Methods and apparatus for risk-based authentication between two servers on behalf of a user
4 Assignments
0 Petitions
Abstract
Methods and apparatus are provided for risk-based authentication between two servers on behalf of a user. A method is provided for controlling access by a consumer to a service provider on behalf of a user. An authentication request is issued responsive to an initial access request from the consumer to access the service provider on behalf of the user. An access token is provided to the consumer upon approval from the user to grant access to the consumer. Upon receiving a subsequent access request from the consumer with the access token to access the service provider on behalf of the user, a risk analysis is performed to determine if the subsequent access request should be granted. The risk analysis can determine if the subsequent access complies with one or more rules of the user. The user is optionally prompted to specify whether to allow the subsequent access request and/or future similar transactions.
20 Claims
1. A method for controlling access by a consumer to a service provider on behalf of a user, the method comprising the steps of:
obtaining by an authentication manager and gateway one or more rules from said user specifying one or more permissions of the consumer;
issuing an authentication request responsive to an initial access request from the consumer to access the service provider on behalf of the user in accordance with a server-to-server protocol;
providing an access token to the consumer upon approval from the user to grant access to the consumer on behalf of said user, wherein said access token authorizes the consumer to act on behalf of said user until said access token is revoked;
enabling said consumer to use said access token for initial access to the service provider on behalf of the user;
receiving, using at least one processing device of the authentication manager and gateway, a subsequent access request from the consumer with said access token to access the service provider on behalf of the user, wherein the subsequent access request is subsequent to said initial access to the service provider;
performing a risk analysis, using at least one processing device of the authentication manager and gateway, in response to receiving from said consumer said subsequent access request with said access token authorizing the consumer to act on behalf of said user when said access token has not been revoked, to improve security by detecting an anomalous access request by said authorized consumer, wherein said risk analysis (i) determines when the subsequent access request from said consumer to act on behalf of said user should be granted, and (ii) determines when said subsequent access request demonstrates anomalous behavior comprising one or more of abnormal, risky and atypical behavior relative to (a) prior transactions, stored in at least one memory, performed by said consumer on behalf of said user, and (b) said one or more rules, stored in said at least one memory, specified by said user who has granted access to the consumer on behalf of said user;
initiating an investigating by the user when the subsequent access request is denied by the authentication manager and gateway based upon said risk analysis; and
prompting said user, by the authentication manager and gateway, based on said risk analysis, to specify whether to allow said subsequent access request by said consumer when said subsequent access request is determined to demonstrate said anomalous behavior;
receiving an updating of the one or more rules by the user based upon the results of the user investigating when the subsequent access request was denied; and
validating the updated one or more rules by the authentication manager and gateway.
(Dependent claims 2, 3, 4, 5, 6 and 7 are not reproduced here.)
8. An apparatus for controlling access by a consumer to a service provider on behalf of a user, the apparatus comprising:
a memory; and at least one processing device, coupled to the memory, operative to implement the following steps:
obtaining by an authentication manager and gateway one or more rules from said user specifying one or more permissions of the consumer;
issuing an authentication request responsive to an initial access request from the consumer to access the service provider on behalf of the user in accordance with a server-to-server protocol;
providing an access token to the consumer upon approval from the user to grant access to the consumer on behalf of said user, wherein said access token authorizes the consumer to act on behalf of said user until said access token is revoked;
enabling said consumer to use said access token for initial access to the service provider on behalf of the user;
receiving, using at least one processing device of the authentication manager and gateway, a subsequent access request from the consumer with said access token to access the service provider on behalf of the user, wherein the subsequent access request is subsequent to said initial access to the service provider;
performing a risk analysis, using at least one processing device of the authentication manager and gateway, in response to receiving from said consumer said subsequent access request with said access token authorizing the consumer to act on behalf of said user when said access token has not been revoked, to improve security by detecting an anomalous access request by said authorized consumer, wherein said risk analysis (i) determines when the subsequent access request from said consumer to act on behalf of said user should be granted, and (ii) determines when said subsequent access request demonstrates anomalous behavior comprising one or more of abnormal, risky and atypical behavior relative to (a) prior transactions, stored in at least one memory, performed by said consumer on behalf of said user, and (b) said one or more rules, stored in said at least one memory, specified by said user who has granted access to the consumer on behalf of said user;
initiating an investigating by the user when the subsequent access request is denied by the authentication manager and gateway based upon said risk analysis; and
prompting said user, by the authentication manager and gateway, based on said risk analysis, to specify whether to allow said subsequent access request by said consumer when said subsequent access request is determined to demonstrate said anomalous behavior;
receiving an updating of the one or more rules by the user based upon the results of the user investigating when the subsequent access request was denied; and
validating the updated one or more rules by the authentication manager and gateway.
(Dependent claims 9, 10, 11, 12 and 13 are not reproduced here.)
14. An article of manufacture for controlling access by a consumer to a service provider on behalf of a user, comprising a non-transitory machine readable recordable medium containing one or more programs which when executed implement the steps of:
obtaining by an authentication manager and gateway one or more rules from said user specifying one or more permissions of the consumer;
issuing an authentication request responsive to an initial access request from the consumer to access the service provider on behalf of the user in accordance with a server-to-server protocol;
providing an access token to the consumer upon approval from the user to grant access to the consumer on behalf of said user, wherein said access token authorizes the consumer to act on behalf of said user until said access token is revoked;
enabling said consumer to use said access token for initial access to the service provider on behalf of the user;
receiving, using at least one processing device of the authentication manager and gateway, a subsequent access request from the consumer with said access token to access the service provider on behalf of the user, wherein the subsequent access request is subsequent to said initial access to the service provider;
performing a risk analysis, using at least one processing device of the authentication manager and gateway, in response to receiving from said consumer said subsequent access request with said access token authorizing the consumer to act on behalf of said user when said access token has not been revoked, to improve security by detecting an anomalous access request by said authorized consumer, wherein said risk analysis (i) determines when the subsequent access request from said consumer to act on behalf of said user should be granted, and (ii) determines when said subsequent access request demonstrates anomalous behavior comprising one or more of abnormal, risky and atypical behavior relative to (a) prior transactions, stored in at least one memory, performed by said consumer on behalf of said user, and (b) said one or more rules, stored in said at least one memory, specified by said user who has granted access to the consumer on behalf of said user;
initiating an investigating by the user when the subsequent access request is denied by the authentication manager and gateway based upon said risk analysis; and
prompting said user, by the authentication manager and gateway, based on said risk analysis, to specify whether to allow said subsequent access request by said consumer when said subsequent access request is determined to demonstrate said anomalous behavior;
receiving an updating of the one or more rules by the user based upon the results of the user investigating when the subsequent access request was denied; and
validating the updated one or more rules by the authentication manager and gateway.
(Dependent claims 15, 16, 17, 18, 19 and 20 are not reproduced here.)
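The flow described in the abstract and in claims 1, 8 and 14 (user rules obtained first, a token issued on the user's approval and valid until revoked, a risk analysis of every subsequent request against the consumer's prior transactions and the user's rules, a prompt to the user on anomalous requests, and validation of any rules the user updates after investigating a denial), as an added Python illustration. This is not the patent's own implementation: the `Gateway` class, the two anomaly thresholds (an action type the consumer has never used, or an amount above three times that consumer's past peak for the action) and the sample user and consumer names are assumptions made for the example.

```python
"""Toy authentication manager and gateway for server-to-server access on a
user's behalf.  Added illustration only: it is not the patent's implementation,
and the class, thresholds and sample names below are assumptions."""
from dataclasses import dataclass
import secrets

ALLOW, DENY, PROMPT = "allow", "deny", "prompt"


@dataclass
class Rules:
    """Permissions the user grants a consumer (the claims' 'one or more rules')."""
    actions: set        # action types the consumer may perform
    max_amount: float   # per-transaction ceiling


@dataclass
class Request:
    action: str
    amount: float


class Gateway:
    """Authentication manager and gateway between consumer and service provider."""

    def __init__(self):
        self.rules = {}       # (user, consumer) -> Rules
        self.tokens = {}      # access token -> (user, consumer)
        self.revoked = set()  # tokens the user has withdrawn
        self.history = {}     # (user, consumer) -> prior granted Requests
        self.pending = {}     # ticket -> (key, Request, verdict) awaiting the user

    @staticmethod
    def validate_rules(rules):
        # The gateway validates every rule set before storing it.
        if not rules.actions or rules.max_amount <= 0:
            raise ValueError("invalid rules")

    def set_rules(self, user, consumer, rules):
        self.validate_rules(rules)
        self.rules[(user, consumer)] = rules

    def approve(self, user, consumer, user_approved):
        """Issue a token only on the user's approval; it stays valid until revoked."""
        if not user_approved or (user, consumer) not in self.rules:
            return None
        token = secrets.token_urlsafe(16)
        self.tokens[token] = (user, consumer)
        return token

    def revoke(self, token):
        self.revoked.add(token)

    def risk_analysis(self, key, req):
        """Check the request against (b) the user's rules, then (a) prior transactions."""
        rules = self.rules[key]
        if req.action not in rules.actions or req.amount > rules.max_amount:
            return DENY                      # outside what the user permitted
        prior = self.history.get(key, [])
        same = [p for p in prior if p.action == req.action]
        if prior and not same:
            return PROMPT                    # action type never used by this consumer
        if same and req.amount > 3 * max(p.amount for p in same):
            return PROMPT                    # amount far above this consumer's past peak
        return ALLOW

    def access(self, token, req):
        """Handle an access request. Returns (verdict, ticket); ticket is set when the user must act."""
        if token not in self.tokens or token in self.revoked:
            return DENY, None
        key = self.tokens[token]
        # The initial access has no history, so only the rules constrain it.
        verdict = self.risk_analysis(key, req)
        if verdict == ALLOW:
            self.history.setdefault(key, []).append(req)
            return ALLOW, None
        ticket = secrets.token_hex(4)
        self.pending[ticket] = (key, req, verdict)
        return verdict, ticket

    def resolve(self, ticket, allow, new_rules=None):
        """User's answer to a prompt, or the outcome of investigating a denial.
        A rules-based denial is never overridden; the user may instead update the
        rules, which are validated before taking effect."""
        key, req, verdict = self.pending.pop(ticket)
        if new_rules is not None:
            self.set_rules(key[0], key[1], new_rules)
        if allow and verdict == PROMPT:
            self.history.setdefault(key, []).append(req)
            return ALLOW
        return DENY
```

The ordering in `risk_analysis` mirrors the claims: a request that violates the user's stated permissions is denied outright and handed to the user for investigation, while a request that is within the rules but out of line with the consumer's own history is held and the user is asked to decide. Because history only records granted requests, a user who approves a prompted transaction also raises the baseline for "similar" future transactions, which is the "future similar transactions" behaviour the abstract mentions.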