First factor contactless card authentication system and method

US 10,541,995 B1
Filed: 07/23/2019
Issued: 01/21/2020
Est. Priority Date: 07/23/2019
Status: Active Grant

First Claim

Patent Images

1. A method for authorizing accesses to applications by clients includes the steps of:

receiving a request to access an application from a first client device;

identifying a client associated with the first client device;

validating authenticity of the request by forwarding a notification of the request to a second client device associated with the client, the second client device associated with the contactless card;

receiving a response from the second client device, the response comprising authentication information comprising a username and a dynamic password retrieved by the second client device from a contactless card associated with the client, wherein at least the username is encoded using a hash algorithm and the dynamic password relates to a counter maintained for the client and related to a number of times that the username is retrieved from the contactless card;

comparing the username and dynamic password retrieved by the second client device against an expected username and expected dynamic password for the client;

responsive to a match between the username and the expected username and the dynamic password and the expected dynamic password, authenticating the request and launching the application at the first client device; and

updating and storing the dynamic password associated with the client.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A password-less authentication system and method include registering a contactless card of a client with an application service and binding the contactless card to one or more client devices. The contactless card advantageously stores a username and a dynamic password. Accesses by the client to the application service may be made using any client device, and authentication of the accesses may be performed by any client device that includes a contactless card interface and can retrieve the username and dynamic password pair from the contactless card. By storing the username on the card, rather than requiring user input, application security improved because access to and knowledge of login credentials is limited. In addition, the use of a dynamic password reduces the potential of malicious access.

559 Citations

16 Claims

1. A method for authorizing accesses to applications by clients includes the steps of:
- receiving a request to access an application from a first client device;
  
  identifying a client associated with the first client device;
  
  validating authenticity of the request by forwarding a notification of the request to a second client device associated with the client, the second client device associated with the contactless card;
  
  receiving a response from the second client device, the response comprising authentication information comprising a username and a dynamic password retrieved by the second client device from a contactless card associated with the client, wherein at least the username is encoded using a hash algorithm and the dynamic password relates to a counter maintained for the client and related to a number of times that the username is retrieved from the contactless card;
  
  comparing the username and dynamic password retrieved by the second client device against an expected username and expected dynamic password for the client;
  
  responsive to a match between the username and the expected username and the dynamic password and the expected dynamic password, authenticating the request and launching the application at the first client device; and
  
  updating and storing the dynamic password associated with the client.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1 wherein the first client device and the second client device comprise different devices and the second client device is used to authenticate the request made by the first client device.
  - 3. The method of claim 2 wherein the step of launching the application includes the steps of building a communication link between a web session associated with the request and the second client device to enable the second client device to forward an authentication to the web session to launch the application.
  - 4. The method of claim 2 wherein the step of launching the application includes the step of monitoring second client device communications to detect an approval of the request and selectively launching the application in response to detection of the approval.
  - 5. The method of claim 1 wherein the first client device and the second client device comprise the same device.
  - 6. The method of claim 1 further comprising the steps of registering the first client device and second client device to the client.
  - 7. The method of claim 5 wherein at the hash algorithm comprises a SHA-2 hash algorithm, a Triple Data Encryption Algorithm, a symmetric Hash Based Message Authentication (HMAC) algorithm, a symmetric cypher-based message authentication code (CMAC) algorithm or a combination thereof.
  - 8. The method of claim 1 further including the step of prompting the client to retrieve the username and dynamic password from the contactless card associated with the client.
  - 9. The method of claim 1 wherein the dynamic password relates to a counter maintained by the client and related to a number of times that the username is retrieved from the contactless card.

10. A system for controlling accesses to applications by clients includes:
- a processor;
  
  an interface configured to receive an access request, made by a first client device associated with a client, for access to an application;
  
  a non-transitory storage medium comprising a client table configured to store an expected username and an expected dynamic password for the client;
  
  program code stored on the non-transitory storage medium and operable when executed upon by the processor to;
  
  forward a notification of the access request made by the first client device to a second client device associated with the client and the contactless card;
  
  receive a response from the second client device, the response comprising a cryptogram comprising a username and a dynamic password retrieved by the second client device from a contactless card associated with the client, wherein the cryptogram is encoded using a hash algorithm and the dynamic password relates to a counter maintained for the client and related to a number of times that the username is retrieved from the contactless card;
  
  compare the username and dynamic password retrieved by the second client device from the contactless card associated with the client against the expected username and expected dynamic password for the client;
  
  selectively approve the authentication request in response to a first match between the username and the expected username and to a second match between the dynamic password and the expected dynamic password; and
  
  in response to an approval of the authentication request, updating the expected dynamic password for the client.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The system of claim 10 wherein the first client device and the second client device comprise different devices and the second client device is used to authenticate requests made by the first client device.
  - 12. The system of claim 10 wherein the first client device and the second client device comprise the same device.
  - 13. The system of claim 10 wherein the program code is further configured to register the first client device and second client device to the client.
  - 14. The system of claim 10 wherein the hash algorithm includes a SHA-2 hash algorithm, a Triple Data Encryption Algorithm, a symmetric Hash Based Message Authentication (HMAC) algorithm, a symmetric cypher-based message authentication code (CMAC) algorithm, or a combination thereof.
  - 15. The system of claim 10 wherein the program code is further configured to prompt the client to retrieve the username and dynamic password from the contactless card associated with the client.
  - 16. The system of claim 10 wherein the at least one entry of the client table includes a master key and a counter associated with the client, and wherein the program code is further configured to:
    - generate a diversified key for the client in response to the counter and master key for the client; and
      
      decrypt the cryptogram using the diversified key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Capital One Services LLC (Capital One Financial Corporation)
Original Assignee
Capital One Services LLC (Capital One Financial Corporation)
Inventors
Mossler, Lara, Newman, Kaitlin, Osborn, Kevin
Primary Examiner(s)
Ho, Dao Q

Application Number

US16/519,079
Time in Patent Office

182 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/35   communicating wirelessly

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/083   using passwords cryptograph...

H04L 63/0838   using one-time-passwords

H04L 63/0846   using time-dependent-passwo...

H04L 63/0853   using an additional device,...

H04L 9/0861   Generation of secret inform...

H04L 9/3228   One-time or temporary data,...

H04L 9/3242   involving keyed hash functi...

H04W 12/06   Authentication

First factor contactless card authentication system and method

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

559 Citations

16 Claims

Specification

Use Cases

Quick Links

Others

First factor contactless card authentication system and method

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

559 Citations

16 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others