1. Field of the Invention
The present invention relates to mobile computing devices, internet security, authentication, and more particularly to devices and methods for authenticating users online to financial institutions and other websites with the aid of cryptographic keys encoded as two-dimensional (2D) encrypted colorgrams as one of the security factors.
2. Description of Related Art
The average user cannot commit to memory a password complex enough to allow derivation of a cryptographic key for securing transactions and authenticating users, which would typically require a minimum of 128 bits of entropy. Such users are also overly challenged when required to have a different password for every secure website they visit. Most users simply reuse a few favorite passwords and then do not change them often enough. Such passwords are thus easily compromised by brute force, or by carrying credentials captured in an attack on one website over to another.
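The entropy arithmetic behind the 128-bit figure, as an added example in Python that is not part of the patent text: it computes how many characters a uniformly random password over a given alphabet needs to reach a target number of bits, expresses an attacker's brute-force work factor in equivalent bits, and derives a 128-bit key from a password with PBKDF2-HMAC-SHA256 to show that the derivation step raises the cost per guess but cannot add entropy the password lacks. The alphabet sizes, iteration count, sample password, and salt are assumptions chosen for illustration.

```python
import hashlib
import math


def bits_of_entropy(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a password chosen uniformly at random from
    `alphabet_size` symbols at each of `length` positions: length * log2(N)."""
    return length * math.log2(alphabet_size)


def min_length(alphabet_size: int, target_bits: float = 128.0) -> int:
    """Smallest length over the same alphabet that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(alphabet_size))


# Alphabet sizes used for illustration (assumed, not taken from the patent).
ALPHABETS = {
    "digits (PIN)": 10,
    "lowercase letters": 26,
    "printable ASCII": 95,
    "Diceware wordlist (per word)": 7776,
}


def lengths_for_128_bits() -> dict:
    """Characters (or words) of each alphabet needed for a 128-bit key."""
    return {name: min_length(size) for name, size in ALPHABETS.items()}


def work_factor_bits(alphabet_size: int, length: int, iterations: int) -> float:
    """Attacker's brute-force cost in equivalent bits: every guess costs
    `iterations` hash computations, so the work factor is the password
    entropy plus log2(iterations). Stretching adds cost per guess, not
    unpredictability: the derived key still has at most the password's bits."""
    return bits_of_entropy(alphabet_size, length) + math.log2(iterations)


def derive_key(password: str, salt: bytes, iterations: int = 600_000) -> bytes:
    """Stretch a memorized password into a 16-byte (128-bit) key with
    PBKDF2-HMAC-SHA256. The salt makes the same password yield a different
    key per site, but the key is only as unpredictable as the password."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=16
    )


if __name__ == "__main__":
    for name, length in lengths_for_128_bits().items():
        print(f"{name}: {length} symbols for 128 bits")
    # An 8-character printable-ASCII password: ~52.6 bits of entropy.
    print(f"8 x printable ASCII: {bits_of_entropy(95, 8):.1f} bits")
    # Even with 600k PBKDF2 iterations the guess space is only ~2^71.8 hashes.
    print(f"work factor with 600k iterations: {work_factor_bits(95, 8, 600_000):.1f} bits")
    # Constructed sample inputs; the salt would be random per site in practice.
    key = derive_key("Tr0ub4dor", b"constructed-salt", iterations=1000)
    print("derived key:", key.hex())
```

Run it to see that roughly 20 random printable-ASCII characters, or 10 Diceware words, are needed before a password-derived key actually carries 128 bits, which is the gap between memorable passwords and cryptographic keys that the description above refers to.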
Authentication factors are pieces of information that can be used to authenticate or verify the identity of an individual. Two-factor authentication employs two different authentication factors to increase the level of security beyond what is possible with only one of them. For example, one kind of authentication factor is what-you-have, e.g., a magnetic stripe credit card, the SIM card typical of many mobile devices and Personal Trusted Devices (PTDs), or another object that is unique and difficult to duplicate. Another type of authentication factor is what-you-know, such as a user password, a PIN like those used at bank ATMs, or other secret information. A third kind of authentication factor is who-you-are, for example a personal signature, a voice sample, a fingerprint, an iris scan, or another type of biometric.
Using more than one authentication factor results in what is sometimes called "strong authentication" or "multi-factor authentication." The most common form of strong authentication uses just two different factors, the what-you-know and what-you-have authentication factors.
Barcodes and conventional two-dimensional (2D) codes do not have the data storage capacity needed to make an effective what-you-have security factor out of them. They typically have been used for serial numbers and stock keeping unit identifiers, and such traditional codes are too limited to be expected to carry much information. This is usually due to standardized geometries that cannot easily be scaled.
When smartphones and other personal mobile electronic devices are used for secure access and to make consumer financial transactions, the loss of the device can be devastating and costly. What is needed are methods, and even a personal mobile security appliance, that can prevent unauthorized use even when the appliance itself has fallen into the wrong hands.