Transaction authentication using a centrally generated transaction

Abstract

Each access attempt transmitted to an authentication agency causes the agency to produce a request identifier unique to that request. The request identifier is transmitted back to the authentication code generator of the user initiating the access attempt, and to an authentication code generator in the agency. The agency also retrieves a user identifier from a database and sends it to its authentication code generator. Both the user's authentication code generator and the agency's authentication code generator independently combine, through identical or complementary transformations, the user identifier and the request identifier to form a user authentication code and an agency authentication code. The two authentication codes are presented by a comparator, which issues a permit signal only if the comparison indicates a match between the two authentication codes. The permit signal is transmitted to a transaction control device to permit the transaction to proceed. Since the authentication code is unique to each transaction attempt, interception of an authentication code will not permit an unauthorized user to successfully initiate another transaction. As an additional security feature, the user of irreversible transformations in the authentication code generator would prevent decoding of an intercepted authentication code and would not allow an unauthorized user to derive the user identifier associated with the transaction. As required by a particular application, additional levels of security can be achieved by using encryption steps in combination with the irreversible transformations at selected points in the process.