The present invention satisfies the need of authenticating a user without the use of tokens or biometrics.
Information relevant to attempts to address this problem can be found in U.S. Pat. Nos. 5,367,572; 6,557,104; 6,842,105; 7,363,494; and 7,380,708; and EP1445917; which are not admitted to be prior art with respect to the present invention by their mention in this Background Section. However, it is desirable to have better apparatuses and/or methods than what is disclosed in the identified references. Relevant fields of art include 235/382, 705/72, 713/183 and 726/17, 21 and 28.
There are three types or “factors” of information used to authenticate a user: what you know, what you have, and who you are. What you know includes passwords. What you have includes tokens, which may produce passwords. Who you are includes biometrics. Authorities are now recommending the use of “multifactor authentication.” In this type of process, measures from more than one type of authentication are combined. For example, a token such as an ATM card is used with a password or PIN. The present invention in its simplest form is a single-factor system and method. It uses passwords only, falling into the type “what you know.” However, it can also function with or approximate a multifactor system. It can function with ATM cards and other cards, replacing or supplementing their passwords. In addition, the time-varying code, by its variable nature, differs from fixed passwords and PINs, such that it approximates the function of a token.
One type of password-only system uses one-time passwords. One-time passwords are typically produced by or stored on tokens, such as with InCard Technologies' DisplayCard. DisplayCard is a credit card that contains electronic circuitry and that sports a button and a display. When the card holder—or anyone else—pushes the button, the card displays a one-time password. The user submits the one-time password with his purchase approval, and the bank compares it with what it is expecting. The system does nothing to ensure that the user is the bona fide card holder. It ensures only that the card is in a user's possession. The present invention does not utilize one-time passwords.
Other types of password-only systems utilize tokens that provide what are effectively one-time passwords, often to be used in conjunction with a PIN. As discussed in U.S. Pat. No. 7,380,708, there exists a “prior art system” that uses a token synchronized with a supplier's hardware and software. The token produces a new password every sixty seconds, to which the user appends his Personal Identification Number (PIN). The token's password is hidden and the appending is automatic. The PIN is not an auxiliary code, and it is not time varying. It is simply a PIN. This system also does nothing to ensure that the user is the bona fide card holder. The present invention does not utilize tokens. The present invention utilizes a code that is generated not on a local token but on a remote server. Tokens need to be synchronized with the authentication server. The present invention requires no such synchronization, because it requires no token. The present invention performs the same function as inventions with tokens, that is, it provides an extension to the PIN or password, but it eliminates the token and the synchronization required with such a token.
The present invention also requires the user to manually retrieve the auxiliary code, because he enters it manually when authenticating himself.
The user of the present invention may retrieve his auxiliary code with a fungible communications device, that is, through any telephone, or any computer connected to the Internet. In any case he retrieves the code from the central electronic authentication system, not from a local device or token in his possession. The code is generated at the central electronic authentication system, not at a local device or token in his possession.
The present invention authenticates the user at a central electronic authentication system, not at the user interface.
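A constructed model of the central electronic authentication system described above, added here as an example that is not part of the patent or of any implementation of it: the auxiliary code is generated per user and per time interval on the server, the user retrieves it manually, and verification of PIN plus code happens centrally. The sixty-second interval, PIN-gated retrieval, and the one-interval grace period for a code fetched just before rollover are assumptions.

```python
import hmac
import secrets
import time

INTERVAL_SECONDS = 60  # assumed length of one auxiliary-code interval


class CentralAuthSystem:
    """Server-side model: codes are random per (user, interval) and live only
    here, so no token and no clock synchronisation with the user is needed."""

    def __init__(self, interval=INTERVAL_SECONDS, clock=time.time):
        self.interval = interval
        self.clock = clock          # injectable clock so the model is testable
        self.pins = {}              # user -> PIN (assumed; hash it in real use)
        self.codes = {}             # (user, interval index) -> auxiliary code

    def enroll(self, user, pin):
        self.pins[user] = pin

    def _index(self):
        return int(self.clock()) // self.interval

    def _prune(self, idx):
        # Forget codes older than the assumed one-interval grace period.
        for key in [k for k in self.codes if k[1] < idx - 1]:
            del self.codes[key]

    def _pin_ok(self, user, pin):
        return user in self.pins and hmac.compare_digest(self.pins[user], pin)

    def retrieve_code(self, user, pin):
        # Manual retrieval over any phone or Internet connection; the channel
        # itself is outside this model. Assumes the PIN identifies the caller.
        if not self._pin_ok(user, pin):
            return None
        idx = self._index()
        self._prune(idx)
        # Generated lazily and randomly: a code that was never retrieved never
        # exists, so it cannot be used by someone who only knows the PIN.
        return self.codes.setdefault((user, idx), f"{secrets.randbelow(10**6):06d}")

    def authenticate(self, user, pin, code):
        # Verification is done here, at the central system, not at the terminal.
        if not self._pin_ok(user, pin):
            return False
        idx = self._index()
        self._prune(idx)
        for candidate in (idx, idx - 1):   # current interval plus grace interval
            expected = self.codes.get((user, candidate))
            if expected is not None and hmac.compare_digest(expected, code):
                return True
        return False
```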
U.S. Pat. No. 6,842,105 discloses a lockbox that can be programmed to require, in addition to the standard key identifier code, a four-digit permission code. The four-digit permission code does not vary with time. In analogy with the present invention, the four-digit permission code is an auxiliary code. Rather than a fungible communications device, the user needs a proprietary electronic device programmed with his key identifier code to communicate with the lockbox. The key identifier code is transmitted via an infrared link to the lockbox. The user types the four-digit permission code into the proprietary device.
U.S. Pat. No. 5,367,572 utilizes a device in possession of the user to generate automatically a one-time code, which is then mixed automatically with the PIN. The user does not see the one-time code. The verification computer then either strips the one-time code from the PIN, or combines them, to authenticate the user. The point of the one-time code is to mask the PIN from eavesdroppers. In analogy with the present invention, the one-time code is an auxiliary code.
U.S. Pat. No. 6,557,104 duplicates the function of a smart card but it eliminates the smart card. The invention stores a cryptographic key on a removable data storage device or “token.” The storage device is then connected to a computer by the user. The key is read by the computer only when the computer is operating in a secure mode, that is, in which it cannot be interrupted by other interrupts. The computer then reads the key into secure memory. The user may then be prompted to enter a PIN to unlock the key. The user may now request cryptographic services as if the smart card were attached to the computer. The embodiment with the PIN ensures that the user is bona fide. The system still requires the token, that is, the removable data storage device, albeit only to load the key. The key is not time-varying. The user does not see the key, which is an encrypted digital key and thus is not susceptible of manual typed entry by a user. In analogy with the present invention, the key is an auxiliary code.
U.S. Pat. No. 7,363,494 utilizes a user authentication device in possession of the user loaded with a program that computes an authentication code. The program takes as input a secret such as a key, a dynamic value, a PIN value, a generation value, and a verification identification value, and combines them. Except for the PIN, these values are automatically provided and are hidden from the user. The dynamic value is constant for a given time interval, but the generation value changes with generation attempts within the time interval. The time intervals discussed in the embodiments are a minute and an hour. In analogy with the present invention, the dynamic value is an auxiliary code. The point of the invention is to mask the PIN against eavesdroppers.
U.S. Pat. No. 7,380,708 utilizes a portable secure device, that is, a token, to scan an image or video. The device extracts authentication information from the image or video, which the user may then key in to gain access to the website etc. In analogy with the present invention, the authentication information is an auxiliary code.
In EP1445917 the user supplies, besides his regular username and password, an additional, randomly generated password (one-time code), which is sent to his mobile phone number by the identification system in the form of an SMS message after the identification system receives the regular username and password from the user. The code is generated and authenticated by a central electronic authentication system; it is manually communicated to the user using a fungible communications device; and it is manually input by the user. However, the code is not manually retrieved by the user; it is sent to the user. Moreover, the code is sent to the user during the transaction; the user does not possess the code prior to the transaction. That means that the user has to wait, possibly with a line of people behind him, for a telephone call before he can finish the transaction; he has to have a cell phone; and he has to have cell phone service, which he might not have, for example, if he is far from home or in a foreign country. The invention also requires two electronic transactions, the first with his regular username and password and the second with the new one-time password.