Two-Step Authentication Method For Online Banking

IP.com Disclosure Number: IPCOM000126859D
Original Publication Date: 2005-Aug-03
Included in the Prior Art Database: 2005-Aug-03
Document File: 1 page(s) / 25K

Publishing Venue

IBM

Abstract

Performing online banking requires that a user log on to a website by supplying a user ID and entering a valid password. The level of security provided by this method is less than optimal. A user's ID may be readily obtained since the ID is always displayed when entered. The user's password can be guessed or obtained via other methods (e.g., phishing). It is not unusual for a hacker to obtain user information from a business's server. A user can be ruined financially or have their identity stolen if a hacker obtains access to the user's account information. Disclosed is a method to increase a user's security when their online ID and password have been compromised.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 90% of the total text.


This invention works by implementing a two-step authentication method for online transactions. A two-step authentication method normally requires external hardware, such as a fob or a dongle attached to the user's computer, in addition to a user ID and password. While this method is very secure, it is also very costly for businesses to implement, and very few businesses use it. The two-step authentication method disclosed here is a software-only method. It consists of the normal logon procedure and a second authentication step based on a cookie that is stored on the user's computer when the online account is established. During account registration, the customer will be required to specify the actions to be taken if the bank does not detect the presence of the cookie. The action can consist of one or more of the following:

Do not allow the logon to proceed.

The bank will update the cookie after each successful login (i.e., when the cookie is detected) to further increase security. If a hacker had successfully logged on to the account, the user would eventually be made aware of this, since the next time they attempted to log on, their cookie would not be valid.

If a hacker obtains the user's ID and password from the bank's server or by some other means, it is unlikely that they will have access to the cookie stored on the user's computer.
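The following Python sketch is an added example, not code from the disclosure. It models the cookie check and the per-login cookie update described above, so that a stale cookie on the account holder's machine becomes the signal that someone else has logged on. The class name, status strings, and the choice to store only a hash of the cookie on the server are assumptions, and only the "do not allow the logon" action is modelled.

```python
import hashlib
import hmac
import secrets

class DeviceCookieAuth:
    """Password check plus a device cookie that is rotated on every successful login."""
    def __init__(self):
        self.accounts = {}  # user_id -> {"salt", "pw", "cookie_hash"}
    @staticmethod
    def _pw_hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    @staticmethod
    def _cookie_hash(cookie):
        # Assumption: keep only a hash, so a server-side leak does not yield usable cookies.
        return hashlib.sha256(cookie.encode()).hexdigest()

    def _issue_cookie(self, user_id):
        cookie = secrets.token_urlsafe(32)  # unguessable value, replaced at the next login
        self.accounts[user_id]["cookie_hash"] = self._cookie_hash(cookie)
        return cookie

    def register(self, user_id, password):
        salt = secrets.token_bytes(16)
        self.accounts[user_id] = {"salt": salt, "pw": self._pw_hash(password, salt)}
        return self._issue_cookie(user_id)

    def login(self, user_id, password, cookie):
        """Return (status, replacement_cookie_or_None)."""
        acct = self.accounts.get(user_id)
        if acct is None or not hmac.compare_digest(
                acct["pw"], self._pw_hash(password, acct["salt"])):
            return "bad_credentials", None
        if cookie is None or not hmac.compare_digest(
                acct["cookie_hash"], self._cookie_hash(cookie)):
            # Missing or stale cookie: apply the registered action (only "deny" is modelled).
            return "denied_no_valid_cookie", None
        return "ok", self._issue_cookie(user_id)  # rotate after each successful login

def demo():
    bank = DeviceCookieAuth()
    pw = "constructed-password"  # constructed sample value
    c0 = bank.register("alice", pw)
    out = [bank.login("alice", pw, None)[0]]    # ID and password only, no cookie
    status, c1 = bank.login("alice", pw, c0)    # account holder's browser
    out.append(status)
    out.append(bank.login("alice", pw, c1)[0])  # a copy of c1 presented from elsewhere
    out.append(bank.login("alice", pw, c1)[0])  # holder's c1 is now stale: detection signal
    return out
```

The last result in `demo()` is the case the disclosure relies on for detection: the account holder's own cookie is rejected because another login has already consumed it.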

Limit the type of transact...