Patent Issued for Multi-channel authentication using smart cards (USPTO 11822638): United Services Automobile Association
2023 DEC 07 (NewsRx) -- By a
The assignee for this patent, patent number 11822638, is
Reporters obtained the following quote from the background information supplied by the inventors: “Account takeovers are prevalent due in part to mass data breaches and phishing attacks exposing billions of email addresses, usernames and passwords in the past few years. Additionally, many people use the same username/password combination across multiple accounts, which makes it easy for cybercriminals to sell stolen credentials. Service providers attempt to curtail fraudulent activity by collecting and using information such as a username and password or in some cases requiring multi-factor authentication to authenticate the user. However, these techniques have limitations using current systems.
“The techniques introduced here may be better understood by referring to the following Detailed Description in conjunction with the accompanying drawings, in which like reference numerals indicate identical or functionally similar elements. Moreover, while the technology is amenable to various modifications and alternative forms, specific embodiments have been shown by way of example in the drawings and are described in detail below. The intention, however, is not to limit the technology to the particular embodiments described. On the contrary, the technology is intended to cover all modifications, equivalents, and alternatives falling within the scope of the technology as defined by the appended claims.”
In addition to obtaining background information on this patent, NewsRx editors also obtained the inventors’ summary information for this patent: “Multi-factor authentication (i.e., the user is authenticated only after successfully presenting two or more pieces of evidence to an authentication mechanism: knowledge (something the user and only the user knows), possession (something the user and only the user has), and inherence (something the user and only the user is)) is becoming standard in authentication due to the prevalence of account takeovers. Multi-channel authentication is a method of multi-factor authentication where one or more of the authentication factors involved are communicated over separate communication channels or protocols. One way to allow users to obtain multi-channel authentication is by using a one-time password (“OTP”) token which is a hardware device capable of generating one-time passwords. More advanced hardware tokens use microprocessor-based smart cards to calculate one-time passwords. Smart cards can also include additional strong authentication capabilities such as or Public Key Infrastructure (‘PKI’) certificates. When used for PKI applications, the smart card device can provide core PKI services, including encryption, digital signature and private key generation and storage.
“In existing systems, to use the hardware token, the user checks the hardware token and enters the OTP with other identity credentials (typically username and password) and an authentication server validates the request. In some cases, the hardware token can be inserted into a device and an OTP can be directly sent to an authentication server. Although this is a proven solution for enterprise applications, the deployment cost can make the solution inconvenient and expensive for consumer applications. Additionally, having to type in an OTP each time the user wants to access an application or input a hardware token into a user device such as mobile phone is burdensome. Moreover, requiring the user to carry a separate hardware token with no other use than authentication can also be problematic.
“To address the above-mentioned issues, the technology described herein provides a system and method that allows a user to be authenticated using multiple channels without requiring the user to enter an OTP or carry a hardware token dedicated to generating OTPs. In some embodiments, a smart card is embedded into a medium such as a payment card (e.g., credit card, debit card) or membership card. When the user receives the smart card, the user registers the smart card with the system by providing identity and/or authentication (e.g., username, password, PIN) to the system (e.g., via an application) and by holding the smart card within a proximity of the user’s device. The proximity is determined by the type of protocol being used to communicate information from the smart card to the device. The system collects (e.g., using RFID) information that can be used to verify OTPs generated by the smart card (e.g., digital certificate) and associated with the user profile, device, and smart card. When the smart card is embedded in a payment card, registering the smart card can accomplish two tasks simultaneously: (1) activating the payment card so it can be used to make purchases and (2) activating the smart card as an authentication device that can be used to authenticate the user for activities (e.g., access to a bank account, access to make an in-application call).
“When the user requests an interaction with the entity (e.g., by accessing the application, viewing bank accounts, requesting a transaction, filing a claim, making a call, making an in-application call), after the system identifies the user (e.g., by collecting identifying information from the user or from the device), the system prompts the user to hold the smart card within a proximity of the user’s device. The smart card generates the OTP or other information and communicates the information to the device and the device via the application sends the information to the system for verification. In some embodiments, verification occurs locally on the device. Using the digital certificate or other information previously collected by the system and associated with the user profile, the system can verify that the smart card is or is not associated with the user and/or the device. The system can either allow the user to interact, request for information or deny the request based on verification of the OTP and business rules. In some embodiments, the user is asked to provide additional authentication such as a PIN for further authentication.
“The smart card can be associated with more than one device associated with the user using the same or similar registration process. In some implementations, the device is a smartphone, tablet, laptop, smartwatch, or voice-controlled personal assistant.”
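The registration and verification steps in the summary above can be modelled server-side as follows. This is an added example, not code from the patent or its assignee: it swaps in a counter-based HOTP (RFC 4226) shared secret for the certificate-based verification the summary mentions, and `CardRegistry`, the user/device/card identifiers and the three-code look-ahead window are hypothetical.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: the value the card would emit for a given counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class CardRegistry:
    """Links a user profile, a device and a smart card (hypothetical model)."""

    def __init__(self, window: int = 3):
        self.window = window   # how far the card counter may run ahead
        self.cards = {}        # (user, device) -> card record

    def register(self, user: str, device: str, card_id: str, secret: bytes):
        # Registration: the credential read from the card over the wireless
        # link is stored against the user profile and this device.
        self.cards[(user, device)] = {
            "card_id": card_id, "secret": secret, "counter": 0}

    def verify(self, user: str, device: str, card_id: str, otp: str) -> str:
        rec = self.cards.get((user, device))
        if rec is None or not hmac.compare_digest(rec["card_id"], card_id):
            return "deny"      # card is not associated with this user/device
        for c in range(rec["counter"], rec["counter"] + self.window):
            if hmac.compare_digest(hotp(rec["secret"], c), otp):
                rec["counter"] = c + 1   # advance: a captured OTP cannot be replayed
                return "allow"
        return "deny"

if __name__ == "__main__":
    # Constructed sample values (the secret is the RFC 4226 test key).
    secret = b"12345678901234567890"
    reg = CardRegistry()
    reg.register("alice", "phone-1", "card-A", secret)
    tap = hotp(secret, 0)
    print(reg.verify("alice", "phone-1", "card-A", tap))   # first tap
    print(reg.verify("alice", "phone-1", "card-A", tap))   # replayed OTP
    print(reg.verify("alice", "tablet-9", "card-A", hotp(secret, 1)))  # unregistered device
```

Because each device holds its own record, the same card has to be registered once per device, which matches the summary's statement that a card can be associated with more than one device through the same registration process.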
The claims supplied by the inventors are:
“1. A computerized method comprising: receiving, via an application installed on a device associated with a user, a request to engage in an activity; after receiving the request, initiating, by a process, a random authentication check; detecting, during the initiated random authentication check, a trigger based on one or more parameters of the activity being outside of a normal range for the user, wherein the trigger is detected using information received from a wearable device associated with the user, and the detected trigger causes a possession check for possession of a smart card associated with a user profile; in response to detecting the trigger, prompting the user to place the smart card within a threshold proximity of the device; and in response to the smart card being detected within the threshold proximity of the device, allowing the user to engage in the activity.
“2. The computerized method of claim 1, further comprising: determining a level of authentication required for the activity; and in response to the level of authentication required for the activity being above a threshold, requesting authentication from the user before allowing the user to engage in the activity.
“3. The computerized method of claim 1, wherein information received from the wearable device comprises health information about the user.
“4. The computerized method of claim 1, further comprising: in response to detecting the trigger, requesting biometric authentication from the user before allowing the user to engage in the activity.
“5. The computerized method of claim 1, further comprising: receiving, from the device associated with the user, a request to register the smart card, wherein the request is triggered by wirelessly detecting the smart card and the request comprises a credential associated with the smart card sent to the device via a wireless protocol.
“6. The computerized method of claim 1, wherein the smart card is embedded in a payment card, wherein registering the smart card activates the payment card for purchases and activates the smart card for use as an authentication device.
“7. The computerized method of claim 1, wherein the smart card communicates with the device using near-field communication.
“8. A system comprising: one or more processors; and one or more memories storing instructions that, when executed by the one or more processors, cause the system to perform a process comprising: receiving, via an application installed on a device associated with a user, a request to engage in an activity; after receiving the request, initiating, by a process, a random authentication check; detecting, during the initiated random authentication check, a trigger based on one or more parameters of the activity being outside of a normal range for the user, wherein the trigger is detected using information received from a wearable device associated with the user, and the detected trigger causes a possession check for possession of a smart card associated with a user profile; in response to detecting the trigger, prompting the user to place the smart card within a threshold proximity of the device; and in response to the smart card being detected within the threshold proximity of the device, allowing the user to engage in the activity.
“9. The system according to claim 8, wherein the process further comprises: determining a level of authentication required for the activity; and in response to the level of authentication required for the activity being above a threshold, requesting authentication from the user before allowing the user to engage in the activity.
“10. The system according to claim 8, wherein information received from the wearable device comprises health information about the user.
“11. The system according to claim 8, wherein the process further comprises: in response to detecting the trigger, requesting biometric authentication from the user before allowing the user to engage in the activity.
“12. The system according to claim 8, wherein the process further comprises: receiving, from the device associated with the user, a request to register the smart card, wherein the request is triggered by wirelessly detecting the smart card and the request comprises a credential associated with the smart card sent to the device via a wireless protocol.
“13. The system according to claim 8, wherein the smart card is embedded in a payment card, wherein registering the smart card activates the payment card for purchases and activates the smart card for use as an authentication device.
“14. A non-transitory computer-readable medium storing instructions that, when executed by a computing system, cause the computing system to perform operations comprising: receiving, via an application installed on a device associated with a user, a request to engage in an activity; after receiving the request, initiating, by a process, a random authentication check; detecting, during the initiated random authentication check, a trigger based on one or more parameters of the activity being outside of a normal range for the user, wherein the trigger is detected using information received from a wearable device associated with the user, and the detected trigger causes a possession check for possession of a smart card associated with a user profile; in response to detecting the trigger, prompting the user to place the smart card within a threshold proximity of the device; and in response to the smart card being detected within the threshold proximity of the device, allowing the user to engage in the activity.
“15. The non-transitory computer-readable medium of claim 14, wherein the operations further comprise: determining a level of authentication required for the activity; and in response to the level of authentication required for the activity being above a threshold, requesting authentication from the user before allowing the user to engage in the activity.
“16. The non-transitory computer-readable medium of claim 14, wherein information received from the wearable device comprises health information about the user.
“17. The non-transitory computer-readable medium of claim 14, wherein the operations further comprise: in response to detecting the trigger, requesting biometric authentication from the user before allowing the user to engage in the activity.
“18. The non-transitory computer-readable medium of claim 15, wherein the operations further comprise: receiving, from the device associated with the user, a request to register the smart card, wherein the request is triggered by wirelessly detecting the smart card and the request comprises a credential associated with the smart card sent to the device via a wireless protocol.
“19. The non-transitory computer-readable medium of claim 14, wherein the smart card is embedded in a payment card, wherein registering the smart card activates the payment card for purchases and activates the smart card for use as an authentication device.
“20. The computerized method of claim 5, further comprising: in response to the smart card being detected within the threshold proximity of the device, receiving verification information associated with the smart card, wherein the verification information is verified using the credential prior to allowing the user to engage in the activity.”
For more information, see this patent: Clowe,