Personal device network for user identification and authentication
First Claim
1. A system for authenticating a user of a client device seeking access to a secure resource, the system comprising:
a. an authentication server comprising:
(i) an identity database including entries relating users with wireless devices belonging to the users;
(ii) a memory for storing a security policy governing access to the secure resource; and
(iii) circuitry for communicating with client devices and with the secure resource; and
b. a client device comprising:
(i) a processor;
(ii) communication circuitry; and
(iii) a memory containing stored instructions for causing the processor to (A) detect the presence of proximately located devices using the communication circuitry and (B) communicate with the server,
wherein the server and the client device cooperate to determine whether one or more other wireless devices detected by the client communication circuitry are (a) co-located with the client device and (b) listed and related to the user in the identity database, and, if so, whether the device co-location alone satisfies the security policy, wherein neither the server nor the client device receives user-specific authentication information from any of the detected wireless devices, and, when the device co-location alone satisfies the security policy, according user access to the secure resource via the client device.
7 Assignments
0 Petitions
Abstract
Established user habits in carrying multiple wirelessly detectable devices are used to provide or substantiate authentication. In some embodiments, simply detecting that expected devices are co-located within a limited spatial region is sufficient to establish that the devices are being carried by a single individual. In other embodiments, particularly where the potential for spoofing by multiple individuals is a concern, single-user possession of the devices may be confirmed by various corroborative techniques. This approach affords convenience to users, who may be working at a device that lacks the necessary modality (e.g., a fingerprint or vein reader) for strong authentication.
20 Citations
34 Claims

1. A system for authenticating a user of a client device seeking access to a secure resource (independent claim; full text reproduced above under First Claim). Dependent claims: 2-13.

14. A method for authenticating a user of a client device seeking access to a secure resource, the method comprising the steps of, at a client wireless device:
- downloading a security policy;
- electronically detecting one or more other wireless devices co-located with the client wireless device;
- determining whether the one or more other wireless devices are listed and related to the user in an identity database that includes entries relating users with wireless devices belonging to the users;
- when the one or more other wireless devices are listed and related to the user in the identity database, determining whether detection of the one or more other wireless devices co-located with the client wireless device is alone sufficient to satisfy the downloaded security policy, wherein the client wireless device does not receive user-specific authentication information from any of the one or more other wireless devices; and
- when detection of the one or more other wireless devices co-located with the client wireless device alone is sufficient to satisfy the downloaded security policy, according the user access to the secure resource.
Dependent claims: 15-25.

26. A method for authenticating a user of a client device seeking access to a secure resource, the method comprising the steps of, at a server:
- electronically accessing a security policy;
- receiving data from the client device indicative of detection of one or more other wireless devices;
- determining, based on the data, whether the one or more detected devices are co-located with the client device;
- determining, based on the data, whether the one or more detected devices are listed and related to the user in an identity database that includes entries relating users with wireless devices belonging to the users;
- when the one or more detected devices are listed and related to the user in the identity database, determining whether co-location of the one or more other devices with the client device is alone sufficient to satisfy the accessed security policy, wherein the client device does not receive user-specific authentication information from any of the one or more detected devices; and
- when the co-location of the one or more other devices with the client device is alone sufficient to satisfy the accessed security policy, according the user access to the secure resource via the client device.
Dependent claims: 27-34.
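The decision logic that claims 1, 14 and 26 describe, modelled as an added example. This is illustrative code written for this page, not code from the patent or from any product; the user names, device identifiers, RSSI values, resource names and the policy fields (min_devices, rssi_floor_dbm, colocation_sufficient) are all constructed assumptions. Co-location is approximated by a signal-strength floor, which the claims leave unspecified, and the client's report carries only a device identifier and a signal reading, so no user-specific authentication information is taken from the detected devices.

```python
"""Server-side evaluation of the co-location authentication flow.

Added example, not the patent's own code. All identifiers, policies and
sample scan data below are constructed for illustration.
"""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    GRANT = "grant"                        # co-location alone satisfies the policy
    NEED_MORE = "need_additional_factor"   # registered devices present, policy wants corroboration
    DENY = "deny"                          # too few registered devices co-located


@dataclass(frozen=True)
class Policy:
    """Security policy for one secure resource (field names are assumptions)."""
    min_devices: int             # registered devices that must be co-located
    rssi_floor_dbm: int          # a weaker signal than this is not treated as co-located
    colocation_sufficient: bool  # False: co-location counts only as one factor


@dataclass(frozen=True)
class Sighting:
    """One entry of the client's scan report: identifier and signal strength only.
    Nothing user-specific is carried, matching the claims' constraint."""
    device_id: str
    rssi_dbm: int


# Identity database (constructed): user -> wireless devices registered to that user.
IDENTITY_DB = {
    "alice": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:03"},
    "bob": {"dd:ee:ff:00:00:09"},
}

# Policies per resource (constructed). The payroll policy never grants on co-location alone,
# which is where the abstract's "corroborative techniques" would be demanded.
POLICIES = {
    "wiki": Policy(min_devices=1, rssi_floor_dbm=-70, colocation_sufficient=True),
    "payroll": Policy(min_devices=2, rssi_floor_dbm=-60, colocation_sufficient=False),
}

# Constructed scan report as a client would send it: one nearby device of alice's,
# one of hers that is too far away, one of bob's, and an unknown device.
SAMPLE_SCAN = [
    Sighting("aa:bb:cc:00:00:01", -55),
    Sighting("aa:bb:cc:00:00:02", -82),
    Sighting("dd:ee:ff:00:00:09", -50),
    Sighting("11:22:33:44:55:66", -48),
]


def colocated_registered_devices(user, sightings, policy):
    """Keep the device ids that are both co-located (by the RSSI proxy) and listed
    for this user in the identity database. Duplicated sightings count once."""
    owned = IDENTITY_DB.get(user, set())
    return sorted({
        s.device_id for s in sightings
        if s.rssi_dbm >= policy.rssi_floor_dbm and s.device_id in owned
    })


def evaluate(user, resource, sightings):
    """Return (Decision, matched device ids) for one access attempt.

    Order of checks follows claim 26: co-location and registration first,
    then whether co-location alone satisfies the resource's policy."""
    policy = POLICIES[resource]
    matched = colocated_registered_devices(user, sightings, policy)
    if len(matched) < policy.min_devices:
        return Decision.DENY, matched
    if not policy.colocation_sufficient:
        return Decision.NEED_MORE, matched
    return Decision.GRANT, matched


if __name__ == "__main__":
    print(evaluate("alice", "wiki", SAMPLE_SCAN))
    print(evaluate("alice", "payroll", SAMPLE_SCAN))
```

Two design points matter in practice. Devices that are detected but not registered to the requesting user contribute nothing, so a stranger's phone nearby cannot raise the count. And because the only evidence consumed is a broadcast identifier plus signal strength, both of which an attacker can reproduce, a policy for a sensitive resource should set colocation_sufficient to false so that co-location is only ever one factor; that is the multi-individual spoofing concern the abstract raises.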
Specification