Enhanced multi factor authentication

US 10,122,715 B2
Filed: 11/28/2016
Issued: 11/06/2018
Est. Priority Date: 11/16/2006
Status: Active Grant

First Claim

Patent Images

1. An authentication computer system comprising:

one or more processors; and

one or more computer-readable hardware storage devices having stored thereon computer-executable instructions that are executable by the one or more processors and that cause the authentication computer system to authenticate a resource access request by causing the authentication computer system to;

receive, from a first client device associated with a user, a request to access one or more resources, wherein the request is received at the authentication computer system via a first communication channel, the request including a username and password;

search a credential data file to determine whether the received username and password are authorized credentials, wherein the username is associated with multiple different passwords in the data file, and wherein each of the multiple different passwords is associated with a different resource;

determine that the received username and password correspond to the requested one or more resources such that the received username and password are authorized credentials for the requested one or more resources;

issue a system-initiated authentication request from the authentication computer system, wherein the system-initiated authentication request is transmitted to a second client device of the user via a second communication channel, and wherein the system-initiated authentication request includes a customized communication;

receive, from the second client device via the second communication channel, a response to the system-initiated authentication request, the response corresponding to the customized communication, wherein the response includes a set of user-provided authentication information, the set of user-provided authentication information including an oral message that was recorded personally by the user and that is associated with the customized communication;

based at least on a determination that the set of user-provided authentication information is valid, grant the first client device access to the one or more resources; and

based at least on a detection of a failure relating to (1) the request to access the one or more resources or (2) the response to the system-initiated authentication request, deny access to the one or more resources and transmit an error message to both the first client device via the first communication channel and the second client device via the second communication channel.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, a network element comprises one or more processors, and a memory module communicatively coupled to the processor. The memory module comprises logic instructions which, when executed by the processor, configure the processor to receive, via a first communication channel, a primary authentication request transmitted from a user from a first device, process the primary authentication request to determine whether the user is authorized to access one or more resources, in response to a determination that the user is authorized to access one or more resources, initiate, a secondary authentication request, and transmit the secondary authentication request from the network element to the user via a second communication channel, different from the first communication channel.

135 Citations

20 Claims

1. An authentication computer system comprising:
- one or more processors; and
  
  one or more computer-readable hardware storage devices having stored thereon computer-executable instructions that are executable by the one or more processors and that cause the authentication computer system to authenticate a resource access request by causing the authentication computer system to;
  
  receive, from a first client device associated with a user, a request to access one or more resources, wherein the request is received at the authentication computer system via a first communication channel, the request including a username and password;
  
  search a credential data file to determine whether the received username and password are authorized credentials, wherein the username is associated with multiple different passwords in the data file, and wherein each of the multiple different passwords is associated with a different resource;
  
  determine that the received username and password correspond to the requested one or more resources such that the received username and password are authorized credentials for the requested one or more resources;
  
  issue a system-initiated authentication request from the authentication computer system, wherein the system-initiated authentication request is transmitted to a second client device of the user via a second communication channel, and wherein the system-initiated authentication request includes a customized communication;
  
  receive, from the second client device via the second communication channel, a response to the system-initiated authentication request, the response corresponding to the customized communication, wherein the response includes a set of user-provided authentication information, the set of user-provided authentication information including an oral message that was recorded personally by the user and that is associated with the customized communication;
  
  based at least on a determination that the set of user-provided authentication information is valid, grant the first client device access to the one or more resources; and
  
  based at least on a detection of a failure relating to (1) the request to access the one or more resources or (2) the response to the system-initiated authentication request, deny access to the one or more resources and transmit an error message to both the first client device via the first communication channel and the second client device via the second communication channel.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The authentication computer system of claim 1, wherein the determination that the set of user-provided authentication information is valid comprises comparing the oral message that was recorded personally by the user with a previously recorded oral message that was also recorded by the user.
  - 3. The authentication computer system of claim 1, wherein the determination that the set of user-provided authentication information is valid comprises analyzing the oral message to determine whether the user spoke a certain set of required words.
  - 4. The authentication computer system of claim 1, wherein the response to the system-initiated authentication request includes a sequence of keystrokes entered by the user, and wherein determining that the set of user-provided authentication information is valid comprises analyzing the sequence of keystrokes to determine whether the sequence of keystrokes is valid.
  - 5. The authentication computer system of claim 1, wherein the first client device and the second client device are a same network device, and wherein the same network device is logically separable such that the same network device includes functionality corresponding to the first client device and includes functionality corresponding to the second client device.
  - 6. The authentication computer system of claim 1, wherein the set of user-provided authentication information is stored in a memory cache for a predetermined period of time.
  - 7. The authentication computer system of claim 6, wherein execution of the computer-executable instructions further causes the authentication computer system to:
    - detect that the user is attempting to access the one or more resources for a second time;
      
      detect that the predetermined period of time has not yet elapsed; and
      
      grant the user access to the one or more resources without requiring the user to present additional authentication information.
  - 8. The authentication computer system of claim 6, wherein execution of the computer-executable instructions further causes the authentication computer system to:
    - when the request to access the one or more resources was received, detect a network address of the first client device;
      
      detect that the user is attempting to access the one or more resources for a second time, the second time being later than when the request to access the one or more resources was received;
      
      detect that the predetermined period of time has not yet elapsed;
      
      detect a current network address that the user is currently using; and
      
      upon a condition in which the current network address and the network address detected when the request to access the one or more resources was received are a same address, grant the user access to the one or more resources without requiring the user to present additional authentication information.
  - 9. The authentication computer system of claim 1, wherein execution of the computer-executable instructions further causes the authentication computer system to:
    - record a number of times the user attempts to access the one or more resources yet provides invalid authentication information; and
      
      upon a condition in which the number of times reaches a predetermined number of times, perform corrective action.
  - 10. The authentication computer system of claim 9, wherein the corrective action is flagging the user as a suspect for fraudulent access.

11. A method, implemented at a computer system that includes one or more processors, for authenticating a resource access request, the method comprising:
- receiving, from a first client device associated with a user, a request to access one or more resources, wherein the request is received at the computer system via a first communication channel, the request including a username and password;
  
  searching a credential data file to determine whether the received username and password are authorized credentials, wherein the username is associated with multiple different passwords in the data file, and wherein each of the multiple different passwords is associated with a different resource;
  
  issuing a system-initiated authentication request from the computer system, wherein the system-initiated authentication request is transmitted to a second client device of the user via a second communication channel, and wherein the system-initiated authentication request includes a customized communication;
  
  receiving, from the second client device via the second communication channel, a response to the system-initiated authentication request, the response corresponding to the customized communication, wherein the response includes a set of user-provided authentication information, the set of user-provided authentication information including an oral message that was recorded personally by the user and that is associated with the customized communication;
  
  based at least on a determination that the set of user-provided authentication information is valid, granting the first client device access to the one or more resources; and
  
  based at least on a detection of a failure relating to (1) the request to access the one or more resources or (2) the response to the system-initiated authentication request, denying access to the one or more resources and transmit an error message to both the first client device via the first communication channel and the second client device via the second communication channel.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The method of claim 11, wherein determining that the set of user-provided authentication information is valid comprises comparing the oral message that was recorded personally by the user with a previously recorded oral message that was also recorded by the user.
  - 13. The method of claim 11, wherein determining that the set of user-provided authentication information is valid comprises analyzing the oral message to determine whether the user spoke a certain set of required words.
  - 14. The method of claim 11, wherein the response to the system-initiated authentication request includes a sequence of keystrokes entered by the user, and wherein determining that the set of user-provided authentication information is valid comprises analyzing the sequence of keystrokes to determine whether the sequence of keystrokes is valid.
  - 15. The method of claim 11, wherein the first client device and the second client device are a same network device, and wherein the same network device is logically separable such that the same network device includes functionality corresponding to the first client device and includes functionality corresponding to the second client device.

16. One or more hardware storage devices having stored thereon computer-executable instructions that are executable by one or more processors of a computer system and that cause the computer system to authenticate a resource access request by causing the computer system to:
- receive, from a first client device associated with a user, a request to access one or more resources, wherein the request is received at the computer system via a first communication channel, the request including a username and password;
  
  search a credential data file to determine whether the received username and password are authorized credentials, wherein the username is associated with multiple different passwords in the data file, and wherein each of the multiple different passwords is associated with a different resource;
  
  determine that the received username and password correspond to the requested one or more resources such that the received username and password are authorized credentials for the requested one or more resources;
  
  issue a system-initiated authentication request from the computer system, wherein the system-initiated authentication request is transmitted to a second client device of the user via a second communication channel, and wherein the system-initiated authentication request includes a customized communication;
  
  receive, from the second client device via the second communication channel, a response to the system-initiated authentication request, the response corresponding to the customized communication, wherein the response includes a set of user-provided authentication information, the set of user-provided authentication information including an oral message that was recorded personally by the user and that is associated with the customized communication;
  
  based at least on a determination that the set of user-provided authentication information is valid, grant the first client device access to the one or more resources; and
  
  based at least on a detection of a failure relating to (1) the request to access the one or more resources or (2) the response to the system-initiated authentication request, deny access to the one or more resources and transmit an error message to both the first client device via the first communication channel and the second client device via the second communication channel.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The one or more hardware storage devices of claim 16, wherein the set of user-provided authentication information is stored in a memory cache for a predetermined period of time.
  - 18. The one or more hardware storage devices of claim 17, wherein execution of the computer-executable instructions further causes the computer system to:
    - detect that the user is attempting to access the one or more resources for a second time;
      
      detect that the predetermined period of time has not yet elapsed; and
      
      grant the user access to the one or more resources without requiring the user to present additional authentication information.
  - 19. The one or more hardware storage devices of claim 17, wherein execution of the computer-executable instructions further causes the computer system to:
    - when the request to access the one or more resources was received, detect a network address of the client device;
      
      detect that the user is attempting to access the one or more resources for a second time, the second time being later than when the request to access the one or more resources was received;
      
      detect that the predetermined period of time has not yet elapsed;
      
      detect a current network address that the user is currently using; and
      
      upon a condition in which the current network address and the network address detected when the request to access the one or more resources was received are a same address, grant the user access to the one or more resources without requiring the user to present additional authentication information.
  - 20. The one or more hardware storage devices of claim 16, wherein execution of the computer-executable instructions further causes the computer system to:
    - record a number of times the user attempts to access the one or more resources yet provides invalid authentication information; and
      
      upon a condition in which the number of times reaches a predetermined number of times, perform corrective action.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Dispensa, Stephen T.
Primary Examiner(s)
Su, Sarah

Application Number

US15/362,719
Publication Number

US 20170078284A1
Time in Patent Office

708 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0869   for achieving mutual authen...

H04L 63/166   at the transport layer

H04L 63/168   above the transport layer

H04L 63/18   using different networks or...

Enhanced multi factor authentication

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

135 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Enhanced multi factor authentication

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

135 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links