System and method for collecting and utilizing client data for risk assessment during authentication

US 10,366,218 B2
Filed: 03/18/2014
Issued: 07/30/2019
Est. Priority Date: 03/22/2013
Status: Active Grant

First Claim

Patent Images

1. A method implemented on a client device comprising a memory for storing program code, and a processor for processing the program code to implement the method comprising:

collecting client configuration data on a client device using a native code agent running in a client operating system of the client device, the native code agent having secure access to the client configuration data, wherein the client configuration data is collected by the native code agent without disclosing confidential user information to a relying party;

performing an assessment of the client configuration data on the client to determine a risk level associated with the client device, the client configuration data including;

data related to client authentication hardware, including an indication of hardware to implement secure elements or trusted execution environments on the client;

data related to the client operating system, including an indication of a current operating system version installed on the client device and how recently the client operating system has been updated;

data related to anti-virus software configuration, including an indication of whether an anti-virus software has been installed and how recently the anti-virus software has been updated and/or executed; and

data related to firewall configuration, including an indication of whether a firewall is installed and how recently the firewall has been updated;

collecting biometric reference data of the user usable to authenticate the user and storing the biometric reference data in a secure storage of the authentication device used to collect the biometric reference data, the secure storage to cryptographically protect the biometric reference data of the user;

performing authentication for a particular transaction in accordance with the risk level to determine an assurance level that a current user of the client is legitimate, the assurance level determined, at least in part, based on the risk level, and also determined based on a combination of one or more current or prior explicit user authentications using the authentication hardware and one or more non-intrusive authentication techniques;

wherein for relatively higher risk levels, relatively more rigorous authentication techniques are selected to reach an assurance level required for the transaction as specified by the relying party, and for relatively lower risk levels, relatively less rigorous authentication techniques are selected to reach the assurance level required for the transaction as specified by the relying party; and

permitting the transaction when the authentication techniques selected to reach the assurance level required for the transaction as specified by the relying party are successfully completed and denying the transaction when the authentication techniques selected to reach the assurance level required for the transaction as specified by the relying party are not successfully completed.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, apparatus, method, and machine readable medium are described for performing client risk assessment for authentication. For example, one embodiment of an apparatus comprises: a client risk assessment agent to perform an assessment of client configuration data to determine a risk level associated with a client device; and an authentication engine to performing authentication for a particular transaction in accordance with the risk level.

391 Citations

14 Claims

1. A method implemented on a client device comprising a memory for storing program code, and a processor for processing the program code to implement the method comprising:
- collecting client configuration data on a client device using a native code agent running in a client operating system of the client device, the native code agent having secure access to the client configuration data, wherein the client configuration data is collected by the native code agent without disclosing confidential user information to a relying party;
  
  performing an assessment of the client configuration data on the client to determine a risk level associated with the client device, the client configuration data including;
  
  data related to client authentication hardware, including an indication of hardware to implement secure elements or trusted execution environments on the client;
  
  data related to the client operating system, including an indication of a current operating system version installed on the client device and how recently the client operating system has been updated;
  
  data related to anti-virus software configuration, including an indication of whether an anti-virus software has been installed and how recently the anti-virus software has been updated and/or executed; and
  
  data related to firewall configuration, including an indication of whether a firewall is installed and how recently the firewall has been updated;
  
  collecting biometric reference data of the user usable to authenticate the user and storing the biometric reference data in a secure storage of the authentication device used to collect the biometric reference data, the secure storage to cryptographically protect the biometric reference data of the user;
  
  performing authentication for a particular transaction in accordance with the risk level to determine an assurance level that a current user of the client is legitimate, the assurance level determined, at least in part, based on the risk level, and also determined based on a combination of one or more current or prior explicit user authentications using the authentication hardware and one or more non-intrusive authentication techniques;
  
  wherein for relatively higher risk levels, relatively more rigorous authentication techniques are selected to reach an assurance level required for the transaction as specified by the relying party, and for relatively lower risk levels, relatively less rigorous authentication techniques are selected to reach the assurance level required for the transaction as specified by the relying party; and
  
  permitting the transaction when the authentication techniques selected to reach the assurance level required for the transaction as specified by the relying party are successfully completed and denying the transaction when the authentication techniques selected to reach the assurance level required for the transaction as specified by the relying party are not successfully completed.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method as in claim 1 wherein the recent explicit user authentications are performed using one or more authentication techniques selected from the group consisting of fingerprint authentication, voice authentication, retinal scanning authentication, user password or PIN entry, user entry of a secret.
  - 3. The method as in claim 1 wherein the non-intrusive authentication techniques include authenticating a user without explicitly requesting the user to provide biometric data, a secret code, or other authentication data.
  - 4. The method as in claim 1 further comprising:
    - implementing one or more security techniques to ensure secure access to the client configuration data.
  - 5. The method as in claim 4 wherein an absence of a firewall and/or virus detection software results in a relatively higher risk level.
  - 6. The method as in claim 5 wherein the client configuration data includes an indication as to how recently a virus scan was performed.
  - 7. The method as in claim 6 wherein the client configuration data includes an indication of a current version of the firewall and/or virus detection software.

8. An apparatus comprising a memory for storing program code and a processor for processing the program code, the apparatus comprising:
- at least one sensor to collect data relevant to user authentication;
  
  authentication hardware to perform authentication using the data, the authentication hardware including at least one biometric authentication device to collect biometric data associated with the user, the at least one biometric authentication device further to collect biometric reference data of the user usable to authenticate the user and to store the biometric reference data in a secure storage of the at least one biometric authentication device, the secure storage to cryptographically protect the biometric reference data of the user;
  
  a client risk assessment agent to collect client configuration data on a client device using a native code agent running in a client operating system of the client device, the native code agent having secure access to the client configuration data, wherein the client configuration data is collected by the native code agent without disclosing confidential user information to a relying party, the client risk assessment agent to perform an assessment of client configuration data to determine a risk level associated with the client device, the client configuration data including;
  
  data related to client authentication hardware, including an indication of hardware used for secure elements or trusted execution environments on the client;
  
  data related to the client operating system, including an indication of a current operating system version installed on the client device and how recently the client operating system has been updated;
  
  data related to anti-virus software configuration, including an indication of whether an anti-virus software has been installed and how recently the anti-virus software has been updated and/or executed; and
  
  data related to firewall configuration, including an indication of whether a firewall is installed and how recently the firewall has been updated;
  
  the authentication hardware to perform authentication for a particular transaction in accordance with the risk level associated with the client device by performing the operations of;
  
  performing authentication for a particular transaction in accordance with the risk level to determine an assurance level that a current user of the client is legitimate, the assurance level determined, at least in part, based on the risk level, and also determined based on a combination of one or more current or prior explicit user authentications using the authentication hardware and one or more non-intrusive authentication techniques;
  
  wherein for relatively higher risk levels, relatively more rigorous authentication techniques are selected to reach an assurance level required for the transaction as specified by the relying party, and for relatively lower risk levels, relatively less rigorous authentication techniques are selected to reach the assurance level required for the transaction as specified by the relying party; and
  
  the authentication hardware to permit the transaction when the authentication techniques selected to reach the assurance level required for the transaction as specified by the relying party are successfully completed and deny the transaction when the authentication techniques selected to reach the assurance level required for the transaction as specified by the relying party are not successfully completed.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The apparatus as in claim 8 wherein the recent explicit user authentications are performed using one or more authentication techniques selected from the group consisting of fingerprint authentication, voice authentication, retinal scanning authentication, user password or PIN entry, user entry of a secret.
  - 10. The apparatus as in claim 8 wherein the non-intrusive authentication techniques include authenticating a user without explicitly requesting the user to provide biometric data, a secret code, or other authentication data.
  - 11. The apparatus as in claim 8 wherein the non-intrusive techniques include authenticating a user based on a current location of the client device.
  - 12. The apparatus as in claim 8 wherein an absence of a firewall and/or virus detection software results in a relatively higher risk level.
  - 13. The apparatus as in claim 12 wherein the client configuration data further includes an indication as to how recently a virus scan was performed.
  - 14. The apparatus as in claim 13 wherein the client configuration data further includes an indication of a current version of the firewall and/or virus detection software.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nok Nok Labs Incorporated
Original Assignee
Nok Nok Labs Incorporated
Inventors
Blanke, William J.
Primary Examiner(s)
Popham, Jeffrey D.

Application Number

US14/218,575
Publication Number

US 20140289808A1
Time in Patent Office

1,960 Days
Field of Search

726 25
US Class Current
CPC Class Codes

G06F 21/32   using biometric data, e.g. ...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/2115   Third party

G06Q 20/204   comprising interface for re...

G06Q 20/3224   Transactions dependent on l...

G06Q 20/3274   using a pictured code, e.g....

G06Q 20/3278   RFID or NFC payments by mea...

G06Q 20/4012   Verifying personal identifi...

G06Q 20/40145   Biometric identity checks

G06Q 20/42   Confirmation, e.g. check or...

G06Q 20/425   using two different network...

G07F 19/20   Automatic teller machines [...

H04L 2209/805   Lightweight hardware, e.g. ...

H04L 2463/102   applying security measure f...

H04L 63/0492   by using a location-limited...

H04L 63/08   for authentication of entit...

H04L 63/083   using passwords cryptograph...

H04L 63/0861   using biometrical features,...

H04L 63/20   for managing network securi...

H04L 9/0819   Key transport or distributi...

H04L 9/0822 : using key encryption key

H04L 9/0841 : involving Diffie-Hellman or...

H04L 9/3231 : Biological data, e.g. finge...

H04L 9/3247 : involving digital signatures

H04L 9/3297 : involving time stamps, e.g....

H04W 12/06 : Authentication

H04W 12/065 : Continuous authentication

View All

System and method for collecting and utilizing client data for risk assessment during authentication

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

391 Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for collecting and utilizing client data for risk assessment during authentication

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

391 Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links