System and method for authentication of network users and...

Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer

Reexamination Certificate


active

06321339

ABSTRACT:

FIELD OF THE INVENTION
The invention relates to electronic communications, and more particularly to issuing digital certificates including those for authenticating the identity of network users.
BACKGROUND OF THE INVENTION
The issuing of digital certificates to promote electronic commerce is known. Digital certificates, that is, specially issued files containing identification and other information, provide a level of security and authentication that gives vendors, suppliers and others comfort as they increasingly commit to electronic commerce. Digital certificates provide electronic confirmation of the identity of a potential customer or other user seeking to access a resource or to process a transaction. Digital certificates also regulate the access to particular transactions or information. For example, digital certificates can differentiate classes of transaction within a Web site based upon credit or other information contained in a digital certificate or directory.
Typically, the steps involved in deciding whether to issue a digital certificate involve an interaction between a user who wants to perform a transaction and a certification authority. In most cases, the certification authority is not a party to the eventual transaction but serves instead to qualify the user to perform transactions by issuing a digital certificate. The certification authority queries the user for information and attempts to match the responses to known data from databases to determine whether to issue the digital certificate to the requesting user. In addition, the responses provided and the data available in the databases may be used by the certification authority to determine the content or privilege level of the digital certificate. That is, the certification authority determines what financial, privilege or other limitations will be associated with the digital certificate, as indicated by the criteria of the online vendor.
An important aspect of the process of issuing the digital certificate is confirming the identity of network users. Various systems exist that perform some level of user authentication. These systems generally require a user to provide certain basic identification information, such as name, date of birth, social security number, address, telephone number and sometimes driver's license information. This type of information is sometimes known as wallet information, and it is compared to known data, such as data from a credit file, to determine a level of match between the stored and presented information. However, this type of validation by itself is limited and is not flexible in accepting other types of background information. Other problems exist.
SUMMARY OF THE INVENTION
It is an object of the invention to overcome these and other drawbacks of existing digital certificate systems and methods.
It is another object of the invention to provide a digital certificate issuing system and method that perform a first authentication step based on a first type of user identification information and, based on the result, determine whether to perform at least a separate second authentication step using further information.
Another object of the invention is to provide a digital certificate issuing system and method that perform a first authentication step based on a first type of user identification information and, based on the results of the first authentication step, determine whether to proceed to at least a second authentication step depending on available information and the level of certainty of authentication desired.
Another object of the invention is to provide a digital certificate issuing system and method with a multilevel authentication process, where a first step includes the preprocessing of user-supplied information.
It is still another object of the invention to provide a digital certificate issuing system and method which determine the content or privilege level of a digital certificate to be issued including, for example, the financial and access privileges or other classifications associated with the digital certificate.
In an illustrative embodiment of the invention, a user who wishes to apply for an online transaction accesses a client/server network through a client terminal. The server side of the network includes an application server communicating with an authentication server. When the user wishes to initiate the transaction or at other times, the authentication server determines whether the user's identity can be confirmed, and the level of authentication that may be accorded to the user's identity based on rules specific to the vendor accepting the transaction.
The transaction the user is applying for, such as an electronic brokerage trade, is either carried out or not carried out or other action taken depending on the results of the authentication. The extent of authentication processing performed depends upon the nature of the transaction and vendor-specific requirements. Once the authentication process has been satisfied, the invention may generate a digital certificate recording authentication levels and other information related to the user. The digital certificate can then be presented in future transactions to avoid the need to reauthenticate the user for each new transaction event.
For example, in the context of electronic commerce, lower risk transactions such as relatively small purchases may not require an extensive authentication process. On the other hand, more sensitive or greater risk transactions such as large purchases or sensitive data access may require a more thorough authentication process and a greater level of certainty. A greater level of security could conceivably be attained by automatically performing a thorough authentication process for every transaction. However, this approach incurs unnecessary cost or resource use in cases where only a lower level of certainty is needed.
The invention avoids this drawback by enabling different levels of authentication to be performed based on the level of security desired, reducing costs and unnecessary use of system resources.
Generally in the invention, the user is authenticated according to their ability to respond to successive queries for personal information and the level of match attained from comparing the information they provide with reliable data sources. The user is initially requested to provide a first type of identification information. The first type of information is preferably wallet-type information, that is, information such as name, address, driver's license or other information that may be commonly carried on the person. This information is transmitted to the authentication server which carries out a first level authentication process on that information.
That first level authentication process compares the degree of match between the user-supplied first type of information and known data about the user from other sources. At the completion of this first level authentication process, the authentication server may allow the requested access, allow the requested access with restriction, refuse access or proceed to another level of authentication.
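The first-level decision described above, as an added sketch that is not code from the patent: user-supplied wallet fields are scored against a reference record, and the score is mapped to one of the four outcomes according to the risk of the transaction. The field weights, the thresholds and the "low"/"high" risk tiers are assumptions, since the text gives no values.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Outcome(Enum):
    ALLOW = "allow"
    ALLOW_RESTRICTED = "allow with restriction"
    STEP_UP = "proceed to second level"
    REFUSE = "refuse"


@dataclass(frozen=True)
class Policy:
    allow_at: Optional[float]       # None: wallet data alone never grants access
    restricted_at: Optional[float]  # None: no restricted tier
    step_up_at: float               # below this score the request is refused


# Assumed weights and thresholds; the text gives no numeric values.
WEIGHTS = {"name": 2, "dob": 3, "ssn": 4, "address": 2, "phone": 1}
POLICIES = {
    "low": Policy(allow_at=0.90, restricted_at=0.75, step_up_at=0.50),
    "high": Policy(allow_at=None, restricted_at=None, step_up_at=0.75),
}


def normalize(value: str) -> str:
    """Ignore case, spacing and punctuation so '123 Main St.' == '123 main st'."""
    return "".join(ch for ch in value.lower() if ch.isalnum())


def match_score(supplied: dict, reference: dict) -> float:
    """Weighted share of reference fields that the user's answers match."""
    total = sum(WEIGHTS[f] for f in reference)
    hits = sum(WEIGHTS[f] for f, known in reference.items()
               if normalize(supplied.get(f, "")) == normalize(known))
    return hits / total if total else 0.0


def first_level(supplied: dict, reference: dict, risk: str) -> Outcome:
    policy, score = POLICIES[risk], match_score(supplied, reference)
    if policy.allow_at is not None and score >= policy.allow_at:
        return Outcome.ALLOW
    if policy.restricted_at is not None and score >= policy.restricted_at:
        return Outcome.ALLOW_RESTRICTED
    return Outcome.STEP_UP if score >= policy.step_up_at else Outcome.REFUSE


# Constructed reference record (not real data).
REFERENCE = {"name": "Pat Example", "dob": "1970-01-31", "ssn": "000-00-0000",
             "address": "123 Main St.", "phone": "555-0100"}
```

Under the assumed "high" policy a perfect wallet match still yields only a step-up, which models the case where wallet data alone is not accepted for a sensitive transaction.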
Preferably, the second and any additional levels of authentication request a second, non-wallet type of information from the user. The second type of information is preferably based on comparatively private information that only the user would know. For example, the second type of information may include mortgage loan or other information obtained from a credit report or another source. Such information is typically not carried with a person, and therefore the chances of fraud by someone who obtains lost or stolen information and attempts to execute a transaction are reduced.
The private financial or other data elicited in the second level authentication process may be requested using an interactive query. The interactive query may include multiple choice questions that are automatically generated based upon the information available in the known data sources. For example, the authentication server may access a credit
