Authentication system and method

US 10,462,120 B2
Filed: 05/25/2017
Issued: 10/29/2019
Est. Priority Date: 05/25/2017
Status: Active Grant

First Claim

Patent Images

1. A computerized method comprising:

receiving at the processing component, a registration request from the end user;

creating by the processing component a unique registration token;

creating by the processing component a database record including an identifier for the end user and the unique registration token;

providing by the processing component to a registration device a mechanism to access an authentication application for initiating registration of the registration device;

receiving, through the authentication application, from the end user, the identifier for the end user and the unique registration token;

collecting an identifier associated with the registration device;

receiving from the registration device a public key, the public key forming a portion of a cryptographic key pair, the cryptographic key pair being created upon the end user authenticating to the registration device, wherein the registration device stores a private key of the cryptographic key pair;

calculating by the processing component a device authentication weight;

storing in a database by the processing component the public key and the device authentication weight;

receiving at a processing component, from a requesting device operated by an end user, data describing a request to access a computer program;

determining by the processing component whether an existing authentication session for the end user exists;

in accordance with a determination that the existing authentication session for the end user does not exist, prompting the end user to authenticate to the processing component;

in accordance with a determination that the existing authentication session for the end user exists, performing a risk assessment comprising a consideration of one or both of (i) one or more request characteristics associated with the request to access the computer program and (ii) one or more computer program access criteria;

in accordance with a determination that the risk assessment is positive, providing the requesting device with access to the computer program;

in accordance with a determination that the risk assessment is negative, prompting the end user to perform an authentication activity and, in response to receiving data indicating that the end user performed the authentication activity and the authentication activity is successful, establishing a new authentication session for the end user and providing the requesting device with access to the computer program.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Data describing a request to access a computer program is received at a processing component from a requesting device operated by an end user. The processing component determines whether an existing authentication session for the end user exists. In accordance with a determination that the existing authentication session for the end user does not exist, the end user is prompted to authenticate to the processing component. In accordance with a determination that the existing authentication session for the end user exists, a risk assessment is performed. The risk assessment comprises a consideration of one or both of (i) one or more request characteristics associated with the request to access the computer program and (ii) one or more computer program access criteria. In accordance with a determination that risk assessment is positive, the requesting device is provided with access to the computer program. In accordance with a determination that risk assessment is negative, the end user is prompted to perform an authentication activity. In response to receiving data indicating that the end user performed the authentication activity, and the authentication activity is successful, a new authentication session is established for the end user and the requesting device is provided with access to the computer program.

Citations

28 Claims

1. A computerized method comprising:
- receiving at the processing component, a registration request from the end user;
  
  creating by the processing component a unique registration token;
  
  creating by the processing component a database record including an identifier for the end user and the unique registration token;
  
  providing by the processing component to a registration device a mechanism to access an authentication application for initiating registration of the registration device;
  
  receiving, through the authentication application, from the end user, the identifier for the end user and the unique registration token;
  
  collecting an identifier associated with the registration device;
  
  receiving from the registration device a public key, the public key forming a portion of a cryptographic key pair, the cryptographic key pair being created upon the end user authenticating to the registration device, wherein the registration device stores a private key of the cryptographic key pair;
  
  calculating by the processing component a device authentication weight;
  
  storing in a database by the processing component the public key and the device authentication weight;
  
  receiving at a processing component, from a requesting device operated by an end user, data describing a request to access a computer program;
  
  determining by the processing component whether an existing authentication session for the end user exists;
  
  in accordance with a determination that the existing authentication session for the end user does not exist, prompting the end user to authenticate to the processing component;
  
  in accordance with a determination that the existing authentication session for the end user exists, performing a risk assessment comprising a consideration of one or both of (i) one or more request characteristics associated with the request to access the computer program and (ii) one or more computer program access criteria;
  
  in accordance with a determination that the risk assessment is positive, providing the requesting device with access to the computer program;
  
  in accordance with a determination that the risk assessment is negative, prompting the end user to perform an authentication activity and, in response to receiving data indicating that the end user performed the authentication activity and the authentication activity is successful, establishing a new authentication session for the end user and providing the requesting device with access to the computer program.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 2. The computerized method of claim 1 wherein the data indicating that the end user performed the authentication activity comprises biometrics data of the end user.
  - 3. The computerized method of claim 1 wherein the data indicating that the end user performed the authentication activity comprises a password selected by the end user.
  - 4. The computerized method of claim 1 wherein the data indicating that the end user performed the authentication activity comprises a one-time password provided by the processing component after receiving the request to access from the requesting device.
  - 5. The computerized method of claim 1 wherein, before the receiving data describing a request to access a computer program step, the existing authentication session for the end user is established using the registration device.
  - 6. The computerized method of claim 1 wherein the requesting device comprises the registration device.
  - 7. The computerized method of claim 1 wherein the requesting device comprises a device other than the registration device.
  - 8. The computerized method of claim 1 wherein the consideration of the one or more of the computer program access criteria dictate that the determination of the risk assessment is negative, regardless of the consideration of the one or more request characteristics.
  - 9. The computerized method of claim 1 wherein the consideration of the one or more of the request characteristics dictate that the determination of the risk assessment is negative, regardless of the consideration of the one or more computer program access criteria.
  - 10. The computerized method of claim 1 wherein the one or more computer program access criteria comprise a minimum authentication weight associated with the computer program.
  - 11. The computerized method of claim 1 wherein the one or more request characteristics comprise the device authentication weight.
  - 12. The computerized method of claim 1 wherein the one or more request characteristics comprise a location of the requesting device.
  - 13. The computerized method of claim 1 wherein the one or more request characteristics comprise a time that has elapsed since the existing authentication session was established.
  - 14. The computerized method of claim 1 wherein the one or more request characteristics comprise whether the requesting device is the registration device.
  - 15. The computerized method of claim 1 wherein the device authentication weight is calculated based on a modality by which the end user authenticates to the registration device.
  - 16. The computerized method of claim 1 wherein the device authentication weight is calculated based on a security assessment of the registration device.
  - 17. The computerized method of claim 10 wherein the minimum authentication weight is determined based on a criticality of the computer program.
  - 18. The computerized method of claim 1 wherein the processing component receives the public key in connection with the end user performing the authentication activity.
  - 19. The computerized method of claim 1 further comprising:
    - receiving at the processing component, from the requesting device, data describing a request to access a resource within the computer program; and
      
      determining whether one or more request characteristics meet one or more computer program resource access criteria, wherein the one or more computer program resource access criterial comprise a minimum authentication weight associated with the resource.
  - 20. The computerized method of claim 1 wherein the existing authentication session is established in connection with the end user accessing another computer program that is not the subject of the request to access.
  - 21. The computerized method of claim 19 wherein the one or more request characteristics comprise a modality in which the existing authentication session in connection with accessing the other computer program was established.
  - 22. The computerized method of claim 1, wherein the computer program is a native application.
  - 23. The computerized method of claim 1, wherein the computer program is a web-based application.
  - 24. The computerized method of claim 1, wherein the computer program is an operating system of the requesting device.
  - 25. The computerized method of claim 1, wherein the consideration of the one or more of the request characteristics and computer program access criteria dictate that the determination of the risk assessment is negative when the device authentication weight does not exceed a minimum authentication weight associated with the computer program.
  - 26. The computerized method of claim 1, wherein the consideration of the one or more of the request characteristics and computer program access criteria dictate that the determination of the risk assessment is negative when a distance between a first location of the requesting device when the request to access was sent and a second location of another device when the existing authentication session was created exceeds a distance threshold.
  - 27. The computerized method of claim 1, wherein the consideration of the one or more of the request characteristics and computer program access criteria dictate that the determination of the risk assessment is negative when a time period between a first time when the request to access was sent and a second time when the existing authentication session was created exceeds a time period threshold.

28. A system comprising:
- a processing component configured to;
  
  receive at the processing component, a registration request from the end user;
  
  create by the processing component a unique registration token;
  
  create by the processing component a database record including an identifier for the end user and the unique registration token;
  
  provide by the processing component to a registration device a mechanism to access an authentication application for initiating registration of the registration device;
  
  receive, through the authentication application, from the end user, the identifier for the end user and the unique registration token;
  
  collect an identifier associated with the registration device;
  
  receive from the registration device a public key, the public key forming a portion of a cryptographic key pair, the cryptographic key pair being created upon the end user authenticating to the registration device, wherein the registration device stores a private key of the cryptographic key pair;
  
  calculate by the processing component a device authentication weight;
  
  store in a database by the processing component the public key and the device authentication weight;
  
  receive, from a requesting device operated by an end user, data describing a request to access a computer program;
  
  determine whether an existing authentication session for the end user exists;
  
  in accordance with a determination that the existing authentication session for the end user does not exist, prompt the end user to authenticate to the processing component;
  
  in accordance with a determination that the existing authentication session for the end user exists, perform a risk assessment comprising a consideration of one or both of (i) one or more request characteristics and (ii) one or more computer program access criteria;
  
  in accordance with a determination that the risk assessment is positive, providing the requesting device with access to the computer program;
  
  in accordance with a determination that the risk assessment is negative, prompting the end user to perform an authentication activity and, in response to receiving data indicating that the end user performed the authentication activity and the authentication activity is successful, establishing a new authentication session for the end user and providing the requesting device with access to the computer program.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Barclays Services Corporation (Barclays PLC)
Original Assignee
Barclays Services Corporation (Barclays PLC)
Inventors
Benayed, Mohamed Karim
Primary Examiner(s)
Okeke, Izunna

Application Number

US15/604,867
Publication Number

US 20180343246A1
Time in Patent Office

887 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/316   by observing the pattern of...

G06F 21/33   using certificates

G06F 21/41   where a single sign-on prov...

G06F 21/62   Protecting access to data v...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 63/0823   using certificates cryptogr...

H04L 63/0838   using one-time-passwords

H04L 63/102   Entity profiles

H04L 63/107   wherein the security polici...

H04L 63/108   when the policy decisions a...

H04L 9/32   including means for verifyi...

H04L 9/321   involving a third party or ...

H04L 9/3226   using a predetermined code,...

H04L 9/3228   One-time or temporary data,...

H04L 9/3231   Biological data, e.g. finge...

H04L 9/3263   involving certificates, e.g...

Authentication system and method

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Authentication system and method

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links