Systems and methods for maintaining split knowledge of web-based accounts

US 10,068,082 B1
Filed: 11/16/2017
Issued: 09/04/2018
Est. Priority Date: 11/16/2017
Status: Active Grant

First Claim

Patent Images

1. A computerized method of enabling multi-factor authentication for a web-based account, the method comprising:

providing a first computing device accessible to a first user and configured with Internet access, a second computing device accessible to the first user, and a backend system accessible to a second user, the backend system in communication with the second computing device via a secure communication network, the backend system having a time-based one-time password (TOTP) token generator and an application programming interface;

creating, by the first user, a web-based account having account details including a username and an account password;

requesting, by the first user, via the first computing device, to enable multi-factor authentication for the web-based account;

displaying, for the first user, via the first computing device, a multi-factor authentication initiation screen including secret information and at least one data field for entering at least one TOTP token;

capturing, by the second computing device, the secret information in memory;

transmitting, by the second computing device, the secret information over the secure communication network to the backend system via the application programming interface;

generating, by the second user, using the TOTP token generator, the at least one TOTP token;

transmitting, by the second user, via the application programming interface, the at least one TOTP token to the second computing device, the second computing device displaying the at least one TOTP token on a token screen;

entering, by the first user, via the multi-factor authentication initiation screen, the at least one TOTP token into a corresponding data field of the at least one data field; and

receiving, by the first computing device, from the web-based account, validation of the at least one TOTP token,wherein only the first user has access to the account password and only the second user has access to the TOTP token generator.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for enabling multi-factor authentication for a web-based account. A first computing device and a second computing device are accessible to a first user. A backend system is accessible to a second user. The backend system communicates with the second computing device via a secure communication network. The first user creates a web-based account and receives a MFA initiation screen including secret information and a field for entering at least one TOTP token. The backend system has a TOTP token generator. The second computing device captures the secret information and transmits it to the backend system. The second user generates at least one TOTP token using the backend system and transmits the at least one TOTP token to the second computing device. The first user enters the at least one TOTP token into the first computing device. The account can then be validated and MFA enabled.

Citations

19 Claims

1. A computerized method of enabling multi-factor authentication for a web-based account, the method comprising:
- providing a first computing device accessible to a first user and configured with Internet access, a second computing device accessible to the first user, and a backend system accessible to a second user, the backend system in communication with the second computing device via a secure communication network, the backend system having a time-based one-time password (TOTP) token generator and an application programming interface;
  
  creating, by the first user, a web-based account having account details including a username and an account password;
  
  requesting, by the first user, via the first computing device, to enable multi-factor authentication for the web-based account;
  
  displaying, for the first user, via the first computing device, a multi-factor authentication initiation screen including secret information and at least one data field for entering at least one TOTP token;
  
  capturing, by the second computing device, the secret information in memory;
  
  transmitting, by the second computing device, the secret information over the secure communication network to the backend system via the application programming interface;
  
  generating, by the second user, using the TOTP token generator, the at least one TOTP token;
  
  transmitting, by the second user, via the application programming interface, the at least one TOTP token to the second computing device, the second computing device displaying the at least one TOTP token on a token screen;
  
  entering, by the first user, via the multi-factor authentication initiation screen, the at least one TOTP token into a corresponding data field of the at least one data field; and
  
  receiving, by the first computing device, from the web-based account, validation of the at least one TOTP token,wherein only the first user has access to the account password and only the second user has access to the TOTP token generator.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1 further comprising entering account details, by the first user, into an account details screen displayed via the second computing device.
  - 3. The method of claim 2 wherein the account details include an account number and a name for the account.
  - 4. The method of claim 2 wherein the second computing device includes a mobile application configured to display the token screen and the account details screen.
  - 5. The method of claim 2 further comprising transmitting the account details, by the second computing device, to the application programming interface of the backend system.
  - 6. The method of claim 5 further comprising storing, by the backend system, the account details in permanent memory of the backend system.
  - 7. The method of claim 6 further comprising receiving confirmation, by the second computing device, from the backend system over the secure communication network, that the account details have been saved and that synchronization of the web-based account with the backend system is complete.
  - 8. The method of claim 1 wherein the secret information is embedded in a Quick Response code.
  - 9. The method of claim 8 wherein the secret information includes account metadata and a secret key for generating the at least one TOTP token.
  - 10. The method of claim 8 wherein transmitting the secret information to the backend system includes determining, based on the Quick Response code, a secret key for generating the at least one TOTP token and transmitting the secret key to the backend system.
  - 11. The method of claim 1 wherein only the second user has access to the system that generates the at least one TOTP token and only the first user has access to the account password.
  - 12. The method of claim 1 wherein the first computing device is a personal computer and the second computing device is a mobile device.
  - 13. The method of claim 1 wherein the backend system includes (i) temporary data storage configured to store the secret information long enough to generate and transmit the at least one TOTP token, and (ii) permanent data storage configured to store the external account details permanently.
  - 14. The method of claim 1 wherein the secret information and the at least one TOTP token are transmitted using a secure communication protocol.
  - 15. The method of claim 1 wherein the at least one TOTP token includes a first TOTP token and a second TOTP token and the at least one corresponding data field includes a first data field and a second data field.
  - 16. The method of claim 15 wherein the first TOTP token and the second TOTP token are generated successively using the same secret information.

17. A TOTP enterprise management system comprising:
- a first computing device accessible to a first user and configured with Internet access, the first computing device configured to (i) create a web-based account having account details including a username and an account password, the web-based account capable of enabling multi-factor authentication, (ii) request to enable multi-factor authentication for the web-based account, (iii) display a multi-factor authentication initiation screen including secret information and at least one data field for entering at least one TOTP token, (iv) receive at least one TOTP token via the at least one data field, and (v) receive from the web-based account validation of the at least one TOTP token;
  
  a second computing device accessible to the first user, the second computing device including a mobile application stored in memory of the second computing device, the mobile application configured to (i) capture the secret information in memory, (ii) transmit the secret information via the mobile application, (iii) receive the at least one TOTP token, and (iv) display the at least one TOTP token on a token screen; and
  
  a backend server computer accessible to a second user, the backend server computer in communication with the second computing device via a secure communication network, the backend server computer including an application programming interface for communicating with the mobile application of the second computing device, a token generation module for generating the at least one TOTP token based on the secret information and transmitting the at least one TOTP token to the second computing device, and an account database for storing the account details,wherein only the first user has access to the account password and only the second user has access to the token generation module.

18. A mobile application enabling multi-factor authentication for a web-based account, the web-based account having details including a username and an account password and being accessible to a first user via a first computing device configured with Internet access, the mobile application comprising:
- a first user-facing module stored in memory of a second computing device and accessible to the first user, the first user-facing module (i) capturing secret information provided by a multi-factor authentication initiation screen displayed via the first computing device, the multi-factor authentication screen including secret information and at least one data field for receiving at least one TOTP token and (ii) transmitting the secret information to a backend system in secure communication with the second computing device via an application programming interface of the backend system;
  
  a second user-facing module stored in memory of the second computing device and accessible to the first user, the second user-facing module displaying one or more TOTP tokens generated by and transmitted from a TOTP token generator of the backend system for entering, by the first user, into the multi-factor authentication initiation screen displayed via the first computing device; and
  
  a third user-facing module accessible to the first user and stored in memory of the second computing device, the third user-facing module receiving account details for the web-based account, the web-based account providing to the first computing device validation of the one or more TOTP tokens,wherein only the first user has access to the account password and only the second user has access to the TOTP token generator.

19. A TOTP enterprise management server for enabling multi-factor authentication for a web-based account, the web-based account having account details including a username and an account password and created by and accessible to a first user via a first computing device configured with Internet access, the TOTP enterprise management server in secure communication with a second computing device that is accessible to the first user, the TOTP enterprise management server comprising:
- an enrollment application programming interface stored in memory of the TOTP enterprise management server and configured to communicate with the second computing device, the enrollment application programming interface receiving secret information from a multi-factor authentication initiation screen displayed for the first user on the first computing device and captured in memory of the second computing device;
  
  a TOTP token generating module stored in memory of the TOTP enterprise management server and accessible by a second user, the TOTP generating module in communication with the enrollment application programming interface, the TOTP token generating module generating one or more TOTP tokens based on secret information transmitted from the second computing device, the one or more TOTP tokens being displayed on a token screen of the second computing device, the first user entering the one or more TOTP tokens into one or more corresponding data fields of the multi-factor authentication initiation screen;
  
  memory for storing an account database having account information, the account database in communication with the enrollment application programming interface;
  
  an administrative module stored in memory of the TOTP enterprise management server, the administrative module in communication with the account database; and
  
  a remediation application programming interface stored in memory of the TOTP enterprise management server, the remediation application programming interface in communication with the administrative module and configured to return one or more TOTP tokens based on requests from a user input having the account information,wherein only the first user has access to the account password and only the second user has access to the TOTP token generating module.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
FMR LLC
Original Assignee
FMR LLC
Inventors
Zheng, Erkang, Kao, Jason Jay, Vetrano, Paul Michael
Primary Examiner(s)
Giddins, Nelson

Application Number

US15/815,465
Time in Patent Office

292 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/34   involving the use of extern...

G06F 21/45   Structures or tools for the...

G06F 21/606   by securing the transmissio...

G06F 21/6218   to a system of files or obj...

H04L 2463/082   applying multi-factor authe...

H04L 63/0838   using one-time-passwords

H04L 63/0846   using time-dependent-passwo...

Systems and methods for maintaining split knowledge of web-based accounts

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for maintaining split knowledge of web-based accounts

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links