WO2012076939A1 - Method, apparatus, and computer program product for implementing graphical authentication - Google Patents


Info

Publication number
WO2012076939A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
marks
mark
comparing
authentication marks
Prior art date
Application number
PCT/IB2010/055754
Other languages
French (fr)
Inventor
Andreas Petrus Heiner
Original Assignee
Nokia Corporation
Nokia, Inc.
Priority date
Filing date
Publication date
Application filed by Nokia Corporation, Nokia, Inc.
Priority to PCT/IB2010/055754
Publication of WO2012076939A1


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/36 User authentication by graphic or iconic representation
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2109 Game systems
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2111 Location-sensitive, e.g. geographical location, GPS

Definitions

  • Embodiments of the present invention relate generally to implementing a user interface, and, more particularly, relate to a method, apparatus, and computer program product for implementing graphical authentication.
  • One example method may include receiving characteristics of one or more authentication marks within a user input field, where the characteristics of each authentication mark comprise at least one of an appearance characteristic of the authentication mark or a positional characteristic of the authentication mark.
  • the positional characteristics may be defined based on the relative positions between the authentication marks, or the positional characteristics may be defined with respect to an absolute or fixed position (e.g., one or more positional reference points or axes).
  • the example method may further include comparing the characteristics of the one or more authentication marks to characteristics of one or more reference marks, where the characteristics of each reference mark comprise at least one of an appearance characteristic of the reference mark or a positional characteristic of the reference mark. Comparing the characteristics may comprise comparing the appearance characteristics of the authentication marks to appearance characteristics of the reference marks or comparing the positional characteristics of the authentication marks to positional characteristics of the reference marks.
  • the example method may also include determining whether a user is successfully authenticated based at least on the comparison of the characteristics.
  • An additional example embodiment is an apparatus configured to implement graphical authentication.
  • the example apparatus may comprise at least one processor and at least one memory including computer program code, the at least one memory and the computer program code configured to, with the at least one processor, direct the apparatus to perform various functionality.
  • the example apparatus may be directed to receive characteristics of one or more authentication marks within a user input field, where the characteristics of each authentication mark comprise at least one of an appearance characteristic of the authentication mark or a positional characteristic of the authentication mark.
  • the example apparatus may also be directed to compare the characteristics of the one or more authentication marks to characteristics of one or more reference marks, where the characteristics of each reference mark comprise at least one of an appearance characteristic of the reference mark or a positional characteristic of the reference mark. Further, being directed to compare the characteristics may comprise being directed to compare the appearance characteristics of the authentication marks to appearance characteristics of the reference marks or to compare the positional characteristics of the authentication marks to positional characteristics of the reference marks.
  • the example apparatus is directed to, based at least on the comparison of the characteristics, determine whether a user is successfully authenticated.
  • Another example embodiment is a computer program that, when executed, causes an apparatus to receive characteristics of one or more authentication marks within a user input field, where the characteristics of each authentication mark comprise at least one of an appearance characteristic of the authentication mark or a positional characteristic of the authentication mark.
  • the example computer program may also direct the apparatus to compare the characteristics of the one or more authentication marks to characteristics of one or more reference marks, where the characteristics of each reference mark comprise at least one of an appearance characteristic of the reference mark or a positional characteristic of the reference mark. Being directed to compare the characteristics may comprise being directed to compare the appearance characteristics of the authentication marks to appearance characteristics of the reference marks or to compare the positional characteristics of the authentication marks to positional characteristics of the reference marks.
  • the example computer program may further direct the apparatus to, based at least on the comparison of the characteristics, determine whether a user is successfully authenticated.
  • Another example embodiment is a computer program product comprising a non- transitory memory or other non-transitory computer readable medium having computer program code stored thereon, wherein the computer program code is configured to direct an apparatus to perform various functionalities.
  • the program code may be configured to direct the apparatus to receive characteristics of one or more authentication marks within a user input field, where the characteristics of each authentication mark comprise at least one of an appearance characteristic of the authentication mark or a positional characteristic of the authentication mark.
  • the example computer program code may also be configured to direct the apparatus to compare the characteristics of the one or more authentication marks to characteristics of one or more reference marks, where the characteristics of each reference mark comprise at least one of an appearance characteristic of the reference mark or a positional characteristic of the reference mark.
  • being directed to compare the characteristics may comprise being directed to compare the appearance characteristics of the authentication marks to appearance characteristics of the reference marks or comparing the positional characteristics of the authentication marks to positional characteristics of the reference marks.
  • the example computer program code may further direct the apparatus to, based at least on the comparison of the characteristics, determine whether a user is successfully authenticated.
  • Another example apparatus comprises means for receiving characteristics of one or more authentication marks within a user input field, where the characteristics of each authentication mark comprise at least one of an appearance characteristic of the authentication mark or a positional characteristic of the authentication mark.
  • the example apparatus may further comprise means for comparing the characteristics of the one or more authentication marks to characteristics of one or more reference marks, where the characteristics of each reference mark comprise at least one of an appearance characteristic of the reference mark or a positional characteristic of the reference mark.
  • the means for comparing the characteristics may comprise means for comparing the appearance characteristics of the authentication marks to appearance characteristics of the reference marks or comparing the positional characteristics of the authentication marks to positional characteristics of the reference marks.
  • the example apparatus may also comprise means for determining whether a user is successfully authenticated based at least on the comparison of the characteristics.
  • FIG. 1a illustrates an example mobile device with a touch screen display for inputting authentication marks according to an example embodiment of the present invention
  • FIG. 1b illustrates an example computer system for inputting authentication marks according to an example embodiment of the present invention
  • FIGs. 2a and 2b illustrate screen shots of an implementation that uses color and pattern for determining whether a user is authentic according to various example embodiments of the present invention
  • FIG. 3 illustrates a quadrant definition of a mark according to an example embodiment of the present invention
  • FIGs. 4a through 4c illustrate screen shots of an implementation that relies upon relative quadrant positioning for determining whether a user is authentic according to an example embodiment of the present invention
  • FIG. 5 illustrates a block diagram of an apparatus and associated system for implementing a graphical authentication according to some example embodiments of the present invention
  • FIG. 6 illustrates a block diagram of a mobile terminal configured to implement graphical authentication according to some example embodiments of the present invention.
  • FIG. 7 is a flowchart of an example method for graphical authentication according to an example embodiment of the present invention.
  • circuitry refers to all of the following: (a) hardware-only circuit implementations (such as implementations in only analog and/or digital circuitry); (b) to combinations of circuits and software (and/or firmware), such as (as applicable): (i) to a combination of processor(s) or (ii) to portions of processor(s)/software (including digital signal processor(s)), software, and memory(ies) that work together to cause an apparatus, such as a mobile phone or server, to perform various functions); and (c) to circuits, such as a microprocessor(s) or a portion of a microprocessor(s), that require software or firmware for operation, even if the software or firmware is not physically present.
  • circuitry would also cover an implementation of merely a processor (or multiple processors) or portion of a processor and its (or their) accompanying software and/or firmware.
  • circuitry would also cover, for example and if applicable to the particular claim element, a baseband integrated circuit or applications processor integrated circuit for a mobile phone or a similar integrated circuit in a server, a cellular network device, or other network device.
  • Various example embodiments of the present invention relate to methods, apparatuses, and computer program products for implementing graphical authentication.
  • a user may input a plurality of authentication marks on, for example, a touch screen display as a means for submitting an authenticator or password to
  • a device may compare these authentication marks with reference marks to determine whether the user is authentic, and, for example, provide access to functionality of an electronic device.
  • characteristics of the authentication marks may be compared to characteristics of a plurality of reference marks. Reference marks may be provided, and their characteristics defined, during an enrollment or password definition process.
  • a mark such as an authentication mark or a reference mark, may be, according to some example embodiments, any type of graphic that is based on a user input.
  • a mark may be referred to as a blob because a mark may take any form such as a shape, a graphical representation of a touch or a swipe, or the like.
  • a mark may be drawn or provided by a user, for example, with a stylus, finger, or the like on a touch pad or touch screen display of an electronic device, or by using an electronic implement for input such as a mouse, trackball, automated drawing puck, joystick, gaming controller, or the like. Because a collection of several marks can be highly distinctive, collections of marks may be utilized as reliable and convenient passwords.
  • a plurality of marks may be used to determine the authenticity of a user.
  • a plurality of reference marks may be defined and stored during enrollment.
  • a user may input a plurality of authentication marks, in a similar manner to entering a password. If the characteristics of the authentication marks sufficiently match the characteristics of the plurality of reference marks, the user may be authenticated and, for example, gain access to data or functionalities.
  • FIGs. 1a and 1b illustrate an example mobile terminal 100 and an example computer system 150 that may be configured to implement graphical authentication as described herein.
  • the mobile terminal 100 and/or the computer system 150 may be electronic devices that, for example, execute applications that require user authentication.
  • a graphical password may be requested as depicted in FIG. 1a.
  • the user may utilize the touch screen display 103, mouse 151, or other drawing apparatus to enter the authentication marks 105 during an authentication process and/or reference marks during an enrollment process.
  • the computer system 150 may be installed in, for example, a banking machine, and entry of authentication marks may be required to authenticate a user prior to permitting the user to conduct banking from the machine.
  • the mobile terminal 100 and/or the computer system 150 may be connected to a network, and the authentication marks may be required to access data or functionality via another terminal or server on the network.
  • authentication marks may be required to access a webpage that is available via the network, such as, for example, a social networking site, an email service site, or any other site that would require authentication of the user prior to awarding access.
  • a user may input a plurality of authentication marks in a number of ways. For example, referring to FIG. 1a, a user may select a color from the color panel 101, select a pattern from the pattern panel 102, and place an authentication mark within a user input field 104 of the display 103.
  • the authentication mark may have characteristics including the selected color and the selected pattern.
  • the letters a, b, c, d, e, and f of the color panel 101 are representative of particular colors that may be selected by, for example, touching the associated colored box within the panel.
  • the letter indications on the marks 105 indicate the colors associated with the marks (e.g., a may be blue, b may be red, etc.).
  • the patterns to select from may be any type of patterns including but not limited to, diagonal lines, vertical lines, horizontal lines, diagonal cross- hatch, vertical/horizontal cross-hatch, or the like.
  • the user may then indicate a position within the user input field at which to place the mark.
  • Placement of a mark (e.g., an authentication mark during an authentication process or a reference mark during an enrollment process) may be performed by dragging the mark within the user input field, using, for example, a finger on a touch screen or a mouse with a depressed button.
  • the user may also further manipulate the size and shape of the mark (e.g., stretch the mark) or change the orientation of the mark (e.g., rotate the mark).
  • characteristics such as color, pattern, shape, size may be classified as appearance characteristics, while characteristics such as position and orientation may be classified as positional characteristics.
  • the color and/or pattern of each of a plurality of marks may be selected, and as each is selected, a mark may be automatically placed, possibly in a random or pseudo-random position in the user input field. Upon adding some or all of the desired marks to the user input field, the user may then move or drag the various marks into desired positions. Further, in some example embodiments, an authentication process may begin with a plurality of marks already located within the user input field.
  • FIG. 1a illustrates authentication marks that have both color and pattern characteristics
  • marks may be input, and an authentication process may consider, marks that have a color characteristic and no pattern, or a pattern but no color for performing authentications.
  • inputting a mark having a single considered characteristic may increase the drawing or painting speed of the user.
  • distinctive shapes such as, for example hand-drawn alphanumeric characters may also be considered as another characteristic or dimension for authentication, with the effect of increasing authentication entropy while possibly slowing user input speeds.
  • gestures may also be considered as a mechanism for inputting a mark. Through the use of gestures, three positional dimensions may be considered either in a relative sense between the marks or in an absolute sense relative to a fixed origin.
  • the ordering of the colors in the color panel 101 and/or the ordering of the patterns in the pattern panel 102 may be randomly or pseudo-randomly determined each time an authentication process is undertaken. Because the positions touched on the panels then no longer reveal which colors and patterns were selected, this may improve security by reducing the risk associated with shoulder-surfing attacks.
  • the electronic device may automatically select the characteristics of the reference marks (e.g., colors, patterns, shapes, sizes, positions, etc.) during enrollment. In this way the biases of the user can be eliminated: for example, a user may be prevented from always using their favorite color, repeating the same color or pattern for simplicity, or using other predictable characteristics when enrolling reference marks.
  • FIGs. 2a and 2b illustrate an example embodiment of the present invention that involves determining whether a user is successfully authenticated by comparing the colors of authentication marks to the colors of reference marks, and by comparing the patterns of the authentication marks with the patterns of the reference marks. According to some example embodiments, more or fewer characteristics may be considered for the authentication process, such as, for example, the positions of the marks, the size of the marks, the shape of the marks, or the like.
  • the order in which the marks are introduced or otherwise acted upon by the user may be considered as a characteristic.
  • in this way an additional bit of entropy per mark may be introduced to the authentication process. (Strictly, the order of n distinct marks contributes log2(n!) bits in total, about 4.6 bits for four marks and 6.9 bits for five, so "one bit per mark" is a rough figure.)
  • In FIG. 2a, a plurality of reference marks 205 is shown.
  • the user may input authentication marks that have particular characteristics that match the characteristics of the reference marks, possibly within a threshold difference with respect to some characteristics (e.g., positional characteristics).
  • In this example, four reference marks are being utilized.
  • Reference mark 201 has characteristics of a color a and a pattern that is diagonal top-right to bottom-left.
  • Reference mark 202 has characteristics of a color d and a pattern that is vertical-horizontal crosshatch.
  • Reference mark 203 has characteristics of a color f and a pattern that is diagonal crosshatch.
  • Reference mark 204 has characteristics of a color c and a pattern that is diagonal top-left to bottom-right.
  • According to some example embodiments, presentation of the reference marks may be provided to the user only during enrollment, or after having already been authenticated, possibly in another fashion (e.g., through security questions due to a forgotten authenticator).
  • FIG. 2b illustrates four example input authentication marks 215 that have been provided by the user.
  • the authentication marks 215 include authentication mark 211, which has characteristics of a color a and a pattern of diagonal top-right to bottom-left.
  • Authentication mark 212 has characteristics of a color d and a pattern that is vertical-horizontal crosshatch.
  • Authentication mark 213 has characteristics of a color f and a pattern that is diagonal crosshatch.
  • Authentication mark 214 has characteristics of a color c and a pattern that is diagonal top-left to bottom-right. While FIGs. 2a and 2b illustrate marks that have different colors and different patterns between each mark, according to various example embodiments, multiple marks could share a pattern with or without different colors, or multiple marks could share colors with or without different patterns.
  • the device compares the characteristics of the authentication marks to the characteristics of the reference marks.
  • the colors and patterns of the authentication marks may be compared to the colors and patterns of the reference marks.
  • the characteristics of each authentication mark may be compared with the characteristics of each reference mark to determine if a match is found. Since, in this example embodiment, only color and pattern are being considered, other characteristics such as position, size, shape, and the like are not factored into this example type of authentication analysis, but these characteristics could be if desired.
  • the characteristics of authentication mark 211 may be considered and compared to the characteristics of each of the reference marks 201, 202, 203, and 204. Based on this example scenario, a device (e.g., processor) would determine that the characteristics of authentication mark 211 match those of reference mark 201. Similar analyses may be performed with respect to the other authentication marks to determine that the characteristics of authentication mark 212 match those of reference mark 202, the characteristics of authentication mark 213 match those of reference mark 203, and the characteristics of authentication mark 214 match those of reference mark 204. Accordingly, with respect to this example scenario, matches have been identified between each of the authentication marks and each of the reference marks, and no reference marks are left unmatched. As such, the user is authentic. Had one or more of the authentication marks not satisfied a characteristic match to a reference mark, or if a reference mark had been left unmatched, then the user would not have been authenticated.
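As an added example (not code from the patent), the color/pattern comparison of FIGs. 2a and 2b in Python. Each authentication mark must match a distinct reference mark and no reference mark may be left unmatched, which is a multiset equality; the entry order mentioned above as an extra characteristic is an optional flag. The color letters follow FIG. 2a, while the pattern names are labels constructed for this example. Storing the reference set as a salted PBKDF2 digest of a canonical encoding and comparing in constant time is this example's own hardening, not something the page describes.

```python
from collections import Counter
import hashlib
import hmac
import json
import os

# A mark's appearance characteristics as a (color, pattern) pair. Colors a-f
# follow FIG. 2a; the pattern names are this example's own labels.
REFERENCE_MARKS = [
    ("a", "diagonal_tr_bl"),       # reference mark 201
    ("d", "vh_crosshatch"),        # reference mark 202
    ("f", "diagonal_crosshatch"),  # reference mark 203
    ("c", "diagonal_tl_br"),       # reference mark 204
]


def matches(auth_marks, ref_marks, ordered=False):
    """True when every authentication mark matches a distinct reference mark
    and no reference mark is left unmatched.

    The unordered comparison is a multiset equality, so repeated
    color/pattern pairs are handled correctly. With ordered=True the order
    in which the marks were entered becomes an additional characteristic.
    """
    if ordered:
        return list(auth_marks) == list(ref_marks)
    return Counter(auth_marks) == Counter(ref_marks)


def canonical(marks, ordered=False):
    """Canonical byte encoding of a mark set, so equal sets hash equally."""
    seq = list(marks) if ordered else sorted(marks)
    return json.dumps(seq, separators=(",", ":")).encode()


def enroll(ref_marks, ordered=False, iterations=100_000):
    """Store the reference marks as a salted PBKDF2 digest rather than in the
    clear (example hardening; the patent text does not specify storage)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", canonical(ref_marks, ordered),
                                 salt, iterations)
    return {"salt": salt, "digest": digest,
            "ordered": ordered, "iterations": iterations}


def verify(auth_marks, record):
    """Recompute the digest for the submitted marks; compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256",
                                 canonical(auth_marks, record["ordered"]),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])


if __name__ == "__main__":
    # FIG. 2b: the same four marks entered in a different order still match
    # when order is not a considered characteristic.
    entered = [REFERENCE_MARKS[2], REFERENCE_MARKS[0],
               REFERENCE_MARKS[3], REFERENCE_MARKS[1]]
    print(matches(entered, REFERENCE_MARKS))                # True
    print(matches(entered, REFERENCE_MARKS, ordered=True))  # False
    record = enroll(REFERENCE_MARKS)
    print(verify(entered, record))                          # True
    print(verify(entered[:3], record))                      # False
```

With the page's own figure of roughly 24 bits for four marks, an attacker who obtains the stored record can enumerate the whole space offline in seconds whatever hash is used, so the slow hash buys little on its own; the protection has to come from keeping verification online and rate-limited, as with a PIN.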
  • the marks may be lines or curves, such as lines or curves for implementing a draw-a-secret authentication process.
  • the lines or curves may be entered and compared in the same manner as described above and otherwise herein.
  • the colors of the authentication lines or curves may be compared to the colors of the reference lines or curves.
  • the pattern of the authentication lines or curves may be compared to the patterns of the reference lines or curves.
  • the entropy of passwords generated in this way can be high because of the many combinations of colors and patterns that can be created.
  • in this example, the characteristics of each mark may be described using a 6-bit value per mark (i.e., 64 distinguishable color/pattern combinations).
  • the entropy for four marks may then be 24 bits and for five marks 30 bits. If, however, a scheme were used that did not consider one of the characteristics (e.g., only color was considered, at 3 bits per mark), then four marks may have an entropy of 12 bits and five marks an entropy of 15 bits. These figures assume that each mark's characteristics are chosen uniformly at random and that the entry order is considered; when the marks are compared as an unordered set, the number of distinguishable passwords is smaller (for four marks drawn from 64 values, about 19.5 bits).
  • Relative position may be considered in any of a number of ways.
  • a reference point for each mark may be defined and used for comparisons of relative positions.
  • the reference point may be calculated as the geometric center of the mark, however other techniques may be used to define a reference point for a mark.
  • relative positions of the marks may be considered with respect to quadrants defined for each mark.
  • an origin of the mark may be defined, which may be a calculated reference point (e.g., the geometric center), together with an orientation reference (e.g., the edges of the display screen, or a calculated orientation reference that considers the orientation of the reference marks), and from these a two-dimensional quadrant axis system may be defined for the mark.
  • the two-dimensional quadrant axis system may be defined with respect to two selected marks, such that the two selected marks may be within a common quadrant.
  • FIG. 3 illustrates an example mark with a quadrant axis system. The point of where the dashed lines of FIG. 3 cross may be the origin.
  • four quadrants may be defined - a first quadrant, a second quadrant, a third quadrant, and a fourth quadrant.
  • Relative positions between two marks may be defined by which quadrant the other mark resides within.
  • a mark may reside at a position defined by the mark's reference point.
  • reference mark 403 resides in reference mark 401 's second quadrant.
  • relative position relationships can be defined and used for authentication.
  • a polar coordinate system may be considered when utilizing a quadrant scheme, where the position between two points may be given more precisely by an angle from 0 to 360 degrees relative to the origin.
  • a regional relationship may include attributes indicating the angular relationship between marks, the distance relationship between marks, or both.
  • the distance may be a value between a minimum and a maximum.
  • the area surrounding the origin of a mark may instead be divided into halves.
  • the relative regional relationships may then be based on, for example, whether the other mark is to the left or right of the mark, or above or below it, as indicated by a line drawn from the origin to the reference point of the other mark.
  • FIG. 4b illustrates a situation where the user is authenticated, based on relative positions of the authentication marks, and where FIG. 4c illustrates a different
  • FIG. 4a illustrates the enrolled reference marks 405, which include reference marks 401, 402, 403, and 404.
  • an origin and quadrant axis system has been defined for each reference mark. While the dashed axes for each mark are depicted in FIGs. 4a through 4c, according to some example embodiments, the axes need not be displayed to the user. Here, the axes are provided for assistance in explanation.
  • the relative position relationship may be defined as a characteristic of each mark.
  • the characteristics for reference mark 401 may indicate that one reference mark is positioned in its second quadrant (reference mark 403), and two reference marks are positioned in its fourth quadrant (reference marks 402 and 404).
  • the characteristics for reference mark 402 may indicate that one reference mark is positioned in its first quadrant (reference mark 401), and two reference marks are positioned in its second quadrant (reference marks 403 and 404).
  • the characteristics for reference mark 403 may indicate that three reference marks are positioned in its third quadrant (reference marks 401, 402, and 404).
  • characteristics for reference mark 404 may indicate that one reference mark is positioned in its first quadrant (reference mark 401), one reference mark is positioned in its second quadrant (reference mark 403), and one reference mark is positioned in its third quadrant (reference mark 402).
  • comparisons may be made between authentication marks and reference marks to determine whether a user is authentic.
  • a match of the characteristics may be determined and the user may be determined to be authentic.
  • the color, pattern, size, shape, and other characteristics are not being considered, but these or other additional characteristics could be considered to generate more robust passwords, as further described below.
  • authentication mark 411 has the same relative position relationship characteristics as reference mark 401
  • authentication mark 412 has the same relative position relationship characteristics as reference mark 402
  • authentication mark 413 has the same relative position relationship characteristics as reference mark 403
  • authentication mark 414 has the same relative position relationship characteristics as reference mark 404. Since the comparisons of the characteristics of the marks identify matches between the authentication marks and the reference marks, and no reference mark is left unmatched, a successful authentication may be identified for the authentication marks 415.
  • In FIG. 4c, the authentication marks 425, which include authentication marks 421, 422, 423, and 424, do not have relative position relationship characteristics that match those of the reference marks 405.
  • authentication mark 424 has two marks in its first quadrant, but no reference mark has two reference marks in its first quadrant. As such, no match can be made with the characteristics of authentication mark 424, as well as other authentication marks, and therefore an unsuccessful authentication attempt is determined.
  • a device may automatically shift a mark at the time of entry to avoid ambiguity.
  • the mark may be shifted into one of the quadrants (e.g., the lower numbered quadrant) such that the mark (or the mark's reference point) is at least a minimum distance from the axis. This shifting may be performed during enrollment of reference marks or during authentication for authentication marks.
  • the relative position relationship characteristics add two bits of entropy per pair of marks. For four marks, the additional entropy is 12 bits, or 0.5n(n-1)*2 bits for n marks (each unordered pair is counted once, since the quadrant of mark B relative to mark A determines the quadrant of A relative to B). This is an upper bound: the pairwise relationships are not independent of one another (for example, if B lies to the upper right of A and C to the upper right of B, then C must lie to the upper right of A), so the effective entropy is somewhat lower. If other characteristics such as color and pattern are not also considered, the total entropy would be correspondingly lower.
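As an added example (not code from the patent), the relative-quadrant comparison of FIGs. 4a through 4c in Python. The page does not say how the four quadrants are numbered; the reading-order numbering assumed here (1 upper-left, 2 upper-right, 3 lower-left, 4 lower-right, with y increasing upward) is the one under which the relationships listed above for reference marks 401 through 404 are mutually consistent. The coordinates are constructed to reproduce those relationships and are not the figure's real geometry; the tie-break for a mark lying exactly on an axis is a zero-distance version of the shifting described above; and the entropy helper implements the page's 0.5n(n-1)*2 formula next to the 6-bits-per-mark appearance figure.

```python
from collections import Counter

# Constructed reference points (geometric centers) that reproduce the FIG. 4a
# relationships: 403 in 401's quadrant 2, 402 and 404 in 401's quadrant 4, etc.
REFERENCE_MARKS = {
    401: (0.0, 0.0),
    402: (2.0, -4.0),
    403: (8.0, 3.0),
    404: (5.0, -2.0),
}


def center(points):
    """Reference point of a mark drawn as a blob: the geometric center of its
    sample points (one of the reference-point choices the page names)."""
    xs, ys = zip(*points)
    return sum(xs) / len(xs), sum(ys) / len(ys)


def quadrant(origin, other):
    """Quadrant of `other` in the axis system centered on `origin`.

    Assumed numbering: 1 upper-left, 2 upper-right, 3 lower-left, 4 lower-right.
    A point exactly on an axis is resolved into the lower-numbered quadrant,
    mirroring the page's shift-into-the-lower-numbered-quadrant tie-break.
    """
    dx = other[0] - origin[0]
    dy = other[1] - origin[1]
    left = dx <= 0    # on the vertical axis counts as left (quadrants 1/3)
    upper = dy >= 0   # on the horizontal axis counts as upper (quadrants 1/2)
    if upper:
        return 1 if left else 2
    return 3 if left else 4


def relation_signature(points):
    """Per-mark positional characteristic: how many other marks fall in each
    of its four quadrants. The set's characteristic is the multiset of these."""
    sigs = []
    for i, origin in enumerate(points):
        counts = [0, 0, 0, 0]
        for j, other in enumerate(points):
            if i != j:
                counts[quadrant(origin, other) - 1] += 1
        sigs.append(tuple(counts))
    return Counter(sigs)


def authenticate(auth_points, ref_points):
    """Match when every authentication mark's signature pairs with a distinct
    reference signature and none is left over. Translating or uniformly
    scaling the whole set preserves the signatures; entry order is ignored."""
    return (len(auth_points) == len(ref_points)
            and relation_signature(auth_points) == relation_signature(ref_points))


def entropy_bits(n_marks, appearance_bits_per_mark=6):
    """(appearance bits, relative-position bits, total) using the page's
    figures of 6 bits per mark and 2 bits per unordered pair. Both are upper
    bounds, since the pair relations are not independent of one another."""
    pairs = n_marks * (n_marks - 1) // 2
    appearance = n_marks * appearance_bits_per_mark
    relative = 2 * pairs
    return appearance, relative, appearance + relative


if __name__ == "__main__":
    ref = list(REFERENCE_MARKS.values())
    print(relation_signature(ref))  # 401:(0,1,0,2) 402:(1,2,0,0) 403:(0,0,3,0) 404:(1,1,1,0)
    # The same arrangement shifted and drawn twice as large (FIG. 4b-style).
    print(authenticate([(10.0, 10.0), (14.0, 2.0), (26.0, 16.0), (20.0, 6.0)], ref))  # True
    # Mark 404 moved so that it sees all three others in its quadrant 1 (FIG. 4c-style).
    print(authenticate([(0.0, 0.0), (2.0, -4.0), (8.0, 3.0), (9.0, -6.0)], ref))      # False
    print(entropy_bits(4))  # (24, 12, 36)
```

The signature is invariant under translation and uniform scaling of the whole set, which is what gives the page's claimed independence from an absolute coordinate system; it is not invariant under rotation, so the orientation reference (screen edges or a reference computed from the marks) still has to be fixed before the quadrants are evaluated.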
  • some example embodiments may consider absolute positions of the marks with respect to a coordinate reference system.
  • the coordinate reference system may be defined such that the positions of the marks are described relative to the coordinate reference system as positional characteristics.
  • the coordinate reference system may be fixed.
  • the coordinate reference system may be rotated to create a new coordinate reference system that, for example, simplifies the positional descriptions of the marks within the rotated system.
  • a two-dimensional, orthogonal coordinate reference system may be defined with respect to two predefined points.
  • the coordinate reference system may be defined with respect to two points with a condition that the at least two points are positioned within a common region (e.g., quadrant, such as the first quadrant).
  • a skewed reference system may be defined, for example, based on three predetermined points.
  • the input may be provided in three dimensions (e.g., through the use of gestures).
  • a three-dimensional reference system may be defined. Using absolute positions based on a coordinate reference system as described above, the positional characteristics of one or more authentication marks may be compared to those of one or more reference marks. Additionally, the use of the coordinate reference system may permit authentication based on the position of a single authentication mark, as compared to the position of a single reference mark.
  • the example authentication processes described herein provide the advantage of not being line width dependent as is the case with some draw-a-secret password solutions. Further, some example embodiments also enjoy the advantage of being independent of an absolute coordinate system and rather rely on relative positioning. Additionally, according to some example embodiments, a detailed and tedious entry of a sketch is not required from a user because the degree of entropy that can be obtained is sufficient to generate robust authenticators (passwords). Finally, according to some example embodiments, high usability is realized with simple and fast user entry of information, while still providing robust authenticator (password) strength.
  • the description provided above and generally herein illustrates example methods, example apparatuses, and example computer program products for implementing graphical authentication. FIGs.
  • FIGs. 5 and 6 depict example apparatuses that may be configured to perform various functionalities as described herein, including the operations described with respect to FIGs. 1a-4c above, the flowchart of FIG. 7, and the operations otherwise described herein.
  • an example embodiment of the present invention is depicted as apparatus 500.
  • the mobile terminal 100 or the computer system 150 may be example embodiments of apparatus 500.
  • the apparatus 500 need not include wireless communications functionality, but in other example embodiments, the apparatus 500 may be embodied as, or included as a component of, a communications device with wired and/or wireless communications capabilities.
  • the apparatus 500 may be part of a communications device, such as a stationary or a mobile communications terminal.
  • the apparatus 500 may be a mobile and/or wireless communications node such as, for example, a mobile and/or wireless server, computer, access point, handheld wireless device (e.g., telephone, portable digital assistant (PDA), mobile television, gaming device, camera, video recorder, audio/video player, radio, digital book reader, and/or a global positioning system (GPS) device), any other type of device that may require personal authentication (e.g., banking devices such as automated teller machines (ATMs), doorway and personal access devices, vehicle control systems, and the like), any combination of the aforementioned, or the like.
  • apparatus 500 may also include computing capabilities.
  • FIG. 5 illustrates a block diagram of example components of the apparatus 500.
  • the example apparatus 500 comprises or is otherwise in communication with a processor 505, a memory device 510, an Input/Output (I/O) interface 506, a user interface 525, and an authentication analyzer 540.
  • the apparatus 500 may further include a communications interface 515.
  • the processor 505 may, according to some example embodiments, be embodied as various means for implementing the various functionalities of example embodiments of the present invention including, for example, a microprocessor, a coprocessor, a controller, a special-purpose integrated circuit such as, for example, an ASIC (application specific integrated circuit), an FPGA (field
  • processor 505 may be representative of a plurality of processors, or one or more multiple core processors, operating in concert. Further, the processor 505 may be comprised of a plurality of transistors, logic gates, a clock (e.g., oscillator), other circuitry, and the like to facilitate performance of the functionality described herein.
  • the processor 505 may, but need not, include one or more
  • the processor 505 is configured to execute instructions stored in the memory device 510 or instructions otherwise accessible to the processor 505.
  • the processor 505 may be configured to operate such that the processor causes or directs the apparatus 500 to perform various functionalities described herein.
  • the processor 505 may be an entity and means capable of performing operations according to embodiments of the present invention while configured accordingly.
  • the processor 505 is specifically configured hardware for conducting the operations described herein.
  • the processor 505 is embodied as an executor of instructions stored on a computer-readable storage medium
  • the instructions specifically configure the processor 505 to perform the algorithms and operations described herein.
  • the processor 505 is a processor of a specific device (e.g., a communications server or mobile terminal) configured for employing example embodiments of the present invention by further configuration of the processor 505 via executed instructions for performing the algorithms, methods, and operations described herein.
  • the memory device 510 may be one or more tangible and/or non-transitory computer-readable storage media that may include volatile and/or non-volatile memory.
  • the memory device 510 comprises Random Access Memory (RAM) including dynamic and/or static RAM, on-chip or off-chip cache memory, and/or the like.
  • memory device 510 may include non-volatile memory, which may be embedded and/or removable, and may include, for example, read-only memory, flash memory, magnetic storage devices (e.g., hard disks, floppy disk drives, magnetic tape, etc.), optical disc drives and/or media, non-volatile random access memory (NVRAM), various types of solid-state storage (e.g., flash memory), and/or the like.
  • Memory device 510 may include a cache area for temporary storage of data. In this regard, some or all of memory device 510 may be included within the processor 505. In some example embodiments, the memory device 510 may be in communication with the processor 505 and/or other components via a shared bus. In some example embodiments, the memory device 510 may be configured to provide secure storage of data, such as, for example, the characteristics of the reference marks, in trusted modules of the memory device 510.
  • the memory device 510 may be configured to store information, data, applications, computer-readable program code instructions, and/or the like for enabling the processor 505 and the example apparatus 500 to carry out various functions in accordance with example embodiments of the present invention described herein.
  • the memory device 510 may be configured to buffer input data for processing by the processor 505.
  • the memory device 510 may be configured to store instructions for execution by the processor 505.
  • the I/O interface 506 may be any device, circuitry, or means embodied in hardware, software, or a combination of hardware and software that is configured to interface the processor 505 with other circuitry or devices, such as the communications interface 515.
  • the I/O interface may embody or be in communication with a bus that is shared by multiple components.
  • the processor 505 may interface with the memory 510 via the I/O interface 506.
  • the I/O interface 506 may be configured to convert signals and data into a form that may be interpreted by the processor 505.
  • the I/O interface 506 may also perform buffering of inputs and outputs to support the operation of the processor 505.
  • the processor 505 and the I/O interface 506 may be combined onto a single chip or integrated circuit configured to perform, or cause the apparatus 500 to perform, various functionalities of the present invention.
  • the apparatus 500 or some of the components of apparatus 500 may be embodied as a chip or chip set.
  • the apparatus 500 may comprise one or more physical packages (e.g., chips) including materials, components and/or wires on a structural assembly (e.g., a baseboard).
  • the structural assembly may provide physical strength, conservation of size, and/or limitation of electrical interaction for component circuitry included thereon.
  • the apparatus 500 may therefore, in some cases, be configured to implement embodiments of the present invention on a single chip or as a single "system on a chip."
  • a chip or chipset may constitute means for performing the functionalities described herein and with respect to the processor 505.
  • the communication interface 515 may be any device or means embodied in hardware, a computer program product, or a combination of hardware and a computer program product that is configured to receive and/or transmit data from/to a network 520 and/or any other device or module in communication with the example apparatus 500.
  • the communications interface may be configured to communicate information via any type of wired or wireless connection, and via any type of communications protocol, such as a communications protocol that supports cellular communications.
  • the communication interface 515 may be configured to support the transmission and reception of communications in a variety of networks including, but not limited to Internet Protocol-based networks (e.g., the Internet), cellular networks, or the like. Further, the communications interface 515 may be configured to support device-to-device communications.
  • Processor 505 may also be configured to facilitate communications via the communications interface 515 by, for example, controlling hardware included within the communications interface 515.
  • the communication interface 515 may include, for example, communications driver circuitry (e.g., circuitry that supports wired communications via, for example, fiber optic connections), one or more antennas, a transmitter, a receiver, a transceiver and/or supporting hardware, including, for example, a processor for enabling communications.
  • the example apparatus 500 may communicate with various other network entities in a device-to-device fashion and/or via indirect communications via a base station, access point, server, gateway, router, or the like.
  • the user interface 525 may be in communication with the processor 505 to receive user input via the user interface 525 and/or to present output to a user as, for example, audible, visual, mechanical, or other output indications.
  • the user interface 525 may include, for example, a keyboard, a mouse, a joystick, a display (e.g., a touch screen display), a microphone, a speaker, camera, accelerometer, or other input/output mechanisms.
  • the processor 505 may comprise, or be in communication with, user interface circuitry configured to control at least some functions of one or more elements of the user interface.
  • the processor 505 and/or user interface circuitry may be configured to control one or more functions of one or more elements of the user interface through computer program instructions (e.g., software and/or firmware) stored on a memory accessible to the processor 505 (e.g., volatile memory, non-volatile memory, and/or the like).
  • the user interface 525 may also be configured to support the implementation of haptic feedback.
  • the user interface 525, as controlled by processor 505, may include a vibra, a piezo, and/or an audio device configured for haptic feedback as described herein.
  • the user interface circuitry is configured to facilitate user control of at least some functions of the apparatus 500 through the use of a display and configured to respond to user inputs.
  • the processor 505 may also comprise, or be in communication with, display circuitry configured to display at least a portion of a user interface, the display and the display circuitry configured to facilitate user control of at least some functions of the apparatus 500.
  • the user interface 525 may include, as mentioned above, one or more touch screen displays.
  • a touch screen display may be configured to visually present graphical information to a user, as well as receive user input via a touch sensitive screen.
  • the touch screen display, which may be embodied as any known touch screen display, may also include a touch detection surface configured to enable touch recognition by any suitable technique, such as resistive, capacitive, infrared, strain gauge, surface wave, optical imaging, dispersive signal technology, acoustic pulse recognition, or other like techniques.
  • the touch screen display may be configured to operate in a hovering mode, where movements of a finger, stylus, or other implement can be sensed when sufficiently near the touch screen surface, without physically touching the surface.
  • the touch screen displays may include all of the hardware necessary to detect a touch when contact is made with the touch detection surface and send an indication to, for example, processor 505 indicating characteristics of the touch such as location information.
  • a touch event may occur when an object, such as a stylus, finger, pen, pencil or any other pointing device, comes into contact with a portion of the touch detection surface of the touch screen display in a manner sufficient to register as a touch.
  • the touch screen display may therefore be configured to generate touch event location data indicating the location of the touch event on the screen.
  • the touch screen display may be configured to detect a touch and capture attributes of the touch for deriving characteristics of the plurality of authentication marks.
  • the authentication analyzer 540 of example apparatus 500 may be any means or device embodied, partially or wholly, in hardware, a computer program product, or a combination of hardware and a computer program product, such as processor 505 implementing stored instructions to configure the example apparatus 500, memory device 510 storing executable program code instructions configured to carry out the functions described herein, or a hardware configured processor 505 that is configured to carry out the functions of the authentication analyzer 540 as described herein.
  • the processor 505 comprises, or controls, the authentication analyzer 540.
  • the authentication analyzer 540 may be, partially or wholly, embodied as processors similar to, but separate from processor 505. In this regard, the authentication analyzer 540 may be in communication with the processor 505.
  • the authentication analyzer 540 may, partially or wholly, reside on differing apparatuses such that some or all of the functionality of the authentication analyzer 540 may be performed by a first apparatus, and the remainder of the functionality of the authentication analyzer 540 may be performed by one or more other apparatuses.
  • the apparatus 500 and the processor 505 may be configured to perform the following functionality via authentication analyzer 540.
  • the authentication analyzer 540 may be configured to perform operations associated with enrolling a graphical password or authenticator as described herein, and/or perform authentication of marks input by a user to determine the authenticity of the user and permit, for example, unlocking of a device, accessing a website, or the like. Further, performance of the functionality of the authentication analyzer 540 also describes various example method embodiments.
  • the authentication analyzer 540 may be configured to cause or direct means, such as the processor 505 and/or the apparatus 500, to perform various functionalities, such as those described with respect to FIGs. 1a-4c and 7, and as generally described herein.
  • the authentication analyzer 540 may be configured to receive characteristics of one or a plurality of authentication marks within a user input field at 700.
  • the characteristics of each authentication mark may include at least one of an appearance characteristic (e.g., color, pattern, shape, size, or the like) of the authentication mark or a positional characteristic (e.g., relative or absolute) of the authentication mark.
  • the authentication analyzer 540 may be configured to compare the characteristics of the authentication marks to characteristics of the reference marks. For example, particular appearance characteristics may be compared, and/or particular positional characteristics may be compared.
  • the reference marks may also have appearance characteristics including, but not limited to, color, pattern, shape, size, or the like, and/or positional characteristics.
  • Comparisons of the characteristics may involve comparisons between those of an authentication mark and those of a reference mark.
  • the colors of the authentication marks may be compared to the colors of the reference marks.
  • the patterns of the authentication marks may be compared to the patterns of the reference marks.
  • the shapes of the authentication marks may be compared to the shapes of the reference marks. Additionally or alternatively, the sizes of the authentication marks may be compared to the sizes of the reference marks. Based at least on the comparison of some or all of the characteristics, the authentication analyzer 540 may be configured to determine whether a user is successfully authenticated at 720.
  • the authentication analyzer 540 may be
  • the authentication analyzer 540 may be configured to define regions for each authentication mark and determine relative regional relationships between each of at least two authentication marks. In this regard, comparing the characteristics may include comparing the regional relationships between each of the authentication marks to regional relationships between the reference marks.
  • the authentication analyzer 540 may be configured to define a two-dimensional reference system based on positions of two predefined points.
  • the example apparatus of FIG. 6 is a mobile terminal 10 configured to communicate within a wireless network, such as a cellular communications network.
  • the mobile terminal 10 may be configured to perform the functionality of the mobile terminal 100 or apparatus 500 as described herein. More specifically, the mobile terminal 10 may be caused to perform the functionality described with respect to FIGs. 1a-4c and/or 7, via the processor 20.
  • the processor 20 may be configured to perform the functionality described with respect to the authentication analyzer 540.
  • Processor 20 may be an integrated circuit or chip configured similar to the processor 505 together with, for example, the I/O interface 506. Further, volatile memory 40 and non-volatile memory 42 may be configured to support the operation of the processor 20 as computer readable storage media.
  • the mobile terminal 10 may also include an antenna 12, a transmitter 14, and a receiver 16, which may be included as parts of a communications interface of the mobile terminal 10.
  • the speaker 24, the microphone 26, display 28 (which may be a touch screen display), and the keypad 30 may be included as parts of a user interface.
  • FIG. 7 illustrates flowcharts of example systems, methods, and/or computer program products according to example embodiments of the invention. It will be understood that each operation of the flowcharts, and/or combinations of operations in the flowcharts, can be implemented by various means. Means for implementing the operations of the flowcharts, combinations of the operations in the flowchart, or other functionality of example embodiments of the present invention described herein may include hardware, and/or a computer program product including a computer-readable storage medium (as opposed to a computer-readable transmission medium which describes a propagating signal) having one or more computer program code instructions, program instructions, or executable computer-readable program code instructions stored therein. In this regard, program code instructions for performing the operations and functions of FIG.
  • any such program code instructions may be loaded onto a computer or other programmable apparatus (e.g., processor 505, memory device 510, or the like) from a computer-readable storage medium to produce a particular machine, such that the particular machine becomes a means for implementing the functions specified in the flowcharts' operations.
  • program code instructions may also be stored in a computer-readable storage medium that can direct a computer, a processor, or other programmable apparatus to function in a particular manner to thereby generate a particular machine or particular article of manufacture.
  • the instructions stored in the computer-readable storage medium may produce an article of manufacture, where the article of manufacture becomes a means for implementing the functions specified in the flowcharts' operations.
  • the program code instructions may be retrieved from a computer-readable storage medium and loaded into a computer, processor, or other programmable apparatus to configure the computer, processor, or other programmable apparatus to execute operations to be performed on or by the computer, processor, or other programmable apparatus.
  • Retrieval, loading, and execution of the program code instructions may be performed sequentially such that one instruction is retrieved, loaded, and executed at a time. In some example embodiments, retrieval, loading and/or execution may be performed in parallel such that multiple instructions are retrieved, loaded, and/or executed together. Execution of the program code instructions may produce a computer- implemented process such that the instructions executed by the computer, processor, or other programmable apparatus provide operations for
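The relative-quadrant comparison of FIGs. 4a-4c (authentication marks 41x and 42x above), the entry-time axis shift, the 0.5n(n-1)*2-bit entropy estimate, and the analyzer's receive/compare/decide operations at 700 and 720 above, carried through in one added Python example. This is not code from the patent or from Nokia: the Mark record, the pixel coordinates and colour/pattern strings (constructed sample values), and the reading of the "lower numbered quadrant" shift policy in shift_off_axes are assumptions made for the example.

```python
"""Relative-quadrant graphical authentication (added example, not patent code)."""
from dataclasses import dataclass, replace
from itertools import permutations
from typing import List, Sequence, Tuple


@dataclass(frozen=True)
class Mark:
    """One mark as captured from the input field (assumed record layout)."""
    x: int          # pixel coordinates, constructed sample values
    y: int
    color: str      # appearance characteristics
    pattern: str


# Sign of (dx, dy) for each quadrant of the axes drawn through a mark (FIG. 3).
QUADRANT_SIGNS = {1: (1, 1), 2: (-1, 1), 3: (-1, -1), 4: (1, -1)}


def _sign(v: float, min_dist: float) -> int:
    """+1/-1 when clearly off the axis, 0 when within min_dist of it (ambiguous)."""
    return 0 if abs(v) < min_dist else (1 if v > 0 else -1)


def quadrant(origin: Mark, other: Mark) -> int:
    """Quadrant (1-4) of `other` relative to orthogonal axes through `origin`.
    Callers run shift_off_axes first, so no mark sits on another mark's axis."""
    dx, dy = other.x - origin.x, other.y - origin.y
    key = (1 if dx > 0 else -1, 1 if dy > 0 else -1)
    return next(q for q, s in QUADRANT_SIGNS.items() if s == key)


def shift_off_axes(marks: Sequence[Mark], min_dist: int = 1) -> List[Mark]:
    """Entry-time disambiguation: a mark within min_dist of another mark's axis is
    moved into the lowest-numbered quadrant consistent with its position, exactly
    min_dist off that axis (assumed reading of the 'lower numbered quadrant' rule).
    Applied to reference marks at enrollment and to authentication marks at login."""
    out = list(marks)
    for _ in range(len(out) ** 2 + 1):            # bounded fix-point iteration
        changed = False
        for i in range(len(out)):
            for j in range(len(out)):
                if i == j:
                    continue
                o, m = out[i], out[j]
                sx, sy = _sign(m.x - o.x, min_dist), _sign(m.y - o.y, min_dist)
                if sx and sy:
                    continue                      # unambiguous pair
                q = min(q for q, (qx, qy) in QUADRANT_SIGNS.items()
                        if sx in (0, qx) and sy in (0, qy))
                qx, qy = QUADRANT_SIGNS[q]
                out[j] = replace(m, x=m.x if sx else o.x + qx * min_dist,
                                 y=m.y if sy else o.y + qy * min_dist)
                changed = True
        if not changed:
            return out
    raise ValueError("marks could not be separated from each other's axes")


def quadrant_profile(marks: Sequence[Mark], i: int) -> Tuple[int, int, int, int]:
    """Relative position relationship characteristic of mark i: how many other
    marks fall in each of its four quadrants (mark 424's 'two marks in its first
    quadrant' is a profile whose first entry is 2)."""
    counts = [0, 0, 0, 0]
    for j, m in enumerate(marks):
        if j != i:
            counts[quadrant(marks[i], m) - 1] += 1
    return tuple(counts)


def appearance_matches(a: Mark, r: Mark) -> bool:
    return a.color == r.color and a.pattern == r.pattern


def authenticate(auth_marks: Sequence[Mark], ref_marks: Sequence[Mark],
                 min_dist: int = 1) -> bool:
    """Operations 700-720 of FIG. 7: receive characteristics, compare them with the
    reference marks, decide. Success requires a one-to-one assignment under which
    every appearance characteristic and every pairwise quadrant relationship agrees,
    so no reference mark is left unmatched."""
    if len(auth_marks) != len(ref_marks):
        return False
    a, r = shift_off_axes(auth_marks, min_dist), shift_off_axes(ref_marks, min_dist)
    n = len(a)
    # Per-mark prefilter: same appearance and same quadrant profile.
    cands = [[k for k in range(n) if appearance_matches(a[i], r[k])
              and quadrant_profile(a, i) == quadrant_profile(r, k)] for i in range(n)]
    if any(not c for c in cands):
        return False                              # e.g. mark 424 has no counterpart
    for perm in permutations(range(n)):           # n is a handful of marks
        if all(perm[i] in cands[i] for i in range(n)) and all(
                quadrant(a[i], a[j]) == quadrant(r[perm[i]], r[perm[j]])
                for i in range(n) for j in range(n) if i != j):
            return True
    return False


def relative_position_entropy_bits(n: int) -> int:
    """Two bits per unordered pair of marks: 0.5 * n * (n - 1) * 2 (12 bits for n = 4)."""
    return 2 * (n * (n - 1) // 2)


# Constructed sample data (coordinates chosen for the example, not from the patent).
REFERENCE = [Mark(10, 12, "red", "solid"), Mark(45, 20, "blue", "striped"),
             Mark(18, 50, "green", "dotted"), Mark(52, 58, "red", "solid")]
# Same colours, patterns and relative quadrants, scaled and translated: accepted.
AUTH_OK = [Mark(120, 29, "red", "solid"), Mark(190, 45, "blue", "striped"),
           Mark(136, 105, "green", "dotted"), Mark(204, 121, "red", "solid")]
# Blue mark moved above the green one: its quadrant profile matches no reference mark.
AUTH_BAD_POSITION = [Mark(10, 12, "red", "solid"), Mark(18, 70, "blue", "striped"),
                     Mark(45, 20, "green", "dotted"), Mark(52, 58, "red", "solid")]
# Right positions, wrong colour on the second mark.
AUTH_BAD_COLOR = [REFERENCE[0], replace(REFERENCE[1], color="green"), REFERENCE[2], REFERENCE[3]]

if __name__ == "__main__":
    for name, marks in [("AUTH_OK", AUTH_OK), ("AUTH_BAD_POSITION", AUTH_BAD_POSITION),
                        ("AUTH_BAD_COLOR", AUTH_BAD_COLOR)]:
        print(name, "->", "authenticated" if authenticate(marks, REFERENCE) else "rejected")
    print("relative-position entropy for 4 marks:", relative_position_entropy_bits(4), "bits")
```

The decision is deliberately an exact bijection check over the pairwise quadrant relationships, which is stricter than comparing per-mark profiles alone; the profile comparison serves as the quick rejection the description gives for mark 424. In a real analyzer the reference characteristics would be loaded from the secure storage the description assigns to memory device 510, and the accept/reject decision would be made by the analyzer rather than by the user-interface layer that captures the touches.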

Abstract

Various methods for implementing graphical authentication are provided. One example method may include receiving characteristics of one or more authentication marks within a user input field, wherein the characteristics of each authentication mark include at least one of an appearance characteristic of the authentication mark or a positional characteristic of the authentication mark. The example method may further include comparing the characteristics of the plurality of authentication marks to characteristics of one or more reference marks. The example method may also include determining whether to authenticate a user based at least on the comparison of the characteristics. Similar and related example methods, example apparatuses, and example computer program products are also provided.

Description

METHOD, APPARATUS, AND COMPUTER PROGRAM PRODUCT FOR IMPLEMENTING GRAPHICAL AUTHENTICATION
TECHNICAL FIELD
Embodiments of the present invention relate generally to implementing a user interface, and, more particularly, relate to a method, apparatus, and computer program product for implementing graphical authentication.
BACKGROUND
The security of local and remote computing devices and services has become an important issue as an increasing amount of sensitive data and functionality is made accessible via devices and network connections. For example, mobile computing devices, such as smart phones and other wireless devices, are being commonly used for sensitive tasks such as banking, record keeping, and the like. These devices can put this sensitive information at a security risk, because, for example, the device is portable, which increases the likelihood that the device may be lost or stolen. Sensitive information may be accessible via remote network connections, such as via the Internet. Additionally, costly functionality (e.g., international phone calls, online shopping) may be used by a thief of a device, if that device is not securely protected by a robust authentication process. As a result of the increased accessibility to sensitive information and functionality, a need arises for convenient but highly secure authentication procedures to provide access.
SUMMARY
Example methods, example apparatuses, and example computer program products are described herein that provide for implementing graphical authentication. One example method may include receiving characteristics of one or more authentication marks within a user input field, where the characteristics of each authentication mark comprise at least one of an appearance characteristic of the authentication mark or a positional characteristic of the authentication mark. According to some example embodiments, the positional characteristics may be defined based on the relative positions between the authentication marks, or the positional characteristics may be defined with respect to an absolute or fixed position (e.g., one or more positional reference points or axes). The example method may further include comparing the characteristics of the one or more authentication marks to characteristics of one or more reference marks, where the characteristics of each reference mark comprise at least one of an appearance characteristic of the reference mark or a positional characteristic of the reference mark. Comparing the characteristics may comprise comparing the appearance characteristics of the authentication marks to appearance characteristics of the reference marks or comparing the positional characteristics of the authentication marks to positional characteristics of the reference marks. The example method may also include determining whether a user is successfully authenticated based at least on the comparison of the characteristics.
An additional example embodiment is an apparatus configured to implement graphical authentication. The example apparatus may comprise at least one processor and at least one memory including computer program code, the at least one memory and the computer program code configured to, with the at least one processor, direct the apparatus to perform various functionality. In this regard, the example apparatus may be directed to receive characteristics of one or more authentication marks within a user input field, where the characteristics of each authentication mark comprise at least one of an appearance characteristic of the authentication mark or a positional characteristic of the authentication mark. The example apparatus may also be directed to compare the characteristics of the one or more authentication marks to characteristics of one or more reference marks, where the characteristics of each reference mark comprise at least one of an appearance characteristic of the reference mark or a positional characteristic of the reference mark. Further, being directed to compare the characteristics may comprise being directed to compare the appearance characteristics of the authentication marks to appearance characteristics of the reference marks or to compare the positional characteristics of the authentication marks to positional characteristics of the reference marks. The example apparatus is directed to, based at least on the comparison of the characteristics, determine whether a user is successfully authenticated.
Another example embodiment is a computer program that, when executed, causes an apparatus to receive characteristics of one or more authentication marks within a user input field, where the characteristics of each authentication mark comprise at least one of an appearance characteristic of the authentication mark or a positional characteristic of the authentication mark. The example computer program may also direct the apparatus to compare the characteristics of the one or more authentication marks to characteristics of one or more reference marks, where the characteristics of each reference mark comprise at least one of an appearance characteristic of the reference mark or a positional characteristic of the reference mark. Further, being directed to compare the characteristics may comprise being directed to compare the appearance characteristics of the authentication marks to appearance characteristics of the reference marks or to compare the positional characteristics of the authentication marks to positional characteristics of the reference marks. The example computer program may further direct the apparatus to, based at least on the comparison of the characteristics, determine whether a user is successfully authenticated.
Another example embodiment is a computer program product comprising a non-transitory memory or other non-transitory computer readable medium having computer program code stored thereon, wherein the computer program code is configured to direct an apparatus to perform various functionalities. In this regard, the program code may be configured to direct the apparatus to receive characteristics of one or more authentication marks within a user input field, where the characteristics of each authentication mark comprise at least one of an appearance characteristic of the authentication mark or a positional characteristic of the authentication mark. The example computer program code may also be configured to direct the apparatus to compare the characteristics of the one or more authentication marks to characteristics of one or more reference marks, where the characteristics of each reference mark comprise at least one of an appearance characteristic of the reference mark or a positional characteristic of the reference mark. Further, being directed to compare the characteristics may comprise being directed to compare the appearance characteristics of the authentication marks to appearance characteristics of the reference marks or to compare the positional characteristics of the authentication marks to positional characteristics of the reference marks. The example computer program code may further direct the apparatus to, based at least on the comparison of the characteristics, determine whether a user is successfully authenticated.
Another example apparatus comprises means for receiving characteristics of one or more authentication marks within a user input field, where the characteristics of each authentication mark comprise at least one of an appearance characteristic of the authentication mark or a positional characteristic of the authentication mark. The example apparatus may further comprise means for comparing the characteristics of the one or more authentication marks to characteristics of one or more reference marks, where the characteristics of each reference mark comprise at least one of an appearance characteristic of the reference mark or a positional characteristic of the reference mark. The means for comparing the characteristics may comprise means for comparing the appearance characteristics of the authentication marks to appearance characteristics of the reference marks or means for comparing the positional characteristics of the authentication marks to positional characteristics of the reference marks. The example apparatus may also comprise means for determining whether a user is successfully authenticated based at least on the comparison of the characteristics.
BRIEF DESCRIPTION OF THE DRAWING(S) Having thus described some example embodiments of the invention in general terms, reference will now be made to the accompanying drawings, which are not necessarily drawn to scale, and wherein:
FIG. la illustrates an example mobile device with a touch screen display for inputting authentication marks according to an example embodiment of the present invention;
FIG. 1b illustrates an example computer system for inputting authentication marks according to an example embodiment of the present invention;
FIGs. 2a and 2b illustrate screen shots of an implementation that uses color and pattern for determining whether a user is authentic according to various example embodiments of the present invention;
FIG. 3 illustrates a quadrant definition of a mark according to an example embodiment of the present invention;
FIGs. 4a through 4c illustrate screen shots of an implementation that relies upon relative quadrant positioning for determining whether a user is authentic according to an example embodiment of the present invention;
FIG. 5 illustrates a block diagram of an apparatus and associated system for implementing a graphical authentication according to some example embodiments of the present invention;
FIG. 6 illustrates a block diagram of a mobile terminal configured to implement graphical authentication according to some example embodiments of the present invention; and
FIG. 7 is a flowchart of an example method for graphical authentication according to an example embodiment of the present invention.
DETAILED DESCRIPTION
Example embodiments of the present invention will now be described more fully hereinafter with reference to the accompanying drawings, in which some, but not all embodiments of the invention are shown. Indeed, the invention may be embodied in many different forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided so that this disclosure will satisfy applicable legal requirements. Like reference numerals refer to like elements throughout. The terms "data," "content," "information," and similar terms may be used interchangeably, according to some example embodiments of the present invention, to refer to data capable of being transmitted, received, operated on, and/or stored.
As used herein, the term 'circuitry' refers to all of the following: (a) hardware-only circuit implementations (such as implementations in only analog and/or digital circuitry); (b) to combinations of circuits and software (and/or firmware), such as (as applicable): (i) to a combination of processor(s) or (ii) to portions of processor(s)/software (including digital signal processor(s)), software, and memory(ies) that work together to cause an apparatus, such as a mobile phone or server, to perform various functions); and (c) to circuits, such as a microprocessor(s) or a portion of a microprocessor(s), that require software or firmware for operation, even if the software or firmware is not physically present.
This definition of 'circuitry' applies to all uses of this term in this application, including in any claims. As a further example, as used in this application, the term "circuitry" would also cover an implementation of merely a processor (or multiple processors) or portion of a processor and its (or their) accompanying software and/or firmware. The term "circuitry" would also cover, for example and if applicable to the particular claim element, a baseband integrated circuit or applications processor integrated circuit for a mobile phone or a similar integrated circuit in a server, a cellular network device, or other network device.
Various example embodiments of the present invention relate to methods, apparatuses, and computer program products for implementing graphical authentication. In this regard, a user may input a plurality of authentication marks on, for example, a touch screen display as a means for submitting an authenticator or password to authenticate the user. A device may compare these authentication marks with reference marks to determine whether the user is authentic, and, for example, provide access to functionality of an electronic device. To authenticate a user, characteristics of the authentication marks may be compared to characteristics of a plurality of reference marks. Reference marks may be provided, and their characteristics defined, during an enrollment or password definition process.
A mark, such as an authentication mark or a reference mark, may be, according to some example embodiments, any type of graphic that is based on a user input. In some example embodiments, a mark may be referred to as a blob because a mark may take any form such as a shape, a graphical representation of a touch or a swipe, or the like. A mark may be drawn or provided by a user, for example, with a stylus, finger, or the like on a touch pad or touch screen display of an electronic device, or by using an electronic implement for input such as a mouse, trackball, automated drawing puck, joystick, gaming controller, or the like. Because a plurality of marks can be rather unique, collections of marks may be utilized as highly reliable and convenient passwords.
In this regard, a plurality of marks may be used to determine the authenticity of a user. For authentication purposes, a plurality of reference marks may be defined and stored during enrollment. When a user wishes, for example, to unlock a handheld device and gain access to the device's functionality, gain access to information on a secure website, or be otherwise authenticated, the user may input a plurality of authentication marks, in a similar manner to entering a password. If characteristics of the authentication marks sufficiently match the characteristics of a plurality of reference marks, the user may be authenticated, and, for example, gain access to data or functionalities.
Given the context provided above, FIGs. 1a and 1b illustrate an example mobile terminal 100 and an example computer system 150 that may be configured to implement graphical authentication as described herein. In this regard, the mobile terminal 100 and/or the computer system 150 may be electronic devices that, for example, execute applications that require user authentication. In this regard, based on the context of the device, a graphical password may be requested as depicted in FIG. 1a. The user may utilize the touch screen display 103, mouse 151, or other drawing apparatus to enter the authentication marks 105 during an authentication process and/or reference marks during an enrollment process. In some example embodiments, the computer system 150 may be installed in, for example, a banking machine, and entry of authentication marks may be required to authenticate a user prior to permitting the user to conduct banking from the machine. Further, in some example embodiments, the mobile terminal 100 and/or the computer system 150 may be connected to a network, and the authentication marks may be required to access data or functionality via another terminal or server on the network. For example, authentication marks may be required to access a webpage that is available via the network, such as, for example, a social networking site, an email service site, or any other site that would require authentication of the user prior to granting access.
A user may input a plurality of authentication marks in a number of ways. For example, referring to FIG. 1a, a user may select a color from the color panel 101, select a pattern from the pattern panel 102, and place an authentication mark within a user input field 104 of the display 103. The authentication mark may have characteristics including the selected color and the selected pattern. In this regard, the letters a, b, c, d, e, and f of the color panel 101 are representative of particular colors that may be selected by, for example, touching the associated colored box within the panel. As such, the letter indications with the marks 105 indicate the colors that are associated with the marks (e.g., a may be blue, b may be red, etc.). The patterns to select from may be any type of patterns including, but not limited to, diagonal lines, vertical lines, horizontal lines, diagonal cross-hatch, vertical/horizontal cross-hatch, or the like. The user may then indicate a position within a user input field to place the mark. Placement of a mark (e.g., an authentication mark during an authentication process or a reference mark during an enrollment process) may be performed, for example, by touching a touch screen at the position where the mark is desired to be placed. In some example embodiments, a user may drag a mark in the user input field, using for example a finger on a touch screen or a mouse with a depressed button. The user may also further manipulate the size and shape of the mark (e.g., stretch the mark) or change the orientation of the mark (e.g., rotate the mark). In this regard, characteristics such as color, pattern, shape, and size may be classified as appearance characteristics, while characteristics such as position and orientation may be classified as positional characteristics.
In some example embodiments, the color and/or pattern of each of a plurality of marks may be selected, and as each is selected, a mark may be automatically placed, possibly in a random or pseudo-random position in the user input field. Upon adding some or all of the desired marks to the user input field, the user may then move or drag the various marks into desired positions. Further, in some example embodiments, an authentication process may begin with a plurality of marks already located within the user input field. The user may then be required to modify the characteristics of these marks to continue the authentication. Additionally, while FIG. 1a illustrates authentication marks that have both color and pattern characteristics, it is contemplated that, according to some example embodiments, marks may be input, and an authentication process may consider, marks that have a color characteristic and no pattern, or a pattern but no color, for performing authentications. According to some example embodiments, inputting a mark having a single considered characteristic may increase the drawing or painting speed of the user. In some example embodiments, distinctive shapes, such as, for example, hand-drawn alphanumeric characters may also be considered as another characteristic or dimension for authentication, with the effect of increasing authentication entropy while possibly slowing user input speeds. In some embodiments, gestures may also be considered as a mechanism for inputting a mark. Through the use of gestures, three positional dimensions may be considered, either in a relative sense between the marks or in an absolute sense relative to a fixed origin.
Additionally, according to some example embodiments, the ordering of the colors in the color panel 101 and/or the ordering of the patterns in the pattern panel 102 may be randomly or pseudo-randomly determined each time an authentication process is undertaken. By continually modifying the ordering according to some example embodiments, security may be improved by reducing the risk associated with shoulder surfing attacks.
According to some example embodiments, to further increase security and avoid user bias when enrolling a plurality of reference marks (when setting the graphical password), the electronic device may automatically select the characteristics of the reference marks (e.g., colors, patterns, shapes, sizes, positions, etc.). By defining a plurality of reference marks in this manner, the biases of the user can be eliminated. For example, a user may be prevented from always using their favorite color, repeating the same color or pattern for simplicity, or using other predictable characteristics when enrolling reference marks.
FIGs. 2a and 2b illustrate an example embodiment of the present invention that involves determining whether a user is successfully authenticated by comparing the colors of authentication marks to the colors of reference marks, and by comparing the patterns of the authentication marks with the patterns of the reference marks. According to some example embodiments, more or fewer characteristics may be considered for an authentication process, such as, for example, the positions of the marks, the size of the marks, the shape of the marks, or the like. In some example embodiments, the order in which the marks are introduced or otherwise acted upon by the user may be considered as a characteristic. By considering ordering of the authentication marks, an additional bit of entropy per mark may be introduced to the authentication process.
In FIG. 2a, a plurality of reference marks 205 is shown. During an authentication process, for a user to be authenticated, the user may input authentication marks that have particular characteristics that match the characteristics of reference marks, possibly, with respect to some characteristics (e.g., positional characteristics), within a threshold difference. According to FIG. 2a, four reference marks are being utilized. Reference mark 201 has characteristics of a color a and a pattern that is diagonal top-right to bottom-left. Reference mark 202 has characteristics of a color d and a pattern that is vertical-horizontal crosshatch. Reference mark 203 has characteristics of a color f and a pattern that is diagonal crosshatch. Reference mark 204 has characteristics of a color c and a pattern that is diagonal top-left to bottom-right. According to some example embodiments, presentation of the reference marks may be provided to the user only during enrollment or after having already been authenticated, possibly in another fashion (e.g., through security questions due to a forgotten authenticator).
Accordingly, when a user wishes to be authenticated, a device may request the input of authentication marks. FIG. 2b illustrates four example input authentication marks 215 that have been provided by the user. The authentication marks 215 include authentication mark 211, which has characteristics of a color a and a pattern of diagonal top-right to bottom-left. Authentication mark 212 has characteristics of a color d and a pattern that is vertical-horizontal crosshatch. Authentication mark 213 has characteristics of a color f and a pattern that is diagonal crosshatch. Authentication mark 214 has characteristics of a color c and a pattern that is diagonal top-left to bottom-right. While FIGs. 2a and 2b illustrate marks that have different colors and different patterns between each mark, according to various example embodiments, multiple marks could share a pattern with or without different colors, or multiple marks could share colors with or without different patterns.
To determine whether the user has been successfully authenticated, the device compares the characteristics of the authentication marks to the characteristics of the reference marks. In one example embodiment, for the purpose of determining authentication, the colors and patterns of the authentication marks may be compared to the colors and patterns of the reference marks. With respect to the authentication marks 215 and the reference marks 205, for example, the characteristics of each authentication mark may be compared with the characteristics of each reference mark to determine if a match is found. Since, in this example embodiment, only color and pattern are being considered, other characteristics such as position, size, shape, and the like are not factored into this example type of authentication analysis, but these characteristics could be if desired.
As such, referring to FIGs. 2a and 2b, the characteristics of authentication mark 211 may be considered and compared to the characteristics of each of the reference marks 201, 202, 203, and 204. Based on this example scenario, a device (e.g., processor) would determine that the characteristics of authentication mark 211 match those of reference mark 201. Similar analyses may be performed with respect to the other authentication marks to determine that the characteristics of authentication mark 212 match those of reference mark 202, the characteristics of authentication mark 213 match those of reference mark 203, and the characteristics of authentication mark 214 match those of reference mark 204. Accordingly, with respect to this example scenario, matches have been identified between each of the authentication marks and each of the reference marks, and no reference marks are left unmatched. As such, the user is authentic. Had one or more of the authentication marks not satisfied a characteristic match to a reference mark, or had a reference mark been left unmatched, then the user would not have been authenticated.
In some example embodiments, the marks may be lines or curves, such as lines or curves for implementing a draw-a-secret authentication process. The lines or curves may be entered and compared in the same manner as described above and otherwise herein. In this regard, the colors of the authentication lines or curves may be compared to the colors of the reference lines or curves. Additionally, or alternatively, the pattern of the authentication lines or curves may be compared to the patterns of the reference lines or curves.
According to various example embodiments, the entropy of the passwords generated in this way is very high due to the various combinations of colors and patterns that can be created. In an embodiment utilizing eight distinct colors and eight distinct patterns, the characteristics of each mark may be described using a 6 bit value per mark. As such, the entropy for four marks may be 24 bits and for five marks 30 bits. If, however, a scheme were used that did not consider one of the characteristics (e.g., only color was considered), then four marks may have an entropy of 12 bits and five marks may have an entropy of 15 bits.
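The mark-by-mark comparison described for FIGs. 2a and 2b, together with the entropy figures just given, worked through as an added Python example (this is not code from the patent). The Mark record, the mark labels, the pattern names and the positions are constructed for the example, and the optional positional threshold illustrates the "within a threshold difference" matching mentioned for FIG. 2a.

```python
from itertools import permutations
from math import hypot, log2
from typing import List, NamedTuple, Optional, Sequence, Tuple


class Mark(NamedTuple):
    """One blob as entered in the user input field (constructed representation)."""
    label: str                                   # figure numeral, for readable output
    color: str                                   # letter of the color panel ("a" .. "h")
    pattern: str                                 # entry of the pattern panel
    position: Tuple[float, float] = (0.0, 0.0)   # used only when position is considered


def marks_match(auth: Mark, ref: Mark, position_threshold: Optional[float]) -> bool:
    """Appearance characteristics (color, pattern) must be equal; the positional
    characteristic, when considered, only has to agree within a threshold."""
    if (auth.color, auth.pattern) != (ref.color, ref.pattern):
        return False
    if position_threshold is None:
        return True
    dx = auth.position[0] - ref.position[0]
    dy = auth.position[1] - ref.position[1]
    return hypot(dx, dy) <= position_threshold


def find_matching(auth_marks: Sequence[Mark], ref_marks: Sequence[Mark],
                  position_threshold: Optional[float] = None) -> Optional[List[Tuple[str, str]]]:
    """Return a one-to-one pairing (auth label, ref label) in which every
    authentication mark matches a reference mark and no reference mark is left
    unmatched, or None if no such pairing exists. The search is exhaustive over
    the few marks a password holds, so marks that share a color or a pattern are
    paired correctly rather than greedily."""
    if len(auth_marks) != len(ref_marks):
        return None                      # a reference mark would be left unmatched
    for order in permutations(ref_marks):
        if all(marks_match(a, r, position_threshold) for a, r in zip(auth_marks, order)):
            return [(a.label, r.label) for a, r in zip(auth_marks, order)]
    return None


def is_authenticated(auth_marks: Sequence[Mark], ref_marks: Sequence[Mark],
                     position_threshold: Optional[float] = None) -> bool:
    return find_matching(auth_marks, ref_marks, position_threshold) is not None


def entropy_bits(n_marks: int, n_colors: int = 8, n_patterns: int = 8,
                 consider_pattern: bool = True) -> float:
    """Entropy of n marks for the characteristics considered: log2(8 * 8) = 6 bits
    per mark with color and pattern, log2(8) = 3 bits with color only."""
    choices = n_colors * (n_patterns if consider_pattern else 1)
    return n_marks * log2(choices)


# Constructed marks modelled on FIGs. 2a and 2b (positions are invented and are
# ignored unless a threshold is passed).
REFERENCE_MARKS = [
    Mark("201", "a", "diagonal top-right to bottom-left", (40, 40)),
    Mark("202", "d", "vertical-horizontal crosshatch", (120, 40)),
    Mark("203", "f", "diagonal crosshatch", (40, 120)),
    Mark("204", "c", "diagonal top-left to bottom-right", (120, 120)),
]
AUTH_MARKS_OK = [   # same colors and patterns, entered in a different order
    Mark("213", "f", "diagonal crosshatch", (45, 118)),
    Mark("211", "a", "diagonal top-right to bottom-left", (38, 44)),
    Mark("214", "c", "diagonal top-left to bottom-right", (119, 125)),
    Mark("212", "d", "vertical-horizontal crosshatch", (122, 37)),
]
AUTH_MARKS_BAD = AUTH_MARKS_OK[:3] + [Mark("214x", "c", "vertical lines", (119, 125))]
```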
Another characteristic (dimension) that may be additionally or alternatively included in an authentication process may be the relative positions between the marks. Relative position may be considered in any of a number of ways. In one example embodiment, a reference point for each mark may be defined and used for comparisons of relative positions. According to some example embodiments, the reference point may be calculated as the geometric center of the mark; however, other techniques may be used to define a reference point for a mark.
In one example embodiment, relative positions of the marks may be considered with respect to quadrants defined for each mark. In this regard, an origin of the mark may be defined, which may be a calculated reference point (e.g., the geometric center). Based on the origin and an orientation reference (e.g., the edges of a display screen or a calculated orientation reference that considers the orientation of the reference marks), a two-dimensional quadrant axis system may be defined for a mark. In some example embodiments, the two-dimensional quadrant axis system may be defined with respect to two selected marks, such that the two selected marks may be within a common quadrant. FIG. 3 illustrates an example mark with a quadrant axis system. The point where the dashed lines of FIG. 3 cross may be the origin. Using the orientation reference, four quadrants may be defined - a first quadrant, a second quadrant, a third quadrant, and a fourth quadrant. The relative position between two marks may be defined by which quadrant the other mark resides within. According to various example embodiments, a mark may reside at a position defined by the mark's reference point. For example, referring to FIG. 4a, reference mark 403 resides in reference mark 401's second quadrant. In this fashion, relative position relationships can be defined and used for authentication. Again referring to FIG. 3, a polar coordinate system may be considered when utilizing a quadrant scheme, where the position between two points may be given more precisely by an angle from 0 to 360 degrees relative to the origin.
While the example embodiment described herein relies upon a quadrant system, it is contemplated that non-quadrant based systems having any number of defined regions may alternatively be utilized. In this regard, the area surrounding an origin for a mark may be divided into any number of, for example, pie-shaped regions, such that a line drawn from the origin of the mark to a reference point of another mark will fall within one of the regions and will indicate in which region the mark associated with the reference point is located. In this manner, the relative regional relationships between the marks may be defined. According to some example embodiments, a regional relationship may include attributes indicating the angular relationship between marks, the distance relationship between marks, or both. In some example embodiments, the distance may be a value between a minimum and a maximum. As an alternative example, the area surrounding the origin of a mark may be divided into halves. The relative regional relationships may then be based on, for example, whether the other mark is to the left or right of a mark, or, for example, above or below the mark, as indicated by a line drawn from the origin to a reference point of another mark.
Referring to FIGs. 4a through 4c, an example authentication process is described where FIG. 4b illustrates a situation where the user is authenticated, based on relative positions of the authentication marks, and where FIG. 4c illustrates a different authentication attempt where the user is not authenticated based on the relative positions of the authentication marks. FIG. 4a illustrates the enrolled reference marks 405, which include reference marks 401, 402, 403, and 404. In FIG. 4a, an origin and quadrant axis system has been defined for each reference mark. While the dashed axes for each mark are depicted in FIGs. 4a through 4c, according to some example embodiments, the axes need not be displayed to the user. Here, the axes are provided for assistance in explanation.
With respect to the reference marks of FIG. 4a, the relative position relationship may be defined as a characteristic of each mark. In this regard, the characteristics for reference mark 401 may indicate that one reference mark is positioned in its second quadrant (reference mark 403), and two reference marks are positioned in its fourth quadrant (reference marks 402 and 404). The characteristics for reference mark 402 may indicate that one reference mark is positioned in its first quadrant (reference mark 401), and two reference marks are positioned in its second quadrant (reference marks 403 and 404). The characteristics for reference mark 403 may indicate that three reference marks are positioned in its third quadrant (reference marks 401, 402, and 404). The characteristics for reference mark 404 may indicate that one reference mark is positioned in its first quadrant (reference mark 401), one reference mark is positioned in its second quadrant (reference mark 403), and one reference mark is positioned in its third quadrant (reference mark 402).
Based on these relative position relationship characteristics, comparisons may be made between authentication marks and reference marks to determine whether a user is authentic. In this regard, considering the example authentication marks 415 of FIG. 4b, a match of the characteristics may be determined and the user may be determined to be authentic. It is noteworthy that in the example embodiments described with respect to relative position, the color, pattern, size, shape, and other characteristics are not being considered, but these or other additional characteristics could be considered to generate more robust passwords, as further described below. However, considering only relative position, it can be seen that authentication mark 411 has the same relative position relationship characteristics as reference mark 401, authentication mark 412 has the same relative position relationship characteristics as reference mark 402, authentication mark 413 has the same relative position relationship characteristics as reference mark 403, and authentication mark 414 has the same relative position relationship characteristics as reference mark 404. Since the comparisons of the characteristics of the marks identify matches between the authentication marks and the reference marks, and no reference mark is left unmatched, a successful authentication may be identified for the authentication marks 415.
Referring now to FIG. 4c, a failed authentication attempt is identified based on relative positions. In this regard, the authentication marks 425, which include authentication marks 421, 422, 423, and 424, do not have relative position relationship characteristics that match those of the reference marks 405. In this regard, it can be seen that authentication mark 424 has two marks in its first quadrant, but no reference mark has two reference marks in its first quadrant. As such, no match can be made with the characteristics of authentication mark 424, nor with those of the other authentication marks, and therefore an unsuccessful authentication attempt is determined.
Since in some instances the quadrant that a mark resides in may be visually unclear, according to some example embodiments, a device may automatically shift a mark at the time of entry to avoid ambiguity. In this regard, if a mark is positioned near or within a threshold distance of an axis, the mark may be shifted into one of the quadrants (e.g., the lower numbered quadrant) such that the mark (or the mark's reference point) is at least a minimum distance from the axis. This shifting may be performed during enrollment of reference marks or during authentication for authentication marks.
The inclusion of the relative position relationship characteristics in an authentication process that also considers color and patterns increases the entropy of the possible options for authenticators (passwords). The relative position relationship characteristics add two bits of entropy per pair of marks. For four marks, the additional entropy is 12 bits (0.5·n·(n-1)·2 bits). However, if other characteristics such as color and pattern are not considered, the entropy would be lower.
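The relative-position (quadrant) characteristics of FIGs. 4a through 4c, the automatic shift of a mark away from an axis, and the two-bits-per-pair entropy count, worked through as an added Python example rather than code from the patent. The quadrant numbering (1 = upper-left, 2 = upper-right, 3 = lower-left, 4 = lower-right, with screen y growing downward) is an assumption chosen because it reproduces every relationship listed for FIG. 4a; all coordinates are constructed.

```python
from collections import Counter
from typing import Dict, List, Sequence, Tuple

Point = Tuple[float, float]

# Assumed quadrant numbering for FIG. 3 (the patent does not fix it; this is the
# numbering that reproduces every FIG. 4a relationship): screen coordinates with
# y growing downward, 1 = upper-left, 2 = upper-right, 3 = lower-left,
# 4 = lower-right of the mark's origin.


def reference_point(stroke: Sequence[Point]) -> Point:
    """Origin of a mark: the geometric center of the points the user touched."""
    n = len(stroke)
    return (sum(p[0] for p in stroke) / n, sum(p[1] for p in stroke) / n)


def quadrant(origin: Point, other: Point) -> int:
    """Quadrant of `other` relative to the axis system centred on `origin`."""
    dx, dy = other[0] - origin[0], other[1] - origin[1]
    if dx == 0 or dy == 0:
        raise ValueError("point lies on an axis; apply shift_off_axes at entry time")
    if dy < 0:                       # above the origin
        return 1 if dx < 0 else 2
    return 3 if dx < 0 else 4        # below the origin


def shift_off_axes(point: Point, origins: Sequence[Point], min_dist: float) -> Point:
    """Entry-time disambiguation: if `point` lies within `min_dist` of the vertical
    or horizontal axis of an already placed mark, move it to the lower-numbered
    side (left, respectively up) so that it is at least `min_dist` from that axis.
    Single pass; a shift could in principle land near another mark's axis."""
    x, y = point
    for ox, oy in origins:
        if abs(x - ox) < min_dist:
            x = ox - min_dist
        if abs(y - oy) < min_dist:
            y = oy - min_dist
    return (x, y)


def relation_signature(index: int, points: Sequence[Point]) -> Tuple[Tuple[int, int], ...]:
    """Relative-position characteristic of one mark: how many other marks lie in
    each of its quadrants, e.g. ((2, 1), (4, 2)) for reference mark 401 of FIG. 4a."""
    counts = Counter(quadrant(points[index], p)
                     for j, p in enumerate(points) if j != index)
    return tuple(sorted(counts.items()))


def password_signature(points: Sequence[Point]) -> Counter:
    """Multiset of the per-mark characteristics; independent of entry order."""
    return Counter(relation_signature(i, points) for i in range(len(points)))


def authenticate_by_relative_position(auth: Sequence[Point], ref: Sequence[Point]) -> bool:
    """True when every authentication mark matches a reference mark one-to-one and
    no reference mark is left unmatched. Only relative position is considered."""
    return len(auth) == len(ref) and password_signature(auth) == password_signature(ref)


def relative_position_entropy_bits(n_marks: int) -> int:
    """Two bits per pair of marks: 0.5 * n * (n - 1) * 2."""
    return n_marks * (n_marks - 1)


def points_of(marks: Dict[int, Sequence[Point]]) -> List[Point]:
    return [reference_point(stroke) for stroke in marks.values()]


# Constructed strokes (pixel coordinates invented) modelled on FIG. 4a: each mark is
# the two end points of a short swipe; the centers are 401 (100, 200),
# 402 (300, 500), 403 (500, 50) and 404 (400, 300).
REFERENCE_POINTS = points_of({
    401: [(90, 190), (110, 210)],
    402: [(290, 490), (310, 510)],
    403: [(490, 40), (510, 60)],
    404: [(390, 290), (410, 310)],
})

# FIG. 4b: the same relationships, drawn elsewhere on the screen and in another order.
AUTH_POINTS_OK = points_of({
    413: [(540, 240), (560, 260)],
    411: [(140, 390), (160, 410)],
    414: [(440, 490), (460, 510)],
    412: [(340, 690), (360, 710)],
})

# FIG. 4c: mark 424 has two marks in its first quadrant, which no reference mark has.
AUTH_POINTS_BAD = points_of({
    421: [(90, 90), (110, 110)],
    422: [(190, 290), (210, 310)],
    423: [(590, 110), (610, 130)],
    424: [(490, 490), (510, 510)],
})
```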
Alternatively, rather than relying upon relative position characteristics, some example embodiments may consider absolute positions of the marks with respect to a coordinate reference system. In this regard, the coordinate reference system may be defined such that the positions of the marks are described relative to the coordinate reference system as positional characteristics. In some example embodiments, the coordinate reference system may be fixed. However, in some example embodiments, the coordinate reference system may be rotated to create a new coordinate reference system that, for example, simplifies the positional descriptions of the marks within the rotated system. In some example embodiments, a two-dimensional, orthogonal coordinate reference system may be defined with respect to two predefined points. In this regard, the coordinate reference system may be defined with respect to two points with the condition that the two points are positioned within a common region (e.g., a quadrant, such as the first quadrant). Alternatively, in some example embodiments, a skewed reference system may be defined, for example, based on three predetermined points. Further, in example embodiments where the input may be provided in three dimensions (e.g., through the use of gestures), a three-dimensional reference system may be defined. Using absolute positions based on a coordinate reference system as described above, the positional characteristics of one or more authentication marks may be compared with those of one or more reference marks. Additionally, the use of the coordinate reference system may permit authentication based on the position of a single authentication mark, as compared to the position of a single reference mark.
According to some example embodiments, the example authentication processes described herein provide the advantage of not being line width dependent, as is the case with some draw-a-secret password solutions. Further, some example embodiments also enjoy the advantage of being independent of an absolute coordinate system and instead relying on relative positioning. Additionally, according to some example embodiments, a detailed and tedious entry of a sketch is not required from a user, because the degree of entropy that can be obtained is sufficient to generate robust authenticators (passwords). Finally, according to some example embodiments, high usability is realized with simple and fast user entry of information, while still providing robust authenticator (password) strength.
The description provided above and generally herein illustrates example methods, example apparatuses, and example computer program products for implementing graphical authentication. FIGs. 5 and 6 depict example apparatuses that may be configured to perform various functionalities as described herein, including the operations described with respect to FIGs. 1a through 4c above, with respect to the flowchart of FIG. 7, and the operations otherwise described herein.
Referring now to FIG. 5, an example embodiment of the present invention is depicted as apparatus 500. The mobile terminal 100 or the computer system 150 may be example embodiments of apparatus 500. In some example embodiments, the apparatus 500 need not include wireless communications functionality, but in other example embodiments, the apparatus 500 may be embodied as, or included as a component of, a communications device with wired and/or wireless communications capabilities. In some example embodiments, the apparatus 500 may be part of a communications device, such as a stationary or a mobile communications terminal. As a mobile device, the apparatus 500 may be a mobile and/or wireless communications node such as, for example, a mobile and/or wireless server, computer, access point, handheld wireless device (e.g., telephone, portable digital assistant (PDA), mobile television, gaming device, camera, video recorder, audio/video player, radio, digital book reader, and/or a global positioning system (GPS) device), any other type of device that may require personal authentication (e.g., banking devices such as automated teller machines (ATMs), doorway and personal access devices, vehicle control systems, and the like), any combination of the aforementioned, or the like. Regardless of the type of communications device, apparatus 500 may also include computing capabilities.
FIG. 5 illustrates a block diagram of example components of the apparatus 500. The example apparatus 500 comprises or is otherwise in communication with a processor 505, a memory device 510, an Input/Output (I/O) interface 506, a user interface 525, and an authentication analyzer 540. In some example embodiments, the apparatus 500 may further include a communications interface 515. The processor 505 may, according to some example embodiments, be embodied as various means for implementing the various functionalities of example embodiments of the present invention including, for example, a microprocessor, a coprocessor, a controller, a special-purpose integrated circuit such as, for example, an ASIC (application specific integrated circuit), an FPGA (field programmable gate array), or a hardware accelerator, processing circuitry or the like. According to one example embodiment, processor 505 may be representative of a plurality of processors, or one or more multiple core processors, operating in concert. Further, the processor 505 may be comprised of a plurality of transistors, logic gates, a clock (e.g., oscillator), other circuitry, and the like to facilitate performance of the functionality described herein. The processor 505 may, but need not, include one or more accompanying digital signal processors. In some example embodiments, the processor 505 is configured to execute instructions stored in the memory device 510 or instructions otherwise accessible to the processor 505. The processor 505 may be configured to operate such that the processor causes or directs the apparatus 500 to perform various functionalities described herein.
Whether configured as hardware or via instructions stored on a computer-readable storage medium, or by a combination thereof, the processor 505 may be an entity and means capable of performing operations according to embodiments of the present invention while configured accordingly. Thus, in example embodiments where the processor 505 is embodied as, or is part of, an ASIC, FPGA, or the like, the processor 505 is specifically configured hardware for conducting the operations described herein.
Alternatively, in example embodiments where the processor 505 is embodied as an executor of instructions stored on a computer-readable storage medium, the instructions specifically configure the processor 505 to perform the algorithms and operations described herein. In some example embodiments, the processor 505 is a processor of a specific device (e.g., a communications server or mobile terminal) configured for employing example embodiments of the present invention by further configuration of the processor 505 via executed instructions for performing the algorithms, methods, and operations described herein.
The memory device 510 may be one or more tangible and/or non-transitory computer-readable storage media that may include volatile and/or non-volatile memory. In some example embodiments, the memory device 510 comprises Random Access Memory (RAM) including dynamic and/or static RAM, on-chip or off-chip cache memory, and/or the like. Further, memory device 510 may include non-volatile memory, which may be embedded and/or removable, and may include, for example, read-only memory, flash memory, magnetic storage devices (e.g., hard disks, floppy disk drives, magnetic tape, etc.), optical disc drives and/or media, non-volatile random access memory (NVRAM), various types of solid-state storage (e.g., flash memory), and/or the like.
Memory device 510 may include a cache area for temporary storage of data. In this regard, some or all of memory device 510 may be included within the processor 505. In some example embodiments, the memory device 510 may be in communication with the processor 505 and/or other components via a shared bus. In some example embodiments, the memory device 510 may be configured to provide secure storage of data, such as, for example, the characteristics of the reference marks, in trusted modules of the memory device 510.
Further, the memory device 510 may be configured to store information, data, applications, computer-readable program code instructions, and/or the like for enabling the processor 505 and the example apparatus 500 to carry out various functions in accordance with example embodiments of the present invention described herein. For example, the memory device 510 may be configured to buffer input data for processing by the processor 505. Additionally, or alternatively, the memory device 510 may be configured to store instructions for execution by the processor 505.
The I/O interface 506 may be any device, circuitry, or means embodied in hardware, software, or a combination of hardware and software that is configured to interface the processor 505 with other circuitry or devices, such as the communications interface 515. In some example embodiments, the I/O interface may embody or be in communication with a bus that is shared by multiple components. In some example embodiments, the processor 505 may interface with the memory 510 via the I/O interface 506. The I/O interface 506 may be configured to convert signals and data into a form that may be interpreted by the processor 505. The I/O interface 506 may also perform buffering of inputs and outputs to support the operation of the processor 505. According to some example embodiments, the processor 505 and the I/O interface 506 may be combined onto a single chip or integrated circuit configured to perform, or cause the apparatus 500 to perform, various functionalities of the present invention.
In some embodiments, the apparatus 500 or some of the components of apparatus 500 (e.g., the processor 505 and the memory device 510) may be embodied as a chip or chip set. In other words, the apparatus 500 may comprise one or more physical packages (e.g., chips) including materials, components and/or wires on a structural assembly (e.g., a baseboard). The structural assembly may provide physical strength, conservation of size, and/or limitation of electrical interaction for component circuitry included thereon. The apparatus 500 may therefore, in some cases, be configured to implement embodiments of the present invention on a single chip or as a single "system on a chip." As such, in some cases, a chip or chipset may constitute means for performing the functionalities described herein and with respect to the processor 505.
The communication interface 515 may be any device or means embodied in hardware, a computer program product, or a combination of hardware and a computer program product that is configured to receive and/or transmit data from/to a network 520 and/or any other device or module in communication with the example apparatus 500. The communications interface may be configured to communicate information via any type of wired or wireless connection, and via any type of communications protocol, such as a communications protocol that supports cellular communications. According to various example embodiments, the communication interface 515 may be configured to support the transmission and reception of communications in a variety of networks including, but not limited to Internet Protocol-based networks (e.g., the Internet), cellular networks, or the like. Further, the communications interface 515 may be configured to support device-to-device communications. Processor 505 may also be configured to facilitate communications via the communications interface 515 by, for example, controlling hardware included within the communications interface 515. In this regard, the communication interface 515 may include, for example, communications driver circuitry (e.g., circuitry that supports wired communications via, for example, fiber optic connections), one or more antennas, a transmitter, a receiver, a transceiver and/or supporting hardware, including, for example, a processor for enabling communications. Via the communication interface 515, the example apparatus 500 may communicate with various other network entities in a device-to-device fashion and/or via indirect communications via a base station, access point, server, gateway, router, or the like.
The user interface 525 may be in communication with the processor 505 to receive user input via the user interface 525 and/or to present output to a user as, for example, audible, visual, mechanical, or other output indications. The user interface 525 may include, for example, a keyboard, a mouse, a joystick, a display (e.g., a touch screen display), a microphone, a speaker, camera, accelerometer, or other input/output mechanisms. Further, the processor 505 may comprise, or be in communication with, user interface circuitry configured to control at least some functions of one or more elements of the user interface. The processor 505 and/or user interface circuitry may be configured to control one or more functions of one or more elements of the user interface through computer program instructions (e.g., software and/or firmware) stored on a memory accessible to the processor 505 (e.g., volatile memory, non-volatile memory, and/or the like). The user interface 525 may also be configured to support the implementation of haptic feedback. In this regard, the user interface 525, as controlled by processor 505, may include a vibra, a piezo, and/or an audio device configured for haptic feedback as described herein. In some example embodiments, the user interface circuitry is configured to facilitate user control of at least some functions of the apparatus 500 through the use of a display and configured to respond to user inputs. The processor 505 may also comprise, or be in communication with, display circuitry configured to display at least a portion of a user interface, the display and the display circuitry configured to facilitate user control of at least some functions of the apparatus 500.
In addition to, or in lieu of, some of the user input and output devices described above, the user interface 525 may include, as mentioned above, one or more touch screen displays. A touch screen display may be configured to visually present graphical information to a user, as well as receive user input via a touch sensitive screen. The touch screen display, which may be embodied as any known touch screen display, may also include a touch detection surface configured to enable touch recognition by any suitable technique, such as resistive, capacitive, infrared, strain gauge, surface wave, optical imaging, dispersive signal technology, acoustic pulse recognition, or other like techniques. In some example embodiments, the touch screen display may be configured to operate in a hovering mode, where movements of a finger, stylus, or other implement can be sensed when sufficiently near the touch screen surface, without physically touching the surface. The touch screen displays may include all of the hardware necessary to detect a touch when contact is made with the touch detection surface and send an indication to, for example, processor 505 indicating characteristics of the touch such as location information. A touch event may occur when an object, such as a stylus, finger, pen, pencil or any other pointing device, comes into contact with a portion of the touch detection surface of the touch screen display in a manner sufficient to register as a touch. The touch screen display may therefore be configured to generate touch event location data indicating the location of the touch event on the screen. Additionally, in some example embodiments, the touch screen display may be configured to detect a touch and capture attributes of the touch for deriving characteristics of the plurality of authentication marks.
The authentication analyzer 540 of example apparatus 500 may be any means or device embodied, partially or wholly, in hardware, a computer program product, or a combination of hardware and a computer program product, such as processor 505 implementing stored instructions to configure the example apparatus 500, memory device 510 storing executable program code instructions configured to carry out the functions described herein, or a hardware configured processor 505 that is configured to carry out the functions of the authentication analyzer 540 as described herein. In an example embodiment, the processor 505 comprises, or controls, the authentication analyzer 540. The authentication analyzer 540 may be, partially or wholly, embodied as processors similar to, but separate from processor 505. In this regard, the authentication analyzer 540 may be in communication with the processor 505. In various example embodiments, the authentication analyzer 540 may, partially or wholly, reside on differing apparatuses such that some or all of the functionality of the authentication analyzer 540 may be performed by a first apparatus, and the remainder of the functionality of the authentication analyzer 540 may be performed by one or more other apparatuses.
Further, the apparatus 500 and the processor 505 may be configured to perform the following functionality via authentication analyzer 540. The authentication analyzer 540 may be configured to perform operations associated with enrolling a graphical password or authenticator as described herein, and/or perform authentication of marks input by a user to determine the authenticity of the user and permit, for example, unlocking of a device, accessing a website, or the like. Further, performance of the functionality of the authentication analyzer 540 also describes various example method embodiments. The authentication analyzer 540 may be configured to cause or direct means, such as the processor 505 and/or the apparatus 500, to perform various functionalities, such as those described with respect to FIGs. 1a-4c and 7, and as generally described herein.
For example, with reference to FIG. 7, the authentication analyzer 540 may be configured to receive characteristics of one or a plurality of authentication marks within a user input field at 700. The characteristics of each authentication mark may include at least one of an appearance characteristic (e.g., color, pattern, shape, size, or the like) of the authentication mark or a positional characteristic (e.g., relative or absolute) of the authentication mark. At 710, the authentication analyzer 540 may be configured to compare the characteristics of the authentication marks to characteristics of the reference marks. For example, particular appearance characteristics may be compared, and/or particular positional characteristics may be compared. In this regard, the reference marks may also have appearance characteristics including, but not limited to, color, pattern, shape, size, or the like and/or positional characteristics. Comparisons of the characteristics may involve comparisons between those of an authentication mark and those of a reference mark. For example, the colors of the authentication marks may be compared to the colors of the reference marks. Additionally or alternatively, the patterns of the authentication marks may be compared to the patterns of the reference marks.
Additionally or alternatively, the shapes of the authentication marks may be compared to the shapes of the reference marks. Additionally or alternatively, the sizes of the authentication marks may be compared to the sizes of the reference marks. Based at least on the comparison of some or all of the characteristics, the authentication analyzer 540 may be configured to determine whether a user is successfully authenticated at 720.
In some example embodiments, the authentication analyzer 540 may be additionally or alternatively configured to receive positions of the authentication marks (e.g., relative or absolute) and compare the relative positions of the authentication marks with positions (e.g., relative or absolute) of the reference marks. Further, in some example embodiments, the authentication analyzer 540 may be configured to define regions for each authentication mark and determine relative regional relationships between each of at least two authentication marks. In this regard, comparing the characteristics may include comparing the regional relationships between each of the authentication marks to regional relationships between the reference marks. Additionally or alternatively, the authentication analyzer 540 may be configured to define a two-dimensional reference system based on positions of two predefined points.
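The comparison at 700-720 and the positional variants just described (a two-dimensional reference system from two predefined points, regions per mark, and relative regional relationships), worked through as an added Python example that is not code from this patent or from Nokia. It assumes that the two predefined points are the positions of the first two marks entered, that regions are cells of a 0.5-unit grid in the normalized frame, that appearance is limited to a color and a shape label, and that the enrolled reference is kept as a salted digest; all sample marks are constructed.

```python
import hashlib
import hmac
import math
import os
from dataclasses import dataclass

@dataclass(frozen=True)
class Mark:
    """Appearance characteristics (color, shape) plus an absolute position in
    touch-screen pixels. Every sample value in this file is constructed."""
    color: str
    shape: str
    x: float
    y: float

def anchor_points(marks):
    """Assumption: the two predefined points of the reference system are the
    positions of the first two marks the user enters."""
    if len(marks) < 2:
        raise ValueError("at least two marks are needed to define the frame")
    return (marks[0].x, marks[0].y), (marks[1].x, marks[1].y)

def to_reference_frame(marks, p0, p1):
    """Express positions in a two-dimensional reference system defined by two
    points: p0 becomes the origin and the segment p0->p1 the unit x-axis, so
    shifting, rotating or scaling the whole drawing cancels out."""
    (x0, y0), (x1, y1) = p0, p1
    dx, dy = x1 - x0, y1 - y0
    scale = math.hypot(dx, dy)
    if scale == 0.0:
        raise ValueError("the two reference points must be distinct")
    ux, uy = dx / scale, dy / scale          # unit vector of the new x-axis
    normalized = []
    for m in marks:
        rx, ry = m.x - x0, m.y - y0
        nx = (rx * ux + ry * uy) / scale     # component along p0->p1
        ny = (-rx * uy + ry * ux) / scale    # component perpendicular to it
        normalized.append(Mark(m.color, m.shape, nx, ny))
    return normalized

def region_of(mark, cell=0.5, eps=1e-9):
    """Quantize a normalized position into a grid cell (the mark's region);
    eps keeps round-off such as 0.49999999999 from landing in the cell below."""
    return (math.floor((mark.x + eps) / cell), math.floor((mark.y + eps) / cell))

def regional_relationships(marks, cell=0.5):
    """For every pair of marks, in input order, the sign of the column and row
    difference between their regions: the relative regional relationship."""
    def sign(v):
        return (v > 0) - (v < 0)
    rels = []
    for i in range(len(marks)):
        ci, ri = region_of(marks[i], cell)
        for j in range(i + 1, len(marks)):
            cj, rj = region_of(marks[j], cell)
            rels.append((sign(cj - ci), sign(rj - ri)))
    return tuple(rels)

def fingerprint(marks):
    """Canonical bytes of exactly the characteristics that are compared:
    appearance of each mark plus the regional relationships between marks."""
    normalized = to_reference_frame(marks, *anchor_points(marks))
    appearance = tuple((m.color, m.shape) for m in normalized)
    return repr((appearance, regional_relationships(normalized))).encode()

def enroll(reference_marks):
    """Keep a salted digest of the reference characteristics rather than the
    characteristics themselves (hypothetical storage format; a handful of
    marks carries little entropy, so a slow KDF belongs here in practice)."""
    salt = os.urandom(16)
    return salt, hashlib.sha256(salt + fingerprint(reference_marks)).digest()

def authenticate(auth_marks, stored):
    """Compare the authentication marks with the enrolled reference marks;
    malformed input (too few marks, coincident anchors) is simply a failure."""
    salt, digest = stored
    try:
        candidate = hashlib.sha256(salt + fingerprint(auth_marks)).digest()
    except ValueError:
        return False
    return hmac.compare_digest(candidate, digest)

# Constructed enrollment: three marks drawn in an L shape.
REFERENCE = [Mark("red", "circle", 100, 100), Mark("blue", "square", 300, 100),
             Mark("green", "triangle", 300, 300)]
STORED = enroll(REFERENCE)
# Same pattern drawn smaller and elsewhere on the screen: accepted.
SHIFTED = [Mark("red", "circle", 90, 90), Mark("blue", "square", 190, 90),
           Mark("green", "triangle", 190, 190)]
# Same pattern rotated a quarter turn: accepted.
ROTATED = [Mark("red", "circle", 300, 100), Mark("blue", "square", 300, 300),
           Mark("green", "triangle", 100, 300)]
# Right colors, but the third mark sits under the first instead of the second: rejected.
WRONG_LAYOUT = [Mark("red", "circle", 100, 100), Mark("blue", "square", 300, 100),
                Mark("green", "triangle", 100, 300)]
```

Because only regions and their relative order are compared, a user need not reproduce exact pixel positions, which is also why the grid size and the set of compared characteristics decide how much of the drawing an impostor would have to match.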
Referring now to FIG. 6, a more specific example apparatus in accordance with various embodiments of the present invention is provided. The example apparatus of FIG. 6 is a mobile terminal 10 configured to communicate within a wireless network, such as a cellular communications network. The mobile terminal 10 may be configured to perform the functionality of the mobile terminal 100 or apparatus 500 as described herein. More specifically, the mobile terminal 10 may be caused to perform the functionality described with respect to FIGs. 1a-4c and/or 7, via the processor 20. In this regard, according to some example embodiments, the processor 20 may be configured to perform the functionality described with respect to the authentication analyzer 540. Processor 20 may be an integrated circuit or chip configured similar to the processor 505 together with, for example, the I/O interface 506. Further, volatile memory 40 and non-volatile memory 42 may be configured to support the operation of the processor 20 as computer readable storage media.
The mobile terminal 10 may also include an antenna 12, a transmitter 14, and a receiver 16, which may be included as parts of a communications interface of the mobile terminal 10. The speaker 24, the microphone 26, display 28 (which may be a touch screen display), and the keypad 30 may be included as parts of a user interface.
FIG. 7 illustrates flowcharts of example systems, methods, and/or computer program products according to example embodiments of the invention. It will be understood that each operation of the flowcharts, and/or combinations of operations in the flowcharts, can be implemented by various means. Means for implementing the operations of the flowcharts, combinations of the operations in the flowchart, or other functionality of example embodiments of the present invention described herein may include hardware, and/or a computer program product including a computer-readable storage medium (as opposed to a computer-readable transmission medium which describes a propagating signal) having one or more computer program code instructions, program instructions, or executable computer-readable program code instructions stored therein. In this regard, program code instructions for performing the operations and functions of FIG. 7 and otherwise described herein may be stored on a memory device, such as memory device 510, volatile memory 40, or non-volatile memory 42, of an example apparatus, such as example apparatus 500 or mobile terminal 10, and executed by a processor, such as the processor 505 or processor 20. As will be appreciated, any such program code instructions may be loaded onto a computer or other programmable apparatus (e.g., processor 505, memory device 510, or the like) from a computer-readable storage medium to produce a particular machine, such that the particular machine becomes a means for implementing the functions specified in the flowcharts' operations. These program code instructions may also be stored in a computer-readable storage medium that can direct a computer, a processor, or other programmable apparatus to function in a particular manner to thereby generate a particular machine or particular article of manufacture.
The instructions stored in the computer-readable storage medium may produce an article of manufacture, where the article of manufacture becomes a means for implementing the functions specified in the flowcharts' operations. The program code instructions may be retrieved from a computer-readable storage medium and loaded into a computer, processor, or other programmable apparatus to configure the computer, processor, or other programmable apparatus to execute operations to be performed on or by the computer, processor, or other programmable apparatus. Retrieval, loading, and execution of the program code instructions may be performed sequentially such that one instruction is retrieved, loaded, and executed at a time. In some example embodiments, retrieval, loading and/or execution may be performed in parallel such that multiple instructions are retrieved, loaded, and/or executed together. Execution of the program code instructions may produce a computer-implemented process such that the instructions executed by the computer, processor, or other programmable apparatus provide operations for implementing the functions specified in the flowcharts' operations.
Accordingly, execution of instructions associated with the operations of the flowchart by a processor, or storage of instructions associated with the blocks or operations of the flowcharts in a computer-readable storage medium, support combinations of operations for performing the specified functions. It will also be understood that one or more operations of the flowcharts, and combinations of blocks or operations in the flowcharts, may be implemented by special purpose hardware-based computer systems and/or processors which perform the specified functions, or combinations of special purpose hardware and program code instructions.
Many modifications and other embodiments of the inventions set forth herein will come to mind to one skilled in the art to which these inventions pertain having the benefit of the teachings presented in the foregoing descriptions and the associated drawings. Therefore, it is to be understood that the inventions are not to be limited to the specific embodiments disclosed and that modifications and other embodiments are intended to be included within the scope of the appended claims. Moreover, although the foregoing descriptions and the associated drawings describe example embodiments in the context of certain example combinations of elements and/or functions, it should be appreciated that different combinations of elements and/or functions may be provided by alternative embodiments without departing from the scope of the appended claims. In this regard, for example, different combinations of elements and/or functions other than those explicitly described above are also contemplated as may be set forth in some of the appended claims. Although specific terms are employed herein, they are used in a generic and descriptive sense only and not for purposes of limitation.

Claims

WHAT IS CLAIMED IS:
1. A method comprising:
receiving characteristics of one or more authentication marks within a user input field, wherein the characteristics of each authentication mark comprise at least one of an appearance characteristic of the authentication mark or a positional characteristic of the authentication mark;
comparing the characteristics of the one or more authentication marks to characteristics of one or more reference marks, the characteristics of each reference mark comprising at least one of an appearance characteristic of the reference mark or a positional characteristic of the reference mark, and wherein comparing the characteristics comprises comparing the appearance characteristics of the authentication marks to the appearance characteristics of the reference marks or comparing the positional characteristics of the authentication marks to the positional characteristics of the reference marks; and
based at least on the comparison of the characteristics, determining whether a user is successfully authenticated.
2. The method of claim 1, wherein receiving the characteristics of the one or more authentication marks comprises receiving the characteristics of at least two authentication marks and receiving positions of the authentication marks; and
wherein comparing the characteristics comprises comparing the positions between the authentication marks with positions of the reference marks.
3. The method of claim 1 wherein receiving the characteristics of the one or more authentication marks comprises receiving the characteristics of at least two authentication marks;
wherein the method further comprises:
defining regions for each authentication mark; and
determining relative regional relationships between each of the authentication marks; and
wherein comparing the characteristics comprises comparing the regional relationships between each of the authentication marks to regional relationships between the reference marks.
4. The method of claim 3 further comprising a two-dimensional reference system based on positions of two predefined points.
5. The method of any one of claims 1 through 4, wherein receiving the characteristics of the one or more authentication marks comprises receiving a pattern for each authentication mark; and
wherein comparing the characteristics comprises comparing the patterns of the authentication marks with patterns of the reference marks.
6. The method of any one of claims 1 through 5, wherein receiving the characteristics of the one or more authentication marks comprises receiving a color for each authentication mark; and
wherein comparing the characteristics comprises comparing the colors of the authentication marks with colors of the reference marks.
7. A computer program which, when executed, causes the method of any one of claims 1 through 6 to be performed.
8. An apparatus comprising at least one processor and at least one memory comprising computer program code, the at least one memory and the computer program code configured to, with the at least one processor, direct the apparatus at least to:
receive characteristics of one or more authentication marks within a user input field, wherein the characteristics of each authentication mark comprise at least one of an appearance characteristic of the authentication mark or a positional characteristic of the authentication mark;
compare the characteristics of the one or more authentication marks to characteristics of one or more reference marks, the characteristics of each reference mark comprising at least one of an appearance characteristic of the reference mark or a positional characteristic of the reference mark, and wherein being directed to compare the characteristics comprises being directed to compare the appearance characteristics of the authentication marks to the appearance characteristics of the reference marks or comparing the positional characteristics of the authentication marks to the positional characteristics of the reference marks; and
based at least on the comparison of the characteristics, determine whether a user is successfully authenticated.
9. The apparatus of claim 8, wherein being directed to receive the characteristics of the one or more authentication marks comprises receiving the characteristics of at least two authentication marks and being directed to receive positions of the authentication marks; and
wherein being directed to compare the characteristics comprises being directed to compare the positions between the authentication marks with positions of the reference marks.
10. The apparatus of claim 8, wherein the apparatus directed to receive the characteristics of the one or more authentication marks includes being directed to receive the characteristics of at least two authentication marks;
wherein the apparatus is further directed to:
define regions for each authentication mark; and
determine relative regional relationships between each of the authentication marks; and
wherein being directed to compare the characteristics comprises being directed to compare the regional relationships between each of the authentication marks to regional relationships between the reference marks.
11. The apparatus of claim 10 wherein the apparatus is further directed to define a two-dimensional reference system based on positions of two predetermined points.
12. The apparatus of any one of claims 8 through 11, wherein being directed to receive the characteristics of the one or more authentication marks comprises being directed to receive a pattern for each authentication mark; and
wherein being directed to compare the characteristics comprises being directed to compare the patterns of the authentication marks with patterns of the reference marks.
13. The apparatus of any one of claims 8 through 12, wherein being directed to receive the characteristics of the one or more authentication marks comprises being directed to receive a color for each authentication mark; and
wherein being directed to compare the characteristics comprises being directed to compare the colors of the authentication marks with colors of the reference marks.
14. The apparatus of any one of claims 8 through 13, wherein the apparatus comprises a mobile device.
15. The apparatus of claim 14, wherein the apparatus further comprises user interface circuitry and components comprising the touch screen display configured to detect a touch and capture attributes of the touch for deriving characteristics of the plurality of authentication marks.
16. A computer program product comprising a non-transitory memory having program code stored thereon, the program code configured to direct an apparatus to:
receive characteristics of one or more authentication marks within a user input field, wherein the characteristics of each authentication mark comprise at least one of an appearance characteristic of the authentication mark or a positional characteristic of the authentication mark;
compare the characteristics of the one or more authentication marks to characteristics of one or more reference marks, the characteristics of each reference mark comprising at least one of an appearance characteristic of the reference mark or a positional characteristic of the reference mark, and wherein the program code configured to direct the apparatus to compare the characteristics comprises being configured to direct the apparatus to compare the appearance characteristics of the authentication marks to appearance characteristics of the reference marks or comparing the positional characteristics of the authentication marks to positional characteristics of the reference marks; and
based at least on the comparison of the characteristics, determine whether a user is successfully authenticated.
17. The computer program product of claim 16, wherein the program code configured to direct the apparatus to receive the characteristics of the one or more authentication marks comprises being configured to direct the apparatus to receive the characteristics of at least two authentication marks and receive positions of the authentication marks; and
wherein the program code configured to direct the apparatus to compare the characteristics comprises being configured to direct the apparatus to compare the positions between the authentication marks with positions of the reference marks.
18. The computer program product of claim 16, wherein the program code configured to direct the apparatus to receive the characteristics of the one or more authentication marks includes being configured to receive the characteristics of at least two authentication marks;
wherein the program code is further configured to direct the apparatus to:
define regions for each authentication mark; and
determine relative regional relationships between each of the authentication marks; and
wherein being directed to compare the characteristics comprises being directed to compare the regional relationships between each of the authentication marks to regional relationships between the reference marks.
19. The computer program product of claim 18 wherein the program code is further configured to define a two-dimensional reference system based on positions of two predefined points.
20. The computer program product of any one of claims 16 through 19, wherein the program code configured to direct the apparatus to receive the characteristics of the one or more authentication marks comprises being configured to direct the apparatus to receive a pattern for each authentication mark; and
wherein the program code configured to direct the apparatus to compare the characteristics comprises being configured to direct the apparatus to compare the patterns of the authentication marks with patterns of the reference marks.
21. The computer program product of any one of claims 16 through 20, wherein the program code configured to direct the apparatus to receive the characteristics of the one or more authentication marks comprises being configured to direct the apparatus to receive a color for each authentication mark; and
wherein the program code configured to direct the apparatus to compare the characteristics comprises being configured to direct the apparatus to compare the colors of the authentication marks with colors of the reference marks.
22. An apparatus comprising:
means for receiving characteristics of one or more authentication marks within a user input field, wherein the characteristics of each authentication mark comprise at least one of an appearance characteristic of the authentication mark or a positional characteristic of the authentication mark;
means for comparing the characteristics of the one or more authentication marks to characteristics of one or more reference marks, the characteristics of each reference mark comprising at least one of an appearance characteristic of the reference mark or a positional characteristic of the reference mark, and wherein the means for comparing the characteristics comprises means for comparing the appearance characteristics of the authentication marks to the appearance characteristics of the reference marks or comparing the positional characteristics of the authentication marks to the positional characteristics of the reference marks; and
means for determining whether a user is successfully authenticated based at least on the comparison of the characteristics.
23. The apparatus of claim 22, wherein the means for receiving the characteristics of the one or more authentication marks comprises means for receiving the characteristics of at least two authentication marks and means for receiving positions of the authentication marks; and
wherein the means for comparing the characteristics comprises means for comparing the positions between the authentication marks with positions of the reference marks.
24. The apparatus of claim 22, wherein the means for receiving the characteristics of the one or more authentication marks includes means for receiving the characteristics of at least two authentication marks; wherein the apparatus further comprises:
means for defining regions for each authentication mark; and means for determining relative regional relationships between each of the authentication marks;
wherein the means for comparing the characteristics comprises means for comparing the regional relationships between each of the authentication marks to regional relationships between the reference marks.
25. The apparatus of claim 24 further comprising means for defining a two-dimensional reference system based on positions of two predetermined points.
26. The apparatus of any one of claims 22 through 25, wherein the means for receiving the characteristics of the one or more authentication marks comprises means for receiving a pattern for each authentication mark; and
wherein the means for comparing the characteristics comprises means for comparing the patterns of the authentication marks with patterns of the reference marks.
27. The apparatus of any one of claims 22 through 26, wherein the means for receiving the characteristics of the one or more authentication marks comprises means for receiving a color for each authentication mark; and
wherein the means for comparing the characteristics comprises means for comparing the colors of the authentication marks with colors of the reference marks.
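The comparison recited in claims 22 through 27, carried through as a constructed Python example. This is added here by the editor and is not code from the patent or from Nokia. Where the claims leave details open, the example assumes them: regions (claim 24) are square cells of a grid laid over the reference system; the relative regional relationship is the cell offset from each mark to the next; the two predetermined points of claim 25 are taken to be the ends of the input field's bottom edge; and the constant-time comparison is the editor's addition, not something the claims require.

```python
"""Constructed example (not from the patent): authenticating marks by their appearance
characteristics and by the relative regional relationships between them."""
import hmac
import math
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

Point = Tuple[float, float]


@dataclass(frozen=True)
class Mark:
    """One mark in the input field: a position plus optional appearance characteristics."""
    x: float
    y: float
    color: Optional[str] = None    # appearance characteristic (claim 27)
    pattern: Optional[str] = None  # appearance characteristic (claim 26)


@dataclass(frozen=True)
class Frame:
    """Two-dimensional reference system from two predetermined points (claim 25):
    origin at p0, u-axis along p0 -> p1, unit length = |p1 - p0|."""
    origin: Point
    cos: float
    sin: float
    scale: float


def make_frame(p0: Point, p1: Point) -> Frame:
    dx, dy = p1[0] - p0[0], p1[1] - p0[1]
    length = math.hypot(dx, dy)
    if length == 0.0:
        raise ValueError("the two reference points must be distinct")
    return Frame(origin=p0, cos=dx / length, sin=dy / length, scale=length)


def to_frame(frame: Frame, x: float, y: float) -> Point:
    """Express a screen position in frame coordinates: rotate so p1 lies on the u-axis, then scale."""
    dx, dy = x - frame.origin[0], y - frame.origin[1]
    u = (dx * frame.cos + dy * frame.sin) / frame.scale
    v = (-dx * frame.sin + dy * frame.cos) / frame.scale
    return u, v


def region(frame: Frame, mark: Mark, cells: int) -> Tuple[int, int]:
    """Region of a mark (claim 24). Assumption: square grid cells of side 1/cells in frame units."""
    u, v = to_frame(frame, mark.x, mark.y)
    return math.floor(u * cells), math.floor(v * cells)


def regional_relationships(frame: Frame, marks: Sequence[Mark], cells: int) -> List[Tuple[int, int]]:
    """Relative regional relationship between each mark and the next: the (column, row) offset.
    Offsets rather than absolute cells are compared, so a uniformly shifted entry still matches."""
    regions = [region(frame, m, cells) for m in marks]
    return [(b[0] - a[0], b[1] - a[1]) for a, b in zip(regions, regions[1:])]


def canonical(frame: Frame, marks: Sequence[Mark], cells: int) -> bytes:
    """Fixed-format encoding of the appearance characteristics and the regional relationships."""
    appearance = [f"{m.color or '-'}:{m.pattern or '-'}" for m in marks]
    geometry = [f"{dc},{dr}" for dc, dr in regional_relationships(frame, marks, cells)]
    return "|".join(appearance + geometry).encode()


def authenticate(frame: Frame, auth_marks: Sequence[Mark], ref_marks: Sequence[Mark], cells: int = 4) -> bool:
    """Claim 22's determination: authenticated only if every appearance characteristic and every
    regional relationship of the entered marks matches the reference marks."""
    if len(auth_marks) < 2 or len(auth_marks) != len(ref_marks):
        return False
    # Constant-time comparison (editor's addition, not in the claims): the check does not reveal
    # through timing how many leading characteristics matched.
    return hmac.compare_digest(canonical(frame, auth_marks, cells), canonical(frame, ref_marks, cells))


# Constructed sample data: a 400 x 400 px input field, reference system along its bottom edge.
FIELD_FRAME = make_frame((0.0, 0.0), (400.0, 0.0))
REFERENCE_MARKS = (
    Mark(50, 50, color="red", pattern="circle"),
    Mark(250, 150, color="blue", pattern="cross"),
    Mark(150, 350, color="red", pattern="star"),
)


def demo() -> dict:
    """Outcomes for the exact entry, an entry shifted by one cell, a wrong colour and a reordered entry."""
    shifted = tuple(Mark(m.x + 100, m.y, m.color, m.pattern) for m in REFERENCE_MARKS)
    wrong_color = (REFERENCE_MARKS[0], Mark(250, 150, "green", "cross"), REFERENCE_MARKS[2])
    reordered = tuple(reversed(REFERENCE_MARKS))
    return {
        "exact": authenticate(FIELD_FRAME, REFERENCE_MARKS, REFERENCE_MARKS),
        "shifted_one_cell": authenticate(FIELD_FRAME, shifted, REFERENCE_MARKS),
        "wrong_color": authenticate(FIELD_FRAME, wrong_color, REFERENCE_MARKS),
        "reordered": authenticate(FIELD_FRAME, reordered, REFERENCE_MARKS),
    }


if __name__ == "__main__":
    print(demo())
```

Because the appearance characteristics and the cell offsets are the whole secret, the number of distinct entries a user can make is bounded by the grid size and by the palette of colours and patterns offered; as with any short secret, a deployment relying on this comparison needs attempt limiting on the authentication decision.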
Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/IB2010/055754 WO2012076939A1 (en) 2010-12-10 2010-12-10 Method, apparatus, and computer program product for implementing graphical authentication

Publications (1)

Publication Number Publication Date
WO2012076939A1 (en) 2012-06-14

Family

ID=46206654

Country Status (1)

Country Link
WO (1) WO2012076939A1 (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5465084A (en) * 1990-03-27 1995-11-07 Cottrell; Stephen R. Method to provide security for a computer and a device therefor
US20040111646A1 (en) * 2002-12-10 2004-06-10 International Business Machines Corporation Password that associates screen position information with sequentially entered characters
US7543154B2 (en) * 2000-09-29 2009-06-02 Patev Gmbh & Co., Kg Method and device for determining an access code

Similar Documents

Publication Publication Date Title
AU2012227187B2 (en) Location-based security system for portable electronic device
US9910975B2 (en) Method for authenticating user using icon combined with input pattern, and password input device
US9767338B2 (en) Method for identifying fingerprint and electronic device thereof
US8849200B2 (en) Controlling pairing of entities responsive to motion challenges and responses
TWI604328B (en) Method and apparatus for dynamic modification of authentication requirements of a processing system
US9119068B1 (en) Authentication using geographic location and physical gestures
US20140098141A1 (en) Method and Apparatus for Securing Input of Information via Software Keyboards
KR101556599B1 (en) Pattern Inputting Apparatus and Method, and Recording Medium Using the Same
US20140025957A1 (en) Method for entering password and portable electronic device and unlocking method and data authenticating method
US20150131878A1 (en) Method and mobile device for fingerprint authentication
US9576123B2 (en) Pattern-based password with dynamic shape overlay
US20160162677A1 (en) Performing authentication based on user shape manipulation
US20150281214A1 (en) Information processing apparatus, information processing method, and recording medium
US9531709B2 (en) Securely unlocking a device using a combination of hold placement and gesture
US9557820B2 (en) Methods and systems for commencing a process based on motion detection
US20200201977A1 (en) Method for authenticating a first user and corresponding first device and system
US20200342077A1 (en) Method and system for recognizing input using index of variable grid
WO2012046099A1 (en) Method, apparatus, and computer program product for implementing sketch-based authentication
US20210390293A1 (en) Electronic device, server, and signature authentication method using same
US9613201B1 (en) Access control by a mobile device using an image
US11696140B1 (en) Authentication based on user interaction with images or objects
US20180239884A1 (en) Detection System, Fingerprint Sensor, and Method of Finger Touch Authentication Thereof
Zhang et al. Tracing one’s touches: Continuous mobile user authentication based on touch dynamics
WO2012076939A1 (en) Method, apparatus, and computer program product for implementing graphical authentication
CN114547581A (en) Method and apparatus for providing a captcha system

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
    Ref document number: 10860499; Country of ref document: EP; Kind code of ref document: A1
WWE Wipo information: entry into national phase
    Ref document number: 2010860499; Country of ref document: EP
NENP Non-entry into the national phase
    Ref country code: DE