Authentication system and method for operating an authentication system

Abstract

An authentication system for authenticating a human requester requesting a service, wherein the authentication system is configured to establish via a first and a second port of the authentication system an authentication communication channel comprising a first communication channel to the requester and a second communication channel to a human authenticator, such that at least one of an audio stream of a voice of the requester, a video stream of a face of the requester and a 3D-data stream of the face of the requester is transmittable between the end node device of the requester and the end node device of the authenticator; and to record a confirmation message of the authenticator, wherein the confirmation message confirms or rejects at least one of the claimed identity and the requested service.

Claims

1. An authentication system for authenticating a human requester requesting a service, the authentication system comprising: a first port, configured such that a first communication channel is establishable via an end node device of the requester and a communication link between the first port and the end node device of the requester; a second port, configured such that a second communication channel is establishable via an end node device of a human authenticator and a communication link between the second port and the end node device of the authenticator; and a storage device configured to store a plurality of contact data entries; wherein the authentication system is configured to record an identity claimed by the requester; to select from the plurality of contact data entries a contact data entry of the end node device of the authenticator depending on the claimed identity; to establish the second communication channel depending on the selected contact data entry; to establish via the first and the second port an authentication communication channel comprising the first communication channel and the second communication channel such that at least one of a real-time audio stream of a voice of the requester, and a real-time video stream of a face of the requester and/or a 3D-data stream of the face of the requester is transmittable between the end node device of the requester and the end node device of the authenticator; wherein the authentication communication channel is further configured to allow the authenticator, by using the end node device of the authenticator, to listen to the voice of the requestor that has been captured by the end node device of the requestor and to allow a real-time two-way conversation between the requester and the authenticator via the authentication communication channel; and wherein the authentication system is further configured to record a confirmation message of the authenticator, wherein the confirmation message confirms or rejects at least one of the claimed identity and the requested service.

2. The authentication system of claim 1, wherein the authentication communication channel is configured such that the authentication communication channel allows the authenticator, by using the end node device of the authenticator, to watch an image of the face of the requester that has been captured by the end node device of the requester.

3. The authentication system of claim 1, wherein the authentication system is configured to establish, in response to the requesting of the service, the first communication channel to the requester.

4. The authentication system of claim 1, wherein the authentication system is configured to record a service requested by the requester.

5. The authentication system of claim 1, wherein the plurality of contact data entries are contact data entries of a plurality of human authenticators, wherein the storage device is further configured to store a plurality of identities of potential human requesters and authorization data; and wherein for each of the plurality of authenticators, the authorization data assign to the respective authenticator at least one of the identities of the potential requesters, which the respective authenticator is authorized to authenticate.

6. The authentication system of claim 5, wherein the selecting of the contact data entry comprises identifying one or more authenticators from the plurality of authenticators, each of the one or more identified authenticators being assigned to the claimed identity of the requester by the authorization data.

7. The authentication system of claim 1, wherein the authentication system is further configured to establish at least one further communication channel to at least one further human authenticator such that at least one of a further audio stream of the voice of the requester, a further video stream of the face of the requester and a further 3D-data stream of the face of the requester is transmittable between the end node device of the requester and an end node device of the further authenticator.

8. The authentication system of claim 7, wherein the authentication system is further configured to determine a number of the at least one further authenticator such that a security level of the authentication meets a predefined authentication security criterion.

9. The authentication system of claim 1, wherein the authentication system is configured to analyze the at least one of the audio stream, the video stream and the 3D-data stream to extract characteristics, which correspond to at least one of the requester, the authenticator and a combination of the requester and the authenticator.

10. The authentication system of claim 1, wherein the authentication communication channel is configured such that an audio stream is transmittable between the end node device of the requester and the end node device of the authenticator; wherein the authentication system further comprises a filter, which is configured to check the audio stream for the two-way conversation between the requester and the authenticator.

11. The authentication system of claim 1, wherein the establishing of the second communication channel comprises randomly selecting a contact data entry of the end node device of the authenticator from a second subset of the plurality of contact data entries.

12. The authentication system of claim 1, wherein the authentication system is configured to select a selection algorithm from a plurality of selection algorithms, each of which configured to perform the selecting of a contact data entry of the end node device of the authenticator.

13. The authentication system of claim 12, wherein the authentication system is configured to randomly select the selection algorithm.

14. A method of authenticating a human requester requesting a service, the authenticating being performed using an authentication system and a first communication channel; wherein the first communication channel comprises an end node device of the requester and a communication link between a first port of the authentication system and the end node device of the requester; wherein the method comprises: recording an identity claimed by the requester; selecting from a plurality of contact data entries stored on a storage device of the authentication system a contact data entry of an end node device of a human authenticator depending on the claimed identity; establishing a second communication channel via the end node device of the authenticator and a communication link between a second port of the authentication system and the end node device of the authenticator depending on the selected contact data entry; establishing via the first and the second port an authentication communication channel comprising the first communication channel and the second communication channel such that at least one of a real-time audio stream of a voice of the requester, a real-time video stream of a face of the requester and/or a 3D-data stream of the face of the requester is transmittable between the end node device of the requester and the end node device of the authenticator; wherein the authentication communication channel is further configured to allow the authenticator, by using the end node device of the authenticator, to listen to the voice of the requester that has been captured by the end node device of the requester and to allow a real-time two-way conversation between the requester and the authenticator via the authentication communication channel; and wherein the method further comprises recording a confirmation message of the authenticator, wherein the confirmation message confirms or rejects at least one of the claimed identity and the requested service.

15. The method of claim 14, wherein the authentication communication channel is configured such that the authentication communication channel allows the authenticator, by using the end node device of the authenticator, to watch an image of the face of the requester that has been captured by the end node device of the requester.

16. The method according any one of claim 14, further comprising establishing the first communication channel via the end node device of the requester and the communication link between the first port of the authentication system and the end node device of the requester.

17. The method of claim 14, wherein the method comprises recording a service requested by the requester.

18. The method of claim 14, wherein the plurality of contact data entries are contact data entries of a plurality of human authenticators, wherein the method further comprises storing on the storage device a plurality of identities of potential human requesters and authorization data; and wherein for each of the plurality of authenticators, the authorization data assign to the respective authenticator at least one of the identities of the potential requesters, which the respective authenticator is authorized to authenticate.

19. The method of claim 18, wherein the selecting of the contact data entry comprises identifying one or more authenticators from the plurality of authenticators, each of the one or more identified authenticators being assigned to the claimed identity of the requester by the authorization data.

20. A non-transitory computer-readable storage medium storing instructions, that when executed by a computer, cause the computer to perform a method of authenticating a human requester requesting a service, the authenticating being performed using an authentication system and a first communication channel, wherein the first communication channel comprises an end node device of the requester and a communication link between a first port of the authentication system and the end node device of the requester, the method comprising: recording an identity claimed by the requester; selecting from a plurality of contact data entries stored on a storage device of the authentication system a contact data entry of an end node device of a human authenticator depending on the claimed identity; establishing a second communication channel via the end node device of the authenticator and a communication link between a second port of the authentication system and the end node device of the authenticator depending on the selected contact data entry; establishing via the first and the second port an authentication communication channel comprising the first communication channel and the second communication channel such that at least one of a real-time audio stream of a voice of the requester, and a real-time video stream of a face of the requester and a 3D-data stream of the face of the requester is transmittable between the end node device of the requester and the end node device of the authenticator wherein the authentication communication channel is further configured to allow the authenticator, by using the end node device of the authenticator, to listen to the voice of the requester that has been captured by the end node device of the requester and to allow a real-time two-way conversation between the requester and the authenticator via the authentication communication channel; and wherein the method further comprises recording a confirmation message of the authenticator, wherein the confirmation message confirms or rejects at least one of the claimed identity and the requested service.

21. The computer-readable storage medium of claim 20, wherein the authentication communication channel is configured such that the authentication communication channel allows the authenticator, by using the end node device of the authenticator, to watch an image of the face of the requester that has been captured by the end node device of the requester.

22. The computer-readable storage medium of claim 20, wherein the method comprises recording a service requested by the requester.

23. The computer-readable storage medium of claim 20, wherein the plurality of contact data entries are contact data entries of a plurality of human authenticators, wherein the method further comprises storing on the storage device a plurality of identities of potential human requesters and authorization data; and wherein for each of the plurality of authenticators, the authorization data assign to the respective authenticator at least one of the identities of the potential requesters, which the respective authenticator is authorized to authenticate.

24. The computer-readable storage medium of claim 23, wherein the selecting of the contact data entry comprises identifying one or more authenticators from the plurality of authenticators, each of the one or more identified authenticators being assigned to the claimed identity of the requester by the authorization data.

Description

BRIEF DESCRIPTION OF THE DRAWINGS

(1) The foregoing as well as other advantageous features are more apparent from the following detailed description of exemplary embodiments with reference to the accompanying drawings. It is noted that not all possible embodiments necessarily exhibit each and every, or any, of the advantages identified herein.

(2) FIG. 1 is a schematic illustration of an authentication system according to an exemplary embodiment;

(3) FIG. 2 is a flow-chart illustrating the operation of the authentication system, which shown in FIG. 1;

(4) FIG. 3 is a flow chart illustrating an exemplary manner of determining the contact data entries of the authenticators for authenticating the requester; and

(5) FIG. 4 is a schematic illustration of how an authentication security level is determined based on predefined security classes.

DETAILED DESCRIPTION OF EXEMPLARY EMBODIMENTS

(6) FIG. 1 is a schematic illustration of an authentication system 1 and the various communication channels, which are managed by the authentication system 1 according to an exemplary embodiment. The authentication system 1 is installed in a bank service center 40.

(7) A requester, who wishes to access a service offered by the bank service center 40, calls the bank service center 40 with a requesting end node device, such as a mobile telephone. The requested service may be, for example, a bank transaction. The call is routed through a local area network 13 of the bank service center 40 to the authentication system 1, which performs an authentication of the requester. After the requester is authenticated, the service request is forwarded to a bank service provider system (not shown in FIG. 1) of the bank service center 40.

(8) When the requester is connected to the authentication system 1, the authentication system 1 records a service request and an identity claimed by the requester. Then, the authentication system 1 establishes a first communication channel between a first port (not shown in FIG. 1) of the authentication system 1 and an end node device 20 of the requester. Also, the authentication system 1 establishes a second communication channel between a second port (not shown in FIG. 1) of the authentication system 1 and an end node device 30 of an authenticator. A portion of the first communication channel is established within a wireless telephone network 25, within the public switched telephone network 40, and within the local area network 13 of the service center 40. A portion of the second communication channel is established within the Internet 38.

(9) Alternatively, the first communication channel may be established when the requester calls the bank service center 40 to gain access to the service. Then, via the first communication channel, the requester may transmit the claimed identity and the service request to the authentication system 1.

(10) The authentication system 1 then combines or merges the first communication channel and the second communication channel such that an authentication communication channel is established between the end node device 20 of the requester and the end node device 30 of the authenticator. The authentication communication channel comprises the first communication channel and the second communication channel, the first and the second port. The authentication communication channel is configured such that at least one of an audio stream of a voice of the requester, a video stream of a face of the requester and a 3D-data stream of the face of the requester is transmittable between the end node device of the requester 20 and the end node device of the authenticator 30. Thereby, the authenticator can communicate with the requester and at the same time can see the face of the requester displayed on the display 32 of the end node device 30 of the authenticator. This allows the authenticator to authenticate the requester by listening to the voice of the requester and/or by watching the requester's face image. The authenticator may be selected by the authentication system 1 such that the authenticator is a person, who is part of the requester's life and/or such that the authenticator is able and/or authorized to authenticate the requester. Thereby, by talking to the requester and/or watching the face of the requester, it is possible for the authenticator to authenticate the requester. Thereby, the security level of the authentication is not limited by deficiencies of biometric sensors.

(11) The authentication system 1 then requests the authenticator to transmit a confirmation message to the authentication system 1. The authenticator confirms or rejects the identity of the requester by using a keyboard 33 or a computer mouse 34 of the end node device 30 of the authenticator, or by giving a voice command, which is recorded by the microphone 39 of the end node device 30. The confirmation message confirms or rejects the claimed identity and/or the requested service. The confirmation message is recorded by the authentication system 1, for example by storing information contained in the confirmation message on a storage device 11 of a computer system 10 of the authentication system 1.

(12) The authentication system 1 comprises a storage device 11, on which a plurality of contact data entries are stored. A contact data entry may for example be a telephone number or a user address for a voice over IP session or a video over IP session. The authentication system 1 selects contact data entries from the plurality of stored contact data entries for establishing the first communication channel and/or the second communication channel. For example, the authentication system may select the contact data entry of the end node device of the requester by selecting a contact data entry from those contact data entries, which correspond to a person having the claimed identity. Furthermore, the contact data entry of the end node device of the authenticator may be selected from the contact data entries, which correspond to authenticators who personally know the person having the claimed identity.

(13) The end node device 30 of the authenticator comprises a digital video camera 31, a microphone 39, a display 32 and a speaker 35. This allows to establish a video over IP session between the authentication system 1 and the end node device 30 of the authenticator. Also, the end node device 20 of the requester comprises a digital video camera 21, which is configured to capture a real-time video image of the face of the requester. The mobile telephone 20 further comprises a display 22, a microphone 23 and a speaker 26. Thereby, it is possible for the authentication system 1 to establish a video call or a video conference between the end node device 20 of the requester and the end node device 30 of the authenticator.

(14) The end node device 30 of the authenticator is not limited to the computer system, as shown in FIG. 1, but may be any end node device, which is suitable for receiving audio and/or video streams forwarded from the authentication system 1 and to acquire audio data and/or video image data for transmitting corresponding audio and/or video streams to the authentication system 1.

(15) The authentication system 1 is configured to determine a security level of the authentication communication channel before the first and the second communication channel are established. Thereby, it is possible for the authentication system 1 to determine, whether the security level of the authentication communication channel meets a security criterion. By way of example, the authentication system 1 may determine, whether the security level of the authentication communication channel exceeds a predetermined threshold value.

(16) The security level of the authentication communication channel may depend on the degree of complexity, which is required to launch a successful attack.

(17) Depending on the security criterion, the authentication system 1 may establish a further communication channel to an end node device 50 of a further authenticator. In the example, shown in FIG. 1, the end node device 50 of the further authenticator is a wired telephone device. A portion of the further communication channel is established within a public switched telephone network 40. The further communication channel is connected to a third port of the authentication system 1. The authentication system 1 is configured such that a communication channel is establishable between the first port and the third port. Thereby, it is possible for the further authenticator to authenticate the requester based on an audio telephone communication between the requester and the further authenticator. Additionally or alternatively, the further authenticator may authenticate the first authenticator who uses the end node device 30 of the first authenticator, after a communication channel is established by the authentication system 1 between the second and the third port. Additionally or alternatively, the first authenticator may confirm the claimed identity of the requester and the second authenticator may confirm the requested service.

(18) The end node device 50 of the further authenticator is not limited to the wired telephone device, as shown in FIG. 1, but may be any end node device, which is suitable to receive audio and/or video streams forwarded from the authentication system 1, to acquire audio data and/or video image data for transmitting corresponding audio and/or video streams to the authentication system 1.

(19) The authentication system 1 may be configured to establish communication channels to a number of end node devices of authenticators. A higher number of authenticators increases the authentication security level.

(20) The authentication system 1 may comprise a conference bridge (not shown in FIG. 1), which is configured to establish the required communication channels between the various ports of the authentication system 1. It is also conceivable that the authentication system comprises a plurality of conference bridges, which are connected to form a cluster. Thereby, is it possible to balance the load generated by a plurality of authenticators.

(21) It is also conceivable that the authentication system 1 deals with services different from bank services. By way of example, the authentication system 1 may be configured to handle alarms, which are triggered by persons or sensors, which detect a dangerous condition. The alarm message is transmitted to the authentication system 1. The authentication system 1 contacts a person (requester in the example above), who is entitled to determine which action is to be taken to eliminate the dangerous condition after having been authenticated by an authenticator.

(22) FIG. 2 is a flow chart illustrating an exemplary authentication process, which is performed by the authentication system 1, as shown in FIG. 1. After the requester has established a connection to the authentication system, the authentication system records 100 an identity claimed by the requester and a service requested by the requester. The authentication system selects a first subset of a plurality of contact data entries, wherein each contact data entry of the first subset corresponds to the claimed identity. The authentication system selects a first contact data entry from the first subset to contact the requester by establishing 120 a first communication channel.

(23) The authentication system further selects a second subset from the plurality of contact data entries. Each contact data entry of the second subset corresponds to one of a group of authenticators, who personally know the requester. Additionally or alternatively, the second subset may comprise a plurality of contact data entries, which correspond to a same authenticator, but which represent communication channels which are at least partially located in different networks or which represent communication channels to physically different end node devices.

(24) Then, the authentication system selects 110 a second contact data entry from the second subset. The authentication system is configured to select the first contact data entry and the second contact data entry such that the security level of the authentication communication channel, which will be established depending on the selected first and second contact data entry, meets a predefined security criterion.

(25) Depending on the predefined security criterion, a number of contact data entries of authenticators, which will be contacted in order to authenticate the requester are selected. In the example shown in FIG. 2, the number of authenticators is two, however, it may also be one or any other number. Alternatively, the number may be a fixed number for all services provided by the service center.

(26) Then, a second communication channel to a first authenticator is established 130 between a second port of the authentication system and an end node device of the first authenticator. Via the second communication channel, the first authenticator may authenticate his identity, for example by providing a password or by an authentication token, which is read by the end node device of the authenticator. Then, the authentication system establishes 140 an authentication communication channel via the first and the second port. This allows the first authenticator to communicate with the requester via audio and/or video. Then, a message is transmitted from the end node device of the first authenticator to the authentication system, as to whether or not the first authenticator confirms the claimed identity of the requester. The confirmation message is received 150 and stored by the authentication system.

(27) Simultaneously or successively to the establishing 120, 130 of the first and/or second communication channel, the establishing 140 of the communication channel between the first and the second port and the receiving 150 of the confirmation message, the corresponding procedure for the authentication by the second authenticator may be performed. This corresponding procedure comprises an establishing 170 of a third communication channel between a third port of the authentication system and an end node device of the second authenticator, an establishing 180 of a communication channel between the first port and the third port, whereby the requester can communicate with the second authenticator via audio and/or video, and a receiving 190 of a confirmation message of the second authenticator.

(28) The authentication system may further be configured such that in case any one of the first and the second authentication channel is establishable (e.g. since the respective authenticator is not available), the authentication system selects further contact data entries from the plurality of contact data entries for contacting one or more further authenticators.

(29) The authentication system may further be configured to send status updates to the requester informing him about the status of the authentication. The status updates may be sent after a random delay time has passed from the point of time of the corresponding status changes. Thereby, it is more difficult for a possible attacker to predict the point of time, when the communication channel to the one or more authenticators are established.

(30) The authentication system may be configured to analyze the audio and/or video streams transmitted between the end node device of the requester and the end node device of the authenticator. For example, the authentication system may be configured to determine, whether there is a mutual communication between the requester and the authenticator. The authentication system may analyze the audio streams to check whether the communication comprises verbal statements of both the authenticator and the requester. Furthermore, the authentication system may be configured to analyze the reaction times between successive verbal statements to determine, whether the transmitted audio streams represent a real-time communication rather than played recordings. The analysis of the audio and/or video streams may be performed in real-time. Additionally or alternatively, the audio and/or video streams may be recorded and the analysis is performed at a later point in time. The analysis may also comprise analyzing the video streams, to detect voice manipulation filters.

(31) The authentication system may further be configured to present to the requester information about the service requested. For example, the authenticator may see on the display 32 (shown in FIG. 1) the transaction amount and the recipient of the bank transaction.

(32) The authenticator may inform the authentication system that the authenticator does not personally know the requester. Then, the authentication system will select a further contact data entry from the subset of contact data entries for contacting a further authenticator.

(33) When each of the confirmation messages of the first and the second authenticators are positive, the service request is forwarded 160 to the service provider system.

(34) The authentication system may further be configured such that before the service request is forwarded 160 to the service provider system, messages to further persons are transmitted, wherein each of the messages contains information about the service request. The information contained in the messages may depend on the desired security level. The authentication system may be configured such that the messages do not have to be confirmed for forwarding the message to the service provider. The authentication system may be configured to reject the service request, in case a message from any one of the persons is received, which contains a disapproval of the service request. The authentication system may be configured to wait a delay time within which a disapproval from the further persons can be received. The delay time may depend on the desired security level.

(35) FIG. 3 is a flow chart illustrating an algorithm for selecting 120 the contact data entries of the one or more authenticators from the subset of contact data entries. The algorithm shown in FIG. 3 may be performed by the authentication system 1 (shown in FIG. 1). The algorithm, shown in FIG. 3 is started after the determining 110 (shown in FIG. 2) of the subset of contact data entries of the authenticators and before the establishing 130, 170 (shown in FIG. 2) of the one or more communication channels to the authenticators.

(36) The authentication system determines 210 a desired security level for the authentication process. The desired security level may be determined depending on the requested service and/or the claimed identity of the requester.

(37) By way of example, the desired security level ds may be determined according to the following equation
ds=us.Math.si,
wherein us denotes a user security level and si denotes a service importance. It is also conceivable that the desired security level depends on additional factors.

(38) The user security level us may be determined depending on the claimed identity. For example, the authentication system may perform an initial authentication of the requester. The initial authentication may be based on voice recognition techniques, face recognition techniques or other biometric recognition techniques. The user security level us may then be determined depending on the degree of uncertainty involved in this initial authentication. Additionally or alternatively, potential requesters may be grouped into groups of different user security levels. By way of example, a high user security level us may be assigned to service requests, when the claimed identity corresponds to a client, who wants to have a high security level for all its transactions.

(39) The service importance si may depend on the potential damage, which may be caused by a successful attack. By way of example, a small transaction amount of a bank transaction may result in a comparatively low service importance si. By way of example, both the user security level us and the service importance si are positive values of between 0 and 10.

(40) Depending on the determined desired security level ds, one or more contact data entries of one or more authenticators are determined. A high desired security level ds may result in selecting contact data entries, which correspond to a communication channel having a high communication channel security level and/or may result in a high number of different authenticators.

(41) In the exemplary method illustrated in FIG. 3, a first contact data entry is selected 220 from the subset of contact data entries. The first contact data entry may be selected depending on the desired security level ds. For example, in case the desired security level ds has a high value, a contact data entry may be selected, which corresponds a high communication channel security level of the corresponding authenticator.

(42) Then, a security level of the authentication communication channel is determined 230 based on the selected first contact data entry. In case the security level of the authentication communication channel is equal to or greater than the desired security level (YES in 240), the method proceeds with establishing (130 in FIG. 2) a communication channel to the authenticator of the selected contact data entry. In case the security level of the authentication communication channel is smaller than the desired security level (NO in 240), a second contact data entry is selected 220 from the subset of contact data entries. Hence, at least two authenticators will be contacted for authenticating the requester. Based on the selected first and second contact data entries, a determining 230 of the security level of the authentication communication channel is again performed depending on the selected first and second contact data entries.

(43) The security level of the authentication communication channel may be determined depending on a security level of the communication channel to the requester and a security level of the communication channels to the authenticators. In case more than one contact data entry of an authenticator has been selected so far, the security level of the authentication communication channel may additionally or alternatively be determined depending on a number of the contact data entries, which have been selected so far.

(44) The security level of the authentication communication channel may depend on at least one of the following: the number of contact data entries, selected so far, a line difference factor and locations of end node devices corresponding to the contact data entries, selected so far.

(45) By way of example, the security level of the authentication communication channel may be determined according to the following equation

(46) $as = ld .Math. {.Math.}_{i = 1}^{N} {cs}_{i} .Math. d_{i} {wf}_{i} .Math. {bf}_{i}$
wherein N denotes the number of communication channels, including the first communication channel to the requester, and the second to Nth communication channels to the authenticators. ld denotes a line difference factor and d.sub.i denotes the location distance between the end node device of the authenticator and the end node device of the requester; wherein for N=1 (i.e. the requester) the location distance is set to 1. cs.sub.i denotes the security level of the ith communication channel. wf.sub.i denotes a white list factor of the ith communication channel and bf.sub.i denotes a black list factor of the ith communication channel.

(47) The security level of the communication channel may depend on a security level of the end node device, a security level of the communication link between the end node device and the authentication system and/or a security level of an application or operating system running on the end node device. For example, the security level of the communication channel is calculated by multiplying the security level of the end node device with the security level of the communication link. The security level of the communication channel may depend on the number of contact data entries which are stored on the storage device for the respective authenticator, who is called to authenticate the requester. A call diversion to an authenticator's end node device may lead to a low security level of the communication channel.

(48) The white list factor wf.sub.i yields a high security level of the authentication communication channel in case a parameter related to the ith communication channel considers the ith communication channel as secure. The black list factor bf.sub.i yields a low security level in case a parameter related to the ith communication channel considers the ith communication channel as insecure.

(49) The location distance d.sub.i may for example be indicative, of whether the end node device of the requester and the end node device of the authenticator are both located substantially at a same location. End node devices, which are located substantially at a same location involve a high security risk, since it is possible that they are both operated by a same person.

(50) It is also conceivable that the security level of the authentication communication channel depends on additional factors. The process of how to determine the line difference factor is explained with reference to FIG. 4.

(51) After having determined 230 again the security level of the authentication communication channel, the security level of the authentication communication channel is again compared to the desired security level. In case the authentication security level is smaller than the desired security level (i.e. NO in 240), a further contact data entry is selected 220 from the subset of contact data entries. In case the authentication level is equal to or greater than the desired security level (i.e. YES in 240), the method proceeds with establishing (130, 170 in FIG. 2) the communication channels to each of authenticators using the selected contact data entries.

(52) Before the authentication system starts to establish the communication channels to the authenticators, the authentication system waits a call delay time. The call delay time may be determined such that the precise time of establishing a communication channel is difficult to predict for a possible attacker. The call delay time may be randomly generated or depend on a randomly generated number. The call delay time may depend on at least one of the following: an action security, an action-threat-level, user settings for calculating the call delay time, and a random number generated for calculating the call delay time.

(53) For example, the call delay time cd may be determined according to the following equation
cd=si.Math.tl.Math.us.Math.r.sub.cd,
wherein si denotes the service importance, tl denotes the threat-level, us denotes user settings for calculating the call delay time, and r.sub.CD denotes the randomly generated number for calculating the call delay time. It is also conceivable that the call delay time depends on additional factors.

(54) The threat level tl is raised in case the authentication system gets aware of potential risks, which are independent from the pending service request. For example, a suspiciously high number of recent attacks may cause an increased threat level.

(55) In order to further increase the security of the service provided, the authentication system may be configured to wait an action delay time after positive confirmation messages have been received from each of the authenticators and before forwarding the service request to the service provider system. The action delay time may be randomly generated or depend on a randomly generated number. The action delay time may depend on at least one of the following: the authentication security level, the action-threat level, user settings for calculating the call delay time, and a random number, generated for calculating the action delay time.

(56) By way of example, the action delay time ad may be determined according to the following equation
ad=si.Math.tl.Math.us.Math.r.sub.ad,
wherein si denotes the service importance, tl denotes the threat-level, us denotes the user settings for calculating the action delay time, and r.sub.ad denotes the randomly generated number for calculating the action delay time. It is also conceivable that the action delay time depends on additional factors.

(57) The method, which is illustrated in the flow chart of FIG. 3 together with the equations, as given above, represents an algorithm for determining 120 one or more contact data entries from the subset of contact data entries. The authentication system may be configured to randomly change the algorithm for determining 120 the one or more contact data entries. Thereby, it is more difficult for an attacker to predict, which authenticators will be contacted by the authentication system. Additionally or alternatively, the algorithm for determining 120 the one or more contact data entries may itself involve a random selection of the contact data entries of the authenticators.

(58) FIG. 4 schematically illustrates, how the contact data entry of the end node device of the requester and the contact data entry of the end node device of the authenticator are selected based on predefined security classes. In the example shown in FIG. 4, the security classes represent mutually different communication protocols or mutually different types of communication protocols.

(59) In the example, shown in FIG. 4, the authentication system 1 (shown in FIG. 1) is configured to assign a communication channel to one of a group of security classes. The group of security classes comprises class A class B and class C. By way of example, each of the security classes represents an encrypted or non-encrypted communication protocol. In the example, which is shown in FIG. 4, the plurality of contact data entries comprises contact data entries R1 and R2 of the requester and contact data entries A1, A2 and A3 of three authenticators. Each of these three authenticators know the requester personally and are therefore authorized and/or able to authenticate the requester. Each of the contact data entries represents a communication channel.

(60) The authentication system assigns contact data entries R1 and A3 to security class C, contact data entries R2 and A2 to security class B and contact data entry A1 to security class A. On the storage device of the authentication system, there is further stored a table 100, which assigns each combination of classes to a line difference factor. The authentication system is further configured to calculate the security level of the authentication communication channel depending on the line difference factor. The security level of the authentication communication channel may increase with increasing line difference factor. Alternatively, the line difference factor is the security level of the authentication communication channel.

(61) In the example shown in FIG. 4, the authentication system prefers a combination of a communication channel, which was assigned to class A with a communication channel which was assigned to class C, since the communication protocol which is represented by class A is highly incompatible with the communication protocol which is represented by class C. On the other hand, a combination of a communication channel, which was assigned to class A and a communication channel, which was assigned to class B is less preferred, since the communication protocol of class B is a higher version of the communication protocol of class A.

(62) Therefore, the authentication channel chooses contact data entry R1 to contact the requester and contact data entry A1 to contact the authenticator. Thereby, a high security level for the authentication communication channel is achieved.

(63) The authentication system may be configured to dynamically adapt the above given formulas for calculating the desired security level, the security level of the authentication communication channel, the call delay time and the action delay time. Dynamically adapting a formula may comprise adapting parameters, adding parameters or removing parameters. Thereby, it is possible to ensure an even higher security level of the authentication even more.

Authentication system and method for operating an authentication system

Assignee

Inventors

Cpc classification

Classification Explorer

H04L63/105

ELECTRICITY

Classification Explorer

G06F21/313

PHYSICS

Classification Explorer

G07C9/37

PHYSICS

Classification Explorer

H04L63/18

ELECTRICITY

Classification Explorer

H04L63/0861

ELECTRICITY

Classification Explorer

G07C2209/04

PHYSICS

Classification Explorer

G06F21/32

PHYSICS

Classification Explorer

H04L63/08

ELECTRICITY

Classification Explorer

G06F21/30

PHYSICS

International classification

Classification Explorer

G06F7/04

PHYSICS

Classification Explorer

G07C9/00

PHYSICS

Classification Explorer

H04L29/06

ELECTRICITY

Abstract

Claims

Description