Personal device network for user identification and authentication

US 10,333,980 B2
Filed: 11/19/2015
Issued: 06/25/2019
Est. Priority Date: 11/19/2014
Status: Active Grant

First Claim

Patent Images

1. A system for authenticating a user of a client device seeking access to a secure resource, the system comprising:

a. an authentication server comprising;

(i) an identity database including entries relating users with wireless devices belonging to the users;

(ii) a memory for storing a security policy governing access to the secure resource; and

(iii) circuitry for communicating with client devices and with the secure resource, andb. a client device comprising;

(i) a processor;

(ii) communication circuitry; and

(iii) a memory containing stored instructions for causing the processor to (A) detect the presence of proximately located devices using the communication circuitry and (B) to communicate with the server,wherein the server and the client device cooperate to determine whether one or more other wireless devices detected by the client communication circuitry are (a) co-located with the client device and (b) listed and related to the user in the identity database, and, if so, whether the device co-location alone satisfies the security policy, wherein neither the server nor the client device receives user-specific authentication information from any of the detected wireless devices, and when the device co-location alone satisfies the security policy, according user access to the secure resource via the client device.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Established user habits in carrying multiple wirelessly detectable devices are used to provide or substantiate authentication. In some embodiments, simply detecting that expected devices are co-located within a limited spatial region is sufficient to establish that the devices are being carried by a single individual. In other embodiments, particularly where the potential for spoofing by multiple individuals is a concern, single-user possession of the devices may be confirmed by various corroborative techniques. This approach affords convenience to users, who may be working at a device that lacks the necessary modality (e.g., a fingerprint or vein reader) for strong authentication.

20 Citations

View as Search Results

34 Claims

1. A system for authenticating a user of a client device seeking access to a secure resource, the system comprising:
- a. an authentication server comprising;
  
  (i) an identity database including entries relating users with wireless devices belonging to the users;
  
  (ii) a memory for storing a security policy governing access to the secure resource; and
  
  (iii) circuitry for communicating with client devices and with the secure resource, andb. a client device comprising;
  
  (i) a processor;
  
  (ii) communication circuitry; and
  
  (iii) a memory containing stored instructions for causing the processor to (A) detect the presence of proximately located devices using the communication circuitry and (B) to communicate with the server,wherein the server and the client device cooperate to determine whether one or more other wireless devices detected by the client communication circuitry are (a) co-located with the client device and (b) listed and related to the user in the identity database, and, if so, whether the device co-location alone satisfies the security policy, wherein neither the server nor the client device receives user-specific authentication information from any of the detected wireless devices, and when the device co-location alone satisfies the security policy, according user access to the secure resource via the client device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The system of claim 1, wherein the client device is configured to detect other devices and intercommunicate therewith over a device network.
  - 3. The system of claim 2, wherein the client device is configured to obtain proximity data from the other devices, the co-location determination being based at least in part on the proximity data.
  - 4. The system of claim 3, wherein the proximity data includes detected signal strengths from the other devices.
  - 5. The system of claim 3, wherein the proximity data includes data tracking device movement.
  - 6. The system of claim 1, wherein, when the security policy is not satisfied by the device co-location alone, the server and client device cooperate to (a) identify at least one additional authentication step whose fulfillment would satisfy the security policy, (b) cause fulfillment of the at least one additional authentication step, and (c) accord user access to the secure resource after fulfillment of the at least one additional authentication step.
  - 7. The system of claim 6, wherein the server and client are configured to search initially for additional authentication steps whose fulfillment would satisfy the security policy and that do not require user action.
  - 8. The system of claim 7, wherein when there are no additional authentication steps that do not require user action but would satisfy the security policy, the client is configured to engage the user to fulfill the at least one additional authentication step.
  - 9. The system of claim 1, wherein the authentication server and the client device are configured to cooperatively update a user'"'"'s entry in the identity database by (i) at the client device, scanning for proximate wireless devices and transmitting registration information therefor to the authentication server, and (ii) at the authentication server, updating the user'"'"'s entry in the identity database by adding registration information for devices not already listed in the user'"'"'s entry.
  - 10. The system of claim 9, wherein the authentication server is further configured to remove a device entry from a user'"'"'s database record when the device has not been detected during more than a threshold number of log-in events at the client device.
  - 11. The system of claim 1, wherein the client device is a wireless device.
  - 12. The system of claim 1, wherein the server and the client device cooperate to determine whether two or more other wireless devices are (a) co-located with the client device and (b) listed and related to the user in the identity database, and, if so, whether the device co-location alone satisfies the security policy, wherein neither the server nor the client device receives user-specific authentication information from any of the detected wireless devices, and when the device co-location alone satisfies the security policy, according user access to the secure resource via the client device.
  - 13. The system of claim 1, wherein the client device lacks any modality for biometric authentication.

14. A method for authenticating a user of a client device seeking access to a secure resource, the method comprising the steps of, at a client wireless device:
- downloading a security policy;
  
  electronically detecting one or more other wireless devices co-located with the client wireless device;
  
  determining whether the one or more other wireless devices are listed and related to the user in an identity database that includes entries relating users with wireless devices belonging to the users;
  
  when the one or more other wireless devices are listed and related to the user in the identity database, determining whether detection of the one or more other wireless devices co-located with the client wireless device is alone sufficient to satisfy the downloaded security policy, wherein the client wireless device does not receive user-specific authentication information from any of the one or more other wireless devices; and
  
  when detection of the one or more other wireless devices co-located with the client wireless device alone is sufficient to satisfy the downloaded security policy, according the user access to the secure resource.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 15. The method of claim 14, wherein the client wireless device communicates with the one or more other wireless devices over a device network.
  - 16. The method of claim 14, further comprising the step of obtaining, by the client wireless device, proximity data from the one or more other wireless devices, the co-location determination being based at least in part on the proximity data.
  - 17. The method of claim 16, wherein the proximity data includes detected signal strengths from the one or more other wireless devices.
  - 18. The method of claim 16, wherein the proximity data includes data tracking device movement.
  - 19. The method of claim 14, further comprising, when the detection of the one or more other wireless devices co-located with the client wireless device is not sufficient to satisfy the security policy alone, identifying at least one additional authentication step whose fulfillment would satisfy the security policy, causing fulfillment of the at least one additional authentication step, and according the user access to the secure resource after fulfillment of the at least one additional authentication step.
  - 20. The method of claim 19, further comprising the step of searching initially for additional authentication steps whose fulfillment would satisfy the security policy and that do not require user action.
  - 21. The method of claim 20, wherein, when there are no additional authentication steps that do not require user action but would satisfy the security policy, causing fulfillment of the at least one additional authentication step comprises engaging the user to fulfill the at least one additional authentication step.
  - 22. The method of claim 19, wherein the identification of at least one additional authentication step whose fulfillment would satisfy the security policy is performed cooperatively with an authentication server.
  - 23. The method of claim 14, wherein the client wireless device and the one or more other wireless devices form an ad hoc network.
  - 24. The method of claim 14, wherein:
    - two or more other wireless devices co-located with the client wireless device are electronically detected; and
      
      wherein determining whether detection of the one or more other wireless devices co-located with the client wireless device alone is sufficient to satisfy the downloaded security policy comprises determining whether detection of the two or more other wireless devices co-located with the client device is sufficient to satisfy the downloaded security policy.
  - 25. The method of claim 14, wherein the client wireless device lacks any modality for biometric authentication.

26. A method for authenticating a user of a client device seeking access to a secure resource, the method comprising the steps of, at a server:
- electronically accessing a security policy;
  
  receiving data from the client device indicative of detection of one or more other wireless devices;
  
  determining, based on the data, whether the one or more detected devices are co-located with the client device;
  
  determining, based on the data, whether the one or more detected devices are listed and related to the user in an identity database that includes entries relating users with wireless devices belonging to the users;
  
  when the one or more detected devices are listed and related to the user in the identity database, determining whether co-location of the one or more other devices with the client device is alone sufficient to satisfy the accessed security policy, wherein the client device does not receive user-specific authentication information from any of the one or more detected devices; and
  
  when the co-location of the one or more other devices with the client device is alone sufficient to satisfy the accessed security policy, according the user access to the secure resource via the client device.
- View Dependent Claims (27, 28, 29, 30, 31, 32, 33, 34)
- - 27. The method of claim 26, further comprising, when the co-location of the one or more other devices with the client device is not sufficient to satisfy the security policy alone, identifying at least one additional authentication step whose fulfillment would satisfy the security policy, causing fulfillment of the at least one additional authentication step, and according the user access to the secure resource after fulfillment of the at least one additional authentication step.
  - 28. The method of claim 27, wherein causing fulfillment of the at least one additional authentication step is performed cooperatively with the client device.
  - 29. The method of claim 27, further comprising the step of searching initially for additional authentication steps whose fulfillment would satisfy the security policy and that do not require user action.
  - 30. The method of claim 29, wherein, when there are no additional authentication steps that do not require user action but would satisfy the security policy, causing fulfillment of the at least one additional authentication step comprises engaging the user to fulfill the at least one additional authentication step.
  - 31. The method of claim 26, wherein:
    - data indicative of detection of two or more other wireless devices is received from the client device; and
      
      determining whether co-location of the other devices with the client device alone is sufficient to satisfy the downloaded security policy comprises determining whether co-location of the two or more other devices with the client device is sufficient to satisfy the downloaded security policy.
  - 32. The method of claim 26, wherein the client device is a wireless device.
  - 33. The method of claim 26, wherein the server does not receive user-specific authentication information from any of the one or more detected devices.
  - 34. The method of claim 26, wherein the client device lacks any modality for biometric authentication.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Imprivata Incorporated
Original Assignee
Imprivata Incorporated
Inventors
Ting, David M. T., Slak, Alain, Vernest, Kyle
Primary Examiner(s)
Siddiqi, Mohammad A

Application Number

US14/945,609
Publication Number

US 20160142443A1
Time in Patent Office

1,314 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 63/107   wherein the security polici...

H04L 63/20   for managing network securi...

H04W 12/06   Authentication

H04W 12/08   Access security

H04W 12/63   Location-dependent; Proximi...

H04W 4/02   Services making use of loca...

Personal device network for user identification and authentication

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

20 Citations

34 Claims

Specification

Solutions

Use Cases

Quick Links

Personal device network for user identification and authentication

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

20 Citations

34 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links