Abstract: An SST (120 or 400) facilitates authentication of a user through an external service via a mobile device (110) operated by the user. The SST (120 or 400) also obtains independent verification of an access command sent from a server (140) through a cryptographic peripheral module (123) integrated into the SST (120 or 400) before sending a command to grant authenticated access to the SST (120 or 400) in response to the access command.
We Claim:
1. A method of providing authenticated access to a secure resource of a self-service terminal (120 or 400), the method comprising:
generating, by a control application of the self-service terminal (120 or 400), in response to receiving a request for access to the secure resource sent from a mobile device (110), an authentication token (step 211 or step 213 or step 214);
providing, by the control application, the authentication token (step 210) comprising presenting the authentication token on a display (401) of the self-service terminal (120 or 400);
a mobile application of the mobile device (110) scanning the authentication token and contacting an authentication server (130) over a wireless connection;
the authentication server (130) independently authenticating the mobile device (110) using the generated authentication token;
once the mobile device (110) has been authenticated by the authentication server (130), the method being characterized by
the authentication server (130) instructing a controller server (140) to send an access command to the control application of the self-service terminal (120 or 400);
obtaining, by the control application, the access command from the controller server (140) (step 220);
requesting, by the control application, a cryptographic peripheral device (123) to validate the access command (step 230);
the cryptographic peripheral device (123), in response to the request to validate the access command, sending a challenge message to the controller server (140);
the controller server (140) digitally signing and sending the challenge message back to the cryptographic peripheral device (123) as a response;
the cryptographic peripheral device (123) validating the response, and providing authenticated access to the secure resource of the self-service terminal (120 or 400) upon verification by the cryptographic peripheral device (123) that the response was a valid response to the challenge message (step 230).
2. The method as claimed in claim 1, wherein the request for access to the secure resource comprises a wireless request sent from the mobile device (110) (step 211 or step 213).
3. The method as claimed in claim 2, wherein the step of generating the authentication token includes creating the authentication token as a two dimensional barcode encoded with a mobile device identifier for the mobile device (110), a terminal identifier for the self-service terminal (120 or 400), an indication of the wireless request, and a date and time when the barcode was created.
4. The method as claimed in any of claims 1 to 3, wherein the step of obtaining the access command from the controller server (140) includes re-presenting a new authentication token on the display (401) when an adapted period of time elapses before the access command is received from the server (140) (step 221).
5. The method as claimed in any of claims 1 to 4, wherein the step of requesting the cryptographic peripheral device (123) to validate the access command includes acting as an intermediary to forward encrypted information between the cryptographic peripheral device (123) and the controller server (140) to assist the cryptographic peripheral device (123) in independently validating the access command on behalf of the self-service terminal (120 or 400), wherein the control application (121) in the self-service terminal (120 or 400) is incapable of decrypting the encrypted information (step 231).
6. The method as claimed in any of claims 1 to 5, wherein the method comprises
sending audit data to the controller server (140) when the authenticated access is granted (step 240), and
maintaining audit data in a log on the terminal (120 or 400) (step 241).
7. A self-service terminal (120 or 400) comprising:
a secure resource;
a controller executing a control application (121 or 402); and a cryptographic peripheral device (123) in communication with the controller and executing a cryptographic application (403); the control application (121 or 402) being adapted to:
receive a request from a mobile device (110) for access to the secure resource and
provide an authentication token comprising presenting the authentication token on a display (401) of the self-service terminal (120 or 400), wherein the authentication token is generated in response to the request from the mobile device (110); wherein the self-service terminal is characterized in that the control application is adapted to:
obtain an access command from a controller server (140), wherein the access command is sent in response to an instruction from an authentication server (130) after the authentication server (130) has independently authenticated the mobile device (110) using the generated authentication token as scanned by the mobile device and sent to the authentication server (130);
request the cryptographic peripheral device (123) to validate the access command,
forward a challenge message from the cryptographic application (403) to the controller server (140),
receive a response comprising a digitally signed challenge message from the controller server (140), and
provide authenticated access to the secure resource upon verification by the cryptographic application (403) that the received response was a valid response to the challenge message.
8. The terminal as claimed in claim 7, wherein the secure resource comprises devices located within a secure area of the terminal (120 or 400), and the control application (121 or 402) is adapted to provide the authenticated access by electronically unlocking an access panel to the secure resource.
9. The terminal as claimed in claim 7, wherein the secure resource comprises an administrative interface to the terminal (120 or 400).
10. The terminal as claimed in any of claims 7 to 9, wherein the terminal (120 or 400) comprises an automated teller machine, and the cryptographic peripheral device (123) comprises an encrypting PINpad.
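The challenge-response validation recited in claims 1 and 7, sketched as an added Go example; it is not code from the patent or its applicant. It assumes Ed25519 signatures, a server public key already provisioned in the peripheral, and a challenge that binds a random nonce to the command bytes; the type and function names and the sample command are hypothetical.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Server models the controller server (140), the only holder of the signing key.
type Server struct{ priv ed25519.PrivateKey }
func (s Server) Sign(challenge []byte) []byte { return ed25519.Sign(s.priv, challenge) }

// Peripheral models the cryptographic peripheral (123); it holds only the public key.
type Peripheral struct {
	serverKey ed25519.PublicKey
	pending   []byte // outstanding challenge, nil when none
}

// NewPair builds a server and a peripheral that trusts it (constructed key pair).
func NewPair() (Server, *Peripheral) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Server{priv}, &Peripheral{serverKey: pub}
}

// Challenge returns nonce || cmd (binding is this example's assumption) and records it.
func (p *Peripheral) Challenge(cmd []byte) []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	p.pending = append(nonce, cmd...)
	return append([]byte(nil), p.pending...)
}

// Validate consumes the challenge, so a signed response is accepted at most once.
func (p *Peripheral) Validate(cmd, sig []byte) bool {
	ch := p.pending
	p.pending = nil
	return len(ch) >= 32 && bytes.Equal(ch[32:], cmd) && ed25519.Verify(p.serverKey, ch, sig)
}

func main() {
	srv, epp := NewPair()
	sig := srv.Sign(epp.Challenge([]byte("UNLOCK_PANEL"))) // control application only relays
	fmt.Println("granted:", epp.Validate([]byte("UNLOCK_PANEL"), sig))
}
```

Because the control application never holds the signing key, it can forward the challenge and the response but cannot produce a response the peripheral will accept.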
| # | Name | Date |
|---|---|---|
| 1 | 5448-CHE-2015-IntimationOfGrant03-04-2023.pdf | 2023-04-03 |
| 1 | Form 5 [12-10-2015(online)].pdf | 2015-10-12 |
| 2 | 5448-CHE-2015-PatentCertificate03-04-2023.pdf | 2023-04-03 |
| 2 | Form 3 [12-10-2015(online)].pdf | 2015-10-12 |
| 3 | Form 18 [12-10-2015(online)].pdf | 2015-10-12 |
| 3 | 5448-CHE-2015-FORM 3 [13-02-2020(online)].pdf | 2020-02-13 |
| 4 | Form 1 [12-10-2015(online)].pdf | 2015-10-12 |
| 4 | 5448-CHE-2015-Correspondence_22-01-2020.pdf | 2020-01-22 |
| 5 | Drawing [12-10-2015(online)].pdf | 2015-10-12 |
| 5 | 5448-CHE-2015-Priority Document_ (As Filed)_22-01-2020.pdf | 2020-01-22 |
| 6 | Description(Complete) [12-10-2015(online)].pdf | 2015-10-12 |
| 6 | 5448-CHE-2015-Certified Copy of Priority Document (MANDATORY) [20-01-2020(online)].pdf | 2020-01-20 |
| 7 | 5448-CHE-2015-Power of Attorney-271015.pdf | 2016-04-05 |
| 7 | 5448-CHE-2015-PETITION UNDER RULE 137 [20-01-2020(online)].pdf | 2020-01-20 |
| 8 | 5448-CHE-2015-Correspondence-Power of Attorney-Notarized Assignment-271015.pdf | 2016-04-05 |
| 8 | 5448-CHE-2015-ABSTRACT [26-12-2019(online)].pdf | 2019-12-26 |
| 9 | 5448-CHE-2015-Assignment-271015.pdf | 2016-04-05 |
| 9 | 5448-CHE-2015-CLAIMS [26-12-2019(online)].pdf | 2019-12-26 |
| 10 | 5448-CHE-2015-COMPLETE SPECIFICATION [26-12-2019(online)].pdf | 2019-12-26 |
| 10 | 5448-CHE-2015-Form 3-040416.pdf | 2016-06-14 |
| 11 | 5448-CHE-2015-Correspondence-040416.pdf | 2016-06-14 |
| 11 | 5448-CHE-2015-DRAWING [26-12-2019(online)].pdf | 2019-12-26 |
| 12 | 5448-CHE-2015-FER.pdf | 2019-06-27 |
| 12 | 5448-CHE-2015-FER_SER_REPLY [26-12-2019(online)].pdf | 2019-12-26 |
| 13 | 5448-CHE-2015-FORM 3 [26-12-2019(online)].pdf | 2019-12-26 |
| 13 | 5448-CHE-2015-OTHERS [26-12-2019(online)].pdf | 2019-12-26 |
| 14 | 5448-CHE-2015-FORM 3 [26-12-2019(online)].pdf | 2019-12-26 |
| 14 | 5448-CHE-2015-OTHERS [26-12-2019(online)].pdf | 2019-12-26 |
| 15 | 5448-CHE-2015-FER.pdf | 2019-06-27 |
| 15 | 5448-CHE-2015-FER_SER_REPLY [26-12-2019(online)].pdf | 2019-12-26 |
| 16 | 5448-CHE-2015-Correspondence-040416.pdf | 2016-06-14 |
| 16 | 5448-CHE-2015-DRAWING [26-12-2019(online)].pdf | 2019-12-26 |
| 17 | 5448-CHE-2015-Form 3-040416.pdf | 2016-06-14 |
| 17 | 5448-CHE-2015-COMPLETE SPECIFICATION [26-12-2019(online)].pdf | 2019-12-26 |
| 18 | 5448-CHE-2015-Assignment-271015.pdf | 2016-04-05 |
| 18 | 5448-CHE-2015-CLAIMS [26-12-2019(online)].pdf | 2019-12-26 |
| 19 | 5448-CHE-2015-ABSTRACT [26-12-2019(online)].pdf | 2019-12-26 |
| 19 | 5448-CHE-2015-Correspondence-Power of Attorney-Notarized Assignment-271015.pdf | 2016-04-05 |
| 20 | 5448-CHE-2015-PETITION UNDER RULE 137 [20-01-2020(online)].pdf | 2020-01-20 |
| 20 | 5448-CHE-2015-Power of Attorney-271015.pdf | 2016-04-05 |
| 21 | 5448-CHE-2015-Certified Copy of Priority Document (MANDATORY) [20-01-2020(online)].pdf | 2020-01-20 |
| 21 | Description(Complete) [12-10-2015(online)].pdf | 2015-10-12 |
| 22 | 5448-CHE-2015-Priority Document_ (As Filed)_22-01-2020.pdf | 2020-01-22 |
| 22 | Drawing [12-10-2015(online)].pdf | 2015-10-12 |
| 23 | 5448-CHE-2015-Correspondence_22-01-2020.pdf | 2020-01-22 |
| 23 | Form 1 [12-10-2015(online)].pdf | 2015-10-12 |
| 24 | 5448-CHE-2015-FORM 3 [13-02-2020(online)].pdf | 2020-02-13 |
| 24 | Form 18 [12-10-2015(online)].pdf | 2015-10-12 |
| 25 | Form 3 [12-10-2015(online)].pdf | 2015-10-12 |
| 25 | 5448-CHE-2015-PatentCertificate03-04-2023.pdf | 2023-04-03 |
| 26 | Form 5 [12-10-2015(online)].pdf | 2015-10-12 |
| 26 | 5448-CHE-2015-IntimationOfGrant03-04-2023.pdf | 2023-04-03 |
| 1 | SEARCH5448_19-06-2019.pdf |