EP1442350A2 - User identity verification system - Google Patents

User identity verification system

Info

Publication number
EP1442350A2
Authority
EP
European Patent Office
Prior art keywords
identification information
user
server
communication medium
client terminal
Legal status
Ceased
Application number
EP02761938A
Other languages
English (en)
French (fr)
Inventor
David Powers
Current Assignee
Netdesigns Ltd
Original Assignee
Netdesigns Ltd
Priority date
2001-04-12
Filing date
2002-04-11
Publication date
2004-08-04
Priority claimed from GB0109200A
Priority claimed from GB0111528A
Priority claimed from GB0126583A
Priority claimed from GB0126929A
Application filed by Netdesigns Ltd
Publication of EP1442350A2

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/313 User authentication using a call-back technique via a telephone network
    • G06F21/34 User authentication involving the use of external additional devices, e.g. dongles or smart cards
    • G06F21/42 User authentication using separate channels for security data

Definitions

  • the invention relates in general to the field of user identity verification.
  • the invention relates to a method and apparatus for user identification in a client-server system.
  • Common user identity verification systems are based on passwords that are memorised by the user. Such systems may be subverted if the memorised information becomes publicly available.
  • Another problem associated with passwords for user identity verification is that a user may require passwords for a number of separate computer systems, and therefore has to remember not only a number of passwords, but also which password corresponds to which computer system. This can lead to a user adopting a common password for all computer systems. Having a single universal password poses a considerable increase in risk of a security breach at all the systems due to the increased likelihood of the password becoming publicly available, and public awareness that one password may permit access to more than one separate computer system.
  • Other more sophisticated forms of subversion exist, such as local or remote monitoring of keystrokes or screen displays.
  • a known alternative user identity verification technique involves the possession of a token, such as a card comprising identification information.
  • the holder of the token can be identified as an authorised user.
  • the token comprises an optical disc or a smartcard disc.
  • cards can be stolen or duplicated, allowing unauthorised and/or unidentifiable users to access otherwise secure computer systems.
  • An aim of the present invention is to provide a method and apparatus for verifying identity of a user in a manner which is reliable and which is not vulnerable to subversion.
  • Preferred embodiments of the present invention aim to address the problems of the prior art mentioned above.
  • a method of user identity verification in a system comprising a client terminal couplable to a server by a first communication medium, the method comprising: sending a first identification information over the first communication medium from the client terminal to the server; verifying, at the server, that the first identification information corresponds to a stored user profile; returning a second identification information to a user over a second communication medium according to the stored user profile; sending the second identification information to the server via the client terminal; and verifying user identity, at the server, according to presentation of the second identification information.
  • a user identity verification apparatus comprising: a server comprising a user profile store; a client terminal coupled to a server by a first communication medium; a second communication medium coupled to the server for supply of second identification information to a user, the client terminal being arranged in use to receive the first identification information, and to supply the first identification information over the first communication medium to the server; the server being arranged to verify that the first identification information corresponds to a user profile in the user profile store and to supply a second identification information to the user over the second communication medium according to the stored user profile; the client terminal being arranged to receive the second identification information from the user and to supply the second identifier information to the server; and the server being arranged to verify user identity according to presentation of the second identification information.
  • the first identification information includes any one of a username, a memorised access code, information read from a token, or any combination thereof.
  • the first communication medium is different from the second communication medium.
  • the third identification information is supplied to the user over the second communication medium through a mobile communication device.
  • the second identification information is transmitted from the client terminal to the server over the first communication medium.
  • the first identification information is derived from at least one second identification information supplied to a user previously.
  • the first information includes a plurality of second identification information supplied to a user previously, and stored on a token.
  • the token is a removable storage device.
  • the second identification information sent to the user over the second communication medium is regenerated by the server.
  • Figure 1 shows a preferred apparatus for user identity verification.
  • Figure 2 shows a flowchart illustrating a preferred method for user identity verification.
  • Figure 1 shows a preferred apparatus for verifying identity of a user 1.
  • the apparatus comprises a client terminal 10 coupled to a server 20 over a first communication link 50.
  • the server 20 is also coupled to a second communication link 60.
  • the first communication link 50 is ideally different to the second communication link 60.
  • the first communication link 50 comprises a computer network such as a local area or wide area network, a virtual private network, or a more open communication link such as the internet.
  • the second communication link is, for example, a telecommunications network, suitably a wireless telephony network or cellular telephony network.
  • Most preferably the second communication link 60 is a GSM cellular network capable of carrying short messages (SMS).
  • the apparatus of Figure 1 comprises a user profile store 22 at a suitable verification point.
  • it is convenient for the server 20 to comprise the user profile store 22, although it is possible for the user profile store 22 to be remote from the server 20.
  • the client terminal 10 is any suitable form of computing platform, such as a desktop computer or mobile computing device such as a laptop or palmtop computer.
  • Figure 2 shows a preferred method for verifying user identity, for use with the apparatus of Figure 1.
  • the client terminal 10 receives first identification information.
  • the first identification information is supplied to the client terminal 10, such as by the user 1 typing a user name and/or memorised access code into a keyboard input device 12 of the client terminal 10.
  • the first identification information is sent from the client terminal 10 to the server 20 over the first communication link 50.
  • the server 20 uses the received first identification information to retrieve a user profile from the user profile store 22. This provides a preliminary identification of the user 1.
  • the server 20 then generates a second identification information, which is returned over the second communication link 60, to reach the user 1, at step 203.
  • the second identification information is transferred to the client terminal 10, such as by the user 1 typing the second identification information into a keyboard input device 12 of the client terminal 10.
  • the client terminal 10 sends the second identification information back to the server 20, over the first communication link 50.
  • the server 20 verifies the identity of the user 1 based on the received second identification information.
  • the second communication link 60 is a message transmission system such as an SMS system for use on GSM cellular networks.
  • the second identification information is received by the user 1 such as by using a mobile communications device 40, i.e. a mobile phone.
  • sending the second identification information to the user's mobile phone 40 according to a predetermined user profile in the user profile store 22, allows increased certainty as to the user's identity.
  • Most users tend to carefully guard their mobile communication device 40 and will notice if it is stolen or subject to subversion. Hence, the user will take precautions to avoid unauthorised use of their mobile communication device 40.
  • possession of the mobile communication device 40 allows a high degree of trust to be placed in the user's identity.
  • the first identification information is provided at least in part from a token 30.
  • the token 30 is readily portable and may be carried by the user 1.
  • the user presents the token 30 to a token reader 11 of the client terminal 10.
  • the token reader 11 extracts the first identification information from the token 30.
  • the first identification information may come only from the token 30.
  • the first identification information can be formed by taking identification information from the token 30, and from a user input such as a user name and/or memorised access code.
  • the first identification information is received and checked by the server 20, and is used to extract a user profile from the user profile store 22.
  • the user profile store 22 contains information which allows a message to be sent over the second communication link 60 to reach the user 1, suitably at their mobile communication device 40.
  • the user profile store contains a predetermined mobile telephone number of the mobile communication device 40.
  • the second identification information is in the form of a password that is randomly generated by the server 20.
  • the randomly generated password contains a short string (e.g. eight to twelve characters) containing a sequence of letters and numbers.
  • the user 1 may then easily manually transfer the password from their mobile communication device by typing the password into a keyboard input device of the client terminal 10.
  • the password can be automatically transferred from the mobile communication device 40 to the client terminal 10, such as by a short range infra-red communication link.
  • the token 30 is a removable storage medium such as a smart card, or preferably a CD or DVD format storage medium.
  • the token 30 comprises an updateable or re-writable storage medium such as a CD-RW or a re-writable DVD. This provides an additional layer of security, as the client terminal 10 can record passwords from previous occasions onto the token 30, i.e. record an incremental identity derived from the previous passwords.
  • the client terminal 10 can then transmit the incremental token identity back to the server 20 via the first communication link 50, and these can also be checked against a list contained in the user profile store 22. Only if the server 20 is satisfied that the first identification information comprising the incremental identity read from the token 30 matches a stored profile in the user profile store 22 is a new password transmitted to the mobile communication device 40 of the user 1. This makes the cloning of tokens a less effective way to defeat the user identity verification system, since a cloned token will become out of date as soon as the real token 30 is used.
  • other security coding can be included with the first identification information on the token 30. The other security coding can also be regenerated and stored on the token 30 to add a yet further layer of security.
  • the token 30 suitably stores operating software which allows the identity verification system to run on the client terminal 10.
  • the token 30 by inserting the token 30 into any suitable computer terminal 10, the user
  • Token 30 can also store other information such as promotional and advertising material.
  • the identification information stored by the token 30 and/or the other information can be strongly encrypted.
  • the token 30 and the mobile communication device 40 can be incorporated into a single unit.
  • the token 30 can in alternative embodiments further comprise a magnetic strip and/or a microprocessor chip to enable a single token 30 to be used for identification in a number of other existing systems.
  • the token may include other visible identification information, such as a photograph identity.
  • the user identity verification system described herein is able to operate at a number of different levels of security.
  • a system administrator is able to select appropriate levels of security according to the needs of a particular user or group of users. For some purposes it may be sufficient simply for possession of the token 30 to be an adequate mechanism for identifying the user 1.
  • the transmission of first and second identification information, via the first and second communication links 50, 60 allows a higher degree of certainty.
  • possession of both the token 30 and the mobile communication device 40 is required.
  • a memorised user name or memorised access code is required, which avoids subversion in the event that the token 30 and the mobile communication device 40 are stolen.
  • the user identification system can be used to control access to buildings in combination with electronic locking mechanisms.
  • Further example applications include authentication for pay-per-view broadcasting systems, or access to a private electronic messaging system.
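
The two-channel flow of Figure 2, combined with the rewritable-token check described above, as an added example that is not code from the patent or its applicant. The SHA-256 chain used for the incremental identity, the PBKDF2 storage of the access code, the 300-second lifetime, the single-guess rule and every name and sample value are assumptions; the SMS link is simulated by a list.

```python
import hashlib
import hmac
import secrets
import string
import time

ALPHABET = string.ascii_letters + string.digits
TTL_SECONDS = 300  # assumption: the page sets no lifetime for the password


def kdf(access_code: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", access_code.encode(), salt, 100_000)


def roll(identity: bytes, password: str) -> bytes:
    """Fold a used password into the incremental identity (assumed SHA-256 chain)."""
    return hashlib.sha256(identity + password.encode()).digest()


class Server:
    def __init__(self):
        self.profiles = {}    # user profile store 22
        self.pending = {}     # username -> (password, expiry time)
        self.sms_outbox = []  # stands in for the second communication link 60

    def enrol(self, username, access_code, phone, token_seed):
        salt = secrets.token_bytes(16)
        self.profiles[username] = {"salt": salt, "code": kdf(access_code, salt),
                                   "phone": phone, "token_identity": token_seed}

    def first_step(self, username, access_code, token_identity, now=None):
        """Check the first identification information, then send a password by SMS."""
        now = time.time() if now is None else now
        profile = self.profiles.get(username)
        if profile is None:
            return False
        code_ok = hmac.compare_digest(kdf(access_code, profile["salt"]), profile["code"])
        token_ok = hmac.compare_digest(token_identity, profile["token_identity"])
        if not (code_ok and token_ok):
            return False  # a stale (cloned) token never triggers an SMS
        password = "".join(secrets.choice(ALPHABET) for _ in range(10))
        self.pending[username] = (password, now + TTL_SECONDS)
        self.sms_outbox.append((profile["phone"], password))
        return True

    def second_step(self, username, password, now=None):
        """Verify the password typed back at the client terminal; single use."""
        now = time.time() if now is None else now
        issued, expiry = self.pending.pop(username, (None, 0.0))
        if issued is None or now > expiry:
            return False
        if not hmac.compare_digest(issued.encode(), password.encode()):
            return False  # one wrong guess discards the pending password
        profile = self.profiles[username]
        profile["token_identity"] = roll(profile["token_identity"], issued)
        return True


def demo():
    server = Server()
    seed = secrets.token_bytes(32)
    server.enrol("alice", "4711", "+440000000000", seed)  # constructed values
    real_token = clone_token = seed  # clone copied before the next genuine login
    server.first_step("alice", "4711", real_token)
    sms_password = server.sms_outbox[-1][1]
    logged_in = server.second_step("alice", sms_password)
    real_token = roll(real_token, sms_password)  # terminal rewrites the CD-RW
    clone_rejected = not server.first_step("alice", "4711", clone_token)
    real_accepted = server.first_step("alice", "4711", real_token)
    return logged_in, clone_rejected, real_accepted, len(server.sms_outbox)


if __name__ == "__main__":
    print(demo())
```

If the terminal fails to rewrite the token after a successful login, the genuine token is rejected in the same way as a clone, so a deployment of this scheme needs a re-enrolment path.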

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Telephonic Communication Services (AREA)
  • Collating Specific Patterns (AREA)
EP02761938A 2001-04-12 2002-04-11 User identity verification system Ceased EP1442350A2 (de)

Applications Claiming Priority (9)

Application Number Priority Date Filing Date Title
GB0109200A GB0109200D0 (en) 2001-04-12 2001-04-12 Identifier card
GB0109200 2001-04-12
GB0111528 2001-05-11
GB0111528A GB0111528D0 (en) 2001-05-11 2001-05-11 The identifier
GB0126583A GB0126583D0 (en) 2001-11-06 2001-11-06 The identifier system
GB0126583 2001-11-06
GB0126929A GB0126929D0 (en) 2001-11-09 2001-11-09 Identifier card system
GB0126929 2001-11-09
PCT/GB2002/001645 WO2002084456A2 (en) 2001-04-12 2002-04-11 User identity verification system

Publications (1)

Publication Number Publication Date
EP1442350A2 (de) 2004-08-04

Family

ID=27447938

Family Applications (1)

Application Number Title Priority Date Filing Date
EP02761938A Ceased EP1442350A2 (de) 2001-04-12 2002-04-11 User identity verification system

Country Status (3)

Country Link
EP (1) EP1442350A2 (de)
GB (1) GB2377523B (de)
WO (1) WO2002084456A2 (de)

Also Published As

Publication number Publication date
GB2377523B (en) 2003-11-26
WO2002084456A3 (en) 2003-10-30
WO2002084456A2 (en) 2002-10-24
GB2377523A8 (en) 2003-05-12
GB0208362D0 (en) 2002-05-22
GB2377523A (en) 2003-01-15

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20040311

AK Designated contracting states

Kind code of ref document: A2

Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LI LU MC NL PT SE TR

17Q First examination report despatched

Effective date: 20041215

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION HAS BEEN REFUSED

18R Application refused

Effective date: 20080624