WO2014011027A1 - A system and method for authentication using non-reusable random generated mobile sms key - Google Patents

Publication number
WO2014011027A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
user
key
database
sms key
Application number
PCT/MY2013/000125
Inventor
Chong Seak Sea
Kang Siong Ng
Rashidah Haron Galoh
Maniam DHARMADHARSHNI
Hon Loon WONG
Original Assignee
Mimos Berhad
Application filed by Mimos Berhad

Classifications

    • H04L63/0838 Network architectures or network communication protocols for network security for authentication of entities using passwords using one-time-passwords
    • H04L63/18 Network architectures or network communication protocols for network security using different networks or channels, e.g. using out of band channels
    • H04L9/3236 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04W12/06 Authentication
    • H04L63/0853 Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • H04L9/0863 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving passwords or one-time passwords
    • H04L9/3228 One-time or temporary data, i.e. information which is sent for every authentication or authorization, e.g. one-time-password, one-time-token or one-time-key
    • H04W12/72 Subscriber identity
    • H04W4/14 Short messaging services, e.g. short message services [SMS] or unstructured supplementary service data [USSD]

Abstract

The system and method of the present invention propose user authentication using non-reusable random generated mobile SMS key while retaining user privacy. The system of the present invention comprises at least one user (101) with user mobile phone (106); at least one web application (104); at least one authentication service provider (103); at least one authentication server (102); and at least one database (105). The at least one authentication server (102) further comprises at least one authentication interface module (201); at least one authentication verification module (202); at least one SMS key generation module (203); at least one SMS gateway (204); and at least one database interface module (205). The methodology of the present invention comprises steps of requesting user information for authentication (302); authenticating user information (304); returning authentication status to web application (310); and performing authorization by granting access to user upon successful user authentication (312). Authentication of user information comprises steps of computing hash value (DK1) based on user information (402); searching database for matching hash value (DK1) (404); and generating new mobile SMS key (K2) upon locating matching record in database (406) after mobile SMS key (K1) has been authenticated in the current transaction.

Description

A SYSTEM AND METHOD FOR AUTHENTICATION USING NON-REUSABLE RANDOM GENERATED MOBILE SMS KEY
FIELD OF INVENTION
The present invention relates to a system and method for authentication using non-reusable random generated mobile SMS key.
BACKGROUND ART
The most widely used authentication technology is online form-based authentication using a username and password. It uses a plaintext password as the credential and sends the password directly over the network to the server for authentication. Basic authentication without encryption therefore reveals secret credentials to any eavesdropper. Even with the strongest SSL/TLS encryption, online plaintext passwords are vulnerable to man-in-the-middle attacks at the web application layer, also called phishing attacks. Form-based username and password authentication requires the user's password to be handled in the web application layer, which has caused many password leakage incidents at commercial and financial web sites.
To prevent leakage of reusable weak secret passwords, and because some applications use unencrypted public channels to forward user credentials over the network, there is a need to place the strongest protection on authentication credentials and tokens. One solution is a one-time password (OTP) device, but it can be costly to deploy because of the extra cost of a device for each user and the software license needed for the one-time password server. Current OTP systems require synchronization management to keep a token synchronized for a specified user or token number, since current time-based OTP is very sensitive to time. The complexity of user management between OTP token and user causes a lack of user privacy options.
The present invention proposes a method of user authentication to an application using a non-reusable random generated mobile Short Message System (SMS) key while retaining user privacy. When the user needs to access the application website, the website redirects the user to the authentication server. The user must enter the user mobile phone number and the mobile SMS key (K1), which is retrieved from the user's mobile phone via an SMS message sent by the authentication server. The authentication server generates a hash value from the combination of the user information and K1. The hash value is used to search for a matching hash value among the records in the database. If a record is found, the authentication server grants access to the user; otherwise the authentication server sets the status to "Access Denied" and terminates the authentication process. Upon successful authentication of the user, the system generates a new mobile SMS key (K2). The authentication server sends this newly generated mobile SMS key (K2) to the SMS gateway. Thereafter, the gateway forwards K2 to the user as the mobile SMS key to input at the next login. The authentication server then computes a hash value based on the mobile phone number entered by the user and K2. The current database record is replaced with this newly generated hash value. The approach of the present invention is to retain user privacy based on authentication using non-reusable random generated mobile SMS key.
The subject matter claimed herein is not limited to embodiments that solve any disadvantages or that operate only in environments such as those described above. Rather, this background is only provided to illustrate one exemplary technology area where some embodiments described herein may be practiced.
SUMMARY OF INVENTION
The present invention provides a system and method for authentication using non-reusable random generated mobile SMS key while retaining user privacy. The system comprises at least one user (101) with user mobile phone (106); at least one web application (104); at least one authentication service provider (103); at least one authentication server (102); and at least one database (105). The at least one authentication server (102) further comprises at least one authentication interface module (201); at least one authentication verification module (202); at least one SMS key generation module (203); at least one SMS gateway (204); and at least one database interface module (205). The at least one SMS key generation module (203) has means to generate new mobile SMS key (K2); said new mobile SMS key (K2) is a random number; said random number is a non-reusable mobile SMS key for next login to web application after mobile SMS key (K1) has been authenticated in the current transaction.
The at least one authentication service provider (103) has means to protect web application site from unauthorized user access while the at least one authentication interface module (201) is an interface to other components of the system; said authentication interface module requests user information for authentication.
Another aspect of the present invention is the at least one authentication verification module (202) which performs user credential verification by computing hash value (DK1) based on user information and searching database for matching hash value (DK1) to determine successful user authorization in the current transaction. The at least one SMS gateway (204) forwards new mobile SMS key (K2) to user via SMS for next login to web application while the at least one database interface module (205) is a module interface to database for retrieving, inserting and updating user information stored in database. A further aspect of the present invention is a method (300, 400) for authentication using non-reusable random generated mobile SMS key. The method comprising steps of requesting user information for authentication (302); authenticating user information (304); returning authentication status to web application (310); and performing authorization by granting access to user upon successful user authentication (312). The method for authenticating user information comprises steps of computing hash value (DK1) based on user information (402); searching database for matching hash value (DK1) (404); and generating new mobile SMS key (K2) upon locating matching record in database (406). The method for requesting user information for authentication further requires user to enter user mobile phone number and mobile SMS key (K1) (306).
A further aspect of the present invention is the method for generating new mobile SMS key (K2) upon locating matching record. The said method further comprises steps of forwarding new mobile SMS key (K2) to user via SMS (408); computing hash value (DK2) by hashing newly generated mobile SMS key (K2) with user mobile phone number (410); and replacing database record containing hash value (DK1) with hash value (DK2) (412). The said new mobile SMS key (K2) is a random number, which is a non-reusable mobile SMS key for next login to web application.
The present invention consists of features and a combination of parts hereinafter fully described and illustrated in the accompanying drawings, it being understood that various changes in the details may be made without departing from the scope of the invention or sacrificing any of the advantages of the present invention.
BRIEF DESCRIPTION OF ACCOMPANYING DRAWINGS
To further clarify various aspects of some embodiments of the present invention, a more particular description of the invention will be rendered by references to specific embodiments thereof, which are illustrated in the appended drawings. It is appreciated that these drawings depict only typical embodiments of the invention and are therefore not to be considered limiting of its scope. The invention will be described and explained with additional specificity and detail through the accompanying drawings in which:
FIG. 1.0 illustrates the component integration diagram of the present invention.
FIG. 2.0 illustrates the five major modules of the Authentication Server of FIG. 1.0.
FIG. 3.0 is a flowchart illustrating a method for authentication using non-reusable random generated mobile SMS key.
FIG. 4.0 is a flowchart illustrating a further method for authentication of user information of the present invention.
FIG. 5.0 illustrates the overall system architecture of the present invention.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS
The present invention provides a system and method for authentication using non-reusable random generated mobile SMS key while retaining user privacy. Hereinafter, this specification will describe the present invention according to the preferred embodiments. It is to be understood that limiting the description to the preferred embodiments of the invention is merely to facilitate discussion of the present invention and it is envisioned without departing from the scope of the appended claims. Reference is first being made to FIG. 1.0, FIG. 2.0 and FIG. 5.0 respectively. FIG. 1.0 illustrates the component integration diagram of the present invention while FIG. 2.0 illustrates the five major modules of the Authentication Server of FIG. 1.0 and FIG. 5.0 illustrates the overall system architecture of the present invention. As illustrated in FIG. 1.0, the present invention comprises at least one user (101) with user mobile phone (106); at least one web application (104); at least one authentication service provider (103); at least one authentication server (102); and at least one database (105). As illustrated in FIG. 2.0, the at least one authentication server (102) further comprises at least one authentication interface module (201); at least one authentication verification module (202); at least one SMS key generation module (203); at least one SMS gateway (204); and at least one database interface module (205).
The system and method for authentication using non-reusable random generated mobile SMS key begins with the authentication service provider (101). The at least one authentication service provider (103) has means to protect web application site from unauthorized user access wherein the authentication service provider (103) will direct user to authentication server (102) for authentication. Thereafter, the authentication interface module (201), which is an interface to other components of the system, will request user information for authentication. The system of the present invention also comprises at least one authentication verification module (202) that performs user credential verification by computing hash value (DK1) based on user information and searching database for matching hash value (DK1) to determine successful user authorization in the current transaction.
Reference is now being made to FIG. 3.0 and FIG. 4.0 respectively. FIG. 3.0 is a flowchart illustrating a method for authentication using non-reusable random generated mobile SMS key and FIG. 4.0 is a flowchart illustrating a further method for authentication of user information of the present invention. The said methodology begins with the system requesting user information for authentication (302) wherein user is required to enter user mobile phone number and mobile SMS key. Thereafter, authentication server will authenticate user information (304). Authentication of user information further comprises steps of computing hash value (DK1) based on user information (402); searching database for matching hash value (DK1) (404); and generating new mobile SMS key (K2) upon locating matching record in database (406). The new mobile SMS key (K2) is a random number generated by the at least one SMS key generation module (203) of the present invention. The said random number is a non-reusable mobile SMS key for next login of user to web application while retaining user privacy after mobile SMS key (K1) has been authenticated in the current transaction.
Upon generating the new mobile SMS key (K2), SMS gateway (204) forwards new mobile SMS key (K2) to user via SMS for next login to web application (408). Thereafter, hash value (DK2) is computed by hashing newly generated mobile SMS key (K2) with user mobile phone number (410) and database record containing hash value (DK1) is replaced with hash value (DK2) (412). The at least one database interface module (205) is a module interface to database for retrieving, inserting and updating user information stored in the database of the present invention.
As illustrated in FIG. 3.0, upon successful authentication of user information, authentication status is returned to web application (310) wherein user is granted authentication (i.e. access is granted to user) when matching hash value (DK1) is found in the database (414). Otherwise, user access is denied when there is no matching hash value (DK1) in the database.
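The flow of steps 402 to 412, including rejection of a replayed K1, as an added example that is not part of the patent text. SHA-256, the length-prefixed encoding, the 8-digit key, the `enroll` bootstrap step, the in-memory record set and the `SmsGateway` stand-in are all assumptions; the phone number is a constructed sample.

```python
import hashlib
import secrets


class SmsGateway:
    """Constructed stand-in for the SMS gateway (204): records messages instead of sending."""

    def __init__(self):
        self.outbox = []  # (phone, key) tuples, oldest first

    def send(self, phone, key):
        self.outbox.append((phone, key))

    def last_key_for(self, phone):
        for to, key in reversed(self.outbox):
            if to == phone:
                return key
        return None


def derive_hash(phone, key):
    """DK = H(phone, key). The patent only says the two values are hashed together;
    SHA-256 and length-prefixing each field are assumptions of this example."""
    h = hashlib.sha256()
    for field in (phone, key):
        data = field.encode("utf-8")
        h.update(len(data).to_bytes(4, "big"))  # avoids ambiguous concatenation
        h.update(data)
    return h.hexdigest()


def new_sms_key(digits=8):
    """Random numeric key from the OS CSPRNG (key length is an assumption)."""
    return "".join(secrets.choice("0123456789") for _ in range(digits))


class AuthServer:
    def __init__(self, gateway):
        self.gateway = gateway
        self.records = set()  # database (105): holds hash values only, never keys

    def enroll(self, phone):
        """Hypothetical bootstrap (not described in the patent): issue the first key."""
        key = new_sms_key()
        self.gateway.send(phone, key)
        self.records.add(derive_hash(phone, key))

    def login(self, phone, key):
        dk1 = derive_hash(phone, key)          # step 402: compute DK1
        if dk1 not in self.records:            # step 404: search the database
            return "Access Denied"
        k2 = new_sms_key()                     # step 406: generate K2
        while k2 == key:                       # never hand back the key just used
            k2 = new_sms_key()
        # Step 408: deliver K2 first. If the gateway raises, the record is left
        # untouched, so the user is not locked out by a failed delivery.
        self.gateway.send(phone, k2)
        dk2 = derive_hash(phone, k2)           # step 410: compute DK2
        self.records.discard(dk1)              # step 412: replace DK1 with DK2
        self.records.add(dk2)
        return "Access Granted"


def demo():
    """Runs one enrolment and four login attempts; returns the four statuses."""
    gateway = SmsGateway()
    server = AuthServer(gateway)
    phone = "+60120000000"  # constructed sample number
    server.enroll(phone)
    k1 = gateway.last_key_for(phone)
    results = [server.login(phone, "not-a-key")]   # wrong key
    results.append(server.login(phone, k1))        # valid K1, rotates to K2
    results.append(server.login(phone, k1))        # replayed K1
    results.append(server.login(phone, gateway.last_key_for(phone)))  # K2
    return results


if __name__ == "__main__":
    print(demo())
```

Because the phone number is known and the key space is small, a fast unsalted hash as sketched here can be reversed by exhaustive search if the database leaks; a keyed hash with a server-side secret and a limit on failed attempts are the usual hardening.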
The system and method of the present invention provide for authentication using non-reusable random generated mobile SMS key. User privacy is retained as the newly generated mobile SMS key (K2) is a random number and is a non-reusable mobile SMS key for next login to web application.
The present invention may be embodied in other specific forms without departing from its essential characteristics. The described embodiments are to be considered in all respects only as illustrative and not restrictive. The scope of the invention is, therefore, indicated by the appended claims rather than by the foregoing description. All changes which come within the meaning and range of equivalency of the claims are to be embraced within their scope.

Claims

1. A system (100) for authentication using non-reusable random generated mobile SMS key with at least one user (101) and user mobile phone (106) on at least one web application (104) with at least one authentication service provider (103) to protect web application site from unauthorized user access; at least one authentication server (102); and at least one database (105);
the at least one authentication server (102) further comprising:
at least one authentication interface module (201) is an interface to other components of the system; said authentication interface module request user information;
at least one authentication verification module (202) performs user credential verification by computing hash value (DK1) based on user information and searching database for matching hash value (DK1) to determine successful user authorization in the current transaction;
at least one SMS key generation module (203);
at least one SMS gateway (204); and
at least one database interface module (205)
characterized in that
the at least one SMS key generation module (203) having means to generate new mobile SMS key (K2); said new mobile SMS key (K2) is a random number; said random number is a non-reusable mobile SMS key for next login to web application after mobile SMS key (K1) has been authenticated in the current transaction.
2. A system (102) according to Claim 1, wherein the at least one SMS gateway (204) forwards new mobile SMS key (K2) to user via SMS for next login to web application.
3. A system (102) according to Claim 1, wherein at least one database interface module (205) is a module interface to database for retrieving, inserting and updating user information stored in database.
4. A method (300, 400) for authentication using non-reusable random generated mobile SMS key; the method comprising steps:
requesting user information for authentication (302);
authenticating user information (304);
returning authentication status to web application (310); and
performing authorization by granting access to user upon successful user authentication (312)
characterized in that
authenticating user information further comprises steps:
computing hash value (DK1) based on user information (402);
searching database for matching hash value (DK1) (404); and
generating new mobile SMS key (K2) upon locating matching record in database (406) after mobile SMS key (K1) has been authenticated in the current transaction wherein generating new mobile SMS key (K2) upon locating matching record further comprises steps:
forwarding new mobile SMS key (K2) to user via SMS (408);
computing hash value (DK2) by hashing newly generated mobile SMS key (K2) with user mobile phone number (410); and
replacing database record containing hash value (DK1) with hash value (DK2) (412).
5. A method according to Claim 4, wherein requesting user information for authentication further requires user to enter user mobile phone number and mobile SMS key (K1) (306).
6. A method according to Claim 4, wherein generating new mobile SMS key (K2) upon locating matching record; said new mobile SMS key (K2) is a random number; said random number is a non-reusable mobile SMS key for next login to web application.
PCT/MY2013/000125 2012-07-13 2013-07-05 A system and method for authentication using non-reusable random generated mobile sms key WO2014011027A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
MYPI2012003210 2012-07-13
MYPI2012003210A MY172974A (en) 2012-07-13 2012-07-13 A system and method for authentication using non-reusable random generated mobile sms key

Publications (1)

Publication Number Publication Date
WO2014011027A1 true WO2014011027A1 (en) 2014-01-16

Family

ID=48980247

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/MY2013/000125 WO2014011027A1 (en) 2012-07-13 2013-07-05 A system and method for authentication using non-reusable random generated mobile sms key

Country Status (2)

Country Link
MY (1) MY172974A (en)
WO (1) WO2014011027A1 (en)

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2008033065A1 (en) * 2006-09-15 2008-03-20 Comfact Ab Method and computer system for ensuring authenticity of an electronic transaction

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104301316A (en) * 2014-10-13 2015-01-21 中国电子科技集团公司第二十八研究所 Single sign-on system and implementation method thereof
CN111465014A (en) * 2015-08-24 2020-07-28 华为技术有限公司 Security authentication method, configuration method and related equipment
CN111465014B (en) * 2015-08-24 2021-12-28 华为技术有限公司 Security authentication method, configuration method and related equipment
US11343104B2 (en) 2015-08-24 2022-05-24 Huawei Technologies Co., Ltd. Method for establishing secured connection, and related device

Also Published As

Publication number Publication date
MY172974A (en) 2019-12-16

Similar Documents

Publication Publication Date Title
US10904234B2 (en) Systems and methods of device based customer authentication and authorization
CN114788226B (en) Unmanaged tool for building decentralized computer applications
EP3691215B1 (en) Access token management method, terminal and server
US10348715B2 (en) Computer-implemented systems and methods of device based, internet-centric, authentication
US9692603B2 (en) Biometric PKI authentication
JP5619019B2 (en) Method, system, and computer program for authentication (secondary communication channel token-based client-server authentication with a primary authenticated communication channel)
US9529985B2 (en) Global authentication service using a global user identifier
KR101434769B1 (en) Method and apparatus for trusted federated identity management and data access authorization
Arora et al. Cloud security ecosystem for data security and privacy
US8606234B2 (en) Methods and apparatus for provisioning devices with secrets
Lim et al. Security issues and future challenges of cloud service authentication
CN107359998B (en) Establishment and operation method of a portable intelligent password management system
US10250589B2 (en) System and method for protecting access to authentication systems
Gupta et al. An identity based access control and mutual authentication framework for distributed cloud computing services in IoT environment using smart cards
EP2879421B1 (en) Terminal identity verification and service authentication method, system, and terminal
CN103906052B (en) A kind of mobile terminal authentication method, Operational Visit method and apparatus
JP2013504832A (en) Method and apparatus for reliable authentication and logon
DK2414983T3 (en) Secure computer system
CN113569210A (en) Distributed identity authentication method, device access method and device
Zmezm et al. A Novel Scan2Pass Architecture for Enhancing Security towards E-Commerce
WO2014011027A1 (en) A system and method for authentication using non-reusable random generated mobile sms key
Binu et al. A mobile based remote user authentication scheme without verifier table for cloud based services
Rastogi et al. Secured identity management system for preserving data privacy and transmission in cloud computing
JP2017139026A (en) Method and apparatus for reliable authentication and logon
JP2015111440A (en) Method and apparatus for trusted authentication and log-on

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 13748119

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 13748119

Country of ref document: EP

Kind code of ref document: A1