Today most business transactions, or parts of them, are performed electronically. A potentially vulnerable and complicated aspect of processing and/or performing an electronic transaction is identifying the user electronically as the authorized user. To authenticate the originator of an electronic transaction, many devices use input terminals as authenticating user interfaces into a business system, with one of the most common being a credit card transaction. To identify the user at automated teller machines (ATM), the user typically employs a touch screen device to key in their personal identification number (PIN) in conjunction with a swipe card entered into the machine. In this manner both the swipe card and the PIN work in conjunction to authenticate the user at the terminal. These are just two of many examples of how authorizations may be accomplished to guarantee the authenticity of the owner of the transaction.
A sufficiently high level of security has not been achieved despite the long-felt need and motivation to try. Credit cards, debit cards, and bank cards, for instance, are still relatively vulnerable to theft, which leaves the owner vulnerable to financial theft. Further, when passwords are used in conjunction with cards, additional vulnerabilities may be introduced into the transactions, such as the poor choice of a user-defined password, stolen passwords, lost passwords or situations in which the user exposes the password to an unauthorized party. Handwritten signatures of the users are often used in credit card transactions, but they are vulnerable to manual and electronic copying.
The industry has long recognized the need to try to reduce the level of risk or vulnerability which is inherent in secondary devices such as biometric devices (fingerprint and retinal scanners, etc.), thus requiring the user to authenticate via redundant and varied means. However, these methods tend to be onerous and intrusive to the user and non-adaptive to any changes in the biometric signature. These prior attempts teach away from this invention.
A less intrusive and more adaptable means of recording an identifiable signature of the user is to monitor or additionally monitor the behaviormetrics of the user at the input terminal. Behaviormetrics may, for example, pertain to how the user interacts with the input terminal, or acts or reacts while being observed by a camera or photo image device at or near the input terminal. The behaviors that may be observed and/or recorded may, for example, include the rhythm or timing of typing or input entry, the pressure applied during input, the location on the terminal where input is made, etc.
Behaviormetrics can be monitored and applied at any input terminal including keypads, mouse devices, touch screens, pen or stylus devices, etc. It is the statistical behavior of use that has been shown to be unique and identifiable for each user.
In an exemplary scenario in which an unauthorized party gains initial access under an authorized user's identity, the behaviormetrics of the unauthorized party expose them as a different person. Prior art focused on keystroke dynamics as the identifying behavior of the user, but a host of input devices are at the general disposal of lay users. A shortcoming of some of the prior art is that no adaptive mechanism has been established for changes in the keystroke behavior or changes in any biometric pattern. The prior art also uses techniques to authenticate the user that are computationally intensive on a large scale and therefore are less scalable than this invention, especially as utilized over such mediums as the World Wide Web or Internet.
Many devices and systems use a keypad, keyboard or similar terminal as a user interface to access the device or system. Keyboard terminals are generally hardware devices or user interfaces that emulate typewriters, but they are also keypads on cellular telephones, portable devices such as PDAs and touch screen devices, tablet computers, or other devices that use a touch screen for key entry. These types of devices with the user interfaces may, for example, be a computer or electronic machine that generally requires any type of input such as alphanumeric input, but keyboards are not restricted to having alphanumeric keys.
At the keypad, ATM, or keyboard, for example, statistical dynamics of the keyboard typing/entry are unique to the user, with some dynamics more unique or indicative of that user than others. Therefore, the dynamics of the authorized user's use of the input device provide a way of identifying a probability that the purported authorized user is in fact the authorized user. This dynamic use unique to or indicative of a particular person may also be referred to as a statistical signature of the authorized user at the human device interface. The ongoing dynamic use of the user interface such as the keypad, touch screen or X-Y device provides real time, continuous data which may be utilized to authenticate the user.
In either case, the attempted unauthorized access may be identified in a real time, continuous fashion, by embodiments of this invention. Prior art focused on the timing of the keystrokes as the identifying behavior of the user.
Identifying and knowing the user of a card or other input in a financial transaction is a very desirable aspect of financial transactions, especially remote financial transactions, for security and other reasons. The financial transaction input device, keypad, ATM or other, may preferably accurately define the current user of said computer or software application.
This invention provides for the authentication of a user via the input behavior of the authorized user, such as by keypad, touch screen, keyboard, or by the X-Y device movement or dynamics of the authorized user. Unlike other biometric devices, it is non-intrusive and adaptable to changes in the user's behavior. The keypad, touch screen, keyboard dynamics and/or X-Y device dynamics system provided by this invention is relatively scalable through the use of probability distribution representations, which in some examples or embodiments may scale relative to O(1) number of users in calculating the likelihood the user is the authorized user. Other implementations scale to n or n² number of users. Embodiments of this invention may also provide a means to notify security sentries and execute programmed actions upon a breach in security based on the keyboard dynamics.
Embodiments of this invention provide for the authentication of a user via the behaviormetrics of the user at the input device as a means of a signature to authorize electronic transactions. Unlike other biometric devices, embodiments of this invention may be non-intrusive and adaptable to changes in the user's behavior. These embodiments of this invention also do not require any additional hardware, since the behaviormetrics can be recorded on existing hardware interfaces. Unlike other implementations of behaviormetrics, embodiments of this invention are scalable through the use of probability tables, which scale relative to O(1) number of users in calculating the likelihood the user is the legitimate user. Other implementations scale to n or n² number of users. This invention also provides a means to notify security sentries and execute programmed actions upon a breach in security based on the keyboard dynamics.
An object of some embodiments of this invention is to provide a user authentication or identification system using data related to mouse dynamics to determine if it is probable that the data is indicative that the purported authorized user is actually the authorized user, based on the chosen data characteristic (which in some aspects of the invention may be like a signature) for the authorized user.
Probability distribution representations may be used in embodiments of this invention to identify if the purported or alleged authorized user or participant in the financial transaction is in fact the authorized user. Calculation and/or algorithms may be utilized to calculate the likelihood the alleged authorized user is the legitimate authorized user who has been authorized to access the system, account or device. The probability distribution representations provide a fast, adaptable and scalable mechanism for discerning legitimate users from illegitimate users. Embodiments of this invention may also provide a system to provide security alerts to, or notify, sentries when the system determines that it may be probable that the new or purported authorized user may not in fact be the authorized user. In some aspects of this invention, the security notification mechanism may provide a more proactive notification and security system to better secure the system to which it is being applied.
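The following is an added illustration of a per-user probability table over keystroke timing, with adaptive updating; it is not taken from the specification or any embodiment. The bin width, smoothing, decay factor, threshold, all function and class names, and the sample timings are assumptions made for the example.

```python
import math

BIN_MS, N_BINS, ALPHA = 40, 10, 1.0   # assumed bin width, bin count, smoothing

def bin_of(interval_ms):
    """Map an inter-key interval to a table bin; long pauses share the last bin."""
    return min(max(int(interval_ms // BIN_MS), 0), N_BINS - 1)

class TimingProfile:
    """One user's probability table over binned inter-key intervals."""
    def __init__(self):
        self.counts = [0.0] * N_BINS

    def update(self, intervals, decay=1.0):
        # decay < 1 ages older observations so the table follows gradual drift.
        # Feed it only sessions that were already accepted; otherwise an
        # impostor's input would pull the profile toward the impostor.
        self.counts = [c * decay for c in self.counts]
        for iv in intervals:
            self.counts[bin_of(iv)] += 1.0

    def prob(self, interval_ms):
        # Laplace smoothing keeps unseen bins above zero probability.
        total = sum(self.counts) + ALPHA * N_BINS
        return (self.counts[bin_of(interval_ms)] + ALPHA) / total

    def score(self, intervals):
        """Mean log-likelihood per interval; higher is closer to the profile."""
        return sum(math.log(self.prob(iv)) for iv in intervals) / len(intervals)

def check_session(profiles, claimed_user, intervals, threshold=-2.0):
    """Score against the claimed user's table only, so the cost does not grow
    with the number of enrolled users. Unknown users are rejected."""
    profile = profiles.get(claimed_user)
    if profile is None or not intervals:
        return False, float("-inf")
    s = profile.score(intervals)
    return s >= threshold, s

# Constructed sample timings in milliseconds (not measured data).
ENROLL = [118, 125, 131, 140, 122, 135, 128, 150,
          119, 133, 127, 142, 138, 121, 130, 126]
OWNER = [124, 137, 129, 117, 133, 141]      # same rhythm as enrollment
OTHER = [260, 310, 245, 290, 275, 330]      # a different typist
DRIFTED = [165, 172, 168, 181, 175, 170]    # owner after slowing down

if __name__ == "__main__":
    alice = TimingProfile()
    alice.update(ENROLL)
    profiles = {"alice": alice}
    print(check_session(profiles, "alice", OWNER))
    print(check_session(profiles, "alice", OTHER))
```

A session that fails the threshold is the point at which a deployment would raise the security notification described above, not necessarily block the transaction outright.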
It is an object of some embodiments of this invention to provide a system for determining which of a plurality of identifying data points provide better identification of an authorized user, user group or class of users.
While the invention was motivated in addressing some objectives, it is in no way so limited. The invention is only limited by the accompanying claims as literally worded, without interpretative or other limiting reference to the specification, and in accordance with the doctrine of equivalents.
Other objects, features, and advantages of this invention will appear from the specification, claims, and accompanying drawings which form a part hereof. In carrying out the objects of this invention, it is to be understood that its essential features are susceptible to change in design and structural arrangement, with only one practical and preferred embodiment being illustrated in the accompanying drawings, as required.