System and method for integrating two-factor authentication in a device

US 10,223,520 B2
Filed: 06/04/2018
Issued: 03/05/2019
Est. Priority Date: 02/22/2013
Status: Active Grant

First Claim

Patent Images

1. An online method that enables multi-factor authentication with a third-party application, the online method comprising:

enrolling a first inactivated device application instance associated with a first account into a multi-factor authentication service, the enrolling comprising;

receiving, at a multi-factor authentication service, a first enrollment request from a first service provider that provides the first account, wherein the multi-factor authentication service and the first service provider are distinct entities,in response to receiving the first enrollment request, generating at the multi-factor authentication service a first activation code and, separately, a unique device identifier, wherein the first activation code enables a multi-factor authentication pairing between the inactivated device application instance and the multi-factor authentication service;

receiving, via one or more networks, the first activation code at the first inactivated device application instance operating on a remote user device,processing the first activation code by the first inactivated device application instance, wherein processing the first activation code includes;

implementing an application programming interface (API) call from the inactivated device application instance operating on the remote user device to the multi-factor authentication service;

1) registering the first inactivated device application instance at the multi-factor authentication service and

     2) at the multi-factor authentication service, mapping a communication address of the first inactivated device application instance to the unique device identifier and storing the mapping at the multi-factor authentication service;

in response to successfully

     1) registering and

     2) mapping the communication address of the first inactivated device application instance, identifying the first inactivated device application instance to a first activated device application instance at the multi-factor authentication service, wherein in an activated state the first activated device application receives one or more secondary authentication requests from the multi-factor authentication service in response to authenticating the first user with the first service provider; and

authenticating the first user with the first service provider, the authenticating comprising;

receiving from the first service provider a first authentication request to authenticate the first user, the first authentication request comprising an identification of the first user account,identifying the unique device identifier based on the identification of the first user account;

identifying the communication address of the first activated device application instance based on the mapping of the unique device identifier to the communication address of the first activated device application instance;

using the communication address of the first activated application instance to present by the multi-factor authentication service, at the first activated device application instance, first authentication information associated with the first authentication request,receiving, at the multi-factor authentication service, a user response to the first authentication information,generating, at the multi-factor authentication service, an authentication assessment based on the user response, andtransmitting, from the multi-factor authentication service, the authentication assessment to the first service provider.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for providing secondary-factor authentication with a third party application that can include enrolling a device application instance of an account into a secondary-factor authentication service on behalf of a service provider that includes at the secondary-factor authentication service, receiving a secondary factor of authentication enrollment request of an account, the request received from the service provider, transmitting an activation code, and pairing the device application instance with the account through the activation code; receiving an authentication request identifying the account; transmitting an authentication request to the device application instance paired with the account; validating a response to the application request; and transmitting an assessment to the service provider.

172 Citations

14 Claims

1. An online method that enables multi-factor authentication with a third-party application, the online method comprising:
- enrolling a first inactivated device application instance associated with a first account into a multi-factor authentication service, the enrolling comprising;
  
  receiving, at a multi-factor authentication service, a first enrollment request from a first service provider that provides the first account, wherein the multi-factor authentication service and the first service provider are distinct entities,in response to receiving the first enrollment request, generating at the multi-factor authentication service a first activation code and, separately, a unique device identifier, wherein the first activation code enables a multi-factor authentication pairing between the inactivated device application instance and the multi-factor authentication service;
  
  receiving, via one or more networks, the first activation code at the first inactivated device application instance operating on a remote user device,processing the first activation code by the first inactivated device application instance, wherein processing the first activation code includes;
  
  implementing an application programming interface (API) call from the inactivated device application instance operating on the remote user device to the multi-factor authentication service;
  
  1) registering the first inactivated device application instance at the multi-factor authentication service and
  
       2) at the multi-factor authentication service, mapping a communication address of the first inactivated device application instance to the unique device identifier and storing the mapping at the multi-factor authentication service;
  
  in response to successfully
  
       1) registering and
  
       2) mapping the communication address of the first inactivated device application instance, identifying the first inactivated device application instance to a first activated device application instance at the multi-factor authentication service, wherein in an activated state the first activated device application receives one or more secondary authentication requests from the multi-factor authentication service in response to authenticating the first user with the first service provider; and
  
  authenticating the first user with the first service provider, the authenticating comprising;
  
  receiving from the first service provider a first authentication request to authenticate the first user, the first authentication request comprising an identification of the first user account,identifying the unique device identifier based on the identification of the first user account;
  
  identifying the communication address of the first activated device application instance based on the mapping of the unique device identifier to the communication address of the first activated device application instance;
  
  using the communication address of the first activated application instance to present by the multi-factor authentication service, at the first activated device application instance, first authentication information associated with the first authentication request,receiving, at the multi-factor authentication service, a user response to the first authentication information,generating, at the multi-factor authentication service, an authentication assessment based on the user response, andtransmitting, from the multi-factor authentication service, the authentication assessment to the first service provider.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, wherein the enrolling includes:
    - a. enrolling the first inactivated device application instance operating on a remote user device as an additional factor for multi-factor authentication of the first user with the first service provider, wherein in an inactivated state the first inactivated device application is incapable of receiving secondary authentication requests from the multi-factor authentication service, wherein enrolling the first inactivated device application instance occurs prior to authenticating the first user with the first service provider.
  - 3. The method of claim 1, wherein processing the first activation code includes:
    - i. using the activation code to establish a pairing communication session between the first inactivated device application instance and the multi-factor authentication service.
  - 4. The method of claim 1, further comprisingenrolling the first activated device application instance as an additional factor for multi-factor authentication of the first user with a second service provider, the second service provider distinct from the first service provider, wherein enrolling the first activated device application instance occurs prior to any authentication of the first user with the second service provider.
  - 5. The method of claim 4, wherein enrolling the first activated device application instance as an additional factor for multi-factor authentication of the first user with a second service provider comprises:
    - receiving, at the multi-factor authentication service, a second enrollment request from the second service provider, wherein the multi-factor authentication service, the first service provider, and the second service provider are distinct entities;
      
      in response to receiving the second enrollment request, generating a second activation code at the multi-factor authentication service,transmitting the second activation code to the second service provider,receiving, at the first activated device application instance, the second activation code from the second service provider,processing the second activation code at the first activated device application instance, andin response to processing the second activation code, pairing, at the multi-factor authentication service, the first activated device application instance with a second user account associated with the second service provider and further activating the first activated device application instance as an additional factor for multi-factor authentication of the first user with the second service provider.
  - 6. The method of claim 1:
    - wherein the first authentication request indicates a selection by the first service provider of a notification authentication mode,wherein presenting the first authentication information comprises presenting a notification based on the selection of the notification authentication mode by the first service provider, the notification comprising a user option to confirm the first authentication request, andwherein determining the authentication assessment comprises determining the authentication based on the user response to the user option.
  - 7. The method of claim 1:
    - wherein the first authentication request indicates a selection by a second service provider of a passcode authentication mode,wherein presenting the first authentication information comprises presenting a generated passcode;
      
      wherein the generated passcode is generated using a passcode generation algorithm,wherein the user response comprises a user-submitted passcode, andwherein determining the authentication assessment comprises determining the authentication assessment based on an evaluation of the user-submitted passcode using the passcode generation algorithm.
  - 8. The method of claim 1, further comprising:
    - enrolling a second device application instance as an additional factor for the multi-factor authentication of a second user with the first service provider,wherein enrolling the second device application instance occurs prior to any authentication of the second user with the first service provider.
  - 9. The method of claim 8:
    - wherein authenticating the first user with the first service provider comprises;
      
      receiving the first authentication request indicating a first authentication mode selection by the first service provider, andpresenting, at the first device application instance, the first authentication information based on the first authentication mode selection;
      
      further comprising authenticating the second user for access to a second existing user account at the first service provider, the authenticating comprising;
      
      receiving a second authentication request indicating a second authentication mode selection, the second authentication request identifying the second user account,presenting, at the second device application instance, second authentication information based on the second authentication mode selection,wherein the first and the second authentication modes are different modes, andwherein the first and the second authentication information are non-identical.
  - 10. The method of claim 1 further comprising:
    - receiving authentication interface preferences from the first service provider, the authentication interface preferences comprising an appearance preference,wherein presenting the first authentication information comprises presenting the first authentication information at an authentication interface of the first service provider based on the appearance preference.
  - 11. The method of claim 1:
    - wherein presenting the first authentication information comprises presenting the first authentication information at a user interface of the first activated device application instance;
      
      further comprising receiving, at the user interface of the first activated device application instance, the user response prior to receiving the user response at the multi-factor authentication service; and
      
      in response to receiving the user response at the user interface of the first activated device application instance, transmitting the user response remote to the multi-factor authentication service.
  - 12. The method of claim 1, wherein the first enrollment request comprises an HTTP enrollment request for enrolling the first activated device application instance, and wherein transmitting the first activation code comprises transmitting an HTTP request response to the HTTP request, the HTTP request response comprising the first activation code.
  - 13. The method of claim 12, wherein the first authentication request comprises an HTTP request for authenticating the first user, wherein the HTTP request comprises the identification of the first user account, and wherein authenticating the first user further comprises:
    - in response to receiving the first authentication request, mapping the first user account to the first activated device application instance based on the identification of the user account and the pairing between the first user account and the first activated device application instance.
  - 14. The method of claim 1, wherein authenticating the first user comprises:
    - in response to receiving the first authentication request comprising the identification of the first user account, mapping, at the multi-factor authentication service, the identification of the first user account to an identification of the first activated device application instance based on the pairing between the first pre-existing user account and the first activated device application instance,wherein transmitting the first authentication information comprises transmitting the first authentication information to the first activated device application instance based on the identification of the first activated device application instance.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Duo Security Incorporated (Cisco Systems, Inc.)
Inventors
Oberheide, Jon, Song, Douglas
Primary Examiner(s)
Kabir, Jahangir

Application Number

US15/996,778
Publication Number

US 20180285552A1
Time in Patent Office

274 Days
Field of Search

726 17- 20
US Class Current
CPC Class Codes

G06F 21/40   by quorum, i.e. whereby two...

H04L 2463/082   applying multi-factor authe...

H04L 63/08   for authentication of entit...

H04L 63/0853   using an additional device,...

H04L 63/18   using different networks or...

H04W 12/068   using credential vaults, e....

H04W 12/069   using certificates or pre-s...

System and method for integrating two-factor authentication in a device

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

172 Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for integrating two-factor authentication in a device

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

172 Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links