Techniques for access management based on multi-factor authentication including knowledge-based authentication

US 10,157,275 B1
Filed: 10/12/2017
Issued: 12/18/2018
Est. Priority Date: 10/12/2017
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

performing a first authentication of a user in response to receiving, from a first device of the user, a request to access a resource;

based on the first authentication being successful, performing a second authentication of the user to determine whether to permit access to the resource, the second authentication comprising;

identifying, by a computer system of an access management system, a second device associated with the user, wherein the second device is registered with the access management system as a trusted device for the user, and wherein the second device is different from the first device;

transmitting, by the computer system, via a communication system, to the second device, encrypted data including a first identifier, wherein the first identifier is used by an application on the second device when communicating with the access management system;

receiving, from the application, a request to perform the second authentication;

determining that the request to perform the second authentication includes a second identifier;

responsive to determining that the second identifier matches the first identifier, obtaining authentication data, the authentication data including media content provided by the user at the first device for use in connection with the second authentication, one or more questions related to the media content, and one or more answers corresponding to the one or more questions;

sending, to the second device, the media content, wherein the application displays the media content to the user at the second device;

sending, to the first device, the one or more questions related to the media content, wherein the first device displays the one or more questions to the user;

receiving, from the first device, a response by the user to the one or more questions; and

determining, by the computer system, whether the response satisfies the one or more answers corresponding to the one or more questions; and

based on determining that the response satisfies the one or more answers corresponding to the one or more questions, permitting the first device to access the resource.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An access management system is disclosed that can employ multi-factor authentication (MFA) using multiple types of authentication. In at least one embodiment, techniques may include implementing multi-factor authentication (MFA) including knowledge-based authentication (KBA). MFA may be based on multiple factors, such as “what you know” (e.g., a password or an answer to a question known by a user) and “what you have” (e.g., a trusted device registered for a user). In at least one embodiment, multiple devices (e.g., a desktop computer and a mobile device) may be utilized to provide for stronger authentication using a combination of what a user has. The combination of MFA based on what you know (e.g., KBA) and what you have (e.g., a trusted device) may further ensure authentication is not compromised. The techniques disclosed herein may provide for a stronger form of authentication to reduce, if not eliminate, possible vulnerabilities for access management.

Citations

20 Claims

1. A method comprising:
- performing a first authentication of a user in response to receiving, from a first device of the user, a request to access a resource;
  
  based on the first authentication being successful, performing a second authentication of the user to determine whether to permit access to the resource, the second authentication comprising;
  
  identifying, by a computer system of an access management system, a second device associated with the user, wherein the second device is registered with the access management system as a trusted device for the user, and wherein the second device is different from the first device;
  
  transmitting, by the computer system, via a communication system, to the second device, encrypted data including a first identifier, wherein the first identifier is used by an application on the second device when communicating with the access management system;
  
  receiving, from the application, a request to perform the second authentication;
  
  determining that the request to perform the second authentication includes a second identifier;
  
  responsive to determining that the second identifier matches the first identifier, obtaining authentication data, the authentication data including media content provided by the user at the first device for use in connection with the second authentication, one or more questions related to the media content, and one or more answers corresponding to the one or more questions;
  
  sending, to the second device, the media content, wherein the application displays the media content to the user at the second device;
  
  sending, to the first device, the one or more questions related to the media content, wherein the first device displays the one or more questions to the user;
  
  receiving, from the first device, a response by the user to the one or more questions; and
  
  determining, by the computer system, whether the response satisfies the one or more answers corresponding to the one or more questions; and
  
  based on determining that the response satisfies the one or more answers corresponding to the one or more questions, permitting the first device to access the resource.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein sending the media content and sending the one or more questions occurs concurrently.
  - 3. The method of claim 1, further comprising:
    - generating security data for use in communication between the application and the access management system; and
      
      sending a portion of the security data to the second device in connection with registration of the second device.
  - 4. The method of claim 3, wherein the request to perform the second authentication is encrypted using the portion of the security data sent to the second device.
  - 5. The method of claim 3, wherein the media content sent to the second device is encrypted using the security data.
  - 6. The method of claim 1, wherein the media content is an image.
  - 7. The method of claim 1, wherein the media content is a video.
  - 8. The method of claim 1, further comprising:
    - generating the first identifier, wherein the first identifier is a transaction identifier generated for the second device.
  - 9. The method of claim 1, wherein the communication system is a push notification system.
  - 10. The method of claim 1, wherein the second device is a mobile device.

11. An access management system comprising:
- one or more processors; and
  
  a memory accessible to the one or more processors, the memory storing one or more instructions that, upon execution by the one or more processors, cause the one or more processors to;
  
  perform a first authentication of a user in response to receiving, from a first device of the user, a request to access a resource;
  
  based on the first authentication being successful, perform a second authentication of the user to determine whether to permit access to the resource, the second authentication comprising;
  
  identifying a second device associated with the user, wherein the second device is registered with the access management system as a trusted device for the user, and wherein the second device is different from the first device;
  
  transmitting, via a communication system, to the second device, encrypted data including a first identifier, wherein the first identifier is used by an application on the second device when communicating with the access management system;
  
  receiving, from the application, a request to perform the second authentication;
  
  determining that the request to perform the second authentication includes a second identifier;
  
  responsive to determining that the second identifier matches the first identifier, obtaining authentication data, the authentication data including media content provided by the user at the first device for use in connection with the second authentication, one or more questions related to the media content, and one or more answers corresponding to each of the one or more questions;
  
  sending, to the second device, the media content, wherein the application displays the media content to the user at the second device;
  
  sending, to the first device, the one or more questions related to the media content, wherein the first device displays the one or more questions to the user;
  
  receiving, from the first device, a response by the user to the one or more questions; and
  
  determining whether the response satisfies the one or more answers corresponding to the one or more questions; and
  
  based on determining that the response satisfies the one or more answers corresponding to the one or more questions, permit the first device to access the resource.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The access management system of claim 11, wherein sending the media content and sending the one or more questions occurs concurrently.
  - 13. The access management system of claim 11, wherein the instructions, upon execution by the one or more processors, further cause the one or more processors to:
    - generate security data for use in communication between the application and the access management system; and
      
      send a portion of the security data to the second device in connection with registration of the second device.
  - 14. The access management system of claim 13, wherein the request to perform the second authentication is encrypted using the portion of the security data sent to the second device.
  - 15. The access management system of claim 13, wherein the media content sent to the second device is encrypted using the security data.
  - 16. The access management system of claim 11, wherein the instructions, upon execution by the one or more processors, further cause the one or more processors to:
    - generate the first identifier, wherein the first identifier is a transaction identifier generated for the second device.

17. A non-transitory computer-readable medium storing one or more instructions that, upon execution by one or more processors, causes the one or more processors to:
- perform a first authentication of a user in response to receiving, from a first device of the user, a request to access a resource;
  
  based on the first authentication being successful, perform a second authentication of the user to determine whether to permit access to the resource, the second authentication comprising;
  
  identifying, at an access management system, a second device associated with the user, wherein the second device is registered with the access management system as a trusted device for the user, and wherein the second device is different from the first device;
  
  transmitting, via a communication system, to the second device, encrypted data including a first identifier, wherein the first identifier is used by an application on the second device when communicating with the access management system;
  
  receiving, from the application, a request to perform the second authentication;
  
  determining that the request to perform the second authentication includes a second identifier;
  
  responsive to determining that the second identifier matches the first identifier, obtaining authentication data, the authentication data including media content provided by the user at the first device for use in connection with the second authentication, one or more questions related to the media content, and one or more answers corresponding to the one or more questions;
  
  sending, to the second device, the media content, wherein the application displays the media content to the user at the second device;
  
  sending, to the first device, the one or more questions related to the media content, wherein the first device displays the one or more questions to the user;
  
  receiving, from the first device, a response by the user to the one or more questions; and
  
  determining whether the response satisfies the one or more answers corresponding to the one or more questions; and
  
  based on determining that the response satisfies the one or more answers corresponding to the one or more questions, permit the first device to access the resource.
- View Dependent Claims (18, 19, 20)
- - 18. The non-transitory computer-readable medium of claim 17, wherein the one or more instructions, upon execution by the one or more processors, further cause the one or more processors to:
    - generate security data for use in communication between the application and the access management system; and
      
      send a portion of the security data to the second device in connection with registration of the second device.
  - 19. The non-transitory computer-readable medium of claim 17, wherein the one or more instructions, upon execution by the one or more processors, further cause the one or more processors to:
    - generate the first identifier, wherein the first identifier is a transaction identifier generated for the second device.
  - 20. The non-transitory computer-readable medium of claim 17, wherein sending the media content and sending the one or more questions occurs concurrently.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Venkatasamy, Satishkumar, Rana, Rima, Panda, Durga Harini, Ramadoss, Lakshmi
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
Beheshti Shirazi, Sayed Aresh

Application Number

US15/782,700
Time in Patent Office

432 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/10   Protecting distributed prog...

G06F 21/36   by graphic or iconic repres...

G06F 21/40   by quorum, i.e. whereby two...

G06F 21/42   using separate channels for...

H04L 2463/082   applying multi-factor authe...

H04L 63/0428   wherein the data content is...

H04L 63/0853   using an additional device,...

H04L 63/0861   using biometrical features,...

H04L 63/18   using different networks or...

H04L 9/3215   using a plurality of channe...

H04L 9/3226   using a predetermined code,...

Techniques for access management based on multi-factor authentication including knowledge-based authentication

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Techniques for access management based on multi-factor authentication including knowledge-based authentication

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links