WO2016042473A1 - Secure authentication using a dynamic passcode - Google Patents

Info

Publication number
WO2016042473A1
Authority
WO
WIPO (PCT)
Prior art keywords
candidate
multimedia
media
passcode
authenticator
Prior art date
Application number
PCT/IB2015/057079
Other languages
English (en)
Inventor
Puneet Goyal
Nitin Khanna
Radhey Shyam
Joohi Chauhan
Original Assignee
The Registrar, Graphic Era University
Priority date
Filing date
Publication date
Application filed by The Registrar, Graphic Era University
Publication of WO2016042473A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/068 Network architectures or network communication protocols for network security for supporting key management in a packet data network using time-dependent keys, e.g. periodically changing keys
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3228 One-time or temporary data, i.e. information which is sent for every authentication or authorization, e.g. one-time-password, one-time-token or one-time-key
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/18 Network architectures or network communication protocols for network security using different networks or channels, e.g. using out of band channels

Definitions

  • the present subject matter described herein relates, in general, to information/data security and/or authentication, and more particularly to usable secure authentication.
  • Secure authentication is a crucial aspect for any organization or nation, especially now that the world is so heavily connected online. Although still applicable, before the beginning of this massively online era legitimate users were authenticated primarily on the basis of their physical presence and/or some valid ID/information. For example: access to a defense lab is granted only after the security guard visually identifies the person and verifies his/her ID card; banks and other financial organizations earlier allowed a user to withdraw money from his/her account only after verifying his/her identity and the passbook issued to him/her by the bank. Withdrawal of money by cheque was introduced later and is allowed only after someone presents to the bank the valid cheque that was issued to the customer by the bank and after the customer's signature is verified.
  • single-factor authentication systems (such as passface/passpoints based systems), and in general the currently used single-band authentication systems, are not considered very secure because of snooping, man-in-the-middle (MITM) and other attacks, which make it easier for attackers to succeed sooner or later.
  • MITM man-in-the-middle
  • Two-factor authentication (TFA) schemes address many of these security concerns, as they generally require either an additional hardware device (like an RSA SecurID token or an ATM/credit card reader) or a personal mobile device (for receiving/generating a one-time passcode, i.e. OTP), in addition to the user password, at the time of authentication.
  • additional hardware device like RSA SecurID, ATM/Credit card reader
  • personal mobile devices for receiving/generating one time passcode i.e. OTP
  • OTP one time passcode
  • US 6993658 discloses a password setting system for a secure system that includes a user token server and a communication module, wherein the user concatenates the secret passcode with the random token received (on a personal communication device, such as a mobile phone or a pager carried by the user) in order to form a valid password, which is then used for authentication.
  • Another prior-art document, US 20080168543 A1, discloses a method/system including a number generator residing on a first server to generate first and second OTP tokens from a shared clock, a transmitter residing on the first server to transmit the first and second OTP tokens, a receiver residing on a second server to receive the first, second and third OTP tokens, and a comparator residing on the second server to compare the second and third OTP tokens to authenticate the identity of the party who generates the third OTP token.
  • '780 discloses a system to generate an OTP without using a hardware token, using instead the client machine, to which some functions and parameters generated by the server are transmitted.
  • the client generates a first OTP using a predefined function on the token and the hash value of user password, such that retrieving the hash value of the password from the first OTP is a discrete log problem.
  • a second OTP is generated using a bilinear mapping on the first OTP, such that generating first OTP from second OTP is a bilinear inverse problem.
  • TFA schemes not only add to the cost (generally in distribution, replacement, maintenance, disposal, etc.) but also to user inconvenience, as the user needs to carry an additional device, and the device can also get stolen. These problems become more severe if one were to carry multiple additional devices for multiple accounts.
  • SMS, and then the same OTP is sent (generally out-of-band, OOB) to authenticate
  • sim-cloning sim-swap
  • cellular-network attacks device-theft, Trojan and other attacks
  • SMS OTP based authentication systems are difficult to use because of the delays often associated with receiving an OTP via SMS.
  • the present invention addresses one or more of the above-described problems of the existing authentication systems; the technical solution achieved in the present invention is to provide security measures such that the system is much more secure and also reasonably usable.
  • the authentication system as per the present invention is secure even if the OTP SMS is compromised (e.g. via sim-cloning, sim-swap, etc.), or one's personal device (that receives/generates the OTP) is compromised (e.g. via Trojan, malware, theft, etc.), or one's password is compromised (e.g. via a key-logging attack, a shoulder-surfing attack, a password once shared with some friend/colleague, etc.).
  • the present invention discloses a technique using which the candidate initially shares one or more mapping(s) specific to oneself that would be used for generating the transformed passcode (transformed media/multimedia), either by visiting the branch office and/or via some secure communication medium.
  • the candidate specific mapping(s) are distributed to the specific candidate via registered post or via some other secure means.
  • the present invention discloses a technique in which, during the authentication phase, the candidate is conveyed the media/multimedia content (like an OTP text, or an OTP embedded within some other multimedia like audio/image/video/animation, etc.) from the authenticator (authenticating system or server or its representative) on the candidate's device (like a phone, personal computer, iPad, or some other device used during authentication).
  • the candidate replies with the first passcode, which is a transformed media/multimedia (in either text or multimedia form) that is generated using the candidate-specific mapping and the media/multimedia content conveyed initially.
  • This candidate-specific mapping is generally neither stored on any user device nor transmitted over the communication channel.
  • the media/multimedia conveyed to the candidate is valid for authentication purpose only for specific limited opportunities like for limited number of authentication sessions and/or for limited time period only (for e.g. 15 mins, 1 hour, 1 day, etc.).
  • the media/multimedia content comprises two or more elements, the elements are preferably selected from alpha numeric values, ASCII characters, roman characters, regional language characters, symbols or some other form of information.
  • media/multimedia content is text "47683245" where its eight elements are 4, 7, 6, 8, 3, 2, 4 and 5. Two or more of these elements would be used for generating the dynamic passcode using the candidate specific mapping.
  • the elements of the media/multimedia transmitted are randomly generated (e.g. OTP).
  • the present invention discloses a technique to generate a transformed media/multimedia using the candidate-specific mapping (without necessarily using any software or hardware on the candidate side). So, the present method is secure even against those attacks or security breaches where the client/candidate side system/device or the information shared during authentication over the communication device or channel is once compromised or stolen or intercepted.
  • the candidate-specific mapping used for generating the first passcode includes at least one parameter selected from a group of parameters involving data associated with a current or past transaction/authentication session (like credit/debit account number, amount of money, etc.), unvarying data known to both said candidate and said authenticator (like candidateID, candidate's date of birth, etc.), varying data accessible to both said candidate and said authenticator (like day, month, year, time, date, region related information when/where access is requested, etc.), or any combination thereof.
  • a group of parameters involving data associated with a current or past transaction/authentication session like credit/debit account number, amount of money, etc.
  • unvarying data known to both said candidate and said authenticator like candidateID, candidate's date of birth, etc.
  • varying data accessible to both said candidate and said authenticator like day, month, year, time, date, region related information when/where access is requested, etc.
  • the candidate specific mapping used for generating the first passcode includes the mathematical operations, logical operations, permutations, conditionals, or some other operations/mappings including customized operations/mappings. These operations are preferably applied on elements associated with the initially transmitted media/multimedia content and elements associated with the other parameters/data associated with the candidate-specific mapping, in order to generate the valid passcode as authentication key for that particular authentication session.
  • mappings available to choose from enhance the security significantly and make it difficult for attackers to guess the mapping and succeed.
  • the present invention discloses a technique to deal with how the media/multimedia transmitted is transformed using candidate-specific mapping and/or some parameters, and then the transformed media/multimedia is used for authentication.
  • the authenticator also independently generates the second passcode using the media/multimedia content (one that was initially transmitted) and the candidate-specific mapping (and its associated parameters value) associated with that candidate. This second passcode is compared with the first passcode received from the candidate and accordingly the authentication is performed.
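The exchange described in the entries above, as an added example that is not part of the patent or of any implementation by its assignee: the authenticator issues a short-lived random media string (plain digits standing in for an OTP), the candidate applies a candidate-specific mapping that is neither stored on the device nor transmitted, and the authenticator independently recomputes the second passcode and compares it with the first. The class and function names, the sample mapping (per-digit shift by the last four digits of an account number, modulo 10) and the 15-minute window are this example's own assumptions.

```python
"""Added example (not the patent's code): one authentication session of the
scheme. Names, the sample mapping and the validity window are assumptions."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable

Mapping = Callable[..., str]


def sample_mapping(media: str, account_last4: str) -> str:
    """Constructed candidate-specific mapping: shift digit i of the media by
    digit (i mod 4) of a parameter both sides know (last 4 digits of the
    account number), modulo 10 per digit."""
    return "".join(
        str((int(ch) + int(account_last4[i % 4])) % 10) for i, ch in enumerate(media)
    )


@dataclass
class Authenticator:
    """Server side: holds each candidate's mapping and parameters, issues
    media on an access request, and verifies the transformed media returned."""
    ttl_seconds: float = 15 * 60  # validity window; the page lists 15 min as one option
    candidate_db: dict = field(default_factory=dict)  # candidate id -> (mapping, params)
    pending: dict = field(default_factory=dict)       # candidate id -> (media, expiry time)

    def enrol(self, cid: str, mapping: Mapping, params: dict) -> None:
        # Agreed out of band (branch visit, registered post); never sent during authentication.
        self.candidate_db[cid] = (mapping, params)

    def issue_media(self, cid: str, now: float, n_elements: int = 8) -> str:
        """Transmit random elements, valid for one session and until expiry."""
        media = "".join(str(secrets.randbelow(10)) for _ in range(n_elements))
        self.pending[cid] = (media, now + self.ttl_seconds)
        return media

    def verify(self, cid: str, first_passcode: str, now: float) -> bool:
        """Recompute the second passcode independently and compare it with the first."""
        entry = self.pending.pop(cid, None)  # one-time: a second attempt with the same media fails
        if entry is None or cid not in self.candidate_db:
            return False
        media, expiry = entry
        if now > expiry:
            return False  # media outlived its validity window
        mapping, params = self.candidate_db[cid]
        second_passcode = mapping(media, **params)
        # Constant-time comparison so the match step itself leaks nothing about the expected value.
        return hmac.compare_digest(first_passcode, second_passcode)


def candidate_reply(media: str, account_last4: str) -> str:
    """Candidate side: apply the mapping by hand or in the head; no secret lives on the device."""
    return sample_mapping(media, account_last4)


if __name__ == "__main__":
    import time
    auth = Authenticator()
    auth.enrol("cand-1", sample_mapping, {"account_last4": "1234"})  # constructed enrolment
    media = auth.issue_media("cand-1", now=time.time())
    ok = auth.verify("cand-1", candidate_reply(media, "1234"), now=time.time())
    print("media sent:", media, "accepted:", ok)
```

The verifier consumes the pending media before checking anything, so a replayed first passcode fails even within the window, and an expired media is rejected before the mapping is evaluated.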
  • an authenticator for authenticating a candidate comprises a transmitter module, responsive to detecting an access request, configured to transmit at least one media/multimedia; a receiver module configured to receive at least one first passcode from said candidate, wherein said first passcode is a transformed media/multimedia obtained from said media/multimedia transmitted; a passcode matching module configured to generate at least one second passcode based on said media/multimedia and a plurality of candidate-specific mappings pre-stored in at least one candidate database associated with said candidate, and to match said transformed media/multimedia with said second passcode generated; and an authentication module, responsive to the match of said transformed media/multimedia with said second passcode, authenticating said candidate.
  • a method for authenticating a candidate by an authenticator comprises:
  • a system for authenticating a candidate comprises an authenticator including a transmitter module, responsive to detecting an access request, configured to transmit at least one media/multimedia; a receiver module configured to receive at least one first passcode from said candidate, wherein said first passcode is a transformed media/multimedia obtained from said media/multimedia transmitted; a passcode matching module configured to generate at least one second passcode based on said media/multimedia and a plurality of candidate-specific mappings pre-stored in at least one candidate database associated with said candidate, and to match said transformed media/multimedia with said second passcode generated; an authentication module, responsive to the match of said transformed media/multimedia with said second passcode, authenticating said candidate; and at least one device communicably coupled to said authenticator and configured to provide or enable selection of said candidate-specific mapping for storing in said candidate database, wherein said candidate-specific mappings are pre-stored and customizable.
  • Figure 1 illustrates a network implementation of a system, in accordance with an embodiment of the present subject matter.
  • Figure 2 illustrates an authenticator for authenticating a candidate, in accordance with an embodiment of the present subject matter.
  • Figure 3 illustrates a method for authenticating a candidate, in accordance with an embodiment of the present subject matter.
  • Figure 4 illustrates a method for storing candidate-specific mapping (and associated parameters) in the candidate database, in accordance with an embodiment of the present subject matter.
  • the word candidate used throughout the present invention refers to one making access request, preferably selected from a human user, an artificial intelligence (AI) system, a robot and the like.
  • AI artificial intelligence
  • the person skilled in the art may understand that the usage of the word/expression "candidate" shall not restrict the protection scope of the present invention.
  • the present invention discloses various mechanisms/techniques to ensure and enhance the security of user authentication even when the OTP SMS/information is compromised, one's personal device (that receives/generates the OTP) is compromised, one's password is somehow compromised, or information shared over the communication device or channel is compromised.
  • the candidate may share initially with the authenticating server (bank system, etc.) one or more specific mapping(s) that one plans to use for generating the dynamic passcode (which is used finally for authentication), by either visiting the branch office and/or some secure communication media.
  • candidate specific mapping(s) may also be distributed to the specific candidate via registered post or via some other secure means.
  • the candidate is conveyed the media/multimedia content from the authenticating server.
  • the media/multimedia conveyed to the candidate is valid for authentication purpose only for specific limited opportunities like for limited number of authentication sessions (generally for one-time only) and/or for limited time period only (for e.g. 15 mins, 1 hour, 1 day, etc.).
  • the candidate replies with the dynamic passcode which is a transformed media/multimedia that is generated using original media/multimedia content and the candidate-specific mapping (and its associated parameters).
  • the media/multimedia conveyed to the candidate is based on randomly generated code (like OTP).
  • the way for the candidate to access the media/multimedia could be any of a group comprising email, SMS/MMS, communication via a web browser or application running on the candidate's device (in sync with the authentication server), some electronic device (like an ATM, a token device like SecurID, access control devices at doors, etc.), and combinations thereof.
  • the media/multimedia content comprises two or more elements, the elements are preferably selected from alpha numeric values, ASCII characters, roman characters, regional language characters, symbols or some other form of information.
  • media/multimedia content is text "47683245" where its eight elements are 4, 7, 6, 8, 3, 2, 4 and 5.
  • the elements are numeric values but it is also well understood by a person skilled in the art that the elements may not be limited to only numeric values but may include other ASCII characters or regional language characters or symbols also. Two or more of these elements may be used for generating the dynamic passcode using the candidate specific mapping. It is also well understood that the media/multimedia content may also be an image or video or some other multimedia content with these elements embedded within.
  • the elements of the media/multimedia transmitted may be completely randomly selected/generated (e.g. OTP).
  • the elements of the media/multimedia transmitted are generated randomly but with some constraints, e.g. the elements should all be distinct, or at most two duplicates of an element are allowed, or the elements must belong to a specific set of characters/symbols only, etc.
  • the dynamic passcode used for authentication and generated using the candidate-specific mapping is based on these elements conveyed as/within media/multimedia transmitted by the authentication server to the candidate.
  • This interception is generally extremely difficult if the communication channels used are different (as in out-of-band authentication systems) but may be possible when using single-band authentication.
  • in single-band authentication it may be preferred to provide multiple multimedia (like several CAPTCHA images) for the candidate to choose from, so that security is further enhanced.
  • the said candidate-specific mapping may not be stored or transmitted over the communication channel.
  • the candidate who initiates the transaction or authentication request, the candidate who receives (or gets access to) the media/multimedia content transmitted and the candidate who replies with the transformed/dynamic passcode for authentication to proceed further - they may not be all the same.
  • a user initiates the transaction or authentication request.
  • Another or same user receives (or gets access to) the media/multimedia content transmitted by the authenticating server, and provides to his/her colleague or superior or the user who initiated the transaction.
  • the system receiving the access request, the system transmitting the media/multimedia content to the candidate, and the system that receives the dynamic passcode from the candidate and matches with the second passcode computed separately at system level - these systems may not be all the same, although they may be communicating or sharing some common resources/information/database.
  • the limited access is provided depending on the comparison/matching result (e.g. a match with different second passcodes may grant different degrees of access in some scenarios).
  • the honey pot system may also get activated depending on comparison/matching result, especially in case of some suspicious behavior (for e.g. match with some specific second passcode from given plurality of second passcodes may facilitate initiating honey pot trap in some scenarios).
  • the candidate-specific mapping used for generating the first/second passcode includes at least one parameter selected from a group of parameters involving data associated with a current or past transaction/authentication session (like credit/debit account number, amount of money, etc.), unvarying data known to both said candidate and said authenticator (like candidateID, candidate's date of birth, etc.), varying data accessible to both said candidate and said authenticator (like day, month, year, time, date, region related information when/where access is requested, etc.), or any combination thereof.
  • the elements associated with the above mentioned parameters may be mapped to numeric values or some other characters or symbols, before applying the candidate specific mapping to compute the dynamic passcode.
  • the first three letters corresponding to the day when authentication is attempted may be mapped as per the order in which the letters appear in the English alphabet (A-01, B-02, ..., M-13, N-14, O-15, ..., Z-26); so Monday is mapped to 131514.
  • Some other candidate may have chosen the ASCII values corresponding to these days prefix.
  • the candidate-specific mapping used for generating the first/second passcode includes the mathematical operations, logical operations, permutations, conditionals, or some other operations or mappings including customized operations or mappings.
  • the candidate specific mapping may be a series of mappings applied after one another.
  • the candidate-specific mapping is configured to generate at least one output, wherein the output consists of two or more elements, and each element is independently based on at least one parameter selected from a group of parameters involving elements associated with said media/multimedia, data associated with a current or past transaction, unvarying data known to both said candidate and said authenticator (like candidateID), varying data accessible to both said candidate and said authenticator (like day, month, year, time, date, region-related information when/where access is requested), or any combination thereof.
  • the elements of the output of the candidate specific mapping are independently computed, the candidate specific mapping is considered consisting of several mappings (or operations, likely but not necessarily mathematical operations) as per the number of elements in the output.
  • the transformed media/multimedia thus generated using candidate-specific mapping may be simple concatenation or combination of these elements in the output or may be a multimedia where these elements are embedded within.
  • the transformed media/multimedia i.e. first passcode
  • mappings as a combination of element-level mappings not only make it easier for people in general to apply these mappings (or computations) but also provide them a wide range of mappings (and associated parameters) to choose from; this not only addresses the usability concerns but also enhances the security significantly, thus making it difficult for attackers to guess the mapping and succeed.
  • mappings that comprise 8 element-level mappings and thus generate an output with 8 elements, but this is just for illustration purposes; it is well understood by those skilled in the art that the size and combination of these elements in the output could be chosen in other ways also.
  • Candidate 2 specific mapping (using unvarying data for e.g. 1, 2 and 3 here)
  • candidate specific mappings may include but not limited to:
  • a, ⁇ , ⁇ and/or ⁇ could be some parameters dependent on transaction data (like last 4 digits of credit account number) or user PIN or varying data known to both user and authenticator (like time in hhmm format, or last 4 digits of PIN code of that region) or addition of these parameters.
  • mappings/transformations discussed above are over modulo 10 for each digit, but different candidate may choose other options as well.
  • Some candidate-specific mappings may also use hard-core/customized mappings (like mapping 2 to 5 and vice-versa, mapping 9 to 6 and vice versa) in combination or independent of other mappings.
  • Some candidate-specific mappings may also use alphanumeric or other characters as well, like mapping A to 8, mapping 1 to !, etc.
  • some candidate specific mappings be such that it may map the media/multimedia transmitted like "ABCD" (having elements A, B, C, D) to the dynamic passcode "WXYZ". In some embodiments, this may be mapped to "123456" as per some candidate-specific mapping. In some embodiments, this may be mapped to " ⁇ " as per some candidate-specific mapping.
  • ATM pins preferably 4 digit codes
  • 8-digit passcode provides users the limited range of 10000 passwords (0000 to 9999) to choose from for the authentication purpose.
  • a much larger number of mappings are possible for a user to choose from. Including the dynamically changing parameters and more operators like min, max, conditional operators, etc. (which are generally simple to compute) in the functional mapping associated with the user would further extensively increase the possibilities to choose from, thus making it much more difficult for fraudsters to guess these mappings and making the proposed solution much more secure.
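The element-level mapping family described in the entries above (the weekday prefix mapped to alphabet positions so that Monday becomes 131514, or alternatively to ASCII codes; per-digit operations modulo 10 driven by a parameter; custom digit swaps such as 2 to 5 and 9 to 6; permutations; min/max over elements; and a series of mappings applied one after another), as an added example that is not part of the patent or of any implementation by its assignee. It generalizes the page's single instances into small composable steps; all names (Step, add_param, permute, swap_digits, combine_neighbours, compose, transform, day_prefix_alpha, day_prefix_ascii, SAMPLE_MAPPING) and the sample candidate's choice of mapping are this example's own assumptions, and SAMPLE_DATE is a constructed Monday.

```python
"""Added example (not the patent's code): composable element-level mappings
over the digit elements of a transmitted media string. Names are assumptions."""
import datetime as dt
from typing import Callable

Elements = list[int]
Step = Callable[[Elements, dict], Elements]

# Weekday prefixes indexed by date.weekday() (Monday == 0), independent of locale.
DAY_PREFIX = ["MON", "TUE", "WED", "THU", "FRI", "SAT", "SUN"]
ALPHA_POS = {c: i for i, c in enumerate("ABCDEFGHIJKLMNOPQRSTUVWXYZ", start=1)}
SAMPLE_DATE = dt.date(2015, 9, 14)  # constructed: a Monday


def day_prefix_alpha(d: dt.date) -> str:
    """Two-digit alphabet position of each letter (A=01 ... Z=26); Monday -> '131514'."""
    return "".join(f"{ALPHA_POS[c]:02d}" for c in DAY_PREFIX[d.weekday()])


def day_prefix_ascii(d: dt.date) -> str:
    """The alternative another candidate might pick: ASCII codes of the same prefix."""
    return "".join(str(ord(c)) for c in DAY_PREFIX[d.weekday()])


def add_param(name: str) -> Step:
    """Element i becomes (e_i + p_i) mod 10, with p cycling over the digits of params[name]."""
    def step(elems: Elements, params: dict) -> Elements:
        p = [int(c) for c in params[name]]
        return [(e + p[i % len(p)]) % 10 for i, e in enumerate(elems)]
    return step


def permute(order: list[int]) -> Step:
    """Reorder elements: output position j takes input position order[j]."""
    def step(elems: Elements, params: dict) -> Elements:
        return [elems[j] for j in order]
    return step


def swap_digits(table: dict[int, int]) -> Step:
    """Customised substitution, e.g. {2: 5, 5: 2, 9: 6, 6: 9}; other digits unchanged."""
    def step(elems: Elements, params: dict) -> Elements:
        return [table.get(e, e) for e in elems]
    return step


def combine_neighbours(op: Callable[[int, int], int]) -> Step:
    """Element i becomes op(e_i, e_{i+1}) mod 10 (cyclic), e.g. op = min or max."""
    def step(elems: Elements, params: dict) -> Elements:
        n = len(elems)
        return [op(elems[i], elems[(i + 1) % n]) % 10 for i in range(n)]
    return step


def compose(*steps: Step) -> Step:
    """A series of mappings applied one after another."""
    def step(elems: Elements, params: dict) -> Elements:
        for s in steps:
            elems = s(elems, params)
        return elems
    return step


def transform(media: str, mapping: Step, params: dict) -> str:
    """Apply a mapping to the media's digit elements; the dynamic passcode is the
    concatenation of the output elements."""
    return "".join(str(e) for e in mapping([int(c) for c in media], params))


# Constructed sample candidate: weekday-dependent shift, then custom swaps, then reversal.
SAMPLE_MAPPING = compose(
    add_param("day"),
    swap_digits({2: 5, 5: 2, 9: 6, 6: 9}),
    permute([7, 6, 5, 4, 3, 2, 1, 0]),
)


def sample_passcode(media: str, when: dt.date) -> str:
    """What this sample candidate (and, independently, the authenticator) computes."""
    return transform(media, SAMPLE_MAPPING, {"day": day_prefix_alpha(when)})


if __name__ == "__main__":
    print(sample_passcode("47683245", SAMPLE_DATE))  # page's sample media on a Monday
```

Because every step is a pure function of the elements and of parameters both sides can derive, the authenticator needs only the candidate's stored step list and the same date to recompute the passcode; the passcode for the page's sample media changes with the weekday even when the media itself is reused.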
  • the present invention is secure against the security attacks where the client/candidate side system/device or the information shared during authentication over the communication device or channel is once compromised or stolen or intercepted.
  • the passcode is dynamic for being dependent on media/multimedia transmitted (and possibly also on varying parameters associated with candidate-specific mapping), so it is not usable for authentication again and thus secure against the key-logging, snooping or shoulder surfing attacks.
  • candidate-specific mapping makes it even much more difficult for a fraudster to guess the candidate-specific mapping (and associated parameters), even in the very unlikely event that both the bands the user uses for authentication are compromised (data there is intercepted/monitored by the fraudster) and the user is completely unaware of this for a long time.
  • Using multimedia as the basis, and not just text, makes it further harder for automated attacks to collect the information shared over communication channels, and thus prevents fraudsters from succeeding in compromising the authentication system.
  • the authentication system and methods presented in this invention may be used alone or in combination with other existing authentication methods and systems.
  • the present invention may be implemented as single-factor authentication. In some embodiments, the present invention may be implemented to facilitate multi-factor authentication. In some embodiments, the present invention may be used in a single-band system (i.e. one communication channel). In some embodiments, the present invention may be used where communication is occurring across two or more channels. Referring now to figure 1, a networked implementation of a system 100 for providing secure authentication using a dynamic passcode generated with a candidate-specific mapping is illustrated, in accordance with an embodiment of the present subject matter.
  • the authenticator 106 may also be implemented in a variety of computing systems, such as a laptop computer, a desktop computer, a notebook, a workstation, a mainframe computer, a server, a network server, and the like. It will be understood that the authenticator 106 may be accessed by multiple users through one or more user/ electronic devices 102 (102-1, 102-2...102-N devices), referred to as device 102 possessed by the user hereinafter, or applications residing on the user devices 102. Examples of the candidate/user devices 102 may include, but are not limited to, a portable computer, a personal digital assistant, a handheld device, and a workstation. The devices 102 are communicatively coupled to the authenticator 106 through a network 104.
  • the network 104 may be a wireless network, a wired network or a combination thereof.
  • the network 104 can be implemented as one of the different types of networks, such as intranet, local area network (LAN), wide area network (WAN), the internet, and the like.
  • the network 104 may either be a dedicated network or a shared network.
  • the shared network represents an association of the different types of networks that use a variety of protocols, for example, Hypertext Transfer Protocol (HTTP), Transmission Control Protocol/Internet Protocol (TCP/IP), Wireless Application Protocol (WAP), and the like, to communicate with one another.
  • the network 104 may include a variety of network devices, including routers, bridges, servers, computing devices, storage devices, and the like.
  • the candidate may share one or more mapping(s) specific to oneself that would be used for generating the transformed/dynamic/first passcode (transformed media/multimedia), either by visiting the branch office and/or via some secure communication media. The sharing of said candidate-specific mapping may be achieved by means of a device 108 dedicated to submitting the candidate-specific mapping, which may be coupled to the authenticator 106 by means of a new or available network 106. In one implementation, the candidate shares the candidate-specific mapping either by visiting the branch office where said authenticator 106 is located, and/or via some secure communication media over a new network or said network 106.
  • said candidate specific mapping is provided by said candidate using a dedicated device or selected from a set of pre-stored options provided by said user authentication system.
  • the authenticator 106 may include at least one processor 202, an interface 204, and a memory 206.
  • the at least one processor 202 may be implemented as one or more microprocessors, microcomputers, microcontrollers, digital signal processors, central processing units, state machines, logic circuitries, and/or any devices that manipulate signals based on operational instructions.
  • the at least one processor 202 is configured to fetch and execute computer-readable instructions that may be stored in the form of module/s 208 in the memory 206.
  • the I/O interface 204 may be an input/output (I/O) interface and may include a variety of software and hardware interfaces, for example, a web interface, a graphical user interface, and the like.
  • the I/O interface 204 may allow the authenticator 106 to interact with a user directly or through the user/ client devices 102. Further, the I/O interface 204 may enable the authenticator 106 to communicate with other computing devices, such as web servers and external data servers (not shown).
  • the I/O interface 204 can facilitate multiple communications within a wide variety of networks and protocol types, including wired networks, for example, LAN, cable, etc., and wireless networks, such as WLAN, cellular, or satellite.
  • the I/O interface 204 may include one or more ports for connecting a number of devices to one another or to another server.
  • the memory 206 may include any computer-readable medium known in the art including, for example, volatile memory, such as static random access memory (SRAM) and dynamic random access memory (DRAM), and/or non-volatile memory, such as read only memory (ROM), erasable programmable ROM, flash memories, hard disks, optical disks, and magnetic tapes.
  • the modules 208 include routines, programs, objects, components, data structures, etc., which perform particular tasks or implement particular abstract data types.
  • the modules 208 may include a transmitter module 210, a receiver module 212, a passcode matching module 214, and an authentication module 216.
  • the other modules may include programs or coded instructions that supplement applications and functions of the authenticator 106.
  • the database may be a specific database, hereinafter referred to as candidate database 218, which specifically stores said candidate-specific mapping.
  • the other data (not shown) may include data generated as a result of the execution of one or more modules in the other module (not shown).
  • said candidate database may also store other information associated with the user, including, but not limited to, user identification details like user id, contact number, date of birth, mail address, residential address, etc. Further, said candidate database may also store the password/s associated with said candidate and/or set by said candidate (preferably in hashed form).
  • an authenticator 106 for authenticating a user comprises a transmitter module 210, in response to detecting an access request, configured to transmit at least one media/multimedia; a receiver module 212 configured to receive at least one first passcode, wherein said first passcode is a transformed media/multimedia obtained from said media/multimedia transmitted; a passcode matching module 214 configured to generate at least one second passcode based on said media/multimedia and a plurality of candidate-specific mappings pre-stored in at least one candidate database associated with said candidate, and to match said transformed media/multimedia with said second passcode generated; and an authentication module 216, in response to the match of said transformed media/multimedia with said second passcode, authenticating said candidate.
  • a system 100 for authenticating a candidate comprises an authenticator 106 including a transmitter module 210, in response to detecting an access request, configured to transmit at least one media/multimedia; a receiver module 212 configured to receive at least one first passcode, wherein said first passcode is a transformed media/multimedia obtained from said media/multimedia transmitted; a passcode matching module 214 configured to generate at least one second passcode based on said media/multimedia and a plurality of candidate-specific mappings pre-stored in at least one candidate database 218 associated with said candidate, and to match said transformed media/multimedia with said second passcode generated; an authentication module 216, in response to the match of said transformed media/multimedia with said second passcode, authenticating said candidate; and at least one device 108 communicably coupled to said authenticator and configured to provide or enable selection of said candidate-specific mapping for storing in said candidate database, wherein said candidate-specific mappings are pre-stored and customizable.
  • the device 108 may be a computing system, such as a laptop computer, a desktop computer, a notebook, a workstation, a mainframe computer, a server, a network server, and the like.
  • said access request (or say, attempt to authenticate) is triggered by said user by transmitting at least one request to said authenticator, said request is preferably selected from at least a user identification number, biometric log in, opening an application pre-stored in a device possessed by said user, or any combination thereof.
  • the present invention enhances the security features of the existing authentication systems or provides a complete new authentication solution.
  • the device 108 is configured to provide or enable selection of said candidate-specific mapping for storing in said candidate database.
  • said candidate database 218 is a distributed database.
  • said transformed media/multimedia comprises or is based on said media/multimedia and at least one parameter selected from a group of parameters involving data associated with a current or past transaction, unvarying candidate-specific data like candidate ID, varying data accessible to both said candidate and said authenticator like day, month, year, time, date, or region-related information when/where access is requested, or any combination thereof.
  • said user authentication system authenticates said candidate specifically when said second passcode received from said user matches with said confirmation passcode generated.
  • the present invention may be used for validating the authenticity of a claimed authenticating system, such as a web server, for example to protect against phishing attacks.
  • the system provides both the media/multimedia content transmitted (initial code) and also the dynamic passcode generated using the initial code and candidate-specific mapping, for the user/candidate to validate if the dynamic passcode presented is the one expected.
  • the initial code is presented by the candidate/user to the authentication system and the system responds with the dynamic passcode generated using the initial code and the candidate-specific mapping. The authenticity of the system is confirmed if the dynamic passcode provided is the same as the expected passcode.
  • FIGs. 3 and 4 illustrate a method for authenticating a user, and a method for storing candidate-specific mapping (and its associated parameters) in the candidate database, respectively, in accordance with an embodiment of the present subject matter.
  • the method may be described in the general context of computer executable instructions.
  • computer executable instructions can include routines, programs, objects, components, data structures, procedures, modules, functions, etc., that perform particular functions or implement particular abstract data types.
  • the method may also be practiced in a distributed computing environment where functions are performed by remote processing devices that are linked through a communications network.
  • computer executable instructions may be located in both local and remote computer storage media, including memory storage devices.
  • a request from a user/candidate/device possessed by the user to get authenticated is received by the authenticator 106.
  • in response to detecting an attempt to authenticate, the authenticator/server 106 of the authentication system 100 generates at least one media/multimedia. The media/multimedia generated is transmitted to the device possessed by or near the user.
  • after receiving the media/multimedia generated by the authenticator 106, the candidate generates the first passcode, which is a transformed media/multimedia based on the candidate-specific mapping and its associated parameters.
  • the candidate-specific parameters may be identifiable by the candidate-specific mapping functions that may be pre-stored in the candidate-database possessed by the authenticator or candidate database that may be distributed but coupled to the authenticator.
  • the first passcode which is a transformed media/multimedia generated is then transmitted to the authenticator.
  • the authenticator 106, in response to the receipt of the first passcode from the candidate/device possessed/used by the candidate, generates at least one second passcode based on said media/multimedia transmitted to the candidate and a plurality of candidate-specific mappings pre-stored in at least one candidate database associated with said candidate.
  • after generation of the plurality of second passcodes, the authenticator 106 matches the first passcode received with the plurality of second passcodes.
  • if, after matching, the authenticator 106 finds that the first passcode matches at least one of the plurality of second passcodes, the authenticator authenticates the candidate and provides access.
  • the candidate has to pre-store the candidate-specific mapping functions in the authenticator.
  • the authenticator is configured to receive at least one candidate-specific mapping function from at least one dedicated device communicably coupled with the authenticator.
  • the candidate is allowed to customize or update the candidate-specific mapping(s) shared/fed or pre-stored in the authenticator.
  • the updated candidate-specific mapping(s) are stored/saved in the user database.
  • the candidate database may be a distributed database each storing at least one piece of the candidate-specific mapping(s) received.
  • the candidate may visit the authenticator (such as a bank server or an office server located at some location) and submit/share the mapping that may be used for the generation of dynamic passcodes.
  • the mapping(s) are provided in the above sections.
  • the mappings may be pre-stored in the authenticator and are displayed when some candidate wishes to select them for passcode generation.
  • the mapping(s) may also be customized as per candidate's requirement or comfort.
  • These candidate-specific mapping(s) are associated with the candidate preferably not directly but using some anonymous identifiers, and stored accordingly for security purposes. Also, these mapping(s) may be stored in distributed databases. Each candidate-specific mapping may include several element-level mappings and different parameters for each of these mappings.
  • the candidate-specific mappings are stored in pieces in the distributed database and when a candidate attempts to authenticate, the pieces of the mapping functions corresponding to said candidate (by preferably using anonymous identifiers associated with said candidate) are fetched from these distributed databases and combined to form the mapping(s) which is used for generation of the passcode by the authenticator.
  • a dedicated device 108 may be used for submitting/sharing the mapping(s) to the authenticator.
  • the device may be a computer, tablet or phone communicably coupled to the authenticator and configured to provide the required interface to the user so as to easily share the mapping(s) with the authenticator.
  • the dedicated device may have an OCR means to feed the mapping function that may be in written form and brought by the user for submitting.
  • the dedicated device may have camera and/or the audio I/O facility using which the user may feed the mapping(s) to the authenticator such as orally.
  • when the candidate requests authentication, the authenticator first checks for the presence of the candidate in the database.
  • the candidate may request by sending a message (SMS) to the authenticator, or by clicking or tapping on an authenticator application installed on the device.
  • the candidate may send a candidate identification code to the authenticator as a request.
  • the candidate may send the request using a device possessed by him/her.
  • the candidate may even use the biometric trigger and send the scanned biometrics to the authenticator.
  • the device may be mobile phone, computer, laptop, tablet, ATM machine and the like computing devices.
  • after the access request is received from the candidate, the authenticator generates a media or multimedia, such as an OTP, a sequence of randomly generated variables or alphabets, audio, or images.
  • the authenticator may also generate a multimedia file.
  • the media or multimedia may be generated using techniques that are known now or developed in the future, like random number generator or a sequencer or image generator or audio generator, and the like already existing/future techniques.
  • the media or multimedia generated is sent to the device possessed by the user.
  • when the candidate receives the media or multimedia from the authenticator, the candidate modifies or transforms the media or multimedia to generate a dynamic passcode (the first passcode or the transformed media/multimedia).
  • the candidate transforms the media or multimedia based on the candidate-specific mapping (and its associated parameters), which may already have been provided/shared with the authenticator as explained above.
  • the transformed media or multimedia is computed using element-level mappings and the parameters (as discussed above) that may be a part of the pre-shared or pre-stored candidate-specific mapping function at the authenticator.
  • the dynamic passcode (the first passcode or the transformed media/multimedia) is then sent to the authenticator.
  • the authenticator is configured to generate an authenticator passcode (second passcode / transformed passcode generated by the authenticator) based on the pre-stored candidate- specific mapping and the media or multimedia generated and transmitted to the candidate earlier.
  • the authenticator may generate multiple passcodes based on the plurality of candidate-specific mappings pre-stored.
  • the authenticator may generate passcodes by first retrieving the pieces of candidate-specific mappings stored in the distributed databases to form the candidate-specific mappings; thereafter these mappings may be used for generation of the multiple passcodes.
  • the authenticator, after generation of the plurality of passcodes, matches the first passcode received from the candidate with the plurality of authenticator passcodes it generated. If at least one match is found among the mappings, the authentication of the candidate is successful; otherwise the candidate is not authenticated.
  • the present invention may be used for a number of application scenarios for strengthening security by using a dynamic passcode instead of a static passcode.
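As an added worked example, not code from the patent or its applicant, the following Python models the exchange of the method described at FIGs. 3 and 4 and in the walk-through just given: the authenticator issues media on an access request, the candidate returns a transformed first passcode, and the authenticator recombines the mapping pieces held under an anonymous identifier, derives every second passcode and matches. The digit-substitution mapping, the day-of-month parameter, the identifier anon-7f3a and the two-store layout are assumptions, since the patent leaves the concrete mapping open.

```python
"""Added example, not the patent's or the applicant's code: a toy model of the
challenge/response exchange. The candidate-specific mapping (digit substitution
plus a day-of-month offset), the anonymous identifier and the piece layout of
the distributed candidate database are constructed assumptions."""
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Mapping:
    # Element-level mapping: each digit of the media may map to another digit.
    substitution: dict
    # Associated parameter: fold the day of month into every digit or not.
    day_offset: bool


def transform(media, mapping, day):
    """Candidate side: derive the first passcode from the received media (OTP
    digits) by applying the element-level mapping and its parameter."""
    out = []
    for ch in media:
        d = mapping.substitution.get(ch, ch)
        if mapping.day_offset and d.isdigit():
            d = str((int(d) + day) % 10)
        out.append(d)
    return "".join(out)


# Candidate database modelled as two distributed stores, each holding one piece
# of every mapping under an anonymous identifier instead of the candidate's
# real identity (constructed data).
PIECE_STORES = [
    {"anon-7f3a": [{"4": "9", "7": "0"}, {"1": "5"}]},  # substitution pieces
    {"anon-7f3a": [True, False]},                        # day-offset pieces
]


def fetch_mappings(anon_id):
    """Authenticator side: pull the candidate's pieces from every store and
    recombine them into the plurality of candidate-specific mappings."""
    subs = PIECE_STORES[0][anon_id]
    flags = PIECE_STORES[1][anon_id]
    return [Mapping(s, f) for s, f in zip(subs, flags)]


class Authenticator:
    """Issues media on an access request, then matches the returned first
    passcode against every second passcode it derives for that candidate."""

    def __init__(self, digits=6):
        self.digits = digits
        self.pending = {}  # anon_id -> media still awaiting a response

    def issue_media(self, anon_id, media=None):
        # Random OTP-style media; a fixed value may be supplied for tests.
        if media is None:
            media = "".join(secrets.choice("0123456789") for _ in range(self.digits))
        self.pending[anon_id] = media
        return media

    def second_passcodes(self, anon_id, media, day):
        return [transform(media, m, day) for m in fetch_mappings(anon_id)]

    def authenticate(self, anon_id, first_passcode, day):
        # Each issued media value is usable once; it is consumed on any attempt,
        # so a replayed first passcode fails even if it was correct before.
        media = self.pending.pop(anon_id, None)
        if media is None:
            return False
        expected = self.second_passcodes(anon_id, media, day)
        # Constant-time comparison against each derived second passcode.
        return any(hmac.compare_digest(first_passcode, e) for e in expected)

    def prove_identity(self, anon_id, media, day):
        """Reverse direction (anti-phishing): the candidate presents the initial
        code and the genuine server answers with the passcode the candidate
        expects from its own mapping."""
        return self.second_passcodes(anon_id, media, day)[0]


if __name__ == "__main__":
    auth = Authenticator()
    media = auth.issue_media("anon-7f3a", "4711")
    own_mapping = Mapping({"4": "9", "7": "0"}, True)  # the candidate's copy
    first = transform(media, own_mapping, day=3)  # "2344"
    print(media, first, auth.authenticate("anon-7f3a", first, day=3))
```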
  • This system may be used in any scenario, where a server/authenticating authority can generate a one-time passcode (OTP) and make the same OTP available to the user/client side by some means such as but not limited to directly sending it to the user/client side or by synchronizing with a device on the user/client side.
  • the user may then modify the OTP and send the transformed passcode (or say, dynamic passcode) for authentication.
  • the server/authenticating authority may use this dynamic passcode, received from the user, compare it with the expected passcode, and accordingly authenticate the user.
  • the transformed passcode may be used in whole or in part along with other authenticating methods or information for enhancing the security.
  • the user or client side may be capable of obtaining the original media/multimedia from the server either by directly receiving through a communication channel or by synchronizing one's device with the server.
  • the client side may be further capable of receiving the original media/multimedia in a manner utilizable for the candidate and sending back the candidate's input (transformed media/multimedia) to the server.
  • the present invention may be used at ATM machine(s) which conveys a random passcode as communicated by the server or as generated in synchronization with the server, every time someone inserts a card into the machine.
  • the random passcode may be conveyed as in text form or in image form (displaying the CAPTCHA images with random passcode embedded within) or in audio form or other multimedia form.
  • the ATM may grant the usage rights to the user only after the user's input (dynamic passcode) matches with the second passcode generated at the server using the mapping specific to that particular user.
  • the ATM device ID and/or user's credentials may also be used as some input/seed for generating the initial random passcode generated by the server. Similar to an ATM, the proposed system can also be used at point of sales (PoS) and other similar systems.
  • the present invention may be used in scenarios where only a single band/communication channel is available (like mobile banking, ATM etc., or even in cases similar to net-banking when personal devices are not used for receiving/generating the OTP for some reason).
  • a plurality of multimedia forms are transmitted (like displaying several CAPTCHA images) to the candidate, and the candidate may randomly choose one of these multimedia forms to use as the basis for generating the dynamic passcode (or say, first passcode) using the candidate-specific mapping. The dynamic passcode is then sent to the authentication system, which compares the received passcode with the plurality of second passcodes generated using the plurality of multimedia forms transmitted and the candidate-specific mapping.
  • the candidate may have already shared some information (like some specific image) as part of the candidate-specific mapping parameters, indicating which specific multimedia of the several options given is to be used for generating the first and second passcodes, and the comparison for validating the authentication is done accordingly.
  • the present invention may be used for granting access to secure labs (or other premises/places where access to secure information is restricted to legitimate users only).
  • the access control system device displays/provides the media/multimedia to the candidate attempting to access the lab/premises, and the transformed media/multimedia is then provided by the user. Access is granted for that candidate only if the transformed passcode matches the expected passcode (computed using the original media/multimedia initially provided to the candidate and the candidate-specific mapping), and is restricted otherwise.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention relates to methods and systems for secure authentication using a dynamic passcode. In one embodiment, a candidate specifies the mapping he or she intends to use for generating the dynamic passcode by visiting the branch office and/or by using some secure communication media. During the authentication phase, according to the present invention, the candidate receives at least one media/multimedia from the authentication server. The candidate responds with a dynamic passcode generated using the candidate-specific mapping and the elements associated with the media/multimedia transmitted to the candidate. Accordingly, authentication is based on the media/multimedia transmitted, on the pre-stored candidate-specific mapping, and on the dynamic passcode received.
PCT/IB2015/057079 2014-09-15 2015-09-15 Secure authentication using a dynamic passcode WO2016042473A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
IN2646DE2014 2014-09-15
IN2646/DEL/2014 2014-09-15

Publications (1)

Publication Number Publication Date
WO2016042473A1 true WO2016042473A1 (fr) 2016-03-24

Family

ID=55521946

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IB2015/057079 WO2016042473A1 (fr) 2014-09-15 2015-09-15 Secure authentication using a dynamic passcode

Country Status (2)

Country Link
CA (1) CA2904646A1 (fr)
WO (1) WO2016042473A1 (fr)


Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20130227661A1 (en) * 2012-02-29 2013-08-29 Infosys Limited Systems and methods for generating and authenticating one time dynamic password based on context information
US8832807B1 (en) * 2010-08-05 2014-09-09 Christine E. Kuo Method and apparatus for asynchronous dynamic password


Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11317282B2 (en) 2019-12-19 2022-04-26 Bank Of America Corporation Intelligent method for sim-swap fraud detection and prevention
US20230067023A1 (en) * 2021-09-01 2023-03-02 Visa International Service Association System, method, and computer program product for dynamic passcode communication
US11790356B2 (en) * 2021-09-01 2023-10-17 Visa International Service Association System, method, and computer program product for dynamic passcode communication

Also Published As

Publication number Publication date
CA2904646A1 (fr) 2016-03-15

Similar Documents

Publication Publication Date Title
US10313881B2 (en) System and method of authentication by leveraging mobile devices for expediting user login and registration processes online
US8041954B2 (en) Method and system for providing a secure login solution using one-time passwords
US20190281028A1 (en) System and method for decentralized authentication using a distributed transaction-based state machine
US10491588B2 (en) Local and remote access apparatus and system for password storage and management
US10848304B2 (en) Public-private key pair protected password manager
US9787689B2 (en) Network authentication of multiple profile accesses from a single remote device
KR20180117715A (ko) Method and system for user authentication with improved security
WO2015188426A1 (fr) Identity authentication method, device, system, and related device
Hammood et al. A review of user authentication model for online banking system based on mobile IMEI number
US20180130056A1 (en) Method and system for transaction security
Singhal et al. Software tokens based two factor authentication scheme
Boonkrong et al. Multi-factor authentication
Pampori et al. Securely eradicating cellular dependency for e-banking applications
EP3756332B1 (fr) Automated account recovery using trusted devices
CA2611549C (fr) Method and system for providing a secure login solution using one-time passwords
Evseev et al. Two-factor authentication methods threats analysis
WO2016042473A1 (fr) Secure authentication using a dynamic passcode
US10264450B2 (en) Authentication method using ephemeral and anonymous credentials
EP2763346B1 (fr) Anti-hacking mutual authentication system in smartphone-type software tokens and in their SMS
Khan et al. Rehashing system security solutions in e-banking
Hakami et al. Secure Transaction Framework based on Encrypted One-time Password and Multi-factor
Umar An Authentication of Significant security for accessing Password through Network System
Matei-Dimitrie Multi-factor authentication. An extended overview
EP2619940A2 (fr) Authentication
JP2021093063A (ja) Information processing device, authentication system, information processing method, and authentication method

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15842808

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 15842808

Country of ref document: EP

Kind code of ref document: A1