Multi-user strong authentication token
First Claim
Patent Images
1. A method to secure a user'"'"'s interaction with a remotely accessible computer-based application, the method comprising performing at a personal computing device the steps of:
- obtaining transaction data;
displaying the obtained transaction data on a display of the personal computing device for review by the user, wherein an authentication application that is running on the personal computing device displays the obtained transaction data in a transaction data presentation area of the display of the personal computing device;
obtaining a dynamic credential associated with the transaction data;
making the dynamic credential available for verification; and
ensuring at the personal computing device that no window of another application that is running on the personal computing device can partially or entirely hide or obscure the authentication application'"'"'s transaction data presentation area,wherein the transaction data presentation area comprises the entirety or a part of a transaction data displaying window of the authentication application on the display of the personal computing device,the method further comprising the step of ensuring at the personal computing device that no other window of another application that is running on the personal computing device can partially or entirely hide or obscure the authentication application'"'"'s transaction data displaying window, including the authentication application calling one or more operating system functions of an operating system of the personal computing device to ensure or enforce that the transaction data displaying window remains on top.
2 Assignments
0 Petitions
Accused Products
Abstract
Apparatus, methods and systems to secure remotely accessible applications using authentication devices are disclosed. More in particular apparatus, methods and systems are disclosed for thwarting overlay attacks against authentication applications for displaying transaction data and for generating signatures over these transaction data.
-
Citations
62 Claims
-
1. A method to secure a user'"'"'s interaction with a remotely accessible computer-based application, the method comprising performing at a personal computing device the steps of:
-
obtaining transaction data; displaying the obtained transaction data on a display of the personal computing device for review by the user, wherein an authentication application that is running on the personal computing device displays the obtained transaction data in a transaction data presentation area of the display of the personal computing device; obtaining a dynamic credential associated with the transaction data; making the dynamic credential available for verification; and ensuring at the personal computing device that no window of another application that is running on the personal computing device can partially or entirely hide or obscure the authentication application'"'"'s transaction data presentation area, wherein the transaction data presentation area comprises the entirety or a part of a transaction data displaying window of the authentication application on the display of the personal computing device, the method further comprising the step of ensuring at the personal computing device that no other window of another application that is running on the personal computing device can partially or entirely hide or obscure the authentication application'"'"'s transaction data displaying window, including the authentication application calling one or more operating system functions of an operating system of the personal computing device to ensure or enforce that the transaction data displaying window remains on top. - View Dependent Claims (2, 3)
-
-
4. A personal computing device to secure a user'"'"'s interaction with a remotely accessible computer-based application, the personal computing device comprising a display for displaying information to the user, a user input interface for receiving inputs from the user, a memory component storing an operating system software and an authentication application software, and a data processing component for running the operating system software and the authentication application;
- wherein the authentication application is configured to cause the personal computing device to;
obtain transaction data; display the obtained transaction data on the display for review by the user in a transaction data presentation area of the display; obtain a dynamic credential associated with the transaction data; make the dynamic credential available for verification; and ensure that no window of another application that is running on the personal computing device can partially or entirely hide or obscure the authentication application'"'"'s transaction data presentation area; and wherein the transaction data presentation area comprises the entirety or a part of a transaction data displaying window of the authentication application on the display of the personal computing device, and wherein the authentication application is further configured to cause the personal computing device to ensure that no other window of another application that is running on the personal computing device can partially or entirely hide or obscure the authentication application'"'"'s transaction data displaying window by calling one or more operating system functions of the operating system software to ensure or enforce that the transaction data displaying window remains on top. - View Dependent Claims (5, 61)
- wherein the authentication application is configured to cause the personal computing device to;
-
6. A system to secure a user'"'"'s interaction with a remotely accessible computer-based application, the system comprising:
- a remote application server for hosting the remotely accessible computer-based application, an access device for allowing said user'"'"'s interaction with a remotely accessible computer-based application, a credential verification server for verifying validity of a dynamic credential associated with transaction data of the remotely accessible computer-based application, and a personal computing device comprising a display for displaying information to the user, a user input interface for receiving inputs from the user, a memory component storing an operating system software and an authentication application software, and a data processing component for running the operating system software and the authentication application;
wherein the authentication application is configured to cause the personal computing device to;obtain the transaction data; display the obtained transaction data on the display for review by the user in a transaction data presentation area of the display; obtain the dynamic credential associated with the transaction data; make the dynamic credential available for verification; and ensure that no window of another application that is running on the personal computing device can partially or entirely hide or obscure the authentication application'"'"'s transaction data presentation area; and wherein the transaction data presentation area comprises the entirety or a part of a transaction data displaying window of the authentication application on the display of the personal computing device, and wherein the authentication application is further configured to cause the personal computing device to ensure that no other window of another application that is running on the personal computing device can partially or entirely hide or obscure the authentication application'"'"'s transaction data displaying window by calling one or more operating system functions of the operating system software to ensure or enforce that the transaction data displaying window remains on top. - View Dependent Claims (7, 62)
- a remote application server for hosting the remotely accessible computer-based application, an access device for allowing said user'"'"'s interaction with a remotely accessible computer-based application, a credential verification server for verifying validity of a dynamic credential associated with transaction data of the remotely accessible computer-based application, and a personal computing device comprising a display for displaying information to the user, a user input interface for receiving inputs from the user, a memory component storing an operating system software and an authentication application software, and a data processing component for running the operating system software and the authentication application;
-
8. A method to secure a user'"'"'s interaction with a remotely accessible computer-based application, the method comprising performing at a personal computing device the steps of:
-
obtaining transaction data; displaying, by an authentication application running on the personal computing device, the obtained transaction data in a transaction data presentation area of the authentication application on a display of the personal computing device for review by the user; obtaining a dynamic credential associated with the transaction data; making the dynamic credential available for verification; and ensuring that at least the step of making the dynamic credential available for verification is not performed or cannot be successfully performed if the authentication application'"'"'s transaction data presentation area is being hidden or obscured partially or entirely by another window that is not displayed by the authentication application; the method further comprising the steps of; providing at the personal computing device, while performing the step of displaying the obtained transaction data, an approval indication mechanism for the user to indicate an approval or rejection by the user and obtaining by using this mechanism from the user an indication of the user'"'"'s approval or rejection, wherein performing at least the step of making the dynamic credential available for verification is conditional on the authentication application receiving through said approval indication mechanism the indication of the user'"'"'s approval; and ensuring that the approval indication mechanism is disabled if the authentication application'"'"'s transaction data presentation area is being hidden or obscured partially or entirely by the another window; wherein the step of ensuring that the approval indication mechanism is disabled if the authentication application'"'"'s transaction data presentation area is being hidden or obscured partially or entirely by the another window comprises the authentication application calling one or more operating system functions that cause the operating system of the personal computing device to block or not pass to the approval indication mechanism a user input event that indicates a user'"'"'s approval when the authentication application'"'"'s transaction data presentation area is being hidden or obscured partially or entirely by the another window. - View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34)
-
-
35. A personal computing device to secure a user'"'"'s interaction with a remotely accessible computer-based application, the personal computing device comprising a display for displaying information to the user, a user input interface for receiving inputs from the user, a memory component storing an operating system software and an authentication application software, and a data processing component for running the operating system software and the authentication application;
- wherein the authentication application is configured to cause the personal computing device to;
obtain transaction data; display the obtained transaction data in a transaction data presentation area of the authentication application on the display for review by the user; obtain a dynamic credential associated with the transaction data; make the dynamic credential available for verification; and ensure that at least the step of making the dynamic credential available for verification is not performed or cannot be successfully performed if the authentication application'"'"'s transaction data presentation area is being hidden or obscured partially or entirely by another window that is not displayed by the authentication application; and wherein the authentication application is further configured to cause the personal computing device; to provide, while performing the step of displaying the obtained transaction data, an approval indication mechanism for the user to indicate an approval or rejection by the user and to obtain by using this mechanism from the user an indication of the user'"'"'s approval or rejection, wherein making the dynamic credential available for verification is conditional on the authentication application receiving through said approval indication mechanism the indication of the user'"'"'s approval; and to ensure that the approval indication mechanism is disabled if the authentication application'"'"'s transaction data presentation area is being hidden or obscured partially or entirely by the another window; wherein causing the personal computing device to ensure that the approval indication mechanism is disabled if the authentication application'"'"'s transaction data presentation area is being hidden or obscured partially or entirely by the another window comprises the authentication application calling one or more operating system functions that cause the operating system of the personal computing device to block or not pass to the approval indication mechanism a user input event that indicates a user'"'"'s approval when the authentication application'"'"'s transaction data presentation area is being hidden or obscured partially or entirely by the another window.
- wherein the authentication application is configured to cause the personal computing device to;
-
36. A system to secure a user'"'"'s interaction with a remotely accessible computer-based application, the system comprising:
- a remote application server for hosting the remotely accessible computer-based application, an access device for allowing said user'"'"'s interaction with a remotely accessible computer-based application, a credential verification server for verifying the validity of a dynamic credential associated with transaction data of the remotely accessible computer-based application, and a personal computing device comprising a display for displaying information to the user, a user input interface for receiving inputs from the user, a memory component storing an operating system software and an authentication application software, and a data processing component for running the operating system software and the authentication application;
wherein the authentication application is configured to cause the personal computing device to;obtain the transaction data; display the obtained transaction data in a transaction data presentation area of the authentication application on the display of the personal computing device for review by the user; obtain the dynamic credential associated with the transaction data; make the dynamic credential available for verification; and ensure that at least the step of making the dynamic credential available for verification is not performed or cannot be successfully performed if the authentication application'"'"'s transaction data presentation area is being hidden or obscured partially or entirely by another window that is not displayed by the authentication application and wherein the authentication application is further configured to cause the personal computing device; to provide, while performing the step of displaying the obtained transaction data, an approval indication mechanism for the user to indicate an approval or rejection by the user and to obtain by using this mechanism from the user an indication of the user'"'"'s approval or rejection, wherein making the dynamic credential available for verification is conditional on the authentication application receiving through said approval indication mechanism the indication of the user'"'"'s approval; and to ensure that the approval indication mechanism is disabled if the authentication application'"'"'s transaction data presentation area is being hidden or obscured partially or entirely by the another window; wherein causing the personal computing device to ensure that the approval indication mechanism is disabled if the authentication application'"'"'s transaction data presentation area is being hidden or obscured partially or entirely by the another window comprises the authentication application calling one or more operating system functions that cause the operating system of the personal computing device to block or not pass to the approval indication mechanism a user input event that indicates a user'"'"'s approval when the authentication application'"'"'s transaction data presentation area is being hidden or obscured partially or entirely by the another window.
- a remote application server for hosting the remotely accessible computer-based application, an access device for allowing said user'"'"'s interaction with a remotely accessible computer-based application, a credential verification server for verifying the validity of a dynamic credential associated with transaction data of the remotely accessible computer-based application, and a personal computing device comprising a display for displaying information to the user, a user input interface for receiving inputs from the user, a memory component storing an operating system software and an authentication application software, and a data processing component for running the operating system software and the authentication application;
-
37. A method to secure an interaction session of a user with a remotely accessible computer-based application, the method comprising performing at a personal computing device the steps of:
-
obtaining transaction data related to said interaction session; displaying, by an authentication application running on the personal computing device, the obtained transaction data on a first area of a display of the personal computing device for review by the user; obtaining a dynamic credential associated with the transaction data; making, by the authentication application, the dynamic credential available for verification using a second area of the display of the personal computing device; and creating a visually perceptible continuity between the first area and the second area by giving a first visually perceptible element of the first area and a second visually perceptible element of the second area the same common specific value, such that the presence of an overlay window that is not displayed by the authentication application and that partially or entirely hides or obscures the first area and that doesn'"'"'t have a third visually perceptible element with the same value as said common specific value for said first and second visually perceptible elements causes a visually perceptible discontinuity between the overlay window and the second area alerting the user to the presence of said overlay window; wherein the step of making the dynamic credential available for verification using a second area of the display of the personal computing device comprises; providing at the personal computing device an approval indication mechanism for the user to indicate an approval or rejection by the user and obtaining by using this mechanism from the user an indication of the user'"'"'s approval or rejection, whereby the approval indication mechanism comprises a visual approval activation element on the display of the personal computing device that the user must activate to indicate the user'"'"'s approval whereby the visual approval activation element has an activation area that is responsive to an action of the user and whereby the activation area of the visual approval activation element is a part of the second area; and
, if said user'"'"'s approval has been obtained, displaying the dynamic credential on the display of the personal computing device or sending over a data communication network the dynamic credential to a server computer if said user'"'"'s approval has been obtained.- View Dependent Claims (38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58)
-
-
59. A personal computing device to secure an interaction session of a user of the personal computing device with a remotely accessible computer-based application, the personal computing device comprising a display for displaying information to the user, a user input interface for receiving inputs from the user, a memory component storing an operating system software and an authentication application software, and a data processing component for running the operating system software and the authentication application;
- wherein the authentication application is configured to cause the personal computing device to;
obtain transaction data related to said interaction session; display the obtained transaction data on a first area of a display of the personal computing device for review by the user; obtain a dynamic credential associated with the transaction data; make the dynamic credential available for verification using a second area of the display of the personal computing device; and create a visually perceptible continuity between the first area and the second area by giving a first visually perceptible element of the first area and a second visually perceptible element of the second area the same common specific value, such that the presence of an overlay window that is not displayed by the authentication application and that partially or entirely hides or obscures the first area and that doesn'"'"'t have a third visually perceptible element with the same value as said common specific value for said first and second visually perceptible elements causes a visually perceptible discontinuity between the overlay window and the second area alerting the user to the presence of said overlay window wherein making the dynamic credential available for verification using a second area of the display of the personal computing device comprises; providing at the personal computing device an approval indication mechanism for the user to indicate an approval or rejection by the user and obtaining by using this mechanism from the user an indication of the user'"'"'s approval or rejection, whereby the approval indication mechanism comprises a visual approval activation element on the display of the personal computing device that the user must activate to indicate the user'"'"'s approval whereby the visual approval activation element has an activation area that is responsive to an action of the user and whereby the activation area of the visual approval activation element is a part of the second area; and
, if said user'"'"'s approval has been obtained, displaying the dynamic credential on the display of the personal computing device or sending over a data communication network the dynamic credential to a server computer if said user'"'"'s approval has been obtained.
- wherein the authentication application is configured to cause the personal computing device to;
-
60. A system to secure a user'"'"'s interaction session with a remotely accessible computer-based application, the system comprising:
- a remote application server for hosting the remotely accessible computer-based application, an access device for allowing said user'"'"'s interaction session with a remotely accessible computer-based application, a credential verification server for verifying the validity of a dynamic credential associated with transaction data of the remotely accessible computer-based application, and a personal computing device comprising a display for displaying information to the user, a user input interface for receiving inputs from the user, a memory component storing an operating system software and an authentication application software, and a data processing component for running the operating system software and the authentication application;
wherein the authentication application is configured to cause the personal computing device to;obtain transaction data related to said interaction session; display the obtained transaction data on a first area of a display of the personal computing device for review by the user; obtain a dynamic credential associated with the transaction data; make the dynamic credential available for verification using a second area of the display of the personal computing device; and create a visually perceptible continuity between the first area and the second area by giving a first visually perceptible element of the first area and a second visually perceptible element of the second area the same common specific value, such that the presence of an overlay window that is not displayed by the authentication application and that partially or entirely hides or obscures the first area and that doesn'"'"'t have a third visually perceptible element with the same value as said common specific value for said first and second visually perceptible elements causes a visually perceptible discontinuity between the overlay window and the second area alerting the user to the presence of said overlay window wherein making the dynamic credential available for verification using a second area of the display of the personal computing device comprises; providing at the personal computing device an approval indication mechanism for the user to indicate an approval or rejection by the user and obtaining by using this mechanism from the user an indication of the user'"'"'s approval or rejection, whereby the approval indication mechanism comprises a visual approval activation element on the display of the personal computing device that the user must activate to indicate the user'"'"'s approval whereby the visual approval activation element has an activation area that is responsive to an action of the user and whereby the activation area of the visual approval activation element is a part of the second area; and
, if said user'"'"'s approval has been obtained, displaying the dynamic credential on the display of the personal computing device or sending over a data communication network the dynamic credential to a server computer if said user'"'"'s approval has been obtained.
- a remote application server for hosting the remotely accessible computer-based application, an access device for allowing said user'"'"'s interaction session with a remotely accessible computer-based application, a credential verification server for verifying the validity of a dynamic credential associated with transaction data of the remotely accessible computer-based application, and a personal computing device comprising a display for displaying information to the user, a user input interface for receiving inputs from the user, a memory component storing an operating system software and an authentication application software, and a data processing component for running the operating system software and the authentication application;
Specification