With the increase in financial fraud and innovative hacking methods, authenticating a user for the purpose of accessing information, especially financial accounts, has become challenging. In the past, basic four-digit Personal Identification Number (PIN) codes have been used to access information. However, four-digit PIN codes are often insecure and vulnerable to hacking or theft. Although attempts have been made to offset the potential of a PIN being hacked or stolen, the problem of keeping accounts secure still persists.
Personal Identification Numbers are commonly used to authenticate a user by having the user enter “something they know”. Although any number of digits may be used, arguably today the 4-digit PIN, as shown in FIG. 1, is one of the most commonly used methods to add security to access control. A typical 4-digit PIN can use one of nine characters over four digits or about 10,000 possible permutations. A chief limitation of this method for PIN authentication is that it limits authentication to a single factor, i.e., “something you know.”
To further improve security of PIN based methods, PINs are frequently added to items such as electronic cards, for example, that possess a chip inside. This method is frequently called “chip and PIN”. A “chip and PIN” method adds a second factor to the PIN (something you know) by adding a chip (something you have) inside a card or device.
One example of prior art relating to a PIN concept is described in WO 2011004339 A1. This implementation uses a second identifier to authenticate a user. Under this invention, an identification file consisting of the data from the present transaction is sent to an identifier using direct energy. The identifier then uses the direct energy to encrypt the identification file with a key and attach the PIN. This encrypted package is sent to a payment-processing center, where the whole package is decrypted using a public key and the PIN is verified.
Although this two-factor system does offer some additional protection of a user's assets, it has its limitations. Such limitations include the vulnerability of a third party intercepting the identification file before it is encrypted. Other problems arise from the use of only a single key to encrypt the identification file. In order to carry out a successful attack, a third party would only need the correct key and the PIN. Those experienced in the art will recognize that a non-dynamic PIN also increases the chances of a successful “brute force” attack. Hackers can also gain access through the use of a “back door” in either the payment terminal or the payment-processing center, further deteriorating the security of a transaction.
Attempts have also been made, such as in U.S. Pat. No. 8,650,405, to make PIN authentication more secure by incorporating user-specific information to produce a PIN. Under this method, a user requesting access is required to enter specified personal information to access the account. Using this information, a PIN is generated and used to authenticate the user. However, certain problems arise with such authentication methods. For example, a “man in the middle” attack may occur where a third party intercepts the user's information. If this were to occur, the user not only loses personal information, but also the ability to access a given item such as an account. If anything, this compounds the problem by giving the third party additional private information that may also be used to access other accounts.
Another example where user specific information is used to produce a PIN code is described in US published patent application 20120254963. Herein, a user is able to enter his or her credentials into a computer-like device such as a portal. After receiving the credentials, the portal produces a code that is viewed by the user. The user then speaks the code back to the portal, and if the code is correct, then the user is authenticated and granted access.
Some methods for securing a PIN authentication process may include a user entering a “subsequent code” related to an original PIN to verify the PIN code. In CA 2817431 A1, the user is asked for his PIN and a subset of the PIN. Using these two factors the user is authenticated.
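The subset-of-PIN check described above can be illustrated with a small server-side model. The following is an added example written for this page, not code from any of the cited patents: the server enrols each PIN digit under a keyed tag, challenges the user for a few randomly chosen positions, and verifies only those positions. The server key, the record layout and the function names are assumptions for the illustration.

```python
import hashlib
import hmac
import random
import secrets

# Hypothetical server-side secret; a real deployment would keep it in an HSM.
SERVER_KEY = b"demo-server-key-not-for-production"


def _tag(user_salt: bytes, position: int, digit: str) -> bytes:
    """Keyed tag over one PIN digit at one position.

    A plain hash of a single digit has only ten candidates and is trivially
    reversed offline, so the server key (not the salt) is what protects it.
    """
    msg = user_salt + position.to_bytes(1, "big") + digit.encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()


def enrol(pin: str) -> dict:
    """Store one tag per position so any subset of digits can be checked later."""
    if not (pin.isdigit() and len(pin) >= 4):
        raise ValueError("PIN must be at least four decimal digits")
    salt = secrets.token_bytes(16)
    return {"salt": salt, "length": len(pin),
            "tags": [_tag(salt, i, d) for i, d in enumerate(pin)]}


def issue_challenge(record: dict, k: int = 2, rng=None) -> tuple:
    """Pick k distinct 0-based positions the user must supply this time."""
    rng = rng or secrets.SystemRandom()
    return tuple(sorted(rng.sample(range(record["length"]), k)))


def verify_partial(record: dict, positions: tuple, digits: str) -> bool:
    """Check only the challenged positions.

    Every challenged tag is compared even after a mismatch, so response time
    does not reveal which position was wrong.
    """
    if len(digits) != len(positions):
        return False
    ok = True
    for pos, d in zip(positions, digits):
        if pos >= record["length"] or not d.isdigit():
            return False
        ok &= hmac.compare_digest(record["tags"][pos],
                                  _tag(record["salt"], pos, d))
    return ok


if __name__ == "__main__":
    rec = enrol("2468")                      # constructed sample PIN
    positions = issue_challenge(rec, rng=random.Random(7))
    print("positions asked:", positions)
    print("verified:", verify_partial(rec, (0, 2), "26"))
```

Each answered challenge still discloses the digits it asked for, so the positions should be varied between sessions and the number of failed attempts limited; the scheme narrows what one observation reveals, it does not remove the limitation of a static PIN.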
In other methods such as described in US published patent application 20020184100, a code is generated and displayed to the user. The user then enters the PIN code to gain access.
A similar method is used in EP 2732594 A1. In this method, a user requests access to an application server. Having received the request, the application server sends a PIN code to a synthetic voice PIN server, which converts the PIN into an audio stream. The audio is then played to the user, who enters the code to gain access.
Still other prior art such as US published patent application 20130061057 uses a third party to authenticate a user with a mobile device. This application describes a method wherein a user encrypts a PIN with a separate code and sends it via a mobile device to a third verification party, which decrypts the PIN and authenticates the user.
In WO 2011124267 A1, a reference table of characters is used in connection with characters in an input table. Characters are displayed in the reference table, and the user is directed to select those characters in the given order on the input table. In one embodiment, the table is scrambled each time the user selects a different character.
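The reference-table idea, and the point made earlier that a non-dynamic PIN invites replay and brute-force attempts, can be shown with a one-time scrambled table. What follows is an added example written for this page, not code from the cited application: the server issues a fresh digit-to-symbol table per attempt, the user types the symbols that stand under their PIN digits, and the server inverts the table, checks the PIN against a keyed tag, and discards the table so the same response cannot be replayed. The server key, the ten-letter display alphabet and the class and function names are assumptions.

```python
import hashlib
import hmac
import random
import secrets
import string

# Hypothetical server-side secret; a real deployment would keep it in an HSM.
SERVER_KEY = b"demo-server-key-not-for-production"
SYMBOLS = string.ascii_uppercase[:10]   # display alphabet shown to the user


def _pin_tag(salt: bytes, pin: str) -> bytes:
    # Keyed tag: a 10,000-entry keyspace cannot rely on hashing alone at rest.
    return hmac.new(SERVER_KEY, salt + pin.encode(), hashlib.sha256).digest()


def enrol(pin: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"salt": salt, "tag": _pin_tag(salt, pin), "length": len(pin)}


class ChallengeStore:
    """Issues one-time reference tables and verifies responses against them."""

    def __init__(self, rng=None):
        self.rng = rng or secrets.SystemRandom()
        self.pending = {}   # challenge id -> {digit: symbol}

    def issue(self) -> tuple:
        """Return (challenge id, table) with a fresh random digit->symbol map."""
        symbols = list(SYMBOLS)
        self.rng.shuffle(symbols)
        table = {str(d): s for d, s in zip(range(10), symbols)}
        cid = secrets.token_hex(8)
        self.pending[cid] = table
        return cid, table

    def verify(self, record: dict, cid: str, response: str) -> bool:
        """Map the typed symbols back to digits under the table issued for cid.

        The table is removed before checking, so a second use of the same
        challenge id (a replayed response) is rejected outright.
        """
        table = self.pending.pop(cid, None)
        if table is None:
            return False
        inverse = {s: d for d, s in table.items()}
        if len(response) != record["length"] or any(c not in inverse for c in response):
            return False
        pin = "".join(inverse[c] for c in response)
        return hmac.compare_digest(record["tag"], _pin_tag(record["salt"], pin))


def respond(pin: str, table: dict) -> str:
    """Client side: type the symbol shown under each PIN digit."""
    return "".join(table[d] for d in pin)


if __name__ == "__main__":
    store = ChallengeStore(rng=random.Random(3))
    rec = enrol("1234")                       # constructed sample PIN
    cid, table = store.issue()
    typed = respond("1234", table)
    print("user types:", typed)
    print("first use:", store.verify(rec, cid, typed))
    print("replay:   ", store.verify(rec, cid, typed))
```

A captured response is only meaningful under the table it was issued for, which is what makes the entry dynamic; the PIN itself still has to be protected at rest, and attempt counting still applies because the table does not enlarge the keyspace.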
In still other prior art such as described in US published patent application 20130047236, a geometric direction of two-paired characters is used to authenticate a user. Herein, a user specifies a direction by dragging his or her finger across a device, such as a display, to illustrate the correct geometric direction. The device then recognizes the said direction to authenticate the user, giving the user access to the system.
Similarly in WO 2011124275 A1, the positions of characters are used to authenticate a user. Under this method, a user is given different characters placed in different locations. In order to be authenticated, the user has to match characters in their correct positions.
Similarly, in US published patent application 20120323788, the geometry of the characters is again used to authenticate a user. The user not only has to enter the correct sequence of buttons, but he or she also has to press those buttons when they are in their specified locations.
Some inventions such as U.S. Pat. No. 7,992,007 simply rearrange characters or “buttons”. The positions of these “buttons” are not used for authentication, but simply for protecting the code that the user inputs by changing the outward appearance of the GUI (graphical user interface).
In EP 2747366 A1, a dynamic PIN consists of a challenge-response method to authenticate a user. The user must arrange different pictures in a given order. The order changes each time. The pictures can also be used with a code, which is hidden in a barcode.
Matching is also used in some PIN authentication methods to further secure the authentication. In US published patent application 20120167199 a user is authenticated when two elements are matched together. This can be achieved through a device such as a touch screen. In some embodiments described, the area used to match specific elements can be made smaller for purposes of making the authentication more accurate.
Similarly, in CA 2765922 A1, a user is given up to three images. One is a base image, while the other is a more transparent image. To authenticate, the user must drag the correct element of the transparent picture over the correct element of the base image. In some embodiments, the elements in the base image can be rearranged when displayed to the user.
Another method authenticates a user when the user aligns three pictures over one another.