Multifactor network authentication

US 10,462,665 B2
Filed: 08/17/2017
Issued: 10/29/2019
Est. Priority Date: 08/17/2017
Status: Active Grant

First Claim

Patent Images

1. A network authentication system, comprising:

an authentication server implemented in hardware, configured to;

receive an authentication key request from a first user device associated with a first user, wherein the authentication key request identifies;

an account linked with the first user; and

a second user device associated with a second user;

generate an authentication key in response to receiving the authentication key request;

generate a first authentication key fragment comprising a first portion of the authentication key, wherein the first authentication key fragment is linked with a first set of authentication rules for the first user;

generate a second authentication key fragment comprising a second portion of the authentication key, wherein the second authentication key fragment is linked with a second set of authentication rules for the second user;

send the first authentication key fragment to the first user device;

send the second authentication key fragment to the second user device;

a server in signal communication with the authentication server, configured to;

receive a request to perform an action by the second user on the account linked with the first user, wherein the request comprises the second authentication key fragment;

send an authentication request comprising the second authentication key fragment to the authentication server in response to receiving the request; and

executing the action on the account linked with first user in response to receiving an authentication approval from the authentication server; and

the authentication server further configured to;

interrogate the second user via the second user device using the second set of authentication rules to validate the second authentication key fragment in response to receiving the authentication request;

send an approval request to the first user device in response to validating the second authentication key fragment;

interrogate the first user via the first user device using the first set of authentication rules to validate the first authentication key fragment in response to receiving the first authentication key fragment from the first user device; and

send an authentication approval to the server in response to validating the first authentication key fragment.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network authentication device that includes an authentication engine in signal communication with a network interface. The authentication engine is configured to receive an authentication key request from a first user device that identifies an account linked with a first user and a second user device. The authentication engine is configured to generate an authentication key and to establish a first set of authentication rules for the first user and a second set of authentication rules for the second user. The authentication engine is configured to generate a first authentication key fragment comprising a first portion of the authentication key and a second authentication key fragment comprising a second portion of the authentication key and to send the first authentication key fragment to the first user device and the second authentication key fragment to the second user device.

Citations

20 Claims

1. A network authentication system, comprising:
- an authentication server implemented in hardware, configured to;
  
  receive an authentication key request from a first user device associated with a first user, wherein the authentication key request identifies;
  
  an account linked with the first user; and
  
  a second user device associated with a second user;
  
  generate an authentication key in response to receiving the authentication key request;
  
  generate a first authentication key fragment comprising a first portion of the authentication key, wherein the first authentication key fragment is linked with a first set of authentication rules for the first user;
  
  generate a second authentication key fragment comprising a second portion of the authentication key, wherein the second authentication key fragment is linked with a second set of authentication rules for the second user;
  
  send the first authentication key fragment to the first user device;
  
  send the second authentication key fragment to the second user device;
  
  a server in signal communication with the authentication server, configured to;
  
  receive a request to perform an action by the second user on the account linked with the first user, wherein the request comprises the second authentication key fragment;
  
  send an authentication request comprising the second authentication key fragment to the authentication server in response to receiving the request; and
  
  executing the action on the account linked with first user in response to receiving an authentication approval from the authentication server; and
  
  the authentication server further configured to;
  
  interrogate the second user via the second user device using the second set of authentication rules to validate the second authentication key fragment in response to receiving the authentication request;
  
  send an approval request to the first user device in response to validating the second authentication key fragment;
  
  interrogate the first user via the first user device using the first set of authentication rules to validate the first authentication key fragment in response to receiving the first authentication key fragment from the first user device; and
  
  send an authentication approval to the server in response to validating the first authentication key fragment.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The system of claim 1, wherein:
    - the authentication server is in signal communication with a cloud server, and further configured to;
      
      obtain location history linked with the first user from the cloud server, wherein the location history identifies one or more frequently visited locations by the first user;
      
      receive an authentication request comprising the first authentication key fragment and a current location for the first user device using the first authentication key fragment;
      
      determine the current location is a location from among the one or more frequently visited locations by the first user;
      
      interrogate the first user via the first user device using the first set of authentication rules;
      
      determine the first set of authentication rules are satisfied; and
      
      validate the first authentication key fragment in response to determining the first set of authentication rules are satisfied and determining that the current location of the first user device is a location from among the one or more frequently visited locations by the first user.
  - 3. The system of claim 1, wherein:
    - the authentication server is in signal communication with a cloud server, and further configured to;
      
      obtain device information linked with the first user device from the cloud server, wherein the device information identifies the first user device;
      
      receive an authentication request comprising the first authentication key and device information for a user device using the first authentication key fragment;
      
      determine the device information for the user device matches the device information linked with the first user device;
      
      interrogate the first user via the first user device using the first set of authentication rules;
      
      determine the first set of authentication rules are satisfied; and
      
      validate the first authentication key fragment in response to determining the first set of authentication rules are satisfied and determining that the device information for the user device matches the device information linked with the first user device.
  - 4. The system of claim 1, wherein:
    - the authentication server is in signal communication with a cloud server, and further configured to;
      
      obtain user history information linked with the first user from the cloud server, wherein the user history information identifies;
      
      transactions linked with the first user; and
      
      vendors associated with the transactions linked with the first user;
      
      receive an authentication request comprising a vendor identifier and the first authentication key;
      
      determine the vendor identifier corresponds with one of the vendors associated with the transactions linked with the first user;
      
      interrogate the first user via the first user device using the first set of authentication rules;
      
      determine the first set of authentication rules are satisfied; and
      
      validate the first authentication key fragment in response to determining the first set of authentication rules are satisfied and determining that the vendor identifier corresponds with one of the vendors associated with the transactions linked with the first user.
  - 5. The system of claim 1, wherein:
    - the first set of authentication rules identifies;
      
      a number of authentication rules selected by the first user; and
      
      an authentication type for each authentication rule selected by the first user; and
      
      the second set of authentication rules identifies;
      
      a number of authentication rules selected by the second user; and
      
      an authentication type for each authentication rule selected by the second user.
  - 6. The system of claim 1, wherein the first set of authentication rules comprises at least one authentication rules with a biometric authentication type.

7. A network authentication device comprising:
- a network interface in signal communication with;
  
  a first user device associated with a first user;
  
  a second user device associated with a second user, wherein the second user is different from the first user; and
  
  an authentication engine implemented in hardware, wherein the authentication engine is in signal communication with the network interface, and configured to;
  
  receive an authentication key request from the first user device, wherein the authentication key request identifies;
  
  an account linked with the first user; and
  
  the second user device;
  
  generate an authentication key in response to receiving the authentication key request;
  
  establish a first set of authentication rules for the first user, wherein the first set of authentication rules identifies;
  
  a number of authentication rules selected by the first user; and
  
  an authentication type for each authentication rule selected by the first user;
  
  establish a second set of authentication rules for the second user, wherein the second set of authentication rules identifies;
  
  a number of authentication rules selected by the second user; and
  
  an authentication type for each authentication rule selected by the second user;
  
  generate a first authentication key fragment comprising a first portion of the authentication key;
  
  generate a second authentication key fragment comprising a second portion of the authentication key;
  
  send the first authentication key fragment to the first user device; and
  
  send the second authentication key fragment to the second user device.
- View Dependent Claims (8, 9, 10, 11, 12, 13)
- - 8. The device of claim 7, wherein:
    - the network interface is in signal communication with a third-party server; and
      
      the authentication engine is configured to;
      
      receive an authentication request comprising the second authentication key fragment from the third-party server;
      
      interrogate the second user via the second user device using the second set of authentication rules;
      
      determine the second set of authentication rules are satisfied;
      
      validate the second authentication key fragment in response to determining the second set of authentication rules are satisfied;
      
      send an approval request to the first user device in response to validating the second authentication key fragment;
      
      receive the first authentication key fragment in response to sending the approval request;
      
      interrogate the first user via the first user device using the first set of authentication rules;
      
      determine the first set of authentication rules are satisfied;
      
      validate the first authentication key fragment in response to determining the first set of authentication rules are satisfied; and
      
      send an authentication approval to the third-party server in response to validating the first authentication key fragment, wherein sending the authentication approval to the third-party server triggers an action to be performed with the account linked with the first user.
  - 9. The device of claim 7, wherein:
    - the network interface is in signal communication with a cloud server;
      
      the authentication engine is configured to;
      
      obtain location history linked with the first user from the cloud server, wherein the location history identifies one or more frequently visited locations by the first user;
      
      receive an authentication request comprising the first authentication key fragment and a current location for the first user device using the first authentication key fragment;
      
      determine the current location is a location from among the one or more frequently visited locations by the first user;
      
      interrogate the first user via the first user device using the first set of authentication rules;
      
      determine the first set of authentication rules are satisfied; and
      
      validate the first authentication key fragment in response to determining the first set of authentication rules are satisfied and determining that the current location of the first user device is a location from among the one or more frequently visited locations by the first user.
  - 10. The device of claim 7, wherein:
    - the network interface is in signal communication with a cloud server;
      
      the authentication engine is configured to;
      
      obtain device information linked with the first user device from the cloud server, wherein the device information identifies the first user device;
      
      receive an authentication request comprising the first authentication key and device information for a user device using the first authentication key fragment;
      
      determine the device information for the user device matches the device information linked with the first user device;
      
      interrogate the first user via the first user device using the first set of authentication rules;
      
      determine the first set of authentication rules are satisfied; and
      
      validate the first authentication key fragment in response to determining the first set of authentication rules are satisfied and determining that the device information for the user device matches the device information linked with the first user device.
  - 11. The device of claim 7, wherein:
    - the network interface is in signal communication with a cloud server;
      
      the authentication engine is configured to;
      
      obtain user history information linked with the first user from the cloud server, wherein the user history information identifies;
      
      transactions linked with the first user; and
      
      vendors associated with the transactions linked with the first user;
      
      receive an authentication request comprising a vendor identifier and the first authentication key;
      
      determine the vendor identifier corresponds with one of the vendors associated with the transactions linked with the first user;
      
      interrogate the first user via the first user device using the first set of authentication rules;
      
      determine the first set of authentication rules are satisfied; and
      
      validate the first authentication key fragment in response to determining the first set of authentication rules are satisfied and determining that the vendor identifier corresponds with one of the vendors associated with the transactions linked with the first user.
  - 12. The device of claim 7, wherein:
    - the authentication engine is configured to set a validation timer for the first authentication key fragment and the second key fragment;
      
      the first authentication key fragment and the second authentication key fragment are only valid while the validation timer is active.
  - 13. The device of claim 7, wherein the first set of authentication rules comprises at least one authentication rules with a biometric authentication type.

14. An authentication method, comprising:
- receiving, by an authentication server, an authentication key request from a first user device associated with a first user, wherein the authentication key request identifies;
  
  an account linked with the first user; and
  
  a second user device associated with a second user, wherein the second user is different from the first user;
  
  generating, by the authentication server, an authentication key in response to receiving the authentication key request;
  
  establishing, by the authentication server and the first user device, a first set of authentication rules for the first user, wherein the first set of authentication rules identifies;
  
  a number of authentication rules selected by the first user; and
  
  an authentication type for each authentication rule selected by the first user;
  
  establishing, by the authentication server and the second user device, a second set of authentication rules for the second user, wherein the second set of authentication rules identifies;
  
  a number of authentication rules selected by the second user; and
  
  an authentication type for each authentication rule selected by the second user;
  
  generating, by the authentication server, a first authentication key fragment comprising a first portion of the authentication key;
  
  generating, by the authentication server, a second authentication key fragment comprising a second portion of the authentication key;
  
  sending, by the authentication server, the first authentication key fragment to the first user device; and
  
  sending, by the authentication server, the second authentication key fragment to the second user device.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The method of claim 14, further comprising:
    - receiving, by the authentication server, an authentication request comprising the second authentication key fragment from a third-party server;
      
      interrogating, by the authentication server, the second user via the second user device using the second set of authentication rules;
      
      determining, by the authentication server, the second set of authentication rules are satisfied;
      
      validating, by the authentication server, the second authentication key fragment in response to determining the second set of authentication rules are satisfied;
      
      sending, by the authentication server, an approval request to the first user device in response to validating the second authentication key fragment;
      
      receiving, by the authentication server, the first authentication key fragment in response to sending the approval request;
      
      interrogating, by the authentication server, the first user via the first user device using the first set of authentication rules;
      
      determining, by the authentication server, the first set of authentication rules are satisfied;
      
      validating, by the authentication server, the first authentication key fragment in response to determining the first set of authentication rules are satisfied; and
      
      sending, by the authentication server, an authentication approval to the third-party server in response to validating the first authentication key fragment, wherein sending the authentication approval to the third-party server triggers an action to be performed with the account linked with the first user.
  - 16. The method of claim 14, further comprising:
    - obtaining, by the authentication server, location history linked with the first user from a cloud server, wherein the location history identifies one or more frequently visited locations by the first user;
      
      receiving, by the authentication server, an authentication request comprising the first authentication key fragment and a current location for the first user device using the first authentication key fragment;
      
      determining, by the authentication server, the current location is a location from among the one or more frequently visited locations by the first user;
      
      interrogating, by the authentication server, the first user via the first user device using the first set of authentication rules;
      
      determining, by the authentication server, the first set of authentication rules are satisfied; and
      
      validating, by the authentication server, the first authentication key fragment in response to determining the first set of authentication rules are satisfied and determining that the current location of the first user device is a location from among the one or more frequently visited locations by the first user.
  - 17. The method of claim 14, further comprising:
    - obtaining, by the authentication server, device information linked with the first user device from a cloud server, wherein the device information identifies the first user device;
      
      receiving, by the authentication server, an authentication request comprising the first authentication key and device information for a user device using the first authentication key fragment;
      
      determining, by the authentication server, the device information for the user device matches the device information linked with the first user device;
      
      interrogating, by the authentication server, the first user via the first user device using the first set of authentication rules;
      
      determining, by the authentication server, the first set of authentication rules are satisfied; and
      
      validating, by the authentication server, the first authentication key fragment in response to determining the first set of authentication rules are satisfied and determining that the device information for the user device matches the device information linked with the first user device.
  - 18. The method of claim 14, further comprising:
    - obtaining, by the authentication server, user history information linked with the first user from a cloud server, wherein the user history information identifies;
      
      transactions linked with the first user; and
      
      vendors associated with the transactions linked with the first user;
      
      receiving, by the authentication server, an authentication request comprising a vendor identifier and the first authentication key;
      
      determining, by the authentication server, the vendor identifier corresponds with one of the vendors associated with the transactions linked with the first user;
      
      interrogating, by the authentication server, the first user via the first user device using the first set of authentication rules;
      
      determining, by the authentication server, the first set of authentication rules are satisfied; and
      
      validating, by the authentication server, the first authentication key fragment in response to determining the first set of authentication rules are satisfied and determining that the vendor identifier corresponds with one of the vendors associated with the transactions linked with the first user.
  - 19. The method of claim 14, further comprising setting, by the authentication server, a validation timer for the first authentication key fragment and the second key fragment;
    - andwherein the first authentication key fragment and the second authentication key fragment are only valid while the validation timer is active.
  - 20. The method of claim 14, wherein the first set of authentication rules comprises at least one authentication rules with a biometric authentication type.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Bank of America Corp.
Original Assignee
Bank of America Corp.
Inventors
Kurian, Manu J., Allen, Morgan S., Arora, Ashish, Heddleson, James M.
Primary Examiner(s)
Jeudy, Josnel

Application Number

US15/679,793
Publication Number

US 20190058992A1
Time in Patent Office

803 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/083   using passwords cryptograph...

H04L 63/20   for managing network securi...

H04W 12/06   Authentication

Multifactor network authentication

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Multifactor network authentication

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links