NZ702130B2 - Method and System for Abstracted and Randomized One-Time Use Passwords for Transactional Authentication - Google Patents
- Publication number: NZ702130B2
- Authority: NZ (New Zealand)
- Prior art keywords: user, code, security matrix, matrix, security
Abstract
A security system and method for authenticating a user's access to a system is disclosed. The security system receives an authentication request from the user and responds by generating a security matrix based on a previously stored user keyword and user preference data, the security matrix being different for each authentication request. The security system sends the security matrix to the user and awaits a one-time code in response to the security matrix. The user forms the one-time code based on the user keyword, the user preferences, and the security matrix. The security system validates the one-time code against the security matrix, the keyword, and the user preferences, and responds by sending an authentication result to the user that either permits or denies access to the system. Additionally, the security system sends a success or fail message to the system to be accessed.
Description
METHOD AND SYSTEM FOR ABSTRACTED AND RANDOMIZED ONE-TIME USE PASSWORDS FOR TRANSACTIONAL AUTHENTICATION
FIELD OF THE INVENTION
The present invention relates generally to authentication systems and methods, and more particularly to authentication systems that are highly secure.
DESCRIPTION OF THE RELATED ART
Security relating to personal identity has become the fundamental cornerstone of all transactions in the modern electronic world, with high levels of investment being applied to security and authentication methods, the technology to support it, and also to the hacking thereof. Most of the banking world depends on a pre-arranged personal identification number (PIN), which is a secret numeric password shared between a user and a system to authenticate the user to the system, while most electronic systems with full-text interfaces depend upon passwords.
It is common practice to trust heavily in cryptographic hash functions (CHF). These deterministic procedures take arbitrary data and return a mathematically calculated hash value that is unique to the data. A well-documented example of a CHF is the MD5 algorithm. Hash functions and smart security methods between the client and the server make it difficult to reverse-engineer the individual's password or PIN from a copy of the data. However, using visual observation along with phishing techniques, most passwords or PINs can be compromised, thereby allowing fraudulent transactions to be processed. Therefore, it is desirable to have a security scheme that reduces the likelihood that an authentication can be compromised.
BRIEF SUMMARY OF THE INVENTION
In one aspect, the invention provides a user authentication method comprising execution, by a processing system, of the steps of:
receiving a request from a user to initiate an authentication session, the request comprising a unique identifier of the user;
accessing, using the unique identifier, a record stored in memory associated with the user, the stored record comprising at least code value complexity preference data and a user-defined keyword consisting of an ordered sequence of symbols comprising members of a predetermined symbol set selected from one or more symbol sets supported by the processing system, wherein the symbols of the ordered sequence have been previously selected by the user independently of other users' selections;
generating a one-time security matrix which is valid only for the user during the authentication session, and which comprises a mapping between each symbol within the symbol set and a code value which is specific to the authentication session and randomly selected from a code set which is distinct from the symbol set;
transmitting the one-time security matrix for presentation to the user;
receiving an ordered sequence of code values selected from the one-time security matrix and input by the user, based upon the user-defined keyword and the code value complexity preference data, in response to presentation of the one-time security matrix;
validating the received ordered sequence of code values by comparison with a corresponding sequence of code values generated, but not transmitted, by the processing system based upon the user-defined keyword in the stored record, the code value complexity preference data and the one-time security matrix; and
generating an authentication result of the authentication session based upon the comparison.
[0005] In another aspect, the invention provides a user authentication apparatus comprising:
a data store containing one or more records, each of which is associated with a user by a unique identifier and comprises at least code value complexity preference data and a user-defined keyword consisting of an ordered sequence of symbols comprising members of a predetermined symbol set selected from one or more symbol sets supported by the processing system, wherein the symbols of the ordered sequence have been previously selected by the user independently of other users' selections; and
a processor comprising a processing unit and stored program instructions which, when executed, cause the processing unit to:
receive a request from a user to initiate an authentication session, the request comprising the unique identifier associated with the user;
access in the data store, using the unique identifier, the stored record associated with the user;
generate a one-time security matrix which is valid only for the user during the authentication session, and which comprises a mapping between each symbol within the symbol set and a code value which is specific to the authentication session and randomly selected from a code set which is distinct from the symbol set;
transmit the one-time security matrix for presentation to the user;
receive an ordered sequence of code values selected from the one-time security matrix and input by the user, based upon the user-defined keyword and the code value complexity preference data, in response to presentation of the one-time security matrix;
validate the received ordered sequence of code values by comparison with a corresponding sequence of code values generated, but not transmitted, by the processing system based upon the user-defined keyword in the stored record, the code value complexity preference data and the one-time security matrix; and
generate an authentication result of the authentication session based upon the comparison.
In another aspect, the invention provides a security system comprising:
a user-authentication apparatus as above;
a secure system for which a user requires authentication, and which is configured to:
receive a unique identifier of the user;
transmit a request to initiate an authentication session to the user-authentication apparatus, the request comprising the unique identifier of the user;
receive, from the user-authentication apparatus, the one-time security matrix;
present the one-time security matrix to the user;
receive, from the user, the ordered sequence of code values selected from the one-time security matrix;
transmit the ordered sequence of code values to the user-authentication apparatus; and
receive, from the user-authentication apparatus, the authentication result.
Under the present method, there is no correlation between the User's Keyword and the Security Matrix presented to the user for him to validate against. A Security System randomly constructs the Security Matrix and the User employs the Security Matrix to determine the One-Time Code that is valid for that User and for that Security Matrix. Each request to authenticate results in a new Security Matrix being calculated, ensuring that the probability of determining the Keyword is minimal.
The present invention is a novel approach to authentication security, allowing the user to define one or more Keywords, which are then used as a personal reference, enabling the User to create a One-Time Code from a randomized, system-generated Security Matrix. A Keyword is never directly entered during the authentication process at any stage and should never be disclosed or shared.
By separating the authentication process into three phases, (i) request to authenticate, (ii) validation of credentials, and (iii) the transmittal of the authorization details, a security method is produced in which all transactional authentication requests can be observed, recorded, and analyzed between the User, the Client Interface, and the Security System, while keeping it improbable that the user's keyword can be identified.
The strength of the Security Matrix can be altered by the user, not by the system he is authenticating against, to make determination simpler or more complex.
The method of the present invention can be applied to any system requiring User Authentication with minimal changes to the Secure System or the User experience. Because the Security Matrix and the One-Time Code are fully abstracted from the Keyword, there is no resulting security requirement to encode them for transmission in either direction. Thus, the method of the present invention is highly suited to any system where the connection between the Client Interface and the Secure System can easily be monitored or observed.
The method can be implemented for a single system, multiple systems, or as a unified public validation system, and works against any transaction that requires a user to validate his identity.
BRIEF DESCRIPTION OF THE DRAWINGS
These and other features, aspects and advantages of the present invention will become better understood with regard to the following description, appended claims, and accompanying drawings, where:
shows an authentication request;
shows a Validation request;
shows a first example of a One-Time Code in which an offset is used;
shows a second example of a One-Time Code in which an offset and crawl are used;
shows a third example of a One-Time Code in which a crawl is used;
shows a fourth example of a One-Time Code in which a jump is used;
shows an example architecture of an Internal Security Server for Local Authentication;
shows portions of the Client Interface during the authentication process;
shows an example architecture of an Internal Security Server for Remote Web Authentication;
shows an example architecture of an External Security Server for Remote Web Authentication;
shows an example architecture of an Internal Security Server for Internal and External Web Authentication and Internal System Authentication;
shows Message Structure Definitions;
shows User Preferences;
shows Secure System Preferences;
shows a flow chart of an embodiment of the present invention; and
shows a flow chart of an embodiment for generating and sending the one-time code.
DETAILED DESCRIPTION OF THE INVENTION
[0014] In the following description the following identifications are used.
The Secure System 20 is a system that requires a User to authenticate as a prerequisite to processing transactions or requests for information.
The Security System 30 is the system in which the User's Keyword and Preferences and the Secure System's preferences are stored, and where processing for the Security System's interfaces is performed. The messages exchanged are:
- Authentication Request 11
- Security Matrix 31
- One-Time Code 12
- Authentication Result 32
- Success Message 33
The User Preferences 40 are defined in Table 3 and are stored internally by the Security System 30.
A Keyword 41 is a linear string of alpha characters that is defined by the User 10. In the examples given, the keyword is limited to alpha characters only (A to Z); however, the method and system support Alpha (case sensitive or case insensitive), Numeric, Symbolic, or any combination thereof.
The Secure System Preferences 50 are defined in Table 4 and are stored internally by the Security System 30.
A Client Interface 60 is the Human Machine Interface (HMI) where a User 10 is required to interact with a keyboard, touch screen, PIN pad, or other entry device to provide authentication details, e.g., an Automated Teller Machine or a logon screen to an internet service.
Initially, a User 10 has previously provided User Preferences 40 and a Keyword 41 to the Security System 30. The Keyword 41 is stored in an encrypted form on the Security System 30 and is never transmitted in any function.
[0022] A User 10 requests to authenticate at a Client Interface 60, which in turn sends the Authentication Request 11 to the Secure System 20, which forwards the Authentication Request 11 to the Security System 30.
The Secure System Preferences data 50 is used to determine the format required and the limitations of the Client Interface 60. The User Preferences data 40 is used to determine the complexity level of the Security Matrix 11 that the User 10 prefers. The Security System 30 produces a Security Matrix 31 and sends it back to the Secure System 20, which then forwards the Security Matrix 31 directly to the Client Interface 60 or uses the information within it to build a custom representation of the Security Matrix 31, which it then presents to the User. The format of the user ID is system independent and can be any unique ID across all systems being supported by the security server. Examples of a user ID are a customer ID or an email address.
The User 10 authenticates, using the presented Security Matrix 31 to determine the One-Time Code number 12 by applying the User Preferences 40 in association with the Keyword 41. This One-Time Code number 12 is entered into the Client Interface 60, which then sends it to the Secure System 20 and then to the Security System 30, where it is validated by the Security System 30 using the Security Matrix 31 data in conjunction with the One-Time Code 12, the User's 10 stored Keyword 41, and the User Preferences 40. In response to the request, the Security System 30 then returns an Authentication Result 32 back to the Secure System 20, which is then sent back to the Client Interface 60. A second interaction occurs in parallel in which the Security System 30, upon a successful authentication, then initiates a send of the Success Message 33 to the Secure System 30's success notification point as detailed in the Secure System Preferences 50.
Every Authentication Request 11 and every One-Time Code 12 validation results in the Security Matrix 31 being re-randomized to prevent reuse. A log of Authentication Requests 11 and One-Time Code 12 attempts is maintained for limiting the maximum number of attempts in a given timeframe to prevent brute force attacks and for providing an auditable trace.
The first example shows a Security Matrix 31, the user preference data 40 and the user Keyword 41. The User 10 uses his keyword and User Preferences data 40 to generate the One-Time Code 12.
[0027] In this example, the User 10 prefers:
(a) The Security Matrix 31 be displayed alphabetically; and
(b) To add 1 to the displayed number that corresponds to the keyword letters.
Obtaining the matrix value for each character of the Keyword yields 17572. Adding an offset of +1 to the matrix result gives 28683 as the One-Time Code 12.
The second example shows a Security Matrix 31, the user preferences 40 and the user Keyword 41. The User 10 uses his keyword and User Preferences 40 to generate the One-Time Code 12.
In this example, the User 10 prefers:
(a) The Security Matrix 31 be displayed in random order;
(b) To add 1 to the number displayed against the keyword letters; and
(c) To add an extra 3 to the first keyword letter, an extra 6 to the second keyword letter, and so on.
Obtaining the matrix value for each character of the keyword yields 28672. Adding a +1 offset yields 39783. Adding a +3 crawl yields 65608, which is the One-Time Code. Note that in the example addition is modulo ten, but it can be any modulo addition.
The third example shows a Security Matrix 31, the user preferences 40 and the user Keyword 41. The User 10 uses his keyword and User Preferences 40 to generate the One-Time Code 12.
In this example, the User 10 prefers:
(a) The Security Matrix 31 be displayed in random order;
(b) To add 2 to the first keyword letter, 4 to the second keyword letter, and so on; and
(c) The second and fourth digits to be any number the user wishes. In this example, a valid One-Time Code response is:
a. 41215
b. 42225
c. 43235
d. 41235
e. 49285
f. and so on: only the first, third and fifth numbers are relevant.
Obtaining the matrix value for each character of the keyword yields 2#8#9. Adding a +2 crawl gives 4#2#5, which is the One-Time Code. Note again that addition is modulo 10.
[0035] The fourth example shows a Security Matrix 31, the user preferences 40 and the user Keyword 41. The User 10 uses his keyword and User Preferences 40 to generate the One-Time Code 12.
In this example, the User 10 prefers:
(a) The Security Matrix 31 be displayed in random order; and
(b) To add 1 to the first keyword letter, subtract 1 from the second keyword letter, add 1 to the third keyword letter, and so on.
Obtaining the matrix value for each character of the keyword yields 98428. Adding a +1 jump gives 07519, which is the One-Time Code. Again, addition or subtraction is modulo 10.
[0038] In the Local Authentication architecture, an internally hosted Security System 30 is utilized by a Secure System 20 to validate users 60 that are logging onto it through a Local Network 70, to which the user is connected either by wire or wirelessly via wireless transceiver 72.
Step 1: User accesses the Secure System logon portal and is only requested to supply a User ID, which could be an email address, in accordance with 82 and 84.
Step 2: User enters User ID, as in 84.
Step 3: Secure System sends User ID and System ID to the Security System, which performs validation and returns a Security Matrix 31, as in 86, which is then displayed by the Secure System 20 back to the User 60.
Step 4: User enters One-Time Code 12 and logs in as normal, as in 86. Secure System 20 sends One-Time Code 12, User ID, and System ID to Security System 30, which validates the code and provides a Session ID to the Secure System 20 if it is valid.
In the Remote Web Authentication architecture, an internally hosted Security System 30 is utilized by a Secure System to validate users 60 that are logging onto it through the Internet 90, say through modem 96.
Step 1: Remote User accesses the Secure System logon portal and is only requested to supply a User ID, which could be an email address, in accordance with 82 and 84.
[0045] Step 2: User enters User ID, as in 84.
Step 3: Secure System sends User ID and System ID to Security System 30, which performs validation and returns a Security Matrix 31, which is then displayed by the Secure System 20 back to the User 60.
Step 4: User enters One-Time Code and logs in as normal, as in 86. Secure System 20 sends One-Time Code 12, User ID, and System ID to Security System 30, which validates the code and provides a Session ID to the Secure System 20 if it is valid.
In the External Security Server architecture, a publicly hosted Security System 30 is utilized by a Secure System 20 to validate users 60 that are logging onto it through the Internet 90. In this configuration, a single Security System 30 can service multiple Secure Systems 20, allowing Users 60 to have one keyword for all registered systems. As before, remote users 60 connect through a modem 96 to the Internet 90.
Step 1: Remote User 60 accesses the Secure System 20 logon portal and is only requested to supply a User ID, which could be an email address, in accordance with 82 and 84.
[0050] Step 2: User 60 enters User ID, as in 84.
Step 3: Secure System 20 sends User ID and System ID to Security System 30, which performs validation and returns a Security Matrix 31, which is then displayed by the Secure System 20 back to the User 60.
Step 4: User 60 enters One-Time Code and logs in as normal. Secure System 20 sends One-Time Code, User ID, and System ID to Security System 30, which validates the code and provides a Session ID to the Secure System 20 if it is valid.
In the Internal and External Web Authentication architecture, an internal Security System 30 is configured to serve a financial institution across its entire business, effectively replacing standard authentication systems such as passwords and PIN numbers for debit and credit systems at the counter, ATM (Automated Teller Machine), merchant sale or Internet. The example shows:
(a) Internet banking via the Internet
(b) Other Internet services such as shares or foreign exchange
(c) ATMs
(d) Points of sale
(e) Customer Service PC
(f) Office PCs.
The above systems are described below.
Internet Banking Via The Internet
A user logs onto the bank's Internet portal 90 as normal; however, the logon process only requests that the user's User ID be submitted, in accordance with 82, 84. Upon receiving the user ID, the Bank Computer 20 contacts the Security System 30 with the User's ID and the Bank's System ID. Upon validating the User ID and System ID, the Security System 30 generates a Security Matrix and returns it to the Bank Computer 20, which then displays it to the User 110 along with a request to enter the One-Time Code, as in 86. Using the Security Matrix, the User works out the One-Time Code and enters it into the system. The One-Time Code is returned to the Bank Computer 20, which then forwards the One-Time Code, User ID, and Bank System ID back to the Security System 30, where the One-Time Code is validated. If valid, a Session ID is created and passed back to the Bank Computer 20, which then passes it back to the Internet Application 110 to form part of all subsequent requests made to the Bank Computer 20.
Other Internet Services Such As Shares Or Foreign Exchange
A user logs onto the bank's Internet portal as normal; however, the logon process only requests that the user's User ID be submitted, in accordance with 82, 84. Upon receiving the user ID, the Bank Computer 20 contacts the Security System 30 with the User's ID and the Bank's System ID. Upon validating the User ID and System ID, the Security System 30 generates a Security Matrix and returns it to the Bank Computer 20, which then displays the matrix to the User 112 along with a request to enter the One-Time Code. Using the Security Matrix, the User 112 works out the One-Time Code and enters it into the system. The One-Time Code is returned to the Bank Computer 20, which then forwards the One-Time Code, User ID, and Bank System ID back to the Security System 30, where the One-Time Code is validated. If valid, a Session ID is created and passed back to the Bank Computer 20, which then passes it back to the Internet Application 112, where it forms part of all subsequent requests made to the Bank Computer 20.
ATMs
A user inserts an ATM or Credit Card into the bank's ATM 102a, 102b as normal, upon which the ATM transmits the user ID and any other pertinent information to the Bank Computer 20 via the Bank ATM network 116. The Bank Computer 20 then contacts the Security System 30 with the User ID and the Bank's System ID. Upon validating the User ID and System ID, the Security System 30 generates a Security Matrix and returns it to the Bank Computer 20, which then sends the matrix to the ATM 102a, 102b to be displayed to the User. Using the Security Matrix, the User at 102a, 102b works out the One-Time Code and enters it into the ATM keypad. The One-Time Code is returned via the Bank ATM network 116 to the Bank Computer 20, which then forwards the One-Time Code, User ID, and Bank System ID back to the Security System 30, where the One-Time Code is validated. If valid, a Session ID is created and passed back to the Bank System 20 to form part of all subsequent requests made to the Bank Computer 20.
Point Of Sale
A user enters/swipes an ATM or Credit Card into the vendor's point of sale device 104, the sale price is entered by the vendor as normal, and the information is sent back to the Bank Computer 20 via the Bank Credit Card Network 114. The Bank Computer 20 then contacts the Security System 30 with the User ID and the Bank's System ID. Upon validating the User ID and System ID, the Security System 30 generates a Security Matrix and returns it to the Bank Computer 20, which then sends it to the point of sale device 104 to be either displayed on the screen, if it is capable, or printed on the paper receipt. Using the Security Matrix, the User works out the One-Time Code and enters it into the point of sale keypad 104. The One-Time Code is returned to the Bank Computer 20, which then forwards the One-Time Code, User ID and Bank System ID back to the Security System 30, where the One-Time Code is validated. If valid, a Session ID is created and passed back to the Bank System 20, which then processes the rest of the transaction as normal.
Customer Service PC
Upon approaching a customer service point within a Branch of the Bank, the User identifies himself using Banking Cards or any other valid identification method that allows the Customer Service Representative to identify the user's User ID and enter it into the Customer Service Portal 108. The Customer Service PC 108 sends the User ID to the Bank's Computer. The Bank Computer 20 then contacts the Security System 30 with the User ID and the Bank's System ID. Upon validating the User ID and System ID, the Security System 30 generates a Security Matrix and returns it to the Bank Computer 20, which then sends it to the Customer Service PC 108 to be displayed to the User. Using the input device provided, the User works out the One-Time Code and enters it in the Customer Service PC 108. The One-Time Code is returned to the Bank Computer 20, which then forwards the One-Time Code, User ID, and Bank System ID back to the Security System 30, where the One-Time Code is validated. If valid, a Session ID is created and passed back to the Bank System 20, which then passes it back to the Customer Service PC 108 to form part of all subsequent requests made to the Bank Computer.
Office PCs
A user logs onto the corporate network by logging in through the normal portal 106; however, the logon process only asks for the user's User ID to be submitted. Upon submitting the user ID, the Bank Computer contacts the Security System 30 with the User's ID and the Bank's System ID. Upon validating the User ID and System ID, the Security System 30 generates a Security Matrix and returns it to the Bank Computer 20, which then displays it to the User along with a request to enter the One-Time Code. Using the Security Matrix, the User works out the One-Time Code and enters it into the Office PC system 106. The One-Time Code is returned to the Bank Computer 20, which then forwards the One-Time Code, User ID, and Bank System ID back to the Security System 30, where the One-Time Code is validated. If valid, a Session ID is created and passed back to the Bank Computer 20, which then passes it back to the Office PC 106 to form part of all subsequent requests made to the Bank Computer 20.
User Panic Support
In one embodiment, the security system is further enhanced to allow for panic support. In this embodiment, a user or the system owner uses a particular prefix number or an alternative keyword instead of the normal keyword to form the one-time code from the Security Matrix. When the Security System 30 validates the one-time code and determines that the alternative keyword was used, it triggers a panic alert that is passed on to the Secure System 20. This provides an opportunity for the Secure System 20 to respond in a manner which protects the person under duress, e.g., by showing a significantly reduced available balance for Internet or ATM systems 102a, 102b, or by reporting to security while providing "sandboxed" access to a business system.
The Message Structure Definitions drawing shows the messages: Authentication Request Message 11, One-Time Code Message, Security Matrix Message 31, Authentication Result Message 32, and Success Message 33. The Authentication Request Message 11 includes the Unique User ID and, in some embodiments, the ID of the system requesting authentication. The One-Time Code Message includes the Unique User ID, in some embodiments the ID of the system requesting authentication, and the One-Time Code as entered by the user. The Security Matrix Message 31 includes the collection of Key, Value pairs composed in accordance with the Secure System Preferences 50. The Authentication Result Message 32 includes, in some embodiments, the Session ID, a success indication or an error indication. The Success Message 33 includes a Unique User ID and, in some embodiments, the ID of the system validated against and the Session ID.
The User Preferences drawing shows the user preferences, which include an order parameter, an offset parameter, a crawl parameter, a jump parameter, a mask parameter and a randomizer. According to the order parameter, a linear abstraction means that the Matrix has the key letters presented in linear order from A to Z and from 0 to 9. A random abstraction means that the Matrix has the key letters presented in a randomized order.
The offset parameter specifies either a positive offset or a negative offset. With a positive offset, a positive amount is added to each Value associated with the Key. Addition is modulo 10 for numbers and modulo 26 for letters, so that Z+1 = A. With a negative offset, a negative amount is added to each Value associated with a Key. Addition is again modulo 10 for numbers and modulo 26 for letters.
The Crawl parameter specifies either a positive increment or a negative increment. A positive increment means that a positive specified amount is added to a Value associated with a Key and then incremented by the specified amount for the next addition. A negative increment means that a negative specified amount is added to a Value associated with a Key and then incremented by the specified amount for the next addition. Again, addition is modulo 10 for numbers and modulo 26 for letters.
The Jump parameter specifies either an odd or an even amount for a jump. If Odd is specified, then a specified amount is added to every Value associated with a Key at an odd index of the Keyword and subtracted from every Value located at an even index of the Keyword. If Even is specified, then a specified amount is subtracted from every Value associated with a Key at an odd index and added to every Value located at an even index of the Keyword. Addition or subtraction is modulo 10 for numbers and modulo 26 for letters.
The Mask parameter specifies that a specified character at one or more indices in the Keyword is not to be altered by any other parameter. Additionally, the hash mark (#) at a location in the Keyword represents a wildcard match at which the user can enter any number or symbol in that location.
The Randomizer can be either a letter or a word having the same number of characters as the Keyword. If the Randomizer is a letter, its numerical value from the matrix is added modulo 10 to each numerical value of the Keyword. If the Randomizer is a word, then the value of each letter in the Randomizer word is added to the corresponding letter in the Keyword modulo 10.
shows Secure System Preferences. These preferences specify a Return
Format, a Key Scope and a Value Scope. The Return Format can be either XML, HTML, an
Image, or CSV text. The Key Scope specifies that the Security System should build the Security
Matrix Keys using the specified characters. The Value Scope specifies that the Security System
should build the Security Matrix Values using the specified characters.
shows a flow chart of an embodiment of the present invention. The flow
chart describes the steps that the Client Interface, the Secure System, and the Security System take
to authenticate a user requesting access to the Secure System. In step 150, the user provides a
keyword and his user preferences to the Security System, which receives these items in step 152
and saves them in persistent storage.
In step 154, the user makes an authorization request at a Client Interface, which,
in step 156, sends the request to the Secure System. In step 158, the Secure System receives the
Authentication Request and forwards it along with the System ID to the Security System, which
receives the Authentication Request in step 160. The Security System then generates the Security
Matrix in step 162 and sends the Matrix to the Secure System in step 164a or 164b. In step 164a,
the Secure System forwards the Matrix to the Client Interface, which receives the Matrix in step
166. In step 164b, the Secure System builds a custom representation of the Security Matrix and
sends it to the Client Interface, which receives it in step 166.
In step 166, the User also creates the One-Time Code using the Security Matrix,
the User Keyword, and the User Preferences, and enters the One-Time Code into the Client
Interface in step 168. The Client Interface then sends the One-Time Code to the Secure System
in step 170, which receives the One-Time Code in step 172 and forwards it, along with the User
ID and System ID, to the Security System, which receives it in step 174. In step 174, the Security
System validates the One-Time Code using the Security Matrix it previously sent, the User
Keyword, and the User Preferences. In step 176, the Security System sends the result of its
Authentication to the Secure System, along with a Session ID if the Authentication Result was
successful. In step 178, the Secure System forwards the Result to the Client Interface. Separately,
in step 182, the Security System sends a success or fail message to the Secure System, which
receives the message in step 184.
shows a flow chart of an embodiment for generating and sending the One-Time
Code. In step 190, the Security Matrix is displayed on the Client Interface. The Matrix can
be in either Alphabetic or Random Order, as specified by the User Preferences. In step 192, the
user creates a One-Time Code using the Keyword, the Security Matrix, and the User Preferences,
which specify whether Offsets, Crawls, Jumps and Masks, or any combination thereof, should be
used to form the One-Time Code. In step 194, the user inputs the One-Time Code into the Client
Interface so that it can be transferred to the Secure System.
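The parameter rules (Offset, Crawl, Jump, Mask, Randomizer) and the Security System's generate-then-validate steps from the flow chart, as an added worked model that is not the patent's own code. It assumes a Key Scope of A-Z and 0-9, a Value Scope of the digits 0-9 (so all arithmetic is modulo 10), 0-based keyword indices for the Jump parity, and the preference field names shown; the one-time code is computed server-side and never transmitted, only compared.

```python
import hmac
import secrets

SYMBOLS = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"   # Key Scope (assumed)
CODE_SET = "0123456789"                            # Value Scope (assumed)
WILDCARD = "#"                                     # hash mark in the Keyword


def generate_matrix(random_order: bool) -> dict:
    """Per-session Security Matrix: each Key gets a random Value from CODE_SET.

    Dict order is the presentation order: linear (A-Z, 0-9) or randomized,
    per the user's order preference. Values may repeat; that is intended.
    """
    keys = list(SYMBOLS)
    if random_order:
        keys = [keys.pop(secrets.randbelow(len(keys))) for _ in range(len(keys))]
    return {k: secrets.choice(CODE_SET) for k in keys}


def expected_code(matrix: dict, keyword: str, prefs: dict) -> list:
    """Generated-but-not-transmitted code: matrix Values of the Keyword with the
    user's preferences applied, one entry per position ('#' stays a wildcard).
    Indices are 0-based and the prefs field names are assumptions."""
    out = []
    for i, sym in enumerate(keyword):
        if sym == WILDCARD:
            out.append(WILDCARD)
            continue
        v = int(matrix[sym])
        if i not in prefs.get("mask", ()):           # Mask: leave Value untouched
            v += prefs.get("offset", 0)              # Offset: fixed amount
            v += prefs.get("crawl", 0) * (i + 1)     # Crawl: grows by amount each step
            jump = prefs.get("jump", 0)
            if jump:                                 # Jump: +/- by index parity
                odd = prefs.get("jump_parity", "odd") == "odd"
                v += jump if (i % 2 == 1) == odd else -jump
            rnd = prefs.get("randomizer", "")        # Randomizer: letter or word
            if rnd:
                v += int(matrix[rnd[i % len(rnd)]])
        out.append(str(v % 10))                      # numeric Values: modulo 10
    return out


def validate(submitted: str, expected: list) -> bool:
    """Compare the user's One-Time Code in constant time; '#' accepts any digit."""
    if len(submitted) != len(expected) or any(c not in CODE_SET for c in submitted):
        return False
    ref = "".join(s if e == WILDCARD else e for s, e in zip(submitted, expected))
    return hmac.compare_digest(submitted, ref)
```

The matrix is regenerated for every authentication request, so a code observed in transit is useless for a later session even though the keyword and preferences are fixed.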
Although the present invention has been described in considerable detail with
reference to certain preferred versions thereof, other versions are possible. Therefore, the spirit
and scope of the appended claims should not be limited to the description of the preferred
versions contained herein.
Claims (15)
1. A user authentication method comprising execution, by a processing system, of the steps of: receiving a request from a user to initiate an authentication session, the request comprising a unique identifier of the user; accessing, using the unique identifier, a record stored in memory associated with the user, the stored record comprising at least code value complexity preference data and a user-defined keyword consisting of an ordered sequence of symbols comprising members of a predetermined symbol set selected from one or more symbol sets supported by the processing system, wherein the symbols of the ordered sequence have been previously selected by the user independently of other users' selections; generating a one-time security matrix which is valid only for the user during the authentication session, and which comprises a mapping between each symbol within the symbol set and a code value which is specific to the authentication session and randomly selected from a code set which is distinct from the symbol set; transmitting the one-time security matrix for presentation to the user; receiving an ordered sequence of code values selected from the one-time security matrix and input by the user, based upon the user-defined keyword and the code value complexity preference data, in response to presentation of the one-time security matrix; validating the received ordered sequence of code values by comparison with a corresponding sequence of code values generated, but not transmitted, by the processing system based upon the user-defined keyword in the stored record, the code value complexity preference data and the one-time security matrix; and generating an authentication result of the authentication session based upon the comparison.
2. The method of claim 1 wherein the step of generating the one-time security matrix comprises arranging the symbols within the symbol set in a random order.
3. The method of claim 1 wherein the step of generating the one-time security matrix comprises arranging the symbols within the symbol set in an alphabetical order.
4. The method of claim 1 wherein: the step of receiving the request from the user comprises receiving the request from a secure system distinct from the processing system, the secure system having a corresponding secure system identifier; the request further comprises the secure system identifier; and the step of generating the one-time security matrix is based upon preferences associated with the secure system identifier.
5. The method of claim 4 wherein the step of transmitting the one-time security matrix for presentation to the user comprises: transmitting the one-time security matrix to the secure system; the secure system constructing a custom representation of the one-time security matrix; and the secure system presenting the custom representation of the one-time security matrix to the user.
6. The method of claim 4 wherein the step of generating the one-time security matrix includes randomly selecting code values from a code set determined in accordance with preferences associated with the secure system identifier.
7. The method of claim 1 wherein the predetermined symbol set comprises alphabetical characters, and wherein the code set is a set of numerical values.
8. The method of claim 7 wherein the stored record associated with the user comprises user preferences including an offset value, and wherein the step of validating the received ordered sequence of code values comprises generating a corresponding sequence of code values based upon the user-defined keyword in the stored record, the one-time security matrix mapping of symbols to the numerical values of the code set, and calculation of modified code values based upon the offset value.
9. The method of claim 7 wherein the stored record associated with the user comprises user preferences including a crawl value, and wherein the step of validating the received ordered sequence of code values comprises generating a corresponding sequence of code values based upon the user-defined keyword in the stored record, the one-time security matrix mapping of symbols to the numerical values of the code set, and calculation of modified code values based upon the crawl value.
10. The method of claim 7 wherein the stored record associated with the user comprises user preferences including a jump value, and wherein the step of validating the received ordered sequence of code values comprises generating a corresponding sequence of code values based upon the user-defined keyword in the stored record, the one-time security matrix mapping of symbols to the numerical values of the code set, and calculation of modified code values based upon the jump value.
11. The method of claim 7 wherein the stored record associated with the user comprises user preferences including a mask value, and wherein the step of validating the received ordered sequence of code values comprises generating a corresponding sequence of code values based upon the user-defined keyword in the stored record, the one-time security matrix mapping of symbols to the numerical values of the code set, and calculation of modified code values based upon the mask value.
12. The method of claim 7 wherein the stored record associated with a user comprises an alternative user-defined keyword consisting of an ordered sequence of symbols selected from the predetermined symbol set, and wherein: the step of validating the received ordered sequence of code values further comprises performing a comparison with a corresponding sequence of code values generated, but not transmitted, by the processing system based upon the alternative user-defined keyword in the stored record, the code value complexity preference data and the one-time security matrix; and in the event that the comparison results in a match, generating the authentication result of the authentication session comprising a panic tion.
13. A user authentication apparatus comprising: a data store containing one or more records, each of which is associated with a user by a unique identifier and comprises at least code value complexity preference data and a user-defined keyword consisting of an ordered sequence of symbols comprising members of a predetermined symbol set selected from one or more symbol sets supported by the processing system, wherein the symbols of the ordered sequence have been previously selected by the user independently of other users' selections; and a processor comprising a processing unit and stored program instructions which, when executed, cause the processing unit to: receive a request from a user to initiate an authentication session, the request comprising the unique identifier associated with the user; access in the data store, using the unique identifier, the stored record associated with the user; generate a one-time security matrix which is valid only for the user during the authentication session, and which comprises a mapping between each symbol within the symbol set and a code value which is specific to the authentication session and randomly selected from a code set which is distinct from the symbol set; transmit the one-time security matrix for presentation to the user; receive an ordered sequence of code values selected from the one-time security matrix and input by the user, based upon the user-defined keyword and the code value complexity preference data, in response to presentation of the one-time security matrix; validate the received ordered sequence of code values by comparison with a corresponding sequence of code values generated, but not transmitted, by the processing system based upon the user-defined keyword in the stored record, the code value complexity preference data and the one-time security matrix; and generate an authentication result of the authentication session based upon the comparison.
14. A security system comprising: a user-authentication apparatus according to claim 13; a secure system for which a user requires authentication, and which is configured to: receive a unique identifier of the user; transmit a request to initiate an authentication session to the user-authentication apparatus, the request comprising the unique identifier of the user; receive, from the user-authentication apparatus, the one-time security matrix; present the one-time security matrix to the user; receive, from the user, the ordered sequence of code values selected from the one-time security matrix; transmit the ordered sequence of code values to the user-authentication apparatus; and receive, from the user-authentication apparatus, the authentication result.
15. The security system of claim 14 wherein the secure system comprises one of: a web server interface, wherein input is received from the user and the one-time security matrix is presented to the user via a web browser operated by the user; an automatic teller machine; or a point-of-sale terminal.
Applications Claiming Priority (2)

| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US41827610P | 2010-11-30 | 2010-11-30 | |
| PCT/IB2012/052006 WO2013061171A1 (en) | 2010-11-30 | 2012-04-20 | Abstracted and randomized one-time passwords for transactional authentication |

Publications (2)

| Publication Number | Publication Date |
|---|---|
| NZ702130A NZ702130A (en) | 2016-09-30 |
| NZ702130B2 true NZ702130B2 (en) | 2017-01-05 |