As more and more people begin to own computing communication devices, such as cellular phones, smart phones, tablet computers, smart watches, etc., new functions, applications, and utilities are being developed for these devices to take advantage of better technologies and the large and increasing user base. However, due to the ease with which such devices may be lost, stolen, or misplaced, ensuring that the user of a computing device is authentic when performing sensitive actions, such as conducting a payment transaction or managing private information, is of great importance. Similarly, many entities, such as payment networks, financial institutions, insurance companies, etc., may also have a desire to be assured that the computing device itself is authentic, such as to prevent the use of a cloned or tampered-with application program or device.
Some methods have been developed to authenticate a user of a computing device or the computing device itself. For instance, one method includes the use of a one-time password provided by an entity requesting the authentication. For example, a financial institution may e-mail a user a confirmation code to be input into the computing device, to ensure that the user is who they claim to be. However, if such codes are only used occasionally, there is a risk that actions performed in between confirmations may be fraudulent. Conversely, if such codes are used every time an action is performed, it may require the user to be at a location where the code may be received, which may inconvenience the user, or the user may use a different application on the computing device to receive the code, which may defeat the purpose of using the code.
Another method for authenticating a user includes the input of a personal identification number (PIN) by the user in the application program each time an action is performed. The PIN is then sent back to a server, such as at a payment network or financial institution, and verified. However, in such methods, the computing device does not verify that the entity requesting the PIN is a valid entity, and thus may be subject to fraudulent requests. Similarly, the use of a single communication channel to communicate with the entity may result in a higher chance of the communication being compromised.
Thus, to address at least these technical problems as well as others, there is a need for a technical solution in the form of a method for authenticating a computing device that ensures authentication of both the device and the server performing the authentication, and that uses more than one communication channel for a stronger, more effective authentication process.