Authentication of a holder of a financial account is typically performed by an issuer of the account at the time the account is opened. The authentication of the account holder for delivery of a subsequent service often relies on secret information shared between the account holder and the issuer.
A service provider other than the issuer may wish to offer to the account holder a service that involves access to the account. For example, the service provider may wish to provide a service that allows the account holder to check the account balance via mobile commerce, or may wish to provide a service that allows the account holder to make payments from the account for purchases made over the Internet. In order to reduce the likelihood of fraud, the service provider needs to authenticate an applicant for its service as the rightful holder of the account, but the service provider may not have access to the secret information shared between the account holder and the account issuer.
Previous methods of authenticating an applicant by a provider other than the issuer have required the service provider to learn some of the secret information from the issuer, thereby undesirably proliferating the account holder's secret information.