Mobile Authentication with One-Time Passwords (OTP)

IP.com Disclosure Number: IPCOM000202704D
Publication Date: 2010-Dec-23
Document File: 4 page(s) / 75K

Publishing Venue

The IP.com Prior Art Database

Abstract

Sensitive information, such as passwords and other identifying attributes, is captured by Web browsers to perform certain operations, such as login. Most popular Web browsers provide features that help prevent the unauthorised interception of sensitive details (such as network encryption), periodic flushing of memory caches and permanent purging of cookies. However, risks remain, especially with the increasingly popular use of public Internet terminals, around how personal details are captured and stored for later use. For instance, a Web browser that is not correctly configured to clear its cache at the end of a session may retain the user name and password of the previous user. These details may then be retrieved and reused in a later session without the knowledge of the account owner. This invention provides a mechanism to ensure that unauthorised access to a Web application is not possible by reviewing (and replaying) the contents of a Web browser's cache. This mechanism is suitable for use with public Internet terminals (or Web browsers that offer no such protections): a password is entered to gain access to a personal account with the confidence that the password, if captured, cannot be reused by other users to gain access to the account.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 25% of the total text.

Current solutions offer various approaches to solving this problem. Several vendors appear to understand the benefits of one-time passwords (OTP) but have overlooked key security requirements. For instance, some of the referenced solutions below assume that the user is interacting with a protected terminal when entering sensitive account details. Others describe a solution that depends on the protection of a mobile device, thus moving the security problem around, without reducing its risk.

This solution, which also uses OTPs, is designed against a more complete set of security requirements and does not make the same assumptions regarding the protections offered by the mobile device and the Internet terminal. It also targets a minimum-specification device for displaying the OTP: SMS connectivity and a screen suitable for displaying a text message are required; no keyboard is necessary, since the user enters information and confirmations only on the terminal, never on the mobile device. Nonetheless, this solution allows OTPs to be generated on an application- and user-specific basis, without revealing which application or user an OTP relates to. Further protections are provided so that, in the event that the device is stolen or otherwise manipulated, the user can disable its use without access to the device. Furthermore, a physical connection between the terminal and the mobile device is not required.
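The following is an added example, not code from the disclosure, written to show the server-side behaviour the text describes: codes are generated centrally and bound to a (user, application) pair, live for a short window, are consumed on first use so a code recovered from a terminal's cache cannot be replayed, the SMS text names no application or account, and the account owner can disable OTP use from any terminal without holding the handset. The class and method names (OtpServer, issue, verify, disable_user), the 6-digit code length, the 120-second window and the attempt limit are all assumptions chosen for the example; the SMS gateway is replaced by an in-memory list.

```python
"""Centralised, single-use OTP issuance and verification (added example).

Not the disclosure's own code. Models: server-side generation bound to
(user, app); time-limited, single-use codes (no replay); SMS text that
reveals no application; a user-side kill switch. Names are hypothetical.
"""
import hashlib
import hmac
import re
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

OTP_DIGITS = 6          # assumed code length
OTP_TTL_SECONDS = 120   # assumed validity window
MAX_ATTEMPTS = 3        # wrong guesses before the pending code is discarded


@dataclass
class PendingOtp:
    digest: bytes       # HMAC of the code; the code itself is never stored
    expires_at: float
    attempts: int = 0


class OtpServer:
    def __init__(self, server_key: bytes, clock: Callable[[], float] = time.time):
        self._key = server_key
        self._clock = clock
        self._pending: Dict[Tuple[str, str], PendingOtp] = {}
        self._disabled: Set[str] = set()
        self.sent_messages: List[Tuple[str, str]] = []  # stands in for the SMS gateway

    def _digest(self, user: str, app: str, code: str) -> bytes:
        # Binding user and app into the MAC means a code issued for one
        # application cannot be presented to another.
        msg = f"{user}\x00{app}\x00{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, user: str, app: str) -> bool:
        """Generate a code for (user, app); False if the user has disabled OTPs."""
        if user in self._disabled:
            return False
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[(user, app)] = PendingOtp(
            self._digest(user, app, code), self._clock() + OTP_TTL_SECONDS)
        # The text deliberately omits which application or account it is for.
        text = f"Your one-time code is {code}. It expires in {OTP_TTL_SECONDS // 60} minutes."
        self.sent_messages.append((user, text))
        return True

    def verify(self, user: str, app: str, code: str) -> bool:
        """Accept a code once; expired, replayed, wrong-app or disabled codes fail."""
        key = (user, app)
        entry = self._pending.get(key)
        if entry is None or user in self._disabled:
            return False
        if self._clock() > entry.expires_at:
            del self._pending[key]
            return False
        if not hmac.compare_digest(entry.digest, self._digest(user, app, code)):
            entry.attempts += 1
            if entry.attempts >= MAX_ATTEMPTS:
                del self._pending[key]          # stop online guessing
            return False
        del self._pending[key]                  # consume: a replay finds nothing
        return True

    def disable_user(self, user: str) -> None:
        """Kill switch usable from any terminal: revokes pending codes and new issuance."""
        self._disabled.add(user)
        for key in [k for k in self._pending if k[0] == user]:
            del self._pending[key]


def code_from_message(text: str) -> Optional[str]:
    """What the user reads off the handset and types at the terminal."""
    match = re.search(r"\b\d{%d}\b" % OTP_DIGITS, text)
    return match.group(0) if match else None


def demo() -> Dict[str, bool]:
    """Replay scenario from the abstract, driven by a controllable clock."""
    now = [1_000.0]
    srv = OtpServer(b"server-side secret (assumed)", clock=lambda: now[0])
    results: Dict[str, bool] = {}
    srv.issue("alice", "webmail")
    text = srv.sent_messages[-1][1]
    code = code_from_message(text)
    results["sms_hides_app"] = "webmail" not in text
    results["wrong_app_rejected"] = not srv.verify("alice", "banking", code)
    results["first_use_accepted"] = srv.verify("alice", "webmail", code)
    results["replay_rejected"] = not srv.verify("alice", "webmail", code)
    srv.issue("alice", "webmail")
    stale = code_from_message(srv.sent_messages[-1][1])
    now[0] += OTP_TTL_SECONDS + 1
    results["expired_rejected"] = not srv.verify("alice", "webmail", stale)
    srv.issue("bob", "webmail")
    bob_code = code_from_message(srv.sent_messages[-1][1])
    srv.disable_user("bob")
    results["disabled_rejected"] = not srv.verify("bob", "webmail", bob_code)
    results["disabled_not_issued"] = not srv.issue("bob", "webmail")
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The point the abstract makes is carried by `verify()`: because the pending entry is deleted on first success, a code lifted from a cached form field is worthless by the time a second user reaches the terminal, and because user and application are folded into the HMAC, the same digits cannot be redirected to a different account or application. Storing only the HMAC (rather than the code) limits what a server-side read of the pending table yields.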

Current mobile OTP generator solutions include:

1. http://motp.sourceforge.net/ -- uses a Java applet to generate time-sensitive OTPs; however, there is no way to specify which application to generate the OTP for (unless it were extended to include an application menu, which would itself be insecure). Used for access to network resources; neither application- nor user-aware.

   Benefits of this solution over known solutions:
   This solution differs by allowing the user to select which application, or account, to generate an OTP for; in other words, it is application- and user-aware. This provides a far more flexible approach, with one system managing many accounts across many applications.

2. http://www.fireid.com/products/overview.html -- can operate when the device is offline and does not synchronise with a server during OTP generation. The OTP generation process is therefore contained entirely on the device and must be protected from unauthorised manipulation, a requirement that does not appear to have been met in the design. It is application-aware but exposes a list of all applications on the device screen.

   Benefits of this solution over known solutions:
   - centralised OTP generation, which ensures that the process and any salting are contained on a secure server rather than exposed on the device;
   - does not expose a list of applications on the device, thereby reducing the amount of information an impostor has access to.

3. www.i-sprint.com/download/doc/DataSheet-UAS-OTP-SMS.pdf -- a...