[Figure text, login-key selection screen] To provide enhanced security when accessing your information from a public or other insecure environment, please set your login combination now. Click any 8 characters from the login key shown below, in any sequence (forwards and/or backwards) and one at a time, in the order in which you will enter them to log in. Make sure that the combination you choose is something you will find easy to remember. The same character may be clicked more than once. You have selected 1 characters
METHOD AND SYSTEM FOR PROVIDING A SECURE LOGIN SOLUTION USING ONE-TIME PASSWORDS
This application claims the benefit of U.S. Provisional Application No. 60/868,941, filed Dec. 7, 2006.
The present invention relates to methods and systems for a secure login solution for users of computers and systems, local and/or remote. The present invention further relates to identification means, such as usernames/IDs, PIN codes and one-time passwords.
BACKGROUND OF THE INVENTION
Every day computer users log in to computers and systems that require authentication by providing the authenticating system with information that positively identifies the user. In most cases that information consists of a username/ID and a matching static, reusable password. Replacing such static passwords with single-use passwords and, where possible, using two-factor authentication is one approach for securing corporate networks, applications and information assets.
Unfortunately, use or transfer of sensitive information can create security vulnerabilities for many different reasons. For example, in situations where the user attempts to log in to a system from a computer or other electronic device using a communications connection, such as the Internet, information traveling over the network may be intercepted by unauthorized individuals using network sniffers. This information can then subsequently be used to illegally obtain access to the system. The use of more secure communications protocols, such as Secure Socket Layer (SSL), improves security by encrypting the information being transmitted, thereby making it virtually impossible for others to use it to gain access to the system, even if they manage to intercept the user identifying information. Unfortunately many authenticating systems do not use secure protocols, leaving sensitive information vulnerable to attack.
Another problem with authentication using a static, reusable password is that hackers may be able to gain access to the system by guessing the password. This applies not only to weak passwords that can be uncovered using dictionary attacks; passwords also often include the user’s name, nickname, spouse’s or pet’s name, etc. Although this threat can be reduced by having the authenticating system impose a maximum number of login attempts before blocking the account, it remains a real threat nonetheless.
One significant security threat involves widely available spyware, including keystroke capturing software which, as the name suggests, captures the keystrokes that are made on a computer’s keyboard and stores this information for later retrieval by or transmission to the person or persons who installed the software or who know of its presence. In many cases, the existence of this software is difficult or virtually impossible to detect. Even if encryption of the information is used during transmission over a network, the presence of this type of software on the computer from which a user logs in is not going to provide any security, as the username/ID and password have already been captured at the source, before they have been encrypted. This threat is particularly acute when the user is accessing systems from a computer or other electronic device that may not be his own, such as other people’s computers or, more particularly, computers found in public places such as hotels, airports and Internet cafes, to name but a few.
In view of these vulnerabilities and in order to limit the risk of unauthorized access, methods are available that enable the use of one-time passwords (OTP), thereby greatly increasing login security. In such cases, where passwords are only valid for a single login, even capturing or knowing the password will be meaningless as it can only be used once. In broad terms there are two major types of OTP solutions: (i) hardware based solutions; and (ii) S/KEY based solutions.
Hardware Based Solutions
The vast majority of OTP solutions involve the use of some kind of physical device, such as tokens, smart cards, USB flash drives, etc., that will generate them. Companies providing such hardware based solutions include VERISIGN™, ACTIVIDENTITY™, VASCO™ and RSA SECURITY™ to name a few. Most, like RSA’s authentication token for example, generate a new 6-digit numeric passcode every 30 or 60 seconds that will be used together with a user’s PIN code to create a one-time password. This is generally referred to as two-factor authentication.
Other approaches, such as the systems and methods taught in European Patent Application No. EP 1 445 917 to Kuclar et al. and U.S. Patent Application No. 2003/0172272 to Ehlers et al. for example, include the use of a mobile communications device, where the one-time password is sent by the authenticating system to the user’s mobile phone or other mobile device via a Short Message Service (SMS). Other systems, such as those described in U.S. Patent Application No. 2002/0038426 to Pettersson et al. and U.S. Pat. No. 6,636,973 to Bagley for example, use biometric devices such as iris scanners and fingerprint scanners to positively identify the user. All of the above described methods require the use of a physical device.
The use of physical devices however has several distinct disadvantages. In addition to the significant cost of implementing device-based solutions, particularly where the number of users is large, their biggest drawback is that the authentication device may not be available, may be rendered useless by abuse or accident, or may be lost. In the latter case there is a theoretical chance of an individual gaining unauthorized access to a system where, for example, key-stroke logging software was running on the computer from which a login was attempted and the username/ID and the static password or PIN code have already been captured. Although the risk in the case of loss can be minimized by the immediate reporting of the loss of the device, all scenarios mentioned above will prevent a legitimate user who, for whatever reason, does not have access to the authentication device from obtaining access to the remote system. The use of non-OTP access in that case could of course significantly compromise security.
S/KEY Based Solutions
These are software solutions based on S/KEY, a one-time, challenge-response password scheme developed for use on UNIX™-like operating systems to authenticate a user based on a one-way hash function. Generic open source implementations can be used to enable its use on other systems.
A user’s real password is not directly transmitted across the network. Rather, the real password is combined with a short set of characters and a decrementing counter to form a one-time password. As the one-time password is only used once, passwords intercepted by a password sniffer or keystroke logger are not useful to an attacker.
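The S/KEY mechanism just described, as an added example constructed here (not code from the patent or from the S/KEY project): the client applies a one-way hash n times to the seed concatenated with the real password, the server keeps only the last accepted chain value, and each successful login decrements the counter, so a sniffed or logged OTP cannot be replayed. Names such as SKeyVerifier and register are assumptions of this example, and SHA-256 stands in for the MD4/MD5 folding of the original S/KEY.

```python
import hashlib
import hmac

# Constructed example of an S/KEY-style hash chain (not the patent's code).
# The real password never leaves the client: the server stores only the seed,
# a counter and the most recently accepted chain value.

def _h(data: bytes) -> bytes:
    """One-way function. Original S/KEY folded MD4/MD5 to 64 bits; SHA-256 here."""
    return hashlib.sha256(data).digest()

def compute_otp(password: str, seed: str, n: int) -> bytes:
    """hash^n(seed || password): the one-time password for counter value n."""
    value = (seed + password).encode()
    for _ in range(n):
        value = _h(value)
    return value

def generate_list(password: str, seed: str, count: int) -> list:
    """The printable sequence a user can carry: hash^(count-1) ... hash^1."""
    chain = [(seed + password).encode()]
    for _ in range(count):
        chain.append(_h(chain[-1]))        # chain[i] == hash^i(seed || password)
    return chain[count - 1:0:-1]

class SKeyVerifier:
    """Server side: holds hash^counter but cannot invert it to get the next OTP."""
    def __init__(self, seed: str, count: int, top: bytes):
        self.seed = seed
        self.counter = count     # exponent of the stored value
        self.last = top          # hash^counter(seed || password)

    def remaining(self) -> int:
        return self.counter - 1  # hash^0 is never accepted as a password

    def verify(self, otp: bytes) -> bool:
        if self.remaining() <= 0:
            return False         # chain exhausted; user must re-register
        # The presented value must be the preimage of what we stored.
        if not hmac.compare_digest(_h(otp), self.last):
            return False         # wrong, replayed or out-of-sequence OTP
        self.last = otp          # advance: a sniffed OTP is now useless
        self.counter -= 1
        return True

def register(password: str, seed: str, count: int) -> SKeyVerifier:
    """Enrol: client sends only hash^count; server keeps it with seed and count."""
    return SKeyVerifier(seed, count, compute_otp(password, seed, count))
```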
Because the short set of characters does not change until the counter reaches zero, it is possible to prepare a list of single-use passwords, in sequence, that can be carried by the user. Alternatively, the user can present the password, char