The ability to identify online users has grown in importance as use of the worldwide web has evolved from mere sharing of unsecured information to processing of trusted data transactions. As the popularity of the Internet has grown over the past decades, so has the number of Internet services available supporting business-to-consumer and business-to-business transactions. Today's digital networks pose both an opportunity for physically dispersed parties to interact securely, and a risk that unwitting users may interact securely with untrustworthy parties.
These competing opportunities and risks create the design dilemma of establishing an effective level of identification practices online without creating a security regime that is too difficult or inconvenient for consumers to shop, bank online, request services, and access other restricted Internet content and features. If security measures are too lax, protected personal and business data may be put at risk of undesired disclosure. If security measures are too strict, customer frustration with a service provider's cumbersome web presence may lead to lost revenues.
Two areas of significant research in the art of trusted online environments are authentication and verification. For purposes of definition, the term “authentication” refers to systems and methods for controlling access to an online resource, particularly when the resource is configured to support access across an unsecured, public network. The term “verification,” as used herein, refers to establishing the veracity of an identity claim (made either explicitly or impliedly) by a person who is requesting access to the online resource.
A common authentication technique is to require a requestor to input some combination of a username, a password, and/or responses to fact-based questions (such as a mother's maiden name) to form a request to access a given online resource. The requesting user may be granted access to the protected data and functions of the online resource only after an authentication service for the resource sends an access token in response to the access request. By contrast, verification protocols are typically implemented by presentation of a “digital credential,” defined as a proof of qualification that is issued by a trusted source and attached to a person. Digital credentials may contain personal identifying information such as the person's name, birthplace, birthdate, and/or biometric information such as a picture or a finger print.
The digital networking industry is experiencing advancements in designs to securely process trusted transactions, some of which may be pertinent to certain aspects of verifying identities online.
U.S. Patent Application No. 2008/0289020 by Cameron discloses a method for receiving an identity token that includes a claim (such as identity) and a biometric representation that are bound by a digital signature. The veracity of the claim may be determined by comparing the biometric information to a second biometric representation received through a second channel. Although the Cameron implementation uses biometric information for authentication purposes, the security regime does not account for verification of identity to combat, for example, cases of tampering and/or identity theft.
U.S. Patent Application No. 2002/0004900 by Patel discloses secure anonymous communication between a first party and a second party using a third party (such as a registry) to identity the end user. The Patel implementation relies upon collection of and reliance upon information that is known to others (that is, the first party) and proactively transferred into the digital world for use in authentication. However, the disclosure does not address gleaning of unknown identifying information from sources outside the digital world.
U.S. Patent Application No. 2011/0099617 by Ponnath discloses a method of verifying authenticity of identity claims of communicating entities in an online transaction over a network. Identity information of the first communicating entity is extracted by the second communicating entity, and a client is prompted to provide a unique resource name of the first entity. Like the Patel disclosure, the Ponnath implementation assumes known identity information is already registered in a registry, and makes no attempt to glean unknown identifying information. Also, the registered information is concerned with identification of servers, not users.
A need exists for a security regime that gathers a knowledge base of real-time identifying information for users based not only on identifying events occurring in the digital environment, but also on identifying events happening in the real world. The knowledge base should be populated with correlations among authentication events, transaction events, and real world events. The security regime should be automated to support fast and reliable access to protected content and features. The solution should also empower relying parties in a trusted transaction to analyze the risk associated with an assessment of the veracity of an identity claim.
This background information is provided to reveal information believed by the applicant to be of possible relevance to the present invention. No admission is necessarily intended, nor should be construed, that any of the preceding information constitutes prior art against the present invention.