Methods and systems for secure user authentication

US 9,002,750 B1
Filed: 04/23/2007
Issued: 04/07/2015
Est. Priority Date: 12/09/2005
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for secure user authentication using a one-time password, comprising:

storing, on a first computing device, a one-time password application;

storing on a back-end server a valid personal identification number (PIN) value and a valid shared secret for the user;

receiving entry on the first computing device of a purported PIN value of the user;

dynamically synthesizing a purported shared secret on the first computing device by the one-time password application using the purported PIN value of the user, wherein no part of the valid PIN value is stored on the first computing device;

generating a purported one-time password value on the first computing device based on the purported shared secret;

receiving entry of the purported one-time password value by the back-end server in an attempt to log on the back-end server from a second computing device;

calculating a time frame window of one-time password values by the back-end server and comparing with the one-time password value received; and

allowing log on to the back-end server from the second computing device when a one-time password value in the window corresponds to the received one-time password value.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

For secure user authentication using a one-time password (OTP) application is pre-stored on a device for generating a OTP value responsive to entry of a valid PIN, no part of the PIN is stored on the device and pre-storing on a server the PIN and a valid shared secret for the user. Upon receiving entry a purported PIN, a purported shared secret is dynamically synthesized on the device by the OTP application based on the purported PIN of the user and a purported OTP value is generated based on the purported shared secret. When entry of the purported OTP value is received by the server in an attempt to log on the server from another device, the server cryptographically calculates a purported shared secret based on the purported OTP value, and log on to the server from the other device is allowed if the calculated purported shared secret corresponds to the pre-stored shared secret.

Citations

30 Claims

1. A computer-implemented method for secure user authentication using a one-time password, comprising:
- storing, on a first computing device, a one-time password application;
  
  storing on a back-end server a valid personal identification number (PIN) value and a valid shared secret for the user;
  
  receiving entry on the first computing device of a purported PIN value of the user;
  
  dynamically synthesizing a purported shared secret on the first computing device by the one-time password application using the purported PIN value of the user, wherein no part of the valid PIN value is stored on the first computing device;
  
  generating a purported one-time password value on the first computing device based on the purported shared secret;
  
  receiving entry of the purported one-time password value by the back-end server in an attempt to log on the back-end server from a second computing device;
  
  calculating a time frame window of one-time password values by the back-end server and comparing with the one-time password value received; and
  
  allowing log on to the back-end server from the second computing device when a one-time password value in the window corresponds to the received one-time password value.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29)
- - 2. The method of claim 1, wherein storing the one-time password application on the first computing device further comprises storing the one-time password application on one of a mobile phone, a PDA, a PC, a laptop computer, a hardware token, and an ATM.
  - 3. The method of claim 1, wherein storing the one-time password application on the first computing device further comprises storing an algorithm on the first computing device that employs a moving factor for generating successive different valid one-time password values responsive to receiving entry of the valid PIN value of the user.
  - 4. The method of claim 3, wherein storing the algorithm on the first computing device that employs the moving factor further comprises storing an algorithm on the first computing device that employs an incrementing event counter that is synchronized with an incremental event counter on the back-end server for generating successive different valid one-time passwords responsive to receiving entry of the valid PIN value of the user.
  - 5. The method of claim 3, wherein storing the algorithm on the first computing device that employs the moving factor further comprises storing the algorithm on the first computing device that employs a clock that is synchronized with a clock on the back-end server for generating successive different valid one-time passwords responsive to receiving entry of the valid PIN value of the user.
  - 6. The method of claim 3, wherein storing the algorithm on the first computing device that employs the moving factor further comprises storing the algorithm on the first computing device that employs both an incrementing event counter that is synchronized with an incrementing event counter on the back-end server and a clock that is synchronized with a clock on the back-end server for generating successive different valid one-time passwords in response to receiving entry of the valid PIN of the user.
  - 7. The method of claim 6, wherein storing the algorithm on the first computing device that employs both the incrementing event counter and the clock for generating successive different valid one-time passwords further comprises storing the algorithm on the first computing device that employs both the incrementing event counter and the clock for generating successive different valid one-time passwords within successive moving time windows in response to receiving entry of the valid PIN of the user.
  - 8. The method of claim 1, wherein storing the valid PIN and the valid shared secret for the user on the back-end server further comprises allowing the user to create the valid PIN in an interactive enrollment session between the user at the first computing device and the back-end server.
  - 9. The method of claim 8, wherein storing the valid PIN and the valid shared secret on the back-end server further comprises allowing the user at the first computing device to change the user'"'"'s PIN in a succeeding interactive session between the user at the first computing device and the back-end server.
  - 10. The method of claim 1, wherein storing the valid PIN and the valid shared secret for the user on the back-end server further comprises storing a key for a cryptographic calculation for the user on the back-end server.
  - 11. The method of claim 1, wherein receiving entry on the first computing device of the purported PIN value of the user further comprises receiving entry on the first computing device of one of the valid PIN value of the user and an invalid PIN value.
  - 12. The method of claim 1, wherein dynamically synthesizing the purported shared secret on the first computing device by the one-time password application based on the purported PIN value of the user further comprises employing the purported PIN value as part of an algorithm process to dynamically synthesize the purported shared secret by the one-time password application.
  - 13. The method of claim 1, wherein dynamically synthesizing the purported shared secret on the first computing device by the one-time password application based on the purported PIN value of the user and generating the purported one-time password value on the first computing device based on the purported shared secret further comprises dynamically synthesizing a purported shared secret on the first computing device by the one-time password application based on the purported PIN value of the user and generating the purported one-time password value on the first computing device based on the purported shared secret regardless of whether the purported PIN value is the valid PIN value of the user.
  - 14. The method of claim 1, further comprising denying log on to the back-end server from the second computing device if the calculated window of one-time password values fails to correspond to the received one-time password value.
  - 15. The method of claim 14, further comprising blocking further log on attempts after a pre-determined number of denied attempts to log on to the back-end server.
  - 16. The method of claim 1, further comprising storing a web site verifier function of the one-time password application on the first computing device for generating a valid random challenge code on the first computing device responsive to receiving entry of the valid PIN value on the first computing device.
  - 17. The method of claim 16, further comprising storing a web site verifier function of the shared secret for the user on the back-end server for generating a valid response code responsive to receiving entry of the valid random challenge code from the second computing device when the random challenge code is valid.
  - 18. The method of claim 17, further comprising receiving entry on the first computing device of the purported PIN value and a selection of the web site verifier function on the first computing device.
  - 19. The method of claim 18, further comprising generating the random challenge code for mutual authentication of a web site for the user by the web site verifier function on the first computing device of the user.
  - 20. The method of claim 19, further comprising receiving entry of the random challenge code by the back-end server from the second computing device.
  - 21. The method of claim 20, further comprising cryptographically calculating the response code by the back-end server based on the random challenge code and displaying the calculated response code on the second computing device.
  - 22. The method of claim 21, further comprising receiving entry on the first computing device of the displayed response code and displaying an affirmative indicator on the first computing device if the entered response code corresponds to the generated random challenge code by the web-site verifier function on the first computing device.
  - 23. The method of claim 1, further comprising storing an email verifier function of the one-time password application on the first computing device for generating a valid response code on the first computing device responsive to receiving entry of the valid PIN value and a challenge code associated with an email message received on a second computing device.
  - 24. The method of claim 23, further comprising storing an email verifier function of the shared secret for the user on the back-end server for generating the valid response code responsive to receiving entry of the valid random challenge code from the second computing device when the random challenge code is valid.
  - 25. The method of claim 24, further comprising cryptographically calculating the random challenge code by the back-end server based on the shared secret value and including the calculated challenge code in association with an email.
  - 26. The method of claim 25, further comprising receiving entry on the first computing device of the purported PIN value and a selection of the email verifier function and the random challenge code associated with the email received on the second computing device.
  - 27. The method of claim 26, further comprising generating the response code for authenticating the email for the user by the email verifier function on the first computing device of the user.
  - 28. The method of claim 27, further comprising allowing the user to authenticate the email if the displayed response code corresponds to the response code generated on the first computing device.
  - 29. The method of claim 1, further comprising storing an update function of the one-time password application on the first computing device for initiating any of a token policy change, a one-time password algorithm change, and a parameter update responsive to receiving entry of an update code on the first computing device without requiring a change to the user'"'"'s PIN value.

30. A computer system for secure user authentication using a one-time password, comprising:
- a first computing device storing a one-time password application;
  
  a back-end server storing a valid personal identification number (PIN) value and a valid shared secret for the user;
  
  the first computing device being programmed for receiving entry of a purported PIN value of the user;
  
  the first computing device being further programmed for dynamically synthesizing a purported shared secret on the first computing device using the one-time password application using the purported PIN value of the user, wherein no part of the valid PIN value is stored on the first computing device;
  
  the first computing device being further programmed for generating a purported one-time password value on the first computing device based on the purported shared secret;
  
  the back-end server being programmed for receiving entry of the purported one-time password value by the back-end server in an attempt to log on the back-end server from a second computing device;
  
  the back-end server being further programmed for calculating a time frame window of one-time password values by the back-end server; and
  
  the back-end server being additionally programmed for allowing log on to the back-end server from the second computing device when a calculated one-time password value in the window corresponds to the received one-time password value.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citicorp Credit Services Incorporated (Citigroup Incorporated)
Original Assignee
Citicorp Credit Services Incorporated (Citigroup Incorporated)
Inventors
Chu, Ronald King-Hang, Kogen, Mark, Tan, Warren, Ma, Simon, Smushkovich, Yosif, Glindro, Gerry, Nicholas, Jeffrey William Coyte
Primary Examiner(s)
Myhre, James W

Application Number

US11/789,054
Time in Patent Office

2,906 Days
Field of Search

705/72, 705/55
US Class Current

705/72
CPC Class Codes

G06F 21/123   by using dedicated hardware...

G06F 21/31   User authentication

G06Q 20/4012   Verifying personal identifi...

H04L 2463/102   applying security measure f...

H04L 63/0838   using one-time-passwords

H04L 63/168   above the transport layer

H04W 12/04   Key management, e.g. using ...

H04W 12/068   using credential vaults, e....

H04W 88/02   Terminal devices

Methods and systems for secure user authentication

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and systems for secure user authentication

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links