WO2018170192A1 - Two-factor authentication with user-selected passcode modification - Google Patents


Info

Publication number
WO2018170192A1
Authority
WO
WIPO (PCT)
Prior art keywords
passcode
user
modification
username
password
Prior art date
Application number
PCT/US2018/022535
Other languages
French (fr)
Inventor
Venkat Mattela
Original Assignee
Redpine Signals, Inc
Application filed by Redpine Signals, Inc
Publication of WO2018170192A1

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/42User authentication using separate channels for security data



Abstract

An authentication method has a login step using a username and password, the login step followed by the sending of a random passcode to a user communication device, the user modifying the random passcode and returning the modified random passcode. The system compares the random passcode which was sent, after modification according to a passcode modification selected by the user, with the passcode returned by the user, and authenticates the user if they match, or does not authenticate the user if they do not match.

Description

Two-Factor Authentication with User-selected Passcode Modification

[0001] Field of the Invention

[0002] The present invention relates to two-factor authentication. In particular, the invention relates to a method for two-factor authentication using a passcode modification known only to an authorized user.

[0003] Background of the Invention

[0004] Computer security continues to be of vital concern to society and users. A fundamental aspect of authorized access to a computer system where sensitive or valuable information may be stored is user authentication, which involves a user challenge to gain access. Various schemes are in use as the user challenge; a universally applied approach is to rely on a username and password. More sophisticated methods may rely on a three-part challenge, involving:

[0005] 1) What the user has (i.e. username and/or email for login (with secret password), device information or location information such as device/MAC (media access controller) address, host IP (internet protocol) address, device hostname, and/or geographical location).

[0006] 2) What the user knows (i.e. a secret password, answers to security questions (favorite vacation location, pet names, etc.)).

[0007] 3) What the user is (i.e. iris scan, fingerprint, biometric information).

[0008] User authentication by use of enhanced challenges beyond entry of a username/password for these schemes involves a three-way tradeoff between convenience, security, and cost.

[0009] A weakness exists in current computer security systems, particularly internet websites, where a browser "remembers" user passwords as a convenience to the user. The intended design objective of the original internet browsers was to isolate "what the user has" (the user's computer with a web browser) from "what the user knows" (a password which the user has remembered).

[0010] Two-factor authentication is a scheme whereby a user registers a mobile phone number to the user account on a website, and a temporary-use 5 or 6 digit code is sent to the user's mobile phone, where the code is valid for a limited duration of time. This greatly improves security, as it involves a second device (a phone) separate from the first device (the computer having the web browser).

[0011] Secured internet sites require increasingly complex passwords to reduce the likelihood of a successful brute force attack where random or known compromised username and password combinations are tried against a list of web host computers. There are many such types of attacks; one is known as a "dictionary attack", where a dictionary of commonly used passwords is tried in combination with a known username or email address (when used as part of a login), or combinations of username and password from successful compromises of the security of other systems are presented using an automated script operative on a compromised host (known as a "bot"), which, after gaining access to a targeted computer's password MD5 hash file containing usernames and password hashes, utilizes a dictionary lookup of hash to password to gain access to user accounts on this or other computers. Such attacks may be mitigated by "salting" the hash through the addition of additional pre-hash characters not known to an attacker, which results in a hash which is protected from reverse dictionary attacks to recover the original password which generated the stored hash. An infected computer may next attack other hosts exposed to the internet, or those inside a company intranet. In response, and to greatly increase the number of brute force guesses required, passwords for computer systems which find themselves under password attack are typically required to be at least 8 characters long, requiring one or more punctuation characters, numbers, a mixture of upper and lower case letters, and the entire password must be changed periodically with the reuse of any previously used password prohibited. This creates a new problem for users where passwords are forgotten, or transposed between sites, and legitimate users are locked out of their own transactions because the systems have either a timeout or lockout mechanism, where a certain number of failed login attempts results in denial of access to the system. To overcome this problem, web browsers such as Firefox, Mozilla, Chrome, Navigator and others have a feature where they remember and auto-fill username and password on a per-site basis. This may be helpful to the user, but fully eliminates the security of a complex password, thereby placing the user at risk of potential identity theft, as the barrier to illicit web login is now reduced to the mere possession of the user's computer in an unlocked state.

[0012] Two-factor authentication adds a layer of security by messaging a passcode to the user, typically via cell phone text or call to the account holder's registered phone number. This added security measure now requires the user to be in possession of the user's computer as well as the user's mobile phone, where the two-factor authentication value will typically be sent. However, the increased power of mobile phones has led to the migration of web transactions from personal computers to mobile phones, thereby diminishing the two-factor authentication layer of security, as a prospective thief in unauthorized possession of a mobile phone with a web browser which autofills username and password will also be receiving the two-factor authentication passcode via voice or text message to that same mobile number, thereby defeating the original design intent of two-factor authentication that the prospective thief be possessed of two unrelated devices (a computer and a mobile phone) belonging to the rightful user.

[0013] In another prior art method, a separate "key" may be provided, such as a single-use polynomial generator which is synchronized with time, using either a USB plug or a handheld device (adding "something the user has" protection). Unfortunately, loss of this extra hardware also denies access.

[0014] For these reasons, an improved method of computer security is desired which does not require additional hardware or devices.
[0015] Objects of the Invention

[0016] A first object of the invention is a method for selection and registration of a two-part authentication modification of a passcode, the method having a login step using at least a username and password, followed by a step of selection of a passcode (x) modification f(x), either by user input or by selection from a list of possible passcode modifications such as permutation, addition, subtraction, repeated digits, or other modification, a step of sending a test passcode xs to the user, a step of receiving a modified test passcode xr from the user, a step of extracting the unmodified test passcode by performing a reverse modification f'(xr), a step of comparing the reverse-modified received test passcode f'(xr) with the sent test passcode xs, and authenticating the user if f'(xr) matches the sent test passcode xs.

[0017] A second object of the invention is a method for two-part authentication, the method having a login step where a username and login password are compared with a password associated with the username, such as from a database table having entries including a username and associated secret password for a particular username, followed by a step of the user selecting a passcode modification indicated by f(.), where f(.) is the modification function operating on the passcode parameter in parentheses, the modification function determined either by user input or by selection from a list of passcode modifications such as digit permutation, addition or subtraction by a fixed per-digit value or variable per-digit value, truncated or repeated digits, or other symmetric or asymmetric modification for which a passcode xs can be formed into a modified passcode f(xs) and modified back to the original passcode xs using an inverse function f'(.) such that f'(f(xs)) = xs, the process having a step of sending a passcode xs to the user, a step of receiving a modified passcode xr from the user, a step of performing a reverse modification f'(xr), a step of comparing the reverse-modified received passcode f'(xr) with the sent passcode xs, and validating the user modification if the unmodified passcode matches the sent passcode.

[0018] A third object of the invention is a method for two-part authentication where a user selects a non-symmetric modification f(.), the authentication method sending a passcode xs, thereafter receiving a modified code xr as the user response and comparing the received modified code xr with f(xs), authenticating a user if xr matches f(xs), and rejecting the authentication if not.

[0019] A fourth object of the invention is a method for two-part authentication where a user selects a symmetric modification f(.) having a reverse modification f'(.) such that f'(f(x)) = x for any x, the authentication method sending a passcode xs, thereafter receiving a modified passcode xr, and comparing the sent passcode xs with f'(xr), authenticating the user if they match, and rejecting the authentication if they do not match.
[0020] Summary of the Invention

[0021] In one example of the invention, a controller is operative on a method for initial selection of a two-factor authentication modifier, the method having a step of user login, such as by username and password, a step of passcode modification f(.) selection, such as by presentation of alternative methods such as permutation, addition or subtraction from one or more digits, or digit replication or substitution, and associating the test modification with the user, followed by testing the user's application of the modification. The test may consist of sending a random test passcode xs such as five or six numerical digits to the phone or computer previously registered to the username of a requester, receiving a modified test passcode response xr from the user, performing the reverse modification f'(xr) associated with the username on the received modified passcode, comparing the reverse-modified user response f'(xr) to the originally sent test passcode xs, and authenticating the user if they match.

[0022] In another example of the invention for authentication of a user, a controller is operative on an authentication method where a user provides a unique username and password, and subsequently also provides a contact number for a message receiving device such as the user's mobile phone; the contact number is then associated with the unique username and also associated with a passcode modification previously selected by the user. The method next sends a randomly selected test passcode xs to the message receiving device associated with the username, the user timely replies with response xr which should carry the user-selected modification f(xr), and upon receipt of the user response, which the user has modified according to the previously selected f(x), the user response is reverse-modified (f'(xr)) according to the modification associated with the username, and the reverse-modified user response f'(xr) is compared with the originally sent passcode xs, the system providing authentication if f'(xr) matches xs, and denying authentication if not.

[0023] Brief Description of the Drawings

[0024] Figure 1 shows a flowchart for setup of a two-factor authentication modifier.

[0025] Figure 2 shows a flowchart for authentication using the two-factor authentication modifier.
[0026] Detailed Description of the Invention

[0027] Figure 1 shows a flowchart operative on a controller for performing selection of a two-factor authentication modification. The process starts at 102, where a login 104 is performed, such as by a previously selected unique username and a secret login password, using any known prior art method. Successful login results in the registration 105 of a phone number to be associated with the username, which may be a mobile phone number or other device for receiving a text or voice message. In step 108, the user selects a particular passcode modification, which may be a permutation of digits, an offset of digits by a positive or negative number, or other modifier which is remembered by the user. To illustrate by way of simple examples, the user may manipulate digit order without changing digit values, such that the permutation method selected and registered by the user changes passcode xs=123456 into xr=654321 for a full reversal example of passcode modification function f(x); or alternatively a canonical repeated digit reversal is selected such that passcode 123456 becomes 321654 for f(x); or alternatively xs=123456 is interleaved into xr=135246 for a splined (grouping odd and even digits) modification (where for x = [x1, x2, x3, x4, x5, x6], f(x) = [x1, x4, x2, x5, x3, x6]); or any other operation which is simple to perform on a short string of digits. Since the passcode is typically a short string of numerical digits (compared to the typically much more complex password which includes alphanumeric and punctuation characters, but which may be stored in the browser), the passcode modification provides much greater security for a mobile phone user in user authentication, as the passcode modification is stored in no other location than the registered user's memory. Examples of digit offset by -1 or +1 would result in the passcode 123456 being transformed into 012345 or 234567, respectively, and a simple scheme of rolling digits over on a mod 10 basis with absolute value for addition or subtraction may be performed, for example by adding and subtracting 2 on alternating digits, mod 10 (without carryover or sign). In that example, the passcode 789012 would become 961830 (addition of [+2, -2, +2, -2, +2, -2], mod 10, without carryover or negative passcode digits). Many simple modifiers may be applied which would provide greatly increased security, since an unauthorized user would not be aided by any information provided by the browser or user, and the passcode would have limited time validity and a limited number of login attempts.

[0028] After the selection of the modifier in step 108 and registration of a mobile phone or messaging device in step 105, a random user passcode 110 may be generated and sent to the user's messaging device. The random passcode may be selected from a subset of random passcodes which are easy to recall, such as a random passcode restricted to a smaller set of digits, such as from the set {0,1,2,3,4}, or from a pool of passcodes where each digit is taken from a subset of digits such as {0,2,4,6,8}, if desired. The user, upon receipt of the random passcode xs that was sent, performs the modification f(.) of the passcode according to the method previously selected (such as by permuting digits, or whatever method was remembered from the selection in 108), and the system receives the user response passcode xr in step 112, performs the reverse transformation f'(xr) in step 114, and compares the reverse transformation f'(xr) of the received user passcode with the sent passcode xs in step 116. If the reverse-modified received user passcode f'(xr) matches the sent passcode xs, the modification is validated for future use, and the user is optionally sent a message which confirms completion of the registration. When the passcode is sent after verification, the passcode may be accompanied by a generic reminder to modify the passcode (implicitly reminding the user to modify the passcode before sending it back), or the reminder may be sent if the system detects that an unmodified passcode has been received, rather than a modified passcode.

[0029] Figure 2 shows a flowchart for a two-factor authentication method operative on a controller. Entry point 202 results in a prior art login step such as by username, password, host IP or cookie, or other device-specific and user-specific information which is part of the login procedure. Successful login results in a lookup by username or other unique identifier of an associated reverse modification for the user, the reverse passcode modification f'(x) being the singular symmetrical inverse of the operation f(x) which the user had selected in step 108 of Figure 1 during registration. In step 210, a random passcode xs is sent to the registered device, such as a 5 or 6 digit numerical code, and the process waits for a reply xr (from the user) during a valid response window of time (not shown) at step 212. Upon receipt within the valid response window of time, a reverse modification f'(xr) is performed on the received user response xr using the method associated with the username from step 208, and in step 216, the reverse modification of the received user passcode is compared with the sent passcode. If f'(xr) matches xs, the method fully qualifies the user 218, and if it does not, the user gets a number of retries limited by the error counter of step 220, which is compared to a max error count n in step 222. Failure to successfully authenticate after n attempts or over a specified interval of time (not shown) results in a reset back to step 204, or alternatively, a new passcode is sent 210 and the cycle repeats until success 218 or failure 204 at step 222.

[0030] With respect to the passcode modification function f(.) the user selects, where passcode xs is sent and the user returns modified passcode xr, the authentication may rely on f'(.) when the function f(.) is symmetric (such as digit swapping, digit addition or subtraction, etc.). Certain other types of passcode modification are not symmetric. For example, for digit replication, and in the particular case where each digit is replicated twice in sequence but maintaining the number of digits, the code 123456 may become 112233 in one illustrative example, from which it is not possible to determine f'(.), since information is missing from xr because of truncation. For this case, the method may associate f(.) with the username rather than f'(.), and compare f(xs) to xr, authenticating when they match and denying authentication otherwise. In another variation of modification, extra digits are prepended or appended as padding to xs when forming xr and these extra digits are ignored upon receipt, optionally with or without other modification as previously described.

[0031] Types of modification associated with a particular user may include one or more of the following modifications:

[0032] a) Digit offset, the addition or subtraction of a value to one or more digits on a per-digit basis or on a per-group basis to the passcode xs sent to the user to form passcode xr of the user response. For an example 6 digit numeric code x = [x1, x2, x3, x4, x5, x6], and the case of a +n offset to each digit, f(x) = [x1+n, x2+n, x3+n, x4+n, x5+n, x6+n], and f'(x) = [x1-n, x2-n, x3-n, x4-n, x5-n, x6-n], where each addition xi+n or subtraction xi-n is a mod 10 operation.

[0033] b) Digit transposition, the substitution of position of digit placement from one location of xs to form xr. For an example 6 digit numeric code x = [x1, x2, x3, x4, x5, x6], and a simple transposition of each digit pair, f(x) = [x2, x1, x4, x3, x6, x5].

[0034] c) Digit multiplication, the multiplication of each digit by a number known to the user in a particular pattern and applied to xs to form xr. For multiplication by n, if x = [x1, x2, x3, x4, x5, x6], f(x) = [x1*n, x2*n, x3*n, x4*n, x5*n, x6*n], where each xi*n is taken as a mod 10 value (truncating to an integer value).

[0035] d) Digit replication, the insertion of additional digits into xs to form xr. For example, for the six digit code x = [x1, x2, x3, x4, x5, x6], and replication of the first three digits only, f(x) = [x1, x1, x2, x2, x3, x3]. This is an example of a unidirectional transform, as it is not possible to fully derive x from f(x).

[0036] e) Digit truncation, the removal of digits from xs to form xr. For example, for the six digit code x = [x1, x2, x3, x4, x5, x6] using the first four digits only, f(x) = [x1, x2, x3, x4].

[0037] f) Digit shifting, for example a right barrel shift by one digit for x = [x1, x2, x3, x4, x5, x6] would result in f(x) = [x6, x1, x2, x3, x4, x5].

[0038] g) Combinations of the above exemplar operations, performed in a particular order known to the user and maintained in the database associated with the user.

[0039] h) Temporally varying the modification, such as performing a different operation based on date or day
(shifting one digit right for 7AM and two digits left for PM, for example) . [0040] In one example of the invention, the
authentication method is operative on a web server, where registration of a user creates a database entry having a username associated with a password, messaging contact, and either passcode modification f ( . ) , or inverse passcode modification f (.) . The method may be operative such that the selection of passcode modification or inverse passcode modification is provided via a web interface. In another example of the invention, where a user has registered a username, password, messaging contact, and passcode
modification, the user first provides a username and password, the web interface prompts for the modified passcode, where a random passcode x is sent to the
registered messaging device, and the recipient modifies the random passcode from the phone and enters it as f ' (x) into the web interface, which f (x) using x which was sent to the received modified passcode, which completes the
authentication. [0041] The particular examples given are for
understanding the invention rather than limiting the scope to the examples given. The invention may be practiced many different ways and in different combinations of passcode modifications, as described in the claims which follow.
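The flow of steps 208 through 222 together with the modification types a) through h), carried through as an added example; this is not code from the patent or from Redpine Signals. The function names, the shape of the per-user registration record, the 120 second response window and the three-attempt error limit are this example's own assumptions. The one fact it adds beyond the description is that a per-digit multiplication mod 10 only has an inverse when the multiplier is coprime to 10 (n in 1, 3, 7, 9), so for any other multiplier, and for the unidirectional replication and truncation types, the verifier falls back to the f(xs) = xr comparison of claim 7 instead of the f'(xr) = xs comparison of claim 1:

```python
"""Added example, not code from the patent or from Redpine Signals: a server-side
verifier for the user-selected passcode modification of paragraphs [0029]-[0040].
Function names, the registration record layout, the 120 s response window and
the 3-attempt error limit are this example's own assumptions."""
import hmac
import secrets
from math import gcd

MOD = 10  # digits are combined mod 10, as the description specifies


def to_digits(s):
    return [int(c) for c in s]


def to_str(d):
    return "".join(str(x) for x in d)


# Forward modifications f(.), one per type listed in paragraphs [0032]-[0037].
def offset(d, n):             # a) add n to every digit, mod 10
    return [(x + n) % MOD for x in d]


def transpose_pairs(d):       # b) swap each adjacent pair of digits
    out = list(d)
    for i in range(0, len(out) - 1, 2):
        out[i], out[i + 1] = out[i + 1], out[i]
    return out


def multiply(d, n):           # c) multiply every digit by n, mod 10
    return [(x * n) % MOD for x in d]


def replicate_first_half(d):  # d) 123456 -> 112233, length preserved
    return [x for x in d[: len(d) // 2] for _ in (0, 1)]


def truncate(d, k):           # e) keep the first k digits only
    return d[:k]


def barrel_right(d, k):       # f) right barrel shift by k positions
    k %= len(d)
    return d[-k:] + d[:-k]


# Reverse modifications f'(.) for the invertible types. A per-digit multiply
# is only invertible mod 10 when gcd(n, 10) == 1, i.e. n in {1, 3, 7, 9}.
INVERSE = {
    offset: lambda d, n: offset(d, -n),
    transpose_pairs: transpose_pairs,
    multiply: lambda d, n: multiply(d, pow(n, -1, MOD)),
    barrel_right: lambda d, k: barrel_right(d, -k),
}


def invert_chain(chain):
    """Build f'(.) for a chain of modifications (type g), applied in reverse
    order, or return None if any step is unidirectional."""
    inv = []
    for fn, args in reversed(chain):
        if fn not in INVERSE or (fn is multiply and gcd(args[0], MOD) != 1):
            return None
        inv.append((INVERSE[fn], args))
    return inv


def apply_chain(chain, d):
    for fn, args in chain:
        d = fn(d, *args)
    return d


def make_record(chain):
    """Registration-time record stored with the username: the forward chain
    and, where one exists, its inverse (the f'(.) of claim 1)."""
    return {"forward": chain, "inverse": invert_chain(chain)}


def verify_response(record, xs, xr, sent_at, now, window_s=120):
    """Steps 212-216: reject replies outside the response window or with
    non-digit content, then compare f'(xr) with xs when f'(.) exists,
    otherwise compare f(xs) with xr."""
    if now - sent_at > window_s or not xr or any(c not in "0123456789" for c in xr):
        return False
    sent, recv = to_digits(xs), to_digits(xr)
    if record["inverse"] is not None:
        got, want = apply_chain(record["inverse"], recv), sent
    else:
        got, want = apply_chain(record["forward"], sent), recv
    # Constant-time comparison so the position of a wrong digit is not timing-visible.
    return hmac.compare_digest(to_str(got), to_str(want))


def new_passcode(digits=6):
    return "".join(secrets.choice("0123456789") for _ in range(digits))


class SecondFactorSession:
    """Steps 210-222: one passcode in flight, an error counter, and a fresh
    passcode after each failed attempt (claim 15)."""
    MAX_ERRORS = 3  # assumed value of the max error count n of step 222

    def __init__(self, record, now):
        self.record, self.errors = record, 0
        self.xs, self.sent_at = new_passcode(), now   # step 210

    def attempt(self, xr, now):
        if verify_response(self.record, self.xs, xr, self.sent_at, now):
            return "authenticated"                       # step 218
        self.errors += 1                                 # step 220
        if self.errors >= self.MAX_ERRORS:
            return "failed"                              # step 222, back to 204
        self.xs, self.sent_at = new_passcode(), now      # resend, step 210
        return "retry"


if __name__ == "__main__":
    rec = make_record([(offset, (3,)), (transpose_pairs, ())])  # user chose "+3, then swap pairs"
    s = SecondFactorSession(rec, now=0)
    reply = to_str(apply_chain(rec["forward"], to_digits(s.xs)))  # what the user would type
    print(s.xs, "->", reply, s.attempt(reply, now=5))
```

Both comparisons are equivalent for any invertible f(.), so a server that stores only the forward modification can use the f(xs) = xr branch for every type; the inverse branch matters when the registration record stores only f'(.), as [0040] allows. Note that the replication and truncation types shorten the effective passcode (112233 and 1234 carry three and four digits of entropy respectively), which narrows the guess space that the error counter of step 220 has to protect.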

Claims

We claim:

1) A method for selection of a two-factor modifier, the method comprising: a login receiving a username and password and comparing the username to an associated password; a passcode modification selection whereby a selection of passcode modification f(.) is made, the passcode modification converting a randomly selected sent passcode xs into a modified passcode xr such that f(xs) = xr, the passcode modification f(.) being symmetrical and unique such that a reverse modification f'(.) exists for any y, and such that f'(f(y)) = y; sending a random passcode xs to a user; receiving a user response xr during a valid window of time; performing said reverse modification f'(.) on the user response xr using a reverse passcode modification associated with the username to produce f'(xr); comparing said f'(xr) with said xs; authenticating the user if said f'(xr) matches said xs and not authenticating the user otherwise.

2) The method of claim 1 where said sent passcode xs is a fixed number of numerical digits.

3) The method of claim 1 where said passcode modification is a mod 10 addition or subtraction to at least one passcode digit.

4) The method of claim 1 where said passcode modification includes a permutation of at least two passcode digits.

5) The method of claim 1 where said passcode modification includes a multiplication.

6) The method of claim 1 where said passcode modification includes a truncation or replication of at least one digit.

7) A method for authentication of a user in a system having associated for each user a password, a passcode modification, and a contact number, the method comprising: upon successful login with a username and password, sending a random passcode; upon receipt of a modified passcode from a user, performing a passcode modification to the random passcode previously sent; comparing the received modified passcode with the passcode modification to the random passcode previously sent; authenticating the user if said received modified passcode matches the previously sent random passcode after passcode modification according to the passcode modification associated with the user.

8) The method of claim 7 where said sent passcode xs is a fixed number of numerical digits.

9) The method of claim 7 where said passcode modification is a mod 10 addition or subtraction to at least one passcode digit.

10) The method of claim 7 where said passcode modification includes a permutation of at least two passcode digits.

11) The method of claim 7 where said passcode modification includes a multiplication.

12) The method of claim 7 where said passcode modification includes a truncation or replication of at least one digit.

13) The method of claim 7 where said passcode is sent to the contact number associated with said username.

14) A method for authentication of a user, the method comprising: a user login whereby upon receipt of a username and login password, a password associated with the username is compared to the login password, the authentication step rejecting the authentication if the password associated with the username does not match the login password; determining a message device identifier and a passcode modification associated with the username; sending a random passcode to the device identifier; receiving a user response in a duration of time; forming a passcode modification value by performing the passcode modification associated with the username on the previously sent random passcode; comparing the received user response with the passcode modification value; authenticating the user if the user response matches the passcode modification value and not authenticating the user if the user response does not match the passcode modification value.

15) The method of claim 14 where said not authenticating results in the sending of a new random passcode to the user and repeating said receiving a user response step, said comparing step, and said authenticating step.

16) The method of claim 14 where the reverse modification is a transposition of at least two digits.

17) The method of claim 14 where the reverse modification is the addition or subtraction of at least one constant from at least one digit.

18) The method of claim 14 where the addition or subtraction is performed mod 10 on at least one single digit.

PCT/US2018/022535 2017-03-15 2018-03-15 Two-factor authentication with user-selected passcode modification WO2018170192A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US201715459204A 2017-03-15 2017-03-15
US15/459,204 2017-03-15

Publications (1)

Publication Number Publication Date
WO2018170192A1 true WO2018170192A1 (en) 2018-09-20

Family

ID=63522564

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2018/022535 WO2018170192A1 (en) 2017-03-15 2018-03-15 Two-factor authentication with user-selected passcode modification

Country Status (1)

Country Link
WO (1) WO2018170192A1 (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7058613B1 (en) * 1999-04-21 2006-06-06 Fujitsu Limited Device and method for user identification check based on user-specific formula
US20150163218A1 (en) * 2013-12-09 2015-06-11 Ram Balasubramaniam MOHAN Authentication utilizing a dynamic passcode from a user-defined formula based on a changing parameter value

Similar Documents

Publication Publication Date Title
US8918849B2 (en) Secure user credential control
Madhusudhan et al. Dynamic ID-based remote user password authentication schemes using smart cards: A review
JP5058600B2 (en) System and method for providing contactless authentication
US7769999B2 (en) Method and system for remote password based authentication using smart cards for accessing a communications network
JP2013509840A (en) User authentication method and system
EP2572489B1 (en) System and method for protecting access to authentication systems
Archana et al. Survey on usable and secure two-factor authentication
CN102457491B (en) Dynamic identity authenticating method and system
Singh et al. A 3-level multifactor Authentication scheme for cloud computing
Touil et al. H-rotation: secure storage and retrieval of passphrases on the authentication process
Kassim et al. Procurepass: A user authentication protocol to resist password stealing and password reuse attack
Jo et al. Mindmetrics: Identifying users without their login IDs
WO2018170192A1 (en) Two-factor authentication with user-selected passcode modification
Umadevi et al. Stronger authentication for password using virtual password and secret little functions
Eldow et al. Literature review of authentication layer for public cloud computing: a meta-analysis
D'Mello An Alternative Approach in Generation and Possession of Backup Codes in Multi-Factor Authentication Scheme
Soni et al. Provably secure and biometric-based secure access of E-Governance services using mobile devices
KR20090013616A (en) Server certification system and method using server certification code
Singh et al. Lightweight cryptography approach for multifactor authentication in internet of things
Sudhakar et al. Secured mutual authentication between two entities
Gu et al. Cryptanalysis and improvement of a biometrics-based multi-server authentication protocol
WO2023197379A1 (en) Identity authentication system and method
Devanapalli et al. Security analysis of Three-Factor Authentication Protocol Based on Extended Chaotic-Maps
EP2523140B1 (en) Secure user credential control
US20230104633A1 (en) Management system and method for user authentication on password based systems

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 18767475; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 18767475; Country of ref document: EP; Kind code of ref document: A1)