EP1442350A2 - Benutzeridentitätverifikationssystem - Google Patents
BenutzeridentitätverifikationssystemInfo
- Publication number
- EP1442350A2 EP1442350A2 EP02761938A EP02761938A EP1442350A2 EP 1442350 A2 EP1442350 A2 EP 1442350A2 EP 02761938 A EP02761938 A EP 02761938A EP 02761938 A EP02761938 A EP 02761938A EP 1442350 A2 EP1442350 A2 EP 1442350A2
- Authority
- EP
- European Patent Office
- Prior art keywords
- identification information
- user
- server
- communication medium
- client terminal
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Ceased
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/313—User authentication using a call-back technique via a telephone network
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/34—User authentication involving the use of external additional devices, e.g. dongles or smart cards
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/42—User authentication using separate channels for security data
Definitions
- the invention relates in general to the field of user identity verification.
- the invention relates to a method and apparatus for user identification in a client-server system.
- Common user identity verification systems are based on passwords that are memorised by the user. Such systems may be subverted if the memorised information becomes publicly available.
- Another problem associated with passwords for user identity verification is that a user may require passwords for a number of separate computer systems, and therefore has to remember not only a number of passwords, but also which password corresponds to which computer system. This can lead to a user adopting a common password for all computer systems. Having a single universal password poses a considerable increase in risk of a security breach at all the systems due to the increased likelihood of the password becoming publicly available, and public awareness that one password may permit access to more than one separate computer system.
- Other more sophisticated forms of subvision exist, such as local or remote monitoring of key storkes or screen displays .
- a known alternative user identity verification technique involves the possession of a token, such as a card comprising identification information.
- the holder of the token can be identified as an authorised user.
- a token such as a card comprising identification information.
- the token comprises an optical disc or a smartcard disc.
- cards can be stolen or duplicated, allowing unauthorised and/or unidentifiable users to access otherwise secure computer systems.
- An aim of the present invention is to provide a method and apparatus for verifying identity of a user in a manner which is reliable and which is not vulnerable to subversion.
- Preferred embodiments of the present invention aim to address the problems of the prior art mentioned above.
- a method of user identity verification in a system comprising a client terminal couplable to a server by a first communication medium, the method comprising: sending a first identification information over the first communication medium from the client terminal to the server; verifying, at the server, that the first identification information corresponds to a stored user profile; returning a second identification information to a user over a second communication medium according to the stored user profile; sending the second identification information to the server via the client terminal; and verifying user identity, at the server, according to presentation of the second identification information.
- a user identity verification apparatus comprising: a server comprising a user profile store; a client terminal coupled to a server by a first communication medium; a second communication medium coupled to the server for supply of second identification information to a user, the client terminal being arranged in use to receive the first identification information, and to supply the first identification information over the first communication medium to the server; the server being arranged to verify that the first identification information correspond to a user profile in the user profile store and to supply a second identification information to the user over the second communication medium according to the stored user profile; the client terminal being arranged to receive the second identification information from the user and to supply the second identifier information to the server; and the server being arranged to verify user identity according to presentation of the second identification information.
- the first identification information includes any one of a username, a memorised access code, information read from a token, or any combination thereof.
- the first communication medium is different from the second communication medium.
- the third identification information is supplied to the user over the second communication medium through a mobile communication device.
- the second identification information is transmitted from the client terminal to the server over the first communication medium.
- the first identification information is derived from at least one second identification information supplied to a user previously.
- the first information includes a plurality of second identification information supplied to a user previously, and stored on a token.
- the token is a removable storage device.
- the second identification information sent to the user over the second communication medium is regenerated by the server.
- Figure 1 shows a preferred apparatus for user identity verification
- Figure 2 shows a flowchart illustrating a preferred method for user identity verification.
- Figure 1 shows a preferred apparatus for verifying identity of a user 1.
- the apparatus comprises a client terminal 10 coupled to a server 20 over a first communication link 50.
- the server 20 is also coupled to a second communication link 60.
- the first communication link 50 is ideally different to the second communication link 60.
- the first communication link 50 comprises a computer network such as a local area or wide area network, a- virtual private network, or a more open communication link such as the internet.
- the second communication link is, for example, a telecommunications network, suitably a wireless telephony network or cellular telephony network.
- Most preferably the second communication link 60 is a GSM cellular network capable of carrying short messages (SMS) .
- SMS short messages
- the apparatus of Figure 1 comprises a user profile store 22 at a suitable verification point.
- the server 20 it is convenient for the server 20 to comprise the user profile store 22, although it is possible for the user profile store 22 to be remote from the server 20.
- the client terminal 10 is any suitable form of computing platform, such as a desktop computer or mobile computing device such as a laptop or palmtop computer .
- Figure 2 shows a preferred method for verifying user identity, for use with the apparatus of Figure 1.
- the client terminal 10 receives first identification information.
- the first identification information is supplied to the client terminal 10, such as by the user 1 typing a user name and/or memorised access code into a keyboard input device 12- of the client terminal 10.
- the first identification information is sent from the client terminal 10 to the server 20 over the first communication link 50.
- the server 20 uses the received first identification information to retrieve a user profile from the user profile store 22. This provides a preliminary identification of the user 1.
- the server 20 then generates a second identification information, which is returned over the second communication link 60, to reach the user 1, at step 203.
- the second identification information is transferred to the client terminal 10, such as by the user 1 typing the second identification information into a keyboard input device 12 of the client terminal 10.
- the client terminal 10 sends the second • • identification information back to the server 20, over the first communication link 50.
- the server 20 verifies the identity of the user 1 based on the received second identification information.
- the second communication link 60 is a message transmission system such as an SMS system for use on GSM cellular networks .
- the second identification information is received by the user 1 such as by using a mobile communications device 40, i.e. a mobile phone.
- sending the second identification information to the user's mobile phone 40 according to a predetermined user profile in the user profile store 22, allows increased certainty as to the user's identity.
- Most users tend to carefully guard their mobile communication device 40 and will notice if it is stolen or subject to subversion. Hence, the user will take precautions to avoid unauthorised use of their mobile communication device 40.
- possession of the mobile communication device 40 allows a high degree of trust to be placed in the user's identity.
- the first identification information is provided at least in part from a token 30.
- the token 30 is readily portable and may be carried by the user 1.
- the user presents the token 30 to a token reader 11 of the client terminal 10.
- the token reader 11 extracts the first identification information from the token 30.
- the first identification information may come only from the token 30.
- the first identification information can be formed by taking identification information from the token 30, and from a user input such as . a user name and/or memorised access code.
- the first identification information is received and checked by the server 20, and is used to extract a user profile from the user profile store 22.
- the user profile store 22 contains information which allows a message to be sent over the second communication link 60 to reach the user 1, suitably at their mobile communication device 40.
- the user profile store contains a predetermined mobile telephone number of the mobile communication device 40.
- the second identification information is in the form of a password that is randomly generated by the server 20.
- the randomly generated password contains a short string (e.g. eight to twelve characters) containing a sequence of letters and numbers.
- the user 1 may then easily manually transfer the password from their mobile communication device by typing the password into a keyboard input device of the client terminal 10.
- the password can be automatically transferred from the mobile communication device 40 to the client terminal 10, such as by a short range infra-red communication link.
- the token 30 is a removable storage medium such as a smart card, or preferably a CD or DVD format storage medium.
- the token 30 comprises an updateable or re-writable storage medium such as a CD-RW or a re-writable DVD. This provides an additional layer of security, as the client terminal 10 can record passwords from previous occasions onto the token 30, i.e. record an incremental identity derived from the previous passwords.
- the client terminal 10 can then transmit the incremental token identity back to the server 20 via the first communication link 50, and these can also be checked against a list contained in the user profile store 22. Only if the server 20 is satisfied that the first identification information comprising the incremental identity read from the token 30 matches a stored profile in the user profile store 22 is a new password transmitted to the mobile communication device 40 of the user 1. This makes the cloning of tokens a less effective way to defeat the user identity verification system, since a cloned token will become out of date as soon as the real token 30 is used.
- other security coding can be included with ⁇ the first identification information on the token 30. The other security coding can also be regenerated and stored on the token 30 to add a yet further layer of security.
- the token 30 suitably stores operating software which allows the identity verification system to run on the client terminal 10.
- the token 30 by inserting the token 30 into any suitable computer terminal 10, the user
- Token 30 can also store other information such as promotional and advertising material.
- the identification information stored by the token 30 and/or the other information can be strongly encrypted.
- the token 30 and the* mobile communication device 40 can be incorporated into a single unit.
- the token 30 can in alternative embodiments further comprise a magnetic strip and/or a microprocessor chip to enable a single token 30 to be used for identification in a number of other existing systems.
- the token may include other visible identification information, such as a photograph identity.
- the user identity verification system described herein is able to operate at a number of different levels of security.
- a system administrator is able to select appropriate levels of security according to the needs of particular user or group of users . For some purposes it may be sufficient simply for possession of the token 30 to be an adequate mechanism for identifying the user 1.
- the transmission of first and second identification information, via the first and second communication links 50, 60 allows a higher degree of certainty.
- possession of both the token 30 and the mobile communication device 40 is required.
- a memorised user name or memorised access code is required, which avoids subversion in the event that the token 30 and. the mobile communication device 40 are stolen.
- the user identification system can be used to control access to buildings in combination with electronic locking mechanisms .
- Further example applications include authentication for pay-per-view broadcasting systems, or access to a private electronic messaging system.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Mobile Radio Communication Systems (AREA)
- Telephonic Communication Services (AREA)
- Collating Specific Patterns (AREA)
Applications Claiming Priority (9)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
GB0109200A GB0109200D0 (en) | 2001-04-12 | 2001-04-12 | Identifier card |
GB0109200 | 2001-04-12 | ||
GB0111528 | 2001-05-11 | ||
GB0111528A GB0111528D0 (en) | 2001-05-11 | 2001-05-11 | The identifier |
GB0126583A GB0126583D0 (en) | 2001-11-06 | 2001-11-06 | The identifier system |
GB0126583 | 2001-11-06 | ||
GB0126929A GB0126929D0 (en) | 2001-11-09 | 2001-11-09 | Identifier card system |
GB0126929 | 2001-11-09 | ||
PCT/GB2002/001645 WO2002084456A2 (en) | 2001-04-12 | 2002-04-11 | User identity verification system |
Publications (1)
Publication Number | Publication Date |
---|---|
EP1442350A2 true EP1442350A2 (de) | 2004-08-04 |
Family
ID=27447938
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP02761938A Ceased EP1442350A2 (de) | 2001-04-12 | 2002-04-11 | Benutzeridentitätverifikationssystem |
Country Status (3)
Country | Link |
---|---|
EP (1) | EP1442350A2 (de) |
GB (1) | GB2377523B (de) |
WO (1) | WO2002084456A2 (de) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10250590B2 (en) | 2015-08-31 | 2019-04-02 | Samsung Electronics Co., Ltd. | Multi-factor device registration for establishing secure communication |
Families Citing this family (15)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8650103B2 (en) | 2001-10-17 | 2014-02-11 | Ebay, Inc. | Verification of a person identifier received online |
JP2004234632A (ja) | 2003-01-06 | 2004-08-19 | Sony Corp | 認証システム、認証サーバ、認証方法、認証プログラム、端末、認証要求方法、認証要求プログラム、及び記憶媒体 |
GB2397731B (en) * | 2003-01-22 | 2006-02-22 | Ebizz Consulting Ltd | Authentication system |
DE60320862D1 (de) * | 2003-06-18 | 2008-06-19 | Ericsson Telefon Ab L M | Anordnung und verfahren in bezug auf ip-netzwerkzugang |
US7372839B2 (en) * | 2004-03-24 | 2008-05-13 | Broadcom Corporation | Global positioning system (GPS) based secure access |
TW200602909A (en) * | 2004-04-23 | 2006-01-16 | Nec Corp | User authentication system and data providing system using the same |
GB2413467B (en) * | 2004-04-24 | 2008-10-29 | David Hostettler Wain | Secure network incorporating smart cards |
EP1715402B1 (de) * | 2005-04-19 | 2008-03-26 | Nahar Anoop | Verfahren zur Breitbanddatenübertragung |
EP1868131A1 (de) * | 2006-06-14 | 2007-12-19 | Vodafone Holding GmbH | Verfahren und System für sichere Benutzerauthentifizierung |
DK2359290T3 (en) * | 2008-11-10 | 2017-07-17 | Sms Passcode As | PROCEDURE AND SYSTEM FOR PROTECTION AGAINST IDENTITY THEFT OR REPLICATION ABUSE |
NL1039134C2 (nl) * | 2011-10-26 | 2013-05-01 | Antonius Johannes Clemens Zon | Systeem voor het controleren van een legitimatiebewijs. |
RU2583710C2 (ru) | 2013-07-23 | 2016-05-10 | Закрытое акционерное общество "Лаборатория Касперского" | Система и способ обеспечения конфиденциальности информации, используемой во время операций аутентификации и авторизации, при использовании доверенного устройства |
CN103955637A (zh) * | 2014-04-09 | 2014-07-30 | 可牛网络技术(北京)有限公司 | 移动终端用户身份的识别方法及装置 |
JP6980961B2 (ja) * | 2017-04-05 | 2021-12-15 | 株式会社日本総合研究所 | フィッシング詐欺防止のための合言葉の検証装置、検証方法及びプログラム |
US11093732B2 (en) * | 2018-09-25 | 2021-08-17 | Advanced New Technologies Co., Ltd. | Reduction of search space in biometric authentication systems |
Family Cites Families (14)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US4679236A (en) * | 1984-12-21 | 1987-07-07 | Davies Richard E | Identification verification method and system |
US5060263A (en) * | 1988-03-09 | 1991-10-22 | Enigma Logic, Inc. | Computer access control system and method |
AU1390395A (en) * | 1994-01-14 | 1995-08-01 | Michael Jeremy Kew | A computer security system |
US5604803A (en) * | 1994-06-03 | 1997-02-18 | Sun Microsystems, Inc. | Method and apparatus for secure remote authentication in a public network |
US5668876A (en) * | 1994-06-24 | 1997-09-16 | Telefonaktiebolaget Lm Ericsson | User authentication method and apparatus |
FR2745136B1 (fr) * | 1996-02-15 | 1998-04-10 | Thoniel Pascal | Procede et dispositif d'identification securisee entre deux terminaux |
US5684951A (en) * | 1996-03-20 | 1997-11-04 | Synopsys, Inc. | Method and system for user authorization over a multi-user computer system |
GB2328310B (en) * | 1996-05-15 | 1999-12-08 | Ho Keung Tse | Electronic transaction apparatus and method therefor |
US5881226A (en) * | 1996-10-28 | 1999-03-09 | Veneklase; Brian J. | Computer security system |
JP3595109B2 (ja) * | 1997-05-28 | 2004-12-02 | 日本ユニシス株式会社 | 認証装置、端末装置、および、それら装置における認証方法、並びに、記憶媒体 |
GB9929291D0 (en) * | 1999-12-11 | 2000-02-02 | Connectotel Limited | Strong authentication method using a telecommunications device |
US6934858B2 (en) * | 1999-12-15 | 2005-08-23 | Authentify, Inc. | System and method of using the public switched telephone network in providing authentication or authorization for online transactions |
DE20001438U1 (de) * | 2000-01-28 | 2001-06-13 | Prestele Eugen | Kartuschenkolben |
EP1338132A2 (de) * | 2000-11-28 | 2003-08-27 | Swivel Technologies Limited | Vorrichtung und verfahren zur sicheren übertragung eines datenfiles |
-
2002
- 2002-04-11 EP EP02761938A patent/EP1442350A2/de not_active Ceased
- 2002-04-11 WO PCT/GB2002/001645 patent/WO2002084456A2/en not_active Application Discontinuation
- 2002-04-11 GB GB0208362A patent/GB2377523B/en not_active Expired - Fee Related
Non-Patent Citations (1)
Title |
---|
See references of WO02084456A3 * |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10250590B2 (en) | 2015-08-31 | 2019-04-02 | Samsung Electronics Co., Ltd. | Multi-factor device registration for establishing secure communication |
Also Published As
Publication number | Publication date |
---|---|
GB2377523B (en) | 2003-11-26 |
WO2002084456A3 (en) | 2003-10-30 |
WO2002084456A2 (en) | 2002-10-24 |
GB2377523A8 (en) | 2003-05-12 |
GB0208362D0 (en) | 2002-05-22 |
GB2377523A (en) | 2003-01-15 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP1969880B1 (de) | System und verfahren zur dynamischen mehrfaktorauthentifikation | |
JP5133248B2 (ja) | クライアント/サーバー認証システムにおけるオフライン認証方法 | |
US8365988B1 (en) | Dynamic credit card security code via mobile device | |
US9519764B2 (en) | Method and system for abstracted and randomized one-time use passwords for transactional authentication | |
US8997177B2 (en) | Graphical encryption and display of codes and text | |
US20020087892A1 (en) | Authentication method and device | |
US20090013402A1 (en) | Method and system for providing a secure login solution using one-time passwords | |
US10204217B2 (en) | System and method for replacing common identifying data | |
US20080216172A1 (en) | Systems, methods, and apparatus for secure transactions in trusted systems | |
MX2007007511A (es) | Dispositivo y/o metodo de autentificacion. | |
EP1442350A2 (de) | Benutzeridentitätverifikationssystem | |
WO2010011731A2 (en) | Methods and systems for secure key entry via communication networks | |
EP1604257B1 (de) | Verfahren und vorrichtung zur identifizierung eines authorisierten person mittels nicht vorhersagbaren einmal benutzbaren passwortern | |
JP2008537210A (ja) | 安全保証されたデータ通信方法 | |
EP3579595B1 (de) | Verbessertes system und verfahren zur internet-altersüberprüfung | |
CN102822835A (zh) | 个人便携式安全网络访问系统 | |
US20050005128A1 (en) | System for controlling access to stored data | |
CA2611549C (en) | Method and system for providing a secure login solution using one-time passwords | |
JP2007065789A (ja) | 認証システム及び方法 | |
US20080197971A1 (en) | System, method and article for online fraudulent schemes prevention | |
Proctor et al. | Human factors in information security methods | |
session SAAAAAA | SkS U33" flgis;,--CL) tSee | |
IES85150Y1 (en) | Securing access authorisation |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase |
Free format text: ORIGINAL CODE: 0009012 |
|
17P | Request for examination filed |
Effective date: 20040311 |
|
AK | Designated contracting states |
Kind code of ref document: A2 Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LI LU MC NL PT SE TR |
|
17Q | First examination report despatched |
Effective date: 20041215 |
|
17Q | First examination report despatched |
Effective date: 20041215 |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: THE APPLICATION HAS BEEN REFUSED |
|
18R | Application refused |
Effective date: 20080624 |