WO2012152995A1 - Method and apparatus for navigation-based authentication - Google Patents


Info

Publication number
WO2012152995A1
Authority
WO
WIPO (PCT)
Prior art keywords
user
information
combination
inputs
authentication
Application number
PCT/FI2012/050433
Other languages
French (fr)
Inventor
Dhaval Jitendra Joshi
Vijay Narayanan-Saroja
Ari Aarnio
Original Assignee
Nokia Corporation

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/36 User authentication by graphic or iconic representation
    • G06F21/316 User authentication by observing the pattern of computer usage, e.g. typical user behaviour
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04M TELEPHONIC COMMUNICATION
    • H04M1/00 Substation equipment, e.g. for use by subscribers
    • H04M1/66 Substation equipment, e.g. for use by subscribers with means for preventing unauthorised or fraudulent calling
    • H04M1/667 Preventing unauthorised calls from a telephone set
    • H04M1/67 Preventing unauthorised calls from a telephone set by electronic means
    • H04M1/673 Preventing unauthorised calls from a telephone set by electronic means the user being required to key in a code

Definitions

  • Service providers and device manufacturers are continually challenged to deliver value and convenience to consumers by, for example, providing compelling network services.
  • User devices, applications and consumer network services require user authentication before granting access to the user device, content and services. For example, a user is prompted to fill in a username, a password and possibly other information on a dedicated authentication user interface in an authentication application.
  • A user may need to complete such a process in a public space (e.g., a shopping store, bus station, restaurant, etc.), which can expose the authentication information (e.g., user name, user account, user password, etc.) to others in close proximity or to those actively seeking to capture that information.
  • A method comprises causing, at least in part, a capture of user interaction information with one or more applications associated with a device.
  • The method also comprises processing and/or facilitating a processing of the user interaction information with the one or more applications to generate one or more authentication credentials, wherein the authentication credentials are for accessing one or more services, one or more resources, one or more applications, or a combination thereof.
  • An apparatus comprises at least one processor and at least one memory including computer program code for one or more programs, the at least one memory and the computer program code configured to, with the at least one processor, cause, at least in part, a capture of user interaction information with one or more applications associated with a device.
  • The apparatus is further caused to process and/or facilitate a processing of the user interaction information with the one or more applications to generate one or more authentication credentials, wherein the authentication credentials are for accessing one or more services, one or more resources, one or more applications, or a combination thereof.
  • A computer-readable storage medium carries one or more sequences of one or more instructions which, when executed by one or more processors, cause, at least in part, an apparatus to cause, at least in part, a capture of user interaction information with one or more applications associated with a device.
  • The apparatus is further caused to process and/or facilitate a processing of the user interaction information with the one or more applications to generate one or more authentication credentials, wherein the authentication credentials are for accessing one or more services, one or more resources, one or more applications, or a combination thereof.
  • An apparatus comprises means for causing, at least in part, a capture of user interaction information with one or more applications associated with a device.
  • The apparatus also comprises means for processing and/or facilitating a processing of the user interaction information with the one or more applications to generate one or more authentication credentials, wherein the authentication credentials are for accessing one or more services, one or more applications, one or more resources, or a combination thereof.
  • A method comprises facilitating a processing of and/or processing (1) data and/or (2) information and/or (3) at least one signal, the (1) data and/or (2) information and/or (3) at least one signal based, at least in part, on (including derived at least in part from) any one or any combination of methods (or processes) disclosed in this application as relevant to any embodiment of the invention.
  • A method comprises facilitating access to at least one interface configured to allow access to at least one service, the at least one service configured to perform any one or any combination of network or service provider methods (or processes) disclosed in this application.
  • A method comprises facilitating creating and/or facilitating modifying (1) at least one device user interface element and/or (2) at least one device user interface functionality, the (1) at least one device user interface element and/or (2) at least one device user interface functionality based, at least in part, on data and/or information resulting from one or any combination of methods or processes disclosed in this application as relevant to any embodiment of the invention, and/or at least one signal resulting from one or any combination of methods (or processes) disclosed in this application as relevant to any embodiment of the invention.
  • A method comprises creating and/or modifying (1) at least one device user interface element and/or (2) at least one device user interface functionality, the (1) at least one device user interface element and/or (2) at least one device user interface functionality based at least in part on data and/or information resulting from one or any combination of methods (or processes) disclosed in this application as relevant to any embodiment of the invention, and/or at least one signal resulting from one or any combination of methods (or processes) disclosed in this application as relevant to any embodiment of the invention.
  • The methods can be accomplished on the service provider side, on the mobile device side, or in any shared way between service provider and mobile device with actions performed on both sides.
  • FIG. 1 is a diagram of a system capable of navigation-based authentication, according to one embodiment.
  • FIG. 2 is a diagram of the components of user equipment capable of navigation-based authentication, according to one embodiment.
  • FIG. 3 is a diagram of the components of an authentication module, according to one embodiment.
  • FIGs. 4A-4C are flowcharts of processes for navigation-based authentication, according to one embodiment.
  • FIGs. 5A-5B are diagrams of user interfaces utilized in navigation-based authentication, according to various embodiments.
  • FIGs. 6A-6C are diagrams of user interfaces utilizing a map application in navigation-based authentication, according to various embodiments.
  • FIGs. 7A-7C are diagrams showing navigation-based authentication utilizing example routing mechanisms, according to various embodiments.
  • FIG. 8 is a diagram showing navigation-based authentication utilizing virtual routing, according to various embodiments.
  • FIG. 9 is a diagram of hardware that can be used to implement an embodiment of the invention.
  • FIG. 10 is a diagram of a chip set that can be used to implement an embodiment of the invention.
  • FIG. 11 is a diagram of a mobile terminal (e.g., handset) that can be used to implement an embodiment of the invention.
  • Authentication refers to a process of determining whether someone or something (e.g., a user-device) is, in fact, who or what it claims to be. Authentication is required to validate one or more unique pieces of information for a user (and/or a user-device) so that the user can be granted access to one or more protected resources. For example, in private and public computer networks (including the Internet), authentication is commonly done through the use of authentication credentials (e.g., logon user name, user account, user-device information, password, passcode, PIN number, user device identification number, serial number, etc.). Knowledge of the authentication credentials is assumed to assure that the user (and/or the user-device) is authentic.
  • Each user receives or creates authentication credentials (e.g., user name, account, password, etc.) and, on each subsequent access, the user must know and use the previously defined/accepted authentication credentials.
  • The weakness in the authentication process for significant transactions (e.g., banking).
  • Authentication processes require the input of one or more pieces of confidential and/or private information, which the users wish to keep from others by, at least, making it difficult for others (e.g., people nearby) to see and recognize.
  • Users need to present one or more authentication credentials in order to utilize and/or access different facilities, services, user devices and/or applications.
  • Because users may need to perform the authentication process in physical environments with limited or no privacy (e.g., public places), they can be exposed to various types of vulnerabilities such as over-the-shoulder and peripheral-presence attacks.
  • Because passwords usually are text based (e.g., alphanumeric characters, etc.), they can be easy for others to view and remember.
  • A password has limited effectiveness since the user's interaction with a keypad on a device can easily be viewed and reproduced.
  • A user may not be familiar with some aspects of an authentication process (e.g., passwords, PIN codes, account numbers, etc.).
  • Many users in emerging markets are not familiar and/or comfortable with the concept of a password, which may be new to them, although they may be familiar with the concept of an identification number, account number, etc.
  • Users can benefit from a more secure, discreet and user-friendly method for completing an authentication process and gaining access to a targeted facility, service, application, device and the like.
  • The system 100 of FIG. 1 introduces the capability for a navigation-based (e.g., user interface (UI), physical and/or virtual) authentication.
  • The authentication is based on a sequence of navigation movements or interactions at a device (e.g., selecting certain icons, application items such as contacts, etc.).
  • To authenticate, the user can repeat the sequence of navigation movements (e.g., moving within a UI and/or physically or virtually moving the device) at the device.
  • Such input can substitute for typing, e.g., a passcode or password at the device.
  • Authentication processes traditionally require a user to provide one or more pieces of user information (e.g., by typing or keying in a password) in order to become authenticated and gain access to restricted resources.
  • There can be issues when a user is trying to interface with an authentication process (e.g., privacy, familiarity with the process, etc.), which can create risks for the user and/or the targeted resource.
  • The various embodiments of the proposed solutions provide methods whereby navigation in a user interface of a user device (e.g., user interactions or movements in an operating system and/or application user interface), in the physical world (e.g., a user driving or walking on a certain path) and/or in a virtual environment (e.g., navigation in a map application on a user device) can be utilized, at least in part, for authenticating the user and/or the user device.
  • The system 100 processes the navigation movements and/or related information to generate credentials (e.g., a passcode) for authenticating the user or the user's device. It is contemplated that such navigation provides a less noticeable means for specifying authentication credentials, thereby reducing the risk that such credentials will be copied or observed by others.
  • The target application/service is not disclosed until the authentication (e.g., the sequence of navigation movements) has been completed, to further increase the difficulty for an intruder/attacker to observe the authentication credentials or the application/service for which the credentials are intended.
  • Although the various embodiments are discussed with respect to navigation-based authentication, it is contemplated that they are applicable to other forms of authentication such as context-based, location-based, user-device-orientation-based and the like.
  • The system 100 supports network operators, users, user devices and/or service platforms in authenticating users and user devices by utilizing navigation-based information in performing user and/or user device authentication.
  • A user navigates/moves through a user device's UI environment (e.g., selects and utilizes one or more applications, folders, display screens, lists, documents and the like) in a sequence.
  • For example, a user via a user device UI selects a drawing application, an email application, a document, an internet browser application, a phonebook and the like, in a particular sequence.
  • A user with a user device walks, drives or moves from one physical location to another utilizing one or more paths/routes under one or more conditions (e.g., speed, direction, time of day and the like), which the user device, the communication network and/or a services platform can track/log for further use in an authentication process.
  • For example, a user drives from home to the user's bank or office through a city using a particular route, speed, direction, etc.
  • A user can utilize one or more applications on a user device to track/move from one point to another.
  • For example, a user utilizes a map application and traces on a map (e.g., with a finger or a stylus) a path from a particular point to another (e.g., from the user's office to the user's bank).
  • FIG. 1 is a diagram of a system 100 capable of a navigation-based authentication process, according to one embodiment.
  • Many consumer devices, applications and/or services platforms 113a-113n (collectively referenced hereinafter as services platform 113) request user authentication for providing access to one or more, at least in part, restricted resources such as user devices, user specific applications, content and/or services.
  • A user is prompted to fill in a username, a password and possibly other information, together constituting user credentials, on some dedicated authentication user interface (UI) in authentication module 111 or one or more of applications 103 (e.g., browser, maps, etc.) on user equipment 101.
  • The authentication module 111 and/or applications 103 can cause, at least in part, a transformation of the information and/or submission of the information in a communication channel over the communication network 105, either directly or indirectly to one or more services platforms 113. Further, the authentication module 111 can verify the information against an authentication data store 121, such as a database. If successful, the authentication module 111, at least in part, causes user and/or user device access to UE 101 and/or one or more services platforms 113. In some embodiments, one or more functions of the authentication services 111 are accessed through the authentication module 111 and/or one or more UE 101 applications 103. The authentication module 111 can be implemented, partially or completely, in one or more services platforms 113, and/or in any other components accessible via the communication network 105.
  • The authentication module 111 and/or one or more other UE 101 applications and/or modules track and log a user's navigation/actions on the UE 101 (e.g., via a user interface, map application, etc.) in order to utilize the logged information in determining one or more valid authentication credentials for the user.
  • A user navigates and selects (e.g., by touch or click) one or more icons/virtual items on a UE 101 UI, wherein the selections and the sequence of the selections are based on one or more predefined parameters, which were defined/accepted by the user, services platform 113, communication network 105 or a combination thereof.
  • For example, John wants to access his bank account at the services platform 113 while waiting in line at a supermarket and activates navigation-based authentication on his user device.
  • John's authentication is based on selecting four specific icons on his user device's UI in a particular sequence: John has to select/highlight the icons of four applications, email, camera, phonebook and web browser, in that order.
  • The authentication module 111 and/or one or more applications on the UE 101 log the navigation information. Further, the authentication module 111 compares the logged navigation information to predefined authentication information (e.g., at authentication data store 121) identified for accessing John's bank account information. If the logged information substantially matches the predefined information, then the authentication module 111 creates one or more authentication credentials which can be submitted to the services platform 113 and/or applications 103 (e.g., a banking application).
  • The user accesses the UI on the UE 101 and manipulates one or more characteristics of the UI, for example, moves/rearranges one or more icons in a predefined manner and sequence.
  • The user selects one or more icons/items in a list of icons/items, whereby the placement of the selected icons/items (e.g., first, second, fourth, etc.) signifies one or more characteristics which can be used by the authentication module 111 for determining the one or more authentication credentials.
  • One or more characters (e.g., alphabet letters) present in the name of an icon/item can be utilized by the authentication module 111.
  • For example, the first letter of the first icon, the second letter of the third icon, the third letter of the fourth icon and the like can be predefined as the information required by the authentication module 111.
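The icon-sequence scheme of the preceding items (logging John's four selections, comparing them with the predefined information in the authentication data store and, on a match, generating a credential from predefined letters of the icon names), as an added Python illustration that is not part of the patent or of Nokia's implementation. The record layout, the salted PBKDF2 storage of the enrolled sequence, and every name below are assumptions of this example.

```python
"""Navigation-based authentication from an icon-selection sequence (added example)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# (index of the icon in the sequence, index of the letter in that icon's name)
LetterPositions = list[tuple[int, int]]


@dataclass
class EnrolledRecord:
    """What the authentication data store holds for one protected resource (assumed layout).

    Only a salted, slow hash of the canonical sequence is kept, so a copied store
    does not reveal which icons to select or in what order.
    """
    salt: bytes
    digest: bytes
    positions: LetterPositions


def canonical(sequence: list[str]) -> bytes:
    # Normalise case and spacing so a logged "Web Browser" matches "web browser";
    # the separator keeps ["ab", "c"] distinct from ["a", "bc"].
    return "\x1f".join(name.strip().lower() for name in sequence).encode()


def slow_hash(data: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", data, salt, 100_000)


def derive_credential(sequence: list[str], positions: LetterPositions):
    """Pick the predefined letters out of the icon names; None if a position is out of range."""
    letters = []
    for icon_idx, letter_idx in positions:
        if icon_idx >= len(sequence):
            return None
        name = sequence[icon_idx].strip().lower()
        if letter_idx >= len(name):
            return None
        letters.append(name[letter_idx])
    return "".join(letters)


def enroll(sequence: list[str], positions: LetterPositions) -> EnrolledRecord:
    """Store the predefined sequence and which letters later form the credential."""
    if derive_credential(sequence, positions) is None:
        raise ValueError("letter positions do not fit the enrolled sequence")
    salt = secrets.token_bytes(16)
    return EnrolledRecord(salt, slow_hash(canonical(sequence), salt), positions)


def authenticate(logged_sequence: list[str], record: EnrolledRecord):
    """Compare the logged navigation with the enrolled record.

    Returns the generated credential on a match and None otherwise. The whole
    sequence is verified first: the extracted letters alone would accept any
    sequence whose icon names happen to share those characters.
    """
    candidate = slow_hash(canonical(logged_sequence), record.salt)
    if not hmac.compare_digest(candidate, record.digest):
        return None
    return derive_credential(logged_sequence, record.positions)


if __name__ == "__main__":
    # Constructed sample from the description: John's four icons in order.
    johns_sequence = ["email", "camera", "phonebook", "web browser"]
    positions = [(0, 0), (2, 1), (3, 2)]      # e, h, b
    record = enroll(johns_sequence, positions)
    print(authenticate(johns_sequence, record))                                    # ehb
    print(authenticate(["camera", "email", "phonebook", "web browser"], record))   # None
```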
  • The UE 101 and/or one or more applications/modules on the UE 101 can cause a request for a navigation-based authentication when the user attempts to access one or more restricted applications, a restricted area of the UE 101 and/or services at the services platform 113 or the communication network 105 which require authentication.
  • The authentication module 111 and/or one or more other UE 101 applications and/or modules track and log a user's physical navigation (e.g., via a location module, GPS, etc.) and one or more other characteristics (e.g., speed, direction, time of day, etc.) during the navigation in order to utilize the logged information in determining one or more valid authentication credentials for the user.
  • A user navigates from point A (e.g., the user's home) to point B (e.g., the user's bank) along a predefined path/route (e.g., in a city) at a given speed, direction and time of day, wherein the navigation information is logged and utilized by the authentication module 111.
  • A user may or may not have visited/travelled on particular routes/paths, but can be presented with a map application of one or more areas (e.g., close to home, hobby, work, etc.) familiar to the user.
  • The navigation-based authentication process requires the capture of navigation information for generating a password and/or validating a user, whereby the user is prompted to provide the information by utilizing a map application which is presented on the display of the UE 101.
  • The user selects/traces/highlights (e.g., by moving a finger on a touchscreen display, selecting places, moving a cursor, etc.) a route (e.g., along a street, a road, a path, etc.) shown on the map.
  • One or more line segments are shown on the display, and additionally, the selected route information is logged/recorded (e.g., by the data collection module 107) for further use by one or more applications/modules on the UE 101.
  • The moving of a finger need not be a continuous touch during the process of generating the password; the user is given the possibility to lift the finger for a moment to see whether to select, e.g., the next turn or to continue forward on the current path.
  • There are one or more limits on one or more characteristics of the path, e.g., turns, length, distance, selection of places on the path, time, etc.
  • The user is given a notice in the form of a progress bar to complete the password in a given amount of time.
  • The time and the strength of the password are shown in the same progress bar; for example, when the user has 20 s to complete the password, the color of the progress bar may change (e.g., from red to green) within 15 s (i.e., before expiration of the 20 s completion time) to indicate the strength of the password, whereby a more efficient use of the display area can be realized.
  • Indication of the allowed and/or remaining time and the strength of a password can be shown in one or more different ways (e.g., separately, combined with one or more other indicators/parameters, etc.).
  • A user may confirm a password when creating a new password or changing an old password.
  • A user, one or more applications or one or more services platforms can request and/or cause a change from a "number"-based password/passcode to a navigation-based/map-application-based password, or vice versa.
  • The UI of a user device may indicate the password setting by prompting the user to select whether to input the password from either the keyboard or the map application.
  • The service will present the user with the map application for entering the password if the user has set a password relating to the map application.
  • In a login process to a service, a user can enter the password in the form of the names of the POIs in the set password.
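The map-based scheme of the preceding items (a route traced on the map with a finger that may be lifted between segments, a 20 s completion window whose progress bar also shows password strength, limits on path characteristics such as turns and length, and comparison of the trace with the enrolled route), as an added Python illustration that is not part of the patent or of Nokia's implementation. The street grid, the node naming, the turn-count strength metric, the limit values and all names are assumptions of this example; the page itself does not define how strength is measured.

```python
"""Validating a route traced on a map for navigation-based authentication (added example)."""
import hashlib
import hmac
from dataclasses import dataclass

Node = tuple[int, int]               # an intersection on a constructed street grid


@dataclass(frozen=True)
class Limits:
    """Assumed limits on the traced path and on completion time."""
    max_seconds: float = 20.0        # completion window shown by the progress bar
    min_turns: int = 2               # fewest turns for which the bar turns fully green
    max_nodes: int = 40              # upper bound on path length


@dataclass
class TouchSegment:
    """One continuous finger-down stretch: visited nodes in order plus its end time."""
    nodes: list[Node]
    t_end: float                     # seconds since the password prompt appeared


def join_segments(segments: list[TouchSegment]) -> list[Node]:
    """Concatenate segments (the finger was lifted in between), dropping repeated nodes."""
    route: list[Node] = []
    for seg in segments:
        for node in seg.nodes:
            if not route or route[-1] != node:
                route.append(node)
    return route


def count_turns(route: list[Node]) -> int:
    """A turn is a change of heading between two consecutive moves along the route."""
    turns, prev = 0, None
    for a, b in zip(route, route[1:]):
        heading = (b[0] - a[0], b[1] - a[1])
        if prev is not None and heading != prev:
            turns += 1
        prev = heading
    return turns


def strength(route: list[Node], limits: Limits) -> float:
    """Score from 0.0 to 1.0 driving the bar colour (assumed metric: turns versus min_turns)."""
    if limits.min_turns <= 0:
        return 1.0
    return min(1.0, count_turns(route) / limits.min_turns)


def canonical(route: list[Node]) -> bytes:
    return ";".join(f"{x},{y}" for x, y in route).encode()


def enroll(route: list[Node]) -> bytes:
    # Digest of the enrolled route; a production store would salt and slow-hash it
    # like any other passcode, since the space of plausible routes is small.
    return hashlib.sha256(canonical(route)).digest()


def verify_trace(segments: list[TouchSegment], enrolled_digest: bytes,
                 limits: Limits = Limits()) -> tuple[bool, str]:
    """Apply the time limit, the path limits and the match check; return (accepted, reason)."""
    if not segments:
        return False, "empty"
    if segments[-1].t_end > limits.max_seconds:
        return False, "timeout"
    route = join_segments(segments)
    if len(route) < 2:
        return False, "too short"
    if len(route) > limits.max_nodes:
        return False, "too long"
    if count_turns(route) < limits.min_turns:
        return False, "too weak"
    if not hmac.compare_digest(hashlib.sha256(canonical(route)).digest(), enrolled_digest):
        return False, "mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: two strokes (finger lifted once) completed at 14.5 s.
    enrolled = enroll([(0, 0), (0, 1), (0, 2), (1, 2), (2, 2), (2, 3)])
    strokes = [TouchSegment([(0, 0), (0, 1), (0, 2)], 6.0),
               TouchSegment([(0, 2), (1, 2), (2, 2), (2, 3)], 14.5)]
    print(strength(join_segments(strokes), Limits()))     # 1.0
    print(verify_trace(strokes, enrolled))                  # (True, 'ok')
```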
  • The system 100 comprises user equipment (UE) 101 having connectivity to services platform 113 and authentication service 117 (if the authentication service/module is, at least in part, implemented on another component) via a communication network 105.
  • The communication network 105 of system 100 includes one or more networks such as a data network (not shown), a wireless network (not shown), a telephony network (not shown), or any combination thereof.
  • The data network may be any local area network (LAN), metropolitan area network (MAN), wide area network (WAN), a public data network (e.g., the Internet), short range wireless network, or any other suitable packet-switched network, such as a commercially owned, proprietary packet-switched network, e.g., a proprietary cable or fiber-optic network, and the like, or any combination thereof.
  • The wireless network may be, for example, a cellular network and may employ various technologies including enhanced data rates for global evolution (EDGE), general packet radio service (GPRS), global system for mobile communications (GSM), Internet protocol multimedia subsystem (IMS), universal mobile telecommunications system (UMTS), etc., as well as any other suitable wireless medium, e.g., worldwide interoperability for microwave access (WiMAX), Long Term Evolution (LTE) networks, code division multiple access (CDMA), wideband code division multiple access (WCDMA), wireless fidelity (WiFi), wireless LAN (WLAN), Bluetooth®, Internet Protocol (IP) data casting, satellite, mobile ad-hoc network (MANET), and the like, or any combination thereof.
  • The UE 101 is any type of mobile terminal, fixed terminal, or portable terminal including a mobile handset, station, unit, device, multimedia computer, multimedia tablet, Internet node, communicator, desktop computer, laptop computer, notebook computer, netbook computer, tablet computer, personal communication system (PCS) device, personal navigation device, personal digital assistants (PDAs), audio/video player, digital camera/camcorder, positioning device, television receiver, radio broadcast receiver, electronic book device, game device, or any combination thereof, including the accessories and peripherals of these devices, or any combination thereof. It is also contemplated that the UE 101 can support any type of interface to the user (such as "wearable" circuitry, etc.).
  • A protocol includes a set of rules defining how the network nodes within the communication network 105 interact with each other based on information sent over the communication links.
  • The protocols are effective at different layers of operation within each node, from generating and receiving physical signals of various types, to selecting a link for transferring those signals, to the format of information indicated by those signals, to identifying which software application executing on a computer system sends or receives the information.
  • The conceptually different layers of protocols for exchanging information over a network are described in the Open Systems Interconnection (OSI) Reference Model.
  • Each packet typically comprises (1) header information associated with a particular protocol, and (2) payload information that follows the header information and contains information that may be processed independently of that particular protocol.
  • Often, the packet includes (3) trailer information following the payload and indicating the end of the payload information.
  • The header includes information such as the source of the packet, its destination, the length of the payload, and other properties used by the protocol.
  • Often, the data in the payload for the particular protocol includes a header and payload for a different protocol associated with a different, higher layer of the OSI Reference Model.
  • The header for a particular protocol typically indicates a type for the next protocol contained in its payload.
  • The higher layer protocol is said to be encapsulated in the lower layer protocol.
  • For example, the TLS protocol includes encrypted payloads and is encapsulated in the Transmission Control Protocol (TCP).
  • A client process sends, in one or more data packets, a message including a request to a server process (also called a service), and the server process responds by providing a service.
  • The server process may also return a message with a response to the client process.
  • The client process and server process execute on different computer devices, called hosts, and communicate via a network using one or more protocols for network communications.
  • The term “server” is conventionally used to refer to the process that provides the service, or the host on which the process operates.
  • The term “client” is conventionally used to refer to the process that makes the request, or the host on which the process operates.
  • The terms “client”, “server” and “service” refer to the processes, rather than the hosts, unless otherwise clear from the context.
  • The process performed by a server can be broken up to run as multiple processes on multiple hosts (sometimes called tiers) for reasons that include reliability, scalability, and redundancy, among others.
  • A well-known client process available on most devices (called nodes) connected to a communications network is a World Wide Web client (called a “web browser,” or simply “browser”) that interacts, through messages formatted according to the hypertext transfer protocol (HTTP), with any of a large number of servers called World Wide Web (WWW) servers that provide web pages.
  • The UE 101 at least includes applications 103 (e.g., browser, maps, contacts, calendar, etc.), data collection module 107 (e.g., profile information, use history, preferences, etc.), context sensors (GPS, compass, temperature sensor, location sensor, etc.) and authentication module 111 that interact with one or more of the services platform 113 and communication network 105.
  • the applications and modules of the UE 101 include one or more components for providing navigation-based authentication. It is contemplated that the functions of these components may be combined in one or more components or performed by other components of equivalent functionality, on the same or different hosts connected to the communication network 105.
  • FIG. 2 is a diagram of the components of user equipment capable of secure authentication, according to one embodiment.
  • a UE 101 includes one or more components for a secure authentication process. It is contemplated that the functions of these components may be combined in one or more components or performed by other components of equivalent functionality.
  • the UE 101 includes a data collection module 107 that, for example, may include one or more location modules 201, magnetometer modules 203, accelerometer modules 205 and environmental sensor modules 207.
  • the UE 101 can also include an authentication module 111 to execute/manage one or more authentication processes, a runtime module 209 to coordinate the use of other components of the UE 101, a user interface 211, a communication interface 213, a context processing module 215, and memory 217.
  • the authentication module 111 can execute/manage one or more authentication processes while running on the runtime module 209 utilizing one or more components/applications of the UE 101.
  • the location module 201 can determine a user's location.
  • the user's location can be determined by a positioning system such as GPS, assisted GPS (A-GPS), Cell of Origin, or other location extrapolation technologies.
  • Standard GPS and A-GPS systems can use satellites 119 to pinpoint the location of a UE 101.
  • a Cell of Origin system can be used to determine the cellular tower that a cellular UE 101 is synchronized with. This information provides a coarse location of the UE 101 because the cellular tower can have a unique cellular identifier (cell-ID) that can be geographically mapped.
  • the location module 201 may also utilize multiple technologies to detect the location of the UE 101.
  • Location coordinates can give finer detail as to the location of the UE 101 when media is captured.
  • GPS coordinates are stored as context information in the memory 217 and are transmitted/presented to the authentication module 111 via, for example, the communication interface 213 and/or the runtime module 209.
  • the GPS coordinates can include an altitude to provide a height.
  • the altitude can be determined using another type of altimeter.
  • the location module 201 can be a means for determining a location of the UE 101 or of an image, or can be used to associate an object in view with a location.
  • the magnetometer module 203 can be used in finding horizontal orientation of the UE 101.
  • a magnetometer is an instrument that can measure the strength and/or direction of a magnetic field. Using the same approach as a compass, the magnetometer is capable of determining the direction of a UE 101 using the magnetic field of the Earth.
  • the front of a media capture device can be marked as a reference point in determining direction.
  • the angle the UE 101 reference point is from the magnetic field is known. Simple calculations can be made to determine the direction of the UE 101.
  • horizontal directional data obtained from a magnetometer can be stored in memory 217 and/or transmitted via the communication interface 213 to the context processing module 215.
  • the accelerometer module 205 can be used to determine the vertical orientation of the UE 101.
  • An accelerometer is an instrument that can measure acceleration. Using a three-axis accelerometer, with axes X, Y, and Z, provides the acceleration in three directions with known angles. Once again, the front of a media capture device can be marked as a reference point in determining direction. Because the acceleration due to gravity is known, when a UE 101 is stationary, the accelerometer module 205 can determine the angle the UE 101 is pointed as compared to Earth's gravity.
  • vertical directional data obtained from an accelerometer is embedded into the metadata of captured or streaming media or otherwise associated with the UE 101 by the location services application 109.
  • the magnetometer module 203 and accelerometer module 205 can be means for ascertaining a perspective of a user. This perspective information may be stored in the memory 217 and sent to the context processing module 215.
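The orientation computation sketched in the last several bullets (tilt from a stationary accelerometer reading, heading from the magnetometer), as an added Python example that is not part of the patent. The axis convention (X to the device's right, Y toward its top as the reference point, Z out of the screen), the 9.81 m/s² gravity constant, the stationary tolerance and the record field names are assumptions; the heading formula is only valid for a level device, and a tilted one needs tilt compensation that the example leaves out.

```python
import math

# Added example, not from the patent. Axis conventions are assumptions:
# X points to the device's right, Y toward its top (the "front"/reference
# point of the page), Z out of the screen. Accelerometer values in m/s^2,
# magnetometer values in microtesla; all angles in degrees.
G = 9.81              # assumed gravity magnitude for the stationary check
STATIONARY_TOL = 0.5  # allowed deviation of |a| from G (m/s^2) before we
                      # refuse to treat the reading as a gravity vector


def magnitude(x, y, z):
    return math.sqrt(x * x + y * y + z * z)


def is_stationary(ax, ay, az, tol=STATIONARY_TOL):
    """The page's tilt estimate is only valid when the device is at rest, i.e.
    when the accelerometer sees nothing but gravity: |a| must be close to G."""
    return abs(magnitude(ax, ay, az) - G) <= tol


def tilt_from_flat(ax, ay, az):
    """Angle between the screen normal (Z) and 'up': 0 when lying flat face up,
    90 when held upright. Returns None while moving, because a reading that is
    not a pure gravity vector says nothing about orientation."""
    if not is_stationary(ax, ay, az):
        return None
    cos_tilt = az / magnitude(ax, ay, az)
    cos_tilt = max(-1.0, min(1.0, cos_tilt))   # guard acos against rounding
    return math.degrees(math.acos(cos_tilt))


def heading_level(mx, my):
    """Compass heading of the device's Y axis, clockwise from magnetic north,
    for a device held level. With Y pointing north the field is all +my; with
    Y pointing east, north lies along -X, so heading = atan2(-mx, my).
    A tilted device needs tilt compensation first, which this example omits."""
    return math.degrees(math.atan2(-mx, my)) % 360.0


def orientation_record(accel, mag):
    """What the page's data collection module would hand to the context
    processing module: a small, explicit context record (field names assumed)."""
    ax, ay, az = accel
    mx, my, _mz = mag
    return {
        "stationary": is_stationary(ax, ay, az),
        "tilt_deg": tilt_from_flat(ax, ay, az),
        "heading_deg": heading_level(mx, my),
    }


if __name__ == "__main__":
    # constructed readings: device flat on a table, top edge pointing east, at rest
    print(orientation_record((0.0, 0.0, 9.81), (-20.0, 0.0, -40.0)))
```

The stationary check is the part worth copying: an accelerometer sample taken while the device is being swung or is in a moving vehicle is not a gravity vector, and feeding it into the tilt formula yields a confident, wrong angle.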
  • the environmental sensor module 207 can determine atmospheric conditions surrounding the UE 101. Such atmospheric conditions may include humidity, temperature, body temperature of the user, other biometric data of the user, etc. Once again, this information can be stored in the memory 217 and sent to the context processing module 215. In certain embodiments, information collected from the data collection module 107 can be retrieved by the runtime module 209 and stored in memory 217. Then periodically, the information can be transmitted to the context processing module 215.
  • the communication interface 213 can be used to communicate with the one or more services platform 113. Certain communications can be via methods such as an internet protocol, messaging (e.g., SMS, MMS, etc.), or any other communication method (e.g., via the communication network 105).
  • the UE 101 can send context information associated with the UE 101 to the services platform 113.
  • the user can utilize a user interface 211 to generate a request for one or more services from one or more services platforms 113.
  • the user interface 211 can include various methods of communication.
  • the user interface 211 can have outputs including a visual component (e.g., a screen), an audio component, a physical component (e.g., vibrations), and other methods of communication.
  • User inputs can include a touch-screen interface, a scroll-and-click interface, a button interface, a microphone, etc.
  • Input can be via one or more methods such as voice input, textual input, typed input, typed touch-screen input, other touch-enabled input, etc.
  • the user interface 211 and/or runtime module 209 can be means for causing presentation of one or more applications, programs and the like for processing secure authentication methods.
  • the context processing module 215 may be utilized in determining context information from the data collection module 107 and/or applications 103 executing on the runtime module 209. This information may be caused to be transmitted, via the communication interface 213 and/or the runtime module 209, to the authentication module 111.
  • the context processing module 215 may additionally be utilized as a means for determining groups based on input criteria and received context information associated with other UEs 101. In certain embodiments, the context processing module 215 can infer higher level context information from the context data such as favorite locations, significant places, common activities, etc.
  • FIG. 3 is a diagram of the components of an authentication module, according to one embodiment.
  • an authentication module 111 includes one or more components for a secure authentication process.
  • the authentication module 111 includes a communication interface 301, password building engine 303, comparison engine 305 and encryption/decryption engine 307. Further, the authentication module 111 can include and/or interface with a password database 309 and location context profile 311.
  • the password building engine (PBE) 303 can receive information from the UE 101, the services platform 113 and/or one or more network components of the communication network 105 to, at least in part, build one or more passwords.
  • the information may include, for instance, navigation movements and/or related information collected for specifying, generating, validating, and the like, one or more authentication credentials.
  • the PBE 303 can receive information from the user interface 211 , context processing module 215 and the data collection module 107 to process and build one or more passwords to be utilized by the user and/or UE 101.
  • the comparison engine 305 can receive one or more passwords from the PBE 303 and compare them to, for example, one or more passwords available at the password database 309.
  • the comparison engine 305 can receive one or more passwords from one or more applications/modules of UE 101 and compare to one or more passwords available at the password database 309.
  • the one or more passwords can be generated based, at least in part, on the navigation movements in the UI of the UE 101, navigation within a physical and/or virtual space determined at the UE 101, and the like as discussed with respect to the various embodiments described herein.
  • the encryption/decryption engine 307 can utilize one or more algorithms to encrypt or decrypt one or more passwords received from, for example, the PBE 303, one or more applications/modules of UE 101 or the password database 309, and to present the result back to the same and/or the like.
  • FIGs. 4A-4C are flowcharts of processes for a navigation-based authentication process, according to one embodiment.
  • FIG. 4A is a flowchart of a process for capturing and processing user interaction with a user device, according to one embodiment.
  • the authentication module 111 and/or an application 103 of the UE 101 performs the process 400 and is implemented in, for instance, a chip set including a processor and a memory as shown in FIG. 10.
  • the authentication module 111 and/or an application 103 of the UE 101 can provide means for accomplishing various parts of the process 400 as well as means for accomplishing other processes in conjunction with other components of the system 100.
  • the authentication module 111 is referred to as completing various portions of the process 400; however, it is understood that other applications/modules, for example, in the UE 101 can perform some of and/or all of the process steps.
  • information about one or more user interactions with one or more applications of a device is captured.
  • one or more applications and/or modules of UE 101 capture a user interacting with the UE 101, for example, via the user interface 211.
  • a user touches a touch screen display of the UE 101 and/or utilizes another user interface portion of the UE 101 (e.g., a keypad) in order to interact/utilize one or more applications 103 of the UE 101.
  • the authentication module processes and/or facilitates a processing of the user interaction information to generate one or more authentication credentials that the user and/or the UE 101 can utilize in various scenarios.
  • the UE 101 requires one or more credentials in order for the user to be able to utilize/access the UE 101.
  • one or more applications on UE 101 require one or more credentials in order for the user to be able to utilize/access the one or more applications.
  • one or more services at one or more services platforms 113 require one or more credentials in order for the user to be able to utilize/access the one or more services at the one or more services platforms 113.
  • the communication network 105 requires one or more credentials in order for the user to be able to utilize/access the communication network 105.
  • at step 405, another one or more inputs that at least substantially match the user interaction information are captured.
  • the user is prompted to continue interacting with the UE 101 in order to capture one or more additional interaction information which can be used in the authentication process.
  • the user can select one or more applications, one or more areas/points on the user interface (e.g., touch, click, keypad access, etc.), which can be added to the previous one or more interaction information.
  • the one or more authentication credentials based, at least in part, on the one or more inputs are utilized to access one or more services, one or more applications, one or more resources, or a combination thereof.
  • the authentication module utilizes the captured information about the one or more interactions with one or more applications to determine one or more user credentials, which can be utilized when trying to access, for example, one or more services, one or more applications, one or more resources, or a combination thereof, which may be on the UE 101, at the services platform 113 and/or on the communication network 105.
  • the credentials can be used for accessing one or more restricted/protected/secured areas/applications on the UE 101 (e.g., a personal data list, a restricted application, etc.) one or more services at the one or more services platform 113 (e.g., an online shopping account, a credit card account, etc.) and/or resources/components on the communication network 105 (e.g., access to a server, access to data bank, etc.).
  • the user interaction information includes, at least in part, a sequence of one or more user actions, one or more device actions, or a combination thereof, and wherein the one or more inputs at least substantially match at least a portion of the sequence.
  • the user substantially sequentially selects (e.g., touches/clicks on a corresponding icon) one or more applications, areas, points, data and the like on the UE 101. Additionally, the sequence of the user actions is substantially according to a predetermined sequence.
  • the one or more user actions, the one or more device actions, a combination thereof include, at least in part: (a) one or more navigation actions within a user interface of the device, within an application of the device, or a combination thereof; (b) one or more virtual movements of the device; (c) one or more physical movements of the device; (d) orientation information of the device; (e) direction information of the device; (f) speed information associated with the one or more device actions; or (g) a combination thereof.
  • FIG. 4B is a flowchart of a process for capturing and processing user navigation and authentication request, according to one embodiment.
  • the authentication module 111 and/or an application 103 of the UE 101 performs the process 440 and is implemented in, for instance, a chip set including a processor and a memory as shown in FIG. 10.
  • the authentication module 111 and/or an application 103 of the UE 101 can provide means for accomplishing various parts of the process 440 as well as means for accomplishing other processes in conjunction with other components of the system 100.
  • the authentication module 111 is referred to as completing various portions of the process 440; however, it is understood that other applications/modules, for example, in the UE 101 can perform some of and/or all of the process steps.
  • at step 445, progress status information during the capture of the user interaction information, the another capture of the one or more inputs, or a combination thereof is presented.
  • the progress of the authentication process is presented in form of, for example, process steps remaining, process steps completed, percentage of the process completed and/or remaining and the like.
  • at step 447, one or more authentication requests are received.
  • the authentication request is caused when the user attempts to access/utilize the user device UE 101, one or more applications 103 on the UE 101, and/or one or more services at the services platform 113 and/or the communication network 105.
  • the user may wish to access a bank account at or via the services platform 113 by launching/executing one or more applications 103 on UE 101, which causes a request for an authentication (e.g., via the authentication module 111).
  • the user wishes to access one or more restricted/protected areas, applications, procedures, modules on the UE 101, which causes a request for the authentication.
  • at step 449, capture of the user interaction information, the another capture of the one or more inputs, the presentation of the one or more authentication credentials, or a combination thereof is initiated based, at least in part, on the one or more authentication requests.
  • one or more authentication processes are caused, for example, by one or more applications 103 and/or the authentication module 111.
  • the one or more authentication requests are received, at least from one of, a user, a user device application, a service platform, a network component and a combination thereof.
  • one or more authentication requests can be caused, at least in part, by the user device UE 101, one or more applications 103, and one or more services at the services platform 113 and/or the communication network 105.
  • the user may wish to access a personal account at or via the services platform 113 by launching/executing one or more applications 103 on UE 101, which causes a request for an authentication (e.g., via the authentication module 111).
  • the user wishes to access one or more restricted/protected areas, applications, procedures, modules on the UE 101 and/or at the communication network 105, which causes a request for the authentication.
  • FIG. 4C is a flowchart of a process for normalizing user information and determining authentication credentials, according to one embodiment.
  • the authentication module 111 and/or an application 103 of the UE 101 performs the process 470 and is implemented in, for instance, a chip set including a processor and a memory as shown in FIG. 10.
  • the authentication module 111 and/or an application 103 of the UE 101 can provide means for accomplishing various parts of the process 470 as well as means for accomplishing other processes in conjunction with other components of the system 100.
  • the authentication module 111 is referred to as completing various portions of the process 470; however, it is understood that other applications/modules, for example, in the UE 101 can perform some of and/or all of the process steps.
  • the authentication module 111 processes and/or facilitates a processing of the user interaction information, the one or more inputs, or a combination thereof to normalize the user interaction information, the one or more inputs, or a combination thereof.
  • the user interaction information is captured by, for example, the authentication module 111 and then further processed to obtain the information necessary for the authentication and/or password building process.
  • the user is prompted to select (e.g., touch, select, click, etc.) one or more different applications on the UE 101 whereby the selected applications signify further information, for example, the placement/location (e.g., first, last, left top corner, bottom right corner, center, etc.) of the application icons in the display area of the UE 101, the place of the application in a list of applications (e.g., first, third, fourth, etc.), or one or more characters in each application's name (e.g., "w" for a "drawing" application, "i" for a "writing" application, "1" for a "calculator" application, "d" for a "documentation" application) which, at least in part, can be used to form a password of "wild".
  • the password may be based on the sequence of the applications chosen, such as the first, third, fourth and sixth applications in a list to form a password of "1346".
  • the user interaction can be via a location application (e.g., a map application), which can utilize the user/user-device physical location, physical and/or virtual movement and the like.
  • FIGs. 5A-5B are diagrams of user interfaces utilized in a secure authentication process, according to various embodiments.
  • FIG. 5A depicts several user interfaces utilized in the secure authentication process of system 100.
  • 501 shows a user interface on a UE 101 with four application/folder icons "Phonebook, Gallery, Messages and Camera".
  • the user initiates the secure authentication process by choosing the option "Start Login Path" at 513. This interaction starts recording of the user interacting with the UE 101 via one or more applications 103 and/or one or more modules, for example, the authentication module 111.
  • the user selects an application/folder icon of "Phonebook” 523 and confirms the selection at 527.
  • the user interface shows progress of the authentication process via indicator 527. Furthermore, the user can indicate a stopping point and confirm the completion of the user interaction by utilizing a command such as 529 (e.g., select/press the "# " symbol) and at 531 can select to utilize the authentication credentials for logging into the desired target (e.g., an application, a service, a network component, etc.).
  • the selected application “Phonebook” is opened/expanded to show further detail whereby 543 shows selection of a contact name, which can be utilized by the password building engine 303.
  • one or more characteristics/attributes of the selected item/name/word can have significance and be utilized in the password building process, and the user can indicate the selection by utilizing a command key such as "use this" at 547.
  • Indicator 547 shows a progress of the authentication process.
  • example passwords determined can be "PhoDha", by utilizing the first three letters of the UI element "Phonebook" and of the phonebook entry "Dhanu", or, in another example, an abbreviation "PB" for the application name "Phonebook" and the location of the element/entry/name in the phonebook list, "4", to form "PB4".
  • FIG. 5B depicts another example embodiment of a user interface utilized in the secure authentication process.
  • the user is presented with one or more choices/lists of target applications and/or services for which the processed authentication credentials are to be utilized, and/or the user can define a target not shown in the one or more lists.
  • the user selects a banking service at 563.
  • a login interface 571 is presented to the user whereby one or more authentication credentials, 573 and 575, can be presented for logging onto the target service.
  • the one or more authentication credentials, for example 573 and 575, can be provided, at least in part, by one or more applications, modules and/or the user.
  • the user can provide the username 573 in plain alphanumeric text (e.g., "John Smith") and the authentication module can provide the password in 575 (e.g., "PhoDha" from the FIG. 5A example above) determined, at least in part, by the authentication module 111.
  • the password provided in 575 can be one that was previously determined and can be reused, at least in part, upon authentication of the user by the authentication module 111 and/or one or more applications of UE 101.
  • FIGs. 6A-6C are diagrams of user interfaces utilizing map application in a navigation-based authentication process, according to various embodiments.
  • FIG. 6A shows a map application where indicator 600 shows a portion of a map on which a user navigation path/route segments are indicated by 601-605.
  • the navigation path information is captured, at least in part, by the location module 201 and saved in memory 217 and/or authentication data store 121.
  • the path is from point “A” to/through one or more points (e.g., "B", “C”, “D”, “E”, “F") and back to point "A" wherein the one or more points can represent one or more point of interest visited by the user.
  • a user may not have visited/travelled on particular routes/paths, but can be presented with a map application of one or more areas (e.g., close to home, hobby, work, etc.) familiar to the user.
  • the navigation-based authentication process requires capture of navigation information for generating a password and/or validation of a user whereby the user is prompted to provide the information by utilizing a map application which is presented on display of the UE 101.
  • the user selects/traces/highlights (e.g., by moving a finger on a touchscreen display, moving a cursor, etc.) a route (e.g., along a street, a road, a path, etc.) shown on the map.
  • the map application need not be connected, for example via GPS, to location based services, so the password generation process can still function offline, which can improve power consumption of the UE 101.
  • the map application is downloaded to memory of the device in advance to avoid possible network connection problems and/or the requirement that the UE 101 be/stay online.
  • one or more line segments are shown on the display, and additionally, the selected route information is logged/recorded (e.g., by the data collection module 107) for further use by one or more applications/modules on UE 101.
  • the logged/recorded information comprises information on the line segments 601-605, which can be in the format: Park Street 10-14 (10-14 means that line segment 601 starts at Park Street #10 and continues to Park Street #14), 8th Avenue 30-28 (30-28 means that line segment 602 starts at 8th Avenue #30 and continues to 8th Avenue #28) and so on.
  • information on one or more points of interest (POIs) along the indicated route can be added, shown and/or utilized; for example, the information can include Shell station 8th Avenue 30 (607, POI-1), Hard Rock cafe Heavy Street 10 (609, POI-2), etc.
  • the POI information can be an alternative method for logging/recording the information of the selected route/path.
  • one or more other methods can be employed for logging/recording the information wherein the methods can include prompts/ hints in order to assist the user in remembering the route/path.
  • the scale of a map application can be set to one or more sizes and/or different map areas can be presented to the user for navigating between points of the different areas. For example, a user can navigate along a route/path between places such as Helsinki, Boston, Denver and Kenya (e.g., the user selects the places in that order), which can be utilized for generating a password and/or can be selected as a user password.
  • the user is given the possibility to select (e.g., by clicking, selecting, etc.) the cities (e.g., the places the user likes) that the user wants to be used in the password generation/building process.
  • the communication interface 301 interfaces with the map application.
  • one or more information e.g., strength, length, steps, and the like
  • the strength of the password can depend on one or more characteristics of the route/path, for example, the length of the path, the turns of the path, the number of places selected (e.g., POIs), or a combination thereof.
  • GPS information e.g., one or more characters/subsections of coordinates on a map
  • the route/path e.g., at any point along any of the route segments, POIs, etc.
  • the GPS coordinates for POI-1 and POI-2 are 40° 42' 50.634" and 40° 47' 50.962", respectively, whereby the authentication module 111, the data collection module 107 and/or other applications can utilize one or more of the characters of the two coordinates for generating a password/passcode by any number of combinations/methods, for example: the second, third, and sixth digits of the POI-1 GPS coordinate (040, counting digits only and skipping the degree, minute and second marks) and the first, fourth, and seventh digits of the POI-2 GPS coordinate (479) can be used in generating a password/passcode of 040479, 479040 and the like.
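The segment log format ("Park Street 10-14"), the POI list and the coordinate-digit rule of the passcode example just above, as an added Python example that is not part of the patent. The log lines, POIs and digit positions are constructed; the reading that makes the page's picks come out as 040 and 479 is to count digits only, skipping the degree, minute and second marks, which the example makes explicit. It also computes the route characteristics the page ties to password strength, with the caveat that a six-digit passcode has at most about 19.9 bits of search space regardless of how long or winding the route was.

```python
import math
import re

# Added example, not from the patent: parsing the route log format the page
# shows ("Park Street 10-14"), the POI coordinate-digit rule of the 040479
# example, and the route characteristics the page ties to password strength.
# The log lines, POIs and the digit positions are constructed for illustration.

ROUTE_LOG = [              # segments in the style of 601-605, constructed
    "Park Street 10-14",
    "8th Avenue 30-28",
    "Heavy Street 4-10",
]
POIS = {                   # name, address, coordinate string as written on the page
    "POI-1": ("Shell station", "8th Avenue 30", "40° 42' 50.634\""),
    "POI-2": ("Hard Rock cafe", "Heavy Street 10", "40° 47' 50.962\""),
}

SEGMENT_RE = re.compile(r"^(?P<street>.+?)\s+(?P<start>\d+)-(?P<end>\d+)$")


def parse_segment(line):
    """'Park Street 10-14' -> ('Park Street', 10, 14): the segment runs from
    house number 10 to 14; a descending pair ('30-28') encodes direction."""
    m = SEGMENT_RE.match(line.strip())
    if m is None:
        raise ValueError("unrecognised segment: %r" % line)
    return m["street"], int(m["start"]), int(m["end"])


def route_features(log_lines, pois):
    """The characteristics the page names: number of segments, turns (a change
    of street between consecutive segments) and POIs selected."""
    segments = [parse_segment(line) for line in log_lines]
    turns = sum(1 for a, b in zip(segments, segments[1:]) if a[0] != b[0])
    return {"segments": len(segments), "turns": turns, "pois": len(pois)}


def coordinate_digits(coord):
    """Keep only the digits: 40° 42' 50.634\" -> '404250634'. This is the
    reading under which the page's picks (2nd, 3rd, 6th -> 040) come out."""
    return re.sub(r"\D", "", coord)


def pick_digits(coord, positions):
    """Select 1-based digit positions from a coordinate string."""
    digits = coordinate_digits(coord)
    return "".join(digits[p - 1] for p in positions)


def passcode_from_pois(coords, picks):
    """Concatenate the picked digits of each POI coordinate, in POI order."""
    return "".join(pick_digits(c, p) for c, p in zip(coords, picks))


def max_passcode_bits(code):
    """An all-digit passcode of length n has at most n*log2(10) bits, whatever
    the route that produced it looked like."""
    return len(code) * math.log2(10)


if __name__ == "__main__":
    print(route_features(ROUTE_LOG, POIS))
    coords = [POIS["POI-1"][2], POIS["POI-2"][2]]
    code = passcode_from_pois(coords, [(2, 3, 6), (1, 4, 7)])
    print(code, "%.1f bits at most" % max_passcode_bits(code))
```

Note that the leading digits of nearby coordinates are shared by every point in the same city, so picks that land on them contribute nothing a local attacker could not guess; positions further right carry the route-specific information.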
  • additional GPS information e.g., direction
  • FIGs. 7A-7C are diagrams showing navigation-based authentication processes utilizing example routing mechanisms, according to various embodiments.
  • FIG. 7A shows diagram 700 with indicators 701 , 703 and 705.
  • in order for a user to access a resource (e.g., access to a physical facility and/or a user account at that physical facility/location), the user must substantially have travelled along a predefined path, such as indicated by 701, to receive one or more valid authentication credentials from the authentication module 111.
  • a user may be authorized to access a particular facility 707 (e.g., an office building via entrance 1) when having travelled a particular physical path 701 (e.g., walk, drive), however, if the same user with same authorization travels via routes 703 and 705 to the same facility 707, the navigation-based authentication will fail and access can be denied.
  • the navigation-based authentication is only part of an authentication process, for example, and the user may need one or more additional authentication credentials to gain access to the same facility 707.
  • user1, who is authorized to access the facility 707, has misplaced user device 1; user2 utilizes the misplaced user device 1, travels the correct path 701 and tries to gain access to facility 707 via entrance 1; however, since one or more additional authentication credentials are necessary for access to facility 707, access can be denied to user2.
  • FIG. 7B shows a map application indicating a user navigation path.
  • navigation path of a user and/or a user device needs to substantially match that of a predefined path required for one or more valid authentication credentials.
  • a user 741 must travel substantially along path/route 743 when wishing to access a restricted resource at 745.
  • one or more characteristics captured during the navigation by one or more modules/applications of UE 101 e.g., speed, starting point, starting time and the like
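A concrete version of the "substantially travelled along the predefined path" check from the route 701/703/705 discussion and FIG. 7B, as an added Python example that is not Nokia's code. The waypoints, the GPS fixes, and the 30 m and 80 m thresholds are constructed assumptions; the example checks waypoints in order (so a backwards or partial walk fails), bounds the detour between waypoints, and then requires the additional credential the page says a misplaced device's holder would lack. Speed and start-time characteristics are not checked.

```python
import math

# Added example, not from the patent: checking that a captured GPS track
# "substantially" follows a predefined path (the page's path 701), and
# combining that with the additional credential the page says is still
# required. Coordinates, tolerances and the track fixes are constructed.

EARTH_RADIUS_M = 6371000.0


def haversine_m(p, q):
    """Great-circle distance in metres between two (lat, lon) pairs in degrees."""
    lat1, lon1 = math.radians(p[0]), math.radians(p[1])
    lat2, lon2 = math.radians(q[0]), math.radians(q[1])
    dlat, dlon = lat2 - lat1, lon2 - lon1
    a = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def path_matches(track, waypoints, tolerance_m=30.0, max_detour_m=80.0):
    """'Substantially along the path' made concrete:
    1. every waypoint must be passed within tolerance_m, in the listed order
       (so walking the path backwards, or joining it halfway, fails), and
    2. no fix may lie further than max_detour_m from every waypoint (so a
       detour between two waypoints fails even if both are eventually reached).
    The thresholds are assumptions; pick them from the GPS accuracy you expect."""
    i = 0
    for wp in waypoints:
        while i < len(track) and haversine_m(track[i], wp) > tolerance_m:
            i += 1
        if i == len(track):
            return False
    return all(min(haversine_m(fix, wp) for wp in waypoints) <= max_detour_m
               for fix in track)


def authorize_entry(track, required_path, second_factor_ok, **limits):
    """Access to facility 707: the navigation check is one factor; a lost
    device carried along the right path by someone else still lacks the other."""
    return path_matches(track, required_path, **limits) and bool(second_factor_ok)


# Constructed reference path 701: four waypoints about 111 m apart, ending at
# entrance 1. Latitude steps of 0.001 deg are ~111 m; the longitude is constant.
PATH_701 = [(60.1700, 24.9400), (60.1710, 24.9400), (60.1720, 24.9400), (60.1730, 24.9400)]

# Constructed GPS fixes of a user who walked path 701 (a few metres of noise).
TRACK_701 = [(60.17001, 24.94002), (60.17051, 24.94001), (60.17099, 24.94003),
             (60.17150, 24.94000), (60.17201, 24.93998), (60.17249, 24.94002),
             (60.17301, 24.94001)]

# Constructed fixes of route 703: same start and same entrance, but a loop
# some 280 m to the east instead of the required street.
TRACK_703 = [(60.17001, 24.94002), (60.17000, 24.94250), (60.17000, 24.94500),
             (60.17300, 24.94500), (60.17301, 24.94001)]


if __name__ == "__main__":
    print("701, with second factor:", authorize_entry(TRACK_701, PATH_701, True))
    print("703, with second factor:", authorize_entry(TRACK_703, PATH_701, True))
    print("701, lost device, no second factor:", authorize_entry(TRACK_701, PATH_701, False))
```

The track is self-reported by the device, so this check only has value when the fixes are collected by a component the user cannot edit and are bound to the device at capture time; on its own it is a possession-plus-behaviour signal, not proof of identity, which is why the page keeps the second credential.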
  • a resolution and/or zoom level 811 can be utilized to present one or more additional items of information such as the required zoom level (e.g., at 55%), and/or the map application can utilize the zoom level to calculate map information such as the granularity of the coordinates (e.g., 40° 42' 50.6346728" or 40° 42' 50.634" or 40° 42' 50.6"), the physical address of a point along route 805, points of interest on the map and/or the like.
  • the processes described herein for a navigation-based authentication may be advantageously implemented via software, hardware, firmware or a combination of software and/or firmware and/or hardware.
  • the processes described herein may be advantageously implemented via processor(s), Digital Signal Processing (DSP) chip, an Application Specific Integrated Circuit (ASIC), Field Programmable Gate Arrays (FPGAs), etc.
  • FIG. 9 illustrates a computer system 900 upon which an embodiment of the invention may be implemented.
  • although computer system 900 is depicted with respect to a particular device or equipment, it is contemplated that other devices or equipment (e.g., network elements, servers, etc.) within FIG. 9 can deploy the illustrated hardware and components of system 900.
  • Computer system 900 is programmed (e.g., via computer program code or instructions) for a navigation-based authentication as described herein and includes a communication mechanism such as a bus 910 for passing information between other internal and external components of the computer system 900.
  • Information is represented as a physical expression of a measurable phenomenon, typically electric voltages, but including, in other embodiments, such phenomena as magnetic, electromagnetic, pressure, chemical, biological, molecular, atomic, subatomic and quantum interactions. For example, north and south magnetic fields, or a zero and non-zero electric voltage, represent two states (0, 1) of a binary digit (bit). Other phenomena can represent digits of a higher base. A superposition of multiple simultaneous quantum states before measurement represents a quantum bit (qubit). A sequence of one or more digits constitutes digital data that is used to represent a number or code for a character. In some embodiments, information called analog data is represented by a near continuum of measurable values within a particular range. Computer system 900, or a portion thereof, constitutes a means for performing one or more steps of navigation-based authentication process.
  • a bus 910 includes one or more parallel conductors of information so that information is transferred quickly among devices coupled to the bus 910.
  • One or more processors 902 for processing information are coupled with the bus 910.
  • a processor (or multiple processors) 902 performs a set of operations on information as specified by computer program code related to navigation-based authentication process.
  • the computer program code is a set of instructions or statements providing instructions for the operation of the processor and/or the computer system to perform specified functions.
  • the code for example, may be written in a computer programming language that is compiled into a native instruction set of the processor.
  • the code may also be written directly using the native instruction set (e.g., machine language).
  • the set of operations include bringing information in from the bus 910 and placing information on the bus 910.
  • the set of operations also typically include comparing two or more units of information, shifting positions of units of information, and combining two or more units of information, such as by addition or multiplication or logical operations like OR, exclusive OR (XOR), and AND.
  • Each operation of the set of operations that can be performed by the processor is represented to the processor by information called instructions, such as an operation code of one or more digits.
  • a sequence of operations to be executed by the processor 902, such as a sequence of operation codes, constitute processor instructions, also called computer system instructions or, simply, computer instructions.
  • Processors may be implemented as mechanical, electrical, magnetic, optical, chemical or quantum components, among others, alone or in combination.
  • Computer system 900 also includes a memory 904 coupled to bus 910.
  • the memory 904 such as a random access memory (RAM) or any other dynamic storage device, stores information including processor instructions for a navigation-based authentication process. Dynamic memory allows information stored therein to be changed by the computer system 900. RAM allows a unit of information stored at a location called a memory address to be stored and retrieved independently of information at neighboring addresses.
  • the memory 904 is also used by the processor 902 to store temporary values during execution of processor instructions.
  • the computer system 900 also includes a read only memory (ROM) 906 or any other static storage device coupled to the bus 910 for storing static information, including instructions, that is not changed by the computer system 900. Some memory is composed of volatile storage that loses the information stored thereon when power is lost.
  • Information including instructions for a navigation-based authentication, is provided to the bus 910 for use by the processor from an external input device 912, such as a keyboard containing alphanumeric keys operated by a human user, or a sensor.
  • a sensor detects conditions in its vicinity and transforms those detections into physical expression compatible with the measurable phenomenon used to represent information in computer system 900.
  • a display device 914 such as a cathode ray tube (CRT), a liquid crystal display (LCD), a light emitting diode (LED) display, an organic LED (OLED) display, a plasma screen, or a printer for presenting text or images
  • a pointing device 916 such as a mouse, a trackball, cursor direction keys, or a motion sensor, for controlling a position of a small cursor image presented on the display 914 and issuing commands associated with graphical elements presented on the display 914.
  • one or more of external input device 912, display device 914 and pointing device 916 is omitted.
  • special purpose hardware such as an application specific integrated circuit (ASIC) 920
  • the special purpose hardware is configured to perform operations not performed by processor 902 quickly enough for special purposes.
  • ASICs include graphics accelerator cards for generating images for display 914, cryptographic boards for encrypting and decrypting messages sent over a network, speech recognition, and interfaces to special external devices, such as robotic arms and medical scanning equipment that repeatedly perform some complex sequence of operations that are more efficiently implemented in hardware.
  • Computer system 900 also includes one or more instances of a communications interface 970 coupled to bus 910.
  • Communication interface 970 provides a one-way or two-way communication coupling to a variety of external devices that operate with their own processors, such as printers, scanners and external disks. In general the coupling is with a network link 978 that is connected to a local network 980 to which a variety of external devices with their own processors are connected.
  • communication interface 970 may be a parallel port or a serial port or a universal serial bus (USB) port on a personal computer.
  • communications interface 970 is an integrated services digital network (ISDN) card or a digital subscriber line (DSL) card or a telephone modem that provides an information communication connection to a corresponding type of telephone line.
  • a communication interface 970 is a cable modem that converts signals on bus 910 into signals for a communication connection over a coaxial cable or into optical signals for a communication connection over a fiber optic cable.
  • communications interface 970 may be a local area network (LAN) card to provide a data communication connection to a compatible LAN, such as Ethernet. Wireless links may also be implemented.
  • the communications interface 970 sends or receives or both sends and receives electrical, acoustic or electromagnetic signals, including infrared and optical signals, that carry information streams, such as digital data.
  • the communications interface 970 includes a radio band electromagnetic transmitter and receiver called a radio transceiver.
  • the communications interface 970 enables connection to the communication network 105 for a navigation-based authentication process with the UE 101.
  • Non-transitory media such as nonvolatile media, include, for example, optical or magnetic disks, such as storage device 908.
  • Volatile media include, for example, dynamic memory 904.
  • Transmission media include, for example, twisted pair cables, coaxial cables, copper wire, fiber optic cables, and carrier waves that travel through space without wires or cables, such as acoustic waves and electromagnetic waves, including radio, optical and infrared waves.
  • Signals include man-made transient variations in amplitude, frequency, phase, polarization or other physical properties transmitted through the transmission media.
  • Common forms of computer-readable media include, for example, a floppy disk, a flexible disk, hard disk, magnetic tape, any other magnetic medium, a CD-ROM, CDRW, DVD, any other optical medium, punch cards, paper tape, optical mark sheets, any other physical medium with patterns of holes or other optically recognizable indicia, a RAM, a PROM, an EPROM, a FLASH-EPROM, an EEPROM, a flash memory, any other memory chip or cartridge, a carrier wave, or any other medium from which a computer can read.
  • the term computer-readable storage medium is used herein to refer to any computer-readable medium except transmission media.
  • Logic encoded in one or more tangible media includes one or both of processor instructions on a computer-readable storage media and special purpose hardware, such as ASIC 920.
  • Network link 978 typically provides information communication using transmission media through one or more networks to other devices that use or process the information.
  • network link 978 may provide a connection through local network 980 to a host computer 982 or to equipment 984 operated by an Internet Service Provider (ISP).
  • ISP equipment 984 in turn provides data communication services through the public, world-wide packet-switching communication network of networks now commonly referred to as the Internet 990.
  • a computer called a server host 992 connected to the Internet hosts a process that provides a service in response to information received over the Internet.
  • server host 992 hosts a process that provides information representing video data for presentation at display 914.
  • the components of system 900 can be deployed in various configurations within other computer systems, e.g., host 982 and server 992.
  • At least some embodiments of the invention are related to the use of computer system 900 for implementing some or all of the techniques described herein. According to one embodiment of the invention, those techniques are performed by computer system 900 in response to processor 902 executing one or more sequences of one or more processor instructions contained in memory 904.
  • Such instructions also called computer instructions, software and program code, may be read into memory 904 from another computer-readable medium such as storage device 908 or network link 978. Execution of the sequences of instructions contained in memory 904 causes processor 902 to perform one or more of the method steps described herein.
  • hardware such as ASIC 920, may be used in place of or in combination with software to implement the invention.
  • embodiments of the invention are not limited to any specific combination of hardware and software, unless otherwise explicitly stated herein.
  • Computer system 900 can send and receive information, including program code, through the networks 980, 990 among others, through network link 978 and communications interface 970.
  • a server host 992 transmits program code for a particular application, requested by a message sent from computer 900, through Internet 990, ISP equipment 984, local network 980 and communications interface 970.
  • the received code may be executed by processor 902 as it is received, or may be stored in memory 904 or in storage device 908 or any other non-volatile storage for later execution, or both. In this manner, computer system 900 may obtain application program code in the form of signals on a carrier wave.
  • instructions and data may initially be carried on a magnetic disk of a remote computer such as host 982.
  • the remote computer loads the instructions and data into its dynamic memory and sends the instructions and data over a telephone line using a modem.
  • a modem local to the computer system 900 receives the instructions and data on a telephone line and uses an infra-red transmitter to convert the instructions and data to a signal on an infra-red carrier wave serving as the network link 978.
  • An infrared detector serving as communications interface 970 receives the instructions and data carried in the infrared signal and places information representing the instructions and data onto bus 910.
  • Bus 910 carries the information to memory 904 from which processor 902 retrieves and executes the instructions using some of the data sent with the instructions.
  • the instructions and data received in memory 904 may optionally be stored on storage device 908, either before or after execution by the processor 902.
  • FIG. 10 illustrates a chip set or chip 1000 upon which an embodiment of the invention may be implemented.
  • Chip set 1000 is programmed to accelerate authentication as described herein and includes, for instance, the processor and memory components described with respect to FIG. 9 incorporated in one or more physical packages (e.g., chips).
  • a physical package includes an arrangement of one or more materials, components, and/or wires on a structural assembly (e.g., a baseboard) to provide one or more characteristics such as physical strength, conservation of size, and/or limitation of electrical interaction.
  • the chip set 1000 can be implemented in a single chip. It is further contemplated that in certain embodiments the chip set or chip 1000 can be implemented as a single "system on a chip." It is further contemplated that in certain embodiments a separate ASIC would not be used, for example, and that all relevant functions as disclosed herein would be performed by a processor or processors.
  • Chip set or chip 1000 constitutes a means for performing one or more steps of providing user interface navigation information associated with the availability of functions.
  • Chip set or chip 1000, or a portion thereof constitutes a means for performing one or more steps of a navigation-based authentication process.
  • the chip set or chip 1000 includes a communication mechanism such as a bus 1001 for passing information among the components of the chip set 1000.
  • a processor 1003 has connectivity to the bus 1001 to execute instructions and process information stored in, for example, a memory 1005.
  • the processor 1003 may include one or more processing cores with each core configured to perform independently.
  • a multi-core processor enables multiprocessing within a single physical package. Examples of a multi-core processor include two, four, eight, or greater numbers of processing cores.
  • the processor 1003 may include one or more microprocessors configured in tandem via the bus 1001 to enable independent execution of instructions, pipelining, and multithreading.
  • the processor 1003 may also be accompanied with one or more specialized components to perform certain processing functions and tasks such as one or more digital signal processors (DSP) 1007, or one or more application-specific integrated circuits (ASIC) 1009.
  • a DSP 1007 typically is configured to process real-world signals (e.g., sound) in real time independently of the processor 1003.
  • an ASIC 1009 can be configured to perform specialized functions not easily performed by a more general purpose processor.
  • Other specialized components to aid in performing the inventive functions described herein may include one or more field programmable gate arrays (FPGA) (not shown), one or more controllers (not shown), or one or more other special-purpose computer chips.
  • the chip set or chip 1000 includes merely one or more processors and some software and/or firmware supporting and/or relating to and/or for the one or more processors.
  • the processor 1003 and accompanying components have connectivity to the memory 1005 via the bus 1001.
  • the memory 1005 includes both dynamic memory (e.g., RAM, magnetic disk, writable optical disk, etc.) and static memory (e.g., ROM, CD-ROM, etc.) for storing executable instructions that when executed perform the inventive steps described herein to a navigation-based authentication process.
  • the memory 1005 also stores the data associated with or generated by the execution of the inventive steps.
  • FIG. 11 is a diagram of exemplary components of a mobile terminal (e.g., handset) for communications, which is capable of operating in the system of FIG. 1, according to one embodiment.
  • mobile terminal 1101 or a portion thereof, constitutes a means for performing one or more steps of a navigation-based authentication process.
  • a radio receiver is often defined in terms of front-end and back-end characteristics. The front-end of the receiver encompasses all of the Radio Frequency (RF) circuitry whereas the back-end encompasses all of the base-band processing circuitry.
  • circuitry refers to both: (1) hardware-only implementations (such as implementations in only analog and/or digital circuitry), and (2) to combinations of circuitry and software (and/or firmware) (such as, if applicable to the particular context, to a combination of processor(s), including digital signal processor(s), software, and memory(ies) that work together to cause an apparatus, such as a mobile phone or server, to perform various functions).
  • This definition of "circuitry" applies to all uses of this term in this application, including in any claims.
  • the term "circuitry" would also cover an implementation of merely a processor (or multiple processors) and its (or their) accompanying software and/or firmware.
  • the term “circuitry” would also cover if applicable to the particular context, for example, a baseband integrated circuit or applications processor integrated circuit in a mobile phone or a similar integrated circuit in a cellular network device or other network devices.
  • Pertinent internal components of the telephone include a Main Control Unit (MCU) 1103, a Digital Signal Processor (DSP) 1105, and a receiver/transmitter unit including a microphone gain control unit and a speaker gain control unit.
  • a main display unit 1107 provides a display to the user in support of various applications and mobile terminal functions that perform or support the steps of a navigation-based authentication process.
  • the display 1107 includes display circuitry configured to display at least a portion of a user interface of the mobile terminal (e.g., mobile telephone). Additionally, the display 1107 and display circuitry are configured to facilitate user control of at least some functions of the mobile terminal.
  • An audio function circuitry 1109 includes a microphone 1111 and microphone amplifier that amplifies the speech signal output from the microphone 1111. The amplified speech signal output from the microphone 1111 is fed to a coder/decoder (CODEC) 1113.
  • a radio section 1115 amplifies power and converts frequency in order to communicate with a base station, which is included in a mobile communication system, via antenna 1117.
  • the power amplifier (PA) 1119 and the transmitter/modulation circuitry are operationally responsive to the MCU 1103, with an output from the PA 1119 coupled to the duplexer 1121 or circulator or antenna switch, as known in the art.
  • the PA 1119 also couples to a battery interface and power control unit 1120.
  • a user of mobile terminal 1101 speaks into the microphone 1111 and his or her voice along with any detected background noise is converted into an analog voltage.
  • the analog voltage is then converted into a digital signal through the Analog to Digital Converter (ADC) 1123.
  • the control unit 1103 routes the digital signal into the DSP 1105 for processing therein, such as speech encoding, channel encoding, encrypting, and interleaving.
  • the processed voice signals are encoded, by units not separately shown, using a cellular transmission protocol such as enhanced data rates for global evolution (EDGE), general packet radio service (GPRS), global system for mobile communications (GSM), Internet protocol multimedia subsystem (IMS), universal mobile telecommunications system (UMTS), etc., as well as any other suitable wireless medium, e.g., microwave access (WiMAX), Long Term Evolution (LTE) networks, code division multiple access (CDMA), wideband code division multiple access (WCDMA), wireless fidelity (WiFi), satellite, and the like, or any combination thereof.
  • the encoded signals are then routed to an equalizer 1125 for compensation of any frequency-dependent impairments that occur during transmission through the air such as phase and amplitude distortion.
  • After equalizing the bit stream, the modulator 1127 combines the signal with an RF signal generated in the RF interface 1129.
  • the modulator 1127 generates a sine wave by way of frequency or phase modulation.
  • In order to prepare the signal for transmission, an up-converter 1131 combines the sine wave output from the modulator 1127 with another sine wave generated by a synthesizer 1133 to achieve the desired frequency of transmission.
  • the signal is then sent through a PA 1119 to increase the signal to an appropriate power level.
  • the PA 1119 acts as a variable gain amplifier whose gain is controlled by the DSP 1105 from information received from a network base station.
  • the signal is then filtered within the duplexer 1121 and optionally sent to an antenna coupler 1135 to match impedances to provide maximum power transfer. Finally, the signal is transmitted via antenna 1117 to a local base station.
  • An automatic gain control (AGC) can be supplied to control the gain of the final stages of the receiver.
  • the signals may be forwarded from there to a remote telephone which may be another cellular telephone, any other mobile phone or a land-line connected to a Public Switched Telephone Network (PSTN), or other telephony networks.
  • Voice signals transmitted to the mobile terminal 1101 are received via antenna 1117 and immediately amplified by a low noise amplifier (LNA) 1137.
  • a down-converter 1139 lowers the carrier frequency while the demodulator 1141 strips away the RF leaving only a digital bit stream.
  • the signal then goes through the equalizer 1125 and is processed by the DSP 1105.
  • a Digital to Analog Converter (DAC) 1143 converts the signal and the resulting output is transmitted to the user through the speaker 1145, all under control of a Main Control Unit (MCU) 1103 which can be implemented as a Central Processing Unit (CPU) (not shown).
  • the MCU 1103 receives various signals including input signals from the keyboard 1147.
  • the keyboard 1147 and/or the MCU 1103 in combination with other user input components (e.g., the microphone 1111) comprise a user interface circuitry for managing user input.
  • the MCU 1103 runs a user interface software to facilitate user control of at least some functions of the mobile terminal 1 101 to accelerate authentication.
  • the MCU 1103 also delivers a display command and a switch command to the display 1107 and to the speech output switching controller, respectively.
  • the MCU 1103 exchanges information with the DSP 1105 and can access an optionally incorporated SIM card 1149 and a memory 1151.
  • the MCU 1103 executes various control functions required of the terminal.
  • the DSP 1105 may, depending upon the implementation, perform any of a variety of conventional digital processing functions on the voice signals. Additionally, DSP 1105 determines the background noise level of the local environment from the signals detected by microphone 1111 and sets the gain of microphone 1111 to a level selected to compensate for the natural tendency of the user of the mobile terminal 1101.
  • the CODEC 1113 includes the ADC 1123 and DAC 1143.
  • the memory 1151 stores various data including call incoming tone data and is capable of storing other data including music data received via, e.g., the global Internet.
  • the software module could reside in RAM memory, flash memory, registers, or any other form of writable storage medium known in the art.
  • the memory device 1151 may be, but not limited to, a single memory, CD, DVD, ROM, RAM, EEPROM, optical storage, magnetic disk storage, flash memory storage, or any other non-volatile storage medium capable of storing digital data.
  • An optionally incorporated SIM card 1149 carries, for instance, important information, such as the cellular phone number, the carrier supplying service, subscription details, and security information.
  • the SIM card 1149 serves primarily to identify the mobile terminal 1101 on a radio network.
  • the card 1149 also contains a memory for storing a personal telephone number registry, text messages, and user specific mobile terminal settings.

Abstract

An approach is provided for a navigation-based authentication process. A user and/or a user device can perform a sequence of navigation movements or interactions at a device (e.g., selecting certain icons, applications items such as contacts, etc.), which can be captured and then used to specify or input authentication credentials. Accordingly, to input authentication credentials, the user can repeat the sequence of navigation movements (e.g., moving within a UI and/or physically or virtually moving the device) at the device. In one embodiment, such input can substitute for typing a passcode or password at the device.

Description

METHOD AND APPARATUS
FOR NAVIGATION-BASED AUTHENTICATION
BACKGROUND
Service providers and device manufacturers (e.g., wireless, cellular, etc.) are continually challenged to deliver value and convenience to consumers by, for example, providing compelling network services. As security and privacy remain important concerns, user devices, applications and consumer network services require user authentication before providing access to the user device, content and services. For example, a user is prompted to fill in a username, a password and possibly other information on some dedicated authentication user interface in an authentication application. However, a user may need to complete such a process in a public space (e.g., shopping store, bus station, restaurant, etc.), which can expose the authentication information (e.g., user name, user account, user password, etc.) to others in close proximity or to those who are actively seeking to capture that information. Further, it may be difficult for some users to remember authentication information and/or write the information due to illiteracy, poor eyesight, shaky hands and the like. Accordingly, service providers and device manufacturers face significant technical challenges in enabling users to more easily perform security and authentication processes.
SOME EXAMPLE EMBODIMENTS
Therefore, there is a need for an approach for a navigation-based authentication process. According to one embodiment, a method comprises causing, at least in part, a capture of user interaction information with one or more applications associated with a device. The method also comprises processing and/or facilitating a processing of the user interaction information with the one or more applications to generate one or more authentication credentials, wherein the authentication credentials are for accessing one or more services, one or more resources, one or more applications, or a combination thereof.
According to another embodiment, an apparatus comprises at least one processor, and at least one memory including computer program code for one or more programs, the at least one memory and the computer program code configured to, with the at least one processor, cause, at least in part, a capture of user interaction information with one or more applications associated with a device. The apparatus is further caused to process and/or facilitate a processing of the user interaction information with the one or more applications to generate one or more authentication credentials, wherein the authentication credentials are for accessing one or more services, one or more resources, one or more applications, or a combination thereof.
According to another embodiment, a computer-readable storage medium carries one or more sequences of one or more instructions which, when executed by one or more processors, cause, at least in part, an apparatus to cause, at least in part, a capture of user interaction information with one or more applications associated with a device. The apparatus is further caused to process and/or facilitate a processing of the user interaction information with the one or more applications to generate one or more authentication credentials, wherein the authentication credentials are for accessing one or more services, one or more resources, one or more applications, or a combination thereof.
According to another embodiment, an apparatus comprises means for causing, at least in part, a capture of user interaction information with one or more applications associated with a device. The apparatus also comprises means for processing and/or facilitating a processing of the user interaction information with the one or more applications to generate one or more authentication credentials, wherein the authentication credentials are for accessing one or more services, one or more applications, one or more resources, or a combination thereof.
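The abstract and the embodiments above describe two steps: capturing an ordered sequence of navigation interactions (selecting icons, opening applications, moving the device) and processing that sequence into an authentication credential that the user later reproduces instead of typing a password. The Python below is an added illustration of one way to implement that processing on the device or service side; it is not code from the patent or from Nokia. The event schema (kind/target pairs), the minimum-length enrollment policy and the PBKDF2 parameters are assumptions made for the example, and the sample route is constructed.

```python
"""Deriving an authentication credential from a captured navigation sequence.

Added illustration, not code from the patent or from Nokia. The event
schema, the minimum-length policy and the PBKDF2 parameters are assumptions.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Iterable, List, Sequence, Tuple

# One captured navigation event: (kind, target). Hypothetical schema that
# covers both UI navigation ("open", "select") and device movement ("gesture").
NavEvent = Tuple[str, str]

MIN_EVENTS = 4               # assumed policy: shorter routes are too guessable to enroll
PBKDF2_ITERATIONS = 100_000  # assumed work factor


@dataclass(frozen=True)
class Verifier:
    """What the device or service stores: never the route itself."""
    salt: bytes
    digest: bytes


def canonicalize(events: Iterable[NavEvent]) -> bytes:
    """Serialize an ordered event sequence unambiguously.

    Every field is length-prefixed, so ("a", "b|c") and ("a|b", "c") cannot
    collide. Timing is dropped on purpose: the credential is the route taken,
    not how fast it was taken, so the user only has to repeat the movements.
    """
    out = bytearray()
    for kind, target in events:
        for field in (kind, target):
            data = field.encode("utf-8")
            out += len(data).to_bytes(4, "big") + data
    return bytes(out)


def enroll(events: Sequence[NavEvent]) -> Verifier:
    """Turn a captured sequence into a salted, stretched verifier."""
    if len(events) < MIN_EVENTS:
        raise ValueError(f"need at least {MIN_EVENTS} navigation events, got {len(events)}")
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", canonicalize(events), salt, PBKDF2_ITERATIONS)
    return Verifier(salt=salt, digest=digest)


def verify(events: Sequence[NavEvent], stored: Verifier) -> bool:
    """Check a repeated sequence against the stored verifier in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", canonicalize(events), stored.salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, stored.digest)


# Constructed sample route: open the contacts app, pick a contact, open the
# map, pan north, then tilt the device left.
SAMPLE_ROUTE: List[NavEvent] = [
    ("open", "contacts"),
    ("select", "contact:alice"),
    ("open", "maps"),
    ("pan", "north"),
    ("gesture", "tilt-left"),
]


def demo() -> dict:
    """Enroll the sample route and report which repetitions are accepted."""
    stored = enroll(SAMPLE_ROUTE)
    try:
        enroll(SAMPLE_ROUTE[:2])
        short_rejected = False
    except ValueError:
        short_rejected = True
    return {
        "replay": verify(SAMPLE_ROUTE, stored),           # same route: True
        "reordered": verify(SAMPLE_ROUTE[::-1], stored),  # same steps, wrong order: False
        "truncated": verify(SAMPLE_ROUTE[:-1], stored),   # one step missing: False
        "short_rejected": short_rejected,                 # 2-step route refused at enrollment: True
    }


if __name__ == "__main__":
    print(demo())
```

Only the salt and the stretched digest are stored, so a copied credential store does not reveal the route, and order matters because the canonical form preserves it. A route chosen from a small menu has far less entropy than a typed password, which is why the example refuses very short sequences at enrollment; the fixed threshold stands in for whatever entropy estimate a real deployment would apply.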
In addition, for various example embodiments of the invention, the following is applicable: a method comprising facilitating a processing of and/or processing (1) data and/or (2) information and/or (3) at least one signal, the (1) data and/or (2) information and/or (3) at least one signal based, at least in part, on (including derived at least in part from) any one or any combination of methods (or processes) disclosed in this application as relevant to any embodiment of the invention.
For various example embodiments of the invention, the following is also applicable: a method comprising facilitating access to at least one interface configured to allow access to at least one service, the at least one service configured to perform any one or any combination of network or service provider methods (or processes) disclosed in this application.
For various example embodiments of the invention, the following is also applicable: a method comprising facilitating creating and/or facilitating modifying (1) at least one device user interface element and/or (2) at least one device user interface functionality, the (1) at least one device user interface element and/or (2) at least one device user interface functionality based, at least in part, on data and/or information resulting from one or any combination of methods or processes disclosed in this application as relevant to any embodiment of the invention, and/or at least one signal resulting from one or any combination of methods (or processes) disclosed in this application as relevant to any embodiment of the invention.
For various example embodiments of the invention, the following is also applicable: a method comprising creating and/or modifying (1) at least one device user interface element and/or (2) at least one device user interface functionality, the (1) at least one device user interface element and/or (2) at least one device user interface functionality based at least in part on data and/or information resulting from one or any combination of methods (or processes) disclosed in this application as relevant to any embodiment of the invention, and/or at least one signal resulting from one or any combination of methods (or processes) disclosed in this application as relevant to any embodiment of the invention.
In various example embodiments, the methods (or processes) can be accomplished on the service provider side or on the mobile device side or in any shared way between service provider and mobile device with actions being performed on both sides.
For various example embodiments, the following is applicable: An apparatus comprising means for performing the method of any of originally filed claims 1-11, 24-34, and 39-41. Still other aspects, features, and advantages of the invention are readily apparent from the following detailed description, simply by illustrating a number of particular embodiments and implementations, including the best mode contemplated for carrying out the invention. The invention is also capable of other and different embodiments, and its several details can be modified in various obvious respects, all without departing from the spirit and scope of the invention. Accordingly, the drawings and description are to be regarded as illustrative in nature, and not as restrictive.
BRIEF DESCRIPTION OF THE DRAWINGS The embodiments of the invention are illustrated by way of example, and not by way of limitation, in the figures of the accompanying drawings:
FIG. 1 is a diagram of a system capable of navigation-based authentication, according to one embodiment;
FIG. 2 is a diagram of the components of user equipment capable of navigation-based authentication, according to one embodiment;
FIG. 3 is a diagram of the components of an authentication module, according to one embodiment;
FIGs. 4A-4C are flowcharts of processes for navigation-based authentication, according to one embodiment;
FIGs. 5A-5B are diagrams of user interface utilized in navigation-based authentication, according to various embodiments;
FIGs. 6A-6C are diagrams of user interfaces utilizing map application in navigation-based authentication, according to various embodiments;
FIGs. 7A-7C are diagrams showing navigation-based authentication utilizing example routing mechanisms, according to various embodiments;
FIG. 8 is a diagram showing navigation-based authentication utilizing virtual routing, according to various embodiments;
FIG. 9 is a diagram of hardware that can be used to implement an embodiment of the invention;
FIG. 10 is a diagram of a chip set that can be used to implement an embodiment of the invention; and
FIG. 11 is a diagram of a mobile terminal (e.g., handset) that can be used to implement an embodiment of the invention.
DESCRIPTION OF SOME EMBODIMENTS
Examples of a method, apparatus, and computer program are disclosed for navigation-based authentication. In the following description, for the purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the invention. It is apparent, however, to one skilled in the art that the embodiments of the invention may be practiced without these specific details or with an equivalent arrangement. In other instances, well-known structures and devices are shown in block diagram form in order to avoid unnecessarily obscuring the embodiments of the invention.
As used herein the term "authentication" refers to a process of determining whether someone or something (e.g., a user-device) is, in fact, who or what it claims to be. Authentication validates one or more pieces of information unique to a user (and/or a user-device) so that the user can be granted access to one or more protected resources. For example, in private and public computer networks (including the Internet), authentication is commonly done through the use of authentication credentials (e.g., logon user name, user account, user-device information, password, passcode, PIN, user-device identification number, serial number, etc.). Knowledge of the authentication credentials is assumed to assure that the user (and/or the user-device) is authentic. Initially, each user receives or creates authentication credentials (e.g., user name, account, password, etc.), and on each subsequent access the user must know and use the previously defined/accepted authentication credentials. However, the weakness of this authentication process for significant transactions (e.g., banking) can be serious, since a password may be stolen, accidentally revealed, or forgotten. In various scenarios, authentication processes require the input of confidential and/or private information, which users wish to keep from others by, at least, making it difficult for others (e.g., people nearby) to see and recognize it.
FIG. 1 is a diagram of a system capable of navigation-based authentication, according to one embodiment. In many instances, users need to present one or more authentication credentials in order to utilize and/or access different facilities, services, user devices and/or applications. However, as the users may need to perform the authentication process while in physical environments with limited or no privacy (e.g., public places), they can be exposed to attacks such as shoulder surfing and peripheral-presence attacks. Further, as passwords usually are text based (e.g., alphanumeric characters), they can be easy for others to view and remember. Furthermore, masking a password on screen (e.g., with "*", "#", "-", etc.) has limited effectiveness, since the user's interaction with a keypad on a device can easily be viewed and reproduced. Moreover, a user may not be familiar with some aspects of an authentication process (e.g., passwords, PIN codes, account numbers, etc.). For example, many users in emerging markets are not familiar and/or comfortable with the concept of a password, which may be new to them, although they may be familiar with the concept of an identification number, account number, etc. Thus, users can benefit from a more secure, discreet and user-friendly method for completing an authentication process and gaining access to a targeted facility, service, application, device and the like.
To address this problem, the system 100 of FIG. 1 introduces the capability for navigation-based (e.g., user interface (UI), physical and/or virtual) authentication. In other words, a sequence of navigation movements or interactions at a device (e.g., selecting certain icons, application items such as contacts, etc.) can be captured and then used to specify or input authentication credentials. Accordingly, to input authentication credentials, the user can repeat the sequence of navigation movements (e.g., moving within a UI and/or physically or virtually moving the device) at the device. In one embodiment, such input can substitute for typing, e.g., a passcode or password at the device. For example, authentication processes traditionally require a user to provide one or more pieces of user information (e.g., by typing or keying in a password) in order to become authenticated and gain access to restricted resources. However, as mentioned above, there can be issues when a user is trying to interface with an authentication process (e.g., privacy, familiarity with the process, etc.) which can create risks for the user and/or the targeted resource. The various embodiments of the proposed solutions provide methods whereby navigation in a user interface of a user device (e.g., user interactions or movements in an operating system and/or application user interface), in the physical world (e.g., a user driving or walking on a certain path) and/or in a virtual environment (e.g., navigation on a map application on a user device) can be utilized, at least in part, for authenticating the user and/or the user device. In one embodiment, the system 100 processes the navigation movements and/or related information to generate credentials (e.g., a passcode) for authenticating the user or the user's device.
It is contemplated that such navigation provides a less noticeable means for specifying authentication credentials, thereby reducing the risk that such credentials will be copied or observed by others. For example, navigation through the user interface of a device may make it appear that the user is merely using the device in a normal way, rather than inputting authentication credentials. Accordingly, this act might not prompt an intruder/attacker to pay closer attention to the process. In some embodiments, the target application/service is not disclosed until the authentication (e.g., the sequence of navigation movements) has been completed, to further increase the difficulty for the intruder/attacker of observing the authentication credentials or the application/service for which the credentials are intended. Although various embodiments are discussed with respect to navigation-based authentication, it is contemplated that the various embodiments are applicable to other forms of authentication such as context-based, location-based, user-device-orientation-based and the like. In one embodiment, the system 100 supports network operators, users, user devices and/or service platforms in authenticating users and user devices by utilizing navigation-based information in performing user and/or user device authentication.
By way of example, in UI navigation, a user navigates/moves through a user device's UI environment (e.g., selects and utilizes one or more applications, folders, display screens, lists, documents and the like) in a sequence. For example, a user via a user device UI selects a drawing application, an email application, a document, an internet browser application, a phonebook and the like, in a particular sequence. Further, in physical navigation, a user with a user device walks, drives or otherwise moves from one physical location to another utilizing one or more paths/routes under one or more conditions (e.g., speed, direction, time of day and the like), which the user device, the communication network and/or a services platform can track/log for further use in an authentication process. For example, a user drives from home to the user's bank or office through a city using a particular route, speed, direction, etc. Furthermore, in virtual navigation, a user can utilize one or more applications on a user device to track/move from one point to another. For example, a user utilizes a map application and traces on a map (e.g., with a finger or a stylus) a path from a particular point to another (e.g., from the user's office to the user's bank).
FIG. 1 is a diagram of a system 100 capable of a navigation-based authentication process, according to one embodiment. Many consumer devices, applications and/or services platforms 113a-113n (collectively referenced hereinafter as services platform 113) request user authentication for providing access to one or more, at least in part, restricted resources such as user devices, user specific applications, content and/or services. A user is prompted to fill in a username, a password and possibly other information, together constituting user credentials, on some dedicated authentication user interface (UI) in authentication module 111 or one or more of applications 103 (e.g., browser, maps, etc.) on user equipment 101. When the user has provided all such information, for example, the authentication module 111 and/or applications 103 can cause, at least in part, a transformation of the information and/or submission of the information in a communication channel over the communication network 105, either directly or indirectly to one or more services platform 113. Further, the authentication module 111 can verify the information against an authentication data store 121, such as a database. If successful, the authentication module 111, at least in part, causes user and/or user device access to UE 101 and/or one or more services platform 113. In some embodiments, one or more functions of the authentication service 117 are accessed through the authentication module 111 and/or one or more UE 101 applications 103. The authentication module 111 can be implemented, partially or completely, in one or more services platform 113, and/or in any other components accessible via the communication network 105.
In one embodiment, the authentication module 111, one or more other UE 101 applications and/or modules track and log a user's navigation/actions on the UE 101 (e.g., via a user interface, map application, etc.) in order to utilize the logged information in determining one or more valid authentication credentials for the user. In one example, a user navigates and selects (e.g., touch, click) one or more icons/virtual items on a UE 101 UI wherein the selections and sequence of the selections are based on one or more predefined parameters, which were defined/accepted by the user, services platform 113, communication network 105 or a combination thereof.
In an example scenario, John wants to access his bank account at the services platform 113 while waiting in line at a supermarket and activates navigation-based authentication on his user device. John's authentication is based on selecting four specific icons on his user device's UI, and in a particular sequence. John has to select/highlight the icons of four applications: email, camera, phonebook and web browser in that order. While John is navigating through the UI, the authentication module 111 and/or one or more applications on the UE 101 log the navigation information. Further, the authentication module 111 compares the logged navigation information to predefined authentication information (e.g., at authentication data store 121) identified for accessing John's bank account information. If the logged information substantially matches the predefined information, then the authentication module 111 creates one or more authentication credentials which can be submitted to the services platform 113 and/or applications 103 (e.g., a banking application).
In another embodiment, the user accesses the UI on the UE 101 and manipulates one or more characteristics of the UI, for example, moves/rearranges one or more icons in a predefined manner and sequence. In another embodiment, the user selects one or more icons/items in a list of icons/items whereby the placement of the selected icons/items (e.g., first, second, fourth, etc.) signifies one or more characteristics, which can be used by the authentication module 111 for determining the one or more authentication credentials. In another embodiment, one or more characters (e.g., alphabet letters) present in the name of an icon/item can be utilized by the authentication module 111. For example, the following sequence of letters in the names of selected icons: first letter of the first icon, second letter of the third icon, third letter of the fourth icon and the like can be predefined as the information required by the authentication module 111. In another embodiment, the UE 101 and/or one or more applications/modules on the UE 101 can cause a request for navigation-based authentication when the user attempts to access one or more restricted applications, a restricted area of the UE 101 and/or services at the services platform 113 or the communication network 105 which require authentication.
In one embodiment, the authentication module 111, one or more other UE 101 applications and/or modules track and log a user's physical navigation (e.g., via a location module, GPS, etc.) and one or more other characteristics (e.g., speed, direction, time of day, etc.) during the navigation in order to utilize the logged information in determining one or more valid authentication credentials for the user. In one example, a user navigates from point A (e.g., the user's home) to point B (e.g., the user's bank) along a predefined path/route (e.g., in a city) at a predefined speed, direction and time of day, wherein the navigation information is logged and utilized by the authentication module 111.
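The UI-navigation scheme above (John's four-icon sequence, and the variant that picks letters out of the selected icons' names) leaves open how the "predefined authentication information" is stored and compared. The following is an added example, not code from the patent or from Nokia, showing how a practitioner would implement the log-compare-issue step: the reference sequence is kept only as a salted PBKDF2 verifier, the comparison is constant-time, and the credential handed to the bank is derived from the verified sequence rather than being the stored verifier itself. The icon names, the letter-position rule, the iteration count and the salt are constructed for illustration.

```python
"""Navigation-sequence verifier: added example, not Nokia's code.

Models the UI-navigation authentication described in the text: the
device logs the icons the user selects, canonicalises the sequence and
compares it against a stored reference.  Two choices the patent text
leaves open are assumed here:
  * the reference is stored as a salted PBKDF2 hash, not as the plain
    icon sequence, so a dump of the authentication data store does not
    reveal the navigation "password";
  * the comparison is constant-time, and the credential for the target
    service is HMAC-derived from the verified value, so the stored
    verifier and the submitted credential are different byte strings.
"""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000  # assumption: tune to the device's CPU budget


def canonicalise(selections):
    """Turn a logged selection sequence into a stable byte string.

    Case and surrounding whitespace are normalised so a relabelled icon
    ("Email" vs "email") does not silently lock the user out; the order is
    preserved because the text makes the sequence part of the secret.
    """
    names = [s.strip().lower() for s in selections]
    if any(not n or "\x1f" in n for n in names):
        raise ValueError("invalid icon name")
    return "\x1f".join(names).encode("utf-8")


def letters_from_names(selections, rule):
    """Variant from the text: pick characters out of the selected icons' names.

    `rule` is a list of (icon_index, letter_index) pairs, both 0-based;
    [(0, 0), (2, 1), (3, 2)] means first letter of the first icon, second
    letter of the third icon, third letter of the fourth icon.
    """
    names = [s.strip().lower() for s in selections]
    out = []
    for icon_i, letter_i in rule:
        if icon_i >= len(names) or letter_i >= len(names[icon_i]):
            raise ValueError("rule points outside the selected sequence")
        out.append(names[icon_i][letter_i])
    return "".join(out)


def enrol(selections, salt=None):
    """Enrolment: create the stored verifier for a navigation sequence."""
    salt = salt or os.urandom(16)
    verifier = hashlib.pbkdf2_hmac(
        "sha256", canonicalise(selections), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "verifier": verifier}


def verify_and_issue(selections, record, service_id):
    """Compare the logged sequence against the stored verifier.

    Returns a per-service credential (32 bytes) on success, None on failure.
    """
    candidate = hashlib.pbkdf2_hmac(
        "sha256", canonicalise(selections), record["salt"], PBKDF2_ITERATIONS)
    if not hmac.compare_digest(candidate, record["verifier"]):
        return None
    # Derive a service-specific credential so the bank never receives the
    # verifier itself and credentials for different services differ.
    return hmac.new(candidate, b"nav-auth:" + service_id.encode("utf-8"),
                    hashlib.sha256).digest()


if __name__ == "__main__":
    # Constructed walk-through of John's scenario.
    rec = enrol(["Email", "Camera", "Phonebook", "Web Browser"])
    ok = verify_and_issue(["email", "camera", "phonebook", "web browser"], rec, "bank")
    wrong_order = verify_and_issue(["camera", "email", "phonebook", "web browser"], rec, "bank")
    print("correct sequence accepted:", ok is not None)
    print("wrong order rejected:", wrong_order is None)
    print("letters variant:", letters_from_names(
        ["email", "camera", "phonebook", "browser"], [(0, 0), (2, 1), (3, 2)]))
```

Note that "substantially matches" in the text cannot be implemented on top of a hash: either the canonical sequence is exactly the enrolled one or the verifier does not match, which is why the canonicalisation step (case folding, trimming) has to absorb whatever tolerance is wanted before hashing.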
In various embodiments, a user may or may not have visited/travelled on particular routes/paths, but can be presented with a map application of one or more areas (e.g., close to home, hobby, work, etc.) familiar to the user. In one scenario, the navigation-based authentication process requires capture of navigation information for generating a password and/or validating a user, whereby the user is prompted to provide the information by utilizing a map application presented on the display of the UE 101. Further, the user selects/traces/highlights (e.g., by moving a finger on a touchscreen display, selecting places, moving a cursor, etc.) a route (e.g., along a street, a road, a path, etc.) shown on the map. As a result, one or more line segments are shown on the display, and additionally, the selected route information is logged/recorded (e.g., by the data collection module 107) for further use by one or more applications/modules on the UE 101. In one embodiment, the movement of the finger need not be a continuous touch during the process of generating the password; the user is given the possibility to lift the finger for a moment to decide whether to select, e.g., the next turn or to continue forward on the current path. In one embodiment, there are one or more limits on one or more characteristics of the path (e.g., turns, length, distance, selection of places on the path, time, etc.) for concluding the password. In one scenario, the user is given a notice in the form of a progress bar to complete the password in a given amount of time. In one embodiment the time and the strength of the password are shown in the same progress bar; for example, when the user has 20 s to complete the password, the color of the progress bar may change (e.g., from red to green) within 15 s (i.e., before expiration of the 20 s completion time) to indicate the strength of the password, whereby a more efficient use of the display area is realized.
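The map-trace password described above has to be reduced to something stable before it can be hashed and compared: a finger trace is noisy, may be lifted and resumed, and the text wants limits on turns, length and time plus a combined progress/strength indicator. The following is an added example, not code from the patent or from Nokia, showing one way to canonicalise such a trace into a left/right/U-turn string and to compute the limit and strength checks. Coordinates are map units with x pointing east and y pointing north; the jitter threshold, the angle bands, the turn limits, the entropy estimate and the colour bands are all assumptions chosen for illustration. The resulting turn string would then be enrolled and verified with a salted hash exactly like a typed password.

```python
"""Map-trace canonicalisation: added example, not Nokia's code.

Turns one or more finger strokes on a map into a canonical string of
turn symbols and evaluates the limits and the progress/strength bar
described in the text.  All thresholds are assumptions.
"""
import math

MIN_STEP = 5.0            # assumption: ignore jitter shorter than this (map units)
STRAIGHT_TOL_DEG = 20.0   # assumption: heading changes below this are "keep going"
UTURN_DEG = 150.0         # assumption: heading changes above this count as a U-turn
TIME_LIMIT_S = 20.0       # from the text: 20 s to complete the password
MIN_TURNS, MAX_TURNS = 4, 12   # assumption: limits on path complexity
AMBER_BITS = 12.0         # assumption: below this the bar is amber, above it green


def _simplify(points):
    """Drop points closer than MIN_STEP to the last kept point (finger jitter)."""
    kept = []
    for p in points:
        if not kept or math.dist(kept[-1], p) >= MIN_STEP:
            kept.append(p)
    return kept


def trace_to_turns(strokes):
    """Canonicalise strokes into a string over {L, R, U}.

    `strokes` is a list of strokes, each a list of (x, y) points.  Lifting
    the finger and continuing is modelled by concatenating the strokes.
    Straight continuation produces no symbol, so small wobbles along a
    road do not change the result; a left turn is a counter-clockwise
    heading change in the east/north frame.
    """
    pts = _simplify([p for stroke in strokes for p in stroke])
    if len(pts) < 2:
        return ""
    headings = [math.degrees(math.atan2(b[1] - a[1], b[0] - a[0]))
                for a, b in zip(pts, pts[1:])]
    out = []
    for h0, h1 in zip(headings, headings[1:]):
        d = (h1 - h0 + 180.0) % 360.0 - 180.0   # normalise to [-180, 180)
        if abs(d) < STRAIGHT_TOL_DEG:
            continue
        out.append("U" if abs(d) > UTURN_DEG else ("L" if d > 0 else "R"))
    return "".join(out)


def path_length(strokes):
    """Total traced length after jitter removal (for a length limit)."""
    pts = _simplify([p for stroke in strokes for p in stroke])
    return sum(math.dist(a, b) for a, b in zip(pts, pts[1:]))


def strength_bits(turns):
    """Crude entropy estimate: each recorded turn is one of three symbols.

    This over-counts when the map offers fewer choices at a junction and
    ignores straight-through decisions, so treat it as a UI hint only.
    """
    return len(turns) * math.log2(3)


def session_state(strokes, elapsed_s):
    """What the combined progress/strength bar would show at elapsed_s seconds."""
    turns = trace_to_turns(strokes)
    bits = strength_bits(turns)
    expired = elapsed_s > TIME_LIMIT_S
    if expired or len(turns) < MIN_TURNS:
        colour = "red"
    elif bits < AMBER_BITS:
        colour = "amber"
    else:
        colour = "green"
    return {
        "turns": turns,
        "bits": round(bits, 1),
        "length": round(path_length(strokes), 1),
        "remaining_s": max(0.0, TIME_LIMIT_S - elapsed_s),
        "expired": expired,
        "colour": colour,
        "accepted": not expired and MIN_TURNS <= len(turns) <= MAX_TURNS,
    }


if __name__ == "__main__":
    # Constructed trace: east, north, (finger lifted), west, north, east.
    strokes = [[(0, 0), (1, 1), (100, 0), (100, 100)],
               [(100, 100), (0, 100), (0, 200), (100, 200)]]
    print(session_state(strokes, elapsed_s=10.0))
```

The canonical turn string, not the raw coordinate list, is what gets hashed: two traces of the same route that differ only in jitter, finger lifts or sampling rate must collapse to the same bytes, otherwise the user can never reproduce their own password.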
In other embodiments, the indication of allowed and/or remaining time and the strength of a password can be shown in one or more different ways (e.g., separately, combined with one or more other indicators/parameters, etc.). In various embodiments, a user may be asked to confirm a password when creating a new password or changing an old password. Further, a user, one or more applications, or one or more services platforms can request and/or cause a change from a "number" based password/passcode to a navigation-based/map-application-based password or vice versa. In one embodiment, the UI of a user device may indicate the password setting by prompting the user to select input of the password from either the keyboard or the map application. During login to the service, the service then presents the map application for entering the password if the user has set a map-application-based password. In a further embodiment, during login to a service a user can enter the password in the form of the names of the POIs contained in the set password.
As shown in FIG. 1, the system 100 comprises user equipment (UE) 101 having connectivity to services platform 113 and authentication service 117 (if the authentication service/module is, at least in part, implemented on another component) via a communication network 105. By way of example, the communication network 105 of system 100 includes one or more networks such as a data network (not shown), a wireless network (not shown), a telephony network (not shown), or any combination thereof. It is contemplated that the data network may be any local area network (LAN), metropolitan area network (MAN), wide area network (WAN), a public data network (e.g., the Internet), short range wireless network, or any other suitable packet-switched network, such as a commercially owned, proprietary packet-switched network, e.g., a proprietary cable or fiber-optic network, and the like, or any combination thereof.
In addition, the wireless network may be, for example, a cellular network and may employ various technologies including enhanced data rates for global evolution (EDGE), general packet radio service (GPRS), global system for mobile communications (GSM), Internet protocol multimedia subsystem (IMS), universal mobile telecommunications system (UMTS), etc., as well as any other suitable wireless medium, e.g., worldwide interoperability for microwave access (WiMAX), Long Term Evolution (LTE) networks, code division multiple access (CDMA), wideband code division multiple access (WCDMA), wireless fidelity (WiFi), wireless LAN (WLAN), Bluetooth®, Internet Protocol (IP) data casting, satellite, mobile ad-hoc network (MANET), and the like, or any combination thereof. The UE 101 is any type of mobile terminal, fixed terminal, or portable terminal including a mobile handset, station, unit, device, multimedia computer, multimedia tablet, Internet node, communicator, desktop computer, laptop computer, notebook computer, netbook computer, tablet computer, personal communication system (PCS) device, personal navigation device, personal digital assistants (PDAs), audio/video player, digital camera/camcorder, positioning device, television receiver, radio broadcast receiver, electronic book device, game device, or any combination thereof, including the accessories and peripherals of these devices, or any combination thereof. It is also contemplated that the UE 101 can support any type of interface to the user (such as "wearable" circuitry, etc.).
By way of example, the UE 101 and services platform 113 communicate with each other and other components of the communication network 105 using well known, new or still developing protocols. In this context, a protocol includes a set of rules defining how the network nodes within the communication network 105 interact with each other based on information sent over the communication links. The protocols are effective at different layers of operation within each node, from generating and receiving physical signals of various types, to selecting a link for transferring those signals, to the format of information indicated by those signals, to identifying which software application executing on a computer system sends or receives the information. The conceptually different layers of protocols for exchanging information over a network are described in the Open Systems Interconnection (OSI) Reference Model.
Communications between the network nodes are typically effected by exchanging discrete packets of data. Each packet typically comprises (1) header information associated with a particular protocol, and (2) payload information that follows the header information and contains information that may be processed independently of that particular protocol. In some protocols, the packet includes (3) trailer information following the payload and indicating the end of the payload information. The header includes information such as the source of the packet, its destination, the length of the payload, and other properties used by the protocol. Often, the data in the payload for the particular protocol includes a header and payload for a different protocol associated with a different, higher layer of the OSI Reference Model. The header for a particular protocol typically indicates a type for the next protocol contained in its payload. The higher layer protocol is said to be encapsulated in the lower layer protocol. For example, the TLS protocol carries encrypted payloads and is itself encapsulated in the Transmission Control Protocol (TCP). The headers included in a packet traversing multiple heterogeneous networks, such as the Internet, typically include a physical (layer 1) header, a data-link (layer 2) header, an internetwork (layer 3) header and a transport (layer 4) header, and various application headers (layer 5, layer 6 and layer 7) as defined by the OSI Reference Model.
Processes executing on various devices often communicate using the widely known and used client-server model of network communications. According to the client-server model, a client process sends in one or more data packets a message including a request to a server process (also called a service), and the server process responds by providing a service. The server process may also return a message with a response to the client process.
Often the client process and server process execute on different computer devices, called hosts, and communicate via a network using one or more protocols for network communications. The term "server" is conventionally used to refer to the process that provides the service, or the host on which the process operates. Similarly, the term "client" is conventionally used to refer to the process that makes the request, or the host on which the process operates. As used herein, the terms "client" and "server" and "service" refer to the processes, rather than the hosts, unless otherwise clear from the context. In addition, the process performed by a server can be broken up to run as multiple processes on multiple hosts (sometimes called tiers) for reasons that include reliability, scalability, and redundancy, among others. A well-known client process available on most devices (called nodes) connected to a communications network is a World Wide Web client (called a "web browser," or simply "browser") that interacts through messages formatted according to the hypertext transfer protocol (HTTP) with any of a large number of servers called World Wide Web (WWW) servers that provide web pages.
As depicted in FIG. 1, the UE 101 at least includes applications 103 (e.g., browser, maps, contacts, calendar, etc.), data collection module 107 (e.g., profile information, use history, preferences, etc.), context sensors (GPS, compass, temperature sensor, location sensor, etc.) and authentication module 111 that interact with one or more of the services platform 113 and communication network 105.
By way of example, the applications and modules of the UE 101 include one or more components for providing navigation-based authentication. It is contemplated that the functions of these components may be combined in one or more components or performed by other components of equivalent functionality, on the same or different hosts connected to the communication network 105.
Although the UE 101, authentication data store 121, services platform 113, user profile data store 115 and authentication service 117 are shown as integral blocks in a particular arrangement at particular nodes of the communication network 105 for purposes of illustration, in other embodiments, one or more processes, components or data structures, or portions thereof, are arranged in a different order on the same or a different number of nodes connected to each other and/or to the communication network 105.
FIG. 2 is a diagram of the components of user equipment capable of secure authentication, according to one embodiment. By way of example, a UE 101 includes one or more components for a secure authentication process. It is contemplated that the functions of these components may be combined in one or more components or performed by other components of equivalent functionality. In this embodiment, the UE 101 includes a data collection module 107 that, for example, may include one or more location modules 201, magnetometer modules 203, accelerometer modules 205 and environmental sensor modules 207. The UE 101 can also include an authentication module 111 to execute/manage one or more authentication processes, a runtime module 209 to coordinate the use of other components of the UE 101, a user interface 211, a communication interface 213, a context processing module 215, and memory 217. The authentication module 111 can execute/manage one or more authentication processes while running on the runtime module 209 utilizing one or more components/applications of the UE 101.
The location module 201 can determine a user's location. The user's location can be determined by a positioning system such as GPS, assisted GPS (A-GPS), Cell of Origin, or other location extrapolation technologies. Standard GPS and A-GPS systems can use satellites 119 to pinpoint the location of a UE 101. A Cell of Origin system can be used to determine the cellular tower that a cellular UE 101 is synchronized with. This information provides a coarse location of the UE 101 because the cellular tower can have a unique cellular identifier (cell-ID) that can be geographically mapped. The location module 201 may also utilize multiple technologies to detect the location of the UE 101. Location coordinates (e.g., GPS coordinates) can give finer detail as to the location of the UE 101 when media is captured. In one embodiment, GPS coordinates are stored as context information in the memory 217 and are transmitted/presented to the authentication module 111 via, for example, the communication interface 213 and/or the runtime module 209. Moreover, in certain embodiments, the GPS coordinates can include an altitude to provide a height. In other embodiments, the altitude can be determined using another type of altimeter. In certain embodiments, the location module 201 can be a means for determining a location of the UE 101 or of an image, or can be used to associate an object in view with a location.
The magnetometer module 203 can be used in finding horizontal orientation of the UE 101. A magnetometer is an instrument that can measure the strength and/or direction of a magnetic field. Using the same approach as a compass, the magnetometer is capable of determining the direction of a UE 101 using the magnetic field of the Earth. The front of a media capture device (e.g., a camera) can be marked as a reference point in determining direction. Thus, if the magnetic field points north compared to the reference point, the angle the UE 101 reference point is from the magnetic field is known. Simple calculations can be made to determine the direction of the UE 101. In one embodiment, horizontal directional data obtained from a magnetometer can be stored in memory 217 and/or transmitted via the communication interface 213 to the context processing module 215.
The accelerometer module 205 can be used to determine vertical orientation of the UE 101. An accelerometer is an instrument that can measure acceleration. Using a three-axis accelerometer, with axes X, Y, and Z, provides the acceleration in three directions with known angles. Once again, the front of a media capture device can be marked as a reference point in determining direction. Because the acceleration due to gravity is known, when a UE 101 is stationary, the accelerometer module 205 can determine the angle the UE 101 is pointed as compared to Earth's gravity. In one embodiment, vertical directional data obtained from an accelerometer is embedded into the metadata of captured or streaming media or otherwise associated with the UE 101 by the location services application 109. In certain embodiments, the magnetometer module 203 and accelerometer module 205 can be means for ascertaining a perspective of a user. This perspective information may be stored in the memory 217 and sent to the context processing module 215.
Moreover, the environmental sensor module 207 can determine atmospheric conditions surrounding the UE 101. Such atmospheric conditions may include humidity, temperature, body temperature of the user, other biometric data of the user, etc. Once again, this information can be stored in the memory 217 and sent to the context processing module 215. In certain embodiments, information collected by the data collection module 107 can be retrieved by the runtime module 209 and stored in memory 217. Then, periodically, the information can be transmitted to the context processing module 215.
In one embodiment, the communication interface 213 can be used to communicate with the one or more services platform 113. Certain communications can be via methods such as an internet protocol, messaging (e.g., SMS, MMS, etc.), or any other communication method (e.g., via the communication network 105). In some examples, the UE 101 can send context information associated with the UE 101 to the services platform 113. In other examples, the user can utilize a user interface 211 to generate a request for one or more services from one or more services platform 113. The user interface 211 can include various methods of communication. For example, the user interface 211 can have outputs including a visual component (e.g., a screen), an audio component, a physical component (e.g., vibrations), and other methods of communication. User inputs can include a touch-screen interface, a scroll-and-click interface, a button interface, a microphone, etc. Input can be via one or more methods such as voice input, textual input, typed input, typed touch-screen input, other touch-enabled input, etc. In certain embodiments, the user interface 211 and/or runtime module 209 can be means for causing presentation of one or more applications, programs and the like for processing secure authentication methods.
The context processing module 215 may be utilized in determining context information from the data collection module 107 and/or applications 113 executing on the runtime module 209. This information may be caused to be transmitted, via the communication interface 213 and/or the runtime module 209, to the authentication module 111. The context processing module 215 may additionally be utilized as a means for determining groups based on input criteria and received context information associated with other UEs 101. In certain embodiments, the context processing module 215 can infer higher level context information from the context data, such as favorite locations, significant places, common activities, etc.
FIG. 3 is a diagram of the components of an authentication module, according to one embodiment. By way of example, an authentication module 111 includes one or more components for a secure authentication process. It is contemplated that the functions of these components may be combined in one or more components or performed by other components of equivalent functionality. In this embodiment, the authentication module 111 includes a communication interface 301, password building engine 303, comparison engine 305 and encryption/decryption engine 307. Further, the authentication module 111 can include and/or interface with a password database 309 and location context profile 311.
In one embodiment, the communication interface 301 can be used to communicate with one or more UE 101 applications/modules and/or one or more services platforms 113. Certain communications can be via methods such as an internet protocol, messaging (e.g., SMS, MMS, etc.), or any other communication method (e.g., via the communication network 105) or via a UE 101 local communication bus/protocol with one or more applications/modules of the UE 101 (e.g., data collection module 107).
The password building engine (PBE) 303 can receive information from the UE 101, the services platform 113 and/or one or more network components of the communication network 105 to, at least in part, build one or more passwords. The information may include, for instance, navigation movements and/or related information collected for specifying, generating, validating, and the like, one or more authentication credentials. In one embodiment, the PBE 303 can receive information from the user interface 211, context processing module 215 and the data collection module 107 to process and build one or more passwords to be utilized by the user and/or UE 101. The comparison engine 305 can receive one or more passwords from the PBE 303 and compare them to, for example, one or more passwords available at the password database 309. In another example, the comparison engine 305 can receive one or more passwords from one or more applications/modules of UE 101 and compare them to one or more passwords available at the password database 309. In one embodiment, the one or more passwords can be generated based, at least in part, on the navigation movements in the UI of the UE 101, navigation within a physical and/or virtual space determined at the UE 101, and the like, as discussed with respect to the various embodiments described herein.
The encryption/decryption engine 307 can utilize one or more algorithms to encrypt or decrypt one or more passwords received from, for example, the PBE 303, one or more applications/modules of UE 101, the password database 309 and/or the like, and to present the result to the same.
FIGs. 4A-4C are flowcharts of processes for a navigation-based authentication process, according to one embodiment.
FIG. 4A is a flowchart of a process for capturing and processing user interaction with a user device, according to one embodiment. In one embodiment, the authentication module 111 and/or an application 103 of the UE 101 performs the process 400 and is implemented in, for instance, a chip set including a processor and a memory as shown in FIG. 10. As such, the authentication module 111 and/or an application 103 of the UE 101 can provide means for accomplishing various parts of the process 400 as well as means for accomplishing other processes in conjunction with other components of the system 100. Throughout this process, the authentication module 111 is referred to as completing various portions of the process 400; however, it is understood that other applications/modules, for example, in the UE 101 can perform some of and/or all of the process steps. In step 401, information on one or more user interactions with one or more applications associated with a device is captured. In one embodiment, one or more applications and/or modules of UE 101 capture a user interacting with the UE 101, for example, via the user interface 211. For example, a user touches a touch screen display of the UE 101 and/or utilizes another user interface portion of the UE 101 (e.g., a keypad) in order to interact with/utilize one or more applications 103 of the UE 101.
In step 403, the authentication module processes and/or facilitates a processing of the user interaction information to generate one or more authentication credentials for the user and/or the UE 101 for utilization in various scenarios. In one embodiment, the UE 101 requires one or more credentials in order for the user to be able to utilize/access the UE 101. In another embodiment, one or more applications on UE 101 require one or more credentials in order for the user to be able to utilize/access the one or more applications. In yet another embodiment, one or more services at one or more services platforms 113 require one or more credentials in order for the user to be able to utilize/access the one or more services at the one or more services platforms 113. In another embodiment, the communication network 105 requires one or more credentials in order for the user to be able to utilize/access the communication network 105. In step 405, another one or more inputs that at least substantially match the user interaction information are captured. In one embodiment, the user is prompted to continue interacting with the UE 101 in order to capture one or more additional pieces of interaction information which can be used in the authentication process. For example, the user can select one or more applications, one or more areas/points on the user interface (e.g., touch, click, keypad access, etc.), which can be added to the previous one or more pieces of interaction information.
In step 407, the one or more authentication credentials based, at least in part, on the one or more inputs are utilized to access one or more services, one or more applications, one or more resources, or a combination thereof. In one embodiment, the authentication module utilizes the one or more captured interactions with one or more applications for determining one or more user credentials which can be utilized when trying to access, for example, one or more services, one or more applications, one or more resources, or a combination thereof, which may be on the UE 101, at the services platform 113 and/or on the communication network 105. For example, the credentials can be used for accessing one or more restricted/protected/secured areas/applications on the UE 101 (e.g., a personal data list, a restricted application, etc.), one or more services at the one or more services platforms 113 (e.g., an online shopping account, a credit card account, etc.) and/or resources/components on the communication network 105 (e.g., access to a server, access to a data bank, etc.). In step 409, the user interaction information includes, at least in part, a sequence of one or more user actions, one or more device actions, or a combination thereof, and wherein the one or more inputs at least substantially match at least a portion of the sequence. In one embodiment, the user substantially sequentially selects (e.g., touches/clicks on a corresponding icon) one or more applications, areas, points, data and the like on the UE 101. Additionally, the sequence of the user actions is substantially according to a predetermined sequence.
In step 411, the one or more user actions, the one or more device actions, or a combination thereof include, at least in part: (a) one or more navigation actions within a user interface of the device, within an application of the device, or a combination thereof; (b) one or more virtual movements of the device; (c) one or more physical movements of the device; (d) orientation information of the device; (e) direction information of the device; (f) speed information associated with the one or more device actions; or (g) a combination thereof.
FIG. 4B is a flowchart of a process for capturing and processing user navigation and an authentication request, according to one embodiment. In one embodiment, the authentication module 111 and/or an application 103 of the UE 101 performs the process 440 and is implemented in, for instance, a chip set including a processor and a memory as shown in FIG. 10. As such, the authentication module 111 and/or an application 103 of the UE 101 can provide means for accomplishing various parts of the process 440 as well as means for accomplishing other processes in conjunction with other components of the system 100. Throughout this process, the authentication module 111 is referred to as completing various portions of the process 440; however, it is understood that other applications/modules, for example, in the UE 101 can perform some of and/or all of the process steps.
In step 441, the one or more virtual movements, the one or more physical movements, the speed information, or a combination thereof are determined based, at least in part, on one or more location-based applications. In one embodiment, one or more applications 103, data collection module 107, context sensors 109 and/or the authentication module 111 capture one or more pieces of information to be utilized, at least in part, in determining one or more authentication credentials. In one embodiment, a global positioning system (GPS) and one or more applications 103 and/or data collection module 107 can, at least in part, determine user/user-device speed and/or location which can be utilized, at least in part, in determining one or more user/user-device credentials. For example, the speed (e.g., walking, running, driving, etc.) and location of the user/user-device can be used, at least in part, in determining authentication credentials for accessing a user application on the UE 101.
In step 443, at least one identifier, a portion of the at least one identifier, or a combination thereof associated with the one or more device actions are determined wherein the one or more authentication credentials are further based, at least in part, on the at least one identifier, the portion of the at least one identifier, or a combination thereof.
In step 445, progress status information during the capture of the user interaction information, the other capture of the one or more inputs, or a combination thereof is presented. In one embodiment, the progress of the authentication process is presented in the form of, for example, process steps remaining, process steps completed, percentage of the process completed and/or remaining, and the like. In step 447, one or more authentication requests are received. In various embodiments, the authentication request is caused when the user attempts to access/utilize the user device UE 101, one or more applications 103 on the UE 101, and one or more services at the services platform 113 and/or the communication network 105. For example, the user may wish to access a bank account at or via the services platform 113 by launching/executing one or more applications 103 on UE 101, which causes a request for an authentication (e.g., via the authentication module 111). In another example, the user wishes to access one or more restricted/protected areas, applications, procedures, or modules on the UE 101, which causes a request for the authentication.
In step 449, capture of the user interaction information, the other capture of the one or more inputs, the presentation of the one or more authentication credentials, or a combination thereof is initiated based, at least in part, on the one or more authentication requests. In one embodiment, in response to the one or more requests at step 447, one or more authentication processes are caused, for example, by one or more applications 103 and/or the authentication module 111.
In step 451, the one or more authentication requests are received from at least one of a user, a user device application, a service platform, a network component, or a combination thereof. In various embodiments, one or more authentication requests can be caused, at least in part, by the user device UE 101, one or more applications 103, and one or more services at the services platform 113 and/or the communication network 105. For example, the user may wish to access a personal account at or via the services platform 113 by launching/executing one or more applications 103 on UE 101, which causes a request for an authentication (e.g., via the authentication module 111). In another example, the user wishes to access one or more restricted/protected areas, applications, procedures, or modules on the UE 101 and/or at the communication network 105, which causes a request for the authentication.
FIG. 4C is a flowchart of a process for normalizing user information and determining authentication credentials, according to one embodiment. In one embodiment, the authentication module 111 and/or an application 103 of the UE 101 performs the process 470 and is implemented in, for instance, a chip set including a processor and a memory as shown in FIG. 10. As such, the authentication module 111 and/or an application 103 of the UE 101 can provide means for accomplishing various parts of the process 470 as well as means for accomplishing other processes in conjunction with other components of the system 100. Throughout this process, the authentication module 111 is referred to as completing various portions of the process 470; however, it is understood that other applications/modules, for example, in the UE 101 can perform some of and/or all of the process steps. In step 471, the authentication module 111 processes and/or facilitates a processing of the user interaction information, the one or more inputs, or a combination thereof to normalize the user interaction information, the one or more inputs, or a combination thereof. In one embodiment, the user interaction information is captured by, for example, the authentication module 111 and then further processed to obtain the information necessary for the authentication and/or password building process. For example, the user is prompted to select (e.g., touch, select, click, etc.) one or more different applications on the UE 101, whereby the selected applications signify further information, for example, the placement/location (e.g., first, last, left top corner, bottom right corner, center, etc.) of the application icons in the display area of the UE 101, the place of the application in a list of applications (e.g., first, third, fourth, etc.), or one or more characters in each application's name (e.g., "w" for a "drawing" application, "i" for a "writing" application, "l" for a "calculator" application, "d" for a "documentation" application), which, at least in part, can be used to form a password of "wild". In another example, the password may be based on the sequence of the applications chosen, such as the first, third, fourth and sixth applications in a list, to form a password of "1346". In another embodiment, the user interaction can be via a location application (e.g., a map application), which can utilize the user/user-device physical location, physical and/or virtual movement and the like.
In step 473, the authentication module 111 determines that one or more inputs at least substantially match the user interaction information based, at least in part, on the normalized user interaction information, the normalized one or more inputs, or a combination thereof. In one embodiment, the user interaction input is processed and compared to one or more pieces of previously defined information utilized for building one or more passwords. For example, a sequence of user interaction is captured, processed and compared to a previously defined sequence, which may be stored on the UE 101 (e.g., at password database 309, location context profiles 311, memory 217 and the like), at the services platform 113 (e.g., user profile data store 115) and/or at one or more network components of the communication network 105.
In step 475, the authentication module 111 processes and/or facilitates a processing of the one or more target inputs to determine one or more targets for receiving the one or more authentication credentials. In one embodiment, one or more applications 103, data collection module 107, context sensors 109 and/or the authentication module 111 are identified as the application, service and/or component for receiving the one or more authentication credentials. For example, a banking application can receive the authentication information, which can be further presented to one or more services platforms 113 for utilization and interface with the user and/or the UE 101.
FIGs. 5A-5B are diagrams of user interfaces utilized in a secure authentication process, according to various embodiments. FIG. 5A depicts several user interfaces utilized in the secure authentication process of system 100. In one embodiment, 501 shows a user interface on a UE 101 with four application/folder icons "Phonebook, Gallery, Messages and Camera". At 511, the user initiates the secure authentication process by choosing the option "Start Login Path" at 513. This interaction will start recording of the user interacting with the UE 101 via one or more applications 103 and one or more modules, for example, the authentication module 111. At 521, the user selects an application/folder icon of "Phonebook" 523 and confirms the selection at 527. Further, once the "Login Path" has started, the user interface shows progress of the authentication process via indicator 527. Furthermore, the user can indicate a stopping point and confirm the completion of the user interaction by utilizing a command such as 529 (e.g., select/press the "#" symbol) and at 531 can select to utilize the authentication credentials for logging into the desired target (e.g., an application, a service, a network component, etc.). At 541 the selected application "Phonebook" is opened/expanded to show further detail, whereby 543 shows selection of a contact name, which can be utilized by the password building engine 303. For example, one or more characteristics/attributes of the selected item/name/word (e.g., name, one or more characters of the name, placement in the list and the like) can have significance and be utilized in the password building process, and the user can indicate the selection by utilizing a command key such as "use this" at 547. Indicator 547 shows the progress of the authentication process.
In the example shown in 5A, example passwords determined can be "PhoDha", by utilizing the first three letters of the UI element "Phonebook" and of the phonebook entry "Dhanu", or, in another example, an abbreviation of "PB" for the application name "Phonebook" and the location "4" of the element/entry/name in the phonebook list, to form "PB4". As can be imagined, there can be many different interpretations/implementations of one or more algorithms to utilize the information from the above examples and build different authentication credentials.
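The following is an added example, not code from the patent or from Nokia: it shows how a password building engine like PBE 303 could turn the normalized selection sequence described above into a credential ("wild", "1346", "PhoDha"), and how the comparison step 473 could verify a later sequence against the password database 309 without keeping the derived string. The Selection type, the extractor functions, the per-slot recipe format and the list positions in the sample data are assumptions.

```python
"""Added example: deriving and verifying a navigation-based credential from a
normalized sequence of UI selections (patent steps 471/473). The Selection type,
the extractor recipe and the sample list positions are assumptions, not the
patent's own algorithm."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Callable, Sequence, Tuple

PBKDF2_ROUNDS = 200_000  # slow hash so a stolen database resists offline guessing


@dataclass(frozen=True)
class Selection:
    """One normalized user action: the label of the element chosen (app icon,
    contact name, ...) and its 1-based place in the list/grid it came from."""
    label: str
    position: int


Extractor = Callable[[Selection], str]


def prefix(n: int) -> Extractor:
    """First n characters of the label: "Pho" from "Phonebook"."""
    return lambda s: s.label[:n]


def char_at(i: int) -> Extractor:
    """The i-th (1-based) character of the label: "w" is the 4th of "drawing"."""
    return lambda s: s.label[i - 1]


def list_position() -> Extractor:
    """The element's place in its list as text: "4" for the 4th phonebook entry."""
    return lambda s: str(s.position)


def derive(selections: Sequence[Selection], recipe: Sequence[Extractor]) -> str:
    """Apply one extractor per selection, in order. Order is part of the secret
    (step 409), so the same icons tapped in another order give another string."""
    if len(selections) != len(recipe):
        raise ValueError("recipe needs exactly one extractor per selection")
    return "".join(ex(sel) for ex, sel in zip(recipe, selections))


def enroll(selections: Sequence[Selection],
           recipe: Sequence[Extractor]) -> Tuple[bytes, bytes]:
    """Record for the password database: a random salt and a slow hash of the
    derived string. Neither the string nor the raw interaction log is kept."""
    salt = os.urandom(16)
    secret = derive(selections, recipe).encode("utf-8")
    return salt, hashlib.pbkdf2_hmac("sha256", secret, salt, PBKDF2_ROUNDS)


def verify(record: Tuple[bytes, bytes], selections: Sequence[Selection],
           recipe: Sequence[Extractor]) -> bool:
    """Comparison step: re-derive from the new inputs and compare in constant time."""
    salt, digest = record
    secret = derive(selections, recipe).encode("utf-8")
    candidate = hashlib.pbkdf2_hmac("sha256", secret, salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


# The patent's worked cases, with constructed (assumed) list positions.
WILD_APPS = [Selection("drawing", 2), Selection("writing", 5),
             Selection("calculator", 1), Selection("documentation", 3)]
WILD_RECIPE = [char_at(4), char_at(3), char_at(3), char_at(1)]   # -> "wild"

LIST_PICKS = [Selection("Clock", 1), Selection("Maps", 3),
              Selection("Notes", 4), Selection("Radio", 6)]
LIST_RECIPE = [list_position()] * 4                               # -> "1346"

PHONEBOOK = [Selection("Phonebook", 1), Selection("Dhanu", 4)]
PHONEBOOK_RECIPE = [prefix(3), prefix(3)]                         # -> "PhoDha"

if __name__ == "__main__":
    record = enroll(PHONEBOOK, PHONEBOOK_RECIPE)
    print(derive(WILD_APPS, WILD_RECIPE), derive(LIST_PICKS, LIST_RECIPE))
    print("same path again:", verify(record, PHONEBOOK, PHONEBOOK_RECIPE))
    other = [Selection("Phonebook", 1), Selection("Dana", 4)]
    print("different contact:", verify(record, other, PHONEBOOK_RECIPE))
```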
FIG. 5B depicts another example embodiment of a user interface utilized in the secure authentication process. At 561, the user is presented with one or more choices/lists of target applications and/or services for which the processed authentication credentials are to be utilized, and/or the user can define a target not shown in the one or more lists. In one example, the user selects a banking service at 563. Once the target application/service ("Banking") is selected, a login interface 571 is presented to the user whereby one or more authentication credentials, 573 and 575, can be presented for logging onto the target service. In various embodiments, the one or more authentication credentials, for example 573 and 575, can be provided, at least in part, by one or more applications, modules and/or the user. For example, the user can provide the username 573 in plain alphanumeric text (e.g., "John Smith") and the authentication module can provide the password in 575 (e.g., "PhoDha" in the 5A example above) determined, at least in part, by the authentication module 111. In another embodiment, the password provided in 575 can be one that was previously determined and can be reused, at least in part, upon authentication of the user by the authentication module 111 and/or one or more applications of UE 101.
FIGs. 6A-6C are diagrams of user interfaces utilizing map application in a navigation-based authentication process, according to various embodiments.
FIG. 6A shows a map application where indicator 600 shows a portion of a map on which a user navigation path/route segments are indicated by 601-605. In one embodiment, the navigation path information is captured, at least in part, by the location module 201 and saved in memory 217 and/or authentication data store 121. In one example, the path is from point "A" to/through one or more points (e.g., "B", "C", "D", "E", "F") and back to point "A", wherein the one or more points can represent one or more points of interest visited by the user. In various embodiments, a user may not have visited/travelled on particular routes/paths, but can be presented with a map application of one or more areas (e.g., close to home, hobby, work, etc.) familiar to the user. In one scenario, the navigation-based authentication process requires capture of navigation information for generating a password and/or validation of a user, whereby the user is prompted to provide the information by utilizing a map application which is presented on the display of the UE 101. Further, the user selects/traces/highlights (e.g., by moving a finger on a touchscreen display, moving a cursor, etc.) a route (e.g., along a street, a road, a path, etc.) shown on the map. In some embodiments the map application may not be connected, for example via GPS, to location based services, wherein the password generation process can still function offline, which can improve power consumption of the UE 101. In one embodiment the map application is downloaded to memory of the device in advance to avoid possible network connection problems and/or the requirement that the UE 101 be/stay online. As a result, one or more line segments are shown on the display, and additionally, the selected route information is logged/recorded (e.g., by the data collection module 107) for further use by one or more applications/modules on UE 101.
In one example, the logged/recorded information comprises information on the line segments 601-605, which can be in the format of: Park Street 10-14 (10-14 means that line segment 601 starts at Park Street #10 and continues to Park Street #14), 8th Avenue 30-28 (30-28 means that line segment 602 starts at 8th Avenue #30 and continues to 8th Avenue #28) and so on. In another embodiment, information on one or more points of interest (POIs) along the indicated route (e.g., along one or more line segments) can be added, shown and/or utilized; for example, the information can include Shell station 8th Avenue 30 (607, POI-1), Hard Rock cafe Heavy Street 10 (609, POI-2), etc. Furthermore, the POI information can be an alternative method for logging/recording the information of the selected route/path. In other embodiments, one or more other methods can be employed for logging/recording the information, wherein the methods can include prompts/hints in order to assist the user in remembering the route/path. In other embodiments, the scale of a map application can be set to one or more sizes and/or different map areas can be presented to the user for navigating between points of the different areas. For example, a user can navigate along a route/path between the cities of Helsinki, Boston, Denver and Nairobi (e.g., the user selects the cities respectively), which can be utilized for generating a password and/or can be selected as a user password. Where the method of the above example is employed, the user is given the possibility to select (e.g., by clicking, selecting, etc.) the cities (e.g., the places the user likes) the user wants to be used in the password generation/building process. In one embodiment the communication interface 301 interfaces with the map application.
In various embodiments, one or more information (e.g., strength, length, steps, and the like) related to one or more user passwords are indicated/presented to the user so, for example, the user and/or the navigation-based authentication process can ascertain if the selected/determined password is suitable/acceptable. Further, strength of the password can depend on one or more characteristics of the route/path, for example, length of the path, turns of the path, number of places selected (e.g., POIs) or a combination thereof.
In another embodiment, GPS information (e.g., one or more characters/subsections of coordinates on a map) related to the route/path (e.g., at any point along any of the route segments, POIs, etc.) can be utilized for determining the route/path information as well as for generating one or more authentication credentials. For example, the GPS coordinates for the POI-1 and POI-2 are 40° 42' 50.634" and 40° 47' 50.962", respectively, whereby the authentication module 111, the data collection module 107 and/or other applications can utilize one or more of the characters of the two coordinates for generating a password/passcode by utilizing any number of combinations/methods, for example: the second, third, and sixth characters of the POI-1 GPS coordinate (040) and the first, fourth, and seventh characters of the POI-2 GPS coordinate (479) can be used in generating a password/passcode of 040479, 479040 and the like. In another embodiment, additional GPS information (e.g., direction) can be used in conjunction with other available information.
FIG. 6B shows a map application wherein indicator 640 shows substantially the same portion of the map as in FIG. 6A. In one embodiment, the user is prompted to trace the navigation path/route which was previously captured (in FIG. 6A), wherein, in this example, the user would have to trace a path indicated by 641 in order to match the previously captured trace 601. Further, FIG. 6C shows a similar navigation path as in FIGs. 6A and 6B; however, in this embodiment 670, an additional information point 673 is part of the predefined navigation path, wherein 673 can represent one or more actions necessary for the user to perform, for example, to indicate a pause (e.g., of the user's finger or stylus) of one or more seconds, which may be at the start of and/or at the end of the tracing performed by the user.
FIGs. 7A-7C are diagrams showing navigation-based authentication processes utilizing example routing mechanisms, according to various embodiments. FIG. 7A shows diagram 700 with indicators 701, 703 and 705. In one embodiment, in order for a user to access a resource (e.g., access to a physical facility and/or a user account at that physical facility/location), the user must substantially have travelled along a predefined path such as indicated by 701 for receiving one or more valid authentication credentials from the authentication module 111. For example, a user may be authorized to access a particular facility 707 (e.g., an office building via entrance 1) when having travelled a particular physical path 701 (e.g., walk, drive); however, if the same user with the same authorization travels via routes 703 and 705 to the same facility 707, the navigation-based authentication will fail and access can be denied. In another embodiment, the navigation-based authentication is only part of an authentication process, for example, and the user may need one or more additional authentication credentials to gain access to the same facility 707. For example, a user1 authorized to access the facility 707 has misplaced user device 1; a user2 utilizes the misplaced user device 1, travels the correct path 701 and tries to gain access to facility 707 via entrance 1; however, since one or more additional authentication credentials are necessary for access to facility 707, access can be denied to user2.
FIG. 7B shows a map application indicating a user navigation path. In one embodiment, navigation path of a user and/or a user device needs to substantially match that of a predefined path required for one or more valid authentication credentials. For example, a user 741 must travel substantially along path/route 743 when wishing to access a restricted resource at 745. Further, one or more characteristics captured during the navigation by one or more modules/applications of UE 101 (e.g., speed, starting point, starting time and the like) can be utilized in the navigation-based authentication process.
FIG. 7C shows a navigation route 760 utilized by a user while travelling from a starting point 761 to a destination point 765. In one embodiment, a user has knowledge of a necessary path 763 in order to access a resource at 765. For example, a user can travel on a more direct path from 761 to 765; however, this path can result in a mismatch with the predefined path 763 required for one or more valid authentication credentials.
FIG. 8 is a diagram showing a map application 800 utilized for performing a virtual routing for a navigation-based authentication process. In one embodiment, a user traces (e.g., with a finger 803) route 805 from starting point 807 to end point 809, wherein the route information can be utilized in a navigation-based authentication process. Further, the resolution and/or zoom level 811 can be utilized to present one or more additional pieces of information such as the required zoom level (e.g., at 55%), and/or the map application can utilize the zoom level to calculate one or more pieces of map information such as the granularity of the coordinates (e.g., 40° 42' 50.6346728" or 40° 42' 50.634" or 40° 42' 50.6"), the physical address of a point along the 805 route, points of interest on the map and/or the like.
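The following is an added example, not code from the patent or from Nokia, serving the route passages of FIGs. 6A-6C, 7A-7C and 8 above: it quantizes a traced route to grid cells at a granularity set by the zoom level, decides whether a later trace "substantially" matches the enrolled one (so a retrace with small jitter passes while the direct shortcut of FIG. 7C fails), scores strength from path length, turns and POIs as described above, and picks coordinate digits the way the POI-1/POI-2 example does (reading "characters" as digits only, which reproduces 040 and 479). The grid size, the 90% similarity threshold, the strength weights and every coordinate in the sample traces are assumptions or constructed data.

```python
"""Added example: route normalization, tolerant matching, strength scoring and
coordinate-digit extraction for navigation-based authentication. Grid size,
threshold, weights and the sample traces are assumptions / constructed data,
not values from the patent."""
from typing import List, Sequence, Tuple

Point = Tuple[float, float]  # (x, y) in map units; the zoom level sets the scale
Cell = Tuple[int, int]


def snap(path: Sequence[Point], cell: float) -> List[Cell]:
    """Quantize the trace to grid cells and drop consecutive repeats, so finger
    jitter inside one cell and dwell time do not change the sequence."""
    cells: List[Cell] = []
    for x, y in path:
        c = (int(x // cell), int(y // cell))
        if not cells or cells[-1] != c:
            cells.append(c)
    return cells


def headings(cells: Sequence[Cell]) -> List[str]:
    """Compass token for each step between cells, e.g. "N", "E", "SW"."""
    out = []
    for (x0, y0), (x1, y1) in zip(cells, cells[1:]):
        ns = "N" if y1 > y0 else "S" if y1 < y0 else ""
        ew = "E" if x1 > x0 else "W" if x1 < x0 else ""
        out.append(ns + ew)
    return out


def turns(cells: Sequence[Cell]) -> int:
    """Number of heading changes along the route."""
    h = headings(cells)
    return sum(1 for a, b in zip(h, h[1:]) if a != b)


def levenshtein(a: Sequence, b: Sequence) -> int:
    """Edit distance between two cell sequences (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, x in enumerate(a, 1):
        cur = [i]
        for j, y in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (x != y)))
        prev = cur
    return prev[-1]


def similarity(ref: Sequence[Cell], cand: Sequence[Cell]) -> float:
    """1.0 for identical sequences, 0.0 for nothing in common."""
    return 1.0 - levenshtein(ref, cand) / max(len(ref), len(cand), 1)


def substantially_matches(ref: Sequence[Point], cand: Sequence[Point],
                          cell: float = 1.0, threshold: float = 0.9) -> bool:
    """A retrace passes if at most about 10% of cells differ (assumed tolerance).
    Because matching is fuzzy, the enrolled cells cannot be stored as a one-way
    hash; they must be kept encrypted at rest (the role of engine 307)."""
    return similarity(snap(ref, cell), snap(cand, cell)) >= threshold


def strength(path: Sequence[Point], pois: int = 0, cell: float = 1.0) -> int:
    """Strength indicator from path length, turns and selected POIs (assumed weights)."""
    cells = snap(path, cell)
    return len(cells) + 2 * turns(cells) + 3 * pois


def coordinate_digits(coord: str, positions: Sequence[int]) -> str:
    """Pick 1-based digit positions of a coordinate string, counting digits only:
    positions 2,3,6 of 40° 42' 50.634" give "040", as in the patent's example."""
    digits = [ch for ch in coord if ch.isdigit()]
    return "".join(digits[p - 1] for p in positions)


# Constructed traces: the enrolled detour (up, across, down) and two later attempts.
ENROLLED = [(0.2, 0.1), (0.3, 1.2), (0.1, 2.1), (0.4, 3.3), (1.2, 3.1), (2.3, 3.4),
            (3.1, 3.2), (4.2, 3.1), (4.1, 2.2), (4.3, 1.1), (4.2, 0.3)]
RETRACE = [(0.1, 0.3), (0.2, 1.4), (0.3, 2.2), (0.2, 3.1), (1.4, 3.2), (3.3, 3.1),
           (4.1, 3.4), (4.2, 2.3), (4.0, 1.2), (4.3, 0.2)]   # one cell skipped
DIRECT = [(0.1, 0.2), (1.1, 0.3), (2.2, 0.1), (3.1, 0.4), (4.1, 0.2)]  # FIG. 7C shortcut

if __name__ == "__main__":
    print("retrace accepted:", substantially_matches(ENROLLED, RETRACE))      # True
    print("direct path accepted:", substantially_matches(ENROLLED, DIRECT))   # False
    print("strength:", strength(ENROLLED, pois=2))                            # 21
    print(coordinate_digits("40° 42' 50.634\"", [2, 3, 6])
          + coordinate_digits("40° 47' 50.962\"", [1, 4, 7]))                # 040479
```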
The processes described herein for a navigation-based authentication may be advantageously implemented via software, hardware, firmware or a combination of software and/or firmware and/or hardware. For example, the processes described herein, may be advantageously implemented via processor(s), Digital Signal Processing (DSP) chip, an Application Specific Integrated Circuit (ASIC), Field Programmable Gate Arrays (FPGAs), etc. Such exemplary hardware for performing the described functions is detailed below.
FIG. 9 illustrates a computer system 900 upon which an embodiment of the invention may be implemented. Although computer system 900 is depicted with respect to a particular device or equipment, it is contemplated that other devices or equipment (e.g., network elements, servers, etc.) within FIG. 9 can deploy the illustrated hardware and components of system 900. Computer system 900 is programmed (e.g., via computer program code or instructions) for a navigation-based authentication as described herein and includes a communication mechanism such as a bus 910 for passing information between other internal and external components of the computer system 900. Information (also called data) is represented as a physical expression of a measurable phenomenon, typically electric voltages, but including, in other embodiments, such phenomena as magnetic, electromagnetic, pressure, chemical, biological, molecular, atomic, subatomic and quantum interactions. For example, north and south magnetic fields, or a zero and non-zero electric voltage, represent two states (0, 1) of a binary digit (bit). Other phenomena can represent digits of a higher base. A superposition of multiple simultaneous quantum states before measurement represents a quantum bit (qubit). A sequence of one or more digits constitutes digital data that is used to represent a number or code for a character. In some embodiments, information called analog data is represented by a near continuum of measurable values within a particular range. Computer system 900, or a portion thereof, constitutes a means for performing one or more steps of navigation-based authentication process.
A bus 910 includes one or more parallel conductors of information so that information is transferred quickly among devices coupled to the bus 910. One or more processors 902 for processing information are coupled with the bus 910.
A processor (or multiple processors) 902 performs a set of operations on information as specified by computer program code related to a navigation-based authentication process. The computer program code is a set of instructions or statements providing instructions for the operation of the processor and/or the computer system to perform specified functions. The code, for example, may be written in a computer programming language that is compiled into a native instruction set of the processor. The code may also be written directly using the native instruction set (e.g., machine language). The set of operations include bringing information in from the bus 910 and placing information on the bus 910. The set of operations also typically include comparing two or more units of information, shifting positions of units of information, and combining two or more units of information, such as by addition or multiplication or logical operations like OR, exclusive OR (XOR), and AND. Each operation of the set of operations that can be performed by the processor is represented to the processor by information called instructions, such as an operation code of one or more digits. A sequence of operations to be executed by the processor 902, such as a sequence of operation codes, constitutes processor instructions, also called computer system instructions or, simply, computer instructions. Processors may be implemented as mechanical, electrical, magnetic, optical, chemical or quantum components, among others, alone or in combination.
Computer system 900 also includes a memory 904 coupled to bus 910. The memory 904, such as a random access memory (RAM) or any other dynamic storage device, stores information including processor instructions for a navigation-based authentication process. Dynamic memory allows information stored therein to be changed by the computer system 900. RAM allows a unit of information stored at a location called a memory address to be stored and retrieved independently of information at neighboring addresses. The memory 904 is also used by the processor 902 to store temporary values during execution of processor instructions. The computer system 900 also includes a read only memory (ROM) 906 or any other static storage device coupled to the bus 910 for storing static information, including instructions, that is not changed by the computer system 900. Some memory is composed of volatile storage that loses the information stored thereon when power is lost. Also coupled to bus 910 is a non-volatile (persistent) storage device 908, such as a magnetic disk, optical disk or flash card, for storing information, including instructions, that persists even when the computer system 900 is turned off or otherwise loses power.
Information, including instructions for a navigation-based authentication, is provided to the bus 910 for use by the processor from an external input device 912, such as a keyboard containing alphanumeric keys operated by a human user, or a sensor. A sensor detects conditions in its vicinity and transforms those detections into physical expression compatible with the measurable phenomenon used to represent information in computer system 900. Other external devices coupled to bus 910, used primarily for interacting with humans, include a display device 914, such as a cathode ray tube (CRT), a liquid crystal display (LCD), a light emitting diode (LED) display, an organic LED (OLED) display, a plasma screen, or a printer for presenting text or images, and a pointing device 916, such as a mouse, a trackball, cursor direction keys, or a motion sensor, for controlling a position of a small cursor image presented on the display 914 and issuing commands associated with graphical elements presented on the display 914. In some embodiments, for example, in embodiments in which the computer system 900 performs all functions automatically without human input, one or more of external input device 912, display device 914 and pointing device 916 is omitted.
In the illustrated embodiment, special purpose hardware, such as an application specific integrated circuit (ASIC) 920, is coupled to bus 910. The special purpose hardware is configured to perform operations not performed by processor 902 quickly enough for special purposes. Examples of ASICs include graphics accelerator cards for generating images for display 914, cryptographic boards for encrypting and decrypting messages sent over a network, speech recognition, and interfaces to special external devices, such as robotic arms and medical scanning equipment that repeatedly perform some complex sequence of operations that are more efficiently implemented in hardware.
Computer system 900 also includes one or more instances of a communications interface 970 coupled to bus 910. Communication interface 970 provides a one-way or two-way communication coupling to a variety of external devices that operate with their own processors, such as printers, scanners and external disks. In general the coupling is with a network link 978 that is connected to a local network 980 to which a variety of external devices with their own processors are connected. For example, communication interface 970 may be a parallel port or a serial port or a universal serial bus (USB) port on a personal computer. In some embodiments, communications interface 970 is an integrated services digital network (ISDN) card or a digital subscriber line (DSL) card or a telephone modem that provides an information communication connection to a corresponding type of telephone line. In some embodiments, a communication interface 970 is a cable modem that converts signals on bus 910 into signals for a communication connection over a coaxial cable or into optical signals for a communication connection over a fiber optic cable. As another example, communications interface 970 may be a local area network (LAN) card to provide a data communication connection to a compatible LAN, such as Ethernet. Wireless links may also be implemented. For wireless links, the communications interface 970 sends or receives or both sends and receives electrical, acoustic or electromagnetic signals, including infrared and optical signals, that carry information streams, such as digital data. For example, in wireless handheld devices, such as mobile telephones like cell phones, the communications interface 970 includes a radio band electromagnetic transmitter and receiver called a radio transceiver. In certain embodiments, the communications interface 970 enables connection to the communication network 105 for a navigation-based authentication process with the UE 101.
The term "computer-readable medium" as used herein refers to any medium that participates in providing information to processor 902, including instructions for execution. Such a medium may take many forms, including, but not limited to computer-readable storage medium (e.g., non-volatile media, volatile media), and transmission media. Non-transitory media, such as nonvolatile media, include, for example, optical or magnetic disks, such as storage device 908. Volatile media include, for example, dynamic memory 904. Transmission media include, for example, twisted pair cables, coaxial cables, copper wire, fiber optic cables, and carrier waves that travel through space without wires or cables, such as acoustic waves and electromagnetic waves, including radio, optical and infrared waves. Signals include man-made transient variations in amplitude, frequency, phase, polarization or other physical properties transmitted through the transmission media. Common forms of computer-readable media include, for example, a floppy disk, a flexible disk, hard disk, magnetic tape, any other magnetic medium, a CD-ROM, CDRW, DVD, any other optical medium, punch cards, paper tape, optical mark sheets, any other physical medium with patterns of holes or other optically recognizable indicia, a RAM, a PROM, an EPROM, a FLASH-EPROM, an EEPROM, a flash memory, any other memory chip or cartridge, a carrier wave, or any other medium from which a computer can read. The term computer-readable storage medium is used herein to refer to any computer-readable medium except transmission media.
Logic encoded in one or more tangible media includes one or both of processor instructions on a computer-readable storage media and special purpose hardware, such as ASIC 920.
Network link 978 typically provides information communication using transmission media through one or more networks to other devices that use or process the information. For example, network link 978 may provide a connection through local network 980 to a host computer 982 or to equipment 984 operated by an Internet Service Provider (ISP). ISP equipment 984 in turn provides data communication services through the public, world-wide packet-switching communication network of networks now commonly referred to as the Internet 990.
A computer called a server host 992 connected to the Internet hosts a process that provides a service in response to information received over the Internet. For example, server host 992 hosts a process that provides information representing video data for presentation at display 914. It is contemplated that the components of system 900 can be deployed in various configurations within other computer systems, e.g., host 982 and server 992. At least some embodiments of the invention are related to the use of computer system 900 for implementing some or all of the techniques described herein. According to one embodiment of the invention, those techniques are performed by computer system 900 in response to processor 902 executing one or more sequences of one or more processor instructions contained in memory 904. Such instructions, also called computer instructions, software and program code, may be read into memory 904 from another computer-readable medium such as storage device 908 or network link 978. Execution of the sequences of instructions contained in memory 904 causes processor 902 to perform one or more of the method steps described herein. In alternative embodiments, hardware, such as ASIC 920, may be used in place of or in combination with software to implement the invention. Thus, embodiments of the invention are not limited to any specific combination of hardware and software, unless otherwise explicitly stated herein.
The signals transmitted over network link 978 and other networks through communications interface 970, carry information to and from computer system 900. Computer system 900 can send and receive information, including program code, through the networks 980, 990 among others, through network link 978 and communications interface 970. In an example using the Internet 990, a server host 992 transmits program code for a particular application, requested by a message sent from computer 900, through Internet 990, ISP equipment 984, local network 980 and communications interface 970. The received code may be executed by processor 902 as it is received, or may be stored in memory 904 or in storage device 908 or any other non-volatile storage for later execution, or both. In this manner, computer system 900 may obtain application program code in the form of signals on a carrier wave.
Various forms of computer readable media may be involved in carrying one or more sequence of instructions or data or both to processor 902 for execution. For example, instructions and data may initially be carried on a magnetic disk of a remote computer such as host 982. The remote computer loads the instructions and data into its dynamic memory and sends the instructions and data over a telephone line using a modem. A modem local to the computer system 900 receives the instructions and data on a telephone line and uses an infra-red transmitter to convert the instructions and data to a signal on an infra-red carrier wave serving as the network link 978. An infrared detector serving as communications interface 970 receives the instructions and data carried in the infrared signal and places information representing the instructions and data onto bus 910. Bus 910 carries the information to memory 904 from which processor 902 retrieves and executes the instructions using some of the data sent with the instructions. The instructions and data received in memory 904 may optionally be stored on storage device 908, either before or after execution by the processor 902.
FIG. 10 illustrates a chip set or chip 1000 upon which an embodiment of the invention may be implemented. Chip set 1000 is programmed to accelerate authentication as described herein and includes, for instance, the processor and memory components described with respect to FIG. 9 incorporated in one or more physical packages (e.g., chips). By way of example, a physical package includes an arrangement of one or more materials, components, and/or wires on a structural assembly (e.g., a baseboard) to provide one or more characteristics such as physical strength, conservation of size, and/or limitation of electrical interaction. It is contemplated that in certain embodiments the chip set 1000 can be implemented in a single chip.
It is further contemplated that in certain embodiments the chip set or chip 1000 can be implemented as a single "system on a chip." It is further contemplated that in certain embodiments a separate ASIC would not be used, for example, and that all relevant functions as disclosed herein would be performed by a processor or processors. Chip set or chip 1000, or a portion thereof, constitutes a means for performing one or more steps of providing user interface navigation information associated with the availability of functions. Chip set or chip 1000, or a portion thereof, constitutes a means for performing one or more steps of a navigation-based authentication process.
In one embodiment, the chip set or chip 1000 includes a communication mechanism such as a bus 1001 for passing information among the components of the chip set 1000. A processor 1003 has connectivity to the bus 1001 to execute instructions and process information stored in, for example, a memory 1005. The processor 1003 may include one or more processing cores with each core configured to perform independently. A multi-core processor enables multiprocessing within a single physical package. Examples of a multi-core processor include two, four, eight, or greater numbers of processing cores. Alternatively or in addition, the processor 1003 may include one or more microprocessors configured in tandem via the bus 1001 to enable independent execution of instructions, pipelining, and multithreading. The processor 1003 may also be accompanied with one or more specialized components to perform certain processing functions and tasks such as one or more digital signal processors (DSP) 1007, or one or more application-specific integrated circuits (ASIC) 1009. A DSP 1007 typically is configured to process real-world signals (e.g., sound) in real time independently of the processor 1003. Similarly, an ASIC 1009 can be configured to perform specialized functions not easily performed by a more general purpose processor. Other specialized components to aid in performing the inventive functions described herein may include one or more field programmable gate arrays (FPGA) (not shown), one or more controllers (not shown), or one or more other special-purpose computer chips.
In one embodiment, the chip set or chip 1000 includes merely one or more processors and some software and/or firmware supporting and/or relating to and/or for the one or more processors. The processor 1003 and accompanying components have connectivity to the memory 1005 via the bus 1001. The memory 1005 includes both dynamic memory (e.g., RAM, magnetic disk, writable optical disk, etc.) and static memory (e.g., ROM, CD-ROM, etc.) for storing executable instructions that when executed perform the inventive steps described herein to a navigation-based authentication process. The memory 1005 also stores the data associated with or generated by the execution of the inventive steps.
FIG. 11 is a diagram of exemplary components of a mobile terminal (e.g., handset) for communications, which is capable of operating in the system of FIG. 1, according to one embodiment. In some embodiments, mobile terminal 1101, or a portion thereof, constitutes a means for performing one or more steps of a navigation-based authentication process. Generally, a radio receiver is often defined in terms of front-end and back-end characteristics. The front-end of the receiver encompasses all of the Radio Frequency (RF) circuitry whereas the back-end encompasses all of the base-band processing circuitry. As used in this application, the term "circuitry" refers to both: (1) hardware-only implementations (such as implementations in only analog and/or digital circuitry), and (2) combinations of circuitry and software (and/or firmware) (such as, if applicable to the particular context, a combination of processor(s), including digital signal processor(s), software, and memory(ies) that work together to cause an apparatus, such as a mobile phone or server, to perform various functions). This definition of "circuitry" applies to all uses of this term in this application, including in any claims. As a further example, as used in this application and if applicable to the particular context, the term "circuitry" would also cover an implementation of merely a processor (or multiple processors) and its (or their) accompanying software and/or firmware. The term "circuitry" would also cover, if applicable to the particular context, for example, a baseband integrated circuit or applications processor integrated circuit in a mobile phone or a similar integrated circuit in a cellular network device or other network devices.
Pertinent internal components of the telephone include a Main Control Unit (MCU) 1103, a Digital Signal Processor (DSP) 1105, and a receiver/transmitter unit including a microphone gain control unit and a speaker gain control unit. A main display unit 1107 provides a display to the user in support of various applications and mobile terminal functions that perform or support the steps of a navigation-based authentication process. The display 1107 includes display circuitry configured to display at least a portion of a user interface of the mobile terminal (e.g., mobile telephone). Additionally, the display 1107 and display circuitry are configured to facilitate user control of at least some functions of the mobile terminal. An audio function circuitry 1109 includes a microphone 1111 and microphone amplifier that amplifies the speech signal output from the microphone 1111. The amplified speech signal output from the microphone 1111 is fed to a coder/decoder (CODEC) 1113.
A radio section 1115 amplifies power and converts frequency in order to communicate with a base station, which is included in a mobile communication system, via antenna 1117. The power amplifier (PA) 1119 and the transmitter/modulation circuitry are operationally responsive to the MCU 1103, with an output from the PA 1119 coupled to the duplexer 1121 or circulator or antenna switch, as known in the art. The PA 1119 also couples to a battery interface and power control unit 1120.
In use, a user of mobile terminal 1101 speaks into the microphone 1111 and his or her voice along with any detected background noise is converted into an analog voltage. The analog voltage is then converted into a digital signal through the Analog to Digital Converter (ADC) 1123. The control unit 1103 routes the digital signal into the DSP 1105 for processing therein, such as speech encoding, channel encoding, encrypting, and interleaving. In one embodiment, the processed voice signals are encoded, by units not separately shown, using a cellular transmission protocol such as enhanced data rates for global evolution (EDGE), general packet radio service (GPRS), global system for mobile communications (GSM), Internet protocol multimedia subsystem (IMS), universal mobile telecommunications system (UMTS), etc., as well as any other suitable wireless medium, e.g., microwave access (WiMAX), Long Term Evolution (LTE) networks, code division multiple access (CDMA), wideband code division multiple access (WCDMA), wireless fidelity (WiFi), satellite, and the like, or any combination thereof. The encoded signals are then routed to an equalizer 1125 for compensation of any frequency-dependent impairments that occur during transmission through the air such as phase and amplitude distortion. After equalizing the bit stream, the modulator 1127 combines the signal with an RF signal generated in the RF interface 1129. The modulator 1127 generates a sine wave by way of frequency or phase modulation. In order to prepare the signal for transmission, an up-converter 1131 combines the sine wave output from the modulator 1127 with another sine wave generated by a synthesizer 1133 to achieve the desired frequency of transmission. The signal is then sent through a PA 1119 to increase the signal to an appropriate power level.
In practical systems, the PA 1119 acts as a variable gain amplifier whose gain is controlled by the DSP 1105 from information received from a network base station. The signal is then filtered within the duplexer 1121 and optionally sent to an antenna coupler 1135 to match impedances to provide maximum power transfer. Finally, the signal is transmitted via antenna 1117 to a local base station. An automatic gain control (AGC) can be supplied to control the gain of the final stages of the receiver. The signals may be forwarded from there to a remote telephone which may be another cellular telephone, any other mobile phone or a land-line connected to a Public Switched Telephone Network (PSTN), or other telephony networks.
Voice signals transmitted to the mobile terminal 1101 are received via antenna 1117 and immediately amplified by a low noise amplifier (LNA) 1137. A down-converter 1139 lowers the carrier frequency while the demodulator 1141 strips away the RF leaving only a digital bit stream. The signal then goes through the equalizer 1125 and is processed by the DSP 1105. A Digital to Analog Converter (DAC) 1143 converts the signal and the resulting output is transmitted to the user through the speaker 1145, all under control of a Main Control Unit (MCU) 1103 which can be implemented as a Central Processing Unit (CPU) (not shown).
The MCU 1103 receives various signals including input signals from the keyboard 1147. The keyboard 1147 and/or the MCU 1103 in combination with other user input components (e.g., the microphone 1111) comprise a user interface circuitry for managing user input. The MCU 1103 runs a user interface software to facilitate user control of at least some functions of the mobile terminal 1101 to accelerate authentication. The MCU 1103 also delivers a display command and a switch command to the display 1107 and to the speech output switching controller, respectively. Further, the MCU 1103 exchanges information with the DSP 1105 and can access an optionally incorporated SIM card 1149 and a memory 1151. In addition, the MCU 1103 executes various control functions required of the terminal. The DSP 1105 may, depending upon the implementation, perform any of a variety of conventional digital processing functions on the voice signals. Additionally, DSP 1105 determines the background noise level of the local environment from the signals detected by microphone 1111 and sets the gain of microphone 1111 to a level selected to compensate for the natural tendency of the user of the mobile terminal 1101.
The CODEC 1113 includes the ADC 1123 and DAC 1143. The memory 1151 stores various data including call incoming tone data and is capable of storing other data including music data received via, e.g., the global Internet. The software module could reside in RAM memory, flash memory, registers, or any other form of writable storage medium known in the art. The memory device 1151 may be, but is not limited to, a single memory, CD, DVD, ROM, RAM, EEPROM, optical storage, magnetic disk storage, flash memory storage, or any other non-volatile storage medium capable of storing digital data. An optionally incorporated SIM card 1149 carries, for instance, important information, such as the cellular phone number, the carrier supplying service, subscription details, and security information. The SIM card 1149 serves primarily to identify the mobile terminal 1101 on a radio network. The card 1149 also contains a memory for storing a personal telephone number registry, text messages, and user specific mobile terminal settings.
While the invention has been described in connection with a number of embodiments and implementations, the invention is not so limited but covers various obvious modifications and equivalent arrangements, which fall within the purview of the appended claims. Although features of the invention are expressed in certain combinations among the claims, it is contemplated that these features can be arranged in any combination and order.
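The capture, normalization and "substantially match" test that the claims below recite (claims 3 and 10), followed by credential generation from the enrolled sequence and a device identifier (claims 1 and 6), as an added Python example that is not part of the patent or of any Nokia code. The orientation buckets, speed bins, the 0.75 threshold, the device identifier and the HMAC key are constructed assumptions chosen for illustration.

```python
"""Navigation-based authentication: capture -> normalize -> match -> credential."""
# Added example, not code from the patent. Buckets, threshold, device id and key
# below are constructed assumptions.
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

Token = Tuple[str, object]

@dataclass(frozen=True)
class Action:
    """One captured user or device action (navigation, tilt, shake, ...)."""
    kind: str            # "nav", "tilt", "shake", ...
    target: str = ""     # screen or application name for navigation actions
    value: float = 0.0   # continuous measurement: orientation in degrees, shake speed
    t_ms: int = 0        # capture time; normalization discards it

ORIENT_BUCKET_DEG = 15.0   # assumption: orientation quantized to 15-degree buckets
SPEED_BINS = (1.0, 3.0)    # assumption: speed < 1 slow, < 3 medium, otherwise fast
MATCH_THRESHOLD = 0.75     # assumption: what "substantially match" means here

def normalize(actions: Sequence[Action]) -> List[Token]:
    """Map raw captures to discrete tokens (claim 10): drop timing, fold case,
    quantize continuous values and collapse jittery consecutive repeats."""
    tokens: List[Token] = []
    for a in actions:
        if a.kind == "nav":
            tok: Token = ("nav", a.target.strip().lower())
        elif a.kind in ("tilt", "orient"):
            bucket = int(round((a.value % 360.0) / ORIENT_BUCKET_DEG))
            tok = ("orient", bucket % int(360.0 / ORIENT_BUCKET_DEG))
        elif a.kind == "shake":
            speed = "slow" if a.value < SPEED_BINS[0] else (
                "medium" if a.value < SPEED_BINS[1] else "fast")
            tok = ("shake", speed)
        else:
            tok = (a.kind, a.target.strip().lower())
        if tokens and tokens[-1] == tok:
            continue                  # duplicate event from a bouncing touch or sensor
        tokens.append(tok)
    return tokens

def lcs_length(a: Sequence[Token], b: Sequence[Token]) -> int:
    """Longest common subsequence: order matters, gaps are tolerated."""
    prev = [0] * (len(b) + 1)
    for x in a:
        cur = [0]
        for j, y in enumerate(b, 1):
            cur.append(prev[j - 1] + 1 if x == y else max(prev[j], cur[j - 1]))
        prev = cur
    return prev[-1]

def match_score(template: Sequence[Token], inputs: Sequence[Token]) -> Tuple[float, float]:
    """(coverage, precision): share of the template reproduced, and share of the
    live input that belongs to the template. Both must be high, so neither one
    lucky token nor a long random walk that happens to contain the template passes."""
    if not template or not inputs:
        return 0.0, 0.0
    common = lcs_length(template, inputs)
    return common / len(template), common / len(inputs)

def substantially_matches(template, inputs, threshold=MATCH_THRESHOLD) -> bool:
    coverage, precision = match_score(template, inputs)
    return coverage >= threshold and precision >= threshold

def derive_credential(template: Sequence[Token], device_id: str, key: bytes) -> str:
    """Credential from the stored template plus a device identifier (claim 6).
    The live input cannot serve as key material, because a fuzzy match accepts
    inputs that differ from it; the stored template is therefore itself a secret."""
    canon = "|".join(f"{k}={v}" for k, v in template).encode("utf-8")
    msg = device_id.encode("utf-8") + b"\x00" + canon
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def authenticate(stored_template, captured, device_id, key) -> Optional[str]:
    """Claims 2 and 10: normalize the new capture, test it against the enrolled
    template and release a credential only on a substantial match."""
    if not substantially_matches(stored_template, normalize(captured)):
        return None
    return derive_credential(stored_template, device_id, key)

# Constructed sample captures (not from the patent).
ENROLLED = [Action("nav", "home", t_ms=0), Action("nav", "contacts", t_ms=820),
            Action("tilt", value=44.0, t_ms=1600), Action("nav", "maps", t_ms=2400),
            Action("shake", value=3.6, t_ms=3100)]
# Same path: different timing, a doubled touch event, slightly different tilt and speed.
REPLAY_OK = [Action("nav", "Home"), Action("nav", "contacts"), Action("nav", "contacts"),
             Action("tilt", value=47.0), Action("nav", "maps"), Action("shake", value=4.2)]
REPLAY_BAD = [Action("nav", "home"), Action("nav", "settings"),
              Action("tilt", value=180.0), Action("nav", "camera")]
DEVICE_ID = "device-id-placeholder"                 # placeholder identifier
DEVICE_KEY = b"constructed-demo-key-not-for-real-use"  # constructed, per-device secret
TEMPLATE = normalize(ENROLLED)                      # what enrollment would store
```

Because the comparison is fuzzy, the credential is keyed from the stored normalized template rather than from the live input, so that template needs the same protection as any other stored secret.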

Claims

1. A method comprising facilitating a processing of and/or processing (1) data and/or (2) information and/or (3) at least one signal, the (1) data and/or (2) information and/or (3) at least one signal based, at least in part, on the following:
a capture of user interaction information with one or more applications associated with a device; and
a processing of the user interaction information with the one or more applications to generate one or more authentication credentials,
wherein the authentication credentials are for accessing one or more services, one or more applications, one or more resources, or a combination thereof.
2. A method of claim 1, wherein the (1) data and/or (2) information and/or (3) at least one signal are further based, at least in part, on the following:
another capture of one or more inputs that at least substantially match the user interaction information; and
access to the one or more services, the one or more resources, the one or more applications, or a combination thereof based, at least in part, on the one or more authentication credentials.
3. A method according to any of claims 1 and 2, wherein the user interaction information includes, at least in part, a sequence of one or more user actions, one or more device actions, or a combination thereof, and wherein the one or more inputs at least substantially match at least a portion of the sequence.
4. A method according to any of claims 1-3, wherein the one or more user actions, the one or more device actions, a combination thereof include, at least in part: (a) one or more navigation actions within a user interface of the device, within an application of the device, or a combination thereof; (b) one or more virtual movements of the device; (c) one or more physical movements of the device; (d) orientation information of the device; (e) direction information of the device; (f) speed information associated with the one or more device actions; or (g) a combination thereof.
5. A method of claim 4, wherein the (1) data and/or (2) information and/or (3) at least one signal are further based, at least in part, on the following:
a determination of the one or more virtual movements, the one or more physical movements, the speed information, or a combination thereof using, at least in part, one or more location-based applications.
6. A method according to any of claims 1-5, wherein the (1) data and/or (2) information and/or (3) at least one signal are further based, at least in part, on the following:
at least one identifier, a portion of the at least one identifier, or a combination thereof associated with the one or more device actions;
wherein the one or more authentication credentials are further based, at least in part, on the at least one identifier, the portion of the at least one identifier, or a combination thereof.
7. A method according to any of claims 1-6, wherein the (1) data and/or (2) information and/or (3) at least one signal are further based, at least in part, on the following:
a presentation of progress status information during the capture of the user interaction information, the another capture of the one or more inputs, or a combination thereof.
8. A method according to any of claims 1-7, wherein the (1) data and/or (2) information and/or (3) at least one signal are further based, at least in part, on the following:
receive one or more authentication requests; and
an initiation of the capture of the user interaction information, the another capture of the one or more inputs, the presentation of the one or more authentication credentials, or a combination thereof based, at least in part, on the one or more authentication requests.
9. A method of claim 8, wherein the one or more authentication requests are received from at least one of a user, a user device application, a service platform, a network component, and a combination thereof.
10. A method according to any of claims 1-9, wherein the (1) data and/or (2) information and/or (3) at least one signal are further based, at least in part, on the following:
a processing of the user interaction information, the one or more inputs, or a combination thereof to normalize the user interaction information, the one or more inputs, or a combination thereof; and
at least one determination that one or more inputs at least substantially matches the user interaction information based, at least in part, on the normalized user interaction information, the normalized one or more inputs, or a combination thereof.
11. A method according to any of claims 1-10, wherein the (1) data and/or (2) information and/or (3) at least one signal are further based, at least in part, on the following:
a processing of the one or more target inputs to determine one or more targets for receiving the one or more authentication credentials.
12. An apparatus comprising:
at least one processor; and
at least one memory including computer program code for one or more programs, the at least one memory and the computer program code configured to, with the at least one processor, cause the apparatus to perform at least the following,
cause, at least in part, a capture of user interaction information with one or more applications associated with a device; and
process and/or facilitate a processing of the user interaction information with the one or more applications to generate one or more authentication credentials,
wherein the authentication credentials are for accessing one or more services, one or more resources, one or more applications, or a combination thereof.
13. An apparatus of claim 12, wherein the apparatus is further caused to:
cause, at least in part, another capture of one or more inputs that at least substantially match the user interaction information; and
cause, at least in part, access to the one or more services, the one or more resources, the one or more applications, or a combination thereof based, at least in part, on the one or more authentication credentials.
14. An apparatus according to any of claims 12 and 13, wherein the user interaction information includes, at least in part, a sequence of one or more user actions, one or more device actions, or a combination thereof, and wherein the one or more inputs at least substantially match at least a portion of the sequence.
15. An apparatus according to any of claims 12-14, wherein the one or more user actions, the one or more device actions, a combination thereof include, at least in part: (a) one or more navigation actions within a user interface of the device, within an application of the device, or a combination thereof; (b) one or more virtual movements of the device; (c) one or more physical movements of the device; (d) orientation information of the device; (e) direction information of the device; (f) speed information associated with the one or more device actions; or (g) a combination thereof.
16. An apparatus of claim 15, wherein the apparatus is further caused to:
determine the one or more virtual movements, the one or more physical movements, the speed information, or a combination thereof based, at least in part, on one or more location-based applications.
17. An apparatus according to any of claims 12-16, wherein the apparatus is further caused to:
determine at least one identifier, a portion of the at least one identifier, or a combination thereof associated with the one or more device actions;
wherein the one or more authentication credentials are further based, at least in part, on the at least one identifier, the portion of the at least one identifier, or a combination thereof.
18. An apparatus according to any of claims 12-17, wherein the apparatus is further caused to:
cause, at least in part, a presentation of progress status information during the capture of the user interaction information, the another capture of the one or more inputs, or a combination thereof.
19. An apparatus according to any of claims 12-18, wherein the apparatus is further caused to:
receive one or more authentication requests; and
cause, at least in part, an initiation of the capture of the user interaction information, the another capture of the one or more inputs, the presentation of the one or more authentication credentials, or a combination thereof based, at least in part, on the one or more authentication requests.
20. An apparatus of claim 19, wherein the one or more authentication requests are received from at least one of a user, a user device application, a service platform, a network component, or a combination thereof.
21. An apparatus according to any of claims 12-20, wherein the apparatus is further caused to:
process and/or facilitate a processing of the user interaction information, the one or more inputs, or a combination thereof to normalize the user interaction information, the one or more inputs, or a combination thereof; and
determine that the one or more inputs at least substantially match the user interaction information based, at least in part, on the normalized user interaction information, the normalized one or more inputs, or a combination thereof.
22. An apparatus according to any of claims 12-21, wherein the apparatus is further caused to:
process and/or facilitate a processing of the one or more target inputs to determine one or more targets for receiving the one or more authentication credentials.
23. An apparatus according to any of claims 12-22, wherein the apparatus is a mobile phone further comprising:
user interface circuitry and user interface software configured to facilitate user control of at least some functions of the mobile phone through use of a display and configured to respond to user input; and
a display and display circuitry configured to display at least a portion of a user interface of the mobile phone, the display and display circuitry configured to facilitate user control of at least some functions of the mobile phone.
24. A method comprising:
causing, at least in part, a capture of user interaction, with one or more applications, information associated with a device; and
processing and/or facilitating a processing of the user interaction information with the one or more applications to generate one or more authentication credentials,
wherein the authentication credentials are for accessing one or more services, one or more resources, one or more applications, or a combination thereof.
25. A method of claim 24, further comprising:
causing, at least in part, another capture of one or more inputs that at least substantially match the user interaction information; and
causing, at least in part, access to the one or more services, the one or more resources, the one or more applications, or a combination thereof based, at least in part, on the one or more authentication credentials.
26. A method according to any of claims 24 and 25, wherein the user interaction information includes, at least in part, a sequence of one or more user actions, one or more device actions, or a combination thereof, and wherein the one or more inputs at least substantially match at least a portion of the sequence.
27. A method according to any of claims 24-26, wherein the one or more user actions, the one or more device actions, or a combination thereof include, at least in part: (a) one or more navigation actions within a user interface of the device, within an application of the device, or a combination thereof; (b) one or more virtual movements of the device; (c) one or more physical movements of the device; (d) orientation information of the device; (e) direction information of the device; (f) speed information associated with the one or more device actions; or (g) a combination thereof.
28. A method according to any of claims 24-27, further comprising:
determining the one or more virtual movements, the one or more physical movements, the speed information, or a combination thereof based, at least in part, on one or more location-based applications.
29. A method according to any of claims 24-26, further comprising:
determining at least one identifier, a portion of the at least one identifier, or a combination thereof associated with the one or more device actions;
wherein the one or more authentication credentials are further based, at least in part, on the at least one identifier, the portion of the at least one identifier, or a combination thereof.
30. A method according to any of claims 24-29, further comprising:
causing, at least in part, a presentation of progress status information during the capture of the user interaction information, the another capture of the one or more inputs, or a combination thereof.
31. A method according to any of claims 24-30, further comprising:
receiving one or more authentication requests; and
causing, at least in part, an initiation of the capture of the user interaction information, the another capture of the one or more inputs, the presentation of the one or more authentication credentials, or a combination thereof based, at least in part, on the one or more authentication requests.
32. A method of claim 31, wherein the one or more authentication requests are received from at least one of a user, a user device application, a service platform, a network component, or a combination thereof.
33. A method according to any of claims 24-32, further comprising:
processing and/or facilitating a processing of the user interaction information, the one or more inputs, or a combination thereof to normalize the user interaction information, the one or more inputs, or a combination thereof; and
determining that the one or more inputs at least substantially match the user interaction information based, at least in part, on the normalized user interaction information, the normalized one or more inputs, or a combination thereof.
34. A method according to any of claims 24-33, further comprising:
processing and/or facilitating a processing of the one or more target inputs to determine one or more targets for receiving the one or more authentication credentials.
35. A computer-readable storage medium carrying one or more sequences of one or more instructions which, when executed by one or more processors, cause an apparatus to perform at least a method of any of claims 24-34.
36. An apparatus comprising means for performing a method of any of claims 24-34.
37. An apparatus of claim 36, wherein the apparatus is a mobile phone further comprising:
user interface circuitry and user interface software configured to facilitate user control of at least some functions of the mobile phone through use of a display and configured to respond to user input; and
a display and display circuitry configured to display at least a portion of a user interface of the mobile phone, the display and display circuitry configured to facilitate user control of at least some functions of the mobile phone.
38. A computer program product including one or more sequences of one or more instructions which, when executed by one or more processors, cause an apparatus to at least perform the steps of a method of any of claims 24-34.
39. A method comprising facilitating access to at least one interface configured to allow access to at least one service, the at least one service configured to perform a method of any of claims 24-34.
40. A method comprising facilitating a processing of and/or processing (1) data and/or (2) information and/or (3) at least one signal, the (1) data and/or (2) information and/or (3) at least one signal based, at least in part, on the method of any of claims 24-34.
41. A method comprising facilitating creating and/or facilitating modifying (1) at least one device user interface element and/or (2) at least one device user interface functionality, the (1) at least one device user interface element and/or (2) at least one device user interface functionality based, at least in part, on the method of any of claims 24-34.
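As an added example, not code from the patent or its assignee, the following Python sketches the normalize-then-match step of claims 21 and 33, binds the credential to an application identifier as in claim 17, and accepts a later capture that contains the enrolled sequence as a portion of a longer one (claim 14). The event tuple shape, the speed buckets and the captured events are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed enrollment capture (hypothetical event shape):
# (action, target, speed in screens per second)
ENROLL_CAPTURE = [
    ("open", "maps", 0.4),
    ("open", "maps", 0.4),      # duplicate event from a double-tap
    ("swipe", "left", 2.0),
    ("tilt", "up", 0.3),
    ("tap", "search", 0.5),
]

def speed_bucket(speed):
    """Coarse speed class so small timing differences do not break the match."""
    return "fast" if speed > 1.0 else "slow"

def normalize(events):
    """Canonical form: case-folded tokens, bucketed speed, adjacent repeats collapsed."""
    out = []
    for action, target, speed in events:
        token = (action.lower(), target.lower(), speed_bucket(speed))
        if out and out[-1] == token:
            continue
        out.append(token)
    return tuple(out)

def derive_credential(salt, norm_sequence, app_id):
    """HMAC-SHA256 over the normalized sequence, bound to the application identifier."""
    encoded = "|".join("/".join(t) for t in norm_sequence).encode()
    return hmac.new(salt, app_id.encode() + b"\x00" + encoded, hashlib.sha256).digest()

def enroll(events, app_id, salt=None):
    """Store only the salt, the credential and the sequence length, never the raw capture."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    norm = normalize(events)
    return {"salt": salt, "credential": derive_credential(salt, norm, app_id), "length": len(norm)}

def verify(record, events, app_id):
    """Accept if any contiguous window of the normalized input reproduces the credential."""
    norm = normalize(events)
    n = record["length"]
    for start in range(0, len(norm) - n + 1):
        candidate = derive_credential(record["salt"], norm[start:start + n], app_id)
        if hmac.compare_digest(candidate, record["credential"]):
            return True
    return False
```

The window scan is what lets a later capture with extra leading or trailing actions still match; a credential derived for one application identifier does not verify under another.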

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
IN1591/CHE/2011 2011-05-06
IN1591CH2011 2011-05-06

Publications (1)

Publication Number Publication Date
WO2012152995A1 true WO2012152995A1 (en) 2012-11-15

Family

ID=47138840

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/FI2012/050433 WO2012152995A1 (en) 2011-05-06 2012-05-04 Method and apparatus for navigation-based authentication

Country Status (1)

Country Link
WO (1) WO2012152995A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070150842A1 (en) * 2005-12-23 2007-06-28 Imran Chaudhri Unlocking a device by performing gestures on an unlock image
WO2008067104A1 (en) * 2006-11-30 2008-06-05 Motorola, Inc. Method and apparatus to facilitate using a path to schedule wireless access point support
US7593000B1 (en) * 2008-05-17 2009-09-22 David H. Chin Touch-based authentication of a mobile device through user generated pattern creation
US20100127991A1 (en) * 2008-11-24 2010-05-27 Qualcomm Incorporated Pictorial methods for application selection and activation

Cited By (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10555174B2 (en) 2013-01-23 2020-02-04 Microsoft Technology Licensing, Llc Restricted-use authentication codes
JP2016511867A (en) * 2013-01-23 2016-04-21 マイクロソフト テクノロジー ライセンシング,エルエルシー Restricted use authorization code
US9369870B2 (en) 2013-06-13 2016-06-14 Google Technology Holdings LLC Method and apparatus for electronic device access
WO2014200667A1 (en) * 2013-06-13 2014-12-18 Motorola Mobility Llc Method and apparatus for electronic device access
WO2016091645A1 (en) * 2014-12-08 2016-06-16 Koninklijke Philips N.V. Method, apparatus and system for processing a user input
EA034208B9 (en) * 2015-03-25 2020-03-12 Неитец Сп. З О.О. Method for identification of user's interaction signature
CN107430653A (en) * 2015-03-25 2017-12-01 内泰克有限责任公司 For the method for the interaction signature for identifying user
US10242169B2 (en) 2015-03-25 2019-03-26 Neitec Sp. Z O.O. Method for identification of user's interaction signature
EA034208B1 (en) * 2015-03-25 2020-01-16 Неитец Сп. З О.О. Method for identification of user's interaction signature
WO2016150756A1 (en) * 2015-03-25 2016-09-29 Neitec Sp. Z O.O. Method for identification of user's interaction signature
EP3073404A1 (en) * 2015-03-25 2016-09-28 NEITEC Spólka z ograniczona odpowiedzialnoscia Method for identification of user's interaction signature
CN107430653B (en) * 2015-03-25 2021-04-09 内泰克有限责任公司 Method for identifying an interaction signature of a user
JP2018045719A (en) * 2017-12-18 2018-03-22 株式会社三菱東京Ufj銀行 User authentication device and user authentication program
JP2019029038A (en) * 2018-10-19 2019-02-21 株式会社三菱Ufj銀行 User authentication device and user authentication program
CN112513781A (en) * 2018-12-14 2021-03-16 开利公司 Gesture-based security system
CN112513781B (en) * 2018-12-14 2023-11-03 开利公司 Gesture-based security system
JP2021093149A (en) * 2019-12-06 2021-06-17 チソット・エス アー Method for securely connecting watch to remote server
JP7112468B2 (en) 2019-12-06 2022-08-03 チソット・エス アー How to securely connect your watch to a remote server

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
Ref document number: 12782788; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase
Ref country code: DE
122 Ep: pct application non-entry in european phase
Ref document number: 12782788; Country of ref document: EP; Kind code of ref document: A1