US006993658B1

(12) United States Patent
     Engberg et al.

(10) Patent No.: US 6,993,658 B1
(45) Date of Patent: Jan. 31, 2006

(54) USE OF PERSONAL COMMUNICATION DEVICES FOR USER AUTHENTICATION

(75) Inventors: Sten-Olov Engberg, Storvreta (SE); Ake Jonsson, Fagersta (SE)

(73) Assignee: April System Design AB, Solna (SE)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 0 days.

(21) Appl. No.: 09/519,829

(22) Filed: Mar. 6, 2000

(51) Int. Cl.
     G07F 7/10 (2006.01)
     H04L 9/32 (2006.01)
     H04L 12/14 (2006.01)
     H04M 15/00 (2006.01)

(52) U.S. Cl.: 713/185; 379/114.2; 709/219; 713/183; 713/201; 713/202

(58) Field of Classification Search: 380/247, 380/249; 455/411; 713/202, 182, 183, 185; 705/74; 235/382.5; 379/114.2; 709/219
     See application file for complete search history.

Primary Examiner: Gilberto Barron, Jr.
Assistant Examiner: Matthew Heneghan
(74) Attorney, Agent, or Firm: Knobbe, Martens, Olson & Bear LLP

(57) ABSTRACT

A password setting system for a secure system includes a user token server and a communication module. The user token server generates a random token in response to a request for a new password from a user. The server creates a new password by concatenating a secret passcode that is known to the user with the token. The server sets the password associated with the user’s user ID to be the new password. The communication module transmits the token to a personal communication device, such as a mobile phone or a pager carried by the user. The user concatenates the secret passcode with the received token in order to form a valid password, which the user submits to gain access to the secure system. Accordingly, access to the system is based upon: nonsecret information known to the user, such as the user ID; secret information known to the user, such as the passcode; and information provided to the user through an object possessed by the user, such as the token.

7 Claims, 11 Drawing Sheets

[Front-page drawing: system overview. Legible labels: SECURE SYSTEM; USER WITH PERSONAL COMMUNICATION DEVICE; USER ID; PASSCODE; PASSWORD; TOKEN; LOGIN DATA; AUTHENTICATION CONFIRMATION; USER AUTHENTICATION SERVER; AUTHENTICATION MODULE; USER DATABASE; USER ID & PASSWORD; TOKEN/PASSWORD; USER TOKEN SERVER; TOKEN REQUEST; COMMUNICATION MODULE; MESSAGING SERVICE PROVIDER.]

PETITIONERS' EXHIBIT 1001
Page 1 of 20


[Drawing sheet 1 of 11: system overview drawing, rotated in the scan. Labels: SECURE SYSTEM; LOGIN DATA; AUTHENTICATION CONFIRMATION; USER AUTHENTICATION SERVER; AUTHENTICATION MODULE; USER DATABASE; USER ID & PASSWORD; TOKEN/PASSWORD; USER TOKEN SERVER; TOKEN REQUEST; COMMUNICATION MODULE; MESSAGING SERVICE PROVIDER; USER WITH PERSONAL COMMUNICATION DEVICE.]

[Drawing sheet 2 of 11: FIGS. 2A-2D, login screens titled "Logon To Network:". Legible screen text: "Note: Your password is your passcode followed by a valid token" (FIG. 2A); "Please enter a user ID to request a Token"; "Token will be instantly transmitted to your registered Personal Communication Device and will be valid for one minute".]

[Drawing sheet 3 of 11: FIG. 3, flowchart of the authentication process. Steps, in order:
1. User requests token from token server.
2. Token server generates token.
3. Token server generates password based upon passcode and token.
4. Token server updates password and activates user account in user database.
5. Token server transmits token to user’s personal communication device.
6. User receives token.
7. User logs into secure system using user ID and password.
8. Secure system transmits login data to user authentication server.
9. User authentication server authenticates user based upon login data.
10. User authentication server transmits authentication confirmation to secure system.
11. Secure system allows user access.]

[Drawing sheet 4 of 11: FIG. 4, block diagram of the USER TOKEN SERVER. Blocks: CONTROL MODULE; ADMINISTRATOR USER INTERFACE; SUPPLEMENTAL USER DATABASE; COMMUNICATION MODULE INTERFACE; TOKEN GENERATION MODULE.]

[Drawing sheet 5 of 11: FIG. 5, flowchart of the user token server process. Steps, in order:
1. Associate user ID with passcode and phone number of user’s personal communication device.
2. Receive token request.
3. Associate token request with user ID.
4. Generate token.
5. Generate password based upon passcode and token.
6. Set password in user database and activate user ID.
7. Transmit token to user’s personal communication device based upon phone number associated with user ID.
8. User can access secure system by logging in using token.
9. Token expires.
10. Deactivate user account in user database.]

[Drawing sheet 6 of 11: drawing rotated in the scan; label text not reliably recoverable.]

[Drawing sheet 7 of 11: drawing rotated in the scan; label text not reliably recoverable.]

[Drawing sheet 8 of 11: drawing rotated in the scan; label text not reliably recoverable.]

[Drawing sheet 9 of 11: drawing rotated in the scan; label text not reliably recoverable.]

[Drawing sheet 10 of 11: drawing with legible labels USER WITH PERSONAL COMMUNICATION DEVICE AT WORKSTATION; TOKEN REQUEST; NETWORK INTERFACE CARD.]

[Drawing sheet 11 of 11: drawing rotated in the scan; label text not reliably recoverable.]

USE OF PERSONAL COMMUNICATION DEVICES FOR USER AUTHENTICATION

BACKGROUND OF THE INVENTION

1. Field of the Invention

This invention relates generally to the authentication of users of secure systems and, more particularly, the invention relates to a system through which user tokens required for user authentication are supplied through personal communication devices such as mobile telephones and pagers.

2. Description of the Related Art

Secure systems have traditionally utilized a user ID and password pair to identify and authenticate system users. Operating systems that control local area networks of workstations within a business or institution such as Novell NetWare, Microsoft NT, Windows 2000, and UNIX/Linux typically require submission of a user ID and password combination before allowing access to a workstation.

The incorporation of remote connectivity to secure systems over the Internet has weakened traditional controls imposed by a user’s required physical presence within a company’s premises and has exposed systems to additional security threats. External users accessing by dial-in or over the Internet, complicated by frequent personnel turnover, require frequent changes in password lists.

Passwords created by users are often combinations of words and names, which are easy to remember but also easily guessed. Guessing passwords is a frequent technique used by “hackers” to break into systems. Therefore, many systems impose regulations on password formats that require mixtures of letters of different cases and symbols and that no part of a password be a word in the dictionary. A user’s inability to remember complex combinations of letters, numbers, and symbols often results in the password being written down, sometimes on a note stuck to the side of a workstation.

Present systems face several problems: users dread frequent password changes, frequent password changes with hard-to-remember passwords inevitably result in users surreptitiously writing down passwords, and security is compromised when users write down their passwords.

The SecurID product, which is distributed by RSA Security Inc., solves many of the aforementioned problems by requiring a two-factor authentication process. The first factor is a user passcode or personal identification number. The second factor is a SecurID card that is possessed by the user. The SecurID card generates and displays unpredictable, one-time-only access codes that automatically change every 60 seconds. The user supplies the displayed code upon logging into a system. The system has a corresponding code generator that allows verification of possession of the card. The SecurID product, however, requires users to carry an additional item on their person in order to access a secure system. It would be advantageous if the benefits of the SecurID system could be achieved using a device that many users already carry—a personal communication device such as a mobile phone or a pager.

SUMMARY OF THE INVENTION

A preferred embodiment of the present invention is a password setting system for setting user passwords for a secure system, such as a computer system or a secure area of a building. The password setting system preferably includes a user token server and a communication module. The user token server generates a random token in response to a request for a new password from a user. The server creates a new password by concatenating a secret passcode that is known to the user with the token. The server sets the password associated with the user’s user ID to be the new password. The communication module transmits the token to a personal communication device, such as a mobile phone or a pager carried by the user. The user concatenates the secret passcode with the received token in order to form a valid password, which the user submits to gain access to the secure system. Accordingly, access to the system is based upon: nonsecret information known to the user, such as the user ID; secret information known to the user, such as the passcode; and information provided to the user through an object possessed by the user, such as the token.

One aspect of the invention is a method for setting passwords. The method includes associating a user ID with a phone number of a personal communication device. The method also includes generating a new password based at least upon a token. The method also includes setting a password associated with the user ID to be the new password. The method also includes transmitting the token to the personal communication device using the phone number associated with the user ID. In another aspect, the method also includes associating the user ID with a passcode. In another aspect, the new password is generated based additionally upon the passcode. In another aspect, the method also includes receiving a request for the user token. In another aspect, the personal communication device is a mobile phone. In another aspect, the personal communication device is a pager.

An additional aspect of the invention is a password setting system. The system includes a first user database configured to associate a user ID with a phone number of a personal communication device. The system also includes a control module configured to create a password based at least upon a token. The control module is further configured to cause a second user database to associate the password with the user ID. The system also includes a communication module interface configured to cause a communication module to transmit the token to the personal communication device using the phone number associated with the user ID. In another aspect, the first user database and the second user database are the same database. In another aspect, the first user database is further configured to associate the user ID with a passcode, and the control module is further configured to create the password based additionally upon the passcode.

An additional aspect of the invention is a method of regulating access to a secure system. The method includes transmitting a user token to a personal communication device. The method also includes receiving login data in response to a request for authentication information, wherein the login data is based at least upon the user token. The method also includes granting access to the secure system based upon the received login data. In another aspect, the login data is additionally based upon a user ID. In another aspect, the login data comprises a user ID. In another aspect, the login data is additionally based upon a passcode. In another aspect, the login data comprises a user ID and a password. In another aspect, the password comprises a passcode and the token. In another aspect, the password is a concatenation of the passcode and the token. In another aspect, the password is a hashed concatenation of the passcode and the token. In another aspect the method also includes generating the user token. In another aspect the method also includes receiving a request for the user token. In another aspect, the personal communication device is a mobile phone. In another aspect, the personal communication device is a pager.

An additional aspect of the invention is an access control system. The system includes a user token server configured to transmit a token to a personal communication device. The user token server is further configured to generate a valid password based at least upon the token. The system also includes an authentication module configured to receive at least a submitted password in response to a request for authentication of a user. The authentication module is further configured to grant access to the user if at least the submitted password is based at least upon the token and matches the valid password. In another aspect, the user token server is further configured to generate the valid password based additionally upon a valid passcode that is known to the user. In another aspect, the user token server is further configured to transmit the token in response to a request by the user. In another aspect, the user token server is further configured to associate the valid password with a valid user ID, the authentication module is further configured to receive a submitted user ID in response to the request for authentication, and the authentication module is further configured to grant access to the user if, in addition, the submitted user ID matches the valid user ID.

BRIEF DESCRIPTION OF THE DRAWINGS

The present invention will be described below in connection with the attached drawings in which:

FIG. 1 illustrates an overview, including system components, of a user authentication system according to a preferred embodiment of the present invention;

FIGS. 2A-D illustrate login screens that can be used in conjunction with various embodiments of the invention;

FIG. 3 illustrates a preferred process performed by the system to authenticate users;

FIG. 4 illustrates a preferred embodiment of a user token server;

FIG. 5 illustrates a preferred process by which the user token server provides tokens and administrates user accounts;

FIGS. 6A-C illustrate three embodiments of a token delivery communication link;

FIGS. 7A-B illustrate two embodiments of a token request communication link; and

FIG. 8 illustrates an embodiment of a combined token request and delivery communication link.

DETAILED DESCRIPTION OF THE EMBODIMENTS

In the following description, reference is made to the accompanying drawings, which form a part hereof, and which show, by way of illustration, specific embodiments or processes in which the invention may be practiced. Where possible, the same reference numbers are used throughout the drawings to refer to the same or like components. In some instances, numerous specific details are set forth in order to provide a thorough understanding of the present invention. The present invention, however, may be practiced without the specific details or with certain alternative equivalent devices and methods to those described herein. In other instances, well-known methods and devices have not been described in detail so as not to unnecessarily obscure aspects of the present invention.

I. Overview and System Components

FIG. 1 illustrates an overview, including system components, of a user authentication system 100 according to a preferred embodiment of the present invention. FIG. 2A illustrates a login screen that can be used in accordance with the preferred embodiment. FIGS. 2B-D illustrate login screens that can be used in accordance with alternative embodiments.

The user authentication system 100 includes an authentication server 102, a text messaging service provider 104, a personal communication device 106 carried by a user 108, and a secure system 110 to which the authentication system 100 regulates access. The personal communication device 106 is preferably a pager or a mobile phone having SMS (short message service) receive capability. SMS is a secure text messaging capability that is incorporated into most digital mobile phones. The secure system 110 is preferably a Windows NT computer workstation, but may be any system, device, account, or area to which it is desired to limit access to authenticated users. The secure system 110 may be, for example, a user account on a network of computer workstations, a user account on a web site, or a secure area of a building. The secure system 110 is preferably connected to the user authentication server 102 by a computer network 103. In one embodiment, the user authentication server 102 is integrated into the secure system 110.

The user authentication server 102 preferably includes a program or a suite of programs running on a computer system to perform user authentication services. The user authentication server 102 may also include the computer system and hardware upon which the programs run. The user authentication server 102 is preferably configured to require that the user 108 supply authentication information through the secure system 110 in order to gain access to the secure system 110.

The authentication information preferably includes a user ID 152, a passcode 154 and a user token 156. The user 108 preferably commits to memory the user ID 152 and passcode 154. The user ID 152 may be publicly known and used to identify the user 108. The passcode 154 is preferably secret and only known to the user 108. The token 156 is preferably provided only to the user 108 by the user authentication server 102 through the user’s personal communication device 106 on an as needed basis. The token 156 preferably has a limited lifespan, such as 1 minute or 1 day. Accordingly, the user 108 needs to be in possession of his personal communication device 106 in order to gain access to the secure system 110. Therefore, if the user’s user ID 152 and passcode 154 are compromised, a malicious party still cannot access the secure system without possession of the personal communication device 106.

In the preferred embodiment, the user 108 combines the token 156 with the passcode 154 to form a password 158. For example, the user 108 can combine a valid, memorized passcode of “abcd” with a valid token of “1234” to form a valid password of “abcd1234.” In this manner, a login screen such as is illustrated in FIG. 2A, which is similar or identical to standard login screens that require a user ID 152 and a password 158, can be used. In an alternative embodiment, the passcode 154 and the token 156 are submitted separately, as is illustrated in FIG. 2B. In another embodiment, the passcode 154 is null in which case the token 156 alone is used as the password 158. In still another embodiment, the token 156 can be requested through the secure system 110 as is illustrated in FIGS. 2C-D.

`
`
`
`
`
`
`
`
`
`
`
`
`
`The user authentication server 102 is preferably a secure
`
`
`
`
`
`
`
`
`
`
`
`system itself and may be a part or componentof the secure
`
`
`
`
`
`
system 110. The user authentication server 102 preferably includes an authentication module 112 and a user database 114. The authentication module 112 is preferably identical to the code or software provided with operating systems such as Windows NT that authenticates users upon login. In alternative embodiments, the authentication module 112 may be any code, device, or module capable of authenticating a user based upon a supplied user ID 152 supplemented by a supplied password 158 or a passcode 154 and a token 156 combination. The authentication module 112 preferably

receive capability. The communication module 118 receives an SMS message from the user’s mobile SMS send enabled mobile phone 106, and the token server 116 preferably processes the message as a token request 160. The incoming SMS message is tagged with the sending phone’s phone number, which the user token server 116 can use to identify the requesting user and respond with a new token 156. The token request 160 may also be in the form of a phone call, in which case the user token server 116 may use a caller ID feature to identify the calling phone number as a valid
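The token request keyed on the sender's phone number and the password formed as passcode followed by a limited-lifespan token, both described above, can be modelled as follows; this is an added Python example, not code from the patent. The class and method names, the six-digit token, the PBKDF2 passcode hash, the single-use rule and the phone numbers used with it are assumptions or constructed values.

```python
import hashlib, hmac, secrets, time
TOKEN_LIFESPAN_S = 60   # the page's examples are 1 minute or 1 day
TOKEN_DIGITS = 6        # assumption; the page's sample token "1234" has four

class UserAuthServer:
    """Toy model of user authentication server 102 (all names hypothetical)."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.users = {}    # user ID 152 -> (salt, passcode hash)
        self.phones = {}   # phone number -> user ID
        self.tokens = {}   # user ID -> (token 156, expiry time)
        self.outbox = []   # (phone, token): stands in for the SMS reply

    @staticmethod
    def _hash(salt, passcode):
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, 100_000)

    def enroll(self, user_id, passcode, phone):
        salt = secrets.token_bytes(16)
        self.users[user_id] = (salt, self._hash(salt, passcode))
        self.phones[phone] = user_id

    def token_request(self, sender_phone):
        """Token request 160: the sender's number identifies the user."""
        user_id = self.phones.get(sender_phone)
        if user_id is None:
            return None                       # unknown number, no token issued
        token = f"{secrets.randbelow(10 ** TOKEN_DIGITS):0{TOKEN_DIGITS}d}"
        self.tokens[user_id] = (token, self.clock() + TOKEN_LIFESPAN_S)
        self.outbox.append((sender_phone, token))
        return token

    def authenticate(self, user_id, password):
        """Password 158 is passcode 154 followed by token 156."""
        record, issued = self.users.get(user_id), self.tokens.get(user_id)
        if record is None or issued is None:
            return False
        token, expires = issued
        if self.clock() > expires:
            del self.tokens[user_id]          # expired tokens are discarded
            return False
        passcode, supplied = password[:-len(token)], password[-len(token):]
        salt, stored = record
        token_ok = hmac.compare_digest(supplied.encode(), token.encode())
        code_ok = hmac.compare_digest(self._hash(salt, passcode), stored)
        if token_ok and code_ok:
            del self.tokens[user_id]          # single use: an added assumption
        return token_ok and code_ok
```

Enrolling a user with an empty passcode gives the embodiment in which the token alone is used as the password.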
