The most commonly understood realm in this field refers to traditional user access from a fixed or mobile electronic computing device (desktop, laptop, mobile, smart phone, tablet, handset, remote control) to a website, application, service, display, server or network utilizing a username and password, cookie, token or single-sign-on to identify the user and then some additional method of verification through a second or third factor, out-of-band (OOB) message, shared secret, physical token, certificate, 2D code scan or near-field communication protocol.
Another area commonly understood in this field is the area of synchronous peer-to-peer communication and interaction between two users from fixed or mobile electronic computing devices via chat, instant message, streaming audio conferencing, streaming video conferencing, gaming, social networking, transmission of resources or data by email, SMS, or FTP.
Another area commonly understood is the asynchronous access or distribution, download, streaming of shared resources between or among two or more users on fixed or mobile electronic computing devices across intermediary cloud storage, social networks, blogs, websites, games, content providers and mobile apps.
Another area commonly understood is the area of payments or the verification of a payment, consumption, download, interaction or approval by or for a user to another user for an asset or access to an asset, across a third party payment system, requiring some level of entitlement or authorization. In any or all of the above, the act of identification or authentication of one or more users, the computing device, the session, the website, application, server, location, asset and/or the context itself, is required.
Another area commonly understood is the area of electronic wearable user authentication whereby a user donning a wearable device with appropriate sensors and communication capabilities can sense, verify and report the authenticity of the wearer to him or herself, a session, another device or a general contextual situation requiring such validation and authenticity for the purposes of allowing or denying physical access, digital access, consummation of a transaction, digital payment, file download, session access, login, file stream, mutual validation of another human and/or machine, access to or operation of an automobile or other equipment, devices, terminals or machines requiring verification for permission to access, engage, interact or operate.
The present invention discloses a new, novel and patentable system and method that offers a superior solution in the field, science, and area of electronic authentication.
One of the problems solved by this new invention is that traditionally, user and mobile device authentication has never addressed the ability for users to authenticate and authorize other users on mobile devices or wearable devices via direct or indirect networked communication or across shared third-party platforms like social networks, email, cloud storage and peer-to-peer e-commerce, streaming media sites, mobile devices, wearable devices, servers or payments without depending upon or requiring third party host cooperation and/or host service security platform interaction. It was either too costly or too cumbersome to scale and be adopted ubiquitously by the marketplace to protect users, sites, devices, and sessions in this manner or lack of commercial permission prevented such capabilities from being possible. Current authentication methods and systems do not meet security challenges modern hackers pose nor do they have the simplicity, usability, seamlessness or privacy demands that mobile users require. Contemporary multi-factor or two-factor solutions fail to recognize and exploit the fact that user security is a fabric, not a thread. They also ignore the fact that user identities belong to users, not sites, and the user must be able to control the security of its privacy and its resources among peer to peer interactions across host platforms. This ignorance of contextual realities among devices, sites, users, apps, and networks in business critical and social environments, as well as the costs and implementation details involved, leaves most solutions and the current references disclosing those solutions woefully unable to meet the authentication security challenges at hand and offer no capabilities for users to verify other users who access or interact with their session, resources, content or identity. 
Additional methods that attempt to collapse the acts of identification and authentication into a single process inherit the same liabilities as any other single point of failure of federated systems, regardless of the sophistication or novelty of the flow, and still require participation by the third party identity platforms. In addition, no solution provides the ability for peers to independently authenticate each other without the intercession of the host site, service, app or federation. The challenge has been to balance these market needs of real security advancement with innovative usability, privacy, scalability and low cost. The growing market and the growing ecosystem of users, devices, internet-of-things, mobile transactions and general digital trust lies with the crowd, not the cloud.
The ideal achievement or solution would be to design something to simply, accurately, securely, and privately authenticate a context of multiple layers of credentials or factors amongst peer users and devices, a server or service, a network, or a user on a fixed or mobile or wearable device taking into account the location, proximity, relationship or association, behaviors, knowledge or attributes of any or all of the above. The structure of the authentication process may be peer-to-peer, client-to-server, server-to-server or hybrid architecture. The expectation of, and requirement for, privacy, usability, accuracy, simplicity, and strength is and should be the same in all scenarios.
The challenge is to accomplish this simple, mutual, contextual verification between or among users and their mobile devices without depending upon or exposing the process to the traditional security solution shortcomings, such as: cost, lack of privacy, lack of personal intent or voluntary control or influence, interception, replay, usability, reliance upon the user skill, encryption, obfuscation, information seeding, centralized administration, federated identity assumptions, presentation or combined submission and/or transmission of credentials across known or predictable channels, sequential and discrete inspection and evaluation of isolated credentials, unilateral authoritative decision making about the context result status and compliance, permission or participation from intermediary networks, sites, apps or protocols. Traditionally, discrete and private elements about the user, device or session had to be paired with their meanings (key-value pairs), encrypted and sent to a back-end server for verification against a stored copy of the same credentials—no matter how novel the route they take to process. This legacy capture-and-forward approach inappropriately collapses the independent notions of identification (self-reported) and authentication (externally verified) thus exposing the users' private identity information to capture, replay, prediction, theft or misuse in service of their verification—and is a poor candidate for a robust, socially aware, peer-to-peer solution.
The second challenge is to utilize the mobile or wearable electronic device in a peer-to-peer security context for what it is designed for and capable of: being an interactive extension to and participant within the context of the user, site/app and session authentication. Previous incarnations of “bring your own device” (BYOD) or mobile or wearable device authentication treated the mobile computing device as simply a “capture and forward” apparatus. The device is used to capture, decode and forward on credentials, biometric data, keys or tokens, as opposed to participating in the context in a manner of which it is capable. The previous inventions merely relegated the mobile device to being a camera and a hard drive, a secure element storing obfuscated keys or simple cookies and forwarding them along to the back-end authoritative server for a standard password lookup-and-match approach. This new innovation can be termed “authenticated reality”, whereby the mobile device is used to interact with the fabric of the user, environment, location, proximity, behavior and real-world context of the session in a manner that securely, privately and easily revolutionizes the traditional authentication process in a user-to-device, user-to-user and device-to-device manner.
The third challenge is to involve the user in a way never before accomplished with respect to their authentication. Previous innovations and security solutions were seen as layers or cumbersome steps in the end-user security flow. Users had to respond to certain challenges, maintain custody of bespoke hardware or software credentials, tokens, keys, certificates or select recognizable visual, audible, mathematical or textual components from a number of interfaces and prompts directed by a singular site or per-host security policy. The user has never historically been in control of the complexity, sophistication, application, components, context or essence of their authentication credentials or process, but merely responsible for responding or regurgitating those components or steps at the request of the host website or application. The rise of user-side hacking, along with the proliferation of mobile and wearable devices and expanding user-to-user interaction online, has resulted in a necessary shift away from a host-server-side, shared-secret, patriarchal view of authentication security towards a more interactive, user-focused approach. The user must have interactive control of the depth, manner, method, makeup and personalization of their authentication security in a way that is stronger, contextual and more effective than previous techniques, but also simpler, more elegant and highly usable.
The fourth challenge represents the culmination of all of these challenges in creating both a synchronous and asynchronous peer-based multi-factor authentication solution between or amongst end users on mobile devices that affords users the ability to independently identify, authenticate and authorize each other, shared resources, access and identity across yet independent of third party platforms and network systems or identity protocols as an added layer of defense in depth, just as host sites and services have traditionally achieved. This level of control and trust achieved via a simple, seamless, mobile peer authentication mechanism would revolutionize the modern mobile and wearable security space, giving identity power and privacy back to the end users to whom they belong and opening up infinite opportunities to trust, interact, transact and protect an increasing amount of network, social, mobile, app and cloud-based activities, events and capabilities.
A fifth and final challenge involves the Internet of Things (IoT) whereby users can also authenticate and trust other devices, users and wearables on a peer-to-peer level, without intercession, permission or participation from centralized platforms or a sole reliance on federated identity mechanisms to accomplish, authorize or officiate such verification. In a sense, the challenge is to achieve a truly orthogonal, democratized authentication based on dynamic, private and interactive factors as well as digital and physical context verification, in real time, between and among user and device endpoints rather than prescriptive, centralized security policies and enforcement. This fabric of trust may operate alongside, over-and-above or in lieu of existing identity security policy and technology it is meant to supplement, complement or replace from the peer to peer user or device perspective.
The sum total of these challenges has represented the barrier to ubiquity that has never been overcome by prior art. The realization that there is not and has never been a single, successful, ubiquitous approach to interactive user authentication in the field speaks volumes to the shortcomings of prior art, innovations and implementations. There is no obvious and de facto technique adopted in the field of peer-to-peer mobile and wearable multi-factor authentication that simultaneously solves the security, usability and interactivity challenges stated herein.
The solution goal would be to achieve the successful peer-to-peer context verification and authentication of all parties and factors while remaining immune to threats, hacks, interception, replay, compromise, prediction, collusion, false results or any of the process, method or implementation liabilities described above and irrespective of or in addition to the authentication security policies of intermediary sites, networks, platforms or protocols. In addition, the secondary problems being solved are to embrace privacy, usability, achieve potential ubiquity with low-tech or no-tech integration and elevate the user's mobile or wearable device to an interactive member of the authentication algorithm, not just an involuntary, passive scan, ping, push, probe, decode and forward component in the flow, while giving the peer users voluntary and direct additional, personal control over their security via self-selected and “performed” location/behavior/custom factors, independent from and above native platform security requirements.
Although there are many related, relevant references within the field of the present invention, these references tend to fall into a definable set of inadequate approaches dating back to the security notions from the early to mid-20th century. The advent of mobile technology has unleashed a series of new art and innovation that utilizes the mobile sensing, processing and transmission capabilities of the mobile computing devices. Unfortunately, most of the relevant references embody these multi-purpose innovations within stale authentication paradigms, models of shared-secret, security by obscurity and flat, non-context-aware, unidirectional processing, regardless of their out-of-band (OOB) characteristics or flow.
The following is a representative selection of relevant references that are inferior to the present invention, have significant deficiencies, and fail to solve the problems solved by the present invention.
Application/Patent/Serial Number | Title | Named Inventor
--- | --- | ---
U.S. Pat. No. 8,156,332 | Peer-to-Peer Security Authentication Protocol | Simon, Steven Neil
U.S. Pat. No. 8,510,820 | System and method for embedded authentication | Oberheide, Jon; Song, Douglas; Goodman, Adam
WO 2000/075760 | Authentication to a Service Provider | Haruhiko Sakaguchi, others (Sony)
U.S. Pat. No. 7,870,599 B2 | Multi-channel device utilizing a centralized out-of-band authentication system (COBAS) | Ram Pemmaraju
U.S. Pat. No. 7,293,284 B1 | Codeword enhanced peer-to-peer authentication | Bartram, Linda; Sawadsky, Nicholas
US 20110283337 A1 | Method and system for authenticating network nodes of a peer to peer network | Schatzmayr, Rainer
US 2011/0219427 A1 | Smart Device User Authentication | Hito, Gent; Madrid, Tomas Restrepo
August 2010, Journal of Networks, Vol 5, No. 8 (PDF) | A Novel User Authentication Scheme Based on QR Code | Kuan-Chieh Liao, Wei-Hsun Lee
2009 Fifth International Joint Conference on INC, IMS and IDC | A One-Time Password Scheme with QR-Code Based on Mobile Phone | Kuan-Chieh Liao, Wei-Hsun Lee, others
http://connectid.blogspot.com/2005/11/qr-codes-for-two-factor-authentication.html (2005) | QR Codes for Two-Factor Authentication | Madsen, Paul E.
US 2004/0171399 A1 | Mobile Communication Terminal, Information Processing Method, Data Processing Program, And Recording Medium | Motoyuki, Uchida, others
2009 International Conference on Availability, Reliability and Security | QR-TAN: Secure Mobile Authentication | Guenther Starnberger, others
Stanford University Security Workshop, Apr. 30, 2010 (published) | Snap2Pass: Consumer Friendly Challenge-Response Authentication with a Phone (QR) | Ben Dodson, Debangsu Sengupta, Dan Boneh, Monica S. Lam
U.S. Pat. No. 8,181,234 B2 (May 15, 2012) | Authentication System in Client-Server System And Authentication Method Thereof | Natsuki, Ishida (Hitachi)
WO 2004/008683 | Automated Network Security System Method | Engler, Haim
U.S. Pat. No. 8,943,306 | Methods, systems, and computer readable media for designating a security level for a communications link between wireless devices | Martin, et al.
U.S. Pat. No. 8,942,733 | System and method for location based exchanges of data facilitating distributed location applications | Johnson, William
These relevant references have relied upon four primary modes of authentication above username/password, single-sign-on (SSO) or federated peer-to-peer identification:
- seed and read (store credentials or certs on the device and reference them upon subsequent auth)
- scratch and match (script-based dynamic browser/device recognition, cookies)
- ring and ping (out-of-band, one-time passwords or tokens, shared secrets, PINs)
- sense, decode and forward (QR-code or 2D image, sound or other sensing-based model to capture a code, match it with a seeded credential and forward it to the back-end server for lookup and match)
In addition, the prior art has also relied upon these traditional yet insufficient methods to approach peer-related authentication functionality:
- three-party system approaches whereby users' trust of other users comes at the behest of the centralized authority to dole out and dictate simulated peer-to-peer communication or trust, when the actual verification is merely a mediated experience based on pre-existing policy
- peer-to-peer validation that only functions synchronously, as opposed to asynchronously, and depends solely upon the host site security policies, identity mechanisms and verification capabilities
- peer-to-peer authentication that relies upon pre-trusted, pre-seeded fixed endpoints, or synchronous verification of digital certificates or session sockets, not content
Specifically, the shortcomings of the relevant references listed above fall under these areas:
- no user control over peer authentication initiation, process or flow
- no peer-to-peer capability for validation, verification and authorization
- no independent, asynchronous authentication capabilities across third-party networks
- user reliance upon the host identity mechanisms and policies to trust other users
- no user initiation of the trust event without host participation or permission
- no ability for a user to independently authenticate another user or a user's device
- requires out-of-band mechanisms to deliver one-time codes to as yet untrusted devices
Various embodiments disclosed in the relevant references have failed to adequately resolve the present security needs, as evidenced by the ongoing successful security attacks. In addition, the solutions proposed in the relevant references fail to solve the following problems, which are solved by the present invention, namely:
(a) authentication is traditionally shared-secret, static, and subject to interception, replay or prediction based on persistent information obfuscated by encryption or session flavoring;
(b) authentication security is expensive, cumbersome, and difficult for users to understand or use;
(c) authentication relies on obfuscation, encryption, user skill or secrecy to be effective;
(d) credentials are usually fixed, sequential and single-mass in depth, intelligence and context;
(e) security information flows backwards, over primary, predictive or known channels such as the browser, together as key-value pairs, towards the unilateral authority in the process;
(f) authentication decisions rely upon a unilateral observation, interrogation, lookup-match;
(g) secret data is often delivered over secure OOB channels, only to have the user or device erroneously re-insert that data back over the primary, unsecured channel for verification;
(h) secret OOB data is often sent to re-establish authentication, but arrives via email or SMS to a device that may be in the wild, compromised but still able to receive such data;
(i) the user assumes all risk/responsibility, but has no control over enhancing, modifying, or improving security over and above what the authoritative source requires or allows;
(j) security requires re-identification of the user, mixing credentials in the channel;
(k) authentication security is risky when using a mobile device whose integrity is unknown;
(l) to date, there has been no ubiquitous solution to offer defense-in-depth authentication on top of username/password, single-sign-on (SSO) or federated identity management;
(m) defense-in-depth is often relegated to additional passwords or secrets;
(n) wearable solutions represent only store-and-forward, secure-element-based validation;
(o) the lack of contextual approaches whereby all factors are simultaneously assessed as a composite signature, without revealing the underlying components or data;
(p) template approaches have been static containers for traditional literal factor gathering; and
(q) no private, autonomous, asynchronous peer-to-peer verification and authentication mechanisms via mobile devices exist or have been supported by prior art.
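The capture-and-forward weakness described above (a fixed key-value credential tag sent to a back-end for lookup and match, and item (a) in the list) can be made concrete. The following is an added illustration, not code from the application or from any of the cited references: it places a legacy verifier that accepts the same static tag every time beside a challenge-response verifier that binds a server-issued, single-use, time-limited nonce into the tag, and shows that a recorded message is accepted again by the first and rejected by the second. The user name, the per-user key, the HMAC construction and the class and function names are all assumptions made for the example; the per-user shared key is kept deliberately so that only the replay point differs between the two flows.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed sample data for the demonstration (not taken from the page).
USER = "alice"
SECRET = b"constructed-per-user-key"


# --- Legacy "capture and forward": a fixed tag over key-value credentials ---
def legacy_client_token(user: str, secret: bytes) -> bytes:
    """The client's static credential: an HMAC over fixed key-value pairs.
    Nothing in it changes between logins, so an intercepted copy is as good
    as the original."""
    return hmac.new(secret, f"user={user}".encode(), hashlib.sha256).digest()


class LegacyVerifier:
    """Back-end lookup-and-match against the stored copy of the credential."""

    def __init__(self, db: dict):
        self.db = db  # user -> stored key (constructed)

    def verify(self, user: str, token: bytes) -> bool:
        secret = self.db.get(user)
        if secret is None:
            return False
        expected = legacy_client_token(user, secret)
        return hmac.compare_digest(expected, token)


# --- Challenge-response: a server nonce is bound into the tag, single use ---
def challenge_response(user: str, nonce: str, secret: bytes) -> bytes:
    """The client's answer depends on the fresh server nonce."""
    msg = f"user={user}&nonce={nonce}".encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()


class ChallengeVerifier:
    """Issues one-time nonces and rejects any answer that reuses one or arrives late."""

    def __init__(self, db: dict, ttl_seconds: int = 60):
        self.db = db
        self.ttl = ttl_seconds
        self.pending = {}  # nonce -> (user, issued_at)

    def issue_challenge(self, user: str, now: Optional[float] = None) -> str:
        nonce = secrets.token_hex(16)
        self.pending[nonce] = (user, time.time() if now is None else now)
        return nonce

    def verify(self, user: str, nonce: str, response: bytes,
               now: Optional[float] = None) -> bool:
        entry = self.pending.pop(nonce, None)  # consumed on first use, valid or not
        if entry is None:
            return False
        issued_for, issued_at = entry
        current = time.time() if now is None else now
        if issued_for != user or current - issued_at > self.ttl:
            return False
        secret = self.db.get(user)
        if secret is None:
            return False
        expected = challenge_response(user, nonce, secret)
        return hmac.compare_digest(expected, response)


def demo() -> dict:
    """Run both flows with a recorded message presented a second time."""
    db = {USER: SECRET}

    legacy = LegacyVerifier(db)
    captured_token = legacy_client_token(USER, SECRET)   # what an observer of the channel sees
    legacy_first = legacy.verify(USER, captured_token)
    legacy_replay = legacy.verify(USER, captured_token)   # same bytes, accepted again

    cr = ChallengeVerifier(db)
    nonce = cr.issue_challenge(USER)
    captured_response = challenge_response(USER, nonce, SECRET)
    cr_first = cr.verify(USER, nonce, captured_response)
    cr_replay = cr.verify(USER, nonce, captured_response)  # nonce already consumed

    return {
        "legacy_first": legacy_first,
        "legacy_replay_accepted": legacy_replay,
        "challenge_first": cr_first,
        "challenge_replay_accepted": cr_replay,
    }


if __name__ == "__main__":
    print(demo())
```

The nonce is removed from the pending table before the answer is checked, so a wrong answer also consumes it and the client has to ask for a new challenge; the `now` parameter exists only so the expiry path can be exercised deterministically. The block does not address the application's separate objection to shared secrets as such: both verifiers still hold a copy of the user's key, and what changes is only whether a recorded message stays valid.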
Specifically, solutions proposed in the relevant references attempting peer-to-peer authentication across fixed or mobile devices, namely prior art U.S. Pat. No. 8,156,332 (Simon) and the like, are insufficient due to the following limitations and inferior methods:
(a) reliance upon static, embedded credentials on the remote mobile devices;
(b) reliance upon fixed, known or pre-trusted and registered endpoints;
(c) lack of peer control to initialize authentication without a central host site or service;
(d) static interrogation of fixed or pre-seeded credentials on devices to achieve authentication; and
(e) lack of consideration of the power and capability of the peer mobile devices.
Specifically, solutions proposed in the relevant references using encoded QR (Quick Response) images and mobile device scanning to identify or authenticate a user or device, namely prior art US 2011/0219427 (Hito, Madrid) and the like, are insufficient due to the following limitations and inferior methods:
(a) reliance upon heavily encoded, encrypted, or obfuscated content within the image or code;
(b) reliance upon expensive, static, seeded, embedded credentials on the mobile device;
(c) reliance on a separate set of those credentials above in (b) being deployed, seeded, managed;
(d) unidirectional flow of the object scan transmitted towards the authoritative back end;
(e) the store-and-forward approach denies the process interaction and richer context;
(f) the reliance on code encryption requires equal and opposite decryption;
(g) co-mingling of identity and authentication data provides numerous opportunities to hack;
(h) improper triangulation, interrogation, measurement and interdependent decision making with respect to the source, integrity and status of the authentication context; and
(i) failure to engage the user, device, session context, location and behavior factors.
Thus, what is needed is a method and system that overcomes the deficiencies in the systems currently available. This invention solves these problems and represents new, novel and patentable innovation in the space of peer-to-peer authentication on a mobile device.