EP2567502A2 - Verfahren zur authentifizierung eines benutzers bei der anfrage einer transaktion mit einem dienstanbieter - Google Patents

Verfahren zur authentifizierung eines benutzers bei der anfrage einer transaktion mit einem dienstanbieter

Info

Publication number
EP2567502A2
EP2567502A2 EP11723560A EP11723560A EP2567502A2 EP 2567502 A2 EP2567502 A2 EP 2567502A2 EP 11723560 A EP11723560 A EP 11723560A EP 11723560 A EP11723560 A EP 11723560A EP 2567502 A2 EP2567502 A2 EP 2567502A2
Authority
EP
European Patent Office
Prior art keywords
authentication
user
data
mobile terminal
server
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
EP11723560A
Other languages
English (en)
French (fr)
Inventor
Johann Liberman
Panos Chatzikomninos
Jean Pascal Aubert
Benoit Delestre
Didier Hallepee
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
4G SECURE
Original Assignee
4G SECURE
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 4G SECURE filed Critical 4G SECURE
Publication of EP2567502A2 publication Critical patent/EP2567502A2/de
Withdrawn legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • GPHYSICS
    • G09EDUCATION; CRYPTOGRAPHY; DISPLAY; ADVERTISING; SEALS
    • G09CCIPHERING OR DECIPHERING APPARATUS FOR CRYPTOGRAPHIC OR OTHER PURPOSES INVOLVING THE NEED FOR SECRECY
    • G09C5/00Ciphering apparatus or methods not provided for in the preceding groups, e.g. involving the concealment or deformation of graphic data such as designs, written or printed messages
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3228One-time or temporary data, i.e. information which is sent for every authentication or authorization, e.g. one-time-password, one-time-token or one-time-key
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3297Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving time stamps, e.g. generation of time stamps
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/56Financial cryptography, e.g. electronic payment or e-cash
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/80Wireless

Definitions

  • the present invention relates to the field of authentication, particularly in a context of securing access and online services offered in the context of banking transactions.
  • authentication In the security of information systems, authentication is said to be “strong” when it uses an identification procedure requiring the concatenation of at least two authentication elements or "factors” chosen from among the entities to be authenticated. authenticate knows, what it holds or what it is.
  • Strong authentication is one of the essential foundations to guarantee the authorization or control of access to a service (ie who can access it), confidentiality (ie who can see the service), integrity (ie who can modify the service) and traceability (ie who accessed it).
  • the choice of an authentication method adapted to each need will be based on a certain level of contractualization defined by means of a risk analysis based on the cost of the means of authentication to be implemented, the cost related to the various risks (sensitivity of the application, data, etc.) and the expected benefits for the user (depending on his level of expertise).
  • This first level better than the identification by simple pair of identifier / password, is based on the implementation of a low level authentication solution, comparable to a strong pseudo authentication.
  • This level can be defined when organizational and technical means are implemented in order to better guarantee the identity of the different actors (for example, authorized users and / or third parties of an e-banking service or e-bank). - chest).
  • a third level of contracting may be set when one is within the perimeter of the strong authentication in which the authentication level (2nd degree) is legally admissible even if in case of dispute the proof of its reliability remains to be brought by the one who implements it.
  • An object of the present invention is to respond to the above problems.
  • the present invention aims to provide a user-friendly authentication system, intuitive, ergonomic, secure and usable by a maximum of customers.
  • the present invention also aims to create a secure transaction context capable of ensuring the transport, the encryption / decryption of dynamic data and the presentation of these data to a server for processing, validation, timestamping and legal archiving. This transaction in uses requiring a high level of trust.
  • the present invention aims in particular to allow uses and services requiring a high level of security, such as payment and electronic signature, with a non-repudiation option.
  • the present invention proposes for this purpose a method of authenticating a user requesting a transaction from a service provider, the method comprising the generation of a user-specific authorization code and the transaction required to from an authentication data read on a screen by means of a mobile terminal, the reading of the authorization code, displayed by the mobile terminal, by means of reading a digital device and sending, by this digital device to the service provider, read authorization code to authenticate the user.
  • the specific character of the authorization code thus generated prevents its reuse by a malicious user during a subsequent transaction. Moreover, reading both the authentication data and the resulting authorization code with means such as a mobile terminal or a computer makes it possible to make the authentication process more user-friendly and to avoid input errors that the user can make when entering codes that may be lengthy.
  • the authorization code is generated by signing the authentication data read by means of a secret code entered by the user on the mobile terminal, which makes it possible to authenticate the user requesting the transaction more reliably.
  • the authorization code is generated by signing the authentication data further by means of an identification data of the mobile terminal, which makes it possible to ensure strong authentication.
  • the authorization code generated is encoded in the form of an image, in particular of a two-dimensional barcode, before being displayed by the mobile terminal.
  • an image in particular of a two-dimensional barcode
  • reading of the authorization code is performed by means of a near-field communication wireless communication technology.
  • the method comprises transmitting the authentication data read from the mobile terminal to the authentication server (AS), generating the authorization code from the authentication data in the server. authentication, and the transmission of the generated authorization code to the terminal mobile.
  • AS authentication server
  • This embodiment alleviates the calculations to be performed at the mobile terminal.
  • the read authentication data is interpreted in the mobile terminal by means of a custom application specific to the user and downloaded from an authentication server, said personalized application generating the authorization code from the authentication data read.
  • the method further comprises a preliminary enrollment step, during which an activation code is transmitted to the mobile terminal, followed by an activation step during which the personalized application is downloaded to the mobile terminal.
  • this activation code being used during the activation step to activate the downloaded custom application, which allows the user to choose when he wants to activate the custom application.
  • the enrollment step comprises a step of verifying the identity of the user before transmitting the activation code, said transmission being performed only if said verification is performed in a positive manner.
  • the activation step comprises the transmission of at least one confidential data specific to the user of the mobile terminal, this confidential data used to encrypt the authentication data in the mobile terminal before transmission. the authentication server and / or decrypting the authorization code received by the mobile terminal. The transfers of the authentication data to the authentication server, on the one hand, and the authorization code to the mobile terminal, on the other hand, are thus secured.
  • the method comprises generating, during the preliminary enrollment step, the personalized application and / or the confidential data as a function of at least one internal identification data generated at from at least one personal identification data sent by the user to the service provider.
  • the authentication data is generated, by the service provider, based on data related to the transaction and personal data received from the user, which prevents the reuse of such data. authentication by a malicious user during a subsequent transaction.
  • the present invention provides a system for authenticating a user requesting a transaction from a service provider, the system comprising a screen arranged to display authentication data received from the service provider, a terminal mobile device comprising means for entering the authentication data displayed on the screen and display means arranged to display an authorization code specific to the user and the required transaction and a digital device comprising input means able to read the authorization code displayed by the mobile terminal and send this authorization code to the service provider in order to authenticate the user.
  • this authentication system further comprises an authentication server as described above.
  • the authentication system comprises a service server, used by the service provider to provide a service required by the user, the service server comprising a reception module arranged to receive at least one data item. of the user and the authorization code issued by the user, computing means arranged to generate at least one internal identification data from at least one of the personal data received, and a transmission module arranged to send the generated internal identification data to the authentication server.
  • FIG. 1A represents the steps of an authentication method according to the principle of the present invention
  • FIG. 1B illustrates a system according to a first embodiment of the "off-line" type implementing the authentication method of the present invention
  • FIG. 2A represents the substeps of the enrollment step of the authentication method according to the principle of the present invention
  • FIG. 2B represents a first embodiment of the system implementing the enrollment step of the authentication method according to the principle of the present invention
  • FIG. 2C represents a second embodiment of the system implementing the authentication method enrollment step according to the principle of the present invention
  • FIG. 3A illustrates the constituent substeps of the activation step of the personalized application according to an embodiment of the present invention
  • FIG. 3B illustrates a system implementing the activation step of the personalized application of the authentication method according to the principle of the present invention
  • FIG. 4A illustrates the constituent sub-steps of the step of generating the authorization code of an authentication method according to a second embodiment of the "on-line" type
  • FIG. 4B illustrates a first embodiment of the system implementing the authentication method according to the second embodiment of the "online" type, where the authorization code is generated in an authentication server AS distinct from the server of the service provider ;
  • FIG. 4C illustrates a second embodiment of the system implementing the authentication method according to the second embodiment of "on-line" type, where the authorization code is generated in the server of the service provider on which Authentication features have been installed.
  • FIG. 1A are illustrated the steps of an authentication method according to the principle of the present invention.
  • This method can start with a step A of enrolling a user Ui with a service provider with whom he wishes to perform a transaction.
  • the user Ui will send to this service provider (for example to an SP service server managed by this service provider) a certain number of personal identification data (here called "d id "), by example by entering them on his computer through a client application associated with the SP server of the service provider.
  • this service provider for example to an SP service server managed by this service provider
  • d id personal identification data
  • Such personal data d id is used to formally identify the user Ui when the one subscribes to a service. Once the SP server has received this personal data, it is controlled by the service provider, in order to subsequently guarantee that the user Ui is the real user.
  • Such a control can be done on the basis of already known data if the user is already known (thanks to data present on a bank statement, for example), by a telephone call from an operator, or by the request of the copy of the identity card of a new user.
  • this personal data is stored securely, for example in the SP server of the service provider or in another server delegated to this task.
  • a step B of activation of a personalized application, generated specifically for the user Ui, on a mobile terminal belonging to the user Ui can be made to at this stage, to allow the user Ui to use his mobile terminal in the authentication procedure with the service provider.
  • An example of such an activation step is described later.
  • the user Ui is ready to perform a transaction requiring authentication with the service provider.
  • the method comprises a step C of displaying an authentication data (referred to aut hr thereafter) on a screen to which access SNA user Ui.
  • a screen can naturally be the screen connected to the personal computer of the user Ui, in which case the authentication data aut h is transmitted beforehand from the SP server of the service provider to this personal computer to be displayed on this screen.
  • This screen can also be a television screen, or even a mobile phone screen.
  • the sending of this authentication data can be conditioned upon receipt by the server SP of a transaction request from the user's personal computer Ui.
  • the user Ui can use his personal computer to access a client application associated with the service provider (for example through the website of this provider) and indicate his intention to carry out a transaction.
  • the server SP generates and sends the authentication data to the personal computer of the user Ui.
  • the aut h of authentication data displayed in step C can take the form of a bar code in two dimensions, a tag, a password to a single use ( "One-Time Password Or OTP in English) or an NFC message (for Near-Field Communication), among others.
  • the graphic representation of this two-dimensional barcode or this tag complies with commonly used standards, such as QR-Code, Datamatrix, PDF 417 , Microsoft tag.
  • the authentication data aut h transmitted by the service provider is generated specifically for the required transaction, based on data related to the transaction and possibly personal data received from the user.
  • this authentication datum aut h is single-use and is generated at each transaction so as to be different for each required transaction.
  • the possible knowledge of this authentication data by interception of a malicious user does not allow him to use this information for subsequent transactions.
  • the user Ui uses his mobile terminal to enter this authentication data, during a step D of reading, so that it is interpreted by the custom application previously activated in step B.
  • this authentication data aut h is read by the user Ui, which manually entered on his mobile terminal.
  • This first embodiment is particularly suitable when the mobile terminal of the user does not have own reading means such as a camera.
  • the authentication datum aut h is read directly by the mobile terminal, which has its own reading means.
  • the user Ui can take a picture of the authentication data aut h displayed on the screen, and the application activated in the software will use the snapshot taken for find the relevant data in the authentication data and interpret them.
  • the mobile terminal when the mobile terminal has an NFC reader, the latter can read an authentication data aut h presented as an NFC message using a communication technology wireless communication type field near, referred to as "Near-Field Communication". This alternative avoids having to aim precisely SCN screen with the mobile terminal.
  • an authorization code cod is generated and then displayed by the mobile terminal, during a step E of code generation. This cod code is used to authenticate the user Ui with the service provider.
  • the authorization code cod is advantageously encoded in the form of an image, a two-dimensional bar code, a tag, a d a single-time password ("One-Time Password" or OTP) or an NFC message, among others.
  • This authorization code generation step E may be implemented according to different embodiments.
  • the authorization code cod is generated entirely by the personalized application installed on the mobile terminal, which makes it possible to use this mobile terminal without it being necessarily connected to the mobile network and limits the transfer of sensitive data that can be recovered by a malicious third party.
  • the personalized application interprets the authentication data aut h read and generates from the interpreted data a cod authorization code, which is displayed by the mobile terminal.
  • the personalized application in addition to the authentication data d aut h, can also use a secret code assigned to the user to generate the authorization code, which reinforces the character specifically related to the user of this code authorization.
  • the codi authorization code is generated, by the personalized application installed on the mobile terminal, from the authorization data aut h read by the mobile terminal and a secret code assigned to the user, this secret code can be used to sign the authorization data aut h to obtain a code of authorization cod, single use, which takes the form of a password to single use ("One-Time Password").
  • the authorization code cod can be generated by signing the authentication data aut h read by such a secret code entered by the user on the mobile terminal TEL, this secret code is also known on the side of the AS authentication server, to allow the decryption of this authorization code.
  • a such authorization code is then not only specific to the required transaction, but serves to authenticate the user requesting this transaction.
  • the cod authorization code is generated by signing the given authentication aut h using not only the secret code of the user, but also of the identification data mobile terminal (for example its IMEI number), which makes it possible to verify, during the subsequent verification step, that the transaction is indeed associated with this user Ui and that it is indeed the user Ui that has generated the code authorization.
  • a time stamp data can also be used to sign the authentication data of aut h, which further complicates the code authorization cod, and allows to date the authentication time of the transaction.
  • the authorization code cod is advantageously encoded in the form of an image, for example in the form of a two-dimensional barcode or tag.
  • the authorization code is then illegible directly by a human being, which allows on the one hand to prevent the authorization code is visually intercepted by a malicious user who can look at the screen of the mobile terminal, while allowing on the other hand its reading, when displayed by the mobile terminal, by optical reading means adapted to read this type of barcode.
  • This embodiment also makes it possible to use authorization codes of considerable length (for example of 256 characters), which are therefore very specific and safer than the authorization codes to be entered manually by a user, and therefore to be limited in length at the risk of causing user input errors.
  • Such an embodiment is particularly adapted to the encoding of a complex code authorization code generated by the signature of authentication data by means of the secret code of the user, a terminal identification data. mobile and time stamp data. Once this authorization code cod, generated, it is displayed on the mobile terminal so that it can be entered by a digital PC device of the user Ui, during a step F of reading this authorization code cod, .
  • the digital device PC used to read this authorization code cod may be a personal computer comprising reading means capable of reading this code (for example a webcam, a digital camera or an NFC reader), or even a mobile phone comprising reading means (e.g. digital camera type or NFC) capable of capturing an image of cod authorization code.
  • reading means capable of reading this code for example a webcam, a digital camera or an NFC reader
  • mobile phone comprising reading means (e.g. digital camera type or NFC) capable of capturing an image of cod authorization code.
  • the reading of the authorization code can be achieved by a near-field communication (NFC) type wireless communication technology, in order not to have to aim precisely the mobile terminal with the reading means of the PC digital device.
  • NFC near-field communication
  • the screen SCN on which is read the authentication data aut h during the reading step D, can belong to the same digital device PC that the reading means used to read the code d 'authorization cod.
  • the authorization code cod has been encoded as an image (in particular in the form of a two-dimensional barcode) before being displayed by the mobile terminal
  • the image is then read by the reading means of the digital device to then be transmitted to the SP server of the service provider.
  • this read image can be decoded at the level of the digital device PC, for example by means of pattern recognition, in order to retrieve the authorization code cod, and to transmit this code in decoded form rather only in the form of an image.
  • the authorization code generated is in the form of an image, that is to say when this authorization code is encoded as an image (for example a two-dimensional barcode), the user then presents this image in front of a webcam connected to his personal computer, so that this image can be automatically transferred to the server of the bank to allow or not its connection.
  • the authorization code cod is generated in a separate server of the mobile terminal, which is then content to interpret the authentication data read and possibly to format it. and encrypting it before transmitting it to this server, which generates the codi authorization code according to the auth authentication data it receives via the mobile terminal and returns this authorization code to the mobile terminal where it is posted.
  • the mobile can, depending on the case, directly transmit this authorization code, or translate and process it before transmitting it to the authentication server.
  • the transaction data and this authorization code cod are sent (step G) to the SP server of the service provider who will perform the verification (step H) of this code in order to authenticate the user Ui and allow the transaction if this authentication is correct.
  • FIG. 1B illustrates a system according to a first embodiment of the "off-line" type, implementing the authentication method of the present invention as previously described in FIG. 1A.
  • Such a system comprises an SP server belonging to the connected service provider, for example via the Internet, to the personal computer ("PC") of the user Ui.
  • PC personal computer
  • This personal computer has a screen ("SCN") which is used to display the authentication data d auth sent by the server SP, as well as reading means (for example a webcam or an optical reader) for reading a authorization code displayed by a mobile terminal.
  • SCN screen
  • reading means for example a webcam or an optical reader
  • the present invention uses a mobile terminal TEL such as a mobile phone, a smartphone, a digital music player, etc. owned by the user Ui, on which is installed an application capable of interpreting the data.
  • a mobile terminal TEL such as a mobile phone, a smartphone, a digital music player, etc. owned by the user Ui, on which is installed an application capable of interpreting the data.
  • authentication device and which has display means (such as an LCD screen) on which an authorization code can be displayed.
  • Figure 2A illustrates the substeps of enrollment step A according to an embodiment of the present invention using an AS authentication server.
  • the user Ui sends the service provider's SP server a certain number of personal identification data id , for example by entering them on his computer through a client application. associated with the SP server of the service provider.
  • This personal identification data id once received by the server SP, are stored in a substep A2 storage.
  • the service provider's SP server sends a request req to an authentication server AS so that it generates a number of elements for the authentication of the user. .
  • this authentication server AS may correspond to the SP server of the service provider on which additional authentication features have been installed.
  • this first embodiment where the authentication, identification and service provisioning functionalities are integrated within the same server, all the exchanges between authentication and service provisioning modules are done within a single server. the same secure environment, which enhances the security of the system.
  • this authentication server AS is a server separate from the SP server of the service provider, in which case the authentication functions are deliberately separated from the transaction and service provisioning functions, which allows a management authentication by an operator separate from the service provider, which does not necessarily have the technical skills or the ability to handle this authentication.
  • the request req is accompanied by a number of user internal identification data dim, based on the personal identification data received by the server SP but different from the latter, in order to enable the generation of the elements used for the authentication of the user in the authentication server AS, while guaranteeing the anonymity of this here from this server.
  • the authentication server AS Following reception of the request req, the authentication server AS generates (sub-step A4) on the one hand the personalized application APP, which will be used to interpret the authentication data d aut h and which is intended to to be installed on the mobile terminal TEL, of the user.
  • Such a personalized application APP may, for example, contain a number of custom elements to customize the application to make it specific to the user Ui.
  • this custom application may contain the user's password signature as well as an algorithm to verify the password.
  • this APP application also contains an algorithm for verifying an activation PIN code.
  • the duration of validity of the APP personalized application is also configurable by the operator of the AS authentication server according to the service provider concerned and according to the needs of this service provider.
  • the authentication server AS can also generate, again during this generation substep A4, a certain number of confidential data, designated by the abbreviation "serves,” in FIG. 2A, according to the identification data. received by the AS server:
  • This confidential data is used, is specific to the user Ui and is generated from the internal data dim which has itself been generated from the user's personal identification data id , for example at the same time as the APP custom application ,. These confidential data serves, are intended to be transmitted to the mobile terminal TEL of the user Ui.
  • Each separate user Ui enrolling with the service provider therefore has confidential data serves, distinct from other users.
  • the copy of the APP custom application, on another mobile terminal than that of the user Ui is useless without the confidential data serves, generated by the AS server.
  • this encryption key is composed of at least a first key for the encryption key. Ui user and a second key for the AS authentication server.
  • the method continues with a step A5 of downloading the personalized application APP, in the mobile terminal of the Ui user.
  • This APP personalized application can be activated later by means of an activation PIN code if this activation option is chosen later.
  • the step A5 then comprises, not the download, but sending a download link pointing to the APP custom application, to the mobile terminal of the user Ui, after generation of this custom application.
  • Such a download link for example a URL
  • SMS Short Streaming Service
  • WiFi Wireless Fidelity
  • Bluetooth Wireless Fidelity
  • NFC Wireless Fidelity
  • This alternative embodiment allows the user to decide when to download.
  • the provision of the link by SMS allows an immediate process without needing to know the availability of the user and does not require a network coverage, unlike the direct download.
  • step A7 sending an activation PIN (generated in step A4) to the mobile terminal is performed.
  • This activation PIN ensures end-to-end authentication, without any initial flaws, from registration to service until later use, to certify that only the user Ui was able to perform these operations.
  • the sending of this activation PIN can be conditioned upon the verification, by the authentication server AS, of the identity of the user during a verification step A6 preceding such sending.
  • a verification can consist, for example, in sending to the authentication server AS an image of the user's identity card Ui, via a webcam of the user's computer or the sound camera. mobile terminal TEL, and the verification by the AS server that the data displayed on this image correspond to the user Ui.
  • the mobile terminal TEL has a link to download a personalized application capable of managing the authentication of the user Ui as well. than an activation PIN to activate such a custom application.
  • the SP server of the service provider stores the personal data of the user Ui, which are only known from this server SP to guarantee their confidentiality and, conversely, the authentication server AS is aware that internal identification data transmitted with the request of the service provider. This separation of data between different servers makes it possible to guarantee better resistance to attacks.
  • FIG. 2B illustrates a first embodiment of a system implementing the enrollment step A according to the principle of the present invention, as described above.
  • Such a system in addition to the elements already described in FIG. 1B, furthermore comprises an AS authentication server which will generate the personalized application and certain confidential data associated with the Ui user on request received from the SP server of the service provider. services.
  • AS authentication server which will generate the personalized application and certain confidential data associated with the Ui user on request received from the SP server of the service provider. services.
  • FIG. 2B the various exchanges made during the enrollment step described in FIG. 2A are illustrated.
  • AS authentication, substep A5 sending the download link of the personalized application to the mobile terminal and sub-step A6 sending the activation PIN of the personalized application to the mobile terminal are indicated.
  • the AS authentication server is separate from the SP server of the service provider.
  • This embodiment is particularly suitable for applications for which the service provider does not wish to manage transaction authentication himself and prefers to delegate this function to a third party operator.
  • FIG. 2C illustrates a second embodiment of a system implementing the enrollment step A according to the principle of the present invention, as described above.
  • Such a system differs from the system according to the first embodiment of FIG. 2B in that the authentication server AS corresponds to the SP server of the service provider. In other words, the same server is used both to perform the authentication and to provide a service.
  • Such a server can take the form of an SP server capable of providing a service on which the authentication functions necessary for the authentication steps described in the present application are installed in the form of complementary modules, for example in the form of modules. complementary software.
  • the authentication server AS customized to the authentication server AS
  • substep A5 sending the download link from the personalized application to the mobile terminal
  • This second embodiment is particularly suitable for applications for which the service provider wishes to manage itself the authentication of transactions, for reasons of security. This can for example be the case when the service provider is a banking operator for online transactions.
  • Figure 3A illustrates the substeps of step B of activating the custom application according to one embodiment of the present invention.
  • a first substep B1 the user Ui downloads the personalized application in his mobile terminal by means of the download link sent to him beforehand during the enrollment step A.
  • activation of the personalized application can then be performed during a substep B2, and this advantageously by means of a PIN code received in advance during the step A enrollment.
  • confidential data generated during the enrollment step A are also downloaded during a substep B3.
  • these confidential data may also include one or more private key (s) encryption, these keys then being used to encrypt the data subsequently exchanged between the server AS and the mobile terminal TEL, for example by means of a asymmetric encryption method.
  • s private key
  • This confidential data is stored securely both in the mobile terminal TEL and in the server AS, for example encrypted.
  • the confidential data stored in the AS authentication server are stored in HSM (Hardware Security Module in English) to avoid possible internal compromise in the operator operating the AS server.
  • HSM Hardware Security Module in English
  • the confidential data is encrypted before being stored in secure areas of the mobile terminal.
  • a substep B4 registration of the initial authentication of the mobile terminal is performed.
  • This substep B4 registration of the initial authentication legally guarantees that the authentication can not be delivered later, which would then weaken the legal value of the entire authentication process.
  • This initial authentication step can be carried out by sending a number of initial authentication data dinit of the mobile terminal of the user Ui to the authentication server AS.
  • the user Ui may be required to present a piece of identification to the camera of his mobile terminal.
  • the snapshot of this piece of identification, taken by this camera, is then encrypted and transmitted to the AS server where it is stored.
  • Such a process may be completely dematerialized or require human intervention to verify the identity of the user Ui.
  • FIG. 3B illustrates the system implementing step B of activation of the personalized application according to the principle of the present invention, as described above.
  • FIG. 3B the various exchanges made during the activation step described in FIG. 3A are illustrated.
  • the data streams corresponding to the sub-step of sending B1 for downloading the personalized application in the mobile terminal TEL, the substep B3 for downloading the confidential data in the mobile terminal TEL and the substep B4 registration of the initial authentication with the AS authentication server are indicated.
  • the SP server of the service provider and the PC computer of the user Ui are not affected by this activation step.
  • FIG. 4A illustrates the substeps of a second embodiment of "on-line" type of step E of generating the authorization code.
  • the authentication data can be transmitted directly to the AS server, as read by the mobile terminal, which simplifies and speeds up the processing at the mobile terminal.
  • the mobile terminal has the function of only reading the authentication data and all other processing is performed on the authentication server AS.
  • the authentication data item can be interpreted and processed at least partly in the mobile terminal in view of its transfer to the AS server.
  • the authentication data can be encrypted, for example with a method asymmetric encryption, before being transmitted to the AS server to prevent anyone from accessing this authentication data.
  • the entire authorization code generation process can be performed in the mobile terminal, in which case the authentication server AS serves only to perform functions unrelated to the generation of the authorization code, such as the storage of this code or the management of the traceability of the transactions made by the user.
  • a substep E3 authentication of the transaction required by the user can then be performed.
  • the authorization code cod itself, is then generated in the authentication server AS during a generation step E4.
  • this authorization code is transmitted (step E5 of transmission of the code) of the authentication server AS to the mobile terminal TEL, possibly in encrypted form by means of one or more key (s) generated (s). ) during step B of activation of the personalized application, to be displayed therein, possibly after having been signed by means of a secret code (or even of an identification data of the mobile terminal) before being encoded as an image.
  • the value of the generated authorization code makes it possible to certify that the authentication data has been understood and used to authenticate the user.
  • step F the authorization code read by the digital device of the user Ui (step F) and once the transactional data transmitted, with the authorization code entered, from the personal computer to the server of the service provider (step G), it is advantageous to carry out, after the actual transaction, a step of timestamping the transaction in order to keep a proof of the time and date on which the transaction was made.
  • a time stamp can be performed by the authentication server AS, in a traceability logic of the transaction.
  • FIG. 4B illustrates the system implementing the authentication method according to a first embodiment of "on-line" type where the authorization code is generated in an authentication server AS distinct from the server of the service provider.
  • step A the data flows corresponding to the enrollment steps (step A), sending an authentication data item (step C), reading this authentication data item (step D), entering the code authorization by the user's computer (step E) and transmission of the transaction to the server of the service provider (step G) are similar to those described in the "off-line" embodiment and illustrated on the Figure 1 B.
  • This first embodiment "on-line” is characterized in that the mobile terminal transfers the authentication data to the authentication server AS during the substep E1, the different substeps of identification of the user , authentication of the transaction and generation of the authorization code cod (substeps E2 to E4) then being performed in this authentication server AS before the authorization code cod, is transmitted to the mobile terminal when of the transmission sub-step E5.
  • the transaction can be time stamped by the SP server of the service provider, to serve as evidence available to the service provider if necessary.
  • the history of timestamped transactions is thus kept within the SP server of the service provider.
  • FIG. 4C illustrates the system implementing the authentication method according to a second embodiment of the "on-line" type where the authorization code is generated in the SP server of the service provider on which the authentication functionalities previously described have been installed.
  • FIG. 4C the different data streams described are similar to those described with reference to FIG. 4B, with the only difference that the authentication server AS and the service provider's server SP form one and the same managed entity. by the service provider.
  • This embodiment is particularly suitable for applications requiring an increased level of security, and in particular in the banking field where strict data confidentiality criteria apply, particularly in terms of data exchange between the transaction module and the data module. 'authentication.
  • this transaction can be time stamped by both the authentication module and the SP server itself, in order to serve as proof for the service provider if applicable. .
  • the history of timestamped transactions is thus kept within the SP server of the service provider.
  • the server SP can also keep in memory other traceability data such as the content of the transaction or the identifier of the user.
  • the authentication method described above makes it possible to withstand most, if not all, known and listed attacks in the context of an authentication and / or signature transaction on the Internet, which are intended to compromise the establishment of a communication between a client and a server and / or altering its operation, the list of which is given below:
  • Malware is an application used for fraudulent purposes. They can access a computer through vulnerabilities of its protection through social engineering. When the malware is running, it can usually take full control of the computer and for example steal the user's information and personal data, enable remote control of the computer, or perform actions. in the name of the user.
  • the only sensitive personal data is stored in secure space, with the server of the service provider, they are out of range of malware.
  • Keylogging attacks are carried out using parasitic programs called “keyloggers” that often spread through viruses, worms or spyware.
  • a keylogger's main function is to spy on all actions performed on the user's computer (typing, opening applications, moving files, etc.). Traces of these actions are stored in a specific location and then sent to a mailbox or website. Some of the most confidential data can be extracted without the knowledge of the user.
  • Some keyloggers are overly sophisticated and are able to select the most important information. They manage, when the user is on his online banking site for example, to identify and retrieve his bank codes. They can also know the content entered in his messages or know precisely what programs are requested by the user.
  • the personal data of the user Ui are neither stored nor used by the personalized application and the data enabling authentication thereof are for single use. Keylogging is therefore inefficient.
  • phishing During a phishing attack, otherwise known as phishing, the attacker uses an email or an instant messenger to lead the user to a website that appears to be trustworthy but is actually a true copy of the site. original and under his control.
  • the e-mail message such as the website can be for example an exact replica of an online banking site commonly visited by the user. He then believes that he is on a trustworthy site (for example, that of his bank) and enters his personal identification data such as his password, a one-time password or his number. credit card.
  • a "phishing" type attack possibly makes it possible to know the unique response to a given authentication datum. However, such a response could not be reused since the authentication data transmitted by the service provider is generated and changes each time.
  • the authentication data enables mutual authentication, which leads to the unveiling of the "fishing" site.
  • a "pharming" attack is a hacking technique exploiting vulnerabilities in the DNS server. This technique operates so that, for a DNS query targeting a particular domain name, it is not the real IP address of the domain name that is given but that of a fraudulent site.
  • the first type is achieved by modifying a local DNS server. Internet users requesting a domain name are directed to the IP address of a fraudulent server.
  • the second type is achieved by means of a malware reconfiguring the network settings of the infected computer hardware, whether it is a workstation or a router. This reconfiguration acts in such a way that the user is redirected, for predetermined domain names, to the IP address of a fraudulent server.
  • attacks of the "pharming" or "whaling" type may make it possible to know the unique response to a given authentication datum.
  • a such a response could not be reused since the authentication data transmitted by the service provider is generated and changes each time.
  • the man-in-the-middle attack is an attack scenario in which an attacker (the "man in the middle” or “man-in-the-middle” attack) "attacker") listens to a communication between two interlocutors and falsifies the exchanges between the client and the host in order to pretend to be one of the parties.
  • This attack involves three protagonists: the client, the server and the attacker.
  • the goal of the attacker is to pretend to be the client with the server and pose as the server to the client. He becomes the man of the middle. This makes it possible to monitor all network traffic between the client and the server, and modify it as much as you like to obtain information such as passwords, system access, and so on.
  • a MiTM attack between the Ui user and the service provider's SP server may allow the authorization code to be intercepted, but the authorization code is single-use and therefore not reusable.
  • MitB intercepts act between the client and its browser.
  • MitB An attack by MitB is designed by installing malicious software (i.e. malware) on the client's computer.
  • malicious software i.e. malware
  • the goal is to allow the attacker to control all unsecured applications and devices connected to the user's computer.
  • the usurpers then use this information to perform one or more transactions by simulating the identity of the defrauded person. For example, a fraudster may make phone calls or make major purchases and direct charges to the defrauded person, and may also withdraw money from that person's bank account.
  • the personal data of the user is not used during the authentication process.
  • An attack of type "ID Theft" is therefore inoperative.
  • a attack of the type "ID Theft” is inoperative because the personal data of the user are not used during the authentication process.
  • the attacker could use personal data obtained on the online commerce channel to connect to the online bank. Therefore, it becomes necessary to proceed to a separation of domains to guard against this type of attack.
  • the confidential data is specific to the service provider, drastically reducing cross-channel attack capabilities.
  • this attack consists of a transaction during which the card is not present on the merchant's site. This includes so-called internet orders, telephone and e-mail, more commonly known as Mail Order / Telephone Order (MoTo).
  • MoTo Mail Order / Telephone Order
  • the present invention also relates to an authentication server AS comprises a receiving module arranged to receive the authentication data of the th and at least one internal identification data d in t from the server SP of the service provider, computing means arranged to generate a cod authorization code, based on the received authentication data and at least one of the received internal identification data, and a transmission module arranged to transmit the code authorization code, generated to the mobile terminal TEL.
  • Such an authentication server AS can be used in the "on-line" embodiment as described in FIG. 4B, in which the authentication functionality of the transaction, by means of the authentication data aut h , is performed in a separate server from the service provider.
  • the present invention also relates to a system for authenticating a user requesting a transaction from a service provider comprising an SCN screen arranged to display an authentication data item received from the service provider, a mobile terminal TEL having access control means. entering the authentication data displayed on the screen and arranged to return a specific authorization code to the user and the required transaction, and PC input means for sending the authorization code to the service provider; service to authenticate the user.
  • This system is for example described in Figure 1 B.
  • this system involves an authentication server as described above.
  • system further comprises the SP server of the service provider, the server being arranged to provide the service required by the user, and comprising a receiving module arranged to receive at least one personal data of the user and the authorization code issued by the user, computing means arranged to generate at least one internal identification data from at least one of the personal data received, and a transmission module arranged for send the generated internal identification data to the AS authentication server.
  • SP server of the service provider the server being arranged to provide the service required by the user, and comprising a receiving module arranged to receive at least one personal data of the user and the authorization code issued by the user, computing means arranged to generate at least one internal identification data from at least one of the personal data received, and a transmission module arranged for send the generated internal identification data to the AS authentication server.
  • Such a service providing server SP can be used in the "on-line" embodiment as described in FIG. 4B, in which the service provisioning functionality is performed in a server separate from that performing the authentication of the service provider. the transaction.
  • service provider previously used covers any operator capable of providing a service in which a transaction is performed.
  • a supplier may be, for example, purely illustrative, a banking operator, an online gaming operator, a telecommunications operator, a rental company for vehicles or bicycles, etc.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Telephonic Communication Services (AREA)
EP11723560A 2010-05-06 2011-05-04 Verfahren zur authentifizierung eines benutzers bei der anfrage einer transaktion mit einem dienstanbieter Withdrawn EP2567502A2 (de)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
FR1053523A FR2959896B1 (fr) 2010-05-06 2010-05-06 Procede d'authentification d'un utilisateur requerant une transaction avec un fournisseur de service
PCT/FR2011/051008 WO2011138558A2 (fr) 2010-05-06 2011-05-04 Procede d'authentification d'un utilisateur requerant une transaction avec un fournisseur de service

Publications (1)

Publication Number Publication Date
EP2567502A2 true EP2567502A2 (de) 2013-03-13

Family

ID=43533165

Family Applications (1)

Application Number Title Priority Date Filing Date
EP11723560A Withdrawn EP2567502A2 (de) 2010-05-06 2011-05-04 Verfahren zur authentifizierung eines benutzers bei der anfrage einer transaktion mit einem dienstanbieter

Country Status (7)

Country Link
US (1) US9038196B2 (de)
EP (1) EP2567502A2 (de)
CN (1) CN103109494A (de)
FR (1) FR2959896B1 (de)
RU (1) RU2012152466A (de)
SG (1) SG185449A1 (de)
WO (1) WO2011138558A2 (de)

Families Citing this family (47)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10581834B2 (en) * 2009-11-02 2020-03-03 Early Warning Services, Llc Enhancing transaction authentication with privacy and security enhanced internet geolocation and proximity
US8806592B2 (en) 2011-01-21 2014-08-12 Authentify, Inc. Method for secure user and transaction authentication and risk management
US10587683B1 (en) 2012-11-05 2020-03-10 Early Warning Services, Llc Proximity in privacy and security enhanced internet geolocation
US9667823B2 (en) * 2011-05-12 2017-05-30 Moon J. Kim Time-varying barcode in an active display
US8752208B2 (en) * 2011-05-13 2014-06-10 Imperva Inc. Detecting web browser based attacks using browser digest compute tests launched from a remote source
US9106632B2 (en) * 2011-05-26 2015-08-11 First Data Corporation Provisioning by delivered items
FR2978891B1 (fr) * 2011-08-05 2013-08-09 Banque Accord Procede, serveur et systeme d'authentification d'une personne
KR101137523B1 (ko) * 2011-09-26 2012-04-20 유승훈 인증매체, 인증단말, 인증서버 및 이들을 이용한 인증방법
GB201106976D0 (en) * 2011-10-03 2011-10-03 Corcost Ltd Corcost-SG002
CN103975615B (zh) * 2011-12-16 2019-09-03 英特尔公司 用自动生成的登录信息经由近场通信登录
US9210146B2 (en) * 2012-02-18 2015-12-08 Daniel S. Shimshoni Secure content transfer using dynamically generated optical machine readable codes
CN103379491A (zh) * 2012-04-12 2013-10-30 中兴通讯股份有限公司 用于密码验证的用户终端、密码交易终端、系统和方法
FR2996187B1 (fr) 2012-10-02 2014-09-05 Renault Sa Systeme de gestion d'un vehicule et son procede associe
CN104063789B (zh) * 2013-03-18 2016-04-20 财付通支付科技有限公司 一种对处理对象进行处理的方法、装置及系统
TWI505128B (zh) * 2013-03-20 2015-10-21 Chunghwa Telecom Co Ltd Method and System of Intelligent Component Library Management
FR3007167A1 (fr) * 2013-06-14 2014-12-19 France Telecom Procede d'authentification d'un terminal par une passerelle d'un reseau interne protege par une entite de securisation des acces
US10425407B2 (en) * 2013-07-28 2019-09-24 Eli Talmor Secure transaction and access using insecure device
US20150040203A1 (en) * 2013-08-01 2015-02-05 Huawei Technologies Co., Ltd. Authentication method of wearable device and wearable device
US9160742B1 (en) * 2013-09-27 2015-10-13 Emc Corporation Localized risk analytics for user authentication
US9734694B2 (en) * 2013-10-04 2017-08-15 Sol Mingso Li Systems and methods for programming, controlling and monitoring wireless networks
JP6170844B2 (ja) * 2014-02-14 2017-07-26 株式会社Nttドコモ 認証情報管理システム
US10057240B2 (en) * 2014-08-25 2018-08-21 Sap Se Single sign-on to web applications from mobile devices
EP2998896A1 (de) * 2014-09-17 2016-03-23 Gemalto Sa Authentifizierungsverfahren eines Benutzers, entsprechende Endgeräte und entsprechendes Authentifizierungssystem
DE102014015814B4 (de) * 2014-10-24 2016-05-04 Unify Gmbh & Co. Kg Verfahren zum Authentifizieren eines Benutzergeräts bei der Anmeldung an einem Server
CN104361267B (zh) * 2014-11-19 2017-11-07 厦门海迈科技股份有限公司 基于非对称加密算法的软件授权与保护装置及方法
US9619636B2 (en) * 2015-02-06 2017-04-11 Qualcomm Incorporated Apparatuses and methods for secure display on secondary display device
US11526885B2 (en) * 2015-03-04 2022-12-13 Trusona, Inc. Systems and methods for user identification using graphical barcode and payment card authentication read data
WO2016153431A1 (en) * 2015-03-26 2016-09-29 Einnovations Holdings Pte. Ltd. System and method for facilitating remittance
CN104917766B (zh) * 2015-06-10 2018-01-05 飞天诚信科技股份有限公司 一种二维码安全认证方法
FR3039948B1 (fr) * 2015-08-04 2017-08-11 Skeyecode Procede de securisation d’une transaction a partir d’un terminal non securise
TWI603222B (zh) * 2015-08-06 2017-10-21 Chunghwa Telecom Co Ltd Trusted service opening method, system, device and computer program product on the internet
US9602284B1 (en) * 2015-09-11 2017-03-21 Bank Of America Corporation Secure offline authentication
US10084782B2 (en) 2015-09-21 2018-09-25 Early Warning Services, Llc Authenticator centralization and protection
US9800580B2 (en) * 2015-11-16 2017-10-24 Mastercard International Incorporated Systems and methods for authenticating an online user using a secure authorization server
US10503890B2 (en) * 2016-02-16 2019-12-10 Arizona Board Of Regents On Behalf Of Northern Arizona University Authentication of images extracted from unclonable objects
US10091007B2 (en) * 2016-04-04 2018-10-02 Mastercard International Incorporated Systems and methods for device to device authentication
US10887113B2 (en) 2016-09-13 2021-01-05 Queralt, Inc. Mobile authentication interoperability for digital certificates
US10771451B2 (en) 2016-09-13 2020-09-08 Queralt, Inc. Mobile authentication and registration for digital certificates
US11431509B2 (en) 2016-09-13 2022-08-30 Queralt, Inc. Bridging digital identity validation and verification with the FIDO authentication framework
US11093940B2 (en) 2016-10-13 2021-08-17 Mastercard International Incorporated Systems and methods for authenticating a user using private network credentials
FR3060818A1 (fr) * 2016-12-19 2018-06-22 Orange Securisation de transaction
US11233634B1 (en) 2017-06-23 2022-01-25 Wells Fargo Bank, N.A. Systems and methods for network authentication with a shared secret
SE542213C2 (en) * 2017-07-21 2020-03-10 Identitrade Ab Method and system for creating a strong authentication for a user using a portable electronic device
NL2019698B1 (en) * 2017-10-10 2019-04-19 Morpho Bv Authentication of a person using a virtual identity card
WO2019081038A1 (en) * 2017-10-27 2019-05-02 Telefonaktiebolaget Lm Ericsson (Publ) REMOTE SUPPLY OF PERSONALIZED PIN / PUK PIN
CN111597539B (zh) * 2020-04-23 2023-04-25 维沃移动通信有限公司 一种身份认证方法、身份认证装置及电子设备
CN114898510A (zh) * 2022-05-11 2022-08-12 中国矿业大学 一种金融密码获取方法、系统、金融设备及可存储介质

Family Cites Families (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
AU5488301A (en) 2000-04-19 2001-08-14 Magicaxess Electronic payment method and device
US7114178B2 (en) * 2001-05-22 2006-09-26 Ericsson Inc. Security system
FR2852471A1 (fr) * 2003-03-13 2004-09-17 France Telecom Dispositif d'authentification du type utilisant un mot de passe a usage unique et dispositif generateur de mot de passe associe
US7578436B1 (en) * 2004-11-08 2009-08-25 Pisafe, Inc. Method and apparatus for providing secure document distribution
US20090293112A1 (en) 2004-12-03 2009-11-26 Stephen James Moore On-line generation and authentication of items
JP4693171B2 (ja) 2006-03-17 2011-06-01 株式会社日立ソリューションズ 認証システム
US8024576B2 (en) * 2008-03-31 2011-09-20 International Business Machines Corporation Method and system for authenticating users with a one time password using an image reader
US20110026716A1 (en) 2008-05-02 2011-02-03 Weng Sing Tang Method And System For On-Screen Authentication Using Secret Visual Message
CN101436280B (zh) 2008-12-15 2012-09-05 北京华大智宝电子系统有限公司 实现移动终端电子支付的方法及系统
FR2944400B1 (fr) * 2009-04-10 2013-01-18 Lynkware Procede d'authentification aupres d'un serveur par un utilisateur d'un appareil mobile

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See references of WO2011138558A2 *

Also Published As

Publication number Publication date
FR2959896A1 (fr) 2011-11-11
WO2011138558A2 (fr) 2011-11-10
WO2011138558A3 (fr) 2012-07-12
US20130133086A1 (en) 2013-05-23
US9038196B2 (en) 2015-05-19
SG185449A1 (en) 2012-12-28
FR2959896B1 (fr) 2014-03-21
CN103109494A (zh) 2013-05-15
RU2012152466A (ru) 2014-06-20

Similar Documents

Publication Publication Date Title
WO2011138558A2 (fr) Procede d'authentification d'un utilisateur requerant une transaction avec un fournisseur de service
US20200404019A1 (en) Mutual authentication security system with detection and mitigation of active man-in-the-middle browser attacks, phishing, and malware and other security improvements
EP3138265B1 (de) Verbesserte sicherheit zur registrierung von authentifizierungsvorrichtungen
EP2619941B1 (de) Verfahren, server und system zur authentifizierung einer person
EP2614458B1 (de) Authentifizierungsverfahren zum zugang auf eine webseite
EP1253564A2 (de) Verfahren und Vorrichtung für elektronische Bezahlung
EP1282288A1 (de) Verfahren und System zur Authentifizierung
US20230091318A1 (en) System and method for pre-registration of fido authenticators
EP3923542A1 (de) It-vorrichtung und verfahren zur authentifizierung eines benutzers
Herzberg et al. Protecting (even) Naive Web Users, or: preventing spoofing and establishing credentials of web sites
US20090177892A1 (en) Proximity authentication
EP2509025A1 (de) Zugriffsverfahren auf eine geschützte Quelle einer gesicherten persönlichen Vorrichtung
EP2568406B1 (de) Verfahren zur Verwendung von kryptografischen Daten eines Benutzers, die in einer Datenbank gespeichert sind, von einem Endgerät aus
US20090271629A1 (en) Wireless pairing ceremony
EP3350973B1 (de) Verfahren zur website-authentifizierung und zur sicherung des zugangs zu einer website
EP3673633B1 (de) Verfahren zur authentifizierung eines benutzers mit einem authentifizierungsserver
Drake et al. Designing a User-Experience-First, Privacy-Respectful, high-security mutual-multifactor authentication solution
WO2007113669A1 (fr) Securisation de transactions electroniques sur un reseau ouvert
EP3570518B1 (de) Authentifizierungssystem und -verfahren, das ein token zur einmaligen verwendung mit begrenzter lebensdauer verwendet
Saini Comparative Analysis of Top 5, 2-Factor Authentication Solutions
WO2017005644A1 (fr) Procédé et système de contrôle d'accès à un service via un média mobile sans intermediaire de confiance
Mannan Authentication and securing personal information in an untrusted internet
Solanki et al. Implementation of an anti-phishing technique for secure login using usb (iatslu)
Gurung Data Authentication Principles for Online Transactions
FR2823929A1 (fr) Procede et dispositif d'authentification

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20121105

AK Designated contracting states

Kind code of ref document: A2

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

DAX Request for extension of the european patent (deleted)
REG Reference to a national code

Ref country code: HK

Ref legal event code: DE

Ref document number: 1181569

Country of ref document: HK

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20161201

REG Reference to a national code

Ref country code: HK

Ref legal event code: WD

Ref document number: 1181569

Country of ref document: HK