Universal Key to Authentication Authority with Human-Computable OTP Generator

The subject of this paper is an enhanced alternative to the Multi-Factor Authentication (MFA) methods. The improvement lies in the elimination of any supplementary gadgets/devices or theft-sensitive biometric data, by substituting it with direct human-computer authentication optionally supplemented by cognitive biometric. This approach remains secure also in untrusted systems or environments. It allows only one secret as a universal private key for all obtainable online accounts. However, the features of this new solution pretend it to be used by the Authentication Authority with the Single-Sign-On (SSO) method of identity and access management, rather than for individual services. This secret key is used by our innovative challenge-response protocol for human-generated One-Time Passwords (OTP) based on a hard lattice problem with noise introduced by our new method which we call Learning with Options (LWO). This secret has the form of an outline like a kind of handwritten autograph, designed in invisible ink. The password generation process requires following such an invisible contour, similar to a manual autograph, and it can also be done offline on paper documents with an acceptable level of security and usability meeting the requirements for post-quantum symmetric cyphers and commercial implementation also in the field of IoT.


I. INTRODUCTION
D UE TO the growing threat of cyber attacks, multi-factor authentication (MFA) or the two-step verification has recently become a cybersecurity standard.
Step 1 -comprises entering a user ID and static password. For security reasons, it is recommended to use different passwords for each online account. As a result, users often adopt insecure password practices (e.g., reuse or weak password) or they have to frequently reset their passwords. Blocki et al. introduced in [7] an innovative Human-Computable Passwords (HCP) scheme, which ensures that even if an adversary has seen one-hundred of the user's passwords still has high uncertainty about remaining passwords. The disadvantage of their scheme is the need to memorize dozens of pictures, mapping to numbers with the help of associated mnemonics.
In such an HCP scheme the user reconstructs each of his passwords by computing the response to a public challenge, by performing simple mathematical operations i.e. addition modulo 10. A similar approach to the idea of password computing is used by our iChip protocol inspired by the topography of electronic microchips and handwriting (Fig. 1). It requires much less effort to remember the secret in the form of only one (but detailed) picture, and only half the time for authentication. As we show in Section VI, it guarantees a safe generation of many thousands of such passwords. What follows, it can be used as an OTP generator as well.
Step 2 -requires usually an additional electronic device (using the same device in both steps may not be safe), that uses an embedded one-time password (OTP) generator or biometrics. In such cases, the OTP is entered into the verification system automatically, e.g., from a smartcard or an IoT device, or by the user after being read from the screen of a token or personal smartphone via SMS or special application. Unfortunately, this solution does not ensure that the device is being used by its owner; it must be always available, and can be stolen, lost, damaged or cloned. Biometric methods are an alternative, but these can be relatively easily cheated by replay attack using snooped biometric data, and with help of machine learning or AI algorithm if necessary [18].
The MFA obviously requires more time than entering a regular static password. Therefore, a human generated OTP protocol with comparable authentication time and sufficient security, eliminating the long list of drawbacks mentioned above, stands a chance of mass user acceptance.
Many attempts to achieve this goal have been made for over 30 years since Matsumoto's first publication [1] in 1991, but only two protocols have been commercially implemented: HB presented by Hopper and Blum in [2] and GrIDsure (GS) presented in [19]. We will show further that our iChip scheme has security properties better than HB and usability close to GrIDsure, while eliminating their drawbacks.
-The HB is based on the Learning Parity with Noise (LPN) method, which ensures a high level of security, but the time of ca. 668 sec. needed for authentication by a human is too long to be acceptable. Nevertheless, the properties of this protocol or later improved variants (HB+, HB#) are well suited to applicate in resource-constrained devices, such as Internet of Things (IoT) devices or RFID.
-The GrIDsure scheme has exactly the opposite properties confirmed in [19]: the high usability level and very low level of safety, as only 3 samples of challenge-response pairs are sufficient to reveal the secret. In addition, the entropy of this scheme is also low, as detailed research has shown, that users choose secret patterns that are easy to remember and frequently reused, so its scheme is highly vulnerable to dictionary attacks, as the choice is very limited due to the small grid and the small number of secret objects. The only effective improvement proposed in [20] is the use of a few secrets switched by the Out-of-Band (OOB) channel, but that requires the employment of an additional device that we intend to eliminate.
The iChip has similar usability properties to GrIDSure as the secret pattern of cells in the grid is employed by both schemes. However, the similarity is noticeable only in the socalled generator block. The most significant difference lies in the extraordinary mapping method used in iChip, which makes a huge difference in the key space (3e+5 vs 3e+154), and provides many thousands of times greater resistance against peeping attacks than GS. The conclusions about low practical entropy of GS do not apply to the iChip as getting all the easy-to-remember keys from such a huge key space is a task with a difficulty near to brute-force, which is not feasible for current supercomputers.
As mentioned above, the iChip is applicable also in step 1 of the MFA as one universal secret key to the creation of multiple original static passwords for each online account. However, the first step of MFA is redundant in this case as it relates to the same secret as the OTP generator. On the other hand, instead of the 1st step, we propose a discreet introduction of the 2nd factor in the form of cognitive memory using proposed in Section III-E, and Single Sign-On (SSO) method based on the OAuth2.0 protocol [23] under control of authentication server (as an Authenticating Authority) that owns the user identities and credentials, including the iChip secret key or container with multiple pairs of challenges and hashed OTPs.
The contributions of this work are: the challenge-response cryptographic protocol, based on lattice problem with noise, introduced by our Learning with Options (LWO) method as a more effective new variant of the LPN method of easy OTP computation by a human; a graphical interface for the implementation of that protocol, which allows the user to create his secret in the form of an easy-to-remember image, and a special wizard to compose it; both well-proven in usability and security study discussed after the presentation of mathematical rules, illustrated by examples of the iChip core and its TurboChip overlays; further protocol enhancement against active attacks and by cognitive memory usage.
The completed implementation can be tested in an interactive demo or viewed in a short film, either as a professional tutorial or an alternative version made by children participating in the research process; both available online [25]. It is much more effective to understand than a mathematical description.

STRENGTH OF THE PROTOCOL
An important element of the iChip scheme is the implementation of the Learning with Rounding (LWR) method, which is an LPN variant of worst-case hard lattice problem included in the lattice-based cryptography. The implementation of core LPN or Learning with Errors (LWE) methods increase the security of any protocol; however, the degree of usability is reduced, and authentication requires much more time, as the user has to perform additional protocol rounds to compensate for rounds lost to incorrect responses due to reduced resistance to random attacks. In contrast, the LWR and described below LWO methods requires only correct responses. The iChip uses Equation 1 in Section III-A, as its base function which satisfies the criteria of the LWR method of deterministic rounding by x mod p, where p = 10 is admittedly too small to effectively introduce noise, but convenient for human computation. This function is a node for the various protocol variants and for our proposed LWO method of introducing noise, which is far more efficient.

III. THE ICHIP AS AN OTP GENERATOR
The iChip is a challenge-response protocol to authenticate the user to the verifier using the shared secret, where the user has to answer the challenge generated by the verifier (server). The way the iChip scheme worked was inspired by the image of the photolithographic mask used to create conductive paths on the surface of PCBs (Printed Circuit Board) or ICs (Integrated Circuits) like shown in Fig.1. The user composes his secret by designing such a layout in a special wizard by drawing a map of blocks B of masking elements as paths conducting the digital signal from input to output; provided from the generator block. These paths will determine the change in value from V inp at the input to V out at the output and define their properties and mutual logical relations. This layer consists of n × n fields and is represented by the C matrix, containing n × n cells.
The user specifies his secret key S by specifying a list of b blocks that occupy the fields selected by him from the C matrix, and specifies the block elements that act as input or output. For a short and easy explanation, we will use the example of the secret key illustrated in Fig. 2 or Fig. 4 as an iChip layout and the matrix coordinates of the input and output elements encoded hexadecimal in the associated table, while for the description of the protocol, we will use the Python convention. The C matrix is a set of n We use also an alternative compact notation of block elements as: " chip size (the matrices describing both private part of the key and the challenge matrix have size N = n × n); " parameter describing OTP length, L 10; " maximal number of blocks, for the sake of clarity and memorability we restrict 1 b 10; " maximal block length k 10; A. Generating OTP G = B 0 is the first of these blocks in key S, and it is called a generator because it does not contain inputs and the values V G = C[G] from all its L = |B 0 | output elements are mapped by the remaining blocks. The user has to remember the position of all blocks and their order in the S. The verifier generates a challenge matrix C of N random digits. To generate the OTP, the user has to collate the C matrix with the secret key S and calculate all OTP digits, one at each i-th of L = |OTP| rounds of the protocol in the following 3 steps: . If no such coordinates are found in the j-th block, move to the subsequent block. By j = φ denote the index of the current block (φ) in which the searched so-called target input (ψ) has been found first and let 3) The i-th digit of the OTP you will get as To avoid overloading the first blocks, it is recommended to resume the search for V i inp from the block next to the last searched. For additional security, the following three exceptions/rules (*I, *O, *Θ) have been added to the 2nd step of the algorithm; these significantly increase the resistance of the iChip protocol against passive attacks with a statistical algorithm or Gaussian Elimination. For their consideration let However, first, we will present a simple example illustrated in Fig. 2 to explain the principle of calculating the OTP without the exceptions mentioned above. Alternatively, it is recommended to watch the short video tutorial [25]. There are generator block 0 containing 4 light blue cells in the matrix corners and two mapping blocks labeled by their index (1 or 2) in the example above (Fig. 2). In the 1st round, we read the value V 1 inp = 3 from the 1st element of generator block at position (0, 0).
We look for this value sequentially in all mapping blocks from 1 to 2. The first occurrence of this value is in the last element of block 2, i.e. B I 2 [5] in cell (6,6), which is the target input ψ = 5 in the current block φ = 2. Now, we read a value of the output element of this block, which is in cell (8,4), hence V 1 out = C[8, 4] = 5. The 1st round ends with a calculation of the 1st OTP digit according to Equation 1 as: inp be the sum of all input elements of the current block, from ψ to ψ + n, where ψ + n |B I φ | and n 2: This introduces non-linearity to cryptanalysis and protection against Gaussian Elimination, as the number of arguments in Equation 2 varies randomly in each challenge. Depending on the variant of *I, the q modulus can be 10 or omitted as default. *O) If the current block B φ contains more than one output element |B O φ | > 1, then randomly choose one of them as . This is the case of using the LWO method illustrated by Fig. 3: Block 2 with fields labeled by 2 has two outputs/options at positions (3,1) and (3,3). If the value searched for is found in this block, then the user has to choose one of these two options at random.  has a value of 9. Since ψ = 2 < |B I 4 | = 3, then due to rule *I:

C. TurboChip overlays for the iChip protocol
For a radical reduction of an authentication time, we have developed two variants of TurboChip overlays for the iChip scheme. They only uses 1 round of the base iChip protocol and only needs 1 element in the generator block. In the example below ilustrated in Fig.5 The ClickChip generates response as matrix coordinates instead of digits. This approach requires a bit of proficiency from the user, however, it allows cutting the number of protocol rounds in half. It stands as a good trade-off for it and is explained in the example illustrated in Fig. 5. Determining of 3 matrix coordinates in the range of (-8, -8) to (8,8), one at each i-th of 3 rounds of ClickChip protocol is as follows: We go to the i-th element in j = φ + i block. Now, get the value of this element to calculate the distance of d i fields, ) mod 10; to move the virtual pointer on a horizontal, vertical or diagonal line towards the centre of the grid. Important notes: The order of choosing these directions is random, but 1 diagonal and 1 reverse direction must be used if d i is lower than the distance from the edge of the grid. For long blocks: If |B I j | > 3 then the counting of d i cells starts from the element whose value is closest to d i .
To quickly find the endpoint, move the pointer in jumps a'4 fields, with a help of the coloured background lines.

D. Preliminary stage against active attacks
In this stage, User U and Verifier V swap their roles, so V responds to U's challenge. V initiates the authentication process by sending a challenge to U. Then, U randomly clicks on any field in C, and the element of the block closest to that field is used as ψ for the calculation of OTP[0]. U remembers it and sends such a challenge to V. In response, V has to calculate the OTP[0] in this same way, and then generate a new challenge, but the value of V G [0] is set to OTP[0], which is hidden. The next 3 rounds run as usual according to ClickChip.

E. Biometrics, captcha and clock in the iChip scheme
To further strengthen the iChip protocol it is beneficial to increase the entropy of the random option selection in the LWO case by aid of a pseudorandom number generator, the result of which is entered via a cognitive biometric interface working like an OOB channel. This interface (emOTP) is based on the stimulation of emotional states by recalling the knowledge already acquired in the past and preserved in long-term memory. The great advantage of this approach is that the user is not required to remember a secret specially built for this purpose, so they can without much effort, insert a lot of such items into the user's account profile resources in the form of catchwords or pictures, associated with its evaluation in points: +1 as positive, -1 as negative and 0 as neutral; referring to a universal question, e.g., Do you like it? with possible answers: Yes, No, Neutral. The response can be effortlessly applied to choose/address 1 of the 2 or 3 options when using the LWO method.
Increasing the range of ratings to 10 points requires changing the above question to How much do you like it?. Now, the response ranging from 0 to 9 allows the generator block to be completely replaced. Unfortunately, the limitation of such a generator is its inaccuracy, occurring from poor behavioural repeatability. Nevertheless, due to the LWO, the unintended incorrect response to the emOTP challenge does not affect the response correctness. Hence, an additional protocol round to compensate for this mistake is not needed. In other cases than the LWO, such a 3 stage emOTP trigger/generator in the iChip protocol can be used as a biometric factor in the MFA. The emOTP criteria should be quick to evaluate and be personal, rather than popular and predictable. The challenge in the form of an image (as an example in Fig. 7) can work well as a captcha at the same time. As an alternative and much simpler source of entropy for the LWO method, a random moment of reading seconds from the system clock or user's watch can be used.

V. BRIEF ANALYSIS OF USABILITY -Intelligibility
Our time-limited study only focused on a small group of children aged 8-10, assuming that the adult performance should be better, because modular addition and abstract thinking are required, which develops with age [16]. For this group, the iChip protocol was compared with that of a board game, more especially the well-known Monopoly or Jumanji, where the throws of the dice symbolize the operation of the generator block, and all the fields on the board forming the track constitute the iChip blocks, which user have to go to achieve the target field/input and finally make a decision according to the rules of the game protocol The children took 1 standard lesson unit (45') to learn the protocol and the special wizard to design their own microchip.
-Memorizing and Rehearsing The appropriate distribution of block elements is of major importance for entropy level and easy memorization of the entire structure of the secret. To obtain the maximum practical entropy and to make it easier to remember the secret, a suitable background image is very helpful, which can be built individually by the user or proposed by the wizard as a random structure. It is profitable to draw the secret contours in a single sequence like a short piece of text (e.g., Fig. 1) or a simple shape (e.g., Fig. 5). Additionally, since all key elements are used each time, the whole secret image can be easily remembered after 30-45 minutes of repeated authentication training attempts and frequently refreshed at the use stage.

-Authentication Time
The authentication time is proportional to the user's cognitive workload -ranges from 4 to 8 seconds (≈ 6) in each round of response, depending on the composition of the secret and the user's skill. After several searches, visual perception adapts a parallel analysis approach, i.e. the search for an ψ element with V inp is not performed element-by-element, but in blocks, just like reading a text, with whole words being interpreted, rather than individual letters. Each modular addition and block search require ca. 1 sec. For the user who has to look at the keyboard to enter OTP, it will be easier, and faster, to use voice input, which is also a good source of biometric data and a 3-rd authentication factor. After introducing of TurboChip overlay, the authentication time is significantly reduced up to ≈15 seconds if the user becomes an experience in using it.

VI. BRIEF ANALYSIS OF SECURITY
The resistance to a random attack depends on the number of OTP digits calculated by the user. Their number L is arbitrary and depends on the needs of the authentication system, e.g., L = 6 like OTP in most e-banking systems. Using the ClickChip overlay slightly weakens the protocol if the attacker records user responses, as it allows to reduce the number of possible click locations from N = 324 down to 207 (in the worst case - Fig. 6), however, the probability of p=7e-7 of randomly hitting the correct OTP is still lower than for 6 decimal digits, i.e. p=1e-6.
The iChip's resistance to active attacks is ensured in the preliminary stage (see Section 3.4) or by the hashing and signing the authenticated message, as the HHMAC is valid only for the signed message (see Section IV).
As the challenge in the iChip protocol is generated full at random, it is fully immune to frequency analysis.
The iChip's entropy is of course lower in practical use than its key size of 512 bits, but much higher than a text password due to large number of possible fonts and their positioning on the large grid or cell order. A good example is the word iCHIP used in Fig 1. The number of possibilities for designing this contour is enormous, despite the use of many symmetries compared to the number of combinations that the use of lowercase and uppercase letters offer.
The resistance to brute-force and Grover's quantum algorithm is provided by NP-hard lattice problem and huge keys space (see Table 1), estimated as follows: where: Estimating the resistance of an authentication protocol to peeping attacks is very important, but also highly-complex, especially in the case of iChip, as it can simultaneously use many protocol variants, which interfere with each other and further increase their effectiveness (see Appendix). Therefore, we considered them separately, based on the results of related works: [2], [7], [6].
By using the LPN method or its variants, it is possible to efficiently reduce the amount of information leaked about the secret by random injection of erroneous information in the LWE or deterministic rounding in the LWR. Such leakage can also be reduced by modular reduction x mod p, or by randomly selecting one of several correct LWO options.
It also works similar to introducing an error in the expected, acceptable narrow range. However, introducing noise too much here increases vulnerability to random attacks as well.
As shown in [7]: The k number of arguments used in the function f (x 1 , x 2 , ..., x k ) = x 1 +x 2 +...+x k mod p depends on the safety function for the statistical algorithm r(f ) = k/2, however, f cannot be linear, because then the security for Gaussian Elimination is g(f ) = 0 and the Equation 1 for LWR implementation in iChip takes only 2 arguments (k = 2). Therefore, in this case the secret could be recovered even from O(n) challenge-response samples: m = n s , s = min(g, r). Fortunately, the introduction of noise by the LWO method in iChip brings the same effect as LPN in the HB [2], which does not allow the simple use of Gaussian Elimination, and the adversary needs to see O(n 2 ) samples to reveal the secret, also in the case of secret's low entropy [14].
On the other hand, introducing an exception *I gives up to 2 additional arguments by Eq. 2 to this base function, hence 2 k 4. The number of these arguments is not constant but varies randomly in each challenge, so the Eq. 1 becomes highly nonlinear, especially since V out is the result of a previously used mapping, Any statistical adversary needs approximately m = n r(f )/2 samples to recover the secret, where n is the key size (512 bits for iChip), therefore, if both exceptions (*I and *O) are used then estimated safety function is limited by: s = min(g, r) = min(2, 2) = 2, hence m ≈ 262, 144 challenge-response samples are needed to reveal the secret.
We tested the resistance of the protocol against finding the secret key with an advanced Genetic Algorithm, which ran for m=1,000, m=10,000 and m=20,000 samples over several days on a computer with an 18-core CPU (Intel i9). The secret created in the default grid size of N = 256 but without exceptions (*I, *O) was found after approx. 2 hours of operation. After introducing the LWO, the cracker found a secret key only for microparameters i.e. N = 25 (Fig. 3).
With the simultaneous inclusion of *I and *O exceptions, the 2-days search did not give a correct result even for N = 49, represented by the microkey in Fig. 9. The tests conditions and results are available online [25].

VII. RELATED WORK
Referring to the data in Table 1 of the article from 13th NDSS [12] and the latest publications until today, we have compiled in Table 1, the parameters of the best Human Generated Passwords Protocols, that were created in the years 1991-2017 (there is no significant contribution after 2017), as a comparison with iChip. As we can see, the iChip's parameters have a significant advantage over all others, both in terms of security (key size, keyspace, s(f )) and usability (secret's memorizing and authentication time closest to grIDsure). Only HB, HCP, and iChip are protected against linearization [9], where m = O(n s ) strongly depends on the key size n.
The enhanced versions of HB+, Foxtail+ also offer protection against active attacks, but only ClickChip and HHMAC are suitable for the user due to the required authentication time.

VIII. CONCLUSIONS
The result of our work are the iChip protocol and two TurboChip overlays, which significantly accelerate the OTP generation process and all these variants meet the safety and usability criteria required for commercial implementation.
-The FlexiChip is our favorite due to the smaller workload for the user and flexibility in generating passwords of any length L from 1 to k = |S|. As the video tutorial [25] shows, the 6-digit OTP computation time easily reaches 15 seconds. The protection against active adversary attacks is provided by the HHMAC with use of standard hash algorithm, preferable SHA-256 or SHA-512. Such signature can be also performed by the user offline on paper documents without any gadgets and automatically scanned and loaded into the system, where this signature is verified.
-The ClickChip overlay has the advantage of using the preliminary round to immediately detect an active adversary attacks and is more glamorous, but requires more proficiency in determining matrix coordinates. At the level of quasi automatic distance evaluation, the authentication time could be reduced to even 15 seconds, similar to the FlexiChip.
The iChip protocol parameters are well-suited to applicate also in resource-constrained devices, like IoT or RFID.

APPENDIX A INCREASING THE ICHIP ENTROPY
In the sample of 920 students of our university, no secret pattern was repeated. However, the entropy of iChip can be effectively increased by further increasing the key size as shown in subsections A and B, or by using of a suitable background image, which can be built individually by the user or proposed by the wizard as a random structure. The visual structure of such a background image (e.g., Fig. 10) provides reference points for easy remembering the image of the secret and thus allows building a secret key with much higher practical entropy.

A. The iChip as multi-layout interface with 3D key
The iChip interface allows the user to expand the secret not only in 2 dimensions (row x and column y), but also use the 3rd dimension, i.e., the z parameter used here as a layout index (default z = 1), marked in colour of the secret elements and is indicated in the i-th round by z = V G [i + 1]. In this simple way, the key size can even exceed a thousand bits, without increasing the C size, where N |z|=1 = x · y = |C| ≈ 256. Fig. 11 shows an example of a 3D secret that has been adapted from the secret key in Fig. 4, where |z| = 2, N 2 = 450, by adding 2 blocks on 4 additional layers resulting in |z| = 6 and N 6 = 3 · N 2 = 1350. The zoomed fragment of the challenge image in Fig. 11 shows the first round (i = 1) of the OTP calculation: Since z = V G [i + 1] = 7, the search for a value of V G [1] = 4 must start in block 7. It appears in the last element of this block B I 7 [5] at position (6, 2), so we read the value of 3 at the associated output in cell (7,4)

B. The iChip as multi-protocol platform
A solution with a large number of protocol variants that can be combined with each other using a simple settings manager is beneficial for increasing its resistance, and makes the scheme more user-friendly, who only needs to know the variants he choose to create his secret. For example, choosing 5 out of 50 variants, the cracker has to check 2,118,760 additional combinations, which must first be analyzed and coded in such a cracker. This number can still expand as each subtle change in protocol represents a new variant that can be created not only by the scientist, but also by the creative user.
The iChip enables the implementation of other Human-Computable Password Protocols, and acts as an open platform for them. We invite other researchers to use it to compose their own licensed variant of HCPP or an adaptation of a previously developed one.
As an example implementation, we used the Foxtail scheme proposed in 2005 by Li and Shum in [3], adapted in 2020 for the needs of IoT in [6]. There are 4 pass-objects in the challenge given in Fig. 12, hence the response R = 4 mod 2 = 0. For a standard 6-digit OTP, this procedure must be repeated for 20 rounds, each for 1 bit. For implementing the Foxtail protocol on the iChip platform, selected input elements are used as a hidden chain of challenge window in the Foxtail schema. To redirect the binary response of Foxtail, we use two output elements appropriate for the expected binary response (0 or 1) and any 3rd output as an option for the LWO method. Therefore, instead of four protocol rounds for each OTP digit, only one round is needed. To define a trigger for switching between Foxtail and iChip subprotocols, we assume that if the value searched for V G [i] is found in the first block, then all input elements are treated as a challenge for the Foxtail scheme. Otherwise, for the iChip rules. As counted pass-objects, we assume the value of V i inp . After adapting the example in Fig. 4 for the Foxtail implementation illustraded in Fig. 13: The first element V G [1] at position (0, 4) has a value of 8, which appears in the first block; therefore, all input elements in S are treated as a Foxtail challenge. As there are 3 entries with the value of 8, in cells [ (6,4), (5, a), (c, 5)], the response is 3 mod 2 = 1.
However, according to the redirection rules, we use this response for binary addressing of the 2nd element from 2 locations: (d, 7) for 0 and (e, 7) for 1.

APPENDIX B THE ICHIP IMPLEMENTATION IN THE E-BANKING SYSTEM
We have implemented the iChip protocol in the e-banking system, in which it is used both for logging in and for authorizing transactions. The screenshot in Fig. 14, shows a form for entering the personal data and personalizing the virtual token, visualized as an iPad tablet. The form in the background shows a special wizard for designing of a graphic identifier and secret key, i.e. its image on the right side and the associated code table on the left side. This token implements the iChip protocol and the Turbo-Chip overlays. The token window opens on the form to be authorized. The response for the Click-Chip challenge is shown on the token screen.
The e-banking system is available online [25].