
GB2531255A - Secure authentication token - Google Patents


Info

Publication number
GB2531255A
Authority
GB
United Kingdom
Prior art keywords
token
wireless communication
security token
security
user
Legal status
Withdrawn
Application number
GB1418052.5A
Other versions
GB201418052D0 (en
Inventor
Kris Hansen
Lewis Daniels
Current Assignee
DIGITAL PAYMENT PARTNERS LLC
Original Assignee
DIGITAL PAYMENT PARTNERS LLC
Events
Application filed by DIGITAL PAYMENT PARTNERS LLC
Priority to GB1418052.5A (GB2531255A)
Publication of GB201418052D0
Priority to PCT/IB2015/057819 (WO2016059546A1)
Publication of GB2531255A
Legal status: Withdrawn

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06K: GRAPHICAL DATA READING; PRESENTATION OF DATA; RECORD CARRIERS; HANDLING RECORD CARRIERS
    • G06K19/00: Record carriers for use with machines and with at least a part designed to carry digital markings
    • G06K19/06: Record carriers for use with machines and with at least a part designed to carry digital markings characterised by the kind of the digital marking, e.g. shape, nature, code
    • G06K19/067: Record carriers with conductive marks, printed circuits or semiconductor circuit elements, e.g. credit or identity cards also with resonating or responding marks without active components
    • G06K19/07: Record carriers with conductive marks, printed circuits or semiconductor circuit elements, e.g. credit or identity cards also with resonating or responding marks without active components with integrated circuit chips
    • G06K19/0723: Record carriers with conductive marks, printed circuits or semiconductor circuit elements, e.g. credit or identity cards also with resonating or responding marks without active components with integrated circuit chips the record carrier comprising an arrangement for non-contact communication, e.g. wireless communication circuits on transponder cards, non-contact smart cards or RFIDs
    • G06K7/00: Methods or arrangements for sensing record carriers, e.g. for reading patterns
    • G06K7/0008: General problems related to the reading of electronic memory record carriers, independent of its reading method, e.g. power transfer
    • G06K7/10: Methods or arrangements for sensing record carriers, e.g. for reading patterns by electromagnetic radiation, e.g. optical sensing; by corpuscular radiation
    • G06K7/10009: Methods or arrangements for sensing record carriers, e.g. for reading patterns by electromagnetic radiation, e.g. optical sensing; by corpuscular radiation sensing by radiation using wavelengths larger than 0.1 mm, e.g. radio-waves or microwaves
    • G06K7/10316: Methods or arrangements for sensing record carriers, e.g. for reading patterns by electromagnetic radiation, e.g. optical sensing; by corpuscular radiation sensing by radiation using wavelengths larger than 0.1 mm, e.g. radio-waves or microwaves using at least one antenna particularly designed for interrogating the wireless record carriers
    • G06K7/10336: Methods or arrangements for sensing record carriers, e.g. for reading patterns by electromagnetic radiation, e.g. optical sensing; by corpuscular radiation sensing by radiation using wavelengths larger than 0.1 mm, e.g. radio-waves or microwaves using at least one antenna particularly designed for interrogating the wireless record carriers the antenna being of the near field type, inductive coil
    • G06Q: INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00: Payment architectures, schemes or protocols
    • G06Q20/30: Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/32: Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices
    • G06Q20/327: Short range or proximity payments by means of M-devices
    • G06Q20/3278: RFID or NFC payments by means of M-devices
    • G06Q20/34: Payment architectures, schemes or protocols characterised by the use of specific devices or networks using cards, e.g. integrated circuit [IC] cards or magnetic cards
    • G06Q20/341: Active cards, i.e. cards including their own processing means, e.g. including an IC or chip
    • G06Q20/36: Payment architectures, schemes or protocols characterised by the use of specific devices or networks using electronic wallets or electronic money safes
    • G06Q20/367: Payment architectures, schemes or protocols characterised by the use of specific devices or networks using electronic wallets or electronic money safes involving electronic purses or money safes

Abstract

A system for secure, contactless financial transactions. A security token 1 (e.g. a smart card) comprises a secure processor 2 and a plurality of wireless communication technologies 3a, 3b, 3c. A mobile computing device is configured for wireless communication with the token, and also for wireless communication with an electronic payment device. The secure processor 1 may be a crypto-processor, for encrypting data with RSA. The wireless communication may include Near Field Communication (NFC) 3a, Bluetooth (RTM) 3c, ZigBee (RTM), RFID 3b, iBeacon (RTM) or Ultra-wideband. The security token may be paired with one or more electronic devices, and thus the token may have one or more antennae 4. The token may connect wirelessly to a digital wallet. The token may also contain a photo-voltaic means (e.g. solar power) for generating electricity, which may be stored in a battery.

Description

Intellectual Property Office. Application No. GB1418052.5. Date: 9 April 2015. The following terms are registered trade marks and should be read as such wherever they occur in this document: Bluetooth, ZigBee and iBeacon in claim 4 and on pages 1-3, 5-7, 12 and 13 of the description. Intellectual Property Office is an operating name of the Patent Office (www.gov.uk/ipo).

Secure Authentication Token

This invention relates generally to electronic security devices, and more particularly to token-based authentication technologies. The invention is particularly suited for use in situations where a high degree of security is required to protect confidential data such as, for example, electronic payments. The invention is suited for verifying the identity of an individual prior to allowing a computer-related operation to be performed.
Many operations require a user's identity to be verified before access is allowed to a controlled resource or process. Such controlled resources might include financial funds, a controlled building or area, a computing resource or network, or sensitive data. Various authentication techniques and devices are known, including security tokens. Various types of token are known, both hardware and software based.
It is known for tokens to be implemented in a device carried by an individual so that the individual can verify his identity using the device. These may sometimes be referred to as 'hardware tokens', 'authentication tokens' or 'cryptographic tokens'. In essence, the security token serves as an electronic key to unlock access to the controlled resource. In addition to possession of the token, other forms of authentication may sometimes be required before the user is allowed to perform the operation such as password or PIN entry, or verification of biometric data associated with the user. However, without (physical) access to the token the user is not able to authenticate with the client system.
During use, the token sends a key to the client system or device so that the client knows that the token can be trusted. The token is provided with hardware and/or software to enable it to communicate with the client. For example, some tokens might include a USB connector for physical connection to the client while others might include RFID capabilities or a Bluetooth interface so that the key sequence can be transmitted wirelessly to a client within close proximity, or to a nearby access point.
Wireless tokens which do not need to be physically connected to the client device to transfer data have proved popular because they offer convenience of use. They may be used, for example, with keyless entry systems and also with electronic payment arrangements. One such payment system is the Mobil Speedpass which uses RFID to transmit authentication data from a token provided on a keychain.
However, such tokens have known disadvantages. For example, Bluetooth tokens function when the token is within 10 meters or so of the client device. For some applications, this range may not be appropriate. Furthermore, if Bluetooth connectivity is not available the token is rendered unusable. One solution to this has been to incorporate a USB interface into some Bluetooth tokens so that the token can operate in both a connected and a disconnected state. The token is inserted into a USB input device when a Bluetooth connection cannot be established. Therefore, this solution defaults back to a physical connection between the token and the client and so the convenience of wireless/contactless operation is lost. As such, known tokens suffer from the disadvantage that they are configured for use with only one form of wireless communication technology.
Thus, it is desirable to provide a token-based authentication solution which provides a variety of wireless connectivity capabilities. Such a solution would ideally enable the token to use a variety of wireless communication protocols and technologies so that a variety of communication techniques can be utilised by the same device, providing more connectivity options than currently available on single prior art tokens. Such a solution would be agnostic to the type of communication protocol used by the client because the token would be able to select and use whichever transmission technology is appropriate for a particular client. Such a solution would reduce complexity and costs for service providers such as banks and merchants.
It is also desirable to provide a solution which overcomes or at least alleviates the problem of short battery life associated with known security tokens.
Ideally, such a solution would also provide one or more mechanisms to ensure that the security of the data stored, processed and transmitted by the token is maintained.
Also, such a solution would implement continuous, persistent authentication such that proximity of the token with the client device is required in order for a process (e.g. verification) to be maintained. Upon loss of proximity between the token and the device, the process is terminated.
Such an improved solution has now been devised. Thus, in accordance with the present invention there is provided an arrangement as defined in the appended claims.
Therefore, in accordance with the invention there is provided a security token comprising: a secure processor; and a plurality of hardware and/or software components arranged to enable communication using a plurality of wireless communication technologies.
The token may provide an authentication device for verifying the identity of an individual prior to and/or while permitting an operation to be performed, and/or permitting access to a controlled resource such as a building, financial resources or a computer-based resource such as hardware or software.
Thus, the invention provides a highly secure authentication solution wherein the security token is able to communicate wirelessly via more than one type of wireless communication technology. This is an advantage over prior art arrangements which provide the ability to communicate via only one wireless protocol. Therefore, in one sense, the invention may provide a solution which combines the functionalities of various prior art arrangements into an integrated device. The invention provides protocol interoperability so that existing communication techniques (e.g. NFC, Bluetooth, RFID) can be extended to support devices where these techniques are not supported or are inaccessible.
The inclusion of a secure processor also provides enhanced security over prior art tokens which would not comprise such a feature.
The plurality of wireless communication technologies may enable the token device to communicate wirelessly with another device without the need for insertion of the token into the client device via a physical interface. This other device may be a computer implemented device which may be referred to as a 'client'. The client device may be a payment processing device, a card reading terminal, a door entry system or any other device/system which requires authentication of a user before permitting an operation to be performed. The client device may comprise software, such as an app, arranged for execution of a transaction, such as a financial payment.
The communication between the token and the other device may be one or two directional. In other words, the token may be arranged to send and/or receive data.
The token may be arranged to select and utilise one of the plurality of communication technologies during an authentication process. The token may be arranged to detect which wireless communication technology is appropriate for communication with a particular client device, and then select and use the appropriate wireless technology from the plurality so as to communicate with the client. Thus, the token is able to communicate with a greater variety of client devices than prior art tokens which are designed to communicate using one particular type of wireless protocol.
The security token may be used to verify a user's identity during an authentication process. The authentication process may be a continuous (or 'persistent') authentication process meaning that the continuing presence of the token is required in order for the process to continue. The process may terminate if the token is not within range of the client. Therefore, continuous or repeated monitoring for the token may be performed. The monitoring may be performed by software executing on the client.
The authentication process may comprise, for example, verification of the user prior to completing a financial transaction. The authentication process may be initiated by the client device or some other device. Without the presence of the token the authentication process may fail. One or more further authentication techniques may be employed in conjunction with the use of the token. For example, the user may be required to provide authentication data such as a password, PIN, biometric data or other unique identifier in order to complete the authentication process. The authentication data may be verified by the token, the client device and/or some other device.
The plurality of wireless communication technologies may be selected such that communication is only possible when the token is within a predetermined range from a client device. In some embodiments the token may be arranged and configured such that it can only communicate with other devices via a wireless connection. In other embodiments, however, the token may be arranged and configured for communication via a wired interface in addition to wireless communication. The token may comprise contact, contactless or hybrid interface technologies.
The token may be arranged to determine which communication technology is appropriate for communication with a particular client device. Therefore, the token may be arranged to determine which form of communication protocol/technology is required for communication with the other device, and then select and/or use the relevant technology from the plurality provided on the token to establish a communication channel with the other device. For example, the token may detect that the other device has Bluetooth connectivity, and thus the token may use its own Bluetooth capabilities to establish a Bluetooth connection with the other device. If, on the other hand, it detects that the other device is an NFC enabled device it may establish an NFC connection.
The token may be arranged to provide and/or enable persistent authentication of a user with a client device such that authentication of the user fails unless a wireless connection is maintained. The token or other device may be arranged to monitor a connection between the token and the other device. A continuous connection may be required so that the user can access the other device or some software provided thereon, or complete an operation such as user authentication.
The secure processor may be a cryptoprocessor. It may be a secure cryptoprocessor. It may comprise anti-tamper sensors, full encryption mechanisms and/or capabilities to create an RSA key. Secure memory may be associated with the secure processor. By incorporating a secure processor into the token, the token's communications may be secured. This provides a significant advantage over prior art arrangements which do not offer the enhanced security provided by a secure processor. For applications involving financial payments and transactions, for example, the need for high security is an important factor.
The plurality of wireless communication technologies incorporated into the token may include Near Field Communication (NFC), Bluetooth, ZigBee, RFID, iBeacon and/or Ultra-wideband. However, other wireless technologies may be employed instead of or in addition to these. Essentially, any wireless communication technology may be employed.
The more technologies that are incorporated into the token, the greater the choice of client device that the token is able to communicate with.
The plurality of wireless protocols may include one or more proximity protocols. The proximity protocols may require the token and client device to be within the same locality or range. Thus, the token may need to be co-located with (i.e. within the same location as) the client device in order for them to communicate. The token may be configured such that it is not capable of communication over a wide area network such as the internet or a telecommunications network. The token may be incapable of communication with another device unless it is in (physical) proximity to the other device. The communication may be restricted to within a local region or area so as to maintain security because the user must be in possession of the token and within proximity of the client device in order to authenticate.
The plurality may include one or more medium to long range proximity protocols, such as Bluetooth, wherein the communication range may be substantially between 10m and 30m. However, the range may be shortened for security purposes.
Additionally or alternatively, one or more short range technologies may be included such as RFID capabilities. Such short range technologies may restrict communication between the token and the other device to a range of a few feet.
Additionally or alternatively, one or more close range technologies may be included in the plurality of technologies, such as Near Field Communication (NFC). The one or more close range technologies may restrict communications to substantially within a few centimeters in range.
In some embodiments, the token may be paired with one or more electronic devices. This electronic device may be any form of computing device. For example, it could be a PC. It could be a mobile or portable device such as a laptop, a tablet computer, a smart phone etc. It may be the client device.
The pairing may be achieved using hardware and/or software. The pairing associates the particular token with a particular electronic device so that they are matched or linked. The device may then be 'known' to the token and/or vice versa. The token may be arranged to be paired with a software application (app) installed on a mobile computing device such as a smartphone or tablet. The app may be arranged to facilitate performance of a transaction, such as a financial payment, which requires authentication of the user. The app may be a digital wallet.
The pairing may provide the ability to restrict which device(s) the token is able to communicate with. Preferably, as a result of the pairing the token is unable to communicate with (i.e. transmit data to and/or receive data from) a device with which it is not paired. This provides the advantage that the user must be in proximity to the paired device as well as being in possession of the paired token, which increases the level of security provided by the invention. The invention is not intended to be limited with respect to the manner in which the pairing is performed.
The token may comprise one or more antennae to facilitate wireless communication between the token and the client device.
The token may comprise one or more sensors. The sensors may enable the token to detect the presence of a transmitter, such as an iBeacon transmitter, within the vicinity of the token. Thus, the token may receive a signal from the transmitter via the sensor when the token is in proximity to the transmitter.
The token may comprise means for generating electricity. The means for generating electricity may be photovoltaic means. The token may comprise photovoltaic (solar) cells arranged to produce electricity from sunlight. This can be used to recharge a battery provided in or on the token. Thus, the security token may further comprise a battery arranged to receive electricity generated by the photovoltaic means.
The token may be portable. It may comprise a housing or body which has no external data ports or interface such as a USB interface. Therefore, the housing or body may be completely sealed. Thus, communication with the token may only be achieved via a non-physical interface.
The token may comprise a smart card. The secure processor may be embedded in, or carried on, the card body.
The token may be configured for secure storage of data. For example, the token may comprise secure memory for the storage of virtual currency. The token may be configured to comprise, or communicate with, a digital wallet.
The token may be arranged to store financial data. The financial data may relate to a user's bank account, credit account or other financial resource associated with the user.
The token may be arranged to communicate with and/or connect wirelessly to a digital wallet. The digital wallet may be provided on a portable computing device such as a smart phone or tablet computer. The token and the portable computing device may be paired, as detailed above.
The token may be arranged to communicate with and/or connect wirelessly to an app stored and/or executed on a mobile device e.g. smart phone, tablet computer. The app may be configured to emulate the functional responses or operations of an NFC-enabled smart card. The app may be configured to access data relating to a smart card on a mobile computing device. The data may be stored in memory provided on the mobile device or the token.
The token may be arranged to authenticate a Host Card Emulation (HCE) operation or transaction performed via a mobile device. The mobile device may be a smart phone or a tablet computer. The token may form part of a HCE system such that when a user taps the mobile device to initiate a transaction, the transaction may only be completed if the token is within proximity to the mobile device. This provides the benefit that in the event that the mobile device is lost or stolen, an unauthorised party cannot use the mobile device to complete a HCE transaction without access to the token as well.
According to another aspect of the invention there is provided a security token for authenticating a user and comprising photovoltaic means for generating electricity.
The token may further comprise a battery arranged to receive electricity generated by the photovoltaic means.
Also according to the invention there is provided an authentication method comprising the steps: bringing a token according to any embodiment described above into proximity with a client device so that a wireless communication channel can be established between the token and the client device; permitting a user to perform a process or transaction if, and only if, the wireless communication channel is established.
The process or transaction may be a payment. The process or transaction may be a Host Card Emulation transaction. The payment may be processed via a HCE software component arranged for execution on the client device. The client device may be a smart phone or a tablet computer.
The method may further comprise the step of terminating the process or transaction if the communication channel is interrupted, lost or intercepted. Thus, the authentication method may be a persistent (or 'continuous') authentication method. The method may comprise the step of monitoring the communication channel between the token and the client device to determine whether the wireless connection between the devices has been lost or compromised.
The method may further comprise the step of pairing the token with the client device. It may also comprise the step of checking whether the token and client device are paired before and/or during the process or transaction.
The method may further comprise the step of making a payment from the token or a digital wallet provided on the client device.
The invention also provides a payment system comprising: a token according to any embodiment described above; a portable computing device configured for wireless communication with the token; an electronic payment device configured for wireless communication with the portable computing device.
The portable computing device may be a smart phone or a tablet computer.
The token may be paired with the portable computing device. As above, the pairing can take a variety of forms but essentially the token is 'known' to the client device so that the authentication process is only successful when the paired token is in proximity with the device. A different (non paired) token will not be able to establish a connection with the device, and so the authentication process will fail.
The portable computing device may be configured to perform Host Card Emulation. The device may comprise suitably arranged software to perform the HCE functionality.
The portable computing device may comprise a digital wallet. A payment may be made from the token or the wallet.
The electronic payment device may be an NFC enabled terminal or reader.
Any feature described above in relation to one aspect/embodiment of the invention may also be applicable to any other aspect/embodiment of the invention. Features described in relation to the token device may also apply with respect to the method, and vice versa.
These and other aspects of the present invention will be apparent from, and elucidated with reference to, the embodiment described herein.
An embodiment of the present invention will now be described, by way of example only, and with reference to the accompanying drawings, in which:
Figure 1 illustrates an exemplary embodiment of the present invention, showing a secure token comprising a secure processor and a plurality of wireless communication capabilities.
Figure 2 is a flow chart illustrating one way in which the invention provides authentication of a user during performance of an operation or process e.g. a payment or other transaction.
Turning to Figure 1, the invention provides a secure hardware token 1 which can be used to authenticate a user during a transaction. This transaction may be a financial transaction but it should be noted that the invention is not intended to be limited with regard to the type of transaction or process for which it can be used.
In order to authenticate, the user must be in possession of the token 1, or at least be in the vicinity of it. Without the token the user is not able to authenticate with the client system/device.
The token comprises a secure processor such as a Maxim™ secure microcontroller 2 having cryptographic capabilities. Such a secure processor 2 might include any or all of the following security features:
* Unique 64-Bit Serial Number
* Tamper Detection with Rapid Key/Data Destruction
* Secret Key Destruction on Tamper Events
* Permanent Loader Lockout Option
* Proprietary Code Scrambling Technique Using Random Keys
* Hardware Accelerators for AES, RSA, DSA, ECDSA, DES, 3DES, SHA-1, SHA-224, SHA-256
* True Hardware Random-Number Generator
* Temperature and Voltage Sensors to Detect Attacks
* Two Self-Destruct Input Pins
The token may be provided in a variety of forms, including as a smart card. Smart card embodiments provide the advantage that they are slim, low cost to produce, and can be easily carried by a user in a physical wallet. Other embodiments may include keychain tokens.
The token 1 may provide continuous (also known as persistent) authentication. This is illustrated in Figure 2. Therefore, rather than the authentication being a single, discrete event the token's continued presence is required. The channel or connection established between the token and the client device is continuously monitored to check that connectivity has been maintained. If it is found that the connection between the token and the device has been lost or compromised, the authentication process fails. The user is not able to complete the desired operation and/or have access to the desired resource.
Branding or other printed information may be provided on one or more sides. The token comprises a battery and also solar cells to recharge the battery, thus prolonging its life.
The token is equipped with a variety of wireless communication capabilities. These would typically include Near Field Communication 3a, Bluetooth 3c, ZigBee, RFID 3b, iBeacon and/or Ultra-wideband components but other communication protocols may be used in addition to or instead of these. The wireless protocols 3a, 3b, 3c enable the token 1 to communicate with another device which is in proximity to the token. Thus, the token and the other device are relatively close to each other when connected, rather than communicating via a wide area network.
The token comprises one or more antennae and sensors 4 to enable it to use certain communication technologies e.g. iBeacon.
In use, various scenarios may be supported, some of which are described below.
The token is able to connect to a mobile wallet via its Bluetooth 3c or other protocol 3a, 3b, enabling it to secure the transaction with the secure processor 2. A user may tap a card to the token to communicate with a mobile app which the user is engaging with in order to make a transaction. This enables the user to authenticate and perform an online/mobile transaction as if it were a "card present" transaction. There are significant benefits which flow from this, including increased security, reversal of liability and reduced costs.
The token could be in 'shop mode' and communicating wirelessly to a mobile device. The user selects items for purchase and subsequently passes through an RFID scanner. The items are immediately charged to the electronic wallet on the user's device. The user does not need to wait at a payment till.
The token can also validate card proximity during a mobile transaction to provide an additional security factor.
In some embodiments, the token may be used to verify a PIN or other identifier sent from a mobile app in order to gain authenticated access to the mobile computing/telephone device.
In some embodiments, the token provides (full or partial) PAN information for credit cards. This provides the advantage that such sensitive data does not need to be stored on an insecure device such as a mobile phone.
In use, the token can also serve as an intermediary device which transactions can be directed through in order to bridge the gap between different technologies at either end of the transaction flow. For example, in the financial world different banks, merchants, processors and consumers utilise different systems which are often unable to communicate with one another. Therefore, a payment or other transaction may not be possible between two technically incompatible parties. The present invention solves this issue because, for example, a payment request can be received by the token using one type of protocol, but can be transmitted on from the token to a terminal using a different type of protocol. In this way, transactions can be completed between systems which use different types of communication technologies as the token provides a layer of protocol and implementation abstraction. For example, an NFC transaction can be completed over a Bluetooth connection. This provides a seamless and convenient solution which is simple to implement and removes the need for re-engineering of the transactional systems involved in the process.
The invention also provides significant advantages in relation to HCE systems. A disadvantage with existing HCE systems is that in the event of the user's mobile device being lost or stolen, it can be used to make transactions by unauthorised parties. As the HCE software replicates the user's physical smart card, the credit or debit account is debited upon completion of the HCE transaction. The invention provides a beneficial, additional layer of security because the physical presence of the token is required in order to complete the transaction. Therefore, the unauthorised party would need to gain access to the token as well as the mobile device in order to make a transaction.
For example, according to known techniques, a user may add payment card details to a mobile wallet app on a smart phone so as to make NFC payments via terminals provided at retailers' premises. This provides the user with a convenient way of making contactless payments using the phone instead of inserting the actual smart card into the reader. The HCE software on the phone emulates the user's physical smart card. The data received by the phone's NFC controller from the retailer's device is sent directly from the NFC controller to the processing app.
However, in accordance with the present invention, the transaction cannot be completed unless the token is in continued communication with the app. If the token is within proximity to the phone, a wireless communication channel can be established between the app and the token, and the transaction can proceed. However, if the channel cannot be established, or is lost or intercepted for some reason, the transaction cannot proceed and the user's account is not debited.
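The gating rule described above (the transaction proceeds only while the paired token keeps answering, and a lost channel or a non-paired token aborts it before any debit), as an added example that is not code from the patent. The HMAC challenge-response heartbeat, the shared pairing key and every class and function name here are assumptions; the patent does not say how token presence is verified.

```python
import hashlib
import hmac
import os


class Token:
    """Stands in for the hardware token; holds the pairing key (assumed scheme)."""

    def __init__(self, pairing_key, in_range_until=None):
        self.pairing_key = pairing_key
        # Constructed test knob: the token stops answering after this many challenges.
        self.in_range_until = in_range_until
        self.answered = 0

    def respond(self, challenge):
        if self.in_range_until is not None and self.answered >= self.in_range_until:
            return None  # out of range: the channel is lost
        self.answered += 1
        return hmac.new(self.pairing_key, challenge, hashlib.sha256).digest()


class PresenceMonitor:
    """Client-side check that the *paired* token is still reachable."""

    def __init__(self, pairing_key, token):
        self.pairing_key = pairing_key
        self.token = token

    def heartbeat(self):
        challenge = os.urandom(16)  # fresh nonce, so a recorded reply is useless
        reply = self.token.respond(challenge)
        if reply is None:
            return False
        expected = hmac.new(self.pairing_key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(reply, expected)


def run_transaction(monitor, steps, account):
    """Run each step only while the token is present; debit only at the very end."""
    amount = 0
    for name, cost in steps:
        if not monitor.heartbeat():
            return f"aborted before {name!r}: token not present"
        amount += cost
    if not monitor.heartbeat():  # final check immediately before the debit
        return "aborted before debit: token not present"
    account["balance"] -= amount
    return "completed"


def demo():
    key = b"\x01" * 32  # constructed pairing key
    steps = [("select card", 0), ("authorise", 25)]
    outcomes = {}
    for label, token in [("paired", Token(key)),
                         ("lost mid-way", Token(key, in_range_until=1)),
                         ("non-paired", Token(b"\x02" * 32))]:
        account = {"balance": 100}
        result = run_transaction(PresenceMonitor(key, token), steps, account)
        outcomes[label] = (result, account["balance"])
    return outcomes
```

The heartbeat proves possession of the pairing key, not physical distance; the range limit itself has to come from the short-range radio link the patent relies on.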
Thus, some of the advantages provided by the invention include:
* the provision of protocol and implementation abstraction between banks, merchants, processors and consumers;
* provides continuous, persistent authentication;
* allows for these parties to make longer term decisions in a fast moving technological area
* allows for dynamic firmware updates and provisioning to continually adapt and evolve as digital payments standards change
* Adds additional security measures for digital payments by adding security factors and reducing the sensitive information kept on insecure mobile devices
* Augments digital mobile payment applications to allow for secure storage and identity validation
* The token serves as an intermediate between different / potentially competing protocols to facilitate interoperability
* Smart card token is slim and can fit into a wallet, providing convenience and portability
* Battery lasts for a year or longer
* Solar panel on non-branded side of card can be used to add battery charge
* Provides an additional layer of security for HCE systems and methods
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be capable of designing many alternative embodiments without departing from the scope of the invention as defined by the appended claims. In the claims, any reference signs placed in parentheses shall not be construed as limiting the claims. The word "comprising" and "comprises", and the like, does not exclude the presence of elements or steps other than those listed in any claim or the specification as a whole. In the present specification, "comprises" means "includes or consists of" and "comprising" means "including or consisting of". The singular reference of an element does not exclude the plural reference of such elements and vice-versa.
The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In a device claim enumerating several means, several of these means may be embodied by one and the same item of hardware.
The mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measures cannot be used to advantage.

Claims (21)

  1. A security token comprising: a secure processor; and a plurality of hardware and/or software components arranged to enable communication using a plurality of wireless communication technologies.
  2. A security token according to claim 1 wherein the plurality of wireless communication technologies is selected such that communication is only possible when the token is within a predetermined range from a client device.
  3. A security token according to claim 1 or 2 wherein the secure processor is a secure cryptoprocessor.
  4. A security token according to any preceding claim wherein the plurality of wireless communication technologies includes Near Field Communication, Bluetooth, ZigBee, RFID, iBeacon and/or Ultra-wideband contactless payment technology.
  5. A security token according to any preceding claim wherein the token is paired with one or more electronic devices.
  6. A security token according to any preceding claim wherein the token comprises one or more sensors and/or antennae.
  7. A security token according to any preceding claim and further comprising: photovoltaic means for generating electricity.
  8. A security token according to claim 7, wherein the token further comprises a battery arranged to receive electricity generated by the photovoltaic means.
  9. A security token according to any preceding claim wherein the token is provided in the form of a smart card.
  10. A security token according to any preceding claim wherein the token is arranged to store a user's financial data.
  11. A security token according to any preceding claim wherein the token is arranged to connect wirelessly to a digital wallet.
  12. A security token according to any preceding claim wherein the token is arranged to determine which communication technology is appropriate for communication with a particular client device.
  13. A security token according to any preceding claim wherein the token is arranged to provide and/or enable persistent authentication of a user with a client device such that authentication of the user fails unless a wireless connection is maintained.
  14. A security token according for authenticating a user and comprising photovoltaic means for generating electricity.
  15. A security token according to claim 14, wherein the token further comprises a battery arranged to receive electricity generated by the photovoltaic means.
  16. An authentication method comprising the steps: bringing a token according to any preceding claim into proximity with a client device so that a wireless communication channel can be established between the token and the client device; permitting a user to perform a process or transaction if, and only if, the wireless communication channel is established.
  17. The authentication method of claim 16 and further comprising the step of terminating the process or transaction if the communication channel is interrupted, lost or intercepted.
  18. The authentication method of claim 16 or 17 wherein the process or transaction is a Host Card Emulation transaction.
  19. The authentication method of claim 16 to 18 and further comprising the step of making a payment from the token or a digital wallet provided on the client device.
  20. A payment system comprising: a token according to any of claims 1 to 15; a portable computing device configured for wireless communication with the token; an electronic payment device configured for wireless communication with the portable computing device.
  21. The payment system of claim 20 wherein: the portable computing device is a smart phone or a tablet computer; the token is paired with the portable computing device; the portable computing device is configured to perform Host Card Emulation; the portable computing device comprises a digital wallet; and/or the electronic payment device is a NFC enabled terminal or reader.
GB1418052.5A 2014-10-13 2014-10-13 Secure authentication token Withdrawn GB2531255A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
GB1418052.5A GB2531255A (en) 2014-10-13 2014-10-13 Secure authentication token
PCT/IB2015/057819 WO2016059546A1 (en) 2014-10-13 2015-10-13 Secure authentication token

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
GB1418052.5A GB2531255A (en) 2014-10-13 2014-10-13 Secure authentication token

Publications (2)

Publication Number Publication Date
GB201418052D0 GB201418052D0 (en) 2014-11-26
GB2531255A true GB2531255A (en) 2016-04-20

Family

ID=52001302

Family Applications (1)

Application Number Title Priority Date Filing Date
GB1418052.5A Withdrawn GB2531255A (en) 2014-10-13 2014-10-13 Secure authentication token

Country Status (2)

Country Link
GB (1) GB2531255A (en)
WO (1) WO2016059546A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
RU191690U1 (en) * 2019-05-20 2019-08-15 Закрытое акционерное общество "Особое Конструкторское Бюро Систем Автоматизированного Проектирования" SPECIALIZED COMPUTER WITH HARDWARE DATA PROTECTION
CN112749385B (en) * 2021-01-19 2024-06-21 张友平 NFC equipment safety authentication system suitable for HCE mode

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2005078370A (en) * 2003-08-29 2005-03-24 Ngk Spark Plug Co Ltd Ic card with display device and method to use it
US20120109735A1 (en) * 2010-05-14 2012-05-03 Mark Stanley Krawczewicz Mobile Payment System with Thin Film Display
CN202795429U (en) * 2012-09-03 2013-03-13 厦门盛华电子科技有限公司 Mobile phone user identification card with centrally-mounted decoder capable of supporting close range inductive coupling
CN203366367U (en) * 2013-07-08 2013-12-25 深圳市文鼎创数据科技有限公司 Multifunctional intelligent card
EP2733654A1 (en) * 2012-11-20 2014-05-21 Nagravision S.A. Electronic payment method, system and device for securely exchanging payment information
WO2014124405A2 (en) * 2013-02-08 2014-08-14 Schlage Lock Company Llc Control system and method
WO2014161883A1 (en) * 2013-04-04 2014-10-09 Certgate Gmbh Device having communications means and a receptacle for a chip card

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9324071B2 (en) * 2008-03-20 2016-04-26 Visa U.S.A. Inc. Powering financial transaction token with onboard power source
CA2799289A1 (en) * 2009-05-12 2010-11-18 Baruch Bouzaglo Parking management and billing
AU2012201745B2 (en) * 2011-03-24 2014-11-13 Visa International Service Association Authentication using application authentication element
US20130298208A1 (en) * 2012-05-06 2013-11-07 Mourad Ben Ayed System for mobile security

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2021011354A1 (en) * 2019-07-18 2021-01-21 Capital One Services, Llc Continuous authentication for digital services based on contactless card positioning
US11521213B2 (en) 2019-07-18 2022-12-06 Capital One Services, Llc Continuous authentication for digital services based on contactless card positioning

Also Published As

Publication number Publication date
GB201418052D0 (en) 2014-11-26
WO2016059546A1 (en) 2016-04-21

Legal Events

Date Code Title Description
WAP Application withdrawn, taken to be withdrawn or refused ** after publication under section 16(1)