Provisioning a device to be an authentication device

Information

  • Patent Grant
  • 12113788
  • Patent Number
    12,113,788
  • Date Filed
    Monday, November 2, 2020
    4 years ago
  • Date Issued
    Tuesday, October 8, 2024
    a month ago
Abstract
In certain embodiments, a web services system receives a request to provision a device, such as a telephone, as an authentication device. The web services system initiates display of an image communicating a key to allow the telephone to capture the image and to send key information associated with the key. The web services system receives the key and determines that the key information is valid. In response to the determination, the web services system sends a seed to the telephone to provision the telephone to be an authentication device. The telephone can use the seed to generate one-time passcodes to access a service of the web services system.
Description
BACKGROUND

Web service systems may require an entity to be authenticated in order to access a service. Authentication may use one, two, or more independent factors to identify an entity, such as a user. As an example, the user may be required to provide information, such as a passcode. As another example, the user may be required to have a device, such as an authentication device. As yet another example, the user may be required to provide biometric data.


In certain situations, the authentication device may generate information required to access a web service. For example, the authentication device may calculate a one-time passcode that the user enters into a computing system. If the one-time passcode is valid, the user may be able to gain access to the web service through the computing system.





BRIEF DESCRIPTION OF THE DRAWINGS


FIG. 1 illustrates an example of a system that may be used to provision a device to be an authentication device and/or allow a device to authorize an operation;



FIG. 2 illustrates an example of an overview of a method for providing authentication information via an image that may be performed by the system of FIG. 1;



FIG. 3 illustrates an example of a method for provisioning a device to be an authentication device that may be performed by the web services system of FIG. 1; and



FIG. 4 illustrates an example of a method for allowing a device to authorize an operation that may be performed by the web services system of FIG. 1.





DESCRIPTION OF EXAMPLE EMBODIMENTS

Certain embodiments may provide for efficient and/or effective provisioning of an authentication device. In certain embodiments, a web services system may receive a request to provision a device, such as a telephone, as an authentication device. The web services system may initiate display of an image that communicates a key. The telephone may capture (for example, photograph) the image, extract the key from the image, and then send key information associated with the key to the web services system. If the key information is valid, the web services system may send a seed to the telephone, which the telephone may use to generate one-time passcodes. The embodiments may be more efficient than requiring a user to read the key from an image and then manually input the key information. The embodiments may be more effective if they avoid user error in reading and/or inputting the key information.


Certain embodiments may allow a device to authorize an operation. In the embodiments, a server may receive a request sent by a device to authorize an operation. The device has a seed. Display of an image encoding a challenge code is initiated to allow the device to capture the image and extract the challenge code. A response authorizing the operation is calculated by the device using the challenge code and the seed. The response is sent by the device to the server. In certain examples, the request may be received over a first channel, and the response may be received over a second channel distinct from the first channel. In other examples, the response is displayed by the device and input by the user.



FIG. 1 illustrates an example of a system that may be used to provision a device to be an authentication device and/or allow a device to authorize an operation. In the illustrated example, system 10 includes a device 20, a computing system 22, a web services system 24, an application server 26, and a communication network 28 coupled as illustrated.


In certain embodiments, web services system 24 receives a request to provision device 20, such as a telephone, as an authentication device. Web services system 24 initiates display of an image communicating a key to allow the telephone to photograph the image and to send the key information. Web services system 24 receives the key information and determines that the key information is valid. In response to the determination, web services system 24 sends a seed to the telephone to provision the telephone to be an authentication device. The telephone can use the seed to generate one-time passcodes to access a service of web services system 24.


In certain embodiments, web services system 24 receives a request sent by device 20 to authorize an operation. Web services system 24 initiates display of an image encoding a challenge code to allow device 20 to capture the image and extract the challenge code. Device 20 calculates a response using the challenge code and a seed, and sends the response to web services system 24. In certain examples, device 20 may send the request over a first channel and the response over a second channel distinct from the first channel. In other examples, device 20 displays the response and a user inputs the response into computing system 22.


Web services system 24 may include one or more computing systems that provide a resource or perform an operation. An example of a resource is a system or a web service that provides communication between devices over a communication network. Web services system 24 may control access to the resource by requiring an entity requesting access to provide authentication information. An operation may be performed for a user in response to authorization from the user. Examples of operations include providing a resource to the user and performing transaction on a resource (such as a bank account) of the user.


In the illustrated example, web services system 24 includes an interface (IF) 40, logic 42, and one or more memories 44. Logic 42 includes one or more processors 46 and applications such as a provisioning module 48, secret generators 50, and an authentication module 52. Provisioning module 48 may be used to provision device 20 to be an authentication device to allow device 20 to generate authentication information. Examples of methods for provisioning device 20 are described in more detail with reference to FIGS. 2 and 3.


Secret generators 50 generate secret information, such as authentication information, and then generate an image that can communication the secret information. Examples of authentication information include passcodes, seeds, and key information such as keys. A passcode may be a string of one or more characters that may be used for authentication, for example, to prove identity and/or gain access to a resource. A character may be a unit of information that may correspond to a grapheme or a symbol such as a letter, number, or punctuation mark. Seeds and keys are described in more detail below.


Authentication information may be used for authentication to access a resource, or may be used to calculate or obtain additional authentication information used to access the resource. For example, authentication information may include a passcode, a value used to calculate a passcode, or key information that may be used to retrieve a passcode. In certain embodiments, authentication information may comprise seed information and/or key information.


In the example, secret generators 50 include a key generator 60 and a seed generator 62. Key generator 60 generates key information that may include a key itself, information used to generate and/or obtain a key, or information generated using a key. A key may be a sequence with pseudo-random characteristics that can be used as an encryption key at one end of communication, and as a decryption key at the other end. Examples of keys include public/private key sets. In certain embodiments, key information may be used to obtain other authentication information, such as a seed. In certain embodiments, a key may be a one-time use key that can be used only once. In other embodiments, a key may be used more than once.


Seed generator 62 generates seed information that may include a seed itself or information used to generate and/or obtain a seed. A seed may be used to calculate one-time passcodes. A one-time (or one-use or single-use) passcode may be a passcode that is valid for a short period of time and/or that may be used only once. Techniques for generating passcodes, such as one-time passcodes, from a seed is described in more detail below.


In the example, secret generators 50 also includes an image generator 68. Image generator 68 generates images that communicate authentication information. An image may include one or more frames. For example, an image may be a photograph with one frame or a video with a sequence of frames. An image may include any suitable number of pixels, where each pixel may have any suitable pixel value. For example, an image may have an array of m×n pixels, where each pixel may have a value representing a particular intensity and/or wavelength. As another example, an image may be a sequence of frames, each frame having a set of one, two, or more pixels, where the set of pixels have one of two (or more) possible values, such as a light or dark value.


An image may communicate information in any suitable manner. As an example, an image may be an optical machine-readable representation of information where patterns of the image correspond to particular information. Examples of such images include graphical codes (such as barcodes or quick response (QR) codes) that have particular geometric patterns (such as squares, dots, polygons, bars, or other shapes) that can be optically scanned to obtain the information.


As another example, an image may include a human-readable representation of information that may be captured and translated into machine-readable information using optical character recognition. For example, such an image may include human-readable characters that can be photographed or scanned and translated to machine-readable information.


As another example, an image may include a digital watermark that embeds information into the image via subtle changes to the image data. For example, steganography hides the information within an object that can conceal the information. Steganographic coding may be placed inside of a transport layer, such as a document file, image file, program, or protocol.


An image may communicate any other suitable information that may be extracted by device 20 and may be sent to web services system 24. For example, an image may communicate an account identifier. A user may have different accounts for different vendors, applications, etc. As another example, a website identifier may be communicated to identify the website for which device 20 is requesting access. As another example, an image may include instructions for contacting a server, such as application server 26.


Authentication module 52 authenticates an entity attempting to access a resource of web services system 24. Authentication module 52 may request authentication information to authenticate the entity and may check whether the authentication information is valid. For example, valid key information may be required to obtain a seed, and a one-time passcode generated from the seed may be required to access a resource.


Device 20 may be any suitable device that can be provisioned to be an authentication device. In certain embodiments, device 20 may be a general computing device, which may comprise a computing system. In certain embodiments, device 20 may be a mobile device, which may be a handheld device that can communicate wirelessly. Examples of mobile devices include telephones (such as cellular, mobile, or smart), digital assistants (such as personal or enterprise), and gaming devices. In other embodiments, device 20 may be a dedicated authentication device that has image capture capabilities.


An authentication device may be a hardware security token that generates passcodes such as one-time passcodes. An authentication device may be used with zero, one, or more other independent authentication factors. For example, in addition to information generated by an authentication device, a passcode and/or biometric data may be required in order to access a resource.


In certain embodiments, device 20 may capture an image communicating secret information and/or extract the information from the image to yield authentication information that may be used to access a service of web services system 24. In the illustrated example, device 20 includes an image capture module 30 and a secret extractor 32. An image capture module 30 may include a camera and/or scanner. Image capture module 30 may capture an image of an object by recording visible or other light reflected and/or emitted from the object. Image capture module 30 may then output image data generated from the recorded light, which may be used to reproduce and/or analyze the image. Device 20 may or may not have a network connection.


Secret extractor 32 extracts authentication information and may use the authentication information or may calculate additional authentication information from the extracted authentication information to access a service. The additional authentication information may be calculated by applying a mathematical function to the extracted authentication information. In certain embodiments, secret extractor 32 calculates passcodes from a seed by applying a mathematical function to the seed and a parameter that changes. Examples of the changing parameter include a time value (such as a current time), a counter value, a previous passcode, or a challenge code sent by web services system 24.


Computing system 22 may comprise any suitable computing system, and may include one or more interfaces, logic, and one or more memories, which are described in more detail below. Computing system 22 include a display 38, which may be a hardware device that can display an image. In certain embodiments, computing system 22 may receive image data and display an image on display 38 according to the image data.


Application server 26 may be a server that provides applications to device 20. In certain embodiments, application server 26 may be an application store that sells an application to device 20 for payment. In certain situations, it may not be desirable for application server 26 to provide applications that include secret information. Accordingly, device 20 may first obtain the application from application server 26 and then obtain secret information from web services system 24.



FIG. 2 illustrates an example of an overview of a method for providing authentication information via an image that may be performed by the system of FIG. 1. In the example, image generator 68 generates an image that communicates authentication information. Image generator 68 facilitates display of the image by sending image data to computing system 22 to display on display 38. Display 38 displays the image. Image capture module 30 of device 20 captures the image. Secret extractor 32 of device 20 receives the image data and extracts the authentication information from the image data. Device 20 then sends the authentication information to authentication module 52 of web services system 24 in order to facilitate access to a service of web services system.


In certain embodiments, web services system 24 receives a request for certification for device 20 to send messages to a server. The request may be generated by a third-party application on device 20 that sends web service requests to the server. Web services system 24 initiates display of an image communicating certification information to allow the device 20 to photograph the image to use the certification information to send the messages to the server. The certification information may be used by the device to calculate a certification and key information.


In certain embodiments, web services system 24 initiates display of an image communicating a challenge code. Device 20 photographs the image to extract the challenge code. Device 20 calculates a response from the authentication information and the challenge code and sends the response to web services system 24. Web services system 24 may allow access based on the response. The challenge-response may using any suitable protocol, such as the Challenge-Handshake Authentication Protocol (CHAP).



FIG. 3 illustrates an example of a method for provisioning device 20 as an authentication device. The method may be performed by software downloaded onto device 20 and/or web services system 24 of FIG. 1. In certain embodiments, web services system 24 may comprise one or more computing systems that perform the method. For example, one computing system may perform the method, or one computing system may perform a portion of the method and one or more other computing systems may perform other portions of the method.


Computing system 22 requests initiation of a provisioning process at step 110. For example, a user may use computing system 22 to log onto a website of web services system 24 and to access a security credentials page of the website. Provisioning module 48 of web services system 24 sends an instruction to obtain an authentication device application from application server 26 at step 114. For example, the security credentials page may display an instruction to download the authentication device application and provide the website address of application server 26.


Device 20 requests the application from application server 26 at step 118. For example, device 20 may access application server 26 using the given website address. In some situations, application server 26 may be an application store, so device 20 may provide payment in exchange for the application. Application server 26 sends the application to the authentication device at step 120. In certain embodiments, the application does not include secret information needed to provision device 20 as an authentication device, so device 20 may still need to obtain the secret information.


Computing system 22 sends a request to provision device 20 as an authentication device, and web services system 24 receives the request at step 124. Key generator 60 of web services system 24 generates a key at step 128. For example, key generator 60 may generate a pseudo-random key. Image generator 68 of web services system 24 generates an image that communicates the key at step 130. For example, image generator 68 may generate image data with a digital watermark that can be used to display an image that communicates the key.


Web services system 24 initiates display of the image at step 134. In certain embodiments, display of the image may be initiated by sending image data that can be used by a display to generate the image. For example, web services system 24 may send the image data to computing system 22 to display the image. Display 38 of computing system 22 displays the image at step 138. Image capture module 30 of device 20 captures the image at step 140. For example, device 20 may photograph the image to yield image data. Secret extractor 32 extracts the key at step 144. For example, secret extractor 32 determines the key from the digital watermark of the image data.


Device 20 sends key information associated with the key to web services system 24 at step 148. The key information may include the key itself or a signature calculated from the key. For example, device 20 may send the key information using a web service call. The key information is determined to be valid at step 150. For example, web services system 24 may check that the key information conforms to accepted parameters, has been assigned, and/or has not been previously used. In certain embodiments, steps 148 and 150 may be omitted. In these embodiments, web services system 24 may send a seed that is encrypted under the key information, and device can use the key information to decrypt the seed.


In response to the determination, web services system 24 sends a seed to device 20 at step 154 to provision device 20 as an authentication device. The seed may be used to generate one-time passcodes (OTPs). Device 20 generates a one-time passcode from the seed to access a website of web services system 24 at step 158. For example, device 20 may apply a mathematical function to the seed to generate the one-time passcode.


Computing system 22 receives the one-time passcode at step 160. For example, the user may read the one-time passcode from device 20 and input the one-time passcode into computing system 22. Computing system 22 sends the one-time passcode, and web services system 24 receives the one-time passcode at step 164. Web services system 24 authenticates the user using the one-time passcode at step 168. Web services system 24 may then allow the user to access a service of system 24.



FIG. 4 illustrates an example of a method for allowing device 20 to authorize an operation. The method may be performed by software downloaded onto device 20 and/or web services system 24 of FIG. 1. In certain embodiments, web services system 24 may comprise one or more computing systems that perform the method. For example, one computing system may perform the method, or one computing system may perform a portion of the method and one or more other computing systems may perform other portions of the method. In certain embodiments, device 20 may have a seed, which may have been obtained according to a method described herein.


Computing system 22 requests initiation of authorization of an operation at step 204. For example, a user may use computing system 22 to log onto a website of web services system 24. In certain embodiments, the request may be sent over a first communication channel.


Web services system 24 initiates display of an image communicating a challenge code at step 210. In certain embodiments, display of the image may be initiated by sending image data that can be used by a display to generate the image. For example, web services system 24 may send the image data to computing system 22 to display the image. In certain embodiments, web services system 24 may also initiate display one or more other images. Examples of other images include: a confirmation screen describing the operation that the user is authorizing; a request for a response authorizing the operation; and a request for a user passcode to be input into device 20.


Display 38 of computing system 22 displays the image at step 214. Image capture module 30 of device 20 captures the image at step 218. For example, device 20 may photograph the image to yield image data. Secret extractor 32 extracts the challenge code at step 220. For example, secret extractor 32 determines the challenge code from the digital watermark of the image data. Device 20 calculates a response using the challenge code and the seed at step 224. For example, the response may be calculated according to the Challenge-Handshake Authentication Protocol (CHAP).


Step 228 and steps 230 through 238 describe examples of ways that device 20 can provide the response to web services system 24. As a first example, device 20 sends the response to web services system 24 using a second communication channel that is distinct from the first communication channel. Distinct channels may have one, two or more, or all links that are different. As a second example, device 20 displays the response at step 230. The user reads the response and inputs the response into computing system 22 at step 234. Computing system 22 send the response to web services system 24 at step 238. In certain embodiments, web services system 24 may also receive other information. For example, web services system 24 may receive confirmation that a valid user passcode has been input into device 20.


Under certain circumstances, examples of the method may defend against confused deputy attacks. For example, the user can independently verify the operation being authorized, so a keylogger cannot steal the one-time passcode and relay it to an attacker to perform a different transaction before the user hits enter.


Modifications, additions, or omissions may be made to the systems and apparatuses disclosed herein without departing from the scope of the invention. The components of the systems and apparatuses may be integrated or separated. Moreover, the operations of the systems and apparatuses may be performed by more, fewer, or other components. For example, the operations of secret generators 50 and authentication module 52 may be performed by one component, or the operations of authentication module 52 may be performed by more than one component. Additionally, operations of the systems and apparatuses may be performed using any suitable logic comprising software, hardware, and/or other logic. As used in this document, “each” refers to each member of a set or each member of a subset of a set.


Modifications, additions, or omissions may be made to the methods disclosed herein without departing from the scope of the invention. The methods may include more, fewer, or other steps. Additionally, steps may be performed in any suitable order.


In certain embodiments, an entity that performs a first step that precedes (such as leads to) a second step may be regarded as facilitating the second step. For example, if an entity performs step A that precedes step B, the entity also facilitates step B. In certain embodiments, a first entity that performs a first step that precedes a second step that may be performed by a second entity may be regarded as allowing the second entity to perform the second step. For example, if a first entity performs step A that precedes step B that may be performed by a second entity, the first entity also allows the second entity to perform step B.


Systems may include one or more computing systems. A component of the systems and apparatuses disclosed herein (such as a general computing device) may include an interface, logic, memory, and/or other suitable element. An interface receives input, sends output, processes the input and/or output, and/or performs other suitable operation. An interface may comprise hardware and/or software.


Logic performs the operations of the component, for example, executes instructions to generate output from input. Logic may include hardware, software, and/or other logic. Logic may be encoded in one or more tangible media and may perform operations when executed by a computer. Certain logic, such as a processor, may manage the operation of a component. Examples of a processor (or processing unit) include one or more computers, one or more microprocessors, one or more applications, and/or other logic.


In particular embodiments, the operations of the embodiments may be performed by one or more computer readable media encoded with a computer program, software, computer executable instructions, and/or instructions capable of being executed by a computer. In particular embodiments, the operations of the embodiments may be performed by one or more computer readable media storing, embodied with, and/or encoded with a computer program and/or having a stored and/or an encoded computer program.


A memory (or memory unit) stores information. A memory may comprise one or more non-transitory, tangible, computer-readable, and/or computer-executable storage media. Examples of memory include computer memory (for example, Random Access Memory (RAM) or Read Only Memory (ROM)), mass storage media (for example, a hard disk), removable storage media (for example, a Compact Disk (CD) or a Digital Video Disk (DVD)), database and/or network storage (for example, a server), and/or other computer-readable medium.


Components of the systems and apparatuses disclosed may be coupled by any suitable communication network such as communication network 28. A communication network may comprise all or a portion of one or more of the following: a public switched telephone network (PSTN), a public or private data network, a local area network (LAN), a metropolitan area network (MAN), a wide area network (WAN), a local, regional, or global communication or computer network such as the Internet, a wireline or wireless network, an enterprise intranet, other suitable communication link, or any combination of any of the preceding.


Although this disclosure has been described in terms of certain embodiments, alterations and permutations of the embodiments will be apparent to those skilled in the art. Accordingly, the above description of the embodiments does not constrain this disclosure. Other changes, substitutions, and alterations are possible without departing from the spirit and scope of this disclosure, as defined by the following claims.

Claims
  • 1. A computer-implemented method, comprising: causing a computing device to capture an image displayed on a first system, wherein the image is obtained from a second system as a result of the first system submitting a request to the second system through a first communication channel to generate the image;determining a challenge code from the image;generating a response based at least in part on the challenge code and a first authentication information, wherein the first authentication information is obtained by the computing device in response to the computing device transmitting an encryption key generated based on another image to the second system; andsubmitting, from the computing device, the response to the second system through a second communication channel, different from the first communication channel, to verify the computing device to perform one or more operations provided by the second system.
  • 2. The computer-implemented method of claim 1, further comprising: obtaining an indication of verification of the computing device to perform the one or more operations provided by the second system; andperforming the one or more operations using at least one or more services provided by the second system based at least in part on the verification.
  • 3. The computer-implemented method of claim 1, wherein the response is generated in accordance with a Challenge-Handshake Authentication Protocol (CHAP).
  • 4. The computer-implemented method of claim 1, wherein the image comprises at least: a quick response (QR) code;a digital watermark; ora barcode.
  • 5. The computer-implemented method of claim 1, wherein the computing device comprises at least a mobile device executing an application to capture the image displayed on the first system.
  • 6. The computer-implemented method of claim 1, wherein performing the one or more operations include using one or more resources provided by the second system.
  • 7. A system, comprising: one or more processors; andmemory that stores computer-executable instructions that are executable by the one or more processors to cause the system to: obtain an image from a first system, wherein the image is obtained as a result of the first system submitting a request that causes a second system to produce the image;extract a challenge code based at least in part on the image;calculate a response based at least in part on the challenge code and a first authentication information obtained as a result of the system transmitting an encryption key determined based on another image to the second system; andtransmit the response to the second system through a first communication channel to verify the system to perform one or more operations provided by the second system.
  • 8. The system of claim 7, wherein the image is displayed on a webpage displayed on the first system.
  • 9. The system of claim 8, wherein the image displayed on the webpage comprises at least: a confirmation screen;a field value to authorize the one or more operations; ora field value for a passcode.
  • 10. The system of claim 7, wherein the instructions to transmit the response to the second system further include instructions that, as a result of being executed by the one or more processors, cause the system to transmit a passcode to the second system, wherein the passcode is generated based at least in part on the first authentication information.
  • 11. The system of claim 7, wherein the first authentication information is a cryptographic seed.
  • 12. The system of claim 7, wherein the challenge code is determined from a digital watermark of the image.
  • 13. A system, comprising: one or more processors; andmemory that stores computer-executable instructions that are executable by the one or more processors to cause the system to: generate an image as a result of obtaining a request from a computing device;cause the image to be displayed on the computing device, the image encoding an encryption key and enabling an authentication application of a device to obtain a first authentication information based at least in part on the image;provide the first authentication information to the device in response to obtaining the encryption key generated based, at least in part, on the image from the device;obtain a passcode generated based at least in part on the first authentication information;validate the authentication application based at least in part on the passcode and the first authentication information matching a second authentication information;generate another image to be displayed on the computing device; andobtain a response from the device generated based at least in part on; the first authentication information, anda challenge code to verify the device to perform one or more operations, the challenge code determined based at least in part on the another image.
  • 14. The system of claim 13, wherein the passcode is generated based at least in part on a first cryptographic seed that is obtained based at least in part on the first authentication information.
  • 15. The system of claim 13, wherein the first authentication information is usable to generate a plurality of passcodes while the authentication application is valid.
  • 16. The system of claim 13, wherein the memory further includes instructions that, as a result of being executed by the one or more processors, cause the system to provide access to one or more services as a result of validating the authentication application.
  • 17. The system of claim 13, wherein the image further comprises a quick response (QR) code.
  • 18. The system of claim 13, wherein the computing device comprises at least a mobile device executing the authentication application.
  • 19. The system of claim 13, wherein the passcode is a one-time passcode that comprises at least one or more alphanumeric characters.
  • 20. The system of claim 13, the passcode is further generated based at least in part on a time value of the computing device.
CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No. 15/488,357, filed Apr. 14, 2017, entitled “PROVISIONING A DEVICE TO BE AN AUTHENTICATION DEVICE,” now U.S. Pat. No. 10,826,892 which is a continuation of U.S. patent application Ser. No. 13/159,711, filed Jun. 14, 2011, entitled “PROVISIONING A DEVICE TO BE AN AUTHENTICATION DEVICE,” now U.S. Pat. No. 9,628,875, the disclosures of which are hereby incorporated herein in their entirety.

US Referenced Citations (129)
Number Name Date Kind
5793966 Amstein et al. Aug 1998 A
6026166 LeBourgeois Feb 2000 A
6215877 Matsumoto Apr 2001 B1
6233232 Chau et al. May 2001 B1
6324581 Xu et al. Nov 2001 B1
6453354 Jiang et al. Sep 2002 B1
6957185 Labaton Oct 2005 B1
6973455 Vahalia et al. Dec 2005 B1
6996722 Fairman Feb 2006 B1
7120631 Vahalia et al. Oct 2006 B1
7155035 Kondo Dec 2006 B2
7650509 Dunning Jan 2010 B1
7685629 White et al. Mar 2010 B1
7783890 Watanabe Aug 2010 B2
7973607 Ciaffi Jul 2011 B1
8112627 Lu et al. Feb 2012 B2
8332323 Stals Dec 2012 B2
8347374 Schneider Jan 2013 B2
8443202 White et al. May 2013 B2
8661254 Sama Feb 2014 B1
8683564 Khan Mar 2014 B2
8745401 Hintz Jun 2014 B1
8838973 Yung Sep 2014 B1
9628875 Roth Apr 2017 B1
10826892 Roth Nov 2020 B2
20010049787 Morikawa Dec 2001 A1
20020095507 Jerdonek Jul 2002 A1
20020095569 Jerdonek Jul 2002 A1
20020099663 Yoshino et al. Jul 2002 A1
20030204726 Kefford Oct 2003 A1
20040187018 Owen Sep 2004 A1
20040228512 Warren Nov 2004 A1
20040250068 Fujisawa Dec 2004 A1
20050104730 Yang May 2005 A1
20050139680 Anttila et al. Jun 2005 A1
20050154896 Widman et al. Jul 2005 A1
20050182843 Reistad et al. Aug 2005 A1
20050188200 Kwok Aug 2005 A1
20050204149 Watanabe Sep 2005 A1
20050251500 Vahalia et al. Nov 2005 A1
20060085844 Buer et al. Apr 2006 A1
20060088166 Karusawa Apr 2006 A1
20060126848 Park Jun 2006 A1
20060136717 Buer et al. Jun 2006 A1
20060136739 Brock Jun 2006 A1
20060161774 Huh et al. Jul 2006 A1
20070067565 Taninaka et al. Mar 2007 A1
20070078938 Hu et al. Apr 2007 A1
20070130472 Buer Jun 2007 A1
20070174198 Kasahara Jul 2007 A1
20070220279 Northcutt et al. Sep 2007 A1
20070220597 Ishida Sep 2007 A1
20070237332 Lyle Oct 2007 A1
20070250923 M'Raihi Oct 2007 A1
20070262852 Yamamura Nov 2007 A1
20080013724 Shamoon et al. Jan 2008 A1
20080034216 Law Feb 2008 A1
20080034440 Holtzman et al. Feb 2008 A1
20080052769 Leone et al. Feb 2008 A1
20080077795 MacMillan Mar 2008 A1
20080083025 Meijer et al. Apr 2008 A1
20080177994 Mayer Jul 2008 A1
20080196084 Hawkes Aug 2008 A1
20080209223 Nandy et al. Aug 2008 A1
20080232563 Chen Sep 2008 A1
20090094687 Jastrebski et al. Apr 2009 A1
20090112753 Gupta et al. Apr 2009 A1
20090122149 Ishii May 2009 A1
20090132819 Lu et al. May 2009 A1
20090150156 Kennewick et al. Jun 2009 A1
20090172402 Tran Jul 2009 A1
20090249076 Reed Oct 2009 A1
20090249077 Gargaro Oct 2009 A1
20090265776 Baentsch et al. Oct 2009 A1
20090282251 Cook et al. Nov 2009 A1
20090285390 Scherer et al. Nov 2009 A1
20090287837 Felsher Nov 2009 A1
20090294539 Kim Dec 2009 A1
20090307767 Semba Dec 2009 A1
20090323959 Hara Dec 2009 A1
20090327138 Mardani et al. Dec 2009 A1
20100017860 Ishida Jan 2010 A1
20100070759 Leon Cobos Mar 2010 A1
20100088754 Ghislanzoni Apr 2010 A1
20100093310 Gbadegesin et al. Apr 2010 A1
20100130171 Palanigounder et al. May 2010 A1
20100131763 Kim May 2010 A1
20100138652 Sela Jun 2010 A1
20100185860 Mishra et al. Jul 2010 A1
20100186074 Stavrou Jul 2010 A1
20100223461 Drader Sep 2010 A1
20100235646 Fu et al. Sep 2010 A1
20100263029 Tohmo Oct 2010 A1
20100275010 Ghirardi Oct 2010 A1
20100310164 Reed Dec 2010 A1
20100313019 Joubert Dec 2010 A1
20110050926 Asano Mar 2011 A1
20110083009 Shamoon et al. Apr 2011 A1
20110113245 Varadarajan May 2011 A1
20110183612 Bregman-Amitai Jul 2011 A1
20110197266 Chu Aug 2011 A1
20110209200 White et al. Aug 2011 A2
20110210171 Brown Sep 2011 A1
20110219427 Hito et al. Sep 2011 A1
20110270751 Csinger Nov 2011 A1
20110276478 Hirson Nov 2011 A1
20110289576 Cheng Nov 2011 A1
20110291797 Tessier et al. Dec 2011 A1
20120011370 Duke Jan 2012 A1
20120054046 Albisu Mar 2012 A1
20120060030 Lamb Mar 2012 A1
20120066120 Ringewald Mar 2012 A1
20120084571 Weis Apr 2012 A1
20120085829 Ziegler Apr 2012 A1
20120089471 Comparelli Apr 2012 A1
20120131331 Benson May 2012 A1
20120138679 Doyle Jun 2012 A1
20120143759 Ritorto, Jr. Jun 2012 A1
20120144461 Rathbun Jun 2012 A1
20120159591 Payne Jun 2012 A1
20120191613 Forbes Jul 2012 A1
20120203697 Morgan Aug 2012 A1
20120272056 Ganesan Oct 2012 A1
20120276868 Martell Nov 2012 A1
20120282893 Kim Nov 2012 A1
20120295580 Corner Nov 2012 A1
20120295587 Paya Nov 2012 A1
20120300931 Ollikainen et al. Nov 2012 A1
20120300938 Kean Nov 2012 A1
Non-Patent Literature Citations (26)
Entry
Sama, U.S. Appl. No. 61/419,640, Specification, Dec. 3, 2010, 10 pages.
Lee, Young Sil; Kim, Nack Hyun; Lim, Hyotaek; Jo, HeungKuk; Lee, Hoon Jae; “Online Banking Authentication System using Mobile-OTP with QR-code”, 5th International Conference on Computer Sciences and Convergence Information Technology, IEEE, Nov. 30-Dec. 2, 2010, pp. 644-648.
Eldefrawy, Mohamed Hamdy; Alghathbar, Knaled; Khan, Muhammad Khurram; “OTP-Based Two-Factor Authentication Using Mobile Phones”, Eighth International Conference on Information Technology: New Generations, IEEE, Apr. 11-13, 2011, pp. 327-331.
Kim, Jae-Jung; Hong, Seng-Phil; A Method of Risk Assessment for Multi-factor Authentication, Journal of Information Processing Systems, vol. 7, No. 1, Mar. 2011, pp. 187-198.
“Getting Started with 2-Step Verification,” Google Accounts Help, retrieved from the internet at <http://www.google.com/support/accounts/bin/static.py?page=guide.cs&guide=1056283&topic=1056285>, Jun. 23, 2011, 2 pages.
Amazon, “AWS Multi-Factor Authentication,” Amazon WebServices, Multi-Factor Authentication, printed Mar. 15, 2011, http://aws.amazon.com/mfa, 2 pages.
Digimarc, “Imperceptible to human senses, Digimarc's digital watermarking technology allows users to embed digital information into audio, images, video and printed materials in a way that is persistent, imperceptible and easily detected by computers and digital devices.”, About Digital Watermarking/Digimarc, printed Mar. 15, 2011, https://www.digimarc.com/tech/dwm.asg, 4 pages.
Doherty et al., “Dynamic Symmetric Key Provisioning Protocol (DSKPP),” Internet Engineering Task Force (IETF), Request for Comments: 6063, Category: Standards Track, ISSN: 2070-1721, Dec. 2010, 106 pages.
Eldefrawy et al., “OTP-Based Two-Factor Authentication Using Mobile Phones,” Eighth International Conference on Information Technology: New Generations, Apr. 11, 2011, 5 pages.
Global Crypto, “Token Authentication,” printed Feb. 24, 2011, http://www.globalcrypto.com/token-authentication/, 1 page.
Google, “Google Authenticator”, Google Apps Administrator Help, printed Apr. 14, 2011, http://www.google.com/support/a/bin/answer.py?answer=l 037451, 2 pages.
Google, “Turning on 2-step verification: Installing Google Authenticator, Google Accounts Help”, printed Apr. 18, 2011, http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=10, 1 page.
Google, “Turning on 2-step verification: Installing Google Authenticator,” Google Accounts Help, printed Apr. 18, 2011, http://www.google.com/support/accounts/bin/answer.py?h1=en&answer=10, 7 pages.
Hsu et al., “Image Authentication based on QR Decomposition and Sinusoid,” The 11th International Conference on Computer Science & Education (ICCSE 2016), Aug. 23-25, 2016, pp. 479-482.
Kamble et al., “Multifactor Authentication using Android Mobile,” IJCA Proceedings on International Conference on Advances in Science and Technology ICAST 2015, published Feb. 25, 2016, pp. 20-23.
Kim et al., “A Method of Risk Assessment for Multi-factor Authentication,” Journal of Information Processing Systems, Mar. 2011, 7(1):187-198.
Lee et al., “Online Banking Authentication System using Mobile-OTP with QR-code”, 5th International Conference on Computer Sciences and Convergence Information Technology, Nov. 30, 2010, 6 pages.
Patel et al., “Problem Statement for Bootstrapping Mobile IPv6 (MIPv6)”, Network Working Group, Request for Comments: 4640, Category: Informational, Sep. 2006, 25 pages.
Phonefactor, “Comparing PhoneFactor to Soft Tokens,” printed Feb. 24, 2011, http://www.phonefactor.com/comparing-phonefactor-soft-tokens, 1 page.
Phonefactor, “FAQs/PhoneFactor,” printed Feb. 24, 2011, http://www.phonefactor.com/how-it-works-faqs, 3 pages.
Phonefactor, “Two-step authentication verifies user logins,” How it Works/PhoneFactor, printed Feb. 24, 2011, http://www.phonefactor.com/how-it-works, 1 page.
Roth et al., “Provisioning a Device to be an Authentication Device,” U.S. Appl. No. 13/159,711, filed Jun. 14, 2011.
Roth et al., U.S. Appl. No. 13/159,840, entitled “Securing Multifactor Authentication,” filed Jun. 14, 2011, 24 pages.
Sama, “Authentication of a Client Using a Mobile Device and an Optical Link,” U.S. Appl. No. 61/419,640, filed Dec. 3, 2010, 10 pages.
Wikipedia, “QR Code,” Wikipedia, the free encyclopedia, printed Mar. 15, 2011, http://en.wikipedia.org/wiki/QR_Code, 1 page.
Wu et al., “Joint SVD and QR Codes for Image Authentication,” Proceedings of APSIPA Annual Summit and Conference 2015, Dec. 16-19, 2015, pp. 1137-1140.
Related Publications (1)
Number Date Country
20210211419 A1 Jul 2021 US
Continuations (2)
Number Date Country
Parent 15488357 Apr 2017 US
Child 17087347 US
Parent 13159711 Jun 2011 US
Child 15488357 US