Authenticating the identity of customers, and thereby protecting customer information, is of paramount importance in Internet-based financial services and the banking industry. The Internet has provided users with access to real-time electronic transactions, transferring funds between linked accounts or to other parties. However, such global access leaves systems susceptible to fraud and identity theft.
There are a number of ways financial institutions employ customer authentication for access to Internet-based services. For example, a simple user name and password/PIN are entered into a front-end interface. More recently, technologies such as digital certificates, smart cards and one-time passwords have been used to add security levels to authentication techniques.
Single-factor authentication acting as the only control mechanism for high-risk transactions is considered inadequate. Internet-based financial services therefore need to provide effective and reliable methods of authentication to safeguard customer information.
Financial services may involve a number of applications available to the user, spread over a number of controlling departments. For example, credit services may be distinct from investment services and employ different application environments. Accordingly, a level of convenience for the user is required to access multiple applications, while providing a suitable level of security corresponding to the risk of desired transactions.
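The preceding paragraphs make two points: a single factor is inadequate for high-risk transactions, and the strength of authentication should match the risk of the requested transaction. The following is an added example, not code from the patent or any system it describes, of a small risk-tiered authorisation policy. The risk tiers, the amount threshold, the factor categories and the sample credentials are all constructed assumptions. It also makes one point the text leaves implicit: two credentials of the same category (a password plus a PIN) still count as a single factor, because both are "something you know".

```python
"""Risk-tiered step-up authentication policy (added example, constructed values)."""
from dataclasses import dataclass, field
from enum import Enum


class FactorType(Enum):
    """The three classical authentication factor categories."""
    KNOWLEDGE = "something you know"    # password, PIN
    POSSESSION = "something you have"   # one-time password token, smart card, certificate
    INHERENCE = "something you are"     # biometric


@dataclass(frozen=True)
class Factor:
    kind: FactorType
    method: str  # descriptive label only, e.g. "password", "otp"


# Constructed policy (assumption): per risk tier, how many *distinct* factor
# categories are required and whether a possession factor is mandatory.
POLICY = {
    "low":    {"distinct": 1, "require_possession": False},
    "medium": {"distinct": 2, "require_possession": False},
    "high":   {"distinct": 2, "require_possession": True},
}
HIGH_VALUE_THRESHOLD = 1000.0  # assumed amount above which a transfer is high risk


def classify_risk(action: str, amount: float = 0.0, external_payee: bool = False) -> str:
    """Map a requested transaction to a risk tier using constructed rules:
    viewing data is low risk, transfers between linked accounts are medium,
    transfers to other parties or above the threshold are high."""
    if action == "view":
        return "low"
    if action == "transfer":
        if external_payee or amount >= HIGH_VALUE_THRESHOLD:
            return "high"
        return "medium"
    raise ValueError(f"unknown action: {action}")


@dataclass
class Decision:
    tier: str
    allowed: bool
    reasons: list = field(default_factory=list)  # why step-up is required, if it is


def authorise(action: str, factors, amount: float = 0.0, external_payee: bool = False) -> Decision:
    """Decide whether the presented factors satisfy the policy for this transaction."""
    tier = classify_risk(action, amount, external_payee)
    rule = POLICY[tier]
    # A set of categories, not a count of credentials: password + PIN collapse to one.
    kinds = {f.kind for f in factors}
    reasons = []
    if len(kinds) < rule["distinct"]:
        reasons.append(f"need {rule['distinct']} distinct factor categories, have {len(kinds)}")
    if rule["require_possession"] and FactorType.POSSESSION not in kinds:
        reasons.append("possession factor required for high-risk transaction")
    return Decision(tier, allowed=not reasons, reasons=reasons)


if __name__ == "__main__":
    # Constructed sample credentials.
    pw = Factor(FactorType.KNOWLEDGE, "password")
    pin = Factor(FactorType.KNOWLEDGE, "pin")
    otp = Factor(FactorType.POSSESSION, "otp")
    print(authorise("view", [pw]))                         # low tier, allowed
    print(authorise("transfer", [pw, pin], 5000.0, True))  # high tier, denied: same category twice
    print(authorise("transfer", [pw, otp], 5000.0, True))  # high tier, allowed
```

The `reasons` list is what a front-end would use to prompt for the missing factor rather than simply rejecting the request, which is the step-up behaviour the paragraph above calls for: convenient access to low-risk functions, stronger authentication only when the transaction warrants it.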
Reduced or single sign-on (SSO) services have been developed to manage authentication of users wishing to access secure applications. SSO services provide the advantage of a single authentication to allow a user to gain access to multiple resources. One example of an SSO service is discussed in US Patent Publication No. 2004/0163087 assigned to the present applicant.
In one form of SSO system there is included a client application installed on a user workstation. Such an application is conventionally installed, whether from local portable storage media or over a secure network connection to a local network server, by adding a persistent program to the menu of applications programs accessible by the workstation's operating system.
However, security issues are a concern for SSO services. Some organisations are disinclined to distribute single sign-on client applications for installation on a remote user workstation in an uncontrolled environment. A home office computing environment, for example, may not be as well protected from external security threats as an office workstation coupled to a fire-walled corporate network. A highly mobile user may further wish to have a reduced or single sign-on capability from a communal computer workstation, such as one provided in a hotel business centre or Internet cafe. Installation of persistent client applications on a communal or shared workstation is generally not possible, or at least highly undesirable.
In an alternative arrangement, a web browser application can be used to access a financial services web site when the workstation is coupled to the Internet. Where the web site incorporates a web portal provided by a back-end portal server, the portal can display information to the user in a consolidated form. The portal server can achieve this by authenticating the user to the secure application on behalf of the user. Thus the single sign-on process occurs between the back-end server and the secure application. However, this arrangement does not address the issue of providing initial secure access to the portal server via the user's web browser application, and still only provides a single-factor authentication process.
Some prior SSO systems, not necessarily adapted for authentication with Internet-based financial services, are described below.
The disclosure in US 2003/0105981 (Miller et al.) is concerned with a single sign on system, wherein credentials from a first computer system are placed on a client and used by a second computer system to effectively impersonate the client to the first system for validation purposes. When the first system confirms the validity of the credentials, the second system uses that validation to grant access to the client machine. In one embodiment discussed in Miller, the first system is a central logon server and the second system is a target application server that relies on a token generated by the first system. Miller requires that the client machine provide a service-independent credential/token to the target application system. However, the credential/token is not related to the application credentials; rather, it is associated with another trusted system, which requires the second system to communicate with the first system to validate the credential/token.
In a manner similar to web portal single sign-on services, in terminal server configurations such as Microsoft Terminal Server™ and Citrix Metaframe™ or equivalents, many existing SSO solutions run on the terminal server rather than on the remote workstation. Because of this configuration, these solutions are limited to providing SSO services to applications running in the terminal server environment and do nothing to provide SSO to applications run on the user's workstation.
The disclosure in US 2004/0003081 (Microsoft) is concerned with a single sign on system, wherein a single sign on server receives a request for the client's credentials from a computer program, determines whether the client's credentials are stored in a database, and sends the client's credentials from the database to the computer program. The Microsoft arrangement requires the single sign on server to present the client credentials authorizing access to the application directly to the target computer program, so that the SSO engine is on the server rather than on the client machine.
The disclosure in US 2004/0250118 (IBM) is concerned with an access portal server that provides a front-end to a set of target applications, providing a single point of authentication for all of the target applications. The access portal server incorporates an SSO engine that provides application credentials to a target application after the target application is selected, and then transfers the authenticated target application session from the access server to the client machine. The IBM arrangement requires the access server to present the application credentials to the target application directly where, again, the SSO engine is on the server instead of on the client machine.
A further problem with SSO solutions exists when credentials for accessing secure applications hosted by backend systems must be reset or changed. Ordinarily, resetting or changing a credential involves entering the normal interface of the backend system, resetting or changing the password or other credential there, and then accessing the SSO interface and storing the new credential in the SSO system. This procedure is both time consuming and error prone.
The disclosure in US 2003/0188193 (IBM) is concerned with a single sign on system, wherein credentials from a first system are placed on a client and used by a second system to impersonate the client to the first system. When the first system confirms the validity of the credentials, the second system uses that validation to grant access to the client. In one described embodiment utilizing Kerberos authentication, the first system is a central logon server and the second system is a target application server that relies on a token generated by the first system. This arrangement requires the client to provide a service-independent credential/token to the target application system, limiting the invention to cases in which the credential/token is not related to the application credentials themselves but is associated with another trusted system, and further to cases in which the second system communicates with the first system to validate the credential/token.
The reference to any prior art in this specification is not, and should not be taken as, an acknowledgement or any form of suggestion that the referenced prior art forms part of the common general knowledge in Australia.
The present invention advantageously provides an alternative to existing arrangements for providing remote secure access to Internet-based financial services. The system and method according to certain embodiments of the present invention may advantageously be used to address at least some of the drawbacks of prior services of the background art.