Dynamic authorization with adaptive levels of assurance
First Claim
1. A method for authorizing a requested transaction from a Client Device during an active session, the method comprising:
receiving over a first secure communication channel, at a level of assurance (LOA) server having a secured configurable memory, a request from a Relying Party (RP) Services Application for the requested transaction from the Client Device;
determining, at the LOA Server, that the requested transaction requires a higher level of assurance than a current level of assurance associated with the active session of the Client Device based on i) new levels of service required by the requested transaction, or ii) different levels of risk calculated by a plurality of contextual identifiers based on a context of the Client Device, network or an LOA Provider device provisioned by the Client Device;
sending over a second secure communication channel, by the LOA Server, an authorization request for the requested transaction to the LOA Provider device, wherein the authorization request comprises information indicating a higher level of authorization credentials required for elevating the level of assurance of the active session;
receiving over a third secure communication channel, at the LOA Server, from the LOA Provider device at least one of a plurality of required authorization credentials including proximity of the LOA Provider to the Client Device for elevating the LOA associated with the active session;
determining, at the LOA Server, that the at least one of the plurality of authorization credentials received from the LOA Provider device is sufficient to elevate the active session to the higher LOA; and
sending authorization for servicing of the Client Device requested transaction to the RP Services Application.
Abstract
A system and method for issuing an authorization token and performing real time multi-factor authentication using a unique device or devices to enable authorization to perform secure services for an online service based on a desired, on-demand level of assurance. The level of assurance of the authentication may be on a distributed and dynamic authenticated system. This dynamic system delivers an on-demand level of assurance depending on the Relying Party's (RP) requirements, orchestrated by policies set by the RP and/or the consumer (or user agent), and possibly augmented by other regulatory requirements based on a fine-grain control requirement of the authentication token(s). The level of assurance throttles up and down depending on each transaction's authentication requirement.
28 Claims
1. (Independent claim; quoted in full under First Claim above.) Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 26, 27, 28
11. A method comprising:
receiving a request over a first secure communication channel for a Client Device registration of level of assurance (LOA) Provider device at an LOA Server having a secure configurable memory, said request for the Client Device registration including a plurality of attributes and credentials, wherein the attributes are at least a unique identification information associated with the Client Device and the credentials are at least unique information associated with the LOA Provider device;
identifying at the LOA Server the identity of the LOA Provider device by performing a plurality of verification steps on the plurality of attributes and credentials including proximity of the LOA Provider Device to the Client Device;
storing verified attributes and verified credentials at the LOA Server with a predetermined time to live value, wherein time to live is a predetermined time that the attributes or verified credentials are valid;
performing a refresh to at least some of the verified attributes and the verified credentials based on predetermined policies and on demand from a Relying Party Server;
receiving at the LOA server, a requested transaction from the Client Device;
determining, at the LOA Server, that the requested transaction requires a higher level of assurance than a current level of assurance associated with an active session of the Client Device based on i) new levels of service required by the requested transaction, or ii) different levels of risk calculated by a plurality of contextual identifiers based on a context of the Client Device, network or an LOA Provider device; and
sending authorization from the LOA Server for servicing of the higher level of assurance requested transaction to the Client Device.
Dependent claims: 12, 13, 14, 15
16. A method for facilitating an interaction of a Level of Assurance (LOA) Server with a Relying Party (RP) Server in a sequence of transactions with different Levels of Assurance (LOA), said method comprising:
enrolling with the LOA Server having a configurable memory at least one of a plurality of LOA Provider devices associated with an entity;
uniquely identifying each of said entity enrolled LOA Provider devices to the RP Server;
receiving at the LOA Server from an entity Client Device authentication of the enrolled LOA Provider devices to approve a secure interaction between the Client Device and the RP Server;
authenticating at the LOA Server the Client Device up to a predetermined LOA using a plurality of contextual factors including proximity of the Client Device and at least one of the LOA Provider devices to be provided on demand from the at least one of the LOA Provider devices and sending real time authorization and authentication over a secure communication channel to the RP Server;
performing selective policy enforcement at the LOA Server on the LOA Provider devices based on criteria received from the Client Device, a desired LOA, and criteria set by the RP Server; and
selectively approving or denying interactions at the LOA Server for the RP Server for transactions.
Dependent claims: 17
18. A method comprising:
authenticating at a Level Of Assurance (LOA) Server from an RP Service Application executing on a Client Device, over secure communication channels both an RP Server and an LOA Provider to enable an interaction based on a LOA;
receiving at the LOA Server a request from the Client Device to register the LOA Provider device, the request including a first unique identifier, said first unique identifier including at least one of a group consisting of: a unique user identification, a unique identity of the person, an International Mobile Equipment Identity (IMEI), a phone number, and a first secret message;
receiving at the LOA Server over a secure communication channel from the LOA Provider device an LOA Provider registration message;
receiving at the LOA server a request from the RP Services Application a requested transaction;
determining, at the LOA Server, that a requested transaction requires a higher level of assurance than a current level of assurance associated with the active session of the Client Device based on i) new levels of service required by the requested transaction, or ii) different levels of risk calculated by a plurality of contextual identifiers based on a context of the Client Device, network or an LOA Provider device; and
sending authorization from the LOA Server for servicing of the higher level of assurance requested transaction to the RP Services Application.
Dependent claims: 19, 20, 21, 22, 23, 24, 25
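The independent claims above describe one decision loop: the LOA Server compares the level a transaction needs (service level plus contextual risk) against the level the active session currently holds, asks the LOA Provider device for whatever credentials close the gap, stores verified credentials with a time to live, and authorizes only when the refreshed session level is sufficient. The following Python model is an added illustration of that loop (claims 1 and 11), not code from the patent or its assignee. The LOA ladder, the credential catalogue and its TTL values, the per-service policy, the risk weights, and the `ask_provider` callback that stands in for the secure channels to the LOA Provider device are all hypothetical; verification of the underlying proofs (challenge signatures, proximity measurements) is outside the model, which accepts a presented credential kind as already verified.

```python
"""Step-up (adaptive LOA) authorization model, after claims 1 and 11.
All levels, TTLs, policies and weights below are hypothetical example values."""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Callable


class LOA(IntEnum):
    NONE = 0        # no live credential: session must re-authenticate
    PASSWORD = 1    # something the user knows
    POSSESSION = 2  # registered LOA Provider device answered a challenge
    PROXIMITY = 3   # ...and was measured to be near the Client Device
    BIOMETRIC = 4   # ...and its owner passed a local biometric check


# Hypothetical credential catalogue: the LOA each kind supports and how long
# one verification of it stays valid (the claim's "time to live", seconds).
CREDENTIALS = {
    "password":   (LOA.PASSWORD,   8 * 3600),
    "possession": (LOA.POSSESSION, 15 * 60),
    "proximity":  (LOA.PROXIMITY,  2 * 60),
    "biometric":  (LOA.BIOMETRIC,  60),
}

# Hypothetical RP policy: base LOA demanded by each service level.
SERVICE_LOA = {
    "view_balance":    LOA.PASSWORD,
    "pay_known_payee": LOA.POSSESSION,
    "pay_new_payee":   LOA.PROXIMITY,
    "change_limits":   LOA.BIOMETRIC,
}


@dataclass
class Verified:
    kind: str
    at: float  # time at which the LOA Server verified this credential

    def valid(self, now: float) -> bool:
        return now - self.at < CREDENTIALS[self.kind][1]


@dataclass
class Session:
    client_id: str
    verified: list = field(default_factory=list)

    def loa(self, now: float) -> LOA:
        """Current LOA: the highest level still backed by an unexpired credential."""
        levels = [CREDENTIALS[v.kind][0] for v in self.verified if v.valid(now)]
        return max(levels) if levels else LOA.NONE


def risk_uplift(context: dict) -> int:
    """Contextual identifiers (device, network, provider location) raise the
    required level; the weights are illustrative, not from the patent."""
    uplift = 0
    if not context.get("device_known", False):
        uplift += 1
    if context.get("network") in ("public", "anonymizer"):
        uplift += 1
    if not context.get("provider_geo_matches_client", True):
        uplift += 1
    return uplift


def required_loa(transaction: str, context: dict) -> LOA:
    base = SERVICE_LOA[transaction]
    return LOA(min(LOA.BIOMETRIC, base + risk_uplift(context)))


def authorize(session: Session, transaction: str, context: dict,
              ask_provider: Callable[[dict], list], now: float):
    """Return (decision, loa_required, loa_after).
    ask_provider stands in for the second and third secure channels: it is
    sent the credential kinds needed and returns the kinds it could present."""
    need = required_loa(transaction, context)
    have = session.loa(now)
    if have >= need:
        return ("authorized", need, have)
    # Step-up: request every credential kind between the current and required level.
    wanted = [k for k, (lvl, _) in CREDENTIALS.items() if have < lvl <= need]
    presented = ask_provider({"client_id": session.client_id, "credentials": wanted})
    for kind in presented:
        if kind in CREDENTIALS:  # unknown kinds are ignored
            session.verified.append(Verified(kind, now))  # stored with its TTL
    have = session.loa(now)
    return ("authorized" if have >= need else "denied", need, have)


def demo():
    """Constructed scenario: one session, four transactions over five minutes."""
    now = 1_700_000_000.0
    s = Session("client-42", [Verified("password", now - 60)])
    # Stand-in LOA Provider device: can prove possession and proximity, not biometric.
    provider = lambda req: [k for k in req["credentials"] if k != "biometric"]
    home = {"device_known": True, "network": "home"}
    r1 = authorize(s, "view_balance", home, provider, now)              # no step-up
    r2 = authorize(s, "pay_new_payee", home, provider, now)             # step-up to PROXIMITY
    risky = {"device_known": False, "network": "public"}
    r3 = authorize(s, "pay_new_payee", risky, provider, now + 10)       # risk pushes need to BIOMETRIC
    r4 = authorize(s, "pay_new_payee", home, provider, now + 300)       # proximity expired, re-proved
    return r1, r2, r3, r4


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The fourth call is the refresh behaviour of claim 11: the proximity credential's TTL has lapsed, so the session silently drops to POSSESSION and the server asks the provider device for a fresh proximity proof before authorizing. The third call shows the risk path of the "determining" step: the same service level, requested from an unknown device on a public network, is pushed to a level the provider device cannot satisfy and is denied.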