Abstract: A method for ID authentication in which equipment involved in a transaction requests a password from a physically separate but limited range communicating device which automatically supplies a password in response to such request and communicates it to the equipment; the password is assessed as valid or invalid and the transaction approved or not accordingly.
ID Authentication
This invention relates to ID authentication.
The usual method for ID authentication is by a PIN, a four or more digit number entered,
for example, on a keyboard of a computer or a keyboard or keypad of a mobile phone in
order to access all or at least some of the functions of such equipment, or entered on a
keypad of a credit or debit card payment terminal in a store, to verify that the card
presenter is the card owner, it being assumed that only the card owner would know the
PIN. For credit and debit cards, the PIN is mailed to the card presenter shortly after the
card is mailed. The PIN is machine-generated and not known to the issuing bank or
credit card company.
However, PINs can be compromised, often by careless usage, but also by, for example,
covert surveillance at automatic tellers or keystroke monitoring software infiltrated on to
a computer.
In some online credit and debit card transactions, a PIN, even though associated with a
card, is not used. Instead, a security number printed on the reverse of the card, is used for
verification purposes. If the card has been stolen, clearly the security number is available
to the thief, and this measure provides no protection at all. It protects only against the use
of card receipts on which the embossed card details are printed, but not, of course, the
security number on the reverse. And it does not, even then, protect very well, as only the
last three digits are requested, and, unlike PIN number guessing, which is a three strikes
and out affair, there is no limit to the number of guesses allowed for the three digit
security number. In such transactions, the fraud may not be detected until the monthly
account is received, and even then may pass unnoticed. Sometimes out-of-character
transactions are spotted by the credit card company, but the practice is prevalent and
costly.
Banks and credit card companies are now using one-time password generating devices to
verify on-line transactions. After log-in, using a PIN or password, the user derives a
security number from such a device and inputs it in response to a screen request. The
numbers generated by the device appear random, but in fact are algorithm-derived
numbers that are checked by the company to see if they have or have not been generated
by the algorithm. Presumably, also, as each number is used, it is stored and a number
used twice is rejected.
These devices are not difficult to use in the context of a desktop computer for online
transactions, but quite difficult with a mobile phone or other mobile hand-held
communication equipment, when the user, who may be walking about, needs to hold the
phone in one hand, the device in the other and somehow press an unfamiliar series of
buttons. They are, in any event, application-specific, usable, for example, only with a
specified bank account or credit card.
A system is known from GB2476989 in which a mobile computing device (equivalent to
"equipment" as used herein) such as a mobile telephone is brought into proximity with an
authentication tag (equivalent to "device" as used herein) comprising a passive RFID tag
within the dimensions of a credit card. The device causes the tag to transmit
authentication data that is validated by the device in order to launch a secure application
such as a payment. Instead of a tag ID, the system can use one-time password creation,
there being a counter on the card and on the device. Each time the authentication card is
used, a new password is created using a cryptographic key, the new password acting as a
new tag ID. This is a very convenient system, as it avoids having to remember a PIN,
and it avoids the need to key in a PIN, which makes it suitable for 'on the go' transactions.
It has a flaw, however, inasmuch as the password on an authentication tag can be read by
another computing device and matched for a validation procedure. If the tag is
comprised in a payment card, a series of fraudulent transactions can take place before
some other countermeasure can be applied.
The present invention provides methods and equipment for ID authentication that have
the same advantages as the system known from GB2476989 and can be used in various
contexts, and that better safeguard against PIN compromise.
The invention comprises a method for ID authentication using communication equipment
that requires entry of a password to authorise its use for carrying out a transaction, in
which the password is supplied by a limited-range communicating device separate from
the communication equipment, the password being a one time password generated by the
communication equipment and transmitted to the device and stored thereon in a password
memory overwritten by a new password at each transaction for use at the next succeeding
transaction, characterised in that the equipment generates the password using an
algorithm unique to the equipment operating on a seed changed at each transaction, and
in that the equipment checks a password supplied to it by the device by applying the
reverse algorithm to generate the seed used to create it.
The seed may be a serial number incremented at each transaction, or a date or time-derived
number or some other number having a recognisable format.
The password is not known to the user of the equipment, and cannot therefore be
compromised in the usual ways.
The equipment may comprise a mobile phone or other mobile device operating in a
cellular network, or a computer communicating over the Internet.
The physical separation means that both the equipment - mobile phone or computer -
and the device would need to be compromised for unauthorised access to be possible.
The mobile phone by itself would not allow ID authentication, which needs also the
device. The device can be kept in a separate pocket or wallet, or might even be
incorporated into an artefact that is somehow attached to the person, as a bracelet,
necklace, ear-ring or wristwatch, making accidental loss of both components unlikely and
theft much more difficult. It could even be implanted, after the fashion of pet ID
microchips.
Equipment and device may be mutually dependent - the equipment may need a password
from the device to operate at all, or at least to perform certain specified functions. And it
may be arranged that the device cannot be operated, in whole or in part, except in
conjunction with the equipment.
The device may comprise, or be comprised in, a credit card, a debit card, charge card,
store card, pre-payment card, stored-value card or other transaction card.
The device may comprise a Radio Spectrum (e.g. RFID or Bluetooth) device
having at least one register that can be written to by the equipment. The device may
carry an ID code and a password, which may be in the same or different registers. The
ID code and password will be read by the equipment in an interrogation procedure.
When the password has been verified, a new password will be overwritten.
A Radio Spectrum device may be passive, powered by induction from the equipment.
The reading range may be small, as the device may be approximated to the equipment. It
may be desired in any event to keep the transmission range small, in order to thwart
eavesdroppers, but it may be convenient to have a range of one or two metres so that
wherever the device is kept about the person it will be within range of the equipment.
A Radio Spectrum device may, however, be active, having its own power source, where
greater range is appropriate.
Another level of security may be added by the usual PIN, known only to the user of the
equipment or device. This PIN may be required to open the equipment for use. This
guards against the chance that the equipment and the device are lost or stolen together.
Further optional levels of security may be added using biometrics such as an iris scan
using e.g. a mobile phone camera, or a fingerprint scan, or voice recognition using, again,
functions on a mobile phone.
The invention also comprises apparatus for carrying out a secure transaction using
communication equipment that requires entry of a password to authorise its use for
carrying out transactions, comprising:
a limited-range communicating device separate from the communication equipment,
having a memory for storing a password;
one-time password generating means in the communication equipment and transmitter
means for transmitting a password generated thereby to the device to be stored in said
memory;
stored password retrieving means in the communication equipment operative during a
transaction to retrieve the stored password to validate the transaction;
retrieved password validating means in the communication equipment;
the password generating means being operative to generate a new password when a
transaction has been validated and transmit it to the device to overwrite the password
stored therein;
characterised in that the password generating means uses an algorithm unique to the
equipment operating on a serial number incremented at each transaction, and in that the
password validating means checks a retrieved password by applying the reverse
algorithm to generate the serial number used to create it, authorising the transaction if it
does, and declining to authorise the transaction if it does not.
Method and equipment for ID authentication according to the invention will now be
described with reference to the accompanying drawings, in which:
Figure 1 is a diagrammatic representation of the method and equipment;
Figure 2 is a diagrammatic representation of a Radio Spectrum device;
Figure 3 is a diagrammatic illustration of the equipment in the environment; and
Figure 4 is a flowchart showing a procedure for ID authentication.
The drawings illustrate a method for ID authentication, in which equipment 11 involved
in a transaction requests a password from a physically separate but limited-range
communicating device 12, which automatically supplies a password in response to such
request and communicates it to the equipment 11; the password is assessed as valid or
invalid and the transaction approved or not accordingly.
The equipment 11 comprises a mobile phone or other mobile device operating in an
environment 14 such as a cellular network, or a computer communicating over the
Internet, with a server 15, which requires ID authentication. This might be a credit or
debit card transaction system, or an online banking portal, or any other entity in which
information is stored.
The physical separation means that both the equipment - mobile phone or computer 11 -
and the device would need to be compromised for unauthorised access to be possible.
A mobile phone by itself would not allow ID authentication, which needs also the device
12. The device 12, for use with a mobile phone or other mobile equipment, can be kept
in a separate pocket or wallet, or might even be incorporated into an artefact that is
somehow attached to the person, such as a bracelet, necklace, ear-ring or wristwatch,
making accidental loss of both components unlikely and theft much more difficult. It
could even be in a body piercing or be implanted, after the fashion of pet ID microchips.
Equipment 11 and device 12 may be mutually dependent - the equipment 11 may need a
password from the device 12 to operate at all, or at least to perform certain specified
functions. And it may be arranged that the device 12 cannot be operated, in whole or in
part, except in conjunction with the equipment 11.
The device 12 may comprise, or be comprised in, a credit card, a debit card, charge card, store
card, pre-payment card, stored-value card or other transaction card. This will facilitate
payment for goods or services using the combination of equipment and device. The card
may be issued by a card company such as American Express, Access or Visa, or it may
be provided, as, indeed, may any other manifestation of the device, by the company
providing the equipment. Software for use in the arrangement may be provided already
built in to the device or as an application or other downloadable module.
The password is a one-time password. The device 12 comprises a one-time password
generator, generating passwords recognised by the equipment.
The device as illustrated comprises a Radio Spectrum device 13 having at least one
register, as illustrated, four registers 1 - 4, at least one of which can be written to by the
equipment 11. The device 13, for example, carries an ID code in one of the registers and
a password, in the same register or a different register. The ID code and password will be
read by the equipment in an interrogation procedure. When the password has been
verified, the equipment 11 will generate a new password that will be transmitted to the
device 13 to overwrite the password just read. Passwords are produced by an algorithm
from serial numbers or from a date or time value, or some other number having a
recognisable format.
Thus, the equipment can generate a password which might for example be a number
calculated from a serial number, starting, say, at 11111, by an algorithm that calculates,
say, three further digits, which might be 125. In an initialising operation, this password -
11111125 - will be read to a register on the chip 13. The password does not need to be
stored in the equipment 11. When a transaction needs to be authenticated, the equipment
11 reads the data in the registers on the chip 13. If the ID data is correct, it reads the
password. It then applies a reverse algorithm to the password and if this generates the
serial number 11111, it is accepted and the transaction authorised. The equipment 11
then generates, using the same algorithm, a new password from the next unused serial
number 11112, which might be 11112479, and overwrites this as the new password on
the chip.
The Radio Spectrum device 13 may be passive, powered by induction from the
equipment. The reading range will be small, but the device 12 may be approximated as
close as necessary to the equipment 11. It will be desired in any event to keep the
transmission range small, in order to thwart eavesdroppers, but it may be convenient to
have a range of one or two metres so that wherever the device is kept about the person it
will be within range of the equipment.
A Radio Spectrum device may, however, be active, having its own power source, where
greater range is appropriate.
Figure 4 is a flowchart for an ID authenticating operation,
At step I the equipment 11 receives an authentication request and initiates the procedure
by searching for the device 12 at step II. If the device is not in range, a "DEVICE NOT
PRESENT" message is displayed, step III, until a decision is taken at step V that the
program has timed out or a device is presented. If the program times out, a "DEVICE
NOT PRESENTED" message is displayed and the operation terminated at step VI. If a
device 12 is detected, the equipment reads its ID at step IV. It checks the ID at step VII.
If the ID is incorrect, it causes "INCORRECT CARD" to be displayed and terminates the
transaction at step VIII. If the ID corresponds to the ID stored in the equipment, it moves
to step IX, where it reads the device password and operates on it with an algorithm that is
the inverse of the algorithm that produced the password.
This should produce an integer serial number nnnn, from which the password was
computed, which number is stored in the equipment, and this is checked at step X. If it
does not, the password is incorrect, and the equipment causes "INCORRECT
PASSWORD" to be displayed and terminates the transaction at step XI. It may also take
other action, such as transmitting an advisory message. If it does produce the correct
serial number, the password is correct, and the equipment moves on to step XII in which
it generates a new password by adding 1 to the serial number to make a new seed (nnnn
+ 1), storing that new seed for use in the next transaction, and applies the password-generating
algorithm to it to generate a new password, overwriting, at step XIII, the
password on the device with this new password. It then takes at step XIV whatever
action is required on authentication of the device ID and terminates the authentication
procedure at XV.
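The serial-number scheme and the Figure 4 procedure, modelled as an added example (not code from the patent). The page does not specify the "algorithm unique to the equipment"; here it is assumed to be HMAC-SHA256 under a per-equipment secret key, reduced to three check digits appended to the serial number, and the device's registers 1-4, the register numbering, the device IDs and the secret key are constructed values.

```python
import hashlib
import hmac


class Device:
    """Limited-range device 12 (Figure 2): four registers, register 1 holding
    the ID code and register 2 the current one-time password. Assumed layout."""

    def __init__(self, device_id, first_password=0):
        self.registers = {1: device_id, 2: first_password, 3: None, 4: None}

    def read(self, reg):
        return self.registers[reg]

    def write(self, reg, value):
        self.registers[reg] = value


class Equipment:
    """Equipment 11: holds the paired device ID, the current seed (serial
    number) and the per-equipment secret that makes the algorithm unique."""

    ID_REG, PASSWORD_REG = 1, 2

    def __init__(self, secret, paired_id, first_serial=11111):
        self._secret = secret          # assumption: HMAC key, one per equipment
        self.paired_id = paired_id     # stored on the SIM, per the page
        self.serial = first_serial     # seed; page's example starts at 11111

    def _check_digits(self, serial):
        # Three "further digits" derived from the serial under the secret key.
        mac = hmac.new(self._secret, str(serial).encode(), hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big") % 1000

    def generate_password(self, serial):
        # Password = serial number followed by its three check digits,
        # as in the page's 11111 -> 11111125 illustration.
        return serial * 1000 + self._check_digits(serial)

    def reverse_algorithm(self, password):
        """Return the serial number the password was made from, or None.
        Note the serial is readable by anyone who reads the password; the
        scheme's strength rests entirely on the secrecy of the per-equipment key."""
        serial, digits = divmod(password, 1000)
        expected = self._check_digits(serial)
        if hmac.compare_digest(str(digits), str(expected)):
            return serial
        return None

    def initialise(self, device):
        # Initialising operation: load the first password onto the device.
        device.write(self.PASSWORD_REG, self.generate_password(self.serial))

    def authenticate(self, device):
        """Steps IV to XIV of Figure 4; returns the flowchart's outcome text."""
        if device is None:                                   # step V/VI time-out
            return "DEVICE NOT PRESENTED"
        if device.read(self.ID_REG) != self.paired_id:       # step VII/VIII
            return "INCORRECT CARD"
        password = device.read(self.PASSWORD_REG)            # step IX
        if self.reverse_algorithm(password) != self.serial:  # step X/XI
            return "INCORRECT PASSWORD"
        self.serial += 1                                     # step XII: nnnn + 1
        device.write(self.PASSWORD_REG, self.generate_password(self.serial))
        return "AUTHENTICATED"                               # steps XIII/XIV
```

A copy of the device's password taken before it is consumed would still pass once, since the equipment cannot tell the copy from the original until the overwrite at step XIII; the page's limited transmission range is what narrows that window.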
The equipment and device must, of course, first be 'married'. If the equipment provider
also provides the device, the ID of the device will already be stored in the memory of the
equipment. This will, generally speaking, be on the SIM card of a mobile device such as
a phone. The device will also have the algorithms for creating passwords from serial
numbers and for testing passwords. The device will be supplied loaded with the first
password.
If the device is provided by a bank, for example, and the device is a card for use on a
customer account, the device ID can be sent to the equipment as a downloadable
application loading the Device ID and the algorithms as well as software running the
authentication procedure. The device ID can be transferred to the SIM card and deleted
from the equipment's internal memory, so that it can be transferred to another mobile
device, leaving no trace on the equipment.
It is, of course, necessary to provide means by which the equipment 11 reads the device
12. A mobile phone equipped with near field communication is ideal. Card readers are
available for desktop and laptop computers.
While Radio Spectrum devices are generally referred above, and RFID and Bluetooth
given as instances, it will be understood that any short range or near field communication
technology may be used.
Another level of security may be added by the usual PIN, known only to the user of the
equipment or device 13. This PIN may be required to open the equipment for use,
for example, in the normal way, or to cause it to enter 'transaction mode', which may
involve switching on a Radio Spectrum transmitter/receiver or energising an induction
transmitter for communicating with the device. This guards against the chance that the
equipment and the device are lost or stolen together.
Further optional levels of security may be added using biometrics such as iris scan using
e.g. a mobile phone camera, or a fingerprint scan, or voice recognition.
Claims:
1 A method for ID authentication using communication equipment that requires
entry of a password to authorise its use for carrying out a transaction, in which the
password is supplied by a limited-range communicating device separate from the
communication equipment, the password being a one time password generated by the
communication equipment and transmitted to the device and stored thereon in a password
memory overwritten by a new password at each transaction for use at the next succeeding
transaction, characterised in that the equipment generates the password using an
algorithm unique to the equipment operating on a serial number incremented at each
transaction, and in that the equipment checks a password supplied to it by the device by
applying the reverse algorithm to generate the serial number used to create it.
3 A method according to claim 1 or claim 2, in which the equipment comprises a
mobile phone or other mobile device operating in a cellular network, or a computer
communicating over the Internet.
4 A method according to any one of claims 1 to 3, in which the device can be kept
in a separate pocket or wallet, or is incorporated into an artefact that is somehow attached
to the person, as a bracelet, necklace, ear-ring or wristwatch, making accidental loss of
both components unlikely and theft much more difficult.
5 A method according to any one of claims 1 to 4, in which the device is implanted,
after the fashion of pet ID microchips.
6 A method according to any one of claims 1 to 4, in which the device comprises, or
is comprised in, a credit card, a debit card, charge card, store card, pre-payment card, stored-value
card or other transaction card.
7 A method according to any one of claims 1 to 6, in which the device comprises a
Radio Spectrum device having at least one register that can be written to by the
equipment.
8 A method according to any one of claims 1 to 7, in which the device carries an ID
code and a password, which may be in the same or different registers.
9 A method according to claim 8, in which the ID code and password are read by
the equipment in an interrogation procedure.
10 A method according to any one of claims 1 to 9, in which the device
comprises a Radio Spectrum device.
11 A method according to claim 10, in which the Radio Spectrum device is passive,
powered by induction from the equipment.
12 A method according to claim 10, in which the Radio Spectrum device is active,
having its own power source.
13 A method according to any one of claims 1 to 12, in which the device comprises a
Bluetooth or other short range wireless device.
14 A method according to any one of claims 1 to 13, in which the device comprises
an RFID device.
15 A method according to any one of claims 1 to 14, in which there is an additional
level of protection.
16 A method according to claim 15, in which that additional level of protection
involves a known-to-the-user PIN.
17 A method according to claim 15 or claim 16, in which that additional level of
protection involves a biometric such as an iris scan, a fingerprint scan or voice
recognition.
18 Apparatus for carrying out a secure transaction using communication equipment
that requires entry of a password to authorise its use for carrying out transactions,
comprising:
a limited-range communicating device separate from the communication equipment,
having a memory for storing a password;
one-time password generating means in the communication equipment and transmitter
means for transmitting a password generated thereby to the device to be stored in said
memory;
stored password retrieving means in the communication equipment operative during a
transaction to retrieve the stored password to validate the transaction;
retrieved password validating means in the communication equipment;
the password generating means being operative to generate a new password when a
transaction has been validated and transmit it to the device to overwrite the password
stored therein;
characterised in that the password generating means uses an algorithm unique to the
equipment operating on a serial number incremented at each transaction, and in that the
password validating means checks a retrieved password by applying the reverse
algorithm to generate the serial number used to create it, authorising the transaction if it
does, and declining to authorise the transaction if it does not.
19 Apparatus according to claim 18, in which the equipment comprises a mobile
phone or other mobile device operating in a cellular network, or a computer
communicating over the Internet.
20 Apparatus according to claim 18 or claim 19, in which the device can be kept in a
separate pocket or wallet, or is incorporated into an artefact that is somehow attached to
the person, as a bracelet, necklace, ear-ring or wristwatch, making accidental loss of both
components unlikely and theft much more difficult.
21 Apparatus according to any one of claims 18 to 20, in which the device is
implantable, after the fashion of pet ID microchips.
22 Apparatus according to any one of claims 18 to 20, in which the device
comprises, or is comprised in, a credit card, a debit card, charge card, store card, pre-payment
card, stored-value card or other transaction card.
23 Apparatus according to any one of claims 18 to 22, in which the device comprises
a Radio Spectrum device having at least one register that can be written to by the
equipment.
24 Apparatus according to claim 23, in which the device carries an ID code and a
password, which may be in the same or different registers.
25 Apparatus according to any one of claims 18 to 24, in which the device comprises
a Radio Spectrum device.
26 Apparatus according to claim 25, in which the Radio Spectrum device is passive,
powered by induction from the equipment.
27 Apparatus according to claim 25, in which the Radio Spectrum device is active,
having its own power source.
28 Apparatus according to any one of claims 18 to 27, in which the device comprises
a Bluetooth or other short range wireless device.
29 Apparatus according to any one of claims 18 to 27, in which the device comprises
an RFID device.
30 Apparatus according to any one of claims 18 to 29, comprising means affording
an additional level of protection.
31 Apparatus according to claim 30, in which that additional level of protection
involves a known-to-the-user PIN.
32 Apparatus according to claim 30 or claim 31, in which that additional level of
protection involves a biometric such as an iris scan, a fingerprint scan or voice
recognition.