Visual image authentication and transaction authorization using non-determinism

Abstract

Methods and systems described herein perform a secure transaction. A display presents images that are difficult for malware to recognize but a person can recognize. In at least one embodiment, a person communicates transaction information using visual images received from the service provider system. In at least one embodiment, a universal identifier is represented by images recognizable by a person, but difficult for malware to recognize.In some embodiments, methods and systems are provided for determining whether to grant access, by generating and displaying visual images on a screen that the user can recognize. In an embodiment, a person presses one's finger(s) on the screen to select images as a method for authenticating and protecting communication from malware.In at least one embodiment, quantum randomness helps unpredictably vary the image location, generate noise in the image, or change the shape or texture of the image.

Description

CROSS-REFERENCE TO RELATED APPLICATIONS[0001]This application incorporates herein by reference U.S. Provisional Patent Application No. 61 / 698,675, entitled “No More Passwords”, filed Sep. 9, 2012.FIELD OF THE INVENTION[0002]This specification relates to security in computers, mobile phones and other devices.BACKGROUND[0003]The subject matter discussed in the background section should not be assumed to be prior art merely as a result of its mention in the background section. Similarly, a problem mentioned in the background section or associated with the subject matter of the background section should not be assumed to have been previously recognized in the prior art. The subject matter in the background section merely represents different approaches, which in and of themselves may also be inventions.LIMITATIONS AND WEAKNESSES OF PRIOR ART[0004]A shortcoming in the prior art, recognized by this specification, is that there is a lack of a secure integration of the identity of the user ...

AI Technical Summary

Benefits of technology

The patent text discusses the problem of secure integration in computer security, where the identity of the user is not securely integrated with the protection of their data and the control of their computer. The current methods of authentication and authorization have limitations, such as the lack of a secure link between the authentication of the user and the authorization of an action, and the absence of a secure link between the user's computer and the host domain machine. The technical effects of this patent text include proposing a solution to these limitations and weaknesses, such as incorporating a secure identity for the user and ensuring a secure link between the authentication and authorization processes.

Problems solved by technology

A shortcoming in the prior art, recognized by this specification, is that there is a lack of a secure integration of the identity of the user to the protection of the user's data and the control of the user's computer.

Currently cryptography keys are stored on the user's computer or a chip executing the operating system, which is not secure.

For example, when Bob's computer communicates with Mary's computer, even when using well-implemented Public Key Infrastructure (PKI), Bob's computer can only be sure that it is communicating with Mary's computer.

Similarly, even Bob cannot be certain that the communications he sends Mary are the same as the communications that Mary receives as coming from him.

Sending a secure communication using Public Key Infrastructure (PKI) from one user machine to another user machine ensures communication between the user machines, but may not ensure secure communication between the users of the machines.

In the prior art, each computer cannot be assured of who controls the other computer.

Even the Trusted Platform Module (TPM) has the fundamental cyber security weakness of not knowing who controls the other computer with which a user may be in communication with or who controls the computer which contains the Trusted Platform Module.

Not knowing the other computer with which a current computer is in communication with may be a weakness that is significant when the operating system can directly access the TPM.

Another limitation and weakness of the TPM is that there is no mechanism for binding the identity of the user to the user's cryptography keys and other confidential information that should be bound to the user's true identity.

However, the web browser is where the important connection between authentication of a user and authorization of an action may be broken.

Since the user's computer can be hacked, the lack of a secure and direct link between authenticating the user's computer and authorizing the action may render the act of user verification irrelevant.

In the same way, if this on / off implementation occurs in an untrusted computing environment, then outstanding biometric algorithms and sensor(s) become irrelevant because the biometric authentication can be circumvented between the user authentication and the authorization or confidentiality part of the security system.

However, even with the use of biometrics, if the handling of the biometric information, the storage of the biometric data, or the control of actions based on a biometric verification is done on an unsecured user's computer, the value of the biometrics may be greatly reduced or nullified.

An additional aspect of the weakness of current authentication and authorization processes (such as those using biometrics) is that the action can be hijacked by executing a Trojan attack on the user's computer, for example.

An example of this weakness is the untrusted browser attack used to divert money from a user's bank account.

Since the web browser is executed on the user's computer, the browser cannot be trusted even when using PKI and one-time passcodes!

Yet the manager's computer had a hitchhiker.

Contemporary computers and electronic devices are particularly susceptible to malware attacks due to their processor architecture.

As a consequence, malware has to corrupt or transform only a single machine instruction to initiate execution of malignant code.

This is a deep vulnerability arising from current processor architecture and it cannot be easily rectified.

During machine execution, after the von Neumann machine program has been hijacked by malware, anti-virus software, that is supposed to check the program, might not get executed, may be disabled or in other cases may never detect the malware.

The sequential execution of von Neumann machine instructions hinders a digital computer program from protecting itself

These attacks are not easy to detect or prevent.

In particular, the RSA SecurID breach demonstrated that pseudo-random number generators (i.e., deterministic algorithms), typically used in two-factor authentication solutions cannot prevent “man-in-the-middle” attacks launched by malware.

Malware, however, has a significant weakness: malware is poor at recognizing visual images since computer algorithms cannot match the visual pattern recognition ability of the human brain.

This weakness makes static authentication factors vulnerable to phishing attacks in the host domain or security breaches in the network domain.

Images