Many services require credentials to be provided to authenticate a user's identity before access is provided. For example, in order to access banking services via an automated teller machine, a bank ATM card serves as a first credential and a personal identification number (“PIN”) punched in upon being prompted serves as a second credential. Because the user is required to possess a strong credential, such as a bank ATM card, the second credential can be weaker. The first credential is only provided to the registered user, and the second credential, the PIN, which is also provided to the user separately, authenticates that the person in possession of the card is, in fact, the registered user. Together, the two credentials form a strong form of authentication of identity.
A similar system does not exist for providing services via a web interface for all mobile devices without requiring additional software to be installed on either the mobile device or the subscriber identification module (“SIM”).
For purposes of the discussion hereinbelow, mobile devices include mobile telephones, personal digital assistants, and other portable computing devices that have a network communications interface and messaging capabilities associated with a mobile device identifier, such as a telephone number or the like.
There do exist, however, systems for controlling access via mobile devices to web pages that can contain sensitive information or that provide control over accounts, etc., without requiring the installation of additional software on the mobile device or the SIM. When users of mobile devices wish to access web-based services, they open a mobile web browser on the mobile device and either type in the address of a web site or select a bookmarked address for the web site. For many users, such a process can be confusing, as they do not access this functionality on their mobile devices frequently or as often as other functionality thereof. Further, the entering of a web site address on their mobile device can be difficult, let alone the bookmarking of the web site once the address is entered. Upon hitting “go”, the mobile web browser generates a request that is forwarded to the identified address. The request includes the Internet protocol (“IP”) address of the mobile device and the page requested. The IP address of the mobile device is generally randomly assigned by the cellular communications provider and cannot, by itself, be relied on to independently authenticate a user. Any information identifying the mobile device's hardware is not passed on. The user is then prompted for login credentials, typically a login name and password. This approach can be problematic for a number of reasons. It requires that the user remember both pieces of information. As a result, many users select easily-remembered and/or short login credentials that are relatively vulnerable to attack. In addition, the input of the login name can be difficult using the input interface of the mobile device. Many mobile devices only have a standard numeric keypad and not an alphanumeric one, and thus require a user to use a multi-tap system or the like to enter alphabetic characters. As will be appreciated, this is onerous.
Further, it can be relatively easy for another person to obtain the user's login credentials.
Another approach is to use the number of a bank card or the like as a credential, which resolves the issue of remembering strong credentials. This, however, presents a new issue in that the card must be retrieved by the user from his wallet. Additionally, as bank card numbers are generally quite long (e.g., 16 digits), their entry can be onerous using the input interface of a mobile device. Further, as possession of the bank card number is sufficient, and actual possession of the bank card is not required, this approach provides relatively weak authentication.
In other scenarios, only relatively weak authentication is required for an application, yet even this requires the user to enter one or more login credentials.
It is an object of this invention to provide a novel method and system for authenticating a user of a mobile device.