The field of the disclosure relates generally to a payment network for processing payment transactions between an authentic user and a merchant, and more specifically, to a method and system for leveraging transaction data associated with the payment transactions to authenticate a candidate user of a computing device.
Service providers, such as merchants, banks, and/or government agencies, often need to authenticate the identity of a candidate user (i.e., an unauthenticated person claiming to be the authentic user) before allowing the candidate user to access services and systems offered by the service provider. For example, a bank may require authentication, such as identity verification, prior to allowing the candidate user to access bank statements and/or transfer funds. However, authentication of a candidate user that is remotely accessing the service provider through a user computing device can be problematic.
More specifically, previously known computing systems authenticate candidate users based on static security measures provided by, or to, an authentic user for security purposes. Static security measures include, for example, passwords, PIN numbers, security questions, and the like. In such known systems, the candidate user is authenticated by providing the static security measure to the service provider along with a username or other identifier. However, static security measures have some inherent drawbacks. Specifically, strong static security measures (e.g., passwords that are difficult to guess by brute force) tend to be complicated and/or difficult for ordinary users to remember. In addition, many users utilize the same security measure for a plurality of service providers. As such, once a security measure is overcome for a single service provider, the user's secure data and services may be compromised for any number of service providers.
More recently, known authentication systems have authenticated candidate users based on other information, such as a current address of the user. However, in some instances the other information, such as the current address of the user, is easily accessible over the internet, in a telephone book, or through other publicly available resources. Further, such known authentication systems generally use information that is changed very infrequently, providing limited protection. Accordingly, there is a need in the art for authentication systems that use dynamic knowledge that is not generally available to, or shared with, the public.