The patent badge is an abbreviated version of the USPTO patent document. The patent badge covers the following: Patent number, Date patent was issued, Date patent was filed, Title of the patent, Applicant, Inventor, Assignee, Attorney firm, Primary examiner, Assistant examiner, CPCs, and Abstract. The patent badge contains a link to the full patent document (in Adobe Acrobat format, i.e. PDF).

Date of Patent:
Mar. 08, 2011

Filed:

Dec. 11, 2006
Applicants:

Ronald King-hang Chu, Los Angeles, CA (US);

Mark Kogen, Torrance, CA (US);

Warren Tan, Thousand Oaks, CA (US);

Simon MA, Torrance, CA (US);

Yosif Smushkovich, Santa Monica, CA (US);

Gerry Glindro, Carson, CA (US);

Jeffrey William Coyte Nicholas, Los Angeles, CA (US);

Inventors:

Ronald King-Hang Chu, Los Angeles, CA (US);

Mark Kogen, Torrance, CA (US);

Warren Tan, Thousand Oaks, CA (US);

Simon Ma, Torrance, CA (US);

Yosif Smushkovich, Santa Monica, CA (US);

Gerry Glindro, Carson, CA (US);

Jeffrey William Coyte Nicholas, Los Angeles, CA (US);

Assignee:

Citicorp Development Center, Inc., Los Angeles, CA (US);

Attorney:
Primary Examiner:
Assistant Examiner:
Int. Cl.
CPC ...
H04L 29/00 (2006.01);
U.S. Cl.
CPC ...
Abstract

Methods and systems for secure user authentication utilize OTP generation and validation techniques in which the shared secret for generating the OTP is not stored in the user's mobile device but instead is dynamically synthesized based on a PIN that activates the OTP generation and the personalized OTP data. The client software has no knowledge of what the correct PIN should be and always generates a normal-looking OTP based on whatever PIN is entered, and the only way to learn whether or not the OTP is correct is to submit it during user login. By limiting the number of failed login attempts before the account is locked, brute-force attacks via the online channel will fail, and further, brute-force attacks to uncover the correct PIN for generating the correct OTP offline will also fail even if a hacker steals the user's mobile device and extracts the data inside for offline hacking, because there is nothing on the client that contains the PIN or is encrypted by the PIN.
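The scheme in the abstract can be sketched as follows. This is an added example, not code from the patent: the HMAC-SHA256 mixing step, the use of RFC 4226 HOTP, the three-attempt lockout threshold, the server holding an enrolled copy of the secret, and all names and sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

# Constructed sample: per-device personalization data stored on the phone.
DEVICE_DATA = bytes.fromhex("9f1c2ab47d03e6581b4fa2c90d6e7735")


def synthesize_secret(pin: str, device_data: bytes) -> bytes:
    """Rebuild the shared secret from PIN + device data (assumed: HMAC-SHA256)."""
    return hmac.new(device_data, pin.encode(), hashlib.sha256).digest()


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def client_otp(pin: str, device_data: bytes, counter: int) -> str:
    """Client side: no PIN check exists, so every PIN yields a well-formed OTP."""
    return hotp(synthesize_secret(pin, device_data), counter)


class Server:
    MAX_FAILURES = 3  # assumed lockout threshold

    def __init__(self, enrolled_secret: bytes):
        self.secret = enrolled_secret  # assumed to be provisioned at enrollment
        self.counter = 0
        self.failures = 0

    def login(self, otp: str) -> str:
        if self.failures >= self.MAX_FAILURES:
            return "locked"
        if hmac.compare_digest(otp, hotp(self.secret, self.counter)):
            self.counter += 1
            self.failures = 0
            return "ok"
        self.failures += 1
        return "locked" if self.failures >= self.MAX_FAILURES else "denied"


if __name__ == "__main__":
    server = Server(synthesize_secret("4821", DEVICE_DATA))
    for guess in ("0000", "1234", "4821"):
        otp = client_otp(guess, DEVICE_DATA, 0)
        print(guess, otp, server.login(otp))
```

Because the device holds only `DEVICE_DATA`, a copy of it gives no local test that separates a right PIN from a wrong one; each guess has to be spent against the server's failure counter.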

