1. Field of the Invention
The present invention is in the field of Internet navigation including various communication means and connection technologies and pertains to systems and methods enabling Web authentication of users by proxy for gathering summary data and authorizing Web transactions.
2. Discussion of the State of the Art
In the field of Internet communications, particularly Web browsing activities, it is known that proxy servers exist and that a proxy service may perform tasks on behalf of a subscribing user, and may present the information to that user at some point in time that is convenient for the user. The inventor is aware of a service that aggregates data from one or more Web sites submitted by the user for the purpose, and can summarize the data for the user before presenting it or otherwise making the summary presentation available to the user. The service is accessible through a portal server functioning as a proxy or go-between. The server has software installed and configured to do summary searches based on Internet destinations and instructions provided by the subscribers. Information is retrieved from such destinations based on pre-programmed site information. The summary data can be accessed at the server or downloaded to the user's personal device for consumption.
The software that enables the service includes a configuration and initiation interface for a subscriber to set up and start a summary search. In some cases retrieved information is immediately sent to the subscriber's personal device, and in other situations such information is saved at the portal server to be retrieved by a subscriber at a later time, or in some cases pushed to the subscriber at specified times. In preferred embodiments of the invention automatic logins are accomplished for a subscriber at Internet destinations by use of pre-stored configuration information and user authentication credentials.
The subscribing user pre-provides the login data to the service in association with any site that requires the information. The service, using the appropriate site login data, represents the user to the user's subscribed-to Web sites and services. Using this service saves the user from having to remember and repeatedly type in authentication data to get information from their Web locations.
More recently, security regimens have been developed to elevate the level of security provided over the traditional username/personal identification number or password combination login credentials. One improvement is the advent of hardware or software Web token generators that are often used in conjunction with traditional authentication elements to authenticate a user. For example, a Web-based account or service may require the user to log in and provide, in addition to normal user credentials, a token that changes in value, say every 60 seconds. One popular method is to provide a hardware token generator that provides a unique token value at predictable intervals such as every 60 seconds. The hardware may be provided in the form of a universal serial bus (USB) device, for example. Soft token generators are also available for handheld devices like personal digital assistants and cell phones. The server accepting the token has prior information as to which token number value should be current for a particular user, based on the time intervals, and can perform a database lookup to compare a received token with the expected token and then determine whether to grant access based on the results of the lookup.
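The server-side check described above can be sketched as follows. This is an added example, not part of the original text: it derives the expected token from a per-user shared secret with HMAC (the RFC 4226/6238 construction) instead of the database lookup the text mentions, and the 6-digit length, one-interval drift allowance, replay guard and all names are assumptions.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60  # token lifetime used in the text
DIGITS = 6         # assumed token length


def token_for_interval(secret: bytes, counter: int) -> str:
    """Token for one time interval (HOTP truncation, RFC 4226)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


class TokenVerifier:
    """Server side: holds each user's secret, so it knows the current token."""

    def __init__(self, secrets: dict, drift_steps: int = 1):
        self.secrets = secrets          # user -> shared secret (bytes)
        self.drift_steps = drift_steps  # tolerated clock drift, in intervals
        self.last_used = {}             # user -> newest interval accepted

    def verify(self, user: str, token: str, now: float) -> bool:
        secret = self.secrets.get(user)
        if secret is None:
            return False
        current = int(now) // STEP_SECONDS
        first = current - self.drift_steps
        last = current + self.drift_steps
        for counter in range(first, last + 1):
            if counter <= self.last_used.get(user, -1):
                continue  # interval already consumed: a replayed token fails
            expected = token_for_interval(secret, counter)
            # Constant-time comparison avoids leaking matching digits.
            if hmac.compare_digest(expected.encode(), token.encode()):
                self.last_used[user] = counter
                return True
        return False
```

Because a token is accepted only inside its own interval and only once, a value stored alongside a username and password is useless on any later login attempt.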
Another relatively new development is CAPTCHA, which is an acronym for Completely Automated Public Turing Test to tell Computers and Humans Apart. CAPTCHA is a challenge/response test used in network computing to determine whether a requester of services is in fact human or a machine attempting to emulate a human. A server may be configured to initiate the CAPTCHA whenever a request for services is received. The test involves having the requester look at a distorted character display and then type the correct sequence of characters into a provided input field associated with the display. The data received back at the server authenticates the requester as human if the information is correct. Otherwise the requester is a machine that might be a malicious operator on the network.
Both of the developments described above present a challenge for automated data aggregation and summary services. Because the Web-site access, authentication (if required) and data gathering are performed by software operating on a machine, that software cannot complete automated proxy logins if CAPTCHA is required to gain access or to perform a transaction. In the case of time-sensitive tokens, the software described further above has no way of inputting or utilizing the unique user token data without the user's direct input.
In examples and descriptions that follow, two-factor authentication is to be understood as follows. There are typically three universally recognized factors for authenticating individuals: (1) Something a person knows, such as a password, a PIN or an out-of-wallet response. (2) Something a person has, such as a mobile phone, a credit card or a hardware security token. (3) Something a person is, such as represented by a fingerprint, by a retinal scan, or by some other biometric.
A system is said to leverage two-factor authentication (T-FA, or dual factor authentication) when it requires at least two of the authentication factors mentioned above. This contrasts with traditional password authentication, which requires only one authentication factor (such as knowledge of a password) in order to gain access to a system.