1. Field of Invention
Embodiments of the invention generally relate to apparatus, systems and methods for identification, in particular, apparatus, systems and methods for identifying an entity for computer and/or network security, secure authorization of a payment or for funds transfer and for selectively granting privileges and providing other services in response to such identifications. In addition, embodiments of the invention relate generally to apparatus, systems and methods for the communication of information between a mobile user-device and a point-of-sale device to securely provide authorization for a financial transaction.
2. Discussion of Related Art
Millions of financial transactions are conducted daily using electronic systems. Many of these are conducted using traditional magnetic stripe readers while others are conducted using smart-cards, mobile phones or other handheld electronic devices. However, these prior approaches all require that an account number (bank account number, credit card account number, debit card account number, etc.) be provided to authorize the transaction. Because a thief with access to an account number poses a significant financial risk and risk of identity theft, financial service providers go to great efforts to try to communicate the account numbers securely when conducting these transactions.
In addition, electronic transactions often require that a user provide information that uniquely identifies the user to allow financial information or other personal information to be used in completing the transaction. This user-identification is generally static-information, that is, the information does not change over time, for example, user names and/or passwords. In addition, the user-identification information uniquely identifies the user. As a result of the well documented risk posed by identity theft, business entities spend enormous amounts of time, effort and money to protect this static user-identity information. The approaches implemented by business entities include using secure networks to transmit the user-identity information, and alternatively or in combination with the preceding, using various forms of encryption to protect the user-identity information from electronic-eavesdroppers. Regardless, each of these prior approach results in the transmission of the highly-sensitive user-identity information.
Further, traditional approaches to identity authentication rely on a verification process. That is, the authenticator receives static user-identity information along with other information such as a time (or event)-varying code. The authenticator employs the user-identity information to establish the user that the entity purports to be. The authenticator then employs the other information to determine whether that information authenticates that the entity is who they purport to be. Such approaches can include multi-factor authentication in which the entity provides the authenticator with information including evidence of one or more of something the user is (for example, a biometric), something the user knows (for example, a PIN); or something the user possesses (for example, a token). In this example, static information (for example, a user name or password) is used to verify the identity of the user to locate the other information (for example, any of biometric data, the user's PIN and/or a seed associated with the token) concerning the user which is stored by the authenticator. With a proprietary algorithm and the current time, the authenticator generates a non-predictable code using the other information that is associated with the user. The authenticator then determines whether the time-varying code received from the user is the same as that generated by the authenticator.
That is, some existing token technologies use a verification process that requires the user to supply a remote authentication system with a unique static index such as a user name or email address. This static information is used to retrieve the user's file, including a secret seed. With a proprietary algorithm and current time, that seed generates the expected unpredictable code. If the user sends the same code, the possession of the token is “VERIFIED.” With today's powerful computers, it is possible to electronically eavesdrop or otherwise obtain a series of a particular user's codes at different times, and then reverse engineer the algorithm, and unique seed to counterfeit a token.
As mentioned above, however, the preceding approaches must begin with the entity providing the authenticator with the user-identity of the user that the entity purports to be. The security of these approaches can be breached because each requires the communication of the static identifying information. For example, today's powerful computers can be used by an electronic eavesdropper to reverse engineer the algorithm and the seed based on a series of intercepted time-varying codes generated for a particular user. Such an attack would then allow the eavesdropper to counterfeit the user's token.
Because of the previously described shortcomings of current approaches, improved identity-authentication is needed to provide sufficient security in view of the processing power of today's computers and the sophistication of today's eavesdroppers.