GB2504746A

GB2504746A - Matrix Pattern Authentication (MPA) using a divided authentication code

Info

Publication number: GB2504746A
Application number: GB1214201.4A
Authority: GB
Inventors: Steven Jonathan Brittan; Radouane Oudrhiri
Original assignee: Individual
Current assignee: Individual
Priority date: 2012-08-08
Filing date: 2012-08-08
Publication date: 2014-02-12
Also published as: GB201214201D0

Abstract

The invention relates to a method of processing an authentication code (e.g. memorable identification pattern (MIP)) of a user (U), comprises the steps of: obtaining an authentication code of a user, the authentication code comprising a plurality of unique elements, dividing the authentication code into at least two authentication segments each forming a subset of the elements of the authentication code; encoding (e.g. using a one-way hash (SHA-2))) each of the authentication segments so that the authentication segments cannot be retrieved from the encoded authentication segments; and storing the encoded authentication segments for use in a validation in at least one record of a database, wherein the encoded authentication segments are stored in different and independent records in the database. The method also includes generating candidate identification patterns corresponding to at least one portion of a challenge code (OTC). The authentication segments may be chained. The segments may overlap partially and may have different lengths.

Description

Method and system of processing an authentication code The present invention relates to a method and system of processing an authentication code and to parts thereof, particularly but not exclusively in Matrix Pattern Authentication or equivalents or derivatives thereof. Certain aspects of the invention described may be applied to any form of secret information other than Matrix Pattern Authentication, where safeguarding the secret information is important; including passwords, passcodes, and personal information, including biometric information. The invention has particular although not exclusive relevance to personal authentication as an alternative to passwords and Personal Identification Numbers for computerized systems, embedded systems (e.g. for authentication/unlocking to computers and mobile devices), online identification or credit card payment, or any other authentication/unlocking process to any other device or process.

Authentication is a process by which a user validates that they are legitimate, and may access, e.g. a secure service or transaction, protected by an authentication scheme. Matrix Pattern Authentication (MPA) is a generic term describing a form of known authentication which is an alternative to passwords and Personal Identification Numbers (PIN).

Figures 1A and lB show matrices 100 used in a MPA, and comprising elements 101.

In the case of Figure 1A, the matrix 100 is a square pattern of 25 elements 101, and in the case of Figure lB the matrix 100 is a line (i.e. a linear matrix) of 12 elements 101. Figures 2A and 2B show that each matrix 100 is a basic template which a human user employs in order to select a memorable identification pattern (MIF) shown as arrowed and colored. It should be understood that other sizes of matrices and other form factors are possible, depending on the level of security required, and how easy it needs to be for a human user to recall their MIP.

In the context of MPA, the term entropy refers to the degree of variability that a given MPA design will afford humans in their selection of their MIP. Thus a grid, say 25 elements in a 5x5 matrix as in Figure 1A, may be used. It a user was to select a MIP of five elements from the matrix, one could theoretically calculate that there would be 25A5 = 9,765,625 unique possible combinations for any individual MIP.

Figures 3A and 3B show that, in an authentication operation, a challenge matrix 200 is generated by an authentication system and presented to the user. The challenge matrix 200 is populated with a randomized set of signs, such as numbers, letters, or other logos. In the case of Figure 3A, the matrix 200 is a square pattern of 25 elements 201, with numbers 1, 2, 3, 4 and 5, and in the case of Figure 3B, the matrix 200 is a linear matrix of 12 elements 201, with letters A, B, C, D, E and F. The user then enters, in a dedicated space of an interface, separate from the matrix 200, the signs corresponding to their secret MIP and which appear in the matrix elements 201, in the correct order in which the signs appear in their MIP. In the case of Figure 3A, the user would enter the code "1, 2, 3, 4, 5", and in the case of Figure 3B, the user would enter the code "BFCE".

The MIF is only known to the user, and it is critical that the pattern is never divulged.

For effective security, it is essential that the signs presented in a challenge matrix for an authentication operation are in some way randomized at each authentication operation. Thus the code entered by the user has the desirable property that the code changes on each authentication operation -this is denoted by the term one-time code (OTC). Further, it is an essential feature of all matrix pattern authentication approaches that each sign in a matrix is repeated more than once, and preferably many times. This is to ensure that when a user enters their OTC, their secret MIP is not divulged. In the case of Figure 3A, with 25 elements, it each sign is repeated five times, each number entered by the user corresponds to five possible different positions in the matrix. Consequently, the code "1, 2, 3, 4, 5" corresponds to 3125 possible different patterns. In the case of Figure 3B, with the 12 element matrix, each letter corresponds to two possible positions in the matrix. Consequently, a tour element code could represent 16 possible patterns. It is clear that the 25 element matrix, with a five element code and five unique signs is much more secure than the 12 element case.

Furthermore, any authentication system based upon a MIP keeps the pattern secret, in order to prevent hackers from gaining valuable information. Security of MPA technology is essential for their use, e.g. in any online system, especially in the case of financial transactions, access to personal data, etc. Consequently a method of storing sensitive information, particularly the user's MIP, must be employed.

The MIP is therefore usually encoded, in general by hashing. There are many public domain encoding algorithms available. The most appropriate algorithms employ a technique known as "one-way cryptographic hashing". This means that the sensitive information, in this case the MIP, once passed through a one-way hashing function, cannot be reversed. The sensitive information is encoded, and it is highly unlikely that anyone can retrieve the sensitive information. This means that even if a database with the encoded information is stolen, it would still be difficult to retrieve the sensitive information. Standard hashing algorithms (e.g. from the family SHA-2, such as SHA-256) and inclusion of at least one long salt should be applied to maximize the effectiveness of any encoding approach by hashing, and represents standard known best practice.

Typically, in MPA technology, each element 101 in the matrix 100 is given a unique symbol, in order to represent the position of the element 101 within the matrix 100.

Figure 4 shows a numeric indexing approach which is often utilized. For example, in the case of the 25 element matrix 100 of Figure 1A, the elements might be numbered. In the example of Figure 2A, the MIP would be represented by the code "e6, e22, e13, e4, elO".

Figure 5 shows schematically that, in a known processing of the MIP, when a user U selects in Si their MIP, once they have confirmed the selection, the code representing their pattern is usually encoded using a one-way hashing function, in Sli, prior to being stored in S13 on a secure database 11, e.g. as a record.

Preferably, the system will retain any non-coded record of the MIP in a volatile memory which will be immediately discarded after processing such as encoding.

This has the desirable property that the only place where a not encoded record of the MIP is stored is in the user's mind.

The known MPA technology has however drawbacks or deficiencies.

Both the entropy of a five element MIP provided by a 5x5 matrix 100, as in Figure 1A (i.e. 9,765,625 possible MIPs), and the possible different patterns provided by a challenge matrix 200, as in Figure 3A (3125 possible different challenge patterns), may appear to be a lot.

However, the known MPA technology does not provide, in fact, enough entropy in order to allow people to select sufficiently different MIPs from one another. In large scale, i.e. with many users, insufficient entropy becomes a major problem, resulting in many instances of users selecting similar or identical patterns. This effect makes known MPA technology vulnerable to intelligent guessing by a hacker. This in fact is a known vulnerability of PIN based systems, and also password systems, which maybe easily guessed by applying certain, obvious combinations, such as dates.

Also the examples of Figures 2A and 2B are substantially less secure than a conventional four-digit PIN technology, because the probability of guessing a correct MIP from an OTC is higher than guessing a conventional four-digit PIN, i.e. higher than 1110000 (with 10000=1 0). They are therefore not desirable.

However, simply augmenting the length of the MIP is not a solution because a significant issue arises, as explained below.

Consider an example, with a six element MIP and a 36 element matrix 200 with six unique signs (i.e. 1, 2, 3, 4, 5 and 6), each repeated six times. An OTC entered by the user only ambiguously describes the MIP, as each digit of the OTC entered by the user represents six possible element positions on a challenge matrix 200.

Therefore, in fact, any single six digit OTC describes 6A6 = 46,656 possible MIPs.

Only one of these is correct, but an authentication engine has no a priori knowledge as to which of these is the right one, because of the one-way hashing. An authentication engine needs therefore to generate all of the potentially-valid MIP combinations represented by the entered OTC and, in a similar manner as is explained in reference to Figure 5, each of these potentially-valid MIP combinations needs to be passed through the same encoding using the cryptographic one-way hashing function (as in Si i), as the original MIP, prior to comparison with the encoded representation of the user's MIF stored in the database 11. Such repeated generations by encoding and comparisons need to continue until a match is found. It is only at this point that a positive authentication could be confirmed. The number of iterations required is random, albeit with a flat distribution. As a minimum, one iteration is required, as a maximum 46,656 iterations are required, in our example.

Therefore on average 23,328 such iterations, comprising generation and comparison, will be required for a positive authentication. is

An even more undesirable property of simply only augmenting the length of the MIF is that, in the case of an incorrect OTC being entered by the user, the authentication system always has to perform the maximum number of iterations, in order to ensure that all possible valid combinations are examined, before eventually actually rejecting the authentication request.

Whilst this processing overhead might be acceptable in any one individual authentication event, it is completely unacceptable in any multi-user implementation of a MPA system, of significant scale, as is typical. It is estimated that using the strong encoding algorithms that are necessary to defend against hackers (e.g. SHA- 2), each individual encoding on an OTC takes between O.ims and ims on state of the art computer servers. Using 0.2ms as a representative processing speed, and continuing with our example, an average authentication request would take between to iO seconds to approve, in the case of a valid one-time code being entered. In the case of an incorrect OTC being entered, the time taken to produce a rejection of an authentication request will always be approximately 10 seconds (i.e. 46,656 x 0.2ms). In addition some secure system require to hash the MIP and/or password multiple times, which will further increase the processing time.

A further, significant problem is that this long processing time makes an authentication server acutely vulnerable to attack by bombardment of multiple authentication requests leading to a denial of service, which is a technique which is widely known to hackers.

Table 1 demonstrates how the number of iterations required for authentication increases geometrically with the number of elements (or length) of the MIP. In Table 1, a square form factor exemplary matrix 100 is used, for convenience. However, the same geometric increase in processing would be required for any form of MPA implementation or arrangement.

Number Length Number of Number of Average / Max of of MIP unique possible MIP for authentication time for a elements signs in each OTC time of 0.2ms for each in MIP challenge iteration matrix matrix (s) (rejection timerMax authentication time) 36 (6x6) 6 6 6A6 = 46,656 5/10 36 (6x6) 7 6 7A6=117,649 12/24 49 (7x7) 7 7 7A7 = 823,543 82/1 65 64 (8x8) 8 8 8'8r16,777,216 16,68/3,355

Table 1

Table 1 shows that MPA technology using six element MIP is practically unrealizable, although MPA technology with 5x5 matrices does not provide sufficient entropy, and MPA technology using five element MIP does not provide enough security compared to a 4-digit PIN.

Aspects of the invention address or at least ameliorate at least one of the above issues.

According to one aspect, the invention provides a method of processing an authentication code of a user, comprising the steps of: obtaining an authentication code of a user, the authentication code comprising a plurality of unique elements, dividing the authentication code into at least two authentication segments each forming a subset of the elements of the authentication code; encoding each of the authentication segments so that the authentication segments cannot be retrieved from the encoded authentication segments; and storing the encoded authentication segments independently, preferably wherein the encoded authentication segments are stored in different and independent records in the database.

The method may further comprise the steps of: obtaining a challenge code from the user, the challenge code only ambiguously describing the authentication code as being a subset of duplicated signs, only some of the duplicated signs corresponding to the unique elements of the authentication code, dividing the challenge code into at least two portions, each corresponding to an authentication segment respectively; generating candidate identification patterns corresponding to at least one portion of the challenge code, wherein generating candidate identification patterns comprises associating the signs of the challenge code with some unique elements of the authentication code; encoding each of the candidate identification patterns with the same encoding used for the authentication segments; and validating the at least one portion of the challenge code it at least one encoded candidate identification pattern matches a corresponding encoded authentication segment; and validating the challenge code only if each portion of the challenge code corresponding to an authentication segments is validated.

The authentication segments may be chained. Encoding each of the authentication segments may use a one-way hashing function using a salt, and a previous authentication segment may be stored in a first record of the database, and a current salt, used for encoding a current segment stored in a second record of the database, may be stored in the first record of the database along with the previous authentication segment, so that the previous authentication segment needs to be previously validated so that the current segment can be validated.

According to another aspect, the invention provides a method of processing an authentication code of a user, comprising the steps of: obtaining an authentication code of a user, the authentication code comprising a plurality of unique elements, dividing the authentication code into at least two authentication segments each forming a subset of the elements of the authentication code; encoding each of the authentication segments so that the authentication segments cannot be retrieved from the encoded authentication segments; and storing the encoded authentication segments for use in a validation in at least one record of a database; wherein encoding each of the authentication segments uses a one-way hashing function using a salt, and wherein the authentication segments are chained such that a previous authentication segment is stored in a first record of the database, and a current salt, used for encoding a current segment stored in a second record of the database, is stored in the first record of the database along with the previous authentication segment, so that the previous authentication segment needs to be previously validated so that the current segment can be validated.

The segments may overlap at least partially, thereby presenting some redundancy of elements between each other. The segments may have different lengths compared to each other. The first segment may be longer than the other following segments.

The elements of the authentication code may be associated with symbols, and a randomly generated set of codes may be assigned to each symbol for at least one segment, and each randomly generated set of codes may be stored in a record of the database.

For each authentication segment, a different randomly generated set of codes may be assigned to each symbol, so that the authentication segments each comprise respectively at least one element corresponding to different set of codes. Each randomly generated set of codes, and the corresponding encoded segments may be stored as different uncorrelated records in the database.

The obtained authentication code may be discarded as soon as the encoded authentication segments are stored.

The module may store at least a first part of the authentication segments on the device, and the module may store at least a second part of the authentication segments on the database.

A record of the challenge arrangement may be stored in the database and in the device. The device may perform locally at least partially generating candidate identification patterns corresponding to at least one portion of the challenge code, wherein generating candidate identification patterns may comprise associating the signs of the challenge code with some unique elements of the authentication code, using the record of the challenge arrangement stored in the device. An authentication engine may perform remotely from the device at least partially generating candidate identification patterns corresponding to at least one portion of the challenge code, wherein generating candidate identification patterns comprises associating the signs of the challenge code with some unique elements of the -10-authentication code, using the record of the challenge arrangement stored in the database.

According to another aspect, the invention provides a system comprising means adapted for: obtaining an authentication code of a user, the authentication code comprising a plurality of unique elements, dividing the authentication code into at least two authentication segments each forming a subset of the elements of the authentication code; encoding each of the authentication segments so that the authentication segments cannot be retrieved from the encoded authentication segments; and storing the encoded authentication segments for use in a validation in at least one record of a database, wherein the at least two authentication segments are stored in different and independent records in the database.

According to another aspect, the invention provides a system comprising means adapted for: obtaining an authentication code of a user, the authentication code comprising a plurality of unique elements, dividing the authentication code into at least two authentication segments each forming a subset of the elements of the authentication code; encoding each of the authentication segments so that the authentication segments cannot be retrieved from the encoded authentication segments; and storing the encoded authentication segments for use in a validation in at least one record of a database; wherein encoding each of the authentication segments uses a one-way hashing tunction using a salt, and wherein the authentication segments are chained such that a previous authentication segment is stored in a first record of the database, and -11-a current salt, used for encoding a current segment stored in a second record of the database, is stored in the first record of the database along with the previous authentication segment, so that the previous authentication segment needs to be previously validated so that the current segment can be validated.

Aspects of the invention extend to computer program products such as computer readable storage media having instructions stored thereon which are operable to program a programmable processor to carry out a method as described in the aspects and possibilities set out above or recited in the claims and/or to program a suitably adapted computer to provide the system recited in any of the claims.

The invention has advantages over the prior art.

The invention dramatically reduces the processing requirements for authentication, whilst still achieving acceptable security.

Therefore the invention is entirely scalable to large dimension matrices or arrangements with any form factor, particularly although not exclusively where the number of elements in the array is greater than 30, and is also entirely scalable to long MIPs.

The invention enables the use of large square matrices which possess significantly greater entropy compared to known 5x5 matrices. For example, a 36 element (6 x 6) array has 2.1 billion potential combinations with a choice of six elements to make up a MIF.

The invention also enables the use of MIP having a length of at least 6 elements, and therefore ensures that the probability of randomly guessing a MIP from an OTC at authentication is lower than the probability of randomly guess a classic four digit PIN (10,000:1). For example, with a choice of six signs each repeated six times in a -12 -challenge matrix, the probability of guessing the MIP in the random is 1/46,656 (46,656 = 6A6).

Consequently the invention provides a MPA technology which has superior and sufficient entropy compared to the prior art, and also has superior and sufficient resistance to guessing an MIP compared to the prior art.

In some aspects of the invention, a higher security than the prior art is achieved, based on the separation of the segments of the MIP in different independent records and on their chained relationship, e.g. a current segment cannot be validated if the previous segment is not validated.

In some aspects, a first part of the encoded segments is stored on the device of the user, and a second part is stored on a remote database of the system, enhancing security.

Additionally or alternatively, the identification of the device on which the challenge code is entered can also be taken into account, providing a two-factor system.

Further, a biometric data, such as the voice of the user, can also be taken into account in the authentication operation, providing a three-factor system.

The invention has advantages in both online security context and offline security context.

In the context of online security, the invention has the advantage of a short processing time, which constitutes acceptable security because the system of the invention is not vulnerable to attacks from hackers by bombardment of multiple authentication requests, and therefore does not lead to a denial of service.

In the context of offline security, the invention has the advantage of a long hashing processing time, which means that even if a hacker steals the database storing the tables of records of the segments, the database would still be hard and long to -13 -process. If the segments are preferably chained, the hacker would further need to cross each table with itself to find a potential next segment. Preferably at least some of the records are anonymised in such a way that it is not possible to directly relate the record with any particular user identification and the hashing time is multiplied by the number of records in each table.

In some aspects, the segments overlap, and a database storing the tables of records of the segments have more segments than necessary, or even dummy records. In the context of offline security, the invention has therefore the advantages of making the database bigger and therefore longer to process for a hacker.

In some aspects, the segments have different lengths and have redundancy between each other. In the context of offline security, the invention has therefore the advantages of making the database harder to process for a hacker, because it is hard to know both the length of the segments and the correspondence between the patterns of segments and/or the users. In some aspects, the first segment of a chain is longer than the other chained segments. The first segment takes therefore more time to decode, which is advantageous in the context of offline security, and not detrimental in the context of online security, because the invention has then the advantage that the following shorter segments have a shorter processing time, because they comprise at least a part of a previous decoded segment which can be used for validation of the current segment.

Embodiments of the invention will now be described, by way of example, with reference to the accompanying drawings in which: Figures 1A and 1B, already discussed, schematically illustrate MFA matrices; Figures 2A and 2B, already discussed, schematically illustrate MIP in the MPA matrices of Figures 1A and 1 B, respectively; Figures 3A and 3B, already discussed, schematically illustrate challenge matrices corresponding to the MPA matrices of Figures 1A and 1B, respectively; Figure 4, already discussed, schematically illustrates an exemplary indexing of the MPA matrix of Figure 1A; -14 -Figure 5, already discussed, schematically illustrates an exemplary encoding of a MIP; Figure 6 schematically illustrates an authentication system, comprising a processing module and an authentication engine; Figure 7 is a diagram illustrating an exemplary method performed by the authentication system of Figure 6; Figure 8 schematically illustrates an exemplary dividing of a MIP performed by the authentication system of Figure 6; Figure 9 schematically illustrates exemplary steps of the dividing of Figure 8; Figure 10 schematically illustrates a possible generation of codes performed by the authentication system of Figure 6; Figure 11 schematically illustrates exemplary steps of the generation of Figure 10; Figure 12 schematically illustrates an exemplary storing performed by the authentication system of Figure 6; Figure 13 schematically illustrates exemplary steps of the storing of Figure 12; Figures 14 and 15 schematically illustrate an exemplary authentication method performed by the authentication system of Figure 6; and Figure 16 schematically illustrates exemplary steps of the method of Figures 14 and 15; Figure 17 schematically illustrates a two-factor authentication system, comprising a processing module and an authentication engine; Figure 18 is a diagram illustrating an exemplary method performed by the authentication system of Figure 17; Figure 19 schematically illustrates an three-factor authentication system, comprising a processing module and an authentication engine, and Figure 20 is a diagram illustrating an exemplary method performed by the authentication system of Figure 19.

In all of the Figures, similar parts are referred to by like numerical references.

An aspect of the invention will now be described with reference to Figures 4 to 9.

-15 -The invention provides a method of processing an authentication code of a user U, performed by a system comprising at least a processing module 10, a database 11 and an authentication engine 2.

As will be apparent to the skilled in the art, in the following specification the processing module 10 and the authentication engine 2 should not be understood as limited natural entities, but rather refer to physical devices comprising at least a processor and a memory, the memory being comprised in one or more servers which can be located in a single location or can be remote from each other to form a nebulous network (such as server farms). Similarly, the database 11 may be comprised in one or more servers which can be located in a single location or can be remote from each other to form a nebulous network.

As explained in further detail below, a device 3 (such as a laptop, a personal computer, a Personal Digital Assistant, a phone, a smartphone, or a dedicated token, etc.) comprises at least a processor and a memory. The device 3 is linked to the system, and may preferably use wireless technology to communicate with the system. In that case, the system comprises cellular base stations (using mobile technology) and/or other Wireless Access Points (using other wireless communications) such as WiFi Bluetooth or near-field technology (also called sometimes "Near Field Communication" or "NFC"). The device 3 may also use wired access point (such as a wired modem) to communicate with the system. The communication between the device 3 and the system preferably complies with Secure Socket Layer (SSL) or Transport Layer Security (TLS) protocols known by the skilled person in the art.

As will be apparent to the skilled person in the art, in the following specification the device 3 also should not be understood as a limited natural entity, but may rather refer to physical devices comprising at least a processor and a memory, and the processor and the memory may be comprised in one or more apparatuses and/or servers which can be located in a single location or can be remote from each other -16-to form a nebulous network (such as server farms). The device 3 may therefore comprise for instance a laptop, a personal computer, a Personal Digital Assistant, a phone, a smartphone, etc. for selecting the authentication code and transmitting it to the system during a registration operation, and may comprise also a separate dedicated token comprising a display for displaying a challenge arrangement to a user during an authentication operation. Additionally or alternatively, a single device 3 may perform the selecting and transmitting of the authentication code during the registration operation, and also the displaying of the challenge arrangement to a user during an authentication operation.

The device 3 enables the user U to enter and transmit, during an authentication operation e.g. via any Human User interface mechanism, such as part of a logon process for a device 3 being a smartphone or an Internet browser, at least a one time code (OTC) associated with a challenge array to the system. Preferably the device 3 enables the user U to enter also user identification. In some embodiments the device 3 is configured to belong to the user U such that entering of user identification may not be needed.

It should be appreciated that Figure 6 shows functional block diagrams, and that in practice the individual blocks shown in Figure 6 may exist as discrete elements or their functionality may be distributed in different combinations or not individually discernable. In that respect, some of the functionality of the processing module 10 and/or the authentication engine 2 and/or to the device 3 may be distributed in different combinations or may be at least partially merged.

The authentication code has a length L of at least six elements e, and users U are encouraged to have codes greater than six if possible. The code may be allocated to the user by an administrator of the system. However the module 10 is preferably configured to enable the user U to select their authentication code. Optionally, the code is modified at user-configurable or administrator-configurable times, as variable code lengths are a strong security feature, adding significantly to entropy. -17-

The code is associated with a memorable identification pattern (MIP), based on an authentication arrangement, preferably but not exclusively used in a Matrix Pattern Authentication (MPA) and, with that respect and as shown in reference to Figure 4, the elements of the code form a set of the elements of at least one authentication array or arrangement 100 comprising S symbols s, preferably unique symbols.

In some aspects of the invention, once the authentication code is confirmed by the user U, e.g. on the device 3, the processing module 10 divides, in 510, the authentication code into at least two authentication segments, such as ci, c2 or c3, forming each a subset of the elements, not necessarily disjoint, of the authentication code.

The processing module 10 is further configured to encode in Sli each of the authentication segments using a one-way hashing function, using an industry standard, strong algorithm, with appropriate salting, as known by those skilled in the art, e.g. the known one-way hashing functions from the family SHA-2, such as SHA-256.

The module 10 then stores in S13 the encoded authentication segments, e.g. referred to as ci ux and c2ux in the database ii, not as a single entity, but rather as at least two smaller segments.

As explained in further detail below, the segments are preferably chained: validation of a first, previous, segment, by matching it with its corresponding part of the OTC, is needed in order to access a reference (or address or pointer) to a second, following, segment, etc. To that effect, preferably an encoding salt stored with a current segment is not actually used to hash the current segment, but to hash the following segment in the chain.

However the fact that the authentication code is divided in at least two segments provides the advantages that corresponding segments (or portions) of a challenge -18-code can be processed by an authentication engine 2 in an acceptable period of time, whilst still achieving acceptable online and offline security, as explained below.

In some aspects of the invention, described with reference to Figures 5,6 and 14 to 16, the device 3 transmits in S30 the OTC entered by the user during an authentication operation to the engine 2. The OTC comprises a set of elements of the at least one challenge arrangement 200 presented to the user U and comprising signs 201 which are duplicated in the challenge arrangement 200 (i.e. each sign is repeated more than one time, preferably a large number of times). As explained below, in 530 a record of the challenge arrangement 200 presented to the user U is stored, preferably in the database 11.

The authentication engine 2 is configured to divide in 531 the OTC into at least two portions forming each a subset of the elements of the OTC, and each corresponding to an authentication segments, e.g. ci, c2 or c3, respectively.

The authentication engine 2 is adapted to generate, e.g. in 533 and 538, candidate identification patterns corresponding to at least one portion of the OTC, e.g. by associating the signs of the portions with corresponding unique symbols (si, s2, s3, s4.. .s36) of the authentication arrangement 100. To that effect, it is understood that the associating in S33 and 538 uses the record of the challenge arrangement 200 stored in S30. The record of the challenge arrangement 200 provides indeed all the positions of the signs in the challenge arrangement 200, for their association with an element of a corresponding authentication arrangement.

In S34 and S39, the authentication engine 2 encodes the candidate identification patterns using the same one-way hashing function as the one used for encoding the authentication segments in Si 1.

In 534, S35, S39 and S40, the authentication engine 2 validates a candidate identification patterns only if it matches a corresponding encoded authentication segment of the authentication code, as explained in further detail below.

-19 -As can be seen from figure 14, the authentication engine 2 is further configured to validate in S41 the OTC (challenge code) only if each portion of the OTC corresponding to an authentication segments is validated.

As already explained below, the invention applies to any authentication arrangement of size S used in any MPA system, not only those of a square form factor.

However for the sake of the conciseness and clarity, the invention will now be explained in reference to Figure 8, in which the array has a square form factor and: L=6 S =36.

In Figure 8, the MIP authentication code is say s9, s16, s23, s28, s30, s35, and can be divided in SlO into not necessarily disjoint segments, i.e. into either two segments ci andc2, with ci being s9, si6, s23, s28, s30; and with c2 being s16, s23, s28, s30, s35 (i.e. N=5); or three segments ci,c2 and c3, with ci being s9, s16, s23, s28; c2 being s16, s23, s28, s30; and with c3 being s23, s28, s30, s35 (i.e. N=4); or four segments ci,c2, c3 and c4, with ci being s9, s16, s23; c2 being s16, s23, s28; c3 being s23, s28, s30; and with c4 being s28, s30, s35 (i.e. N=3); or five segments ci,c2, c3, c4 and c5, with ci being s9, s16; c2 being s16, s23; c3 being s23, s28; c4 being s28, s30; and with c5 being s30, s35 (i.e. N=2); or six segments ci,c2, c3, c4, c5 and c6, with ci being s9; c2 being si6; c3 being s23; c4 being s28; c5 being s30; and with c6 being s35 (i.e. N=i).

Table 2 shows how many iterations (also referred to as hash searches) are required for an authentication engine 2 to match a portion of an OTC to a corresponding authentication segment of the MIP.

Elements in each Unique symbol Number of hash Approx. elapsed MIP segment combinations per searches to match time to complete segment a segment searcht 6 2176,782336 46,656 lOs 60,466,176 7,776 1.5s 4 1679,616 1,296 0.25s 3 46,656 216 4Oms 2 1,296 36 8ms 1 36 6 1.Sms

v Table2 r

Table 2 also shows an estimate of processing time required to match a portion of an (0 OTC with a corresponding encoded segment of MIP, with a time of O.2ms for each 0 iteration.

Therefore according to some aspects of the invention, the module 10 is configured to divide the authentication code into segments of N elements, with N«=5.

Shorter authentication segments (N<6) and their corresponding portions of the OTC have the very desirable property that they can be processed much more quickly by the authentication engine 2, in order to validate the one time code (6 iterations for segments of Nal, instead of 46656, as explained above, for N=6). It is understood that several processing steps are now required, depending on the length of the MIP and the number of segments. The invention has however the advantage that the increase in processing time required is now linear (each time for an extra processing step adds to the previous times), rather than geometric as a function of Land/or S. A further benefit of the invention is that the time taken to reject an incorrect one-time code is dramatically reduced, and is now 1,296 iterations, instead of 46,656 iterations in the unsegmented scheme.

Therefore, according to some aspects of the invention, if each authentication arrangement 100 comprises S unique symbols (si, s2, s3, s4...s36), with S»=30, and N is a predetermined number of elements in each authentication segment, N is such that: (vT <46656.

According to some further aspects, N is such that: (f xt<5 with t a time, in seconds, of processing an encoding operation by a processor, using a one-way hashing function, from a family such as SHA-2, such as SHA-256. As explained above, t is typically equal to 0.0002 second (0.2ms).

Segmentation of the MIP provides therefore online security, however it introduces a different problem.

In the case of a segment, the number of unique symbols is reduced, and hence if a hacker is in possession of the symbols used to represent the MIP at the time of encoding, it becomes easier to deduce the MIP by trying every possible combination of symbols. With a segment length of 6 (N=6), there are 2.lbillion combinations from any given set of symbols. At the other extreme with the MIP broken into six individual symbols, each just one symbol long (N=1), there are only 36 possible combinations.

This is adjudged to be far too vulnerable to attack. This vulnerability is known to afflict PIN numbers, as they are represented by only 10,000 unique possible combinations, for the same set of 10 unique symbols used four times.

Furthermore the security of an MPA system should be significantly better than that of a PIN number base system.

-22 -Therefore according to some aspects of the invention, the module 10 is configured to divide the authentication code into segments of N elements, with 4 «= 7I.

In some further aspects, with S»=30, N is such that: SN >> iofl.

The invention provides therefore offline security, because the hashing processing time is sufficiently long.

Table 2 shows that the difference on processing speed is marginal between N equal 4 or 5, especially on powerful authentication engine 2.

The segments may differ in length, or all segments may be of equal length.

If the segments have different lengths, it is more difficult for a hacker to process the database ii, because the hacker needs further to know both the length of the segments and the correspondence between the patterns of segments and/or the users.

In that case and if the segments are further chained, preferably the first segment is longer than the other segments (for example N=6 for ci, and N=4 for c2, N=4 or 3 for c3, etc.), because it is longer and harder for a hacker to process and validate the first segment which is necessary for validation of the other segments.

In some aspects of Si 0 as shown in Figure 9, the module 10 is configured to divide, in SiOl, the authentication code into p authentication segments, with (El) wherein is the ceiling of L/N, i.e. the smallest integer greater than or equal to L/N.

-23 -Accordingly, in S31 as shown in Figure 14, the module 10 is configured to divide the OTC into p portions according to (El).

(El) means that for e.g. L=7 and N=4, 7/4=1.75, and then p may be equal to 2 (as in Table 3 below) if preferably the segments overlap at least partially as explained below; and that e.g. for L=8andN=4, 8/4=2, and then p may be equal to 2 (as in Table 3) if the segment are disjoint, or p may be equal to 3 if preferably the segments overlap at least partially; and that e.g. for [=11 and N=4, 11/4=2.75; and then p may be equal to 3 (as in Table 3) if preferably the segments overlap at least partially.

Preferably indeed the segments overlap at least partially and have an extent of redundancy between each other. Therefore the database 11 storing the tables of records of the segments have more segments than necessary, and is bigger and harder for a hacker to process. It is also more difficult for a hacker to process the database 11, because the hacker needs further to know both the length of the segments and the number of segments.

In that case and if the segments are further chained, each current segment has a short processing time during validation, because it comprises at least a part of a previous decoded segment which can be used for validation of the current segment.

Preferably the database might comprise dummy records, so that the database is bigger than necessary for storing the encoded segments. -24-

If the ratio L/N is not a natural number, the module 10 preferably further augments, in S102, at least one segment having fewer elements than N, by duplicating some elements from other segments, so that each segment comprises N elements. The exact symbols duplicated in the segments are not critical.

Tables 3 and 3a below show non limiting examples of the number of segments for MIP lengths of 6 to 12 elements long, but maybe further extended. Table 3 shows that for N=4, a MIP represented by the code el, e2, e3, e4. .. .e12 may be segmented as follows: MIP length Segment ci Segment c2 Segment c3 6 el,e2,e3,e4 e3,e4,e5,e6 n/a 7 el,e2,e3,e4 e4,e5,e6,e7 n/a C') 8 ei,e2,e3,e4 e5,e6,e7,e8 n/a 9 el,e2,e3,e4 e5,e6,e7,e8 e6,e7,e8,e9 el,e2,e3,e4 e5,e6,e7,e8 e7,e8,e9,elO 11 el,e2,e3,e4 e5,e6,e7,e8 e8,e9,elO,ell (0 12 el,e2,e3,e4 e5,e6,e7,e8 e9,elO,ell,e12

Table 3

Table 3 shows re-use of part of the previously derived code (there is preferably at least partial overlapping of the segments, i.e. a "sliding scale"). The overlapping creates only a weak interdependence between the MIPs segments.

Table 3a, below, shows a non-limiting example of overlapping elements in a segment, in order to always break a MIP into three segments, for any length of MIP, up to 12 elements. This has the advantage over the example in table 3 above, in that the use of a third segment will make it harder for a hacker to associate the three, apparently uncorrelated segments together.

MIP length Segment ci Segment c2 Segment c3 6 el,e2,e3,e4 e2,e3,e4,e5 e3,e4,e5,e6 7 el,e2,e3,e4 e3,e4,e5,e6 e4,e5,e6,e7 8 el,e2e3,e4 e2,e3,e5,e6 e5,e6,e7,eS 9 el,e2,e3,e4 e3,e4,e7,e8 e6,e7,e8,e9 el,e2e3,e4 e4,e5,e6,e7 e7,e8,e9,elO 11 el,e2,e3e4 e5,e6,e7,e8 e8,e9,el 0,el 1 12 el,e2,e3,e4 e5,e6,e7,e8 e9,eiO,eil,e12

Table 3a

Table 3b below shows the maximum number of hashing iterations required to find each segment of a user's MIP, for different MIP lengths and N=4. Processing time is based on 0.2ms per hashing operation, and is compared with the processing time c) 5 required to process a single unsplit MIP, with six unique symbols in the OTC.

V" MIP length Iterations Iterations Iterations Total max Indicative Indicative 1-required required required iterations processing processing -ci--c2--c3-time @ time, with (Q 2ms per single, 0 hash unsplit MIP 6 1296 36 -1332 0.26s 92s 7 1296 216 -1512 0.30s 56s 8 1296 1296 -2592 D.52s 6mins 9 1296 1296 6 2598 0.52s 33mins 1296 1296 36 2628 0.53s 3.3hrs 11 1296 1296 216 2808 0.56s 20hrs 12 1296 1296 1296 3888 0.78s 5 days

Table 3b

Another aspect of the invention will now be described with reference to Figures 5, 6 and 10.

As shown in Figure 10, the invention also provides a method of processing the authentication code of the user in which, in some aspects and, in order to further -26-improve security, the symbols are not represented by a simple numeric sequence, but the processing module 10 assigns, in Si, a randomly generated code to each symbol of the at least one arrangement 100. So, in the case of an arrangement 100 being a 6 x 6 matrix, 36 random symbols si. . .s36 are generated. The invention provides therefore the advantage of keeping the pattern even more secret.

Preferably, the module 10 stores in S2 each randomly generated code si, s2, s3.. .s36 in the database ii, and as explained in further detail below, the codes si, s2, s3.. .s36 are recalled only when needed at authentication. i0

Preferably, as shown in Figure ii, the module iO assigns in Si, for each segment, e.g. for ci and c2, and for each array, for example referred to as usrmatrix1 and usrmatrix,, a different randomly generated code to each symbol of the arrangement, so that the segments comprise each respectively at least one element corresponding iS to different arrangements. Preferably the elements of each segment ci or c2 may be encoded using a different unique set of 36 symbols. Thus the symbols used in segment ci are preferably different from those in segment c2 and so on.

Preferably, the two symbols sets are stored in S2 each in a different record on the database ii.

However, in order to minimize the probability of the same code being generated to represent different symbols in the arrangement iOO (namely, a collision), the symbol length needs to be long. Preferably, the symbol code length is at least 256 bits long.

Each symbol is generated using a random number generator. In that case, the probability of a collision occurring between any two symbols is inferior to itio and guarantees that each symbol table is therefore unique.

Another aspect of the invention will now be described with reference to Figures 5, 6, i2andi3. -27-

The invention also provides a method of processing the authentication code of the user U in which, in some aspects, the processing module 10 stores in S2 at least one arrangement of unique symbols and stores in S13 the at least two segments, as different uncorrelated records in the database 11. The invention has therefore the advantages that key pieces of information needed to authenticate a one time code are separated and uncorrelated. Each piece of information required is referenced by a different reference address in the database 11, such that it would be virtually impossible for anyone to correlate all the different components needed to achieve authentication. The referencing address used for this information adds significant protection.

These key pieces of information (or data) may comprise at least one of the following: a user identification, and/or a user name (usr), and/or a private salt (psalt) used in the one-way hashing function (e.g. belonging to the family SHA-2, e.g. SHA-256), and/or each encoded authentication segment c1u or c2u, preferably chained, and/or cryptographic salts (salt1, salt2, salt3,, salt3, etc.) used in the one-way hashing function with a user name or identification in connection with the encoded segments, and/or each authentication arrangement usrmatrix1 or usrmatrix2, as different uncorrelated records in a database 11.

Preferably at least some of the records are anonymised (i.e. cannot be related back to the user identity) and are only referenced using a hashing function applied to the user name (usr).

Figure 13 shows that the data are stored e.g. in four separate tables: Data table 1: referenced by usr, with the data fields salt1 and salt2 (used in the hashing function in Sli for encoding the first segment) and hashing(salt1 c1u) (also referred to as #(salt1x,c1ux; -28-Data table 2: referenced by #(usr, salti, ciu), with the data fields salt3 and #(salt2, c2u); Data table 3: referenced by #(usr, psalt), with the data field usrmatrix1; Data table4: referenced by #(usr, salt2, c1u), with the data field usrmatrix2.

Another aspect of the invention will now be described with reference to Figures 5, 6 and 14 to 16.

In S30, the device 3 enables the user U to enter at least the OTC comprising L signs associated with the challenge arrangement 200, and preferably a user identification usr (alternatively the device 3 may be associated with the user U). The OTC is transmitted to the module 10 and the length L of the one time code is measured by the module 10.

In S31, the module divides the OTC into challenge p portions, preferably using (El).

In S32, the module 10 enables the authentication engine 2 to retrieve, as a function of the user identification usr, at least an initial authentication arrangement usrmatrix1, and an initial authentication segment ci u of the authentication code.

Preferably, in S32 a temporary hash function 320 is run, using usr and psalt, to perform #(usr, psalt) in order locate the data table 3 and usermatrix1. In S32 the module 10 sends to the engine 2 the reference address usr of the record data table 1 and the reference address #(usr, psalt) of the record data table 3 in the database 11. The initial arrangement usrmatrix1 of symbols s11, s12, s13, s14. . .s136 is located in data table 3, and the encoded initial segment ci u of the authentication code is located in data table 1 as #(salti, ci u). It is understood that the initial authentication segment ciu is an encoded subset of the unique symbols s11, s2, s13, s14...s136 of the initial authentication arrangement usrmatrix1.

-29 -In 533, the authentication engine 2 generates initial candidate identification patterns inferred from an initial portion of the OTC and at least the initial array usermatrix1, preferably all the possible initial candidate identification patterns.

In S34, the authentication engine 2 encodes each of the initial candidate identification patterns using the one-way hashing function used in Si 1, using preferably salti provided as a data in data table 1, and compares each of them with the encoded initial segment ci u of the authentication code, also encoded in Sil using salti. A comparison in S35 is performed until a match, if any, can be found. In the example, the authentication engine 2 runs up to 1296 iterations of all possible MIP positions inferred by the first four digits of the OTC, to see if a match can be found with encoded record for ci u.

If no match is found in S35, authentication is failed, and the method is terminated in is 550. If a match is found in 535, then, the device 3 processes a subsequent portion in S36 which then becomes the current portion.

The steps of validating the portions of the challenge code (OTC) are preferably performed sequentially, as this sequential validation is performed with the chained segments by the engine 2, or less preferably may be performed in parallel if the segments are not chained.

For each current portion of the OTC, the module 10 enables in S37 the authentication engine 2 to retrieve, as a function of at least the corresponding previous authentication segment (ci u in our example): at least one current authentication arrangement usrmatrixQ, and an uncorrelated current authentication segment c2u.

The sending in 537 is performed preferably also as a function of the user identification usr. Therefore preferably, in S37 the module iO sends to the engine 2 -30-the reference address #(usr, salt2, ci u) of the record data table 4 in order to locate usrmatrix2, and the reference address #(usr, salti, ciu) of data table 2 containing salt3 and #(salt2 c2u) in the database ii.

It is understood that the reference addresses to locate the records in data tables 2 and 4 are uncorrelated because of the use of different salts. The current usrmatrixQ of symbols s2i, s22, s23, s24.. .s236 is located in data table 4, and the encoded current segment c2u of the authentication code is located in data table 1 as #(salt2, c2u). It is understood that the current authentication segment c2u is an encoded subset of the unique symbols s2i, s22, s23, s24.. .s236 of the current authentication arrangement usrmatrix.

This means that in order to retrieve on the one hand the encoded record for c2u, and on the other hand the symbols matrix usrmatrixQ used to generate it, different unique and uncorrelated reference addresses are required (i.e. #(usr, salt2 c1u) and uncorrelated #(usr, salti, ciu)).

The reference address for where the encoded version of c2u is located can therefore only be found if ciu has already been matched, and it is understood that without c2u, authentication cannot occur.

As already stated, the symbols matrix usrmatrix, used to generated c2u is located at a reference equal to #(usr, salt2, ciu). This means that there is no correlation between the location of the encoded record of c2u (located at a reference equal to #(usr, salt1 ciu)), and the symbols usrmatrix2 used to generate it.

The chained relationship of the segments is preferably reinforced by the fact that current salts, salt1 and salt2 in our example, used in Sii for encoding the current segment c2u and in S39 (as explained below) for encoding the current portion corresponding to segment c2u in data table 2 are stored with the previous authentication segment ci u, in data table 1, as #(salti, ci uk). Also following salts, salt2 and salt3, used in Si i for encoding the following segment c3u and in 539 (as explained below) for encoding the following portion corresponding to segment c3u in data table 2 are stored with the current authentication segment c2u in data table 1, as #(salt2 c2u), etc. Therefore a previous segment needs to be previously validated so that a current segment can be processed and validated.

In S38, the authentication engine 2 generates current candidate identification patterns inferred from the current portion of the OTC and at least the corresponding iO symbols of the current array usermatrix2, preferably all the possible initial candidate identification patterns.

In S39, the authentication engine 2 encodes the current candidate identification patterns using the one-way hashing function used in Sii, using preferably salt3 iS provided as a data in data table 3, and compares them with the encoded current segment c2u of the authentication code, also encoded in Si i using salt3, the comparison being performed until a match, if any, can be found. In the example, the authentication engine 2 runs up to i296 iterations of all possible MIP positions inferred by the four digits of the current portion of the OTC, to see if a match can be found with encoded record for c2u in S40.

If no match is found in S40, authentication is failed, and the method is terminated in S50.

If a match is found in S40 and there are still portions to process (e.g. [=8 with N=4 with overlapping segments, or in the case of a MIP or OTC code length greater than 8 with N=4), then, the module 10 processes a subsequent portion in S36, as a third segment c3u is needed, together with an additional salt, salt4. In this case, after c2u has been matched, c2u is used in the same way as ciu above in order to generate the unique references that point to the encoded record of c3u, and the symbols matrix used to generate c3u. In principle this approach could continue to even longer MIPs.

-32 -If a match is found in S40 and there are no further portions to process, then, the authentication succeeds in S41.

Thus even if someone was to copy or steal the four data tables, it would be nearly impossible to associate the correct symbols with the correct segments, and in the right sequence in order to assemble all the information needed to achieve authentication.

Another aspect of the invention will now be described with reference to Figure 8.

The authentication code is divided into at least two segments, and the segments can be processed by an authentication engine 2 in an acceptable period of time, whilst still achieving acceptable at least offline security. Therefore the invention enables the use of MPA of square form factors and with MIP of a length L with L»=6.

In some aspects of the invention, each authentication arrangement 100 has a square form factor a, wherein a»=6 with a being a linear dimension of the matrix, each matrix having a size S equal to a2 elements 101.

The invention can be applied to an optimal family of matrices of length (or size) S, wherein a balance between the uniqueness of signs s (providing a high level of entropy) and non-reversability of the OTC (given by the duplication of the signs s) is given by the solution of equation (E2): fl-(E2) where n is the number of times each different type of signs are replicated in each challenge arrangement 200, and S/n is the number of different signs in each challenge arrangement 200 (also referred to as m below).

-33 -The solution of (E2) is: Therefore preferably each challenge arrangement 200 has a square form factor a, wherein in = n = a and a»=6 with a being a linear dimension of the matrix, each matrix having a size S equal to a2 elements 201; m (=S/n) being the number of different signs in each challenge arrangement 200; and n being the number of times each different type of signs are replicated in each challenge arrangement 200.

The MPA according to the invention has better practical entropy compared to a one dimensional linear array or arrangement.

As stated above, the invention enables the use of an ideal configuration which has a square pattern and is therefore advantageous compared to a rectangular array which tends to suppress entropy.

Also as stated above, the invention enables the use of the ideal configuration where each symbol of the challenge matrix is repeated n=sqrt(S) times, where S is the number of elements (or the size) in the challenge matrix. Thus, it is desirable that a matrix has a number of elements that is a square number, i.e. 4, 9, 16, 25, 36, 49, 64, 81 etc. This is to ensure that signs in a matrix are repeated an integer number of times, with no bias in favour of any particular sign. Such a bias would compromise security effectiveness.

-34 -Preferably a" is an integer number between six and ten, for example nine unique signs in a 9x9 matrix, and so on.

Therefore a 36 element array with 6 unique different signs with each sign being repeated six times (i.e. a 6 x 6 x 6 x 6 configuration) with a six element MIP is the minimum configuration that has sufficient entropy, having the further advantage of having the property that the probability of guessing a correct OTC (i.e. 1/46,656) is much better than guessing a conventional four-digit PIN number.

In the developments above, the authentication operation only takes into account the OTC entered and transmitted by the user U to the system. It is therefore sometimes referred to as a one-factor system. Even if the authentication segments are stored in different and independent records, e.g. in data table 1 and data table 2, all the records are preferably stored in the database 11.

Another aspect of the invention will now be described with reference to Figure 17.

The authentication operation performed on the system of Figure 17 not only takes into account the OTC entered and transmitted by the user U to the system, but also device identification. It is therefore sometimes referred to as a two-factor system.

The invention has therefore the advantage that even if a hacker knows the MIP of the user U, the OTC will not be validated if the OTC is not entered on the device identified to the system.

Preferably, both a type of device and/or a selected device and a type of authentication operation andlor a selected authentication operation are user-configurable or operator-configurable. The user U may therefore e.g. choose one of his registered devices 3 for authentication regarding bank transactions and another one of his registered devices 3 for online payments. The operator may also e.g. ban a type of devices for highly secure transactions.

-35 -The registration of the device with the system comprises at least transmitting identification of the device 3 to the processing module 10.

Identification of the device 3 may comprise any unique identification, hereafter referred to as HID, such as a serial number of any part of the device and/or an International Mobile Equipment Identity [IMEI), etc. The transmitting of the identification may be performed via e.g. at least one of the following channels: a communication channel complying with known Secure Socket Layer (SSL) or Transport Layer Security (TLS) protocols; a mobile communication channel, such as Global System for Mobile Communications (GSM) or Universal Mobile Telecommunications System (UMTS), where identification is transmitted via a Short Message Service (SMS) or a Multimedia Messaging Service (MMS); a paper/written channel, where the user U provides to an operator of the system the identification of his device via mail or email, and where the operator of the system enters the identification of the device for storing in the database 11; or a voice channel, where the user U provides to an operator of the system the identification of his device orally, for instance via a telephone call, and where the operator of the system enters the identification of the device for storing in the database 11.

The processing module 10 then registers identification of the device 3 in the database 11, as an independent and secure record. The identification of the device is then used in the authentication process Preferably, the unique hardware ID HID is appended to the segments, ci, c2, c3 prior to encoding. This means that the unique hardware ID is never stored unencrypted in any of the data tables. During authentication, the unique hardware is input to S33, such that it may be incorporated in the matching process when S33 generates candidate values for ci, etc. -36-In some aspects of the invention, a part of the method may be performed locally on the device 3, as will now be described with reference to Figure 18.

In S60, the device 3 is registered with the system, as explained above.

Once the device 3 is registered with the authentication system, the steps of processing the authentication code are the same as already described in reference to Figures 7 to 12, and are not repeated here for the sake of conciseness and clarity.

513 is however modified into S131 and S132. In 5131, the module 10 stores at least a first part of the authentication segments on the registered device 3. For example, if the authentication code is divided in two segments, then one segment is stored in a memory 31 of the device 3, and if the authentication code is divided in three segments, then at least one segment is stored in the memory 31 of the device 3. In Si 32, the module 10 stores at least a second part of the authentication segments on the remote database ii. For example, if the authentication code is divided in two segments, then one segment is stored in the database 11, and if the authentication code is divided in three segments and one segment is stored on the memory 31, then two segments are stored in the database 11.

The steps of processing the OTC and authenticating the user U are the same as already described in reference to Figures 13 to 16, and are not repeated here for the sake of conciseness and clarity.

S30 is however modified into S300, where a record of the challenge arrangement presented to the user U is stored in the database ii and in the memory 31 of the device 3. This enables also the device 3 to perform locally at least some of S33 and/or S38, in order to generate at least candidate identification patterns corresponding to at least one portion of the OTC, e.g. by associating the signs of the portions with corresponding unique symbols of the authentication arrangement 100, using the record of the challenge arrangement 200 stored in the memory 31 and -37-providing all the positions of the signs in the challenge arrangement 200. It is understood that the authentication engine 2 also performs at least a part of S33 and/or S38, using the record of the challenge arrangement 200 stored in the database 11. It is also understood that a first pad of the portions, corresponding to the first part of the segments, is also stored at least temporarily on the device 3 during an authentication operation.

This enhances the two-factor feature of the system and method.

In some aspects, the system may be a three-factor system, as will now be described with reference to Figure 19.

The system and device 3 of Figure 19 are similar to the system and device of Figure 17, and are not fully described here for the sake of conciseness and clarity.

However, the device 3 preferably comprises a module 32, adapted for reading and recognizing a biometric data from the user U. The authentication operation of Figure 20 performed on the system of Figure 19 not only takes into account the OTC entered and transmitted by the user U to the system and the device identification of the device on which the OTC is entered, but also a biometric data from the user U. That is why it is therefore referred to as a three-factor system. The invention has therefore the advantage that even if a hacker knows the MIP of the user U and has the registered device on which the OTC must be entered, the OTC will not be validated if the biometric data is not entered on the device identified to the system.

The steps of processing the authentication code and the OTC are the same as already described in reference to Figure 18, and are not repeated here for the sake of conciseness and clarity. -38-

In the method of Figure 20 however S300 is modified in S301 and S302. In S301 the device 3 reads a biometric data of the user U, using the module 32. In S301, the read biometric data is compared with a reference biometric data.

Validation of the first part of the portions of the OTC can only occur if the read biometric data matches the reference biometric data.

Preferably, the reference biometric data is not stored on the database 11, but stored locally on the device 3. Therefore the operator of the system does not store any unnecessary personal information regarding the user U, and no large databases containing many instances of biometric data need to be used.

The biometric data maybe a voice and/or a shape of the face and/or the image of the iris, and/or a fingerprint of the user U. Preferably, the challenge matrix 200 is displayed on the device 3.

Preferably, the user U reads aloud the OTC he wants to enter, and the module 32 of the registered device 3 recognizes both the signs (or digits) of the OTC (using known dictation recognition techniques) and the voice of the user U, for processing and validation. This system is therefore very advantageous, since (i) it comprises all the advantages of security of the MIP in a MPA configuration (it is something that only the user knows), (ii) the authentication can be only performed on the registered device (it is something that only the user has) (iii) the authentication can be only performed by the user himself (it is someone only the user is).

This system is also very convenient because the voice and digit recognition are performed concomitantly on the device 3.

-39 -Alternatively, the user enters the OTC he wants to enter by touching a finger-print enabled keypad, such that the user's fingerprint is read as he types in the OTC. This system shares many of the advantages of the voice recognition system described above, in that the reading of the user's finger print, and recognition of the OTC are performed concomitantly on the device 3.

The system has numerous applications, and can be associated with any type of key code lock, the lock being either an electronic lock (for locking a transaction) or a mechanical lock (for locking a door or the opening of any device).

The present invention may be applied to any form of secret information, and the authentication code described above may be any secret information, such as passwords, passcodes, and personal information, including biometric information, where segmenting, chaining and storing the secret information on different locations preferably not relying on a single large database that can be compromised.

Modifications and Alternatives Detailed embodiments have been described above. As those skilled in the art will appreciate, a number of modifications and alternatives can be made to the above embodiments whilst still benefiting from the inventions embodied therein.

In the embodiments described above, the processing module and the authentication engine are typically implemented as software run by the corresponding controller.

However, in some embodiments, the processing module and the authentication engine may be formed, where appropriate, by hardware, software, firmware or any combination thereof. A software implementation may however be preferred to facilitate the updating of the functionality of a processing module or an authentication engine.

Where software are provided, they may be provided, as appropriate, in compiled or un-compiled form and may be supplied to the processing module, the authentication engine or to the device, as the case may be, as a signal over a computer or -40 -telecommunications network, or on a computer storage medium such as for instance a disc, an optical disc or a CD ROM.

It should of course be appreciated that, although not explicitly shown in Figure 6, the processing module and the authentication engine will have all of the functionality necessary to enable them to operate as the processing module and the authentication engine, respectively, in the particular system in which they are designed to function.

Various other modifications will be apparent to those skilled in the art and will not be described in further detail here. -41 -

Claims

CLAIMS1. A method of processing an authentication code of a user (U), comprising the steps of: obtaining (Si, S2) an authentication code of a user, the authentication code comprising a plurality of unique elements, dividing (510) the authentication code into at least two authentication segments each forming a subset of the elements of the authentication code; encoding (511) each of the authentication segments (ci, c2, c3) so that the authentication segments cannot be retrieved from the encoded authentication segments (ciu, c2u, c3u); and storing (Si3) the encoded authentication segments (ci u, c2u, c3u) independently, preferably wherein the encoded authentication segments (ci u, c2u, c3u) are stored in different and independent records in the database (ii).
2. The method of claim 1, further comprising the steps of: obtaining (S30) a challenge code (OTC) from the user, the challenge code only ambiguously describing the authentication code as being a subset of duplicated signs (201), only some of the duplicated signs corresponding to the unique elements of the authentication code, dividing (531) the challenge code (OTC) into at least two portions, each corresponding to an authentication segment (ci, c2, c3) respectively; generating (S33) candidate identification patterns corresponding to at least one portion of the challenge code (OTC), wherein generating candidate identification patterns comprises associating the signs of the challenge code with some unique elements of the authentication code; encoding (Sil) each of the candidate identification patterns with the same encoding used for the authentication segments; and validating (S34, S35, S39, S40) the at least one portion of the challenge code (OTC) if at least one encoded candidate identification pattern matches a corresponding encoded authentication segment; and -42 -validating (S41) the challenge code (OTC) only if each portion of the challenge code (OTC) corresponding to an authentication segments is validated.
3. The method according to any one of claims 1 or 2, wherein the authentication segments are chained.
4. The method according to claim 3, wherein encoding (Si 1) each of the authentication segments uses a one-way hashing function (SHA-2) using a salt, and wherein a previous authentication segment (ciu) is stored in a first record of the database (ii), and wherein a current salt (salti), used for encoding a current segment (c2u) stored in a second record of the database (11), is stored in the first record of the database (ii) along with the previous authentication segment (ciu), iS so that the previous authentication segment (ciu) needs to be previously validated so that the current segment (c2u) can be validated.
5. A method of processing an authentication code of a user (U), comprising the steps of: obtaining (51, S2) an authentication code of a user, the authentication code comprising a plurality of unique elements, dividing (SiO) the authentication code into at least two authentication segments each forming a subset of the elements of the authentication code; encoding (511) each of the authentication segments (ci, c2, c3) so that the authentication segments cannot be retrieved from the encoded authentication segments (ciu, c2u, c3u); and storing (Si3) the encoded authentication segments (ciu, c2u, c3u) for use in a validation in at least one record of a database (ii); wherein encoding (Sii) each of the authentication segments uses a one-way hashing function (SHA-2) using a salt, and wherein the authentication segments are chained such that -43 -a previous authentication segment (ci u) is stored in a first record of the database (ii), and a current salt (salti), used for encoding a current segment (c2u) stored in a second record of the database (ii), is stored in the first record of the database (ii) along with the previous authentication segment (ciu), so that the previous authentication segment (ciu) needs to be previously validated so that the current segment (c2u) can be validated.
6. The method according to any one of claims 1 to 5, wherein the segments overlap at least partially, thereby presenting some redundancy of elements between each other.
7. The method according to any one of claims 1 to 6, wherein the segments have different lengths compared to each other.
8. The method according to claim 7, wherein the first segment is longer than the other following segments.
9. The method according to any one of claims 1 to 8, wherein the elements of the authentication code are associated with symbols (si, s2, s3, s4.. .s36), and wherein a randomly generated set of codes (si, s2, s3...s36) is assigned (Si) to each symbol for at least one segment, and each randomly generated set of codes (si, s2, s3.. .s36) is stored (S2) in a record of the database (ii).
10. The method according to claim 9, wherein: for each authentication segment (ci, c2, c3), a different randomly generated set of codes (sii, s2, s3. . .s36; 521, s22, 523.. .s236) is assigned (Si) to each symbol, so that the authentication segments (ci, c2, c3) each comprise respectively at least one element corresponding to different set of codes.
11. The method according to claim iO, wherein -44 -each randomly generated set of codes (si, s2, s3.. .s36), and the corresponding encoded segments (ci u, c2u) are stored as different uncorrelated records in the database (11).
12. The method according to any one of claims 1 to ii, wherein the authentication code is divided (SlO) into segments of N elements, with 4 «= N «= 5.
13. The method according to any one of claims ito 12, wherein the challenge code is divided (531) into portions of N elements, with 4«= N«=5.
14. The method according to anyone of claims 12 or 13, wherein the authentication code and the challenge code are divided (SlO; 531) into p authentication segments and portions, respectively, with: rL wherein L is the number of elements in the authentication code or the challenge code; and rt. ..-is the ceiling of UN, i.e. the smallest integer greater than or equal to L/N.
15. The method according to claim 14, wherein, if the ratio L/N is not a natural number, at least one authentication segment having fewer elements than N is further augmented (S102) by duplicating some elements from other authentication segments, so that each authentication segment comprises N elements.
16. The method according to any one of claims 1 to 15, wherein at least one of the following: a user identification, and/or a user name (usr), and/or -45 -a private salt (psalt) used in the one-way hashing function (SHA-2), and/or each encoded authentication segment (ciu, c2u), and/or cryptographic salts (salti, salt2, salt3,, salt3) used in a one-way hashing function with a user name or identification in connection with the encoded segments, and/or each authentication arrangement (100; usrmatrix1; usrmatrix), are stored (Si 3) as different uncorrelated records in the database (ii).
17. The method according to any one of claims 1 to 16, wherein the obtained (Si, 52) authentication code is discarded as soon as the encoded authentication segments (ci u, c2u, c3u) are stored (Si 3).
18. The method according to any one of claims ito 17, wherein the elements of the authentication code are based on a memorable iS identification pattern, MIP, associated with at least one authentication arrangement (100), and wherein the at least one authentication arrangement (100) is a matrix used in a matrix pattern authentication, MPA.
19. The method according to claim 18, wherein each authentication arrangement (100) has a square form factor a, and wherein a»=6 with a being a linear dimension of the matrix, each matrix having a size S equal to a2 elements (101).
20. The method according to anyone of claims 18 or 19, wherein the authentication code comprises at least six elements.
21. The method according to any one of claims 1 to 20, wherein the authentication code is allocated to the user (U) by an administrator of a system of authentication performing the method or selected by the user, optionally the code is modified at user-configurable or administrator-configurable times.

-46 -
22. The method according to any one of claims ito 21, wherein the module (iO) stores (Si31) at least a first part of the authentication segments on the device (3), and wherein the module (10) stores (Si32) at least a second part of the authentication segments on the database (ii).
23. The method according to any one of claims 1 to 22, wherein a record of the challenge arrangement (200) is stored (5300) in the database (ii) and in the device (3).
24. The method according to claim 23, wherein the device (3) performs locally at least partially generating (S33, 538) candidate identification patterns corresponding to at least one portion of the challenge code (OTC), wherein generating candidate identification patterns comprises associating the signs of the challenge code with some unique elements of the authentication code, using the record of the challenge arrangement (200) stored (5300) in the device (3).
25. The method according to any one of claims 23 or 24, wherein an authentication engine (2) performs remotely from the device (3) at least partially: generating (S33, 538) candidate identification patterns corresponding to at least one portion of the challenge code (OTC), wherein generating candidate identification patterns comprises associating the signs of the challenge code with some unique elements of the authentication code, using the record of the challenge arrangement (200) stored (S300) in the database (ii).
26. A system comprising means (ii, iO, 2) adapted for: obtaining (Si, S2) an authentication code of a user, the authentication code comprising a plurality of unique elements, -47 -dividing (510) the authentication code into at least two authentication segments each forming a subset of the elements of the authentication code; encoding (Si i) each of the authentication segments (ci, c2, c3) so that the authentication segments cannot be retrieved from the encoded authentication segments (ciu, c2u, c3u); and storing (Si3) the encoded authentication segments (c1u, c2u, c3u) for use in a validation in at least one record of a database (11), wherein the at least two authentication segments are stored in different and independent records in the database (11).
27. A system comprising means (ii, iO, 2) adapted for: obtaining (Si, S2) an authentication code of a user, the authentication code comprising a plurality of unique elements, dividing (SlO) the authentication code into at least two authentication segments each forming a subset of the elements of the authentication code; encoding (Si i) each of the authentication segments (ci, c2, c3) so that the authentication segments cannot be retrieved from the encoded authentication segments (c1u, c2u, c3u); and storing (Si3) the encoded authentication segments (c1u, c2u, c3u) for use in a validation in at least one record of a database (11); wherein encoding (Sli) each of the authentication segments uses a one-way hashing function (SHA-2) using a salt, and wherein the authentication segments are chained such that a previous authentication segment (ci u) is stored in a first record of the database (11), and a current salt (salt1), used for encoding a current segment (c2u) stored in a second record of the database (11), is stored in the first record of the database (11) along with the previous authentication segment (c1u), so that the previous authentication segment (c1u) needs to be previously validated so that the current segment (c2u) can be validated.-48 -
28. A computer program, computer program product or computer readable medium comprising instructions for carrying out a method according to any of claims 1 to 25.