The invention relates to a method for authenticating a user of a secured system and to a method for verifying a user right. A general need currently exists for security and billing in different applications, such as e-commerce, confidential or licensed web contents, etc. The methods currently used for authenticating a user of a secured system require either special equipment, e.g. a separate identification card or a similar device, or personal procedures. A single channel is typically used for delivering identification information, which makes the authentication more vulnerable and requires e.g. one-time identifiers or a strong and heavy encryption method, such as a Public Key Infrastructure (PKI), to be used.
Dual-channel methods, which use e.g. a telephone network and an information network, currently require identification information to be entered manually into the system either by a service provider or by the user, which also puts the information at risk of being lost or copied and, in the case of the service provider, requires personnel procedures.
Current single-channel payment and access control systems utilizing a telephone network bind subscriber number B to a single device.
An object of the invention is to provide a new authentication and verification solution.
This object is achieved by arrangements according to claims 1, 12 and 17, devices according to claims 19 and 20, and a secured system according to claim 21. Preferred embodiments of the invention are disclosed in the dependent claims.
The invention enables a user of an information system, or another system controlled by such, e.g. web pages, to be authenticated or a user right to be verified (authorization). The method is based on using two independent authentication channels. One channel is a telephone network and the identifiers of terminals connected thereto. The other channel can be an information network connection or another user interface of a secured system.
The method can be applied e.g. to real-time management of user rights of information networks and systems and as support for authentication and charging mechanisms required by e-commerce. Other applications include e.g. access control for buildings and centralized billing of use of chargeable devices.
When the invention is used for authenticating a user, the use of two independent authentication channels enables safer authentication than single-channel authentication, reducing the need for different one-time identifiers, separate authentication devices and strong encryption. However, one-time identifiers can still be applied in order to enhance security.
When the invention is used for verifying a user right (authorization), the invention makes services easier to use and enables a confirmation to be generated and delivered to a secured system without any procedures being required from the user and without the user having any information about the confirmation.
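The following is an added illustration, not part of the patent text, of the two-channel flow described above: the secured system opens a pending session over the information network (channel 2) and treats a call arriving over the telephone network (channel 1) as the confirmation, using the network-supplied calling subscriber number as the identifier rather than anything typed by the user. The optional one-time code entered as DTMF digits corresponds to the one-time identifier mentioned as an enhancement. The class and method names, the subscriber numbers, the 120-second validity window and the user directory are all constructed for this example.

```python
"""Toy simulation of dual-channel authentication (added example, not from the patent).

Channel 1: telephone network, represented by call events carrying the calling
subscriber number (A-number) and the called number (B-number).
Channel 2: an information-network session on the secured system.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class PendingSession:
    user: str
    subscriber_number: str       # telephone identity registered for this user
    service_number: str          # B-number the user is expected to call
    one_time_code: Optional[str]  # optional one-time identifier (DTMF digits)
    created: float               # time the session was opened on channel 2
    confirmed: bool = False


class SecuredSystem:
    TIMEOUT = 120.0  # seconds a pending session stays valid (assumed value)

    def __init__(self, directory: Dict[str, str], service_number: str):
        self.directory = directory        # user -> registered subscriber number
        self.service_number = service_number
        self.sessions: Dict[str, PendingSession] = {}

    # Channel 2: the user opens a session over the information network.
    # Nothing secret travels on this channel; only an opaque session id.
    def begin_session(self, user: str, use_one_time_code: bool = False,
                      now: Optional[float] = None) -> Tuple[str, Optional[str]]:
        if user not in self.directory:
            raise KeyError("unknown user")
        session_id = secrets.token_hex(8)
        code = f"{secrets.randbelow(10**6):06d}" if use_one_time_code else None
        created = now if now is not None else time.time()
        self.sessions[session_id] = PendingSession(
            user, self.directory[user], self.service_number, code, created)
        return session_id, code

    # Channel 1: the telephone network delivers a call event. The A-number is
    # supplied by the network, so the user enters nothing unless a one-time
    # code is in use; in that case the code is expected as DTMF digits.
    def on_call(self, a_number: str, b_number: str, dtmf: Optional[str] = None,
                now: Optional[float] = None) -> Optional[str]:
        now = now if now is not None else time.time()
        for sid, s in self.sessions.items():
            if s.confirmed or now - s.created > self.TIMEOUT:
                continue                      # already used or expired
            if s.subscriber_number != a_number or s.service_number != b_number:
                continue                      # wrong caller or wrong service line
            if s.one_time_code is not None and dtmf != s.one_time_code:
                continue                      # one-time identifier mismatch
            s.confirmed = True
            return sid
        return None  # no pending session matched: nothing is confirmed

    def is_authenticated(self, session_id: str) -> bool:
        s = self.sessions.get(session_id)
        return bool(s and s.confirmed)


if __name__ == "__main__":
    system = SecuredSystem({"alice": "+358401234567"}, "+358800123")
    sid, _ = system.begin_session("alice")
    print("confirmed by call:", system.on_call("+358401234567", "+358800123") == sid)
```

The point to take from the simulation is that the credential never crosses the information network: a call from an unregistered subscriber number, a call to the wrong service number, or a call arriving after the validity window leaves the session unconfirmed, and when a one-time code is enabled the call must also carry the matching digits.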
The invention also enables billing of a plurality of services to be tied to a single point. In other words, a single authentication device based on a telephone network can be used e.g. for all application communication channels of a web server or for a plurality of servers. The access control and charging processes of many automatic service machines (such as vending machines) can be carried out in a centralized manner with no need for device-specific solutions.
If the invention is used in combination with conventional security solutions, the user can authenticate himself or herself and sign events using different security solutions and products and select the solution that suits a given situation best. For example, the user can use a smart card on his or her personal computer (PC) at home and the authentication of the invention on his or her mobile station when not at home.