Currently, a variety of devices and methods have been developed in an attempt to improve authentication fidelity and to safeguard personal identity and sensitive private information. These devices and methods have grown in importance in light of the increasing security threat due to the rapid advancements in networking and mobile communication technologies. However, certain authentication technologies in use today are still based on the traditional “knowledge-based factor” or “possession-based factor” identification and verification approaches. In a typical knowledge-based authentication approach, only one authentication factor (such as knowledge of a password) is required in order to gain access to a system. In a possession-based authentication approach, possession of one authentication factor (e.g. possession of a card or token) is required in order to gain access to a system.
More recently, some of these technologies have been deployed in combination as two-factor authentication schemes wherein both knowledge-based and possession-based factors are required simultaneously for authentication. These types of authentication have recently gained increasing acceptance. An example of such an authentication scheme is the common bank card transaction wherein the card itself represents the authorizing possession factor (bearer has the card). The corresponding password represents the authorizing factor that is known only to the account holder. However, despite these apparent additional layers of security, misplacement of the possession factor (such as lost or stolen cards) and a breach of the knowledge factor (such as a compromised password) remain problematic for these types of transactions. As a result, when the possession factor (e.g. card) and the password are simultaneously compromised or duplicated, there is no apparent suitable countermeasure for the breach, as this technique cannot reliably authenticate the true identity of the holder of the device.
In a typical financial transaction using the traditional two-factor verification system, a bearer of a typical payment processing device (e.g. credit card) presents the card to a merchant for the purchase of an item. The merchant takes the card presented by the bearer and swipes the card through a magnetic strip card reading device or other similar device. The information contained on the magnetic strip of the card is read and transmitted to the issuing financial institution. The financial institution then checks the information received against its database of active cards. The institution also verifies whether the amount of credit sought exceeds the amount available. If the financial institution verifies that the card is active and that the credit limit will not be exceeded (for a credit transaction) or that there are sufficient funds to complete the transaction (for a debit transaction), and/or other verification parameters are satisfactorily authenticated, an approval is provided to the merchant for completion of the purchase.
After an approval is determined by the financial institution, an authorization code is prepared and transmitted to the merchant. The merchant returns the card to the bearer after the authorization code has been received and the merchant then requires a signature from the bearer, authorizing the transaction. The bearer of the card signs a sales slip. The merchant verifies the signature of the bearer against a signature on the back of the card and the transaction is then complete.
Within these conventional authentication schemes, verification of the transaction occurs at two points in the transaction. The first authorization occurs at the financial institution that issues the card, wherein an electronic database is used to check valid card numbers. The second authorization occurs at the merchant where the signature verification is performed. Merchants, however, may forget to compare the signature obtained from the individual against the signature on the back of the card. Another problem is that the merchants generally do not have the facility to accurately compare the signature on the back of the card to the signature obtained from the bearer of the card to determine that the signatures were made by one individual. Currently, conventional cards do not have a capability to provide the merchant with authentication of the identity of the bearer apart from comparing the signatures.
In light of these security risks, the use of portable payment processor devices (e.g. credit cards) by unauthorized bearers continues to present a difficult and costly problem for financial institutions.