CN105556531A - Method and system for user authentication using out-of-band channel - Google Patents

Method and system for user authentication using out-of-band channel

Info

Publication number: CN105556531A
Authority: CN (China)
Prior art keywords: user, mobile communication, processing server, central processing, communication equipment
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN201480038231.XA
Other languages: Chinese (zh)
Inventor: 亚历山卓·加多提
Current Assignee: MPAYME Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: MPAYME Ltd
Priority date: 2013-07-03 (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date: 2014-07-03
Publication date: 2016-05-04

2014-07-03: Application filed by MPAYME Ltd
2016-05-04: Publication of CN105556531A
Current legal status: Pending

Abstract

A user authentication method, comprising: a central processing server generates encoded data, such as a QR code, from a randomly generated session code; a first client computing device presents the user with a login page containing the user authentication (QR) code; the user captures an image of the QR code with a second mobile communication device that is registered with the central processing server and paired with the user account, and that device sends the decoded QR-code data to the central processing server; the central processing server matches and confirms the decoded QR-code data against the session number; on a valid confirmation, the user enters his secure personal identification code, as required by the configuration of the mobile communication device, and it is sent to the central processing server for confirmation; on a valid confirmation, user authentication is complete.

Description

Translated from Chinese
Method and system for user authentication using out-of-band channel

Priority claim

Under 35 U.S.C. § 119, this application claims priority to U.S. Provisional Patent Application No. 61/842,386, filed July 3, 2013, the disclosure of which is incorporated herein by reference.

Cross-reference

This application is a continuation of U.S. Patent Application No. 13/602,197, filed September 2, 2012, the disclosure of which is incorporated herein by reference.

Technical field

The present invention relates to methods and systems for online user authentication, and more particularly to techniques for user authentication using out-of-band channels.

Background

Many online activities, such as online purchases and online payments that involve access to personal and protected information, require user authentication. The most common form of user authentication is a login with a user identifier and password. This form has a number of drawbacks, including forgotten passwords, stolen user identifiers and/or passwords, and passwords that are too simple, and so offers poor security. Other strong multi-factor authentication methods and systems have since been developed, but most cannot maintain strong security without sacrificing user convenience. There is therefore a need for an authentication method and system that supports strong security while requiring minimal effort from the user.

Summary of the invention

One objective of the present invention is to provide a method and system for online user authentication using a mobile communication device. Because the mobile communication device has been registered in advance with the user authentication system and uniquely identifies the authenticating user, it can serve as an out-of-band channel for user authentication. A further objective of the present invention is to provide a method and system that supports strong security while requiring the user to remember and provide only a single secure personal identification code for authentication.

In a preferred embodiment, the present invention can be deployed as an extension of the secure mobile payment system of U.S. Patent Application No. 13/602,197.

A preferred embodiment comprises: a central processing server accessible through a communication network such as the Internet; a plurality of users; mobile communication devices and client computing devices that can access the central processing server; and third-party computing processors that can access the central processing server.

In a preferred embodiment, the functions of the central processing server include user authentication and user account management, where each user account record contains the user identifier and authentication credentials, all stored securely in a database.

In a preferred embodiment, the central processing server includes multiple user interfaces that let users interact with it from a web browser application running on various computing devices and mobile communication devices. The central processing server also includes a server-side back-end application programming interface (API) for machine-to-machine integration, so that specially developed applications running on third-party computing processors can communicate with the central processing server. The functions of these user interfaces and the server-side back-end API include, but are not limited to: user authentication, user account management and online shopping performed by users; system administration performed by administrators; and online shopping lists, payments and end-to-end user management performed by users.

In a preferred embodiment, each mobile communication device is equipped with a camera or scanner for optical capture of computer-generated encoded data such as barcodes. In the present invention, the mobile communication device is configured to process the captured image of the encoded data and to exchange data with the central processing server in order to perform the functions described above, such as user authentication.

The central processing server with its database, user interfaces and server-side back-end API, together with the mobile communication devices running the secure mobile transaction mobile application, form the secure mobile transaction system. In the present invention, each user account in the secure mobile transaction system can be associated with only one mobile communication device at any given time.

In a preferred embodiment, a user who has registered and created a valid user account in the secure mobile transaction system can authenticate with the mobile communication device registered and paired in that system in order to access a protected third-party application, such as a third-party website served by a third-party processing server, or one or more protected user interfaces served by the central processing server. The user authentication method comprises: the central processing server generates encoded data, such as a QR code, from a randomly generated session code; a first mobile communication device or first client computing device presents the user with a login page containing the user-authentication QR code; the user captures an image of the QR code with a second mobile communication device that is registered with the central processing server and paired with the user account, and that device sends the decoded QR-code data to the central processing server; the central processing server matches the decoded QR-code data against the session number; on a valid match, the user enters the secure personal identification code on the second mobile communication device, which sends it to the central processing server for verification; on a valid verification, user authentication is complete.

Brief description of the drawings

Embodiments of the present invention are further described below with reference to the accompanying drawings, in which:

Fig. 1 is a functional block diagram of a secure mobile transaction system in one embodiment of the present invention;

Fig. 2 is a flow chart of using the secure mobile transaction system in one embodiment of the present invention;

Fig. 3 shows the user interfaces displayed during user authentication with the secure mobile transaction system in one embodiment of the present invention.

Detailed description

The following description presents, by way of a preferred embodiment, a method and system for online user authentication using an out-of-band channel, including the integration, communication and data exchange between a third-party mobile application and a secure mobile payment system. Those skilled in the art will understand that modifications, including additions and substitutions, may be made without departing from the scope of the present invention.

System

Referring to Fig. 1, this embodiment comprises: a central processing server 105 accessible through a first communication network 104, which may be the Internet, a telecommunication network, or any network supporting the TCP/IP protocol; a plurality of users 101, each associated with a user account; mobile communication devices 102 that access the central processing server 105 through the first communication network 104; and client computing devices 103 that access the central processing server 105 and the third-party processing server 107 through a second communication network 106, which may be the same network as the first communication network 104 or a separate network, and may be the Internet, a telecommunication network, or any network supporting the TCP/IP protocol.

In this embodiment, the functions of the central processing server 105 include user authentication and user account management, where each user account record contains the user identifier and authentication credentials.

In this embodiment, the central processing server 105 includes at least one set of user interfaces that users can access from the mobile communication device 102 and the client computing device 103. This set of user interfaces includes interactive transaction web pages, which can be displayed in a web browser application running on the mobile communication device 102 or the client computing device 103, and in the user interface of a specially developed mobile application running on the mobile communication device 102. A typical example of such a user interface is a mobile application (app) running on the iOS operating system developed by Apple Inc.; another is a mobile application running on the Android operating system developed by Google Inc. The central processing server also provides a further set of user interfaces for system administration users.

In addition to the user interface sets, the central processing server 105 includes a server-side back-end application programming interface (API) for machine-to-machine integration, so that specially developed applications running on the third-party computing processor 107 can communicate with the central processing server 105. In this embodiment, machine-to-machine data exchange through the server-side back-end API supports industry standards including, but not limited to, XML and JSON.

The functions of these user interfaces and the server-side back-end API include, but are not limited to: user authentication, user account management and online shopping performed by users; system administration performed by administrators; and online shopping lists, payments and end-to-end user management performed by users.

In this embodiment, the central processing server 105 includes a database for storing user account data records, system configuration data and other metadata. The database may reside on the same physical computer server as the central processing server 105 or on a separate physical computer server, and may be any of various commercial relational database management systems, such as Oracle Database and Microsoft SQL Server.

In this embodiment, each mobile communication device 102 is equipped with a camera or scanner for optical capture of computer-generated encoded data such as barcodes. In the present invention, the mobile communication device is configured to process the captured image of the encoded data and to exchange data with the central processing server in order to perform the functions described above, such as user authentication. In this embodiment, the mobile communication device is configured to process decoded data and execute mobile transactions by installing and running application software and/or firmware designed for the mobile communication device (referred to herein as the "secure mobile payment mobile application"). Optionally, the operating system of the mobile communication device may be modified and/or configured to perform some or all of these functions.

The central processing server 105 with its database, user interfaces and server-side back-end API, together with the mobile communication devices 102 running the secure mobile transaction mobile application, form the secure mobile transaction system. In this embodiment, each user account in the secure mobile transaction system can be associated with only one mobile communication device at any given time. Each user 101 is also required, according to the system configuration, to define a secure personal identification number (PIN) for the user account. When a new user registers in the secure mobile transaction system, the central processing server creates a new user account and stores its record in the central processing server's database. User registration includes the steps of registering and pairing the user's mobile communication device. In this embodiment, the user registration process of the secure mobile payment system disclosed in U.S. Patent Application No. 13/602,197 may be used.

In this embodiment, the computer-generated barcode is a one-dimensional or two-dimensional code, such as a QR code, and may be generated by the central processing server 105. The barcode contains at least one item of identity data that is unique at least within the secure mobile transaction system, if not globally. The barcode can be displayed on the powered-on screen of a client computing device 103 or a mobile communication device. Barcodes can also be printed on or displayed by various portable items, including but not limited to paper tickets or cards.

In this embodiment, all communication between the mobile communication device 102 and the central processing server 105 is encrypted using PKI, specifically with AES encryption, and all data communication messages are transmitted over Secure Sockets Layer (SSL).

User authentication

In one embodiment of the present invention, a user who has registered and created a valid user account in the secure mobile transaction system can authenticate with the mobile communication device registered and paired in that system in order to access a protected third-party application, such as a third-party website served by a third-party processing server, or one or more protected user interfaces served by the central processing server.

Referring to Fig. 2, the user authentication method comprises the following steps:

1. (201) The user requests access to a protected third-party application served by a third-party processing server, or to one or more protected user interfaces served by the central processing server. The protected third-party application may be a third-party website that is access-controlled and requires user authentication, accessed through a web browser application running on a first mobile communication device or a first client computing device. The protected user interface served by the central processing server may be an interactive transaction web page that is access-controlled and requires user authentication, likewise accessed through a web browser application running on the first mobile communication device or first client computing device.

2. (202) The user is redirected to a login page, which may be served by the third-party processing server or by the central processing server. The login page contains encoded data, such as a barcode, displayed on the first mobile communication device or first client computing device. The barcode may be a QR code. The encoded data is generated dynamically by the central processing server when the login page is generated.

In one embodiment of the present invention, generating the encoded data comprises: the central processing server generates a random number, which may consist of 32 characters (30 letters plus 2 check characters), and encodes that random number to form the QR code carrying the encoded data. The random number is the session number associated with the user's login session. In another embodiment, generating the encoded data comprises: the central processing server encodes a session number that it previously generated and stored to form the QR code carrying the encoded data. A record of the session number is kept in the central processing server's database for use in later authentication.

If the login page is served by the third-party processing server, the third-party processing server requests and receives the encoded data from the central processing server by calling the central processing server's back-end API.

3. (203) The login page with the encoded data is displayed on the screen of the first mobile communication device or first client computing device. The user captures an image of the encoded data using a second mobile communication device that has been registered and paired in the secure mobile transaction system.

In another embodiment of the present invention, in addition to being displayed on the screen of the first mobile communication device or first client computing device, the encoded data may be printed on a physical medium, such as a paper ticket or card, and presented to the customer so that the image of the encoded data can be captured with the second mobile communication device.

4. (204) The second mobile communication device, running the secure mobile transaction mobile application, decodes the captured encoded data and extracts the session number.

5. (205) The second mobile communication device sends the extracted session number, together with its own device identification data, to the central processing server.

6. (206) The central processing server receives the session number and the identification data of the second mobile communication device, and validates the session number by matching it against the session number records previously stored in the database. On a valid match, the central processing server retrieves the user account record by matching the identification data of the second mobile communication device, and associates the session number with that user account.

7. (207) If the login page is served by the central processing server, then when the web browser application displaying the login page reloads it, automatically or manually, the central processing server re-renders the login page with a visual cue so that the user can proceed to the next step of user authentication.

If the login page is served by the third-party processing server, the third-party processing server is notified of the successful association between the session number and the user account, either by a callback or response from the central processing server's back-end API, or by the third-party processing server repeatedly calling the central processing server's back-end API. Once notified, when the web browser application displaying the login page reloads it, automatically or manually, the central processing server re-renders the login page with a visual cue so that the user can proceed to the next step of user authentication.

8. (208) The user enters the secure personal identification code in the user interface of the secure mobile transaction mobile application running on the second mobile communication device.

9. (209) The second mobile communication device encrypts the secure personal identification code and sends the encrypted code, together with its device identification data, to the central processing server.

10. (210) The central processing server receives the encrypted secure personal identification code and the identification data of the second mobile communication device; retrieves the user account record by matching the device identification data; decrypts the secure personal identification code; and verifies it by matching the decrypted code against the secure personal identification code in the user record. On a valid match, the user is considered authenticated, and the session number is now associated with the user's login session.

11. (211) If the login page is served by the central processing server, then when the web browser application displaying the login page reloads it, automatically or manually, the web browser application is redirected to the protected third-party application or to the protected user interface served by the central processing server.

If the login page is served by the third-party processing server, the third-party processing server is notified of the successful user authentication, either by a callback or response from the central processing server's back-end API, or by the third-party processing server repeatedly calling the central processing server's back-end API. Once notified, when the web browser application displaying the login page reloads it, automatically or manually, the web browser application is redirected to the protected third-party application or to the protected user interface served by the central processing server.

In another embodiment of the present invention, the central processing server and the second mobile communication device are configured, through the secure mobile transaction mobile application, so that the user-supplied secure personal identification code is optional during user authentication. Steps 7 to 10 above may then be omitted, in which case user authentication is considered complete once the session number and the identification data of the second mobile communication device received by the central processing server have been validated.
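The flow of steps 201 to 211, the 32-character session number of step 202 (30 letters plus 2 check characters) and the optional-PIN embodiment, as one runnable simulation. This is an added example, not code from the patent or from MPAYME Ltd, and it fills in what the text leaves open with labelled assumptions: the two check characters are taken from a SHA-256 digest of the 30 letters; a session number stays scannable for 120 seconds; the server stores a salted PBKDF2 hash of the PIN rather than the PIN itself; the device identification data is a plain string; and the status values pending / scanned / authenticated that a polling third-party server would read are invented. The encryption of the PIN in transit (step 209) and the SSL channel are left to the transport layer, and QR encoding and decoding are omitted: the mobile application is assumed to hand the server the decoded 32-character string.

```python
# Added example, not the patent holder's code: a single-process simulation of the
# QR-code out-of-band login (steps 201-211) and of the 32-character session number
# (30 letters + 2 check characters). The check-code algorithm, session lifetime and
# PIN storage format are assumptions; the patent text does not specify them.
import hashlib, hmac, secrets, string, time
from dataclasses import dataclass
from typing import Dict, List, Optional

LETTERS = string.ascii_uppercase  # assumption: the 30 letters are drawn from A-Z


def check_code(body: str) -> str:
    """Two check letters over the 30-letter body (assumed: first two SHA-256 bytes)."""
    digest = hashlib.sha256(body.encode("ascii")).digest()
    return LETTERS[digest[0] % 26] + LETTERS[digest[1] % 26]


def new_session_code() -> str:
    """30 random letters + 2 check letters: the session number the QR code carries."""
    body = "".join(secrets.choice(LETTERS) for _ in range(30))
    return body + check_code(body)


def session_code_is_well_formed(code: str) -> bool:
    """Syntactic check the mobile app can run on a decoded QR payload before sending it."""
    return (len(code) == 32 and code[:30].isalpha() and code[:30].isupper()
            and check_code(code[:30]) == code[30:])


@dataclass
class Account:
    user_id: str
    pin_salt: bytes
    pin_hash: bytes  # salted PBKDF2 of the PIN, so the PIN itself is never stored


@dataclass
class Session:
    code: str
    created: float
    account: Optional[str] = None  # set at step 206 once the paired device has scanned
    authenticated: bool = False    # set at step 210 once the PIN has been verified


class CentralServer:
    """Central processing server: accounts, login sessions and the polled status API."""
    SESSION_TTL = 120.0  # seconds a QR code stays scannable (assumption)

    def __init__(self, pin_required: bool = True):
        self.pin_required = pin_required  # False models the optional-PIN embodiment
        self.accounts: Dict[str, Account] = {}  # device identification data -> Account
        self.sessions: Dict[str, Session] = {}  # session number -> Session

    @staticmethod
    def _hash_pin(pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def register(self, user_id: str, device_id: str, pin: str) -> None:
        salt = secrets.token_bytes(16)  # one account <-> one paired device
        self.accounts[device_id] = Account(user_id, salt, self._hash_pin(pin, salt))

    def create_login_session(self, now: Optional[float] = None) -> str:
        """Step 202: mint the session number that the login page encodes as a QR code."""
        code = new_session_code()
        self.sessions[code] = Session(code, time.time() if now is None else now)
        return code

    def scan(self, code: str, device_id: str, now: Optional[float] = None) -> bool:
        """Steps 205-206: the paired device reports the decoded session number."""
        now = time.time() if now is None else now
        sess, acct = self.sessions.get(code), self.accounts.get(device_id)
        if sess is None or acct is None or not session_code_is_well_formed(code):
            return False  # unknown session number, or unknown/unpaired device
        if now - sess.created > self.SESSION_TTL or sess.account is not None:
            return False  # expired, or already claimed by an earlier scan (replay)
        sess.account = acct.user_id
        sess.authenticated = not self.pin_required  # optional-PIN embodiment ends here
        return True

    def verify_pin(self, code: str, device_id: str, pin: str) -> bool:
        """Steps 209-210: the PIN must come from the device whose scan claimed the session."""
        sess, acct = self.sessions.get(code), self.accounts.get(device_id)
        if sess is None or acct is None or sess.account != acct.user_id:
            return False
        if not hmac.compare_digest(self._hash_pin(pin, acct.pin_salt), acct.pin_hash):
            return False
        sess.authenticated = True
        return True

    def status(self, code: str) -> str:
        """Back-end API a third-party login page polls (steps 207 and 211)."""
        sess = self.sessions.get(code)
        if sess is None:
            return "unknown"
        return "authenticated" if sess.authenticated else ("scanned" if sess.account else "pending")


def demo() -> List[str]:
    """Happy path for one user; returns the status the login page sees after each step."""
    server = CentralServer()
    server.register("alice", "device-A1", "2468")  # constructed sample account and PIN
    code = server.create_login_session()
    seen = [server.status(code)]
    seen.append(server.status(code) if server.scan(code, "device-A1") else "scan rejected")
    seen.append(server.status(code) if server.verify_pin(code, "device-A1", "2468") else "pin rejected")
    return seen
```

Running demo() walks one login through the three states. The checks a defender wants are in scan() and verify_pin(): a session number can be claimed by one scan only, so a second device that presents the same QR image is refused; the PIN is accepted only from the device whose scan claimed the session; and a session number older than SESSION_TTL is refused even though it is still on record. Step 210's "decrypt and match the PIN" is modelled as a constant-time comparison of salted hashes, so a database dump does not reveal the PINs.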

本发明的前述实施例可使用以下方式实现:通用或专门计算设备,移动通信设备,计算机处理器,或电子电路包括但不限于数字信号处理器(DSP),专用集成电路(ASIC),现场可编程门阵列(FPGA)和其他根据本发明方案配置的可编程逻辑设备。运行在通用或专门计算机设备,移动通信设备,计算机处理器,或可编程逻辑器件中的计算机指令或软件代码,可由软件及电子领域的技术人员根据本发明的教导进行编写。The foregoing embodiments of the present invention may be implemented using general or specialized computing equipment, mobile communication equipment, computer processors, or electronic circuits including but not limited to digital signal processors (DSPs), application specific integrated circuits (ASICs), and field programmable Programmable gate array (FPGA) and other programmable logic devices configured according to the scheme of the present invention. Computer instructions or software codes running on general-purpose or specialized computer equipment, mobile communication equipment, computer processors, or programmable logic devices can be written by those skilled in the field of software and electronics according to the teaching of the present invention.

具体实施时,本发明包括可存储计算机指令或软件代码的计算机存储介质,以对计算机或微处理器进行编程使之可实现本发明的任何处理。所述存储介质包含但不限于:软盘,光盘,蓝光光盘,DVD光盘,CD-ROM,磁光盘,可记录光盘,随机存储器,快闪记忆体装置,或适用于存储指令、代码和/或数据的任何类型的媒体或设备。In practice, the present invention includes a computer storage medium that can store computer instructions or software codes, so as to program a computer or microprocessor to implement any process of the present invention. Such storage media include, but are not limited to, floppy disks, compact disks, Blu-ray disks, DVD disks, CD-ROMs, magneto-optical disks, recordable disks, random access memory, flash memory devices, or devices suitable for storing instructions, code and/or data any type of media or device.

具体实施时,其中的移动通信设备包括但不限于:移动电话,与个人电脑类似的移动电话(通常称为智能电话),电子个人数字助理(PDA),有线或无线广域网的便携式计算机,或带有通讯功能的设备,例如如平板电脑和上网本。移动通信设备包括但不限于苹果公司的iPhone,谷歌公司的Nexus10,HTC的One,诺基亚公司的Lumia,三星公司的Galaxy,以及索尼公司的Xperia。During specific implementation, the mobile communication devices include, but are not limited to: mobile phones, mobile phones similar to personal computers (usually called smart phones), electronic personal digital assistants (PDAs), portable computers with wired or wireless wide area networks, or Devices with communication capabilities, such as tablets and netbooks. Mobile communication devices include but are not limited to Apple's iPhone, Google's Nexus 10, HTC's One, Nokia's Lumia, Samsung's Galaxy, and Sony's Xperia.

本发明的以上描述用于提供示意性说明和描述,而不应构成对本发明的限制。对于本领域技术人员来说,许多修改和变化均是显而易见的。The above description of the present invention is provided for illustration and description, and should not be construed as limiting the present invention. Many modifications and changes will be apparent to those skilled in the art.

The embodiments were chosen and described in order to best explain the principles of the present invention and its practical application, thereby enabling those skilled in the art to understand that other embodiments and other modifications may be made to suit particular uses. The scope of the present invention is defined by the claims and their equivalents.

Claims (10)

CN201480038231.XA | 2013-07-03 | 2014-07-03 | Method and system for user authentication using out-of-band channel | Pending | CN105556531A (en)

Applications Claiming Priority (3)

Application Number | Priority Date | Filing Date | Title
US201361842386P | 2013-07-03 | 2013-07-03 |
US61/842,386 | 2013-07-03 | |
PCT/CN2014/081588 (WO2015000425A1 (en)) | 2013-07-03 | 2014-07-03 | Method and system for authenticating user using out-of-band channel

Publications (1)

Publication Number | Publication Date
CN105556531A | 2016-05-04

Family

ID=52143120

Family Applications (1)

Application Number | Title | Priority Date | Filing Date
CN201480038231.XA (Pending, CN105556531A (en)) | Method and system for user authentication using out-of-band channel | 2013-07-03 | 2014-07-03

Country Status (3)

Country | Link
EP (1) | EP3017391A4 (en)
CN (1) | CN105556531A (en)
WO (1) | WO2015000425A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
US20240303638A1 (en) * | 2023-03-08 | 2024-09-12 | Capital One Services, Llc | Systems and methods for secure authentication of contactless card

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
GB2558789B (en) * | 2014-05-09 | 2019-01-09 | Smartglyph Ltd | Method of authentication
CN104618401A (en) * | 2015-03-10 | 2015-05-13 | 四川省宁潮科技有限公司 | Real-name system-based wifi one-key logging method
CN104639566A (en) * | 2015-03-10 | 2015-05-20 | 四川省宁潮科技有限公司 | Transaction authorizing method based on out-of-band identity authentication
GB2591759A (en) * | 2020-02-05 | 2021-08-11 | Vst Enterprises Ltd | System and process for Validation

Citations (3)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN102595643A (en) * | 2010-11-19 | 2012-07-18 | 罗技欧洲股份有限公司 | System and method used for connection and pairing of wireless devices
CN102939613A (en) * | 2010-06-04 | 2013-02-20 | 维萨国际服务协会 | Payment tokenization apparatuses, methods and systems
US20130167208A1 (en) * | 2011-12-22 | 2013-06-27 | Jiazheng Shi | Smart Phone Login Using QR Code

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
US8769784B2 (en) * | 2009-11-02 | 2014-07-08 | Authentify, Inc. | Secure and efficient authentication using plug-in hardware compatible with desktops, laptops and/or smart mobile communication devices such as iPhones
JP2014518597A (en) * | 2011-03-31 | 2014-07-31 | ソニーモバイルコミュニケーションズ, エービー | System and method for establishing a communication session associated with an application
EP2602735B1 (en) * | 2011-12-09 | 2018-04-04 | BlackBerry Limited | Secure authentication

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN102939613A (en) * | 2010-06-04 | 2013-02-20 | 维萨国际服务协会 | Payment tokenization apparatuses, methods and systems
CN102595643A (en) * | 2010-11-19 | 2012-07-18 | 罗技欧洲股份有限公司 | System and method used for connection and pairing of wireless devices
US20130167208A1 (en) * | 2011-12-22 | 2013-06-27 | Jiazheng Shi | Smart Phone Login Using QR Code

Also Published As

Publication number | Publication date
EP3017391A4 (en) | 2016-12-28
WO2015000425A1 (en) | 2015-01-08
EP3017391A1 (en) | 2016-05-11

Similar Documents

Publication | Title
US20140317713A1 (en) | Method and System of User Authentication Using an Out-of-band Channel
US11743041B2 (en) | Technologies for private key recovery in distributed ledger systems
KR101842868B1 (en) | Method, apparatus, and system for providing a security check
US9805182B1 (en) | Authentication using a client device and a mobile device
US12413574B1 (en) | System and method for authenticating a user to provide a web service
US20150294313A1 (en) | Systems, apparatus and methods for improved authentication
US9256724B2 (en) | Method and system for authorizing an action at a site
US11455621B2 (en) | Device-associated token identity
US20140223520A1 (en) | Guardian control over electronic actions
WO2015062530A1 (en) | User account information management method, user account management server, sales terminal and system
US20200067709A1 (en) | Methods, apparatuses, and computer program products for frictionless custody chain management
US11410212B2 (en) | Secure identity verification
US20160065581A1 (en) | Method and system for exchanging information
US12047371B2 (en) | Mobile device based credential authentication
KR101691412B1 (en) | Phone number based 2channel user authentication assistive device and method
CN105556531A (en) | Method and system for user authentication using out-of-band channel
CN108964921A (en) | Verification System, authentication method and service server
KR20230138502A (en) | Code-based two-factor authentication
KR101305901B1 (en) | Authentication method and system
KR101531878B1 (en) | Simple payment support apparatus and method for a mobile terminal
CN111314343B (en) | Account management method, device and readable storage medium
KR101625065B1 (en) | User authentification method in mobile terminal
JP2023013003A (en) | Automated cash transaction system
CN105117904A (en) | Method for mobile terminal payment transaction, mobile terminal, service provider and system
CN103457728B (en) | Security information interaction system, Apparatus and method for

Legal Events

Date | Code | Title | Description
| C06 | Publication |
| PB01 | Publication |
| C10 | Entry into substantive examination |
| SE01 | Entry into force of request for substantive examination |
| WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 20160504
