Digital services are widely available as local servers are remotely accessible, e.g. via Internet or other communication means. Depending on the character of the digital service, it might be desired or required to set up a secure connection between a remote device employed by the user on the one hand and a server providing the digital service on the other hand.

Usually, authorization techniques include verification whether a personal identification number, PIN, entered by a user matches with data associated with a user account of said user.

However, a PIN based security scheme is vulnerable for fraud since fraudulent persons may relatively easily collect PIN data from other people.

Another security scheme includes sending an SMS to the user, the SMS including data security data to be entered via the remote device.

However, a process of transmitting and receiving an SMS may take some time rendering the methodology less attractive. Furthermore, there occurs sometimes telecommunication failures between the mobile phone carrier and the user's mobile phone requiring recursive SMS sending action.

It is an object of the invention to provide an alternative method of providing access to a digital service. In particular, it is an object to provide a method that has improved security compared to a PIN based scheme.

Thereto, a method of providing access to a digital service is provided, comprising the steps of receiving an access request via a user interface on a terminal station, providing an identification request on said user interface, receiving user identification data via said user interface, the user

identification data being associated with a user account, forwarding the user identification data from the terminal station to a host server providing the digital service, transmitting a call request to a telecommunication server being operatively in communication with a communication device associated with said user account, initiating, by the telecommunication server, an incoming call on said communication device, receiving, by the

telecommunication server, a response signal from said communication device, transmitting a positive authentication signal from the

telecommunication server to the host server if the received response signal is a predefined approval signal, and authorizing the terminal station to access the digital service on the host server.

By initiating an incoming call to a communication device of a user requesting access to the digital service and by evaluating whether a response signal of the communication device is a predefined approval signal, the user can both securely and easily obtain access to the digital service. Further, initiating a call can generally be implemented in a relatively quick way having a higher priority than a process of generating and transmitting SMS messages.

The invention also relates to an authorization system for providing access to a digital service.

Further, the invention relates to a computer program product. A computer program product may comprise a set of computer executable instructions stored on a data carrier, such as but not limited to a flash memory, a CD or a DVD. The set of computer executable instructions, which allow a programmable computer to carry out the method as defined above, may also be available for downloading from a remote server, for example via the Internet, e.g. as an app.

Other advantageous embodiments according to the invention are described in the following claims.

By way of example only, embodiments of the present invention will now be described with reference to the accompanying figures in which Fig. 1 shows a schematic view of an authorization system according to the invention;

Fig. 2 shows a flow chart of a method according to the invention, and

Fig. 3 shows a flow diagram of the method in Fig. 2.

The figures merely illustrate preferred embodiments according to the invention. In the figures, the same reference numbers refer to equal or corresponding parts.

Figure 1 shows a schematic view of an authorization system 10 according to the invention. The system 10 is used for providing access to a digital service, such as a bank transaction.

The authorization system 10 includes a terminal station 12 provided with a user interface 14 such as a touch screen or a combined display and keyboard. The terminal station 12 acts as a front end of a digital system processing data for offering the digital service. In practice, the terminal station can be implemented as a shop cash register or a home computer that has Internet connectivity to a secure Internet web page, e.g. for online shopping or for Internet banking functionality. Further, the system 10 includes a host server 16 and a telecommunication server 18. The host server 16 is arranged for providing the digital service, while the telecommunication server 18 is arranged for operatively being in

communication with a communication device 20 associated with a user account of a user U.

The communication device 20 is a device being operatively connected to the telecommunication server 18, preferably in a wireless way, i.e. a cell phone, smartphone, phablet, tablet or other mobile communication device, or wired, e.g. for home or office applications.

Generally, the terminal station 12 is connected to the host server 16 via a first data channel 22 while the telecommunication server 18 is connected to the host server 16 via a second communication channel 24. The communication channels 22, 24 can be wired or wireless for transmitting data between the terminal station 12 and the host server 16 on the one hand, and between the telecommunication server 18 and the host server 16 on the other hand.

The authorization system is arranged for performing a number of steps to provide access to the digital service provided by the host server 16 as explained in more detail below.

Figure 2 shows a flow chart of a first embodiment of a method according to the invention. The method 100 is used for providing access to a digital service. The method comprises a step of receiving 110 an access request via a user interface on a terminal station, a step of providing 120 an identification request on said user interface, a step of receiving 130 user identification data via said user interface, the user identification data being associated with a user account, a step of forwarding 140 the user

identification data from the terminal station to a host server providing the digital service, a step of transmitting 150 a call request to a

telecommunication server being operatively in communication with a communication device associated with said user account, a step of initiating 160, by the telecommunication server, an incoming call on said

communication device, a step of receiving 170, by the telecommunication server, a response signal from said communication device, a step of transmitting 180 a positive authentication signal from the

telecommunication server to the host server if the received response signal is a predefined approval signal, and a step of authorizing 190 the terminal station to access the digital service on the host server.

Fig. 3 shows a flow diagram of the method in Fig. 2.

In practice, the method can be implemented particularly referring to Fig. 1 and Fig. 3 as follows.

A user U is permitted to use a digital service, such as a financial service e.g. a bank transaction service or another service such as a digital service concerning secure data or a digital service providing physical access to a protected area or zone.

The digital service is serviced by the host server 16. The user U has a user account related to said digital service, the user account including user identification data, such as personal data like first name, last name address, username etc. The user account also includes a telephone number or similar data associating the user account with the communication device 20 of the user U.

When the user U wishes to have access to the digital service, e.g. for carrying out a payment, the user U enters an access request 40 via the user interface 14 of the terminal station 12. The terminal station receives 110 said access request 40 and returns 120 an identification request 42 on said user interface 14 inviting the user U to enter user identification data. The user U may input user identification data 44 via said user interface, e.g. by entering a username, said data being included in the user account. Upon receiving 130 the entered user identification data 44, the terminal station 12 forwards 140 said data 44 to the host server 16, preferably together with the access request 40.

Then, a call request 46 is transmitted 150 to the

telecommunication server 18 that initiates 160 an incoming call 48 on the communication device 20 associated with the user account. Upon interaction of the user U with the communication device 20, the telecommunication server 18 receives 170 a response signal 50 from said device 20.

If the received response signal 50 is a predefined approval signal 52, the telecommunication server 18 transmits 180 a positive authentication signal 54 to the host server 16. Responsive to said positive authentication signal 54 the host server 16 authorizes 190 the terminal station 12 to have access to the digital service.

In a preferred embodiment, the predefined approval signal 52 is a call declination signal that the communication device 20 transmits when the user U declines the incoming call 48 initiated by the telecommunication server 16, e.g. by pressing a NO or similar button on the device 20. In another embodiment, the predefined approval signal 52 may be different, e.g. a call acceptance signal.

In an embodiment of the invention, an application may be run on the communication device 20 to selectively configure the predefined approval signal 52 based on signal induced by a user interaction with the communication device 20, e.g. a button signal caused by pressing a NO, YES or some other physical button or virtual button on a touch screen.

On the other hand, if the received response signal 50 is a predefined rejection signal 56, the communication server 18 transmits a negative authentication signal 58 to the host server 16. Responsive to said negative authentication signal 58 the host server 16 denies the terminal station 12 to have access to the digital service.

The user of the communication device 20 may cause the device 20 to send the predefined rejection signal 56 if another, fraudulent person has requested access to the digital service using the user identification data of the user. Then, access to the digital service is effectively denied.

In a preferred embodiment, the predefined rejection signal 56 is a call acceptance signal that the communication device 20 transmits when the user U accepts the incoming call 48 initiated by the telecommunication server 16, e.g. by pressing a YES or similar button on the device 20. In another embodiment, the predefined rejection signal 56 may be different, e.g. a call declination signal.

Optionally, a communication session is set up between the communication device 20 and the telecommunication server 18, e.g. for informing the user U about details concerning the access request 40 and/or terminal station 12.

If the response signal 50 is not a predefined approval signal 52 or a predefined rejection signal 56, the host server 16 may transmit another call request to the telecommunication server and/or may transmit a message to the terminal station 12 informing the user U that something went wrong when processing the access request 40.

Advantageously, the method may further include a step of offering, via the user interface 14, an alternative authorization process, before the step of transmitting the call request 46 to the telecommunication server 18. As an example, the user U may enter a password or may transmit biometric data such as iris recognition data.

Further, an alternative authorization process may be initiated if no positive authentication signal 54 is received by the host server 16.

In principle, the terminal station 12, the host server 16, the telecommunication server 18 and the communication device 20 are separate devices. However, devices can be physically integrated. As an example, functionality of the terminal station 12 may be available on the

communication device 20. Then, the user U interacts with the

communication device 20 for initiating the access request 40, entering the user identification data and responding to the incoming call 48 that is initiated by the telecommunication server 18.

The method for providing access to a digital service can be performed using dedicated hardware structures, such as FPGA and/or ASIC components. Otherwise, the method can also at least partially be performed using a computer program product comprising instructions for causing a processor of a computer system or a control unit to perform the above described step of the method according to the invention, or at least a sub- step thereof. As an example, the step of forwarding the user identification data from the terminal station to the host server is preferably initiated by the terminal station, while the step of forwarding a call request to the telecommunication server is preferably initiated by the host server.

All steps can in principle be performed on a single processor.

However, it is noted that at least one sub-step can be performed on a separate processor. A processor can be loaded with a specific software module. Dedicated software modules can be provided.

The invention is not restricted to the embodiments described herein. It will be understood that many variants are possible.

These and other embodiments will be apparent for the person skilled in the art and are considered to fall within the scope of the invention as defined in the following claims. For the purpose of clarity and a concise description features are described herein as part of the same or separate embodiments. However, it will be appreciated that the scope of the invention may include embodiments having combinations of all or some of the features described.