US2017249633A1PendingUtilityA1

One-Time Use Password Systems And Methods

49
Assignee: CA INCPriority: May 10, 2010Filed: May 16, 2017Published: Aug 31, 2017
Est. expiryMay 10, 2030(~3.8 yrs left)· nominal 20-yr term from priority
H04L 2209/56G06Q 20/4014G06Q 20/40G06Q 20/382H04L 9/321H04L 9/3271H04L 9/0822G06F 2221/2103G06F 21/31G06Q 20/385H04L 2463/062G06F 21/335G06Q 20/3829H04L 9/3228H04L 63/0838
49
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

According to the invention, a method of using a one-time password for a transaction between a user and a merchant is disclosed. The method may include generating the one-time password. The method may also include authenticating the user by the authentication server in response to a request from the user to use the one-time password. The method may further include authorizing the use of the one-time password for the transaction in response to authenticating the user by the authentication server. The method may moreover include using the one-time password in combination with an account number to settle the transaction between the user and the merchant. The method may additionally include sending a message to the authentication server originating from the merchant, wherein the message comprises the one-time password, and wherein the message requests a determination whether the one-time password is authorized for use in the transaction. The method may also include sending a message to the merchant originating from the authentication server, wherein the message includes a determination whether the transaction should be approved in response to the authentication server determining whether the one-time password is authorized for use in the transaction.

Claims

exact text as granted — not AI-modified
1 . A method of using a one-time password for a transaction by a user, comprising:
 requesting an authentication server for authorization to use the one-time password in the transaction;   generating a signed challenge at an electronic device based on information received from a user to sign the challenge; and   sending the signed challenge from the electronic device to the authentication server to authenticate the user and authorize the use of the one-time password in the transaction.   
     
     
         2 . The method of  claim 1 , further comprising generating the one-time password at the electronic device and sending the one-time password from the electronic device to the authentication server. 
     
     
         3 . The method of  claim 1 , further comprising receiving the one-time password at the electronic device from the authentication server. 
     
     
         4 . The method of  claim 1 , further comprising the electronic device generating the challenge, wherein the authentication server generates a substantially similar challenge. 
     
     
         5 . The method of  claim 1 , further comprising receiving the challenge at the electronic device from the authentication server. 
     
     
         6 . The method of  claim 1 , wherein the challenge comprises at least a part of the one-time password. 
     
     
         7 . The method of  claim 1 , wherein generating a signed challenge at an electronic device based on information received from a user to sign the challenge comprises:
 receiving a user access code at the electronic device;   using at least the user access code to retrieve a private key from a key wallet, wherein the key wallet is configured to output a key having the appearance of the private key for at least one access code not equaling the user access code; and   creating the signed challenge by encrypting the challenge with the private key.   
     
     
         8 . The method of  claim 1 , wherein sending the signed challenge to the authentication server further comprises sending a public key that is encrypted using a key known only to the authentication server. 
     
     
         9 . The method of  claim 1 , further comprising:
 the electronic device transmitting the one-time password to a merchant; and   the electronic device transmitting an account number to the merchant.   
     
     
         10 . A method of authorizing a one-time password by an authentication server to be used in a transaction by a user, comprising:
 receiving, at the authentication server, a request originating from an electronic device to authorize the one-time password;   sending a challenge via a secure communication channel from the authentication server to the electronic device of the user to authenticate the user;   receiving, at the authentication server, a signed version of the challenge originating from the electronic device of the user via a secure communication channel;   determining, by the authentication server, whether the user is authentic based on the signed challenge; and   authorizing, by the authentication server, the one-time password for use in the transaction in response to a determination that the user is authentic based on the signed challenge.   
     
     
         11 . The method of  claim 10 , further comprising:
 receiving a request originating from an issuer server to determine if the one-time password has been authorized for use in the transaction; and   in response to a determination that the one-time password is authorized for use, sending a notification to the issuer server that the one-time password is authorized.   
     
     
         12 . The method of  claim 11 , further comprising:
 in response to a determination that the one-time password is authorized for use, sending a notification to the issuer server that the one-time password is authorized.   
     
     
         13 . The method of  claim 10 , further comprising restricting the user's access to future one-time password authorization if the user is determined not to be authentic after a predetermined number of failed authentication attempts. 
     
     
         14 . The method of  claim 10 , further comprising receiving the one-time password in a message originating from the user. 
     
     
         15 . The method of  claim 10 , further comprising generating the one-time password and sending it to the electronic device of the user. 
     
     
         16 . The method of  claim 10 , wherein the step of receiving a signed challenge originating from the electronic device of the user via a secure communication channel further comprises receiving a public key this is encrypted with a key known only to the authentication server. 
     
     
         17 . The method of  claim 16 , wherein the step of determining whether the user is authentic comprises:
 decrypting the public key using the key known only to the authentication server;   decrypting the signed challenge using the public key to create a decrypted challenge;   determining whether the decrypted challenge matches the challenge; and   determining that the user is authentic in response to determining that the decrypted challenge matches the challenge.   
     
     
         18 . A system for using a one-time password in a transaction, comprising:
 a processor configured to:
 receive a request originating from an electronic device to authorize the one-time password for use in the transaction; 
 send a challenge to the electronic device to authenticate a user; 
 receive a signed version of the challenge originating from the electronic device; 
 determine whether the user is authentic based on the signed version of the challenge; and 
 authorize the one-time password for use in the transaction in response to a determination that the user is authentic based on the signed version of the challenge. 
   
     
     
         19 . The system of  claim 18 , wherein the processor is further configured to:
 receive a request originating from an issuer server to determine if the one-time password has been authorized for use in the transaction; and   in response to a determination that the one-time password is authorized for use, send a notification to the issuer server that the one-time password is authorized.   
     
     
         20 . The system of  claim 19 , wherein the processor is further configured to:
 in response to a determination that the one-time password is authorized for use, send a notification to the issuer server that the one-time password is authorized.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.