1. Technical Field
The present disclosure relates generally to biometric systems and access control, and more particularly, to mobile device-based authentication in connection with secure transactions.
2. Related Art
The recognition of private property interests in general necessarily implicates the division of individuals into those with access, and those without access. Commensurate with the perceived and/or actual values of the property interests, security protocols must be established to ensure that authorized individuals readily have access, while unauthorized individuals are not, no matter what attacks and bypass attempts are made.
In the simplest context, one private property interest may be in a physical facility, and access to the inside may be safeguarded by a keyed mechanical lock on a door. The owner of the physical facility, along with any other individuals granted access thereby, may possess a key that unlocks the mechanical lock to open the door. Any other unauthorized individual who does not have the key will be unable to unlock the mechanical lock. The mechanical lock, of course, may be bypassed in any number of different ways, including picking the lock, destroying the lock and the door altogether, or by pilfering the key from the authorized individuals. To prevent unauthorized access despite such possible bypass attempts, the complexity of the lock may be increased, the strength of the lock and the door may be bolstered, and so forth. Increasingly sophisticated attacks may defeat these further safeguards, so security remains an ever-evolving field.
A property interest may also lie in an individual's bank accounts, credit card accounts, retail installment accounts, utilities accounts, or any other resource that is frequently encountered and used in modern day life, access to which must be properly limited by security systems. In many cases, these resources or property interests can be accessed electronically, and there are conventional security systems and devices that are currently in use. For example, access to monetary funds in a bank account may be possible via an automated teller machine (ATM). Before disbursing any funds, the bank (and hence the ATM) must ensure that the requestor is, indeed, who he asserts to be.
There are a variety of known techniques to authenticate, or verify, the identity of the requestor. Authentication may utilize one or more factors, which include something the requestor knows, something the requestor has, and something the requestor is. Most often, only one, or at most two factors are utilized because of the added cost and complexity of implementing additional authentication factors. In the ATM example, the ATM card with basic accountholder information encoded thereon is one factor (something the requestor has), and access to the account is granted only upon the successful validation of a corresponding personal identification number (PIN, or something the requestor knows). Conventional banking services are also accessible online through the Internet, and while most financial-related web services have additional security measures, access to some other less critical web services may be protected only with an account name and a password constituting a single factor (something the requestor/user knows).
The secret nature of passwords and PINs, at least in theory, is intended to prevent unauthorized access. In practice, this technique is ineffective because the authorized users oftentimes mistakenly and unwittingly reveal their passwords or PINs to an unauthorized user. Furthermore, brute-force techniques involving the entry of every combination of letters, numbers, and symbols, as well as dictionary-based techniques, may further compromise the effectiveness of such authentication systems. Because passwords and PINs must be memorized, users often choose words that are easier to remember, making it more susceptible to defeat by means of dictionary attacks. On the other hand, the more complex the passwords are required to be, and hence more difficult to remember, the more likely that the password will be written on something easily accessible, for both the legitimate and malicious user, in the vicinity of the computer. The usability of the PIN or password is an increasing concern due to the number of services that employ such security modalities.
As briefly mentioned above, various hardware devices may be employed as a second authentication factor. These include simple magnetic strip encoded cards such as the aforementioned ATM card, as well as radio frequency identification (RFID) devices, both of which require specific readers at the point of access. Greater levels of protection are possible with sophisticated tokens that generate unique codes or one-time passwords that are provided in conjunction with a first authentication factor. However, token devices are expensive to license, expensive to maintain, and cumbersome for the user to carry. As with any diminutive device, tokens are easy to lose, especially when it represents yet another addition to the clutter of items that must be managed and carried on the person on a daily basis; many individuals already have enough difficulty keeping track of keys, wallets, and mobile phones.
Acknowledging that the conventional mobile phone is ubiquitous and is kept readily accessible, such devices may also be employed as a second hardware authentication factor. Prior to accessing an online service, a one-time password may be sent to the mobile phone, the number for which is pre-registered with the service, as a Short Message Service (SMS) text message. Access is authorized when the same text message sent to the mobile phone is re-entered to the service.
Much functionality is converging upon the mobile phone, particularly those full-featured variants that have substantial computing resources for accessing the web, run various software applications, and so forth, which are referred to in the art as a smart phone. For instance, credit card payments and the act of physically presenting the physical card itself may be replaced with a software application running on the smart phone. The application may be in communication with a point of sale (POS) terminal via a modality such as Near Field Communication (NFC) or Bluetooth low energy, and transmits credit card payment information, such as credit card number, expiration date, billing ZIP code, and other such verification information. The POS terminal may then complete the payment process with the received information. Domestically, services such as Google Wallet are in existence and progressing toward widespread deployment. Besides NFC and Bluetooth low energy, it is possible to utilize RFID (Radio Frequency Identification) type devices that are encoded with the aforementioned data.
As an additional authentication measure, a third factor utilizes unique biometric attributes of a person such as fingerprints, retinal and facial patterns, voice characteristics, and handwriting patterns. Although prior biometric systems were challenging to implement because of the high costs associated with accurate reader devices and database systems for storing and quickly retrieving enrollment data, the increasing demand for biometrics-based security has resulted in the development of substantially improved reader devices, and user interfaces and back-end systems therefor. Currently there are fingerprint reader peripheral devices that are connective to a Universal Serial Bus (USB) port on personal computer system, and restrict access without providing a valid, enrolled fingerprint. Mobile devices may also be incorporated with biometric readers, and front-facing video cameras such as those already existing in smart phones such as the Apple iPhone may be utilized for facial recognition.
As noted above, there are divergent proposals for solving the issue of authenticating a user of remote service resources and ensuring that the user is, indeed, who he asserts he is. Thus there is a need in the art for an improved mobile device-based authentication in connection with secure transactions.