Authentication method of random partial digitized path recognition with a challenge built into the path

US 7,849,321 B2
Filed: 08/23/2006
Issued: 12/07/2010
Est. Priority Date: 08/23/2006
Status: Active Grant

First Claim

Patent Images

1. An interactive method for authentication of a client, comprising:

storing data defining a graphical representation of a frame of reference adapted for rendering on a display, the frame of reference including a number N of pre-defined locations in the frame of reference having coordinates on the frame of reference;

storing a data set associated with the client in a memory, the data set including a first shared secret and a second shared secret,the first shared secret comprising data identifying a first plurality of the pre-defined locations defining an ordered path on the frame of reference, andthe second shared secret comprising data identifying a second plurality of the pre-defined locations on the frame of reference;

receiving via a first data communication, a client identifier from the client and initiating an authentication session;

presenting via a second data communication, to the client an instance of the graphical representation of the frame of reference in response to the request for use in the authentication session, includingcomposing the instance by positioning characters in the number N of pre-defined locations according to a pattern different than used in other authentication sessions with the client, the characters consisting of members of a character set including M members, where N is greater than 2M, andin which characters in the second plurality of pre-defined locations identified by the second shared secret comprise a challenge pointing to pre-defined locations on the ordered path in which characters comprising a response are positioned in the instance;

accepting input data from the client via a third data communication, the input data including characters entered by the client using an input device; and

determining whether the input data matches the response pointed to by the challenge and if the input data matches, signaling successful authentication, and if the input data does not match, signaling failed authentication.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An interactive method for authentication is based on two shared secrets, including a first shared secret in the form of an ordered path on the frame of reference, and a second shared secret in the form of locations on the frame of reference at which characters identifying a subset of the ordered path are to be displayed. An instance of the frame of reference comprises a set of characters which is arranged in a random or other irregular pattern. Authentication requires that a user enter the characters in the displayed instance of the frame of reference found in the locations in the random subset of the ordered path by indicating characters either in these locations, or any other locations having the same characters. Thus, a secret challenge identifying the random partial subset is embedded within the displayed instance of the graphical representation of the frame of reference.

Citations

18 Claims

1. An interactive method for authentication of a client, comprising:
- storing data defining a graphical representation of a frame of reference adapted for rendering on a display, the frame of reference including a number N of pre-defined locations in the frame of reference having coordinates on the frame of reference;
  
  storing a data set associated with the client in a memory, the data set including a first shared secret and a second shared secret,the first shared secret comprising data identifying a first plurality of the pre-defined locations defining an ordered path on the frame of reference, andthe second shared secret comprising data identifying a second plurality of the pre-defined locations on the frame of reference;
  
  receiving via a first data communication, a client identifier from the client and initiating an authentication session;
  
  presenting via a second data communication, to the client an instance of the graphical representation of the frame of reference in response to the request for use in the authentication session, includingcomposing the instance by positioning characters in the number N of pre-defined locations according to a pattern different than used in other authentication sessions with the client, the characters consisting of members of a character set including M members, where N is greater than 2M, andin which characters in the second plurality of pre-defined locations identified by the second shared secret comprise a challenge pointing to pre-defined locations on the ordered path in which characters comprising a response are positioned in the instance;
  
  accepting input data from the client via a third data communication, the input data including characters entered by the client using an input device; and
  
  determining whether the input data matches the response pointed to by the challenge and if the input data matches, signaling successful authentication, and if the input data does not match, signaling failed authentication.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, wherein said character set consists of digits 0 to 9.
  - 3. The method of claim 1, wherein said second plurality of pre-defined locations consists of a subset of said first plurality of pre-defined locations along said ordered path.
  - 4. The method of claim 1, wherein said characters are positioned randomly or pseudo-randomly on the instance by a server.
  - 5. The method of claim 1, including presenting to the client from a server via a data communication medium, an input construct for entry of said input data, and wherein said accepting input data from the client includes accepting data based on said input construct.
  - 6. The method of claim 1, including presenting said instance of said graphical representation to the client using a graphical user interface, and the graphical user interface includes input fields for inserting characters to fulfill the challenge.
  - 7. The method of claim 1, including presenting to the client an input construct for account set up, and accepting data from the client based on the input construct, to identify the ordered path.
  - 8. The method of claim 1, including presenting to the client an input construct for account set up, and accepting data from the client based on the input construct, to identify the ordered path, wherein the input construct includes a graphical representation of said frame of reference.
  - 9. The method of claim 1, wherein said ordered path set consists of a continuous ordered path on said frame of reference.
  - 10. The method of claim 1, wherein said ordered path consists of a non-continuous ordered path on said frame of reference.
  - 11. The method of claim 1, wherein said client provides input data in a client system coupled to communication media.
  - 12. The method of claim 1, wherein said client provides input data in a client system, including a browser coupled to communication media.
  - 13. The method of claim 1, including:
    - detecting an attempt to access a protected network resource by the user;
      
      presenting, in response to the detected attempt to access a protected network resource, an interface to the client via a data communication medium, the interface supporting said indicating and said accepting; and
      
      if the input data matches, signaling authentication of the client.
  - 14. The method of claim 1, wherein said data set comprises a client identifier;
    - and includingsupplying to the client via a data communication medium using a process executed by a computer system, a prompt for entry the client identifier; and
      
      accepting at the server data from the client via a data communication medium, the data indicating the client identifier for the client, and verifying that the data indicating the client identifier matches the stored client identifier.

15. An authentication system for a client, comprising:
- data processing resources, including a processor, memory and a communication interface;
  
  data stored in said memory defining a graphical representation of a frame of reference adapted for rendering on a display, the frame of reference including pre-defined locations in the frame of reference having coordinates on the frame of reference;
  
  a data set stored in the memory comprising a client identifier, a first shared secret comprising data identifying a first plurality of the pre-defined locations defining an ordered path on the frame of reference, and a second shared secret comprising data identifying a second plurality of the pre-defined locations on the frame of reference; and
  
  an authentication server comprising executable instructions stored in said memory adapted for execution by the data processing resources, includinglogic to receive via a first data communication, a client identifier from the client and initiate an authentication session;
  
  logic to generate and present to the client an instance of the graphical representation of the frame of reference via a second data communication, for use in the authentication session, including composing the instance by positioning characters in the number N of pre-defined locations according to a pattern different than used in other authentication sessions with the client, the characters consisting of members of a character set including M members, where N is greater than 2M, and in which characters in the second plurality of pre-defined locations identified by the second shared secret comprise a challenge pointing to pre-defined locations on the ordered path in which characters comprising a response are positioned in the instance;
  
  logic to accept input data from the client via a third data communication, the input data including characters entered by the client using an input device; and
  
  logic to determine whether the input data matches the response pointed to by the challenge, and if the input data matches, to signal successful authentication, and if the input data does not match, to signal failed authentication.
- View Dependent Claims (16, 17, 18)
- - 16. The system of claim 15, wherein said character set consists of digits 0 to 9.
  - 17. The system of claim 15, wherein the second plurality of pre-defined locations consists of a subset of the first plurality of pre-defined locations along said ordered path.
  - 18. The system of claim 15, wherein said characters in said instance are randomly or pseudo-randomly generated by a server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Authernative
Original Assignee
Authernative
Inventors
Mizrah, Len L.
Primary Examiner(s)
Arani; Taghi T
Assistant Examiner(s)
LEE, JASON T

Application Number

US11/466,697
Publication Number

US 20080072045A1
Time in Patent Office

1,567 Days
Field of Search

713168-171, 713/182, 726/5, 726/6
US Class Current

713/182
CPC Class Codes

G06F 21/36 by graphic or iconic repres...

G06F 21/83 input devices, e.g. keyboar...

Authentication method of random partial digitized path recognition with a challenge built into the path

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Authentication method of random partial digitized path recognition with a challenge built into the path

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links