AUTHENTICATION METHOD AND SYSTEM AND AUTHENTICATION
CARD THEREOF
Field of invention
[001] The present invention is directed towards a method for authentication. More particularly, the present invention provides a method and system of secure authentication using multiple factors of authentication.
Background of the invention
[002] With the advancements in the field of Web and Mobile based commerce and communications, secure authentication has emerged as one of the most important requirements for any electronic commerce or mobile commerce based organization. Various situations require a user to be authenticated, in particular for financial transactions and it is anticipated that such authentications will only grow with time.
[003] Traditionally single factor authentication or password/PIN based authentication and security systems have been predominantly used. Single factor authentication is widely used in the fields of banking, web-mails, e-commerce, m-commerce, etc. However, single factor authentication has been found susceptible to compromise and there has been of late a move towards multiple factor authentication systems.
[004] Many organizations, particularly banks have started implementing second factor authentication systems in the form of something that the user has such as tokens for secure authentication of the user to the system. This second factor authentication is deployed in combination with the above mentioned first factor of authentication. For example, the user is required to enter a Username or Login name or ID and Password known only to the user as a first factor authentication. The user is also then required to enter a code from an electronic device referred to as token, the code being randomly generated by the token, to satisfy the second factor authentication requirement after having satisfied the first factor authentication requirement.

[005] The second factor authentication systems have found limited success on account for the cost of implementation, particularly cost of restructuring existing systems. Moreover existing multiple factor authentication systems are not entirely secure and are often found vulnerable to attacks and security breaches.
[006] In order to overcome the drawbacks of the existing art, an authenticating system and method is provided by the applicant in Indian Patent Application No.: 1746/DEL/2007 which application is incorporated herein by reference. The authenticating system and method provided in Indian Patent Application No.: I746/DEL/2007 utilizes a mobile phone or personal computing device which a user possesses, a secret code like a PIN which only the user knows and a compiled data sheet or booklet containing unique signatures which the user owns.
[007] FIG. AI illustrates the signature card 10 or booklet 20 as described in Indian Patent Application No.: I746/DEL/2007. As illustrated the signature card or booklet contains unique alphanumeric series referred to as signatures. The card 10 or signature booklet 20 has a set of signatures that are different from the other signatures in the same signature booklet or card. Each signature booklet or card is linked with a particular mobile phone or computing device such that a signature from a particular card or book can only be authenticated when submitted using the associated mobile phone or computing device. As also illustrated in FIG. Al. each signature has a number of 'X' marks randomly placed within the signatures. A user of the signature card or booklet is required to enter his personal idcntillcation number (PIN) into the spaces marked as 'X' in a particular signature. A user may pick any signature from the signature booklet and insert his PIN to generate a new signature which may then be submitted for user authentication.
[008] The authenticating system and method provided in Indian Patent Application No.: I746/DEL/2007 provides a reliable authentication system. However, the use of the authenticating system and method requires a slightly high cognitive ability due to an interplay between the processes of substitution and dialing. A user is firstly required to replace the blanks in a signature with consecutive digits of the user's PIN and then press the corresponding keys on the phone

keypad while looking at the digits in the signature on a booklet. This process may be difficult to execute by a user having limited cognitive skills or exposure such as a user belonging to a rural background with a very limited exposure to mobile phones. Further, it is envisaged that a person having a privileged access to the authentication system could potentially harvest a lot of transaction signatures corresponding to a user and therefore compute the PIN based on pattern analysis.
[009] Consequently, an authentication system and method which is strong, reliable, and resistant to security breaches, and at the same time is easy to use by a wide variety of users hailing from diverse backgrounds is required.
Summary of the invention
[0010] In various embodiments the present invention provides a method for authenticating a transaction conducted via a mobile device by using at least a personal identification number (PIN) and a signature card comprising one or more randomly generated transformation codes, the method at least comprising the steps of: encoding the PIN by using a transformation code; and transferring a transaction information and the encoded PIN to a predefined destination via the mobile device. In an embodiment, the mobile device is a cellular telephone. In another embodiment, the mobile device is a computing device.
[0011] In an embodiment of the present invention, the step of encoding the PIN by using a transformation code comprises replacing each character of the PIN by a corresponding character of at least one transformation code. Also, in an embodiment, the transaction is a financial transaction and the transaction information comprises a pre-allocated destination number, a number of a recipient device, and an amount of money being transferred.
[0012] In yet another embodiment, each of the transformation code comprises a sequence of 10 digits ranging from 0 to 9 inserted into 10 slots in a pseudorandom order, each slot containing a unique digit. In another embodiment, each of the transformation code comprises a sequence of 10 digits ranging from 0 to 9 inserted into 10 slots in a pseudo-random order, the slots being

uniquely numbered using digits ranging from 0 to 9. a number of each slot being encoded by replacing the number by the unique digit inserted in the slot. In a further embodiment, each of the transformation code comprises a sequence of 10 digits ranging from 0 to 9 inserted into 10 slots in a pseudo-random order, each slot containing a unique digit, one or more transformation codes being presented in a signature card in a plurality of presentation styles.
[0013] In another embodiment of the present invention, the signature card comprises a plurality of transformation codes, each transformation code capable of being used to encode a first PIN only once, a transformation code capable of being reused with respect to a second PIN. the second PIN differing from the first PIN by at least one digit. Each signature card is linked with a unique predefined mobile device, the signature card being capable of authenticating a transaction only when the transaction information and the encoded PIN is transferred using the unique predefined mobile device.
[0014] The present invention also provides a system for authenticating a transaction conducted via a mobile device by using at least a personal identification number (PIN) and a signature card comprising one or more randomly generated transformation codes. The system comprises a registration module for recording a mobile device number and a personal identification number for each user: a signature card generation module for generating one or more signature cards for each user, each signature card comprising one or more transformation code, each transformation code comprising a sequence of 10 digits ranging from 0 to 9 inserted into 10 slots in a pseudo-random order, the slots being uniquely numbered using digits ranging from 0 to 9; and an authentication module for authenticating a secure transaction performed by at least: encoding a PIN by using a transformation code: and transferring a transaction information and the encoded PIN to a predefined destination via the mobile device. In an embodiment the mobile device is a cellular telephone. In another embodiment, the mobile device is a computing device.
[0015] In an embodiment of the present invention, encoding a PIN by using a transformation code comprises replacing each character of the PIN by a corre-

sponding character of at least one transformation code. Also, in an embodiment, the transaction is a financial transaction and the transaction information comprises a pre-allocated destination number, a number of a recipient device, and an amount of money being transferred.
[0016] In various embodiments, one or more transformation codes are presented in a signature card in a plurality of presentation styles and the one or more transformation codes are generated using a random number generation method.
Brief description of the accompanying drawings
[0017] The present invention is described by way of embodiments illustrated in the accompanying drawings wherein:
[0018] FIG. Al illustrates a signature card as described in Indian Patent Application No.: 1746/DEL/2007:
[0019] FIG. 1 illustrates an exemplary design of the signature card, in accordance with an embodiment of the present invention:
[0020] FIG. 2 illustrates another exemplary design of the signature card, in accordance with an embodiment of the present invention;
[0021] FIG. 3 illustrates a tabular representation of a transforming pattern, in accordance with an embodiment of the present invention; and
[0022] FIG. 4 illustrates an environment in which the authentication system of the present invention is implemented, in accordance with an embodiment of the present invention
Detailed description of the invention
[0023] The present invention provides a method and system for authenticating a user of a mobile device such as a mobile phone or other personal computing de-

vice. The method involves the use of the mobile device which the user possesses, a secret code like a PIN which is known only to the user and a signature card comprising a transforming pattern which the user owns. The authentication method and system described herein is cost effective, and provides secure authentication to organizations involving mobile or electronic commerce, online transfer of funds, other banking functionalities which can be performed electronically, and other places where user authentication is a requirement to access the system,
[0024] The following disclosure is provided in order to enable a person having ordinary skill in the art to practice the invention. Exemplary embodiments are provided only for illustrative purposes and various modifications will be readily apparent to persons skilled in the art. The general principles defined herein may be applied to other embodiments and applications without departing from the spirit and scope of the invention. Also, the terminology and phraseology used is for the purpose of describing exemplary embodiments and should not be considered limiting. Thus, the present invention is to be accorded the widest scope encompassing numerous alternatives, modifications and equivalents consistent with the principles and features disclosed. For purpose of clarity, details relating to technical material that is known in the technical fields related to the invention have not been described in detail so as not to unnecessarily obscure the present invention.
[0025] The present invention would now be discussed in context of embodiments as illustrated in the accompany ing draw ings.
[0026] FIG. 1 illustrates a signature card, in accordance with an embodiment of the present invention. The signature card 100 comprises a first side 102 and a second side 104. Optionally, the first side comprises pre-allocated spots 106. 108 and 110 for holding a user's picture, name and mobile phone number respectively. The name/logo of an organization such as a bank honouring the signature card 100 is provided at spot 1 12. The second side 104 comprises a sequence of 10 digits (numerals from 0 to 9) 114 inserted into 10 slots 1 16 in a pseudo-random order.

[0027] In an embodiment, the pseudo random order of the numerals is generated by using an algorithm which makes the number generation appear random and with sufficient randomness. In an embodiment a random number generating algorithm commonly known in he art is used wherein firstly even transforming set of digits is attached to a serial number and then every serial number is attached to a position randomizer (a seed). Next the digits from 0 to 9 are inserted into the slots slot 0 to slot 9 by firstly initializing a random number generator and providing the seed. For a given seed, a function generates the same sequence of random numbers for each invocation. Next the digits so produced are added and a modular division by 9 is performed resulting in a number from 0 to 9 (slot number). It is determined if the slot number is empty before inserting the next digit in the sequence (0.1.2.3.4.5.6.7.8.9) into the slot. The addition and insertion steps are repeated till all the 10 slots have been tilled up with the all the 10 individual digits.
[0028] In various embodiments of the present invention the second side of the signature card 100 represents a transforming pattern explained with reference to FIG. 3. The signature card 100 may be used either once for authenticating the user or alternately be allowed an unlimited or fixed number of uses. The digits on the second side 104 of the signature card 100 may be printed, typed, embossed, transferred or displayed in any known manner. Each signature card 100 or a set of such signature cards 100 is linked with a particular mobile device such that the signature card can only be used to authenticate a user when a required authentication information is submitted using the particular mobile device.
[0029] The design of the signature card as illustrated in FIG. 1 is for illustrative purposes only. Any suitable design conveying a transforming pattern to a user may be employed. FIG. 2 illustrates another exemplary design of the signature card, in accordance with an embodiment of the present invention. The signature card 200 comprises a sequence of 10 digits (numerals from 0 to 9) 204 inserted into 10 slots 202 in a pseudo-random order. In various embodiments, the digits are inserted by using a pseudo random method ensuring that there

are no repetitions, i.e. a digit which has been inserted into a slot once is not inserted into another slot again. In the embodiment illustrated in FIG. 2. the digits inserted in row 202 are covered by a protective opaque material commonly known in the art which must be scratched by a blunt instrument in order to reveal the digits. Row 204 of the signature card 200 represents a transforming pattern which is used for authenticating transactions. In various other embodiments, various diverse designs may be used to implement the signature card provided by the present invention. In an embodiment, a transforming pattern once used for authentication may not be used again. In an embodiment, the transforming patterns in the signature card may be capable of being scratched or peeled off, so as to ensure that the same transforming pattern is not repeated resulting in authentication failure.
[0030] FIG. 3 illustrates a tabular representation of the transforming pattern, in accordance with an embodiment of the present invention. Table 300 comprises a first row 302 and a second row 304. Row 302 represents the ten slots 116 illustrated in FIG. 1 and row 304 represents the digits I 14 ranging from 0 to 10 that are inserted in each of the slots. In various embodiments, the digits are inserted by using a pseudo random method ensuring that there are no repetitions, i.e. a digit which has been inserted into a slot once is not inserted into another slot again. The table 300 represents a transforming pattern wherein the row 302 contains input patterns and the row 304 contains corresponding output patterns. For example an input digit contained in row 302 and column 306 is '3' and a corresponding output digit is '8' which is contained in row 304 and column 308. Hence the digit "3" is transformed to digit '8" by the transforming pattern represented by table 300. For an exemplary input sequence o\~ digits '3124", the transforming pattern applied to each of the individual input digits results in"8409" as an output sequence of digits.
[0031] An exemplary scenario A where the signature card 100 is used to authenticate a financial transaction involving transfer of an amount of money from a first user's account to a second user's account is described. It is assumed that the first and the second users are registered with the authentication system described in the present invention and possess mobile devices such as mobile

phones or personal computing devices which have also been registered with the authentication system. In order to transfer Rs. 100 to the second user"s account, without using the signature card, the first user is required to dial the following numbers on his mobile phone; *543*987651234*100*1234#
where digits '543' represent an access code for accessing the authentication system, digits '987651234' represent the second user's mobile phone number, digits ' 100" represent the amount of money being transferred and digits ' 1234' represent the secret personal identification number (PIN) of the first user. The symbol '*' is used as a digit sequence separator and the symbol '#' is used to signify an end of the digit string. As is evident, the above described method of money transfer is prone to security breaches as the PIN being entered in an unencrypted form may be extracted by unauthorized personnel using the host of eavesdropping methods available.
[0032] By using the signature card described in the present invention the first user can make the money transfer more secure. The transforming pattern provided on the signature card may be used to encode am of the digit strings involved in a secured transaction into a different set of digits making it impossible for an eavesdropper to predict the original sequence of digits. A transaction executer system which finally receives the transformed sequence of digits however knows the transforming pattern and is therefore able to reconstruct the original sequence of digits. The transforming pattern provided in the signature card may be applied to any of the different numeric elements of a transaction string like the mobile number of the recipient, the amount or the PIN of a user.
[0033] In an exemplary embodiment, in the exemplary scenario A the first user would enter the following string of digits using the signature card illustrated in FIG. I. for transferring Rs. 100 from his account to the second user's account: *543*987651234* 100*4089#
where digits '4089' represent output digits resulting from transformation of the input digits ' 1234'. Hence, in the exemplary embodiment described above, the transforming pattern provided in signature card 100 is applied to the PIN of the first user in order to make the financial transaction secure.

[0034] In another exemplary embodiment, the transforming pattern maybe applied to the mobile phone number of the second user. In such a case the first user would be required to dial the following string of digits using the signature card illustrated in FIG. I, for transferring Rs. 100 from his account to the second user's account: *543*52364089*100*1234#
where digits "52364089' represent output digits resulting from transformation of the input digits '987651234'.
[0035] In yet another exemplary embodiment, the transforming pattern maybe applied to the entire string of digits entered in a mobile device. In such a case the first user would be required to dial the follow ing string of digits using the signature card illustrated in FIG. 1, for transferring Rs. 100 from his account to the second user's account: *543*52364089*477*408#
where digits '52364089'. '477'. '4089" represent output digits resulting from transformation of the input digits '987651234'. '100' and '1234' respectively.
[0036] Hence, the use of the signature card provided by the present invention makes it virtually impossible for any eavesdropping system to extract any information at all from the dialed sequence of digits as it travels till the transaction executing system for decoding and further implementation of the transaction.
[0037] In another exemplary embodiment the transforming pattern provided by the present invention may be applied over the authentication signature provided the by Indian Patent Application 1 746/DEL/2007. Hence, the authentication signature illustrated in FIG. A1 mas be used in conjunction with the authentication method and system of the present invention to provide a very high level of security. For example, if a user's PIN is '1234' and the user possesses a signature booklet as illustrated in FIG. A1. the user would be required to enter his PIN by firstly substituting the digits of the PIN in the blank spaces marked by an 'X' in a signature string represented in FIG. Al. Hence, if the signature string being used is 2X3X54X91X the user's PIN would be represented as

'2132543914". When the exemplary translbrming pattern illustrated in FIG. 1 is applied to the PIN the transformed PIN would be represented as '0480198549'.
[0038] In an embodiment of the present invention, where a set of transforming patterns are provided to a user, each of which could be identified through a unique PIN; a computing platform (server) sends a message using SMS/ email/ USSD/ Voice Call to the user (randomly) indicating which transforming pattern (e.g.. by using a signature card serial number) is to be used for the next transaction such that each transforming pattern could be used only once with a given user PIN. Additionally, before the entire set of transforming patterns (all the serial numbers or the stack of cards) have been consumed, the user is forced to choose a new PIN. By the act of choosing a new PIN. reuse of all transforming patterns provided to the user again, without replenishment, is enabled, while still maintaining security of the transactions.
[0039] For example.
if the following set of N (3) transforming patterns are provided to a user possessing a first PIN which is ' 1234":
1.
0123456789
8930142567
0123456789 7914582360
0123456789
0746153298
The server initially informs the user to use pattern serial number '1' first.
Hence, the transformed PIN becomes 9301.

For the next transaction, the server informs the user to use patter serial number '3'. Hence, the transformed PIN becomes 7461.
For the next transaction, the server informs the user to set a new PIN. In an exemplary scenario, if the user sets the PIN as "0123. and. the server informs the user to use pattern serial number '1' again, the transformed PIN becomes 8930. For the next transaction the server informs the user to use pattern serial number '2' again, but now the transformed PIN becomes 7914.
[0040] As is evident from the example above, in an embodiment, the invention allows the use of a set of signature cards to be used multiple times without replenishment by using an algorithm to force the change of user's PIN before using up all the cards in the set.
[0041] Hence, the authentication method provided by the present invention is cost effective on account of minimal modification of existing system and an easily provided signature card. The signature card may be associated with a particular mobile device such as mobile phone or personal computing device so that in order to achieve authentication, three elements would be required, namely the mobile phone or device, the PIN which is only known to a user and the signature card. If any of these three components is not in possession of the user, obtaining authentication would not be possible. Moreover, the loss of any of the three components does not pose a security threat and is capable of a simple replacement.
[0042] FIG. 4 illustrates an environment in which the authentication system of the present invention is implemented, in accordance with an embodiment of the present invention. In accordance with an embodiment, an authentication system 400 is provided for authenticating encrypted strings 402 submitted to it by a mobile phone 404 or a computing device 406. The strings are encrypted by using a transforming code provided by the present invention. The authentication system 400 may in turn authenticate a user at various entities such as merchant 408. user 410 and financial institutions such as banks 412 or any other third party 414 that requires secure authentication and is registered with the authentication system. As illustrated, a user making use of his mobile phone

402 or personal computing device 404 and the signature card 401 and his PIN
403 transmits an encrypted string to the authentication system, is authenticated at multiple entities. In an embodiment, each entity is not required to implement the authentication system and incur costs of implementation. The entity desirous of implementing secure authentication must register with the authentication system for authenticating its users.
[0043] While the exemplary embodiments of the present invention are described and illustrated herein, it will be appreciated that they are merely illustrative. It will be understood by those skilled in the art that various changes in form and detail may be made therein without departing from or offending the spirit and scope of the invention.

We claim:
1. A method for authenticating a transaction conducted via a mobile device by
using at least a personal identification number (PIN) and a signature card
comprising one or more randomly generated transformation codes, the method
at least comprising the steps of:
a. encoding the PIN by using a transformation code: and
b. transferring a transaction information and the encoded PIN to a prede
fined destination via the mobile device.
2. The method as claimed in claim I wherein the mobile device is a cellular telephone.
3. The method as claimed in claim I wherein the mobile device is a computing device.
4. The method as claimed in claim I wherein the step of encoding the PIN by using a transformation code comprises replacing each character of the PIN by a corresponding character of at least one transformation code.
5. The method as claimed in claim I wherein the transaction is a financial transaction.
6. The method as claimed in claim I wherein the transaction information comprises a pre-allocated destination number, a number of a recipient device, and an amount of money being transferred.
7. The method as claimed in claim I wherein each of the transformation code comprises a sequence of 10 digits ranging from 0 to 9 inserted into 10 slots in a pseudo-random order, each slot containing a unique digit.
8. The method as claimed in claim I wherein each of the transformation code comprises a sequence of 10 digits ranging from 0 to 9 inserted into 10 slots in a pseudo-random order, the slots being uniquely numbered using digits ranging from 0 to 9. a number of each slot being encoded by replacing the number by the unique digit inserted in the slot.
9. The method as claimed in claim I wherein each of the transformation code comprises a sequence of 10 digits ranging from 0 to 9 inserted into 10 slots in a pseudo-random order, each slot containing a unique digit, one or more transformation codes being presented in a signature card in a plurality of presentation styles.

10. The method as claimed in claim I wherein the signature card comprises a plurality of transformation codes, each transformation code capable of being used to encode a first PIN only once, a transformation code capable of being reused with respect to a second PIN. the second PIN differing from the first PIN by at least one digit.
11. The method as claimed in claim I wherein each signature card is linked with a unique predefined mobile device, the signature card being capable of authenticating a transaction only when the transaction information and the encoded PIN is transferred using the unique predefined mobile device.
12. A system for authenticating a transaction conducted via a mobile device by using at least a personal identification number (PIN) and a signature card comprising one or more randomly generated transformation codes, the system comprising:
a. a registration module for recording a mobile device number and a per
sonal identification number for each user:
b. a signature card generation module for generating one or more signa
ture cards for each user, each signature card comprising one or more
transformation code, each transformation code comprising a sequence
of 10 digits ranging from 0 to 9 inserted into 10 slots in a pseudo
random order, the slots being uniquely numbered using digits ranging
from 0 to 9: and
c. an authentication module for authenticating a secure transaction per
formed by at least:
i. encoding a PIN by using a transformation code: and ii. transferring a transaction information and the encoded PIN to a predefined destination via the mobile device.
13. The system as claimed in claim 12 wherein the mobile device is a cellular telephone.
14. The system as claimed in claim 12 wherein the mobile device is a computing device.
15. The system as claimed in claim 12 wherein encoding a PIN by using a transformation code comprises replacing each character of the PIN by a corresponding character of at least one transformation code.

16. The system as claimed in claim 12 wherein the transaction is a financial transaction.
17. The system as claimed in claim 12 wherein the transaction information comprises a pre-allocated destination number, a number of a recipient device, and an amount of money being transferred.
18. The system as claimed in claim 12 wherein one or more transformation codes are presented in a signature card in a plurality of presentation styles.
19. The system as claimed in claim 12 wherein the one or more transformation codes are generated using a random number generation method.
20. The system as claimed in claim 12 wherein each transformation code is used
for encoding a first PIN only once, a transformation code capable of being re
used with respect to a second PIN. the second PIN differing from the first PIN
by at least one digit.