Continuous multi-factor authentication

US 10,091,184 B2
Filed: 07/10/2017
Issued: 10/02/2018
Est. Priority Date: 06/27/2013
Status: Active Grant

First Claim

Patent Images

1. A computing device comprising:

processor;

a non-transitory machine-readable medium communicatively coupled to the processor; and

instructions in the machine-readable medium which, when executed by the processor, enable the computing device to;

generate a continuous authentication assertion which indicates that the computing device is continuously monitoring authentication of a user according to a reference time interval, wherein the continuous authentication assertion comprises factor information identifying at least one authenticate factor that was used to authenticate the user;

send the continuous authentication assertion to a key distribution center server;

after sending the continuous authentication assertion to the key distribution center server, receive a ticket from the key distribution center server; and

after receiving the ticket from the key distribution center server, use the ticket to obtain access to a service provider server.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Technologies for continuously authenticating a user via multiple authentication factors include a computing device for generating a continuous authentication assertion indicating that continuous authentication of a user is being monitored, sending the continuous authentication assertion to a key distribution center server, and requesting and receiving an initial ticket from the key distribution center server. Such technologies may also include requesting a service ticket from the key distribution center server for accessing a service provider server, receiving a service ticket from the key distribution center server including the continuous authentication assertion, requesting access to the service provider server with the service ticket including the continuous authentication assertion, and accessing the service provider server in response to the continuous authentication assertion being verified.

133 Citations

20 Claims

1. A computing device comprising:
- processor;
  
  a non-transitory machine-readable medium communicatively coupled to the processor; and
  
  instructions in the machine-readable medium which, when executed by the processor, enable the computing device to;
  
  generate a continuous authentication assertion which indicates that the computing device is continuously monitoring authentication of a user according to a reference time interval, wherein the continuous authentication assertion comprises factor information identifying at least one authenticate factor that was used to authenticate the user;
  
  send the continuous authentication assertion to a key distribution center server;
  
  after sending the continuous authentication assertion to the key distribution center server, receive a ticket from the key distribution center server; and
  
  after receiving the ticket from the key distribution center server, use the ticket to obtain access to a service provider server.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. A computing device according to claim 1, wherein:
    - the ticket comprises the continuous authentication assertion; and
      
      the operation of using the ticket to obtain access to a service provider server comprises;
      
      requesting access to the service provider server by sending the ticket with the continuous authentication assertion to the service provider server; and
      
      obtaining access to the service provider server after the service provider server has verified the continuous authentication assertion.
  - 3. A computing device according to claim 2, wherein:
    - the processor comprises a security co-processor;
      
      the computing device further comprises;
      
      memory communicatively coupled to the security co-processor; and
      
      a second processor communicatively coupled to the memory; and
      
      the security co-processor is configured to use a portion of the memory that is not accessible to the second processor to store one or more encryption keys that facilitate secure communication between the security co-processor and the key distribution center server.
  - 4. A computing device according to claim 3, wherein:
    - the security co-processor comprises a trusted execution environment module; and
      
      the instructions in the machine-readable medium comprise instructions which, when executed by the trusted execution environment module, enable the trusted execution environment module to;
      
      authenticate the user with multiple authentication factors before generating the continuous authentication assertion;
      
      monitor continuous authentication of the user;
      
      determine whether the user should remain authenticated; and
      
      notify the service provider server of a loss of the continuous authentication of the user in response to a determination that the user should not remain authenticated.
  - 5. A computing device according to claim 1, wherein:
    - the ticket from the key distribution center server comprises a service ticket;
      
      the instructions, when executed, further enable the computing device to;
      
      before receiving the service ticket from the key distribution center server, receive an initial ticket from the key distribution center server; and
      
      use the initial ticket to request the service ticket from the key distribution center server; and
      
      the instructions, when executed, enable the computing device to send the continuous authentication assertion to the key distribution center server before receiving the initial ticket from the key distribution center server.
  - 6. A computing device according to claim 1, wherein the instructions, when executed, further enable the computing device to:
    - authenticate the user with multiple authentication factors before generating the continuous authentication assertion;
      
      monitor continuous authentication of the user;
      
      determine whether the user should remain authenticated; and
      
      notify the service provider server of a loss of the continuous authentication of the user in response to a determination that the user should not remain authenticated.
  - 7. A computing device according to claim 1, wherein the instructions, when executed, further enable the computing device to:
    - monitor presence of the user relative to the computing device;
      
      generate a continuous presence assertion to indicate that continuous presence of the user relative to the computing device is monitored;
      
      send the continuous presence assertion to the key distribution center server;
      
      determine whether the user remains present relative to the computing device; and
      
      notify the service provider server of a loss of the continuous presence of the user relative to the computing device in response to a determination that the user did not remain present relative to the computing device.

8. An apparatus comprising:
- at least one non-transitory machine-readable medium; and
  
  instructions in the machine-readable medium that, in response to being executed by a computing device, enable the computing device to;
  
  generate a continuous authentication assertion which indicates that the computing device is continuously monitoring authentication of a user according to a reference time interval, wherein the continuous authentication assertion comprises factor information identifying at least one authenticate factor that was used to authenticate the user;
  
  send the continuous authentication assertion to a key distribution center server;
  
  after sending the continuous authentication assertion to the key distribution center server, receive a ticket from the key distribution center server; and
  
  after receiving the ticket from the key distribution center server, use the ticket to obtain access to a service provider server.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. An apparatus according to claim 8, wherein:
    - the ticket comprises the continuous authentication assertion; and
      
      the operation of using the ticket to obtain access to a service provider server comprises;
      
      requesting access to the service provider server by sending the ticket with the continuous authentication assertion to the service provider server; and
      
      obtaining access to the service provider server after the service provider server has verified the continuous authentication assertion.
  - 10. An apparatus according to claim 9, wherein:
    - the instructions that enable the computing device to generate the continuous authentication assertion, send the continuous authentication assertion to the key distribution center server, receive the ticket from the key distribution center server, and use the ticket to obtain access to a service provider server are adapted to be executed by a security co-processor in the computing device; and
      
      the instructions in the machine-readable medium enable the security co-processor to use a portion of memory of the computing device that is accessible to the security co-processor but that is not accessible to another processor in the computing device to store one or more encryption keys that facilitate secure communication between the security co-processor and the key distribution center server.
  - 11. An apparatus according to claim 8, wherein:
    - the ticket from the key distribution center server comprises a service ticket;
      
      the instructions, when executed, further enable the computing device to;
      
      before receiving the service ticket from the key distribution center server, receive an initial ticket from the key distribution center server; and
      
      use the initial ticket to request the service ticket from the key distribution center server; and
      
      the instructions, when executed, cause the computing device to send the continuous authentication assertion to the key distribution center server before receiving the initial ticket from the key distribution center server.
  - 12. An apparatus according to claim 8, wherein the instructions, when executed, further enable the computing device to:
    - authenticate the user with multiple authentication factors before generating the continuous authentication assertion;
      
      monitor continuous authentication of the user;
      
      determine whether the user should remain authenticated; and
      
      notify the service provider server of a loss of the continuous authentication of the user in response to a determination that the user should not remain authenticated.
  - 13. An apparatus according to claim 8, wherein the instructions, when executed, further enable the computing device to:
    - monitor presence of the user relative to the computing device;
      
      generate a continuous presence assertion to indicate that continuous presence of the user relative to the computing device is monitored;
      
      send the continuous presence assertion to the key distribution center server;
      
      determine whether the user remains present relative to the computing device; and
      
      notify the service provider server of a loss of the continuous presence of the user relative to the computing device in response to a determination that the user did not remain present relative to the computing device.

14. A method comprising:
- at a computing device, generating a continuous authentication assertion which indicates that the computing device is continuously monitoring authentication of a user according to a reference time interval, wherein the continuous authentication assertion comprises factor information identifying at least one authenticate factor that was used to authenticate the user;
  
  sending the continuous authentication assertion to a key distribution center server;
  
  after sending the continuous authentication assertion to the key distribution center server, receiving a ticket from the key distribution center server; and
  
  after receiving the ticket from the key distribution center server, using the ticket to obtain access to a service provider server.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. A method according to claim 14, wherein:
    - the ticket comprises the continuous authentication assertion; and
      
      the operation of using the ticket to obtain access to a service provider server comprises;
      
      requesting access to the service provider server by sending the ticket with the continuous authentication assertion to the service provider server; and
      
      obtaining access to the service provider server after the service provider server has verified the continuous authentication assertion.
  - 16. A method according to claim 15, wherein:
    - the operations of generating the continuous authentication assertion, sending the continuous authentication assertion to the key distribution center server, receiving the ticket from the key distribution center server, and using the ticket to obtain access to a service provider server are managed by a security co-processor in the computing device; and
      
      the method comprises using a portion of memory of the computing device that is accessible to the security co-processor but that is not accessible to another processor in the computing device to store one or more encryption keys that facilitate secure communication between the security co-processor and the key distribution center server.
  - 17. A method according to claim 16, wherein:
    - the security co-processor comprises a trusted execution environment module;
      
      the method further comprises;
      
      authenticating the user with multiple authentication factors before generating the continuous authentication assertion;
      
      monitoring continuous authentication of the user;
      
      determining whether the user should remain authenticated; and
      
      notifying the service provider server of a loss of the continuous authentication of the user in response to a determination that the user should not remain authenticated; and
      
      the operations of authenticating the user, monitoring continuous authentication of the user, determining whether the user should remain authenticated, and notifying the service provider server of a loss of the continuous authentication of the user are managed by the trusted execution environment module.
  - 18. A method according to claim 14, wherein:
    - the ticket from the key distribution center server comprises a service ticket;
      
      the method further comprises;
      
      before receiving the service ticket from the key distribution center server, receiving an initial ticket from the key distribution center server; and
      
      using the initial ticket to request the service ticket from the key distribution center server; and
      
      the operation of sending the continuous authentication assertion to the key distribution center server is performed before receiving the initial ticket from the key distribution center server.
  - 19. A method according to claim 14, further comprising:
    - authenticating the user with multiple authentication factors before generating the continuous authentication assertion;
      
      monitoring continuous authentication of the user;
      
      determining whether the user should remain authenticated; and
      
      notifying the service provider server of a loss of the continuous authentication of the user in response to a determination that the user should not remain authenticated.
  - 20. A method according to claim 14, further comprising:
    - monitoring presence of the user relative to the computing device;
      
      generating a continuous presence assertion to indicate that continuous presence of the user relative to the computing device is monitored;
      
      sending the continuous presence assertion to the key distribution center server;
      
      determining whether the user remains present relative to the computing device; and
      
      notifying the service provider server of a loss of the continuous presence of the user relative to the computing device in response to a determination that the user did not remain present relative to the computing device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Smith, Ned M., Cahill, Conor
Primary Examiner(s)
Vaughan, Michael R

Application Number

US15/644,891
Publication Number

US 20170374055A1
Time in Patent Office

449 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/31   User authentication

G06F 21/316   by observing the pattern of...

G06F 21/335   for accessing specific reso...

G06F 21/40   by quorum, i.e. whereby two...

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2141   Access rights, e.g. capabil...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0823   using certificates cryptogr...

H04L 63/12   Applying verification of th...

Continuous multi-factor authentication

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

133 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Continuous multi-factor authentication

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

133 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links