<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0">
  <channel>
    <title>Security systems for protecting an asset</title>
    <link>http://www.peertopatent.org/patent/20070250920/activity</link>
    <description>Security systems for protecting assets are described, including password-based security systems that can provide different levels of access responsive to entry of a primary or secondary password. In some versions, user-configurable security rules can provide customized responses to entry of primary or secondary passwords, including feigned or limited access, security alerts, etc. Passwords comprising overt and covert components can be used to provide enhanced security and improved user control over system response. Improved security systems involving transactions between multiple parties are also considered, with options for user-customized security rules including primary and secondary passwords, and reverse challenge and response methods. Systems for Limited Use Credentials are also disclosed to reduce the risk of identity theft.</description>
    <language>en-us</language>
    <item>
      <title>How is claim 1 any different from a system that...</title>
      <category>Security systems for protecting an asset</category>
      <description>How is claim 1 any different from a system that lets one log in as root (primary password) or as a user with a lower level of access (secondary password)?  This has been common in Unix/Linux/Mac systems for quite some time.</description>
      <pubdate>Thu, 07 Feb 2008 22:31:30 -0800</pubdate>
      <guid>http://www.peertopatent.org/patent/20070250920/discussion</guid>
    </item>
    <item>
      <title>In the invention description, the applicant mak...</title>
      <category>Security systems for protecting an asset</category>
      <description>In the invention description, the applicant makes reference to
U.S. Patent Numbers 6,679,422, 5,354,974, and 5,731,575. The trivial
extension of using multiple secret PIN values in an ATM machine to
using multiple passwords in a more general computing device, as
described in Claim 1, is neither novel nor non-obvious.

Claim 18 describes a means whereby a user elects to log in under
various levels of access control based on the credentials he provides
at the time of authentication. For years, systems have existed that
currently allow the same agents to manage multiple user accounts, each
account with its own level of access. The applicant is claiming that
rather than map unique username+password combinations to unique sets
of access rules, the system should map unique (username, password)
tuples to unique sets of access rules. The security semantics of such
a change in mapping are weak, and, as other respondents have pointed
out, the existence of numerous well-established RBAC schemes challenges
the applicant's claim to his invention's novelty and non-obviousness.</description>
      <pubdate>Mon, 14 Jan 2008 16:15:00 -0800</pubdate>
      <guid>http://www.peertopatent.org/patent/20070250920/discussion</guid>
    </item>
    <item>
      <title>It strikes me that the idea of different passwo...</title>
      <category>Security systems for protecting an asset</category>
      <description>It strikes me that the idea of different passwords providing different levels of access is not very novel.  In a role-based access control (RBAC) system, you need to authenticate yourself, and if you have different levels of access, you will use different authentication information - equivalent to different passwords.  The two cited prior art items cover the feigned access ideas.  RBAC is an ANSI standard: ANSI INCITS 359-2004.  There is a discussion of this standard in IEEE Security &amp; Privacy for Nov/Dec 2007.</description>
      <pubdate>Thu, 06 Dec 2007 20:37:55 -0800</pubdate>
      <guid>http://www.peertopatent.org/patent/20070250920/discussion</guid>
    </item>
    <item>
      <title>I feel some of the claims in this patent are al...</title>
      <category>Security systems for protecting an asset</category>
      <description>I feel some of the claims in this patent are already implemented. Password generating keychains such as the RSA SecurID have PINs (Personal Identification Numbers) associated with each user. If ever the user is forced to enter this information to log on to a system, the user can input a special PIN to alert the system that the PIN has been compromised.</description>
      <pubdate>Thu, 06 Dec 2007 13:56:28 -0800</pubdate>
      <guid>http://www.peertopatent.org/patent/20070250920/discussion</guid>
    </item>
    <item>
      <title>The patent under review has many prospects in i...</title>
      <category>Security systems for protecting an asset</category>
      <description>The patent under review has many prospects in its future development.  The idea of protecting assets digitally against thieves is a dilemma we&#8217;ve faced since the advent of technology.  A theft occurs in two ways primarily, either physically or electronically.  This invention in particular would be quite beneficial for banks, large corporations, and government entities because the extensive information they contain is vulnerable to attack or theft.

The timing for this product may be optimum, since according to TheInfoPro, &#8220;56 percent of F1000-size companies plan to increase information security spending in 2008&#8221;.  Companies and individuals continually are pursuing the latest and greatest technology to protect their information, therefore this invention could fill several niche high-end information security markets.

Since this idea of alternative protection is not new, there are some shortcomings of this patent.  For instance, an identity thief who infects other computers with spyware can monitor keystrokes and analyze the logic of the algorithm used in the secondary protection system.  With months of analyzing the possible connections between codes and decoding, the identity thief can find the weak link in the system and gain access to all the possible functions.  As technology advances, it becomes harder to hack into systems, but at the same time, more sophisticated hacking can also occur, leaving the user as vulnerable as ever. 

Another shortfall is that this patent can also become quite confusing to the user.  What if the user is unable to decode the information provided?  If security levels are set too high, the user may eventually prohibit their own access causing delays in their search for the necessary information.  It is also important to note that a company&#8217;s policies and procedures will play a large role in making this patent successful.  If a company does not support these guidelines the invention will not be any more beneficial than current security measures.  A lot of emphasis is on the user and it is important that the user effectively create security rules.

The invention is somewhat complex and covers a wide area of industries.  It may be helpful to concentrate on one specific industry to first test how well the invention works.  There is a lot of potential to expand but there will need to be a starting point and that is what may help commercialize this patent.  

Based on the information provided in the patent review, we would recommend approval for the invention.  This invention can interact with a variety of software and hardware devices, which gives it the flexibility to be used in many different applications. The idea of secondary passwords is unique in the sense that they can simulate that full access has been given to a user when in fact important confidential assets are not displayed.  This invention is different from prior inventions because it gives the user the ability to customize their security settings.  There is a great need to protect assets and personal information and this invention helps solve the problems of today&#8217;s vulnerabilities associated with passwords.
</description>
      <pubdate>Sun, 02 Dec 2007 11:42:16 -0800</pubdate>
      <guid>http://www.peertopatent.org/patent/20070250920/discussion</guid>
    </item>
    <item>
      <title>My class was required to pick a patent applicat...</title>
      <category>Security systems for protecting an asset</category>
      <description>My class was required to pick a patent application and discuss it and give our recommendation if it should be granted or not. We will begin with our review and end with our recommendation.

This patent application is intended to improve the security of protected assets protected by passwords or personal identification numbers. The system uses primary and secondary passwords to provide additional control over access to the asset. The access granted by the primary and secondary password is configurable to provide a variety of schemes, including full, temporary, limited or feigned access to the asset. This system purports to be especially useful when the user is used under duress, such as when a thief forces the user to divulge the information, or in insecure situations, such as using a public computer. 
The security system allows customizable rules for access based on user responses that would be stored in the same record as the primary and secondary passwords. Using such levels of passwords would limit the access to less-sensitive information, while protecting sensitive information. 

An enhancement to this patent would be to force the user to change the password periodically, i.e. every 90 days, and integrate other complex ways to get into the system without the use of a password, such as an ID tag or fingerprint. 

The inventor of this patent is not proposing anything new. The use of one-time passwords is not unique either. One-time passwords are issued daily by network administrators as a way of allowing first access to a system, which requires the user to create a new password after authenticating. 

The suggestion for a small one-time password generator that is displayed on a credit card is not unique either. Security tokens, such as RSA SecurID, are small footprint devices that generate passwords on the fly. EMV's integrated circuit smart cards are already equipped with the credit card design the patent maker suggests in this patent. The IC cards work by handshaking with IC POS terminals and ATMs. Smart chips are used to drive the Visa Tap-n-go technology to emulate the one-click online experience that our fast-paced society demands. 

Because this patent calls for a user to remember more passwords and the type of password, primary or secondary, it is an overly complex solution to security. A hardware solution, such as biometrics, smart credit cards, and password generating devices, reduces the complexity and increases the security for today's overwhelmed user. The patent maker's recommendation of a one-time password generator is in line with a hardware solution. The use of multiple passwords can be harmful to individuals and companies. Because we live in a world where IT security is so important that people have many passwords for many accounts and Web sites, the only way to remember them is to write them down, on a post-it for example, oftentimes in plain view where anyone can get a hold of it and hack into the system. We have seen many instances of this and the result is never good.
</description>
      <pubdate>Sun, 02 Dec 2007 07:06:47 -0800</pubdate>
      <guid>http://www.peertopatent.org/patent/20070250920/discussion</guid>
    </item>
    <item>
      <title>My class was required to pick a patent applicat...</title>
      <category>Security systems for protecting an asset</category>
      <description>My class was required to pick a patent application and discuss it and give our recommendation if it should be granted or not.  We will begin with our review and end with our recommendation.

This patent application is intended to improve the security of protected assets protected by passwords or personal identification numbers. The system uses primary and secondary passwords to provide additional control over access to the asset. The access granted by the primary and secondary password is configurable to provide a variety of schemes, including full, temporary, limited or feigned access to the asset. This system purports to be especially useful when the user is used under duress, such as when a thief forces the user to divulge the information, or in insecure situations, such as using a public computer. 
The security system allows customizable rules for access based on user responses that would be stored in the same record as the primary and secondary passwords. Using such levels of passwords would limit the access to less-sensitive information, while protecting sensitive information.  

An enhancement to this patent would be to force the user to change the password periodically, i.e. every 90 days, and integrate other complex ways to get into the system without the use of a password, such as an ID tag or fingerprint.

The inventor of this patent is not proposing anything new.  The use of one-time passwords is not unique either. One-time passwords are issued daily by network administrators as a way of allowing first access to a system, which requires the user to create a new password after authenticating. 

The suggestion for a small one-time password generator that is displayed on a credit card is not unique either. Security tokens, such as RSA SecurID, are small footprint devices that generate passwords on the fly. EMV's integrated circuit smart cards are already equipped with the credit card design the patent maker suggests in this patent. The IC cards work by handshaking with IC POS terminals and ATMs. Smart chips are used to drive the Visa Tap-n-go technology to emulate the one-click online experience that our fast-paced society demands.

Because this patent calls for a user to remember more passwords and the type of password, primary or secondary, it is an overly complex solution to security. A hardware solution, such as biometrics, smart credit cards, and password generating devices, reduces the complexity and increases the security for today's overwhelmed user. The patent maker's recommendation of a one-time password generator is in line with a hardware solution.  The use of multiple passwords can be harmful to individuals and companies.  Because we live in a world where IT security is so important that people have many passwords for many accounts and Web sites, the only way to remember them is to write them down, on a post-it for example, oftentimes in plain view where anyone can get a hold of it and hack into the system.  We have seen many instances of this and the result is never good.
</description>
      <pubdate>Fri, 30 Nov 2007 19:17:01 -0800</pubdate>
      <guid>http://www.peertopatent.org/patent/20070250920/discussion</guid>
    </item>
    <item>
      <title>Perhaps I'm missing something here, but I'm str...</title>
      <category>Security systems for protecting an asset</category>
      <description>Perhaps I'm missing something here, but I'm struggling to understand how this is novel? Essentially the proposed innovation is for a system which uses two passwords to determine the security access level of the supplicant.

A simple prior innovation which implements this would be many current UNIX operating systems where one must log in as an unprivileged user prior to switching into the root user.

Have I missed something here?
</description>
      <pubdate>Thu, 06 Dec 2007 14:33:03 -0800</pubdate>
      <guid>http://www.peertopatent.org/patent/20070250920/discussion</guid>
    </item>
  </channel>
</rss>
