The present invention relates to systems enabling access of users to services and, in particular, to an arrangement that allows a user to create a customisable access token for such services and to the fast retrieval of multiple level information from customized cards. The invention has been developed primarily for secure access to digital services and will be described hereinafter with reference to these and related applications. However, it will be appreciated, particularly in view of the number of alternative examples given, that the invention is not limited to these fields of use.
In the provision of digital services to users, access is typically controlled by some secret that is shared between the user and the provider of the service. This secret is often known by names such as a "key", a "password", a "personal identification number" (PIN) and so forth.
The security level associated with the provision of the service is typically enhanced through the use of lengthy or complicated secrets. Unfortunately, people are typically poor at remembering long or complex secrets, and such secrets are also cumbersome to input to a checking system. As a consequence, secrets that people must remember and enter themselves tend to be short, for example four or six digits in length. This results in lower levels of security than is desirable. This is particularly the case in the realm of services accessed via computer through the Internet, where unscrupulous persons can mount an automated attack upon the provision of the service or the service itself. This is to be contrasted with automatic teller machines, where the gateway to the service is controlled by the provider of the service (eg. the bank), which can therefore detect and limit repeated guessing.
One way to increase the security level without requiring individuals to remember long secrets is to store the secret in some convenient form, for example in a smartcard device, known per se. In the context of this specification, such smartcard devices relate to those devices which contain a computing capacity within the device and not merely the simple "memory only" smartcard devices commonly used as telephone cards and for other basic applications. An example of a device including a computing capacity that is currently available is the "JavaCard" manufactured by Schlumberger Industries of France.
To protect the smartcard device from unauthorised use by a thief or other unscrupulous person, such devices are generally configured to require a short secret (eg. a PIN) to be entered before use is enabled. An example of a similar such device currently in use is the credit-card sized organiser that can hold many passwords, all protected by a master password (eg. the PIN) arranged on the organiser. These devices are often used by administrators of computer systems who are required to remember many passwords. However, such an arrangement is quite vulnerable to compromise, because if an attacker can obtain the device, an attack can be mounted upon it. The only change from the previous case is that the channel between the user and the service is more secure, because longer secrets are used in such an arrangement. The weak link in the security arrangement is the secret implemented by the user to obtain access to the service (eg. the master PIN).
It is known to those skilled in the computing sciences that the need for a user and the service to share a secret can be removed by using public-key cryptography. The user holds the private half of the key-pair and the service (in fact the world in general) may be given the public half of the key-pair. The service authenticates the user by issuing a challenge, requesting that a known datum be encoded with the user's private key. If the encoded datum can be decoded correctly by the service using the user's public key, then, provided the user has kept the private key secret, it can be said with a very high level of confidence that the user is authentic. Such a scheme makes a device having a computing capacity mandatory, because humans cannot perform the arithmetic operations required for authentication at an appropriate speed. Advanced smartcards, such as the smartcards discussed above, having a computing capability can provide such capacity.
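The challenge-response exchange just described, written out as an added worked example (this is not part of the original specification) in Go using Ed25519 signatures from the standard library. The card and service types, the 32-byte challenge size and the record of already-answered challenges are assumptions made here for illustration:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Card models the computing smartcard of the text: it holds the private half
// of the key-pair, never reveals it, and only signs the datum it is handed.
type Card struct {
	priv ed25519.PrivateKey
}

// Sign is the card's whole interface to the outside world.
func (c *Card) Sign(challenge []byte) []byte {
	return ed25519.Sign(c.priv, challenge)
}

// Service holds only the public half, plus a record of challenges already
// answered so that a captured response cannot simply be replayed (assumption).
type Service struct {
	pub  ed25519.PublicKey
	used map[string]bool
}

// NewChallenge issues a fresh 32-byte random datum (size is an assumption).
// A fixed or predictable datum would let an eavesdropper replay an old reply.
func (s *Service) NewChallenge() ([]byte, error) {
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		return nil, err
	}
	return ch, nil
}

var (
	ErrReplay = errors.New("challenge already answered once")
	ErrBadSig = errors.New("response does not verify under the user's public key")
)

// Authenticate checks the card's response with the public key alone; the
// service never needs, and never learns, the private half.
func (s *Service) Authenticate(challenge, response []byte) error {
	key := string(challenge)
	if s.used[key] {
		return ErrReplay
	}
	if !ed25519.Verify(s.pub, challenge, response) {
		return ErrBadSig
	}
	s.used[key] = true
	return nil
}

// Enrol generates the key-pair: private half to the card, public half to the service.
func Enrol() (*Card, *Service, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Card{priv: priv}, &Service{pub: pub, used: make(map[string]bool)}, nil
}

// RunExchange performs one genuine authentication, then a replay of the same
// response, then an attempt by an impostor card holding a different key-pair,
// and returns the outcome of each.
func RunExchange() (fresh, replay, impostor error) {
	card, svc, err := Enrol()
	if err != nil {
		return err, err, err
	}
	ch, err := svc.NewChallenge()
	if err != nil {
		return err, err, err
	}
	resp := card.Sign(ch)
	fresh = svc.Authenticate(ch, resp)  // genuine card: nil
	replay = svc.Authenticate(ch, resp) // same response again: ErrReplay

	other, _, err := Enrol() // impostor with its own key-pair, not registered
	if err != nil {
		return fresh, replay, err
	}
	ch2, err := svc.NewChallenge()
	if err != nil {
		return fresh, replay, err
	}
	impostor = svc.Authenticate(ch2, other.Sign(ch2)) // ErrBadSig
	return fresh, replay, impostor
}

func main() {
	fresh, replay, impostor := RunExchange()
	fmt.Println("genuine:", fresh, "| replay:", replay, "| impostor:", impostor)
}
```

The datum the service sends must be fresh and unpredictable for each authentication: with a fixed or reused datum, anyone who has observed one response can replay it, which is what the `used` record above rejects. Note also that the service verifies with the public key only and never holds the secret half, which is the whole point of the scheme.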
There still remains the problem of how to adequately protect the private key held in such a smartcard.
It has been proposed to use a scheme where a user is posed a series of questions relating to the user's personal history. For example, "my most memorable moment was in . . . ", where the user is expected to fill in a geographic location of the "memorable moment". Another example includes "the day Kennedy died, I was . . . ". In this example, an attacker on the system has no knowledge as to which Kennedy is meant by the user. In such systems, the assumption is that an attacker would not know the answers to a sufficiently large number of obscurely phrased questions relating to the user's personal history. In contrast, the user would know the answers to such questions and would remember those answers well because they are in some way significant in the user's mind. Such an arrangement may provide some leeway for incorrect answers to be entered, thereby permitting access to the service provided a sufficiently large number of correct answers are returned by the user. The security scheme just described has the disadvantage that a computer and an input device, such as a keyboard, are required for its implementation. Such reliance upon relatively large devices inhibits broader use of digital services, especially in electronic commerce, where the user may not wish to trust the computer being used by the service provider, but also does not wish to carry a computer and associated input device.
Complex computer systems used in everyday life today make use of multiple levels of interaction to make computer applications substantially simpler to navigate. Users typically must navigate through multiple levels of interaction to locate information or perform operations that are of interest. Content retrieval applications generally organize content in a tree or hierarchical type structure and allow navigation to more detailed "branches" on the tree. Searching methods and associated software are typically provided to guide the user through various levels of the tree to a desired node thereof. Similarly, there are many computer applications which perform a task, where that task is specified by a number of key presses or menu choices. It is the combination of these key presses or menu choices which specifies the form of task to be performed. Thus a complex task can be completed through a number of simple key presses or menu options. Many navigating techniques and navigating engines are known in the prior art and are available for use in performing this process.
However, these prior art approaches have several drawbacks which can make it difficult to effectively locate the desired materials or operations. One disadvantage is that applications are likely to show only first level entries to the user. Because the available navigation paths are unknown to the user before navigation commences, the user can easily become confused as to which level he is currently on and how many levels remain to be traversed before the destination is reached. In addition, the user may also be unaware of which button(s) is/are enabled and which is/are disabled until a button is pressed and a response is received. If the application makes use of a standard keyboard layout and mouse pointer, it is likely that only a small minority of the available keys will be mapped to functions. Thus, some prior knowledge of the mapped keys is needed in order to reduce frustration, unless very clear instructions are given. The resulting user interface is therefore not simple to use and assumes some experience or knowledge on the part of the user.
Apart from the lack of pre-shown searching paths on a fixed user interface, another disadvantage is that user interfaces keep changing. This is especially evident in many menu driven graphical user interfaces (GUIs), which are often used to minimize the amount of prior expertise necessary to use an application. Such interfaces can alter the display of the menus shown depending on the state of the application. Menu options that have no prescribed effect at a given time are often removed or greyed out. Information may be presented and retrieved while routing through all entries, which may confuse the user with changing content, and can also be slow. It would be more efficient if fewer detailed indications or guidelines needed to be presented before the leaf nodes of the tree index are reached.
Yet another disadvantage of the prior art is that a specific user interface or interface device is generally required for each application. Fixed interface and special requirements make it difficult to create a device which can generate a customized user interface coupled to numerous applications.
Smart cards and interface cards having user selectable indicia and which do not have any levels suffer from the problem that a limit to the number of different actions which can be accessed is quickly reached. One limit is the size of the tip of the human finger, which determines a minimum size for the indicia or associated button. Another limit is the size of the card itself. For a credit-card sized smartcard, a limit of about 20-30 icons/indicia is quickly reached.
It is an object of the present invention to substantially overcome or ameliorate one or more problems associated with prior art arrangements.
In accordance with one aspect of the present disclosure there is provided a secure access device comprising:
a card portion having a surface onto which are formed a plurality of user interpretable icons; and
electronic apparatus attached to said card portion, said apparatus comprising:
a memory in which are retained at least a plurality of character strings each associated with a corresponding one of said icons;
processor means coupled to said memory; and
communication means for coupling said processor means to a reading device configured to facilitate reading of said secure access device;
wherein said processor means is configured to relate reading signals generated from a user selection of at least one of said icons and received via said communication means with at least one of said retained character strings to thus perform a secure access checking function for enabling or rejecting user access to a desired service.
In accordance with another aspect of the present disclosure there is provided a method of personally configuring a device for use by a user, said device comprising:
a card portion having a surface; and
electronic apparatus attached to said card portion, said electronic apparatus comprising a memory, processor means coupled to said memory, and communication means for coupling said processor means to a configuring system arranged for configuring said device;
said method comprising the steps of:
(a) obtaining secure data from said user, said obtaining comprising the sub-steps of:
(aa) prompting said user to devise a question, an answer to which is known by said user;
(ab) receiving data comprising a character string from said user corresponding to said known answer; and
(ac) associating an icon with said character string;
(b) configuring said device as a secure access device, said configuring comprising the sub-steps of:
(ba) storing in said memory said character string;
(bb) forming said associated icon onto said surface; and
(bc) storing in said memory a positional relationship of said icon on said surface associated with said character string; and
(c) forming an interface for manipulation by said user, said forming comprising the sub-steps of:
(ca) providing a (first) set of icons onto said surface; and
(cb) storing in said memory a positional relationship between each said icon of said first set and a corresponding character retained by said memory.
In accordance with another aspect of the present disclosure there is provided a method of using a secure access device to obtain access to a secure service, said secure access device comprising:
a card portion having a surface onto which are formed a plurality of user interpretable icons; and
electronic apparatus attached to said card portion, said apparatus comprising:
a memory in which is retained at least one character string associated with a corresponding one of said icons;
processor means coupled to said memory; and
communication means for coupling said processor means to a reading device configured to facilitate reading said secure access device and to provide access to said service;
wherein said processor means is configured to relate reading signals generated from a user selection of at least one of said icons and received via said communication means with at least one of said retained character strings to thus perform a secure access checking function for enabling or rejecting user access to a desired service;
said reading device comprising:
a communications processor for connecting said communication means to said service; and
a data entry device providing for user selection of individual ones of said icons and forming said reading signals,
said method comprising the steps of:
(a) obtaining data from said user, said obtaining comprising the sub-steps of:
(aa) detecting a selection by said user of a first one of said icons; and
(ab) detecting subsequent sequential selection by said user of a plurality of said icons;
(b) checking said data, said checking comprising the sub-steps of:
(ba) associating said selection of said first icon with a stored said character string whereby failure to associate said selected first icon with a stored said character string aborts said checking function and inhibits access to said service by said user;
(bb) associating each said icon of said subsequent sequential selection with a corresponding character to form an interrogating character string; and
(bc) comparing said interrogating character string with said selected stored character string wherein a valid comparison provides for access of said user to said service.
In accordance with another aspect of the present disclosure there is provided a multiple level user interface card for interfacing between a user provided with a card reader communicating with a computer and an application program having a multiplicity of hierarchical operating or ordering levels operating on, or operated by, said computer, said card comprising:
a smart card having a plurality of user activatable regions thereon and an electronic memory with data stored therein corresponding to each of said regions, wherein said regions and said data are arranged in a hierarchy with a multiplicity of levels corresponding to said application program levels, and each level has a plurality of regions, and wherein selecting a region of each said level in the sequence of said hierarchy activates said stored data in said hierarchical sequence to operate said application program at the operating or ordering level corresponding to the last selected region.
In accordance with another aspect of the present disclosure there is provided a method of interfacing at multiple levels between a user and an application program operating upon a computer, said application program having a multiplicity of hierarchical operating or ordering levels, said method comprising the steps of:
(a) providing said user with a smart card or interface card (known per se) having a plurality of user activated regions thereon and an electronic memory with data stored therein corresponding to each of said regions;
(b) arranging said regions and said data in a hierarchy with a multiplicity of levels corresponding to said application program levels, each of said levels having a plurality of regions;
(c) providing said user with a smart card reader communicating with said computer,
(d) inserting said card into said smart card reader, and
(e) selecting a region of each said level in the sequence of said hierarchy to activate said stored data in said hierarchical sequence to operate said application program at the operating or ordering level corresponding to the last selected region.
In accordance with another aspect of the present disclosure there is provided a secure access device for interfacing between a user thereof and an application program having a plurality of hierarchical operating levels and being operable by a computer, said secure access device comprising:
a card portion having a surface on which are formed a plurality of user interpretable icons, there being at least one security icon associated with a security function for enabling access to at least one of said hierarchical operating levels, and at least one functional icon associated with each said hierarchical operating level, said functional icons being arranged into regions on said surface and associated with a corresponding one of said operating levels; and
electronic apparatus associated with said card portion, said apparatus comprising:
a memory comprising a mapping between each said icon and stored data associated therewith, each said security icon having a corresponding stored character string;
processor means coupled to said memory; and
communication means for coupling said processor means to said computer and a reading device, said reading device being configured to enable user selection of a function associated with a corresponding one of said icons;
wherein said processor means is configured to relate reading signals generated from a user selection of at least one of said security icons and received via said communication means with at least one of said retained character strings to thus perform a secure access checking function for enabling or rejecting user access to at least one of said hierarchical operating levels;
whereupon user selection of a said icon in a said region in a sequence of said hierarchy activates said stored data in said hierarchical sequence to operate said application program at the operating level corresponding to the last selected region.
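The checking method of steps (a) and (b) in the method-of-use aspect above, together with the level-gated hierarchy of the last three aspects, as an added worked example in Go (this is not code from the original specification). The icon names, the stored strings, the two-level menu, the SHA-256 digest of the stored answer, the constant-time comparison and the three-failure lock-out are all assumptions made here for illustration; the specification itself stores the character string directly and says nothing about hashing or attempt limits:

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Card memory as the summary describes it: each security icon has a stored
// character string (kept here as a SHA-256 digest, an addition), each character
// icon maps to one character, and functional icons sit in hierarchical levels.
type Card struct {
	answers  map[string][32]byte // security icon -> digest of stored string
	chars    map[string]byte     // character icon -> character
	levels   []map[string]string // level -> functional icon (region) -> stored data
	unlocked bool
	failures int
}

const maxFailures = 3 // assumed lock-out threshold, not from the specification

var (
	ErrNotSecurityIcon = errors.New("first icon is not a security icon; checking aborted")
	ErrNotCharIcon     = errors.New("icon has no character associated with it")
	ErrMismatch        = errors.New("interrogating string does not match stored string")
	ErrLocked          = errors.New("card locked after repeated failures")
	ErrNoAccess        = errors.New("secure access check has not succeeded")
	ErrBadRegion       = errors.New("icon is not a region of the expected level")
)

func digest(s string) [32]byte { return sha256.Sum256([]byte(s)) }

// NewDemoCard builds a constructed card: security icon "sun" stands for a
// user-devised question whose answer is PARIS; character icons spell it.
func NewDemoCard() *Card {
	return &Card{
		answers: map[string][32]byte{"sun": digest("PARIS")},
		chars:   map[string]byte{"p": 'P', "a": 'A', "r": 'R', "i": 'I', "s": 'S'},
		levels: []map[string]string{
			{"menu-account": "ACCOUNT", "menu-pay": "PAY"},
			{"balance": "SHOW_BALANCE", "transfer": "TRANSFER"},
		},
	}
}

// CheckAccess is steps (a) and (b): the first icon selects a stored string
// (ba: abort if it is not a security icon), the following icons form the
// interrogating string (bb), which is compared with the stored one (bc).
func (c *Card) CheckAccess(selection []string) error {
	if c.failures >= maxFailures {
		return ErrLocked
	}
	if len(selection) == 0 {
		return ErrNotSecurityIcon
	}
	stored, ok := c.answers[selection[0]]
	if !ok {
		return ErrNotSecurityIcon
	}
	entered := make([]byte, 0, len(selection)-1)
	for _, icon := range selection[1:] {
		ch, ok := c.chars[icon]
		if !ok {
			return ErrNotCharIcon
		}
		entered = append(entered, ch)
	}
	got := digest(string(entered))
	// Constant-time comparison so timing does not leak how much of the answer matched.
	if subtle.ConstantTimeCompare(got[:], stored[:]) != 1 {
		c.failures++
		return ErrMismatch
	}
	c.failures = 0
	c.unlocked = true
	return nil
}

// Navigate takes one icon per level in hierarchical sequence and returns the
// stored data activated at each level; the application acts on the last entry.
func (c *Card) Navigate(path []string) ([]string, error) {
	if !c.unlocked {
		return nil, ErrNoAccess // security icon gates the hierarchical levels
	}
	if len(path) != len(c.levels) {
		return nil, ErrBadRegion
	}
	activated := make([]string, 0, len(path))
	for level, icon := range path {
		data, ok := c.levels[level][icon]
		if !ok {
			return nil, ErrBadRegion
		}
		activated = append(activated, data)
	}
	return activated, nil
}

func main() {
	c := NewDemoCard()
	fmt.Println(c.CheckAccess([]string{"sun", "p", "a", "r", "i", "s"}))
	fmt.Println(c.Navigate([]string{"menu-account", "balance"}))
}
```

Two points worth noting for anyone building on this. Step (ba) aborts on an unrecognised first icon before any character is read, so the card gives no hint which icons are security icons; the example keeps that ordering. Storing a digest rather than the plaintext string only stops casual readout of the memory: an attacker who extracts the card contents can still guess short answers offline, which is exactly the weak link the background section identifies, so the user-devised question must have a genuinely obscure answer and the card should stop responding after a few failures.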
Other aspects are also disclosed.