Patent Application
20180109517
The following refers to a method for authenticating a user when logging in at an online service.
For using online services, such as mail accounts, online shops, cloud services and the like, users usually have to log in at those services based on an authentication. In many cases, a simple authentication by specifying a user name and a password is used.
In order to enhance the security of a user authentication, the so-called multi factor authentication is known. This authentication is based on more than one factor for verifying the authenticity of a user.
For a two factor authentication, smartcards, USB sticks or mobile phones may be used. In one variant of this authentication, the authentication is coupled to the additional factor that a smartcard or USB stick is inserted in the device at which the user would like to authenticate. In another variant, an authentication code, such as a PIN, is sent to a mobile phone of the user, e.g. via an SMS message. The user needs to input this code on the device at which he would like to authenticate. The above described variants of the two factor authentication have disadvantage. Either additional equipment has to be carried by the user or an authentication code has to be input manually by the user.
An app for mobile phones is known which is an extension of the two factor authentication. When a user has already authenticated via a device, a request is sent to the app on his mobile device. Only in case that the user confirms the request in the app, a login via the device will be performed.
Moreover, the FIDO alliance has published standards where a user can establish an access to different online services via a single app on one device (e.g. a smart phone). If the user has several devices, the app needs to be installed on each device and a binding for the access to the online services has to be established in each device manually.
Document US 2014/0123224 A1 discloses a wireless security device which can be coupled directly with the device at which a user would like to authenticate. This wireless security device can be used for a multi factor authentication.
Document US 2008/098225 A1 discloses a method for authenticating a user according to the preamble of claim 1.
Document WO 2014/146446 A1 describes a method of identity authentication via a login interface on a user interface of an application client. Identity information and an identifier of the application client is obtained and coded by the client. This code is displayed on the user interface of the client. A mobile terminal obtains this code and decodes this code in order to send inter alfa account information of the mobile terminal to an authentication server for authentication.
Document M. Schuba et al.: “Internet ID—Flexible Re-use of Mobile Phone Authentication Security for Service Access”, INTERNET CITATION, November 2004, describes a method for user authentication in identity management systems by the use of a SIM smartcard in a mobile phone.
In document US 2010/0218241 A1, an authentication scheme is disclosed where an initial portion of a password generated by a password server is received at a mobile communication device and where the remaining portion of the password is received at a password client. The initial portion is communicated from the mobile communication device to a network resource server, where it is passed to the password client, which combines it with the remaining portion to produce a complete password. A value calculated from this complete password is sent to the password server which performs an authentication based on this value.
An aspect relates to an easy and secure authentication of a user when logging in at an online service.
The method of the embodiments of the invention is used for authenticating a user when logging in at an online service, where the online service is provided by a server arrangement (i.e. one or more servers). An online service may e.g. be a mail account, an online shop, a cloud service, a mobile payment service and the like. The method of the embodiments of the invention is based on a communication between the online service and a primary device and between the online service and a secondary device. In other words, the primary device and the secondary device are communication devices.
In a step a) of the method, a user identification specified by the user at the secondary device and not including any credential is received by the online service. The term credential is known for a skilled person and refers to a machine readable information concerning the authenticity of the user.
In a step b), an authentication request is transmitted by the online service to the primary device where the primary device is associated with the user identification. In other words, the online service has the information which primary device is associated with the user identification specified in step a). Hence, the online service can address this primary device in an authentication request.
In a step c), an authentication response comprising at least one credential is transmitted by the primary device to the online service. In one variant of step c), the at least one credential originates from a storage in the primary device, i.e. the at least one credential is pre-stored in a storage of the primary device. The at least one credential originating from this storage is only transmitted through the authentication response upon a successful local authentication of the user at the primary device. In other words, the storage can be regarded as a secure storage only giving access to the at least one credential stored therein in case of a successful local authentication of the user at the primary device. Hence, the authentication response including the at least one credential will only be transmitted when a local authentication of the user succeeds. Otherwise, no authentication response or an authentication response not including the at least one credential will be sent by the primary device.
In another variant of step c), the at least one credential is not pre-stored in a storage of the primary device. Instead, the at least one credential is specified by the user at the primary device, e.g. via an input at a user interface of the primary device or by presenting biometric features at the primary device.
In a step d), the user is logged in at the online service and a confirmation of the login is sent to the secondary device in case of a successful verification of the at least one credential by the online service. If the verification is not successful, the method will be terminated without a login. This termination is preferably notified to the user via the primary and/or secondary device. Such a notification is preferably also implemented for the method terminations described later on.
According to the embodiments of the invention, a verification code (e.g. a randomly generated valve) is transmitted to the primary device and stored therein. Preferably, the authentication request transmitted in step b) by the online service includes this verification code. The verification code is also stored in the secondary device. In one embodiment, the verification code is generated and stored in the secondary device, where this verification code is sent via the online service to the primary device which also stores the verification code. Alternatively, the verification code is generated by the online service which transmits this verification code to both the primary device and the secondary device which store this verification code.
There are several alternatives in order to verify the authentication code. In a first alternative, the verification code stored in the primary device is output at a user interface of the primary device and the verification code stored in the secondary device is output at a user interface of the secondary device. The primary device and/or the secondary device enable a user to accept the verification code being output, e.g. by an accept button. A user will accept the verification code in case that the verification codes at both user interfaces coincide. If the user does not accept the verification code, the method is terminated.
In a second alternative, the verification code stored in the primary device is output at a user interface of the primary device and a user interface of the secondary device enables a user to input the verification code output at the user interface of the primary device for a check by the secondary device whether the verification code input at the user interface of the secondary device coincides with the verification code stored in the secondary device.
In a third alternative, the verification code stored in the secondary device is output at a user interface of the secondary device and a user interface of the primary device enables a user to input the verification code output at the user interface of the secondary device for a check by the primary device whether the verification code input at the user interface of the primary device coincides with the verification code stored in the primary device.
According to the embodiments of the invention, a user may check the authenticity of the secondary device by comparing the verification codes output at the user interfaces. This check of authenticity may also be done automatically by the first or secondary device. In both cases, the method can be terminated either manually by the user or automatically by the first or secondary device if the verification codes do not coincide. The verification code may e.g. refer to data randomly generated in the secondary device. However, the verification code may also be an identification of the secondary device.
The method of the embodiments of the invention has the advantage that a single primary device is used as an authenticator device for retrieving the at least one credential needed for the authentication at an online service. Hence, the authentication method may be used with secondary devices which are not trustful because credentials are not specified at the secondary devices due to the use of a primary authenticator device.
In a preferred embodiment, the at least one credential comprises a password and/or a PIN (PIN=Personal identification Number) and/or biometric data, particularly a fingerprint and/or an iris scan.
In another variant of the invention, the local authentication verifies at least one second credential specified by the user at the primary device. Preferably, the at least one second credential also comprises a password and/or a PIN and/or biometric data such as a fingerprint and/or an iris scan.
In another variant of the method according to the invention, the information that the primary device is to be used for authenticating the user is transmitted by the secondary device to the online service in the above step a). Hence, an authentication via the primary device as described above is only performed when a corresponding information is received by the online service. In one embodiment, the transmittal of this information is initiated by the user. If the information is not transmitted in step a), a conventional authentication where the user specifies the at least one credential at the secondary device will be performed.
In another embodiment of the invention, the authentication request transmitted in step b) by the online service includes an identification of the secondary device where the method of the invention is terminated if the secondary device with this identification is not registered for a user login at the online service. E.g., a list of registered secondary devices may be stored in the primary device which compares the received identification with the entries in the list. This variant of the invention ensures that a login can only take place via specific secondary devices.
In a preferred embodiment of the invention, the authentication response transmitted in step c) by the primary device further includes an identification of the primary device where the method is terminated if the identification of the primary device does not refer to the primary device associated with the user identification as mentioned in above step b). This embodiment enhances the security of the authentication process.
In another variant of the invention, the online service communicates with the secondary device via the Internet. However, the communication may also take place via other communication networks. Preferably, the online service communicates with the primary device via the Internet and/or a mobile communication network. In case of a mobile communication network, the authentication request and/or the authentication response is preferably a SMS message.
The primary device used in the method of the invention is preferably a mobile device which can be easily carried by a user. Particularly, the mobile device is a mobile phone and preferably a smartphone.
Besides the above method, the embodiments of the invention refer to a system for authenticating a user when logging in at an online service, comprising a server arrangement providing the online service as well as a primary device and a secondary device, where the online service and the primary device are adapted to communicate with each other and where the online service and the secondary device are adapted to communicate with each other. The system is adapted to perform a method as set forth herein.
The system of the invention is preferably adapted to perform one or more preferred embodiments of the method according to the invention.
Embodiments of the invention also refer to a server arrangement which is configured to be used as a server arrangement in the above system of embodiments of the invention. In other words, the server arrangement is configured to be used as a server arrangement in the method of the invention or one or more preferred embodiments of the method of the invention.
Embodiments of the invention also refer to a communication device which is configured to be used as a primary device in the system of Embodiments of the the invention. In other words, the communication device is configured to be used as a primary device in the method of the invention or one or more preferred embodiments of the method of the invention.
Moreover, embodiments of the invention refer to a communication device which is configured to be used as a secondary device in the system of the invention. In other words, the communication device is configured to be used as a secondary device in the method of the invention or one or more preferred embodiment of the method of the invention.
Some of the embodiments will be described in detail, with references to the following figures, wherein like designations denote like members, wherein:
In the system of
In the scenario of
In order to log in at the online service OS, a user identification (particularly a user name, such as an email address) and a credential (e.g. a password) have to be transmitted to the online service for authentication. It is the basic idea of embodiments of the invention that the user who wishes to log in at the online service always uses his primary device PD in order to authenticate at the online service, irrespective from which (secondary) device the login is initiated. In the scenario of
In a first embodiment of the invention, the credential (e.g. a PIN, a password or a fingerprint) for authenticating at the online service OS is pre-stored in a secure storage on the mobile phone PD where the secure storage can only be accessed after a successful local authentication of the user at the mobile phone PD. A specific app for the phone PD may used in order to manage the credentials for one or more online services. For the local authentication at the phone PD, an additional credential is used. This credential may also be a PIN, a password, a fingerprint and the like.
After having received the user identification ID, the online service OS sends in step S2 an authentication request ARE to the primary device PD instead of waiting for the input of a password or another credential at the secondary device. There is an association between the address of the primary device PD and the user identification ID which is known in the online service. Hence, the online service OS knows which primary device shall be addressed. The receipt of the authentication request ARE will be indicated on the display of the primary device PD. Then the user initiates a transmission of an authentication response ARS from the primary device PD to the online service OS (step S3). The authentication response ARS comprises the credential CR for the online service.
The transmission in step S3 will only be performed in case of a successful local authentication of the user at the phone PD. E.g., the app in the phone handling the authentication for the online service will request the user to input a credential (being different from credential CR) for local authentication. Particularly, the user may be requested to input a password or a PIN or to identify himself via a fingerprint or other biometric data. Upon a successful local authentication, the access to the secure storage in the phone having stored the credential CR is allowed such that the phone can transmit the authentication response ARS. If the transmission in step S3 is not possible because of an unsuccessful local authentication, the method will be terminated without a login.
Upon receipt of the authentication response ARS by the online service OS, a corresponding confirmation CON is transmitted in step S4 to the secondary device SD. This confirmation informs the user that the login at the online service OS was successful so that the user can now use this online service via the secondary device SD.
In the embodiment described herein, the authentication request ARE and the authentication response ARS are sent via the Internet, analogously to the user identification ID. However, in a modified embodiment, the authentication request as well as the authentication response may also be sent via a mobile communication network, e.g. included in corresponding SMS messages received and transmitted by the mobile phone PD.
In another modification of the above embodiment, an identification of the secondary device SD may be transmitted together with the authentication request ARE in step S2. When receiving the authentication request, the primary device will also check if the secondary device according to the received identification is registered, i.e. included in a corresponding list of allowed secondary devices. If the secondary device is not registered, the method will be terminated so that no authentication at the online service will take place.
In another modification of the above embodiment, a verification code is transmitted together with an authentication request ARE. The verification code originates from the secondary device. Preferably, the verification code was randomly generated in the secondary device. E.g., the verification code is a TAN (TAN=transaction number). The original verification code is kept in the secondary device. In other words, a copy of the original verification code is transmitted together with the authentication request ARE. This copy has been sent beforehand from the secondary device to the online service which adds this code to the authentication request ARE.
The verification code can be used in order to verify the authenticity of the secondary device. E.g., the verification code may be output at the display of the primary device PD while the original verification code is output at the display of the secondary device SD. Then, the user can check whether those codes are the same. If so, the secondary device is authentic. If not, the user can terminate the method by a predefined user command at the primary or secondary device. In another variant, the verification code output at the display of the primary device may also be input by the user at the secondary device. The authentication code which has been input is compared with the original authentication code in the secondary device. If those codes do not coincide, an automatic termination of the method is initiated by the secondary device.
Embodiments of the invention may also be implemented based on a second embodiment. The only difference between the first embodiment and the second embodiment results in the fact that the credential CR included in the authentication response ARS transmitted in step S3 is not taken from a secure storage in the primary device PD. Instead, the credential CR which is known to the user is input by him directly at a user interface of the primary device PD. This embodiment has the advantage that the transmission of the authentication response need not be coupled to a local authentication at the primary device.
The above described embodiments of the invention have several advantages. Particularly, a user friendly authentication via a single primary device can be implemented by using standard hardware like smart phones. Furthermore, a user can login at an online service even via potentially insecure secondary devices due to an authentication via a single primary device associated with the user.
The above described first embodiment enables a credential management for a plurality of online services by storing the credentials for each service in a secure storage in the primary device. Hence, a user needs only to memorize a single credential for a local authorization at the primary device. Thus, weak credentials, e.g. trivial passwords, for authentication by the online services can be avoided.
Although the invention has been illustrated and described in greater detail with reference to the preferred exemplary embodiment, the invention is not limited to the examples disclosed, and further variations can be inferred by a person skilled in the art, without departing from the scope of protection of the invention.
For the sake of clarity, it is to be understood that the use of “a” or “an” throughout this application does not exclude a plurality, and “comprising” does not exclude other steps or elements.
This application claims priority to PCT Application No. PCT/EP2015/058731, having a filing date of Apr. 22, 2015, the entire contents of which are hereby incorporated by reference.
| Filing Document | Filing Date | Country | Kind |
|---|---|---|---|
| PCT/EP2015/058731 | 4/22/2015 | WO | 00 |
