Title:
AUTHENTICATION SYSTEM
Document Type and Number:
WIPO Patent Application WO/2006/103454
Kind Code:
A1
Abstract:
An authentication system (300) is provided that includes a card reader (304) arranged to receive a card (302) of a user to be authenticated. The authentication system (300) includes a processor (306) having an interface (318) connected to receive card data from the card reader (304) and is remote therefrom. A display (308) operates under control of the processor (306) to display a representation of a set of controls (500) used to control operation of the authentication system (300), and a user interface (310, 312) is arranged to respond to user input for entering user data based on the representation on the display (308). The processor (306) is arranged to receive the card data and the user data and is operable to generate authentication information. A card reader (1000) is also provided for reading a smart card (900). The card reader (1000) includes a card insertion slot (1004) of dimensions that are substantially similar to the dimensions of the card (900) to be inserted. The card insertion slot (1004) terminates in a guide portion (1012) with guide walls sloping from an open end of dimensions substantially larger than the smart card (900) to be inserted into the card insertion slot (1004). The guide walls guide a smart card (900) inserted in the guide portion (1012) into the card insertion slot (1004).

Inventors:
PALMER ANDREW (GB)
Application Number:
PCT/GB2006/001182
Publication Date:
October 05, 2006
Filing Date:
March 30, 2006
Assignee:
LLOYDS TSB BANK PLC (GB)
PALMER ANDREW (GB)
International Classes:
G07F19/00; G07F7/10
Foreign References:
US20020029342A1 (2002-03-07)
DE20304760U1 (2003-11-20)
GB2352313A (2001-01-24)
US4590365A (1986-05-20)
DE10052699A1 (2002-05-02)
DE4327057A1 (1994-01-13)
US5201034A (1993-04-06)
US4679236A (1987-07-07)
Other References:
JOHN GILL: "Smart Cards: Accessibility and Social Inclusion", February 2004 (2004-02-01), XP002381430, Retrieved from the Internet [retrieved on 20060517]
JOHN GILL: "Access-Ability Making technology more useable by people with disabilities", 2004, XP002381431, ISBN: 1 86048 030 6, Retrieved from the Internet [retrieved on 20060517]
Attorney, Agent or Firm:
Driver, Virginia Rozanne (Bedford House John Street, London WC1N 2BF, GB)
Claims:
CLAIMS:
1. An authentication system comprising: card reading means arranged to receive a card of a user to be authenticated; processing means having an interface connected to receive card data from the card reading means and remote therefrom; display means operating under control of the processing means to display a representation of a set of controls used to control operation of the authentication system; and a user interface arranged to respond to user input for entering user data based on the representation on the display means, said processing means being arranged to receive said card data and said user data and operable to generate authentication information.
2. An authentication system as claimed in claim 1, wherein the display means is adapted for use by disabled people.
3. An authentication system as claimed in claims 1 or 2, wherein the processing means, display means and user interface are provided by a personal computer.
4. An authentication system as claimed in any preceding claim, wherein the processing means is arranged to execute an application for generating said authentication information based on an operating system which is adapted to allow operation by disabled people.
5. An authentication system as claimed in any of claims 1 to 3, wherein the processing means is arranged to execute an application for generating said authentication information, the application being adapted to allow operation by disabled people.
6. An authentication system as claimed in any preceding claim, wherein the interface connected to the card reading means is a USB interface.
7. An authentication system as claimed in any preceding claim, wherein the user interface comprises a keyboard.
8. An authentication system as claimed in any preceding claim, wherein the user interface comprises a pointing device.
9. An authentication system as claimed in claim 8, wherein the pointing device is a computer mouse.
10. A method of generating authentication information in an authentication system, comprising the steps of: receiving card data from a card of a user to be authenticated; displaying on a display means a representation of a set of controls used to control operation of the authentication system; receiving user data from a user interface arranged to respond to user input for entering user data based on the representation on the display means; and generating authentication information from the card data and the user data.
11. A method as claimed in claim 10, comprising the step of displaying the authentication information on the display means.
12. A method of making payments using the method of claim 10 or 11 to authenticate payments.
13. A method as claimed in claims 10, 11 or 12, wherein the authentication information is transaction-based.
14. A method as claimed in claims 10, 11 or 12, wherein the authentication information is user-based.
15. A computer program product comprising program code means which when loaded into a computer controls the computer to carry out the method of any of claims 10 to 14.
16. A card reader for reading a smart card comprising a card insertion slot of dimensions substantially similar to the dimensions of the card to be inserted, the card insertion slot terminating in a guide portion with guide walls sloping from an open end of dimensions substantially larger than the smart card to be inserted into said card insertion slot, said guide walls guiding a smart card inserted in said guide portion into said card insertion slot.
17. A card reader as claimed in claim 16, wherein the card reader guide portion is coloured.
18. A card reader as claimed in claim 16 or 17, wherein the inner walls of the card reader guide portion are smooth.
19. A card reader as claimed in any of claims 16 to 18, wherein the inner walls of the card reader guide portion have rounded edges.
20. A card reader as claimed in any of claims 16 to 19, wherein the card reader is connected to a personal computer.
21. A card reader as claimed in claim 20, wherein the connection between the card reader and the personal computer is a USB connection.
22. A card reader as claimed in any of claims 16 to 21, wherein the smart card comprises a notch.
23. A card reader as claimed in claim 22, wherein the card reader comprises a notch which is aligned with the notch in the smart card when the smart card is inserted in the card reader.
24. An authentication system according to any of claims 1 to 9 wherein the card reading means is provided by the card reader of any of claims 16 to 23.
Description:
AUTHENTICATION SYSTEM

This invention relates to an authentication system, particularly but not exclusively for making bank payments, and a card reader for use in the system.

Smart cards can be used for a variety of applications, such as payment systems, loyalty card systems, on-line shopping, and computer access & security. In the case of applications involving payments, security is a very important issue, particularly when the payments are being made remotely, for example on-line or by fax. The use of smart cards can increase security, in particular when they are combined with a device that uses a smart card to generate security codes.

An example of a known device for reading smart cards and generating security codes is shown in Figure 1. This is available commercially as the Vasco Digipass 800. The security code generation device 100 is a small hand-held device, which comprises a display 102, a plurality of function buttons 104, a numeric keypad 106, a cancel or "C" button 108, an "OK" button 110 and a power button 112. A smart card 114 may be inserted into a card slot 116 located in the top of the device. The device can interact with the card to perform a variety of functions to provide enhanced security. For example, upon inserting a valid smart card and entering a personal identification number (PIN) known to the user on the numeric keypad 106, the device 100 may display a number known as a one-time password. This password is dynamic, and changes each time to increase security. This one-time password may be used as a further level of authentication, for example on a web page, in addition to a user name and password.

Another function provided by the device 100 is known as a challenge/response operation. Upon inserting a valid smart card, the user is prompted to enter a number that has been provided to the user. This number may have been provided to the user, for example, on a web page. The number entered contains a check digit. The device 100 then verifies that the check digit is correct for the entered number, and if so it prompts the user to enter a PIN. Upon entering the correct PIN, the device 100 calculates and displays a number known as a signature, which can be used as a further level of authentication.

Another function of the device 100 is in the generation of signatures for providing security when bank payments are made by fax. Upon entering a valid smart card, the user is prompted to enter a code that corresponds to the currency in which the payment is being made. Following this, the user enters the amount of the payment being made, the account number of the user, and the account number of the payee. The device 100 then prompts the user to enter a PIN on the numeric keypad 106. The device 100 then uses the information to calculate the signature number and displays it on the screen 102. The user may then include this number on the fax as a means of authentication.

The functions of the device 100 may be described as transaction-based or user-based authentication methods. The fax signature generation function is an example of a transaction-based authentication method, as this uses information such as the account numbers and the value of the payment to authenticate the transaction that is taking place. The one-time password and challenge/response functions are user-based authentication methods as they are designed to authenticate a particular user of a system.

A typical smart card is shown in Figure 2. The smart card 200 comprises a card substrate 202 typically made of plastic and an integrated circuit (IC) embedded in the card from which electrical contacts 204 are made available at the top surface 206 of the card. The IC embedded in the card contains cryptographic information, such as a cryptographic key and a count of the number of times the key has been accessed. This cryptographic information may be utilised in the generation of the security codes, when combined with the device 100 above.

A problem with security code generation devices such as that shown in Figure 1 is that they may be very difficult for disabled people to use effectively. The UK Disability Discrimination Act (DDA) 1995 gives rights to disabled people for access to goods, facilities and services. The providers of such goods, facilities and services must therefore ensure that they are not discriminating against disabled people. The card reader device shown in Figure 1 is a small unit, and therefore the buttons and display are also small. Those with visual impairments may find it difficult to distinguish the buttons and their labels due to their small size and colouring. In addition, they may find it difficult to read the display, due to its size and the contrast of the image. They may also find it difficult to locate the card slot and align the smart card in the slot itself. This task may also be difficult for the elderly or those with reduced motor skills or coordination. Further difficulties will be had by those with reduced motor skills or coordination in accurately pressing the correct buttons on the keypad, which is essential for the device to function (for example when entering a PIN code).

A solution to this problem would be to develop a new security code generation device that was much larger in dimensions. This would have large buttons and a large display, in order to make it easier for a disabled person to enter and read information on the device. Furthermore, the device would need to be coloured such that those with visual impairments could operate the device effectively. A means of permitting easier alignment and insertion of the smart card into the device would also be required. Completely redesigning the device to make it DDA compliant would be a very expensive and time-consuming operation. In addition, a single redesigned device could never be expected to satisfy the needs of every disabled person, whose requirements may be significantly different depending on the disability. There is therefore a need for a more flexible and cost effective way of providing a DDA compliant authentication system.

According to one aspect of the present invention there is provided an authentication system comprising card reading means arranged to receive a card of a user to be authenticated; processing means having an interface connected to receive card data from the card reading means and remote therefrom; display means operating under control of the processing means to display a representation of a set of controls used to control operation of the authentication system; and a user interface arranged to respond to user input for entering user data based on the representation on the display means, said processing means being arranged to receive said card data and said user data and operable to generate authentication information.

According to one embodiment of the present invention, the display means is adapted for use by disabled people.

According to another embodiment of the present invention, the processing means, display means and user interface are provided by a personal computer.

According to another embodiment of the present invention, the processing means uses an operating system which is adapted to allow operation by disabled people, with an application for generating authentication information running on top of it.

According to another embodiment of the present invention, the processing means uses an application which generates the authentication information and which is adapted to allow operation by disabled people.

According to another embodiment of the present invention, the interface connected to the card reading means is a USB interface.

According to another embodiment of the present invention, the user interface comprises a keyboard.

According to another embodiment of the present invention, the user interface comprises a pointing device. Furthermore, in embodiments of the present invention the pointing device is a computer mouse.

According to another aspect of the present invention there is provided a method of generating authentication information in an authentication system, comprising the steps of: receiving card data from a card of a user to be authenticated; displaying on a display means a representation of a set of controls used to control operation of the authentication system; receiving user data from a user interface arranged to respond to user input for entering user data based on the representation on the display means; and generating authentication information from the card data and the user data.

According to one aspect of the present invention, there is provided a method of making payments using the above defined method of generating authentication information.

The authentication information can be transaction based or user based.

According to another aspect of the present invention, there is provided a computer program product comprising program code means which when loaded into a computer controls the computer to carry out the above defined method of generating authentication information.

According to another aspect of the present invention there is provided a card reader for reading a smart card comprising a card insertion slot of dimensions substantially similar to the dimensions of the card to be inserted, the card insertion slot terminating in a guide portion with guide walls sloping from an open end of dimensions substantially larger than the smart card to be inserted into said card insertion slot, said guide walls guiding a smart card inserted in said guide portion into said card insertion slot.

According to one embodiment of the present invention, the card reader guide portion is coloured.

According to another embodiment of the present invention, the inner walls of the card reader guide portion are smooth.

According to another embodiment of the present invention, the inner walls of the card reader guide portion have rounded edges.

According to another embodiment of the present invention, the card reader is connected to a personal computer. Furthermore, in embodiments of the present invention the connection between the card reader and the personal computer is a USB connection.

According to another embodiment of the present invention, the smart card comprises a notch. Furthermore, in embodiments of the present invention the card reader comprises a notch which is aligned with the notch in the smart card when the smart card is inserted in the card reader.

According to another aspect of the present invention there is provided an authentication system with card reading means provided by the card reader as defined above.

For a better understanding of the present invention and to show how to put the invention into effect, reference will now be made, by way of example, to the following drawings in which:

Figure 1 shows a known security code generation device;

Figure 2 shows a typical smart card as used in security code generation devices;

Figure 3 shows the structure and functionality of an authentication system;

Figure 4 shows the hardware and software components of the authentication system;

Figure 5 shows a first on-screen display of the authentication system;

Figure 6 shows a second on-screen display of the authentication system;

Figure 7 shows a flowchart of a challenge/response operation;

Figure 8 shows a known card reader;

Figure 9 shows a modified smart card;

Figure 10 shows a card reader for use in the authentication system; and

Figure 11 is a schematic diagram of the authentication system.

Reference will first be made to Figure 3, which shows the structure and functionality of a DDA compliant authentication system 300 embodying one aspect of the invention. The system 300 comprises a card reader unit 304, a microprocessor 306, a display device 308, and a user interface in the form of a keyboard 310 and/or a pointing device 312. In a preferred embodiment of the present invention, the microprocessor 306, display device 308, keyboard 310 and pointing device 312 are part of a personal computer (PC), although other types of workstations or computers could be used. The system operates with a smart card 302.

The smart card 302 provides the same functionality as the smart card shown in Figure 2. This provides cryptographic information to the system through the use of a card applet 314. This applet generates security codes based on the cryptographic information stored in the card and count, as described previously, and as known to the person skilled in the art.

The card reader unit 304 provides the means by which the smart card may be connected to the microprocessor. The card reader unit 304 does not itself have any buttons or display means, and only provides a means of access between the smart card 302 and the microprocessor 306. Furthermore, it only provides functionality for generic smart card access 316, and does not provide functionality specific to the type or application of the smart cards used in the present embodiment. In one embodiment, the generic card access functionality simply provides a means for passing specific card access functions between the microprocessor and the smart card.

In some embodiments of the invention, the card reader unit 304 could be a standard smart card reader for connection to a PC, as are already known. In preferred embodiments, however, the card reader unit is a DDA compliant card reader, as will be described hereinafter. The card reader unit is remote from the microprocessor, and is connected to the microprocessor through a suitable card reader interface 318.

The microprocessor 306 stores and executes a set of programs providing different functions. A card application programming interface (API) 320 enables the microprocessor to access specific functions of the smart card used in the present embodiment. This is in contrast to the card reader unit, which only provided generic access functions for any type of smart card. In particular, the card API 320 sends commands to the smart card and receives responses and data from the smart card. The commands to be sent to the smart card come from a device layer program 322, and the responses from the card are passed back to the device layer. Apart from sending commands to the smart card via the card API, the device layer 322 provides functions such as data formatting of the information returned from the smart card. The device layer also performs some processing on the information, such as the calculation of check digits.

A user needs to interact with the system and be presented with the desired information in a manner that is understandable, and this functionality is handled by a presentation layer program 324. The presentation layer 324 provides on the display 308 a menu through which the user can control the operation of the system. The microprocessor is connected to the display 308 through a suitable interface 326. The presentation layer 324 also provides the means whereby the user can input data. Data input can be through the keyboard 310 or the pointing device 312, or a combination of both. In preferred embodiments, the pointing device is a computer mouse. In other embodiments, the pointing device may be a trackball, touchpad or stylus-based input method. For the system to be fully usable by disabled people, the system must be capable of being operated entirely by either the keyboard or the pointing device, and not require a combination of the two. This is because some disabilities may make it very difficult to use a keyboard, whereas others may make it difficult to use a pointing device.

To the end user of the system 300, the presentation layer 324 provides exactly the same functionality as the security code generation device shown in Figure 1. However, instead of the device utilising a set of hardware buttons and a small dedicated display, the functionality is instead controllable by a user interface associated with a PC, and represented on the screen of a PC. However, in terms of behaviour, it is identical to the device in Figure 1.

For rendering the system DDA compliant, an operating system 328 can run on the microprocessor to provide built-in tools to allow use of the computer by a disabled person. In preferred embodiments of the invention, this operating system is the Microsoft Windows operating system, which provides its own set of accessibility tools. However, other operating systems could also be used. Third-party accessibility tools could also be used in combination with an operating system. These accessibility tools include screen magnifiers to make the information shown on screen much larger and screen readers which provide a speech-based audio translation of the text on the screen. In addition, the user can also specify aspects such as font sizes and colours, in order to make the display as easy to read as possible.

Therefore, by providing the functionality of a hand-held security code generation device as shown in Figure 1 through software implemented on a PC, it can be seen that the tools that the disabled user would normally use to access a computer can be reused to provide the security code generation functionality in a manner that is accessible. Furthermore, this provides a very flexible system that can be easily tailored to the disabled user under question, and can be adapted to their particular requirements through the underlying operating system tools.

Reference is now made to Figure 4, which shows the hardware and software components of an embodiment of the invention, as they would be presented to a user of the system. The hardware parts comprise a smart card 302, a card reader 304 and a PC 402. The disabled user may have their own PC, which is already set up to provide the accessibility tools they require. Running on the PC is the software comprising the card API 320, the device layer 322 and the presentation layer 324, as discussed previously. This software may be provided on storage means 404, such as a CD, DVD, floppy disk or memory card. Alternatively, the software may be provided over a computer network. The user may be required to install this software on the PC.

Reference is now made to Figure 5, which shows a screen displayed on the display 308 of the PC. The screen 500 comprises a display bar 502 that shows the menus and prompts for the user, and provides visual feedback on the data the user is entering. The screen also comprises a set of function buttons 504, a numerical keypad 506, a cancel or "C" button 508, an "OK" button 510 and an "OFF" button 512. It should be noted that the buttons presented on the display of the PC in this embodiment are identical to those present on the hardware device shown in Figure 1, though of course that is not necessary. Since an "off" button is not required in the same sense as it is on a hand-held hardware device such as that shown in Figure 1, the "OFF" button 512 performs the same function as pressing the "X" button 514 in the top left of the window, i.e. it closes the program.

In the example screen shown in Figure 5, the display 502 is showing the message 516 "ENTER PIN" which is prompting the user to enter a PIN number for the smart card that is inserted in the card reader connected to the PC. The line below the prompt in the display 502 shows feedback on what the user has entered. In this case the user has entered the PIN "12345678". The PIN may of course be of different lengths and comprise different numbers. The user may enter data using a pointing device to point at the buttons represented on screen and clicking on them. Alternatively, the user may use keys on the PC keyboard which represent each of the keys on the display. For example, the function buttons 504 may be represented by the "P", "M" and "R" keys on the PC keyboard, the numeric buttons 506 by the number keys on the PC keyboard, the cancel button 508 by the backspace key on the PC keyboard and the "OK" button by the enter key on the PC keyboard. Other mappings of keyboard keys to on-screen keys would also be possible. Furthermore, the on-screen display can also be controlled by having a button highlighted, such that the currently highlighted button can be selected with a key on the keyboard, and the currently highlighted button can also be changed using a different key. As such, the on-screen display can be controlled with only two buttons. The software is compliant with known conventions for navigating displayed buttons under a particular operating system. For example, the tab key on the PC keyboard moves the highlighted button, and the space key activates the currently highlighted button.

Figure 6 shows the same screen as that shown in Figure 5, but the display 502 now shows a different message 602. In this case the user is being prompted to enter a string of numbers that have been provided to the user, for example from a web page. The lower line of the display indicates that there are 12 numbers to be entered, and each time a number is entered it replaces one of the dashes on the display. This operation forms part of a "challenge/response" security code generation process, which is one example of the functions that the system of the present embodiment implements. This process will be described in more detail with reference to Figure 7.

Figure 7 shows a flowchart 700 outlining the operation of the challenge/response security code generation process. When the challenge/response function is selected from the menu, the first step 702 is to insert a smart card into the card reader. The smart card is validated at step 704. Obviously, if the smart card is not valid, the process cannot proceed any further. Assuming that the smart card is valid, the display 502 shows the message "CHALL/RESP" on the top line of the display, and " — , — , — , — " on the bottom line of the display at step 706. This indicates to the user that the system is expecting the user to enter a 12 digit number, which has been provided to the user as part of the challenge/response process. This number may be shown to the user, for example, on a web page. This 12 digit number may be made up of 11 digits and a check digit. In other embodiments, the number may be of a different length, or contain a different number of check digits.

At step 708, the system waits for the user to enter the 12 digits and press the "OK" button. As the numbers are entered, they replace the dashes shown on the bottom line of the display. The check digit is then calculated for the numbers entered by the user at 710, and compared to the check digit entered at 712. If the check digit is incorrect, the user is informed by displaying "WRONG INPUT" at 714. The system then waits for 6 seconds or until the "OK" button is pressed at 716, before returning to step 706, where the 12 digit number may be re-entered.

If the check digit is correct at 712, the user is prompted to enter the PIN number at step 718. The display 502 shows the message "ENTER PIN" on the top line, and " " on the bottom line. This indicates to the user that the PIN may be up to a maximum of 12 digits long. However, the PIN may be shorter or longer than 12 digits, depending on what the user has selected. At step 720, the system waits for the PIN to be entered by the user, followed by the "OK" button. In other embodiments, the system may not wait for the user to press the "OK" button, but may automatically read the PIN when a certain number of digits have been entered. As the numbers are entered, they replace the dashes shown on the bottom line of the display.

The PIN entered is verified at step 722. If the PIN entered is not correct, then the display shows "WRONG PIN" to the user at 724, and waits for the user to confirm this message by pressing any key at 726. The user is then returned to step 718, where the PIN may be re-entered. The system may also include functionality to monitor the number of times an incorrect PIN is entered, and lock the card if the number of incorrect PIN entries is exceeded. The card may then be unlocked by entering a valid PIN unlocking key (PUK) code. This functionality is not shown here for clarity.

If the PIN entered is found to be correct at step 722, the display 502 shows the message "SIGNATURE- 1 on the top line of the display at 728. The signature number is then generated at 730, using the cryptographic key and count information on the smart card. Finally, at step 732, the generated signature is formatted, and is shown on the bottom line of the display 502 in the form "XXX-XXX-XXX", where "X" represents a digit. In other embodiments the signature could be formatted in a different way, or comprise a different number of digits.
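The Figure 7 flow (steps 704 to 732) as an added Python sketch, not code from the patent or from any product it names: the card, key and PIN are constructed, and the Luhn check digit, the HMAC-SHA-256 signature derivation, the three-try PIN limit and the "LOCKED"/"OK" status strings are assumptions, since the page specifies none of them. It shows the ordering that matters for security: input validation consumes no PIN attempt, the retry counter and key stay on the card side, and the card refuses to sign without a fresh PIN verification.

```python
import hashlib
import hmac

MAX_PIN_TRIES = 3  # assumption: the page gives no retry limit


def luhn_check_digit(payload: str) -> int:
    """Check digit for a digit string (Luhn is an assumption; the page names no algorithm)."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:  # double every second digit, starting next to the check digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return (10 - total % 10) % 10


class SimulatedCard:
    """Stand-in for the card applet: key, use count, PIN and retry counter live here."""

    def __init__(self, key: bytes, pin: str):
        self._key, self._pin = key, pin
        self._tries_left = MAX_PIN_TRIES
        self._pin_ok = False
        self.count = 0  # number of times the key has been used

    @property
    def locked(self) -> bool:
        return self._tries_left == 0

    def verify_pin(self, pin: str) -> bool:
        if self.locked:
            return False
        self._pin_ok = hmac.compare_digest(pin.encode(), self._pin.encode())
        if self._pin_ok:
            self._tries_left = MAX_PIN_TRIES
        else:
            self._tries_left -= 1
        return self._pin_ok

    def sign(self, challenge: str) -> int:
        """9-digit value from key, count and challenge; one signature per PIN entry."""
        if not self._pin_ok:
            raise PermissionError("PIN not verified")
        self._pin_ok = False
        self.count += 1
        msg = self.count.to_bytes(8, "big") + challenge.encode()
        digest = hmac.new(self._key, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:8], "big") % 10**9


def challenge_response(card: SimulatedCard, challenge: str, pin: str) -> tuple[str, str]:
    """Device-layer logic for one pass through the flow: returns (status, signature)."""
    if card.locked:
        return ("LOCKED", "")
    well_formed = len(challenge) == 12 and challenge.isascii() and challenge.isdigit()
    if not well_formed or luhn_check_digit(challenge[:11]) != int(challenge[11]):
        return ("WRONG INPUT", "")  # rejected before the PIN is ever checked
    if not card.verify_pin(pin):
        return ("WRONG PIN", "")
    digits = f"{card.sign(challenge):09d}"
    return ("OK", "-".join(digits[i:i + 3] for i in (0, 3, 6)))  # XXX-XXX-XXX


if __name__ == "__main__":
    card = SimulatedCard(b"constructed-demo-key", "2468")  # constructed values
    payload = "12345678901"                                 # constructed challenge
    challenge = payload + str(luhn_check_digit(payload))
    print(challenge_response(card, challenge, "2468"))
    print(challenge_response(card, challenge, "0000"))
```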

It will readily be appreciated that there are a number of different authentication functions, as described for example in the introductory portion, which can be implemented using the representation on the display in a similar manner to that shown in Figure 7.

The system as described so far provides a solution to the problem of a disabled person being able to operate an authentication system, insofar as the inputting of information and reading the display are concerned. This has been solved by implementing the functionality of the system in software on a PC, with a separate card reader attached to the PC. However, the problem remains of the actual operation of inserting the card into the card reader, in order to read the information stored on a smart card and use the system.

Since the reader is connected to a PC, and all the card specific functions are implemented in the software on the PC, it is possible for the card reader to be of a generic known type already available. A known smart card reader is shown in Figure 8. This card reader 800 consists of a housing 802 defining a cavity and having a top part forming a slot 804 the dimensions of which are such that they allow a smart card to be inserted. Inside the cavity is located a set of electrical contacts 806, which are positioned such that they make contact with the appropriate part of the smart card when it is inserted. The reader also comprises circuitry 808 that is adapted to read the information from the card and transmit it through a cable 810 to another entity, such as a personal computer or workstation. One such reader is manufactured by Gemplus.

To use the smart card reader, the user must align the smart card 200 (as shown in Figure 2) with the slot 804 in the top of the card reader 800. The user must then apply a downward force to the card to insert the smart card 200 into the slot and push the card past the electrical contacts 806 of the card reader. In particular, the user must apply sufficient force to depress the contacts 806, such that they can mount the top surface 206 of the smart card, in order that the electrical contacts 806 may align with the IC contacts 204 of the smart card.

A problem with these card readers is that the slot 804 is of similar dimensions to the smart card itself. This can make the insertion of a card in the slot a difficult task for people with disabilities. For example, those with visual impairment may find it hard to locate the card slot, or those in a wheelchair may have difficulty due to their lower position relative to the card reader, which may mean there is not a direct line of sight to the card slot. In addition, the task may be difficult for the elderly or those with reduced motor skills or coordination. The requirement of needing a certain amount of downward force to be applied to the card further augments this problem, as the user may be less inclined to apply the required force when there is an uncertainty as to whether the card is correctly aligned in the card slot. This can lead to the card not being fully inserted into the reader. Therefore, these problems can lead to a delay in inserting the card correctly in the reader or the user requiring assistance from another person. This can lead to particular problems where the card reader is used for payments, and reduces the security of the system.

One of the initial issues that may be faced when disabled users are using a card reader is that of inserting the card into the card slot with the correct orientation. In order for the electrical contacts on the card to connect with those in the reader, the card may only be inserted one way around. Since those with visual impairment may not be able to see where the electrical contacts are on the card, this may be a difficult operation. In order to solve this problem a modified smart card is shown in Figure 9. The smart card is the same as that shown in Figure 2, except it has a notch 902 removed from the top edge of the card. A disabled user can easily feel for this notch in order to ascertain the orientation of the card. The notch could be located anywhere on the card that is sufficiently distinctive to indicate its orientation.

Reference is now made to Figure 10 in which is shown a card reader 1000 according to an embodiment of the present invention. A main housing 1002 of the card reader is similar to that of known card readers shown in Figure 1. In common with the known card readers, the card reader also has a card insertion slot 1004 of similar dimensions to the card to be inserted. The card reader reads smart cards of the same type as those shown in Figure 2. The card reader comprises electrical contacts 1006 for connecting to the inserted smart card, and card reader circuitry 1008 to read the information from the card and transmit it through a cable 1010. The electrical contacts 1006, card reader circuitry 1008 and communications cable 1010 are similar to those used in known card readers.

The card insertion slot 1004 terminates in a guide portion in the form of a flared bezel 1012. The bezel defines an opening which increases in size along its height away from the slot. The bezel has a narrow opening at one end (the slot end) that corresponds to the dimensions of the card insertion slot 1004, and is connected thereto. The other end of the bezel defines another opening 1014, which is larger in its dimensions than the card insertion slot. The inner walls 1016 of the bezel act as guide walls and are manufactured to provide a smooth transition between the larger size of the opening 1014 and the smaller opening of the same size as the card insertion slot 1004.

To use the card reader, the user inserts the smart card into the open end of the flared bezel 1014. Once the smart card is aligned with the opening of the bezel then a downward force is applied by the user. The smooth inner walls 1016 guide the smart card of the user correctly into the card insertion slot. The inner walls 1016 may have rounded edges to further aid in guiding the smart card into the card insertion slot. Once the card is inserted into the reader, the contacts 1006 can make electrical connections with the IC contacts 204 of the smart card.

The card reader described herein may, therefore, be used to solve the above-identified problems with known card readers. In order to locate the card insertion slot, the user need now only align their smart card with the larger opening 1014 of the flared bezel, and not with the smaller opening of the card insertion slot 1004. This is a significantly simpler operation, as it requires less accuracy and coordination on the part of the user. The user may be more confident in applying a downward force, as they do not need to be concerned with whether the card is correctly aligned with the card insertion slot. They may therefore be more likely to fully insert the card into the reader, and make an electrical connection between the contacts 1006 and the IC contacts of the smart card 204.

In a preferred embodiment of the present invention, the bezel 1012 may be made out of a brightly coloured material. Making the bezel brightly coloured makes it easier for a disabled person (particularly those with visual impairment) to see where to insert their smart card. The material of the bezel may be plastic, although it will be appreciated that other materials may also be used.

In another preferred embodiment, the bezel may have a notch 1018 removed from it, which is the same size and shape as the notch removed from the smart card 902. This gives a further indication to the user of how the card should be inserted, as it defines an association between the smart card and the card reader. In particular, the notch is offset to one side of the card and the bezel, such that if the user orients the card such that the notch is at the same side as that of the bezel, the card can be ensured of being in the correct orientation.

Reference will now be made to Figure 11, which shows a card reader according to an embodiment of the present invention used in a security code generation system 1100. The security code generation system 1100 comprises a card reader 1000, into which has been inserted a smart card 900, as described above. The card reader 1000 is connected via a communications link 1102 to an interface unit 1104. The interface unit 1104 is part of a computer terminal 1106, with a display 1108.

In preferred embodiments of the present invention, the communications link 1102 may be a Universal Serial Bus (USB) link, and the interface unit 1104 may be a USB interface. However, it will be appreciated that other communications links and interfaces may also be used, for example another serial communications standard, such as RS-232 or FireWire (IEEE 1394), a parallel communications link, or a wireless connection such as Bluetooth.

Alternatively, the card reader may be separated from the communications interface 1104 by a network, such as an Ethernet network or the Internet.

In preferred embodiments of the invention the computer terminal 1106 is a personal computer (PC). However, it will be appreciated that it may be a different type of workstation, or the terminal 1106 could be a handheld terminal. Furthermore, the terminal 1106 could be a remote server to which the card reader connects via a network. It will also be appreciated that the card reader 1000 and the terminal 1106 may be integrated into a single unit.

The security code generation system 1100 shown in Figure 11 may be used in a preferred embodiment of the invention for a payment system. However, it may also be used for other applications, such as computer access authentication or security, on-line shopping, home banking, loyalty schemes or identity (ID) systems.