
A method and system for dynamic password authentication

IP.com Disclosure Number: IPCOM000241667D
Publication Date: 2015-May-21
Document File: 5 page(s) / 100K

Publishing Venue

The IP.com Prior Art Database

Abstract

This disclosure provides a dynamic, flexible password mechanism that does not require an extra hardware device and is easy to use. When the user is prompted to enter an ID and password during authentication, he reads the Magic Number on the device and works out the password by applying a transformation rule. The Magic Number is a private, changing data value on the device, and the transformation rule was set up on the server in advance. After the user submits the ID and password to the authentication server, the server sends a request to the device for the Magic Number. Once the authentication server has the Magic Number, it can verify the password by applying the transformation rule.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 53% of the total text.


Passwords are generally used for user authentication on many systems, such as mobile devices, online shopping, and online banking. However, most people use one fixed password for many systems over a long time. This is good for usability, but security is compromised. A password is easily exposed to onlookers, or recorded on a hacked system while you are typing it. If the password is fixed, anyone who steals it can impersonate you, and none of those systems is secure any longer.

Dynamic passwords could solve some of these problems, but usability is compromised. A dynamic password involves a hardware device that generates passwords. You may need one hardware device for each system, and must keep the devices on hand wherever and whenever you want to access a system.

Our disclosure provides a dynamic, flexible password mechanism that does not require an extra hardware device and is easy to use. When the user is prompted to enter an ID and password during authentication, he reads the Magic Number on the device and works out the password by applying a transformation rule.

The Magic Number is a private, changing data value on the device, and the transformation rule was set up on the server in advance.

After the user submits the ID and password to the authentication server, the server sends a request to the device for the Magic Number.

Once the authentication server has the Magic Number, it can verify the password by applying the transformation rule.

Advantages:

A replay attack is not possible. (The password is dynamic.)

Both a valid user (who knows the rule) and a valid device (which has the Magic Number) are required to pass authentication. No specific software token or hardware support is required.

The rule provides protection even if communications between client and server are compromised.

Usability and security are flexible: they depend on the complexity of the rule and the Magic Number.


Component descriptions:

Transformation rule

The rule is a simple formula that, together with the Magic Number, produces the final password for each authentication operation. The rule can involve number calculation, number combination (with a constant involved), code mapping, etc.
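The verification flow described above, as an added example that is not code from the disclosure: a server-side check in Python showing a rule built from the three step kinds named here, and a previously valid password failing once the Magic Number changes. The rule format (`add`, `append`, `map` steps), the `Device` and `AuthServer` classes, and all sample values are assumptions made for illustration.

```python
import hmac

def apply_rule(rule, magic_number):
    """Apply the user's transformation rule to a Magic Number (digit string)."""
    value = magic_number
    for op, arg in rule:
        if op == "add":       # number calculation: add a constant, keep the width
            width = len(value)
            value = str((int(value) + arg) % 10 ** width).zfill(width)
        elif op == "append":  # number combination with a constant
            value += arg
        elif op == "map":     # code mapping: substitute individual characters
            value = "".join(arg.get(ch, ch) for ch in value)
        else:
            raise ValueError(f"unknown rule step: {op!r}")
    return value

class Device:
    """Stand-in for the user's device, which holds the changing Magic Number."""
    def __init__(self, values):
        self._values = iter(values)
        self.magic_number = next(self._values)

    def rotate(self):
        self.magic_number = next(self._values)

class AuthServer:
    def __init__(self, rules, devices):
        self.rules = rules      # user id -> rule, set up on the server in advance
        self.devices = devices  # user id -> device the server can query

    def verify(self, user_id, submitted):
        rule, device = self.rules.get(user_id), self.devices.get(user_id)
        if rule is None or device is None:
            return False
        magic = device.magic_number          # server requests the Magic Number
        if not (magic.isascii() and magic.isdigit()):
            return False                     # fail closed on malformed device data
        expected = apply_rule(rule, magic)
        # Constant-time comparison avoids leaking how many characters matched.
        return hmac.compare_digest(expected.encode(), submitted.encode())

# Constructed sample data: one user, one rule, two successive Magic Numbers.
RULE = [("add", 17), ("append", "42"), ("map", {"8": "x"})]
device = Device(["4831", "9990"])
server = AuthServer({"alice": RULE}, {"alice": device})
```

With the first Magic Number `4831` the rule yields `4x4x42`; after `device.rotate()` the same submission is rejected and `000742` is expected instead.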

Magic Number

A changing data value on the specific device(s), together with the Transformation rule(s) can gener...