Improving the security of online and other remote transactions is very important to limit access to authorized personnel, for example when accessing high-security documents or when purchasing an item with a business or personal account. Both parties in any such transaction need to be certain that only authorized personnel can participate in the transaction, in order to prevent identity theft or improper actions. While it is known to use a username/password to authenticate a remote user, passwords can be inferred or stolen from authorized personnel and used to assume the identity of an authorized person.
U.S. Pat. No. 6,880,079 to Kefford discusses a method for sending a message to a trusted recipient by sending an encrypted reply to a mobile device. The trusted recipient who wishes to read the reply must first have control of the mobile device, and must also have a key to decrypt the encrypted reply. Kefford, however, does not appear to allow the system to verify the trusted recipient.
U.S. pat. publ. no. 2009/0235339 to Mennes et al. (publ. September 2009) teaches a method of authenticating a trusted recipient by providing a recipient with a one-time security token through a trusted device that the trusted recipient must use in order to gain access to the system. However, Mennes fails to consider a situation where the trusted device itself has been stolen or otherwise compromised.
These systems can also be problematic where an unauthorized user steals a user's mobile device and attempts to use it to send replies to, and receive replies from, the system. In such circumstances, the systems fail to protect the user even though the responses are encrypted. In addition, the use of security tokens has myriad problems where an unauthorized user can simply steal the user's security token to gain access to the system.
Therefore, there remains a need for improved systems and methods for verifying an identity of a trusted user prior to a transaction using a message authentication system.