Field of the Invention
The present invention relates generally to devices for identifying and authenticating users to other users by shaped-outline colorgram tokens. For example, a matrix of colorgram cells arranged inside a recognizable trademark outline of Pegasus, the winged flying horse, can identify the products and services of a particular chain of gas stations.
Description of Related Art
So-called QR-code icons are appearing everywhere; they are meant to act as invitations and access keys in advertisements and retail shops, so that smartphone-equipped users can download product information, company information, sales locations, etc. The typical QR code is black and white, square, unattractive, and not identified with any one company or product. It is not the type of thing that would ordinarily catch the eye of the average American consumer.
The methods commonly employed to identify and authenticate users of mobile electronic appliances have generally not reached the security levels required for non-trivial financial transactions. Even the common two-factor authentication that requires a payment card and a personal identification number (PIN), as what-you-have and what-you-know factors, has been subject to fraud and other abuses. On-line, card-not-present transactions have been even more difficult to secure.
The average user is unable to remember complex passcodes. But a high degree of complexity is needed when passcodes are used to derive the cryptographic keys that secure transactions and authenticate users; such keys typically have a minimum entropy requirement of 112 bits. Such users are also overly challenged when required to have a different passcode for every secure website they visit. Most users simply reuse a few favorite passcodes and then do not change them often enough. Such passcodes are thus easily compromised by brute force, or by carrying a passcode captured in an attack on one website over to another.
Authentication factors are manifested in data collections that can be used to authenticate or verify the identity of an individual. Two-factor authentication employs two different authentication factors to increase the level of security beyond what is possible with only one of the constituents. For example, one kind of authentication factor is what-you-have, e.g., a credit card, the SIM card typical of many mobile devices and Personal Trusted Devices (PTDs), or another type of object that is unique and difficult to duplicate. Another type of authentication factor is what-you-know, such as a user passcode, a PIN like those used for accessing ATMs at banks, a zip code, or other pieces of personal and private information. A third kind of authentication factor is who-you-are, for example a personal signature, a voice sample, a fingerprint, an iris scan, or another type of biometric.
Using more than one authentication factor results in what is sometimes called “strong authentication” or “multi-factor authentication.” The most common form of strong authentication uses just two different factors, what-you-know and what-you-have.
Barcodes and conventional one- or two-dimensional (1D, 2D) codes do not have the data storage capacity needed to make an effective what-you-know security factor out of them. They have typically been used for serial numbers and stock-keeping-unit identifiers. Such traditional devices are so limited that they cannot be expected to carry much information. This is usually due to standardized geometries that cannot easily be scaled, and to the standardized use of black and white spaces to delineate data elements, which yields at most one bit per cell.
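As an added illustration that is not part of this application, the entropy budget behind both the passcode paragraph above (112-bit minimum, short passcodes) and the code-capacity paragraph just above (one bit per black-or-white cell) reduces to one formula: count × log2(alphabet size). The Python below applies it to passcode alphabets and to colorgram cell palettes (the 8- and 16-color palette sizes are assumed, chosen for illustration, not figures from the application), and then runs a key derived by PBKDF2 from a constructed 4-digit PIN through an exhaustive search, showing that a key derivation function slows each guess but cannot add entropy that a short passcode never had.

```python
import hashlib
import hmac
import math


def symbol_capacity_bits(alphabet_size: int, count: int) -> float:
    """Capacity of `count` independent, uniformly random symbols drawn from
    an alphabet of `alphabet_size` values: count * log2(alphabet_size).
    The same formula covers passcode characters and colorgram cells."""
    if alphabet_size < 2 or count < 0:
        raise ValueError("alphabet_size must be >= 2 and count >= 0")
    return count * math.log2(alphabet_size)


def symbols_needed(target_bits: int, alphabet_size: int) -> int:
    """Smallest number of symbols whose capacity reaches target_bits."""
    if alphabet_size < 2:
        raise ValueError("alphabet_size must be >= 2")
    return math.ceil(target_bits / math.log2(alphabet_size))


# The 112-bit minimum cited in the text.
TARGET_BITS = 112

# Passcode alphabets: digits, lowercase letters, printable ASCII.
PASSCODE_ALPHABETS = {"digits": 10, "lowercase": 26, "printable ASCII": 95}

# Cell alphabets: black/white is the conventional code; the 8- and 16-color
# palettes are assumed sizes chosen for illustration only.
CELL_PALETTES = {"black/white": 2, "8 colors": 8, "16 colors": 16}


def derive_key(passcode: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 key derivation. Iterations slow down each guess
    but cannot add entropy the passcode never had."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt,
                               iterations, dklen=32)


def brute_force_pin(target_key: bytes, salt: bytes, iterations: int,
                    digits: int = 4):
    """Exhaust every `digits`-digit PIN against a derived key.
    Returns (pin, guesses) on success or (None, guesses) on failure."""
    space = 10 ** digits
    for guess in range(space):
        pin = f"{guess:0{digits}d}"
        if hmac.compare_digest(derive_key(pin, salt, iterations), target_key):
            return pin, guess + 1
    return None, space


def budget_table(target_bits: int = TARGET_BITS) -> dict:
    """Symbols needed to reach target_bits for each passcode and cell alphabet."""
    table = {}
    for name, size in {**PASSCODE_ALPHABETS, **CELL_PALETTES}.items():
        table[name] = symbols_needed(target_bits, size)
    return table


if __name__ == "__main__":
    for name, n in budget_table().items():
        print(f"{name:>15}: {n} symbols for {TARGET_BITS} bits")
    # Constructed example: a 4-digit PIN run through the KDF with a low
    # iteration count so the exhaustive search finishes quickly.
    salt = bytes(16)           # fixed salt, for a reproducible demo only
    key = derive_key("4721", salt, iterations=100)
    pin, guesses = brute_force_pin(key, salt, iterations=100)
    print(f"recovered PIN {pin} after {guesses} guesses "
          f"({symbol_capacity_bits(10, 4):.1f} bits of entropy)")
```

Thirty-four random digits or eighteen random printable characters reach 112 bits, which is why users cannot be expected to memorize such a passcode; the same table shows that a black-and-white matrix needs 112 cells for the same budget while a 16-color palette needs 28, subject to the color-gamut caveat raised later in this section.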
When smartphones and other personal mobile electronic devices are used for secure access and to make consumer financial transactions, the loss of the device can be devastating and costly unless appropriate measures are taken. What is needed are methods, and indeed a personal mobile security appliance, that can prevent unauthorized use even when the appliance itself has fallen into the wrong hands.
Igor Drokov et al. describe a dynamic multifactor authentication method and system in United States Patent Application US 2008/0307515 A1, published Dec. 11, 2008. A user's mobile device optically captures a first token that a remote authentication server has sent to an access computer terminal. The mobile device then derives a second token, which is returned independently to the same remote authentication server. If the second token is validated as having been properly derived from the first token, an authentication signal is generated and the transaction can be completed. Such a system may be appropriate for on-line and desktop-computer-based transactions, but it has not been applied to peer-to-peer transactions between mobile devices.
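The exchange described above, written out as an added example that is not code from the cited application: the server issues a first token to the terminal, the mobile device captures it optically and returns a second token over its own channel, and the server validates the derivation. The derivation function (HMAC-SHA256 under a secret shared between device and server), the enrollment of that secret, the token lifetime, and the single-use rule are all assumptions made here to fill in what the summary leaves unspecified; they are the checks a practitioner would want so that a captured token cannot be replayed or used after the terminal session has moved on.

```python
import hashlib
import hmac
import os
import time


class FakeClock:
    """Controllable clock so the expiry path can be exercised offline."""

    def __init__(self, start: float = 0.0):
        self.t = start

    def __call__(self) -> float:
        return self.t


def derive_second_token(device_key: bytes, first_token: str) -> str:
    """Assumed derivation: HMAC-SHA256 of the captured first token under a
    secret shared between device and server. The published application
    does not specify the derivation; this is one plausible instance."""
    return hmac.new(device_key, first_token.encode(), hashlib.sha256).hexdigest()


class AuthServer:
    """Remote authentication server: issues the first token to the access
    terminal and validates the second token returned by the mobile device."""

    def __init__(self, now=time.time, ttl_seconds: float = 60.0):
        self.device_keys = {}   # device_id -> shared secret (assumed enrollment)
        self.pending = {}       # first_token -> (expiry, session_id)
        self.now = now
        self.ttl = ttl_seconds

    def enroll(self, device_id: str, device_key: bytes) -> None:
        self.device_keys[device_id] = device_key

    def issue_first_token(self, session_id: str) -> str:
        """Fresh random token, bound server-side to the terminal session."""
        token = os.urandom(16).hex()
        self.pending[token] = (self.now() + self.ttl, session_id)
        return token

    def validate(self, device_id: str, first_token: str, second_token: str):
        """Returns (True, session_id) on success or (False, reason)."""
        # Single use: the token is consumed on the first attempt, good or bad,
        # so a replayed or guessed second token finds nothing to match.
        entry = self.pending.pop(first_token, None)
        if entry is None:
            return False, "unknown or already used token"
        expiry, session_id = entry
        if self.now() > expiry:
            return False, "expired"
        key = self.device_keys.get(device_id)
        if key is None:
            return False, "unknown device"
        expected = derive_second_token(key, first_token)
        if not hmac.compare_digest(expected, second_token):
            return False, "bad derivation"
        return True, session_id


def terminal_displays(first_token: str) -> str:
    """The access terminal renders the token optically; here the string
    itself stands in for the displayed code."""
    return first_token


def mobile_captures_and_responds(device_key: bytes, displayed: str) -> str:
    """The mobile device optically captures the displayed token and derives
    the second token, which it sends to the server on its own channel."""
    return derive_second_token(device_key, displayed)


def run_exchange(server: AuthServer, device_id: str, device_key: bytes,
                 session_id: str):
    """One full exchange; returns the tokens and the server's verdict."""
    first = server.issue_first_token(session_id)
    second = mobile_captures_and_responds(device_key, terminal_displays(first))
    return first, second, server.validate(device_id, first, second)


if __name__ == "__main__":
    clock = FakeClock()
    server = AuthServer(now=clock, ttl_seconds=60)
    key = os.urandom(32)                       # constructed device secret
    server.enroll("phone-1", key)
    first, second, result = run_exchange(server, "phone-1", key, "session-A")
    print("fresh exchange:", result)
    print("replayed second token:", server.validate("phone-1", first, second))
    first = server.issue_first_token("session-B")
    clock.t += 61                              # past the 60-second lifetime
    print("late response:", server.validate("phone-1", first,
                                            derive_second_token(key, first)))
```

The verdict carries the terminal session the token was issued for, so the server, not the phone, decides which transaction the authentication applies to; the phone never has to trust anything the terminal shows it beyond the token itself.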
Desktop and laptop computers have factory-calibrated red, green and blue (RGB) color displays that produce consistent colors within a wide color gamut, because image size is not a significant concern for them. Smartphone screens, by contrast, are smaller and have a more limited color gamut, so fewer distinct colors can be reliably told apart.
PayPal recently made a “bump technology” Android app available to enable peer-to-peer funds transfers between mobile device users. Users and their transactions are authenticated when the mobile devices are literally bumped together. Two devices at the same location, bumped at the same instant, each record a coincident accelerometer event; these two independent data streams, synchronized in time, can be matched and authenticated by a remote transaction server, in this case PayPal's. Consumers are expected to become increasingly comfortable using their cellphones for so-called “micro-transactions”. Highly secure user identification and authentication remains a problem with this fledgling bump technology, where the phone number is the only passcode, supplemented by mobile-device-related data (SIM card identifiers, UUID/UDID, MAC address, etc.) that is unique but easily accessed.
Herein, a personal trusted device (PTD) can include feature phones, smartphones, and small laptops. These universally have crypto-libraries, powerful processors and similar resources, which are the minimum needed for high-security decryption jobs. The primary difference between a feature phone and a smartphone is that the user cannot download non-embedded or third-party applications (apps) to a feature phone; its applications are installed as embedded applications by the manufacturer. A smartphone can download apps, e.g., Android and iPhone apps, to extend its functionality.