1. Field of the Invention
The present invention relates generally to devices for identifying and authenticating users to devices and online websites, and more specifically to methods for increasing security levels to meet stringent financial, transaction-level assurance requirements in mobile devices by incorporating three-dimensional colorgram tokens.
2. Description of Related Art
The usual methods commonly employed to identify and authenticate users of mobile electronic appliances have generally not risen to the security levels required for non-trivial financial transactions. Even the common two-factor authentications that require a payment card and a personal-identification-number (PIN) as what-you-have and what-you-know factors have been subject to fraud and other abuses. On-line, card-not-present transactions have been even more difficult to secure.
The average user cannot commit to memory sufficiently complex passcodes that would allow the derivation of a cryptographic key for use to secure transactions and authenticate users, such typically have a 112 bit minimum entropy requirement. Such users are also overly challenged when required to have a different passcode for every secure website they visit. Most users simply repeat the use of a few favorite passcodes and then don't change them often enough. Such passcodes are thus easily compromised via brute force or by carrying over an attack on one website to another.
Authentication factors are manifested in data collections that can be used to authenticate or verify the identity of an individual. Two-factor authentication employs two different authentication factors to increase the level of security beyond what is possible with only one of the constituents. For example, one kind of authentication factor includes what-you-have, e.g., an credit card, the SIM card typical to many mobile devices and Personal Trusted Devices (PTDs), or other type of object that is unique and difficult to duplicate. Another type of authentication factor includes what-you-know, such as a user passcode, a PIN like those used for accessing ATM machines at banks, zip code, or other pieces of personal and private information. A third kind of authentication factor includes who-you-are, for example a personal signature, a voice sample, a fingerprint, an iris scan, or other type of biometric.
Using more than one authentication factor results in what is sometimes called “strong authentication” or “multi-factor authentication.” A very common use of strong authentication generally includes just two different factors, the what-you-know and what-you-have authentication factors.
Barcodes and conventional one or two dimensional (1D, 2D) codes do not have the data storage capacity needed to make an effective what-you-know security factor out of them. They typically have been used for serial numbers and stock keeping unit identifiers. Such traditional devices are so limited that they could not be expected to carry much information. This is usually due to standardized geometries that can't be easily scaled, and standardized use of black and white spaces to delineate data elements.
When smartphones and other personal mobile electronic devices are used for secure access and to make consumer financial transactions, the loss of the device can be devastating and costly unless appropriate measures are taken. What is needed are methods and even a personal mobile security appliance that can prevent unauthorized use even when the appliance itself has fallen into the wrong hands.
Igor Drokov, et al., describe a dynamic multifactor authentication method and system in United States patent application, US 2008/0307515 A1, published Dec. 11, 2008. A user's mobile device is used to optically capture a first token sent to an access computer terminal by a remote authentication server. The user's mobile device is used to derive a second token that is independently returned to the same remote authentication server. If the second token is validated as having been properly derived from the first token, an authentication signal is generated so the transaction can be completed. Such a system may be appropriate for on-line transactions and desktop computer-based transactions, but has not been applied to peer-to-peer transactions using mobile devices.
Desktop and laptop computers have factory calibrated red, green, and blue (“RGB”) color displays that produce consistent colors within a wide color gamut because image size is not a significant concern. But the screens on smartphones have a limited color gamut and smaller displays.
PayPal recently made a “bump technology” Android “app” available to enable peer-to-peer funds transfers between mobile device users. Users and their transactions are authenticated when mobile devices are literally bumped together. The data coincidence of the accelerometer synchronizes in time and the devices coexisting in a single location generates two independent streams of data that can be matched and authenticated by a remote transaction server, in this case PayPal. Consumers are expected to become increasingly comfortable using their cellphones to engage in so-called “micro-transactions”. Highly secure user identification and authentication remains a problem with this fledgling bump technology where phone numbers are the only passcode, in addition to unique, but easily accessed, mobile device-related data from SIM cards, UUID/UDID, MAC address, etc.
Herein, a personal trusted device (PTD) can include feature phones, smartphones, and small laptops. These universally have crypto-libraries, powerful processors, and similar resources that are minimally needed for high security decryption jobs. The primary difference between a feature phone and a smartphone is the user cannot download non-embedded or third party applications (apps) to a feature phone, they are already installed as embedded applications by the manufacturer. A smartphone can download apps, e.g., Android and iPhone apps, to extend functionality.