As remote access to computer systems and applications grows in popularity, the number and variety of transactions conducted remotely over public networks such as the Internet has increased dramatically. This popularity has underlined a need for security; in particular: how to ensure that people who are remotely accessing an application are who they claim to be, how to ensure that transactions being conducted remotely are initiated by legitimate individuals, and how to ensure that transaction data has not been altered before being received at an application server.
One technology for authentication and transaction signature capabilities is offered by ‘strong authentication token devices’. Typical examples of strong authentication tokens are the products of the DIGIPASS® line, commercialized by Vasco Data Security Inc. (see the website http://www.vasco.com). A strong authentication token is an autonomous battery-powered device, dedicated to providing authentication and transaction signature functions, usually pocket-size, with its own display and keypad. The main purpose of a strong authentication token is to generate dynamic security values which are usually referred to as ‘One-Time Passwords’ (OTPs).
Typically these OTPs are generated by cryptographically combining a secret that is shared between the token and a verification server with a dynamic value such as a time value, a counter value or a server challenge that is provided to the token, or a combination of these. Some strong authentication tokens can also use data (such as transaction data) that has been provided to the token as the dynamic value, or in combination with any of the dynamic values mentioned above, to generate a security value.
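The combination just described, as an added illustration (not code from the page or from the products it names): a counter, a server challenge and transaction data are mixed with the shared secret into one HMAC, and the verification server recomputes the code from its own copy of the transaction data, so altered data fails. HOTP-style truncation and the length-prefixed message layout are assumptions; the sample secret and transaction string are constructed.

```python
import hashlib
import hmac
import struct

# Constructed sample secret shared by token and verification server (not a real key).
SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")

def dynamic_code(secret: bytes, counter: int, challenge: bytes = b"",
                 transaction: bytes = b"", digits: int = 6) -> str:
    """Derive a one-time code from the shared secret and the dynamic values the
    page lists: a counter, an optional server challenge and optional transaction
    data. They are concatenated into one HMAC message and the MAC is truncated
    to `digits` decimal digits (HOTP-style dynamic truncation; an assumption,
    the page does not name the products' actual algorithm). Length-prefixing
    the variable fields keeps the concatenation unambiguous.
    """
    msg = struct.pack(">Q", counter)
    for field in (challenge, transaction):
        msg += struct.pack(">H", len(field)) + field
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def server_verify(secret: bytes, expected_counter: int, submitted: str,
                  challenge: bytes = b"", transaction: bytes = b"",
                  window: int = 3):
    """Verification-server side. The server recomputes the code from its own
    copy of the secret and of the transaction data it received, so a code made
    over altered data does not match. A small look-ahead window tolerates
    counter drift (codes the user generated but never submitted). Returns the
    next expected counter on success, None on failure."""
    for c in range(expected_counter, expected_counter + window):
        if hmac.compare_digest(dynamic_code(secret, c, challenge, transaction), submitted):
            return c + 1
    return None

if __name__ == "__main__":
    tx = b"TO=BE00123456789;AMOUNT=250.00"   # constructed transaction data
    code = dynamic_code(SECRET, 41, b"7319", tx)
    print("signature:", code)
    print("valid    :", server_verify(SECRET, 41, code, b"7319", tx))
    print("tampered :", server_verify(SECRET, 41, code, b"7319", tx.replace(b"250", b"2500")))
```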
A typical way to provide data to a strong authentication token is to let the user enter the data manually on the token's keypad. When the amount of data that has to be entered in this way exceeds a few dozen characters, the process is often perceived by users as too cumbersome. To relieve the user, solutions have been devised whereby the input of data does not require the manual entry of said data by the user on the token's keypad.
One such solution consists of tokens that allow for data input by means of an optical interface, whereby the user holds the token close to an optical source such as a computer screen that displays a varying optical pattern. Examples of such optical tokens are the Digipass 700 token and the Digipass 300 token, both offered by Vasco Data Security Inc., and the tokens described in EP 1211841 May 6, 2002, EP 1788509 May 23, 2007, U.S. Pat. No. 5,136,644 Apr. 8, 1992.
These tokens are typically used to secure applications such as internet banking. As a consequence they are used by a large number of bank customers with a very broad range of computer screen qualities and environmental lighting conditions and a variety of computer platforms. It also means that, in spite of these heterogeneous operational conditions, these tokens are expected to work very reliably. The tokens must also be convenient to work with, i.e., be tolerant of the way they are handled, offer an acceptable data throughput and allow users to be independent of the access point. Last but not least, because of the high number of users, the tokens are also supposed to be very cost-effective.
Designing tokens that satisfy all these conditions is a significant challenge. The technical problems to be surmounted include:

- The great variety in absolute intensity levels of the light emitted by different screens, especially between Liquid Crystal Display (LCD) and Cathode Ray Tube (CRT) screens. This means that there is a large dynamic range in the emitted light intensity.
- The great variety in the relative differences between the light intensity levels used, due to background offsets. The combination of environmental light and the effect of backlit LCD displays means that the contrast between the measured High and Low light intensity levels is often quite low, resulting in a large common mode and little margin for noise.
- The completely different characteristics of the light emission pattern as a function of time for the different display technologies: while CRT displays are characterised by discrete, short, intense pulses of light emission, LCD screens have a much smoother and more continuous emission characteristic. We define the instantaneous intensity of an optical signal emitted by a region of a display as the power of that signal at a particular moment in time, whereas we define the intrinsic intensity of the same optical signal as the average power of that signal over one refresh cycle of the display. With these definitions one can say that for LCD displays the instantaneous intensity of the signal is, for most of a refresh cycle, more or less constant and thus more or less equal to the intrinsic intensity, whereas for CRT displays the energy of the signal emitted during a refresh cycle is concentrated in a short spike, such that the instantaneous intensity is very low and below the intrinsic intensity during most of the refresh cycle, while it is significantly higher than the intrinsic intensity during that short spike.
- The relatively low refresh rates of displays. This gives a relatively low upper bound on the maximum symbol rate.
- Variety in refresh rates between displays, aggravated by the fact that in practice it is difficult, if not impossible, for the software responsible for emitting the light pattern to determine the actual physical refresh rate of the screen being used. This means that no synchronization between symbol rate and refresh rate can be guaranteed. As a consequence, the number of display refresh cycles per symbol clock period cannot be assumed to be a constant integer, which in turn means that the total amount of light emitted in one symbol clock period can vary drastically for the same intended light level.
- The displays used by end-users, and the conditions in which they are used, can change over time and can do so frequently, e.g. if a user regularly switches between a workstation with a CRT screen and a laptop with an LCD screen. Also, end-users can in general not be assumed to be technology-savvy, nor can they in general be relied upon to faithfully and diligently execute complicated operational instructions. These factors exclude solutions that incorporate a user-controlled configuration phase in which the user is expected to set some parameters, or an adaptation phase of any appreciable length in which the device tunes certain parameters itself.
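The refresh-rate problem in numbers, as an added model (not from the page): using the page's definitions of instantaneous and intrinsic intensity, a CRT region is modelled as delivering its whole per-cycle energy in one spike at the start of each refresh cycle, an LCD region as emitting continuously. With a 60 Hz screen and a 25 Hz symbol clock (2.4 cycles per symbol, an assumed pair of values), consecutive symbols of the same intended level collect two or three spikes, and a dimmer level can even out-shine a brighter one.

```python
import math
from fractions import Fraction as F

def crt_symbol_energy(refresh_hz, symbol_hz, symbol_index, intrinsic=F(1)):
    """Light energy a CRT screen region emits during symbol number `symbol_index`.

    Model (from the page's definitions): each refresh cycle of length
    T = 1/refresh_hz delivers its whole energy, intrinsic * T, in one short spike
    at the start of the cycle. The energy falling inside a symbol period is then
    the number of spikes inside that period times intrinsic * T, which is not
    constant when T does not divide the symbol period. Exact rational arithmetic
    keeps the spike count free of floating-point rounding.
    """
    T = F(1, refresh_hz)
    start = F(symbol_index, symbol_hz)
    end = start + F(1, symbol_hz)
    first = math.ceil(start / T)        # smallest k with k*T >= start
    last = math.ceil(end / T) - 1       # largest k with k*T < end
    spikes = max(0, last - first + 1)
    return spikes * intrinsic * T

def lcd_symbol_energy(refresh_hz, symbol_hz, symbol_index, intrinsic=F(1)):
    """LCD: emission is continuous, so the instantaneous intensity is about the
    intrinsic intensity and the energy per symbol period is intrinsic / symbol_hz,
    regardless of where the symbol period falls relative to refresh cycles."""
    return intrinsic * F(1, symbol_hz)

def energy_spread(energy_fn, refresh_hz, symbol_hz, n_symbols=10, intrinsic=F(1)):
    """Minimum and maximum energy over consecutive symbols: the range a token's
    light sensor sees for one and the same intended light level."""
    energies = [energy_fn(refresh_hz, symbol_hz, i, intrinsic) for i in range(n_symbols)]
    return min(energies), max(energies)

if __name__ == "__main__":
    for name, fn in (("CRT", crt_symbol_energy), ("LCD", lcd_symbol_energy)):
        lo, hi = energy_spread(fn, 60, 25)   # 2.4 refresh cycles per symbol period
        print(f"{name}: min={float(lo):.4f} max={float(hi):.4f} ratio={float(hi / lo):.2f}")
    # A 'Low' level (intrinsic 0.7) that catches 3 spikes collects more energy than a
    # 'High' level (intrinsic 1.0) that catches only 2: a fixed energy threshold fails.
    print(crt_symbol_energy(60, 25, 0, F(7, 10)) > crt_symbol_energy(60, 25, 1, F(1)))
```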
What is therefore needed is a low-cost device that is capable of receiving, in a relatively short amount of time, a moderate amount of digital data optically emitted by a display, and that can be used reliably and conveniently in combination with a wide variety of displays and display types and in a wide variety of environmental conditions.