Multi-user strong authentication token

US 10,439,822 B2
Filed: 12/28/2018
Issued: 10/08/2019
Est. Priority Date: 09/21/2015
Status: Active Grant

First Claim

Patent Images

1. A method to secure a user'"'"'s interaction with a remotely accessible computer-based application, the method comprising performing at a personal computing device the steps of:

obtaining transaction data;

displaying, by an authentication application running on the personal computing device, the obtained transaction data in a transaction data presentation area of the authentication application on a display of the personal computing device for review by the user;

obtaining a dynamic credential associated with the transaction data;

making the dynamic credential available for verification;

ensuring that at least the step of making the dynamic credential available for verification is not performed or cannot be successfully performed if the authentication application'"'"'s transaction data presentation area is being hidden or obscured partially or entirely by another window that is not displayed by the authentication application;

providing, while performing the step of displaying the obtained transaction data, an approval indication mechanism for the user to indicate an approval or rejection by the user and obtaining by using this mechanism from the user an indication of the user'"'"'s approval or rejection, wherein performing at least the step of making the dynamic credential available for verification is conditional on the authentication application receiving through said approval indication mechanism the indication of the user'"'"'s approval; and

ensuring that the approval indication mechanism is disabled if the authentication application'"'"'s transaction data presentation area is being hidden or obscured partially or entirely by the another window.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Apparatus, methods and systems to secure remotely accessible applications using authentication devices are disclosed. More in particular apparatus, methods and systems are disclosed for thwarting overlay attacks against authentication applications for displaying transaction data and for generating signatures over these transaction data.

6 Citations

23 Claims

1. A method to secure a user'"'"'s interaction with a remotely accessible computer-based application, the method comprising performing at a personal computing device the steps of:
- obtaining transaction data;
  
  displaying, by an authentication application running on the personal computing device, the obtained transaction data in a transaction data presentation area of the authentication application on a display of the personal computing device for review by the user;
  
  obtaining a dynamic credential associated with the transaction data;
  
  making the dynamic credential available for verification;
  
  ensuring that at least the step of making the dynamic credential available for verification is not performed or cannot be successfully performed if the authentication application'"'"'s transaction data presentation area is being hidden or obscured partially or entirely by another window that is not displayed by the authentication application;
  
  providing, while performing the step of displaying the obtained transaction data, an approval indication mechanism for the user to indicate an approval or rejection by the user and obtaining by using this mechanism from the user an indication of the user'"'"'s approval or rejection, wherein performing at least the step of making the dynamic credential available for verification is conditional on the authentication application receiving through said approval indication mechanism the indication of the user'"'"'s approval; and
  
  ensuring that the approval indication mechanism is disabled if the authentication application'"'"'s transaction data presentation area is being hidden or obscured partially or entirely by the another window.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 2. The method of claim 1, wherein at least the step of making the dynamic credential available for verification is not performed or cannot be successfully performed at least as long as the authentication application'"'"'s transaction data presentation area is being hidden or obscured partially or entirely by a window that is not a window of the authentication application.
  - 3. The method of claim 1, wherein the step of ensuring that the approval indication mechanism is disabled if the authentication application'"'"'s transaction data presentation area is being hidden or obscured partially or entirely by the another window comprises the authentication application calling one or more operating system functions that cause the operating system of the personal computing device to block or not pass to the approval indication mechanism a user input event that indicates a user'"'"'s approval when the authentication application'"'"'s transaction data presentation area is being hidden or obscured partially or entirely by the another window.
  - 4. The method of claim 1, further comprising an overlay detection step of the authentication application detecting or verifying whether the authentication application'"'"'s transaction data presentation area is being hidden or obscured partially or entirely by the another window.
  - 5. The method of claim 4, wherein the overlay detection step comprises the authentication application calling one or more operating system functions of the operating system of the personal computing device to detect whether the authentication application'"'"'s transaction data presentation area is being hidden or obscured partially or entirely by the another window.
  - 6. The method of claim 1, comprising an overlay detection step of the authentication application detecting or verifying whether the authentication application'"'"'s transaction data presentation area is being hidden or obscured partially or entirely by the another window and the step of ignoring an indication of the user'"'"'s approval that has been obtained by the approval indication mechanism if it is detected in the overlay detection step that the authentication application'"'"'s transaction data presentation area is being hidden or obscured partially or entirely by the another window.
  - 7. The method of claim 4, wherein performing the step of making the dynamic credential available for verification is conditional on the overlay detection step not indicating that the authentication application'"'"'s transaction data presentation area is being hidden or obscured partially or entirely by the another window.
  - 8. The method of claim 4, further comprising the step of providing the user a visual indication for alerting the user to the presence of an anomaly if the overlay detection step indicates that the authentication application'"'"'s transaction data presentation area is being hidden or obscured partially or entirely by the another window.
  - 9. The method of claim 4, further comprising the step of the authentication application entering a safe mode if the overlay detection step indicates that the authentication application'"'"'s transaction data presentation area is being hidden or obscured partially or entirely by the another window, and the authentication application remaining in the safe mode at least until after the authentication application'"'"'s transaction data presentation area is no longer being hidden or obscured partially or entirely by the another window for at least a minimum period of time.
  - 10. The method of claim 9, wherein as long as the authentication application is in the safe mode, the approval indication mechanism is disabled, or an indication of the user'"'"'s approval that has been obtained by the approval indication mechanism is ignored, or the step of generating the dynamic credential is not performed, or the step of making the dynamic credential available for verification is not performed;
    - orwherein as long as the authentication application is in the safe mode, the authentication application provides a visual indication to alert the user that the authentication application is in the safe mode.
  - 11. The method of claim 1, wherein the approval indication mechanism comprises a visual approval activation element on the display of the personal computing device that the user must activate to indicate the user'"'"'s approval whereby the visual approval activation element has an activation area that is responsive to an action of the user and whereby an area of the display that is covered by the activation area of the visual approval activation element overlaps at least partially with any rectangle on the display that covers all the displayed transaction data.
  - 12. The method of claim 11, whereby at least any part of the activation area of the visual approval activation element that is covered by the another window is not responsive to an action of the user to activate the visual approval activation element;
    - orwhereby at least a part of the displayed transaction data is displayed over the activation area of the visual approval activation element;
      
      orwhereby at least parts of the displayed transaction data are displayed at at least two positions of;
      
      left of, right of, above of or below of the activation area of the visual approval activation element.
  - 13. The method of claim 11, wherein the user activating the visual approval activation element comprises the user clicking or touching or sliding the activation area of the visual approval activation element.
  - 14. The method of claim 13, whereby the visual approval activation element comprises a clickable or touchable button.
  - 15. The method of claim 11, wherein the step of making the dynamic credential available for verification comprises displaying the dynamic credential on the display of the personal computing device whereby the activation area of the visual approval activation element is covered by the displayed transaction data and whereby the area for displaying the dynamic credential is covered by the area for displaying the transaction data, and whereby the dynamic credential is not visible until the user has activated the visual approval activation element.
  - 16. The method of claim 15, whereby activating the visual approval activation element comprises the user touching and sliding at least a part of the visual approval activation element thus sliding away at least a part of the displayed transaction data and revealing a representation of the dynamic credential;
    - or wherein activating the visual approval activation element comprises the user touching and sliding in different directions at least two parts of the visual approval activation element thus sliding away at least a part of the displayed transaction data and revealing a representation of the dynamic credential.
  - 17. The method of claim 16, whereby the user releasing the visual approval activation element results in the displayed transaction data snapping back to the original position and the displayed dynamic credential being no longer visible.
  - 18. The method of claim 1, wherein the step of making the dynamic credential available for verification comprises displaying the dynamic credential on the display of the personal computing device together with the displayed transaction data, whereby the dynamic credential is displayed at the same time and in the same area of the display as the displayed transaction data, such that any rectangle which encloses all the displayed transaction data also encloses at least a part of the dynamic credential.
  - 19. The method of claim 18, whereby the transaction data and the dynamic credential are displayed in an overlapping way or stacked on top of each other;
    - orwhereby the dynamic credential is displayed surrounded by the displayed transaction data.
  - 20. The method of claim 18, wherein a representation of the dynamic credential and a representation of the transaction data on the display have different visual characteristics to enable the user to distinguish the dynamic credential from the transaction data.
  - 21. The method of claim 1, wherein the step of obtaining the dynamic credential associated with the transaction data comprises generating the dynamic credential by cryptographically combining the transaction data with a cryptographic key that comprises or is derived from a secret stored in the personal computing device.

22. A personal computing device to secure a user'"'"'s interaction with a remotely accessible computer-based application, the personal computing device comprising a display for displaying information to the user, a user input interface for receiving inputs from the user, a memory component storing an operating system software and an authentication application software, and a data processing component for running the operating system software and the authentication application;
- wherein the authentication application is configured to cause the personal computing device to;
  
  obtain transaction data;
  
  display the obtained transaction data in a transaction data presentation area of the authentication application on the display for review by the user;
  
  obtain a dynamic credential associated with the transaction data;
  
  make the dynamic credential available for verification;
  
  ensure that at least the step of making the dynamic credential available for verification is not performed or cannot be successfully performed if the authentication application'"'"'s transaction data presentation area is being hidden or obscured partially or entirely by another window that is not displayed by the authentication application; and
  
  provide, while displaying the obtained transaction data, an approval indication mechanism for the user to indicate an approval or rejection by the user and obtain by using this mechanism from the user an indication of the user'"'"'s approval or rejection, wherein making the dynamic credential available for verification is conditional on the authentication application receiving through said approval indication mechanism the indication of the user'"'"'s approval; and
  
  wherein the approval indication mechanism is disabled if the authentication application'"'"'s transaction data presentation area is being hidden or obscured partially or entirely by the another window.

23. A system to secure a user'"'"'s interaction with a remotely accessible computer-based application, the system comprising:
- a remote application server for hosting the remotely accessible computer-based application, an access device for allowing said user'"'"'s interaction with a remotely accessible computer-based application, a credential verification server for verifying the validity of a dynamic credential associated with transaction data of the remotely accessible computer-based application, and a personal computing device comprising a display for displaying information to the user, a user input interface for receiving inputs from the user, a memory component storing an operating system software and an authentication application software, and a data processing component for running the operating system software and the authentication application;
  
  wherein the authentication application is configured to cause the personal computing device to;
  
  obtain the transaction data;
  
  display the obtained transaction data in a transaction data presentation area of the authentication application on the display of the personal computing device for review by the user;
  
  obtain the dynamic credential associated with the transaction data;
  
  make the dynamic credential available for verification; and
  
  ensure that at least the step of making the dynamic credential available for verification is not performed or cannot be successfully performed if the authentication application'"'"'s transaction data presentation area is being hidden or obscured partially or entirely by another window that is not displayed by the authentication application;
  
  provide, while displaying the obtained transaction data, an approval indication mechanism for the user to indicate an approval or rejection by the user and obtain by using this mechanism from the user an indication of the user'"'"'s approval or rejection, wherein performing at least the step of making the dynamic credential available for verification is conditional on the authentication application receiving through said approval indication mechanism the indication of the user'"'"'s approval; and
  
  wherein the approval indication mechanism is disabled if the authentication application'"'"'s transaction data presentation area is being hidden or obscured partially or entirely by the another window.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Onespan North America Incorporated (OneSpan, Inc.)
Original Assignee
Onespan North America Incorporated (OneSpan, Inc.)
Inventors
Fort, Nicolas, Mennes, Frederik, Joly, Ludovic, Teixeron, Guillaume
Primary Examiner(s)
Okeke, Izunna

Application Number

US16/235,151
Publication Number

US 20190140839A1
Time in Patent Office

284 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/42   using separate channels for...

G06F 21/64   Protecting data integrity, ...

G06F 21/84   output devices, e.g. displa...

G06F 3/04847   Interaction techniques to c...

G06F 3/0488   using a touch-screen or dig...

G06Q 20/401   Transaction verification

H04L 63/1466   Active attacks involving in...

H04L 9/3247   involving digital signatures

Multi-user strong authentication token

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

6 Citations

23 Claims

Specification

Use Cases

Quick Links

Others

Multi-user strong authentication token

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

6 Citations

23 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others