NO313949B1 - Authentication in mobile networks - Google Patents

Abstract

This invention relates to an arrangement and method for providing authentication of a user in performing wireless electronic commerce transactions using a mobile device. This is achieved by combining a WML (WAP Markup language) based micro-reader on the mobile device and voice-based authentication in the network.

Description

TECHNICAL AREA

This invention relates to an arrangement and method for providing user authentication when performing wireless electronic commerce transactions using a mobile device.

PRIOR ART

The problem is to provide a satisfactory level of security when someone conducts wireless electronic commerce transactions on a mobile device. Some solutions to this problem are known from the prior art, which include: 1. Using SIM card-based security. This requires either that the microreader is located on the SIM card, or that there are standard solutions for a microreader for phones to access the security functions on the SIM card. SIM card solutions are limited to GSM systems. A SIM Application Toolkit-based browser has certain limitations due to proprietary SIM technology; limited functionality in the SIM Toolkit standards and no support outside of GSM. Standardization is underway to provide SIM/smart card security within WAP, but the standards are not finished. There is therefore a need for intermediate solutions that use WAP 1.0-based solutions, which have not solved the security aspects. 2. Using security features on a smart card that can be read from the phone with an additional card reader.

The limitation of this solution is that a phone with an additional smart card reader is required. Availability of these phones is limited, solutions are not standardized yet, and the phones easily become larger and more expensive. 3.Using external security devices, such as password calculators that generate one-time passwords and require a personal PIN to activate.

It is not very convenient to carry a password calculator with you, and it takes time to use it (first enter the PIN, then enter the generated password on the phone). Furthermore, the costs of the solution for the end user increase.

OBJECTS OF THE INVENTION

The purpose of the present invention is to provide secure user authentication when performing wireless business transactions on a mobile device without security functions beyond the standard security provided by the network.

This is achieved by combining a WML (WAP Markup Language) based microreader on the mobile device and voice-based authentication in the web.

The invention can be used in wireless electronic commerce and other Wireless Application Protocol (WAP)-based applications that require user authentication beyond that provided by the wireless network itself. The invention can be used in wireless networks, such as GSM, D-AMPS and CDMA.

The exact scope of the invention is as defined in the attached patent claims.

BRIEF DESCRIPTION OF THE DRAWINGS

Figure 1 is a schematic diagram showing different entities (objects/entities) in a transaction using the present invention. Figure 2 shows an example of a network architecture for systems that use the invention. Figure 3 shows an example of message flow for a transaction that uses the invention.

DETAILED DESCRIPTION OF THE INVENTION

Figure 1 shows the different devices involved when a user wants to access a WML-based application (wireless e-commerce. Intranet access portal, access to bonus service and so on), 4, via a mobile device, and using a method and a system according to the present invention. The user initiates a WML-based dialog involving the WML-based reader, 1, a microreader with the ability to display Wireless Markup Language (WML). The reader may be located in a telephone or other type of wireless device, such as a personal digital assistant (PDA). For simpler wireless devices, parts of the reader can be implemented in a server. An example of this is a GSM phone that uses the USSD capabilities of GSM phase 2 together with a proxy server that converts WML content into USSD text strings that are displayed on the phone. Alternatively, SMS or GPRS can be used as the carrier.

The mobile device is connected to a wireless network, 2, which includes a WAP web port. This unit (entity) consists of all wireless switching components, such as base station system (BSS) and mobile switching center (MSC). In addition to this, it contains the WAP web portal. The WAP gateway converts between the WAP protocol and bearer services on the radio side, and Internet protocols on the Internet side. The user accesses the WML-based application, 4. This device is an application that uses the WAP-defined Wireless Markup Language (WML) for dialogue with a user. At a certain step in the dialog, an authentication is required. The application, 4, uses a device, 3, which handles voice passwords, for authenticating the user. This device is a network component that handles speech recognition and speech-based dialogue with the user. It will also handle the password and personal voice detection mechanisms. This device will typically be based on an integrated voice response system (IVR - Integrated Voice Response). The authentication can be performed by presenting a WML card (page) to the user that includes a menu selection that initiates a voice call to an IVR-based authentication center using basic wireless telephony functionality (the ability to make a phone call by selecting an entry in the WAP-based menu). The authentication is performed using a voice-based password that can provide both a user password and verification of the user's speech. The result of the authentication is returned to the WML-based application, which continues or terminates the transaction.

If the browser does not support this menu property (click to call), the voice password handler may instead initiate a call to the user, after the WML dialog has ended, to perform the authentication. The device for handling voice passwords can identify the user to be authenticated by his/her caller ID (phone number). In the case of several users connected to the same telephone number, or in the case of a telephone not owned by the user, additional identification of the user is required for the device handling the voice password. This can be achieved by using a B-number that provides additional information, or by informing the device handling voice passwords in advance that an authentication of a specific user will take place from the given telephone number.

The actual algorithm used by the device handling the voice password to perform the authentication may differ for different implementations of a device handling the voice password. An example of an algorithm is to use a personal PIN code combined with recognition of personal speech. The device that handles voice passwords will ask for the full PIN code or alternatively a random digit within the PIN code. The latter will ensure that the entire PIN code is never delivered at the same time. Personal speech recognition will provide a verification of a specific person's own speech within an acceptable level of accuracy.

The device for handling voice passwords delivers information about the result of the authentication using a secured link to the WML-based application.

In Figure 1, the letters A-D denote the interfaces between the different devices, which interfaces are: a) The interface between the device containing the WML-based reader and the wireless network. b) A connection with the ability to transport digitally coded speech. This can be a 56/64 kbits/s circuit that uses

a signaling core such as signaling system #7 or uses ISDN.

c) An interface that transfers WML content. This is normally an IP-based interface. The protocol that transmits

WML can be the WAP stack, HTTP or HTTPS.

d) This can be any type of open or proprietary interface between the two devices. The two devices can be linked together directly or via a secure network connection.

An exemplary physical embodiment of an arrangement according to the invention is shown in Figure 2 as a network architecture. In this example, the user accesses an application of interest located on a wireless e-commerce server from a mobile phone with a micro reader installed. The wireless e-commerce server is connected to an IVR server that performs the authentication. For security reasons, the connection uses a proprietary link. The interfaces involved are as defined above.

In the message flow form in Figure 3, the procedure for establishing the WAP session is shown as a message sent from the user terminal to the application. This message is triggered by a message from the application to the device that handles the voice password. This in turn initiates an exchange of call control messages between the reader (on the user terminal) and the device that handles voice passwords (on the IRV server). If the result of the authentication process is satisfactory, the device that handles voice passwords sends an authentication OK message to the application. The application can then complete the transaction.

The advantage of the inventive arrangement and the inventive method is that it provides extended features for user authentication on first stage WAP/WML based devices. Security solutions based on voice passwords are implemented, for example, in banking systems, that is, this solution will meet requirements from financial institutions for security during user authentication. Using the "click to call" feature of WAP, this feature will be easy to use for the end user.

The invention can be used for any type of WML-based transaction that requires authentication security beyond that provided by the basic WAP and the cell-shared network. This could be access to home banking, access to confidential information (for example company information), an additional security to pass an Internet firewall for WAP access and so on.

DEFINITIONS AND ABBREVIATIONS

GSM (Global System for Mobile Communications) - global system for mobile communications

A digital cellular telephone technology based on TDMA that is widely used in Europe and throughout the world.

Web portal

A network port (gateway) is a network point that acts as an entrance to another network. In a corporate network, a proxy server acts as a gateway between the internal network and the Internet. A gateway can also be any device that delivers packets from one network to another on their way across the Internet.

HTTP - Hypertext Transfer Protocol

HTTP is the set of rules for exchanging files (text, graphic images, sound, video and other multimedia files) on the World Wide Web. Compared to the TCP/IP suite of protocols (which is the basis for information exchange on the Internet), HTTP is an application protocol.

HTTPS

Secure Hypertext Transfer Protocol is a Web protocol built into a browser that encrypts and decrypts user page requests, as well as the pages returned by the Web server. HTTPS is really just the use of security protocol (SSL - Secure Socket Layer) as a sub-layer under the normal HTTP application layer.

IVR - Interactive Voice Response, i.e. interactive voice response

An automated answering system that responds with a call menu and allows the user to make selections and enter information via the keypad field. IVR systems are widely used in call centers as well as a replacement for human switchboard operators. The system can also integrate database access and fax response.

Hicro reader

A slimmer variant of a www-reader tailored for thin clients with small screens and communication with low bandwidth. Examples of a microreader are the reader on a WAP client, for example a WAP-enabled telephone.

Password

In the context of the invention, a secret pattern shared between the user and the device provides authorization. The password can be a spoken word or, for example, a PIN code consisting of a number of digits.

PIN (Personal Identification Number) - personal identification number

A personal password used for identification purposes

SIM - Subscriber Identity Module, i.e. module for subscriber in dent i t e t

The SIM card is a special type of smart card used for security, subscription data and storage in a GSM phone. The SIM Application Toolkit standard in GSM makes it possible also for simple applications to be stored and executed on the SIM card.

USSD - Untrue Supplementary Service Data

A GSM protocol for delivering service data via the control plane of the GSM protocol. Many additional services use USSD for signaling (for example format of type <*>123#)

WAP - Wireless Application Protocol

A wireless standard originally proposed by Motorola, Ericsson and Nokia to allow small wireless devices such as telephones and PDAs access to Internet-type content. WAP uses Wireless Markup Language (WML) to present Internet content.

WTA - Wireless Telephony Application

WTA provides telephone functions that can be used in conjunction with WAP. In this invention, WTA functionality requires the ability to make a phone call to select an entry in a WAP-based menu.

Claims (6)

1. Arrangement for providing secure user authentication when conducting wireless electronic commerce over a cellular wireless network, using a mobile device equipped with a WML-{Wireless Markup Language) based reader (1), in communication with a wireless e-commerce server that running a WML-based application (4) to perform wireless electronic commerce transactions, via a WAP {Wireless Application Protocol) gateway (2) connecting the WAP protocol and bearer service on the radio side and Internet protocols on the other side, characterized in that the arrangement includes a server for authentication of the user, where the server includes a device (3) based on an IVR system (Integrated Voice Response) which handles recognition and verification of the user by voice and voice password authentication. 2. Arrangement according to claim 1, characterized in that said WML-based reader is a microreader. 3. Arrangement according to claim 1 or 2, characterized in that said WML-based reader is implemented in a proxy server that converts WML content into USSD (Unstructured Supplementary Service Data) text strings that are displayed on said mobile device. 4. Arrangement according to one of the preceding claims, characterized in that communication between said WML-based application and said device that handles voice passwords takes place over a proprietary secure link. 5. Method for performing wireless electronic commerce transactions using a mobile device, the method comprising the following steps: • initiating a WML-based reader on the mobile device • accessing a WML-based application (4), which includes the application for electronic commerce, thereby initiating a first dialogue, characterized in that at a specific step in the first dialogue, • the WML-based application (4) addresses a device (3) for handling voice passwords for authenticating the user • said device (3) for voice passwords is adapted to handle speech recognition and initiate a second speech-based dialogue with the user, and also handle mechanisms for passwords and personal speech detection • results of the authentication process are delivered to the WML-based application (4) • after which the WML-based application (4) completes the first dialogue with the user 6. Method according to claim 5, characterized in that the WML-based application (4) communicates with the device (3) for handling voice passwords over a proprietary secure link.