System and method of inkblot authentication

US 20030191947A1
Filed: 04/30/2003
Published: 10/09/2003
Est. Priority Date: 04/30/2003
Status: Active Grant

First Claim

Patent Images

1. A computerized system, comprising:

an interface to a graphical output device;

an interface to an input device capable of generating alphanumeric characters; and

an inkblot authentication module configured to, at least;

generate an authentication inkblot image definition from an authentication inkblot seed;

issue at least one authentication inkblot image definition to the graphical output device;

receive at least one alphanumeric character corresponding to input received at the input device in response to each displayed authentication inkblot; and

generate authentication information from the at least one alphanumeric character received in response to each displayed authentication inkblot.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method that uses authentication inkblots to help computer system users first select and later recall authentication information from high entropy information spaces. An inkblot authentication module generates authentication inkblots from authentication inkblot seeds. On request, a security authority generates, stores and supplies an authentication inkblot seed set for a user. In response to an authentication inkblot, a user inputs one or more alphanumeric characters. The responses to one or more authentication inkblots serve as authentication information. A user-computable hash of the natural language description of the authentication inkblot is utilized to speed authentication information entry and provide for compatibility with conventional password-based authentication. Authentication with an authentication information match ratio of less than 100% is possible. Authentication inkblot generation methods are disclosed, as well as a detailed inkblot authentication protocol which makes it difficult for users to opt-out of high entropy authentication information generation.

69 Citations

View as Search Results

50 Claims

1. A computerized system, comprising:
- an interface to a graphical output device;
  
  an interface to an input device capable of generating alphanumeric characters; and
  
  an inkblot authentication module configured to, at least;
  
  generate an authentication inkblot image definition from an authentication inkblot seed;
  
  issue at least one authentication inkblot image definition to the graphical output device;
  
  receive at least one alphanumeric character corresponding to input received at the input device in response to each displayed authentication inkblot; and
  
  generate authentication information from the at least one alphanumeric character received in response to each displayed authentication inkblot.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. The system of claim 1, wherein the alphanumeric characters comprise Unicode characters.
  - 3. The system of claim 1, wherein the input device is independent of the graphical output device.
  - 4. The system of claim 1, wherein a user of the input device is able to physically conceal the alphanumeric characters being input on the input device from a person observing the graphical output device.
  - 5. The system of claim 1, wherein the input received at the input device comprises vocal input.
  - 6. The system of claim 1, wherein generating the authentication inkblot image definition from the authentication inkblot seed comprises:
    - initializing a pseudo-random number generator with the authentication inkblot seed; and
      
      determining authentication inkblot parameter values as a function of one or more pseudo-random values generated by the pseudo-random number generator initialized with the authentication inkblot seed.
  - 7. The system of claim 6, wherein the function of one or more pseudo-random values is a linear function.
  - 8. The system of claim 6, wherein the function of one or more pseudo-random values is a polynomial function.
  - 9. The system of claim 6, wherein the function of one or more pseudo-random values results in values greater than a configured minimum and less than a configured maximum.
  - 10. The system of claim 6, wherein the authentication inkblot parameters comprise:
    - a number of blots; and
      
      for each blot;
      
      a blot location;
      
      a blot size;
      
      a blot color; and
      
      a blot rotation.
  - 11. The system of claim 10, wherein the authentication inkblot parameters further comprise:
    - for each blot;
      
      a blot shape; and
      
      a Perlin noise blot shape perturbation;
      
      a number of axes of symmetry; and
      
      for each axis of symmetry;
      
      an offset from the center of an inkblot generation canvas through which the axis of symmetry passes; and
      
      an angle from vertical of the axis of symmetry.
  - 12. The system of claim 1, wherein generating the authentication inkblot image definition from the authentication inkblot seed comprises:
    - initializing a pseudo-random number generator with the authentication inkblot seed;
      
      drawing one or more blots on an authentication inkblot generation canvas and determining each blot parameter value as a function of one or more pseudo-random values generated by the pseudo-random number generator initialized with the authentication inkblot seed; and
      
      reflecting the blots about an axis of symmetry.
  - 13. The system of claim 1, wherein the at least one alphanumeric character received in response to each displayed authentication inkblot is a natural language description of the displayed authentication inkblot.
  - 14. The system of claim 1, wherein the at least one alphanumeric character received in response to each displayed authentication inkblot is a user-computable hash of a natural language description of the displayed authentication inkblot.
  - 15. The system of claim 14, wherein the user-computable hash of the natural language description of the displayed authentication inkblot results in a constant number of alphanumeric characters independent of the length of the natural language description.
  - 16. The system of claim 14, wherein the user-computable hash of the natural language description of the displayed authentication inkblot comprises the first and last characters of the natural language description.
  - 17. The system of claim 1, further comprising a security authority configured to, at least:
    - generate an authentication inkblot seed set for a computer system user; and
      
      respond with the authentication inkblot seed set as the result of a request for the authentication inkblot seed set associated with the computer system user.
  - 18. The system of claim 17, wherein the security authority is further at least configured to store each authentication inkblot seed set to computer system user association.
  - 19. The system of claim 1, wherein the inkblot authentication module is further at least configured to:
    - receive a set of authentication inkblot seeds in a first order;
      
      issue authentication inkblot image definitions generated from the received authentication inkblot seeds to the graphical output device in a second random order;
      
      issue authentication inkblot image definitions generated from the received authentication inkblot seeds to the graphical output device in the first order; and
      
      for each authentication inkblot image definition issued to the graphical output device in the first order, verify that at least one alphanumeric character received in response to the authentication inkblot image definition is the same when the authentication inkblot image definition is issued in the first order as when the authentication inkblot image definition is issued in the second random order.

20. A computer-implemented method, comprising:
- initializing a pseudo-random number generator with an authentication inkblot seed;
  
  drawing one or more blots on an authentication inkblot generation canvas and determining each blot parameter value as a function of one or more pseudo-random values generated by the pseudo-random number generator initialized with the authentication inkblot seed; and
  
  displaying the authentication inkblot generation canvas on a graphical output device.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36)
- - 21. The method according to claim 20, wherein the number of blots drawn on the authentication inkblot generation canvas is a function of one or more pseudo-random values generated by the pseudo-random number generator initialized with the authentication inkblot seed.
  - 22. The method according to claim 20, wherein the pseudo-randomly determined blot parameters comprise:
    - a blot location;
      
      a blot size;
      
      a blot color; and
      
      a blot rotation.
  - 23. The method according to claim 22, wherein the pseudo-randomly determined blot parameters further comprise a Perlin noise blot shape perturbation.
  - 24. The method according to claim 22, wherein the pseudo-randomly determined blot parameters further comprise:
    - a number of jitter application points around the blot perimeter; and
      
      a radial blot perimeter jitter at each of the jitter application points.
  - 25. The method according to claim 22, wherein the pseudo-randomly determined blot parameters further comprise a blot shape.
  - 26. The method according to claim 20, further comprising reflecting the one or more blots on the authentication inkblot generation canvas about one or more axes of symmetry.
  - 27. The method according to claim 26, wherein the number of axes of symmetry is a function of one or more pseudo-random values generated by the pseudo-random number generator initialized with the authentication inkblot seed.
  - 28. The method according to claim 26, wherein each axis of symmetry passes through a point offset from the center of the authentication inkblot generation canvas, and the offset is a function of one or more pseudo-random values generated by the pseudo-random number generator initialized with the authentication inkblot seed.
  - 29. The method according to claim 26, wherein each axis of symmetry is at an angle to the vertical, and the angle is a function of one or more pseudo-random values generated by the pseudo-random number generator initialized with the authentication inkblot seed.
  - 30. The method according to claim 20, further comprising:
    - randomly generating the authentication inkblot seed for a computer system user at a computer system serving as a security authority;
      
      cryptographically hashing the authentication inkblot seed with an identifier for the computer system serving as a security authority;
      
      cryptographically hashing the authentication inkblot seed with an identifier for the computer system user; and
      
      cryptographically hashing the authentication inkblot seed with a last authentication information change timestamp for the computer system user.
  - 31. The method according to claim 20, further comprising:
    - receiving audio data from an input device in response to each displayed authentication inkblot;
      
      biometrically encoding the audio data; and
      
      sending the encoded audio data to a security authority as authentication information.
  - 32. The method according to claim 20, further comprising:
    - receiving one or more alphanumeric characters from an input device in response to each displayed authentication inkblot; and
      
      sending the one or more alphanumeric characters received in response to each displayed authentication inkblot to a security authority as authentication information.
  - 33. The method according to claim 32, wherein the one or more alphanumeric character received in response to each displayed authentication inkblot is a natural language description of the displayed authentication inkblot.
  - 34. The method according to claim 32, wherein the one or more alphanumeric character received in response to each displayed authentication inkblot is a user-computable hash of a natural language description of the displayed authentication inkblot.
  - 35. The method according to claim 34, wherein the user-computable hash of the natural language description of the displayed authentication inkblot results in a constant number of alphanumeric characters independent of the length of the natural language description.
  - 36. The method according to claim 34, wherein the user-computable hash of the natural language description of the displayed authentication inkblot comprises the first and last characters of the natural language description.

37. A computer-readable medium having thereon computer executable instructions for performing a method comprising:
- initializing a pseudo-random number generator with an authentication inkblot seed;
  
  drawing one or more blots on an authentication inkblot generation canvas and determining each blot parameter value as a function of one or more pseudo-random values generated by the pseudo-random number generator initialized with the authentication inkblot seed; and
  
  displaying the authentication inkblot generation canvas on a graphical output device.

38. A computer-implemented authentication protocol, comprising:
- displaying in a random second order an authentication inkblot associated with each authentication inkblot seed in an authentication inkblot seed set having a first order;
  
  receiving in the random second order one or more alphanumeric characters in response to each authentication inkblot displayed in the random second order;
  
  displaying in the first order the authentication inkblot associated with each authentication inkblot seed in the authentication inkblot seed set;
  
  receiving in the first order one or more alphanumeric characters in response to each authentication inkblot displayed in the first order; and
  
  verifying that the one or more alphanumeric characters received in response to each displayed authentication inkblot are the same when the authentication inkblots were displayed in the first order as when the authentication inkblots were displayed in the random second order.
- View Dependent Claims (39, 40, 41, 42, 43, 44, 45)
- - 39. The authentication protocol according to claim 38, further comprising:
    - sending a get new inkblot seeds message incorporating a username parameter that identifies a computer system user; and
      
      receiving the authentication inkblot seed set, the authentication inkblot seed set associated with the user identified by the usemame parameter, newly generated and in the first order.
  - 40. authentication protocol according to claim 38, further comprising sending, if the verification is successful, a set authentication information message incorporating a username parameter that identifies a computer system user and an authentication information parameter that is the concatenation of the one or more alphanumeric characters received in response to each authentication inkblot when displayed in the first order
  - 41. The authentication protocol according to claim 40, further comprising receiving, in response to an authentication inkblot displayed in the random second order, an indication to exclude the authentication inkblot from the authentication inkblot seed set to be associated with the computer system user identified by the username parameter.
  - 42. The authentication protocol according to claim 41, further comprising requesting one or more newly generated authentication inkblot seeds associated with the computer system user identified by the username parameter.
  - 43. The authentication protocol according to claim 38, wherein the one or more alphanumeric characters received in response to each displayed authentication inkblot is a user-computable hash of a natural language description of the displayed authentication inkblot.
  - 44. The authentication protocol according to claim 38, further comprising receiving a change authentication information message incorporating a username parameter that identifies a computer system user.
  - 45. The authentication protocol according to claim 38, further comprising receiving a create new authentication information message incorporating a username parameter that identifies a computer system user.

46. A computer-implemented authentication protocol, comprising:
- displaying an authentication inkblot associated with each authentication inkblot seed in an authentication inkblot seed set associated with a computer system user identified by a username;
  
  receiving one or more alphanumeric characters in response to each displayed authentication inkblot;
  
  sending an authenticate message incorporating the username parameter that identifies the computer system user and an authentication information parameter that is the concatenation of the one or more alphanumeric characters received in response to each displayed authentication inkblot.
- View Dependent Claims (47, 48, 49, 50)
- - 47. The authentication protocol according to claim 46, further comprising receiving the authentication inkblot seed set associated with the user identified by the username parameter.
  - 48. The authentication protocol according to claim 46, further comprising:
    - receiving an initiate inkblot authentication message incorporating the username parameter that identifies the computer system user; and
      
      sending a get inkblot seeds message incorporating the username parameter that identifies a computer system user.
  - 49. The authentication protocol according to claim 46, wherein the one or more alphanumeric characters received in response to each displayed authentication inkblot is a user-computable hash of a natural language description of the displayed authentication inkblot.
  - 50. The authentication protocol according to claim 46, further comprising authenticating the computer system user if an authentication information match ratio is less than 100% and greater than a minimum authentication information match ratio.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Simon, Daniel R., Stubblefield, Adam

Granted Patent

US 7,549,170 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/183
CPC Class Codes

G06F 21/36 by graphic or iconic repres...

System and method of inkblot authentication

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

69 Citations

50 Claims

Specification

Solutions

Use Cases

Quick Links

System and method of inkblot authentication

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

69 Citations

50 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links