1. Technical Field
Embodiments of the present invention generally relate to secure communications initiated from a consumer electronic device and, more particularly, to authenticating a user and the device for purposes of communications initiated from the device and needing security, such as purchases and financial transactions.
2. Related Art
In direct (face-to-face) or online financial transactions, customers may search for and purchase products and/or services from a merchant. In the case of online shopping, transactions are conducted through electronic communications with online merchants over electronic networks. A variety of electronic devices and various electronic techniques may be used to conduct such electronic transactions. Methods of initiating or making financial transactions from an electronic device include, for example, SMS (Short Message Service), radio frequency identification (RFID) or near field communication (NFC) at a point-of-sale (POS), and mobile Internet-based payments, by which customers search for and purchase products and services through electronic communications with online merchants over electronic networks such as the Internet. Such electronic transactions may be conducted via wireless communication, also referred to as “over-the-air” (OTA) communication, which may include ordinary (e.g., longer distance) radio frequency (RF) communication; mid-range communication such as Wi-Fi or Bluetooth; or short-range RFID or NFC (for communication over a distance that is typically less than about 4 inches). Such transactions may be conducted, for example, with a cell phone using the cell phone's normal RF communication or using NFC if the cell phone is NFC-enabled. Other mobile devices, in addition to cell phones, that may provide OTA communication for facilitating such transactions may include, for example, radio frequency-enabled credit and debit cards, key fobs, mobile Internet devices, consumer electronics (for example, but not limited to, a contactless and proximity enabled personal computer (PC) or laptop), and contactless and proximity enabled personal digital assistants (PDAs).
When conducting secure communications, such as financial transactions, via any kind of consumer electronic device (CED), security is generally an issue because the data transferred may typically include credit card and financial instrument information (for example, a user name, an account number, a PIN, or a password) that is susceptible to abuse such as theft or malicious attack. Thus, a central issue with consumer electronic devices, such as a personal computer (PC), a laptop, a mobile phone, an NFC-enabled mobile device, or other CEDs, is the need for authentication of the device and its user for secure communications.
Authentication is a fundamentally difficult and important problem to solve. Authentication is based, first, on identification. Identification may be based on the identifying materials that an entity presents to establish who an entity is, for example, an identification (ID) card with a picture or image of the entity. Such presenting of identifying materials to establish identity is usually called an “identity claim.” Subsequent to identification is authentication. Authentication usually includes a process of proving whether the identity claim asserted by the identified entity is true or not. For comparison, identification may include the “presentation” of identification material, whereas authentication is the assertion—the act that happens—usually in the form of verification. For the ID card image example, the authenticator may compare the ID card image to the actual appearance of the person, and if the actual appearance matches the image to within a degree of certainty, then the authenticator may make a decision—e.g., “yes, the person is who she claims she is”—or if the appearance does not match to within the required degree of certainty, then the authenticator may make a different decision—e.g., “no, permission is not granted or alternative authentication is required.”