Patents

We currently own the following patents. Please contact us if you want to license any of them.

Protecting passwords and biometrics against back-end security breaches

US patent 9,887,989. This patent describes a multifactor authentication technique that uses a cryptographic key pair in conjunction with a password and/or a biometric key while protecting the password and biometric data against back-end security breaches. In a two-factor embodiment with a key pair and a password, the user of a web application registers the password and the public key component of the key pair with the back-end of the application. Instead of storing the public key and a salted hash of the password, the back-end stores a joint hash of the public key and the password, then deletes the public key and the password. An attacker who breaches the back-end database and obtains the joint hash cannot mount a brute-force or dictionary attack against the password without knowing the public key, which is unconventionally treated as a joint secret between the browser and the back-end. The password may also be protected against exploits of other back-end vulnerabilities besides database breaches, and against phishing attacks and reuse at malicious or insecure sites, by hashing it at the browser with a secret salt before submitting it to the back-end. Other embodiments are described in this blog post.
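The two-factor embodiment above, as an added worked example in Go; this is not code from the patent or from the patentee. Ed25519 stands in for the key pair, SHA-256 for the joint hash and HMAC-SHA256 for the browser-side salted hash; the record layout, the separator byte, the function names and the sample password, salt and word list are all constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Record is all the back-end keeps after registration: the joint hash. The
// public key and the password are discarded, as the patent text describes.
type Record struct{ Joint []byte }

// jointHash computes SHA-256(pubkey || 0x00 || pw). Hashing the two together is
// the patent's idea; this exact layout is an assumption of the example.
func jointHash(pub ed25519.PublicKey, pw []byte) []byte {
	h := sha256.New()
	h.Write(pub)
	h.Write([]byte{0})
	h.Write(pw)
	return h.Sum(nil)
}

// browserHash is the browser-side step: the password is HMACed under a salt the
// browser keeps secret, so the back-end and a phishing page only see the hash.
func browserHash(secretSalt, pw []byte) []byte {
	m := hmac.New(sha256.New, secretSalt)
	m.Write(pw)
	return m.Sum(nil)
}

// Register stores the joint hash of the public key and the browser-hashed password.
func Register(pub ed25519.PublicKey, pwHash []byte) Record {
	return Record{Joint: jointHash(pub, pwHash)}
}

// Authenticate: the browser resubmits pub and pwHash and signs the back-end's
// fresh challenge with the private key. Both checks must pass.
func Authenticate(rec Record, pub ed25519.PublicKey, pwHash, challenge, sig []byte) bool {
	if len(pub) != ed25519.PublicKeySize {
		return false // ed25519.Verify panics on a malformed key; reject first
	}
	if subtle.ConstantTimeCompare(rec.Joint, jointHash(pub, pwHash)) != 1 {
		return false
	}
	return ed25519.Verify(pub, challenge, sig)
}

// DictionaryAttack models an attacker holding a leaked Record and a word list.
// It is even handed the browser salt, to isolate the patent's point: with no
// public key there is nothing to test candidate passwords against.
func DictionaryAttack(rec Record, pub ed25519.PublicKey, salt []byte, words []string) (string, bool) {
	for _, w := range words {
		if bytes.Equal(rec.Joint, jointHash(pub, browserHash(salt, []byte(w)))) {
			return w, true
		}
	}
	return "", false
}

// DemoResult collects the outcomes of one constructed registration/login run.
type DemoResult struct {
	AuthOK, WrongPasswordOK, StaleChallengeOK, AttackWithKeyOK, AttackWithoutKeyOK bool
}

// Demo registers a user, logs in, and runs both attacker scenarios.
func Demo() DemoResult {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	salt := []byte("browser-secret-salt (constructed)")
	password := []byte("correct horse") // constructed, and deliberately on the word list
	rec := Register(pub, browserHash(salt, password))
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		panic(err)
	}
	sig := ed25519.Sign(priv, challenge)
	var r DemoResult
	r.AuthOK = Authenticate(rec, pub, browserHash(salt, password), challenge, sig)
	r.WrongPasswordOK = Authenticate(rec, pub, browserHash(salt, []byte("wrong")), challenge, sig)
	r.StaleChallengeOK = Authenticate(rec, pub, browserHash(salt, password), []byte("old challenge"), sig)
	words := []string{"password", "123456", "correct horse", "letmein"}
	_, r.AttackWithKeyOK = DictionaryAttack(rec, pub, salt, words)
	// Without the real key the attacker can only guess; a fresh random key stands in for a guess.
	guessed, _, _ := ed25519.GenerateKey(rand.Reader)
	_, r.AttackWithoutKeyOK = DictionaryAttack(rec, guessed, salt, words)
	return r
}

func main() { fmt.Printf("%+v\n", Demo()) }
```

The attack model deliberately gives the attacker more than a database breach would (the browser's secret salt), and the dictionary attack still only succeeds when the public key is also known, which is exactly what the back-end deleted. In the real scheme the salt is secret too, so a breach of the database alone yields neither ingredient.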

Cryptographic authentication techniques for mobile devices

US patent 9,185,111. This patent describes a method of authenticating a computing device to a back-end subsystem. In one embodiment a prover black-box in the computing device regenerates a credential containing a key pair from a PIN and a protocredential, and authenticates cryptographically to a verifier black-box in the back-end subsystem. The verifier black-box then sends an authentication token to the prover black-box as verifiable confirmation of the cryptographic authentication; the prover black-box passes the token to an application front-end in the computing device, the front-end forwards it to an application back-end in the back-end subsystem, and the application back-end verifies it.
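One way to realise the embodiment above, as an added example in Go that is not the patent's or the patentee's code. The contents of the protocredential, the derivation of an Ed25519 seed from protocredential and PIN, the verifier storing only a hash of the enrolled public key, the token format and the key shared between verifier and application back-end are all assumptions of this example, as are the device id, PINs and timestamps.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

// Protocredential is what the device keeps; its fields are this example's assumption.
type Protocredential struct {
	DeviceID string
	Seed     []byte // 32 random bytes chosen at enrollment; the PIN is not stored
}

// regenerate derives the key pair from protocredential and PIN. Any PIN yields a
// well-formed key pair, so a wrong PIN is only detectable by the verifier.
func regenerate(pc Protocredential, pin string) (ed25519.PublicKey, ed25519.PrivateKey) {
	h := sha256.New()
	h.Write(pc.Seed)
	h.Write([]byte(pc.DeviceID))
	h.Write([]byte(pin))
	priv := ed25519.NewKeyFromSeed(h.Sum(nil))
	return priv.Public().(ed25519.PublicKey), priv
}

// Verifier is the back-end black-box: a hash per enrolled public key, plus the
// key it shares with the application back-end for minting tokens (assumed).
type Verifier struct {
	enrolled map[string][32]byte
	tokenKey []byte
}

// Token layout (assumed): expiry (8 bytes, big-endian) || deviceID || HMAC-SHA256.
func mintToken(key []byte, deviceID string, expiry uint64) []byte {
	body := make([]byte, 8, 8+len(deviceID)+sha256.Size)
	binary.BigEndian.PutUint64(body, expiry)
	body = append(body, deviceID...)
	m := hmac.New(sha256.New, key)
	m.Write(body)
	return m.Sum(body)
}

// Authenticate: the prover presents its regenerated public key and a signature
// over the verifier's challenge; on success it receives a token.
func (v *Verifier) Authenticate(deviceID string, pub ed25519.PublicKey, challenge, sig []byte, now uint64) ([]byte, bool) {
	want, ok := v.enrolled[deviceID]
	if !ok || len(pub) != ed25519.PublicKeySize {
		return nil, false
	}
	got := sha256.Sum256(pub)
	if subtle.ConstantTimeCompare(want[:], got[:]) != 1 || !ed25519.Verify(pub, challenge, sig) {
		return nil, false
	}
	return mintToken(v.tokenKey, deviceID, now+300), true // 300 s lifetime (assumed)
}

// VerifyToken is the application back-end's check: MAC first, then expiry.
func VerifyToken(key, token []byte, now uint64) (string, bool) {
	if len(token) < 8+1+sha256.Size {
		return "", false
	}
	body, mac := token[:len(token)-sha256.Size], token[len(token)-sha256.Size:]
	m := hmac.New(sha256.New, key)
	m.Write(body)
	if !hmac.Equal(mac, m.Sum(nil)) || binary.BigEndian.Uint64(body[:8]) <= now {
		return "", false
	}
	return string(body[8:]), true
}

type DemoResult struct{ RightPIN, WrongPIN, TokenOK, TamperedTokenOK, ExpiredTokenOK bool }

// Demo enrolls a device and runs the whole flow on constructed data.
func Demo() DemoResult {
	pc := Protocredential{DeviceID: "phone-01", Seed: make([]byte, 32)} // constructed
	rand.Read(pc.Seed)
	tokenKey := []byte("key shared by verifier and app back-end (constructed)")
	v := &Verifier{enrolled: map[string][32]byte{}, tokenKey: tokenKey}
	pub, priv := regenerate(pc, "1234") // enrollment; at login the prover recomputes the same pair
	v.enrolled[pc.DeviceID] = sha256.Sum256(pub)
	challenge := []byte("nonce-from-verifier (constructed)")
	var r DemoResult
	var token []byte
	token, r.RightPIN = v.Authenticate(pc.DeviceID, pub, challenge, ed25519.Sign(priv, challenge), 1000)
	badPub, badPriv := regenerate(pc, "1235") // mistyped PIN: a valid but unenrolled key pair
	_, r.WrongPIN = v.Authenticate(pc.DeviceID, badPub, challenge, ed25519.Sign(badPriv, challenge), 1000)
	id, ok := VerifyToken(tokenKey, token, 1001)
	r.TokenOK = ok && id == pc.DeviceID
	tampered := append([]byte{}, token...)
	tampered[8] ^= 1 // flip a bit of the device id: the MAC no longer matches
	_, r.TamperedTokenOK = VerifyToken(tokenKey, tampered, 1001)
	_, r.ExpiredTokenOK = VerifyToken(tokenKey, token, 1300)
	return r
}

func main() { fmt.Printf("%+v\n", Demo()) }
```

Because every PIN regenerates some valid key pair, a stolen device with its protocredential offers no offline test of PIN guesses; each guess has to be submitted to the verifier, which is where a real deployment would add attempt counting or lockout (not shown).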

Facilitating browsing of result sets

US patent 9,069,854. A traditional user interface is geared towards depth-first search, where the user digs deep into the result set of a query before giving up and issuing a different query. But difficult search problems are best tackled by breadth-first search: looking at the first page of results of many different queries, then the second page of all those queries, and so on. US patent 9,069,854 discloses a search history feature that lets the user save not only queries but also positions within the result sets of queries. After browsing the results of several different queries, the user can go back to an earlier result set and resume browsing at the page, and at the scroll position within the page, where he or she left off.

Browsing real-time search results effectively

US patent 8,452,749. Real-time search results change frequently, because new results appear and because existing results may go up in rank, displacing others. Such changes may confuse the user and cause results to be missed. For example, a result that moves from position 11, on the second page of results, to position 10, on the first page, while the user navigates from page 1 to page 2 is never seen on either page. To help the user keep track of changes in the result set, US patent 8,452,749 provides a method of browsing search results in which results the user has not yet seen are highlighted on each page, and the buttons of pages containing such results are highlighted in the page menu.

Protecting a web application against attacks through shared files

US patent 8,341,200. Many web applications have a file-sharing feature that allows web users to share files by uploading them to, and downloading them from, a web-accessible file repository. Shared files may include HTML files and other files containing scripts that the browser executes in the security context of the application user who downloads them. This opens the door to a range of cross-user attacks, including cross-site scripting (XSS) attacks by a user of one application instance against a different instance of the same application. The usual defenses against XSS are not available, because shared files cannot be sanitized. US patent 8,341,200 provides a countermeasure against such attacks that leverages the browser's same-origin policy: each shared file is served from a hostname specific to the collection of shared files of a particular application instance, so that any script it contains runs in that collection's origin rather than in the application's.
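The countermeasure described above, as an added example in Go that is not the patent's or the patentee's code. The hostnames `app.example.com` and `<instance>.shared-files.example.net`, the instance-id syntax, the in-memory repository and its two sample files are constructed; placing the shared-file hostnames under a registrable domain different from the application's is this example's additional choice (the patent text says only that the hostname is specific to the collection), and it keeps application cookies from being sent to the shared-file origins.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"regexp"
	"strings"
)

// Hostnames are this example's assumptions. A script in a shared file runs in
// <instance>.shared-files.example.net, an origin that can reach neither the
// application nor another instance's files.
const (
	appHost      = "app.example.com"
	sharedSuffix = ".shared-files.example.net"
)

var instanceRe = regexp.MustCompile(`^[a-z0-9][a-z0-9-]{0,30}$`)

// SharedFileHost returns the hostname dedicated to one instance's collection.
// Application pages link to shared files only through this hostname.
func SharedFileHost(instanceID string) (string, bool) {
	if !instanceRe.MatchString(instanceID) {
		return "", false
	}
	return instanceID + sharedSuffix, true
}

// instanceFromHost inverts SharedFileHost, ignoring any port in the Host header.
func instanceFromHost(host string) (string, bool) {
	if i := strings.LastIndexByte(host, ':'); i >= 0 {
		host = host[:i]
	}
	if !strings.HasSuffix(host, sharedSuffix) {
		return "", false
	}
	id := strings.TrimSuffix(host, sharedSuffix)
	return id, instanceRe.MatchString(id)
}

// repo maps instance -> file name -> contents. Constructed sample data; the
// first file carries the kind of script the text warns about.
var repo = map[string]map[string]string{
	"alpha": {"notes.html": "<script>alert(document.cookie)</script>"},
	"beta":  {"report.html": "<p>quarterly report</p>"},
}

// sharedFileHandler serves /<name> from the collection named by the Host header
// and nothing else: a request on the application host never reaches shared content.
func sharedFileHandler(w http.ResponseWriter, r *http.Request) {
	id, ok := instanceFromHost(r.Host)
	if !ok {
		http.NotFound(w, r)
		return
	}
	body, ok := repo[id][strings.TrimPrefix(r.URL.Path, "/")]
	if !ok {
		http.NotFound(w, r)
		return
	}
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	fmt.Fprint(w, body)
}

// Serve drives the handler with a given Host and path and returns status and body.
func Serve(host, path string) (int, string) {
	req := httptest.NewRequest(http.MethodGet, "http://"+host+path, nil)
	req.Host = host
	rec := httptest.NewRecorder()
	sharedFileHandler(rec, req)
	return rec.Code, rec.Body.String()
}

func main() {
	for _, c := range [][2]string{
		{"alpha" + sharedSuffix, "/notes.html"}, // alpha's file on alpha's own origin
		{"beta" + sharedSuffix, "/notes.html"},  // another instance's origin: not found
		{appHost, "/notes.html"},                // the application origin: never served
	} {
		code, _ := Serve(c[0], c[1])
		fmt.Println(c[0], c[1], code)
	}
}
```

Deploying this needs a wildcard DNS record and certificate for `*.shared-files.example.net` and a server that dispatches on the Host header, with the handler above bound only to those names; the application's own virtual host must not route any path to the shared repository.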