Abstract: Methods and systems are provided for mutual authentication between an agent, such as a user (142), and a service host system (128), such as a service provider system, via an insecure and/or untrusted communications network (140). In exemplary embodiments, an initial enrolment sequence (300, 400) is mediated by an authentication server (102) to establish an association between the service host system (128) having an identifier (SPID), an agent (142) that is assigned an identifier (UID) known to the service provider, and a client device (116) having a device identifier (DevID), which is used to access the service, along with a set of credentials comprising cryptographic signatures generated by the service host system (128) and client device (116) using corresponding private keys.

Abstract: A user authentication method in a distributed processing system commences by receiving, at a first processing unit (108), a request (1004) to initiate an authentication session, wherein the request includes a unique identifier of a user requiring authentication. The first processing unit acquires at least one item of authentication data (412, 1712), which is valid during the authentication session. The authentication data is transmitted (1006) to a second processing unit (106) which is associated with a terminal device operated by the user. The second processing unit transforms the authentication data using a transformation algorithm based upon one or more session-specific authentication factors (404, 1704), to generate transformed authentication data that is characteristic of the authentication session and of the user.

Abstract: A transaction includes one or more transaction messages transmitted to a transaction server via a first communications channel. Each transaction message includes at least one item of critical transaction data, A method of securing the transaction includes transmitting (606), to the transaction server via the first communications channel, a first transaction message. One-time security data is then generated (608), which defines one or more operations to be performed based upon the critical transaction data in order to generate a transaction verification code. The one-time security data (402, 403) is transmitted to the user via a second communications channel which is functionally distinct from the first communications channel. The transaction server receives, via the first communications channel, a second transaction message which includes a first transaction verification code provided (612) by the user responsive to receipt of the one-time security data via the second communications channel.

Abstract: A security system and method for authenticating a user's access to a target system is disclosed. The security system receives an authentication request from the user and generates a security matrix which comprises a mapping between each symbol within a symbol set and a code value randomly selected from a distinct code set. The number of elements in the symbol set and in the code set are selected to provide a predetermined level of security against capture of a user-defined keyword by an unauthorized observer. The security system sends the security matrix to the user and awaits a one-time code in response. The user forms the one-time code based on the user keyword and the security matrix. The security system validates the one-time code against the security matrix and the keyword to determine an authentication result, permitting or denying the user access to the target system.