The most commonly understood sector in the security/authentication field involves traditional user access from a fixed or mobile electronic computing device (such as, desktop, laptop, mobile, smart phone, tablet, handset, gaming device, remote control, etc.) to a website, application, service, display, server, and/or network via (1) a username and password, cookie, token, or other type of single-sign-on to identify the user and (2) then some additional method of verification through a second or third factor, out-of-band (OOB) message, shared secret, physical token, certificate, 2D code scan and/or near-field communication protocol.
Another commonly understood authentication/security system is synchronous peer-to-peer communication and interaction between two users from fixed or mobile electronic computing devices via chat, instant message, streaming audio conferencing, streaming video conferencing, gaming, social networking, transmission of resources, or data by email, SMS, or FTP.
Another commonly understood authentication/security system is the asynchronous access or distribution, download, and/or streaming of shared resources between or among two or more users on fixed or mobile electronic computing devices across intermediary cloud storage, social networks, blogs, websites, games, content providers, mobile apps, and the like.
Another commonly understood authentication/security system is the area of payments or the verification of a payment, consumption, download, interaction or approval by or for a user to another user for an asset or access to an asset, across a third-party payment system, requiring some level of entitlement or authorization.
In all of the above present security/authentication systems, the act of identification or direct authentication of one or more users, the computing device, the session, the website, application, server, location, asset and/or the context itself, is required.
Another commonly understood authentication/security system is the area of electronic wearable user authentication, whereby a wearable device with appropriate sensors and communication capabilities can sense, verify, and report the authenticity of its wearer to the wearer, a session, another device, or a general contextual situation requiring such validation. That report is then used to allow or deny physical access, digital access, consummation of a transaction, digital payment, file download, session access, login, file streaming, mutual validation of another human and/or machine, or access to or operation of an automobile or other equipment, devices, terminals or machines requiring verification for permission to access, engage, interact or operate.
The present disclosure covers a new, useful, and non-obvious system and method that overcomes the limitations known in the field of electronic authentication.
One of the limitations solved by the system and method of the present disclosure is that traditional user and mobile device authentication has not allowed for the ability for users to authenticate and authorize other users on mobile devices or wearable devices (sometimes collectively referred to herein as “personal computing devices”) via direct or indirect networked communication or across shared third-party platforms like social networks, email, cloud storage and peer-to-peer e-commerce, streaming media sites, mobile devices, wearable devices, servers or payments without depending upon or requiring third party host cooperation and/or host service security platform interaction. Generally, it was either too costly or too cumbersome to scale and be adopted ubiquitously by the marketplace to protect users, sites, devices, and sessions in this manner or, alternatively, a lack of commercial permission prevented such capabilities from being possible. Authentication methods and systems prior to the present disclosure do not meet the security challenges modern hackers pose nor do they have the simplicity, usability, seamlessness, unobtrusiveness, or privacy demands that personal computing device users require. Contemporary multi-factor or two-factor solutions fail to recognize and exploit the fact that user security is a fabric, not a thread. They also ignore the fact that user identities belong to users, not sites, and the user must be able to control the security, including privacy and resources among peer to peer interactions, across host platforms. 
This ignorance of contextual realities among devices, sites, users, apps, and networks in business critical and social environments, as well as the costs and implementation details involved, leaves most solutions and the current references disclosing those solutions unable to meet the authentication security challenges at hand, and they offer no capabilities for users to verify other users who access or interact with their session, resources, content, and/or identity. Additional methods that attempt to collapse the acts of identification and authentication into a single process inherit the same liabilities as any other single point of failure of federated systems, regardless of the sophistication or novelty of the flow, and they still require participation by the third-party identity platforms. In addition, no solution provides the ability for peers to independently authenticate each other without the intercession of the host site, service, app or federation. The challenge involves the balance of the market need for real security advancement with innovative usability, privacy, scalability, and low cost. The growing market and the growing ecosystem of users, devices, internet-of-things, mobile transactions, and general digital trust lies with the crowd, not the cloud.
The ideal achievement or solution would be to design something to simply, accurately, securely, and privately authenticate a context of multiple layers of credentials or factors amongst peer users and devices, a server or service, a network, or a user on a fixed or personal computing device, taking into account the location, proximity, relationship or association, behaviors, knowledge or attributes of any or all of the above. The structure of the authentication process may be peer-to-peer, client-to-server, server-to-server or a hybrid architecture. The expectation of, and requirement for, privacy, usability, accuracy, simplicity, and strength is and should be the same in all scenarios.
The challenge is to accomplish this simple, mutual, contextual verification between or among users and their mobile devices without depending upon or exposing the process to the traditional security solution shortcomings, such as: cost, lack of privacy, lack of personal intent or voluntary control or influence, susceptibility to interception and replay, poor usability, reliance upon user skill, reliance upon encryption, obfuscation or information seeding, centralized administration, federated identity assumptions, presentation or combined submission and/or transmission of credentials across known or predictable channels, sequential and discrete inspection and evaluation of isolated credentials, unilateral authoritative decision making about the context result status and compliance, and dependence upon permission or participation from intermediary networks, sites, apps or protocols. Traditionally, discrete and private elements about the user, device or session had to be paired with their meanings (key-value pairs), encrypted and sent to a back-end server for verification against a stored copy of the same credentials, no matter how novel the route they take to be processed. This legacy capture-and-forward approach inappropriately collapses the independent notions of identification (self-reported) and authentication (externally verified), thus exposing the users' private identity information to capture, replay, prediction, theft or misuse in service of their verification, and is a poor candidate for a robust, socially aware, peer-to-peer solution.
A second challenge is to utilize the personal computing electronic device in a peer-to-peer security context for what it is designed for and capable of: being an interactive extension to and participant within the context of the user, site/app and session authentication. Previous incarnations of "bring your own device" (BYOD) or personal computing device authentication treated the mobile computing device as simply a "capture and forward" apparatus. In other terms, the device is used to capture, decode and forward on credentials, biometric data, keys or tokens, as opposed to participating in the context in a manner of which it is capable. Previous security systems and methods merely relegated the mobile device to being a camera and a hard drive, a secure element storing obfuscated keys or simple cookies and forwarding them along to the back-end authoritative server for a standard password lookup-and-match approach. The present system may use authenticated reality, whereby a mobile device is used to interact with the "fabric" of the user, which may include the environment, location, proximity, behavior, and real-world context of the session, in a manner that securely, privately and easily revolutionizes the traditional authentication process on a user-to-device, user-to-user and/or device-to-device basis.
A third challenge is to involve the user in a way never before accomplished with respect to their authentication. Previous systems and security solutions were seen as layers or cumbersome steps that had to be taken in the end-user security flow. Users had to respond to certain challenges, maintain custody of bespoke hardware or software credentials, tokens, keys, certificates or select recognizable visual, audible, mathematical or textual components from a number of interfaces and prompts directed by a singular site or per-host security policy. The user has never historically been in control of the complexity, sophistication, application, components, context or essence of their authentication credentials or process, but merely responsible for memorizing, keeping, and then regurgitating those components or steps at the request of the host website or application. The rise of user-side hacking, along with the proliferation of personal computing devices and expanding user-to-user interaction online, has resulted in a necessary shift away from a host-server-side, shared-secret, patriarchal view of authentication security, and towards a more interactive, user-focused approach. The user must have interactive control of the depth, manner, method, makeup, and personalization of their authentication security in a way that is stronger, contextual, and more effective than previous techniques, but also simpler, more elegant and highly usable. The system of the present disclosure provides this.
A fourth challenge is creating both a synchronous and asynchronous peer-based multi-factor authentication solution between or amongst end users on personal computing devices that affords users the ability to independently identify, authenticate, and authorize each other, shared resources, access, and/or identity across yet independent of third party platforms and network systems or identity protocols as an added layer of defense in depth, just as host sites and services have traditionally achieved. This level of control and trust achieved via a simple, seamless, mobile peer authentication mechanism would revolutionize the modern personal computing devices security space, giving identity power and privacy back to the end users to whom they belong and opening up infinite opportunities to trust, interact, transact, and protect an increasing amount of network, social, mobile, app and cloud-based activities, events, and capabilities.
A fifth and final challenge involves the Internet of Things (IoT) whereby users can also authenticate and trust other devices, users, and wearables on a peer-to-peer level, without intercession, permission, or participation from centralized platforms or a sole reliance on federated identity mechanisms to accomplish, authorize or officiate such verification. In a sense, the challenge is to achieve a truly orthogonal, democratized authentication based on dynamic, private, and interactive factors as well as digital and physical context verification, in real time, between and among user and device endpoints rather than prescriptive, centralized security policies and enforcement. This fabric of trust may operate alongside, over-and-above, or in lieu of existing identity security policy and technology. The present system is meant to supplement, complement, or replace existing systems from the peer to peer user or device perspective.
The sum of these challenges has generally represented the barrier to security ubiquity that has never been overcome by security systems prior to the present disclosure. The realization that there is not and has never been a single, successful, ubiquitous approach to interactive user authentication in the field speaks volumes to the shortcomings of previous security systems. There is no obvious and de facto technique adopted in the field of peer-to-peer, personal computing device multi-factor authentication that simultaneously solves the security, usability, and interactivity challenges listed herein above.
The solution or goal would be to achieve a successful peer-to-peer context verification and authentication of all parties and factors while remaining immune to threats, hacks, interception, replay, compromise, prediction, collusion, false results of any of the process and/or implementation liabilities, some of which are described above and regardless of, or in addition to, the authentication security policies of intermediary sites, networks, platforms, or protocols. In addition, the secondary problems being solved are to embrace privacy, usability, achieve potential ubiquity with low-tech or no-tech integration and elevate the user's personal computing device to an interactive member of the authentication algorithm, not just an involuntary, passive scan, ping, push, probe, and/or decode and forward component in the flow, while giving the peer users additional voluntary, direct, and personal control over their security via self-selected and “performed” location/behavior/custom factors, independent from and/or above native platform security requirements.
Although there are many generally relevant references within the security system field, these references tend to fall into a definable set of inadequate approaches dating back to the security notions from the early to mid-20th century. The advent of mobile technology has unleashed a series of innovations that utilizes the mobile sensing, processing, and transmission capabilities of the mobile computing devices. The relevant references embody these multi-purpose innovations within stale, well-known authentication paradigms, models of shared-secret, security by obscurity, and flat, non-context-aware, unidirectional processing, regardless of their out-of-band (OOB) characteristics or flow.
The following is a representative selection of relevant references that are inferior to the system and method of the present disclosure, have significant deficiencies, and fail to solve the problems solved by the system and method of the present disclosure.
Application/Pat./Ser. No. | Title | Named Inventor
U.S. Pat. No. 8,156,332 | Peer-to-Peer Security Authentication Protocol | Simon, Steven Neil
U.S. Pat. No. 8,510,820 | System and method for embedded authentication | Oberheide, Jon; Song, Douglas; Goodman, Adam
WO 2000/075760 | Authentication to a Service Provider | Haruhiko Sakaguchi, others (Sony)
U.S. Pat. No. 7,870,599 B2 | Multi-channel device utilizing a centralized out-of-band authentication system (COBAS) | Ram Pemmaraju
U.S. Pat. No. 7,293,284 B1 | Codeword enhanced peer-to-peer authentication | Bartram, Linda; Sawadsky, Nicholas
US 2011/0283337 A1 | Method and system for authenticating network nodes of a peer to peer network | Schatzmayr, Rainer
US 2011/0219427 A1 | Smart Device User Authentication | Hito, Gent; Madrid, Tomas Restrepo
Journal of Networks, Vol. 5, No. 8, August 2010 (PDF) | A Novel User Authentication Scheme Based on QR Code | Kuan-Chieh Liao, Wei-Hsun Lee
2009 Fifth International Joint Conference on INC, IMS and IDC | A One-Time Password Scheme with QR-Code Based on Mobile Phone | Kuan-Chieh Liao, Wei-Hsun Lee, others
http://connectid.blogspot.com/2005/11/qr-codes-for-two-factor-authentication.html (2005) | QR Codes for Two-Factor Authentication | Madsen, Paul E.
US 2004/0171399 A1 | Mobile Communication Terminal, Information Processing Method, Data Processing Program, And Recording Medium | Motoyuki, Uchida, others
2009 International Conference on Availability, Reliability and Security | QR-TAN: Secure Mobile Authentication | Guenther Starnberger, others
Stanford University Security Workshop, Apr. 30, 2010 (published) | Snap2Pass: Consumer Friendly Challenge-Response Authentication with a Phone (QR) | Ben Dodson, Debangsu Sengupta, Dan Boneh, Monica S. Lam
U.S. Pat. No. 8,181,234 B2 (May 15, 2012) | Authentication System in Client-Server System And Authentication Method Thereof | Natsuki, Ishida (Hitachi)
WO 2004/008683 | Automated Network Security System Method | Engler, Haim
U.S. Pat. No. 8,943,306 | Methods, systems, and computer readable media for designating a security level for a communications link between wireless devices | Martin, et al.
U.S. Pat. No. 8,942,733 | System and method for location based exchanges of data facilitating distributed location applications | Johnson, William
These relevant references have relied upon four primary modes of authentication beyond username/password, single-sign-on (SSO), or federated peer-to-peer identification:
  - seed and read (store credentials or certificates on the device and reference them upon subsequent authorization)
  - scratch and match (script-based dynamic browser/device recognition, cookies)
  - ring and ping (out-of-band one-time passwords or tokens, shared secrets, PINs)
  - sense, decode, and forward (QR-code or 2D image, sound or other sensing-based model used to capture a code, match it with a seeded credential and forward it to a back-end server for lookup and match)
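The replay weakness that the "seed and read" and "sense, decode, and forward" modes share, and that item (a) of the shortcomings below restates, is easy to show concretely. The following Python is an added illustration written for this page; it is not code from the present disclosure or from any of the references above, and every name in it (LegacyBackend, NonceBoundBackend, DEVICE_SECRETS, the JSON message shapes) is a constructed assumption. The legacy half models a phone that scans a QR image carrying only a session identifier and forwards its seeded credential as key-value pairs for a lookup-and-match; a captured message authenticates again on replay and can even be transplanted into a different session, because nothing in it is bound to the challenge. The second half shows the conventional host-side mitigation, a single-use nonce with a time limit and an HMAC over the challenge, which defeats replay and transplant but is still a host-mediated shared-secret scheme of the "ring and ping" kind, so it does not address the peer-to-peer independence point the disclosure is concerned with.

```python
"""Constructed comparison of a capture-and-forward QR login with a
nonce-bound variant.  Added illustration, not the disclosure's own system."""
import hashlib
import hmac
import json
import secrets
import time

# Constructed enrolment data: the credential seeded onto the phone ("seed and read").
DEVICE_SECRETS = {"alice-phone": "k3y-seeded-at-enrolment"}


# --- legacy "sense, decode and forward" flow -------------------------------
def legacy_qr_payload(session_id):
    """The QR image carries nothing but a session identifier."""
    return json.dumps({"session": session_id})


def legacy_phone_scan(qr_text, device_id):
    """Phone decodes the QR and forwards its stored credential as key-value pairs."""
    data = json.loads(qr_text)
    return json.dumps({"session": data["session"],
                       "device": device_id,
                       "secret": DEVICE_SECRETS[device_id]})


class LegacyBackend:
    """Lookup-and-match of the forwarded secret against the stored copy."""
    def __init__(self):
        self.open_sessions = set()

    def new_session(self):
        sid = secrets.token_hex(8)
        self.open_sessions.add(sid)
        return sid

    def verify(self, forwarded):
        msg = json.loads(forwarded)
        stored = DEVICE_SECRETS.get(msg["device"], "")
        # Nothing here ties the message to a fresh challenge, so it stays valid.
        return msg["session"] in self.open_sessions and \
            hmac.compare_digest(stored, msg["secret"])


# --- nonce-bound variant (conventional host-side mitigation) ---------------
def _mac(device_id, session_id, nonce):
    key = DEVICE_SECRETS[device_id].encode()
    return hmac.new(key, f"{session_id}|{nonce}".encode(), hashlib.sha256).hexdigest()


def nonce_bound_phone_scan(qr_text, device_id):
    """Phone proves possession of its key over the server's fresh challenge."""
    data = json.loads(qr_text)
    return json.dumps({"device": device_id, "nonce": data["nonce"],
                       "mac": _mac(device_id, data["session"], data["nonce"])})


class NonceBoundBackend:
    """QR carries a single-use nonce with a TTL; the response is an HMAC over it."""
    TTL = 60  # seconds a challenge stays valid (assumed value)

    def __init__(self, now=time.time):
        self.now = now            # injectable clock so expiry can be exercised
        self.pending = {}         # nonce -> (session_id, issued_at)

    def new_session(self):
        sid, nonce = secrets.token_hex(8), secrets.token_hex(16)
        self.pending[nonce] = (sid, self.now())
        return json.dumps({"session": sid, "nonce": nonce})

    def verify(self, response):
        msg = json.loads(response)
        entry = self.pending.pop(msg["nonce"], None)   # consumed on first use
        if entry is None:
            return False
        sid, issued = entry
        if self.now() - issued > self.TTL or msg["device"] not in DEVICE_SECRETS:
            return False
        return hmac.compare_digest(_mac(msg["device"], sid, msg["nonce"]), msg["mac"])


def demo():
    """Run both flows and report which captured messages the backends accept."""
    results = {}
    legacy = LegacyBackend()
    captured = legacy_phone_scan(legacy_qr_payload(legacy.new_session()), "alice-phone")
    results["legacy_first"] = legacy.verify(captured)
    results["legacy_replay"] = legacy.verify(captured)            # same message again
    forged = dict(json.loads(captured), session=legacy.new_session())
    results["legacy_transplant"] = legacy.verify(json.dumps(forged))  # static secret reused

    clock = [1000.0]
    bound = NonceBoundBackend(now=lambda: clock[0])
    response = nonce_bound_phone_scan(bound.new_session(), "alice-phone")
    results["bound_first"] = bound.verify(response)
    results["bound_replay"] = bound.verify(response)              # nonce already consumed
    late = nonce_bound_phone_scan(bound.new_session(), "alice-phone")
    clock[0] += NonceBoundBackend.TTL + 1
    results["bound_expired"] = bound.verify(late)                 # challenge timed out
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:18s} accepted={accepted}")
```

Running demo() shows the legacy backend accepting the first use, the replay and the transplanted message alike, while the nonce-bound backend accepts only the first response and rejects both the replay and the expired challenge. Note that the mitigated flow still depends on the host holding a copy of the device secret and on the host issuing and judging the challenge, which is exactly the centralized, unilateral decision making the rest of this section argues against.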
In addition, generally relevant references have also relied on traditional, yet insufficient, methods to approach peer-related authentication functionality, such as:
  - three-party system approaches, whereby users' trust of other users comes at the behest of a centralized authority that doles out and dictates simulated peer-to-peer communication or trust, when the actual verification is merely a mediated experience based on pre-existing policy
  - peer-to-peer validation that only functions synchronously, as opposed to asynchronously, and depends solely upon the host site's security policies, identity mechanisms and verification capabilities
  - peer-to-peer authentication that relies upon pre-trusted, pre-seeded fixed endpoints, or upon synchronous verification of digital certificates or session sockets, not content
Specifically, the shortcomings of the references listed herein above fall under these areas:
  - no user control over peer authentication initiation, process, or flow
  - no peer-to-peer capability for validation, verification, and authorization
  - no independent, asynchronous authentication capabilities across third-party networks
  - user reliance upon the host identity mechanisms and policies to trust other users
  - no user-initiated trust event without host participation or permission
  - no ability for a user to independently authenticate another user or user's device
  - reliance upon out-of-band mechanisms to deliver one-time codes to as-yet untrusted devices
All of the numerous embodiments disclosed in the relevant references have failed to adequately resolve the present security needs, as evidenced by the ongoing and often successful security attacks. In addition, the solutions proposed in the relevant references fail to solve the following problems, all of which are solved by the system and method of the present disclosure, namely:
  (a) authentication is traditionally shared-secret, static, and subject to interception, replay or prediction based on persistent information obfuscated by encryption or session flavoring;
  (b) authentication security is expensive, cumbersome, and difficult for users to understand or use;
  (c) authentication relies on obfuscation, encryption, user skill or secrecy to be effective;
  (d) credentials are usually fixed, sequential, and single-mass in depth, intelligence and context;
  (e) security information flows backwards, over primary, predictable or known channels such as the browser, together as key-value pairs, towards the unilateral authority in the process;
  (f) authentication decisions rely upon a unilateral observation, interrogation, and lookup-match;
  (g) secret data is often delivered over secure OOB channels, only to have the user or device erroneously re-insert that data back over the primary, unsecured channel for verification;
  (h) secret OOB data is often sent to re-establish authentication, but arrives via email or SMS to a device that may be in the wild, compromised but still able to receive such data;
  (i) the user assumes all risk and responsibility, but has no control over enhancing, modifying, or improving security over and above what the authoritative source requires or allows;
  (j) security requires re-identification of the user, mixing credentials in the channel;
  (k) authentication security is risky when using a mobile device whose integrity is unknown;
  (l) to date, there has been no ubiquitous solution to offer defense-in-depth authentication on top of username/password, single-sign-on (SSO), or federated identity management;
  (m) defense-in-depth is often relegated to additional passwords or secrets;
  (n) wearable solutions represent only store-and-forward, secure-element-based validation;
  (o) there is a lack of contextual approaches whereby all factors are simultaneously assessed as a composite signature, without revealing the underlying components or data;
  (p) template approaches have been static containers for traditional literal factor gathering; and
  (q) no private, autonomous, asynchronous peer-to-peer verification and authentication mechanism via mobile devices existed before the present disclosure or has been supported by references prior to the present disclosure.
Specifically, solutions proposed in the relevant references attempting peer-to-peer authentication across fixed or mobile devices, namely U.S. Pat. No. 8,156,332 (Simon) and the like, are insufficient due to the following limitations and inferior methods:
  (a) reliance upon static, embedded credentials on the remote mobile devices;
  (b) reliance upon fixed, known or pre-trusted and registered endpoints;
  (c) lack of peer control to initialize authentication without a central host site or service;
  (d) static interrogation of fixed or pre-seeded credentials on devices to achieve authentication; and
  (e) lack of consideration of the power and capability of the peer mobile devices.
Furthermore, solutions proposed in the relevant references using encoded Quick Response (QR) images and mobile device scanning to identify or authenticate a user or device, shown, for example, in U.S. Published Patent Application No. 2011/0219427 (Hito, Madrid) and the like, are insufficient due to the following limitations and inferior methods:
  (a) reliance upon heavily encoded, encrypted, or obfuscated content within the image or code;
  (b) reliance upon expensive, static, seeded, embedded credentials on the mobile device;
  (c) reliance on a separate set of the credentials in (b) being deployed, seeded, and managed;
  (d) unidirectional flow of the object scan, transmitted towards the authoritative back end;
  (e) the store-and-forward approach denies the process interaction and richer context;
  (f) the reliance on code encryption requires equal and opposite decryption;
  (g) co-mingling of identity and authentication data provides numerous opportunities to hack;
  (h) improper triangulation, interrogation, measurement and interdependent decision making with respect to the source, integrity and status of the authentication context; and
  (i) failure to engage the user, device, session context, location, and behavior factors.
Thus, what is needed is a security method and system that overcomes the deficiencies in the systems currently available. The system and method of the present disclosure solves these problems and represents new, useful, and not obvious innovation in the space of peer-to-peer authentication on a personal computing device.