WO2016038060A1 - Method for verifying a personal pin code of a user, corresponding system, wearable smart glasses and trusted server - Google Patents


Info

Publication number: WO2016038060A1
Authority: WO (WIPO, PCT)
Prior art keywords: user, pin code, pin, screen, pin pad
Application number: PCT/EP2015/070542
Other languages: French (fr)
Inventors: Didier Hugot, Jean-François Rubon
Original Assignee: Gemalto Sa

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/36 User authentication by graphic or iconic representation
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/30 Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/32 Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices
    • G06Q20/321 Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices using wearable devices
    • G06Q20/322 Aspects of commerce using mobile devices [M-devices]
    • G06Q20/38 Payment protocols; Details thereof
    • G06Q20/40 Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/401 Transaction verification
    • G06Q20/4012 Verifying personal identification numbers [PIN]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0853 Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H04W12/60 Context-dependent security
    • H04W12/69 Identity-dependent
    • H04W12/77 Graphical identity



Abstract

The invention concerns notably a method for verifying a personal PIN code of a user at a first device (10) comprising a screen or at a trusted server, the first device (10) being able to display a scrambled PIN pad on its screen. According to the invention, the method consists in: A - Entering, by the user, a PIN code on a second device (11), in an empty PIN pad, the PIN code being constituted by a key sequence of successively pressed keys; B - Transmitting the key sequence to the first device (10) or to the trusted server; C - Comparing, at the first device (10) or at the trusted server, the key sequence with the personal PIN code, in order to verify if the key sequence corresponds to the personal PIN code.

Description

Method for verifying a personal PIN code of a user, corresponding system, wearable smart glasses and trusted server
The invention relates to a method for entering a secret code (hereinafter called PIN code) in a device. The device is for example a Point Of Sales (POS), a cash dispenser, a personal computer, a smartphone, etc., and serves to authenticate the user.
Entering a secret code in a mobile environment is known to have weaknesses, as the entry can be spied on by a malicious application.
Hackers can exploit mobile OS vulnerabilities to deploy malware that spies on the user's actions (for example with a key logger) in order to steal sensitive data. It is also possible for a hacker to install a camera near the device in order to film the sequence of digits entered by the user (the keys pressed successively by the user).
Using a scrambled PIN pad does not solve this issue either, since hackers can capture the mobile screen image in order to analyse the PIN pad and determine where the keys are; it then only remains to record the coordinates where the user touches the screen to retrieve the PIN code.
The keys can be numerical keys (0-9), or can represent images, colors, letters or symbols, or a mix thereof. The keys can be virtual keys displayed on a screen (pointed at with a mouse) or on a touch-sensitive screen, or physical keys of a physical keyboard.
The present invention proposes a solution to this problem.
The invention proposes to secure the entry of a PIN code in a device by a scrambled PIN pad shared between two devices: one device (for example a POS terminal or a cash dispenser) is responsible for displaying the scrambled PIN pad to the end user, and a second device is used by the end user to enter his PIN code, by using the key order displayed on the first device.
More precisely, the invention proposes a method for verifying a personal PIN code of a user at a first device comprising a screen or at a trusted server, this first device being able to display a scrambled PIN pad on its screen, this method consisting in:
A - Entering, by the user, a PIN code on a second device, in an empty PIN pad, this PIN code being constituted by a key sequence of successively pressed keys;
B - Transmitting this key sequence to the first device or to the trusted server;
C - Comparing, at the first device or at the trusted server, the key sequence with the personal PIN code, in order to verify if the key sequence corresponds to the personal PIN code.
Preferably, step -A- is preceded by a step consisting in generating the scrambled PIN pad at the level of the trusted server.
Alternatively, the scrambled PIN pad is generated at the level of the first device and sent to the trusted server.
The second device advantageously comprises a camera on its rear side, the front side of the second device showing a virtual screen with the empty PIN pad, which the user superimposes on the scrambled PIN pad seen by the camera, in order to help the user enter his personal PIN code.
The empty PIN pad can be a virtual PIN pad or a physical PIN pad.
The second device is preferably a smartphone.
Advantageously, the first device has a transparent display.
The first device is preferably constituted by smart glasses.
The invention also concerns a device, called first device, this first device comprising a screen for displaying a scrambled PIN pad and:
- means for receiving, from a second device, a sequence of successively pressed keys by a user of the second device in an empty PIN pad;
- means for comparing this sequence with a personal PIN code, in order to verify if the key sequence corresponds to the personal PIN code.
This first device is preferably constituted by a POS, a cash dispenser or smart glasses.
The invention also concerns a device (second device) comprising a screen and:
- means for displaying on this screen an empty PIN pad comprising keys;
- means for sending to another device, called first device, or to a trusted server, a sequence of successively pressed keys by a user of this second device.
The second device is preferably a smartphone.
The invention also concerns a system for verifying a personal PIN code of a user at a first device comprising a screen, the first device being able to display a scrambled PIN pad on its screen, this system comprising:
- Means for displaying on the screen of a second device a virtual PIN pad;
- Means for entering, by this user, a PIN code on the second device in the virtual PIN pad;
- Means for comparing the PIN code entered by the user on the second device with the personal PIN code, in order to verify if the PIN code entered by the user on the second device corresponds to the personal PIN code.
The invention also concerns wearable smart glasses comprising a transparent display to display a scrambled PIN pad between at least one eye of a user of these smart glasses and a second device on which an empty PIN pad is displayed.
Finally, the invention concerns a trusted server for verifying a personal PIN code of a user at a first device comprising a screen, this first device being able to display a scrambled PIN pad on its screen, the trusted server comprising means for comparing a PIN code entered by the user in an empty PIN pad of a second device with his personal PIN code, in order to verify if the PIN code entered by the user on the second device corresponds to the personal PIN code.
Other features and advantages of the present invention will appear in the following description of the figures that represent:
- Fig. 1 the general method according to the invention;
- Fig. 2 a first implementation of the invention;
- Fig. 3 a second implementation of the invention;
- Fig. 4 a third implementation of the invention;
- Fig. 5 a fourth implementation of the invention;
- Fig. 6 a fifth implementation of the invention.
Figure 1 represents the general method according to the invention. In this figure, a first device 10, for example a Point Of Sales (POS), a cash dispenser, a personal computer or a smartphone, comprises a screen 12 or is connected to this screen. In order to authenticate a user, a scrambled PIN pad is displayed on the screen 12. In the prior art system, the user would have successively touched the buttons corresponding to his PIN code in order to authenticate himself.
According to the invention, the authentication of the user is done by using a second device 11 pertaining to the user. This second device 11 communicates directly (for example through a Bluetooth channel, Wi-Fi or IrDA) or indirectly (through a trusted server) with the first device 10 and displays here on its screen 13 a virtual PIN pad, for example an empty PIN pad as represented. The screen 13 is a touch-sensitive screen.
For authentication purposes, the user enters his personal PIN code on the screen 13, for example 2076, in the virtual PIN pad, by successively pressing the virtual pads 2, 0, 7 and 6, i.e. the pads at the positions where these digits are displayed on the screen 12 of the first device 10.
Finally, a mapping of the code entered by the user on the screen 13 onto the scrambled PIN pad displayed on the screen 12 is realized in order to compare the PIN code entered by the user on the second device 11 with the personal PIN code, in order to verify if the PIN code entered by the user on the second device 11 corresponds to the personal PIN code.
This mapping can be done in different ways:
- The pattern (positions of the successively typed pads) typed by the user on device 11 can be sent to device 10 (for example through a short-range wireless communication channel like NFC, infrared or Bluetooth, or through a wired link), and device 10 treats this pattern as if it had been typed directly on the screen 12. This corresponds to a match by device 10 of the code entered on device 11;
- This pattern can be sent to a trusted server, as will be described in relation to figures 2 and 3.
Fig. 2 represents a first implementation of the invention.
In this mode, a trusted third party entity 20, like a trusted server, generates a scrambled PIN pad and sends it (step 21) to the first device 10. The first device 10 then displays the scrambled PIN pad on its screen 12 to the owner of the second device 11. The second device 11 then displays a virtual PIN pad, for example an empty PIN pad or a blank PIN pad. An empty PIN pad is a PIN pad where the shapes of the keys are visible but the keys themselves are undifferentiated (no numeric figures or symbols). The end user then enters his PIN code on device 11 using the key mapping displayed on the screen 12 of device 10. The second device 11 then sends the pattern entered by the user to the trusted server 20 (step 22), which matches it with the scrambled PIN pad sent to the first device (at step 21) to retrieve the PIN code and to verify it. During a step 23, the trusted server 20 sends the result of the comparison ("PIN code OK" or "PIN code NOT OK") to the first device 10.
The matching is realized by comparing the positions of the typed pads with the positions of the displayed digits in the scrambled PIN pad.
In this embodiment, only the trusted server 20 is able to know the PIN code, so any malware running on devices 10 or 11 won't be able to retrieve it.
Figure 3 represents a second implementation of the invention.
In this embodiment, it is the first device 10 that generates a scrambled PIN pad, displays it to the owner of the second device 11 and sends it (step 30) to a trusted server 20. The second device 11, owned by the user, displays an empty PIN pad to the user, and the user enters his personal PIN code in the empty PIN pad using the key mapping displayed on the first device's screen 12. The second device 11 then sends (step 31) the pattern entered by its user to the trusted server 20, which matches it with the scrambled PIN pad received from the first device at step 30 to retrieve the PIN code and to verify it. During a step 32, the trusted server 20 sends the result of the comparison ("PIN code OK" or "PIN code NOT OK") to the first device 10.
As previously, any malware running on devices 10 or 11 won't be able to retrieve the PIN code.
Figure 4 represents a third implementation of the present invention.
In this embodiment, the virtual PIN pad 13 on the second device 11 (here a smartphone) is a software overlay (preferably with empty and transparent pads) on top of the camera view. This means that the user device's screen displays the camera view (the video stream captured by the camera) and another software layer displays the virtual PIN pad. Behind the empty PIN pad, the camera of the second device 11 shows the image of the scrambled PIN pad displayed on the screen 12 of the first device 10. The user can then hold the second device 11 over the scrambled PIN pad displayed by the first device 10 and press the pads corresponding to his PIN code. This helps the user enter his PIN code, since he does not need to look at the scrambled PIN pad itself: it is shown on the second device 11. This solution has however the drawback that if malware is installed on the second device 11, it could take a snapshot of the user's touches on the empty PIN pad 13 together with the scrambled PIN pad shown behind it.
Figure 5 represents a fourth implementation of the present invention.
In this embodiment, the user enters his personal PIN code on the second device 11 by looking at the scrambled PIN pad displayed on the first device 10. The scrambled PIN pad is here positioned beside the virtual PIN pad, thus avoiding the drawback of the embodiment of figure 4. Malware installed on the second device 11 would only be able to retrieve the user's touch coordinates, without being able to link them with the scrambled PIN pad.
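As an added worked example (not code from the patent or from Gemalto), the trusted-server side of figures 2 and 3 in Python: the server registers a single-use scrambled layout (generated by itself, as in figure 2, or received from the first device, as in figure 3), maps the position pattern sent by the second device back to digits and compares it with the personal PIN; it also counts how many PINs remain consistent with a captured touch pattern alone, which is the point made for figure 5. The 0..9 position numbering, the session identifiers, the sample layout and the user "alice" with PIN 2076 (the figure 1 example) are assumptions.

```python
"""Trusted-server side of the scrambled-PIN-pad protocol (figures 2 and 3).

Position numbering (an assumption, not from the patent): the empty pad on the
second device and the scrambled pad on the first device both have ten keys,
indexed 0..9 in the same geometric order, so a touch at index i on device 11
designates the digit drawn at index i on device 10.
"""
import hmac
import itertools
import random
import secrets

DIGITS = "0123456789"
_sysrand = random.SystemRandom()  # OS entropy, so layouts are unpredictable


def generate_scrambled_pad() -> str:
    """Figure 2: a fresh layout (position index -> digit) for one authentication."""
    layout = list(DIGITS)
    _sysrand.shuffle(layout)
    return "".join(layout)


def positions_to_pin(layout: str, positions) -> str:
    """The 'mapping' step: translate the typed positions through the layout."""
    return "".join(layout[p] for p in positions)


class TrustedServer:
    """Holds each user's personal PIN and the single-use layout of each session."""

    def __init__(self, personal_pins: dict):
        # user id -> personal PIN; kept in clear only to keep the example short
        self._pins = dict(personal_pins)
        self._sessions = {}  # session id -> (user id, layout)

    def start_session_generating_pad(self, user_id: str):
        """Figure 2, step 21: the server generates the pad and sends it to the first device."""
        return self._register(user_id, generate_scrambled_pad())

    def start_session_with_pad(self, user_id: str, layout: str):
        """Figure 3, step 30: the first device generated the pad and sends it to the server."""
        if sorted(layout) != list(DIGITS):
            raise ValueError("layout must be a permutation of the ten digits")
        return self._register(user_id, layout)

    def _register(self, user_id, layout):
        session_id = secrets.token_hex(8)  # assumed: opaque per-authentication identifier
        self._sessions[session_id] = (user_id, layout)
        return session_id, layout

    def verify_pattern(self, session_id: str, positions) -> str:
        """Step 22 / 31: the second device sends the position pattern; the return
        value is what the server reports to the first device in step 23 / 32."""
        # The layout is consumed on first use whatever the outcome, so a replayed
        # or stale pattern can never be matched against an old layout.
        entry = self._sessions.pop(session_id, None)
        if entry is None:
            return "PIN code NOT OK"
        user_id, layout = entry
        if not all(isinstance(p, int) and 0 <= p < len(DIGITS) for p in positions):
            return "PIN code NOT OK"
        candidate = positions_to_pin(layout, positions)
        # Constant-time compare so response time does not leak the matching prefix.
        ok = hmac.compare_digest(candidate.encode(), self._pins[user_id].encode())
        return "PIN code OK" if ok else "PIN code NOT OK"


def pins_consistent_with_pattern(positions) -> int:
    """Figure 5 viewpoint: how many PINs could a captured touch pattern stand for
    when the scrambled layout is unknown? Only the repeat structure (which touches
    hit the same key) survives, so every PIN with that structure is a candidate."""
    def structure(seq):
        first_seen = {}
        return tuple(first_seen.setdefault(x, len(first_seen)) for x in seq)

    target = structure(positions)
    return sum(1 for pin in itertools.product(DIGITS, repeat=len(positions))
               if structure(pin) == target)


if __name__ == "__main__":
    # Constructed sample: layout drawn on device 10, user PIN 2076 as in figure 1.
    layout = "5813792460"  # index 6 -> '2', 9 -> '0', 4 -> '7', 8 -> '6'
    server = TrustedServer({"alice": "2076"})
    sid, _ = server.start_session_with_pad("alice", layout)
    pattern = [6, 9, 4, 8]  # what device 11 sends; malware there sees only this
    print(server.verify_pattern(sid, pattern))    # PIN code OK
    print(server.verify_pattern(sid, pattern))    # PIN code NOT OK (layout already consumed)
    print(pins_consistent_with_pattern(pattern))  # 5040 PINs fit the pattern without the layout
```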
Figure 6 represents a fifth implementation of the present invention.
Here, the method for verifying a personal PIN code consists in providing, at the second device 11, a virtual (empty) PIN pad (physical or displayed). This second device is an ATM, a POS or a smartphone, for example.
In a first step, the method consists in displaying on the screen of the first device 10 a scrambled PIN pad. This first device is for example constituted by smart glasses with local or remote connectivity means. As with a smartphone or any mobile terminal, the user has to execute an action to get the scrambled PIN pad, or the latter can be transmitted to the first device when an event occurs.
In a second step, the user enters a PIN code on the second device 11 in the empty PIN pad. As described in regard to figures 2 to 5, the PIN code is constituted by a key sequence of successively pressed keys.
In a third step, the key sequence is transmitted to the first device 10 or to a trusted server 20.
Finally, in a fourth step, the PIN code entered by the user on the second device 11 is compared with the user's personal PIN code, in order to verify if the PIN code entered by the user on the second device corresponds to the personal PIN code.
In this embodiment, the user is using the first device 10 with a transparent display 12 (for instance wearable smart glasses, like Google Glass™) to display the scrambled PIN pad between at least one of his eyes and the second device 11 on which the empty PIN pad is displayed. An Oculus Rift™ can also be used in order to present a PIN pad to the user in a simulated or augmented reality view. This solution is more secure than the one illustrated in figure 4 because, even if malware on the second device 11 were able to retrieve the PIN code, that is not the device on which the application requiring the PIN is running.
The first device 10 displaying the scrambled PIN pad comprises:
- means for receiving, from the second device 11, a sequence of successively pressed keys by the user of the second device 11 in an empty PIN pad;
- means for comparing this sequence with the personal PIN code of the user, in order to verify if the key sequence corresponds to the personal PIN code.
The first device 10 can for example be constituted by a POS, a cash dispenser or smart glasses.
The second device 11 according to the invention is preferably constituted by a smartphone and comprises:
- means for displaying on its screen an empty PIN pad comprising keys, and
- means for sending to the first device 10, or to the trusted server 20, a sequence of keys successively pressed by a user of the second device 11.
The means for displaying the empty PIN pad can be constituted by software installed in the second device or in a secure element (like a SIM card) contained in the second device 11. The sending means cooperate with means for registering the sequence of the keys successively pressed by the user.
The invention also concerns a system for verifying a personal PIN code of a user at a first device 10 comprising a screen 12, the first device 10 being able to display a scrambled PIN pad on its screen 12, this system comprising:
- means for displaying on the screen 13 of a second device 11 an empty PIN pad;
- means for entering, by this user, a PIN code on the second device 11 in the empty PIN pad;
- means for comparing the PIN code entered by the user on the second device 11 with the personal PIN code, in order to verify whether the PIN code entered by the user on the second device 11 corresponds to the personal PIN code.
The invention also concerns wearable smart glasses comprising a transparent display 12 to display a scrambled PIN pad between one eye of the user of these smart glasses and the second device 11 on which a virtual PIN pad is displayed.
The invention also concerns the trusted server 20 for verifying a personal PIN code of the user at the first device 10, this first device 10 being able to display a scrambled PIN pad on its screen 12, the server 20 comprising means for comparing a PIN code entered by the user on the screen 13 of the second device 11 in a virtual PIN pad with the personal PIN code, in order to verify whether the PIN code entered by the user on the second device 11 corresponds to the personal PIN code.
The invention is not limited to PIN codes: it encompasses a secret code, a secret passphrase, or any secret owned by the user.

Claims

1. Method for verifying a personal PIN code of a user at a first device (10) comprising a screen or at a trusted server (20), said first device (10) being able to display a scrambled PIN pad on said screen, wherein it consists in:
A - Entering, by said user, a PIN code on a second device (11), in an empty PIN pad, said PIN code being constituted by a key sequence of successively pressed keys;
B - Transmitting said key sequence to said first device (10) or to said trusted server (20);
C - Comparing, at said first device (10) or at said trusted server (20), said key sequence with said personal PIN code, in order to verify if said key sequence corresponds to said personal PIN code.
2. Method according to claim 1, wherein step -A- is preceded by a step consisting in generating said scrambled PIN pad at the level of said trusted server (20) and sending it to said first device (10).
3. Method according to claim 1, wherein said scrambled PIN pad is generated at the level of said first device (10) and sent to said trusted server (20).
4. Method according to any of the claims 1 to 3, wherein said second device (11) comprises a camera at the rear side of said second device (11), the front side of said second device (11) showing a virtual screen with said empty PIN pad to be superposed by said user on the scrambled PIN pad seen by said camera, in order to help said user to enter said personal PIN code.
5. Method according to any of the claims 1 to 4, wherein said empty PIN pad is a virtual PIN pad or a physical PIN pad.
6. Method according to any of the claims 1 to 5, wherein said second device (11) is a smartphone.
7. Method according to any of the claims 1 to 5, wherein said first device (10) has a transparent display.
8. Method according to any of the claims 1 to 7, wherein said first device (10) is constituted by smart glasses.
9. Device, called first device (10), said first device (10) comprising a screen (12) for displaying a scrambled PIN pad, wherein it comprises:
- means for receiving, from another device, called second device (11), a sequence of successively pressed keys by a user of said second device (11) in an empty PIN pad;
- means for comparing said sequence with a personal PIN code, in order to verify if said key sequence corresponds to said personal PIN code.
10. Device according to claim 9, wherein it is constituted by a smartphone, a Point of Sale (POS), a cash dispenser (ATM) or smart glasses.
11. Device, called second device (11), said second device (11) comprising a screen (13), wherein it comprises:
- means for displaying on said screen (13) an empty PIN pad comprising keys;
- means for sending to another device, called first device (10), or to a trusted server (20), a sequence of successively pressed keys by a user of said second device (11).
12. Device according to claim 11, wherein it is constituted by a smartphone, a Point of Sale (POS) or a cash dispenser (ATM).
13. System for verifying a personal PIN code of a user at a first device (10) comprising a screen (12), said first device (10) being able to display a scrambled PIN pad on its screen (12), said system comprising:
- Means for displaying on the screen (13) of a second device (11) an empty PIN pad;
- Means for entering, by said user, a PIN code on said second device (11) in said empty PIN pad;
- Means for comparing the PIN code entered by said user on said second device (11) with said personal PIN code, in order to verify if the PIN code entered by said user on said second device (11) corresponds to said personal PIN code.
14. Wearable smart glasses comprising a transparent display (12) to display a scrambled PIN pad between at least one eye of a user of said smart glasses and a second device (11) on which an empty PIN pad (13) is displayed.
15. Trusted server (20) for verifying a personal PIN code of a user at a first device (10) comprising a screen (12), said first device (10) being able to display a scrambled PIN pad on said screen (12), wherein said trusted server (20) comprises means for comparing a PIN code entered by said user in an empty PIN pad (13) of a second device (11) with said personal PIN code, in order to verify if the PIN code entered by said user on said second device (11) corresponds to said personal PIN code.
PCT/EP2015/070542 2014-09-10 2015-09-09 Method for verifying a personal pin code of a user, corresponding system, wearable smart glasses and trusted server WO2016038060A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US201414482736A 2014-09-10 2014-09-10
US14/482,736 2014-09-10

Publications (1)

Publication Number Publication Date
WO2016038060A1 true WO2016038060A1 (en) 2016-03-17

Family

ID=54266524

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2015/070542 WO2016038060A1 (en) 2014-09-10 2015-09-09 Method for verifying a personal pin code of a user, corresponding system, wearable smart glasses and trusted server

Country Status (1)

Country Link
WO (1) WO2016038060A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3979102A1 (en) * 2020-09-30 2022-04-06 Rubean AG Electronic device for performing an authentication operation

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20130159196A1 (en) * 2011-12-20 2013-06-20 Ebay, Inc. Secure PIN Verification for Mobile Payment Systems

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
ANDREA FORTE ET AL: "EyeDecrypt -- Private Interactions in Plain Sight", INTERNATIONAL ASSOCIATION FOR CRYPTOLOGIC RESEARCH,, vol. 20140625:194801, 25 June 2014 (2014-06-25), pages 1 - 19, XP061016074 *

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 15777611; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 15777611; Country of ref document: EP; Kind code of ref document: A1)