CA2644272C - Method and system for securing interface access via visual array paths in combination with hidden operators - Google Patents
- Publication number
- CA2644272C
- Authority
- CA
- Canada
- Prior art keywords
- user
- elements
- token
- causing
- array
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/36—User authentication by graphic or iconic representation
Abstract
A method and system for securing interface access via visual array patterns in combination with hidden operations improves the security of computer systems and dedicated terminals. A hint display is generated in at least a quasi-random fashion that may be an array of numerical digit values. A user input is received that represents selection of a pattern of elements chosen from the hint display and combined in an algorithm using one or more mathematical, relational and/or logical operations. A pre-defined pattern and algorithm are used to generate a token from the hint display that is compared with the user input to verify that the user knows the pattern and algorithm. Further ease of use can be provided by dividing a hint display array into sub-arrays while providing a clue such as color to indicate each sub-array to the user.
Description
METHOD AND SYSTEM FOR SECURING INTERFACE ACCESS VIA VISUAL
ARRAY PATHS IN COMBINATION WITH HIDDEN OPERATORS
The present invention relates generally to graphical/textual user interfaces, and more specifically, to a method and system for securing machine interface access.
BACKGROUND OF THE INVENTION
Computer systems and dedicated devices such as automated teller machines (ATMs) increasingly provide access to interfaces that must be protected from unauthorized use. Typical security on such user interfaces is provided by a password or "personal identification number" (PIN) that must be provided to the user interface via an input device prior to further access by an individual (or in some instances another machine) accessing the interface.
The level of security provided by a "weak" password or token such as a password or PIN is generally related to its length and arbitrariness.
However, the same factor is also determinative of the difficulty for a human to remember the token. Also, the number of possible token element values, e.g., just digits versus digits plus letters, is generally made larger to improve security, but the increase in input set size is generally thwarted by the use of common words or numbers within the total possible space of values.
While it is possible to provide "hints" to a user that will stimulate a recollection of the token, such hints also provide a potential security breach in that the token may be discoverable via guessing once the hint is given. Other systems include a secondary password that has some concrete meaning to the token owner that can be used to reveal the actual token. For example, an interface may use the user's mother's maiden name or "favorite animal", etc. as a secondary token to protect the underlying access token if the user forgets.
Two-dimensional textual or graphical hint systems have been proposed, from systems that actually display the password in a form such as a "hidden word" puzzle to systems that use a randomized arrangement of icons that must be selected in order or a particular arrangement of icons that must be selected in a pattern in order to satisfy token entry. All of the above systems have an advantage in that they are not easily overcome by mere repetitive machine input.
However, all of the above systems may reveal their underlying token eventually through human observation, especially when the underlying token hiding mechanism is known a priori. For example, if it is known that the token hiding mechanism is a particular arrangement of icons that must be selected in a pattern, an observer can ignore the actual icons and merely note the pattern. A token system having improved "strength" can rely on a smaller set of element input values, can use longer-lived passwords and/or can be used across multiple systems without the same risk of compromise as weaker passwords.
Therefore, it would be desirable to provide a method and system for hiding tokens in a hint display that cannot be easily discovered through observation of token entry patterns and values.
SUMMARY OF THE INVENTION
The above objective of hiding tokens in a hint display that cannot be easily discovered through observation of token entry is achieved in a method and system.
The method and system disclosed hereinafter displays a hint display that includes a plurality of elements each having a value and a position, which may be an array of numerical digits. The method and system receive a sequence of user input corresponding to a selected patterned sequence of the displayed elements combined in an algorithm using one or more operators to perform one or more operations on the patterned sequence.
The method and system verifies whether or not the user knows the proper pattern and algorithm by computing a token from the hint display and comparing the user input to the token. Access to one or more resources of the system or for which access is controlled by the system is conditioned upon a match of the token to the user input.
The operators employed to compute the token from the pattern may be mathematical (including logical) operators or relational operators. One or more of the pattern elements may be excluded from the token computation, which may be conditioned upon a relational operation or by ignoring one of the pattern elements on a fixed basis.
The method may be embodied in a general-purpose computer system, a browser executing within a general-purpose computer system or a dedicated terminal. The method may also be embodied in a computer program product that encodes program instructions for carrying out the steps of the method.
According to one aspect of the present invention there is provided a method for protecting a resource to be used by a user, comprising:
generating a hint display made up of elements arranged in an array;
providing a predetermined pattern in the array of selected ones of the elements of the array;
each element in the predetermined pattern having a unique position characteristic in the array;
at least one of the elements in the predetermined pattern having a numerical value;
displaying said hint display to said user;
causing said user to compute a token from said elements of said predetermined pattern of elements of said generated hint display;
during computing of the token causing said user to perform at least one operation performed on said numerical value of said at least one of said elements falling within said predetermined pattern such that the token comprises at least one hidden numerical value which is not identical to the numerical value of said at least one of said elements upon which the non-identity operation is performed;
causing said user to enter the token into a user interface of an authentication system;
receiving said token from said user;
comparing said at least one hidden numerical value of the token received with at least one corresponding numerical value of a corresponding token generated by the authentication system;
and selectively providing access to said resource in conformity with a result of said comparing.
According to a second aspect of the present invention there is provided a computer system including a memory for storing program instructions and data, a processor coupled to said memory for executing said program instructions, a visual display coupled to said processor for displaying a user interface output and an input device coupled to said processor for providing a user interface input, wherein said program instructions within said general-purpose computer comprise program instructions for:
generating a hint display having at least a quasi-random character, said display made up of elements each having a value and a unique position characteristic;
computing a token from values of a predetermined pattern of elements of said generated hint display and at least one operation performed on at least one of said elements falling within said pattern;
displaying said hint display to a user;
receiving input from said user;
comparing said token with said received input; and selectively providing access to a resource in conformity with a result of said comparing.
According to a further aspect of the present invention there is provided a computer program product comprising signal-bearing media encoding program instructions for execution within a computer system, wherein said program instructions comprise program instructions for:
generating a hint display having at least a quasi-random character, said display made up of elements each having a value and a unique position characteristic;
computing a token from values of a predetermined pattern of elements of said generated hint display and at least one operation performed on at least one of said elements falling within said pattern;
displaying said hint display to a user;
receiving input from said user;
comparing said token with said received input; and selectively providing access to a resource in conformity with a result of said comparing.
The foregoing and other objectives, features, and advantages of the invention will be apparent from the following, more particular, description of the preferred embodiment of the invention, as illustrated in the accompanying drawings.
BRIEF DESCRIPTION OF THE DRAWINGS
Figure 1 is a block diagram of a system in which an embodiment of the present invention may be practiced.
Figure 2 is a pictorial diagram depicting a user interface in accordance with an embodiment of the present invention.
Figure 3 is a flowchart depicting operation of a system as embodied in a method in accordance with an embodiment of the invention.
DETAILED DESCRIPTION
The present invention provides improved security for systems accessed through entry of a token or password via a method that is implemented by execution of program instructions. The techniques are applicable to replace traditional password or PIN entry within computer systems or dedicated terminals such as ATMs. In computer systems, the present invention may be employed in the operating system of a general-purpose computing system, embedded in a dedicated application, or provided via a web page interface downloaded from a server, for example via an extensible markup language (XML) program or Java script or program. The present invention in general protects access to a resource, such as a login access to a system, financial information and transactional capability at an ATM, or other secured resource such as an application or database.
Rather than merely accepting entry of a password or token and optionally processing the token to compare it to a stored value, as traditional password systems do, the present invention effectively generates a randomized token on-the-fly. The randomized token is generated via rule-based processing from a set of values that are hidden in a hint display that is presented to the user.
There are two components to the processing: 1) a pattern by which the user selects a sequence of elements from the hint display; and 2) an algorithm that uses one or more operators in one or more operations performed on values produced from at least a portion of the sequence of elements in order to generate the token. The hint display can be a randomly generated set of elements bearing no pre-defined relation to the pattern or algorithm other than the values and value ranges of the elements must be suitable for use with the particular algorithm employed and the pattern must fit the display. If the hint display is randomly generated as a single array or other display, then the display can be generated prior to knowing the user via a user identification code or other means. The sequence is then chosen from the appropriate positions in the hint display once the user is known. Alternatively, if the user is known prior to generating the display, the sequence can be generated first and hidden at particular positions in the hint display that correspond to the positions within the above-mentioned pattern by seeding the non-patterned locations with another randomly generated set of elements.
After the sequence of elements is known, the algorithm is applied to values of the sequence of elements to generate the token, which is generally also a sequence of numbers, but may be a single number, such as a summation of all the digits in the pattern. Operators can combine any number of values from the sequence and reduce them in the output sequence or expand them in the output sequence. For example, a sum of three values from the pattern elements may represent a reduction of 3:1 in the output sequence but a sum, product and "larger of" operator applied to two values in sequence would represent an expansion of 2:3 in the output sequence. The operators used can be mathematical (including logical) or relational, such as "the larger of" or "the smaller of" operators applied to two numbers. In general, it is not desirable to reduce the number of elements in the output sequence that provides the access token below a certain level, as a short token is easier to "guess".
The user mimics the operation of the patterned sequence selection and the operator-based algorithm from memory and enters a token value based on the selection and mental computation. The level of complexity of the mental computation required can be adjusted by selecting appropriate operators and the design of the total algorithm, which is user-settable. For example, a simple algorithm could model a horizontal line through an array of digits where the token sequence value is the lesser of each pair of digits from left to right in the line. A very complex algorithm could combine apparently random positions selected sequentially from an array of values and combine them using a different mathematical operation for each value.
Additionally, the level of security of a system can be varied without changing the pattern and algorithm for a user, by truncating the pattern to reduce the length of a required token, changing the range of values allowed for each element, and/or fixing the clue table as a static array. None of the above techniques affects the underlying pattern and algorithm assigned to a user's security mechanism; each adapts the level of security and complexity to a particular instance of an access to a system or access to a particular system.
The present invention also provides a mechanism for sharing access information on a one-time basis without compromising the underlying pattern and algorithm. If the owner of the access pattern and algorithm knows a particular hint display, then another person can be told the resulting input token without compromising the pattern/algorithm combination.
Referring now to the figures, and in particular to Figure 1, a networked system within which embodiments of the present invention may be practiced is depicted in a block diagram. The depicted system 10 is representative of a general class of computing devices that include a processor 16 and a memory 17 coupled to processor 16 for storing data and program instructions for execution by processor 17. A graphical display 13 is coupled to system 10 and may in fact be integrated within the same housing, as will generally be the case with ATMs and portable devices such as notebook/tablet computers and personal digital assistants (PDAs). A keyboard or keypad 14 is also coupled to (or integrated within) system 10 to receive user input in accordance with an embodiment of the present invention. A pointing device may be used as an alternative, but as will be noted below, using a pointing device for input requires that elements for all input values be present on the screen of graphical display 13, whereas with a keyboard or keypad, the values need not be present on the screen.
A network connection 12 implements either a wired 15A or wireless 15B interface to processor 16 and although a network connection is not a requirement of the present invention, devices such as ATMs generally require some form of networking for financial access operations.
Referring now to Figure 2, a user interface in accordance with an embodiment of the present invention is depicted as a screen 20 of graphical display 13. A hint display 23 made up of four 3x3 sub-arrays 24A-D is shown.
Each sub-array contains a plurality of elements 26, each of which has a unique position within hint display 23. Each of elements 26 also has an associated value that may or may not be unique. In the illustrative example, the value is the numerical value of the digit displayed on the face of each element 26. However, the present invention is not limited to numerical digits and the values do not have to match the displayed information on the corresponding elements. For example, graphical icons may be used instead of numbers, selection made via a pointing device and the hidden algorithm that is combined with the selection sequence may be a logical operation that combines the information provided by one or more of the icons in a logical fashion.
Also, while a single array may be used to implement the present invention, use of sub-arrays provides another level of hint to the user in that the four sub-arrays 24A-D shown can be presented in any arrangement on the screen.
The user determines the proper sub-array 24A-D for each element the user enters by a clue unique to each sub-array 24A-D such as a unique color of a frame around each sub-array or the color of the values (e.g., digits) displayed on the individual elements 26. Screen 20 also includes fields 20,21 for entry of a username and password, as are generally found on login screens and the like.
However, entry fields are not a requirement of the present invention and screen 20 may consist solely of hint display 23, particularly when all values to be entered have corresponding elements present on screen 20, in which case a pointing device such as a mouse or touch screen may be used to implement the input device that receives the token sequence. User identification field 20 is not needed if the user is known prior, if the pattern/algorithm is common to all users, or if a more relaxed security scheme is tolerable in which multiple tokens are permitted and used via matching to identify the user.
Elements 26 of sub-arrays 24A-D can be randomly or quasi-randomly generated to initialize the array. If so, a pattern of elements 26 is used to select a sequence of values from the elements 26 that will correspond to the correct sequence of elements known by the user. Alternatively, a sequence of elements can be generated, "seeded" in the pattern locations, and then other randomly generated "don't care" values can be filled in the other element 26 locations in sub-arrays 24A-D. If hint display 23 is divided into sub-arrays, then the sequence must also take into account the proper placement in the correct sub-array for each element. For example, if sub-arrays 24A-D are colored respectively (red, blue, yellow, green), and the proper element sequence known by the user is top row red, middle row blue, then the sequence according to the illustrated hint display 23 is 8,7,3,5,4,2 assuming left-to-right reading of the row.
The next portion of the security mechanism implemented by the present invention is the combination of the sequence values using a hidden algorithm (as opposed to the visible pattern illustrated above). The selected sequence is then operated on by at least one operator in at least one operation.
The operators may be mathematical operators such as addition, subtraction, multiplication and division, an identity (or "copy" or "repeat") operator that yields the value of the element, or relational operators such as "the smaller of" or "the greater of" and may operate on two or more elements or in some cases only one.
Not all of the operations are identity operations, or the algorithm would not be hidden and would merely reveal the sequence above, although a system in accordance with an embodiment of the present invention can additionally implement a "non-hidden" algorithm as an option having a lowered security level. A non-hidden algorithm is provided by a sequence of identity operators, one for each element in the pattern, such that the output of the algorithm is identical to the input sequence. Hidden constants may also be employed in combination with the above operators, for example "add 1 to each digit" or "enter digit if > 4" and similar other rules.
As an example of a relational operation, using the above-recited example as the sequence, the algorithm could be "return the lowest element of each of the rows", in which case the proper token input would be 3,2. As another example, the algorithm may be "add the first two elements of the row for a first value and use the third element for a second value", in which case the correct token would be 15,3,9,2. Operations/algorithms can extend between the sub-arrays, as well. For example, the algorithm may be "multiply each element in sequence from the first sub-array with each element from the second sub-array and use those as a token string". The proper token for the above example sequence would be 40,28,6.
As illustrated by the examples, very complex and strong mechanisms may be implemented by the present invention, depending on the relative complexity of the hint display, which may be made arbitrarily large, values of the elements, which may also have arbitrarily large ranges, and the complexity of the algorithms employed. In general, there is a direct trade-off of the ease with which a pattern and algorithm can be memorized and the level of security afforded by the particular combination.
Referring now to Figure 3, a flowchart illustrating a method in accordance with an embodiment of the present invention is depicted. The method may be implemented by program instructions executing within a computing device such as a personal computer, workstation or dedicated terminal such as an ATM.
The program instructions may be embodied in a computer program product comprising media encoding said program instructions. A hint display is generated using a random number generator (step 30) and the hint display is displayed (step 31). The user is then identified via the userid input field 20 and the user's pattern and algorithm are retrieved from storage (step 32). Next, the sequence of values from the hint display is collected in accordance with the predefined pattern of elements (step 33). The token is then computed using the collected values according to the pre-defined algorithm (step 34). When a user inputs a sequence of digits (step 35) the sequence is compared against the token values computed in step 33 and if the input sequence matches (decision 36), then access to the protected resource is granted (step 37).
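The Figure 3 flow and the three example algorithms above, as an added Python sketch that is not code from the patent. Assumptions: the dictionary layout of the hint display, the function names, and comma-separated token entry are illustrative; only the pattern cells carry the page's values, and every other cell is random because Figure 2 is not reproduced here.

```python
import hmac
import secrets

COLORS = ("red", "blue", "yellow", "green")  # clue colours of sub-arrays 24A-D

# The user's secret pattern from the example: top row of red, then middle
# row of blue, read left to right, stored as (colour, row, column).
PATTERN = [("red", 0, c) for c in range(3)] + [("blue", 1, c) for c in range(3)]


def generate_hint_display(pattern=(), seeded=None):
    """Steps 30-31: four 3x3 sub-arrays of random digits, keyed by colour.

    With `seeded`, those values are placed at the pattern positions and all
    other cells keep random "don't care" digits (the seeding alternative).
    """
    display = {color: [[secrets.randbelow(10) for _ in range(3)] for _ in range(3)]
               for color in COLORS}
    if seeded is not None:
        for (color, row, col), value in zip(pattern, seeded):
            display[color][row][col] = value
    return display


def collect_sequence(display, pattern):
    """Step 33: read the values at the pattern positions, in order."""
    return [display[color][row][col] for color, row, col in pattern]


# Hidden algorithms from the worked examples (each row is three elements).
def lowest_of_each_row(seq):
    return [min(seq[i:i + 3]) for i in range(0, len(seq), 3)]


def sum_first_two_then_third(seq):
    token = []
    for i in range(0, len(seq), 3):
        first, second, third = seq[i:i + 3]
        token += [first + second, third]
    return token


def multiply_across_subarrays(seq):
    half = len(seq) // 2
    return [a * b for a, b in zip(seq[:half], seq[half:])]


def verify(display, pattern, algorithm, user_input):
    """Steps 34-36: compute the token server-side and compare it with the
    entered value in constant time. Input format (assumed): "15,3,9,2"."""
    expected = ",".join(str(v) for v in algorithm(collect_sequence(display, pattern)))
    entered = ",".join(part.strip() for part in user_input.split(","))
    return hmac.compare_digest(expected.encode(), entered.encode())


if __name__ == "__main__":
    shown = generate_hint_display(PATTERN, seeded=[8, 7, 3, 5, 4, 2])
    print(collect_sequence(shown, PATTERN))                      # pattern values
    print(lowest_of_each_row(collect_sequence(shown, PATTERN)))  # relational rule
    print(verify(shown, PATTERN, multiply_across_subarrays, "40,28,6"))
    # A token observed for one display does not carry over to another one.
    later = generate_hint_display(PATTERN, seeded=[1, 2, 3, 4, 5, 6])
    print(verify(later, PATTERN, lowest_of_each_row, "3,2"))
```

The last call shows the property the one-time sharing paragraph relies on: a token is valid only for the hint display it was computed from.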
A control panel for configuring the algorithm and pattern is also provided in accordance with another embodiment of the present invention, and may be graphically or textually implemented. Graphical control panels will generally permit selection of the pattern sequence via a pointing device and then assign rules to combinations of values or individual values from the elements in the pattern. A textual control panel can accept a string that describes the pattern and algorithm, for example by using the matrix positions as subscripts, each element can be uniquely identified by a position number. Operators can be given their own symbols such as "R" for replicate, "+" for sum, "X" for multiply, "S" for "smaller of" and so forth. Any sub-arrays while arranged in their "native" order can be combined in one matrix for the purposes of encoding the string.
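An interpreter for rule strings of the kind a textual control panel could accept, added here as an illustration and not taken from the patent. Assumptions: the grammar (comma-separated terms, elements written E<position>, an optional leading "R", operators applied left to right), the 6x6 combined matrix numbered 1 to 36 left to right and top to bottom, and the constructed sample values, which place the example sequence 8,7,3 at positions 1-3 and 5,4,2 at positions 25-27.

```python
import re

# Operator symbols named in the text: "+" sum, "X" multiply, "S" smaller of.
# "R" (replicate) is the identity and is handled as an optional prefix.
OPS = {"+": lambda a, b: a + b, "X": lambda a, b: a * b, "S": min}
TERM = re.compile(r"R?E\d+(?:[+XS]E\d+)*")  # assumed grammar for one term

# Constructed 6x6 hint matrix; only positions 1-3 and 25-27 matter here.
MATRIX = [
    [8, 7, 3, 1, 9, 0],
    [6, 2, 5, 4, 4, 7],
    [0, 9, 1, 3, 8, 6],
    [2, 6, 9, 5, 0, 1],
    [5, 4, 2, 7, 3, 8],
    [1, 0, 7, 9, 6, 2],
]


def evaluate_rule(rule, matrix):
    """Turn a rule string such as "E1XE25,E2XE26" into the expected token."""
    cols = len(matrix[0])
    cells = len(matrix) * cols

    def value(position):
        # Position numbers are 1-based, left to right, then descending.
        if not 1 <= position <= cells:
            raise ValueError(f"position E{position} is outside the hint display")
        return matrix[(position - 1) // cols][(position - 1) % cols]

    token = []
    for term in rule.split(","):
        term = term.strip()
        if not TERM.fullmatch(term):
            raise ValueError(f"malformed term: {term!r}")
        parts = re.findall(r"[+XS]|E\d+", term.lstrip("R"))
        result = value(int(parts[0][1:]))
        # Remaining parts alternate operator, element, operator, element...
        for op, element in zip(parts[1::2], parts[2::2]):
            result = OPS[op](result, value(int(element[1:])))
        token.append(result)
    return token


if __name__ == "__main__":
    for rule in ("E1XE25,E2XE26,E3XE27",
                 "E1SE2SE3,E25SE26SE27",
                 "E1+E2,RE3,E25+E26,RE27"):
        print(rule, "->", evaluate_rule(rule, MATRIX))
```

Rejecting malformed terms and out-of-range positions at configuration time keeps a mistyped rule from silently producing a token the user can never compute.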
For example, if the position numbers are assigned left-to-right across rows and descending through the hint display, the above-exemplified algorithm multiplies each element in sequence from the first sub-array with each element from the second sub-array and use those as a token string, could be encoded as:
"EIXE25,E2XE26,E3XE27", where X is the "multiply" operator. (Elements 25-27 correspond to the middle row of sub-array 24B as used in the example above.) While the invention has been particularly shown and described with reference to the preferred embodiments thereof, it will be understood by those skilled in the art that the foregoing and other changes in form, and details may be made therein without departing from the spirit and scope of the invention.
comparing said token with said received input; and selectively providing access to a resource in conformity with a result of said comparing.
The foregoing and other objectives, features, and advantages of the invention will be apparent from the following, more particular, description of the preferred embodiment of the invention, as illustrated in the accompanying drawings.
BRIEF DESCRIPTION OF THE DRAWINGS
Figure 1 is a block diagram of a system in which an embodiment of the present invention may be practiced.
Figure 2 is a pictorial diagram depicting a user interface in accordance with an embodiment of the present invention.
Figure 3 is a flowchart depicting operation of a system as embodied in a method in accordance with an embodiment of the invention.
DETAILED DESCRIPTION
The present invention provides improved security for systems accessed through entry of a token or password via a method that is implemented by execution of program instructions. The techniques are applicable to replace traditional password or PIN entry within computer systems or dedicated terminals such as ATMs. In computer systems, the present invention may be employed in the operating system of a general-purpose computing system, embedded in a dedicated application, or provided via a web page interface downloaded from a server, for example via an extensible markup language (XML) program or Java script or program. The present invention in general protects access to a resource, such as a login access to a system, financial information and transactional capability at an ATM, or other secured resource such as an application or database.
Rather than merely accepting entry of a password or token and optionally processing the token to compare it to a stored value, as traditional password systems do, the present invention effectively generates a randomized token on-the-fly. The randomized token is generated via rule-based processing from a set of values that are hidden in a hint display that is presented to the user.
There are two components to the processing: 1) a pattern by which the user selects a sequence of elements from the hint display; and 2) an algorithm that uses one or more operators in one or more operations performed on values produced from at least a portion of the sequence of elements in order to generate the token. The hint display can be a randomly generated set of elements bearing no pre-defined relation to the pattern or algorithm, other than that the values and value ranges of the elements must be suitable for use with the particular algorithm employed and the pattern must fit the display. If the hint display is randomly generated as a single array or other display, then the display can be generated prior to knowing the user via a user identification code or other means. The sequence is then chosen from the appropriate positions in the hint display once the user is known. Alternatively, if the user is known prior to generating the display, the sequence can be generated first and hidden at particular positions in the hint display that correspond to the positions within the above-mentioned pattern by seeding the non-patterned locations with another randomly generated set of elements.
After the sequence of elements is known, the algorithm is applied to values of the sequence of elements to generate the token, which is generally also a sequence of numbers, but may be a single number, such as a summation of all the digits in the pattern. Operators can combine any number of values from the sequence and reduce them in the output sequence or expand them in the output sequence. For example, a sum of three values from the pattern elements may represent a reduction of 3:1 in the output sequence, but a sum, product and "larger of" operator applied to two values in sequence would represent an expansion of 2:3 in the output sequence. The operators used can be mathematical (including logical) or relational, such as "the larger of" or "the smaller of" operators applied to two numbers. In general, it is not desirable to reduce the number of elements in the output sequence that provides the access token below a certain level, as a short token is easier to "guess".
The user mimics the operation of the patterned sequence selection and the operator-based algorithm from memory and enters a token value based on the selection and mental computation. The level of complexity of the mental computation required can be adjusted by selecting appropriate operators and the design of the total algorithm, which is user-settable. For example, a simple algorithm could model a horizontal line through an array of digits where the token sequence value is the lesser of each pair of digits from left to right in the line. A very complex algorithm could combine apparently random positions selected sequentially from an array of values and combine them using a different mathematical operation for each value.
Additionally, the level of security of a system can be varied without changing the pattern and algorithm for a user: by truncating the pattern to reduce the length of a required token, changing the range of values allowed for each element, and/or fixing the clue table as a static array. None of these techniques affects the underlying pattern and algorithm assigned to a user's security mechanism; they adapt the level of security and complexity to a particular instance of an access to a system or access to a particular system.
The present invention also provides a mechanism for sharing access information on a one-time basis without compromising the underlying pattern and algorithm. If the owner of the access pattern and algorithm knows a particular hint display, then another person can be told the resulting input token without compromising the pattern/algorithm combination.
Referring now to the figures, and in particular to Figure 1, a networked system within which embodiments of the present invention may be practiced is depicted in a block diagram. The depicted system 10 is representative of a general class of computing devices that include a processor 16 and a memory 17 coupled to processor 16 for storing data and program instructions for execution by processor 17. A graphical display 13 is coupled to system 10 and may in fact be integrated within the same housing, as will generally be the case with ATMs and portable devices such as notebook/tablet computers and personal digital assistants (PDAs). A keyboard or keypad 14 is also coupled to (or integrated within) system 10 to receive user input in accordance with an embodiment of the present invention. A pointing device may be used as an alternative, but as will be noted below, using a pointing device for input requires that elements for all input values be present on the screen of graphical display 13, whereas with a keyboard or keypad, the values need not be present on the screen.
A network connection 12 implements either a wired 15A or wireless 15B interface to processor 16 and although a network connection is not a requirement of the present invention, devices such as ATMs generally require some form of networking for financial access operations.
Referring now to Figure 2, a user interface in accordance with an embodiment of the present invention is depicted as a screen 20 of graphical display 13. A hint display 23 made up of four 3x3 sub-arrays 24A-D is shown.
Each sub-array contains a plurality of elements 26, each of which has a unique position within hint display 23. Each of elements 26 also has an associated value that may or may not be unique. In the illustrative example, the value is the numerical value of the digit displayed on the face of each element 26. However, the present invention is not limited to numerical digits and the values do not have to match the displayed information on the corresponding elements. For example, graphical icons may be used instead of numbers, selection may be made via a pointing device, and the hidden algorithm that is combined with the selection sequence may be a logical operation that combines the information provided by one or more of the icons in a logical fashion.
Also, while a single array may be used to implement the present invention, use of sub-arrays provides another level of hint to the user in that the four sub-arrays 24A-D shown can be presented in any arrangement on the screen.
The user determines the proper sub-array 24A-D for each element the user enters by a clue unique to each sub-array 24A-D such as a unique color of a frame around each sub-array or the color of the values (e.g., digits) displayed on the individual elements 26. Screen 20 also includes fields 20,21 for entry of a username and password, as are generally found on login screens and the like.
However, entry fields are not a requirement of the present invention and screen 20 may consist solely of hint display 23, particularly when all values to be entered have corresponding elements present on screen 20, in which case a pointing device such as a mouse or touch screen may be used to implement the input device that receives the token sequence. User identification field 20 is not needed if the user is known prior, if the pattern/algorithm is common to all users, or if a more relaxed security scheme is tolerable in which multiple tokens are permitted and used via matching to identify the user.
Elements 26 of sub-arrays 24A-D can be randomly or quasi-randomly generated to initialize the array. If so, a pattern of elements 26 is used to select a sequence of values from the elements 26 that will correspond to the correct sequence of elements known by the user. Alternatively, a sequence of elements can be generated, "seeded" in the pattern locations, and then other randomly generated "don't care" values can be filled in the other element 26 locations in sub-arrays 24A-D. If hint display 23 is divided into sub-arrays, then the sequence must also take into account the proper placement in the correct sub-array for each element. For example, if sub-arrays 24A-D are colored respectively (red, blue, yellow, green), and the proper element sequence known by the user is top row red, middle row blue, then the sequence according to the illustrated hint display 23 is 8,7,3,5,4,2, assuming left-to-right reading of the row.
The next portion of the security mechanism implemented by the present invention is the combination of the sequence values using a hidden algorithm (as opposed to the visible pattern illustrated above). The selected sequence is then operated on by at least one operator in at least one operation.
The operators may be mathematical operators such as addition, subtraction, multiplication and division, an identity (or "copy" or "repeat") operator that yields the value of the element, or relational operators such as "the smaller of" or "the greater of", and may operate on two or more elements or in some cases only one.
Not all of the operations are identity operations, or the algorithm would not be hidden and would merely reveal the sequence above, although a system in accordance with an embodiment of the present invention can additionally implement a "non-hidden" algorithm as an option having a lowered security level. A non-hidden algorithm is provided by a sequence of identity operators, one for each element in the pattern, such that the output of the algorithm is identical to the input sequence. Hidden constants may also be employed in combination with the above operators, for example "add 1 to each digit" or "enter digit if > 4" and similar other rules.
As an example of a relational operation, using the above-recited example as the sequence, the algorithm could be "return the lowest element of each of the rows", in which case the proper token input would be 3,2. As another example, the algorithm may be "add the first two elements of the row for a first value and use the third element for a second value", in which case the correct token would be 15,3,9,2. Operations/algorithms can extend between the sub-arrays, as well. For example, the algorithm may be "multiply each element in sequence from the first sub-array with each element from the second sub-array and use those as a token string". The proper token for the above example sequence would be 40,28,6.
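The three worked tokens (3,2; 15,3,9,2; 40,28,6) and the flow of Figure 3 (steps 30 to 37), as an added Python example that is not code from the patent. The rule layout (operator symbol plus indexes into the collected sequence), every display cell other than the two rows the text quotes, and all function names are assumptions; `best_blind_guess` goes beyond the text to quantify its remark that a short token is easier to guess.

```python
import hmac
import secrets
from collections import Counter
from fractions import Fraction
from itertools import product

COLORS = ("red", "blue", "yellow", "green")   # clue colours of sub-arrays 24A-D

# Operator symbols are the ones the description names for the textual control
# panel; representing a rule as (symbol, indexes) is an assumption of this example.
OPERATORS = {
    "R": lambda v: v[0],          # replicate (identity)
    "+": sum,                     # sum
    "X": lambda v: v[0] * v[1],   # multiply two values
    "S": min,                     # "smaller of"
}

def generate_hint_display(rng=None):
    """Step 30: four 3x3 sub-arrays of digits drawn from the OS CSPRNG."""
    rng = rng or secrets.SystemRandom()
    return {c: [[rng.randrange(10) for _ in range(3)] for _ in range(3)]
            for c in COLORS}

def collect_sequence(display, pattern):
    """Step 33: read the values at the user's (colour, row, column) positions."""
    return [display[color][row][col] for color, row, col in pattern]

def compute_token(sequence, algorithm):
    """Step 34: apply each rule to the sequence values it names."""
    return [OPERATORS[op](tuple(sequence[i] for i in idx)) for op, idx in algorithm]

def verify(display, pattern, algorithm, user_input):
    """Steps 35-36: compare the typed token with the expected one in constant time."""
    expected = ",".join(map(str, compute_token(collect_sequence(display, pattern),
                                               algorithm)))
    supplied = ",".join(part.strip() for part in user_input.split(","))
    return hmac.compare_digest(expected.encode(), supplied.encode())

def best_blind_guess(n_elements, algorithm, digits=range(10)):
    """Most likely token over all possible pattern values, with its exact probability.

    Enumerates digits**n_elements sequences, so keep n_elements small.
    """
    counts = Counter(tuple(compute_token(seq, algorithm))
                     for seq in product(digits, repeat=n_elements))
    token, hits = counts.most_common(1)[0]
    return token, Fraction(hits, len(digits) ** n_elements)

# Pattern from the description: top row of red, then middle row of blue.
PATTERN = [("red", 0, c) for c in range(3)] + [("blue", 1, c) for c in range(3)]

# Constructed display: only red's top row and blue's middle row come from the text.
SAMPLE_DISPLAY = {
    "red":    [[8, 7, 3], [1, 0, 6], [9, 2, 5]],
    "blue":   [[4, 9, 1], [5, 4, 2], [0, 3, 7]],
    "yellow": [[6, 1, 8], [2, 7, 0], [3, 5, 9]],
    "green":  [[7, 3, 4], [8, 6, 1], [0, 9, 2]],
}

LOWEST_PER_ROW = [("S", (0, 1, 2)), ("S", (3, 4, 5))]
SUM_THEN_COPY = [("+", (0, 1)), ("R", (2,)), ("+", (3, 4)), ("R", (5,))]
CROSS_MULTIPLY = [("X", (0, 3)), ("X", (1, 4)), ("X", (2, 5))]

if __name__ == "__main__":
    seq = collect_sequence(SAMPLE_DISPLAY, PATTERN)
    for name, algo in (("lowest per row", LOWEST_PER_ROW),
                       ("sum then copy", SUM_THEN_COPY),
                       ("cross multiply", CROSS_MULTIPLY)):
        print(name, compute_token(seq, algo))
    # A relational rule skews the token: "smaller of" one row is 0 far more
    # often than any one copied three-digit row is a given value.
    print(best_blind_guess(3, [("S", (0, 1, 2))]))
    print(best_blind_guess(3, [("R", (0,)), ("R", (1,)), ("R", (2,))]))
```

The last two lines show why operator choice matters as much as token length: the single-element "smaller of" token is 0 for 271 of the 1000 possible rows, whereas any particular copied row occurs once in 1000.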
Claims (21)
1. A method for allowing access to a resource for a plurality of separate user sessions by a user, comprising:
wherein the method is carried out by an authentication system having a user interface with a display viewable by the user and an input for entry of data by the user;
generating a hint display for each session made up of a set of elements arranged in an array;
providing a predetermined pattern in the array of selected ones of the elements of the array;
each element in the predetermined pattern having a unique position characteristic in the array;
displaying said hint display to said user;
causing said user to select said elements of said predetermined pattern of elements of said generated hint display and to create a sequence of said elements;
causing said user to compute a token defined by a sequence of a plurality of token elements;
causing said user to enter the token into the user interface of the authentication system;
receiving said token from said user;
comparing said token elements received with token elements of a corresponding token generated by the authentication system;
selectively providing access to said resource in conformity with a result of said comparing;
and during the computing of the token by the user, causing said user to generate each of at least some of said plurality of token elements in said sequence of token elements by performing at least one operation on a respective one or more than one of said selected elements from said sequence of selected elements such that the token element is not identical to the element or elements upon which the operation is performed.
2. A method for allowing access to a resource for a plurality of separate user sessions by a user, comprising:
wherein the method is carried out by an authentication system of the resource;
providing a user interface connected with the authentication system of the resource and arranged to provide communications between the resource and the interface and having a display viewable by the user and an input for entry of data by the user;
in response to a request for access by the user at the user interface, causing the authentication system to generate a hint display for each session made up of a set of elements arranged in an array of rows and columns;
providing a predetermined pattern in the array of selected ones of the elements of the array wherein the pattern on the array of rows and columns is arranged so as to be remembered and determined visually so that each element in the predetermined pattern has a unique position characteristic in the array;
after said request for access displaying said hint display to said user;
causing said user to select said elements of said predetermined pattern of elements of said generated hint display and to create a sequence of said elements;
causing said user to compute a token defined by a sequence of a plurality of token elements;
causing said user to enter the token into the user interface of the authentication system;
receiving at said authentication system of the resource said token from said user;
comparing at said authentication system of the resource said token elements received with token elements of a corresponding token generated by the authentication system;
said authentication system of the resource selectively providing access to said resource in conformity with a result of said comparing;
and during the computing of the token by the user, causing said user to generate each of at least some of said plurality of token elements in said sequence of token elements by performing at least one operation defined by a mental calculation on a respective one or more than one of said selected elements from said sequence of selected elements such that the token element is not identical to the element or elements upon which the operation is performed.
3. The method of Claim 1 or 2, wherein the elements comprise numerical values and each operation is a mathematical function.
4. The method of Claim 1 or 2, wherein said user is caused to generate said plurality of token elements by performing an operation on a respective one only of said selected elements.
5. The method of Claim 4, wherein the selected elements comprise numerical values and wherein the operation comprises adding a value to or subtracting a value from the numerical value of the selected element.
6. The method of Claim 1 or 2, wherein said user is caused to generate each of at least some of said plurality of token elements by comparing a respective two of said selected elements.
7. The method of Claim 3, wherein at least two of the elements in the predetermined pattern have a numerical value and wherein said operation combines said numerical values of said two elements in at least one mathematical operation.
8. The method of Claim 3, wherein at least three of the elements in the predetermined pattern have a numerical value and wherein said computing selects between at least two of said numerical values of said three elements using a relational operator and excludes at least one unselected numerical value of said three elements in determining a result of said computing.
9. The method of any one of Claims 1 to 8 wherein a level of security is varied without changing the pattern and the operation by truncating the pattern to reduce the number of elements in the sequence of selected elements.
10. The method of any one of Claims 1 to 8 wherein a level of security is varied without changing the pattern and the operation by changing a range of values allowed for each element.
11. The method of any one of Claims 1 to 8 wherein a level of security is varied without changing the pattern and the operation by fixing the array of the hint display as a static array.
12. The method of any one of Claims 1 to 11, including the step of allowing a second subsidiary user to obtain access to the resource by:
communicating the hint display including the elements to the subsidiary user, causing the subsidiary user to communicate the elements to the user;
causing the user to use the pattern and the operation to compute the token;
causing said user to communicate the token, without the pattern and operation, to the subsidiary user so as to enter the computed token into the user interface;
causing the system to effect a comparing of said token received with a corresponding token generated by the authentication system;
and selectively providing access by the second subsidiary user to said resource for said session in conformity with a matching result of said comparing.
13. The method of any one of Claims 1 to 12, wherein the pattern and the operation to be used by the user are provided to the user by the authentication system in communication between the authentication system and the user in response to the selection by the user of a degree of difficulty to be used therein.
14. The method of any one of Claims 1 to 13, wherein each element comprises a numerical value defined by a single digit and wherein the operation comprises adding or subtracting a numerical value defined by a single digit.
15. A method for allowing access to a resource for a plurality of separate user sessions by a user comprising:
wherein the method is carried out by an authentication system having a user interface with a display viewable by the user and an input for entry of data by the user;
the system being arranged for each session to generate a hint display made up of a set of elements;
the set of elements including a sub-set of elements;
causing the sub-set to be predetermined prior to the sessions in accordance with a predetermined protocol in communication between the system and the user;
the set of elements defining individual characters;
the characters of at least some of the elements of the set being changed for at least some of the sessions;
displaying said hint display including the set of elements to said user;
to commence a session, causing said user to compute a token by applying a predetermined operation on the characters of the elements of the sub-set of said hint display generated for that session;
causing said user to enter the computed token into the user interface;
causing the system to effect a comparing of said token received with at least one corresponding token generated by the authentication system;
selectively providing access by the user to said resource for said session in conformity with a matching result of said comparing;
and allowing a second subsidiary user to obtain access to the resource for a session by:
communicating the hint display including the set of elements for the session to the subsidiary user;
causing the subsidiary user to communicate the set of elements to the user;
causing the user to use the predetermined protocol and the predetermined operation to compute the token;
causing said user to communicate the token, without the predetermined protocol and the predetermined operation, to the subsidiary user so as to enter the computed token into the user interface;
causing the system to effect a comparing of said token received with at least one corresponding token generated by the authentication system;
and selectively providing access by the user to said resource for said session in conformity with a matching result of said comparing.
16. The method according to Claim 15 wherein the subset is determined in the set in accordance with said predetermined protocol by displaying the set in a predetermined array and by providing the subset as a predetermined pattern in the array of selected ones of the elements of the array with each element in the predetermined pattern having a unique position characteristic in the array.
17. The method according to Claim 15 or 16 wherein the characters are numerical values.
18. The method according to any one of Claims 15 to 17 wherein the predetermined operation is an arithmetic operation on a numerical value forming at least one of the characters.
19. The method according to any one of Claims 15 to 18 wherein the operation on said character of said at least one of said elements of said predetermined sub-set is arranged such that the token comprises at least one hidden character which is not identical to the character of said at least one of said elements upon which the operation is performed.
20. The method of any one of Claims 15 to 19, wherein the pattern and the operation to be used by the user are provided to the user by the authentication system in communication between the authentication system and the user in response to the selection by the user of a degree of difficulty to be used therein.
21. The method of any one of Claims 15 to 20, wherein each element comprises a numerical value defined by a single digit and wherein the operation comprises adding or subtracting a numerical value defined by a single digit.
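The flow of claims 15 to 21, as an added Python example that is not code from the patent: the system shows a fresh digit grid per session, both sides derive the token from a secret pattern and per-element add/subtract offsets, and a subsidiary user relays only the hint and the token. The 4x4 grid, wrap-around modulo 10, single-use sessions and all names and sample values are assumptions made for this illustration.

```python
import hmac
import secrets

# Constructed sample values for illustration; none of them come from the patent.
SAMPLE_HINT = [[3, 1, 4, 1], [5, 9, 2, 6], [5, 3, 5, 8], [9, 7, 9, 3]]
PATTERN = [(0, 0), (1, 1), (2, 2), (3, 3)]  # secret sub-set: positions in the array (claim 16)
OFFSETS = [+1, +1, -2, 0]                   # secret single-digit add/subtract per element (claim 21)

def new_hint(rows=4, cols=4):
    """Per-session hint display: a grid of random single digits (grid size is assumed)."""
    return [[secrets.randbelow(10) for _ in range(cols)] for _ in range(rows)]

def compute_token(hint, pattern, offsets):
    """Apply the secret operation to the secret sub-set of the displayed hint."""
    # Wrapping modulo 10 is an assumption that keeps every output a single digit;
    # a non-zero offset yields a "hidden character" not shown on the display (claim 19).
    if len(pattern) != len(offsets):
        raise ValueError("one offset per pattern position")
    return "".join(str((hint[r][c] + d) % 10) for (r, c), d in zip(pattern, offsets))

class AuthSystem:
    """Holds the enrolled secret and the outstanding hint for each session."""
    def __init__(self, pattern, offsets):
        self._pattern, self._offsets = pattern, offsets
        self._sessions = {}

    def start_session(self, hint=None):
        sid = secrets.token_hex(8)
        self._sessions[sid] = hint if hint is not None else new_hint()
        return sid, self._sessions[sid]

    def verify(self, sid, token):
        hint = self._sessions.pop(sid, None)  # assumed policy: each hint is single use
        if hint is None:
            return False
        expected = compute_token(hint, self._pattern, self._offsets)
        return hmac.compare_digest(expected.encode(), str(token).encode())

def delegated_login(system, user_secret, hint=None):
    """Claim 15 relay: the subsidiary user handles only the hint and the token."""
    sid, shown = system.start_session(hint)      # subsidiary user reads the display
    token = compute_token(shown, *user_secret)   # user computes the token out of band
    return sid, token, system.verify(sid, token) # subsidiary user enters the token
```

Because the token depends on the session's hint, a token relayed to the subsidiary user does not verify against a later session's display, and the pattern and offsets are never transmitted.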
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CA002689850A CA2689850A1 (en) | 2006-03-01 | 2006-03-01 | Secure access by a user to a resource |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/CA2006/000287 WO2007098569A1 (en) | 2006-03-01 | 2006-03-01 | Method and system for securing interface access via visual array paths in combination with hidden operators |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CA002689850A Division CA2689850A1 (en) | 2006-03-01 | 2006-03-01 | Secure access by a user to a resource |
Publications (2)
Publication Number | Publication Date |
---|---|
CA2644272A1 (en) | 2007-09-07 |
CA2644272C (en) | 2011-08-16 |
Family
ID=38458599
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CA2644272A Expired - Fee Related CA2644272C (en) | 2006-03-01 | 2006-03-01 | Method and system for securing interface access via visual array paths in combination with hidden operators |
CA002689850A Pending CA2689850A1 (en) | 2006-03-01 | 2006-03-01 | Secure access by a user to a resource |
Family Applications After (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CA002689850A Pending CA2689850A1 (en) | 2006-03-01 | 2006-03-01 | Secure access by a user to a resource |
Country Status (5)
Country | Link |
---|---|
EP (1) | EP2002371A4 (en) |
JP (1) | JP2009528601A (en) |
CN (1) | CN101421737B (en) |
CA (2) | CA2644272C (en) |
WO (1) | WO2007098569A1 (en) |
2006
- 2006-03-01 CA CA2644272A patent/CA2644272C/en not_active Expired - Fee Related
- 2006-03-01 EP EP06705241A patent/EP2002371A4/en not_active Withdrawn
- 2006-03-01 JP JP2008556618A patent/JP2009528601A/en active Pending
- 2006-03-01 WO PCT/CA2006/000287 patent/WO2007098569A1/en active Application Filing
- 2006-03-01 CA CA002689850A patent/CA2689850A1/en active Pending
- 2006-03-01 CN CN 200680054245 patent/CN101421737B/en not_active Expired - Fee Related
Also Published As
Publication number | Publication date |
---|---|
CN101421737A (en) | 2009-04-29 |
CA2644272A1 (en) | 2007-09-07 |
EP2002371A4 (en) | 2010-05-05 |
JP2009528601A (en) | 2009-08-06 |
CA2689850A1 (en) | 2007-09-07 |
CN101421737B (en) | 2011-04-20 |
EP2002371A1 (en) | 2008-12-17 |
WO2007098569A1 (en) | 2007-09-07 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
EEER | Examination request | ||
MKLA | Lapsed | Effective date: 20190301 |