SE543011C2 - Password management system and method - Google Patents

Password management system and method

Info

Publication number: SE543011C2
Authority: SE (Sweden)
Application number: SE1950366A
Other languages: Swedish (sv)
Other versions: SE1950366A1 (en)
Inventors: Aysajan Abidin, Philip Lundin
Original assignee: Authentico Tech Ab
Application filed by Authentico Tech Ab; priority to SE1950366A; published as SE1950366A1 and SE543011C2.
Prior art keywords: server, client device, password, cookie, user

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3228 One-time or temporary data, i.e. information which is sent for every authentication or authorization, e.g. one-time-password, one-time-token or one-time-key


Abstract

The present disclosure relates to a password management system and to a method for operating such a password management system. The password management system operates in communication with a client device (102, 104, 106) running a cookie enabled browser application. The present disclosure also relates to a method for allowing access to restricted information stored at a server (108).

Description

PASSWORD MANAGEMENT SYSTEM AND METHOD

TECHNICAL FIELD

The present disclosure relates to a password management system and to a method for operating such a password management system. The password management system operates in communication with a client device running a cookie enabled application. The present disclosure also relates to a method for allowing access to restricted information stored at a server.

BACKGROUND OF THE INVENTION

When storing e.g. user passwords at an Internet connected server comprising a database, such as a cloud server, it is necessary to place a lot of effort into preventing security breaches such that the passwords become available to e.g. a hacker. A typical way of increasing the security of the database/cloud server is to encrypt the passwords, such that they only may be accessed by a user having the correct encryption/decryption key.

However, there is an obvious risk that a third party with enough resources will be able to decipher the passwords. That is, in case the cloud server is hacked this may have serious impact on a large plurality of users having stored their password data at the cloud server. In most cases, a central database will encrypt passwords once received using the same key. Thus, if the system is successfully hacked, all passwords stored at the database can be compromised. Obviously, such an issue could greatly impact the user's view of the company storing the passwords, thus possibly having a great impact on the business and reputation of said company.

An example of an implementation trying to overcome some of these problems is disclosed in US8819444. Specifically, US8819444 implements a solution where the user passwords are never stored at the cloud server. Rather, the user enters his password into a browser and the browser submits e.g. a hashed version of the password to the server for validation. Credential management is thus decentralized in that encryption and decryption of the user's personal information happens on the user's system.

The suggested implementation will improve the security of the database/server; however, also a hashed version of the password could potentially be useful for a hacker. Thus, it would be desirable to additionally improve the security when storing e.g. user passwords at a cloud server/database, ideally limiting the usefulness of the data stored at the cloud server in case a hacker gets access to the data.
SUMMARY OF THE INVENTION

According to a first aspect of the disclosure, the above is at least partly met by a computer implemented method for operating a password management system comprising a server arranged in communication with a client device, the client device running a cookie enabled application, wherein the method comprises the steps of receiving, at the server, a representation of a user password provided from the client device, storing the representation of the user password at a computer memory associated with the server, receiving, at the server, a server specific key, encrypting, at the server, the password using the server specific key, forming, at the server, an access token based on the encrypted password, wherein the access token has a predefined lifetime, forming, at the server, a cookie comprising the access token, and sending, by the server, the cookie to the client device for storage in a computer memory arranged in association with the client device.

In accordance with the present disclosure the user password is preferably only stored in an intermediate state at the server. Rather, the server is instead adapted to store an encrypted version of the user password, where the user password has been encrypted with a server specific key.

Thus, an advantage following the scheme applied by the present disclosure is that the risk of e.g. a potential hacker getting hold of the "real" user password is reduced, specifically since the hacker in such a case first must get hold of the server specific key. In a preferred embodiment of the present disclosure the server further comprises a hardware element implemented as a physical unclonable function (PUF), and the server specific key is formed based on information received from the PUF. Accordingly, the server specific key may in such an embodiment not easily be stolen and used at "another location" since the PUF/hardware element is physically connected to the server.

The PUF will by definition be specific for each server and thus not possible to duplicate and arrange at a second/separate password storage arrangement. Thus, even in case the hacker would get access to the information available at the computer memory/database/cloud server, this information will not be useful without physical access to also the PUF.
The PUF is a function that is embodied in a physical structure and is easy to evaluate but hard to predict. An individual PUF device must be easy to make but practically impossible to duplicate, even given the exact manufacturing process that produced it. In this respect PUFs are the hardware analog of a one-way function, or essentially random functions bound to a physical device in such a way that it is computationally and physically infeasible to predict the output of the function without actually evaluating it using the physical device. It should be understood that the output from the PUF will be slightly different each time the password is provided as an input, i.e. it includes a randomness component. Thus, a verification process, as will be discussed further below, will have to take this into account when matching the encrypted version of the user password against a representation of a candidate password provided as an input during such a verification process.

In an embodiment of the present disclosure, receiving the representation of the user password comprises the steps of receiving, at the server, the user password from the client device, and forming, at the server, the representation of the user password based on the user password and an at least partly random number. The at least partly random number may in accordance with the present disclosure be related to a so called "salt" that is used as an additional input to a one-way function that "hashes" data. The salt is preferably stored at the computer memory associated with the server and may in some embodiments preferably be specific for an identity of the user device.

In accordance with the present disclosure, the encrypted user password is used for forming an access token, where the access token has a predefined lifetime. The access token is in turn used in the formation of a cookie that may be used for e.g. accessing user specific data that is stored at the server, such as e.g. user profile data, credit card information, etc.
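Because the PUF output differs slightly on every evaluation, it cannot be used directly as the server specific key; something has to absorb the noise before a key is derived. The following is an added example, not code from the patent or from Authentico, that does this with a code-offset sketch over a repetition code (a standard fuzzy-extractor construction that the patent does not specify): the simulated PUF, the parameters R and NBITS and all function names are assumptions.

```python
import hashlib
import secrets

# Parameters of the constructed example: each of the NBITS secret bits is spread
# over R response bits, so up to (R - 1) // 2 flipped bits per block are corrected.
R = 9
NBITS = 32


class SimulatedPuf:
    """Stand-in for the hardware PUF 204: a fixed per-device response plus a few
    random bit flips in every block on each evaluation (the patent's 'slightly
    different output each time')."""

    def __init__(self, n_bits: int, flips_per_block: int):
        self._base = [secrets.randbelow(2) for _ in range(n_bits)]
        self._flips = flips_per_block

    def evaluate(self) -> list:
        rng = secrets.SystemRandom()
        out = list(self._base)
        for start in range(0, len(out), R):
            for pos in rng.sample(range(start, start + R), self._flips):
                out[pos] ^= 1
        return out


def tolerance() -> int:
    """Flips per block the majority decoder corrects. Enrollment and reproduction
    are both noisy, so a device must stay within tolerance() / 2 flips per block."""
    return (R - 1) // 2


def repetition_encode(secret_bits: list) -> list:
    return [b for b in secret_bits for _ in range(R)]


def repetition_decode(code_bits: list) -> list:
    # Majority vote inside every block of R bits.
    return [int(2 * sum(code_bits[i:i + R]) > R) for i in range(0, len(code_bits), R)]


def derive_key(secret_bits: list) -> bytes:
    # Extractor stand-in: hash the recovered secret bits down to a 32-byte key.
    raw = int("".join(map(str, secret_bits)), 2).to_bytes(len(secret_bits) // 8, "big")
    return hashlib.sha256(b"server-specific-key|" + raw).digest()


def generate_from_response(response: list):
    """Enrollment: choose a random secret and publish helper = response XOR
    encode(secret). The helper may sit in ordinary server storage because it is
    masked by the device's response (a repetition-code sketch still leaks some
    response entropy; production designs use stronger codes and extractors)."""
    secret_bits = [secrets.randbelow(2) for _ in range(NBITS)]
    helper = [a ^ b for a, b in zip(response, repetition_encode(secret_bits))]
    return derive_key(secret_bits), helper


def recover_key(response: list, helper: list) -> bytes:
    """response' XOR helper = encode(secret) XOR noise; majority decoding removes
    the noise as long as each block carries at most tolerance() flips."""
    noisy_codeword = [a ^ b for a, b in zip(response, helper)]
    return derive_key(repetition_decode(noisy_codeword))


def generate(puf: SimulatedPuf):
    return generate_from_response(puf.evaluate())


def reproduce(puf: SimulatedPuf, helper: list) -> bytes:
    return recover_key(puf.evaluate(), helper)


if __name__ == "__main__":
    device = SimulatedPuf(NBITS * R, flips_per_block=2)
    key, helper = generate(device)
    print("key stable over 10 boots:", all(reproduce(device, helper) == key for _ in range(10)))
```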
As understood from the elaboration above, the user provides his password and essentially gets a cookie back that is to be used by e.g. an application that is operated by the user. Once the user is in contact with the server, such as within a "session", the user may continuously access his user data without having to enter his user password again. Rather, the cookie may be used for accessing the user data (as will be further elaborated below).

It should be understood that the cookie enabled application for example may be a browser running at the client device. Other possible applications exist and are within the scope of the present disclosure.

In a preferred embodiment the lifetime for the access token is based on such a session formed between the server and the client device. That is, once the user leaves the session the cookie may be allowed to expire, effectively meaning that the user typically will have to again enter his password once entering into a new session with the server. As an alternative, the lifetime of the access token is set by the client device, effectively meaning that the cookie may be allowed to reside with the client device for more (or also less) than a single session.

As indicated above, the computer memory, the PUF and the processing circuitry are preferably comprised with the server, whereby the server is arranged in a networked connection, such as the Internet, to the client device. The server is preferably a cloud server. The client device is typically provided with a user interface (UI) for receiving the password from the user and configured to transmit the user password to the server using the network connection.

It should be understood that it may be desirable to encrypt the user password prior to transmitting the password to the server, thus allowing also the communication between the client device and the server to be secure. In such an implementation the server will decrypt the password prior to providing the password as an input to the PUF. The client device may for example be a laptop, mobile or tablet, thereby improving also local password storage.
According to a second aspect of the disclosure there is provided a method for allowing access to restricted information stored at a server, the server arranged in communication with a client device, the client device running a cookie enabled application, the method comprising the steps of receiving, at the server, a request from the client device for accessing the restricted information, the request including a cookie comprising an access token formed in accordance with any one of the preceding claims, and verifying the access token, at the server, for allowing the client device access to the restricted information.

In line with the above discussion, the cookie may be used for e.g. accessing restricted user information that is stored at the server in a verifiable manner, where the cookie is used for "unlocking" the restricted user information. Accordingly, the access token comprised with the cookie (again in line with the above discussion) is decrypted to derive the user specific key to access the restricted information.

According to a third aspect of the disclosure there is provided a password management system, the system comprising a server arranged in communication with a client device, the client device running a cookie enabled application, wherein the server is adapted to receive a representation of a user password provided from the client device, store the representation of the user password at a computer memory associated with the server, receive a server specific key, encrypt the password using the server specific key, form an access token based on the encrypted password, wherein the access token has a predefined lifetime, form a cookie comprising the access token, and send the cookie to the client device for storage in a computer memory arranged in association with the client device. This aspect of the invention provides similar advantages as discussed above in relation to the first aspect of the disclosure.

According to a third aspect of the disclosure there is provided a computer program product comprising a non-transitory computer readable medium having stored thereon computer program means for operating a password management system comprising a server arranged in communication with a client device, the client device running a cookie enabled application, wherein the computer program product comprises code for receiving, at the server, a representation of a user password provided from the client device, code for storing the representation of the user password at a computer memory associated with the server, code for receiving, at the server, a server specific key, code for encrypting, at the server, the password using the server specific key, code for forming, at the server, an access token based on the encrypted password, wherein the access token has a predefined lifetime, code for forming, at the server, a cookie comprising the access token, and code for sending, by the server, the cookie to the client device for storage in a computer memory arranged in association with the client device. Also this aspect of the invention provides similar advantages as discussed above in relation to the first aspect of the disclosure.

Software executed by the processing circuitry for operation in accordance with the invention may be stored on a computer readable medium, being any type of memory device, including one of a removable nonvolatile random access memory, a hard disk drive, a floppy disk, a CD-ROM, a DVD-ROM, a USB memory, an SD memory card, or a similar computer readable medium known in the art.

Further features of, and advantages with, the present disclosure will become apparent when studying the appended claims and the following description. The skilled addressee realizes that different features of the present disclosure may be combined to create embodiments other than those described in the following, without departing from the scope of the present disclosure.

Some portions of the detailed descriptions which follow are presented in terms of algorithms and symbolic representations of operations. These algorithmic descriptions and representations are the means used by those skilled in the data processing arts to most effectively convey the substance of their work to others skilled in the art. An algorithm is here, and generally, conceived to be a self-consistent sequence of steps leading to a desired result. The steps are those requiring physical manipulations of physical quantities. Usually, though not necessarily, these quantities take the form of electrical or magnetic signals capable of being stored, transferred, combined, compared, and otherwise manipulated. It has proven convenient at times, principally for reasons of common usage, to refer to these signals as bits, values, elements, symbols, characters, terms, numbers, or the like.

It should be borne in mind, however, that all of these and similar terms are to be associated with the appropriate physical quantities and are merely convenient labels applied to these quantities. Unless specifically stated otherwise as apparent from the following discussion, it is appreciated that throughout the description, discussions utilizing terms such as "processing" or "computing" or "calculating" or "determining" or "displaying" or the like, refer to the action and processes of a computer system, or similar electronic computing device, that manipulates and transforms data represented as physical (electronic) quantities within the computer system's registers and memories into other data similarly represented as physical quantities within the computer system memories or registers or other such information storage, transmission or display devices.

The algorithms and displays presented herein are not inherently related to any particular computer or other apparatus. Various general purpose systems may be used with programs in accordance with the teachings herein, or it may prove convenient to construct more specialized apparatus to perform the required method steps. The required structure for a variety of these systems will appear from the description below. In addition, the present invention is not described with reference to any particular programming language. It will be appreciated that a variety of programming languages may be used to implement the teachings of the invention as described herein.
BRIEF DESCRIPTION OF THE DRAWINGS

The various aspects of the disclosure, including its particular features and advantages, will be readily understood from the following detailed description and the accompanying drawings, in which:

Fig. 1 conceptually illustrates a client-server environment where the present concept may be applied,

Fig. 2 conceptually illustrates the server according to a currently preferred embodiment of the present disclosure, and

Fig. 3 is a flow chart showing the method steps according to currently preferred embodiments of the invention.

DETAILED DESCRIPTION

The present disclosure will now be described more fully hereinafter with reference to the accompanying drawings, in which example embodiments of the disclosure are shown. This disclosure may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided for thoroughness and completeness, and fully convey the scope of the disclosure to the skilled addressee. Like reference characters refer to like elements throughout.

Referring now to the drawings and to Fig. 1 in particular, there is depicted, conceptually, a client-server environment 100 where the present concept may be applied. The client-server environment 100 comprises a plurality of client devices 102, 104, 106 and a cloud server 108, where the client devices 102, 104, 106 and the server 108 are connected by means of a network connection, such as over the Internet 110.

As discussed above, the client devices 102, 104, 106 may for example include mobile phones, desktop computers, laptops, tablets, etc., each provided with a web browser. During operation the individual users of the client devices 102, 104, 106 may have a desire to access privileged information, for example stored at a database 112 connected to the server 108.

To access the information, a client device such as client device 102 must be verified as the correct user/device for the specific information. In accordance with the invention, with further reference to Fig. 2, the client device 102 must first go through an enrollment process whereby a representation of a user password is stored at a computer memory of the server 108.

The server 108 preferably comprises a control unit 202, a hardware element implemented as a physical unclonable function (PUF) 204 and a salt generator 206. The server 108 further comprises an external interface for allowing the user password to be received from the client device 102, 104, 106 as well as for providing a cookie to the user device 102, 104, 106 as will be further elaborated below. The server 108 is also adapted to receive a user identity, such as a user login.

In accordance with the present disclosure, a unique user specific key is generated by the control unit 202 based on the user password received from the client device 102, 104, 106, a salt generated by the salt generator 206 and a PUF-based key provided by the PUF. Each user's restricted information is encrypted with the user specific key. Use of the salt ensures that users with the same password have different keys, and the salt can be the same as in password protection. In line with the present disclosure, the keys are temporarily stored in e.g. the database 112 or within another form of temporary computer memory arranged in association with the server 108. When the user session expires or the user logs out, the key is deleted.
The operation of the client-server environment 100 may be exemplified by means of the following exemplary scheme, for example including the following steps.

In a first step the user signs up for use of the server 108 by providing his username and password. The server 108 then generates the user specific key and stores the user specific key only temporarily, e.g., in a hardware security module (HSM). An HSM is a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing.

Based on the user specific key the server 108 generates an access token and stores the access token in the database 112, in association with the username for the user. The access token has a lifetime, e.g., an expiry date/time, to limit the user's session. In an embodiment the lifetime is no longer than the session where the client device 102, 104, 106 is operationally connected to the server 108.

The access token is specifically "connected" to a response cookie that is to be returned to the user's cookie enabled application running at the client device 102, 104, 106, such as e.g. a browser or any other form of application making use of the operation in accordance with the present disclosure. It may also be possible to include in the response cookie a protected copy of the user specific key, e.g., it can be encrypted with a public key provided from the server 108 and used in a signature process.

In a subsequent process of accessing the restricted user information the client sends a page request to the server 108 together with the cookie, which contains the access token and protected key. The server 108 may then validate the cookie using a process in line with the above discussion, thereby allowing the user access to his restricted user information.

In summary and with further reference to Fig. 3, the present disclosure relates to a computer implemented method for operating a password management system comprising a server arranged in communication with a client device, the client device running a cookie enabled application, wherein the method comprises the steps of receiving, S1, at the server 108, a representation of a user password provided from the client device 102, 104, 106, storing, S2, the representation of the user password at a computer memory 112 associated with the server 108, receiving, S3, at the server 108, a server specific key, encrypting, S4, at the server 108, the password using the server specific key, forming, S5, at the server 108, an access token based on the encrypted password, wherein the access token has a predefined lifetime, forming, S6, at the server, a cookie comprising the access token, and sending, S7, by the server 108, the cookie to the client device for storage in a computer memory arranged in association with the client device 102, 104, 106.
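The enrollment steps S1 to S7 and the later cookie validation of claims 9 and 10, as an added example that is not the patent's or Authentico's code. The server specific key is a constructed constant standing in for the PUF-derived key, the cipher is a standard-library stand-in for an AEAD, and the lifetime value, class and function names are assumptions.

```python
import base64
import hashlib
import hmac
import json
import os

# Constructed stand-in for the server specific key; in the preferred embodiment
# this value is derived from the PUF 204 and never leaves the server.
SERVER_SPECIFIC_KEY = hashlib.sha256(b"constructed PUF-derived key").digest()
TOKEN_LIFETIME_S = 600  # predefined access token lifetime (assumed value)

def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream_xor(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Stdlib stand-in for an AEAD: HMAC-derived keystream, then a MAC tag."""
    nonce = os.urandom(16)
    ct = _keystream_xor(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext integrity check failed")
    return _keystream_xor(_subkey(key, b"enc"), nonce, ct)

class Server:
    """Server 108: database 112 for durable records plus a separate in-memory
    map for user specific keys, which exist only while a session lasts."""

    def __init__(self, server_key: bytes):
        self._server_key = server_key
        self.db = {}          # username -> salt, password representation, token, data
        self._user_keys = {}  # username -> user specific key (temporary, cf. the HSM)

    def enroll(self, username: str, password: str, restricted: bytes, now: float) -> str:
        salt = os.urandom(16)
        # S1 / claim 3: representation formed from the password and a random salt.
        rep = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        # User specific key from the representation, the salt and the server
        # specific key; the plaintext password is not retained (claim 2).
        user_key = hmac.new(self._server_key, salt + rep, hashlib.sha256).digest()
        self._user_keys[username] = user_key
        token = {"user": username,
                 "exp": now + TOKEN_LIFETIME_S,                                # S5
                 "enc": base64.b64encode(encrypt(self._server_key, rep)).decode()}  # S4
        self.db[username] = {"salt": salt, "rep": rep, "token": token,        # S2
                             "restricted": encrypt(user_key, restricted)}
        return base64.urlsafe_b64encode(json.dumps(token).encode()).decode()  # S6, S7

    def access(self, cookie: str, now: float) -> bytes:
        """Claims 9 and 10: validate the token carried by the cookie, then use
        the user specific key to unlock the restricted information."""
        token = json.loads(base64.urlsafe_b64decode(cookie))
        record = self.db.get(token.get("user"))
        if record is None or token != record["token"]:
            raise PermissionError("unknown or altered access token")
        if now >= token["exp"]:
            raise PermissionError("access token expired")
        rep = decrypt(self._server_key, base64.b64decode(token["enc"]))
        if not hmac.compare_digest(rep, record["rep"]):
            raise PermissionError("token does not match the stored representation")
        user_key = self._user_keys.get(token["user"])
        if user_key is None:
            raise PermissionError("session ended: user key deleted, password required")
        return decrypt(user_key, record["restricted"])

    def logout(self, username: str) -> None:
        self._user_keys.pop(username, None)  # key deleted when the session ends

def _attempt(srv: Server, cookie: str, now: float) -> str:
    try:
        srv.access(cookie, now)
        return "allowed"
    except PermissionError as exc:
        return f"denied: {exc}"

def demo(now: float) -> dict:
    """Runs enrollment and four access attempts; returns the outcomes."""
    srv = Server(SERVER_SPECIFIC_KEY)
    cookie = srv.enroll("alice", "correct horse battery", b"card=4111-1111", now)
    token = json.loads(base64.urlsafe_b64decode(cookie))
    token["exp"] += 10 ** 6                    # client-side edit of the lifetime
    edited = base64.urlsafe_b64encode(json.dumps(token).encode()).decode()
    results = {"fresh": srv.access(cookie, now + 5),
               "expired": _attempt(srv, cookie, now + TOKEN_LIFETIME_S + 1),
               "edited": _attempt(srv, edited, now + 5)}
    srv.logout("alice")
    results["after_logout"] = _attempt(srv, cookie, now + 5)
    return results
```

The restricted data is only reachable while the token is unexpired, unmodified and the session's user key still exists; deleting that key on logout is what makes a stolen cookie useless afterwards.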
Advantages following the scheme applied by the present disclosure include a reduced risk of e.g. a potential hacker getting hold of the "real" user password, specifically since the hacker in such a case first must get hold of the server specific key. Preferably, the server further comprises a hardware element implemented as a physical unclonable function (PUF), and the server specific key is formed based on information received from the PUF. Accordingly, the server specific key may in such an embodiment not easily be stolen and used at "another location" since the PUF/hardware element is physically connected to the server.

The present disclosure contemplates methods and program products on any machine-readable media for accomplishing various operations. The embodiments of the present disclosure may be implemented using existing computer processors, or by a special purpose computer processor for an appropriate system, incorporated for this or another purpose, or by a hardwired system. Embodiments within the scope of the present disclosure include program products comprising machine-readable media for carrying or having machine-executable instructions or data structures stored thereon. Such machine-readable media can be any available media that can be accessed by a general purpose or special purpose computer or other machine with a processor. By way of example, such machine-readable media can comprise RAM, ROM, EPROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to carry or store desired program code in the form of machine-executable instructions or data structures and which can be accessed by a general purpose or special purpose computer or other machine with a processor.

When information is transferred or provided over a network or another communications connection (either hardwired, wireless, or a combination of hardwired or wireless) to a machine, the machine properly views the connection as a machine-readable medium. Thus, any such connection is properly termed a machine-readable medium. Combinations of the above are also included within the scope of machine-readable media. Machine-executable instructions include, for example, instructions and data which cause a general purpose computer, special purpose computer, or special purpose processing machines to perform a certain function or group of functions.

Although the figures may show a specific order of method steps, the order of the steps may differ from what is depicted. Also two or more steps may be performed concurrently or with partial concurrence. Such variation will depend on the software and hardware systems chosen and on designer choice. All such variations are within the scope of the disclosure. Likewise, software implementations could be accomplished with standard programming techniques with rule based logic and other logic to accomplish the various connection steps, processing steps, comparison steps and decision steps. Additionally, even though the invention has been described with reference to specific exemplifying embodiments thereof, many different alterations, modifications and the like will become apparent to those skilled in the art. Variations to the disclosed embodiments can be understood and effected by the skilled addressee in practicing the claimed invention, from a study of the drawings, the disclosure, and the appended claims. Furthermore, in the claims, the word "comprising" does not exclude other elements or steps, and the indefinite article "a" or "an" does not exclude a plurality.

Claims (14)

1. A computer implemented method for operating a password management system comprising a server arranged in communication with a client device, the client device running a cookie enabled application, wherein the method comprises the steps of:
- receiving, at the server, a representation of a user password provided from the client device,
- storing the representation of the user password at a computer memory associated with the server,
- receiving, at the server, a server specific key,
- encrypting, at the server, the password using the server specific key,
- forming, at the server, an access token based on the encrypted password, wherein the access token has a predefined lifetime,
- forming, at the server, a cookie comprising the access token, and
- sending, by the server, the cookie to the client device for storage in a computer memory arranged in association with the client device.

2. The method according to claim 1, further comprising the step of:
- deleting the user password from the computer memory associated with the server.

3. The method according to any one of claims 1 and 2, wherein receiving the representation of the user password comprises the steps of:
- receiving, at the server, the user password from the client device,
- forming, at the server, the representation of the user password based on the user password and an at least partly random number.

4. The method according to claim 3, further comprising the step of:
- storing the at least partly random number at the computer memory associated with the server.

5. The method according to claim 4, wherein the at least partly random number is specific for an identity of the user device.

6. The method according to any one of the preceding claims, wherein the server further comprises a hardware element implemented as a physical unclonable function (PUF), and the server specific key is formed based on information received from the PUF.

7. The method according to any one of the preceding claims, wherein the lifetime for the access token is based on a session formed between the server and the client device.

8. The method according to any one of claims 1 - 6, wherein the lifetime of the access token is set by the client device.

9. A method for allowing access to restricted information stored at a server, the server arranged in communication with a client device, the client device running a cookie enabled application, the method comprising the steps of:
- receiving, at the server, a request from the client device for accessing the restricted information, the request including a cookie comprising an access token formed in accordance with any one of the preceding claims, and
- verifying the access token, at the server, for allowing the client device access to the restricted information.

10. The method according to claim 9, further comprising the step of:
- decrypting the access token to derive the user specific key to access the restricted information.
11. The method according to any one of claims g-fl-(š and iQ-fl-fl, whereinthe cookie is removed or made unusable after a predetermined time period.
12. A password management system, the system comprising a serverarranged in communication with a client device, the client device running acookie enabled application, wherein the server is adapted to: - receive a representation of a user password provided from the clientdevice, - store the representation of the user password at a computer memoryassociated with the server, - receive a server specific key, - encrypt the password using the server specific key, -form an access token based on the encrypted password, wherein theaccess token has a predefined lifetime, -form a cookie comprising the access token, and - send the cookie to the client device for storage in a computer memoryarranged in association with the client device.
13. The system according to claim 12, wherein the server is furtheradapted to:- delete the user password from the computer memory associated with the server.
14. The system according to any one of claims 12 and 13, wherein theserver further comprises a hardware element implemented as a physicalunclonable function (PUF), and the server specific key is formed based oninformation received from the PUF. reaëfable-lättad-iurn--itavingf-s-terfed--titereert-eenappater--pregrfarn--rtteans--feaf operatiifig--a--pas-slftfer-el--managelfteat»system-serffapris-ing---a--seiffer--aizflanged--in- eerapu-terf-rriernerfy--as-seeiated-wittt--ttte--ser-ver; ~--afasie-fišøzf-»reææiving;--aà--ëhe-servezf;"a"sßzfvefifl-sæefsèíia--keyï
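The claims above describe a two-phase protocol (enrolment in claims 1-8 and 12-14, access in claims 9-11) without fixing any primitive. The following is an added worked example, not code from the patent or from Authentico Technologies, that walks through both phases with the Python standard library only. Everything beyond the claim text is an assumption and is marked as such in the code: a salted SHA-256 digest stands in for the unspecified "representation of the user password", an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag stands in for a real AEAD (use AES-GCM or ChaCha20-Poly1305 in production), a fixed byte string stands in for the PUF-derived server specific key of claims 6 and 14, the token layout and the cookie name are invented for illustration, and PBKDF2 is one possible way to turn the decrypted password into the "user specific key" of claim 10.

```python
"""Added example of the enrolment and access flow of SE543011C2's claims.
Not the patent's own code; all primitives and layouts are assumptions."""
import base64
import hashlib
import hmac
import secrets
import time

# Assumption: stand-in for the PUF-derived server specific key (claims 6/14).
# A real server would reconstruct this from a PUF response and never store it.
PUF_SERVER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)

# Server-side store: username -> {"salt": ..., "rep": ...}. Only the salted
# representation is kept (claims 3-5); the plaintext password is not (claim 2).
USER_STORE = {}


def _subkeys(server_key):
    """Derive independent encryption and MAC keys from the server specific key."""
    enc = hmac.new(server_key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(server_key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key, nonce, length):
    """HMAC-SHA256 in counter mode as a PRF-based stream cipher (AEAD stand-in)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def representation(password, salt):
    """Claim 3: representation formed from the password and a random number."""
    return hashlib.sha256(salt + password.encode()).digest()


def enrol(username, password, lifetime_s, server_key=PUF_SERVER_KEY, now=None):
    """Claims 1-5: store the salted representation, encrypt the password under the
    server specific key, build an expiring access token and return the
    Set-Cookie value that carries it."""
    if "\x00" in username:
        raise ValueError("username must not contain NUL (used as a field separator)")
    now = time.time() if now is None else now
    salt = secrets.token_bytes(16)  # claim 4: the random number is stored server-side
    USER_STORE[username] = {"salt": salt, "rep": representation(password, salt)}
    enc_key, mac_key = _subkeys(server_key)
    nonce = secrets.token_bytes(16)
    pt = password.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, nonce, len(pt))))
    expiry = int(now + lifetime_s)  # claim 1: predefined lifetime, enforced server-side
    body = username.encode() + b"\x00" + nonce + expiry.to_bytes(8, "big") + ct
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()  # encrypt-then-MAC
    token = base64.urlsafe_b64encode(body + tag).decode()
    # Assumed cookie name; Max-Age mirrors the token lifetime so the browser
    # drops the cookie as well (claim 11), and the flags keep it off script/HTTP.
    return f"access_token={token}; Max-Age={lifetime_s}; Secure; HttpOnly; SameSite=Strict"


def verify_token(cookie, server_key=PUF_SERVER_KEY, now=None):
    """Claims 9-11: check the tag and the lifetime, decrypt the password, confirm it
    against the stored representation and derive the user specific key.
    Returns (username, user_key) on success, None on any failure."""
    now = time.time() if now is None else now
    try:
        raw = base64.urlsafe_b64decode(cookie.split("access_token=", 1)[1].split(";", 1)[0])
    except (IndexError, ValueError):
        return None
    if len(raw) < 1 + 1 + 16 + 8 + 32 or b"\x00" not in raw:
        return None
    body, tag = raw[:-32], raw[-32:]
    enc_key, mac_key = _subkeys(server_key)
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
        return None  # forged, damaged, or issued under a different server key
    username_b, rest = body.split(b"\x00", 1)
    nonce, expiry, ct = rest[:16], int.from_bytes(rest[16:24], "big"), rest[24:]
    if now >= expiry:
        return None  # claim 11: an expired token is unusable even if the cookie survives
    password = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct)))).decode()
    record = USER_STORE.get(username_b.decode())
    if record is None or not hmac.compare_digest(record["rep"], representation(password, record["salt"])):
        return None  # decrypted password no longer matches the stored representation
    # Assumption: the user specific key of claim 10 is derived from password + salt.
    user_key = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], 50_000)
    return username_b.decode(), user_key
```

Two points a practitioner should take from running this. First, the token is a reversible encryption of the password, so everything rests on the server specific key: whoever holds it can recover the password of every user with a live cookie, which is why the claims tie the key to a PUF rather than to a file on disk. Second, the lifetime must be checked on the server (the `expiry` field under the MAC), not only through `Max-Age`, because a client can keep presenting a cookie after the browser would have discarded it.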

Priority Applications (1)

Application Number Priority Date Filing Date Title
SE1950366A SE543011C2 (en) 2019-03-25 2019-03-25 Password management system and method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
SE1950366A SE543011C2 (en) 2019-03-25 2019-03-25 Password management system and method

Publications (2)

Publication Number Publication Date
SE1950366A1 SE1950366A1 (en) 2020-09-26
SE543011C2 true SE543011C2 (en) 2020-09-29

Family

ID=72603562

Family Applications (1)

Application Number Title Priority Date Filing Date
SE1950366A SE543011C2 (en) 2019-03-25 2019-03-25 Password management system and method

Country Status (1)

Country Link
SE (1) SE543011C2 (en)

Also Published As

Publication number Publication date
SE1950366A1 (en) 2020-09-26

Similar Documents

Publication Publication Date Title
EP3319292B1 (en) Methods, client and server for checking security based on biometric features
US10924289B2 (en) Public-private key pair account login and key manager
US20190305955A1 (en) Push notification authentication
US10848304B2 (en) Public-private key pair protected password manager
JP6399382B2 (en) Authentication system
US9294281B2 (en) Utilization of a protected module to prevent offline dictionary attacks
US9077710B1 (en) Distributed storage of password data
US20170126654A1 (en) Method and system for dynamic password authentication based on quantum states
US20180183777A1 (en) Methods and systems for user authentication
US9887993B2 (en) Methods and systems for securing proofs of knowledge for privacy
US10819522B1 (en) Systems and methods of authentication using entropic threshold
CN107733933B (en) Method and system for double-factor identity authentication based on biological recognition technology
US9942042B1 (en) Key containers for securely asserting user authentication
CN110771190A (en) Controlling access to data
US20180262471A1 (en) Identity verification and authentication method and system
CN105187382A (en) Multi-factor identity authentication method for preventing library collision attacks
WO2017093917A1 (en) Method and system for generating a password
CN113826096A (en) User authentication and signature apparatus and method using user biometric identification data
SE1650475A1 (en) Method and system for secure password storage
US11502840B2 (en) Password management system and method
CN111368271A (en) Method and system for realizing password management based on multiple encryption
CN104009851A (en) One-time pad bidirectional authentication safe logging technology for internet bank
SE543011C2 (en) Password management system and method
US20200374277A1 (en) Secure authentication in adverse environments
Yang et al. Trusted Computing-Based Double Factor Authentication for Mobile Terminals