Title:
USER IDENTITY VERIFICATION SYSTEM
Document Type and Number:
WIPO Patent Application WO/2002/084456
Kind Code:
A2
Abstract:
A user identity verification method and apparatus having improved security characteristics are provided. The method and apparatus are suitable for use in a system comprising a client terminal (10) coupled to a server (20) by a first communication medium (50). A user (1) supplies a token (30) comprising first identification information to the client terminal (10), and also supplies identification information such as a memorised username. The supplied first identification information is transmitted over the first communication medium (50) from the client terminal (10) to the server (20). The server verifies that the first identification information corresponds to a stored user profile and then sends a second identification information to the user over a second communication medium (60, 40) such as a GSM network (60) to the user's mobile telephone (40). The user supplies the second identification information to the server (20) via the client terminal (10) and the user's identity is verified at the server according to presentation of the second identification information.

Inventors:
POWERS DAVID (GB)
Application Number:
PCT/GB2002/001645
Publication Date:
October 24, 2002
Filing Date:
April 11, 2002
Assignee:
NETDESIGNS LTD (GB)
POWERS DAVID (GB)
International Classes:
G06F21/31; G06F21/34; G06F21/42; (IPC1-7): G06F1/00
Domestic Patent References:
WO1995019593A1 (1995-07-20)
Foreign References:
EP0844551A2 (1998-05-27)
EP1107089A1 (2001-06-13)
US5060263A (1991-10-22)
US6148404A (2000-11-14)
Attorney, Agent or Firm:
Robinson, Ian Michael (15 Clare Road, Halifax HX1 2HY, GB)
Claims:
1. A method of user identity verification in a system comprising a client terminal couplable to a server by a first communication medium, the method comprising: sending a first identification information over the first communication medium from the client terminal to the server; verifying, at the server, that the first identification information corresponds to a stored user profile; returning a second identification information to a user over a second communication medium according to the stored user profile; sending the second identification information to the server via the client terminal; and verifying user identity, at the server, according to presentation of the second identification information.
2. A user identity verification apparatus comprising: a server comprising a user profile store; a client terminal coupled to a server by a first communication medium; a second communication medium coupled to the server for supply of second identification information to a user, the client terminal being arranged in use to receive the first identification information, and to supply the first identification information over the first communication medium to the server; the server being arranged to verify that the first identification information correspond to a user profile in the user profile store and to supply a second identification information to the user over the second communication medium according to the stored user profile; the client terminal being arranged to receive the second identification information from the user and to supply the second identifier information to the server; and the server being arranged to verify user identity according to presentation of the second identification information.
3. The method or apparatus of claims 1 or 2, wherein the first identification information includes any one of a username, a memorised access code, information read from a token, or any combination thereof.
4. The method or apparatus of any preceding claim wherein the first communication medium is different from the second communication medium.
5. The method or apparatus of any preceding claim wherein the third identification information is supplied to the user over the second communication medium through a mobile communication device.
6. The method or apparatus of any preceding claim wherein the second identification information is transmitted from the client terminal to the server over the first communication medium.
7. The method or apparatus of any preceding claim, wherein the first identification information is derived from at least one second identification information supplied to a user previously.
8. The method or apparatus of claim 7, wherein the first information includes a plurality of second identification information supplied to a user previously, and stored on a token.
9. The method or the apparatus of any of claims 3 to 9, wherein the token is a removable storage device.
10. The method or apparatus of any preceding claim wherein the second identification information sent to the user over the second communication medium is regenerated by the server.
Description:
User Identity Verification System

The invention relates in general to the field of user identity verification. In particular, the invention relates to a method and apparatus for user identification in a client-server system.

In the field of computer systems, it is often desired to verify a user's identity, as user identity verification is important to maintain secure systems. Once a user's identity has been verified, an appropriate level of access can be allowed. In addition to allowing access, knowledge of a user's identity allows that user's browsing and/or other habits to be monitored.

Common user identity verification systems are based on passwords that are memorised by the user. Such systems may be subverted if the memorised information becomes publicly available. Another problem associated with passwords for user identity verification is that a user may require passwords for a number of separate computer systems, and therefore has to remember not only a number of passwords, but also which password corresponds to which computer system. This can lead to a user adopting a common password for all computer systems. Having a single universal password poses a considerable increase in risk of a security breach at all the systems due to the increased likelihood of the password becoming publicly available, and public awareness that one password may permit access to more than one separate computer system.

Other more sophisticated forms of subversion exist, such as local or remote monitoring of keystrokes or screen displays.

A known alternative user identity verification technique involves the possession of a token, such as a card comprising identification information. The holder of the token can be identified as an authorised user. One example of this type of system is described in the International Application WO 00/62249 in which the token comprises an optical disc or a smartcard disc. However, cards can be stolen or duplicated, allowing unauthorised and/or unidentifiable users to access otherwise secure computer systems.

An aim of the present invention is to provide a method and apparatus for verifying identity of a user in a manner which is reliable and which is not vulnerable to subversion. Preferred embodiments of the present invention aim to address the problems of the prior art mentioned above.

According to a first aspect of the present invention there is provided a method of user identity verification in a system comprising a client terminal couplable to a server by a first communication medium, the method comprising: sending a first identification information over the first communication medium from the client terminal to the server; verifying, at the server, that the first identification information corresponds to a stored user profile; returning a second identification information to a user over a second communication medium according to the stored user profile; sending the second identification information to the server via the client terminal; and verifying user identity, at the server, according to presentation of the second identification information.

According to a second aspect of the present invention there is provided a user identity verification apparatus comprising: a server comprising a user profile store; a client terminal coupled to a server by a first communication medium; a second communication medium coupled to the server for supply of second identification information to a user, the client terminal being arranged in use to receive the first identification information, and to supply the first identification information over the first communication medium to the server; the server being arranged to verify that the first identification information correspond to a user profile in the user profile store and to supply a second identification information to the user over the second communication medium according to the stored user profile; the client terminal being arranged to receive the second identification information from the user and to supply the second identifier information to the server; and the server being arranged to verify user identity according to presentation of the second identification information.

Preferably, the first identification information includes any one of a username, a memorised access code, information read from a token, or any combination thereof.

Preferably, the first communication medium is different from the second communication medium.

Preferably, the third identification information is supplied to the user over the second communication medium through a mobile communication device.

Preferably, the second identification information is transmitted from the client terminal to the server over the first communication medium.

Preferably, the first identification information is derived from at least one second identification information supplied to a user previously.

Preferably, the first information includes a plurality of second identification information supplied to a user previously, and stored on a token.

Preferably, the token is a removable storage device.

Preferably, the second identification information sent to the user over the second communication medium is regenerated by the server.

For a better understanding of the invention, and to show how embodiments of the same may be carried into effect, reference will now be made, by way of example, to the accompanying diagrammatic drawing in which:

Figure 1 shows a preferred apparatus for user identity verification; and

Figure 2 shows a flowchart illustrating a preferred method for user identity verification.

Figure 1 shows a preferred apparatus for verifying identity of a user 1. The apparatus comprises a client terminal 10 coupled to a server 20 over a first communication link 50. The server 20 is also coupled to a second communication link 60. The first communication link 50 is ideally different to the second communication link 60. For example, the first communication link 50 comprises a computer network such as a local area or wide area network, a virtual private network, or a more open communication link such as the internet. The second communication link is, for example, a telecommunications network, suitably a wireless telephony network or cellular telephony network. Most preferably the second communication link 60 is a GSM cellular network capable of carrying short messages (SMS).

The apparatus of Figure 1 comprises a user profile store 22 at a suitable verification point. In this example it is convenient for the server 20 to comprise the user profile store 22, although it is possible for the user profile store 22 to be remote from the server 20.

It is desired to verify the identity of a user 1 who wishes to gain access to the apparatus, through the client terminal 10. Here, the client terminal 10 is any suitable form of computing platform, such as a desktop computer or mobile computing device such as a laptop or palmtop computer.

Figure 2 shows a preferred method for verifying user identity, for use with the apparatus of Figure 1.

Initially, the client terminal 10 receives first identification information. Suitably, the first identification information is supplied to the client terminal 10, such as by the user 1 typing a user name and/or memorised access code into a keyboard input device 12 of the client terminal 10.

At step 201, the first identification information is sent from the client terminal 10 to the server 20 over the first communication link 50.

At step 202, the server 20 uses the received first identification information to retrieve a user profile from the user profile store 22. This provides a preliminary identification of the user 1. The server 20 then generates a second identification information, which is returned over the second communication link 60, to reach the user 1, at step 203.

The second identification information is transferred to the client terminal 10, such as by the user 1 typing the second identification information into a keyboard input device 12 of the client terminal 10.

At step 204, the client terminal 10 sends the second identification information back to the server 20, over the first communication link 50.

At step 205, the server 20 verifies the identity of the user 1 based on the received second identification information.

Referring again to Figure 1, ideally the second communication link 60 is a message transmission system such as an SMS system for use on GSM cellular networks.

Hence, the second identification information is received by the user 1 such as by using a mobile communications device 40, i.e. a mobile phone.

Advantageously, sending the second identification information to the user's mobile phone 40 according to a predetermined user profile in the user profile store 22, allows increased certainty as to the user's identity.

Most users tend to carefully guard their mobile communication device 40 and will notice if it is stolen or subject to subversion. Hence, the user will take precautions to avoid unauthorised use of their mobile communication device 40. By sending the second identification information through the mobile communication device, possession of the mobile communication device 40 allows a high degree of trust to be placed in the user's identity.

As a further enhancement of the present invention, it is preferred that the first identification information is provided at least in part from a token 30. Suitably, the token 30 is readily portable and may be carried by the user 1. The user presents the token 30 to a token reader 11 of the client terminal 10. The token reader 11 extracts the first identification information from the token 30.

In this embodiment, the first identification information may come only from the token 30.

Alternatively, the first identification information can be formed by taking identification information from the token 30, and from a user input such as a user name and/or memorised access code.

The first identification information is received and checked by the server 20, and is used to extract a user profile from the user profile store 22. Suitably, the user profile store 22 contains information which allows a message to be sent over the second communication link 60 to reach the user 1, suitably at their mobile communication device 40. For example, the user profile store contains a predetermined mobile telephone number of the mobile communication device 40.

Suitably, the second identification information is in the form of a password that is randomly generated by the server 20. In an example embodiment, the randomly generated password contains a short string (e.g. eight to twelve characters) containing a sequence of letters and numbers. The user 1 may then easily manually transfer the password from their mobile communication device by typing the password into a keyboard input device of the client terminal 10. Alternatively the password can be automatically transferred from the mobile communication device 40 to the client terminal 10, such as by a short range infra-red communication link.

Any suitable event can be used to trigger the generation of a password by the server 20, e.g. the expiry of a particular time period such as seven days. The trigger may be specific to a particular user, or can cover a small or large group of users to allow mass renewal of passwords conveniently through software administration.

In preferred embodiments, the token 30 is a removable storage medium such as a smart card, or preferably a CD or DVD format storage medium. Ideally, the token 30 comprises an updateable or re-writable storage medium such as a CD-RW or a re-writable DVD. This provides an additional layer of security, as the client terminal 10 can record passwords from previous occasions onto the token 30, i.e. record an incremental identity derived from the previous passwords. The client terminal 10 can then transmit the incremental token identity back to the server 20 via the first communication link 50, and these can also be checked against a list contained in the user profile store 22. Only if the server 20 is satisfied that the first identification information comprising the incremental identity read from the token 30 matches a stored profile in the user profile store 22 is a new password transmitted to the mobile communication device 40 of the user 1. This makes the cloning of tokens a less effective way to defeat the user identity verification system, since a cloned token will become out of date as soon as the real token 30 is used. Furthermore, other security coding can be included with the first identification information on the token 30. The other security coding can also be regenerated and stored on the token 30 to add a yet further layer of security.
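The following sketch is an added example, not code from the patent: it models steps 201 to 205 together with the incremental token identity described above, and shows a cloned token being refused once the real token has been used. The SHA-256 chaining in `roll`, the single-use handling of the pending password, the in-memory `outbox` standing in for the SMS link 60, and the token id and phone number are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits  # "letters and numbers", per the text

def roll(identity, password):
    """Fold a used password into the incremental identity (assumed: SHA-256 chain)."""
    return hashlib.sha256(identity + password.encode()).digest()

class Server:
    """Server 20 with user profile store 22; `outbox` stands in for second link 60."""
    def __init__(self):
        self.profiles = {}  # token id -> {"phone", "identity", "pending"}
        self.outbox = []    # (phone, password) pairs "sent" out of band

    def enrol(self, token_id, phone, seed):
        self.profiles[token_id] = {"phone": phone, "identity": seed, "pending": None}

    def step_202_203(self, token_id, identity):
        """Check the first identification info; on a match, send a fresh password."""
        p = self.profiles.get(token_id)
        if p is None or not hmac.compare_digest(p["identity"], identity):
            return False
        password = "".join(secrets.choice(ALPHABET) for _ in range(10))
        p["pending"] = password
        self.outbox.append((p["phone"], password))
        return True

    def step_205(self, token_id, password):
        """Verify the second identification info once, then advance the chain."""
        p = self.profiles.get(token_id)
        if p is None or p["pending"] is None:
            return False
        ok = hmac.compare_digest(p["pending"].encode(), password.encode())
        p["pending"] = None  # assumption: consumed on any attempt, right or wrong
        if ok:
            p["identity"] = roll(p["identity"], password)
        return ok

def login(server, token):
    """Client terminal 10: run steps 201-205, then record the password on the token."""
    if not server.step_202_203(token["id"], token["identity"]):  # step 201
        return False
    _, password = server.outbox[-1]  # user 1 reads the message on phone 40
    if not server.step_205(token["id"], password):               # step 204
        return False
    token["identity"] = roll(token["identity"], password)
    return True

def demo():
    seed = b"constructed-seed"                      # constructed sample values
    server = Server()
    server.enrol("T-0001", "+440000000000", seed)
    real = {"id": "T-0001", "identity": seed}
    clone = dict(real)                  # copied before the real token is next used
    first = login(server, real)
    stale = login(server, clone)        # refused at step 202: the chain has moved on
    second = login(server, real)
    return first, stale, second, len(server.outbox)

if __name__ == "__main__":
    print(demo())
```

A step 202 mismatch for a known token id is a useful event to log, since it indicates either a stale copy of the token or a token that missed an update. No password is sent over the second link in that case, which is why `outbox` holds only two messages after three login attempts.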

The token 30 suitably stores operating software which allows the identity verification system to run on the client terminal 10. Advantageously, by inserting the token 30 into any suitable computer terminal 10, the user 1 is able to operate the identity verification system.

Token 30 can also store other information such as promotional and advertising material. The identification information stored by the token 30 and/or the other information can be strongly encrypted. In yet further embodiments, the token 30 and the mobile communication device 40 can be incorporated into a single unit.

Furthermore, the token 30 can in alternative embodiments further comprise a magnetic strip and/or a microprocessor chip to enable a single token 30 to be used for identification in a number of other existing systems. The token may include other visible identification information, such as a photograph identity.

It will be appreciated that the user identity verification system described herein is able to operate at a number of different levels of security. Advantageously, a system administrator is able to select appropriate levels of security according to the needs of a particular user or group of users. For some purposes it may be sufficient simply for possession of the token 30 to be an adequate mechanism for identifying the user 1. When a more secure system is desired, the transmission of first and second identification information, via the first and second communication links 50, 60, allows a higher degree of certainty. In a still more secure mode, possession of both the token 30 and the mobile communication device 40 is required. In a still higher security mode, a memorised user name or memorised access code is required, which avoids subversion in the event that the token 30 and the mobile communication device 40 are stolen. Hence, it is very unlikely that all of the communication device 40, the token 30 and the memorised information will be subverted simultaneously.

The method and apparatus for user identity verification described above has many practical applications. As one example, the system is useful in the field of banking, both for identification at cash machines (automatic teller machines), and for internet banking. As another example, the user identification system can be used to control access to buildings in combination with electronic locking mechanisms. Further example applications include authentication for pay-per-view broadcasting systems, or access to a private electronic messaging system.

The reader's attention is directed to all papers and documents which are filed concurrently with or previous to this specification in connection with this application and which are open to public inspection with this specification, and the contents of all such papers and documents are incorporated herein by reference.

All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and/or all of the steps of any method or process so disclosed, may be combined in any combination, except combinations where at least some of such features and/or steps are mutually exclusive.

Each feature disclosed in this specification (including any accompanying claims, abstract and drawings), may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise. Thus, unless expressly stated otherwise, each feature disclosed is one example only of a generic series of equivalent or similar features.

The invention is not restricted to the details of the foregoing embodiment(s). The invention extends to any novel one, or any novel combination, of the features disclosed in this specification (including any accompanying claims, abstract and drawings), or to any novel one, or any novel combination, of the steps of any method or process so disclosed.