|Publication number||WO2007070014 A1|
|Publication date||21 Jun 2007|
|Filing date||12 Dec 2006|
|Priority date||12 Dec 2005|
|Publication number||PCT/2006/385, PCT/SG/2006/000385, PCT/SG/2006/00385, PCT/SG/6/000385, PCT/SG/6/00385, PCT/SG2006/000385, PCT/SG2006/00385, PCT/SG2006000385, PCT/SG200600385, PCT/SG6/000385, PCT/SG6/00385, PCT/SG6000385, PCT/SG600385, WO 2007/070014 A1, WO 2007070014 A1, WO 2007070014A1, WO-A1-2007070014, WO2007/070014A1, WO2007070014 A1, WO2007070014A1|
|Inventors||Mahtab Uddin Mahmood Syed|
|Applicant||Mahtab Uddin Mahmood Syed|
Antiphishing Login Techniques
The invention relates to a method and apparatus for access control and for providing additional security that makes phishing more difficult to implement. The invention also relates to a method and apparatus for providing enhanced security which may be used in addition to existing access control techniques.
One of the latest computer-related problems to arise is that of phishing. Phishing is the fraudulent act where a perpetrator sends out legitimate-looking e-mails, perhaps by mass-mailing, to e-mail users, the e-mail appearing to come from a well-known and trustworthy source, such as the user's bank. The aim of the phishing e-mail is to gather personal and/or financial information from the recipient which the phisher might use to defraud the e-mail recipient, for example: credit card information; log in details for an on-line banking facility; national identity card/passport information, etc. A phishing expedition is a speculative venture; the phisher puts out the lure hoping to fool at least one of the recipients into divulging that user's sensitive or confidential information. Other tactics see the phishers sending e-mails containing a hyperlink which the user is requested to follow to update personal information. However, instead of being forwarded to a page for this update purpose, "malware" is automatically downloaded to the user's computing device in the background, the user being unaware of this. Such malware can be in the form of spyware such as a keylogger and/or keygrabbing trojan horses.
Organised crime frequently attempts to exploit phishing techniques and a black market for stolen information of this nature has developed. To send phishing e-mails is a relatively straightforward process and may be seen by organised criminals to be relatively risk-free as there may be only a small chance of being caught. In the battle against phishers, user authentication techniques offer the first line of defence for, for example, an online financial portal or ecommerce website. However, it is difficult for the system administrators of the portals/website to motivate users to update periodically the authentication information used for access to these sites. As such, it is often easy for phishers to succeed. Generally speaking, the problem of providing controlled access to information of a sensitive or confidential nature has long been known and extends not only to online banking, but also to, for example, file storage access. An example of a method and apparatus for access control in a computing device is described in US 6,720,860 which discloses use of a password authentication system for enabling access to secure data stored in an apparatus which, in the described embodiment, is a mobile computing device/appliance. The system disclosed includes a user interface display having a touch sensitive panel for detecting physical user interaction. The device generates a sequence of one or more images for display on the user interface display, the images of the sequence including password elements for the user which are flashed at specific locations on the display interface. The user activates the screen in the correct area of the screen when an image of his password is flashed on screen to select that image as part of the password.
However, problems with the system include that the symbols are flashed on screen according to a pre-determined sequence, and, if a phisher had successfully downloaded spyware such as a programme to log screen activation on the mobile computing device, there is a chance that the phisher would be able to capture the user's password sequence and thereby gain unauthorised access to the mobile computing device and the information stored on it. An optional feature of the system of US 6,720,860 allows for one complete sequence of symbols to be presented in one of four areas on the screen randomly but, even if this feature is implemented, the phisher may still be successful in fooling the mobile computing device into believing that the correct password sequence has been entered.
The invention is defined in the independent claims. Some optional features of the invention are defined in the dependent claims.
By randomly arranging the set of interactive display elements on the user's display, each time a user is presented with the set of interactive display elements, the elements which must be selected will be in a different part of the screen each time and a malicious user will be foiled. When the arrangement of the interactive display elements on the screen is randomly generated, keylogger and other user-action monitoring malware programmes will be ineffective; even if they successfully capture a user's actions in entering his "visual password", the next time the plurality of interactive display elements is displayed, either to the bona fide user or the phisher, the arrangement will have been changed from the previous arrangement. As such, the phisher, having only information of the user's activity in the on-screen co-ordinates of the interactive display elements which were activated during one particular log in attempt, should be unable to reproduce the correct selection of interactive display elements and, therefore, be unable to obtain unauthorised access. In embodiments of the invention, the password cannot be regenerated in written form. This alone may be sufficient to inhibit phishing activity; if the password cannot be regenerated in written form, then it will be difficult for the phisher to devise a suitable invitation to the bona fide user to divulge confidential information.
Embodiments of the invention allow for the request for the password to include a subset of interactive display elements which are generated randomly or pseudo-randomly and/or remotely from the user seeking to obtain access, so that additional password security may be provided. The randomly generated subset of interactive display elements can be generated locally (for example at the user's personal computer, PDA, etc.) and/or remotely (e.g. at the financial institution's server) from the user. As such, additional security is provided to attempt to prevent a situation whereby a malicious or fraudulent person - the phisher - gains unauthorised access to sensitive or confidential information. Fraudulent communications such as phishing emails purporting to be from a trusted source, such as the user's bank, may therefore be foiled.
The present invention will now be described by way of example only and with reference to the accompanying drawings in which:
Fig. 1 is a schematic representation of systems in which embodiments of the present invention may be implemented;
Fig. 2 illustrates representations of on-screen displays as presented to a user in an implementation of an embodiment of the invention;
Fig. 3 illustrates the first subset of key interactive display elements;
Fig. 4 illustrates a container of a set of interactive display elements with a sequence of selection from the container of the first subset of interactive display elements;
Fig. 5 illustrates onscreen displays according to embodiments of the invention;
Fig. 6 illustrates an on-screen display allowing a user to enrol for use of an embodiment of the present invention;
Fig. 7 is a flowchart illustrating the log in process for a user using an embodiment of the present invention;
Fig. 8 is a flowchart illustrating the enrolment process for the user enrolling for use of an implementation of an embodiment of the present invention;
Fig. 9 illustrates an on-screen display according to an embodiment of the invention providing further enhanced security;
Fig. 10 is a flow chart illustrating the log in process for the embodiment of Fig. 9; and
Fig. 11 is a flow chart illustrating the enrollment process for the embodiment of Fig. 9.
Referring to Figure 1a, a system in which an embodiment of the present invention is implemented will now be described. A user (not shown) tries to log on to, for example, his online banking facility, at the user equipment 12. The user equipment 12 comprises a display 14 such as a computer monitor, a desktop PC 16, having user interface items keyboard 18 and mouse 20 both of which are connected to the personal computer 16. The user equipment 12 is connected to the internet 22. The software module 24 configured to implement embodiments of the present invention is also connected to the internet. In turn, the software module 24 is connected with the server 26 of a financial institution, which may also be connected directly to the internet 22 through a separate link. It will be appreciated that in the example of Figure 1a, although the software module 24 is shown as a discrete module separate from the financial institution server 26, the software module 24 may be incorporated into the financial institution server 26 as an integral module of that server and may also be incorporated, at least partly, at the user's equipment 12.
Figure 1b illustrates an alternative system in which embodiments of the invention may be implemented. With respect to Figure 1a, like parts are allocated like reference numerals. A user (not shown) tries to log into, for example, his online banking facility, at the user equipment 12. As in Figure 1a, the user equipment 12 may comprise a desktop PC or alternatively, any suitable computing device including mobile computing devices such as a laptop computer/notebook, PDA (including, for example, a touch sensitive display, stylus and keyboard) or mobile communications device (such as a smart phone equipped with input and output devices such as touch sensitive display, stylus and keyboard). User equipment 12 is also equipped with appropriate client software such as a web browser that supports any or all of the following: Java Scripts, ActiveX, Java Applet, DHTML (or other appropriate technologies) and communicates via a network means over the Internet 22 with a web server(s) 10 provided with network means for linking with Internet. The web server(s) 10 along with other appropriate software consists of a software module 11 configured to implement embodiments of the present invention. Web server(s) 10 and the software module 11 are further connected with a storage device 13 for storing an image repository 13 containing display elements for the software module 11 and the Internet Application 12 such as e-banking which the user is trying to gain access to.
It will be appreciated that in the example of FIG. 1, although the software module 11 is shown as an integrated module with the enterprise application or infrastructure 9 such as the financial institution as an integral module, the software module 11 can be a discrete module separated from the enterprise application 9 (as in Figure 1a) providing services to the enterprise application 9 via web services from the remote location.
The software module 11 can be integrated with windows or other operating systems providing access control independently or along with traditional user-id and password or other authentication mechanism.
Figure 2 illustrates ways in which the container of the plurality of interactive display elements is presented to users. In Figure 2a, a portion of the on-screen display on display 24 is shown. As is conventional, the user will be prompted for his unique user ID at 32, and upon entry of the user ID may submit this information to the authentication process by clicking "Submit" 34 or he can clear the field 32 by clicking "Clear" 36 if an error has been made when entering this information. The user will also be prompted for his password at 48 and again can either "Submit" 50 or "Clear" 52 this information. In between, as an extra level or layer of security, the user is required to enter his visual password "VisPass" (a trademark) 38. A container 40 containing a set of interactive display elements 42a, 42b, ... 42n is presented to the user. The interactive display elements 42 have unique images superimposed thereon to allow the user to distinguish interactive display elements from one another and easily identify the key images of his visual password.
This set of interactive display elements 42 is divided into first and second subsets and will be described below in relation to Figure 4. The user may view further interactive display elements not immediately presented on the screen by manipulation of the scroll bars 44, 46.
An alternative display is shown in Figure 2b where the user may enter the user ID and password prior to operation of the visual password container 40.
It will be appreciated that in the illustrated embodiments of Figures 2a and 2b, the container 40 of interactive display elements 42 is used in conjunction with conventional access control techniques to provide an additional security layer. However, the container of interactive display elements can be used also in a stand-alone context for the purpose of access control. An example of this is shown in Figure 2c where a container 54 contains a plurality of interactive display elements 56 each with a unique image superimposed thereon. The container 54 of Figure 2c comprises images and representations which can include effectively any image, ranging from simple geometric shapes such as circles and squares to alphanumeric text strings and to images which are photographs.
Referring now to Figure 3, a visual password according to an embodiment of the present invention is illustrated. The visual password 60 comprises a sequence of images superimposed upon interactive display elements 62, 62b, 62c, 62d and 62n which the user must select in order to obtain access to the secure information and/or area, for example the online banking facility. In embodiments of the invention, the visual password images and interactive display elements are presented to the user in a container 70 of interactive display elements 62, 64 as shown in Figure 4. A first subset of images 62a, 62b, 62c, 62d, 62e are a set of user-specific key images - that is, they comprise the key images of the user's password - which the user must select correctly to be granted access. Selection of the images is effected at a receiving device, such as keyboard 18 or mouse 20. The second subset of images 64a, 64b, 64c, 64d, 64n are generated according to a generation criterion. The generation criterion can be that the images are specified by the user; that they are generated remotely by the process implemented in the software module 24 and/or that they are generated randomly (including being generated either remotely from the user or locally at the user equipment 12). When generated randomly, the second subset of images may be updated after an update period, which may itself be pre-determined or randomly determined.
In embodiments of the invention, the user satisfies a selection criterion if he selects some or all of the correct images 62 of the password 60 from the container 70. In embodiments of the invention, the images/interactive display elements must be selected according to a pre-defined sequence (e.g. in the correct order) to satisfy the selection criterion. This is an optional feature and will be described further below. When this option is implemented, the user must select the images in the correct order 1, 2, 3, etc. as shown by the selection sequence numbers 66. In embodiments of the invention, the images superimposed on each interactive display element 62, 64 are specified at the server, by a system administrator, or by a user as described below. Embodiments of the invention implement a combination of the two techniques; that is, the user specifies some images of the visual password 60 and the system administrator allocates the remainder of images for the visual password.
Embodiments of the invention provide a particular security advantage when an arrangement 72, 74 of the interactive display elements on the display 14 is generated randomly. Examples of such a random display generation are shown in Figures 5a and 5b. Implementation of this optional feature may provide security against keylogger system monitoring programmes, as if such malware manages to capture a single set of operations of user action in selecting the images of the first subset of interactive display elements, the probability of that set of actions being required to be repeated is small and/or the mean time to repetition (i.e. the statistical mean of the length of time required before the same arrangement of interactive display elements on the display 14 is repeated) of those acts is high. For instance, for a first log in attempt, the container 72 of Figure 5a is displayed and the user action to select the key images of the first subset of interactive display elements requires the user to select the interactive display elements 62 placed fourth, sixth, seventh, ninth and tenth in the displayed order reading left to right in Figure 5a. If the keylogger program manages to capture the set of user instructions which select these interactive display elements 62, this arrangement will not be repeated; the container of Figure 5b is presented at the next log in attempt (either to the user or to the phisher attempting to gain unauthorised access). As can be seen, the order of the arrangement of the interactive display elements in the container 74 on the display 14 has been changed through the random arrangement generation feature. If the phisher tries to repeat the previous log in sequence - i.e. by selecting the images presented fourth, sixth, seventh, ninth and tenth in the container of Figure 5b - the phisher will not be able to obtain access, as repetition of that sequence will only result in selection of one or more of the second set of interactive display elements 64 that are not in the subset of key images for that user. This embodiment provides particularly secure access control if implemented in conjunction with the optional feature that interactive display elements comprising key images must be selected according to a predetermined sequence, as described above in relation to Figure 4.
Presentation to the user of the container of images 80 may be implemented in, for example, a Java applet or ActiveX object. In an alternative embodiment of the invention, implemented on a browser-based application when Java/ActiveX is not used, additional security may be implemented where each of the interactive display elements comprises an object having an object name. Each time an arrangement of interactive display elements is generated for presentation to the user, whether transmitted from the server or generated locally at the user equipment, the object name for each object in the container is generated randomly; that is, the object is given a new name. This additional level of security is to attempt to prevent guessing of the password by HTML source code analysers/sniffer programmes. As such, activity loggers will be unable to monitor a repeating pattern in activity and be unable to obtain unauthorised access.
Figure 6 illustrates an interactive environment presented to a user for enrolment for use of embodiments of the present invention. A repository 80 with a plurality of images stored at the server is presented to the user. This common image repository is illustrated in Figure 6a and comprises a plurality of interactive display element/images 82 for selection by the user for inclusion in the container 96 (see Figure 6b). Embodiments of the invention allow the user to "drag and drop" images 82 from the repository 80 for use as images on interactive display elements in the container 96. The container 96 presents the set of interactive display elements to the user for each log in attempt. In Figure 6a, the user has the option of viewing more images in the repository of images by use of the scroll bar 84. This embodiment of the invention presents to the user the option of specifying images at the user equipment 12 to form the container 96 presented at each log in attempt. A window 86 is presented to the user with a field 88 for entry of the file name of an image which the user wants to be included in the container 96 and to be superimposed upon an interactive display element. Alternatively, the user may browse the user's equipment 12 storage device (not shown) for a suitable image file by clicking "Browse" button 90. When the user has specified the images he or she wishes to use as images in the container, the user selects the "Add files" button 92 to add these to the container 96. In embodiments of the invention, the specified images for use in the container are uploaded to the server of Figure 1. The container 96 then comprises the plurality of interactive display elements. The user then defines which of the images from the container are to be the key interactive display elements of the visual password which must be selected for successful log in.
In embodiments of the invention, the user is also presented with the option to specify the number of images/interactive display elements in the container and/or the number of key images required to make up the visual password. Embodiments of the invention allow the size of the container and the number of key images to be specified by the system administrator. Generally speaking, the more images in the container and the visual password, the higher the level of security. As such, the system administrator specifies minimum and maximum numbers for both the size of the container and the size of the visual password in embodiments. Embodiments of the invention also allow the number of key images to be specified automatically as a percentage of the total number of images in the container. Other embodiments of the invention allow for the specification of the container size and visual password length to be fixed.
Too many images in the visual password container 96 may make the visual password cumbersome and not particularly user-friendly. Therefore, setting a minimum and maximum number of images may avoid such circumstances and makes the visual password dynamic. Different users can specify different lengths for the visual password containers.
During the enrolment process, the user can invoke the optional feature whereby the selection of the key images must be made in order, that is, according to a predetermined sequence. During subsequent log in attempts, the selection of the images must be made in precisely the correct order for the user to be granted access, as described above. When this option is not implemented at enrollment, subsequent selection of the interactive display elements comprising the key images in any order will be sufficient to allow access.
With reference to Figure 7, the sequence of events for implementation of an embodiment of the present invention will now be described. The process starts at step 100 and at step 102 the process determines whether the visual password (VisPass) module is enabled. If the module is not enabled, the user is simply granted access to the secure area as is conventional at step 104. At step 106, the software module 24 determines whether it is necessary to rebuild the VisPass container and if so, software module 24 executes steps 108 to 118 where, based on the retrieved VisPass container consisting of the key interactive display elements and non key interactive display elements, the VisPass container and VisPass (Visual Password) rebuilding process takes place. During the rebuilding process, the renaming of the display elements and building of visual password based on the renamed display elements also takes place. In detail, at step 108 software module 24 proceeds to retrieve the user display elements (key and non key elements) associated with the user VisPass container. After doing so, the process assigns a random name to the VisPass display elements (key and non key elements) as described above in relation to Figure 5 at step 110 and builds the VisPass container with the renamed display elements. At step 114, the software module 24 rebuilds the user visual password based on the renamed display elements to facilitate the comparison conducted at step 356 and 362 of Figure 10. The new container and visual password are stored in memory at step 116, and a Rebuild VisPass container flag is set to false at step 118 and the process proceeds to step 122. The Rebuild VisPass Container flag will be set to true only upon successful login. This is to stop an intruder from obtaining multiple versions of the VisPass key elements names by refreshing the browser or from other methods that may allow the intruder to build statistical tables.
When it is determined at step 106 that the VisPass container is not to be rebuilt, the last built container for the user is retrieved at step 120. An arrangement of the interactive display element/images is then randomly generated at step 122 by shuffling the container to arrange the presentation of interactive display elements. The randomly-generated arrangement of images is then presented to the user on display 14 at step 124. In the first pass of the process, the module simply passes through step 126 which monitors for the user having completed entry/selection of the visual password. The process then waits for the user to mark an image at steps 128, 130. The process checks whether the selected image has already been marked at step 132 and, upon determination that the element has not been marked, the marked element is added to the marked element list at step 134 and, optionally, the element is highlighted on the display screen 14 at step 136. The process then feeds back to step 126 to determine whether the user has indicated the completion of entry of the visual password. This indication may be made by selection of a Submit button displayed to the user on the display 14.
Returning to step 132, if the display element has already been marked, the marked element is removed from the marked element list at step 138 and the highlight, if made to the marked element at step 136, is then removed at step 140. The user is then referred back to step 126. When the user has selected all the display elements from the visual password, the user indicates completion. Upon determination of this at step 126, the software module proceeds to step 142 where the last built (step 114, 116) visual password (set of key display elements) is retrieved. At step 144, the software module 24 determines whether the optional feature of sequential image selection has been invoked. If the option has been invoked, the software module 24 checks at step 146 whether the selection of the key display elements of the visual password was made in the correct pre-determined sequence. If it has been determined that the selection is made in the correct sequence, the Rebuild VisPass Container flag is set to "true" at step 147 and the user is granted access at step 148. If the display elements were selected in an incorrect sequence, the user is referred to process step 154 where the software module determines whether the maximum number of log in attempts has been exhausted. If not, the Rebuild VisPass Container flag is set to "false" at step 155 and the process indicates failure on the display screen 14 to the user and prompts the user to retry at step 156 before returning to step 106. Back at step 154, if the software module determines the maximum number of tries has been exceeded, the user is denied access at step 158. Optionally, the user account will be locked and user will have to contact his/her system administrator to unlock the account.
Referring back to step 144, if the software module determines that the interactive display element need not be marked in the order of the predetermined sequence, the module checks at step 150 whether the selected display elements match the stored key display elements in the VisPass. If the user has correctly entered the visual password, the Rebuild VisPass Container flag is set to "true" at step 151 and the user is granted access at step 152. If the password has been entered incorrectly, the software module determines whether the maximum number of log in attempts has been exhausted at step 160 and, if not, indicates failure on the display 14 and prompts the user for a retry at step 162. The Rebuild VisPass Container flag is set to "false" at step 163, before referring the user back to step 154. Back at step 160, if the maximum number of log in attempts is determined to have been exhausted, the user is denied access at step 164.
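The log in flow of Figure 7, together with the random arrangement and random object naming described for Figures 5a and 5b, can be sketched as follows. This is an added example, not code from the patent or the applicant: `VisPassSession`, `user_marks` and `position_replay_probability` are hypothetical names, the image labels are constructed sample data, and the client is assumed to submit the object names of the marked elements. It goes slightly beyond the text by computing the chance that replayed screen positions still select the key elements after a uniform reshuffle.

```python
import hmac
import math
import secrets
from fractions import Fraction


class VisPassSession:
    """Server-side login state for one user (class and field names are hypothetical)."""

    def __init__(self, key_images, other_images, ordered=False, max_attempts=3):
        self.key_images = list(key_images)   # key elements, in enrolled order
        self.images = self.key_images + list(other_images)
        self.ordered = ordered               # optional sequential-selection feature
        self.max_attempts = max_attempts
        self.failures = 0
        self.rebuild = True                  # the "Rebuild VisPass Container" flag
        self.names = {}                      # image -> random object name
        self._rng = secrets.SystemRandom()

    def locked(self):
        return self.failures >= self.max_attempts

    def present(self):
        """Steps 106-124: rename only when flagged, shuffle on every presentation."""
        if self.locked():
            raise PermissionError("maximum number of log in attempts exhausted")
        if self.rebuild:
            # 64-bit random names: a collision between two elements is negligible
            self.names = {img: secrets.token_hex(8) for img in self.images}
            self.rebuild = False
        layout = [(self.names[img], img) for img in self.images]
        self._rng.shuffle(layout)
        return layout                        # (object name, image) in display order

    def submit(self, marked_names):
        """Steps 142-164: compare the marked elements with the rebuilt visual password."""
        if self.locked() or not self.names:
            return False
        expected = [self.names[img] for img in self.key_images]
        marked = [str(n) for n in marked_names]
        if not self.ordered:                 # any order is accepted
            expected, marked = sorted(expected), sorted(marked)
        ok = len(marked) == len(expected) and all(
            hmac.compare_digest(m.encode(), e.encode())
            for m, e in zip(marked, expected))
        if ok:
            self.failures = 0
            self.rebuild = True              # new names only after a successful log in
        else:
            self.failures += 1
            self.rebuild = False             # a refresh or retry reuses the same names
        return ok


def user_marks(layout, images):
    """The genuine user finds images by sight, wherever they were placed."""
    by_image = {img: name for name, img in layout}
    return [by_image[img] for img in images]


def position_replay_probability(n, k, ordered):
    """Chance that k captured screen positions still select the key elements
    after a uniform reshuffle of an n-element container."""
    return Fraction(1, math.perm(n, k) if ordered else math.comb(n, k))


def demo():
    keys = ["cat", "kite", "lamp", "rose", "ship"]      # constructed sample data
    others = ["ant", "bell", "drum", "fork", "moon"]
    s = VisPassSession(keys, others, ordered=True)
    result = {}

    first = s.present()
    captured = user_marks(first, keys)       # what an activity logger would record
    result["first_login"] = s.submit(captured)

    second = s.present()                     # rebuilt: every object has a new name
    result["names_changed_after_success"] = not (
        {n for n, _ in first} & {n for n, _ in second})
    result["name_replay"] = s.submit(captured)

    refreshed = s.present()                  # after a failure: same names, new order
    result["names_stable_on_refresh"] = (
        {n for n, _ in second} == {n for n, _ in refreshed})
    result["wrong_order"] = s.submit(user_marks(refreshed, keys[::-1]))
    result["legit_relogin"] = s.submit(user_marks(refreshed, keys))
    return result


if __name__ == "__main__":
    for check, value in demo().items():
        print(f"{check}: {value}")
    print("position replay, unordered:", position_replay_probability(10, 5, False))
    print("position replay, ordered:  ", position_replay_probability(10, 5, True))
```

For a ten-element container with five key images, the replay chance is 1/252 without the sequence option and 1/30240 with it, which is why the text recommends combining the random arrangement with sequential selection.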
Referring now to Figure 8, the VisPass enrolment process is described. The process commences at step 200. At step 202, the VisPass enrolment process is initialised and display elements from the repository are initialized and displayed at step 204. At step 206, an empty VisPass container (i.e. the container 96 of Figure 6b) is initialized. Then at step 208 the software module 24 initializes the VisPass Key Container. At step 210, the software module checks whether the user has indicated completion and if so, the process proceeds to Figure 8b through steps 212, 250 as shown in Figure 8b and as discussed below. If the user has not yet indicated completion of the enrolment process, the process moves to step 214 when the user is prompted to add display elements from the personal library by means of display 86 - see Figure 6a. If the user wishes to add an image from his personal library, the process proceeds to the thread beginning with step 216 and checks whether the maximum number of personal images has already been exceeded. If the maximum number of total images has not been exhausted at step 218, the user is prompted to provide a display element at step 220 by, for example, entering/selecting the relevant information from fields 88 and 90 of Figure 6a. At step 224, the process receives and resizes the user-selected image to an allowed size for inclusion in the container and presentation to the user. The image is stored in the VisPass container at step 226 and the VisPass container 96 of Figure 6b is refreshed to show the selected image at step 228. (As mentioned above, the user may also "drag and drop" images into the container.) At this point, the process works back to step 214 to await selection of another display element from the personal library.
If the maximum number of personal display elements has been determined to be exhausted at step 216, the process displays an error message to the user at step 230, before looping back to wait for the user to select a display element image from the repository at step 234.
If the user does not wish to add another image from his/her personal library for inclusion as an interactive display element at this point, the process waits at step 234, 236 for selection by the user of an image from the repository 80 of Figure 6b. Upon determination that the user has selected an image at 236, the process checks as to whether the maximum allowed images has been exhausted at step 238. If the answer to this is yes, the process then displays an error message at step 246. If the answer is no, the process then determines whether the display element already exists in the container at step 239. If the display element does not already exist, it is stored in the VisPass container at step 240 before refreshing the VisPass container display at step 242 before looping back to step 210. Upon determination that the user has completed the selection of images of the container, the process is passed to step 252 of Figure 8b where the user is prompted to create the VisPass (i.e. mark display elements as his/her key elements). The process then loops around step 254, 256 until the user selects a display element to be added to the subset of key display elements. Upon determination at step 256 that the user has selected a display element, the process checks at 258 as to whether the maximum number of allowed display elements has been exhausted. If this is the case, an error message is displayed on display 14 at step 262 and the process passes immediately to step 264. If the maximum allowed display elements has not yet been exhausted, the process determines at step 259 whether the selected element has already been placed in the VisPass and, if so, the process displays an error message at step 263 and passes straight to step 264. If not, the selected display element is inserted into the VisPass at step 260 before proceeding to step 264.
At step 264, the process determines whether the user has completed the selection of key display elements for the visual password. When this is completed, the user is prompted to invoke the optional feature that the selected key display elements must be selected according to the pre-determined order at step 266 and step 268. If this feature is not invoked, then the process sets a flag to false at step 272 and VisPass is enabled at 274. If this feature is enabled at step 268, the flag is set to true at step 270 and VisPass is enabled at 274 before the process ends at 276.
A technique providing further enhanced security features will now be described in relation to Figures 9, 10 and 11. Referring to Figure 9, a repository 400 of images which the user may select as interactive display elements of the container as described above is shown. The user is also able to add images from his/her personal library from window 402, as described above in relation to Figure 6. A base container 404 is made up from images from one or both of sources 400, 402 as indicated by arrows 406 and 408. The base container 404 can be seen to be made up from two sub-containers: a fixed container 410 and a dynamic container 412. The interactive display elements 411 of the fixed container 410 will always appear in the base container 404 presented to the user for login. The interactive display elements 413 of the dynamic container 412 are selected according to a dynamic mechanism for presentation to the user as will be discussed further below. The images of the base container 404 are made up from the fixed element 410 and the dynamic element 412 as illustrated by arrows 414 and 416. The visual password 418 comprises key interactive elements from the fixed container 410 and the dynamic container 412 as illustrated by arrows 420 and 422. The embodiment of Figure 9 seeks to prevent another common problem which besets secure login facilities: the problem of the user inadvertently divulging the user ID, password and/or PIN to a person in his/her proximity observing them undergo the login process. Such an individual may be able to memorise the information the user uses to log in, recording it for their own unauthorised use. Another scenario is that the user enters his/her login details in the presence of someone whom the user trusts and that trusted person may later seek to abuse that trust by using the user's login credentials without the user's consent.
In one embodiment, at least one of the key interactive display elements 413 of the dynamic container 412 changes for presentation to the user at each log in attempt. As such, the user will be required to select a slightly different visual password at each attempt. With this embodiment, the user is required only to mark/select the key interactive display elements presented to him/her for that particular log in attempt. For example, the interactive display elements appearing in the visual password 418 of Figure 9a denoted by arrows 422 are presented at this log in attempt. At the next login attempt, for example, one or more of the interactive display elements 417 of the dynamic container 412 may be presented to the user. Of course, depending on the particular dynamic mechanism for selecting the dynamic interactive display elements for display in the container, a mixture of the elements 415 and 417 may be presented. In one embodiment, the dynamic interactive display elements selected for display in a container are chosen on a random basis; that is, the dynamic mechanism for selecting interactive display elements from the dynamic container selects the display elements on a random basis. In one embodiment the dynamic mechanism for selecting the dynamic interactive display elements selects them on a rotating basis; that is, the order of the dynamic interactive display elements for selection is chosen according to a predefined order. Of course, a mixture of these two techniques may also be applied. Where an unauthorised user has seen and copied the authorised user's visual password, the unauthorised user has seen and copied only a partial visual password; he/she has not copied down all the elements 415 or 417 of the visual password. At the next login attempt (by either the authorised or unauthorised user), the base container 404 presented to the user will contain a slightly different visual password 418.
In one embodiment, at least one of the non-key interactive display elements of the dynamic container 452 changes. If only key interactive display elements change, and the unauthorised user has knowledge of the manner in which the system works and has copied the user's previous visual password, then he/she may be able to log in with multiple tries.
If the rule where at least one non-key display element changes is applied then the unauthorised user knows that not all dynamic elements are key elements. Therefore, he/she will need more tries before entering the correct visual password. By then the user account will likely be locked for multiple failed login attempts.
In one embodiment, if the unauthorised user tries and fails to log in, the base container 404 previously presented to the unauthorised user for the failed log in attempt is re-presented to that user, thereby removing the chance that, if the dynamic elements were re-rotated or randomly re-generated after the failed login attempt, the user will not be presented with that container which he/she copied and will not be able to log in using that information. The dynamic mechanism can be configured to ensure a minimum number of container generation operations before a particular configuration of the container is repeated.
Now that the login process has been described, the manner of building the dynamic visual password and dynamic container is described in relation to Figure 9b. The base container 464 is again made up of a fixed container 450 containing interactive display elements 454 and a dynamic container 452 containing interactive display elements 456, 458. All of the interactive display elements 454 of the fixed element 450 go towards making up the base container 464 presented to the user along with a selection of interactive display elements 456, 458 from the dynamic container 452 selected as described above. This is illustrated by the arrows 460, 462. The base container 464 presented to the user is as shown, and the visual password key elements are grouped together as shown at 466. The visual password comprises dynamic interactive display elements 468 from the dynamic container 452 and interactive display elements 470 from the fixed container 450. An example of a dynamically built visual password container is shown at 472. This container 472 contains only one key dynamic interactive display element 468a as shown and the remainder of the container is made up of non-dynamic key interactive elements and non-key interactive display elements (both dynamic and non-dynamic elements). A further example of a container 474 shows that the dynamically built visual password container 474 as presented to the user at the next login attempt contains two dynamic key interactive display elements 468b. As such, the visual password which would be required to be selected by the user at this login attempt is slightly different from a previous attempt.
So as can be seen, unlike the embodiment of Figure 2, the visual password of the embodiment of Figure 9 has three subsets of display element containers: the base container which is made up of the fixed container 450 (all elements from this container are displayed in the base container at all log in attempts) and the one or more elements of the dynamic container (both key and non-key elements) which will change according to the dynamic mechanism.
The underlying mechanism for building the visual password container also allows setting of the minimum and maximum sizes of the visual password container, the fixed container, the dynamic container and the visual password (the number of key interactive display elements). In one example of this feature, a user has added 14 elements into the base container from the image repository and/or the user's personal library. The fixed container has eight of these interactive display elements from the base container and the dynamic container makes up the remaining six elements of the base container. The user specifies that the visual password will comprise seven interactive display elements and that four of these are from the fixed container with the other three coming from the dynamic container. In this embodiment, if the visual password is to contain at least one key element from the dynamic container then a minimum selection requirement for the user to gain access will be to select correctly at least five interactive display elements from the base container presented to him/her. This is made up from four key elements from the fixed container and at least one key element from the dynamic container. Obviously, the number of key elements which may be required to be selected will vary depending on the actual selection of key dynamic interactive display elements from the dynamic container.
In another example, a system administrator specifies that the visual password container is to contain 11 elements. Therefore, whenever the visual password is being built it will contain all eight fixed elements and any three out of six dynamic elements. The system administrator can further specify how many of the three dynamic elements should be key elements. This means that a minimum and maximum number of key elements that should be chosen from the three dynamic elements will be presented together with the fixed elements to the user and the visual password container. If the minimum number of key elements allowed from the dynamic container is one and the maximum is two, the visual password container will have, at any given time, a minimum of five key elements out of 11 display elements and a maximum of six key elements out of the 11 display elements. A summary of the position of this example is set out below:
• A visual password container size is 11 display elements
• The visual password base container size is 14 display elements
• The visual password fixed container size is eight display elements
• The visual password dynamic container size is six display elements
• The maximum key element in the fixed container is four key elements
• The maximum key element in the dynamic container is three key elements
• The minimum key elements in the visual password container is five key elements (made up from four fixed elements and one dynamic element)
• The maximum key elements in the visual password container is six key elements (made up from four fixed elements and two dynamic elements).
A flow diagram illustrating the visual password login process is now described in relation to Figure 10. Method steps 300 to 306 are the same as those set out in relation to Figure 7 described above. After determining that the visual password container must be rebuilt at step 306, the User Fixed Display Elements are retrieved at step 308, following which the User Fixed Dynamic Display Elements are retrieved at step 310. The process then selects N dynamic display elements consisting of at least N key elements at step 312. Decision step 314 determines whether the set of N key elements exists in the Last Shown List, which allows a check to determine whether the chosen key elements for display to the user are the same as were chosen for the previous log in attempt. If this is the case, the process works back to step 312 and the random generation of at least one dynamic key interactive display element is re-done. If the dynamic elements chosen are not the same, the Last Shown List is updated at step 316 with the newly-selected interactive display elements and the visual password container is built with the fixed display elements and the randomly selected N dynamic display elements at step 318. At step 320, random object names are assigned to the visual password display elements, before the user visual password (key elements with newly-named display elements) is built at step 322. The newly-built visual password container and visual password are then stored at step 324 before the Rebuild Visual Password Container flag is set to "false" and the process continues to step 330. The remainder of the method steps 330 to 378 follow the method steps 122 to 158 of Figure 7 as described above.
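The following Python sketch is an added illustration, not code from the patent: it builds the container of Figure 10 with the sizes of the administrator example (eight fixed elements, three of six dynamic elements shown, one or two dynamic key elements), keeps a Last Shown List, and presents the same container again after a failed attempt. The class and attribute names, the `min_gap` parameter, the constructed element names and the choice to rebuild after a successful login are assumptions.

```python
import secrets
from itertools import combinations

_rng = secrets.SystemRandom()  # OS CSPRNG, so the dynamic selection is not predictable

# Constructed enrolment matching the worked example: 8 fixed + 6 dynamic elements,
# with 4 key elements in the fixed container and 3 in the dynamic container.
FIXED = [f"fixed{i}" for i in range(8)]
DYNAMIC = [f"dyn{i}" for i in range(6)]
KEYS = frozenset({"fixed0", "fixed1", "fixed2", "fixed3", "dyn0", "dyn1", "dyn2"})


class VisPassLogin:
    """Hypothetical server-side state for one user (names are not from the patent)."""

    def __init__(self, fixed, dynamic, keys, n_dynamic=3, min_keys=1, max_keys=2, min_gap=2):
        self.fixed, self.keys = list(fixed), frozenset(keys)
        # Every admissible choice of n_dynamic elements: key count within the set bounds.
        self.candidates = [frozenset(c) for c in combinations(dynamic, n_dynamic)
                           if min_keys <= len(self.keys & set(c)) <= max_keys]
        self.min_gap = min_gap       # builds that must pass before a key set may repeat
        self.last_shown = []         # "Last Shown List" of recent dynamic key sets
        self.rebuild = True          # "Rebuild Visual Password Container" flag
        self.names = {}              # random object name -> display element
        self.expected = frozenset()  # object names of the key elements now on screen

    def container(self):
        """Return the object names to present, rebuilding only when the flag is set."""
        if self.rebuild:
            recent = set(self.last_shown[-self.min_gap:]) if self.min_gap else set()
            # Filtering replaces the re-draw loop of steps 312-314 and always terminates.
            fresh = [c for c in self.candidates if (c & self.keys) not in recent]
            if not fresh:
                raise ValueError("min_gap exceeds the number of distinct dynamic key sets")
            chosen = _rng.choice(fresh)
            self.last_shown = (self.last_shown + [chosen & self.keys])[-max(self.min_gap, 1):]
            shown = self.fixed + sorted(chosen)
            _rng.shuffle(shown)
            # Step 320: fresh random object names, so names captured earlier are useless.
            self.names = {secrets.token_hex(8): element for element in shown}
            self.expected = frozenset(n for n, e in self.names.items() if e in self.keys)
            self.rebuild = False
        return list(self.names)

    def attempt(self, selected_names):
        """Check one login attempt (unordered selection of object names)."""
        if not self.expected:        # no container has been presented yet
            return False
        ok = frozenset(selected_names) == self.expected
        # Assumption: rebuild after a success. After a failure the same container is
        # presented again, so retrying cannot reshuffle towards a copied password.
        self.rebuild = ok
        return ok
```

With these sizes there are 18 admissible dynamic selections but only six distinct dynamic key sets, so `min_gap` must stay below six or the build has nothing fresh to choose.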
The visual password enrolment process for the dynamic visual password embodiment is described in relation to Figure 11. Steps 400 to 450 of Figure 11a follow the method steps 200 to 246 of Figure 8a. Turning then to Figure 11b, the user is prompted to add display elements from the visual password base container to the visual password fixed display element container at step 472. The process loops around steps 474, 476 to wait for the user to make a selection of a display element to be added to the visual password fixed container before checking at step 478 if the display element already exists in that container. If it is found that the element already exists there, the process displays an error message 479 and refers the user back to step 474. If it does not already exist in the container, the process proceeds to step 480 where it determines whether the maximum number of allowed display elements in the visual password fixed container is exhausted. If yes, an error message is displayed at step 481 before the process passes immediately to step 488. If the maximum number is not exhausted, decision step 482 determines whether the selected element is a repository display element and, if it is a repository display element, the process checks at 491 whether the maximum number of repository elements is exhausted and accordingly displays an error message at step 492 before passing directly to method step 488, or proceeds to method step 486 to add the repository image to the fixed container. If the image is not a repository display element, it is a display element chosen by the user and a similar check is made to determine whether the maximum number of personal display elements has been exhausted. Accordingly, upon such determination, the process displays an error message before passing the user directly to process step 488.
If the maximum number of personal display elements has not been exhausted, the selected display element is added to the visual password fixed display element container at step 486. The process checks to determine whether the user has indicated completion at method step 488. If the answer is yes, the process passes to step 502 via method steps 490 and 500 and if not, the process waits for the user to make another selection in step 474.
Referring now to Figure 11c, the user is prompted to add display elements from the visual password base container to the visual password dynamic display element container at step 502. The process waits at steps 504 and 506 for the user to make a selection and upon detection of such selection the process determines whether the maximum number of allowed display elements in the visual password dynamic container has been exhausted at step 508. If the maximum number has been exhausted, the process displays an error message at step 510 before passing directly to process step 522. Through steps 512, 514, 516, 518 and 520, the process adds the selected display element into the visual password dynamic container at step 520 or displays an appropriate error message and passes directly to step 522 where a check for user completion is made. If the user has not yet completed the process, the process refers back to step 504 to wait for another selection from the user. If the user has indicated completion of the process of Figure 11c, the process then proceeds to steps 530, 532 of Figure 11d.
At step 532, the user is prompted to create a visual password by marking display elements as key elements. At step 534, the process waits for the user to make a selection before checking at step 536 whether the user selected a display element from the visual password fixed container. If the element was selected from this container, a further check is carried out at step 538 to determine whether the maximum allowable number of these elements has been exhausted. A further check is carried out to determine whether the same element exists already in the visual password at step 542 and, if not, the selected display element is added into the visual password at step 544. If appropriate, the process displays error messages at process steps 540 and 546 and passes directly to step 548. Referring back to process step 536, if the selected display element is not from the visual password fixed container, a check is made to determine whether the maximum allowable number of key elements from a visual password dynamic container has been exhausted at process step 550. If not, a further check to determine whether the same element already exists in the visual password is made at 522. If not, the selected display element is added into the visual password at step 544. This thread of the process displays appropriate error messages at step 554 or 556 before passing directly to step 548. Upon determination that the user has completed the sub-process of Figure 11d, the process passes to step 572 of Figure 11e or, otherwise, passes back to process step 534 to wait for another user selection.
With reference now to Figure 11e, the user is prompted to enable the optional feature of sequential selection of display elements during authentication at process step 572. If it is confirmed at step 572 that the user has enabled this feature, the Set Sequential Selection flag is set to "true" at step 576 before the visual password is enabled at step 580. If the user does not wish to enable this feature, the Set Sequential Selection flag is set to "false" at step 578. After enabling of the visual password at step 580, the process ends at step 582.
It will be appreciated that the techniques disclosed herein have broad application and are not limited to the field of online access control. For example, the techniques have application in fields as diverse as door-access control and server security.
|Cited Patent||Filing date||Publication date||Applicant||Title|
|EP0947908A2 *||23 Mar 1999||6 Oct 1999||Fujitsu Limited||Electronic information management|
|US20010044906 *||21 Apr 1998||22 Nov 2001||Dimitri Kanevsky||Random visual patterns used to obtain secured access|
|US20030093699 *||15 Nov 2001||15 May 2003||International Business Machines Corporation||Graphical passwords for use in a data processing network|
|US20050240987 *||21 Jun 2005||27 Oct 2005||Akira Taguchi||Password generation and verification system and method therefor|
|1||*||DUNCAN M. ET AL.: 'Visual Security for Wireless Handheld Devices', [Online] May 2004, XP003014545 Retrieved from the Internet: <URL:http://www.bama.ua.edu/~joshua/archive/may04/Duncan%20et%20al.pdf>|
|2||*||JANSEN W. ET AL.: 'Picture Password: A Visual Login Technique for Mobile Devices', [Online] July 2003, XP008073304 Retrieved from the Internet: <URL:http://csrc.nist.gov/publications/nistir-7030.pdf>|
|3||*||'PassfacesTM for Windows Administration Guide Release 0.9' REAL USER, [Online] September 2002, XP003014546 Retrieved from the Internet: <URL:http://web.archive.org/web/20050316151106/www.realuser.com/publisher/PassfacesforWindowsAdminGuide.pdf>|
|Citing Patent||Filing date||Publication date||Applicant||Title|
|WO2009042392A3 *||9 Sep 2008||27 Aug 2009||Apple Inc.||Embedded authentication systems in an electronic device|
|WO2009121437A1 *||15 Dec 2008||8 Oct 2009||Albert Josef Zeier||Dynamic authentication method|
|WO2012022856A1 *||28 Jul 2011||23 Feb 2012||Colette Azulay-Roger||Method of authenticating a user of the internet network|
|US8782775||9 Sep 2008||15 Jul 2014||Apple Inc.||Embedded authentication systems in an electronic device|
|US8799809||25 Sep 2008||5 Aug 2014||United Services Automobile Association (Usaa)||Systems and methods for key logger prevention security techniques|
|US8943580||9 Sep 2008||27 Jan 2015||Apple Inc.||Embedded authentication systems in an electronic device|
|US9038167||27 Dec 2013||19 May 2015||Apple Inc.||Embedded authentication systems in an electronic device|
|US9128601||18 Mar 2015||8 Sep 2015||Apple Inc.||Embedded authentication systems in an electronic device|
|US9134896||27 Dec 2013||15 Sep 2015||Apple Inc.||Embedded authentication systems in an electronic device|
|US9250795||27 Dec 2013||2 Feb 2016||Apple Inc.||Embedded authentication systems in an electronic device|
|US9274647||1 Oct 2015||1 Mar 2016||Apple Inc.||Embedded authentication systems in an electronic device|
|US9304624||5 Sep 2014||5 Apr 2016||Apple Inc.||Embedded authentication systems in an electronic device|
|US9329771||20 Jun 2014||3 May 2016||Apple Inc||Embedded authentication systems in an electronic device|
|US9342674||5 Mar 2015||17 May 2016||Apple Inc.||Man-machine interface for controlling access to electronic devices|
|US9495531||5 Feb 2016||15 Nov 2016||Apple Inc.||Embedded authentication systems in an electronic device|
|US9519771||27 Dec 2013||13 Dec 2016||Apple Inc.||Embedded authentication systems in an electronic device|
|19 Sep 2007||121||Ep: the epo has been informed by wipo that ep was designated in this application|
|6 Dec 2007||DPE1||Request for preliminary examination filed after expiration of 19th month from priority date (pct application filed from 20040101)|
|13 Jun 2008||NENP||Non-entry into the national phase in: Ref country code: DE|
|21 Jan 2009||122||Ep: pct app. not ent. europ. phase. Ref document number: 06835980; Country of ref document: EP; Kind code of ref document: A1|
|14 Mar 2013||DPE1||Request for preliminary examination filed after expiration of 19th month from priority date (pct application filed from 20040101)|