WO2001082190A1 - Multi-tiered identity verification authority for e-commerce - Google Patents


Info

Publication number: WO2001082190A1
Application number: PCT/US2001/013232
Authority: WO (WIPO, PCT)
Other languages: French (fr)
Inventor: George Frederick Renner
Original assignee: Global Transaction Company
Priority application: AU2001253795A1

Classifications

    • H04L63/0861 Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan
    • G06F21/31 User authentication
    • G06F21/32 User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
    • G06F21/34 User authentication involving the use of external additional devices, e.g. dongles or smart cards
    • G06Q20/02 Payment architectures, schemes or protocols involving a neutral party, e.g. certification authority, notary or trusted third party [TTP]
    • G06Q20/341 Payment architectures using active cards, i.e. cards including their own processing means, e.g. including an IC or chip
    • G06Q20/40145 Transaction verification: biometric identity checks
    • G07F7/1008 Active credit-cards provided with means to personalise their use, e.g. with PIN-introduction/comparison system
    • G06F2221/2113 Multi-level security, e.g. mandatory access control
    • G06F2221/2115 Third party
    • G06F2221/2117 User registration

Definitions

  • This invention relates to e-commerce, particularly, a mechanism and system for third party verification of the identity of Web and Internet commerce participants, and other participants in Web information transactions and communications (“e-commerce"), namely, an identity authority ("ID Authority”) that is useful with Web and other Internet sites and their users as an improvement of the next generation of Internet infrastructure.
  • the service will verify the identity of a person using a Web browser and allow that user to interact with the Web site or other Internet mechanism.
  • the system can also verify the Web site to the user, and optionally, the personal identity of an individual user at the Web site.
  • the service can verify the personal identities of two Web participants to each other. It is a further object to allow verifications to be requested at more than one level, instance by instance: a lower-risk action may only need smart card verification; a high-risk transaction may require biometric verification; or intermediate levels may be provided.
  • the invention is intended to benefit participants by removing the complexity of implementing and administering unique trust relationships while achieving the benefits of verified identity in electronic communications and transactions. It is an object of the invention to substitute for and provide analogous functions to the Certificate Authority function in the current Public Key Infrastructure (PKI) identification mechanisms. It is also an object of the invention to provide third-party network directory services integrated with the identity verification authority service.
  • Figure 1 shows the prior art structure in which each user requires a separate and unique relationship with every other user. Every time a new user is added to the population, every member needs to add a new relationship.
  • Figure 2 illustrates the identity authority mechanism and system in which adding a new user involves adding only one relationship with an identity authority.
  • the benefits of the authority mechanism and system compound as the populations of Web sites and users grow.
  • Figure 3 shows system architecture and identity authority structures, relationships and operations in the preferred embodiment.
  • each user will receive a kit including a smart card, a smart card reader and biometric reader, or combined reader.
  • a lower-price option may be a smart card reader only.
  • Installation software to install the readers and identity verification system of the invention for use in conjunction with a Web browser is also provided.
  • the software may be stand alone for exclusive use with the system or may be provided in the user kit as a plug-in for an OEM browser such as Microsoft Explorer® or Netscape Navigator®.
  • Each member / client Web site or participating Internet site will implement scripts in their Web content HTML pages as explained below to make use of the identity authority mechanism and directory system.
  • the mechanism and system is useful with many categories of participants in Internet transactions, in addition to business transactions that depend on certification of an individual's identity.
  • One example of such a transaction is the Federal government mandate that electronic benefits enrollments and renewals be validated using a biometric verification of identity.
  • Other examples are the regulatory mandates in California and Ohio that online drug prescriptions must have a biometric or other certification of the prescribing doctor's identity.
  • the invention is also useful to small companies currently facing problems of recognition on the Web.
  • the identity verification authority mechanism and system of the invention assists business on the Web by backing their presence.
  • in B2B commerce, which by 2002 is estimated to grow to nearly 75% of corporate buyers and sellers doing over $750 billion in transactions, the invention is likewise useful.
  • the low cost and many-to-many Internet connectivity is motivating businesses to migrate in whole or in part to Web and Internet marketplaces from the Old Economy one-to-one relationships. This commercial movement, however, also creates new openings for misrepresentation and fraud.
  • the biometric identity verification mechanism and system extends individual accountability onto the Web. In the preferred embodiment, a signup fee and annual renewal per user are charged to the user organizations and a transaction fee per verification is charged to the Web site seller or other provider.
  • the invention will complement, or support, current public key infrastructure (PKI) certificate authorities (CAs) such as VeriSign® and CyberTrust®.
  • Legacy institutions such as banks and the USPS will find the invention readily adaptable to their use, since many banks have limited technical resources.
  • Large membership sites such as AOL®, and Yahoo® are configured for a very large population of loosely-held consumer relationships. To perform an authority service, such sites would need to change their business model.
  • Such types of sites however, have access to corporate relationships and technical resources through and by which the invention may be implemented.
  • public key CAs can promote the use of PKI mechanisms and systems to fill a digital signature role, and implement a mechanism to make public key certificates portable using smart cards or other means.
  • Private PKI implementations using proprietary software can fill the role in closed communities.
  • Web logon identity managers such as eCode.com®, Ezlogin.com®, and Digitalme® may adapt operations to the smart card and biometric roles, in the context of large numbers of loose relationships.
  • the nature of the identity authority mechanism and system is indifferent to differences between business users and consumer users; the preferred embodiment favors a business orientation in which a population of users and a group of Web sites using the mechanism and system are quickly established in a group of Web site operators that serve a shared user population.
  • Online auctions are an example. Since these marketplaces are often established by a business that wants to operate the auction site, these operating auction companies are points of entry for the market. By implementing the authority mechanism and system at multiple auction operators, the efficiencies of simplicity and economy depicted in Figure 2 can be achieved. Web-based pharmacies, physicians, banks and Web marketplaces are also potential users.
  • from the standpoint of a user, the system provides a simplified and direct mechanism for standardized user verification. From the standpoint of the site provider, the system offers convenience to users and adds a mechanism whereby access, purchase and other site functions can be controlled according to predetermined rules and criteria related to individual users and transactions.
  • the system includes a user kit consisting of a smart card, a smart card reader and biometric reader, or combination, and software for the user's terminal, usually a PC, and browser.
  • a lower-priced variant may omit biometric capability.
  • These components are available as semi- custom or off-the-shelf products.
  • the invention provides a mechanism and system that verifies identification packets sent by the seller's Web server, assembled from a combination of off-the-shelf products and custom software, in addition to the existing back room implementation.
  • the user kit enables the establishment of a user identity profile interrelated among the categories of log-in, smart card and biometric routines.
  • the smart card may include a fingerprint profile that will be compared in the identification process at the user terminal to the reading created by the biometric reader. Alternatively or additionally, the fingerprint profile may be maintained in the remote ID Authority database for comparison.
  • the system acts as a third party in Internet interactions, including but not limited to HTTP (Web), e-mail, FTP, WAP, etc., to verify personal identity.
  • other information such as corporate affiliations and authorizations of one participant to the other and personal identities and other information of participants are verified to each other.
  • One version, specific to a World Wide Web use of the invention employs a sequence of operations as follows:
  • the ID Authority business enters an agreement with a Web business site to provide the identity verification function.
  • the Web site adds specific software scripts to their HTML pages wherever the identity verification functions are needed.
  • a business Web user is enrolled in the identity verification service and receives a user kit containing software components, a smart card reader, and a biometric reader to install on their PC, and a personalized smart card.
  • the user browses to the Web site and to the particular page of interest.
  • the Web site downloads a page containing the scripts to use the identity verification service.
  • the software components generate a message packet to the identity authority containing the claimed identity and the evidence to support that identity.
  • the identity authority examines the evidence provided in the packet and generates a response. If the comparison fails, the response contains only a failure notification. If the comparison succeeds, the response contains a success notification and a unique verification code. The response is sent to the user's PC.
  • the scripts continuing to execute in the user's PC handle the response, placing the verification code and positive response in their positions in the requesting page. Either upon receipt or on user action, the request page with the appropriate data items is dispatched to the Web server.
  • the Web server can send a message packet to the identity authority requesting a check of the verification code returned by the user.
  • the reply to this request will be a simple Yes/No depending on the results of the check plus any requested optional information such as authorizations.
  • the above methods may be adapted to use cryptography-based methods to verify identity.
  • the system uses smart card based methods, optionally in combination with cryptography methods, to verify identity and provide other optional information.
  • the software components on the user's PC would interact with the smart card to produce data elements, and optionally, a cryptographic Message Authentication Code (MAC) for a message to the requesting participant. That participant could then submit the message to the ID Authority for verification.
  • Biometric methods are optionally used in combination with smart cards and cryptography to verify identity in the preferred embodiment.
  • a version adapted to World Wide Web use follows:
  • the ID Authority business enters an agreement with a Web business site to provide the identity verification function.
  • the Web site adds specific software scripts to their HTML pages wherever the identity verification functions are needed.
  • a business Web user is enrolled in the identity verification service and receives a user kit containing software components, a smart card reader, and a biometric reader to install on their PC, and a personalized smart card.
  • the software components (a) retrieve the claimed identification and primary biometric template from the smart card
  • the scripts continuing to execute in the user's PC handle the response, placing the data elements in their positions in the requesting page. Either upon receipt or on user action, the request
  • the Web server can send the verification message packet to the Web server.
  • the identity authority recalculates the MAC, compares it to
  • the system offers participants case-by-case options on the level of identity verification to be required for Internet interaction.
  • a Web site could require only smart card methods for simple log-in but require a biometric verification to complete purchases over some threshold level of dollar value or other risk metric.
  • the system may provide services integrated with a P3P implementation for negotiating one participant's access to the other participant's identification and other information.
  • the services may be integrated with a database, X.500, or other directory implementation accessed using LDAP, DAP, or any database access protocol.
  • an LDAP implementation follows:
  • the ID Authority business enters an agreement with a Web business site to provide the identity verification function.
  • the Web site adds specific software scripts to their HTML pages wherever the identity verification functions are needed.
  • a business Web user is enrolled in the identity verification
  • smart card reader and a biometric reader to install on their PC, and a personalized smart card.
  • the Web server returns a login request page containing the scripts to use the identity verification service.
  • the script in the Web page executes on the user's PC, making use of the software components installed from the user kit to collect the claimed identity plus evidence to support that claim, specifically to access and manipulate the smart card and biometric reader if those options are being used.
  • the software components generate data elements containing the claimed identity and the evidence to support that identity.
  • the scripts continuing to execute in the user's PC place the data elements in their positions in the login request page. Either upon receipt or on user action, the log-in request with the appropriate data items is dispatched to the Web server. As a part of processing the login request the Web server assembles an LDAP call containing the data elements and dispatches it to the ID Authority LDAP server. The ID Authority server verifies identity and places the results of the verification, plus any other related authorization data, in the LDAP response message.
  • any single or combination of password log-in 1, smart card 2, or biometric 3 identification routines may be adapted in the system by authority software 4 used in conjunction with the user's browser and/or terminal 5.
  • the ID Authority will be identified as an icon on client Web pages that will also include a brief dialog for functions.
  • the ID authority 10 is interconnected between an enrolled user 6 and web site provider 20 and controls enrollment, customer support and administration.
  • the ID authority site includes interconnected web site server 101, LDAP server 102, encryption services server 103 and database 104 containing user and subscriber profiles.
  • Web site providers subscribing to the ID authority include identity verification software scripts provided by the authority in their HTML pages 22.
  • in enrolling in the system 11, the user provides an identity profile, such as user name and password, smart card identification code, and biometric indicia such as a fingerprint read, compiled in a data file 12 maintained by the authority in site database 104.
  • the user kit, providing password log-in, smart card reader and biometric reader hardware for higher levels of authentication, and authority software 7, is installed on the user terminal.
  • the software may be a plug-in for an OEM browser or a custom browser with ID authority functions integrally included.
  • the user kit components are operatively interconnected with browser 5.
  • the user is also provided with a personalized smart card (not shown) for operative relationship with the reader.
  • the browser software includes a mechanism for conventionally communicating with a web site and for receiving a verification demand from a web site 8.
  • when the web site is an identity authority subscriber 20, the site prompts the user to comply with an identity demand: verification scripts in the web site HTML page 22 initiate an interaction between the user and the web site by downloading to the user's browser a verification script that starts the identity verification process.
  • the downloaded verification script executes on the user's terminal and signals the user that a verification is required in one or more than one of the forms of a user name and password, a smart card identity, and a biometric identity, or a combination thereof.
  • upon receipt, the browser mechanism prompts the user to comply with the demand, collects identity data from the user in compliance with the demand, and sends a message packet to the authority containing the collected identity data. Communications between the user and the ID Authority may be encrypted, for example through server 103.
  • the identity data from the user in compliance with the demand is sent in a message packet 15 to the authority.
  • ID Authority functions are included in Table 1 below:
  • the tiered verification functions of identification, verified identification, and verified transaction signature may correspond to password log-in, smart card verification and biometric (e.g. fingerprint) identification demands.
  • the signal of the web site to the user that a verification is required in one or more than one of the forms of a user name and password, a smart card identity, and a biometric identity is predetermined at the web site depending on the relative need for certainty of an identity verification related to the degree of importance of the electronic commerce to be transacted.
  • the identity authority compares the data in the packet sent from the user with the user identity profile data 12 maintained by the authority in its database.
  • a response which is either a failure notification, or a success notification and a unique verification code, is sent to the user terminal 15 for transmission to the web site.
  • the user terminal transmits 8 the verification code to the requesting web site page, which then transmits the code 23 to the identity authority for authentication that the code provided is in fact the code sent to the user by the ID Authority.
  • the ID Authority will either approve, or disapprove, the user identity. With approval, secure identity-verified communications between the user and web site may proceed consistent with the level of identification, 1c, 2c or 3c, required and consistent with predetermined identity authorization activities allowed to the particular user.
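
The verification-code exchange described above (user terminal to ID Authority, verification code back to the terminal, code forwarded in the page to the web site, web site confirming the code with the authority), as an added example that is not part of the patent. It simulates the three parties in one process; the packet layout, the evidence checks, the code lifetime and every name in it are assumptions made for this illustration, not the patent's own software.

```python
# Added example (not from the patent): a self-contained simulation of the
# verification-code exchange. Packet layout, evidence checks, code lifetime
# and all names are assumptions made for this illustration.
import hashlib
import hmac
import secrets
import time


class IDAuthority:
    """Holds enrolled identity profiles and issues single-use verification codes."""

    CODE_TTL = 120  # seconds a verification code stays valid (assumed)

    def __init__(self):
        self._profiles = {}  # user id -> enrolled evidence
        self._codes = {}     # verification code -> (user, site, expiry)

    def enroll(self, user, password, card_id, fingerprint):
        # Only hashes are stored; the card id stands in for the smart card's
        # identification code and the fingerprint bytes for the biometric template.
        salt = secrets.token_bytes(16)
        self._profiles[user] = {
            "salt": salt,
            "pw": hashlib.sha256(salt + password.encode()).digest(),
            "card": card_id,
            "fp": hashlib.sha256(fingerprint).digest(),
        }

    def verify(self, packet):
        """Examine the evidence in the packet; answer failure, or success plus a code."""
        prof = self._profiles.get(packet["user"])
        if prof is None:
            return {"ok": False}
        ev = packet["evidence"]
        pw_ok = hmac.compare_digest(
            hashlib.sha256(prof["salt"] + ev["password"].encode()).digest(), prof["pw"])
        card_ok = hmac.compare_digest(ev["card"], prof["card"])
        fp_ok = hmac.compare_digest(hashlib.sha256(ev["fingerprint"]).digest(), prof["fp"])
        if not (pw_ok and card_ok and fp_ok):
            return {"ok": False}
        code = secrets.token_urlsafe(24)
        # Bind the code to the user and the requesting site and give it a lifetime,
        # so a code issued for one site cannot be presented at another or kept for later.
        self._codes[code] = (packet["user"], packet["site"], time.time() + self.CODE_TTL)
        return {"ok": True, "code": code}

    def check_code(self, site, user, code):
        """The Web server's Yes/No question: was this code issued to this user for this site?"""
        entry = self._codes.pop(code, None)  # pop: each code is accepted at most once
        if entry is None:
            return False
        issued_user, issued_site, expiry = entry
        return issued_user == user and issued_site == site and time.time() < expiry


def build_packet(user, site, password, card_id, fingerprint):
    """Kit software on the user's PC: claimed identity plus the evidence for it."""
    return {"user": user, "site": site,
            "evidence": {"password": password, "card": card_id, "fingerprint": fingerprint}}


class WebServer:
    """A subscribing site: trusts the code in the submitted page only once the authority confirms it."""

    def __init__(self, site, authority):
        self.site, self.authority = site, authority

    def handle_request_page(self, form):
        if not form.get("verified") or not form.get("code"):
            return "denied"
        if not self.authority.check_code(self.site, form["user"], form["code"]):
            return "denied"
        return "welcome " + form["user"]


def run_flow(authority, site, user, password, card_id, fingerprint):
    """The whole exchange for one page request; returns the Web server's decision."""
    packet = build_packet(user, site, password, card_id, fingerprint)
    response = authority.verify(packet)
    form = {"user": user, "verified": response["ok"], "code": response.get("code", "")}
    return WebServer(site, authority).handle_request_page(form)


if __name__ == "__main__":
    auth = IDAuthority()
    auth.enroll("alice", "correct horse", "CARD-0001", b"constructed fingerprint bytes")
    print(run_flow(auth, "shop.example", "alice", "correct horse", "CARD-0001",
                   b"constructed fingerprint bytes"))
    print(run_flow(auth, "shop.example", "alice", "correct horse", "CARD-0001", b"someone else"))
```

The point to notice is that the scripts that place the "success" flag and the code into the request page run on the user's PC, so nothing in the submitted page can be trusted by itself; the only trustworthy signal the web site has is the authority's answer to its own check of the code. The example therefore makes that check refuse a code that was issued for a different site, a code presented a second time, or a code that has aged past its lifetime, which is the minimum a relying site should expect of the verification code the patent describes.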

Abstract

Any single or combination of password log-in (1), smart card (2) or biometric (3) identification routines may be adapted in the system by authority software (4) used in conjunction with the user's browser and/or terminal (5). The ID authority (10) is interconnected between an enrolled user (6) and web site provider (20) and controls enrollment, customer support and administration. The ID authority site (10) includes interconnected web site server (101), LDAP server (102), encryption services server (103) and database (104) containing user and subscriber profiles. Web site providers (20) subscribing to the ID authority (10) include identity verification software scripts provided by the authority (10) in their HTML pages (22). Communications between the user (5) and ID authority (10) may be encrypted through server (103). The identity data from the user (5) in compliance with the demand is sent in a message packet (15) to the authority (10). Depending on the comparison result, a response, either failure or success, is sent to the user terminal (15). The user terminal (15) then transmits the verification code (23) to the identity authority (10). In enrolling in the system (11), the user (5) provides an identity profile (12) that can include a combination of biometrics and authentication methods (1c), (2c), or (3c). The biometric software (7) is installed on the user terminal (15). The browser software includes a mechanism for conventionally communicating with a web site and for receiving a verification demand from a web site (8).

Description

MULTI-TIERED IDENTITY VERIFICATION AUTHORITY FOR E-COMMERCE
FIELD OF THE INVENTION
This invention relates to e-commerce, particularly, a mechanism and system for third party verification of the identity of Web and Internet commerce participants, and other participants in Web information transactions and communications ("e-commerce"), namely, an identity authority ("ID Authority") that is useful with Web and other Internet sites and their users as an improvement of the next generation of Internet infrastructure.
BACKGROUND AND SUMMARY OF THE INVENTION
In electronic commerce business using the World Wide Web and the Internet, there is a need for better proof of a customer's identity than is provided currently by password login. Most Web users also desire a more secure and convenient way to identify themselves for Web transactions. Financial institutions, pharmaceuticals distributors, and retailers are among the groups that would benefit from improved identity verification mechanisms.
It is an object of the invention to provide a service mechanism and system to act as a third party to verify identity for e-commerce participants using passwords, smart cards, and biometrics in a hierarchy, and combinations thereof depending on the need for security. The service will verify the identity of a person using a Web browser and allow that user to interact with the Web site or other Internet mechanism. The system can also verify the Web site to the user, and optionally, the personal identity of an individual user at the Web site. As a further option, the service can verify the personal identities of two Web participants to each other. It is a further object to allow verifications to be requested at more than one level, instance by instance: a lower-risk action may only need smart card verification; a high-risk transaction may require biometric verification; or intermediate levels may be provided. Users are able to opt for one or more different levels of participation, with higher levels allowing them to meet requests for higher-level verifications. The invention is intended to benefit participants by removing the complexity of implementing and administering unique trust relationships while achieving the benefits of verified identity in electronic communications and transactions. It is an object of the invention to substitute for and provide analogous functions to the Certificate Authority function in the current Public Key Infrastructure (PKI) identification mechanisms. It is also an object of the invention to provide third-party network directory services integrated with the identity verification authority service. The invention is described more fully in the following description of the preferred embodiment considered in view of the drawings in which:
BRIEF DESCRIPTION OF THE DRAWINGS
Figure 1 shows the prior art structure in which each user requires a separate and unique relationship with every other user. Every time a new user is added to the population, every member needs to add a new relationship.
Figure 2 illustrates the identity authority mechanism and system in which adding a new user involves adding only one relationship with an identity authority. The benefits of the authority mechanism and system compound as the populations of Web sites and users grow. Figure 3 shows system architecture and identity authority structures, relationships and operations in the preferred embodiment.
DETAILED DESCRIPTION OF THE INVENTION AND THE PREFERRED EMBODIMENT
In the mechanism and system of the invention, each user will receive a kit including a smart card, a smart card reader and biometric reader, or combined reader. A lower-price option may be a smart card reader only. Installation software to install the readers and identity verification system of the invention for use in conjunction with a Web browser is also provided. The software may be stand alone for exclusive use with the system or may be provided in the user kit as a plug-in for an OEM browser such as Microsoft Explorer® or Netscape Navigator®. Each member / client Web site or participating Internet site will implement scripts in their Web content HTML pages as explained below to make use of the identity authority mechanism and directory system.
In an example, from the user's perspective, a corporate buyer deals with different Web marketplaces for office supplies, financial services, construction, energy and maintenance, and other new areas that are added frequently. If each of these marketplaces has its own (and likely unique) method for validating identity and "signing" a transaction, as shown in Figure 1, each buyer or user, U1 - Un, will require considerable physical and intellectual overhead to maintain the encrypted passwords and the like that are necessary for an entry relationship to all seller, S1 - Sn, web sites. If, on the other hand, the marketplaces referred the identity verification function to the authority mechanism and system of the invention as shown in Figure 2, each buyer or user would need only one set of credentials maintained by the Identity Authority with regard to users and sellers. Each marketplace operator would be relieved from the burden of maintaining a verification infrastructure in instances when identity verification is required in e-commerce.
The mechanism and system is useful with many categories of participants in Internet transactions, in addition to business transactions that depend on certification of an individual's identity. One example of such a transaction is the Federal government mandate that electronic benefits enrollments and renewals be validated using a biometric verification of identity. Other examples are the regulatory mandates in California and Ohio that online drug prescriptions must have a biometric or other certification of the prescribing doctor's identity. Similarly, many other large examples, such as B2B ("business-to-business") contracting and banking, may not have a government mandate but do have the interests of the participants in reducing fraud and liability exposure.
The invention is also useful to small companies currently facing problems of recognition on the Web. The identity verification authority mechanism and system of the invention assists businesses on the Web by backing their presence. The invention is likewise useful in B2B commerce, which by 2002 is estimated to grow to nearly 75% of corporate buyers and sellers doing over $750 billion in transactions. The low cost and many-to-many Internet connectivity is motivating businesses to migrate in whole or in part to Web and Internet marketplaces from the Old Economy one-to-one relationships. This commercial movement, however, also creates new openings for misrepresentation and fraud. The biometric identity verification mechanism and system extends individual accountability onto the Web. In the preferred embodiment, a signup fee and annual renewal per user are charged to the user organizations and a transaction fee per verification is charged to the Web site seller or other provider.
In its full multi-layer function, the invention will complement, or support, current public key infrastructure (PKI) certificate authorities (CAs) such as VeriSign® and CyberTrust®. Legacy institutions, such as banks, and the USPS will find the invention readily adaptable to their use in view of the fact that many banks have limited technical resources. Large membership sites such as AOL® and Yahoo® are configured for a very large population of loosely-held consumer relationships. To perform an authority service, such sites would need to change their business model. Such types of sites, however, have access to corporate relationships and technical resources through and by which the invention may be implemented.
With regard to partial function identification without biometrics, public key CAs can promote the use of PKI mechanisms and systems to fill a digital signature role, and implement a mechanism to make PK certificates portable using smart cards or other means. Private PKI implementations using proprietary software can fill the role in closed communities. In further applications, Web logon identity managers such as eCode.com®, Ezlogin.com®, and Digitalme® may adapt operations to the smart card and biometric roles, in the context of large numbers of loose relationships.
The nature of the identity authority mechanism and system is indifferent to differences between business users and consumer users; the preferred embodiment favors a business orientation in which a population of users and a group of Web sites using the mechanism and system are quickly established in a group of Web site operators that serve a shared user population. Online auctions are an example. Since these marketplaces are often established by a business that wants to operate the auction site, these operating auction companies are points of entry for the market. In implementing the authority mechanism and system at multiple auction operators, the efficiencies of simplicity and economy depicted in Figure 2 can be achieved. Web based pharmacies, MD's, banks and Web marketplaces are also potential users.
From the standpoint of a user, the system provides a simplified and direct mechanism for standardized user verification. From the standpoint of the site provider, the system offers convenience to users and adds a mechanism whereby access, purchase and other site functions can be controlled in a predetermined manner in accordance with specific rules and criteria related to individual users and transactions.
In its general description, the system includes a user kit consisting of a smart card, a smart card reader and biometric reader, or combination, and software for the user's terminal, usually a PC, and browser. A lower-priced variant may omit biometric capability. These components are available as semi-custom or off-the-shelf products. On the Web provider side, the invention provides a mechanism and system that verifies identification packets sent by the seller's Web server, assembled from a combination of off-the-shelf products and custom software, in addition to the existing back room implementation. The user kit enables the establishment of a user identity profile interrelated among the categories of log-in, smart card and biometric routines. For example, the smart card may include a fingerprint profile that will be compared in the identification process at the user terminal to the reading created by the biometric reader. Alternatively or additionally, the fingerprint profile may be maintained in the remote ID Authority database for comparison.
The system acts as a third party in Internet interactions, including but not limited to HTTP (Web), e-mail, FTP, WAP, etc., to verify personal identity. Optionally, other information such as corporate affiliations and authorizations of one participant to the other, and personal identities and other information of participants, are verified to each other. One version, specific to a World Wide Web use of the invention, employs a sequence of operations as follows:
EXAMPLE I
1. The ID Authority business enters an agreement with a Web business site to provide the identity verification function. The Web site adds specific software scripts to their HTML pages wherever the identity verification functions are needed.
2. A business Web user is enrolled in the identity verification service and receives a user kit containing software components, a smart card reader, and a biometric reader to install on their PC, and a personalized smart card.
3. To begin a particular interaction, the user browses to the Web site and to the particular page of interest. The Web site downloads a page containing the scripts to use the identity verification service.
4. The script in the Web page executes on the user's PC, making use of the software components installed from the user kit to collect the claimed identity plus evidence to support that claim; specifically, to access and manipulate the smart card and biometric reader if those options are being used. The software components generate a message packet to the identity authority containing the claimed identity and the evidence to support that identity.
5. The identity authority examines the evidence provided in the packet and generates a response. If the comparison fails, the response contains only a failure notification. If the comparison succeeds, the response contains a success notification and a unique verification code. The response is sent to the user's PC.
6. The scripts continuing to execute in the user's PC handle the response, placing the verification code and positive response in their positions in the requesting page. Either upon receipt or on user action, the request page with the appropriate data items is dispatched to the Web server. Either immediately or later, depending on business needs, the Web server can send a message packet to the identity authority requesting a check of the verification code returned by the user. The reply to this request will be a simple Yes/No depending on the results of the check plus any requested optional information such as authorizations.
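The following is an added simulation of the Example I exchange, not software from the patent or its assignee: an in-memory ID Authority issues a verification code to the user (step 5) and later answers the Web server's Yes/No check on that code (step 6). The profile data, the site identifier carried with the packet, the code lifetime and the single-use rule are assumptions made for the example.

```python
import hmac
import secrets
import time

# Constructed enrolment record for one user (not data from the patent): the
# authority holds the smart card id it issued and the authorizations it may
# report back to a site on request.
PROFILES = {
    "doug.james": {"card_id": "CARD-0001", "authorizations": {"purchase_limit": 5000}},
}
CODE_TTL_SECONDS = 300  # assumed lifetime of a verification code


class IdAuthority:
    """Hypothetical in-memory ID Authority for the Example I sequence."""

    def __init__(self, now=time.time):
        self._now = now
        self._codes = {}  # code -> who it was issued to, for which site, when, and whether it was used

    def verify(self, packet, site):
        """Step 5: examine the evidence; reply with a failure, or success plus a code."""
        profile = PROFILES.get(packet.get("identity"))
        if profile is None or not hmac.compare_digest(profile["card_id"], packet.get("card_id", "")):
            return {"result": "failure"}
        code = secrets.token_urlsafe(24)  # unguessable, so a site cannot be handed an invented code
        self._codes[code] = {"identity": packet["identity"], "site": site,
                             "issued_at": self._now(), "used": False}
        return {"result": "success", "code": code}

    def check_code(self, code, site, want_authorizations=False):
        """Step 6: the Web server asks whether the code it received is genuine; answer Yes/No."""
        entry = self._codes.get(code)
        if entry is None or entry["used"] or entry["site"] != site:
            return {"answer": "No"}
        if self._now() - entry["issued_at"] > CODE_TTL_SECONDS:
            return {"answer": "No"}
        entry["used"] = True  # a code answers exactly one check
        reply = {"answer": "Yes", "identity": entry["identity"]}
        if want_authorizations:
            reply["authorizations"] = PROFILES[entry["identity"]]["authorizations"]
        return reply


def run_example_i():
    """Play the six steps with a fake clock and return what each check answered."""
    clock = [1_000_000.0]
    authority = IdAuthority(now=lambda: clock[0])
    site = "marketplace.example"  # constructed subscriber site name
    # Step 4: the script on the user's PC assembles the packet from the card.
    packet = {"identity": "doug.james", "card_id": "CARD-0001"}
    response = authority.verify(packet, site)
    # Step 6: the browser forwards the code to the site; the site checks it.
    first = authority.check_code(response["code"], site, want_authorizations=True)
    replay = authority.check_code(response["code"], site)  # second use of the same code
    foreign = authority.check_code(authority.verify(packet, site)["code"], "other.example")
    forged = authority.check_code("not-a-code-the-authority-issued", site)
    bad_card = authority.verify({"identity": "doug.james", "card_id": "CARD-9999"}, site)
    stale_code = authority.verify(packet, site)["code"]
    clock[0] += CODE_TTL_SECONDS + 1  # let the code expire
    stale = authority.check_code(stale_code, site)
    return {"first": first, "replay": replay, "foreign": foreign,
            "forged": forged, "bad_card": bad_card, "stale": stale}


if __name__ == "__main__":
    for name, outcome in run_example_i().items():
        print(f"{name:9s} -> {outcome}")
```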
The above methods may be adapted to use cryptography-based methods to verify identity. In a variation, the system uses smart card based methods, optionally in combination with cryptography methods, to verify identity and provide other optional information. In this variation, the software components on the user's PC would interact with the smart card to produce data elements, and optionally, a cryptographic Message Authentication Code (MAC) for a message to the requesting participant. That participant could then submit the message to the ID Authority for verification.
Biometric methods are optionally used in combination with smart cards and cryptography to verify identity in the preferred embodiment. A version adapted to World Wide Web use follows:
EXAMPLE II
1. The ID Authority business enters an agreement with a Web business site to provide the identity verification function. The Web site adds specific software scripts to their HTML pages wherever the identity verification functions are needed.
2. A business Web user is enrolled in the identity verification service and receives a user kit containing software components, a smart card reader, and a biometric reader to install on their PC, and a personalized smart card.
3. To begin a particular interaction, the user browses to the Web site and to the particular page of interest. The Web site downloads a page containing the scripts to use the identity verification service.
4. The script in the Web page executes on the user's PC, making use of the software components installed from the user kit to collect the claimed identity plus evidence to support that claim; specifically, to access and manipulate the smart card and biometric reader. The software components: (a) retrieve the claimed identification and primary biometric template from the smart card after satisfying the smart card file access methods; (b) read a live fingerprint from the user, prompting if necessary; (c) match the live fingerprint to the template and generate a verification message packet containing the claimed identity, the results of the match, a timestamp and transaction sequence number, and a MAC generated by the smart card; and (d) return the identification data, indication of biometric match, and the verification message packet to the calling script.
5. The scripts continuing to execute in the user's PC handle the response, placing the data elements in their positions in the requesting page. Either upon receipt or on user action, the request page with the appropriate data items is dispatched to the Web server.
6. Either immediately or later, depending on business needs, the Web server can send the verification message packet to the identity authority requesting a check of the MAC returned by the user. The identity authority recalculates the MAC, compares it to the value provided in the packet, and generates a response. If the comparison fails, the response to the Web server contains only a failure notification. If the comparison succeeds, the response contains a success notification and a unique verification code.

Thus, it can be seen that the system offers participants case-by-case options on the level of identity verification to be required for Internet interaction. For example, a Web site could require only smart card methods for simple log-in but require a biometric verification to complete purchases over some threshold level of dollar value or other risk metric.
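The following is an added simulation of the Example II packet and of the case-by-case policy just described; it is not code from the patent or its assignee. It assumes a per-card HMAC-SHA256 key shared with the authority at enrolment, a fixed JSON serialization so both sides MAC the same bytes, a timestamp tolerance and a per-card sequence-number check (the text lists the timestamp and sequence number in the packet but does not say how the authority uses them), and a constructed dollar threshold for the site's purchase rule.

```python
import hashlib
import hmac
import json
import secrets

# Constructed enrolment data (not from the patent): at enrolment the authority
# shares a per-card key with the smart card, which uses it only to MAC packets.
CARD_KEYS = {"CARD-0001": bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0")}
TEMPLATES = {"CARD-0001": "fp-template-doug"}  # primary biometric template held on the card
PURCHASE_THRESHOLD = 1000  # assumed dollar value above which the site demands a biometric match


def canonical(fields):
    """Serialize the packet fields in a fixed order so card and authority MAC identical bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def card_build_packet(card_id, identity, live_fingerprint, timestamp, seq):
    """Step 4 on the user's PC: match the live print to the template, then let the card MAC the packet."""
    matched = hmac.compare_digest(TEMPLATES[card_id], live_fingerprint)  # stand-in for a real matcher
    fields = {"identity": identity, "card_id": card_id, "match": matched, "timestamp": timestamp, "seq": seq}
    mac = hmac.new(CARD_KEYS[card_id], canonical(fields), hashlib.sha256).hexdigest()
    return {**fields, "mac": mac}


class IdAuthority:
    """Hypothetical in-memory ID Authority for the Example II sequence."""

    def __init__(self, max_skew=300):
        self.max_skew = max_skew  # assumed tolerance on the packet timestamp, in seconds
        self.last_seq = {}        # card_id -> highest sequence number accepted (assumed replay check)

    def check_packet(self, packet, now):
        """Step 6: recalculate the MAC and compare; failure, or success plus a verification code."""
        key = CARD_KEYS.get(packet.get("card_id"))
        if key is None:
            return {"result": "failure", "reason": "unknown card"}
        fields = {k: v for k, v in packet.items() if k != "mac"}
        expected = hmac.new(key, canonical(fields), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, packet.get("mac", "")):
            return {"result": "failure", "reason": "mac mismatch"}
        if abs(now - packet["timestamp"]) > self.max_skew:
            return {"result": "failure", "reason": "stale timestamp"}
        if packet["seq"] <= self.last_seq.get(packet["card_id"], 0):
            return {"result": "failure", "reason": "sequence number reused"}
        self.last_seq[packet["card_id"]] = packet["seq"]
        return {"result": "success", "code": secrets.token_urlsafe(24),
                "identity": packet["identity"], "biometric_match": packet["match"]}


def site_policy(action, amount, verification):
    """The case-by-case rule from the text: smart card suffices for log-in, biometric match for large purchases."""
    if verification["result"] != "success":
        return "deny"
    if action == "purchase" and amount > PURCHASE_THRESHOLD and not verification["biometric_match"]:
        return "deny: biometric verification required"
    return "allow"


def run_example_ii():
    """Exercise the exchange and return what the authority and the site decided."""
    authority = IdAuthority()
    now = 1_000_000
    good = card_build_packet("CARD-0001", "doug.james", "fp-template-doug", now, seq=1)
    accepted = authority.check_packet(good, now)
    no_match = card_build_packet("CARD-0001", "doug.james", "fp-someone-else", now, seq=2)
    flipped = authority.check_packet(dict(no_match, match=True), now)  # match flag edited after the card signed
    card_only = authority.check_packet(no_match, now)                  # genuine packet, biometric did not match
    replayed = authority.check_packet(good, now)                       # seq 1 presented again after seq 2
    late = authority.check_packet(card_build_packet("CARD-0001", "doug.james", "fp-template-doug", now - 900, seq=3), now)
    return {"accepted": accepted, "flipped": flipped, "card_only": card_only, "replayed": replayed, "late": late,
            "login": site_policy("login", 0, card_only),
            "small_purchase": site_policy("purchase", 200, card_only),
            "large_purchase": site_policy("purchase", 5000, card_only),
            "large_purchase_bio": site_policy("purchase", 5000, accepted)}


if __name__ == "__main__":
    for name, outcome in run_example_ii().items():
        print(f"{name:18s} -> {outcome}")
```

Because the match result is inside the MACed fields, software on the user's PC cannot turn a failed fingerprint match into a passing one without the card's key, which is the reason the MAC is generated by the card rather than by the PC software.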
In its implementation, the system may provide services integrated with a P3P implementation for negotiating one participant's access to the other participant's identification and other information. The services may be integrated with a database, X.500, or other directory implementation accessed using LDAP, DAP, or any database access protocol. A version for LDAP implementation follows:
EXAMPLE III
1. The ID Authority business enters an agreement with a Web business site to provide the identity verification function. The Web site adds specific software scripts to their HTML pages wherever the identity verification functions are needed.
2. A business Web user is enrolled in the identity verification service and receives a user kit containing software components, a smart card reader, and a biometric reader to install on their PC, and a personalized smart card.
3. To begin a particular interaction, the user browses to the Web site. The Web server returns a login request page containing the scripts to use the identity verification service.
4. The script in the Web page executes on the user's PC, making use of the software components installed from the user kit to collect the claimed identity plus evidence to support that claim, specifically to access and manipulate the smart card and biometric reader if those options are being used. The software components generate data elements containing the claimed identity and the evidence to support that identity.
5. The scripts continuing to execute in the user's PC place the data elements in their positions in the login request page. Either upon receipt or on user action, the log-in request with the appropriate data items is dispatched to the Web server. As a part of processing the login request, the Web server assembles an LDAP call containing the data elements and dispatches it to the ID Authority LDAP server. The ID Authority server verifies identity and places the results of the verification, plus any other related authorization data, in the LDAP response message.
With reference to Figure 3 showing the system architecture, any single or combination of password log-in 1, smart card 2, or biometric 3 identification routines may be adapted in the system by authority software 4 used in conjunction with the user's browser and/or terminal 5. The ID Authority will be identified as an icon on client Web pages that will also include a brief dialog for functions. The ID authority 10 is interconnected between an enrolled user 6 and web site provider 20 and controls enrollment, customer support and administration. The ID authority site includes interconnected web site server 101, LDAP server 102, encryption services server 103 and database 104 containing user and subscriber profiles. Web site providers subscribing to the ID authority include identity verification software scripts provided by the authority in their HTML pages 22.
In enrolling in the system 11, the user provides an identity profile, such as user name and password, smart card identification code, and biometric indicia such as a fingerprint read, compiled in a data file 12 maintained by the authority at site database 104. The user kit, providing password log-in, smart card reader and biometric reader hardware for higher levels of authentication, and authority software 7, is installed on the user terminal. As noted, the software may be a plug-in for an OEM browser or a custom browser with ID authority functions integrally included. The user kit components are operatively interconnected with browser 5. The user is also provided with a personalized smart card (not shown) for operative relationship with the reader. The browser software includes a mechanism for conventionally communicating with a web site and for receiving a verification demand from a web site 8.
When the web site is an identity authority subscriber 20, the site prompts the user to comply with an identity demand when verification scripts in the web site HTML page 22 initiate an interaction between the user and the web site by downloading to the user's browser a verification script initiating the identity verification process. The downloaded verification script executes on the user's terminal and signals the user that a verification is required in one or more than one of the forms of a user name and password, a smart card identity, and a biometric identity, or a combination thereof. Upon receipt, the browser mechanism prompts the user to comply with the demand, collects identity data from the user in compliance with the demand, and sends a message packet to the authority containing the collected identity data. Communications between the user and the ID Authority may be encrypted, for example through server 103. The identity data from the user in compliance with the demand is sent in a message packet 15 to the authority.
Examples of ID Authority functions are included in Table 1 below:
TABLE 1

Function: Identification
  Query / Demand: Who are you?
  Response: I am Doug James.

Function: Verified Identification
  Query / Demand: Who are you?
  Response: I am Doug James. My verification code is 3a665mn48277db#346&

Function: Verified Transaction Signature
  Query / Demand: Who are you?
  Response: I am Doug James.
  Query / Demand: Who is really purchasing this lot of pharmaceuticals?
  Response: Doug James is agreeing to this transaction for XYZ Corp.
  Query / Demand: What is your authority?
  Response: My ID Authority verification code is 6593vz748d4827d% ....
In the order of relative importance and security needed for the transaction used as an example in the table above, the tiered verification functions of identification, verified identification, and verified transaction signature may correspond to password log-in, smart card verification and biometric (e.g. fingerprint) identification demands.
In the verification process, the signal of the web site to the user that a verification is required in one or more than one of the forms of a user name and password, a smart card identity, and a biometric identity is predetermined at the web site depending on the relative need for certainty of an identity verification related to the degree of importance of the electronic commerce to be transacted.
The identity authority compares the data in the packet sent from the user with the user identity profile data 12 maintained by the authority in its database 104. Depending on the comparison result, a response which is either a failure notification, or a success notification and a unique verification code, is sent to the user terminal 15 for transmission to the web site. The user terminal then transmits 8 the verification code to the requesting web site page, which then transmits the code 23 to the identity authority for authentication that the code provided is in fact the code sent to the user by the ID Authority. The ID Authority will either approve, or disapprove, the user identity. With approval, secure identity-verified communications between the user and web site may proceed consistent with the level of identification, 1c, 2c or 3c, required and consistent with predetermined identity authorization activities allowed to the particular user. For example, some users, although their identity may be sufficiently verified, may not have authority to make purchases, or to make purchases in excess of a given value, or to access certain information.

Having thus described the invention in detail, those skilled in the art will appreciate that, given the present disclosure, modifications may be made to the invention without departing from the spirit of the inventive concept herein described. Therefore, it is not intended that the scope of the invention be limited to the specific and preferred embodiments illustrated and described. Rather, it is intended that the scope of the invention be determined by the appended claims.

Claims

WHAT IS CLAIMED IS:

1. A multi-tiered identity verification authority system for e-commerce comprising: an identity authority interconnected between an enrolled user and member Internet or Web site providers, the site providers subscribing to the authority and including identity verification software scripts provided by the authority in their HTML pages, the user having enrolled and provided identity data maintained by the authority; a user kit installed on a user terminal including a browser having identity verification functions and at least one of a smart card reader and a biometric reader operatively interconnected with the browser, and a personalized smart card, the browser including a mechanism for receiving a verification demand from a site, for prompting the user to comply with the demand, for collecting identity data from the user in compliance with the demand, and for sending in a message packet to the authority the collected identity data; the verification scripts in the site HTML page including means to begin an interaction between the user and the site by downloading to the user's browser a verification script initiating an identity verification; the downloaded verification script executing on the user's terminal signaling the user that a verification is required in one or more than one of the forms of a user name and password, a smart card identity, and a biometric identity and, upon receipt, initiating the browser mechanism to prompt the user to comply with the demand, to collect identity data from the user in compliance with the demand, and to send a message packet to the authority containing the collected identity data; the identity authority comparing the data in the packet with a user identity profile in a database maintained by the authority and generating a response which is either a failure notification or a success notification and a unique verification code depending on the comparison and sending the response to the user terminal for transmission to the site; means in the user terminal for transmitting the verification code to the requesting site page whereby the web page server transmits the verification code to the identity authority for an authentication approval or disapproval that is transmitted back to the site that permits or denies user access to the website.

2. The verification authority of claim 1 including a smart card file access protocol.

3. The verification authority of claim 2 further including interconnected mechanisms at the user terminal whereby upon receipt by the user terminal of an identity demand, the user terminal retrieves a demanded identification and biometric template from the smart card.

4. The verification authority of claim 3 in which a demand for a biometric identification results in a prompt at the user terminal that the user provide a fingerprint.

5. The verification authority of claim 4 in which a user provided fingerprint is compared to the fingerprint of the smart card template.

6. The verification authority of claim 5 in which the identity message packet returned to the authority from the user terminal includes a timestamp and transaction sequence number.

7. The verification authority of claim 1 in which the authority includes a database of identity profiles of enrolled users with regard to verification criteria and in processing the login request from the site page, the web server assembles a database access protocol call containing the data elements demanded and dispatches it to the authority database server.

8. The verification authority of claim 7 in which in the verification process, the identity authority database server places the results of the verification, and other related authorization data, in the database access protocol response message.

9. The verification authority of claim 1 in which in the verification process, the signal of the site to the user that a verification is required in one or more than one of the forms of a user name and password, a smart card identity, and a biometric identity is predetermined at the site depending on the relative need for certainty of an identity verification related to the degree of importance of the electronic commerce to be transacted.

10. The verification authority of claim 1 in which the user kit includes a plug-in for an OEM browser.

11. The verification authority of claim 1 in which the authority response includes a time stamp and a cryptographic message authentication code.
12. A user kit for the multi-tiered identity verification authority system of claim 1 comprising a smart card, a smart card reader, a biometric reader and a browser plug-in.
PCT/US2001/013232 2000-04-26 2001-04-25 Multi-tiered identity verification authority for e-commerce WO2001082190A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU2001253795A AU2001253795A1 (en) 2000-04-26 2001-04-25 Multi-tiered identity verification authority for e-commerce

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US55889800A 2000-04-26 2000-04-26
US09/558,898 2000-04-26

Publications (1)

Publication Number Publication Date
WO2001082190A1 true WO2001082190A1 (en) 2001-11-01

Family

ID=24231440

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2001/013232 WO2001082190A1 (en) 2000-04-26 2001-04-25 Multi-tiered identity verification authority for e-commerce

Country Status (2)

Country Link
AU (1) AU2001253795A1 (en)
WO (1) WO2001082190A1 (en)

DE102005011039B4 (en) * 2005-03-08 2011-01-05 1&1 Internet Ag Method and system for logging into a service
WO2010018469A1 (en) * 2008-08-13 2010-02-18 Eios Ict & Software Solutions S.R.L. Method and apparatus for access to telematic services in protected mode by means of a single electronic universal key, and corresponding electronic universal key
ITMI20081517A1 (en) * 2008-08-13 2010-02-14 Eios Ict & Software Solutions S R L METHOD AND APPARATUS FOR ACCESSING TELEMATIC SERVICES IN PROTECTED MODE BY MEANS OF A SINGLE UNIVERSAL ELECTRONIC KEY, AND RELATED UNIVERSAL ELECTRONIC KEY
WO2016046765A1 (en) * 2014-09-23 2016-03-31 David Thomas Systems and methods for verifying an identity record
US20200012772A1 (en) * 2018-07-03 2020-01-09 Tinoq Inc. Systems and methods for matching identity and readily accessible personal identifier information based on transaction timestamp
US11146558B2 (en) 2020-03-11 2021-10-12 International Business Machines Corporation Stateless multi-party authorization system in web applications
CN112347440A (en) * 2020-11-13 2021-02-09 北京国泰网信科技有限公司 User access authority separate-setting system of industrial control equipment and use method thereof
WO2022141067A1 (en) * 2020-12-29 2022-07-07 Nanjing Easthouse Electrical Co., Ltd. Multi-factor authentication electronic lock systems and methods of using the same

Also Published As

Publication number Publication date
AU2001253795A1 (en) 2001-11-07

Similar Documents

Publication Publication Date Title
US7457950B1 (en) Managed authentication service
US7395246B2 (en) Delegating digital credentials
US10769297B2 (en) Centralized identification and authentication system and method
RU2292589C2 (en) Authentified payment
US6965881B1 (en) Digital credential usage reporting
US7356837B2 (en) Centralized identification and authentication system and method
Cox et al. NetBill Security and Transaction Protocol.
US20010027527A1 (en) Secure transaction system
WO2001082190A1 (en) Multi-tiered identity verification authority for e-commerce
JP3871300B2 (en) A method for job-based authorization between companies
US7194426B1 (en) Customizing an electronic interface to the government
US8020196B2 (en) Secure transmission and exchange of standardized data
US6775782B1 (en) System and method for suspending and resuming digital certificates in a certificate-based user authentication application system
US20040030887A1 (en) System and method for providing secure communications between clients and service providers
US20030163686A1 (en) System and method for ad hoc management of credentials, trust relationships and trust history in computing environments
US10762501B2 (en) System and method for partner key management
US20070150942A1 (en) Centralized identity verification and/or password validation
EP1328103A2 (en) Method and system for identifying users and authenticating digital documents on data communications networks
US6611916B1 (en) Method of authenticating membership for providing access to a secure environment by authenticating membership to an associated secure environment
KR100453616B1 (en) Method, article and apparatus for registering registrants, such as voter registrants
Hsiung et al. Bridging e-business and added trust: keys to e-business growth
TW202115670A (en) Delivery authentication system
KR20230090803A (en) Service system for managing identity using blockchain
EP1428156A1 (en) System and method for integrating multiple trading engines
KR20030059734A (en) Onestop application method for credit cards using internet

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CR CU CZ DE DK DM DZ EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG US UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

121 Ep: The EPO has been informed by WIPO that EP was designated in this application
REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

122 Ep: PCT application non-entry in European phase
NENP Non-entry into the national phase

Ref country code: JP