Title:
IMPROVED AUTHENTICATION
Document Type and Number:
WIPO Patent Application WO/2018/130852
Kind Code:
A1
Abstract:
The present invention provides an authentication method. The authentication method comprises: generating data derived from a plurality of different authentication actions. The data comprises first data in a first format, derived from a first authentication action and second data in a second format, derived from a second authentication action. The first format is different to the second format. The method further includes converting at least one of the first and second data into a common format, combining data in said common format to provide combined data for use in authentication, and authenticating the user using the combined data. The present invention also provides a method for generating composite credential, and a client device, an apparatus and a system for authenticating a user.

Inventors:
LI SHUJUN (GB)
ALJAFFAN NOUF (GB)
Application Number:
PCT/GB2018/050098
Publication Date:
July 19, 2018
Filing Date:
January 15, 2018
Assignee:
UNIV SURREY (GB)
International Classes:
G06F21/32; G06F21/36; G06F21/40
Foreign References:
US20140095884A1 2014-04-03
US20060153428A1 2006-07-13
Attorney, Agent or Firm:
CORK, Robert (GB)
Claims:
Claims

1. An authentication method comprising:

generating data derived from a plurality of different authentication actions, wherein the data comprises first data in a first format, derived from a first authentication action and second data in a second format, derived from a second authentication action, the first format being different to the second format,

converting at least one of the first and second data into a common format;

combining data in said common format to provide combined data for use in authentication; and

authenticating the user using the combined data.

2. The authentication method according to claim 1, comprising hashing the data.

3. The authentication method according to claim 2, wherein hashing the data comprises performing truncation.

4. The authentication method according to any one of the preceding claims, comprising transmitting the combined data to a server for authenticating the user.

5. The authentication method according to any one of the preceding claims, wherein the common format is a string.

6. The authentication method according to claim 5, wherein the common format is a textual string.

7. The authentication method according to any one of the preceding claims, wherein the plurality of authentication actions includes one or more of: typing keystrokes on a keyboard, selecting of one or more buttons on a display using a mouse, selecting of one or more images from a plurality of images, uploading one or more files on one or more local devices, accessing one or more online resources using URLs, selecting of one or more points on an image, drawing one or more patterns on an image, receiving a signal from one or more hardware tokens and/or mobile devices, reading one or more biometric features using one or more input devices, performing gesture recognition using an image sensor, and determining contextual information relating to the user.

8. The authentication method according to claim 7, wherein the contextual information is at least one of the user's absolute geo-location, login history, access time, device type, software version, screen resolution, or noise level sensed by an audio sensor.

9. The authentication method according to claim 7 or claim 8, wherein reading one or more biometric features comprises performing a retinal scan.

10. The authentication method according to any one of claims 7 to 9, wherein reading one or more biometric features comprises reading a finger print.

11. The authentication method according to any one of claims 7 to 10, wherein reading one or more biometric features comprises performing facial recognition.

12. The authentication method according to any one of claims 7 to 11, wherein reading one or more biometric features comprises performing voice recognition.

13. The authentication method according to any one of claims 7 to 12, wherein reading one or more biometric features comprises measuring keystroke dynamics.

14. The authentication method according to any one of the preceding claims, comprising validating the plurality of authentication actions.

15. Apparatus configured to carry out the method of any one of the preceding claims.

16. Computer-readable instructions which, when executed by computing apparatus, cause the computing apparatus to perform the method of any one of claims 1 to 14.

17. A method of generating a composite credential comprising:

generating data derived from a plurality of different authentication actions, wherein the data comprises first data in a first format, derived from a first authentication action and second data in a second format, derived from a second authentication action, the first format being different to the second format;

converting at least one of the first and second data into a common format;

generating a composite credential, wherein generating the composite credential comprises combining data in said common format to provide combined data for use in authentication.

18. The method of generating a composite credential according to claim 17, comprising hashing the combined data.

19. The method of generating a composite credential according to claim 18, wherein hashing the combined data comprises performing data truncation on the combined data.

20. The method of generating a composite credential according to any one of claims 17 to 19, comprising transmitting the combined data to a server for storage.

21. The method of generating a composite credential according to any one of claims 17 to 20, wherein the common format is a string.

22. The method of generating a composite credential according to claim 21, wherein the common format is a textual string.

23. The method of generating a composite credential according to any one of claims 17 to 22, wherein the plurality of authentication actions includes one or more of: typing keystrokes on a keyboard, selecting of one or more buttons on a display using a mouse, selecting of one or more images from a plurality of images, uploading one or more files on one or more local devices, accessing one or more online resources using URLs, receiving selection of one or more points on an image, drawing one or more patterns on an image, receiving a signal from one or more hardware tokens and/or mobile devices, reading one or more biometric features using one or more input devices, performing gesture recognition using an image sensor, and determining contextual information relating to the user.

24. The method of generating a composite credential according to claim 23, wherein the contextual information is at least one of the user's absolute geo-location, login history, access time, device type, software version, screen resolution, or noise level sensed by an audio sensor.

25. The method of generating a composite credential according to claim 23 or claim 24, wherein reading one or more biometric features comprises performing a retinal scan.

26. The method of generating a composite credential according to any one of claims 23 to 25, wherein reading one or more biometric features comprises reading a finger print.

27. The method of generating a composite credential according to any one of claims 23 to 26, wherein reading one or more biometric features comprises performing facial recognition.

28. The method of generating a composite credential according to any one of claims 23 to 27, wherein reading one or more biometric features comprises performing voice recognition.

29. The method of generating a composite credential according to any one of claims 23 to 28, wherein reading one or more biometric features comprises measuring keystroke dynamics.

30. The method of generating a composite credential according to any one of claims 17 to 29, comprising validating the plurality of authentication actions.

31. The method of generating a composite credential according to any one of claims 17 to 30, comprising authenticating the user.

32. Apparatus configured to carry out the method of any one of claims 17 to 31.

33. Computer-readable instructions which, when executed by computing apparatus, cause the computing apparatus to perform the method of any one of claims 17 to 31.

34. A method comprising:

generating data derived from a plurality of authentication actions, wherein the data comprises first data in a first format, derived from a first authentication action and second data in a second format, derived from a second authentication action, the first format being different to the second format;

converting at least one of the first and second data into a common format;

combining data in said common format to provide combined data for use in authentication;

transmitting the combined data; and

receiving a message indicating whether the user is authenticated.

35. An apparatus comprising:

one or more input devices, wherein said one or more input devices are configured to generate data derived from a plurality of authentication actions, wherein the data comprises first data in a first format, derived from a first authentication action and second data in a second format, derived from a second authentication action, the first format being different to the second format; and

a processor configured to:

convert at least one of the first and second data into a common format;

combine data in said common format to provide combined data for use in authentication; and

authenticate the user using the combined data and a stored credential.

36. The apparatus according to claim 35, further comprising a storage device for storing the stored composite credential.

37. The apparatus according to claim 35 or claim 36, wherein the processor is further configured to hash the combined data.

38. The apparatus according to claim 37, wherein hashing the combined data comprises truncating the combined data.

39. The apparatus according to any one of claims 35 to 38, wherein the processor is configured to determine contextual information relating to the user in response to a first authentication action being received.

40. A client device, the client device comprising:

one or more input devices, wherein said one or more input devices are configured to generate data derived from a plurality of different authentication actions, wherein the data comprises first data in a first format, derived from a first authentication action and second data in a second format, derived from a second authentication action, the first format being different to the second format;

a processor configured to:

convert at least one of the first and second data into a common format; and

combine data in said common format to provide combined data for use in authentication;

a transmitter for transmitting the combined data to a server for authenticating the user; and

a receiver for receiving a message indicating whether the user is authenticated.

41. The client device according to claim 40, wherein the client device is an automatic teller machine.

42. A system for authenticating a user, the system comprising:

a client device comprising:

one or more input devices, wherein said one or more input devices are configured to generate data derived from a plurality of different authentication actions, wherein the data comprises first data in a first format, derived from a first authentication action and second data in a second format, derived from a second authentication action, the first format being different to the second format;

a first processor configured to:

convert at least one of the first and second data into a common format; and

combine data in said common format to provide combined data for use in authentication; and

a server comprising:

a storage device for storing a composite credential; and

a second processor for authenticating the user using the combined data and the stored composite credential.

43. The system according to claim 42, wherein the second processor is configured to compare the combined data with the stored composite credential and generate a message indicating whether the user is authenticated based on the comparison, and wherein

the client device comprises:

a transmitter for transmitting the combined data to the server; and

a receiver for receiving the message indicating whether the user is authenticated; and

the server comprises:

a receiver for receiving the combined data; and

a transmitter for transmitting the message indicating whether the user is authenticated.

44. The system according to claim 42 or claim 43, wherein the first processor is further configured to hash the combined data.

45. The system according to claim 44, wherein hashing the combined data comprises truncating the combined data.

46. The system according to any one of claims 42 to 45, wherein the second processor is configured to hash the combined data and wherein the stored composite credential comprises a hash.

47. The system according to any one of claims 42 to 46, wherein the first and/or second processor is configured to validate the plurality of authentication actions.

48. The system according to any one of claims 42 to 47, wherein the client device is an automatic teller machine.

Description:
Improved Authentication

Field

This specification relates to authenticating a user. Particularly, but not exclusively, this specification relates to a method, apparatus, client device and system for authenticating a user.

Background

Due to hacking becoming more sophisticated, it has become necessary to improve upon current user authentication systems, which include textual password-based authentication systems. One solution is to increase the length and complexity of a password, but these long and complex passwords prove difficult for users to remember. Moreover, users are inclined to use words and phrases that are relatively straightforward or closely related to their lives, and so are easy for hackers to guess. Therefore, there is a need for highly secure passwords that are still easy for users to recall and compatible with servers operating current authentication systems.

The invention is made in this context.

Summary

This specification provides, according to a first aspect, an authentication method comprising:

generating data derived from a plurality of different authentication actions, wherein the data comprises first data in a first format, derived from a first authentication action and second data in a second format, derived from a second authentication action, the first format being different to the second format,

converting at least one of the first and second data into a common format;

combining data in said common format to provide combined data for use in authentication; and

authenticating the user using the combined data.

The authentication method may comprise hashing the data. Hashing the data comprises performing truncation. The authentication method may comprise transmitting the combined data to a server for authenticating the user. The common format may be a string. Preferably, the common format is a text string.

The plurality of authentication actions may include one or more of: typing keystrokes on a keyboard, selecting of one or more buttons on a display using a mouse, selecting of one or more images from a plurality of images, uploading one or more files on one or more local devices, accessing one or more online resources using URLs, selecting of one or more points on an image, drawing one or more patterns on an image, receiving a signal from one or more hardware tokens and/or mobile devices, reading one or more biometric features using one or more input devices, performing gesture recognition using an image sensor, and determining contextual information relating to the user.

The contextual information may be at least one of the user's absolute geo-location, login history, access time, device type, software version, screen resolution, or noise level sensed by an audio sensor.

Reading one or more biometric features may comprise performing a retinal scan.

Reading one or more biometric features may comprise reading a finger print. Reading one or more biometric features may comprise performing facial recognition. Reading one or more biometric features may comprise performing voice recognition. Reading one or more biometric features comprises measuring keystroke dynamics.

The authentication method may comprise validating the plurality of authentication actions.

This specification provides, according to a second aspect, apparatus configured to carry out the method of the first aspect.

This specification provides, according to a third aspect, computer-readable instructions which, when executed by computing apparatus, cause the computing apparatus to perform the method of the first aspect.

This specification provides, according to a fourth aspect, a method of generating a composite credential comprising:

generating data derived from a plurality of different authentication actions, wherein the data comprises first data in a first format, derived from a first authentication action and second data in a second format, derived from a second authentication action, the first format being different to the second format;

converting at least one of the first and second data into a common format;

generating a composite credential, wherein generating the composite credential comprises combining data in said common format to provide combined data for use in authentication.

The method of generating a composite credential may comprise hashing the combined data. Hashing the combined data may comprise performing data truncation on the combined data.

The method of generating a composite credential may comprise transmitting the combined data to a server for storage.

The common format may be a string. Preferably, the common format is a textual string.

The plurality of authentication actions may include one or more of: typing keystrokes on a keyboard, selecting of one or more buttons on a display using a mouse, selecting of one or more images from a plurality of images, uploading one or more files on one or more local devices, accessing one or more online resources using URLs, receiving selection of one or more points on an image, drawing one or more patterns on an image, receiving a signal from one or more hardware tokens and/or mobile devices, reading one or more biometric features using one or more input devices, performing gesture recognition using an image sensor, and determining contextual information relating to the user.

The contextual information may be at least one of the user's absolute geo-location, login history, access time, device type, software version, screen resolution, or noise level sensed by an audio sensor.

Reading one or more biometric features may comprise performing a retinal scan.

Reading one or more biometric features may comprise reading a finger print. Reading one or more biometric features may comprise performing facial recognition. Reading one or more biometric features may comprise performing voice recognition. Reading one or more biometric features may comprise measuring keystroke dynamics. The method of generating a composite credential may comprise validating the plurality of authentication actions. The method of generating a composite credential may comprise authenticating the user.

This specification provides, according to a fifth aspect, apparatus configured to carry out the method of the fourth aspect.

This specification provides, according to a sixth aspect, computer-readable instructions which, when executed by computing apparatus, cause the computing apparatus to perform the method of the fourth aspect.

This specification provides, according to a seventh aspect, a method comprising:

generating data derived from a plurality of authentication actions, wherein the data comprises first data in a first format, derived from a first authentication action and second data in a second format, derived from a second authentication action, the first format being different to the second format;

converting at least one of the first and second data into a common format;

combining data in said common format to provide combined data for use in authentication;

transmitting the combined data; and

receiving a message indicating whether the user is authenticated.

This specification provides, according to an eighth aspect, an apparatus comprising:

one or more input devices, wherein said one or more input devices are configured to generate data derived from a plurality of authentication actions, wherein the data comprises first data in a first format, derived from a first authentication action and second data in a second format, derived from a second authentication action, the first format being different to the second format; and

a processor configured to:

convert at least one of the first and second data into a common format;

combine data in said common format to provide combined data for use in authentication; and

authenticate the user using the combined data and a stored credential.

The apparatus may further comprise a storage device for storing the stored composite credential. The processor may further be configured to hash the combined data. Hashing the combined data may comprise truncating the combined data.

The processor may be configured to determine contextual information relating to the user in response to a first authentication action being received.

This specification provides, according to a ninth aspect, a client device, the client device comprising:

one or more input devices, wherein said one or more input devices are configured to generate data derived from a plurality of different authentication actions, wherein the data comprises first data in a first format, derived from a first authentication action and second data in a second format, derived from a second authentication action, the first format being different to the second format;

a processor configured to:

convert at least one of the first and second data into a common format; and

combine data in said common format to provide combined data for use in authentication;

a transmitter for transmitting the combined data to a server for authenticating the user; and

a receiver for receiving a message indicating whether the user is authenticated.

The client device may be an automatic teller machine.

This specification provides, according to a tenth aspect, a system for authenticating a user, the system comprising:

a client device comprising:

one or more input devices, wherein said one or more input devices are configured to generate data derived from a plurality of different authentication actions, wherein the data comprises first data in a first format, derived from a first authentication action and second data in a second format, derived from a second authentication action, the first format being different to the second format;

a first processor configured to:

convert at least one of the first and second data into a common format; and

combine data in said common format to provide combined data for use in authentication; and

a server comprising:

a storage device for storing a composite credential; and

a second processor for authenticating the user using the combined data and the stored composite credential.

The second processor may be configured to compare the combined data with the stored composite credential and generate a message indicating whether the user is authenticated based on the comparison, and wherein

the client device may comprise:

a transmitter for transmitting the combined data to the server; and

a receiver for receiving the message indicating whether the user is authenticated; and

the server may comprise:

a receiver for receiving the combined data; and

a transmitter for transmitting the message indicating whether the user is authenticated.

The first processor may be further configured to hash the combined data. Hashing the combined data may comprise truncating the combined data.

The second processor may be configured to hash the combined data and the stored composite credential may comprise a hash.

The first and/or second processor may be configured to validate the plurality of authentication actions.

The client device may be an automatic teller machine.

All features described herein (including any accompanying claims, abstract and drawings), and/or all of the steps of any method or process so disclosed, may be combined with any of the above aspects in any combination, except combinations where at least some of such features and/or steps are mutually exclusive.

Brief Description of the Figures

Embodiments will now be described, by way of non-limiting examples, with reference to the accompanying drawings, in which:

Figure 1 is a system diagram of a mobile device according to embodiments of the present invention;

Figure 2 is a system diagram of a server according to embodiments of the present invention;

Figure 3 is a schematic diagram of a system for authenticating a user according to embodiments of the present invention;

Figures 4a and 4b show an example of a graphical user interface (GUI) for accessing an account according to embodiments of the present invention; and

Figure 5 is a flowchart illustrating a method of authenticating a user according to embodiments of the present invention.

Detailed Description of Embodiments

In the following detailed description, only certain exemplary embodiments of the present invention have been shown and described, simply by way of illustration. As those skilled in the art would realize, the described embodiments may be modified in various different ways, all without departing from the scope of the present invention. Accordingly, the drawings and description are to be regarded as illustrative in nature and not restrictive. Like reference numerals designate like elements throughout the specification.

The following disclosure is made in the context of authenticating a user.

Advantageously, composite credentials are generated from a plurality of authentication actions which are easily recalled by the user. These composite credentials are highly secure, and in preferred embodiments comprise textual strings so as to be compatible with known password-based systems.

Figure 1 shows a client device 100, which according to one embodiment is a mobile device. Further examples of client devices include laptop and tablet computers, automatic teller machines (ATMs), desktop computers, television sets and electronic keypads for use with physical security systems such as doors. In effect, a client device 100 is any electronic device that requires user authentication in order to access content. The content may be content contained on the electronic device itself, physical content such as a vault, or external content. External content is, for example, a secure webpage on a server.

The mobile device 100 has a processor 102, a touch sensitive display 112 comprised of a display part 116 and a tactile interface part 114, hardware keys (not shown), a memory 106, an input interface 103 (wired, serial or parallel), a power source 118 and an interface 104 for transmitting and receiving data. The processor 102 is connected to each of the other components in order to control operation thereof. The touch sensitive display 112 is optional, and as an alternative a non-touch display may be used with the hardware keys (not shown) and/or a mouse peripheral used to control the mobile device 100 by suitable means. The interface 104 according to this embodiment is a wireless interface, however, according to other embodiments the interface 104 is a wired interface. The wireless interface may operate using any known communication standard, such as LTE, Wi-Fi or 3G. The interface 104 is necessary for transmitting credentials to a server and receiving an authentication message from the server. However, where the authentication takes place on the mobile device 100, the interface 104 is not necessary.

The input interface 103 is for receiving one of a plurality of authentication actions. Where two or more chosen authentication actions can be received by the touch sensitive display 112 or mouse peripheral, the input interface 103 is not necessary. Conversely, in some embodiments there are a plurality of different input interfaces 103. The input interface 103 may be an image sensor for receiving a retinal scan, palm print or finger print copy, or recognising a gesture. The input interface 103 may be a microphone and speech recognition interface allowing voice input. The input interface 103 may also be a photoplethysmogram (PPG) reader for measuring a user's unique heartrate variability features, or a GPS locator for determining the user's location. The input interface 103 may be a keyboard or mouse for receiving a line drawing or click selection. The input interface 103 may be an RF ID reader, wireless receiver, or hardware token receiver (for example, a bank card reader).

The memory 106 may be a non-volatile memory such as read only memory (ROM), a hard disk drive (HDD) or a solid state drive (SSD). The memory 106 stores, amongst other things, an operating system 108 and client software application 110. The memory 106 further includes random access memory (RAM), used by the processor 102 for the temporary storage of data. The operating system 108 may contain code which, when executed by the processor 102 in conjunction with the RAM, controls operation of each of the hardware components of the mobile device 100.

In embodiments where one of the authentication actions includes the selection of an image, the memory 106 includes a database of stored images. In embodiments where one of the authentication actions includes the selection of an audio clip, the memory 106 includes a database of stored audio clips. In further embodiments, the images are stored on a server instead.

According to embodiments where the authentication takes place entirely on the client device without the need for a server, the memory 106 includes a database for storing a composite credential.

The processor 102 may take any suitable form. For instance, it may be a microcontroller, plural microcontrollers, a microprocessor, or plural processors (for example, including a post-processor). The processor 102 includes circuitry.

The power source 118 according to a preferred embodiment is a secondary battery. However, in embodiments where the client device is a fixed device such as a computer or electronic door lock, the power source is a mains power supply.

In embodiments herein, the client software 110 is configured to generate data for use in authenticating a user. In preferred embodiments, the data is a composite of the output of a plurality of authentication actions, where each output is converted into a common format. In other embodiments, the data is transmitted to a server prior to combination. Further details of the processes performed by the client software 110 will be described with reference to Figure 3.

Figure 2 shows a server 200 for use as part of a system for authenticating a user. The system also includes the client device 100 described with reference to Figure 1. The server 200 has a processor 202, a memory 206, a power source 218 and an interface 204 for transmitting and receiving data. The interface 204 according to this embodiment is a wireless interface, however, according to other embodiments the interface 204 is a wired interface. The wireless interface may operate using any known communication standard, such as LTE, Wi-Fi or 3G. Where the interface 204 is a wired interface, the interface may be an Ethernet interface. The data may be received via a network such as the Internet. The interface 204 is for receiving credentials from a client device 100 and transmitting a message indicating whether the user is authenticated to the client device 100.

The memory 206 may be a non-volatile memory such as read only memory (ROM), a hard disk drive (HDD) or a solid state drive (SSD). The memory 206 stores, amongst other things, an operating system 208 and a server software application 210. The memory 206 further includes random access memory (RAM), used by the processor 202 for the temporary storage of data. The operating system 208 may contain code which, when executed by the processor 202 in conjunction with the RAM, controls operation of each of the hardware components of the server 200.

In some embodiments where one of the authentication actions includes the selection of an image, the memory 206 includes a database of stored images. In other embodiments where one of the authentication actions includes the selection of an image, the memory 106 on the client device 100 includes a database of stored images instead.

In embodiments herein, the server software 210 is configured to authenticate a user using data received from a client device 100. In preferred embodiments, the data is a composite of the output of a plurality of authentication actions. In other embodiments, the data is a plurality of data, each in a different format relating to a specific authentication action. Here, the server software 210 converts the plurality of data into a common format and combines the data in the combined format into combined data. The combined data can then be compared with a stored composite credential in order to authenticate the user. As an additional step, the server 200 may hash the combined data prior to performing the comparison. Further details of the processes performed by the server software 210 will be described with reference to Figure 3.

The processor 202 may take any suitable form. For instance, it may be a microcontroller, plural microcontrollers, a microprocessor, or plural processors (i.e. including a post-processor). The controller includes circuitry. The power source 218 according to a preferred embodiment is a mains power supply.

Figure 3 shows a schematic diagram of an architecture for authenticating a user. The architecture is distributed, whereby some aspects are features of a client device 100 and other aspects are features of a server 200. However, advantageously the features of the present invention can be distributed in a number of different ways. In other words, the aspects can be located on the client device 100 or the server 200 depending on the application. In some embodiments, all aspects are features of the client device 100. As described herein, the aspects may be implemented as hardware or software. The database 230 stores a composite credential generated and set by the user as part of a registration process. The registration process will be described with reference to Figure 5. The database 230 is stored in the memory 206 of the server 200.

The architecture of the shown embodiment comprises a number of baseline components 124, 242, 232 and a number of modular components 122, 120, 220, 234. The baseline components 124, 242, 232 support known password-entry routines. The baseline components 124, 242, 232 are independent of modular components 122, 120, 220, 234. The baseline components include a baseline editor 124, baseline module 240 having input parameters 250, and baseline data 232 stored in the database 230. The baseline data 232 is a stored textual password. In some embodiments, the stored textual password is a hashed textual password.

Through the baseline editor 124 the user can enter a textual password which can be transmitted to the baseline module 242 in the server 200. The baseline module 242 performs password verification and/or hashing. The baseline module 242 performs password verification using stored parameters 250. These parameters 250 are updatable by the server 200 operator. For example, the parameters 250 indicate the password must be of a particular length or contain particular characters. Once verified, the entered password can be compared with a stored password in the baseline data 232. This means that the user can continue to use their normal textual password while the system of the present invention is installed on their device. The baseline editor 124 is a feature of the client software 110 operating on the client device 100. The baseline editor 124 comprises a means for receiving a password, such as a text entry box. The baseline module 240 is shown as being a feature of the server software 210 operating on the server 200. However, according to other embodiments, the baseline module 240 is a feature of the client software 110 operating on the client device 100.

The modular components 122, 120, 220, 234 support advanced credential-entry routines, including the use of multiple authentication actions in the same authentication process. The modular components include a policy controller 122, a plurality of front-end modules 120a-c, a plurality of back-end modules 220a, 220b, 220c, and additional data 234. The front-end modules 120a-c are features of the client software 110 operating on the client device 100. They are independent, reusable and expandable building blocks of data or interface. The front-end modules 120a-c are plugins to the baseline editor 124 which interact with users to generate a new authentication feature. Some front-end modules 120a, 120b have a module counterpart 220a, 220b at the server-side. This is most likely to be the case when establishing a database 230 connection is required. Usually, the communication between the front-end modules 120a-c and back-end modules 220a, 220b results in creation of new data or retrieving data from the database 230. However, some other back-end modules 220c which do not communicate with the front-end modules 120a-c work as support to the other back-end modules 220a, 220b. The back-end modules 220a-c make use of the additional data 234 to enable additional authentication actions.

The front-end modules 120a-c can be simple or compound. A simple module allows the user to perform one authentication action. A compound module binds multiple different modules, which share similar features (e.g. hybrid graphical passwords). For usability purposes, the compound module would provide one interface for performing multiple authentication actions.

In more detail, front-end modules 120a-c are associated with input interfaces 103 or the touch sensitive display 112. For example, an input interface 103 may include an image sensor. Meanwhile, one module 120a may be configured to read a facial image using the image sensor and perform key generation based on robust facial features, where the generated key will be further converted to a common format for being combined with at least one other authentication actions facial recognition. Conversely, in other embodiments, rather than perform key generation based on facial features, the front-end module 120a may convert the received facial image from an array of pixels to a textual string based on further information about the user's face stored on the database 230, working together with a back-end module 220a.

Further examples of modules 120a-c (i.e. plugins) include modules for: performing an iris scan; measuring keystroke dynamics; performing voice recognition; reading a fingerprint; typing keystrokes on a keyboard to create a textual password (for example, a Rich Text Format textual password); clicking one or more buttons on a display using a mouse; selecting of one or more images from a plurality of images; uploading one or more files on one or more local devices; accessing one or more online resources using URLs; selecting of one or more points on an image; drawing one or more patterns on an image; receiving a signal such as an authorisation code or RF ID through a wired or wireless interface from one or more hardware tokens and/or mobile devices; and performing gestures (for example, a hand movement). These examples are not intended to be limiting, and the skilled person would appreciate there are many methods of performing an authentication action. Further details of individual credentials received through example authentication actions in different authentication methods are set out below. Here, the common format is a textual string.

Draw-a-Secret (DAS, Jermyn et al. 1999: https://www.usenix.org/legacy/events/sec99/full_papers/jermyn/jermyn_html/camera3.html): This is a graphical password system where the user can draw some stroke on an n x n grid as the "password" (i.e. credential) to prove his identity. Here, the authentication actions will be a number of drawing actions (pen down, pen move, and pen up), where the drawing pen can be the user's finger on a touch screen 112. The converted data can be a textual presentation of different strokes the user draws (a number of coordinates and separators marking the end of a stroke and the start of a new stroke), encoded following any textual format e.g. "{(2,2),(2,1); (4,3),(4,4)}" or "<stroke><point>2,2</point><point>2,1</point></stroke><stroke><point>4,3</point><point>4,4</point></stroke>". The conversion can be done without a back-end module 220a.

PassPoints (Wiedenbeck et al. 2005: http://dx.doi.org/10.1016/j.ijhcs.2005.04.010): This is a graphical password system where the user clicks a number of points on an image as the "password" to prove his identity. Here the authentication actions will be a number of clicks on an image. Based on a technique called centralized discretization (Chiasson et al. 2008: https://www.usenix.org/legacy/event/upsec08/tech/full_papers/chiasson/chiasson_html/), PassPoints can be seen as a special edition of DAS thus the actions can be converted into a textual string in the same way as how this is done for DAS. The centralized discretization technique will require additional data 234 to be created in the database 230, which means a back-end module 220a will be required.

PassFaces (http://www.passfaces.com/): This is a commercial graphical password system where the user remembers a number of facial images as the "password" (i.e. credential) and then selects each of such images in a number of decoy images to prove his identity. Here the authentication actions are a number of selection choices the user makes. The actions can be converted to a textual string by creating a list of the filenames of the selected images ranked following a particular order e.g. "image1, image6, image100, image211, image876". PassFaces will require a back-end module 220a as it needs to read pass-images and decoy ones out of a database.

Action based passwords: One can define a number of actions (e.g. gestures to show in front of a webcam) as the "password" (i.e. credential) to prove his identity. Such actions can be converted into a textual string by giving each action a textual name and then simply listing all sequential actions one after the other.

US 2014/0040627 A1: This known system proposes a rich formatted password where the user can define a sequence of tokens with alterable attributes as the "password" (i.e. credential) where the tokens can be textual characters or graphical symbols and the attributes can be properties like colour, size, and other styles. This patent also explained a way the rich formatted password is converted into an encrypted format, which can then be further converted to a textual string (if not yet) using encoding schemes like base64.

ObPwd (Mannan and van Oorschot 2008: https://www.usenix.org/events/hotsec08/tech/full_papers/mannan/mannan.pdf): This is a user authentication scheme where the user selects an object such as a file on a computer as the "password" (i.e. credential) to prove his identity. Here the authentication action is the selection of an object. By assigning a unique name to each possible object (e.g. an URL or DOI), the action can be converted into a textual string (the name itself). If the name is binary, we can use an encoding scheme like base64 to convert it to a textual string. It is also possible to use the content of the object to get the converted text, and in this case a hashing scheme may be used to reduce the length of the converted textual string to a specific length.

Pass-Region (Li et al. 2011, unpublished): This is a user authentication scheme where the user selects a region of a given coordinate system as the "password" (i.e. credential) to prove his identity. Examples include a region on a world map, a 3-D world or a complex number plane or part of a multimedia file (e.g. a segment of an audio file, a region of a frame of a video file). Here, the authentication action will be to show a smaller region than the pass-region to demonstrate knowledge of the pass-region. Such an action can be converted to a textual string by defining an encoding scheme of the coordinates of the pass-region e.g. using the textual presentations of the upper-left and bottom-right corners' coordinates.

Hardware token that has a private key for digital signature: When a hardware token is used for user authentication, one way is to let the user sign a (often dynamic) message using the hardware token. In this case the authentication action is the use of a specific hardware token for a specific operation. Such an action can be used to sign a fixed message and/or part of the combined data, and then produce a textual presentation of the digital signature using an encoding scheme such as base64. The hardware token may also be a mobile device and the communication between the mobile device and the client device (if not the mobile device itself) can be done via a wired (e.g. USB) or wireless (e.g. Bluetooth or NFC) or optical (e.g. QR-code) channel.

Any biometrics-based user authentication systems: A technique called biometric key generation can allow the production of a binary key out of a biometric template. By further converting the binary key into a textual format using a scheme like base64, the authentication action of presenting one or more biometric features to a system can be converted to the common format required. This can allow multiple-modal biometric systems to be implemented in a compound module with several sub-modules.

Any contextual information used for authentication: In some systems the user may want to limit the authentication to be done only when some contextual requirements are met e.g. if the user is physically at a geo-location. Other examples of the contextual information include the user's login history, access time, device type, software version, screen resolution, or noise level sensed by an audio sensor. The skilled person will appreciate that these are just some of a wide range of contextual information. Here the authentication action is to add the required contextual information (normally from a sensor) to the system. The action can be converted into a textual string by following an encoding scheme of the contextual information e.g. for geo-locations it can be the textual presentation of the longitude followed by a comma and the textual presentation of the latitude.

According to known single-authentication action systems, the output of any authentication action is data in a format unique to that authentication action. For example, an image is received as an array of pixel values. Other types of data format include machine code, binary, and hexadecimal data. According to embodiments of the present invention, the associated front-end modules 120a-c convert the output of each respective authentication action into a common data format. According to preferred embodiments, the front-end modules 120a-c convert the output of respective authentication actions to ASCII code (or other language codes) such that the resulting textual credential is backwards-compatible with current textual password systems. However, in other embodiments, the outputs are converted into a two-dimensional array of values. In further embodiments still, the outputs are converted to graphical characters. In further embodiments still, the outputs are converted to sign language or spoken languages.

The processor 102 then combines the data in the common format to create a single password for insertion into the baseline editor 124. Preferably, the combined data is a single string of text. In other embodiments, the combined data is, for example, an array of values, a string of hexadecimal values, or a string of machine code. According to preferred embodiments, the processor 102 combines the data by appending data derived from a first-performed authentication action to data derived from a second-performed authentication action. In this way, the order in which authentication actions are performed is in itself a component of the composite credential to be checked as part of the authentication method. According to alternative, less preferred, embodiments, the order in which authentication actions are carried out is independent of the authentication.

Herein, the term "module" refers to computer logic utilised to provide specified functionality. Thus, a module can be implemented in hardware, firmware and/or software controlling a processor. In one embodiment, the modules are program files stored on a storage device, loaded into memory and executed by a processor, or can be provided from computer program products, for example computer executable instructions, that are stored in a tangible computer-readable storage medium such as RAM, hard disk, or optical or magnetic media. It will be appreciated that embodiments of the directions system can have different or other modules to the ones described herein, with the described functionalities distributed amongst the modules in a different manner.

The policy controller 122 is responsible for ensuring restrictions on the authentication actions which are selected and consequently conducted by users for the purpose of registering a composite credential. For example, one restriction might be that if one biometric module must be used at least once, at least 8 keys must be pressed in a row. The policy controller 122 is shown in the present embodiment located on the client device 100. However, according to other embodiments the policy controller 122 is located on the server 200. In other embodiments, the policy controller may be split between the client 122 and the server 200. In these embodiments involving the server side, further communication is necessary between the server 200 and the client device 100. Therefore, it is advantageous for the policy controller 122 to be located on the client device 100. However, policies should be defined at the server 200. Nevertheless, both baseline and modular components can operate together easily to allow a hybrid policy across different authentication actions, e.g. when there is at least one biometric action, the minimum number of keys required to be pressed is reduced.

The architecture further includes a post-processor (not shown in Figure 3). The post-processor is located between the baseline editor 124 and the baseline module 240. The post-processor is located either or both on the server-side 200 or client device side 100 of the architecture. The post-processor is used to post-process the generated combined (or, in other words, composite) credential for different purposes e.g. reducing the length of the combined credential to N characters so that the server 200 can accept it or to circumvent constraints of the underlying communication protocols or software (e.g. maximum length of URL allowed). This can be achieved through a hashing function which includes data compression combined with truncation. A hash function is any function that can be used to map data of arbitrary size to data of fixed size. Furthermore, the post-processor according to some embodiments is configured to automatically add contextual information not provided by users. The adding of contextual information is a further example of an authentication action. As explained below, the contextual information is converted to the same format as the credentials of other selected authentication actions and combined with the credentials in the common format to form a composite credential.

Figure 4a shows an example of a graphical user interface (GUI) for accessing an account according to embodiments of the present invention. The GUI is the screen associated with the baseline editor 124. The GUI allows a user to enter their username and email address, and a plurality of authentication actions to form a composite credential. The plurality of authentication actions are performed using a toolbar 126. In preferred embodiments, the toolbar 126 is a JavaScript toolbar, but the skilled person would appreciate that this is just one of many appropriate programming languages. The toolbar 126 provides icons allowing the user to select GUIs associated with a plurality of front-end modules 120a-c. The first front-end module 120a is used for receiving and editing text in Rich Text Format (RTF). The second front-end module 120b is for allowing a user to select an image.

The third front-end module 120c is for allowing the user to enter a mathematical equation. A fourth front-end module 120d allows the user to edit the combined data directly. Further front-end modules can be incorporated into the toolbar 126 as appropriate. The user may choose to use any of the available authentication actions and in any order.

Figure 4b shows an example of a GUI displayed if the user selects the second front-end module 120b. Here, the user is able to select one from a plurality of images stored on the client device 100 or on the internet. Once an image is selected, the second front-end module 120b converts the image to a textual string and automatically provides the textual string to the baseline editor 124. The GUI then returns to the GUI for accessing an account. In preferred embodiments, to improve simplicity for the user a pictorial representation of the selected image is displayed in the credential field of the GUI for accessing an account. The user is then able to select a second authentication action, the output of which will be converted to text and appended to the text associated with the already-selected image.

A more general approach for registering a composite credential and authenticating a user will now be described with reference to Figure 5.

In a first step, Step S601, a first authentication action is received by the client device 100. The authentication action is associated with an input interface 103, such as a card reader or fingerprint scanner. A front-end module 120a-c derives data from the authentication action in step S602. The data is in a format unique to that authentication action. For example, when the authentication action is a selection of an image with a URL, the data is the URL of the image data. In step S603 the policy controller 122 validates the first authentication action. In other words, the policy controller 122 ensures the appropriate rules have been followed for the selected authentication action. This step is carried out as part of the registration process, but is skipped as part of the authentication process (i.e. if a composite credential is already stored).

In step S604 the respective front-end module 120a-c converts the data associated with the first authentication action into a textual string. Advantageously, this allows backwards compatibility with current authentication systems. In step S605 a second authentication action, of a different type to the first authentication action, is received. A front-end module 120a-c specific to the second authentication action derives data from the second authentication action in step S606. For example, if the first authentication action is a selection of an image from storage 106 on the client device 100, the second authentication action is the performing of a retinal scan.

In step S607 the policy controller 122 validates the second authentication action in the same way as in step S603. This step is carried out as part of the registration process, but is skipped as part of the authentication process (i.e. if a composite credential is already stored). In step S608 the respective front-end module 120a-c converts the data derived from the second authentication action to a textual string. According to other embodiments, one of step S604 and step S608 is not performed, and the performed one of steps S604 and S608 converts the data derived from the respective first authentication action or second authentication action to the same format as the other data. In other words, the data derived from the first authentication action and the data derived from the second authentication action are converted to be in the same common format, but it is not essential what the format is. Instead of text, in some embodiments the common format is an array of values, a hexadecimal string, or a string of graphical characters.

In a further optional step (not shown), the policy controller 122 polices hybrid policies.

In step S609 the processor 102 combines the converted data derived from the first authentication action and converted data derived from the second authentication action. According to a preferred embodiment, this combination comprises a concatenation or appendage process. In other words, in step S609 a single long textual string password (i.e. a composite credential) not known to the user is generated from two separate, easy to remember, authentication actions. In step S610, which is preferred but not essential, the combined textual string is compressed using a post-processor before it is transmitted to a server 200. According to some embodiments, the post-processing comprises hashing for reducing the size of the transmitted data. This ensures compatibility with servers operating known password-based systems that can process and compare only 60 byte strings. The hashing step is a further hashing step to that typically carried out on a server 200 to increase security in known authentication systems.

Next, if the composite credential is being generated for the first time (e.g. for account registration), step S611 is performed. Here, the composite credential is stored. In systems comprising a server 200, the composite credential is stored in the database 230 of the server 200. In some embodiments, the server 200 hashes the stored composite credential. In other embodiments, such as those involving a standalone client device 100, the composite credential is stored in the memory 106 of the client device 100. The process then returns to step S601 such that the user can perform authentication actions in order to access the content for which they have just registered a composite credential. Alternatively, if a composite credential has previously been generated and registered in step S611, Step S612 is performed instead. Step S612 is performed on the server 200 when the server 200 is present in the system, otherwise, the client device 100 performs step S611. In step S612 the user is authenticated. In one embodiment, this is achieved by comparing the compressed combined textual string with the stored composite credential. If they match, then the user is authenticated. If the server 200 performs the authentication, the server generates and transmits a message to the client device 100 indicating that the user has been authenticated. The user is then able to login to their account or access the desired content.

If the user wishes to update their stored composite credential by carrying out different authentication actions, then steps S601 to S611 are performed even if a composite credential is already stored.
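The flow of steps S601 to S612 can be sketched as follows. This is an added example, not code from the patent: all function and class names are hypothetical, and the length-prefixed framing in `combine`, the SHA-512/base64 truncation in `post_process` and the PBKDF2 server-side hashing are assumptions chosen to make the description concrete.

```python
import base64
import hashlib
import hmac
import os

# Front-end modules (steps S602/S604 and S606/S608): each converts the output
# of one authentication action into the common format, here a textual string.
def das_to_text(strokes):
    """Draw-a-Secret: strokes are lists of (x, y) grid cells; ';' separates strokes."""
    return "{" + ";".join(",".join(f"({x},{y})" for x, y in s) for s in strokes) + "}"

def passfaces_to_text(filenames):
    """PassFaces: selected image filenames in a fixed order (sorted: an assumption)."""
    return ",".join(sorted(filenames))

def object_to_text(content: bytes):
    """ObPwd-style object: hash the content to a fixed length, then base64-encode."""
    return base64.b64encode(hashlib.sha256(content).digest()).decode("ascii")

def geo_to_text(longitude, latitude):
    """Contextual information: longitude, a comma, then latitude."""
    return f"{longitude:.4f},{latitude:.4f}"

def policy_ok(actions, min_keys=8, min_keys_with_biometric=4):
    """Hybrid policy (S603/S607): fewer typed keys are required when a biometric
    action is present. 8 is the page's example; 4 is an assumed reduced value."""
    typed = sum(len(text) for kind, text in actions if kind == "text")
    has_biometric = any(kind == "biometric" for kind, _ in actions)
    return typed >= (min_keys_with_biometric if has_biometric else min_keys)

def combine(parts):
    """S609: append converted data in the order the actions were performed.
    The length prefix is an assumption added here so that ("ab", "c") and
    ("a", "bc") cannot collapse into the same combined string."""
    return "".join(f"{len(p)}:{p}" for p in parts)

def post_process(combined, max_len=60):
    """S610: hash, encode as text, truncate to what the server accepts."""
    digest = hashlib.sha512(combined.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")[:max_len]

def build_credential(actions, registering=False):
    """Client side: validate policy only at registration, then combine and hash."""
    if registering and not policy_ok(actions):
        raise ValueError("authentication actions do not satisfy the policy")
    return post_process(combine([text for _, text in actions]))

class Server:
    """Stands in for server 200 with database 230 (an in-memory dict here)."""
    def __init__(self):
        self.db = {}

    @staticmethod
    def _stored_form(credential, salt):
        # Server-side hashing of the stored credential (PBKDF2 is an assumption).
        return hashlib.pbkdf2_hmac("sha256", credential.encode("ascii"), salt, 100_000)

    def register(self, user, credential):  # S611
        salt = os.urandom(16)
        self.db[user] = (salt, self._stored_form(credential, salt))

    def authenticate(self, user, credential):  # S612
        if user not in self.db:
            return False
        salt, stored = self.db[user]
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(stored, self._stored_form(credential, salt))

def demo():
    # Constructed sample input, not data from the patent.
    actions = [
        ("text", "hunter2!x"),
        ("das", das_to_text([[(2, 2), (2, 1)], [(4, 3), (4, 4)]])),
        ("faces", passfaces_to_text(["image6", "image1", "image876"])),
        ("context", geo_to_text(-0.5895, 51.2430)),
    ]
    server = Server()
    server.register("alice", build_credential(actions, registering=True))
    same_order = server.authenticate("alice", build_credential(actions))
    swapped = server.authenticate("alice", build_credential(actions[::-1]))
    return same_order, swapped

if __name__ == "__main__":
    print(demo())  # same actions in order authenticate; reversed order does not
```

Truncating the hash bounds the credential's entropy by the truncated length, so `max_len` should stay as large as the receiving server allows.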

Embodiments of the present disclosure may be implemented in software, hardware, application logic or a combination of software, hardware and application logic, or instructions for a human to execute. The software, application logic and/or hardware may reside on memory, or any computer media. In an example embodiment, the application logic, software or an instruction set is maintained on any one of various conventional computer-readable media. In the context of this document, a "computer-readable medium" may be any media or means that can contain, store, communicate, propagate or transport the instructions for use by or in connection with an instruction execution system, apparatus, or device, such as a computer.

A computer-readable medium may comprise a computer-readable storage medium that may be any tangible media or means that can contain or store the instructions for use by or in connection with an instruction execution system, apparatus, or device, such as a computer as defined previously.

According to various embodiments of the previous aspect of the present disclosure, the computer program according to any of the above aspects may be implemented in a computer program product comprising a tangible computer-readable medium bearing computer program code embodied therein which can be used with a controller for the implementation of the functions described above. Reference to "computer-readable storage medium", "computer program product", "tangibly embodied computer program" etc., or a "controller" or "processing circuit" etc. should be understood to encompass not only computers having differing architectures such as single/multi controller architectures and sequencers/parallel architectures, but also specialised circuits such as field programmable gate arrays FPGA, application specific circuits ASIC, signal processing devices and other devices. References to computer program, instructions, code etc. should be understood to express software for a programmable controller firmware such as the programmable content of a hardware device as instructions for a controller or configured or configuration settings for a fixed function device, gate array, programmable logic device, etc.

By way of example, and not limitation, such "computer-readable storage medium" may mean a non-transitory computer-readable storage medium which may comprise RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage, or other magnetic storage devices, flash memory, or any other medium that can be used to store desired program code in the form of instructions or data structures and that can be accessed by a computer. An exemplary non-transitory computer-readable storage medium is an optical storage disk such as a CD. Also, any connection is properly termed a "computer-readable medium". For example, if instructions are transmitted from a website, server, or other remote source using a coaxial cable, fiber optic cable, twisted pair, digital subscriber line (DSL), or wireless technologies such as infrared, radio, and microwave, then the coaxial cable, fiber optic cable, twisted pair, DSL, or wireless technologies such as infrared, radio, and microwave are included in the definition of medium. It should be understood, however, that "computer-readable storage medium" and data storage media do not include connections, carrier waves, signals, or other transient media, but are instead directed to non-transient, tangible storage media. Disk and disc, as used herein, include compact disc (CD), laser disc, optical disc, digital versatile disc (DVD), floppy disk and Blu-ray disc, where disks usually reproduce data magnetically, while discs reproduce data optically with lasers. Combinations of the above should also be included within the scope of "computer-readable medium".

Instructions may be executed by one or more controllers, such as one or more digital signal controllers (DSPs), general purpose microcontrollers, application specific integrated circuits (ASICs), field programmable logic arrays (FPGAs), or other equivalent integrated or discrete logic circuitry. Accordingly, the term "controller," as used herein may refer to any of the foregoing structure or any other structure suitable for implementation of the techniques described herein. In addition, in some aspects, the functionality described herein may be provided within dedicated hardware and/or software modules. Also, the techniques could be fully implemented in one or more circuits or logic elements.

If desired, the different steps discussed herein may be performed in a different order and/or concurrently with each other. Furthermore, if desired, one or more of the above-described steps may be optional or may be combined.

Whilst certain embodiments of the invention have been described herein with reference to the drawings, it will be understood that many variations and modifications will be possible without departing from the scope of the invention as defined in the accompanying claims.