Secure Authentication Method Using Private User Identification Information

Description:

Invention Summary

Most computer systems employ a password verification system for access. A user is identified with a user ID and verified with a password. Although this method is very popular, it is vulnerable to the password guessing attack. Moreover, the attacker does not need to guess the user ID, because user IDs are usually public, such as names and email addresses. To make false login attempts more difficult, our method does not use a publicly known user ID for identification. Instead it uses private information known only to the computer system and the user, which is referred to as the access token. The user first provides the access token. The computer system looks up the registered access tokens and presents multiple partial user IDs to the user. The user then chooses the right user ID. The rest is the same as a password authentication system.

Market Opportunity

Alternative methods to fortify the authentication method exist, such as special mathematical functions, biometrics, or one-time passwords. However, they either require specialized devices, have limited accuracy, are vulnerable to theft, or cannot be used on public terminals. Thus, their use has been quite limited and they are not suitable for open services to the general public such as e-commerce. On the other hand, our method does not require any specialized devices, so it is more practical, cheaper, and can be used by a wider audience, including e-commerce providers. Once this method becomes widespread, a huge volume of password attacks on the Internet can be eliminated.

This new authentication method can be used by individual companies or offered by third-party providers of identification services. High-security organizations can benefit immediately, such as government agencies or private companies that deal with sensitive information. As any organization that needs strong authentication may utilize our method, virtually all IT companies such as Amazon, eBay, MSN, Yahoo, and most banks can be potential licensees. Software vendors of operating systems, VPNs, or database systems can also incorporate our scheme in their products. Eventually, our scheme could be used by large web service companies, such as Google and Facebook.

Features & Benefits

1. Even if a clear-text password is stolen, the attacker cannot log in to the computer system unless he correctly guesses the victim's access token to retrieve the victim's user ID.

2. The password guessing attack is virtually eliminated because the attacker has to retrieve the victim's user ID before even trying a password guessing attack. The correct user ID can be retrieved only when the correct access token is provided. Thus the chance of a successful password guessing attack is greatly reduced.

3. There is another kind of attack called the password-cracking attack, where the encrypted password file is stolen and the passwords are decrypted offline. In this case, the cracked password cannot be used for illegal access unless the access token is also known to the attacker. Thus this barrier provides extra protection when the encrypted password file gets stolen.

4. Users can also be protected from a Man-In-The-Middle (MITM) attack, thanks to the automatic mutual authentication feature. That is, a user can verify whether he or she is accessing a legitimate server by checking the choices of partial user IDs. If the correct user ID is not presented by the computer system, the user can recognize that the accessed computer system is not a legitimate system, and is thus protected from revealing the password to a fake system.
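The following is an added illustration of the token-first flow from the Invention Summary and the mutual-authentication check in benefit 4; it is example code written for this page, not the patented implementation. It assumes a fixed decoy list, a constant number of presented choices regardless of whether the token is registered, a simple masking rule for partial user IDs, and PBKDF2 for password storage; all user IDs, tokens and passwords are constructed.

```python
import hashlib
import hmac
import secrets

def mask_user_id(user_id: str) -> str:
    """Partial user ID shown to the user: first 2 characters, stars, then the domain (assumed rule)."""
    local, at, domain = user_id.partition("@")
    return f"{local[:2]}{'*' * max(len(local) - 2, 3)}{at}{domain}"

def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class TokenFirstAuthServer:
    """Server side of the scheme: token -> partial user IDs -> chosen ID -> password."""
    # Constructed decoy IDs shown alongside the real one (assumption: decoys are used).
    DECOYS = ["alice@example.org", "bob@example.net", "carol@example.com"]

    def __init__(self):
        self._by_token = {}  # sha256(access token) -> record; the token itself is never stored

    def register(self, user_id: str, access_token: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        key = hashlib.sha256(access_token.encode()).hexdigest()
        self._by_token[key] = {"user_id": user_id, "salt": salt, "pw_hash": _pw_hash(password, salt)}

    def _lookup(self, access_token: str):
        return self._by_token.get(hashlib.sha256(access_token.encode()).hexdigest())

    def choices_for(self, access_token: str, rng=secrets.SystemRandom()) -> list:
        """Step 2: present partial user IDs. An unregistered token still gets the same
        number of (decoy-only) choices, so the reply does not reveal whether the token exists."""
        rec = self._lookup(access_token)
        real = [rec["user_id"]] if rec else []
        options = [mask_user_id(u) for u in self.DECOYS[:3 - len(real)] + real]
        rng.shuffle(options)
        return options

    def authenticate(self, access_token: str, chosen_partial: str, password: str) -> bool:
        """Steps 3-4: the chosen partial ID must be the token holder's own, then the password is checked."""
        rec = self._lookup(access_token)
        if rec is None or chosen_partial != mask_user_id(rec["user_id"]):
            return False
        return hmac.compare_digest(_pw_hash(password, rec["salt"]), rec["pw_hash"])

def client_sees_own_id(choices: list, own_user_id: str) -> bool:
    """Mutual-authentication check from benefit 4: a server that cannot show the user's own
    partial ID did not know the token, so the user should not send the password."""
    return mask_user_id(own_user_id) in choices
```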

Intellectual Property

Issued US Patent No.: 9,509,682

Patent Information:
For Information, Contact:
Kegan Mcmullan
Licensing Manager
University of Nevada, Las Vegas
kegan.mcmullan@unlv.edu
Inventors:
Ju-Yeon Jo
Yoohwan Kim
Keywords:
Apps
Computer
Computer Science
Computer Software or Hardware
Software
© 2018. All Rights Reserved. Powered by Inteum