FIELD OF THE INVENTION:

The present invention relates to communication in a networking environment and in particular relates to an authentication mechanism in the networking environment.

BACKGROUND OF THE INVENTION:

The advent of internet has enabled execution of a plethora of tasks online and mobile device technology has evolved itself to impart the benefits of online services on the fly. Examples of such devices include tablets, smartphones, palm-tops, smart-watches etc. Accessing a mobile-device application software i.e. a mobile app running on data packet network connection to access such online services has become a general norm.

The mobile apps may also help in emulating through the cloud, a user-identity related information or user-credentials for requesting various online services. Such information or credentials are otherwise known to be electronically emulated by a physical media such as a mobile device subscriber’s identity card, credit card, accidental insurance cards, RFID chips etc. Accordingly, just like a physical media is operable through a designated device i.e. Point of sale (POS) device to send a service request, the mobile apps emulating the physical media also trigger sending service requests for the performance of various tasks electronically such as sending insurance claim requests, net-banking, communicating identity details, attendance marking etc. Accordingly, such emulation does away with an otherwise mandatory physical presence of a user-identity based storage media.

The service requests are also accompanied with a user-identity data that has to be authenticated as pre-condition to the processing of the service request. As a part of providing user-identity data through the mobile app for authentication, a mobile-app generated token or cryptogram is communicated to represent a user-identity in an encoded form. As the aforesaid tokens are prone to be copied by a malware or other hacking device, the authentication system may be configured to request supplementary user-identity data for performing additional authentication from the mobile device, wherein such supplementary data may a pre-defined password or a pre-defined PIN based information. However, PIN/password based data is also equally vulnerable to be hacked.

To provide a robust authentication mechanism, one may think of providing biometric details, voice signal, image-based identifiable data, etc, as user-identity data for authentication. However, provision of the same requires employment of a complex data acquisition mechanism at the mobile device and an equally complex authentication mechanism at the receiving system’s end as well, thereby increasing an overall complexity and associated costs. Cost-escalation and complexity are one of the major reasons for rendering any technology or mechanism beyond the reach of masses and accordingly unprofitable. Due to such reasons, device manufacturers are demotivated to incorporate robust authentication mechanisms such as biometric technology in majority of the mobile devices.

Accordingly, there has been a long felt need for a robust user authentication mechanism for authenticating user identity as a part of processing service-requests originating from a mobile device, without requiring significant up-gradation both to the mobile device and the service-request processing systems.

OBJECT OF THE INVENTION:

Thus, it is an object of the present invention to provide a method and system for enabling a substantially secure authentication mechanism, while processing service requests originating from a mobile device, through utilizing existing infrastructure and network elements.

It is another object of the present invention to maintain robustness of the aforesaid authentication mechanisms, without causing a substantial increase towards a turn-around time period.

SUMMARY OF THE INVENTION:
Accordingly, the present invention provides a method to authenticate a user account in a networking environment. The method comprises receiving a request triggered by operation of a mobile device hosting a particular environment, the request comprising details of historic mobile usage data in relation to a mobile network operator; receiving from the mobile network operator historic mobile usage data as logged in respect of the mobile device; comparing the historic mobile usage data in relation to a mobile network operator as contained in the request with the historic mobile usage data as logged in respect of the mobile device as received from the mobile network operator; and at least partly authenticating the user account in case of a match in the comparison.
The present invention also provides a system to authenticate a user account in a networking environment. The system comprises a receiver for receiving a request triggered by operation of a mobile device hosting a particular environment, the request comprising details of historic mobile usage data in relation to a mobile network operator. The receiver receives historic mobile usage data as logged in respect of the mobile device from the mobile network operator. A processor compares the historic mobile usage data in relation to a mobile network operator as contained in the request with the historic mobile usage data as logged in respect of the mobile device as received from the mobile network operator. The processor at least partly authenticates the user account in case of a match in the comparison.
The present invention further provides a method to authenticate a user account in a networking environment. The method includes constructing, through a pre-defined environment in a mobile device, a request comprising at least details of a historic mobile usage data in relation to a mobile network operator. Thereafter, the request thus constructed is transmitted for the purposes of said authentication.

The present invention further provides a system to authenticate a user account in a networking environment. The system comprises a processor for constructing, through a pre-defined environment in a mobile device, a request comprising at least details of a historic mobile usage data in relation to a mobile network operator. A transmitter transmits the request thus constructed for the purposes of said authentication.
To further clarify advantages and features of the present invention, a more particular description of the invention will be rendered by reference to specific embodiments thereof, which is illustrated in the appended drawings. It is appreciated that these drawings depict only typical embodiments of the invention and are therefore not to be considered limiting of its scope. The invention will be described and explained with additional specificity and detail with the accompanying drawings.

BRIEF DESCRIPTION OF FIGURES:

These and other features, aspects, and advantages of the present invention will become better understood when the following detailed description is read with reference to the accompanying drawings in which like characters represent like parts throughout the drawings, wherein:

Figure 1 shows a flow chart corresponding to a first embodiment of the invention;
Figure 2 shows a detailed internal construction of the apparatus in accordance with a first embodiment of the present invention;
Figure 3 shows a flow chart corresponding to a second embodiment of the invention;
Figure 4 shows a detailed internal construction of the apparatus in accordance with the second embodiment of the present invention;
Figure 5 shows a detailed internal construction of the apparatus as described in Fig. 2, and 4;
Figure 6 shows an exemplary implementation of a networking environment corresponding to application of the first and second embodiments of the present invention;
Figure 7 shows an exemplary control flow diagram as applicable within the implementation described in Fig. 6.

Further, skilled artisans will appreciate that elements in the drawings are illustrated for simplicity and may not have been necessarily been drawn to scale. For example, the flow charts illustrate the method in terms of the most prominent steps involved to help to improve understanding of aspects of the present invention. Furthermore, in terms of the construction of the device, one or more components of the device may have been represented in the drawings by conventional symbols, and the drawings may show only those specific details that are pertinent to understanding the embodiments of the present invention so as not to obscure the drawings with details that will be readily apparent to those of ordinary skill in the art having benefit of the description herein.

DETAILED DESCRIPTION:

For the purpose of promoting an understanding of the principles of the invention, reference will now be made to the embodiment illustrated in the drawings and specific language will be used to describe the same. It will nevertheless be understood that no limitation of the scope of the invention is thereby intended, such alterations and further modifications in the illustrated system, and such further applications of the principles of the invention as illustrated therein being contemplated as would normally occur to one skilled in the art to which the invention relates.

It will be understood by those skilled in the art that the foregoing general description and the following detailed description are exemplary and explanatory of the invention and are not intended to be restrictive thereof.

Reference throughout this specification to “an aspect”, “another aspect” or similar language means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the present invention. Thus, appearances of the phrase “in an embodiment”, “in another embodiment” and similar language throughout this specification may, but do not necessarily, all refer to the same embodiment.

The terms "comprises", "comprising", or any other variations thereof, are intended to cover a non-exclusive inclusion, such that a process or method that comprises a list of steps does not include only those steps but may include other steps not expressly listed or inherent to such process or method. Similarly, one or more devices or sub-systems or elements or structures or components proceeded by "comprises... a" does not, without more constraints, preclude the existence of other devices or other sub-systems or other elements or other structures or other components or additional devices or additional sub-systems or additional elements or additional structures or additional components.

Unless otherwise defined, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. The system, methods, and examples provided herein are illustrative only and not intended to be limiting.

Embodiments of the present invention will be described below in detail with reference to the accompanying drawings.

Now referring to Figure 1, it can be seen that the present invention provides a method to authenticate a user account in a networking environment, comprising:
receiving (step 102) a request triggered by operation of a mobile device hosting a particular environment, the request comprising details of historic mobile usage data in relation to a mobile network operator;
receiving (step 104) from the mobile network operator historic mobile usage data as logged in respect of the mobile device;
comparing (step 106) the historic mobile usage data in relation to a mobile network operator as contained in the request with the historic mobile usage data as logged in respect of the mobile device as received from the mobile network operator; and
at least partly authenticating (step 108) the user account in case of a match in the comparison.

In an embodiment, wherein said request comprises a request to process a token/parameter associated with a user account.

In another embodiment of the invention, wherein said request is triggered by detection of said mobile device in a pre-determined operational state by at least one of a sensing media, an NFC based detector, and a POS device.

In a further embodiment of the invention, wherein said environment inside the mobile device is at least one of: an NFC card emulation application, NFC compatible application, and a HCE application

In another embodiment, wherein said environment additionally assists said detection of the mobile device during said operational state and thereafter, said triggering of the request.

In another embodiment, wherein said historic mobile usage data in relation to the mobile network operator comprises at least one of: details of recent outgoing/incoming calls, recently browsed website addresses, details of recent outgoing/incoming SMS, and at least one recent billed amount.

In another embodiment, wherein said historic mobile usage data as logged in respect of the mobile device comprises at least one of a browsing history of the mobile device, call related data, messaging related data or an expenditure record of said mobile device.

In another embodiment, the present invention comprises verifying the received token based on a pre-determined criteria.

In another embodiment, the present invention comprises completely authenticating said user account based on said partial authentication and a successful result of said verification

Referring to Figure 2, the present invention also provides a system (200) to authenticate a user account in a networking environment. The system comprising:
a receiver (202) for receiving a request triggered by operation of a mobile device hosting a particular environment, the request comprising details of historic mobile usage data in relation to a mobile network operator;
said receiver (202) for receiving from the mobile network operator historic mobile usage data as logged in respect of the mobile device;
a comparator (204) comparing the historic mobile usage data in relation to a mobile network operator as contained in the request with the historic mobile usage data as logged in respect of the mobile device as received from the mobile network operator;
and
a processor (206) for at least partly authenticating the user account in case of a match in the comparison.

Now referring to Figure 3, it can be seen that the present invention further provides a method to authenticate a user account in a networking environment, comprising:
constructing (step 302), through a pre-defined environment in a mobile device, a request comprising at least details of a historic mobile usage data in relation to a mobile network operator; and
transmitting (step 304) the request thus constructed for the purposes of said authentication.

Referring to Figure 4, the present invention also provides a system (400) to authenticate a user account in a networking environment, comprising:
a processor (402) for constructing, through a pre-defined environment in a mobile device, a request comprising at least details of a historic mobile usage data in relation to a mobile network operator; and
a transmitter (404) for transmitting the request thus constructed for the purposes of said authentication.

Referring to figure 5, yet another typical hardware configuration of the systems 200, 400, in the form of a computer system 500 is shown. The computer system 500 can include a set of instructions that can be executed to cause the computer system 500 to perform any one or more of the methods disclosed. The computer system 500 may operate as a standalone device or may be connected, e.g., using a network, to other computer systems or peripheral devices.

In a networked deployment, the computer system 500 may operate in the capacity of a server or as a client user computer in a server-client user network environment, or as a peer computer system in a peer-to-peer (or distributed) network environment. The computer system 500 can also be implemented as or incorporated across various devices, such as a personal computer (PC), a tablet PC, a personal digital assistant (PDA), a mobile device, a palmtop computer, a laptop computer, a desktop computer, a communications device, a wireless telephone, a land-line telephone, a web appliance, a network router, switch or bridge, or any other machine capable of executing a set of instructions (sequential or otherwise) that specify actions to be taken by that machine. Further, while a single computer system 500 is illustrated, the term "system" shall also be taken to include any collection of systems or sub-systems that individually or jointly execute a set, or multiple sets, of instructions to perform one or more computer functions.

The computer system 500 may include a processor 502 e.g., a central processing unit (CPU), a graphics processing unit (GPU), or both. The processor 502 may be a component in a variety of systems. For example, the processor 502 may be part of a standard personal computer or a workstation. The processor 502 may be one or more general processors, digital signal processors, application specific integrated circuits, field programmable gate arrays, servers, networks, digital circuits, analog circuits, combinations thereof, or other now known or later developed devices for analysing and processing data The processor 502 may implement a software program, such as code generated manually (i.e., programmed).

The computer system 500 may include a memory 504, such as a memory 504 that can communicate via a bus 508. The memory 504 may be a main memory, a static memory, or a dynamic memory. The memory 504 may include, but is not limited to computer readable storage media such as various types of volatile and non-volatile storage media, including but not limited to random access memory, read-only memory, programmable read-only memory, electrically programmable read-only memory, electrically erasable read-only memory, flash memory, magnetic tape or disk, optical media and the like. In one example, the memory 504 includes a cache or random access memory for the processor 502. In alternative examples, the memory 504 is separate from the processor 502, such as a cache memory of a processor, the system memory, or other memory. The memory 504 may be an external storage device or database for storing data. Examples include a hard drive, compact disc ("CD"), digital video disc ("DVD"), memory card, memory stick, floppy disc, universal serial bus ("USB") memory device, or any other device operative to store data. The memory 504 is operable to store instructions executable by the processor 502. The functions, acts or tasks illustrated in the figures or described may be performed by the programmed processor 502 executing the instructions stored in the memory 504. The functions, acts or tasks are independent of the particular type of instructions set, storage media, processor or processing strategy and may be performed by software, hardware, integrated circuits, firm-ware, micro-code and the like, operating alone or in combination. Likewise, processing strategies may include multiprocessing, multitasking, parallel processing and the like.

As shown, the computer system 500 may or may not further include a display unit 510, such as a liquid crystal display (LCD), an organic light emitting diode (OLED), a flat panel display, a solid state display, a cathode ray tube (CRT), a projector, a printer or other now known or later developed display device for outputting determined information. The display 510 may act as an interface for the user to see the functioning of the processor 502, or specifically as an interface with the software stored in the memory 504 or in the drive unit 516.

Additionally, the computer system 500 may include an input device 512 configured to allow a user to interact with any of the components of system 500. The input device 512 may be a number pad, a keyboard, or a cursor control device, such as a mouse, or a joystick, touch screen display, remote control or any other device operative to interact with the computer system 500.

The computer system 500 may also include a disk or optical drive unit 516. The disk drive unit 516 may include a computer-readable medium 522 in which one or more sets of instructions 524, e.g. software, can be embedded. Further, the instructions 524 may embody one or more of the methods or logic as described. In a particular example, the instructions 524 may reside completely, or at least partially, within the memory 504 or within the processor 502 during execution by the computer system 500. The memory 504 and the processor 502 also may include computer-readable media as discussed above.

The present invention contemplates a computer-readable medium that includes instructions 524 or receives and executes instructions 524 responsive to a propagated signal so that a device connected to a network 526 can communicate voice, video, audio, images or any other data over the network 526. Further, the instructions 524 may be transmitted or received over the network 526 via a communication port or interface 520 or using a bus 508. The communication port or interface 520 may be a part of the processor 502 or may be a separate component. The communication port 520 may be created in software or may be a physical connection in hardware. The communication port 520 may be configured to connect with a network 526, external media, the display 510, or any other components in system 500, or combinations thereof. The connection with the network 526 may be a physical connection, such as a wired Ethernet connection or may be established wirelessly as discussed later. Likewise, the additional connections with other components of the system 500 may be physical connections or may be established wirelessly. The network 526 may alternatively be directly connected to the bus 508.

The network 526 may include wired networks, wireless networks, Ethernet AVB networks, or combinations thereof. The wireless network may be a cellular telephone network, an 802.11, 802.16, 802.20, 802.1Q or WiMax network. Further, the network 526 may be a public network, such as the Internet, a private network, such as an intranet, or combinations thereof, and may utilize a variety of networking protocols now available or later developed including, but not limited to TCP/IP based networking protocols.

In an alternative example, dedicated hardware implementations, such as application specific integrated circuits, programmable logic arrays and other hardware devices, can be constructed to implement various parts of the system 500.

Applications that may include the systems can broadly include a variety of electronic and computer systems. One or more examples described may implement functions using two or more specific interconnected hardware modules or devices with related control and data signals that can be communicated between and through the modules, or as portions of an application-specific integrated circuit. Accordingly, the present system encompasses software, firmware, and hardware implementations.

The system described may be implemented by software programs executable by a computer system. Further, in a non-limited example, implementations can include distributed processing, component/object distributed processing, and parallel processing. Alternatively, virtual computer system processing can be constructed to implement various parts of the system.

The system is not limited to operation with any particular standards and protocols. For example, standards for Internet and other packet switched network transmission (e.g., TCP/IP, UDP/IP, HTML, HTTP) may be used. Such standards are periodically superseded by faster or more efficient equivalents having essentially the same functions. Accordingly, replacement standards and protocols having the same or similar functions as those disclosed are considered equivalents thereof.

In the following paragraphs, a detailed description about exemplary implementation of the invention and a control flow within such exemplary implementation has been provided. It should however, be understood every implementation of as claimed method and apparatus need not follow the components and steps as described mentioned in the following paragraphs. Thus, the scope of the claims is intended to be restricted only on the basis of the claims and their equivalents and not on the basis of the examples provided herein below.

EXEMPLARY IMPLEMENTATION IN A NETWORKING ENVIRONMENT

Fig. 6 depicts a technical and exemplary implementation of the systems 200, 400, as defined in Fig. 2, and Fig. 4 in a networking environment, wherein the systems are communicatively linked with each other through a network. The systems 200, 400 are further connected to an authentication mechanism 1002, and a point of sale device 1004 (NFC enabled), and a mobile network element 1006 or a mobile network operator 1006 for discharging their respectively functionalities. The authentication mechanism 1002 may be a stand-alone system or a subset of the system 200. In addition, the present networking environment may be implemented through a plurality of networking technologies like cellular network, data packet network, near field communication, radio frequency based networking, etc.

Various operational steps in respect of the present implementation denoted by the arrows and reference numerals 601 to 608 have been depicted within the Fig. 6, wherein the order of reference numerals from 601 to 608 defines a sequence of operation within the exemplary networking implementation in Fig. 6. Accordingly, these operational steps depict a combination of functionalities specific to each system 200, 400 by virtue of their interconnection. Further, while arrows 601-604 (broken) represent upstream flow, the arrows 605-608 (solid) represent downstream flow.

The operational steps 601 to 608 have been explained in the order of their sequence with respect to Fig. 7 for better clarity. Fig. 7 denotes a control flow diagram denoting occurrence of various events from top to bottom, thereby depicting the sequence of operational steps 601 to 608 of Fig 6 in an alternate way. Accordingly, regard may be had to a conjoined observation of Fig. 6 and Fig. 7 for understanding the steps 601 to 608 that have been illustrated as follows:

Step 601 denotes the system 400 (or a mobile device 400) sending an ARQC (Authorization Request Cryptogram) instruction to a POS device 1004. Such system 400 corresponds to a system defined in the second embodiment of the present invention The ARQC instruction comprises a request to authenticate a user-identity associated with the mobile app, say a mobile wallet application, and may be encapsulated within an overall service request generated by the mobile device 400.

Specifically, as a part of the generation of ARQC request, the system 400 or the mobile device 400 constructs, through an HCE (Host Card emulation) architecture, a request for service, say executing an online bank-transaction. As a user-authentication is a pre-condition to transaction, accordingly, the request comprises a cryptogram that indirectly/directly represents the user’s bank account details. In addition, either outside the cryptogram or as a part of such cryptogram, the request comprises details of the historic mobile-device usage data in relation to an applicable mobile network operator. In an example, the historic mobile usage data comprises one or more of details of recent outgoing/incoming calls, recently browsed website addresses, details of recent outgoing/incoming SMS, and at least one recent billed amount.

Furthermore, in addition to the cryptogram or as a part of the cryptogram, the request may optionally comprise a current mobile device location. Accordingly, while constructing the cryptogram, the mobile app may gather location information and cell ID from various sources, i.e. GPS and/or a cell tower. However, in case the mobile device is a mobile phone, the same may be very often unable to access a cellular signal in a peculiar situation (say a basement). In such a scenario, the mobile app considers device locations of the recent past while constructing the request, e.g. locations traversed in the last ten minutes.

Upon having constructed the request, the mobile device 400 sends the request (or the ARQC instruction) to the POS device 1004 through an installed network-run mobile app, e.g. a Mobile wallet application based on the HCE architecture, which is associated with executing contactless payment through mobile devices.

In an example, the POS device 1004 is an NFC based detector to read magnetic cards, while the mobile wallet application is one of an NFC card emulation application, NFC compatible application, and a HCE application. Specifically, to enable receipt of the aforesaid ARQC instruction by the POS device 1004, the mobile device 400 is brought in a pre-determined proximity of the POS device 1004 and a consequent detection of the mobile device 400 in a pre-determined operational state takes place. Such operational state refers to the mobile device 400 hosting the mobile app, e.g. mobile wallet application. Accordingly, the mobile application assists the detection of the mobile device 400 by the POS device 1004. The detection leads to immediate receipt of the ARQC request by the POS device 1004 from the mobile device 400.

In step 602, the POS device 1004 forwards the request to an acquirer end of a transaction system 200 that corresponds to a system defined in the first embodiment of the present invention. In an example, the transaction system 200 may be linked with a payer bank (or any other financial institution) that is associated with the mobile wallet application and a payee bank that is associated with the POS device 1004. However, in other examples, the bank associated with the mobile application may also act as a payee, while the bank associated with the POS device 1004 may be a payer bank. Nevertheless, the acquirer end of the transaction system 200 is always linked to the bank or financial institution associated with the merchant establishment maintaining the POS device 1004

In step 603, an issuer end of the transaction system 200 forwards the authentication request to an authentication mechanism 1002 that may also be referred as an issuer host system 1002. As aforesaid, the issuer end of the transaction system 200 is associated with the bank or any other financial institution associated with the mobile wallet application.

As aforementioned, the authentication mechanism 1002 may either be a stand-alone apparatus or integrated with the transaction system 200. The authentication mechanism 1002 is responsible for authenticating the user who has sent the service request by comparing user details with a pre-defined criteria. The following description elaborates the operation within the authentication mechanism 1002.

In step 604, the authentication mechanism 1002 processes the received cryptogram and retrieves a corresponding mobile device identifier. In an example, in the case the mobile device is mobile phone, the MSISDN is retrieved as an identifier. However, in case the mobile device is an I-Pad, Tablet, or a smart-watch or any other non-telecommunication device, an IP address or any other device specific ID may be retrieved as a device identifier. Based upon the identifier, a corresponding mobile network operator 1006 that serves the current mobile device under consideration is located and requested to provide logged data with respect to the mobile device’s usage. In an example, the mobile network operator 1006 may include a wireless service provider, a wireless carrier, a cellular company, a mobile network carrier, a data network operator, a telecommunication service provider cum data network operator etc.

In step 605, the mobile network operator 1006 provides the historic mobile usage data as logged with itself in relation to the mobile device 400 under consideration. In an example, the data as sent by the mobile network operator 1006 comprises said historic mobile usage data as logged in respect of the mobile device. Such data sent by the mobile network operator 106 comprises at least one of a browsing history of the mobile device, call related data, messaging related data or an expenditure record of said mobile device. Such logged data may pertain to a particular time period, say last 3 hours, last 3 hours, last 3 weeks, etc., depending upon the time period as sought by the authentication mechanism 1002.

Optionally, the mobile network operator 1006 may also provide a location specific data pertaining to the current-most location or one or more recent historical locations as traversed by the mobile device 400.

In step 606, the data as received from the mobile network operator 1006 is compared by the authentication mechanism 1002 with the data as earlier received in the step 603 from the issuer end of the transaction system 200. In case a match results out of the comparison, then the user account is deemed to have been partly authenticated.

Furthermore, as an optional or add on feature, the location specific data as provided by the mobile device 400 and the mobile network operator 1006 may also be compared with each other. In case match results out of the comparison of locations or in case the two compared locations fall within a pre-determined threshold radius, then the aforesaid ‘part-authentication’ of the user account is affirmed.

Simultaneously, as a part of another authentication, the token residing within the cryptogram and representing the user account details (e.g. user bank account details) is also compared with a pre-defined criteria specific to the user as maintained by the authentication mechanism 1002. Accordingly, in case the token residing within the cryptogram and representing the user account details (e.g. user bank account details) also matches with the a pre-defined criteria, then the user account is deemed to have been fully authenticated

However, performance of both types of authentication need not necessarily proceed simultaneously as described above and may rather proceed sequentially in any order. Further, it may be understood that the step 606 is also understandable to cover such scenarios where one type of authentication is negative, while other is positive. Nevertheless, the user may be deemed fully authenticated in case both types of authentication yield positive results.

Further, the authentication mechanism 1002 communicates an outcome of the aforesaid comparisons to the issuer end of the transaction system 200. In case the user has been deemed fully authenticated, then the authentication system 1002 communicates an authorization response to the transaction system 200. In case the user has been only partly authenticated, the authentication system 1002 waits for positive outcome from the another authentication stage, prior to sending the authorization response to the transaction system 200. In case one of the authentication or both types of authentication fail, then the authentication system 1002 provides “authentication failure” response to the transaction system 200.

The rest of the steps 607 and 608 denote communication of either the authorization response or authentication failure response to the mobile device 400 via the POS device 1008. Especially, the mobile device 400 receives the authorization response from the POS device 1008 as an issuer cryptogram or authorization response cryptogram (ARPC).

Upon having given ARPC to the mobile device 400, the POS 1004 is empowered to access the user account associated with the mobile device 400 and perform the actual service or transaction as requested by the mobile device 400. Example of requested services/transaction include debiting of the user account in lieu of some product or service availed by a user, crediting of user account with a certain sum, or simple updating or redeeming loyalty points as accrued to the user account etc.

By virtue of the embodiments and implementations described so far, the present invention enables a secure and robust authentication of the user requesting online services through the mobile device, without seeking any specific input pertaining to the knowledge of the user, and without incurring significant economic costs in terms of up-gradation of the mobile device or the system processing the service request. Instead, the present invention aims at utilizing an existing methodology implemented within the mobile devices and the network infrastructure to authenticate the user.

Moreover, owing to a simple architecture, the present invention facilitates a substantially less turn-around time which is almost at par with a turn-around time generally associated with comparatively less secure authentication systems e.g. PIN/Password based authentication systems.

As may be understood, the user identity data, i.e. data related to historical mobile usage of the mobile device through a mobile network operator, is dynamic in nature owing to ever changing characteristics, and unlike PIN or password based data that is static in nature. Therefore, the present invention authenticates a user based on different set of parameters in every session, thereby lending more security to the authentication system. Moreover, such data is accessible through existing mobile devices and network infrastructure, and does not necessitate any major up-gradation to the mobile device or the network infrastructure.

While specific language has been used to describe the disclosure, any limitations arising on account of the same are not intended. As would be apparent to a person in the art, various working modifications may be made to the method in order to implement the inventive concept as taught herein.

The drawings and the forgoing description give examples of embodiments. Those skilled in the art will appreciate that one or more of the described elements may well be combined into a single functional element. Alternatively, certain elements may be split into multiple functional elements. Elements from one embodiment may be added to another embodiment. For example, orders of processes described herein may be changed and are not limited to the manner described herein.

Moreover, the actions of any flow diagram need not be implemented in the order shown; nor do all of the acts necessarily need to be performed. Also, those acts that are not dependent on other acts may be performed in parallel with the other acts. The scope of embodiments is by no means limited by these specific examples. Numerous variations, whether explicitly given in the specification or not, such as differences in structure, dimension, and use of material, are possible. The scope of embodiments is at least as broad as given by the following claims.

Benefits, other advantages, and solutions to problems have been described above with regard to specific embodiments. However, the benefits, advantages, solutions to problems, and any component(s) that may cause any benefit, advantage, or solution to occur or become more pronounced are not to be construed as a critical, required, or essential feature or component of any or all the claims.

Claims:We Claim:
1. A method to authenticate a user account in a networking environment, comprising:
receiving (step 102) a request triggered by operation of a mobile device hosting a particular environment, the request comprising details of historic mobile usage data in relation to a mobile network operator;
receiving (step 104) from the mobile network operator historic mobile usage data as logged in respect of the mobile device;
comparing (step 106) the historic mobile usage data in relation to a mobile network operator as contained in the request with the historic mobile usage data as logged in respect of the mobile device as received from the mobile network operator; and
at least partly authenticating (step 108) the user account in case of a match in the comparison.

2. The method as claimed in claim 1, wherein said request further comprises a request to process a token associated with said user account.

3. The method as claimed in claim 1, wherein said request is triggered by detection of said mobile device in a pre-determined operational state by at least one of a sensing media, an NFC based detector, and a POS device.

4. The method as claimed in claim 1, wherein said environment inside the mobile device is at least one of: an NFC card emulation application, an NFC compatible application, and a HCE application.

5. The method as claimed in claim 1, wherein said environment additionally assists said detection of the mobile device during said operational state and thereafter, said triggering of the request.

6. The method as claimed in claim 2, wherein said historic mobile usage data in relation to the mobile network operator comprises at least one of: details of recent outgoing/incoming calls, recently browsed website addresses, details of recent outgoing/incoming SMS, and at least one recent billed amount.

7. The method as claimed in claim 1, wherein said historic mobile usage data as logged in respect of the mobile device comprises at least one of a browsing history of the mobile device, call related data, messaging related data or an expenditure record of said mobile device.

8. The method as claimed in claim 2, further comprising verifying the received token based on a pre-determined criteria.

9. The method as claimed in claim 8, further comprising completely authenticating said user account based on said partial authentication and a successful result of said verification.

10. A system (200) to authenticate a user account in a networking environment, comprising:
a receiver (202) for receiving a request triggered by operation of a mobile device hosting a particular environment, the request comprising details of historic mobile usage data in relation to a mobile network operator;
said receiver (202) for receiving from the mobile network operator historic mobile usage data as logged in respect of the mobile device;
a comparator (204) comparing the historic mobile usage data in relation to a mobile network operator as contained in the request with the historic mobile usage data as logged in respect of the mobile device as received from the mobile network operator;
and
a processor (206) for at least partly authenticating the user account in case of a match in the comparison.

11. A method to authenticate a user account in a networking environment, comprising:
constructing (step 302), through a pre-defined environment in a mobile device, a request comprising at least details of a historic mobile usage data in relation to a mobile network operator; and
transmitting (step 304) the request thus constructed for the purposes of said authentication.

12. A system (400) to authenticate a user account in a networking environment, comprising:
a processor (402) for constructing, through a pre-defined environment in a mobile device, a request comprising at least details of a historic mobile usage data in relation to a mobile network operator; and
a transmitter (404) for transmitting the request thus constructed for the purposes of said authentication.