Multiple choice challenge-response user authorization system and method

US 7,636,855 B2
Filed: 01/30/2004
Issued: 12/22/2009
Est. Priority Date: 01/30/2004
Status: Active Grant

First Claim

Patent Images

1. A user authentication system, comprising:

a dialogue manager, executed on a processor of the user authentication system, adapted to prompt a user with multiple pass-phrases and requests the user to select a proper subset from the prompted multiple pass-phrase during authentication;

wherein the prompted multiple pass-phrases are formed by selecting one or more pass-phrases from a set of pass-phrases satisfying a rule associated with the user and selecting one or more pass-phrases that do not satisfy the rule associated with user, wherein the rule associated with the user is determined prior to authentication and is not suggested to the user during authentication;

a selection recognizer, executed on the processor of the user authentication system, adapted to recognize user selection of a proper subset of the prompted multiple pass-phrases;

a user input adapted to capture a user biometric from the user selection;

a biometric matching module, executed on the processor of the user authentication system, adapted to perform a biometric match between the user biometric and at least one biometric model associated with a potential user identity, wherein said user identity analysis module is adapted to analyze the potential user identity based on the biometric match between the user biometric and the at least one biometric model; and

a user identity analysis module, executed on the processor of the user authentication system, adapted to analyze at least one potential user identity based on whether the pass-phrases in the proper subset of user selection each satisfy the rule associated with the user, wherein said dialogue manager is adapted to recursively prompt the user with new sets of multiple, selectable pass-phrases randomly assembled from a pass-phrase corpus over multiple dialogue turns, and said user identity analysis module is adapted to combine selection results and biometric match results from each dialogue turn to yield dialogue turn results and combine the dialogue turn results from each dialogue turn to form a cumulative result and authorize the user when the cumulative result exceeds a threshold.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A user authentication system includes a dialogue manager adapted to prompt the user with multiple, selectable pass-phrases. A selection recognizer recognizes user selection of at least one of the multiple, selectable pass-phrases. A user identity analysis module analyzes one or more potential user identities based on adherence of user selection of the pass-phrase to predetermined pass-phrase selection criteria assigned one or more enrolled users.

35 Citations

View as Search Results

39 Claims

1. A user authentication system, comprising:
- a dialogue manager, executed on a processor of the user authentication system, adapted to prompt a user with multiple pass-phrases and requests the user to select a proper subset from the prompted multiple pass-phrase during authentication;
  
  wherein the prompted multiple pass-phrases are formed by selecting one or more pass-phrases from a set of pass-phrases satisfying a rule associated with the user and selecting one or more pass-phrases that do not satisfy the rule associated with user, wherein the rule associated with the user is determined prior to authentication and is not suggested to the user during authentication;
  
  a selection recognizer, executed on the processor of the user authentication system, adapted to recognize user selection of a proper subset of the prompted multiple pass-phrases;
  
  a user input adapted to capture a user biometric from the user selection;
  
  a biometric matching module, executed on the processor of the user authentication system, adapted to perform a biometric match between the user biometric and at least one biometric model associated with a potential user identity, wherein said user identity analysis module is adapted to analyze the potential user identity based on the biometric match between the user biometric and the at least one biometric model; and
  
  a user identity analysis module, executed on the processor of the user authentication system, adapted to analyze at least one potential user identity based on whether the pass-phrases in the proper subset of user selection each satisfy the rule associated with the user, wherein said dialogue manager is adapted to recursively prompt the user with new sets of multiple, selectable pass-phrases randomly assembled from a pass-phrase corpus over multiple dialogue turns, and said user identity analysis module is adapted to combine selection results and biometric match results from each dialogue turn to yield dialogue turn results and combine the dialogue turn results from each dialogue turn to form a cumulative result and authorize the user when the cumulative result exceeds a threshold.
- View Dependent Claims (2, 3, 37, 38, 39)
- - 2. The system of claim 1, wherein said selection recognizer is adapted to recognize a sequence of selections of multiple pass-phrases from the user;
    - and said user identity analysis module is adapted to evaluate correctness of said sequence of selections from the user with respect to a sequence of changing selection criteria associated with the potential user identity.
  - 3. The system of claim 1, wherein said dialogue manager is adapted to employ a pass-phrase selection strategy that constrains assembly by random selection of each pass-phrase in the prompt to ensure that selection criteria assigned to each of plural potential user identities are accommodated in the prompt in a distinguishable fashion complementing a user identity analysis technique of said user identity analysis module.
  - 37. The system of claim 1, wherein the pass-phrase selection criteria are predefined by sub-classes of a pass-phrase corpus that is entirely predefined and pre-classified before the enrollment of the user.
  - 38. The system of claim 37, wherein selection by the user of a presented pass-phrase belonging to a sub-class of the corpus constitutes adherence of user selection to a pass-phrase selection criterion for selecting pass-phrases belonging to that sub-class.
  - 39. The system of claim 1 wherein the rule defines a selection criteria of a given pass-phrase in accordance with a relationship of the given pass-phrase to the prompted multiple pass-phrases.

4. A user authentication system, comprising:
- a dialogue manager, executed on a processor of the user authentication system, adapted to prompt a user with multiple pass-phrases and requests the user to select a proper subset from the prompted multiple pass-phrases during authentication, wherein the prompted multiple pass-phrases are formed by selecting one or more pass-phrases from a set of pass-phrases satisfying a rule associated with the user and selecting one or more pass-phrases that do not satisfy the rule associated with the user, where the rule associated with the user is determined prior to authentication and is not suggested to the user during authentication;
  
  a selection recognizer, executed on the processor of the user authentication system, receptive of at least one user selection input and adapted to recognize user selection of a proper subset of the prompted pass-phrases based on the user selection input;
  
  a user biometric matching module, executed on the processor of the user authentication system, receptive of a user biometric input and adapted to make a match based on biometrics of enrolled users; and
  
  a user identity analysis module, executed on the processor of the user authentication system, adapted to analyze at least one potential user identity based on the match between the pass-phrases in the proper subset and the rule associated with the user,wherein said dialogue manager is adapted to recursively prompt the user with new sets of multiple, selectable pass-phrases randomly assembled from a pass-phrase corpus over multiple dialogue turns, and said user identity analysis module is adapted to combine selection results and biometric match results from each dialogue turn to yield dialogue turn results and combine the dialogue turn results from each dialogue turn to form a cumulative result and authorize the user when the cumulative result exceeds a threshold.
- View Dependent Claims (5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 5. The system of claim 4, wherein said dialogue manager is adapted to assemble the multiple, selectable pass-phrases by random selection of pass-phrases from a pass-phrase corpus.
  - 6. The system of claim 4, wherein said user identity analysis module is adapted to determine a user identity based on cumulative results of multiple dialogue turns, and said dialogue manager is adapted to recursively:
    - (a) assemble new pass-phrases in a prompt presenting the multiple, selectable pass-phrases to the user during a single dialogue turn; and
      
      (b) prompt the user until the user identity is determined.
  - 7. The system of claim 4, wherein said user identity analysis module is adapted to confirm the user identity based on non-adherence of user selection of the pass-phrase to predetermined pass-phrase selection criteria assigned to the user on at least one of a previous dialogue turn or a subsequent dialogue turn.
  - 8. The system of claim 4, wherein said user identity analysis module is adapted to analyze the user identity based on adherence to a sequence of selection criteria, wherein enrolled users are assigned multiple selection criteria constrained to sequential use.
  - 9. The system of claim 4, wherein said dialogue manager is adapted to employ a pass-phrase selection strategy that applies constraints to assembly of the multiple, selectable pass-phrases in a prompt presenting the multiple, selectable pass-phrases to the user during a single dialogue turn by applying the constraints to random selection of each pass-phrase in the prompt to ensure that the selection criteria assigned to each potential user identity are accommodated in the prompt in a distinguishable fashion complementing an analysis technique of said user identity analysis module.
  - 10. The system of claim 4, further comprising a user interface at least one of adapted to conceal the prompt from non-users, adapted to mask the prompt by embedding the prompt among other, distracting prompts, or adapted to employ timing constraints restricting availability of an input function of the interface based on temporal relation to the prompt.
  - 11. The system of claim 4, further comprising a datastore of the selection criteria, wherein the selection criteria are predefined to constrain password selection by at least one of pre-determined pass-phrase characteristics, correlation of pass-phrase characteristics within the prompt, or communication characteristics of pass-phrases within the prompt.
  - 12. The system of claim 4, wherein said dialogue manager is adapted to enroll a user by assigning a selection criterion from at least one of the following categories:
    - (a) pass-phrases containing a given letter;
      
      (b) pass-phrases which rhyme with a given word;
      
      (c) pass-phrases selected from a list;
      
      (d) pass-phrases matching a semantic criterion;
      
      (e) pass-phrases containing double letters;
      
      (f) pass-phrases located in a specific position in a prompt;
      
      (g) pass-phrases having a relationship of at least one of alphabetical order or numerical value with respect to other pass-phrases in a prompt;
      
      (h) pass-phrases belonging to a specific class according to a pass-phrase ontology;
      
      (i) pass-phrases immediately following a pass-phrase matching one of the preceding criteria;
      
      or(j) combinations of the above criteria.
  - 13. The system of claim 4, wherein said dialogue manager is adapted to permit the user to specify at least one of:
    - (a) a letter that must be contained in a selected pass-phrase in accordance with a selection criterion assigned to the user;
      
      (b) a word with which a selected pass-phrase must rhyme in accordance with a selection criterion assigned to the user;
      
      (c) a specific position within a prompt in which a selected pass-phrase must be located in accordance with a selection criterion assigned to the user;
      
      (d) a relationship of at least one of alphabetical order or numerical value with respect to other pass-phrases in a prompt that a selected pass-phrase must exhibit in accordance with a selection criterion assigned to the user;
      
      or(e) a specific class to which a selected pass-phrase must belong in a pass-phrase ontology in accordance with a selection criterion assigned to the user.

14. A method of user verification for use with a secure access control system, comprising the steps of:
- (a) receiving an identity claim of the user;
  
  (b) prompting, by a processor of the secure access control system, the user to select a subset of pass-phrases from multiple pass-phrases which are formed by selecting one or more pass-phrases from a set of pass-phrases satisfying a rule associated with the user and selecting one or more pass-phrases from a set of pass-phrases that do not satisfy the rule, where the rule associated with the user is determined prior to authentication and is not suggested to the user during authentication;
  
  (c) receiving from the user a selection of a sub-set of the prompted pass-phrases, where said selection being received as a biometrically verifiable production of the user;
  
  (d) evaluating, by the processor of the secure access control system, correctness of said selection from the user with respect to the rule associated with the user;
  
  (e) performing, by the processor of the secure access control system, biometric verification of said selection which is received as said biometrically verifiable production to yield biometric verification result;
  
  (f) recursively prompting, by the processor of the secure access control system, the user with new sets of multiple pass-phrases randomly assembled from a pass-phrase corpus over multiple dialogue turns;
  
  (g) combining, by the processor of the secure access control system, selection results and biometric verification results from each dialogue turn to yield dialogue turn results;
  
  (h) combining, by the processor of the secure access control system, the dialogue turn results over the multiple dialogue turns to form a cumulative result and authorizing the user when the cumulative result exceeds a threshold.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The method of claim 14, further comprising:
    - repeating steps (b) through (e); and
      
      imposing a condition that the user must perform prompt selection in contradiction of the selection criteria during at least one repetition of steps (b) through (e).
  - 16. The method of claim 14, further comprising:
    - receiving a sequence of selections of multiple prompts from the user; and
      
      evaluating correctness of said sequence of selections from the user with respect to a sequence of selection criteria associated with the claimed identity.
  - 17. The method of claim 14, further comprising evaluating correctness of said selection from the user with respect to a selection criterion from at least one of the following categories:
    - (a) pass-phrases containing a given letter;
      
      (b) pass-phrases which rhyme with a given word;
      
      (c) pass-phrases selected from a list;
      
      (d) pass-phrases matching a semantic criterion;
      
      (e) pass-phrases containing double letters;
      
      (f) pass-phrases located in a specific position in a prompt;
      
      (g) pass-phrases having a relationship of at least one of alphabetical order or numerical value with respect to other pass-phrases in a prompt;
      
      (h) pass-phrases belonging to a specific class according to a pass-phrase ontology;
      
      (i) pass-phrases immediately following a pass-phrase matching one of the preceding criteria;
      
      or(j) combinations of the above criteria.
  - 18. The method of claim 14, further comprising at least one of concealing the prompt from non-users, masking the prompt by embedding the prompt among other, distracting prompts, or employing timing constraints restricting performance of step (c) based on temporal relation to performance of step (b).

19. A method of user identification for use with a secure access control system, comprising the steps of:
- (a) receiving an activation cue from the user;
  
  (b) prompting, by a processor of the secure access control system, the user to select a subset of pass-phrases from multiple pass-phrases which are formed by selecting one or more pass-phrases from a set of pass-phrases satisfying a rule associated with the user and selecting one or more pass-phrases from a set of pass-phrases that do not satisfy the rule, where the rule associated with the user is determined prior to authentication and is not suggested to the user during authentication;
  
  (c) receiving from the user a selection of a sub-set of the prompted pass-phrases, at least one of said activation cue or said selection being received as a biometrically identifiable production of the user;
  
  (d) performing, by the processor of the secure access control system, biometric identification of at least one of said activation cue or said selection which is received as said biometrically identifiable production to yield biometric identification result;
  
  (e) evaluating, by the processor of the secure access control system, correctness of said selection from the user with respect to the rule associated with the user;
  
  (f) recursively prompting, by the processor of the secure access control system, the user with new sets of multiple pass-phrases randomly assembled from a pass-phrase corpus over multiple dialogue turns;
  
  (g) combining, by the processor of the secure access control system, selection result and biometric identification results from each dialogue turn to yield dialogue turn results;
  
  (h) combining, by the processor of the secure access control system, the dialogue turn results over the multiple dialogue turns to form a cumulative result and authorizing the user when the cumulative result exceeds a threshold.
- View Dependent Claims (20, 21, 22, 23)
- - 20. The method of claim 19, further comprising:
    - repeating steps (b) through (e); and
      
      imposing a condition that the user must perform prompt selection in contradiction of the selection criterion during at least one repetition of steps (b) through (e).
  - 21. The method of claim 19, further comprising:
    - receiving a sequence of selections of multiple pass-phrases from the user; and
      
      evaluating correctness of said sequence of selections from the user with respect to a sequence of selection criteria associated with the potential user identity.
  - 22. The method of claim 19, further comprising evaluating correctness of said selection from the user with respect to a selection criterion from at least one of the following categories:
    - (a) pass-phrases containing a given letter;
      
      (b) pass-phrases which rhyme with a given word;
      
      (c) pass-phrases selected from a list;
      
      (d) pass-phrases matching a semantic criterion;
      
      (e) pass-phrases containing double letters;
      
      (f) pass-phrases located in a specific position in a prompt;
      
      (g) pass-phrases having a relationship of at least one of alphabetical order or numerical value with respect to other pass-phrases in a prompt;
      
      (h) pass-phrases belonging to a specific class according to a pass-phrase ontology;
      
      (i) pass-phrases immediately following a pass-phrase matching one of the preceding criteria;
      
      or(j) combinations of the above criteria.
  - 23. The method of claim 19, further comprising at least one of concealing the prompt from non-users, masking the prompt by embedding the prompt among other, distracting prompts, or employing timing constraints restricting performance of step (c) based on temporal relation to performance of step (b).

24. A user authentication method, comprising:
- prompting, by a processor of a secure access control system, a user with multiple, selectable pass-phrases which are formed by selecting one or more pass-phrases from a set of pass-phrases satisfying a rule associated with the user and selecting one or more pass-phrases from a set of pass-phrases that do not satisfy the rule, where the rule associated with the user is determined prior to authentication and is not suggested to the user during authentication;
  
  receiving at least one user selection input and recognizing user selection of at least one of the pass-phrases based on the user selection input;
  
  making, by the processor of the secure access control system, a match based on biometrics of enrolled users and a user biometric input to yield biometric match result;
  
  analyzing, by the processor of the secure access control system, at least one potential user identity based on the match between the pass-phrases in the user selection and the rule associated with the user;
  
  recursively prompting, by the processor of the secure access control system, the user with new sets of multiple, selectable pass-phrases randomly assembled from a pass-phrase corpus over multiple dialogue turns;
  
  combining, by the processor of the secure access control system, the biometric match results with the selection results from each dialogue turn to yield dialogue turn results;
  
  combining, by the processor of the secure access control system, the dialogue turn results over the multiple dialogue turns to form a cumulative result and authorizing the user when the cumulative result exceeds a threshold.
- View Dependent Claims (25, 26, 27, 28, 29, 30, 31, 32, 33)
- - 25. The method of claim 24, further comprising assembling the multiple, selectable pass-phrases by random selection of pass-phrases from a pass-phrase corpus.
  - 26. The method of claim 24, further comprising:
    - determining a user identity based on cumulative results of multiple dialogue turns;
      
      recursively assembling new pass-phrases; and
      
      prompting the user until the user identity is determined.
  - 27. The method of claim 24, further comprising confirming the user identity based on non-adherence of user selection of the pass-phrase to predetermined pass-phrase selection criteria assigned to the user on at least one of a previous dialogue turn or a subsequent dialogue turn.
  - 28. The method of claim 24, further comprising analyzing the user identity based on adherence to a sequence of selection criteria, wherein enrolled users are assigned multiple selection criteria constrained to sequential use.
  - 29. The method of claim 24, further comprising employing a pass-phrase selection strategy that constrains assembly by random selection of each pass-phrase in the prompt to ensure that selection criteria assigned to each potential user identity are accommodated in the prompt in a distinguishable fashion complementing a user identity analysis.
  - 30. The method of claim 24, further comprising at least one of:
    - concealing the prompt from non-users;
      
      masking the prompt by embedding the prompt among other, distracting prompts;
      
      oremploying timing constraints restricting availability of an input function of an interface based on temporal relation to the prompt.
  - 31. The method of claim 24, further comprising accessing a datastore of selection criteria, wherein the selection criteria relate to at least one of pre-determined pass-phrase characteristics, correlation of pass-phrase characteristics within the prompt, or communication characteristics of pass-phrases within the prompt.
  - 32. The method of claim 24, further comprising enrolling a user by assigning a selection criterion from at least one of the following categories:
    - (a) pass-phrases containing a given letter;
      
      (b) pass-phrases which rhyme with a given word;
      
      (c) pass-phrases selected from a list;
      
      (d) pass-phrases matching a semantic criterion;
      
      (e) pass-phrases containing double letters;
      
      (f) pass-phrases located in a specific position in a prompt;
      
      (g) pass-phrases having a relationship of at least one of alphabetical order or numerical value with respect to other pass-phrases in a prompt;
      
      (h) pass-phrases belonging to a specific class according to a pass-phrase ontology;
      
      (i) pass-phrases immediately following a pass-phrase matching one of the preceding criteria;
      
      or(j) combinations of the above criteria.
  - 33. The method of claim 32, further comprising permitting the user to specify at least one of:
    - (a) a letter that must be contained in a selected pass-phrase in accordance with a selection criterion assigned to the user;
      
      (b) a word with which a selected pass-phrase must rhyme in accordance with a selection criterion assigned to the user;
      
      (c) a specific position within a prompt in which a selected pass-phrase must be located in accordance with a selection criterion assigned to the user;
      
      (d) a relationship of at least one of alphabetical order or numerical value with respect to other pass-phrases in a prompt that a selected pass-phrase must exhibit in accordance with a selection criterion assigned to the user;
      
      or(e) a specific class to which a selected pass-phrase must belong in a pass-phrase ontology in accordance with a selection criterion assigned to the user.

34. A user authentication method, comprising:
- prompting, by a processor of a secure access control system, the user with multiple, selectable pass-phrases which are formed by selecting one or more pass-phrases from a set of pass-phrases satisfying a rule associated with the user and selecting one or more pass-phrases from a set of pass-phrases that do not satisfy the rule, where the rule associated with the user is determined prior to authentication and is not suggested to the user during authentication;
  
  recognizing, by the processor of the secure access control system, user selection of at least one of the multiple, selectable pass-phrases;
  
  analyzing, by the processor of the secure access control system, at least one potential user identity based on adherence of user selection of the pass-phrase to the rule associated with the usercapturing a user biometric from the user selection;
  
  performing, by the processor of the secure access control system, a biometric match between the user biometric and at least one biometric model associated with the potential user identity; and
  
  analyzing, by the processor of the secure access control system, the potential user identity based on the biometric match between the user biometric and the at least one biometric model,recursively prompting the user with new sets of multiple, selectable pass-phrases randomly assembled from a pass-phrase corpus over multiple dialogue turns;
  
  combining, by the processor of the secure access control system, the biometric match result with selection results from each to yield dialogue turn results;
  
  combining, by the processor of the secure access control system, the dialogue turn results over the multiple dialogue turns to form a cumulative result and authorizing the user when the cumulative result exceeds a threshold.
- View Dependent Claims (35, 36)
- - 35. The method of claim 34, further comprising:
    - recognizing a sequence of selections of multiple pass-phrases from the user; and
      
      evaluating correctness of said sequence of selections from the user with respect to a sequence of changing selection criteria associated with the potential user identity.
  - 36. The method of claim 34, further comprising employing a pass-phrase selection strategy that constrains assembly by random selection of each pass-phrase in the prompt to ensure that selection criteria assigned to each of plural potential user identities are accommodated in the prompt in a distinguishable fashion complementing a user identity analysis technique.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Panasonic Intellectual Property Corporation of America (Panasonic Holdings Corporation)
Original Assignee
Panasonic Corporation (Panasonic Holdings Corporation)
Inventors
Morin, Philippe, Applebaum, Ted H.
Primary Examiner(s)
Vu; Kimyen
Assistant Examiner(s)
Patel; Nirav

Application Number

US10/769,276
Publication Number

US 20050171851A1
Time in Patent Office

2,153 Days
Field of Search

713/186, 713/182, 726/2, 726/4, 726 17- 19, 726/1, 726/5, 704/246, 704/251, 704/235, 704/200, 705/50, 705/67, 705/44, 705/18, 340/5.2, 340/5.21, 340/5.8, 340/5.81, 340/5.82, 340/5.84, 340/5.85, 382/115
US Class Current

713/186
CPC Class Codes

G06F 21/32   using biometric data, e.g. ...

G06F 21/40   by quorum, i.e. whereby two...

G06Q 20/3674   involving authentication

G07C 9/37   using biometric data, e.g. ...

Multiple choice challenge-response user authorization system and method

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

35 Citations

39 Claims

Specification

Use Cases

Quick Links

Others

Multiple choice challenge-response user authorization system and method

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

35 Citations

39 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others