Password-less authentication for access management

US 10,158,489 B2
Filed: 10/21/2016
Issued: 12/18/2018
Est. Priority Date: 10/23/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, by a computer system of an access management system, from a first device, a request by a user for access to a resource, wherein the first device is a second computer system;

based on the request, determining, by the computer system, that the first device is registered for the user based on an authentication of the user at the first device prior to the request;

generating, by the computer system, security data for determining authentication of the user to access the resource using the first device, wherein the security data includes first data that is based on information related to the user, and wherein the first data is encrypted based on an encryption key;

sending, by the computer system, the encryption key to a second device that the user has registered with the access management system, wherein the second device is a mobile device separate from the first device;

sending, by the computer system, the security data to the first device, wherein the security data includes a quick response (QR) code that is displayed at the first device for presentation to the second device;

receiving, by the computer system, from the second device, second data that is generated by the second device based on decryption of the first data included in the security data, wherein the decryption of the first data is performed by the second device using the encryption key sent to the second device, and wherein the security data is obtained by the second device from the QR code displayed at the first device;

determining whether the second data includes the information that is included in the first data; and

based on determining that the second data includes the information, enabling the first device to access the resource.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An access management system is disclosed that can provide access to resources by password-less authentication. The access management system can provide multiple layers of security for authentication taking into account risk factors (e.g., device, location, etc.) to ensure authentication without compromising access. Contextual details of a user based on a mobile device can be used for authentication based on possession of a device. Password-less authentication of a user may be enabled by registration of devices and/or a location (e.g., a geographic location) as trusted. Security data embedded with encrypted data can be sent to a first device for password-less authentication of a user at the device. A second device registered with the user can obtain the security data from the first device. The second device can decrypts the data and send the decrypted data to the access management system for verification to enable password-less authentication at the first device.

Citations

17 Claims

1. A method comprising:
- receiving, by a computer system of an access management system, from a first device, a request by a user for access to a resource, wherein the first device is a second computer system;
  
  based on the request, determining, by the computer system, that the first device is registered for the user based on an authentication of the user at the first device prior to the request;
  
  generating, by the computer system, security data for determining authentication of the user to access the resource using the first device, wherein the security data includes first data that is based on information related to the user, and wherein the first data is encrypted based on an encryption key;
  
  sending, by the computer system, the encryption key to a second device that the user has registered with the access management system, wherein the second device is a mobile device separate from the first device;
  
  sending, by the computer system, the security data to the first device, wherein the security data includes a quick response (QR) code that is displayed at the first device for presentation to the second device;
  
  receiving, by the computer system, from the second device, second data that is generated by the second device based on decryption of the first data included in the security data, wherein the decryption of the first data is performed by the second device using the encryption key sent to the second device, and wherein the security data is obtained by the second device from the QR code displayed at the first device;
  
  determining whether the second data includes the information that is included in the first data; and
  
  based on determining that the second data includes the information, enabling the first device to access the resource.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the first data included in the security data is embedded in the QR code.
  - 3. The method of claim 1, further comprising:
    - identifying the first device as being registered for the user based on one or more authentication processes for determining the authentication of the user at the first device, and wherein the encryption key is sent to the second device upon identifying the second device as being registered for the user.
  - 4. The method of claim 3, wherein the second device, based on authenticating the user for access at the second device, enables the user to operate the second device to obtain the security data from the QR code displayed at the first device.
  - 5. The method of claim 4, wherein the authenticating the user for access at the second device includes performing biometric authentication of the user based on previous biometric input provided for registration of the user.
  - 6. The method of claim 1, wherein the request includes information identifying the first device, and wherein the computer system identifies the first device as being registered for the user based on the authentication of the user being associated with the information identifying the first device.
  - 7. The method of claim 1, wherein the authentication of the user is determined based on one or more authentication processes including a first authentication process and a second authentication process, wherein the second authentication process is different from the first authentication process, and wherein the method further comprises:
    - prior to the request;
      
      performing the first authentication process, wherein the first authentication process includes verifying credential information of the user received from the first device;
      
      sending temporary access information to the second device;
      
      receiving the temporary access information from the first device; and
      
      performing a second authentication process, wherein the second authentication process includes determining that the received temporary access information matches the temporary access information sent to the second device.
  - 8. The method of claim 7, wherein the temporary access information is a personal identification number associated with a time period for which the temporary access information is valid for the second authentication process.
  - 9. The method of claim 1, further comprising:
    - sending, to the first device, a message indicating that access to the resource is enabled, wherein the first device generates a graphical interface to enable access to the resource at the first device.

10. A system comprising:
- one or more processors; and
  
  a memory accessible to the one or more processors, the memory storing one or more instructions that, upon execution by the one or more processors, cause the one or more processors to;
  
  receive, by an access management system, from a first device, a request by a user for access to a resource, wherein the first device is a second computer system;
  
  based on the request, determine that the first device is registered for the user based on an authentication of the user at the first device prior to the request;
  
  generate security data for determining authentication of the user to access the resource using the first device, wherein the security data includes first data that is based on information related to the user, and wherein the first data is encrypted based on an encryption key;
  
  send the encryption key to a second device that the user has registered with the access management system, wherein the second device is a mobile device separate from the first device;
  
  send the security data to the first device, wherein the security data includes a quick response (QR) code that is displayed at the first device for presentation to the second device;
  
  receive from the second device, second data that is generated by the second device based on decryption of the first data included in the security data, wherein the decryption of the first data is performed by the second device using the encryption key sent to the second device, and wherein the security data is obtained by the second device from the QR code displayed at the first device;
  
  determine whether the second data includes the information that is included in the first data; and
  
  based on determining that the second data includes the information, enable the first device to access the resource.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The system of claim 10, wherein the one or more processors and the memory are included in the access management system.
  - 12. The system of claim 10, wherein the first data included in the security data is embedded in the QR code.
  - 13. The system of claim 10, wherein the one or more instructions, upon the execution by the one or more processors, further cause the one or more processors to:
    - identify the first device as being registered for the user based on one or more authentication processes for determining the authentication of the user at the first device, and wherein the encryption key is sent to the second device upon identifying the second device as being registered for the user.
  - 14. The system of claim 10, wherein the authentication of the user is determined based on one or more authentication processes including a first authentication process and a second authentication process, wherein the second authentication process is different from the first authentication process;
    - andwherein the one or more instructions, upon the execution by the one or more processors, further cause the one or more processors to;
      
      prior to the request;
      
      perform the first authentication process, wherein the first authentication process includes verifying credential information of the user received from the first device;
      
      send temporary access information to the second device;
      
      receive the temporary access information from the first device; and
      
      perform a second authentication process, wherein the second authentication process includes determining that the received temporary access information matches the temporary access information sent to the second device.

15. A non-transitory computer-readable medium storing one or more instructions that, upon execution by one or more processors, cause the one or more processors to:
- receive, by a computer system of an access management system, from a first device, a request by a user for access to a resource, wherein the first device is a second computer system;
  
  based on the request, determine, by the computer system, that the first device is registered for the user based on an authentication of the user at the first device prior to the request;
  
  generate, by the computer system, security data for determining authentication of the user to access the resource using the first device, wherein the security data includes first data that is based on information related to the user, and wherein the first data is encrypted based on an encryption key;
  
  send, by the computer system, the encryption key to a second device that the user has registered with the access management system, wherein the second device is a mobile device separate from the first device;
  
  send, by the computer system, the security data to the first device, wherein the security data includes a quick response (QR) code that is displayed at the first device for presentation to the second device;
  
  receive, by the computer system, from the second device, second data that is generated by the second device based on decryption of the first data included in the security data, wherein the decryption of the first data is performed by the second device using the encryption key sent to the second device, and wherein the security data is obtained by the second device from the QR code displayed at the first device;
  
  determine whether the second data includes the information that is included in the first data; and
  
  based on determining that the second data includes the information, enable the first device to access the resource.
- View Dependent Claims (16, 17)
- - 16. The non-transitory computer-readable medium of claim 15, wherein the first data included in the security data is embedded in the QR code.
  - 17. The non-transitory computer-readable medium of claim 15, wherein the request includes information identifying the first device, and wherein the computer system identifies the first device as being registered for the user based on the authentication of the user being associated with the information identifying the first device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Shastri, Venugopal Padmanabhan, Chitturi, Sreenivasa R., Motukuru, Vamsi, Bhatkhande, Mandar, Joshi, Sunil Kumar
Primary Examiner(s)
Korsak, Oleg

Application Number

US15/299,950
Publication Number

US 20170118025A1
Time in Patent Office

788 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/32   using biometric data, e.g. ...

G06F 21/36   by graphic or iconic repres...

H04L 2463/082   applying multi-factor authe...

H04L 63/0853   using an additional device,...

H04L 63/0861   using biometrical features,...

H04L 9/00   Cryptographic mechanisms or...

H04L 9/006   involving public key infras...

H04L 9/14   using a plurality of keys o...

H04L 9/30   Public key, i.e. encryption...

H04L 9/3228   One-time or temporary data,...

H04L 9/3231   Biological data, e.g. finge...

H04L 9/3234   involving additional secure...

Password-less authentication for access management

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Password-less authentication for access management

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links