
Method to securely access web site from mobile phone

IP.com Disclosure Number: IPCOM000015703D
Original Publication Date: 2002-Jul-01
Included in the Prior Art Database: 2003-Jun-21
Document File: 4 page(s) / 64K

Publishing Venue

IBM

Abstract

Disclosed is a method to enable secure and easy access to a web site from a mobile phone without a device identification mechanism.

This text was extracted from a PDF file.
At least one non-text object (such as an image or picture) has been suppressed.
This is the abbreviated version, containing approximately 36% of the total text.

Page 1 of 4

Method to securely access web site from mobile phone

Disclosed is a method to enable secure and easy access to a web site from a mobile phone without a device identification mechanism.

Many browsers in mobile phones, especially those in Japan, do not provide device identification or a client certificate. These phones pose problems for web site access control:
- These phones do not provide device identification or a client certificate. The user must enter user credentials to authenticate each time they log in.
- It is difficult to enter a complex password from a mobile phone.
- Other users may use the user credentials from other phones, because the credentials are not tied to the device.
- Use of a truly one-time URL inhibits the use of the "back" button, which significantly degrades usability.

The method described here solves these problems. It is implemented by server-side software and hardware. In the desirable configuration, an IVR with Caller ID function is included. The authentication server, mail sender and Web server are mandatory. The authentication server must be configured to intercept all requests to the web server.

[Figure: system overview. Components: User (mobile phone), IVR, Mail sender, User DB, Authentication Server, Web Server. The User DB holds phone number, PIN, mail address of phone, PATH1 and PATH2; the Web Server holds a table mapping URL# to absolute path. Labelled flows (steps 1-12): call with origin number to the IVR, IVR notifies the Authentication Server, URL1 mailed to the user, request PIN, submit PIN, redirect to URL2/index.html.]

First, each phone user must register the mobile phone number, the mail address of the mobile phone and a PIN. When accessing the secure web site, the phone user:
(1) Makes a voice call to the IVR with caller identification (phone number notification). This call does not need to be connected.
(2) At the application center, the IVR system notifies the caller identification to the authentication server. If the IVR is not available, steps 1 and 2 above may be replaced with one of the following substitute means:
(a) The user sends an e-mail to a specific e-mail address; the e-mail server notifies the authentication server.
(b) The user accesses a specific
(c) At the pre-defined time, the authentication server starts the mail sending process described at step 3.

Page 2 of 4
(3) The authentication server looks up the user database to locate the registered user of that phone. If the phone number is not registered, the processing ends. The authentication server then generates one pair of unique strings, typically using a random number generator, so that one string cannot be calculated or guessed from the other. Name these strings PATH1 and PATH2. PATH2 is saved in the user directory entry for the owner of that phone. The authentication server then composes URL1 from the Web server's host name, a preconfigured authentication marker string (for example "AUTH") and PATH1, and sends URL1 to the mobile phone as an e-mail using the mail sender. To illustrate this method, assume PATH1="wRoLs3kV2dAMisYKsJo6b" and PATH2="Qgh2KKs7bsJr6pIG1cZ5".

The URL1 would look like http://www.company.co...
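As an added example that is not part of the disclosure, the following Python sketches the authentication server's step 3 (look up the caller, generate an independent PATH1/PATH2 pair, compose and mail URL1) and the PIN check on URL1 that the figure shows. The host name, URL layout, in-memory user database, mail stand-in and function names are assumptions.

```python
# Added example (not the IBM disclosure's code): authentication server logic
# for step 3 and the URL1 PIN check from the figure. Host, URL layout,
# user DB and function names are assumptions.
import secrets
import hmac
from dataclasses import dataclass

WEB_HOST = "www.example.test"   # assumed Web server host name
AUTH_MARKER = "AUTH"            # preconfigured authentication marker string


@dataclass
class User:
    phone: str
    mail: str
    pin: str
    path1: str = ""
    path2: str = ""   # saved in the user's directory entry at step 3


# Constructed user database keyed by registered phone number.
USER_DB = {"+81-90-0000-0001": User("+81-90-0000-0001", "user1@phone.example", "4821")}
SENT_MAIL = []  # constructed stand-in for the mail sender: (address, body)


def new_path_pair(nbytes=16):
    """Two independent CSPRNG strings, so neither can be derived from the other."""
    return secrets.token_urlsafe(nbytes), secrets.token_urlsafe(nbytes)


def handle_caller_id(phone):
    """Step 3: locate the caller, generate PATH1/PATH2, mail URL1. Returns URL1 or None."""
    user = USER_DB.get(phone)
    if user is None:          # unregistered phone number: processing ends
        return None
    user.path1, user.path2 = new_path_pair()
    url1 = f"http://{WEB_HOST}/{AUTH_MARKER}/{user.path1}"
    SENT_MAIL.append((user.mail, url1))
    return url1


def submit_pin(path1, pin):
    """URL1 form handler from the figure: correct PIN -> redirect to URL2/index.html.

    URL2 is assumed to be composed from the host name and PATH2.
    Comparisons are constant-time so timing does not leak PATH1 or the PIN.
    """
    user = next((u for u in USER_DB.values()
                 if u.path1 and hmac.compare_digest(u.path1, path1)), None)
    if user is None or not hmac.compare_digest(user.pin, pin):
        return None
    return f"http://{WEB_HOST}/{user.path2}/index.html"
```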