I. Smartphone Background
Smartphones are basically small, handheld computers. For example, some smartphones permit a user to check email, open remote desktop sessions, use a remote client, and even install a version of the CISCO ANYCONNECT client. A modern smartphone may have, for example, eight core processors, 4 GB of RAM, the ability to accept 2 TB SD cards, and the ability to be cloud-connected.
Employers and employees have been increasingly relying on smartphones over traditional full-size or laptop computers. On the road, employees may use their smartphones like a mobile computer, and at the office, employees may continue to use their mobile devices for work purposes. This is furthered by technology that allows smartphones to alter their user interface based on available hardware. For example, if such a smartphone is used like a phone, it will display a standard touch-friendly user interface; whereas if a monitor and/or keyboard and mouse are plugged into the smartphone, it may replace the user interface with a more desktop-like interface that can leverage the additional hardware. Thus, employees may, at work, connect a smartphone to a monitor, keyboard and mouse for a full computing experience. At home, employees may do the same, and may additionally connect the smartphone to a virtual private network (VPN) into their computing environment, e.g., to access internally hosted applications and data.
Increasingly, data that was traditionally stored locally on laptops and desktops is now being stored on smartphones or accessed from remote cloud locations by smartphones. A number of companies are even replacing laptops with smartphones for their mobile workforce. Such companies reason that giving an employee a bulky laptop to carry around, or even a tablet, is less preferable than giving them a smartphone that has similar functionality, can fit easily in their pocket, and can still store and access necessary business data and applications.
Furthermore, smartphones are increasingly being used as primary computing devices. Populations of developing nations appear to be skipping personal computers and laptops completely, and going straight to the use of mobile devices, which are far more affordable and have greater availability. Even in the U.S., 7% of adults get Internet access only from their smartphones, and 34% of adults get most of their Internet access from their smartphones.
Employers are following a parallel trend by increasingly implementing Bring Your Own Device (BYOD) policies. Such policies allow employees to bring their personal devices such as smartphones to work (and/or connect their personal devices to work systems) and use such devices to access private company data and applications. Companies are increasingly supporting BYOD as a strategy to shift the cost of information technology asset purchase and maintenance to their employees. It is estimated that by 2017, half of employers will require employees to supply their own compute devices for work purposes. One important consequence of BYOD policies is that when a device is used for personal and business activities, there is much greater risk of exposing private business data and applications.
In fact, smartphones are often lost or stolen. In 2013, for example, it is estimated that 1.4 million smartphones were lost, and between one million and 3.1 million were stolen. BYOD devices are at a particularly high risk of being lost or stolen, because they are typically carried to many more locations and used for many more purposes than they would be otherwise.
In sum, smartphones are powerful devices with access to business data and applications; smartphones are increasingly used as the primary computing devices; smartphones are increasingly used for dual purposes (business and personal), and incidents of smartphone theft and loss are increasing every year. Moreover, the problem of lost and stolen devices is becoming more critical due to the purposes smartphones are used for and the data they contain and access.
II. Multi-Factor Authentication Background
As the use of handheld electronic devices to store and operate on personal and business data becomes increasingly more prevalent, the need for securing such devices with robust authentication mechanisms to prevent unauthorized entry and access has also increased. Traditionally, the primary means for securing handheld devices, such as smartphones, has been to require a user to enter a password in order to gain entry to the device. When used as the sole means for granting or denying access, a password-only approach may be considered a “single-factor” authentication scheme.
Single-factor authentication, however, may offer only modest protection against unauthorized access, since it may be necessary to obtain access to only a single authentication credential or object for a malicious user to gain access to the protected data or services. For example, if a smartphone is secured only by a password, then an unauthorized user need only obtain the password in order to gain entry to the smartphone. To address this weakness in single-factor authentication schemes, multi-factor authentication schemes have been devised where a user must demonstrate a right to entry using two or more separate mechanisms.
One example of a multi-factor authentication scheme is the use of a physical security token in conjunction with a password. For example, in order to gain access to a computer system, in addition to supplying a valid password, a user may also present a security badge having a magnetic strip or a radio frequency identification (RFID) tag for scanning. Such a token-based multi-factor authentication scheme provides an additional layer of security, since an unauthorized user would not be able to gain access to the system simply by obtaining knowledge of a valid password (e.g., by glancing over an authorized user's shoulder as he or she typed the password), but would also have to obtain possession of the token associated with the password in order to gain access.
Although token-based multi-factor authentication schemes provide an additional layer of security over single-factor authentication schemes such as purely password-driven systems, they suffer from a number of drawbacks. For example, a security token may be stolen by an unauthorized user or may be misplaced or forgotten by an authorized user, thus preventing the authorized user from being able to gain access. Moreover, because most computers and handheld devices lack native hardware support to detect the presence of a security token, such as a magnetic strip card reader or an RFID token scanner, it is usually necessary to install separate hardware peripheral devices in order to detect presentation of a valid physical security token.
One technique that has been devised to address several flaws in token-based multi-factor authentication schemes is to use biometric information in conjunction with a second authentication factor, such as a password. In a biometric multi-factor authentication scheme, in addition to providing a valid password, a person may also be required to demonstrate that he or she is the authorized holder of the password by providing a fingerprint, retinal scan, or other biometric information sufficient to determine biological identity. Biometric multi-factor authentication schemes have an advantage over token-based multi-factor authentication schemes in that, unlike a physical security token, biometric information may not be stolen or lost by an authorized user.
However, like token-based multi-factor authentication schemes, biometric multi-factor authentication schemes also suffer from the drawback that it is often necessary to purchase and install separate peripheral hardware devices, such as fingerprint readers or retina scanners, in order to authenticate using these techniques. Not only may such peripheral devices be expensive, but their necessity prevents users from implementing biometric scanning security mechanisms using only software upgrades to existing hardware configurations.
The situation may be slightly improved using some forms of biometric scanning, such as speech recognition and facial recognition, that, in some cases, may be able to use existing hardware configurations and rely only on software upgrades to determine biological identity. However, these forms of biometric scanning, even when implemented purely by software, also suffer from a number of drawbacks. For example, the size and complexity of software needed to perform facial or speech recognition is often immense, placing large burdens on memory and processing power that may not be appropriate for or supported by simpler or smaller computing devices such as mobile telephones and smartphones.
Robust and accurate speech or facial recognition software packages may also be prohibitively expensive and complex, making it commercially infeasible to incorporate such software into consumer devices that are intended for mass distribution at significantly cheaper prices. Moreover, because of the innumerable complexities involved in analyzing audio data representing a human voice or image data recognizing a human face, even high-end speech and facial recognition programs are often inaccurate, leading to security-vulnerable false positives or user-frustrating false negatives. For example, such analysis may be unduly sensitive to minor variations in lighting, background noise, varying vocal intonations, etc.
Therefore, there is a need for implementing multi-factor authentication in mobile devices, such as smartphones and other computers, that are able to utilize existing hardware to detect the presence of a valid physical security token using a simple software upgrade that is significantly more accurate than biometric scanning techniques and imposes a significantly lower processing and memory burden. Such a security token should also be capable of easy generation and replication using general purpose hardware and software already commercially available to users.
III. Barcode Background
As used herein, the term “barcode” means an optically-machine-readable graphical pattern that encodes information. Examples of barcodes include traditional (linear or one-dimensional) barcodes that encode information in modulations of widths and spacings of black line segments against a white background. Other barcodes include two-dimensional quality response (QR) codes, which encode information in two-dimensional patterns.
Commercial barcode scanners are configured to project laser light onto a physical surface (on which is printed a barcode) in order to analyze the light as it is reflected off of the physical surface back into optical sensors resident in the barcode scanner. Hardware in such barcode scanners may analyze the reflected light to measure spacings, widths, relative sizes of printed objects, or colors of printed objects to decode binary or textual data encoded in the barcode, which binary or textual data may then be supplied to a processor or other device. Commercial barcode scanners use projected light to measure reflections, and therefore cannot read barcode data simply by sensing environmental light without the use of projected light. Further, commercial barcode scanners either discard or fail to measure graphical data other than the reflected graphical barcode components. Yet further, commercial barcode scanners do not record graphical (as opposed to decoded binary or textual) data in electronic memory.
Summary
According to various embodiments, a computer-implemented method of obtaining compartmentalized authenticated access to a feature on an electronic mobile device including a camera is disclosed. The method includes obtaining data representing a printable authentication pattern, where the printable authentication pattern encodes access information; storing in electronic persistent memory the access information in association with data representing the feature; receiving, at the mobile telephone, a user request to access the feature; capturing, using a camera of the mobile device, an image of an input pattern printed on to a substrate; decoding the input pattern to obtain captured information; determining, by retrieving the access information, that the captured information matches the access information; and providing access to the feature on the mobile device as a consequence of at least the determining.
Various optional features of the above embodiments include the following. The printable authentication pattern may include a QR code. The method may include sending the access information to a remote server, where the obtaining includes obtaining, by the mobile device and from the remote server, the data representing the printable authentication pattern. The obtaining may include generating, within the mobile device, the data representing the printable authentication pattern. The storing may include storing in electronic persistent memory of a remote server the data representing the access information in association with the data representing the feature. The feature may include at least one of: privilege elevation, access to containerized data, and access to at least one application. The feature may include privilege elevation, and where the privilege elevation includes elevation to administrative privileges for an operating system of the mobile device. The feature may include access to at least one application, and where the at least one application includes a virtual private network application. The method may include obtaining a password; and verifying legitimacy of the password; where the providing access may include providing access to the feature on the mobile telephone as a consequence of both the determining and the verifying. The method may include obtaining data representing multiple printable authentication patterns, each of the multiple authentication patterns for accessing a different set of mobile device features.
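The store, match and grant steps of the method above, including the optional password factor and the use of a different pattern per feature, can be sketched as follows. This is an added example, not code from the patent: camera capture and barcode decoding are assumed to have already produced the string `captured_info`, and the class name `FeatureGate`, the feature names, the sample password and the choice to store salted PBKDF2 digests rather than the raw access information are all assumptions.

```python
import hashlib
import hmac
import secrets


class FeatureGate:
    """Hypothetical store associating access information with one feature each."""

    def __init__(self):
        # feature -> (salt, digest of access information, password digest or None)
        self._records = {}

    @staticmethod
    def _digest(salt, value):
        # Assumption: persist a salted digest so the stored record cannot be re-printed.
        return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, 100_000)

    def enroll(self, feature, password=None):
        """Create access information for a feature; return the payload to encode and print."""
        access_info = secrets.token_urlsafe(32)  # random 256-bit value, small enough for a QR code
        salt = secrets.token_bytes(16)
        pw = self._digest(salt, password) if password is not None else None
        self._records[feature] = (salt, self._digest(salt, access_info), pw)
        return access_info

    def request_access(self, feature, captured_info, password=None):
        """Grant access only if the decoded pattern (and password, if enrolled) match."""
        record = self._records.get(feature)
        if record is None:
            return False
        salt, info_digest, pw_digest = record
        ok = hmac.compare_digest(self._digest(salt, captured_info), info_digest)
        if pw_digest is not None:
            # Both factors are always evaluated; access requires both to match.
            ok = ok & hmac.compare_digest(self._digest(salt, password or ""), pw_digest)
        return ok


def demo():
    # Constructed sample: a VPN feature with pattern plus password, an admin feature with pattern only.
    gate = FeatureGate()
    vpn_code = gate.enroll("vpn", password="constructed-pass")
    admin_code = gate.enroll("admin")
    return {
        "vpn_both_factors": gate.request_access("vpn", vpn_code, "constructed-pass"),
        "vpn_pattern_only": gate.request_access("vpn", vpn_code),
        "admin_with_vpn_pattern": gate.request_access("admin", vpn_code),
        "admin_own_pattern": gate.request_access("admin", admin_code),
    }
```

The pattern enrolled for one feature does not open another, which is the compartmentalization the method describes.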
According to various embodiments, a system for obtaining compartmentalized authenticated access to a feature on an electronic mobile device including a camera, the system including a mobile device and at least one remote server, is disclosed. In the system, at least one of the mobile device and the remote server is configured to obtain data representing a printable authentication pattern, where the printable authentication pattern encodes access information; at least one of the mobile device and the remote server is configured to store in electronic persistent memory the access information in association with data representing the feature; the mobile device is configured to receive a user request to access the feature; the mobile device is configured to capture, using the camera of the mobile device, an image of an input pattern printed on to a substrate; at least one of the mobile device and the remote server is configured to decode the input pattern to obtain captured information; at least one of the mobile device and the remote server is configured to determine, by retrieving the access information, that the captured information matches the access information; and the mobile device is configured to provide access to the feature on the mobile device as a consequence of at least a determination of a match.
Various optional features of the above embodiments include the following. The printable authentication pattern may include a QR code. The mobile device may be configured to obtain from the remote server the data representing the printable authentication pattern. The mobile device may be configured to generate, within the mobile device, the data representing the printable authentication pattern. The remote server may be configured to store in electronic persistent memory the data representing the access information in association with the data representing the feature. The feature may include at least one of: privilege elevation, access to containerized data, and access to at least one application. The feature may include privilege elevation, and where the privilege elevation may include elevation to administrative privileges for an operating system of the mobile device. The feature may include access to at least one application, and where the at least one application includes a virtual private network application. The mobile device may be configured to obtain a password; at least one of the mobile device and the remote server may be configured to verify legitimacy of the password; and the mobile device may be configured to provide access to the feature on the mobile telephone as a consequence of a determination of a match and a verification of password legitimacy. At least one of the mobile device and the remote server may be configured to obtain data representing multiple printable authentication patterns, each of the multiple authentication patterns for accessing a different set of mobile device features.