WO2018130852A1 - Improved authentication - Google Patents
Improved authentication Download PDFInfo
- Publication number
- WO2018130852A1 WO2018130852A1 PCT/GB2018/050098 GB2018050098W WO2018130852A1 WO 2018130852 A1 WO2018130852 A1 WO 2018130852A1 GB 2018050098 W GB2018050098 W GB 2018050098W WO 2018130852 A1 WO2018130852 A1 WO 2018130852A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- data
- authentication
- format
- credential
- composite
- Prior art date
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/40—User authentication by quorum, i.e. whereby two or more security principals are required
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/32—User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/36—User authentication by graphic or iconic representation
Definitions
- This specification relates to authenticating a user. Particularly, but not exclusively, this specification relates to a method, apparatus, client device and system for authenticating a user.
- an authentication method comprising:
- the authentication method may comprise hashing the data. Hashing the data comprises performing truncation.
- the authentication method may comprise transmitting the combined data to a server for authenticating the user.
- the common format may be a string. Preferably, the common format is a text string.
- the plurality of authentication actions may include one or more of: typing keystrokes on a keyboard, selecting of one or more buttons on a display using a mouse, selecting of one or more images from a plurality of images, uploading one or more files on one or more local devices, accessing one or more online resources using URLs, selecting of one or more points on an image, drawing one or more patterns on an image, receiving a signal from one or more hardware tokens and/or mobile devices, reading one or more biometric features using one or more input devices, performing gesture recognition using an image sensor, and determining contextual information relating to the user.
- the contextual information may be at least one of the user's absolute geo-location, login history, access time, device type, software version, screen resolution, or noise level sensed by an audio sensor.
- Reading one or more biometric features may comprise performing a retinal scan.
- Reading one or more biometric features may comprise reading a finger print. Reading one or more biometric features may comprise performing facial recognition. Reading one or more biometric features may comprise performing voice recognition. Reading one or more biometric features comprises measuring keystroke dynamics.
- the authentication method may comprise validating the plurality of authentication actions.
- This specification provides, according to a second aspect, apparatus configured to carry out the method of the first aspect.
- This specification provides, according to a third aspect, computer-readable instructions which, when executed by computing apparatus, cause the computing apparatus to perform the method of the first aspect.
- This specification provides, according to a fourth aspect, a method of generating a composite credential comprising:
- the data comprises first data in a first format, derived from a first authentication action and second data in a second format, derived from a second authentication action, the first format being different to the second format;
- converting at least one of the first and second data into a common format converting at least one of the first and second data into a common format; generating a composite credential, wherein generating the composite credential comprises combining data in said common format to provide combined data for use in authentication.
- the method of generating a composite credential may comprise hashing the combined data.
- Hashing the combined data may comprise performing data truncation on the combined data.
- the method of generating a composite credential may comprise transmitting the combined data to a server for storage.
- the common format may be a string.
- the common format is a textual string.
- the plurality of authentication actions may include one or more of: typing keystrokes on a keyboard, selecting of one or more buttons on a display using a mouse, selecting of one or more images from a plurality of images, uploading one or more files on one or more local devices, accessing one or more online resources using URLs, receiving selection of one or more points on an image, drawing one or more patterns on an image, receiving a signal from one or more hardware tokens and/ or mobile devices, reading one or more biometric features using one or more input devices, performing gesture recognition using an image sensor, and determining contextual information relating to the user.
- the contextual information may be at least one of the user's absolute geo-location, login history, access time, device type, software version, screen resolution, or noise level sensed by an audio sensor.
- Reading one or more biometric features may comprise performing a retinal scan.
- Reading one or more biometric features may comprise reading a finger print. Reading one or more biometric features may comprise performing facial recognition. Reading one or more biometric features may comprise performing voice recognition. Reading one or more biometric features may comprise measuring keystroke dynamics.
- the method of generating a composite credential may comprise validating the plurality of authentication actions. The method of generating a composite credential may comprise authenticating the user.
- This specification provides, according to a fifth aspect, apparatus configured to carry out the method of the fourth aspect.
- This specification provides, according to a sixth aspect, computer-readable instructions which, when executed by computing apparatus, cause the computing apparatus to perform the method of the fourth aspect.
- This specification provides, according to a seventh aspect, a method comprising:
- the data comprises first data in a first format, derived from a first authentication action and second data in a second format, derived from a second authentication action, the first format being different to the second format;
- an apparatus comprising: one or more input devices, wherein said one or more input devices are configured to generate data derived from a plurality of authentication actions, wherein the data comprises first data in a first format, derived from a first authentication action and second data in a second format, derived from a second authentication action, the first format being different to the second format; and
- a processor configured to:
- the apparatus may further comprise a storage device for storing the stored composite credential.
- the processor may further be configured to hash the combined data. Hashing the combined data may comprise truncating the combined data.
- the processor may be configured to determine contextual information relating to the user in response to a first authentication action being received.
- a client device comprising:
- said one or more input devices are configured to generate data derived from a plurality of different authentication actions, wherein the data comprises first data in a first format, derived from a first
- a processor configured to:
- a transmitter for transmitting the combined data to a server for authenticating the user
- a receiver for receiving a message indicating whether the user is authenticated.
- the client device may be an automatic teller machine.
- This specification provides, according to a tenth aspect, a system for
- a client device comprising:
- said one or more input devices are configured to generate data derived from a plurality of different authentication actions, wherein the data comprises first data in a first format, derived from a first
- a first processor configured to:
- a server comprising:
- a storage device for storing a composite credential
- a second processor for authenticating the user using the combined data and the stored composite credential.
- the second processor may be configured to compare the combined data with the stored composite credential and generate a message indicating whether the user is
- the client device may comprise:
- a transmitter for transmitting the combined data to the server; and a receiver for receiving the message indicating whether the user is authenticated;
- the server may comprise:
- a transmitter for transmitting the message indicating whether the user is authenticated.
- the first processor may be further configured to hash the combined data. Hashing the combined data may comprise truncating the combined data.
- the second processor may be configured to hash the combined data and the stored composite credential may comprise a hash.
- the first and/or second processor may be configured to validate the plurality of authentication actions.
- the client device may be an automatic teller machine.
- Figure ⁇ is a system diagram of a mobile device according to embodiments of the present invention.
- FIG. 2 is a system diagram if a server according to embodiments of the present invention.
- Figure 3 is a schematic diagram of a system for authenticating a user according to embodiments of the present invention.
- FIGS. 4a and 4b show an example of a graphical user interface (GUI) for accessing an account according to embodiments of the present invention.
- GUI graphical user interface
- Figure 5 is a flowchart illustrating a method of authenticating a user according to embodiments of the present invention.
- composite credentials are generated from a plurality of authentication actions which easily recalled by the user.
- These composite credentials are highly secure, and in preferred embodiments comprise textual strings so as to be compatible with known password-based systems.
- FIG. 1 shows a client device 100, which according to the one embodiment is a mobile device.
- client devices include laptop and tablet computers, automatic teller machines (ATMs), desktop computers, television sets and electronic keypads for use with physical security systems such as doors.
- ATMs automatic teller machines
- a client device loo is any electronic device that requires user authentication in order to access to content.
- the content may be content contained on the electronic device itself, physical content such as a vault, or external content.
- External content is, for example, a secure webpage on a server.
- the mobile device 100 has a processor 102, a touch sensitive display 112 comprised of a display part 116 and a tactile interface part 114, hardware keys (not shown), a memory 106, an input interface 103 (wired, serial or parallel), a power source 118 and an interface 104 for transmitting and receiving data.
- the processor 102 is connected to each of the other components in order to control operation thereof.
- the touch sensitive display 112 is optional, and as an alternative a non-touch display may be used with the hardware keys (not shown) and/or a mouse peripheral used to control the mobile device 100 by suitable means.
- the interface 104 according to this embodiment is a wireless interface, however, according to other embodiments the interface 104 is a wired interface.
- the wireless interface may operate using any known communication standard, such as LTE, Wi-Fi or 3G.
- the interface 104 is necessary for transmitting credentials to a server and receiving an authentication message from the server. However, where the
- the interface 104 is not necessary.
- the input interface 103 is for receiving one of a plurality of authentication actions. Where two or more chosen authentication actions can be received by the touch sensitive display 112 or mouse peripheral, the input interface 103 is not necessary. Conversely, in some embodiments there are a plurality of different input interfaces 103.
- the input interface 103 may be an image sensor for receiving a retinal scan, palm print or finger print copy, or recognising a gesture.
- the input interface 103 may be a microphone and speech recognition interface allowing voice input.
- the input interface 103 may also be a photoplethysmogram (PPG) reader for measuring a user's unique heartrate variability features, GPS locator for determining the user's location.
- PPG photoplethysmogram
- the input interface 103 may be a keyboard or mouse or receiving a line drawing or click selection.
- the input interface 103 may be an RF ID reader, wireless receiver, or hardware token receiver (for example, a bank card reader).
- the memory 106 may be a non-volatile memory such as read only memory (ROM) a hard disk drive (HDD) or a solid state drive (SSD).
- the memory 106 stores, amongst other things, an operating system 108 and client software application 110.
- the memory 106 further includes random access memory (RAM), used by the processor 102 for the temporary storage of data.
- the operating system 108 may contain code which, when executed by the processor 102 in conjunction with the RAM, controls operation of each of the hardware components of the mobile device 100.
- the memory 106 includes a database of stored images. In embodiments where one of the authentication actions includes the selection of an audio clip, the memory 106 includes a database of stored audio clips. In further embodiments, the images are stored on a server instead.
- the memory 106 includes a database for storing a composite credential.
- the processor 102 may take any suitable form. For instance, it may be a
- the processor 102 includes circuitry.
- the power source 118 is a secondary battery.
- the client device is a fixed device such as a computer or electronic door lock
- the power source is a mains power supply.
- the client software 110 is configured to generate data for use in authenticating a user.
- the data is a composite of the output of a plurality of authentication actions, where each output is converted into a common format.
- the data is transmitted to a server prior to combination. Further details of the processes performed by the client software 110 will be described with reference to Figure 3.
- FIG. 2 shows a server 200 for use as part of a system for authenticating a user.
- the system also includes the client device 100 described with reference to Figure 1.
- the server 200 has a processor 202, a memory 206, a power source 218 and an interface 204 for transmitting and receiving data.
- the interface 204 according to this embodiment is a wireless interface, however, according to other embodiments the interface 204 is a wired interface.
- the wireless interface may operate using any known communication standard, such as LTE, Wi-Fi or 3G. Where the interface 204 is a wired interface, the interface maybe an Ethernet interface.
- the data may be received via a network such as the Internet.
- the interface 204 is for receiving credentials from a client device 100 and transmitting a message indicating whether the user is authenticated to the client device 100.
- the memory 206 may be a non-volatile memory such as read only memory (ROM) a hard disk drive (HDD) or a solid state drive (SSD).
- the memory 206 stores, amongst other things, an operating system 208 and a server software application 210.
- the memory 206 further includes random access memory (RAM), used by the processor 202 for the temporary storage of data.
- the operating system 208 may contain code which, when executed by the processor 202 in conjunction with the RAM, controls operation of each of the hardware components of the server 200.
- the memory 206 includes a database of stored images.
- the memory 106 on the client device 100 includes a database of stored images instead.
- the server software 210 is configured to authenticate a user using data received from a client device 100.
- the data is a composite of the output of a plurality of authentication actions.
- the data is a plurality of data, each in a different format relating to a specific
- the server software 210 converts the plurality of data into a common format and combines the data in the combined format into combined data. The combined data can then be compared with a stored composite credential in order to authenticate the user. As an additional step, the server 200 may hash the combined data prior to performing the comparison. Further details of the processes performed by the server software 210 will be described with reference to Figure 3.
- the processor 202 may take any suitable form. For instance, it may be a
- the controller includes circuitry.
- the power source 218 according to a preferred embodiment is a mains power supply.
- Figure 3 shows a schematic diagram of an architecture for authenticating a user.
- the architecture is distributed, whereby some aspects are features of a client device 100 and other aspects are features of a server 200.
- the features of the present invention can be distributed in a number of different ways.
- the aspects can be located on the client device 100 or the server 200 depending on the application.
- all aspects are features of the client device 100.
- the aspects may be implemented as hardware or software.
- the database 230 stores a composite credential generated and set by the user as part of a registration process. The registration process will be described with reference to Figure 5.
- the database 230 is stored in the memory 206 of the server 200.
- the baseline components 124, 242, 232 support known password-entry routines.
- the baseline components 124, 242, 232 are independent of modular components 122, 120, 220, 234.
- the baseline components include a baseline editor 124, baseline module 240 having input parameters 250, and baseline data 232 stored in the database 230.
- the baseline data 232 is a stored textual password. In some embodiments, the stored textual password is a hashed textual password.
- the baseline editor 124 can enter a textual password which can be transmitted to the baseline module 242 in the server 200.
- the baseline module 242 performs password verification or/ and hashing.
- the baseline module 242 performs password verification using stored parameters 250. These parameters 250 are updatable by the server 200 operator. For example, the parameters 250 indicate the password must be of a particular length or contain particular characters.
- the entered password can be compared with a stored password in the baseline data 232. This means that the user can continue to use their normal textual password while the system of the present invention is installed on their device.
- the baseline editor 124 is a feature of the client software 110 operating on the client device 100.
- the baseline editor 124 comprises a means for receiving a password, such as a text entry box.
- the baseline module 240 is shown as being a feature of the server software 210 operating on the server 200. However, according to other embodiments, the baseline module 240 is a feature of the client software 110 operating on the client device 100.
- the modular components 122, 120, 220, 234 support advanced credential-entry routines, including the use of multiple authentication actions in the same
- the modular components include a policy controller 122, a plurality of front-end modules i2oa-c, a plurality of back-end modules 220a, 220b, 220c, and additional data 234.
- the front-end modules i2oa-c are features of the client software 110 operating on the client device 100. They are independent, reusable and expandable building blocks of data or interface.
- the front-end modules i2oa-c are plugins to the baseline editor 124 which interact with users to generate a new authentication feature.
- Some front-end modules 120a, 120b have a module counterpart 220a, 220b at the server-side. This is most likely to be the case when establishing a database 230 connection is required.
- the communication between the front-end modules i2oa-c and back-end modules 220a, 220b results in creation of new data or retrieving data from the database 230.
- some other back-end modules 220c which do not communicate with the front-end modules i2oa-c work as support to the other back-end modules 220a, 220b.
- the back-end modules 22oa-c make use of the additional data 234 to enable additional authentication actions.
- the front-end modules i2oa-c can be simple or compound.
- a simple module allows the user to perform one authentication action.
- a compound module binds multiple different modules, which share similar features (e.g. hybrid graphical passwords). For usability purposes, the compound module would provide one interface for performing multiple authentication actions.
- front-end modules i2oa-c are associated with input interfaces 103 or the touch sensitive display 112.
- an input interface 103 may include an image sensor.
- one module 120a may be configured to read a facial image using the image sensor and perform key generation based on robust facial features, where the generated key will be further converted to a common format for being combined with at least one other authentication actions facial recognition.
- the front-end module 120a may convert the received facial image from an array of pixels to a textual string based on further information about the user's face stored on the database 230, working together with a back-end module 220a.
- modules I20a-c include modules for: performing an iris scan; measuring keystroke dynamics; performing voice recognition; reading a finger print; typing keystrokes on a keyboard to create a textual password (for example, a Rich Text Format textual password); clicking one or more buttons on a display using a mouse; selecting of one or more images from a plurality of images; uploading one or more files on one or more local devices; accessing one or more online resources using URLs; selecting of one or more points on an image; drawing one or more patterns on an image; receiving a signal such as an authorisation code or RF ID through a wired or wireless interface from one or more hardware tokens and/or mobile devices; and performing gestures (for example, a hand movement).
- a signal such as an authorisation code or RF ID through a wired or wireless interface from one or more hardware tokens and/or mobile devices
- performing gestures for example, a hand movement
- the authentication actions will be a number of drawing actions (pen down, pen move, and pen up), where the drawing pen can be the user's finger on a touch screen 112.
- the converted data can be a textual presentation of different strokes the user draws (a number of coordinates and separators marking the end of a stroke and the start of a new stoke), encoded following any textual format e.g.
- PassPoints (Wiedenbeck et al. 2005: http://dx.doi.0rg/10.1016/j.ijhcs.2005.04.010): This is a graphical password system where the user clicks a number of points on an image as the "password” to prove his identity. Here the authentication actions will be a number of clicks on an image. Based on a technique called centralized discretization (Chiasson et al. 2008:
- PassPoints can be seen as a special edition of DAS thus the actions can be converted into a textual string in the same way as how this is done for DAS.
- the centralized discretization technique will require additional data 234 to be created in the database 230, which means a back-end module 220a will be required.
- PassFaces http://www.passfaces.com/: This is a commercial graphical password system where the user remembers a number of facial images as the "password" (i.e. credential) and then selects each of such images in a number of decoy images to prove his identity.
- the authentication actions are a number of selection choices the user makes.
- the actions can be converted to a textual string by creating a list of the filenames of the selected images ranked following a particular order e.g. "imagei, image6, imageioo, image2ii, image876".
- PassFaces will require a back-end module 220a as it needs to read pass-images and decoy ones out of a database.
- Action based passwords One can define a number of actions (e.g. gestures to show in front of a webcam) as the "password" (i.e. credential) to prove his identity. Such actions can be converted into a textual string by giving each action a textual name and then simply listing all sequential actions one after the other.
- actions e.g. gestures to show in front of a webcam
- password i.e. credential
- authentication action is the selection of an object.
- a unique name to each possible object (e.g. an URL or DOI)
- the action can be converted into a textual string (the name itself).
- the name is binary
- Pass-Region (Li et al. 2011, unpublished): This is a user authentication scheme where the user selects a region of a given coordinate system as the "password" (i.e. credential) to prove his identity. Examples include a region on a world map, a 3-D world or a complex number plane or part of a multimedia file (e.g. a segment of an audio file, a region of a frame of a video file).
- the authentication action will be to show a smaller region than the pass-region to demonstrate knowledge of the pass-region.
- Such an action can be converted to a textual string by defining an encoding scheme of the coordinates of the pass-region e.g. using the textual presentations of the upper-left and bottom-right corners' coordinates.
- Hardware token that has a private key for digital signature When a hardware token is used for user authentication, one way is to let the user to sign a (often dynamic) message using the hardware token. In this case the authentication action is the use of a specific hardware token for a specific operation. Such an action can be used to sign a fixed message and/or part of the combined data, and then produce a textual presentation of the digital signature using an encoding scheme such as base64.
- the hardware token may also be a mobile device and the communication between the mobile device and the client device (if not the mobile device itself) can be done via a wired (e.g. USB) or wireless (e.g. Bluetooth or NFC) or optical (e.g. QR-code) channel.
- biometric key generation can allow the production of a binary key out of a biometric template. By further converting the binary key into a textual format using a scheme like base64, the authentication action of presenting one or more biometric features to a system can be converted to the common format required. This can allow multiple-modal biometric systems to be implemented in a compound module with several sub-modules.
- Any contextual information used for authentication In some systems the user may want to limit the authentication to be done only when some contextual requirements are met e.g. if the user is physically at a geo-location. Other examples of the contextual information include the user's login history, access time, device type, software version, screen resolution, or noise level sensed by an audio sensor.
- the authentication action is to add the required contextual information (normally from a sensor) to the system.
- the action can be converted into a textual string by following an encoding scheme of the contextual information e.g. for geo-locations it can be the textual presentation of the longitude followed by a comma and the textual presentation of the latitude.
- the associated front-end modules i2oa-c convert the output of each respective authentication action into a common data format.
- the front-end modules i2oa-c convert the output of respective authentication actions to ASCII code (or other language codes) such that the resulting textual credential is backwards-compatible with current textual password systems.
- the outputs are converted into a two-dimensional array of values.
- the outputs are converted to graphical characters.
- the outputs are converted to sign language or spoken languages.
- the processor 102 then combines the data in the common format to create a single password for insertion into the baseline editor 124.
- the combined data is a single string of text.
- the combined data is, for example, an array of values, a string of hexadecimal values, or a string of machine code.
- the processor 102 combines the data by appending data derived from a first-performed authentication action to data derived from a second- performed authentication action. In this way, the order in which authentication actions are performed is in itself a component of the composite credential to be checked as part of the authentication method. According to alternative, less preferred, embodiments, the order in which authentication actions are carried out is independent of the authentication.
- a module refers to computer logic utilised to provide specified functionality.
- a module can be implemented in hardware, firmware and/or software controlling a processor.
- the modules are program files stored on a storage device, loaded into memory and executed by a processor, or can be provided from computer program products, for example computer executable instructions, that are stored in a tangible computer-readable storage medium such as RAM, hard disk, or optical or magnetic media.
- a tangible computer-readable storage medium such as RAM, hard disk, or optical or magnetic media.
- embodiments of the directions system can have different or other modules to the ones described herein, with the described functionalities distributed amongst the modules in a different manner.
- the policy controller 122 is responsible for ensuring restrictions on the authentication actions which are selected and consequently conducted by users for the purpose of registering a composite credential.
- the policy controller 122 is shown in the present embodiment located on the client device 100. However, according to other embodiments the policy controller 122 is located on the server 200. In other embodiments, the policy controller may be split between the client 122 and the server 200. In these embodiments involving the server side, further communication is necessary between the server 200 and the client device 100. Therefore, it is advantageous for the policy controller 122 to be located on the client device 100. However, policies should be defined at the server 200. Nevertheless, both baseline and modular components can operate together easily to allow a hybrid policy across different authentication actions e.g.
- the architecture further includes a post-processor (not shown in Figure 3).
- the postprocessor is located between the baseline editor 124 and the baseline module 240.
- the post-processor is located either or both on the server-side 200 or client device side 100 of the architecture.
- the post-processor is used to post-process the generated combined (or, in other words, composite) credential for different purposes e.g. reducing the length of the combined credential to N characters so that the server 200 can accept it or to circumvent constraints of the underlying communication protocols or software (e.g. maximum length of URL allowed). This can be achieved through a hashing function which includes data compression combined with truncation.
- a hash function is any function that can be used to map data of arbitrary size to data of fixed size.
- the post-processor according to some embodiments is configured to automatically add contextual information not provided by users.
- the adding of contextual information is a further example of an authentication action.
- the contextual information is converted to the same format as the credentials of other selected authentication actions and combined with the credentials in the common format to form a composite credential.
- FIG 4a shows an example of a graphical user interface (GUI) for accessing an account according to embodiments of the present invention.
- GUI graphical user interface
- the GUI is the screen associated with the baseline editor 124.
- the GUI allows a user to enter their username and email address, and a plurality of authentication actions to form a composite credential.
- the plurality of authentication actions are performed using a toolbar 126.
- the toolbar 126 is a JavaScript toolbar, but the skilled person would appreciate that this is just one of many appropriate programming languages.
- the toolbar 126 provides icons allowing the user to select GUIs associated with a plurality of front-end modules i2oa-c.
- the first front-end module 120a is used for receiving and editing text in Rich Text Format (RTF).
- RTF Rich Text Format
- the second front-end module 120b is for allowing a user to select an image.
- the third front-end module 120c is for allowing the user to enter a mathematical equation.
- a fourth front-end module i2od allows the user to edit the combined data directly. Further front-end modules can be incorporated into the toolbar 126 as appropriate. The user may choose to use any of the available authentication actions and in any order.
- Figure 4b shows an example of a GUI displayed if the user selects the second front-end module 120b. Here, the user is able to select one from a plurality of images stored on the client device 100 or on the internet. Once an image is selected, the second front- end module 120b converts the image to a textual string and automatically enters provides the textual string to the baseline editor 124. The GUI then returns to the GUI for accessing an account.
- a pictorial representation of the selected image is displayed in the credential field of the GUI for accessing an account.
- the user is then able to select a second authentication action and the output of which will be converted to text and appended to the text associated with the already-selected image.
- Step S601 a first authentication action is received by the client device 100.
- the authentication action is associated with an input interface 103, such as a card reader or fingerprint scanner.
- a front-end module I20a-c derives data from the authentication action in step S602. The data is in a format unique to that
- step S603 the policy controller 122 validates the first authentication action. In other words, the policy controller 122 ensures the appropriate rules have been followed for the selected authentication action. This step is carried out as part of the registration process, but is skipped as part of the authentication process (i.e. if a composite credential is already stored).
- step S604 the respective front-end module i2oa-c converts the data associated with the first authentication action into a textual string.
- step S605 a second authentication action, of a different type to the first
- a front-end module i2oa-c specific to the second authentication action derives data from the second authentication action in step S606. For example, if the first authentication action is a selection of an image from storage 106 on the client device 100, the second authentication action is the performing of a retinal scan.
- step S607 the policy controller 122 validates the second authentication action similarly to as in step S603. This step is carried out as part of the registration process, but is skipped as part of the authentication process (i.e. if a composite credential is already stored).
- step S608 the respective front-end module i2oa-c converts the data derived from the second authentication action to a textual string. According to other embodiments, one of step S604 and step S608 is not performed, and the performed one of steps S604 and S608 converts the data derived from the respective first authentication action or second authentication action to the same format as the other data.
- the data derived from the first authentication action and the data derived from the second authentication action are converted to be in the same common format, but it is not essential what the format is.
- the common format is an array of values, a hexadecimal string, or a string of graphical characters.
- the policy controller 122 polices hybrid policies.
- step S609 the processor 102 combines the converted data derived from the first authentication action and converted data derived from the second authentication action.
- this combination comprises a concatenation or appendage process.
- a single long textual string password i.e. a composite credential
- the combined textual string is compressed using a post-processer before it is transmitted to a server 200.
- the post-processing comprises hashing for reducing the size of the transmitted data. This is ensures compatibility with servers operating known password-based systems that can process and compare only 60 byte strings.
- the hashing step is a further hashing step to that typically carried out on a server 200 to increase security in known authentication systems.
- step S611 if the composite credential is being generated for the first time (e.g. for account registration), step S611 is performed.
- the composite credential is stored.
- the composite credential is stored in the database 230 of the server 200.
- the server 200 hashes the stored composite credential.
- the composite credential is stored in the memory 106 of the client device 100.
- the process then returns to step S601 such that the user can perform authentication actions in order to access the content for which they have just registered a composite credential.
- Step S612 is performed instead.
- Step S612 is performed on the server 200 when the server 200 is present in the system, otherwise, the client device 100 performs step S611.
- the user is authenticated. In one embodiment, this is achieved by comparting the compressed combined textual string with the stored composite credential. If they match, then the user is authenticated. If the server 200 performs the authentication, the server generates and transmits a message to the client device 100 indicating that the user has been authenticated. The user is then able to login to their account or access the desired content.
- steps S601 to S611 are performed even if a composite credential is already stored.
- Embodiments of the present disclosure may be implemented in software, hardware, application logic or a combination of software, hardware and application logic, or instructions for a human to execute.
- the software, application logic and/or hardware may reside on memory, or any computer media.
- the application logic, software or an instruction set is maintained on any one of various conventional computer-readable media.
- a "computer- readable medium" may be any media or means that can contain, store, communicate, propagate or transport the instructions for use by or in connection with an instruction execution system, apparatus, or device, such as a computer.
- a computer-readable medium may comprise a computer-readable storage medium that may be any tangible media or means that can contain or store the instructions for use by or in connection with an instruction execution system, apparatus, or device, such as a computer as defined previously.
- the computer program may be implemented in a computer program product comprising a tangible computer-readable medium bearing computer program code embodied therein which can be used with a controller for the implementation of the functions described above.
- Reference to "computer-readable storage medium”, “computer program product”, “tangibly embodied computer program” etc., or a “controller” or “processing circuit” etc. should be understood to encompass not only computers having differing architectures such as single/multi controller architectures and sequencers/parallel architectures, but also specialised circuits such as field programmable gate arrays FPGA, application specify circuits ASIC, signal processing devices and other devices.
- References to computer program, instructions, code etc. should be understood to express software for a programmable controller firmware such as the programmable content of a hardware device as instructions for a controller or configured or configuration settings for a fixed function device, gate array, programmable logic device, etc.
- Such "computer-readable storage medium” may mean a non-transitory computer-readable storage medium which may comprise RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage, or other magnetic storage devices, flash memory, or any other medium that can be used to store desired program code in the form of instructions or data structures and that can be accessed by a computer.
- An exemplary non-transitory computer-readable storage medium is an optical storage disk such as a CD.
- any connection is properly termed a "computer-readable medium”.
- Disk and disc include compact disc (CD), laser disc, optical disc, digital versatile disc (DVD), floppy disk and Blu-ray disc, where disks usually reproduce data magnetically, while discs reproduce data optically with lasers. Combinations of the above should also be included within the scope of "computer- readable medium”.
- controllers such as one or more digital signal controllers (DSPs), general purpose microcontrollers, application specific integrated circuits (ASICs), field programmable logic arrays (FPGAs), or other equivalent integrated or discrete logic circuitry.
- DSPs digital signal controllers
- ASICs application specific integrated circuits
- FPGAs field programmable logic arrays
- controllers may refer to any of the foregoing structure or any other structure suitable for implementation of the techniques described herein.
- the functionality described herein may be provided within dedicated hardware and/or software modules. Also, the techniques could be fully implemented in one or more circuits or logic elements.
- the different steps discussed herein may be performed in a different order and/ or concurrently with each other. Furthermore, if desired, one or more of the above-described steps may be optional or may be combined.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Collating Specific Patterns (AREA)
Abstract
The present invention provides an authentication method. The authentication method comprises: generating data derived from a plurality of different authentication actions. The data comprises first data in a first format, derived from a first authentication action and second data in a second format, derived from a second authentication action. The first format is different to the second format. The method further includes converting at least one of the first and second data into a common format, combining data in said common format to provide combined data for use in authentication, and authenticating the user using the combined data. The present invention also provides a method for generating composite credential, and a client device, an apparatus and a system for authenticating a user.
Description
Improved Authentication
Field
This specification relates to authenticating a user. Particularly, but not exclusively, this specification relates to a method, apparatus, client device and system for authenticating a user.
Background
Due to hacking becoming more sophisticated, it has become necessary to improve upon current user authentication systems, which include textual password-based
authentication systems. One solution is to increase the length and complexity of a password, but these long and complex passwords prove difficult for users to remember. Moreover, users are inclined to use words and phrases that are relatively
straightforward or closely related to their lives, and so are easy for hackers to guess. Therefore, there is a need for highly secure passwords that are still easy for users to recall and compatible with servers operating current authentication systems.
The invention is made in this context. Summary
This specification provides, according to a first aspect, an authentication method comprising:
generating data derived from a plurality of different authentication actions, wherein the data comprises first data in a first format, derived from a first
authentication action and second data in a second format, derived from a second authentication action, the first format being different to the second format,
converting at least one of the first and second data into a common format; combining data in said common format to provide combined data for use in authentication; and
authenticating the user using the combined data.
The authentication method may comprise hashing the data. Hashing the data comprises performing truncation. The authentication method may comprise transmitting the combined data to a server for authenticating the user.
The common format may be a string. Preferably, the common format is a text string.
The plurality of authentication actions may include one or more of: typing keystrokes on a keyboard, selecting of one or more buttons on a display using a mouse, selecting of one or more images from a plurality of images, uploading one or more files on one or more local devices, accessing one or more online resources using URLs, selecting of one or more points on an image, drawing one or more patterns on an image, receiving a signal from one or more hardware tokens and/or mobile devices, reading one or more biometric features using one or more input devices, performing gesture recognition using an image sensor, and determining contextual information relating to the user.
The contextual information may be at least one of the user's absolute geo-location, login history, access time, device type, software version, screen resolution, or noise level sensed by an audio sensor.
Reading one or more biometric features may comprise performing a retinal scan.
Reading one or more biometric features may comprise reading a finger print. Reading one or more biometric features may comprise performing facial recognition. Reading one or more biometric features may comprise performing voice recognition. Reading one or more biometric features comprises measuring keystroke dynamics.
The authentication method may comprise validating the plurality of authentication actions.
This specification provides, according to a second aspect, apparatus configured to carry out the method of the first aspect.
This specification provides, according to a third aspect, computer-readable instructions which, when executed by computing apparatus, cause the computing apparatus to perform the method of the first aspect.
This specification provides, according to a fourth aspect, a method of generating a composite credential comprising:
generating data derived from a plurality of different authentication actions, wherein the data comprises first data in a first format, derived from a first
authentication action and second data in a second format, derived from a second authentication action, the first format being different to the second format;
converting at least one of the first and second data into a common format; generating a composite credential, wherein generating the composite credential comprises combining data in said common format to provide combined data for use in authentication.
The method of generating a composite credential may comprise hashing the combined data. Hashing the combined data may comprise performing data truncation on the combined data.
The method of generating a composite credential may comprise transmitting the combined data to a server for storage.
The common format may be a string. Preferably, the common format is a textual string.
The plurality of authentication actions may include one or more of: typing keystrokes on a keyboard, selecting of one or more buttons on a display using a mouse, selecting of one or more images from a plurality of images, uploading one or more files on one or more local devices, accessing one or more online resources using URLs, receiving selection of one or more points on an image, drawing one or more patterns on an image, receiving a signal from one or more hardware tokens and/ or mobile devices, reading one or more biometric features using one or more input devices, performing gesture recognition using an image sensor, and determining contextual information relating to the user.
The contextual information may be at least one of the user's absolute geo-location, login history, access time, device type, software version, screen resolution, or noise level sensed by an audio sensor.
Reading one or more biometric features may comprise performing a retinal scan.
Reading one or more biometric features may comprise reading a finger print. Reading one or more biometric features may comprise performing facial recognition. Reading one or more biometric features may comprise performing voice recognition. Reading one or more biometric features may comprise measuring keystroke dynamics.
The method of generating a composite credential may comprise validating the plurality of authentication actions. The method of generating a composite credential may comprise authenticating the user.
This specification provides, according to a fifth aspect, apparatus configured to carry out the method of the fourth aspect.
This specification provides, according to a sixth aspect, computer-readable instructions which, when executed by computing apparatus, cause the computing apparatus to perform the method of the fourth aspect. This specification provides, according to a seventh aspect, a method comprising:
generating data derived from a plurality of authentication actions, wherein the data comprises first data in a first format, derived from a first authentication action and second data in a second format, derived from a second authentication action, the first format being different to the second format;
converting at least one of the first and second data into a common format; combining data in said common format to provide combined data for use in authentication;
transmitting the combined data; and
receiving a message indicating whether the user is authenticated.
This specification provides, according to an eighth aspect, an apparatus comprising: one or more input devices, wherein said one or more input devices are configured to generate data derived from a plurality of authentication actions, wherein the data comprises first data in a first format, derived from a first authentication action and second data in a second format, derived from a second authentication action, the first format being different to the second format; and
a processor configured to:
convert at least one of the first and second data into a common format; combine data in said common format to provide combined data for use in authentication; and
authenticate the user using the combined data and a stored credential.
The apparatus may further comprise a storage device for storing the stored composite credential. The processor may further be configured to hash the combined data. Hashing the combined data may comprise truncating the combined data.
The processor may be configured to determine contextual information relating to the user in response to a first authentication action being received.
This specification provides, according to a ninth aspect, a client device, the client device comprising:
one or more input devices, wherein said one or more input devices are configured to generate data derived from a plurality of different authentication actions, wherein the data comprises first data in a first format, derived from a first
authentication action and second data in a second format, derived from a second authentication action, the first format being different to the second format;
a processor configured to:
convert at least one of the first and second data into a common format; and
combine data in said common format to provide combined data for use in authentication;
a transmitter for transmitting the combined data to a server for authenticating the user; and
a receiver for receiving a message indicating whether the user is authenticated.
The client device may be an automatic teller machine.
This specification provides, according to a tenth aspect, a system for
authenticating a user, the system comprising:
a client device comprising:
one or more input devices, wherein said one or more input devices are configured to generate data derived from a plurality of different authentication actions, wherein the data comprises first data in a first format, derived from a first
authentication action and second data in a second format, derived from a second authentication action, the first format being different to the second format;
a first processor configured to:
convert at least one of the first and second data into a common format; and
combine data in said common format to provide combined data for use in authentication; and
a server comprising:
a storage device for storing a composite credential; and
a second processor for authenticating the user using the combined data and the stored composite credential.
The second processor may be configured to compare the combined data with the stored composite credential and generate a message indicating whether the user is
authenticated based on the comparison, and wherein
the client device may comprise:
a transmitter for transmitting the combined data to the server; and a receiver for receiving the message indicating whether the user is authenticated; and
the server may comprise:
a receiver for receiving the combined data; and
a transmitter for transmitting the message indicating whether the user is authenticated.
The first processor may be further configured to hash the combined data. Hashing the combined data may comprise truncating the combined data.
The second processor may be configured to hash the combined data and the stored composite credential may comprise a hash.
The first and/or second processor may be configured to validate the plurality of authentication actions.
The client device may be an automatic teller machine.
All features described herein (including any accompanying claims, abstract and drawings), and/ or all of the steps of any method or process so disclosed, may be
combined with any of the above aspects in any combination, except combinations where at least some of such features and/ or steps are mutually exclusive.
Brief Description of the Figures
Embodiments will now be described, by way of non-limiting examples, with reference to the accompanying drawings, in which:
Figure ι is a system diagram of a mobile device according to embodiments of the present invention;
Figure 2 is a system diagram if a server according to embodiments of the present invention;
Figure 3 is a schematic diagram of a system for authenticating a user according to embodiments of the present invention;
Figures 4a and 4b show an example of a graphical user interface (GUI) for accessing an account according to embodiments of the present invention; and
Figure 5 is a flowchart illustrating a method of authenticating a user according to embodiments of the present invention.
Detailed Description of Embodiments
In the following detailed description, only certain exemplary embodiments of the present invention have been shown and described, simply by way of illustration. As those skilled in the art would realize, the described embodiments may be modified in various different ways, all without departing from the scope of the present invention. Accordingly, the drawings and description are to be regarded as illustrative in nature and not restrictive. Like reference numerals designate like elements throughout the specification.
The following disclosure is made in the context of authenticating a user.
Advantageously, composite credentials are generated from a plurality of authentication actions which easily recalled by the user. These composite credentials are highly secure, and in preferred embodiments comprise textual strings so as to be compatible with known password-based systems.
Figure 1 shows a client device 100, which according to the one embodiment is a mobile device. Further examples of client devices include laptop and tablet computers, automatic teller machines (ATMs), desktop computers, television sets and electronic keypads for use with physical security systems such as doors. In effect, a client device
loo is any electronic device that requires user authentication in order to access to content. The content may be content contained on the electronic device itself, physical content such as a vault, or external content. External content is, for example, a secure webpage on a server.
The mobile device 100 has a processor 102, a touch sensitive display 112 comprised of a display part 116 and a tactile interface part 114, hardware keys (not shown), a memory 106, an input interface 103 (wired, serial or parallel), a power source 118 and an interface 104 for transmitting and receiving data. The processor 102 is connected to each of the other components in order to control operation thereof. The touch sensitive display 112 is optional, and as an alternative a non-touch display may be used with the hardware keys (not shown) and/or a mouse peripheral used to control the mobile device 100 by suitable means. The interface 104 according to this embodiment is a wireless interface, however, according to other embodiments the interface 104 is a wired interface. The wireless interface may operate using any known communication standard, such as LTE, Wi-Fi or 3G. The interface 104 is necessary for transmitting credentials to a server and receiving an authentication message from the server. However, where the
authentication takes place on the mobile device 100, the interface 104 is not necessary.
The input interface 103 is for receiving one of a plurality of authentication actions. Where two or more chosen authentication actions can be received by the touch sensitive display 112 or mouse peripheral, the input interface 103 is not necessary. Conversely, in some embodiments there are a plurality of different input interfaces 103. The input interface 103 may be an image sensor for receiving a retinal scan, palm print or finger print copy, or recognising a gesture. The input interface 103 may be a microphone and speech recognition interface allowing voice input. The input interface 103 may also be a photoplethysmogram (PPG) reader for measuring a user's unique heartrate variability features, GPS locator for determining the user's location. The input interface 103 may be a keyboard or mouse or receiving a line drawing or click selection. The input interface 103 may be an RF ID reader, wireless receiver, or hardware token receiver (for example, a bank card reader). The memory 106 may be a non-volatile memory such as read only memory (ROM) a hard disk drive (HDD) or a solid state drive (SSD). The memory 106 stores, amongst
other things, an operating system 108 and client software application 110. The memory 106 further includes random access memory (RAM), used by the processor 102 for the temporary storage of data. The operating system 108 may contain code which, when executed by the processor 102 in conjunction with the RAM, controls operation of each of the hardware components of the mobile device 100.
In embodiments where one of the authentication actions includes the selection of an image, the memory 106 includes a database of stored images. In embodiments where one of the authentication actions includes the selection of an audio clip, the memory 106 includes a database of stored audio clips. In further embodiments, the images are stored on a server instead.
According to embodiments where the authentication takes place entirely on the client device without the need for a server, the memory 106 includes a database for storing a composite credential.
The processor 102 may take any suitable form. For instance, it may be a
microcontroller, plural microcontrollers, a microprocessor, or plural processors (for example, including a post-processor). The processor 102 includes circuitry.
The power source 118 according to a preferred embodiment is a secondary battery. However, in embodiments where the client device is a fixed device such as a computer or electronic door lock, the power source is a mains power supply. In embodiments herein, the client software 110 is configured to generate data for use in authenticating a user. In preferred embodiments, the data is a composite of the output of a plurality of authentication actions, where each output is converted into a common format. In other embodiments, the data is transmitted to a server prior to combination. Further details of the processes performed by the client software 110 will be described with reference to Figure 3.
Figure 2 shows a server 200 for use as part of a system for authenticating a user. The system also includes the client device 100 described with reference to Figure 1. The server 200 has a processor 202, a memory 206, a power source 218 and an interface 204 for transmitting and receiving data.
The interface 204 according to this embodiment is a wireless interface, however, according to other embodiments the interface 204 is a wired interface. The wireless interface may operate using any known communication standard, such as LTE, Wi-Fi or 3G. Where the interface 204 is a wired interface, the interface maybe an Ethernet interface. The data may be received via a network such as the Internet. The interface 204 is for receiving credentials from a client device 100 and transmitting a message indicating whether the user is authenticated to the client device 100.
The memory 206 may be a non-volatile memory such as read only memory (ROM) a hard disk drive (HDD) or a solid state drive (SSD). The memory 206 stores, amongst other things, an operating system 208 and a server software application 210. The memory 206 further includes random access memory (RAM), used by the processor 202 for the temporary storage of data. The operating system 208 may contain code which, when executed by the processor 202 in conjunction with the RAM, controls operation of each of the hardware components of the server 200.
In some embodiments where one of the authentication actions includes the selection of an image, the memory 206 includes a database of stored images. In other
embodiments where one of the authentication actions includes the selection of an image, the memory 106 on the client device 100 includes a database of stored images instead.
In embodiments herein, the server software 210 is configured to authenticate a user using data received from a client device 100. In preferred embodiments, the data is a composite of the output of a plurality of authentication actions. In other embodiments, the data is a plurality of data, each in a different format relating to a specific
authentication action. Here, the server software 210 converts the plurality of data into a common format and combines the data in the combined format into combined data. The combined data can then be compared with a stored composite credential in order to authenticate the user. As an additional step, the server 200 may hash the combined data prior to performing the comparison. Further details of the processes performed by the server software 210 will be described with reference to Figure 3.
The processor 202 may take any suitable form. For instance, it may be a
microcontroller, plural microcontrollers, a microprocessor, or plural processors (i.e. including a post-processor). The controller includes circuitry. The power source 218 according to a preferred embodiment is a mains power supply.
Figure 3 shows a schematic diagram of an architecture for authenticating a user. The architecture is distributed, whereby some aspects are features of a client device 100 and other aspects are features of a server 200. However, advantageously the features of the present invention can be distributed in a number of different ways. In other words, the aspects can be located on the client device 100 or the server 200 depending on the application. In some embodiments, all aspects are features of the client device 100. As described herein, the aspects may be implemented as hardware or software. The database 230 stores a composite credential generated and set by the user as part of a registration process. The registration process will be described with reference to Figure 5. The database 230 is stored in the memory 206 of the server 200.
The architecture of the shown embodiment comprises a number of baseline
components 124, 242, 232 and a number of modular components 122, 120, 220, 234. The baseline components 124, 242, 232 support known password-entry routines. The baseline components 124, 242, 232 are independent of modular components 122, 120, 220, 234. The baseline components include a baseline editor 124, baseline module 240 having input parameters 250, and baseline data 232 stored in the database 230. The baseline data 232 is a stored textual password. In some embodiments, the stored textual password is a hashed textual password.
Through the baseline editor 124 the user can enter a textual password which can be transmitted to the baseline module 242 in the server 200. The baseline module 242 performs password verification or/ and hashing. The baseline module 242 performs password verification using stored parameters 250. These parameters 250 are updatable by the server 200 operator. For example, the parameters 250 indicate the password must be of a particular length or contain particular characters. Once verified, the entered password can be compared with a stored password in the baseline data 232. This means that the user can continue to use their normal textual password while the system of the present invention is installed on their device.
The baseline editor 124 is a feature of the client software 110 operating on the client device 100. The baseline editor 124 comprises a means for receiving a password, such as a text entry box. The baseline module 240 is shown as being a feature of the server software 210 operating on the server 200. However, according to other embodiments, the baseline module 240 is a feature of the client software 110 operating on the client device 100.
The modular components 122, 120, 220, 234 support advanced credential-entry routines, including the use of multiple authentication actions in the same
authentication process. The modular components include a policy controller 122, a plurality of front-end modules i2oa-c, a plurality of back-end modules 220a, 220b, 220c, and additional data 234. The front-end modules i2oa-c are features of the client software 110 operating on the client device 100. They are independent, reusable and expandable building blocks of data or interface. The front-end modules i2oa-c are plugins to the baseline editor 124 which interact with users to generate a new authentication feature. Some front-end modules 120a, 120b, have a module counterpart 220a, 220b at the server-side. This is most likely to be the case when establishing a database 230 connection is required. Usually, the communication between the front-end modules i2oa-c and back-end modules 220a, 220b results in creation of new data or retrieving data from the database 230. However, some other back-end modules 220c which do not communicate with the front-end modules i2oa-c work as support to the other back-end modules 220a, 220b. The back-end modules 22oa-c make use of the additional data 234 to enable additional authentication actions.
The front-end modules i2oa-c can be simple or compound. A simple module allows the user to perform one authentication action. A compound module binds multiple different modules, which share similar features (e.g. hybrid graphical passwords). For usability purposes, the compound module would provide one interface for performing multiple authentication actions.
In more detail, front-end modules i2oa-c are associated with input interfaces 103 or the touch sensitive display 112. For example, an input interface 103 may include an image sensor. Meanwhile, one module 120a may be configured to read a facial image
using the image sensor and perform key generation based on robust facial features, where the generated key will be further converted to a common format for being combined with at least one other authentication actions facial recognition. Conversely, in other embodiments, rather than perform key generation based on facial features, the front-end module 120a may convert the received facial image from an array of pixels to a textual string based on further information about the user's face stored on the database 230, working together with a back-end module 220a.
Further examples of modules I20a-c (i.e. plugins) include modules for: performing an iris scan; measuring keystroke dynamics; performing voice recognition; reading a finger print; typing keystrokes on a keyboard to create a textual password (for example, a Rich Text Format textual password); clicking one or more buttons on a display using a mouse; selecting of one or more images from a plurality of images; uploading one or more files on one or more local devices; accessing one or more online resources using URLs; selecting of one or more points on an image; drawing one or more patterns on an image; receiving a signal such as an authorisation code or RF ID through a wired or wireless interface from one or more hardware tokens and/or mobile devices; and performing gestures (for example, a hand movement). These examples are not intended to be limiting, and the skilled person would appreciate there are many methods of performing an authentication action. Further details of individual credentials received through example authentication actions in different authentication methods are set out below. Here, the common format is a textual string.
Draw-a-Secret (DAS, Jermyn et al. 1999:
https://www.usenix.org/legacy/events/sec99/full_papers/jermyn/jermyn_html/came ra3.html): This is a graphical password system where the user can draw some stroke on an n x n grid as the "password" (i.e. credential) to prove his identity. Here, the authentication actions will be a number of drawing actions (pen down, pen move, and pen up), where the drawing pen can be the user's finger on a touch screen 112. The converted data can be a textual presentation of different strokes the user draws (a number of coordinates and separators marking the end of a stroke and the start of a new stoke), encoded following any textual format e.g. "{(2,2),(2,i); (4,3),(4,4)}" or "<strokexpoint>2,2</point> <point>2,i</point> </stroke><strokexpoint>4,3</poi ntxpoint>4,4</pointx/stroke>". The conversion can be done without a back-end module 220a.
PassPoints (Wiedenbeck et al. 2005: http://dx.doi.0rg/10.1016/j.ijhcs.2005.04.010): This is a graphical password system where the user clicks a number of points on an image as the "password" to prove his identity. Here the authentication actions will be a number of clicks on an image. Based on a technique called centralized discretization (Chiasson et al. 2008:
https://www.usenix.org/legacy/event/upseco8/tech/full_papers/chiasson/chiasson_h tml/), PassPoints can be seen as a special edition of DAS thus the actions can be converted into a textual string in the same way as how this is done for DAS. The centralized discretization technique will require additional data 234 to be created in the database 230, which means a back-end module 220a will be required.
PassFaces (http://www.passfaces.com/): This is a commercial graphical password system where the user remembers a number of facial images as the "password" (i.e. credential) and then selects each of such images in a number of decoy images to prove his identity. Here the authentication actions are a number of selection choices the user makes. The actions can be converted to a textual string by creating a list of the filenames of the selected images ranked following a particular order e.g. "imagei, image6, imageioo, image2ii, image876". PassFaces will require a back-end module 220a as it needs to read pass-images and decoy ones out of a database.
Action based passwords: One can define a number of actions (e.g. gestures to show in front of a webcam) as the "password" (i.e. credential) to prove his identity. Such actions can be converted into a textual string by giving each action a textual name and then simply listing all sequential actions one after the other.
US 2014/0040627 Al: This known system proposes a rich formatted password where the user can define a sequence of tokens with alterable attributes as the "password" (i.e. credential) where the tokens can be textual characters or graphical symbols and the attributes can be properties like colour, size, and other styles. This patent also explained a way the rich formatted password is converted into an encrypted format, which can then be further converted to a textual string (if not yet) using encoding schemes like base64.
ObPwd (Mann and van Oorschot 2008:
https://www.usenix.org/events/hotseco8/tech/full_papers/mannan/mannan.pdf): This is a user authentication scheme where the user selects an object such as a file on a
computer as the "password" (i.e. credential) to prove his identity. Here the
authentication action is the selection of an object. By assigning a unique name to each possible object (e.g. an URL or DOI), the action can be converted into a textual string (the name itself). If the name is binary, we can use an encoding scheme like base64 to convert it to a textual string. It is also possible to use the content of the object to get the converted text, and in this case a hashing scheme may be used to reduce the length of the converted textual string to a specific length.
Pass-Region (Li et al. 2011, unpublished): This is a user authentication scheme where the user selects a region of a given coordinate system as the "password" (i.e. credential) to prove his identity. Examples include a region on a world map, a 3-D world or a complex number plane or part of a multimedia file (e.g. a segment of an audio file, a region of a frame of a video file). Here, the authentication action will be to show a smaller region than the pass-region to demonstrate knowledge of the pass-region. Such an action can be converted to a textual string by defining an encoding scheme of the coordinates of the pass-region e.g. using the textual presentations of the upper-left and bottom-right corners' coordinates.
Hardware token that has a private key for digital signature: When a hardware token is used for user authentication, one way is to let the user to sign a (often dynamic) message using the hardware token. In this case the authentication action is the use of a specific hardware token for a specific operation. Such an action can be used to sign a fixed message and/or part of the combined data, and then produce a textual presentation of the digital signature using an encoding scheme such as base64. The hardware token may also be a mobile device and the communication between the mobile device and the client device (if not the mobile device itself) can be done via a wired (e.g. USB) or wireless (e.g. Bluetooth or NFC) or optical (e.g. QR-code) channel.
Any biometrics-based user authentication systems: A technique called biometric key generation can allow the production of a binary key out of a biometric template. By further converting the binary key into a textual format using a scheme like base64, the authentication action of presenting one or more biometric features to a system can be converted to the common format required. This can allow multiple-modal biometric systems to be implemented in a compound module with several sub-modules.
Any contextual information used for authentication: In some systems the user may want to limit the authentication to be done only when some contextual requirements are met e.g. if the user is physically at a geo-location. Other examples of the contextual information include the user's login history, access time, device type, software version, screen resolution, or noise level sensed by an audio sensor. The skilled person will appreciate that these are just some of a wide range of contextual information. Here the authentication action is to add the required contextual information (normally from a sensor) to the system. The action can be converted into a textual string by following an encoding scheme of the contextual information e.g. for geo-locations it can be the textual presentation of the longitude followed by a comma and the textual presentation of the latitude.
According to known single-authentication action systems, the output of any
authentication action is data in a format unique to that authentication action. For example, an image is received as an array of pixel values. Other types of data format include machine code, binary, and hexadecimal data. According to embodiments of the present invention, the associated front-end modules i2oa-c convert the output of each respective authentication action into a common data format. According to preferred embodiments, the front-end modules i2oa-c convert the output of respective authentication actions to ASCII code (or other language codes) such that the resulting textual credential is backwards-compatible with current textual password systems. However, in other embodiments, the outputs are converted into a two-dimensional array of values. In further embodiments still, the outputs are converted to graphical characters. In further embodiments still, the outputs are converted to sign language or spoken languages.
The processor 102 then combines the data in the common format to create a single password for insertion into the baseline editor 124. Preferably, the combined data is a single string of text. In other embodiments, the combined data is, for example, an array of values, a string of hexadecimal values, or a string of machine code. According to preferred embodiments, the processor 102 combines the data by appending data derived from a first-performed authentication action to data derived from a second- performed authentication action. In this way, the order in which authentication actions are performed is in itself a component of the composite credential to be checked as part of the authentication method. According to alternative, less preferred, embodiments,
the order in which authentication actions are carried out is independent of the authentication.
Herein, the term "module" refers to computer logic utilised to provide specified functionality. Thus, a module can be implemented in hardware, firmware and/or software controlling a processor. In one embodiment, the modules are program files stored on a storage device, loaded into memory and executed by a processor, or can be provided from computer program products, for example computer executable instructions, that are stored in a tangible computer-readable storage medium such as RAM, hard disk, or optical or magnetic media. It will be appreciated that embodiments of the directions system can have different or other modules to the ones described herein, with the described functionalities distributed amongst the modules in a different manner. The policy controller 122 is responsible for ensuring restrictions on the authentication actions which are selected and consequently conducted by users for the purpose of registering a composite credential. For example, one restriction might be that if one biometric module must be used at least once, at least 8 keys must be pressed in a row. The policy controller 122 is shown in the present embodiment located on the client device 100. However, according to other embodiments the policy controller 122 is located on the server 200. In other embodiments, the policy controller may be split between the client 122 and the server 200. In these embodiments involving the server side, further communication is necessary between the server 200 and the client device 100. Therefore, it is advantageous for the policy controller 122 to be located on the client device 100. However, policies should be defined at the server 200. Nevertheless, both baseline and modular components can operate together easily to allow a hybrid policy across different authentication actions e.g. when one has at least one biometric actions the minimum number of keys required to be pressed is reduced. The architecture further includes a post-processor (not shown in Figure 3). The postprocessor is located between the baseline editor 124 and the baseline module 240. The post-processor is located either or both on the server-side 200 or client device side 100 of the architecture. The post-processor is used to post-process the generated combined (or, in other words, composite) credential for different purposes e.g. reducing the length of the combined credential to N characters so that the server 200 can accept it or to circumvent constraints of the underlying communication protocols or software (e.g.
maximum length of URL allowed). This can be achieved through a hashing function which includes data compression combined with truncation. A hash function is any function that can be used to map data of arbitrary size to data of fixed size. Furthermore, the post-processor according to some embodiments is configured to automatically add contextual information not provided by users. The adding of contextual information is a further example of an authentication action. As explained below, the contextual information is converted to the same format as the credentials of other selected authentication actions and combined with the credentials in the common format to form a composite credential.
Figure 4a shows an example of a graphical user interface (GUI) for accessing an account according to embodiments of the present invention. The GUI is the screen associated with the baseline editor 124. The GUI allows a user to enter their username and email address, and a plurality of authentication actions to form a composite credential. The plurality of authentication actions are performed using a toolbar 126. In preferred embodiments, the toolbar 126 is a JavaScript toolbar, but the skilled person would appreciate that this is just one of many appropriate programming languages. The toolbar 126 provides icons allowing the user to select GUIs associated with a plurality of front-end modules i2oa-c. The first front-end module 120a is used for receiving and editing text in Rich Text Format (RTF). The second front-end module 120b is for allowing a user to select an image.
The third front-end module 120c is for allowing the user to enter a mathematical equation. A fourth front-end module i2od allows the user to edit the combined data directly. Further front-end modules can be incorporated into the toolbar 126 as appropriate. The user may choose to use any of the available authentication actions and in any order. Figure 4b shows an example of a GUI displayed if the user selects the second front-end module 120b. Here, the user is able to select one from a plurality of images stored on the client device 100 or on the internet. Once an image is selected, the second front- end module 120b converts the image to a textual string and automatically enters provides the textual string to the baseline editor 124. The GUI then returns to the GUI for accessing an account. In preferred embodiments, to improve simplicity for the user a pictorial representation of the selected image is displayed in the credential field of the
GUI for accessing an account. The user is then able to select a second authentication action and the output of which will be converted to text and appended to the text associated with the already-selected image. A more general approach for registering a composite credential and authenticating a user will now be described with reference to Figure 5.
In a first step, Step S601, a first authentication action is received by the client device 100. The authentication action is associated with an input interface 103, such as a card reader or fingerprint scanner. A front-end module I20a-c derives data from the authentication action in step S602. The data is in a format unique to that
authentication action. For example, when the authentication action is a selection of an image with a URL, the data is the URL of the image data. In step S603 the policy controller 122 validates the first authentication action. In other words, the policy controller 122 ensures the appropriate rules have been followed for the selected authentication action. This step is carried out as part of the registration process, but is skipped as part of the authentication process (i.e. if a composite credential is already stored).
In step S604 the respective front-end module i2oa-c converts the data associated with the first authentication action into a textual string. Advantageously, this allows backwards compatibility with current authentication systems. In step S605 a second authentication action, of a different type to the first
authentication action, is received. A front-end module i2oa-c specific to the second authentication action derives data from the second authentication action in step S606. For example, if the first authentication action is a selection of an image from storage 106 on the client device 100, the second authentication action is the performing of a retinal scan.
In step S607 the policy controller 122 validates the second authentication action similarly to as in step S603. This step is carried out as part of the registration process, but is skipped as part of the authentication process (i.e. if a composite credential is already stored).
In step S608 the respective front-end module i2oa-c converts the data derived from the second authentication action to a textual string. According to other embodiments, one of step S604 and step S608 is not performed, and the performed one of steps S604 and S608 converts the data derived from the respective first authentication action or second authentication action to the same format as the other data. In other words, the data derived from the first authentication action and the data derived from the second authentication action are converted to be in the same common format, but it is not essential what the format is. Instead of text, in some embodiments the common format is an array of values, a hexadecimal string, or a string of graphical characters.
In a further optional step (not shown), the policy controller 122 polices hybrid policies.
In step S609 the processor 102 combines the converted data derived from the first authentication action and converted data derived from the second authentication action. According to a preferred embodiment, this combination comprises a concatenation or appendage process. In other words, in step S609 a single long textual string password (i.e. a composite credential) not known to the user is generated from two separate, easy to remember, authentication actions. In step S610, which is preferred but not essential, the combined textual string is compressed using a post-processer before it is transmitted to a server 200. According to some embodiments, the post-processing comprises hashing for reducing the size of the transmitted data. This is ensures compatibility with servers operating known password-based systems that can process and compare only 60 byte strings. The hashing step is a further hashing step to that typically carried out on a server 200 to increase security in known authentication systems.
Next, if the composite credential is being generated for the first time (e.g. for account registration), step S611 is performed. Here, the composite credential is stored. In systems comprising a server 200, the composite credential is stored in the database 230 of the server 200. In some embodiments, the server 200 hashes the stored composite credential. In other embodiments, such as those involving a standalone client device 100, the composite credential is stored in the memory 106 of the client device 100. The process then returns to step S601 such that the user can perform authentication actions in order to access the content for which they have just registered a composite credential.
Alternatively, if a composite credential has previously been generated and registered in step S611, Step S612 is performed instead. Step S612 is performed on the server 200 when the server 200 is present in the system, otherwise, the client device 100 performs step S611. In step S612 the user is authenticated. In one embodiment, this is achieved by comparting the compressed combined textual string with the stored composite credential. If they match, then the user is authenticated. If the server 200 performs the authentication, the server generates and transmits a message to the client device 100 indicating that the user has been authenticated. The user is then able to login to their account or access the desired content.
If the user wishes to update their stored composite credential by carrying out different authentication actions, then steps S601 to S611 are performed even if a composite credential is already stored.
Embodiments of the present disclosure may be implemented in software, hardware, application logic or a combination of software, hardware and application logic, or instructions for a human to execute. The software, application logic and/or hardware may reside on memory, or any computer media. In an example embodiment, the application logic, software or an instruction set is maintained on any one of various conventional computer-readable media. In the context of this document, a "computer- readable medium" may be any media or means that can contain, store, communicate, propagate or transport the instructions for use by or in connection with an instruction execution system, apparatus, or device, such as a computer.
A computer-readable medium may comprise a computer-readable storage medium that may be any tangible media or means that can contain or store the instructions for use by or in connection with an instruction execution system, apparatus, or device, such as a computer as defined previously.
According to various embodiments of the previous aspect of the present disclosure, the computer program according to any of the above aspects, may be implemented in a computer program product comprising a tangible computer-readable medium bearing computer program code embodied therein which can be used with a controller for the implementation of the functions described above.
Reference to "computer-readable storage medium", "computer program product", "tangibly embodied computer program" etc., or a "controller" or "processing circuit" etc. should be understood to encompass not only computers having differing architectures such as single/multi controller architectures and sequencers/parallel architectures, but also specialised circuits such as field programmable gate arrays FPGA, application specify circuits ASIC, signal processing devices and other devices. References to computer program, instructions, code etc. should be understood to express software for a programmable controller firmware such as the programmable content of a hardware device as instructions for a controller or configured or configuration settings for a fixed function device, gate array, programmable logic device, etc.
By way of example, and not limitation, such "computer-readable storage medium" may mean a non-transitory computer-readable storage medium which may comprise RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage, or other magnetic storage devices, flash memory, or any other medium that can be used to store desired program code in the form of instructions or data structures and that can be accessed by a computer. An exemplary non-transitory computer-readable storage medium is an optical storage disk such as a CD. Also, any connection is properly termed a "computer-readable medium". For example, if instructions are transmitted from a website, server, or other remote source using a coaxial cable, fiber optic cable, twisted pair, digital subscriber line (DSL), or wireless technologies such as infrared, radio, and microwave, then the coaxial cable, fiber optic cable, twisted pair, DSL, or wireless technologies such as infrared, radio, and microwave are included in the definition of medium. It should be understood, however, that "computer-readable storage medium" and data storage media do not include connections, carrier waves, signals, or other transient media, but are instead directed to non-transient, tangible storage media. Disk and disc, as used herein, include compact disc (CD), laser disc, optical disc, digital versatile disc (DVD), floppy disk and Blu-ray disc, where disks usually reproduce data magnetically, while discs reproduce data optically with lasers. Combinations of the above should also be included within the scope of "computer- readable medium".
Instructions may be executed by one or more controllers, such as one or more digital signal controllers (DSPs), general purpose microcontrollers, application specific integrated circuits (ASICs), field programmable logic arrays (FPGAs), or other
equivalent integrated or discrete logic circuitry. Accordingly, the term "controller," as used herein may refer to any of the foregoing structure or any other structure suitable for implementation of the techniques described herein. In addition, in some aspects, the functionality described herein may be provided within dedicated hardware and/or software modules. Also, the techniques could be fully implemented in one or more circuits or logic elements.
If desired, the different steps discussed herein may be performed in a different order and/ or concurrently with each other. Furthermore, if desired, one or more of the above-described steps may be optional or may be combined.
Whilst certain embodiments of the invention have been described herein with reference to the drawings, it will be understood that many variations and modifications will be possible without departing from the scope of the invention as defined in the
accompanying claims.
Claims
1. An authentication method comprising:
generating data derived from a plurality of different authentication actions, wherein the data comprises first data in a first format, derived from a first
authentication action and second data in a second format, derived from a second authentication action, the first format being different to the second format,
converting at least one of the first and second data into a common format; combining data in said common format to provide combined data for use in authentication; and
authenticating the user using the combined data.
2. The authentication method according to claim 1, comprising hashing the data.
3· The authentication method according to claim 2, wherein hashing the data comprises performing truncation.
4. The authentication method according to any one of the preceding claims, comprising transmitting the combined data to a server for authenticating the user.
5. The authentication method according to any one of the preceding claims, wherein the common format is a string.
6. The authentication method according to claim 5, wherein the common format is a textual string.
7. The authentication method according to any one of the preceding claims, wherein the plurality of authentication actions includes one or more of: typing keystrokes on a keyboard, selecting of one or more buttons on a display using a mouse, selecting of one or more images from a plurality of images, uploading one or more files on one or more local devices, accessing one or more online resources using URLs, selecting of one or more points on an image, drawing one or more patterns on an image, receiving a signal from one or more hardware tokens and/ or mobile devices, reading one or more biometric features using one or more input devices, performing gesture recognition using an image sensor, and determining contextual information relating to the user.
8. The authentication method according to claim 7, wherein the contextual information is at least one of the user's absolute geo-location, login history, access time, device type, software version, screen resolution, or noise level sensed by an audio sensor.
9. The authentication method according to claim 7 or claim 8, wherein reading one or more biometric features comprises performing a retinal scan.
10. The authentication method according to any one of claims 7 to 9, wherein reading one or more biometric features comprises reading a finger print.
11. The authentication method according to any one of claims 7 to 10, wherein reading one or more biometric features comprises performing facial recognition.
12. The authentication method according to any one of claims 7 to 11, wherein reading one or more biometric features comprises performing voice recognition.
13. The authentication method according to any one of claims 7 to 12, wherein reading one or more biometric features comprises measuring keystroke dynamics.
14. The authentication method according to any one of the preceding claims, comprising validating the plurality of authentication actions.
15. Apparatus configured to carry out the method of any one of the preceding claims.
16. Computer-readable instructions which, when executed by computing apparatus, cause the computing apparatus to perform the method of any one of claims 1 to 14.
17. A method of generating a composite credential comprising:
generating data derived from a plurality of different authentication actions, wherein the data comprises first data in a first format, derived from a first
authentication action and second data in a second format, derived from a second authentication action, the first format being different to the second format;
converting at least one of the first and second data into a common format;
generating a composite credential, wherein generating the composite credential comprises combining data in said common format to provide combined data for use in authentication.
18. The method of generating a composite credential according to claim 17, comprising hashing the combined data.
19. The method of generating a composite credential according to claim 18, wherein hashing the combined data comprises performing data truncation on the combined data.
20. The method of generating a composite credential according to any one of claims 17 to 19, comprising transmitting the combined data to a server for storage.
21. The method of generating a composite credential according to any one of claims 17 to 20, wherein the common format is a string.
22. The method of generating a composite credential according to claim 21, wherein the common format is a textual string.
23. The method of generating a composite credential according to any one of claims 17 to 22, wherein the plurality of authentication actions includes one or more of: typing keystrokes on a keyboard, selecting of one or more buttons on a display using a mouse, selecting of one or more images from a plurality of images, uploading one or more files on one or more local devices, accessing one or more online resources using URLs, receiving selection of one or more points on an image, drawing one or more patterns on an image, receiving a signal from one or more hardware tokens and/or mobile devices, reading one or more biometric features using one or more input devices, performing gesture recognition using an image sensor, and determining contextual information relating to the user.
24. The method of generating a composite credential according to claim 23, wherein the contextual information is at least one of the user's absolute geo-location, login history, access time, device type, software version, screen resolution, or noise level sensed by an audio sensor.
25. The method of generating a composite credential according to claim 23 or claim 24, wherein reading one or more biometric features comprises performing a retinal scan.
26. The method of generating a composite credential according to any one of claims 23 to 25, wherein reading one or more biometric features comprises reading a finger print.
27. The method of generating a composite credential according to any one of claims 23 to 26, wherein reading one or more biometric features comprises performing facial recognition.
28. The method of generating a composite credential according to any one of claims 23 to 27, wherein reading one or more biometric features comprises performing voice recognition.
29. The method of generating a composite credential according to any one of claims 23 to 28, wherein reading one or more biometric features comprises measuring keystroke dynamics.
30. The method of generating a composite credential according to any one of claims 17 to 29, comprising validating the plurality of authentication actions.
31. The method of generating a composite credential according to any one of claims 17 to 30, comprising authenticating the user.
32. Apparatus configured to carry out the method of any one of claims 17 to 31.
33. Computer-readable instructions which, when executed by computing apparatus, cause the computing apparatus to perform the method of any one of claims 17 to 31.
34. A method comprising:
generating data derived from a plurality of authentication actions, wherein the data comprises first data in a first format, derived from a first authentication action and second data in a second format, derived from a second authentication action, the first format being different to the second format;
converting at least one of the first and second data into a common format; combining data in said common format to provide combined data for use in authentication;
transmitting the combined data; and
receiving a message indicating whether the user is authenticated.
35. An apparatus comprising:
one or more input devices, wherein said one or more input devices are configured to generate data derived from a plurality of authentication actions, wherein the data comprises first data in a first format, derived from a first authentication action and second data in a second format, derived from a second authentication action, the first format being different to the second format; and
a processor configured to:
convert at least one of the first and second data into a common format; combine data in said common format to provide combined data for use in authentication; and
authenticate the user using the combined data and a stored credential.
36. The apparatus according claim 35, further comprising a storage device for storing the stored composite credential.
37. The apparatus according to claim 35 or claim 36, wherein the processor is further configured to hash the combined data.
38. The apparatus according to claim 37, wherein hashing the combined data comprises truncating the combined data.
39. The apparatus according to any one of claims 35 to 38, wherein the processor is configured to determine contextual information relating to the user in response to a first authentication action being received.
40. A client device, the client device comprising:
one or more input devices, wherein said one or more input devices are configured to generate data derived from a plurality of different authentication actions, wherein the data comprises first data in a first format, derived from a first
authentication action and second data in a second format, derived from a second authentication action, the first format being different to the second format;
a processor configured to:
convert at least one of the first and second data into a common format; and
combine data in said common format to provide combined data for use in authentication;
a transmitter for transmitting the combined data to a server for authenticating the user; and
a receiver for receiving a message indicating whether the user is authenticated.
41. The client device according to claim 40, wherein the client device is an automatic teller machine.
42. A system for authenticating a user, the system comprising:
a client device comprising:
one or more input devices, wherein said one or more input devices are configured to generate data derived from a plurality of different authentication actions, wherein the data comprises first data in a first format, derived from a first
authentication action and second data in a second format, derived from a second authentication action, the first format being different to the second format;
a first processor configured to:
convert at least one of the first and second data into a common format; and
combine data in said common format to provide combined data for use in authentication; and
a server comprising:
a storage device for storing a composite credential; and
a second processor for authenticating the user using the combined data and the stored composite credential.
43. The system according to claim 42, wherein the second processor is configured to compare the combined data with the stored composite credential and generate a message indicating whether the user is authenticated based on the comparison, and wherein
the client device comprises:
a transmitter for transmitting the combined data to the server; and a receiver for receiving the message indicating whether the user is authenticated; and
the server comprises:
a receiver for receiving the combined data; and
a transmitter for transmitting the message indicating whether the user is authenticated.
44. The system according to claim 42 or claim 43, wherein the first processor is further configured to hash the combined data.
45. The system according to claim 44, wherein hashing the combined data comprises truncating the combined data.
46. The system according to any one of claims 42 to 45, wherein the second processor is configured to hash the combined data and wherein the stored composite credential comprises a hash.
47. The system according to any one of claims 42 to 46, wherein the first and/or second processor is configured to validate the plurality of authentication actions.
48. The system according to any one of claims 42 to 47, wherein the client device is an automatic teller machine.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
GB1700649.5 | 2017-01-13 | ||
GBGB1700649.5A GB201700649D0 (en) | 2017-01-13 | 2017-01-13 | Improved authentication |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2018130852A1 true WO2018130852A1 (en) | 2018-07-19 |
Family
ID=58463462
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/GB2018/050098 WO2018130852A1 (en) | 2017-01-13 | 2018-01-15 | Improved authentication |
Country Status (2)
Country | Link |
---|---|
GB (1) | GB201700649D0 (en) |
WO (1) | WO2018130852A1 (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112231668A (en) * | 2020-09-18 | 2021-01-15 | 同盾控股有限公司 | User identity authentication method based on keystroke behavior, electronic equipment and storage medium |
WO2022172068A1 (en) * | 2021-02-10 | 2022-08-18 | Polu Vishwanath Reddy | System and method for user access control for accessing an authenticated entity |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20060153428A1 (en) * | 2005-01-12 | 2006-07-13 | National University Corporation Gunma University | Device for verifying individual, and method for verifying individual |
US20140095884A1 (en) * | 2012-09-28 | 2014-04-03 | Raghudeep Kannavara | Multi-factor authentication using biometric data |
-
2017
- 2017-01-13 GB GBGB1700649.5A patent/GB201700649D0/en not_active Ceased
-
2018
- 2018-01-15 WO PCT/GB2018/050098 patent/WO2018130852A1/en active Application Filing
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20060153428A1 (en) * | 2005-01-12 | 2006-07-13 | National University Corporation Gunma University | Device for verifying individual, and method for verifying individual |
US20140095884A1 (en) * | 2012-09-28 | 2014-04-03 | Raghudeep Kannavara | Multi-factor authentication using biometric data |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112231668A (en) * | 2020-09-18 | 2021-01-15 | 同盾控股有限公司 | User identity authentication method based on keystroke behavior, electronic equipment and storage medium |
WO2022172068A1 (en) * | 2021-02-10 | 2022-08-18 | Polu Vishwanath Reddy | System and method for user access control for accessing an authenticated entity |
Also Published As
Publication number | Publication date |
---|---|
GB201700649D0 (en) | 2017-03-01 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN109076072B (en) | Web service picture password | |
US9813908B2 (en) | Dynamic unlock mechanisms for mobile devices | |
US10223517B2 (en) | Gesture-to-password translation | |
US10395065B2 (en) | Password protection under close input observation based on dynamic multi-value keyboard mapping | |
US9705877B2 (en) | Detecting sharing of passwords for password protected user accounts | |
EP3915026B1 (en) | Browser login sessions via non-extractable asymmetric keys | |
US9548865B2 (en) | Token authentication for touch sensitive display devices | |
JP2023522835A (en) | System and method for cryptographic authentication | |
KR20150050666A (en) | Pattern Inputting Apparatus and Method, and Recording Medium Using the Same | |
US20210397682A1 (en) | Secure Service Interaction | |
KR102615950B1 (en) | Electronic apparatus, method for controlling thereof and the computer readable recording medium | |
WO2019159166A1 (en) | Selecting data items using biometric features | |
US20240061924A1 (en) | Direct access authentication using gestures | |
WO2018130852A1 (en) | Improved authentication | |
US10678895B2 (en) | Data input method, and electronic device and system for implementing the data input method | |
US20160103989A1 (en) | Device authentication | |
US10460094B2 (en) | Method, apparatus, and storage medium for data processing | |
KR20150100130A (en) | System and method for providing security keyboard | |
US20140282839A1 (en) | Unified enterprise device enrollment | |
US20220207131A1 (en) | Secure authentication for young learners | |
JP2016110547A (en) | Id-password output device, and id-password output program | |
JP2023083484A (en) | Information processing device, information processing method, and program | |
TW201729134A (en) | Password-transforming method | |
KR20170135444A (en) | Method and apparatus for authentication using layered pattern | |
TWM500291U (en) | Electronic device and server |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 18700829 Country of ref document: EP Kind code of ref document: A1 |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 18700829 Country of ref document: EP Kind code of ref document: A1 |