As remote access of computer systems and applications grows in popularity, the number and variety of transactions which are accessed remotely over public networks such as the Internet has increased dramatically. This popularity has underlined a need for security; in particular: how to ensure that people who are remotely accessing an application are who they claim they are, how to ensure that transactions being conducted remotely are initiated by legitimate individuals, and how to ensure that transaction data has not been altered before being received at an application server. In the context of this description, and unless otherwise indicated or clear from the context, application refers to a remotely accessible computer based application which is hosted by one or more application server computers and which may be remotely accessed by a user who is locally interacting with a client computing device whereby the user's client computing device and the application server or application servers are connected by means of a computer network. For example, the user may be interacting with a personal computer or a smartphone running a web browser whereby the personal computer or smartphone may be connected by means of the internet with a webserver hosting the application and whereby the web browser and the webserver may exchange for example Hypertext Transfer Protocol (HTTP) messages. In another example the user may be interacting with a mobile app running on a smartphone that is connected with a remote server. The application may for example comprise an online banking application.
One way to secure access to remote applications is the use of so-called strong authentication tokens. In the context of this description a strong authentication token (or authentication token or token in short) is a compact handheld electronic device comprising data processing means capable of certain cryptographic calculations. The device is adapted to generate dynamic authentication credentials on behalf of a user by performing a cryptographic algorithm on one or more inputs comprising at least one dynamic variable whereby the cryptographic algorithm is parameterized by one or more secret cryptographic keys that may be associated with that user. The dynamic variable may for example comprise a time value (which may be provided by a real-time clock comprised in the authentication token), it may comprise the value of a challenge which may be provided to the authentication token (e.g. a string of decimal digits entered into the authentication token), it may comprise the value of a counter that may be maintained by the authentication token and that may for example be incremented (or decremented) each time that the counter is used to generate a credential, it may comprise a value derived from a previously generated credential (it may for example comprise the previous value of the credential), it may comprise data representing a transaction that needs to be authenticated, and it may comprise any combination of the above.
In case the token has generated the dynamic authentication credential using just a time, counter, or challenge value, the generated credential may also be referred to as a one-time password. If the token has generated the dynamic authentication credential using transaction data, then the dynamic authentication credential may also be referred to as a signature or transaction data signature.
The strong authentication token may present the generated dynamic authentication credential to the user so that the user can forward the generated credential to an application so that the application can verify the credential. For example a strong authentication token may generate a dynamic authentication credential consisting of a string of digits and may present the dynamic authentication credential to the user by displaying the string of digits on the token's display.
Some strong authentication tokens are relatively simple and may offer only basic one-time password functionality and may have only a very limited user interface comprising nothing more than just a single on/off-button and a 7-segment display to display a 6-digit one-time password. Other strong authentication tokens are more complex. For example some high-end strong authentication tokens may be capable of offering a range of functionality including generating signatures over transaction data and may comprise for example a camera to capture an image encoded with relatively large amounts of data to be signed, more powerful data processing means to process and decode the captured images and a more sophisticated user interface capable of presenting relatively large amounts of data to the user through for example a graphical display.
The discussion of the background to the invention herein is included to explain the context of the invention. This shall not be taken as an admission that any of the material discussed above was published, known or part of the common general knowledge at the priority date of this application.