US20230274277A1 - Identity management service via a user-level token - Google Patents
Identity management service via a user-level token Download PDFInfo
- Publication number
- US20230274277A1 US20230274277A1 US18/142,558 US202318142558A US2023274277A1 US 20230274277 A1 US20230274277 A1 US 20230274277A1 US 202318142558 A US202318142558 A US 202318142558A US 2023274277 A1 US2023274277 A1 US 2023274277A1
- Authority
- US
- United States
- Prior art keywords
- user
- computing system
- identity verification
- individual
- contextual data
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000012795 verification Methods 0.000 claims abstract description 233
- 238000000034 method Methods 0.000 claims description 98
- 230000004044 response Effects 0.000 claims description 19
- 241001155433 Centrarchus macropterus Species 0.000 claims description 11
- 230000008569 process Effects 0.000 description 73
- 238000012545 processing Methods 0.000 description 18
- 238000004891 communication Methods 0.000 description 12
- 238000010586 diagram Methods 0.000 description 11
- 230000006870 function Effects 0.000 description 8
- 230000000694 effects Effects 0.000 description 6
- 230000001413 cellular effect Effects 0.000 description 5
- 230000007246 mechanism Effects 0.000 description 4
- 238000004458 analytical method Methods 0.000 description 3
- QVFWZNCVPCJQOP-UHFFFAOYSA-N chloralodol Chemical compound CC(O)(C)CC(C)OC(O)C(Cl)(Cl)Cl QVFWZNCVPCJQOP-UHFFFAOYSA-N 0.000 description 3
- 230000009471 action Effects 0.000 description 2
- 230000000977 initiatory effect Effects 0.000 description 2
- 238000004900 laundering Methods 0.000 description 2
- APTZNLHMIGJTEW-UHFFFAOYSA-N pyraflufen-ethyl Chemical compound C1=C(Cl)C(OCC(=O)OCC)=CC(C=2C(=C(OC(F)F)N(C)N=2)Cl)=C1F APTZNLHMIGJTEW-UHFFFAOYSA-N 0.000 description 2
- 238000000926 separation method Methods 0.000 description 2
- LFQSCWFLJHTTHZ-UHFFFAOYSA-N Ethanol Chemical compound CCO LFQSCWFLJHTTHZ-UHFFFAOYSA-N 0.000 description 1
- 238000003491 array Methods 0.000 description 1
- 238000013475 authorization Methods 0.000 description 1
- 230000005540 biological transmission Effects 0.000 description 1
- 229940079593 drug Drugs 0.000 description 1
- 239000003814 drug Substances 0.000 description 1
- 238000011156 evaluation Methods 0.000 description 1
- 230000001815 facial effect Effects 0.000 description 1
- 230000010354 integration Effects 0.000 description 1
- 239000004570 mortar (masonry) Substances 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 230000002207 retinal effect Effects 0.000 description 1
- 230000001052 transient effect Effects 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/40—Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
- G06Q20/401—Transaction verification
- G06Q20/4014—Identity check for transactions
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/08—Payment architectures
- G06Q20/18—Payment architectures involving self-service terminals [SST], vending machines, kiosks or multimedia terminals
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/08—Payment architectures
- G06Q20/20—Point-of-sale [POS] network systems
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/382—Payment protocols; Details thereof insuring higher security of transaction
- G06Q20/3821—Electronic credentials
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/40—Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
- G06Q20/405—Establishing or using transaction specific rules
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q30/00—Commerce
- G06Q30/06—Buying, selling or leasing transactions
- G06Q30/0601—Electronic shopping [e-shopping]
- G06Q30/0609—Buyer or seller confidence or verification
Definitions
- Identity verification is necessary to ensure that an individual is who he or she purports to be.
- identity verification is often required by “know your customer” (KYC) or “customer identification program” (CIP) regulations.
- KYC and CIP programs are implemented to prevent identity theft, financial fraud, money laundering and terrorist financing.
- identity verification is used to perform many different functions in normal daily activities, such as making credit or debit card purchases, using an ATM, online shopping, purchasing a plane ticket, etc.
- additional information may be required by a user, such as membership numbers, frequent flier miles, age, personal identifying information, or other non-payment information.
- a user may be required to provide additional information, which may further require identity verification. Therefore, it would desirable to include non-identification information within identity management systems and methods.
- a computer implemented method performed by an identity verification computing system includes verifying the identity of an individual.
- Non-financial data is received from the individual, and a user-level profile is generated.
- the user-level profile includes the non-financial data received from the individual.
- a user-level token unique to the individual is further generated.
- the user-level token is associated with the generated user-level profile.
- the user-level token is provisioned to a device associated with the individual.
- An entity computing system receives an identity verification request including the user-level token, wherein the identity verification request is structured as a financial transaction card-originated message.
- the user-level token is validated and a context of the received user-level token is analyzed to determine a relevant non-financial data element included in the non-financial information within the user-level profile. Additionally, an identity verification approval is transmitted to the entity computing system, including the relevant non-financial data element.
- a system includes personal identifying information associated with an individual of the system.
- the system also includes an identity verification computing system.
- the identity verification computing system includes a processor and instructions stored in non-transitory machine-readable media. The instructions are configured to cause the identity verification computing system to verify the identity of the individual using the personal identifying information associated with the individual, and to receive non-financial data from the individual.
- a user-level profile is generated.
- the user-level profile includes the non-financial data received from the individual and is stored in a memory of the identity verification computing system.
- a user-level token unique to the individual is generated.
- the user-level token is associated with the generated user-level profile.
- the user-level token is transmitted to a device associated with the individual.
- An entity computing system receives an identity verification request including the user-level token, wherein the identity verification request is structured as a financial transaction card-originated message.
- the user-level token is validated, and contextual data is analyzed to determine the non-financial data relevant to the contextual data included in the non-financial information within the user-level profile.
- An identity verification approval is transmitted to the entity computing system which includes the relevant non-financial information.
- a system includes a network interface configured to communicate with an entity computing system via a network.
- An identity database stores verified personal identifying information relating to an individual.
- the system also includes a memory and at least one processor configured to verify the identity of the individual using the personal identifying information associated with the individual.
- Non-financial data is received from the individual.
- a user-level profile is generated.
- the user-level profile includes the non-financial data received from the individual.
- a user-level token unique to the individual is generated.
- the user-level token is associated with the generated user-level profile.
- the user-level token is transmitted to a device associated with the individual via the network.
- An entity computing system receives an identity verification request comprising the user-level token.
- the user-level token is validated and it is determined if the request includes contextual data.
- the contextual data is analyzed to determine the non-financial data relevant to the contextual data within the user-level profile, and an identity verification approval is transmitted to the entity computing system along with the relevant non-financial data.
- FIG. 1 is a block diagram of a data processing system, according to an embodiment.
- FIG. 2 is a flow diagram illustrating generation and provisioning of a user-level token to a user, according to an embodiment.
- FIG. 3 is a flow diagram of a method of processing an identity verification request, according to an embodiment.
- FIG. 4 A is a block diagram illustrating a card-based transaction message, according to an embodiment.
- FIG. 4 B is a block diagram illustrating an ISO 8583-compliant card-based transaction message, according to an embodiment.
- FIG. 5 is a flow diagram illustrating an example implementation of the method shown in FIG. 3 .
- FIG. 6 is a flow diagram illustrating an example implementation of the method shown in FIG. 3 .
- FIG. 7 is a flow diagram illustrating an example implementation of the method shown in FIG. 3 .
- FIs financial institutions
- KYC know your customer
- CIP Customer Identification Program
- FIs request and obtain access to substantial identifying information from new customers when accounts are opened, and may be particularly well-suited and trusted to perform accurate identity verification and related services.
- identity verification is performed in person, e.g., a banker compares a driver's license photo to the person standing in front of them as part of the account opening process.
- a trusted party e.g., an FI
- an entity e.g., a merchant
- the trusted party may be the most reliable source for storing additional information associated with the identity of an individual.
- an identity verification system may include multiple identity verification computing systems (e.g., associated with different FIs or other identity verification entities).
- An identity verification computing system may verify the identity of an individual and create a user-level token (“ULT”) for the individual.
- ULT may be linked to a ULT profile maintained by an FI, or other institution.
- the ULT profile may include personal or other information related to a user, including financial information and non-financial information.
- the ULT profile may also include non-financial information such as identity information of the user (age, address, name, height, weight, biometrics, etc.), non-financial account information (frequent flyer program information, rewards/loyalty program information, social media accounts, on-line service accounts such as online dating accounts, etc.), multiple IDs (personal, business, etc.), and so on. While this information may be generally provided by a user in many instances, the verification of the information by the FI will be more trusted due to the additional verification requirements provided by the FI.
- the ULT profile may also include financial information such as payment cards, account numbers, DDA accounts, credit information, etc.
- the ULT may then be pushed to a user device such as a smartphone.
- the ULT may be stored in a virtual passport on the user device, which includes an individualized (e.g., customer-specific) digital signature that is easy to verify by the identity verification computing system, but is also very difficult to reproduce by fraudsters.
- the virtual passport is implemented in a mobile wallet.
- the virtual passport may be used, for example, to verify an individual's identity to entities (e.g., merchants, currency exchanges, etc.), to objects (e.g., ATMs), to other individuals, etc.
- the virtual passport may include identification of the particular identity verification computing system that generated the virtual passport.
- An example virtual passport identity management system is described in U.S. patent application Ser. No. 14/937,210, entitled “Identity Management Service via Virtual Passport,” by Kurani et al., which is herein incorporated by reference in its entirety and for all purposes.
- the merchant transmits the ULT to the trusted third party via existing communication channels, such as a payment card network.
- the ULT may implemented in the form of a payment token used to make a credit card payment according to the EMV specification.
- the payment token may thus be used to effect payment as well as to provide other identity-related services.
- the ULT is different than the payment token.
- the ULT may be transmitted as part of an ISO 8583-compliant card-based transaction message, but may be different than the payment token.
- utilizing existing payment channels to provide identity verification improves an ability of a vendor to authenticate a customer automatically via a trusted third-party, such as an FI.
- Various embodiments enable value-add functionality to be provided by a FI to various vendors, thereby allowing for increased throughputs of transactions requiring authentication (e.g., by requiring fewer steps by the vendor) and/or additional non-financial information to be obtained at the time of the transactions.
- transactions may also be simplified, allowing for a more seamless customer experience.
- the embodiments described herein solve the technical and internet-centric problem of providing relevant financial and non-financial information related to an individual transaction. This is addressed by leveraging contextual information related to an individual transaction to automatically provide non-financial data, which is relevant to the transaction being performed, to a vendor initiating the transaction.
- a token may be provided by the customer to the vendor when initiating the transaction.
- the use of the token, in combination with contextual information associated with the vendor requesting verification of the token allows for a customized data message to be relayed to the vendor, including both financial and non-financial information. This provides a technical solution to the internet-centric challenge of automatically providing customized financial and non-financial information associated with a particular transaction.
- the ULT may be used in various different scenarios to enhance/streamline identity verification processes and provide other related services.
- a user may be at a merchant.
- the user may tap their phone at the point of sale (POS) device.
- the phone may communicate the user level token to the POS device.
- the merchant may communicate the ULT to the identity verification computing system via a card payment network.
- the identity verification computing system may access a user level profile associated with the ULT and return additional information to the merchant from the user level profile.
- the identity verification computing system may use various mechanisms to determine what information if any from the profile should be returned to the merchant.
- merchants that utilize the identity verification service may create a profile with the service that specifies what information the merchant wishes to have returned.
- the information that the merchant wishes to have returned may be specified in the identity verification request.
- the user may be provided with a dashboard that enables the user to specify controls over information that may be shared with merchants. For example, the user may specify that some merchants be permitted access to certain information, while other merchants are not to be permitted access to the same information.
- the ULT may be provisioned directly to the merchant.
- the merchant may be an online dating website.
- the user may be asked to use the user's phone to provide live video of the user (i.e., a video selfie) to the online dating service.
- the video selfie may then be provided to the identity verification service, which may compare the video against a photo of the user (e.g., the user's driver's license picture) to confirm the identity of the user.
- the identity verification service may confirm that information provided by the user to the online dating service (name, age, address/city of residence, gender, etc.) matches information in the user level profile for the user.
- the identity verification service may provide a merchant-specific ULT to the merchant.
- the merchant may then periodically confirm with the identity verification service that the ULT is still valid. For example, if the user passes away, the ULT for the online dating service may be rendered invalid on that basis.
- FIG. 1 is a block diagram of a user authentication system 100 , according to an embodiment.
- the user authentication system 100 includes a user 102 , an identity verification computing system 104 , and an entity computing system 106 .
- the user 102 , the identity verification computing system 104 , and the entity computing system 106 may communicate directly or through a network 108 , which may include one or more of the Internet, cellular network, Wi-Fi, Wi-Max, a proprietary banking network, or any other type of wired or wireless network.
- a network 108 may include one or more of the Internet, cellular network, Wi-Fi, Wi-Max, a proprietary banking network, or any other type of wired or wireless network.
- data transmitted between any of the user 102 , the identity verification computing system 104 , and the entity computing system 106 may be encrypted or otherwise cryptographically protected.
- the user 102 may be associated with a user device 110 .
- the user device 110 is a device configured to communicate with the entity computing system 106 .
- the user device 110 communicates directly with the entity computing system 106 .
- the user device 110 may communicate wirelessly to the entity computing system 106 , such as via Wi-Fi, Bluetooth, Near Field Communication (NFC), Zigbee, IR, RF, Cellular (3G, 4G, LTE, CDMA), etc.
- a display on the user device 110 may generate a machine readable image which may be readable by the entity computing system 106 , such as a bar code, a QR code, or other machine readable image.
- the machine readable image may contain user related data, such as a user-level token (ULT).
- the user device 110 communicates with the entity computing system 106 via the network 108 .
- the user device 110 may communicate with the network 108 via a wireless connections, such as Wi-Fi, Wi-Max, cellular (3G, 4G, LTE, CDMA, GSM, etc.), Zigbee, LoRA, Bluetooth, IR, RF, or other applicable wireless protocol.
- the user device 110 may communicate with the network 108 via a wired connection, such as via Ethernet, a LAN, a WAN, Firewire, USB, or other applicable wired interface.
- the user device 110 may be, but is not limited to a phone (e.g., iPhone, Android Phone, Windows Phone, or other smartphone), a mobile computing device (e.g. tablet computer, laptop computer, personal digital assistant, netbook, etc.), a desktop computing device, a wearable computing device, or the like.
- the user 102 may be associated with the user device 110 , such that the user device 110 is utilized for authentication purposes.
- the user device 110 may include an input device for the user to enter a password, a fingerprint scanner to scan a finger print, etc., and authentication of the user by the user device 110 may be leveraged to facilitate authentication of the user to the entity computing system 106 . In other arrangements, however, multiple users are associated with the same user device 110 .
- a husband and wife may be associated with the same tablet computer.
- the husband and wife may have separate accounts, or log-ins, on the same user device 110 .
- the user 102 uses multiple user devices 110 , or the user device 110 may be a public computing device used by a number of persons.
- the user device 110 is shown to include a network interface circuit 112 and a user authentication circuit 114 .
- the network interface circuit 112 is configured to facilitate data communication to and from other devices via the network 108 .
- data passing through the network interface circuit 112 is encrypted.
- the network interface circuit 112 may include any combination of wired network 108 protocols (e.g., Ethernet, USB, Thunderbolt, Firewire, etc.), and wireless network protocols, such as Wi-Fi, Bluetooth, cellular (3G, 4G, LTE, CDMA, GSM, etc.), Zigbee, LoRA, etc.
- the user authentication circuit 114 is structured to allow the user device 110 to communicate data to and from the identity verification computing system 104 via the network interface circuit 112 and the network 108 .
- the user authentication circuit 114 may include a user interface that permits the user 102 to provide information to the identity verification computing system 104 via the user device 110 .
- the user authentication circuit 114 may also be utilized to display messages and other prompts from the identity verification computing system 104 .
- the user 102 may utilize the user authentication circuit 114 to establish a user account with the identity verification computing system 104 , or to request authentication services on behalf of the user 102 .
- the user authentication circuit 114 may store one or more user-level tokens 116 .
- the user authentication circuit 114 includes programming instructions stored in a memory of the user device 110 that is executed locally on the user device 110 (e.g., as a smartphone application).
- the user authentication circuit 114 may be or include, a mobile banking application associated with the identity verification computing system 104 .
- the user authentication circuit 114 includes a web-based interface application accessed via the network 108 (e.g. the Internet), such as by a web browser executed on the user device 110 .
- the user authentication circuit 114 may be executed and/or maintained remotely by the identity verification computing system 104 . In this instance, the user 102 logs onto or accesses the web-based interface to access the user authentication circuit 114 .
- the user authentication circuit 114 is supported by a separate computing system comprising one or more servers, processors, network interface circuits, etc.
- the user authentication circuit 114 includes or utilizes an application programming interface (API) and/or a software development kit (SDK) that facilitates the integration of other applications (e.g., a mobile banking application, a mobile wallet application, a virtual passport application, a third party provider application, etc.) with the user authentication circuit 114 .
- API application programming interface
- SDK software development kit
- the identity verification computing system 104 and the entity computing system 106 may each include a computer system (e.g., one or more servers, each with one or more processing circuits), each including a processor and memory.
- the processors may be implemented as application specific integrated circuits (ASICs), one or more field programmable gate arrays (FPGAs), a group of processing components, or other suitable electronic processing components.
- the memory may be one or more devices (e.g., RAM, ROM, Flash memory, hard disk storage, etc.) for storing data and/or computer code for completing and/or facilitating the various processes described herein.
- the memory may be or include non-transient volatile memory, non-volatile memory, and non-transitory computer storage media.
- the memory may include data base components, object code components, script components, or any other type of information structure for supporting the various activities and information structures described herein.
- the memory may be communicably connected to the processor and include computer code or instructions for executing one or more processes described herein.
- the identity verification computing system 104 and the entity computing system 106 may each include server-based computing systems, for example, comprising one or more networked computer servers that are programmed to perform the operations described herein.
- the identity verification computing system 104 and the entity computing system 106 may each be implemented as distributed computer systems where each function is spread over multiple computer systems.
- the identity verification computing system 104 is managed by a third-party service provider to provide identity verification services to various entities.
- the entity computing system 106 may utilize the identity verification computing system 104 to verify that the user 102 is who he or she purports to be.
- the entity computing system 106 may wish to verify the identity of the user 102 for any of various reasons, such as to prevent payment (e.g., credit card) fraud, banking fraud, identity fraud, illegal activity (e.g., harassment, scams, money laundering, etc.), catfishing, sockpuppetry, underage signups, spamming, etc.
- payment e.g., credit card
- banking fraud e.g., identity fraud
- illegal activity e.g., harassment, scams, money laundering, etc.
- catfishing e.g., sockpuppetry
- underage signups e.g., harassment, scams, money laundering, etc.
- the identity verification computing system 104 may be a trusted third-party computing system that is configured to verify that the user 102 is who he or she purports to be.
- the identity verification computing system 104 may provide identity verification services through an API.
- an API is a software-to-software interface that allows computing systems of two different entities to communicate with each other.
- the API of the identity verification computing system 104 may be used by the entity computing system 106 and other entities to verify the identities of individuals.
- the identity verification computing system 104 may distribute a software development kit (SDK) to allow the customers to better integrate the API into their websites and applications.
- SDK software development kit
- Some embodiments may include multiple identity verification computing systems 104 .
- the identity verification computing system 104 may be managed by an FI, a governmental institution, a credit bureau, a dedicated identity verification service provider, or another type of business or entity.
- the identity verification computing system 104 may be managed by an FI that provides banking services (e.g., deposit account services, credit account services, brokerage account services, etc.) to individuals and entities, such as the user 102 .
- banking services e.g., deposit account services, credit account services, brokerage account services, etc.
- the identity verification computing system 104 e.g., FI
- the identity verification computing system 104 already has a significant amount of information regarding the individual's identity, which has been collected through the onboarding process for opening an account with the FI.
- the user 102 may be required to provide certain personal information, such as a legal name, address, contact information, driver's license number, tax identification number, social security number, and the like.
- the personal information provided during the onboarding process was previously verified prior to permitting the user 102 to open an account with the FI. Such information may be provided in connection with KYC and/or CIP regulations.
- the identity verification computing system 104 includes an identity database 118 , a user-level profile database 120 , a network interface circuit 122 , and an identity verification circuit 124 .
- the identity database 118 stores information relating to the identities of individuals, customers, users, account holders, etc.
- the identity database 118 may also store information relating to the identity service.
- the user-level profile database 120 stores information relating to generated user-level profiles for each user 102 .
- the user-level profiles may include additional information about a user 102 , such as identity information of the user 102 (age, address, name, height, weight, biometrics, etc.), non-financial account information (frequent flyer program information, rewards/loyalty program information, social media accounts, on-line service accounts such as online dating accounts, etc.), multiple IDs (personal, business, etc.).
- identity information of the user 102 age, address, name, height, weight, biometrics, etc.
- non-financial account information frequent flyer program information, rewards/loyalty program information, social media accounts, on-line service accounts such as online dating accounts, etc.
- multiple IDs personal, business, etc.
- the user-level profile database 120 may be in communication with the identity database 118 , and may initially populate a user-level profile for the user 102 with data contained in the identity database 118 .
- the identity database 118 and the user-level profile database 120 may be part of the same database schema.
- the network interface circuit 122 facilitates data communications to and from the identity verification computing system 104 .
- the network interface circuit 122 includes hardware (e.g., Ethernet controller, memory, etc.) and software necessary to facilitate data communications for the identity verification computing system 104 over the network 108 .
- data passing through the network interface circuit 122 is encrypted.
- the network interface circuit 122 may include any combination of wired network protocols (e.g., Ethernet, USB, Thunderbolt, Firewire, etc.), and wireless network protocols, such as Wi-Fi, Bluetooth, cellular (3G, 4G, LTE, CDMA, GSM, etc.), Zigbee, LoRA, etc.
- the identity verification circuit 124 is structured to generate and manage user-level profiles and user-level tokens 116 for individuals, and to verify the identity of individuals. For example, the identity verification circuit 124 may generate a user-level profile for the user 102 , based on various types of personal identifying information, as described above. In some embodiments, the identity verification circuit 124 populates a user-level profile for the user 102 based on user information already stored in the identity database 118 that is related to the user 102 . In further embodiments, the user 102 may be able to provide information to the identity verification circuit 124 , such as via the user device 110 , for populating the user-level profile.
- the user authentication system 100 may include multiple identity verification computing systems 104 and multiple entity computing systems 106 .
- the entity computing system 106 may include an identity verification circuit 128 , a network interface circuit 130 and a point-of-sale (POS) system 132 .
- the identity verification circuit 128 is structured to verify the identity of individuals via operative communication with the identity verification circuit 124 of the identity verification computing system 104 .
- the identity verification circuit 128 may be structured to analyze information received from the user 102 to format and send API calls to the identity verification computing system 104 to verify the identity of individuals.
- the network interface circuit 130 facilitates data communications to and from the entity computing system 106 .
- the network interface circuit 130 includes hardware (e.g., Ethernet controller, memory, etc.) and software necessary to facilitate data communications for the entity computing system 106 over the network 108 .
- identity verification may be facilitated through the POS system 132 of the entity computing system 106 .
- a user-level token is transmitted to the identity verification computing system 104 , and the identity of the user 102 is authenticated, in-whole or in-part, via the user-level token.
- the POS system 132 may include a cash register system operated by the entity computing system 106 .
- a user-level token may be transmitted from the user device 110 to the POS system 132 , and from the POS system 132 to the identity verification computing system 104 .
- the POS system 132 may include a backend server system that provides a website (e.g., an online shopping web site) and/or a mobile application (e.g., a smartphone application, a tablet application, etc.) associated with the entity computing system 106 .
- a mobile application e.g., a smartphone application, a tablet application, etc.
- Other embodiments may not include a POS system 132 .
- the entity computing system 106 may be operated by an individual, and identity verification may be facilitated via a device (e.g., smartphone) of the individual rather than the POS system 132 .
- a user-level token may be transmitted from the user device 110 to the identity verification computing system 104 without being routed through the POS system 132 , e.g., in embodiments where a payment card network is not utilized to transmit the ULT.
- the POS system 132 includes additional information related to the POS system 132 .
- the POS system 132 may have information related to the type of POS system 132 (e.g. ATM, back-end server, cash register, etc.), location of the POS system 132 , etc.
- the entity computing system 106 itself generates additional information.
- the entity computing system 106 may generate contextual information such as location of the user 102 , the type of transaction being performed by the user 102 (e.g. online purchase, identity verification request, etc.), and/or third party identification information (e.g. subscription services such as an online dating site, age restricted content provider, age restricted vendors, etc.), which may all provide contextual information to the identity verification computing system 104 .
- third party identification information e.g. subscription services such as an online dating site, age restricted content provider, age restricted vendors, etc.
- FIG. 2 a flow diagram illustrating the generation and provisioning of a ULT to a user 102 is shown, according to an embodiment.
- the method 200 is discussed below in connection with the user authentication system 100 of FIG. 1 . More specifically, the method 200 may be performed by the identity verification computing system 104 of FIG. 1 . However, it should be understood that the method 200 may be performed by other systems and devices.
- a user may request a ULT.
- the user 102 requests the ULT via a user device, such as user device 110 , described above.
- the user 102 may request a ULT from the identity verification computing system 104 by accessing a smartphone application associated with the identity verification computing system 104 , such as mobile banking application, or mobile wallet application.
- the user 102 accesses the identity verification computing system 104 by logging into a web-based application (e.g. website) associated with the identity verification computing system 104 .
- a web-based application e.g. website
- other methods of requesting a ULT may also be used.
- the process 200 determines if the user 102 has an existing account with the institution associated with the identity verification computing system 104 .
- the process 200 may determine if the user 102 has an existing account with the financial institution, such as a savings account, a checking account or a brokerage account. If the user 102 does not have an existing account or relationship with the institution associated with the identity verification computing system 104 , the user 102 may be instructed to set up a user account at process block 206 . Where the institution is an FI, the user 102 may be required to provide identifying information to allow the identity verification computing system 104 to initially verify the identity of the user 102 .
- the identifying information may include authentication credentials and information that may be used by the identity verification computing system 104 to authenticate the user 102 .
- Example identifying information may include legal name, address, date of birth, contact information, driver's license number, tax identification number, social security number, and the like.
- the personal identifying information provided during the new account opening process is verified prior to the user 102 being permitted to open an account with the institution. Such information may be provided in connection with KYC and/or CIP regulations.
- the identity of the user 102 requesting the ULT is verified at process block 208 .
- the identity of the user 102 is verified using personal identifying information supplied by the user 102 when setting up the account with the institution. Once the identity of the user 102 has been verified, the user 102 may be instructed to provide non-financial data at process block 210 .
- Non-financial data may include non-financial information such as various identity information of the user 102 (height, weight, biometrics, etc.), non-financial account information (frequent flyer program information, rewards/loyalty program information, social media accounts, on-line service accounts such as online dating accounts, etc.), multiple IDs (personal, business, etc.), or other relevant non-financial data.
- the user 102 may also provide permissions associated with the provided non-financial data. The permissions may be provided by the user 102 to instruct the identity verification computing system 104 as to what non-financial data may be provided to a third party.
- the user 102 may specify what non-financial data should not be shared with any third party; however, in other examples, the user 102 may specify what non-financial data is accessible to different types of third parties. For example, the user 102 may specify that a financial institution may have access to any of the supplied non-financial data that is requested, but restrict what non-financial data a point-of-sale third party (e.g. consumer stores) may have access to. For example, the user 102 may not allow a point-of-sale third party to have access to user-level information such as credit scores.
- a point-of-sale third party e.g. consumer stores
- the process can generate a user-level profile associated with the user 102 at process block 212 .
- the user-level profile is stored in the user-level profile database 120 .
- the non-financial data processing circuit 126 may generate the user-level profile based on the non-financial data provided by the user 102 .
- the user 102 may already have an existing user-level profile.
- the user 102 may be able to provide additional non-financial data to the identity verification computing system 104 , which may process the data using the non-financial data processing circuit 126 , and subsequently update the user-level profile associated with the user 102 .
- the user-level profile may include all the non-financial data provided by the user 102 at process block 210 , as well as identifying information previously associated with the user 102 that was provided to set up the initial account.
- the user-level profile may further include information related to permissions provided by the user 102 .
- the non-financial data processing circuit 126 may generate a unique ULT associated with the generated user-level profile for the user 102 .
- the ULT may be formatted the same as a tokenized primary account number (“TPAN”), or payment token.
- TPAN tokenized primary account number
- the ULT is associated directly with the institution generating the ULT.
- the ULT may include a prefix, such as a bank identification number (“BIN”), which defines where the ULT should be routed when presented by the user 102 .
- the ULT is stored in a token vault, which maps the ULT to a given user-level profile.
- the token vault may be stored in the user-level profile database 120 .
- the ULT may be managed by an external token service provider (“TSP”).
- TSP external token service provider
- the non-financial data processing circuit 126 may further generate sub-ULTs for different identities associated with the user 102 .
- the sub-ULTs can be structured to return different types of information, based on context.
- the user 102 may structure the different identities to correspond with different transactions.
- the user 102 may structure one identity to be used with social media services, such as blogs, dating websites, etc.
- the identity associated with the social media services may be configured to only provide verification of the identity of the user 102 , and, where required, other basic information, such as the age of the user 102 .
- the user 102 may structure a separate identity to be used with purchases.
- the identity associated with making purchases may be configured to provide verification of the identity of the user 102 , as well as other information, such as age verification, loyalty program information, and/or credit information.
- the user 102 may create as many sub-ULTs as needed for different services/entities.
- the ULT may be provisioned to the user 102 at process block 216 .
- the ULT may be transmitted to the user device 110 by the identity verification computing system 104 , via the network 108 .
- the identity verification computing system 104 may push the ULT directly to the user device 110 .
- the user 102 may need to perform a specific action to get the ULT provisioned to the user device 110 .
- the user 102 may need to log into their account with the institution that generated the ULT in order to download the ULT onto the user device 110 .
- the ULT is stored in the user authentication circuit 114 of the user device 110 .
- the ULT may be stored in a mobile wallet or other application running on the user device 110 .
- FIG. 3 a flow diagram illustrating the processing of a ULT provided by a user is shown, according to an embodiment.
- the method 300 is discussed below in connection with the user authentication system 100 of FIG. 1 . More specifically, the method 300 may be performed by the identity verification computing system 104 of FIG. 1 . However, it should be understood that the method 300 may be performed by other systems and devices.
- an identity verification request containing a ULT is received by the identity verification computing system 104 .
- the user 102 may present the ULT to the POS system 132 .
- the user 102 may tap the user device 110 against the POS system 132 to transmit the ULT.
- the ULT may be able to be transmitted via NFC, Bluetooth, or other wireless transmission protocols.
- the user 102 may provide the ULT as a machine readable code (e.g. barcode or QR code) displayed on a user interface of the user device 110 , which can then be read by the POS system 132 .
- the POS system 132 may then transmit the ULT to the identity verification computing system 104 via the network 108 .
- the machine readable code may be read by another user device, such as a separate smartphone.
- the user 102 may transmit the ULT to the entity computing system 106 , via the network 108 .
- the entity computing system 106 may then transmit the ULT to the identity verification computing system 104 via the network 108 .
- the parameters of the user device 110 may be verified to ensure that proper security is active on the user device 110 .
- the identity verification computing system 104 verifies that there the user device 110 is only accessible by authorized users 102 .
- the identity verification computing system 104 may verify that the user device 110 has a lock mechanism in place, such that an unlock code must be provided to access the user device 110 .
- Example unlock codes may include PIN numbers, passwords, fingerprint scans, retinal scans, facial recognition scans, security tokens, or other applicable unlock codes.
- a message may be sent to the user 102 requiring the user 102 to provide additional authentication information to verify that the user 102 is in possession of the user device 110 when the ULT 118 is used.
- the user may be required to use the phone to provide the identity verification computing system 104 with live video of the user's face, which may then be compared by the identity verification computing system 104 to a previously stored photograph of the user (e.g., the photograph in the user's driver's license).
- the ULT is received from a device that is known and authenticated by the identity verification computing system 104 .
- the ULT may be received from the POS system 132 (e.g., identified by a unique identifier), which has been verified by the identity verification computing system 104 as being securely managed by a particular merchant.
- the ULT and/or other data transmitted to and from the identity verification computing system 104 is encrypted or otherwise cryptographically protected.
- the POS system 132 signs the ULT with its public/private key pair and a public key associated with the identity verification computing system 104 .
- the identity verification computing system 104 may then decrypt the ULT with its private key and the public key of the POS system 132 .
- the identity verification request can be transmitted using an existing payment channel.
- the entity computing system 106 may transmit the identity verification request to the identity verification computing system 104 in a standard card-based transaction message.
- the identity verification request may be part of the general message derived from a card-based transaction (e.g. credit card transaction, debit card transaction, etc.).
- a typical card-based transaction message may include information derived from the card associated with the transaction (e.g. an account number associated with the card), the point-of-transaction terminal (e.g. entity computing system 106 ) identifier, such as a merchant ID, transaction information, as well as other data which can be generated or added by intervening systems.
- the entity computing system 106 may include additional information into the card-based transaction message.
- the card-based transaction message 400 can include a card information portion 402 , a point-of-transaction identification information portion 404 , a transaction information portion 406 and a POS data portion 408 .
- the card information portion 402 can include information about the card (e.g. the payment mechanism), such as an account number.
- the card information portion 402 can be configured to include a ULT associated with the user 102 , such as the ULT 116 described above.
- the ULT is formatted the same as a personal account number (PAN).
- PAN personal account number
- TPAN tokenized account number
- the ULT can be transmitted via a payment card network using the standard card-based transaction message 400 . While the ULT is discussed as formatted as a PAN and/or TPAN above, it is contemplated that the ULT can be formatted similar to other known card-identification messages.
- the point-of-transaction identification information portion 404 can include various information associated with the point-of-transaction (e.g. entity computing system 106 ).
- the point-of-transaction identification information portion 404 can include a merchant ID number.
- the point-of-transaction identification information portion 404 may also include merchant information, such as merchant type (e.g. physical location, internet-based entity, etc.), merchant location, or other general merchant information.
- the transaction information portion 406 may include information about the transaction, such as the amount of the transaction, the time of the transaction, etc.
- the POS data portion 408 may include various information related to the transaction.
- the POS data portion 408 may include contextual data related to the transaction, such as the type of purchase being made, the type of merchant (e.g.
- the POS data portion 408 may include a ULT associated with the customer.
- a ULT associated with the customer may be inserted into the POS data portion 408 of the message instead of, or in combination with, the card information portion 402 , as described above.
- the ULT can be provided to a system, such as identity verification computing system 104 , using a typical card-based payment communication scheme.
- the card-based transaction message may be formatted as an ISO 8583-compliant message.
- ISO 8583 defines message formats and communication flows to allow for different types of systems to perform card-based transactions.
- FIG. 4 B an exemplary ISO 8583-compliant card-based transaction message 450 is shown, according to some embodiments.
- the ISO 8583-compliant message 450 may include a message type indicator 452 , one or more bitmaps 454 , and a number of data elements 456 .
- the message type indicator 452 is a four digit numerical field, which may be used to classify the high level function of the message.
- the message type indicator 452 can be used to indicate the ISO 8583 version of the ISO message 450 .
- the message type indicator 452 can further be used to indicate a class of the message. For example, whether the message is an authorization message, a financial message, a reconciliation message, an administrative message, or any other message class utilizing ISO 8583 messages.
- the message type indicator 452 can further be used to indicate a function of the message to define how the message should flow within a system.
- Message functions can include requests (end-to-end messages), or advices (point-to-point messages). Additionally, message functions may include notifications, and/or instructions.
- the message type indicator 452 can be used to indicate a message origin. The message origin may be with an acquirer, an issuer, or other entity.
- the bitmaps 454 may be configured as a field or sub-field within the message which can indicate which data elements 456 or data element subfields may be present in a message.
- the bitmaps 454 may include a primary bitmap, which can indicate which of data elements 456 one to sixty-four are present. Additional bitmaps 454 (secondary, tertiary, etc.) can further be used to indicate which data elements 456 beyond sixty-four are present in the message.
- a specific data element 456 is only present when a specific bit in the bitmap is “true.”
- the bitmap may be expressed as a binary value, such as an eight byte message, a hexadecimal value, an ASCII character set, or an EBCDIC character set.
- the data elements 456 may include a number of individual fields containing information about the transaction. For example, in some ISO 8583-compliant messages, there may be up to one-hundred ninety-two data elements 456 ; however more or fewer data elements 456 are also contemplated.
- the data elements 456 may include specific data elements, general purpose data elements, system-specific data elements, and/or country-specific data elements. Further, each individual data element 456 may be described using a standard format which can define the permitted content of the field (e.g. numeric value, binary value, hexadecimal value, alpha-numeric value, etc.) and a field length (e.g. variable length or fixed length).
- the data elements 456 may include contextual data which may be processed by a FI or other system, such as identity verification computing system 104 .
- data elements 456 may provide a time of transaction, a date of a transaction; a merchant type, a payee; an account identification, a custom field, or any other data element field available in the data element 456 .
- a ULT such as ULT 116 , may be transmitted as a data element within the data elements 456 .
- the ULT could be provided as a primary account number (PAN) (data field 2 ) data element, an extended PAN (data element 34 ), or as a custom or private data elements (e.g. via data element 48 , 61 , etc.).
- PAN primary account number
- data element 34 data element 34
- custom or private data elements e.g. via data element 48 , 61 , etc.
- a common messaging format over an existing card-based transaction network can be utilized to provide a ULT, along with contextual data, to an identity verification computing system, such as identity verification computing system 104 . While the above examples illustrate transmitting a ULT and contextual data over known card-based transaction messages, it is contemplated that other card-based transaction messages may be used to transmit the ULT and/or contextual data from the entity computing system 106 to the identity verification computing system 104 .
- the ULT may be analyzed to determine if the ULT is valid.
- the identity verification circuit 124 analyzes the ULT to determine if it is valid. For example, the identity verification circuit 124 may evaluate the ULT to determine if it has expired. To determine if the ULT has expired, the identity verification circuit 124 may access the token vault used to store the ULT. In other embodiments, the identity verification circuit 124 may communicate with a TSP responsible for managing the ULT to determine if the ULT is still valid. In still further embodiments, the identity verification circuit 124 may evaluate other data provided with the ULT, such as biometric data (e.g. fingerprint or eye scans), to determine if the ULT is valid. While the above examples describe the identity verification circuit 124 determining the validity of the ULT, it is contemplated that other components within the identity verification computing system 104 may be used to verify the validity of the ULT.
- biometric data e.g. fingerprint or eye scans
- the identity verification computing system 104 may transmit a message to the user 102 and/or the entity computing system 106 that the ULT is invalid at process block 306 . If the ULT is determined to be a valid ULT at process block 304 , the identity verification computing system 104 can determine if any contextual data was received along with the identity verification request and the ULT. Contextual data may include geo-location of where the ULT was presented to the entity computing system 106 , information relating to the type of entity computing system 106 that first received the ULT (e.g. ATM, POS station, on-line store, etc.).
- Contextual data may include geo-location of where the ULT was presented to the entity computing system 106 , information relating to the type of entity computing system 106 that first received the ULT (e.g. ATM, POS station, on-line store, etc.).
- the identity verification computing system 104 may analyze other information, such as the previous transaction history of the user 102 to further determine if there is any applicable contextual data associated with the request.
- the non-financial data processing circuit 126 determines if there is any contextual data associated with the request.
- other components within the identity verification computing system 104 may also determine if there was contextual information associated with the request.
- the identity verification circuit 124 is structured to infer contextual information based on the received ULT. For example, in some embodiments, the identity verification circuit 124 defines contextual information based on the device from which the ULT was received.
- the identity verification circuit 124 analyzes an address or other unique identifier (e.g., MAC address, IP address, etc.) of the device from which the ULT was received.
- the ULT is digitally signed, and the identity verification circuit 124 is structured to verify the digital signature prior to evaluating the ULT. The evaluation of contextual data will be examined more in the examples that follow.
- the identity verification computing system 104 determines that no contextual data was provided with the request, the identity verification computing system 104 simply processes the received request (e.g. identity verification) without providing any additional information to the entity computing system 106 , at process block 310 .
- the identity verification computing system 104 may provide an identity verification approval to the entity computing system 106 if the ULT received at 302 matches a valid user-level profile. If the identity verification computing system 104 does determine that contextual data is associated with the request, the identity verification computing system 104 may then determine if there is any relevant non-financial data that can be provided to the entity computing system 106 based on the contextual data, at process block 312 .
- the identity verification computing system 104 may access non-financial data associated with the user-level profile for the user 102 to determine if there is any relevant data. For example, if the entity computing system 106 is associated with an airline, the request may contain contextual information such as the identification of the entity computing system 106 being a ticketing kiosk within an airport. The identity verification computing system 104 may subsequently process the request, and provide the processed request to the entity computing system 106 , along with additional non-financial data based on the provided contextual data, at process block 314 .
- the identity verification computing system 104 may provide the processed request to the entity computing system 106 , along with a frequent flier account number of the user 102 associated with the airline.
- the frequent flier account number may be provided based on a pre-configured profile set up by the requester with the identity verification computing system 104 specifying what additional information should be returned in response to an identity verification request.
- the frequent flier account number may be provided responsive to a request within the identity verification request requesting that the frequent flier account number be returned.
- the identity verification computing system 104 is preconfigured to provide certain user data to the entity computing system 106 based on the type of entity computing system 106 that is transmitting the ULT. For example, the identity verification computing system 104 may be pre-configured to respond with a frequent flier account number where the entity computing system 106 is related to an airline. Each merchant that utilizes the identity verification system 104 may be provided with the ability to configure a merchant profile that specifies what information the merchant wishes to receive in connection with responses to identity verification requests. In other embodiments, the submitted request may specify the information that the merchant wishes to receive. In other embodiments, the identity verification computing system 104 may make logical decisions as to what non-financial data to provide based on the received contextual data.
- the ULT is used to provide heightened authentication at a third-party ATM, e.g., to allow the user to withdraw an amount of funds in excess of normal withdrawal limits.
- the ATM is referred to as “third party” in the sense that the FI that provides the ATM is different than an FI that provides the identity verification computing system 104 .
- the user 102 may transmit a ULT 503 to the ATM (e.g., which may be part of the entity computing system 106 , which is assumed for purposes of the present example to be operated by another FI).
- the user 102 may wirelessly transmit the ULT 503 to the ATM using a user device, such as the user device 110 described above.
- the ATM may receive the ULT 503 at process block 504 , and subsequently analyze the ULT 503 at process block 506 .
- the ATM analyzes the ULT 503 to determine where the ULT 503 should be sent to verify the identity of the user 102 .
- the ATM may analyze an identification portion of the ULT 503 , such as an embedded BIN number of the ULT 503 , to determine where the ULT 503 should be sent for processing.
- the ATM may then transmit the ULT 503 to the appropriate FI (e.g.
- the ATM transmits the ULT 503 to the identity verification computing system 104 with additional data, such as an ATM identifier, a FI responsible for the ATM, a location of the ATM, etc.
- additional data such as an ATM identifier, a FI responsible for the ATM, a location of the ATM, etc.
- the ATM transmits the ULT 503 and the additional data to the identity verification computing system 104 as a ULT data packet 507 at process block 508 .
- the identity verification computing system 104 receives the ULT data packet 507 at process block 510 .
- the FI analyzes the ULT data packet 507 to verify that the ULT 503 is a valid ULT 503 .
- the FI may then evaluate the additional data in the ULT data packet 507 at process block 514 .
- the identity verification computing system 104 may then access the identity verification request and the user's account to determine if a specific response should be provided to the ATM. For example, the identity verification computing system 104 user 102 may determine that the user wishes to withdraw an amount of funds in excess of normal withdrawal limits.
- the identity verification computing system 104 may then send a photo of the user obtained from the user's driver's license to the entity computer system 106 .
- the photograph of the user may have been obtained during opening of an account for the user at the FI, e.g., for purposes of compliance with CIP/KYC requirements.
- the identity verification computing system 104 transmits a processed request 518 to the entity computer system 106 .
- the processed request 518 may include a verification of the ULT, as well as a picture of the user 102 (e.g., obtained from the user's driver's license).
- the entity computer system 106 may then receive and process the processed request 518 , at process block 520 .
- the entity computer system 106 may compare the photo of the user from the user's driver's license with image data of the user obtained by the ATM.
- the ATM may provide the results of the processed request 518 to the user 102 , via a user interface on the ATM. For example, if the user 102 wished to withdraw an amount of cash over normal ATM withdrawal transaction limits, the cash may be dispensed to the user by the ATM. The transaction may then be completed at process block 522 .
- the entity computer system 106 may be operated by a merchant, and the comparison of the photo from the user's driver's license may be compared by the entity computer system 106 with live image information of the user obtained by mechanisms other than an ATM for identity verification purposes.
- the user 102 may transmit a ULT 604 to a non-FI controller (e.g. an entity computing system 106 ), such as an airline kiosk.
- a non-FI controller e.g. an entity computing system 106
- the user 102 may wirelessly transmit the ULT 604 to the airline kiosk using a user device 110 , as described above.
- the airline kiosk may receive the ULT 604 at process block 606 .
- the airline kiosk may then process the ULT 604 at process block 608 .
- the airline kiosk may analyze the ULT 604 to determine what financial institution (or other identity verifying service) the ULT 604 is associated with.
- the kiosk can transmit the ULT 604 to the appropriate institution (e.g. the identity verification computing system 104 ) at process block 610 .
- the airline kiosk may add additional information to the ULT 604 prior to transmitting the ULT 604 to the institution. For example, the airline kiosk may simply put a return address (e.g. the airline kiosk, the entity computing system in general, etc.). Other examples of additional data may include specific requests, or transaction information (e.g. ticket purchase, airline check-in, boarding pass details, etc.).
- the ULT 604 and additional data are combined in a ULT data packet 612 .
- the ULT data packet 612 is received by the identity verification computing system 104 at process block 614 .
- the institution may then verify the ULT 604 at process block 616 .
- the institution may process the additional data stored in the ULT data packet 612 .
- the institution may determine that the ULT 604 was presented to an airline kiosk.
- the institution may then access the user-level profile of the user 102 associated with the ULT to determine if there is any relevant data within the user-level profile based on the additional data.
- the institution may determine that the user 102 has a frequent flier account associated with the airline transmitting the ULT 604 .
- the institution may generate a response packet 622 as part of transmitting the processed request.
- the response packet 622 includes an authentication result indicator (e.g., a binary YES/NO), indicating whether the ULT provided to by the user 102 is a valid ULT.
- the response packet 622 may include identity information for the user 102 .
- the response packet 622 may include a name and address of the user 102 that provided the ULT.
- the response packet 622 may include a tokenized verification of the ULT 604 , as well as additional non-financial data, such as the above-mentioned frequent flier account number. However, other non-financial data may be transmitted as well.
- the response packet 622 may include a tokenized primary account number (TPAN) of one of the payment cards of the user 102 to allow for in-flight purchases.
- TPAN tokenized primary account number
- this may be a time-limited TPAN, such that the TPAN is only good for the duration of the flight of the user 102 .
- the airline kiosk may require character limited return messages.
- the institution may be able to include an indication, such as a token, indicator, or pointer, to access an API of the institution to retrieve the additional information.
- the indication may instruct the airline kiosk (or other third party entity computing system) to access other conduits to retrieve the information.
- the response packet 622 may then be transmitted to the airline kiosk at process block 620 , and received by the airline kiosk at process block 624 .
- the airline kiosk may then complete the transaction at process block 626 .
- the user 102 may transmit a ULT 704 to a non-financial institution controller (e.g. an entity computing system 106 ), such as a point-of-sale (POS) device.
- a non-financial institution controller e.g. an entity computing system 106
- the POS device may be a POS device as used in a brick-and-mortar store.
- the POS device is an online POS device used for making purchases via the internet.
- the user 102 may wirelessly transmit the ULT 704 to the POS device using a user device, such as user device 110 described above.
- the POS device may receive the ULT 704 at process block 706 .
- the POS device may then analyze the ULT 704 at process block 708 .
- the POS device may analyze the ULT 704 to determine what FI (or other identity verifying service) the ULT 704 is associated with.
- the POS device can transmit the ULT 704 to the appropriate institution (e.g. an identity verification computing system 104 ). Similar to above, the POS device may add additional information to the ULT 704 prior to transmitting the ULT 704 to the institution at process block 710 .
- the ULT 704 and additional data are combined in a ULT data packet 712 .
- the POS device may simply put a return address (e.g.
- POS device the store associated with the POS device, etc.
- additional data may include specific requests, or transaction information (e.g. purchases, credit application etc.)
- An example of a specific request may be an age verification request. For example, if the user 102 is attempting to purchase an age restricted product, such as alcohol or prescription medication, the POS device may include an age verification request in the ULT data packet 712 .
- the ULT data packet 712 is received by the identity verification computing system 104 at process block 714 .
- the identity verification computing system 104 may then verify the ULT 704 at process block 716 .
- the identity verification computing system 104 may process the additional data stored in the ULT data packet 712 .
- the identity verification computing system 104 may determine that the ULT 704 was presented along with an age verification request.
- the identity verification computing system 104 may then access the user-level profile of the user 102 associated with the ULT 704 to determine the age of the user 102 .
- the identity verification computing system 104 may determine that the ULT 704 was presented along with a credit verification/report request.
- the identity verification computing system 104 may then access the user-level profile of the user 102 associated with the ULT 704 , to determine if credit information is available in the user-level profile. In some embodiments, the identity verification computing system 104 may perform a credit analysis of the user 102 based on information stored in the user-level profile. The identity verification computing system 104 may generate the credit analysis itself, or send the request, along with the required information, to other institutions in order to obtain the credit verification/report. At process block 720 , the identity verification computing system 104 may generate a response packet 722 as part of processing the request.
- the response packet 722 may include a tokenized verification of the ULT 704 , as well as additional non-financial data, such as the above-mentioned age verification and/or credit verification/report.
- the user thus does not need to provide date of birth information or a social security number to the merchant in order for the merchant to verify an age or credit worthiness of the user. Hence, security of such information is enhanced.
- financial data may be transmitted as well within the response packet 722 .
- the response packet 622 may include a tokenized primary account number (TPAN) of one of the user's 102 payment cards to allow for a purchase to be completed. In some examples, this may be a transaction limited TPAN, such that it is only good for requested transaction.
- the response packet 722 may include a restricted-use payment token. The restricted-use payment token may allow the user 102 to perform certain financial transactions with the entity computing system 106 .
- the restricted-use payment token may be restricted to use at a certain POS device, during a defined duration; for defined transactions, while the user 102 is located within a defined area, or any combination of the following restrictions.
- the response packet 722 may then be transmitted to the POS device at process block 720 , and received by the POS device at process block 724 .
- the POS device may then complete the transaction at process block 726 .
- the user may be provided with a dashboard that enables the user to specify controls over information that may be shared with merchants. For example, the user may specify that some merchants be permitted access to certain information, while other merchants are not to be permitted access to the same information.
- the user 102 may configure their account to require the identity verification computing system 104 to request permission from the user 102 before any information about the user is provided to any merchant.
- the user 102 may configure their account to specify what information may be shared without permission of the user and what information may be shared but only with the permission of the user.
- the user may specify on a merchant-by-merchant basis what information may be shared without approval, which information may be shared but only with approval, and which information may never be shared.
- the user is further prompted whether the user wishes to save that setting for that merchant.
- the present disclosure contemplates methods, systems and program products on any machine-readable media for accomplishing various operations.
- the embodiments of the present disclosure may be implemented using existing computer processors, or by a special purpose computer processor for an appropriate system, incorporated for this or another purpose, or by a hardwired system.
- Embodiments within the scope of the present disclosure include program products comprising machine-readable media for carrying or having machine-executable instructions or data structures stored thereon.
- Such machine-readable media can be any available media that can be accessed by a general purpose or special purpose computer or other machine with a processor.
- machine-readable media can comprise RAM, ROM, EPROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to carry or store desired program code in the form of machine-executable instructions or data structures and which can be accessed by a general purpose or special purpose computer or other machine with a processor. Combinations of the above are also included within the scope of machine-readable media.
- Machine-executable instructions include, for example, instructions and data which cause a general purpose computer, special purpose computer, or special purpose processing machines to perform a certain function or group of functions.
- Software implementations could be accomplished with standard programming techniques with rule based logic and other logic to accomplish the various connection steps, processing steps, comparison steps and decision steps.
Landscapes
- Business, Economics & Management (AREA)
- Accounting & Taxation (AREA)
- Engineering & Computer Science (AREA)
- Finance (AREA)
- Physics & Mathematics (AREA)
- Strategic Management (AREA)
- General Business, Economics & Management (AREA)
- General Physics & Mathematics (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Development Economics (AREA)
- Economics (AREA)
- Marketing (AREA)
- Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)
Abstract
A computing system includes an interface configured to communicate with an entity computing system associated with a merchant via a network, an identity database storing verified personal identifying information, a memory, and at least one processor configured to: determine whether an individual is associated with an existing user account; prompt the individual to create a user account; verify an identity of the individual using personal identifying information associated with the individual; receive non-financial information associated with the individual; generate a user-level profile having the non-financial information; generate a user-level token unique to the individual; transmit the user-level token to a device associated with the individual; receive an identity verification request having the user-level token; validate the user-level token; determine that the identity verification request includes contextual data; determine the non-financial information that is relevant to the contextual data; and transmit a verification approval and the non-financial information.
Description
- This application is a continuation of U.S. patent application Ser. No. 15/456,122, filed Mar. 10, 2017, which is incorporated herein by reference in its entirety.
- Identity verification is necessary to ensure that an individual is who he or she purports to be. In financial industries, identity verification is often required by “know your customer” (KYC) or “customer identification program” (CIP) regulations. KYC and CIP programs are implemented to prevent identity theft, financial fraud, money laundering and terrorist financing. Furthermore, identity verification is used to perform many different functions in normal daily activities, such as making credit or debit card purchases, using an ATM, online shopping, purchasing a plane ticket, etc. However, in many instances additional information may be required by a user, such as membership numbers, frequent flier miles, age, personal identifying information, or other non-payment information. Additionally, for activities such as applying for loans, a user may be required to provide additional information, which may further require identity verification. Therefore, it would desirable to include non-identification information within identity management systems and methods.
- According to one example embodiment, a computer implemented method performed by an identity verification computing system includes verifying the identity of an individual. Non-financial data is received from the individual, and a user-level profile is generated. The user-level profile includes the non-financial data received from the individual. A user-level token unique to the individual is further generated. The user-level token is associated with the generated user-level profile. The user-level token is provisioned to a device associated with the individual. An entity computing system receives an identity verification request including the user-level token, wherein the identity verification request is structured as a financial transaction card-originated message. The user-level token is validated and a context of the received user-level token is analyzed to determine a relevant non-financial data element included in the non-financial information within the user-level profile. Additionally, an identity verification approval is transmitted to the entity computing system, including the relevant non-financial data element.
- According to another example embodiment, a system includes personal identifying information associated with an individual of the system. The system also includes an identity verification computing system. The identity verification computing system includes a processor and instructions stored in non-transitory machine-readable media. The instructions are configured to cause the identity verification computing system to verify the identity of the individual using the personal identifying information associated with the individual, and to receive non-financial data from the individual. A user-level profile is generated. The user-level profile includes the non-financial data received from the individual and is stored in a memory of the identity verification computing system. A user-level token unique to the individual is generated. The user-level token is associated with the generated user-level profile. The user-level token is transmitted to a device associated with the individual. An entity computing system receives an identity verification request including the user-level token, wherein the identity verification request is structured as a financial transaction card-originated message. The user-level token is validated, and contextual data is analyzed to determine the non-financial data relevant to the contextual data included in the non-financial information within the user-level profile. An identity verification approval is transmitted to the entity computing system which includes the relevant non-financial information.
- According to another example embodiment, a system includes a network interface configured to communicate with an entity computing system via a network. An identity database stores verified personal identifying information relating to an individual. The system also includes a memory and at least one processor configured to verify the identity of the individual using the personal identifying information associated with the individual. Non-financial data is received from the individual. A user-level profile is generated. The user-level profile includes the non-financial data received from the individual. A user-level token unique to the individual is generated. The user-level token is associated with the generated user-level profile. The user-level token is transmitted to a device associated with the individual via the network. An entity computing system receives an identity verification request comprising the user-level token. The user-level token is validated and it is determined if the request includes contextual data. The contextual data is analyzed to determine the non-financial data relevant to the contextual data within the user-level profile, and an identity verification approval is transmitted to the entity computing system along with the relevant non-financial data.
- The details of one or more implementations are set forth in the accompanying drawings and the description below. Other features, aspects, and advantages of the disclosure will become apparent from the description, the drawings, and the claims.
-
FIG. 1 is a block diagram of a data processing system, according to an embodiment. -
FIG. 2 is a flow diagram illustrating generation and provisioning of a user-level token to a user, according to an embodiment. -
FIG. 3 is a flow diagram of a method of processing an identity verification request, according to an embodiment. -
FIG. 4A is a block diagram illustrating a card-based transaction message, according to an embodiment. -
FIG. 4B is a block diagram illustrating an ISO 8583-compliant card-based transaction message, according to an embodiment. -
FIG. 5 is a flow diagram illustrating an example implementation of the method shown inFIG. 3 . -
FIG. 6 is a flow diagram illustrating an example implementation of the method shown inFIG. 3 . -
FIG. 7 is a flow diagram illustrating an example implementation of the method shown inFIG. 3 . - Before turning to the figures which illustrate example embodiments, it should be understood that the application is not limited to the details or methodology set forth in the following description or illustrated in the figures. It should also be understood that the phraseology and terminology employed herein is for the purpose of description only and should not be regarded as limiting.
- Certain companies, organizations, or other entities may be better situated than others to verify the identities of individuals. For example, financial institutions (FIs) are required to comply with know your customer (KYC) and Customer Identification Program (CIP requirements. As such, FIs request and obtain access to substantial identifying information from new customers when accounts are opened, and may be particularly well-suited and trusted to perform accurate identity verification and related services. In many cases, such identity verification is performed in person, e.g., a banker compares a driver's license photo to the person standing in front of them as part of the account opening process. Accordingly, other entities (e.g., merchants) may rely on the fact that a trusted party (e.g., an FI) has verified an individual's identity rather than solely engaging in their own identity verification efforts. In some cases, an entity (e.g., a merchant) may choose to accept identity verification only from certain identity verification computing systems. For example, a merchant may trust identity verification performed by a U.S. bank, but may not trust purported identity verification performed by other entities that are not subject to KYC and CIP requirements. Similarly, the trusted party may be the most reliable source for storing additional information associated with the identity of an individual.
- Referring generally to the figures, systems and methods for providing identity verification and identity based information via a user-level token are shown. According to various embodiments, an identity verification system may include multiple identity verification computing systems (e.g., associated with different FIs or other identity verification entities). An identity verification computing system may verify the identity of an individual and create a user-level token (“ULT”) for the individual. For example, the ULT may be linked to a ULT profile maintained by an FI, or other institution. The ULT profile may include personal or other information related to a user, including financial information and non-financial information. The ULT profile may also include non-financial information such as identity information of the user (age, address, name, height, weight, biometrics, etc.), non-financial account information (frequent flyer program information, rewards/loyalty program information, social media accounts, on-line service accounts such as online dating accounts, etc.), multiple IDs (personal, business, etc.), and so on. While this information may be generally provided by a user in many instances, the verification of the information by the FI will be more trusted due to the additional verification requirements provided by the FI. The ULT profile may also include financial information such as payment cards, account numbers, DDA accounts, credit information, etc.
- The ULT may then be pushed to a user device such as a smartphone. In some embodiments, the ULT may be stored in a virtual passport on the user device, which includes an individualized (e.g., customer-specific) digital signature that is easy to verify by the identity verification computing system, but is also very difficult to reproduce by fraudsters. In some embodiments, the virtual passport is implemented in a mobile wallet. The virtual passport may be used, for example, to verify an individual's identity to entities (e.g., merchants, currency exchanges, etc.), to objects (e.g., ATMs), to other individuals, etc. The virtual passport may include identification of the particular identity verification computing system that generated the virtual passport. An example virtual passport identity management system is described in U.S. patent application Ser. No. 14/937,210, entitled “Identity Management Service via Virtual Passport,” by Kurani et al., which is herein incorporated by reference in its entirety and for all purposes.
- In some embodiments, the merchant transmits the ULT to the trusted third party via existing communication channels, such as a payment card network. For example, in some embodiments, the ULT may implemented in the form of a payment token used to make a credit card payment according to the EMV specification. The payment token may thus be used to effect payment as well as to provide other identity-related services. In other embodiments, the ULT is different than the payment token. For example, the ULT may be transmitted as part of an ISO 8583-compliant card-based transaction message, but may be different than the payment token. As described in further detail below, utilizing existing payment channels to provide identity verification improves an ability of a vendor to authenticate a customer automatically via a trusted third-party, such as an FI. Further, by providing both financial and non-financial information and services via an existing payment channel, data security of the payment channel is utilized for both types of information instead of relying on out-of-band communications via a potentially unsecured channel. Various embodiments enable value-add functionality to be provided by a FI to various vendors, thereby allowing for increased throughputs of transactions requiring authentication (e.g., by requiring fewer steps by the vendor) and/or additional non-financial information to be obtained at the time of the transactions. By providing both financial and non-financial data via an existing payment channel, transactions may also be simplified, allowing for a more seamless customer experience. Additionally, the embodiments described herein solve the technical and internet-centric problem of providing relevant financial and non-financial information related to an individual transaction. This is addressed by leveraging contextual information related to an individual transaction to automatically provide non-financial data, which is relevant to the transaction being performed, to a vendor initiating the transaction. A token may be provided by the customer to the vendor when initiating the transaction. The use of the token, in combination with contextual information associated with the vendor requesting verification of the token, allows for a customized data message to be relayed to the vendor, including both financial and non-financial information. This provides a technical solution to the internet-centric challenge of automatically providing customized financial and non-financial information associated with a particular transaction.
- The ULT may be used in various different scenarios to enhance/streamline identity verification processes and provide other related services. For example, in one example scenario, a user may be at a merchant. The user may tap their phone at the point of sale (POS) device. As a result, the phone may communicate the user level token to the POS device. The merchant may communicate the ULT to the identity verification computing system via a card payment network. The identity verification computing system may access a user level profile associated with the ULT and return additional information to the merchant from the user level profile. The identity verification computing system may use various mechanisms to determine what information if any from the profile should be returned to the merchant. In some embodiments, merchants that utilize the identity verification service may create a profile with the service that specifies what information the merchant wishes to have returned. In some embodiments, the information that the merchant wishes to have returned may be specified in the identity verification request. In some embodiments, the user may be provided with a dashboard that enables the user to specify controls over information that may be shared with merchants. For example, the user may specify that some merchants be permitted access to certain information, while other merchants are not to be permitted access to the same information.
- In some embodiments, the ULT may be provisioned directly to the merchant. For example, the merchant may be an online dating website. As part of registering for the online dating service, the user may be asked to use the user's phone to provide live video of the user (i.e., a video selfie) to the online dating service. The video selfie may then be provided to the identity verification service, which may compare the video against a photo of the user (e.g., the user's driver's license picture) to confirm the identity of the user. For example, the identity verification service may confirm that information provided by the user to the online dating service (name, age, address/city of residence, gender, etc.) matches information in the user level profile for the user. Upon verifying the identity of the user, the identity verification service may provide a merchant-specific ULT to the merchant. The merchant may then periodically confirm with the identity verification service that the ULT is still valid. For example, if the user passes away, the ULT for the online dating service may be rendered invalid on that basis.
-
FIG. 1 is a block diagram of auser authentication system 100, according to an embodiment. Theuser authentication system 100 includes a user 102, an identityverification computing system 104, and anentity computing system 106. The user 102, the identityverification computing system 104, and theentity computing system 106 may communicate directly or through anetwork 108, which may include one or more of the Internet, cellular network, Wi-Fi, Wi-Max, a proprietary banking network, or any other type of wired or wireless network. It should be understood that, according to various embodiments, data transmitted between any of the user 102, the identityverification computing system 104, and theentity computing system 106, either directly or via thenetwork 108, may be encrypted or otherwise cryptographically protected. - The user 102 may be associated with a user device 110. The user device 110 is a device configured to communicate with the
entity computing system 106. In some embodiments, the user device 110 communicates directly with theentity computing system 106. For example, the user device 110 may communicate wirelessly to theentity computing system 106, such as via Wi-Fi, Bluetooth, Near Field Communication (NFC), Zigbee, IR, RF, Cellular (3G, 4G, LTE, CDMA), etc. In other embodiments, a display on the user device 110 may generate a machine readable image which may be readable by theentity computing system 106, such as a bar code, a QR code, or other machine readable image. The machine readable image may contain user related data, such as a user-level token (ULT). In other embodiments, the user device 110 communicates with theentity computing system 106 via thenetwork 108. For example, the user device 110 may communicate with thenetwork 108 via a wireless connections, such as Wi-Fi, Wi-Max, cellular (3G, 4G, LTE, CDMA, GSM, etc.), Zigbee, LoRA, Bluetooth, IR, RF, or other applicable wireless protocol. In other examples, the user device 110 may communicate with thenetwork 108 via a wired connection, such as via Ethernet, a LAN, a WAN, Firewire, USB, or other applicable wired interface. - The user device 110 may be, but is not limited to a phone (e.g., iPhone, Android Phone, Windows Phone, or other smartphone), a mobile computing device (e.g. tablet computer, laptop computer, personal digital assistant, netbook, etc.), a desktop computing device, a wearable computing device, or the like. The user 102 may be associated with the user device 110, such that the user device 110 is utilized for authentication purposes. For example, the user device 110 may include an input device for the user to enter a password, a fingerprint scanner to scan a finger print, etc., and authentication of the user by the user device 110 may be leveraged to facilitate authentication of the user to the
entity computing system 106. In other arrangements, however, multiple users are associated with the same user device 110. For example, a husband and wife may be associated with the same tablet computer. In some instances, the husband and wife may have separate accounts, or log-ins, on the same user device 110. In still other arrangements, the user 102 uses multiple user devices 110, or the user device 110 may be a public computing device used by a number of persons. - The user device 110 is shown to include a
network interface circuit 112 and a user authentication circuit 114. Thenetwork interface circuit 112 is configured to facilitate data communication to and from other devices via thenetwork 108. In some embodiments, data passing through thenetwork interface circuit 112 is encrypted. Thenetwork interface circuit 112 may include any combination ofwired network 108 protocols (e.g., Ethernet, USB, Thunderbolt, Firewire, etc.), and wireless network protocols, such as Wi-Fi, Bluetooth, cellular (3G, 4G, LTE, CDMA, GSM, etc.), Zigbee, LoRA, etc. - The user authentication circuit 114 is structured to allow the user device 110 to communicate data to and from the identity
verification computing system 104 via thenetwork interface circuit 112 and thenetwork 108. For example, the user authentication circuit 114 may include a user interface that permits the user 102 to provide information to the identityverification computing system 104 via the user device 110. The user authentication circuit 114 may also be utilized to display messages and other prompts from the identityverification computing system 104. For example, the user 102 may utilize the user authentication circuit 114 to establish a user account with the identityverification computing system 104, or to request authentication services on behalf of the user 102. In one embodiment, the user authentication circuit 114 may store one or more user-level tokens 116. - In some embodiments, the user authentication circuit 114 includes programming instructions stored in a memory of the user device 110 that is executed locally on the user device 110 (e.g., as a smartphone application). For example, the user authentication circuit 114 may be or include, a mobile banking application associated with the identity
verification computing system 104. In other arrangements, the user authentication circuit 114 includes a web-based interface application accessed via the network 108 (e.g. the Internet), such as by a web browser executed on the user device 110. In such arrangements, the user authentication circuit 114 may be executed and/or maintained remotely by the identityverification computing system 104. In this instance, the user 102 logs onto or accesses the web-based interface to access the user authentication circuit 114. In some embodiments, the user authentication circuit 114 is supported by a separate computing system comprising one or more servers, processors, network interface circuits, etc. In further arrangements, the user authentication circuit 114 includes or utilizes an application programming interface (API) and/or a software development kit (SDK) that facilitates the integration of other applications (e.g., a mobile banking application, a mobile wallet application, a virtual passport application, a third party provider application, etc.) with the user authentication circuit 114. - The identity
verification computing system 104 and theentity computing system 106 may each include a computer system (e.g., one or more servers, each with one or more processing circuits), each including a processor and memory. The processors may be implemented as application specific integrated circuits (ASICs), one or more field programmable gate arrays (FPGAs), a group of processing components, or other suitable electronic processing components. The memory may be one or more devices (e.g., RAM, ROM, Flash memory, hard disk storage, etc.) for storing data and/or computer code for completing and/or facilitating the various processes described herein. The memory may be or include non-transient volatile memory, non-volatile memory, and non-transitory computer storage media. The memory may include data base components, object code components, script components, or any other type of information structure for supporting the various activities and information structures described herein. The memory may be communicably connected to the processor and include computer code or instructions for executing one or more processes described herein. The identityverification computing system 104 and theentity computing system 106 may each include server-based computing systems, for example, comprising one or more networked computer servers that are programmed to perform the operations described herein. The identityverification computing system 104 and theentity computing system 106 may each be implemented as distributed computer systems where each function is spread over multiple computer systems. - In one embodiment, the identity
verification computing system 104 is managed by a third-party service provider to provide identity verification services to various entities. For example, theentity computing system 106 may utilize the identityverification computing system 104 to verify that the user 102 is who he or she purports to be. Theentity computing system 106 may wish to verify the identity of the user 102 for any of various reasons, such as to prevent payment (e.g., credit card) fraud, banking fraud, identity fraud, illegal activity (e.g., harassment, scams, money laundering, etc.), catfishing, sockpuppetry, underage signups, spamming, etc. The identityverification computing system 104 may be a trusted third-party computing system that is configured to verify that the user 102 is who he or she purports to be. The identityverification computing system 104 may provide identity verification services through an API. Generally, an API is a software-to-software interface that allows computing systems of two different entities to communicate with each other. In this instance, the API of the identityverification computing system 104 may be used by theentity computing system 106 and other entities to verify the identities of individuals. The identityverification computing system 104 may distribute a software development kit (SDK) to allow the customers to better integrate the API into their websites and applications. Some embodiments may include multiple identityverification computing systems 104. - According to various embodiments, the identity
verification computing system 104 may be managed by an FI, a governmental institution, a credit bureau, a dedicated identity verification service provider, or another type of business or entity. For example, the identityverification computing system 104 may be managed by an FI that provides banking services (e.g., deposit account services, credit account services, brokerage account services, etc.) to individuals and entities, such as the user 102. In the instance in which the user 102 is a current financial account holder, the identity verification computing system 104 (e.g., FI) already has a significant amount of information regarding the individual's identity, which has been collected through the onboarding process for opening an account with the FI. During the initial onboarding process used by the FI to verify the user 102, and before permitting the user 102 to become an account holder, the user 102 may be required to provide certain personal information, such as a legal name, address, contact information, driver's license number, tax identification number, social security number, and the like. The personal information provided during the onboarding process was previously verified prior to permitting the user 102 to open an account with the FI. Such information may be provided in connection with KYC and/or CIP regulations. - The identity
verification computing system 104 includes anidentity database 118, a user-level profile database 120, anetwork interface circuit 122, and anidentity verification circuit 124. Theidentity database 118 stores information relating to the identities of individuals, customers, users, account holders, etc. Theidentity database 118 may also store information relating to the identity service. Similarly, the user-level profile database 120 stores information relating to generated user-level profiles for each user 102. As described above, the user-level profiles may include additional information about a user 102, such as identity information of the user 102 (age, address, name, height, weight, biometrics, etc.), non-financial account information (frequent flyer program information, rewards/loyalty program information, social media accounts, on-line service accounts such as online dating accounts, etc.), multiple IDs (personal, business, etc.). In certain embodiments, the user-level profile database 120 may be in communication with theidentity database 118, and may initially populate a user-level profile for the user 102 with data contained in theidentity database 118. In other embodiments, theidentity database 118 and the user-level profile database 120 may be part of the same database schema. - The
network interface circuit 122 facilitates data communications to and from the identityverification computing system 104. Thenetwork interface circuit 122 includes hardware (e.g., Ethernet controller, memory, etc.) and software necessary to facilitate data communications for the identityverification computing system 104 over thenetwork 108. In some embodiments, data passing through thenetwork interface circuit 122 is encrypted. Thenetwork interface circuit 122 may include any combination of wired network protocols (e.g., Ethernet, USB, Thunderbolt, Firewire, etc.), and wireless network protocols, such as Wi-Fi, Bluetooth, cellular (3G, 4G, LTE, CDMA, GSM, etc.), Zigbee, LoRA, etc. - The
identity verification circuit 124 is structured to generate and manage user-level profiles and user-level tokens 116 for individuals, and to verify the identity of individuals. For example, theidentity verification circuit 124 may generate a user-level profile for the user 102, based on various types of personal identifying information, as described above. In some embodiments, theidentity verification circuit 124 populates a user-level profile for the user 102 based on user information already stored in theidentity database 118 that is related to the user 102. In further embodiments, the user 102 may be able to provide information to theidentity verification circuit 124, such as via the user device 110, for populating the user-level profile. - According to various embodiments, the
user authentication system 100 may include multiple identityverification computing systems 104 and multipleentity computing systems 106. - The
entity computing system 106 may include anidentity verification circuit 128, a network interface circuit 130 and a point-of-sale (POS)system 132. Theidentity verification circuit 128 is structured to verify the identity of individuals via operative communication with theidentity verification circuit 124 of the identityverification computing system 104. For example, theidentity verification circuit 128 may be structured to analyze information received from the user 102 to format and send API calls to the identityverification computing system 104 to verify the identity of individuals. The network interface circuit 130 facilitates data communications to and from theentity computing system 106. The network interface circuit 130 includes hardware (e.g., Ethernet controller, memory, etc.) and software necessary to facilitate data communications for theentity computing system 106 over thenetwork 108. - According to various embodiments, identity verification may be facilitated through the
POS system 132 of theentity computing system 106. In some embodiments, a user-level token is transmitted to the identityverification computing system 104, and the identity of the user 102 is authenticated, in-whole or in-part, via the user-level token. For example, thePOS system 132 may include a cash register system operated by theentity computing system 106. In this arrangement, a user-level token may be transmitted from the user device 110 to thePOS system 132, and from thePOS system 132 to the identityverification computing system 104. In another embodiment, thePOS system 132 may include a backend server system that provides a website (e.g., an online shopping web site) and/or a mobile application (e.g., a smartphone application, a tablet application, etc.) associated with theentity computing system 106. Other embodiments may not include aPOS system 132. For example, in some embodiments, theentity computing system 106 may be operated by an individual, and identity verification may be facilitated via a device (e.g., smartphone) of the individual rather than thePOS system 132. In such arrangements, a user-level token may be transmitted from the user device 110 to the identityverification computing system 104 without being routed through thePOS system 132, e.g., in embodiments where a payment card network is not utilized to transmit the ULT. - In some embodiments, the
POS system 132 includes additional information related to thePOS system 132. For example, thePOS system 132 may have information related to the type of POS system 132 (e.g. ATM, back-end server, cash register, etc.), location of thePOS system 132, etc. Moreover, in other embodiments, theentity computing system 106 itself generates additional information. For example, theentity computing system 106 may generate contextual information such as location of the user 102, the type of transaction being performed by the user 102 (e.g. online purchase, identity verification request, etc.), and/or third party identification information (e.g. subscription services such as an online dating site, age restricted content provider, age restricted vendors, etc.), which may all provide contextual information to the identityverification computing system 104. - Turning to
FIG. 2 , a flow diagram illustrating the generation and provisioning of a ULT to a user 102 is shown, according to an embodiment. For clarity and brevity, themethod 200 is discussed below in connection with theuser authentication system 100 ofFIG. 1 . More specifically, themethod 200 may be performed by the identityverification computing system 104 ofFIG. 1 . However, it should be understood that themethod 200 may be performed by other systems and devices. - At
process block 202, a user, such as user 102, may request a ULT. In one embodiment, the user 102 requests the ULT via a user device, such as user device 110, described above. For example, the user 102 may request a ULT from the identityverification computing system 104 by accessing a smartphone application associated with the identityverification computing system 104, such as mobile banking application, or mobile wallet application. In other embodiments, the user 102 accesses the identityverification computing system 104 by logging into a web-based application (e.g. website) associated with the identityverification computing system 104. However, other methods of requesting a ULT may also be used. - The
process 200 then determines if the user 102 has an existing account with the institution associated with the identityverification computing system 104. For example, where the institution is a financial institution, theprocess 200 may determine if the user 102 has an existing account with the financial institution, such as a savings account, a checking account or a brokerage account. If the user 102 does not have an existing account or relationship with the institution associated with the identityverification computing system 104, the user 102 may be instructed to set up a user account atprocess block 206. Where the institution is an FI, the user 102 may be required to provide identifying information to allow the identityverification computing system 104 to initially verify the identity of the user 102. The identifying information may include authentication credentials and information that may be used by the identityverification computing system 104 to authenticate the user 102. Example identifying information may include legal name, address, date of birth, contact information, driver's license number, tax identification number, social security number, and the like. In one embodiment, the personal identifying information provided during the new account opening process is verified prior to the user 102 being permitted to open an account with the institution. Such information may be provided in connection with KYC and/or CIP regulations. - Once the user 102 is determined to have an existing account with the institution at
process block 204, or successfully sets up an account with the institution atprocess block 206, the identity of the user 102 requesting the ULT is verified atprocess block 208. In one embodiment, the identity of the user 102 is verified using personal identifying information supplied by the user 102 when setting up the account with the institution. Once the identity of the user 102 has been verified, the user 102 may be instructed to provide non-financial data atprocess block 210. Non-financial data may include non-financial information such as various identity information of the user 102 (height, weight, biometrics, etc.), non-financial account information (frequent flyer program information, rewards/loyalty program information, social media accounts, on-line service accounts such as online dating accounts, etc.), multiple IDs (personal, business, etc.), or other relevant non-financial data. In some embodiments, the user 102 may also provide permissions associated with the provided non-financial data. The permissions may be provided by the user 102 to instruct the identityverification computing system 104 as to what non-financial data may be provided to a third party. In some examples, the user 102 may specify what non-financial data should not be shared with any third party; however, in other examples, the user 102 may specify what non-financial data is accessible to different types of third parties. For example, the user 102 may specify that a financial institution may have access to any of the supplied non-financial data that is requested, but restrict what non-financial data a point-of-sale third party (e.g. consumer stores) may have access to. For example, the user 102 may not allow a point-of-sale third party to have access to user-level information such as credit scores. - Having received the non-financial data from the user 102, the process can generate a user-level profile associated with the user 102 at
process block 212. In one embodiment, the user-level profile is stored in the user-level profile database 120. In further embodiments, the non-financialdata processing circuit 126 may generate the user-level profile based on the non-financial data provided by the user 102. In some examples, the user 102 may already have an existing user-level profile. Where the user 102 has an existing user-level profile, the user 102 may be able to provide additional non-financial data to the identityverification computing system 104, which may process the data using the non-financialdata processing circuit 126, and subsequently update the user-level profile associated with the user 102. The user-level profile may include all the non-financial data provided by the user 102 atprocess block 210, as well as identifying information previously associated with the user 102 that was provided to set up the initial account. The user-level profile may further include information related to permissions provided by the user 102. - At
process block 214, the non-financialdata processing circuit 126 may generate a unique ULT associated with the generated user-level profile for the user 102. The ULT may be formatted the same as a tokenized primary account number (“TPAN”), or payment token. In one embodiment, the ULT is associated directly with the institution generating the ULT. In some examples, the ULT may include a prefix, such as a bank identification number (“BIN”), which defines where the ULT should be routed when presented by the user 102. In a further embodiment, the ULT is stored in a token vault, which maps the ULT to a given user-level profile. For example, the token vault may be stored in the user-level profile database 120. In other embodiments, the ULT may be managed by an external token service provider (“TSP”). In some embodiments, the non-financialdata processing circuit 126 may further generate sub-ULTs for different identities associated with the user 102. The sub-ULTs can be structured to return different types of information, based on context. In one embodiment, the user 102 may structure the different identities to correspond with different transactions. For example, the user 102 may structure one identity to be used with social media services, such as blogs, dating websites, etc. The identity associated with the social media services may be configured to only provide verification of the identity of the user 102, and, where required, other basic information, such as the age of the user 102. In further examples, the user 102 may structure a separate identity to be used with purchases. The identity associated with making purchases may be configured to provide verification of the identity of the user 102, as well as other information, such as age verification, loyalty program information, and/or credit information. The user 102 may create as many sub-ULTs as needed for different services/entities. - Once the ULT has been generated at
process block 214, the ULT may be provisioned to the user 102 atprocess block 216. In one embodiment, the ULT may be transmitted to the user device 110 by the identityverification computing system 104, via thenetwork 108. In some examples, the identityverification computing system 104 may push the ULT directly to the user device 110. In other examples, the user 102 may need to perform a specific action to get the ULT provisioned to the user device 110. For example, the user 102 may need to log into their account with the institution that generated the ULT in order to download the ULT onto the user device 110. In some embodiments, the ULT is stored in the user authentication circuit 114 of the user device 110. For example, the ULT may be stored in a mobile wallet or other application running on the user device 110. - Turning to
FIG. 3 , a flow diagram illustrating the processing of a ULT provided by a user is shown, according to an embodiment. For clarity and brevity, themethod 300 is discussed below in connection with theuser authentication system 100 ofFIG. 1 . More specifically, themethod 300 may be performed by the identityverification computing system 104 ofFIG. 1 . However, it should be understood that themethod 300 may be performed by other systems and devices. - At
process block 302, an identity verification request containing a ULT is received by the identityverification computing system 104. In one embodiment, the user 102 may present the ULT to thePOS system 132. For example, the user 102 may tap the user device 110 against thePOS system 132 to transmit the ULT. The ULT may be able to be transmitted via NFC, Bluetooth, or other wireless transmission protocols. In other examples, the user 102 may provide the ULT as a machine readable code (e.g. barcode or QR code) displayed on a user interface of the user device 110, which can then be read by thePOS system 132. ThePOS system 132 may then transmit the ULT to the identityverification computing system 104 via thenetwork 108. In some examples, the machine readable code may be read by another user device, such as a separate smartphone. In some embodiments, the user 102 may transmit the ULT to theentity computing system 106, via thenetwork 108. Theentity computing system 106 may then transmit the ULT to the identityverification computing system 104 via thenetwork 108. - The parameters of the user device 110 may be verified to ensure that proper security is active on the user device 110. In one embodiment, the identity
verification computing system 104 verifies that there the user device 110 is only accessible by authorized users 102. For example, the identityverification computing system 104 may verify that the user device 110 has a lock mechanism in place, such that an unlock code must be provided to access the user device 110. Example unlock codes may include PIN numbers, passwords, fingerprint scans, retinal scans, facial recognition scans, security tokens, or other applicable unlock codes. If the identityverification computing system 104 determines that insufficient security exists on the user device 110, a message may be sent to the user 102 requiring the user 102 to provide additional authentication information to verify that the user 102 is in possession of the user device 110 when theULT 118 is used. For example, the user may be required to use the phone to provide the identityverification computing system 104 with live video of the user's face, which may then be compared by the identityverification computing system 104 to a previously stored photograph of the user (e.g., the photograph in the user's driver's license). - In some embodiments, the ULT is received from a device that is known and authenticated by the identity
verification computing system 104. For example, the ULT may be received from the POS system 132 (e.g., identified by a unique identifier), which has been verified by the identityverification computing system 104 as being securely managed by a particular merchant. In some embodiments, the ULT and/or other data transmitted to and from the identityverification computing system 104 is encrypted or otherwise cryptographically protected. For example, in one embodiment, thePOS system 132 signs the ULT with its public/private key pair and a public key associated with the identityverification computing system 104. The identityverification computing system 104 may then decrypt the ULT with its private key and the public key of thePOS system 132. - In some embodiments, the identity verification request can be transmitted using an existing payment channel. For example, the
entity computing system 106 may transmit the identity verification request to the identityverification computing system 104 in a standard card-based transaction message. For example, the identity verification request may be part of the general message derived from a card-based transaction (e.g. credit card transaction, debit card transaction, etc.). A typical card-based transaction message may include information derived from the card associated with the transaction (e.g. an account number associated with the card), the point-of-transaction terminal (e.g. entity computing system 106) identifier, such as a merchant ID, transaction information, as well as other data which can be generated or added by intervening systems. For example, theentity computing system 106 may include additional information into the card-based transaction message. - Turning now to
FIG. 4A , an exemplary card-basedtransaction message 400 is shown, accordingly to some embodiments. The card-basedtransaction message 400 can include acard information portion 402, a point-of-transactionidentification information portion 404, atransaction information portion 406 and aPOS data portion 408. Thecard information portion 402 can include information about the card (e.g. the payment mechanism), such as an account number. In some embodiments, thecard information portion 402 can be configured to include a ULT associated with the user 102, such as theULT 116 described above. In one embodiment, the ULT is formatted the same as a personal account number (PAN). In other embodiments, the ULT is formatted the same as a tokenized account number (TPAN). By configuring the ULT similar to a PAN and/or TPAN, the ULT can be transmitted via a payment card network using the standard card-basedtransaction message 400. While the ULT is discussed as formatted as a PAN and/or TPAN above, it is contemplated that the ULT can be formatted similar to other known card-identification messages. - The point-of-transaction
identification information portion 404 can include various information associated with the point-of-transaction (e.g. entity computing system 106). For example, the point-of-transactionidentification information portion 404 can include a merchant ID number. The point-of-transactionidentification information portion 404 may also include merchant information, such as merchant type (e.g. physical location, internet-based entity, etc.), merchant location, or other general merchant information. Thetransaction information portion 406 may include information about the transaction, such as the amount of the transaction, the time of the transaction, etc. ThePOS data portion 408 may include various information related to the transaction. For example, thePOS data portion 408 may include contextual data related to the transaction, such as the type of purchase being made, the type of merchant (e.g. airline, sporting venue, grocery store, electronics store, on-line retailer, restaurant, etc.), location of the transaction, and/or type of transaction (e.g. physical card, on-line purchase, mobile wallet, etc.). In some embodiments, thePOS data portion 408 may include a ULT associated with the customer. For example, a ULT associated with the customer may be inserted into thePOS data portion 408 of the message instead of, or in combination with, thecard information portion 402, as described above. By inserting the ULT into a standard card-transaction message, the ULT can be provided to a system, such as identityverification computing system 104, using a typical card-based payment communication scheme. - In some embodiments, the card-based transaction message may be formatted as an ISO 8583-compliant message. ISO 8583 defines message formats and communication flows to allow for different types of systems to perform card-based transactions. Turning now to
FIG. 4B , an exemplary ISO 8583-compliant card-basedtransaction message 450 is shown, according to some embodiments. The ISO 8583-compliant message 450 may include amessage type indicator 452, one ormore bitmaps 454, and a number ofdata elements 456. In one embodiment, themessage type indicator 452 is a four digit numerical field, which may be used to classify the high level function of the message. For example, themessage type indicator 452 can be used to indicate the ISO 8583 version of theISO message 450. Themessage type indicator 452 can further be used to indicate a class of the message. For example, whether the message is an authorization message, a financial message, a reconciliation message, an administrative message, or any other message class utilizing ISO 8583 messages. Themessage type indicator 452 can further be used to indicate a function of the message to define how the message should flow within a system. Message functions can include requests (end-to-end messages), or advices (point-to-point messages). Additionally, message functions may include notifications, and/or instructions. Finally, themessage type indicator 452 can be used to indicate a message origin. The message origin may be with an acquirer, an issuer, or other entity. - The
bitmaps 454 may be configured as a field or sub-field within the message which can indicate whichdata elements 456 or data element subfields may be present in a message. In some embodiments, thebitmaps 454 may include a primary bitmap, which can indicate which ofdata elements 456 one to sixty-four are present. Additional bitmaps 454 (secondary, tertiary, etc.) can further be used to indicate whichdata elements 456 beyond sixty-four are present in the message. In one embodiment, aspecific data element 456 is only present when a specific bit in the bitmap is “true.” The bitmap may be expressed as a binary value, such as an eight byte message, a hexadecimal value, an ASCII character set, or an EBCDIC character set. Thedata elements 456 may include a number of individual fields containing information about the transaction. For example, in some ISO 8583-compliant messages, there may be up to one-hundred ninety-twodata elements 456; however more orfewer data elements 456 are also contemplated. Thedata elements 456 may include specific data elements, general purpose data elements, system-specific data elements, and/or country-specific data elements. Further, eachindividual data element 456 may be described using a standard format which can define the permitted content of the field (e.g. numeric value, binary value, hexadecimal value, alpha-numeric value, etc.) and a field length (e.g. variable length or fixed length). - The
data elements 456 may include contextual data which may be processed by a FI or other system, such as identityverification computing system 104. For example,data elements 456 may provide a time of transaction, a date of a transaction; a merchant type, a payee; an account identification, a custom field, or any other data element field available in thedata element 456. Further, in some embodiments, a ULT, such asULT 116, may be transmitted as a data element within thedata elements 456. In one embodiment, the ULT could be provided as a primary account number (PAN) (data field 2) data element, an extended PAN (data element 34), or as a custom or private data elements (e.g. via data element 48, 61, etc.). Similar to above, by using an ISO 8583-compliant message to transmit the ULT, a common messaging format over an existing card-based transaction network can be utilized to provide a ULT, along with contextual data, to an identity verification computing system, such as identityverification computing system 104. While the above examples illustrate transmitting a ULT and contextual data over known card-based transaction messages, it is contemplated that other card-based transaction messages may be used to transmit the ULT and/or contextual data from theentity computing system 106 to the identityverification computing system 104. - Returning now to
FIG. 3 , atprocess block 304, the ULT may be analyzed to determine if the ULT is valid. In one embodiment, theidentity verification circuit 124 analyzes the ULT to determine if it is valid. For example, theidentity verification circuit 124 may evaluate the ULT to determine if it has expired. To determine if the ULT has expired, theidentity verification circuit 124 may access the token vault used to store the ULT. In other embodiments, theidentity verification circuit 124 may communicate with a TSP responsible for managing the ULT to determine if the ULT is still valid. In still further embodiments, theidentity verification circuit 124 may evaluate other data provided with the ULT, such as biometric data (e.g. fingerprint or eye scans), to determine if the ULT is valid. While the above examples describe theidentity verification circuit 124 determining the validity of the ULT, it is contemplated that other components within the identityverification computing system 104 may be used to verify the validity of the ULT. - If the ULT is determined to be invalid at
process block 304, the identityverification computing system 104 may transmit a message to the user 102 and/or theentity computing system 106 that the ULT is invalid atprocess block 306. If the ULT is determined to be a valid ULT atprocess block 304, the identityverification computing system 104 can determine if any contextual data was received along with the identity verification request and the ULT. Contextual data may include geo-location of where the ULT was presented to theentity computing system 106, information relating to the type ofentity computing system 106 that first received the ULT (e.g. ATM, POS station, on-line store, etc.). In further embodiments, the identityverification computing system 104 may analyze other information, such as the previous transaction history of the user 102 to further determine if there is any applicable contextual data associated with the request. In one embodiment, the non-financialdata processing circuit 126 determines if there is any contextual data associated with the request. However, other components within the identityverification computing system 104 may also determine if there was contextual information associated with the request. In some embodiments, theidentity verification circuit 124 is structured to infer contextual information based on the received ULT. For example, in some embodiments, theidentity verification circuit 124 defines contextual information based on the device from which the ULT was received. For example, in some embodiments, theidentity verification circuit 124 analyzes an address or other unique identifier (e.g., MAC address, IP address, etc.) of the device from which the ULT was received. In some embodiments, the ULT is digitally signed, and theidentity verification circuit 124 is structured to verify the digital signature prior to evaluating the ULT. The evaluation of contextual data will be examined more in the examples that follow. - If the identity
verification computing system 104 determines that no contextual data was provided with the request, the identityverification computing system 104 simply processes the received request (e.g. identity verification) without providing any additional information to theentity computing system 106, atprocess block 310. For example, the identityverification computing system 104 may provide an identity verification approval to theentity computing system 106 if the ULT received at 302 matches a valid user-level profile. If the identityverification computing system 104 does determine that contextual data is associated with the request, the identityverification computing system 104 may then determine if there is any relevant non-financial data that can be provided to theentity computing system 106 based on the contextual data, atprocess block 312. In one embodiment, the identityverification computing system 104 may access non-financial data associated with the user-level profile for the user 102 to determine if there is any relevant data. For example, if theentity computing system 106 is associated with an airline, the request may contain contextual information such as the identification of theentity computing system 106 being a ticketing kiosk within an airport. The identityverification computing system 104 may subsequently process the request, and provide the processed request to theentity computing system 106, along with additional non-financial data based on the provided contextual data, atprocess block 314. For example, where theentity computing system 106 is determined to be an airline ticketing kiosk, the identityverification computing system 104 may provide the processed request to theentity computing system 106, along with a frequent flier account number of the user 102 associated with the airline. The frequent flier account number may be provided based on a pre-configured profile set up by the requester with the identityverification computing system 104 specifying what additional information should be returned in response to an identity verification request. In other embodiments, the frequent flier account number may be provided responsive to a request within the identity verification request requesting that the frequent flier account number be returned. - In some embodiments, the identity
verification computing system 104 is preconfigured to provide certain user data to theentity computing system 106 based on the type ofentity computing system 106 that is transmitting the ULT. For example, the identityverification computing system 104 may be pre-configured to respond with a frequent flier account number where theentity computing system 106 is related to an airline. Each merchant that utilizes theidentity verification system 104 may be provided with the ability to configure a merchant profile that specifies what information the merchant wishes to receive in connection with responses to identity verification requests. In other embodiments, the submitted request may specify the information that the merchant wishes to receive. In other embodiments, the identityverification computing system 104 may make logical decisions as to what non-financial data to provide based on the received contextual data. - Turning now to
FIG. 5 anexample implementation 500 of theabove process 300 is shown. In this example, the ULT is used to provide heightened authentication at a third-party ATM, e.g., to allow the user to withdraw an amount of funds in excess of normal withdrawal limits. (The ATM is referred to as “third party” in the sense that the FI that provides the ATM is different than an FI that provides the identityverification computing system 104.) At process block 502 the user 102 may transmit aULT 503 to the ATM (e.g., which may be part of theentity computing system 106, which is assumed for purposes of the present example to be operated by another FI). For example, the user 102 may wirelessly transmit theULT 503 to the ATM using a user device, such as the user device 110 described above. The ATM may receive theULT 503 atprocess block 504, and subsequently analyze theULT 503 atprocess block 506. In one embodiment, the ATM analyzes theULT 503 to determine where theULT 503 should be sent to verify the identity of the user 102. For example, the ATM may analyze an identification portion of theULT 503, such as an embedded BIN number of theULT 503, to determine where theULT 503 should be sent for processing. The ATM may then transmit theULT 503 to the appropriate FI (e.g. identity verification computing system 104), e.g., via backend servers associated with the third party, based on the analysis performed atprocess block 506. In one embodiment, the ATM transmits theULT 503 to the identityverification computing system 104 with additional data, such as an ATM identifier, a FI responsible for the ATM, a location of the ATM, etc. The ATM transmits theULT 503 and the additional data to the identityverification computing system 104 as aULT data packet 507 atprocess block 508. The identityverification computing system 104 receives theULT data packet 507 atprocess block 510. - At process block 512, the FI analyzes the
ULT data packet 507 to verify that theULT 503 is avalid ULT 503. The FI may then evaluate the additional data in theULT data packet 507 atprocess block 514. The identityverification computing system 104 may then access the identity verification request and the user's account to determine if a specific response should be provided to the ATM. For example, the identityverification computing system 104 user 102 may determine that the user wishes to withdraw an amount of funds in excess of normal withdrawal limits. The identityverification computing system 104 may then send a photo of the user obtained from the user's driver's license to theentity computer system 106. The photograph of the user may have been obtained during opening of an account for the user at the FI, e.g., for purposes of compliance with CIP/KYC requirements. Once the identityverification computing system 104 has finished processing the ULT data packet 509, the identityverification computing system 104 transmits a processedrequest 518 to theentity computer system 106. For example, the processedrequest 518 may include a verification of the ULT, as well as a picture of the user 102 (e.g., obtained from the user's driver's license). Theentity computer system 106 may then receive and process the processedrequest 518, atprocess block 520. For example, theentity computer system 106 may compare the photo of the user from the user's driver's license with image data of the user obtained by the ATM. In one example, the ATM may provide the results of the processedrequest 518 to the user 102, via a user interface on the ATM. For example, if the user 102 wished to withdraw an amount of cash over normal ATM withdrawal transaction limits, the cash may be dispensed to the user by the ATM. The transaction may then be completed atprocess block 522. In other embodiments, rather than being operated by another FI, theentity computer system 106 may be operated by a merchant, and the comparison of the photo from the user's driver's license may be compared by theentity computer system 106 with live image information of the user obtained by mechanisms other than an ATM for identity verification purposes. - Turning now to
FIG. 6 , a further example 600 of theprocess 300 described above is shown, according to various embodiments. Atprocess block 602, the user 102 may transmit aULT 604 to a non-FI controller (e.g. an entity computing system 106), such as an airline kiosk. For example, the user 102 may wirelessly transmit theULT 604 to the airline kiosk using a user device 110, as described above. The airline kiosk may receive theULT 604 atprocess block 606. The airline kiosk may then process theULT 604 atprocess block 608. For example, the airline kiosk may analyze theULT 604 to determine what financial institution (or other identity verifying service) theULT 604 is associated with. Once the airline kiosk has processed theULT 604, the kiosk can transmit theULT 604 to the appropriate institution (e.g. the identity verification computing system 104) atprocess block 610. Similar to above, the airline kiosk may add additional information to theULT 604 prior to transmitting theULT 604 to the institution. For example, the airline kiosk may simply put a return address (e.g. the airline kiosk, the entity computing system in general, etc.). Other examples of additional data may include specific requests, or transaction information (e.g. ticket purchase, airline check-in, boarding pass details, etc.). TheULT 604 and additional data are combined in aULT data packet 612. - The
ULT data packet 612 is received by the identityverification computing system 104 atprocess block 614. The institution may then verify theULT 604 atprocess block 616. Atprocess block 618, the institution may process the additional data stored in theULT data packet 612. For example, the institution may determine that theULT 604 was presented to an airline kiosk. The institution may then access the user-level profile of the user 102 associated with the ULT to determine if there is any relevant data within the user-level profile based on the additional data. For example, the institution may determine that the user 102 has a frequent flier account associated with the airline transmitting theULT 604. Atprocess block 620, the institution may generate aresponse packet 622 as part of transmitting the processed request. In one embodiment, theresponse packet 622 includes an authentication result indicator (e.g., a binary YES/NO), indicating whether the ULT provided to by the user 102 is a valid ULT. In one embodiment, theresponse packet 622 may include identity information for the user 102. For example, theresponse packet 622 may include a name and address of the user 102 that provided the ULT. In one embodiment, theresponse packet 622 may include a tokenized verification of theULT 604, as well as additional non-financial data, such as the above-mentioned frequent flier account number. However, other non-financial data may be transmitted as well. For example, where the institution is a financial institution, theresponse packet 622 may include a tokenized primary account number (TPAN) of one of the payment cards of the user 102 to allow for in-flight purchases. In some examples, this may be a time-limited TPAN, such that the TPAN is only good for the duration of the flight of the user 102. - In further examples, the airline kiosk (or other third party entity computing system) may require character limited return messages. Accordingly, the institution may be able to include an indication, such as a token, indicator, or pointer, to access an API of the institution to retrieve the additional information. Alternatively, the indication may instruct the airline kiosk (or other third party entity computing system) to access other conduits to retrieve the information. The
response packet 622 may then be transmitted to the airline kiosk atprocess block 620, and received by the airline kiosk atprocess block 624. The airline kiosk may then complete the transaction atprocess block 626. - Turning now to
FIG. 7 , a further example 700 of theprocess 300 described above, is shown according to some embodiments. Atprocess block 702, the user 102 may transmit aULT 704 to a non-financial institution controller (e.g. an entity computing system 106), such as a point-of-sale (POS) device. The POS device may be a POS device as used in a brick-and-mortar store. In other embodiments, the POS device is an online POS device used for making purchases via the internet. For example, the user 102 may wirelessly transmit theULT 704 to the POS device using a user device, such as user device 110 described above. The POS device may receive theULT 704 atprocess block 706. The POS device may then analyze theULT 704 atprocess block 708. For example, the POS device may analyze theULT 704 to determine what FI (or other identity verifying service) theULT 704 is associated with. Once the POS device has processed theULT 704, the POS device can transmit theULT 704 to the appropriate institution (e.g. an identity verification computing system 104). Similar to above, the POS device may add additional information to theULT 704 prior to transmitting theULT 704 to the institution atprocess block 710. In one embodiment, theULT 704 and additional data are combined in aULT data packet 712. For example, the POS device may simply put a return address (e.g. the POS device, the store associated with the POS device, etc.). Other examples of additional data may include specific requests, or transaction information (e.g. purchases, credit application etc.) An example of a specific request may be an age verification request. For example, if the user 102 is attempting to purchase an age restricted product, such as alcohol or prescription medication, the POS device may include an age verification request in theULT data packet 712. - The
ULT data packet 712 is received by the identityverification computing system 104 atprocess block 714. The identityverification computing system 104 may then verify theULT 704 atprocess block 716. Atprocess block 718, the identityverification computing system 104 may process the additional data stored in theULT data packet 712. For example, the identityverification computing system 104 may determine that theULT 704 was presented along with an age verification request. The identityverification computing system 104 may then access the user-level profile of the user 102 associated with theULT 704 to determine the age of the user 102. In other examples, the identityverification computing system 104 may determine that theULT 704 was presented along with a credit verification/report request. The identityverification computing system 104 may then access the user-level profile of the user 102 associated with theULT 704, to determine if credit information is available in the user-level profile. In some embodiments, the identityverification computing system 104 may perform a credit analysis of the user 102 based on information stored in the user-level profile. The identityverification computing system 104 may generate the credit analysis itself, or send the request, along with the required information, to other institutions in order to obtain the credit verification/report. Atprocess block 720, the identityverification computing system 104 may generate aresponse packet 722 as part of processing the request. In one embodiment, theresponse packet 722 may include a tokenized verification of theULT 704, as well as additional non-financial data, such as the above-mentioned age verification and/or credit verification/report. The user thus does not need to provide date of birth information or a social security number to the merchant in order for the merchant to verify an age or credit worthiness of the user. Hence, security of such information is enhanced. - In some embodiments, financial data may be transmitted as well within the
response packet 722. For example, where the institution is a financial institution, theresponse packet 622 may include a tokenized primary account number (TPAN) of one of the user's 102 payment cards to allow for a purchase to be completed. In some examples, this may be a transaction limited TPAN, such that it is only good for requested transaction. Additionally, in one embodiment, theresponse packet 722 may include a restricted-use payment token. The restricted-use payment token may allow the user 102 to perform certain financial transactions with theentity computing system 106. The restricted-use payment token may be restricted to use at a certain POS device, during a defined duration; for defined transactions, while the user 102 is located within a defined area, or any combination of the following restrictions. Theresponse packet 722 may then be transmitted to the POS device atprocess block 720, and received by the POS device atprocess block 724. The POS device may then complete the transaction atprocess block 726. - As previously noted, in some embodiments, the user may be provided with a dashboard that enables the user to specify controls over information that may be shared with merchants. For example, the user may specify that some merchants be permitted access to certain information, while other merchants are not to be permitted access to the same information. In some embodiments, the user 102 may configure their account to require the identity
verification computing system 104 to request permission from the user 102 before any information about the user is provided to any merchant. In other embodiments, the user 102 may configure their account to specify what information may be shared without permission of the user and what information may be shared but only with the permission of the user. In some embodiments, the user may specify on a merchant-by-merchant basis what information may be shared without approval, which information may be shared but only with approval, and which information may never be shared. In some embodiments, when a user is prompted to provide approval to share information, and the user gives approval, the user is further prompted whether the user wishes to save that setting for that merchant. - The present disclosure contemplates methods, systems and program products on any machine-readable media for accomplishing various operations. The embodiments of the present disclosure may be implemented using existing computer processors, or by a special purpose computer processor for an appropriate system, incorporated for this or another purpose, or by a hardwired system. Embodiments within the scope of the present disclosure include program products comprising machine-readable media for carrying or having machine-executable instructions or data structures stored thereon. Such machine-readable media can be any available media that can be accessed by a general purpose or special purpose computer or other machine with a processor. By way of example, such machine-readable media can comprise RAM, ROM, EPROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to carry or store desired program code in the form of machine-executable instructions or data structures and which can be accessed by a general purpose or special purpose computer or other machine with a processor. Combinations of the above are also included within the scope of machine-readable media. Machine-executable instructions include, for example, instructions and data which cause a general purpose computer, special purpose computer, or special purpose processing machines to perform a certain function or group of functions. Software implementations could be accomplished with standard programming techniques with rule based logic and other logic to accomplish the various connection steps, processing steps, comparison steps and decision steps.
- While this specification contains many specific implementation details, these should not be construed as limitations on the scope of what may be claimed, but rather as descriptions of features specific to particular implementations. Certain features described in this specification in the context of separate implementations can also be implemented in combination in a single implementation. Conversely, various features described in the context of a single implementation can also be implemented in multiple implementations separately or in any suitable subcombination. Moreover, although features may be described above as acting in certain combinations and even initially claimed as such, one or more features from a claimed combination can in some cases be excised from the combination, and the claimed combination may be directed to a subcombination or variation of a subcombination.
- Similarly, while operations are depicted in the drawings in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order, or that all illustrated operations be performed, to achieve desirable results. In certain circumstances, multitasking and parallel processing may be advantageous. Moreover, the separation of various system components in the implementations described above should not be understood as requiring such separation in all implementations, and it should be understood that the described program components and systems can generally be integrated in a single software product or packaged into multiple software products embodied on tangible media.
- Thus, particular implementations of the subject matter have been described. Other implementations are within the scope of the following claims. In some cases, the actions recited in the claims can be performed in a different order and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In certain implementations, multitasking and parallel processing may be advantageous.
- The claims should not be read as limited to the described order or elements unless stated to that effect. It should be understood that various changes in form and detail may be made by one of ordinary skill in the art without departing from the spirit and scope of the appended claims. All implementations that come within the spirit and scope of the following claims and equivalents thereto are claimed.
Claims (20)
1. A computing system, comprising:
a network interface configured to communicate with an entity computing system associated with a merchant via a network;
an identity database storing verified personal identifying information;
a memory; and
at least one processor configured to:
determine whether an individual is associated with an existing user account;
in response to determining that the individual is not associated with an existing user account, prompt the individual to create a user account;
verify an identity of the individual using personal identifying information associated with the individual;
receive non-financial information associated with the individual;
generate a user-level profile, wherein the user-level profile comprises the non-financial information;
generate a user-level token unique to the individual, wherein the user-level token is associated with the user-level profile;
transmit the user-level token to a device associated with the individual via the network;
receive an identity verification request comprising the user-level token;
validate the user-level token;
determine that the identity verification request includes contextual data;
determine the non-financial information within the user-level profile that is relevant to the contextual data; and
transmit an identity verification approval and the non-financial information relevant to the contextual data to the entity computing system.
2. The computing system of claim 1 , wherein the contextual data includes a merchant type, the merchant type is associated with an airport kiosk, and the non-financial information relevant to the contextual data is a frequent flier account number.
3. The computing system of claim 1 , wherein the contextual data includes a merchant type, the merchant type is associated with an automated teller machine (ATM), and the non-financial information relevant to the contextual data is a photo of the individual.
4. The computing system of claim 1 , wherein:
the identity verification request is structured as a transaction card-originated message; and
the user-level token is inserted into an account number of the transaction card-originated message.
5. The computing system of claim 1 , wherein determining whether the individual is associated with an existing user account includes determining that the individual holds a financial account at a financial institution.
6. The computing system of claim 1 , wherein the contextual data includes at least one of an entity computing type or a geo-location of the entity computing system.
7. The computing system of claim 1 , wherein the user-level token includes a bank identification number.
8. A computing implemented method performed by an identity verification computing system communicatively coupled to an entity computing system of a merchant, the method comprising:
determining, by the identity verification computing system, whether an individual is associated with an existing user account;
in response to determining that the individual is not associated with an existing user account, prompting, by the identity verification computing system, the individual to create a user account;
verifying, by the identity verification computing system, an identity of the individual using personal identifying information associated with the individual;
receiving, by the identity verification computing system, non-financial information associated with the individual;
generating, by the identity verification computing system, a user-level profile, wherein the user-level profile comprises the non-financial information;
generating, by the identity verification computing system, a user-level token unique to the individual, wherein the user-level token is associated with the user-level profile;
transmitting, by the identity verification computing system, the user-level token to a device associated with the individual via a network;
receiving, by the identity verification computing system, an identity verification request comprising the user-level token;
validating, by the identity verification computing system, the user-level token;
determining, by the identity verification computing system, that the identity verification request includes contextual data;
determining, by the identity verification computing system, the non-financial information within the user-level profile that is relevant to the contextual data; and
transmitting, by the identity verification computing system to the entity computing system, an identity verification approval and the non-financial information relevant to the contextual data.
9. The method of claim 8 , wherein the contextual data includes a merchant type, the merchant type is associated with an airport kiosk, and the non-financial information relevant to the contextual data is a frequent flier account number.
10. The method of claim 8 , wherein the contextual data includes a merchant type, the merchant type is associated with an automated teller machine (ATM), and the non-financial information relevant to the contextual data is a photo of the individual.
11. The method of claim 8 , wherein:
the identity verification request is structured as a transaction card-originated message; and
the user-level token is inserted into an account number of the transaction card-originated message.
12. The method of claim 8 , wherein determining whether the individual is associated with an existing user account includes determining, by the identity verification computing system, that the individual holds a financial account at a financial institution associated with the identity verification computing system.
13. The method of claim 8 , wherein the contextual data includes at least one of an entity computing type or a geo-location of the entity computing system.
14. The method of claim 8 , wherein the user-level token includes a bank identification number.
15. A non-transitory computer-readable medium having processor-readable instructions stored thereon such that, when executed by one or more processors, cause the one or more processors to perform the steps of:
determining whether an individual is associated with an existing user account;
in response to determining that the individual is not associated with an existing user account, prompting the individual to create a user account;
verifying an identity of the individual using personal identifying information associated with the individual;
receiving non-financial information associated with the individual;
generating a user-level profile, wherein the user-level profile comprises the non-financial information;
generating a user-level token unique to the individual, wherein the user-level token is associated with the user-level profile;
transmitting the user-level token to a device associated with the individual via a network;
receiving an identity verification request comprising the user-level token;
validating the user-level token;
determining that the identity verification request includes contextual data;
determining the non-financial information within the user-level profile that is relevant to the contextual data; and
transmitting an identity verification approval and the non-financial information relevant to the contextual data to an entity computing system associated with a merchant.
16. The non-transitory computer-readable medium of claim 15 , wherein the contextual data includes a merchant type, the merchant type is associated with an airport kiosk, and the non-financial information relevant to the contextual data is a frequent flier account number.
17. The non-transitory computer-readable medium of claim 15 , wherein the contextual data includes a merchant type, the merchant type is associated with an automated teller machine (ATM), and the non-financial information relevant to the contextual data is a photo of the individual.
18. The non-transitory computer-readable medium of claim 15 , wherein:
the identity verification request is structured as a transaction card-originated message; and
the user-level token is inserted into an account number of the transaction card-originated message.
19. The non-transitory computer-readable medium of claim 15 , wherein determining whether the individual is associated with an existing user account includes determining that the individual holds a financial account at a financial institution.
20. The non-transitory computer-readable medium of claim 15 , wherein the contextual data includes at least one of an entity computing type or a geo-location of the entity computing system.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US18/142,558 US20230274277A1 (en) | 2017-03-10 | 2023-05-02 | Identity management service via a user-level token |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US15/456,122 US11763303B1 (en) | 2017-03-10 | 2017-03-10 | Identity management service via a user-level token |
US18/142,558 US20230274277A1 (en) | 2017-03-10 | 2023-05-02 | Identity management service via a user-level token |
Related Parent Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US15/456,122 Continuation US11763303B1 (en) | 2017-03-10 | 2017-03-10 | Identity management service via a user-level token |
Publications (1)
Publication Number | Publication Date |
---|---|
US20230274277A1 true US20230274277A1 (en) | 2023-08-31 |
Family
ID=87761833
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US15/456,122 Active 2038-07-19 US11763303B1 (en) | 2017-03-10 | 2017-03-10 | Identity management service via a user-level token |
US18/142,558 Pending US20230274277A1 (en) | 2017-03-10 | 2023-05-02 | Identity management service via a user-level token |
Family Applications Before (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US15/456,122 Active 2038-07-19 US11763303B1 (en) | 2017-03-10 | 2017-03-10 | Identity management service via a user-level token |
Country Status (1)
Country | Link |
---|---|
US (2) | US11763303B1 (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20230306000A1 (en) * | 2022-03-28 | 2023-09-28 | Palantir Technologies Inc. | Data asset sharing |
US20240022562A1 (en) * | 2022-07-15 | 2024-01-18 | Mastercard International Incorporated | Systems, methods, and non-transitory computer-readable media for biometrically confirming trusted engagement |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2018167570A2 (en) * | 2017-03-16 | 2018-09-20 | Age Checked Limited | Secure age verification system |
WO2020232336A1 (en) * | 2019-05-15 | 2020-11-19 | Traitware, Inc. | System and methods for using a trusted single web portal for accessing multiple web services |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20170262842A1 (en) * | 2016-03-14 | 2017-09-14 | Facebook, Inc. | Network payment tokenization for processing payment transactions |
US9846878B2 (en) * | 2014-01-14 | 2017-12-19 | Visa International Service Association | Payment account identifier system |
US20190333055A1 (en) * | 2018-04-27 | 2019-10-31 | Visa International Service Association | Secure authentication system with token service |
Family Cites Families (32)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6775782B1 (en) | 1999-03-31 | 2004-08-10 | International Business Machines Corporation | System and method for suspending and resuming digital certificates in a certificate-based user authentication application system |
GB0028731D0 (en) | 2000-11-24 | 2001-01-10 | Nokia Oy Ab | Improvement in and relating to transaction security |
EP1856674A4 (en) * | 2005-02-01 | 2009-11-11 | Source Inc | Secure transaction system |
CN1901448B (en) | 2005-07-21 | 2010-12-01 | 华为技术有限公司 | Access identification system in communication network and realizing method |
US20090182674A1 (en) * | 2008-01-14 | 2009-07-16 | Amol Patel | Facilitating financial transactions with a network device |
EP2096829B1 (en) | 2008-02-29 | 2010-12-08 | Research In Motion Limited | Methods and apparatus for use in obtaining a digital certificate for a mobile communication device |
US20110145152A1 (en) * | 2009-12-15 | 2011-06-16 | Mccown Steven Harvey | Systems, apparatus, and methods for identity verification and funds transfer via a payment proxy system |
GB201010546D0 (en) | 2010-06-23 | 2010-08-11 | Applied Neural Technologies Ltd | Method of indentity verification |
US20130159154A1 (en) * | 2011-08-18 | 2013-06-20 | Thomas Purves | Wallet service enrollment platform apparatuses, methods and systems |
US20140229388A1 (en) * | 2012-04-18 | 2014-08-14 | Edgard Lobo Baptista Pereira | System and Method for Data and Identity Verification and Authentication |
US9727862B2 (en) * | 2012-05-08 | 2017-08-08 | Visa International Service Association | System and method for authentication using payment protocol |
US9858560B2 (en) | 2012-06-28 | 2018-01-02 | Maxim Integrated Products, Inc. | Secure payments with untrusted devices |
US9084114B2 (en) | 2012-08-07 | 2015-07-14 | Genesys Telecommunications Laboratories, Inc. | Technique to authenticate in a mobile application using near-field communication |
PL2929671T3 (en) | 2012-12-07 | 2017-08-31 | Microsec Szamitastechnikai Fejlesztö Zrt. | Method and system for authenticating a user using a mobile device and by means of certificates |
US9232394B2 (en) | 2013-01-02 | 2016-01-05 | International Business Machines Corporation | Authentication of phone caller identity |
US9060057B1 (en) | 2013-03-07 | 2015-06-16 | Serdar Artun Danis | Systems and methods for caller ID authentication, spoof detection and list based call handling |
US20160078430A1 (en) | 2013-03-15 | 2016-03-17 | Capital One Financial Corporation | System and method for digital authentication |
CA2857106C (en) | 2013-07-18 | 2023-08-01 | Diego Matute | Method for securing electronic transactions |
WO2015027216A1 (en) | 2013-08-23 | 2015-02-26 | Bouse Margaret | System and method for identity management |
US9407620B2 (en) * | 2013-08-23 | 2016-08-02 | Morphotrust Usa, Llc | System and method for identity management |
US10515358B2 (en) * | 2013-10-18 | 2019-12-24 | Visa International Service Association | Contextual transaction token methods and systems |
IL229832A (en) * | 2013-12-05 | 2016-06-30 | Google Inc | Determining merchant identity for received merchant identifiers |
US9288062B2 (en) | 2014-02-20 | 2016-03-15 | International Business Machines Corporation | Telephone caller authentication |
US8943568B1 (en) | 2014-03-25 | 2015-01-27 | Fmr Llc | Secure video conferencing to conduct financial transactions |
US20150312248A1 (en) | 2014-04-25 | 2015-10-29 | Bank Of America Corporation | Identity authentication |
US10311434B2 (en) | 2014-05-29 | 2019-06-04 | Paypal, Inc. | Systems and methods for reporting compromised card accounts |
US20170104870A1 (en) | 2014-06-25 | 2017-04-13 | Orange | A method to authenticate calls in a telecommunication system |
WO2016179334A1 (en) | 2015-05-05 | 2016-11-10 | ShoCard, Inc. | Identity management service using a block chain |
GB2557556A (en) | 2015-11-25 | 2018-06-20 | Walmart Apollo Llc | Unmanned aerial delivery to secure location |
US10574692B2 (en) | 2016-05-30 | 2020-02-25 | Christopher Nathan Tyrwhitt Drake | Mutual authentication security system with detection and mitigation of active man-in-the-middle browser attacks, phishing, and malware and other security improvements |
US10504095B2 (en) | 2016-08-05 | 2019-12-10 | Mastercard International Incorporated | System and method for processing a transaction using account information on file |
US20180232725A1 (en) * | 2017-02-14 | 2018-08-16 | Its, Inc. | Payment tokenization using separate token vault |
-
2017
- 2017-03-10 US US15/456,122 patent/US11763303B1/en active Active
-
2023
- 2023-05-02 US US18/142,558 patent/US20230274277A1/en active Pending
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9846878B2 (en) * | 2014-01-14 | 2017-12-19 | Visa International Service Association | Payment account identifier system |
US20170262842A1 (en) * | 2016-03-14 | 2017-09-14 | Facebook, Inc. | Network payment tokenization for processing payment transactions |
US20190333055A1 (en) * | 2018-04-27 | 2019-10-31 | Visa International Service Association | Secure authentication system with token service |
Non-Patent Citations (1)
Title |
---|
B. Hampiholi and G. Alpár, "Privacy-Preserving Webshopping with Attributes," 2017 IEEE Symposium on Privacy-Aware Computing (PAC), Washington, DC, USA, 2017, pp. 25-36, doi: 10.1109/PAC.2017.34. (Year: 2017) * |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20230306000A1 (en) * | 2022-03-28 | 2023-09-28 | Palantir Technologies Inc. | Data asset sharing |
US12066982B2 (en) * | 2022-03-28 | 2024-08-20 | Palantir Technologies Inc. | Data asset sharing |
US20240022562A1 (en) * | 2022-07-15 | 2024-01-18 | Mastercard International Incorporated | Systems, methods, and non-transitory computer-readable media for biometrically confirming trusted engagement |
Also Published As
Publication number | Publication date |
---|---|
US11763303B1 (en) | 2023-09-19 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11568405B2 (en) | Identification and verification for provisioning mobile application | |
US11799851B1 (en) | User-level token for user authentication via a user device | |
US20220391891A1 (en) | Secure Authentication System With Token Service | |
US11089003B2 (en) | Browser extension for limited-use secure token payment | |
US12074974B2 (en) | Method and system for access token processing | |
US10037516B2 (en) | Secure transactions using a point of sale device | |
CN108885747B (en) | Adaptive authentication processing | |
US20230274277A1 (en) | Identity management service via a user-level token | |
CA2906911C (en) | Systems and methods for generating and administering mobile applications using pre-loaded tokens | |
US10949859B2 (en) | Enhancing information security via the use of a dummy credit card number | |
US20180285875A1 (en) | Static token systems and methods for representing dynamic real credentials | |
US20170148009A1 (en) | Dynamic multilayer security for internet mobile-related transactions | |
US20160086184A1 (en) | Secure Mobile Device Credential Provisioning Using Risk Decision Non-Overrides | |
US20130304646A1 (en) | Method and system for identity and know your customer verification through credit card transactions in combination with internet based social data | |
CN112823368B (en) | Tokenized contactless transactions through cloud biometric identification and authentication | |
CN112740207A (en) | Method and system for token provisioning and processing | |
US20210004800A1 (en) | Method and system for conducting transactions using electronic chip | |
US20180204214A1 (en) | Systems and methods for transaction authentication using dynamic wireless beacon devices | |
GB2544109A (en) | Transaction authorisation | |
US20210374719A1 (en) | Secure presentation of transaction card data of numberless transaction cards | |
John | METHOD AND SYSTEM FOR SECURE CREDENTIAL GENERATION | |
US20230230070A1 (en) | Integrated mobile wallet systems and methods | |
GB2539523A (en) | System and method for generating long token and subtoken for processing an interaction |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
STPP | Information on status: patent application and granting procedure in general |
Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: NON FINAL ACTION MAILED |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: FINAL REJECTION MAILED |