Two factor authentication with authentication objects

US 10,356,069 B2
Filed: 02/11/2016
Issued: 07/16/2019
Est. Priority Date: 06/26/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

obtaining, from a first device, a request to authenticate an identity;

providing, on a second device, a graphical user interface that makes an authentication object available for selection, the graphical user interface including graphical representations of sets of actions for authenticating by corresponding service provider systems, including a graphical representation that represents a set of actions for authenticating the identity by a service provider system, wherein the authentication object encodes;

a set of credentials usable to authenticate the identity; and

an access policy that specifies a permitted use or a restriction on use of the authentication object; and

is associated with a set of actions for authenticating the identity;

receiving, from the second device, user input indicating selection of the authentication object; and

performing the set of actions by at least;

obtaining an authentication claim generated based at least in part on the request from the first device and the set of credentials encoded in the authentication object selected from the second device; and

causing, at least in part by providing the authentication claim to a computing resource service provider system, the authentication claim to be used to authenticate the identity.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Representations of authentication objects are provided for selection via an interface. An authentication object may be generated to include information obtained from one or more sensors of a device. A selected authentication object may contain information sufficient for authentication with a corresponding system. The interface may provide multiple representations of authentication objects that are usable with different service providers. The interface, executed by a first device, may be configured to authenticate a second device.

109 Citations

23 Claims

1. A computer-implemented method, comprising:
- obtaining, from a first device, a request to authenticate an identity;
  
  providing, on a second device, a graphical user interface that makes an authentication object available for selection, the graphical user interface including graphical representations of sets of actions for authenticating by corresponding service provider systems, including a graphical representation that represents a set of actions for authenticating the identity by a service provider system, wherein the authentication object encodes;
  
  a set of credentials usable to authenticate the identity; and
  
  an access policy that specifies a permitted use or a restriction on use of the authentication object; and
  
  is associated with a set of actions for authenticating the identity;
  
  receiving, from the second device, user input indicating selection of the authentication object; and
  
  performing the set of actions by at least;
  
  obtaining an authentication claim generated based at least in part on the request from the first device and the set of credentials encoded in the authentication object selected from the second device; and
  
  causing, at least in part by providing the authentication claim to a computing resource service provider system, the authentication claim to be used to authenticate the identity.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computer-implemented method of claim 1, wherein the graphical user interface further comprises a plurality of graphical representations corresponding to at least a portion of the set of actions.
  - 3. The computer-implemented method of claim 2, wherein obtaining the authentication claim further comprises:
    - determining information corresponding to a state of an environment where the first device is located; and
      
      providing the information corresponding to the state of the environment to the second device.
  - 4. The computer-implemented method of claim 1, wherein performing the set of actions further comprises obtaining information associated with a state of a computing network to which the first device is connected.
  - 5. The computer-implemented method of claim 1, wherein the authentication object further encodes an attestation of a computing environment of the second device.
  - 6. The computer-implemented method of claim 1, wherein the authentication object further encodes an attestation of sensor data of the second device.
  - 7. The computer-implemented method of claim 1, wherein:
    - the graphical user interface makes the authentication object available for selection via drag-and-drop of a graphical representation of the authentication object; and
      
      the user input indicates a drag-and-drop selection of the authentication object.

8. A system, comprising:
- one or more computing devices including one or more processor and memory, the memory including executable instructions that, as a result of execution by the one or more processors, cause the system to;
  
  receive, from a first computing device of the one or more computing devices, a request to authenticate an identity;
  
  receive, from a second computing device of the one or more computing devices, an authentication object usable to authenticate the identity to a service provider system, the authentication object selected via a graphic interface including graphical representations of sets of actions for authenticating by corresponding systems including the service provider system, the authentication object encoding;
  
  a set of credentials sufficient to authenticate the identity to a service provider system; and
  
  a policy that specifies a type of access associated with the authentication object;
  
  generate, based at least in part on the set of credentials encoded in the authentication object, an authentication claim that corresponds to the request from the first computing device; and
  
  provide the authentication claim to the service provider system to facilitate performance of an operation involving interaction with the service provider system.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15)
- - 9. The system of claim 8, wherein the authentication object is associated with a set of actions performable to provide the authentication claim to enable performance of the operation involving the service provider system.
  - 10. The system of claim 9, wherein the first computing device performs the set of actions to cause the authentication claim to be provided to the second computing device.
  - 11. The system of claim 10, wherein the set of actions includes obtaining information corresponding to a physical environment associated with the one or more computing devices using one or more sensors.
  - 12. The system of claim 11, wherein obtaining the information corresponding to a physical environment includes obtaining an image capture of the second computing device.
  - 13. The system of claim 8, wherein providing the authentication claim to the second computing device further comprises transmitting the authentication claim using near field communication methods wherein providing the authentication claim to the second computing device further comprises transmitting the authentication claim using a near field communication method.
  - 14. The system of claim 8, wherein the memory further includes instructions that, a result of execution by the one or more processors, cause the system to determine a second operation of at least one computing devices of the one or more computing devices requires authentication with the service provider system.
  - 15. The system of claim 14, wherein the memory further includes instructions that, when a result of execution the one or more processors, cause the system to transmit a notification to the first computing device indicating the second operation of the at least one computing devices of the one or more computing devices requires authentication with the service provider system.

16. A non-transitory computer-readable storage medium having stored thereon executable instructions that, as a result of execution by one or more processors of a first computer system, cause the first computer system to at least:
- cause, as a result of an attempt by the first computer system to access a resource of a service provider, a graphical user interface to be displayed on a second computer system, the graphical user interface including a plurality of graphical representations including a graphical representation that represents a set of actions for authenticating an identity by a service provider system, at least a portion of the plurality of graphical representations being associated with;
  
  a set of actions for authenticating the identity with a service provider;
  
  a set of policies specifying permitted uses or restrictions associated with the plurality of graphical representations; and
  
  a set of credentials usable to authenticate the identity with the service provider;
  
  generate, based at least in part on the set of credentials received as a result of a selection from the plurality of graphical representations made via the second computer system, an authentication claim sufficient to authenticate with the service provider; and
  
  access the resource of the service provider at least in part by providing the authentication claim to the service provider for authentication.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23)
- - 17. The non-transitory computer-readable storage medium of claim 16, wherein the executable instructions further comprise instructions that cause the first computer system to:
    - receive a request for additional authentication information from a second computer system;
      
      provide the additional authentication information by at least displaying an indication of one or more user actions to perform in order to confirm an operation of the second computer system; and
      
      detect performance of at least one user action of the one or more user actions.
  - 18. The non-transitory computer-readable storage medium of claim 17, wherein the executable instructions that cause the first computer system to detect performance of the at least one user action further include instructions that cause the first computer system to detect performance of the at least one user action by at least capturing information displayed on a display device of the second computer system.
  - 19. The non-transitory computer-readable storage medium of claim 17, wherein the executable instructions further comprise instructions that, as a result of receiving the request for additional authentication information, cause the first computer system to obtain information corresponding to an environment associated with the second computer system.
  - 20. The non-transitory computer-readable storage medium of claim 19, wherein the executable instructions that cause the first computer system to access the resource of the service provider further include instructions that cause the first computer system to include in the authentication claim the information corresponding to the environment associated with the second computer system.
  - 21. The non-transitory computer-readable storage medium of claim 16, wherein the executable instructions further include instructions that cause the first computer system to determine, using information obtained using one or more sensors of the second computer system, a state of the second computer system.
  - 22. The non-transitory computer-readable storage medium of claim 21, wherein the executable instructions that cause the first computer system to determine the state of the second computer system further include instructions that cause the first computer system to obtain biometric information using the one or more sensors.
  - 23. The non-transitory computer-readable storage medium of claim 22, wherein executable the instructions that cause the first computer system to determine the state of the second computer system further include instructions that cause the first computer system to obtain network information using the one or more sensors.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Johansson, Jesper Mikael, Roth, Gregory Branchek
Primary Examiner(s)
Gergiso, Techane

Application Number

US15/042,071
Publication Number

US 20160164855A1
Time in Patent Office

1,251 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/45   Structures or tools for the...

G09C 1/00   Apparatus or methods whereb...

H04L 2463/082   applying multi-factor authe...

H04L 63/08   for authentication of entit...

H04L 63/0853   using an additional device,...

H04L 9/3215   using a plurality of channe...

H04L 9/3226   using a predetermined code,...

H04L 9/3234   involving additional secure...

H04L 9/3278   using physically unclonable...

Two factor authentication with authentication objects

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

109 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Two factor authentication with authentication objects

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

109 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links