Server-assisted authentication
First Claim
Patent Images
1. A method comprising:
- receiving, by a user device, a request to access a website server, the request including a password of the user;
generating, in response to receiving the request to access the website server and by the user device, a first set of account data;
transmitting, by the user device, a subset of the first set of account data to a key server sub-system, wherein the subset of the first set of account data includes an authentication token request transcript, wherein the authentication token request transcript is a message and a dataset, and wherein the message and the dataset are derived, at least in part, from the password;
receiving, by the user device and from the key server sub-system, a first authentication token segment;
generating, by the user device, a second authentication token segment;
generating, by the user device, a full authentication token based, at least in part, on;
a first set of authentication key segments of a plurality of authentication key segments, the authentication token request transcript,the first authentication token segment; and
the second authentication token segment;
transmitting, by the user device, the full authentication token to the website server; and
granting, by the key server sub-system, access for the user device to the website server, wherein the transmitting the full authentication token further comprises transmitting a message to website server, wherein storing a subset of the first set of account data further includes storing a second set of authentication key segments, a device secret, an account identifier, and a public key, wherein a first set of account data includes a password that includes a low entropy value, wherein the low entropy password is a voiceprint, a fingerprint, and a retinal scan, wherein generating a second set of account data, responsive to a request from a user to access a website server, further comprises;
validating the authentication token using the public key and the message;
receiving a checker from the key server sub-system to verify proper receipt of the subset of the first set of transmitted account data, wherein the verification is verifying the full authentication token based, at least in part, on a comparison between a generated checker and the received checker;
storing the subset of the first set of account data; and
deleting a portion of the subset of the first set of account data.
1 Assignment
0 Petitions
Accused Products
Abstract
Authentication of a device through a constructed authentication token. Components of an authentication key are distributed across at least a device and a server, diminishing a likelihood that an individual account is compromised by an attack.
-
Citations
16 Claims
-
1. A method comprising:
-
receiving, by a user device, a request to access a website server, the request including a password of the user; generating, in response to receiving the request to access the website server and by the user device, a first set of account data; transmitting, by the user device, a subset of the first set of account data to a key server sub-system, wherein the subset of the first set of account data includes an authentication token request transcript, wherein the authentication token request transcript is a message and a dataset, and wherein the message and the dataset are derived, at least in part, from the password; receiving, by the user device and from the key server sub-system, a first authentication token segment; generating, by the user device, a second authentication token segment; generating, by the user device, a full authentication token based, at least in part, on; a first set of authentication key segments of a plurality of authentication key segments, the authentication token request transcript, the first authentication token segment; and the second authentication token segment; transmitting, by the user device, the full authentication token to the website server; and granting, by the key server sub-system, access for the user device to the website server, wherein the transmitting the full authentication token further comprises transmitting a message to website server, wherein storing a subset of the first set of account data further includes storing a second set of authentication key segments, a device secret, an account identifier, and a public key, wherein a first set of account data includes a password that includes a low entropy value, wherein the low entropy password is a voiceprint, a fingerprint, and a retinal scan, wherein generating a second set of account data, responsive to a request from a user to access a website server, further comprises; validating the authentication token using the public key and the message; receiving a checker from the key server sub-system to verify proper receipt of the subset of the first set of transmitted account data, wherein the verification is verifying the full authentication token based, at least in part, on a comparison between a generated checker and the received checker; storing the subset of the first set of account data; and deleting a portion of the subset of the first set of account data. - View Dependent Claims (2, 3, 4, 5, 6)
-
-
7. A computer program product comprising:
-
one or more non-transitory computer-readable storage media and program instructions stored on at least one of the one or more non-transitory computer-readable storage media, the program instructions executable by a processor, the program instructions comprising; program instructions to receive, by a user device, a request to access a website server, the request including a password of the user; program instructions to generate, in response to receiving the request to access the website server and by the user device, a first set of account data; program instructions to transmit, by the user device, a subset of the first set of account data to a key server sub-system, wherein the subset of the first set of account data includes an authentication token request transcript, wherein the authentication token request transcript is a message and a dataset, and wherein the message and the dataset are derived, at least in part, from the password; program instructions to receive, by the user device and from the key server sub-system, a first authentication token segment; program instructions to generate, by the user device, a second authentication token segment; program instructions to, by the user device, a full authentication token based, at least in part, on; a first set of authentication key segments of a plurality of authentication key segments, the authentication token request transcript, the first authentication token segment; and the second authentication token segment; program instructions to, by the user device, the full authentication token to the website server; and program instructions to grant, by the key server sub-system, access for the user device to the website server, wherein transmitting the full authentication token further comprises transmitting a message to website server, wherein storing a subset of the first set of account data further includes storing a second set of authentication key segments, a device secret, an account identifier, and a public key, wherein a first set of account data includes a password that includes a low entropy value, wherein the low entropy password is a voiceprint, a fingerprint, and a retinal scan, wherein generating a second set of account data, responsive to a request from a user to access a website server, further comprises; program instructions to validate the authentication token using the public key and the message; program instructions to receive a checker from the key server sub-system to verify proper receipt of the subset of the first set of transmitted account data, wherein the verification is verifying the full authentication token based, at least in part, on a comparison between a generated checker and the received checker; program instructions to store the subset of the first set of account data; program instructions to delete a portion of the subset of the first set of account data. - View Dependent Claims (8, 9, 10, 11, 12)
wherein; the second set of account data further includes a hashed password.
-
-
12. The computer program product of claim 11, further comprising:
-
program instructions to generate the hashed password by hashing the second password, wherein the result is combined with a salt, wherein the hashing is performed using a hashing function; wherein; the salt is a pseudo-randomly generated value, and the second password is received from a user.
-
-
13. A method comprising:
-
receiving, by a key server sub-system, a request to initialize a user account that includes a password of the user; receiving, by the key server sub-system, a request to generate a first authentication token segment for access to the requested user account; receiving, by the key server sub-system, a first set of account data generated by a user device and in response to a request to access a website server, wherein the first set of account data includes an authentication token request transcript, wherein the authentication token request transcript is a message and a dataset, and wherein the message and the dataset are derived, at least in part, from the password; generating, by the key server sub-system and the user device, the first authentication token segment, wherein the first authentication token segment is based, at least in part, on; a first set of authentication key segments of a plurality of authentication key segments, and the authentication token request transcript; the first authentication token segment; and generating, by the key server sub-system and the user device, a second authentication token segment; granting, by the key server sub-system, access for the user device to the requested user account; transmitting, by the key server sub-system, the first authentication token segment to the user device subsystem; receiving, by the key server sub-system, a second set of account data, wherein the second set of account data includes the first set of authentication key segments; and verifying the first set of account data based, at least in part, on a comparison of a first double-hashed password to a second double-hashed password; wherein; the first set of account data further includes the first double-hashed password, the second double-hashed password is generated by hashing a hashed password, wherein the result is combined with a salt, wherein the hashing is performed using a hashing function, and wherein the salt is the authentication token request transcript, and the second set of account data further includes the second double-hashed password. - View Dependent Claims (14, 15, 16)
-
Specification