TOKEN, PARTICULARLY OTP, BASED AUTHENTICATION SYSTEM AND METHOD

Abstract

A method for authenticating a mobile device of a user versus a third-party such that instead of a mobile phone number MSISDN of the mobile device, a Universal Unique User Identifier, U3I, assigned to the mobile device is used, in combination with a secure routing service server constructed to communicate with a third-party server and with an MNO server. The secure routing service server and the MNO server interact to translate the Universal Unique User Identifier, U3I, to the mobile phone number MSISDN so as to enable sending the token to the mobile device.

Claims

1. A system for authenticating a mobile device of a user versus a third-party, the mobile device being assigned to a Mobile Network Operator MNO by a set of mobile subscriber data comprising a mobile phone number (MSISDN); the system comprising: (a) a third-party server constructed to receive from a requesting device an authentication request (REQ), requesting to authenticate the mobile device; in reaction, send an authentication token (OTP) to be received at the mobile device; receive back the authentication token; and upon successful receipt back of the authentication token (OTP), acknowledge the mobile device as authenticated; (b) the mobile device; (c) an MNO server of the Mobile Network Operator MNO (MNO 1) to which mobile device is assigned; wherein: (d) a secure routing service server constructed to communicate with the third-party server and with the MNO server; (e) a Universal Unique User Identifier, U3I, assigned to the mobile device; (f) the U3I of (e) being registered at the MNO server and assigned to the registered mobile phone number (MSISDN) of the user; (g) the U3I of (e) being registered at the secure routing service server and assigned to the Mobile Network Operator MNO, wherein the secure routing service server doesn't provide of the user's mobile phone number (MSISDN); (h) the authentication request (REQ) received at the third-party server comprising the U3I of step (e); (i) the third-party server being constructed to send the authentication token (OTP) and the U3I to the secure routing service server; (j) the secure routing service server being constructed to receive from the third-party server the authentication token (OTP) and the U3I; retrieve a Mobile Network Operator MNO (MNO 1) to which the U3I is assigned; and send the authentication token (OTP) and the U3I to the MNO server of the retrieved MNO (MNO 1); (k) the MNO server constructed to receive from the secure routing service server the authentication token (OTP) and the U3I; retrieve the mobile phone number (MSISDN) assigned to the U3I; and send the authentication token (OTP) to the mobile device using the retrieved mobile phone number (MSISDN).

2. The system according to claim 1, wherein the authentication token (OTP) is a One Time Password OTP.

3. The system according to claim 1, wherein the requesting device is the same device as the mobile device, or a device different from the mobile device.

4. The system according to claim 1, wherein the Universal Unique User Identifier, U3I, and/or the subscriber data and the mobile phone number (MSISDN) are assigned to an eUICC hosted in the mobile device.

5. A method for authenticating a mobile device of a user versus a third-party, the mobile device being assigned to a Mobile Network Operator MNO by a set of mobile subscriber data comprising a mobile phone number (MSISDN); the method comprising: (a) providing a third-party server, and at a third-party server: receive from a requesting device an authentication request (REQ), requesting to authenticate the mobile device; in reaction, send an authentication token (OTP) to be received at the mobile device; receive back the authentication token (OTP); and upon successful receipt back of the authentication token (OTP), acknowledge the mobile device as authenticated; (b) providing the mobile device; (c) providing an MNO server of the Mobile Network Operator MNO (MNO 1) to which the mobile device is assigned; wherein: (d) a secure routing service server constructed to communicate with the third-party server (20) and with the MNO server; (e) a Universal Unique User Identifier, U3I, assigned to the mobile device; (f) the U3I being registered at the MNO server and assigned to the registered mobile phone number (MSISDN) of the user; (g) the U3I being registered at the secure routing service server and assigned to the Mobile Network Operator MNO (MNO 1), wherein the secure routing service server doesn't provide of the user's mobile phone number (MSISDN); (h) the authentication (a) request received at the third-party server comprising the U3I; wherein: (i) by the third-party server, send the authentication token (OTP) and the U3I of (e) to the secure routing service server; (j) by the secure routing service server: receive from the third-party server the authentication token (OTP) and the U3I of (e); retrieve a Mobile Network Operator MNO (MNO 1) to which the U3I is assigned; and send the authentication token and the U3I to the MNO server of the retrieved MNO (MNO 1); (k) by the MNO server: receive from the secure routing service server the authentication token (OTP) and the U3I; retrieve the mobile phone number (MSISDN) assigned to the U3I; and send the authentication token (OTP) to the mobile device using the retrieved mobile phone number (MSISDN).

6. The method according to claim 5, further comprising: (i) at the third-party server or instructed by the third-party server, generate the authentication token (OTP).

7. The method according to claim 5, further comprising the steps: (l) registering the third-party server to the secure routing service server; and upon step (j): (j) at the secure routing service server: verify that the third-party server from which the authentication token (OTP) and the U3I are received is registered to the secure routing service server; and proceed to retrieve a Mobile Network Operator MNO and send the authentication token and the U3I to the MNO server of the retrieved MNO (MNO 1) only under the condition that the third-party server is registered.

8. The method according to claim 5, wherein step (i) by the third-party server, sending the authentication token (OTP) and the U3I of (e) to the secure routing service server, is performed via a secure communication channel, an HTTPs channel, between the third-party server and the secure routing service server.

9. The method according to claim 5, wherein the authenticating is performed on the occasion of taking over a software element offered on the third-party server for use by the mobile phone, the taking over of the software element being performed by: either downloading of the software element, an app, from the third-party server (20) to the mobile device, or logging in to the software element, constructed to be run on the third-party server, by the mobile device; the method further comprising the steps: (l) registering the software element offered at the third-party server to the secure routing service server; and upon step (j): (j) at the secure routing service server: verify that the software element offered on the third-party server for which the authentication token (OTP) and the U3I are received is registered to the secure routing service server; and proceed to retrieve a Mobile Network Operator MNO and send the authentication token and the U3I to the MNO server of the retrieved MNO (MNO 1) only under the condition that the software element, an app, offered on the third-party server is registered.

10. The method according to claim 9, further comprising the steps: (l) for registering, providing a secret API key to the software element; (j) upon step (j), by the software element, providing the secret API key to the secure routing service server; by the secure routing service server, verifying the secret API key provided by the software element.

11. The method according to claim 5, wherein in step (a), the sub-step to send an authentication token (OTP) to be received at the mobile device is performed via a mobile network, via Short Message Service SMS; and/or in step (a), the sub-step to receive from the requesting device an authentication request (REQ), requesting to authenticate the mobile device, is performed via a communication channel different from a mobile network, such that a mobile phone number MSISDN is not required for use of the communication channel; and/or the sub-step to receive back the authentication token (OTP) is performed via a communication channel different from a mobile network, such that a mobile phone number MSISDN is not required for use of the communication channel.

12. A system for sending requested data from a third-party to a mobile device of a user, the mobile device being assigned to a Mobile Network Operator MNO by a set of mobile subscriber data comprising a mobile phone number (MSISDN); the system comprising: (a) a third-party server constructed to receive from a requesting device a data transfer request (REQ), requesting to transfer data to the mobile device; in reaction, send the requested data to be received at the mobile device; (b) the mobile device; (c) an MNO server of the Mobile Network Operator MNO (MNO 1) to which mobile device is assigned; wherein: (d) a secure routing service server constructed to communicate with the third-party server and with the MNO server; (e) a Universal Unique User Identifier, U3I, assigned to the mobile device; (f) the U3I of (e) being registered at the MNO server and assigned to the registered mobile phone number (MSISDN) of the user; (g) the U3I of (e) being registered at the secure routing service server and assigned to the Mobile Network Operator MNO, wherein the secure routing service server doesn't provide of the user's mobile phone number (MSISDN); (h) the data transfer request (REQ) received at the third-party server comprising the U3I of (e); (i) the third-party server being constructed to send the requested data and the U3I to the secure routing service server; (j) the secure routing service server being constructed to receive from the third-party server the requested data and the U3I; retrieve a Mobile Network Operator MNO (MNO 1) to which the U3I is assigned; and send the requested data and the U3I to the MNO server of the retrieved MNO (MNO 1); (k) the MNO server constructed to: receive from the secure routing service server the requested data and the U3I; retrieve the mobile phone number (MSISDN) assigned to the U3I; and send the requested data to the mobile device using the retrieved mobile phone number (MSISDN).

13. The system according to claim 12, wherein the Universal Unique User Identifier, U3I, and/or the subscriber data and the mobile phone number (MSISDN) are assigned to an eUICC hosted in the mobile device.

14. A method for sending requested data from a third-party to a mobile device of a user, the mobile device being assigned to a Mobile Network Operator MNO by a set of mobile subscriber data comprising a mobile phone number (MSISDN); the method comprising: (a) providing a third-party server, and at a third-party server: receive from a requesting device a data transfer request (REQ), requesting to transfer data to the mobile device; in reaction, send the requested data to be received at the mobile device; (b) providing the mobile device; (c) providing an MNO server of the Mobile Network Operator MNO (MNO 1) to which the mobile device is assigned; wherein: (d) a secure routing service server constructed to communicate with the third-party server and with the MNO server; (e) a Universal Unique User Identifier, U3I, assigned to the mobile device; (f) the U3I being registered at the MNO server and assigned to the registered mobile phone number (MSISDN) of the user; (g) the U3I being registered at the secure routing service server and assigned to the Mobile Network Operator MNO (MNO 1), wherein the secure routing service server doesn't provide of the user's mobile phone number (MSISDN); (h) the data transfer request received at the third-party server comprising the U3I; wherein: (i) by the third-party server, send the requested data and the U3I of (e) to the secure routing service server; (j) by the secure routing service server: receive from the third-party server the requested data and the U3I of (e); retrieve a Mobile Network Operator MNO (MNO 1) to which the U3I is assigned; and send the requested data and the U3I to the MNO server of the retrieved MNO (MNO 1); (k) by the MNO server: receive from the secure routing service server the requested data and the U3I; retrieve the mobile phone number (MSISDN) assigned to the U3I; and send the requested data to the mobile device using the retrieved mobile phone number (MSISDN).

15. The method according to claim 5, wherein (h) the authentication (a) request or data transfer request received at the third-party server comprising the U3I is received from the mobile device; the U3I is provided from the mobile device to the third-party server; wherein: either the user enters the U3I to the mobile device manually for its transfer to the third-party server; or the U3I is retrieved by the mobile device from the mobile device, from an eUICC hosted in the mobile device, for its transfer to the third-party server.

Description

BRIEF DESCRIPTION OF THE DRAWINGS

[0054] Embodiments of the invention will be described with reference to the accompanying drawings, throughout which like parts are referred to by like references, and in which represents:

[0055] FIG. 1 a system for authenticating a user of a mobile device versus a third-party, according to an embodiment of the invention;

[0056] FIG. 2 a system for authentication, similar to the system of FIG. 1.

DETAILED DESCRIPTION OF THE INVENTION

[0057] FIG. 1 shows a system for authenticating a user of a mobile device 10 versus a third-party, according to an embodiment of the invention. The system comprises: a mobile device 10 to which an app of a third-party shall be downloaded, a third-party server 20, several MNO servers 30 of several Mobile Network Operators MNO—MNO 1, MNO 2, . . . , MNO n, and a secure routing service server 40. The app on the mobile device 10 and the third-party server 20 communicate via a network connection 50, for example an internet connection, between the app and an app interface 21 of the third-party server 20. The third-party server 20 and the secure routing service server 40 communicate via a secured network connection 60, for example a HTTPs connection via the internet. The secure routing service server 40 and the MNO server(s) 30 communicate via an interface 42, e.g., rest API interface, of the secure routing service server 40 and interfaces 31, e.g., rest API interfaces, of the MNO server(s) 30. The MNO server(s) 30 communicate with the mobile device 10 via a mobile network 70. The mobile device 10 provides of a eUICC (not shown) with at least one subscription profile implemented and enabled therein.

[0058] The third-party server 20 is in the example of FIG. 1 an app provider backend server of an app provider offering OTP authentication services for apps of said app provider offered for download from e.g., an app store to mobile devices such as the mobile device 10. The apps can be downloaded to mobile devices via an internet network connection 50. The request mechanism for OTP services for authentication in connection with an app download can as well be via an internet network connection 50, either the same or a different one. The app provider requests a mobile device 10 user desiring to download an app to his/her/its mobile device 10 and set the app into operation to authenticate him/her/itself via an OTP—One Time Password—mechanism. Herein, the user downloads the app from an app store or the like to the mobile device 10. The app requests the user to request for an OTP via the downloaded app. The user requests, via the downloaded app, for an OTP. The app is constructed to direct the user request to the correct third-party server 20, e.g., the backend server of said app provider. The request for an OTP is thus sent to the third-party server 20 via the app. According to the invention, the mobile phone number MSISDN is not sent to the third-party server 20 with the OTP request, instead the Universal Unique User Identifier U3I is sent to the third-party server 20 together with the OTP request.

[0059] The third-party server 20 generates an OTP and sends the OTP and the Universal Unique User Identifier U3I to the secure routing service server 40 via a secured network connection 60, for example a HTTPs connection via the internet.

[0060] The secure routing service server 40 stores, in a database, a list of Universal Unique User Identifiers U3I of all eUICCs registered for the secure routing service of the secure routing service server 40, together with an indicator of the Mobile Network Operator MNO (MNO1 or MNO 2 or . . . or MNO n) to which the respective eUICC is registered. The secure routing service server 40 doesn't have knowledge of the particular mobile phone number MSISDN associated to the respective eUICCs. The secure routing service server 40 looks up, in its database, the MNO associated with the Universal Unique User Identifiers U3I received with the OTP and forwards the Universal Unique User Identifier U3I and the OTP to the correct MNO server 30 of the retrieved MNO. The secure routing service server 40 can comprise only one server or several interconnected servers.

[0061] The MNO servers 30 -1, -2, . . . -n store data associated to subscriber data of profiles loaded and installed to eUICCs, herein data for subscriber data of the eUICC of the mobile device 10. For the eUICC of the mobile device 10, particularly a mobile phone number MSISDN is stored on the MNO server 30. According to the invention, for the eUICC of the mobile device 10, in addition to the mobile phone number MSISDN, a Universal Unique User Identifier U3I is stored associated with the stored MSISDN. The MNO server 30 retrieves, from the Universal Unique User Identifier U3I received from the secure routing service server 40 together with the OTP, the associated mobile phone number MSISDN and forwards the received OTP to the mobile device 10 via the mobile network 70, for example in an SMS.

[0062] The mobile device 10 receives the OTP, for example the SMS with the OTP. The user reads the OTP and enters the OTP into an entry mask of the downloaded app on the mobile device 10. Alternatively, the app can automatically import the received OTP into the app. The app sends the OTP back to the third-party server 20 via the network connection 50, e.g., via internet. The third-party server 20 receives the OTP sent by the app. In case the received OTP is correct, i.e., the same OTP as the originally sent OTP, the third-party server 20 accepts and acknowledges the user as authenticated and allows the app on the mobile device 10 to be set into full functionality.

[0063] Preferably, every third-party server 20 and every software element and every app intended for making use of the U3I and token (e.g., OTP) based authentication service has to register with the secure routing service server 40 in advance to be permitted to the secure routing service offered by the server 40.

[0064] Particularly for software elements such as apps (or websites), the registration can imply that the respective software element or app is provided with an API key which the software element or app has to present to the secure routing service server 40. The interfaces on the secure routing service server 40 and/or on the MNO servers 30 are corresponding APIs (API=Application Programing Interface), matching with the API keys provided to software elements such as apps (or websites). Only for software elements or apps having a correct API key, the third-party server 20 will be permitted to pass an authentication task, including a token (e.g., OTP) and U31, through the interface 41 onwards to the secure routing service server 40. Particularly, the APIs (Application Programming Interfaces) can be REST APIs (Representational State Transfer APIs) or HTTPS APIs or j son APIs or similar suitable APIs.

[0065] Solution according to a preferred embodiment of the invention:

[0066] Instead of providing the phone number MSISDN in the third-party app, the user will provide the U3I to it.

1. Every user will be given a “Universal Unique User Identifier”, in the following called U31. Herein, each U31 is assigned to a particular MNO.
2. U3I as the name suggests is a universally unique identifier assigned to every user account at an MNO, like a MSISDN or an IMSI which can be used by the third-party apps to verify a MSISDN or communicate with the user without knowing the users MSISDN.
3. The Universal Unique User Identifier U3I can either be provided along with the MNO profile when providing the profile to the eUICC, or the U3I can be generated and provided to the existing user, to an already present profile on the eUICC, over the air separately, e.g., via an RSP mechanism.
4. Instead of providing the phone number MSISDN in the third-party app, the user will provide the U3I to it.
5. The third-party app will use the U3I instead of the phone number MSISDN to send an OTP or/and any other info (e.g., advertisements) to the user.
6. To achieve this, a routing server system deploys a service called the U3I routing service which exposes REST APIs to receive the U3I along with the OTP (or other token or other information) over a secured communication channel, here a HTTPs channel, in a suitable format, here a specific json (Java Script Object Notation) format.
7. The U3I routing service has a mapping of the U3I to the MNO it belongs to, taking into account that each U3I is assigned to a particular MNO.
8. The third-party app sends a request over the secure channel, here a HTTP request, which contains the OTP and the further information to the routing server system, to the routing service, and here to the rest API provided by this service.
9. The routing service on the routing server system then sends the OTP and U3I to the appropriate MNO.
10. The MNO's database contains a mapping between U3I and MSISDN (like it has the mapping between MSISDN and IMSI).
11. Using this mapping, the MNO encloses the OTP contained in the request into an SMS and sends the SMS to the user.
12. The user reads the OTP from the SMS and provides the OTP to the third-party app which then verifies the OTP to verify the user via the user's mobile phone number MSISDN, without the MSISDN being disclosed to the third-party.
13. The service can not only be used to send OTPs but also any other information to the user over SMS if the user wishes to receive such info.
14. To avoid anyone randomly calling the routing service, preferably every third-party app using the service will have to register and verify itself with the routing service through a process much like a Certificate Authority signs a certificate. The third-party app is preferably also provided with a secret API key which is used to authenticate and authorize the third-party. This along with TLS/HTTPS or comparable security measures would restrict anyone from randomly calling the routing service to forward malicious data.
15. The difference between other services which provide virtual phone numbers is that in this case the user's MSISDN remains only with the MNO which already has the MSISDN. In case of a virtual phone numbers, you will still have to give your phone number to this third-party service which provides the virtual phone number.

[0067] In the foregoing, a use case was described wherein an OTP received on a mobile phone (as an example of a mobile device) through a platform was used for authentication on the occasion of downloading a mobile app from a third-party server to the mobile phone, for the purpose to later run the app on the device. The authentication can, similarly to its use upon app download, also be used to login/sign-up on a website to be run on the third-party server, and to be accessed by the mobile device.

[0068] Further embodiment A:

[0069] According to an embodiment of the invention, authentication upon login or sign-up to a website to be run on the third-party server works as follows.

1) The user opens, on a mobile phone (device) a browser and loads the website they want to login into.
2) The user either navigates to sign-up page or login page.
3) Instead of asking for the phone number—which is done on a number of websites—the user will be asked to add a U3I on the website's login/sign-up page.
4) The user receives the OTP/token on the mobile phone using the U3I platform, as described above.
5) The user enters the OTP into a field on the website's login or sign-up page to authenticate and login.

[0070] Further embodiment B:

[0071] According to some embodiments, extra security in the above-described authentication flow is achieved by an additional PIN or password check. The OTP establishes the identity assuming the mobile is in possession of a valid user, however if e.g., the phone is stolen one could login to any website/app that uses the above mechanism. The solution to this problem is to:

1) Protect the flow with a PIN or password in addition to the OTP.
2) Before sending the OTP, the user is asked for entry of a PIN or password as well.

[0072] Further embodiment C:

[0073] In case of login in or signing up on websites, connect the phone to the computer. [0074] 1) The user opens a browser and loads the website they want to login into. [0075] 2) The user either navigates to sign-up page or login page. [0076] 3) The webpage detects the connected phone and tries to login automatically using the same steps as in further embodiment A.

[0077] In the above-described embodiments wherein an OTP is mentioned, an authentication token different from an OTP can be used as well, instead of or in addition to the OTP.

TOKEN, PARTICULARLY OTP, BASED AUTHENTICATION SYSTEM AND METHOD

Inventors

Cpc classification

Classification Explorer

H04W12/02

ELECTRICITY

Classification Explorer

H04L63/18

ELECTRICITY

Classification Explorer

H04W4/14

ELECTRICITY

Classification Explorer

H04L63/0853

ELECTRICITY

Classification Explorer

H04L63/20

ELECTRICITY

Classification Explorer

H04L63/0838

ELECTRICITY

Classification Explorer

H04L2463/082

ELECTRICITY

Classification Explorer

H04W12/068

ELECTRICITY

International classification

Classification Explorer

H04W12/06

ELECTRICITY

Abstract

Claims

Description