
US-12626241-B2 - Secure generation of one-time passcodes using a contactless card


Abstract

Systems, methods, apparatuses, and computer-readable media for secure generation of one-time passcodes using a contactless card. In one example, an operating system (OS) of a device may receive a uniform resource locator (URL) and a cryptogram from a contactless card. The OS may launch an application associated with the URL. The application may transmit the cryptogram to an authentication server. The application may receive a decryption result from the authentication server indicating the authentication server decrypted the cryptogram. Based on the decryption result, the application may request an OTP. The processor may receive an OTP from an OTP generator. The application may receive an input value and compare the input value to a copy of the OTP. The application may determine that the comparison results in a match, and display, based on the determination that the comparison results in the match, one or more attributes of the account.

Inventors

  • Jason Ji
  • Jeffrey Rule
  • Colin Hart
  • Wayne Lutz

Assignees

  • CAPITAL ONE SERVICES, LLC

Dates

Publication Date
2026-05-12
Application Date
2024-11-19

Claims (20)

  1. A method, comprising: receiving, by a server, a request from an application executing on a device, the request comprising an encrypted data record, the encrypted data record generated by a contactless card associated with an account; decrypting, by the server, the encrypted data record; transmitting, by the server to the application, a decryption result indicating the server decrypted the encrypted data record; receiving, by the server from the application based on the decryption result, a request for a one-time passcode (OTP); transmitting, by the server, the OTP to the application; receiving, by the server from the application, an input value; and transmitting, by the server to the application based on the input value matching the OTP, an authorization message for the request.
  2. The method of claim 1, further comprising generating, by the server, the OTP prior to transmitting the OTP to the application.
  3. The method of claim 1, further comprising receiving, by the server, the OTP from an OTP generator prior to transmitting the OTP to the application.
  4. The method of claim 1, wherein the authorization message authorizes performance of a requested operation associated with the account on the device.
  5. The method of claim 4, wherein the requested operation comprises one or more of: (i) viewing one or more attributes of the account, (ii) transferring funds from the account, (iii) receiving funds, or (iv) processing a purchase using funds from the account.
  6. The method of claim 5, wherein the request for the OTP comprises a request to perform the operation.
  7. The method of claim 1, wherein the request comprises a link.
  8. The method of claim 7, wherein the link is directed to an application programming interface (API) endpoint of the server.
  9. The method of claim 1, wherein the request for the OTP comprises an identifier, wherein the identifier comprises one of an identifier of the contactless card or an identifier of the account.
  10. The method of claim 9, wherein the server transmits the OTP based on one of: (i) an email address associated with the identifier, (ii) a short message service (SMS) message at a phone number associated with the identifier, or (iii) a push notification based on a device identifier of the device associated with the identifier.
  11. A non-transitory computer-readable storage medium, the computer-readable storage medium including instructions that when executed by a processor, cause the processor to: receive a request from an application executing on a device, the request comprising an encrypted data record, the encrypted data record generated by a contactless card associated with an account; decrypt the encrypted data record; transmit, to the application, a decryption result indicating the encrypted data record was decrypted; receive, from the application based on the decryption result, a request for a one-time passcode (OTP); transmit the OTP to the application; receive, from the application, an input value; and transmit, to the application based on the input value matching the OTP, an authorization message for the request.
  12. The computer-readable storage medium of claim 11, wherein the processor generates the OTP prior to transmitting the OTP to the application.
  13. The computer-readable storage medium of claim 11, wherein the processor receives the OTP from an OTP generator prior to transmitting the OTP to the application.
  14. The computer-readable storage medium of claim 11, wherein the authorization message authorizes performance of a requested operation associated with the account on the device.
  15. The computer-readable storage medium of claim 14, wherein the requested operation comprises one or more of: (i) view one or more attributes of the account, (ii) transferring funds from the account, (iii) receiving funds, or (iv) processing a purchase using funds from the account.
  16. The computer-readable storage medium of claim 15, wherein the request for the OTP comprises a request to perform the operation.
  17. The computer-readable storage medium of claim 11, wherein the request for the OTP further comprises a link.
  18. The computer-readable storage medium of claim 17, wherein the link is directed to an application program interface (API) endpoint.
  19. The computer-readable storage medium of claim 11, wherein the request for the OTP comprises an identifier, wherein the identifier comprises one of an identifier of the contactless card and an identifier of the account.
  20. A computing apparatus comprising: a processor; and a memory storing instructions that, when executed by the processor, cause the processor to: receive a request from an application executing on a device, the request comprising an encrypted data record, the encrypted data record generated by a contactless card associated with an account; decrypt the encrypted data record; transmit, to the application, a decryption result indicating the encrypted data record was decrypted; receive, from the application based on the decryption result, a request for a one-time passcode (OTP); transmit the OTP to the application; receive, from the application, an input value; and transmit, to the application based on the input value matching the OTP, an authorization message for the request.

Description

RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No. 18/451,237, filed Aug. 17, 2023, which is a continuation of U.S. patent application Ser. No. 17/531,981, filed Nov. 22, 2021, which is a continuation of U.S. patent application Ser. No. 17/140,698, titled “SECURE GENERATION OF ONE-TIME PASSCODES USING A CONTACTLESS CARD” filed on Jan. 4, 2021. The contents of the aforementioned application are incorporated herein by reference in their entirety.

TECHNICAL FIELD

Embodiments disclosed herein are related to computing systems. More specifically, embodiments disclosed herein are related to computing systems that provide for secure generation of one-time passcodes using a contactless card.

BACKGROUND

One-time passcodes may be used as a second form of authentication. However, one-time passcodes are susceptible to many security risks. For example, if a user leaves their smartphone unlocked in a public place, passersby may have access to any passcodes sent to the device. Similarly, if a malicious user gains access to the device and/or the account where the passcodes are sent, the malicious user may have access to the passcodes. Doing so may allow the malicious user to access account data and other sensitive information.

SUMMARY

Systems, methods, apparatuses, and computer-readable media for secure generation of one-time passcodes using a contactless card. In one example, an operating system (OS) executing on a processor of a device may receive a uniform resource locator (URL) and a cryptogram from a contactless card associated with an account. The OS may launch an application associated with the contactless card. The application may transmit the cryptogram to an authentication server. The application may receive a decryption result from the authentication server indicating the authentication server decrypted the cryptogram. Based on the decryption result, the application may transmit a request for a one-time passcode (OTP) comprising an identifier to the URL. The processor may receive an OTP from an OTP generator at the URL. The application may receive an input value and compare the input value to a copy of the OTP received from the OTP generator. The application may determine that the comparison results in a match, and display, based on the determination that the comparison results in the match, one or more attributes of the account on the device.

BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWINGS

FIG. 1A illustrates an aspect of the subject matter in accordance with one embodiment. FIG. 1B illustrates an aspect of the subject matter in accordance with one embodiment. FIG. 1C illustrates an aspect of the subject matter in accordance with one embodiment. FIG. 2A illustrates an aspect of the subject matter in accordance with one embodiment. FIG. 2B illustrates an aspect of the subject matter in accordance with one embodiment. FIG. 2C illustrates an aspect of the subject matter in accordance with one embodiment. FIG. 2D illustrates an aspect of the subject matter in accordance with one embodiment. FIG. 3 illustrates a routine 300 in accordance with one embodiment. FIG. 4 illustrates a routine 400 in accordance with one embodiment. FIG. 5A illustrates a contactless card in accordance with one embodiment. FIG. 5B illustrates a contactless card 136 in accordance with one embodiment. FIG. 6 illustrates a data structure 600 in accordance with one embodiment. FIG. 7 illustrates a computer architecture 700 in accordance with one embodiment.

DETAILED DESCRIPTION

Embodiments disclosed herein provide techniques to securely generate a one-time passcode (OTP) that may be used as a second form of authentication. Generally, a user may desire to authenticate into an account, complete a purchase, or perform any operation that requires multi-factor authentication (MFA).

In one example, the user may tap a contactless card to a computing device to initiate the authentication. In response to coming into communications range with the device, the contactless card may generate a data package comprising a cryptogram and a uniform resource locator (URL). An operating system of the device may read the data package and/or the URL and launch an account application on the device that is associated with the URL. In one example, the account application is associated with an issuer of the contactless card. The account application may transmit an OTP request to an OTP generator at the URL. The OTP request may include the cryptogram. The OTP generator and/or a server associated with the OTP generator may then attempt to decrypt the cryptogram as described in greater detail herein. If the decryption is successful, the OTP generator may identify contact information for the associated account, such as a phone number, email, etc. The OTP generator may generate an OTP and transmit the OTP to the identified contact information. The user may then receive the OTP from the OTP generator and provide the received OTP as
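The exchange that the summary and detailed description walk through (card tap yields URL plus cryptogram, the app forwards the cryptogram, the server decrypts it and only then issues an OTP, and the entered input value is checked before an authorization message is returned) is modelled below as an added, stand-alone Python simulation. It is not code from the patent or from Capital One; the patent names no cipher, key scheme or message format, so everything concrete here is an assumption: a toy encrypt-then-MAC construction standing in for the card's cryptogram cipher, a per-card key diversified from an issuer master key, a card identifier sent in the clear so the server can pick that key, a tap counter inside the cryptogram, and the hypothetical URL `https://bank.example/app/authenticate`. The block follows claim 1 rather than the abstract in one respect: the input value is compared on the server, not in the application, which is where a practitioner would want the comparison to live. It also adds the checks the text implies but does not spell out: a replayed cryptogram is rejected by the counter, the OTP is single-use, time-limited and attempt-limited, and the comparison is constant-time.

```python
import hashlib
import hmac
import os
import secrets
import struct
import time

OTP_TTL_SECONDS = 120     # assumption: the patent sets no OTP lifetime
OTP_MAX_ATTEMPTS = 3      # assumption: the patent sets no attempt limit
APP_URL = "https://bank.example/app/authenticate"   # hypothetical URL carried by the card


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive a purpose- or card-specific key from a parent key (HKDF-like, via HMAC)."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-based counter-mode keystream for the toy cipher below."""
    blocks = [hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range(-(-length // 32))]
    return b"".join(blocks)[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC: nonce || ciphertext || 16-byte tag. Stand-in for the
    unspecified card cipher (a real card would use AES-based EMV cryptograms)."""
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(_subkey(key, b"enc"), nonce, len(plaintext))))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before touching the ciphertext."""
    if len(blob) < 28:
        raise ValueError("cryptogram too short")
    nonce, ct, tag = blob[:12], blob[12:-16], blob[-16:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("cryptogram authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))


class ContactlessCard:
    """Card side: each tap emits the app URL plus a fresh cryptogram over a tap counter."""

    def __init__(self, card_id: str, issuer_master_key: bytes):
        self.card_id = card_id
        self.key = _subkey(issuer_master_key, card_id.encode())   # per-card diversified key
        self.counter = 0

    def tap(self) -> dict:
        self.counter += 1
        record = struct.pack(">I", self.counter) + self.card_id.encode()
        return {"url": APP_URL, "card_id": self.card_id, "cryptogram": encrypt(self.key, record)}


class AuthServer:
    """Server side of claim 1: decrypt the record, issue the OTP, check the input value."""

    def __init__(self, issuer_master_key: bytes, contacts: dict):
        self.master_key = issuer_master_key
        self.contacts = contacts      # card_id -> (channel, address), cf. claim 10
        self.last_counter = {}        # card_id -> highest tap counter accepted
        self.sessions = {}            # session token -> state
        self.outbox = []              # simulated email / SMS / push deliveries

    def decrypt_record(self, card_id: str, cryptogram: bytes) -> dict:
        try:
            record = decrypt(_subkey(self.master_key, card_id.encode()), cryptogram)
        except ValueError as exc:
            return {"decrypted": False, "reason": str(exc)}
        counter, inner_id = struct.unpack(">I", record[:4])[0], record[4:].decode()
        if inner_id != card_id:
            return {"decrypted": False, "reason": "card identifier mismatch"}
        if counter <= self.last_counter.get(card_id, 0):
            return {"decrypted": False, "reason": "replayed cryptogram"}
        self.last_counter[card_id] = counter
        token = secrets.token_urlsafe(16)
        self.sessions[token] = {"card_id": card_id, "otp": None}
        return {"decrypted": True, "session": token}      # the "decryption result"

    def request_otp(self, session: str, operation: str) -> bool:
        state = self.sessions.get(session)
        if state is None:
            return False
        otp = f"{secrets.randbelow(10 ** 6):06d}"
        state.update(otp=otp, expires=time.time() + OTP_TTL_SECONDS, attempts=0, operation=operation)
        channel, address = self.contacts[state["card_id"]]
        self.outbox.append({"channel": channel, "to": address, "otp": otp})
        return True

    def verify_input(self, session: str, input_value: str):
        state = self.sessions.get(session)
        if state is None or state["otp"] is None:
            return None
        state["attempts"] += 1
        if time.time() > state["expires"] or state["attempts"] > OTP_MAX_ATTEMPTS:
            self.sessions.pop(session)      # burn the session on expiry or lockout
            return None
        if not hmac.compare_digest(state["otp"].encode(), input_value.encode()):
            return None
        self.sessions.pop(session)          # single use
        return {"authorized": True, "operation": state["operation"], "card_id": state["card_id"]}


def run_flow(card: ContactlessCard, server: AuthServer, operation: str, user_input=None):
    """Device application side: tap -> decryption result -> OTP request -> input value -> authorization."""
    package = card.tap()                     # the OS hands URL + cryptogram to the app
    result = server.decrypt_record(package["card_id"], package["cryptogram"])
    if not result["decrypted"] or not server.request_otp(result["session"], operation):
        return None
    delivered = server.outbox[-1]["otp"]     # what the user reads from email / SMS / push
    return server.verify_input(result["session"], delivered if user_input is None else user_input)


if __name__ == "__main__":
    master = b"issuer-master-key-for-demo-only"
    server = AuthServer(master, {"4111-demo": ("sms", "+1-555-0100")})
    card = ContactlessCard("4111-demo", master)
    print(run_flow(card, server, "view_attributes"))            # authorization message
    print(run_flow(card, server, "transfer_funds", "wrong"))    # None: input value does not match
```

The counter check is the part most worth keeping: without it, anyone who captures one NFC read (or one HTTP request from the app) can replay the cryptogram and be handed a fresh OTP, which defeats the purpose of binding the OTP to a physical tap.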