Enhanced security authentication system

US 10,623,402 B2
Filed: 04/20/2017
Issued: 04/14/2020
Est. Priority Date: 04/20/2017
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

authenticating transactions of a user across multiple interaction channels using an authentication service executing on a computer system, the authentication service;

receiving a first transaction over a first interaction channel, wherein the first interaction channel is one of the multiple interaction channels;

determining a numeric risk score for the first transaction based on a number of contextual risk factors;

determining a first authentication scheme from a number of authentication schemes for authenticating an identity of the user within a first authentication context, wherein the first authentication scheme is determined based on the first interaction channel and the numeric risk score;

using the first authentication scheme to authenticate the identity of the user within the first authentication context;

in response to successfully authenticating the identity of the user within the first authentication context, determining whether the first transaction is a permitted transaction based on an assurance level associated with the first authentication context;

in response to determining that the first transaction is the permitted transaction, authenticating the first transaction;

receiving a second transaction over a second interaction channel, wherein;

the second interaction channel is one of the multiple interaction channels; and

the second interaction channel is different than the first interaction channels; and

using a second authentication scheme to authenticate the user within a second authentication context different than the first authentication context, wherein the second authentication scheme is a same authentication scheme as the first authentication scheme.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, a computer system, and a computer program product for authenticating a transaction are provided. An authentication system receives the transaction over a particular channel of a plurality of support channels. A risk score is determined for the transaction based on a number of contextual risk factors. An authentication scheme is determined from a number of authentication schemes for authenticating an identity of the user within an authentication context. The authentication scheme is determined based on the particular channel and the risk score. In response to successfully authenticating the identity of the user within the authentication context, the authentication system determines whether the transaction is a permitted transaction based on an assurance level associated with the authentication context. In response to determining that the transaction is the permitted transaction, the transaction is authenticated.

Citations

36 Claims

1. A method, comprising:
- authenticating transactions of a user across multiple interaction channels using an authentication service executing on a computer system, the authentication service;
  
  receiving a first transaction over a first interaction channel, wherein the first interaction channel is one of the multiple interaction channels;
  
  determining a numeric risk score for the first transaction based on a number of contextual risk factors;
  
  determining a first authentication scheme from a number of authentication schemes for authenticating an identity of the user within a first authentication context, wherein the first authentication scheme is determined based on the first interaction channel and the numeric risk score;
  
  using the first authentication scheme to authenticate the identity of the user within the first authentication context;
  
  in response to successfully authenticating the identity of the user within the first authentication context, determining whether the first transaction is a permitted transaction based on an assurance level associated with the first authentication context;
  
  in response to determining that the first transaction is the permitted transaction, authenticating the first transaction;
  
  receiving a second transaction over a second interaction channel, wherein;
  
  the second interaction channel is one of the multiple interaction channels; and
  
  the second interaction channel is different than the first interaction channels; and
  
  using a second authentication scheme to authenticate the user within a second authentication context different than the first authentication context, wherein the second authentication scheme is a same authentication scheme as the first authentication scheme.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein the multiple interaction channels include a web-based authentication channel, a mobile authentication channel, a biometric authentication channel, a voice channel, and a risk-based authentication channel.
  - 3. The method of claim 1, wherein the same authentication context is selected from an identity management context, an organizational context, and a social context.
  - 4. The method of claim 1, wherein authenticating the transactions further includes the authentication service:
    - identifying the number of contextual risk factors based on context parameters of the first transaction; and
      
      wherein the context parameters include a transaction type, and at least one of a current authentication context, a time of day that the first transaction is received, a geographic location from which the first transaction is received, a device type used by the user to submit the first transaction, prior access behavioral patterns of the user, a keyword, and a quality of network.
  - 5. The method of claim 4, wherein the transaction type is selected from a lookup transaction, the transaction for authenticating the user, and managing privileges of an account of the user.
  - 6. The method of claim 4, wherein the first transaction is a lookup transaction, and further comprising the authentication service:
    - identifying a number of accounts based on information and the context parameters of the first transaction;
      
      returning an authentication prompt for information to disambiguate a user account from the number of accounts; and
      
      using the same authentication scheme to authenticate the identity of the user within the first authentication context, wherein the first authentication context is associated with the user account.
  - 7. The method of claim 6, wherein the number of accounts comprises the user account, a second account of the user, an account of a different user, and combinations thereof.
  - 8. The method of claim 4, wherein determining the first authentication scheme further comprises:
    - determining the first authentication scheme from the number of authentication schemes based on the first interaction channel, the numeric risk score, and a policy associated with a user profile.
  - 9. The method of claim 8, wherein the policy is based on one or more of a user preference, a risk level, and an organizational preference.
  - 10. The method of claim 8, further comprising the authentication service:
    - receiving the first transaction over the first interaction channel, wherein the first transaction includes the keyword that is associated with the user, wherein the keyword comprises one or more of a username, an email address, a name of an employer, a client identifier, or a company registration code;
      
      determining the user profile for the user based on the keyword; and
      
      returning an authentication prompt for credentials to authenticate the user according to the same authentication scheme.
  - 11. The method of claim 1, wherein authenticating the transactions further includes the authentication service:
    - generating a token in response to successfully authenticating the identity of the user within the first authentication context;
      
      sending the token to a user device; and
      
      storing the token on the user device, wherein the second transaction, is authenticated using the stored token with the second authentication context.
  - 12. The method of claim 1, wherein authenticating the transactions further includes the authentication service:
    - in response to determining that the first transaction is not the permitted transaction based on an identity assurance level of the first authentication context, determining a step-up authentication scheme for authenticating the identity of the user within a step-up authentication context, wherein the first transaction is the permitted transaction based on an identity assurance level associated with the step-up authentication context; and
      
      returning an authentication prompt for credentials to authenticate the identity of the user according to the step-up authentication scheme.

13. A computer system comprising:
- a hardware processor; and
  
  an authentication system in communication with the hardware processor, the authentication system consistently authenticating a user across multiple interaction channels by;
  
  a first authentication for a first interaction channel for the user performed by;
  
  receiving a first transaction over the first interaction channel, wherein the first interaction channel is one of the multiple interaction channels;
  
  determining a risk score for the first transaction based on a number of contextual risk factors;
  
  determining an authentication scheme from a number of authentication schemes for authenticating an identity of the user within a first authentication context, wherein the authentication scheme is determined based on the first interaction channel and the risk score;
  
  using the authentication scheme to authenticate the identity of the user within the first authentication context;
  
  in response to successfully authenticating the identity of the user within the first authentication context, determining whether the first transaction is a permitted transaction based on an assurance level associated with the first authentication context, wherein the assurance level is a classification of a certainty of identity that is selected based on the first authentication context; and
  
  in response to determining that the first transaction is the permitted transaction, authenticating the first transaction; and
  
  a second authentication for a second interaction channel for the user performed by;
  
  receiving a second transaction over the second interaction channel, wherein;
  
  the second interaction channel is one of the multiple interaction channels; and
  
  the second interaction channel is different than the first interaction channel; and
  
  using the authentication scheme to authenticate the identity of the user within a second authentication context different than the first authentication context.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 14. The computer system of claim 13, wherein the multiple interaction channels include a web-based authentication channel, a mobile authentication channel, a biometric authentication channel, a voice channel, and a risk-based authentication channel.
  - 15. The computer system of claim 13, wherein the first authentication context is selected from an identity management context, an organizational context, and a social context.
  - 16. The computer system of claim 13, wherein the first authentication further includes:
    - identifying the number of contextual risk factors based on context parameters of the first transaction; and
      
      wherein the context parameters include a transaction type and at least one of a current authentication context, a time of day that the first transaction is received, a geographic location from which the first transaction is received, a device type used by the user to submit the first transaction, prior access behavioral patterns of the user, a keyword, and a quality of network.
  - 17. The computer system of claim 16, wherein the transaction type is selected from a lookup transaction, authenticating the identity of the user, managing privileges of an account of the user.
  - 18. The computer system of claim 16, wherein the first transaction is a lookup transaction, and wherein the first authentication further includes:
    - identifying a number of accounts based on information and the context parameters of the first transaction;
      
      returning an authentication prompt for information to disambiguate a user account from the number of accounts; and
      
      using the authentication scheme to authenticate the identity of the user within the first authentication context, wherein the first authentication context is associated with the user account.
  - 19. The computer system of claim 18, wherein the number of accounts comprises the user account, a second account of the user, an account of a different user, and combinations thereof.
  - 20. The computer system of claim 16, wherein in determining the authentication scheme, the first authentication further includes:
    - determining the authentication scheme from the number of authentication schemes based on the first interaction channel, the risk score, and a policy associated with a user profile.
  - 21. The computer system of claim 20, wherein the policy is based on one or more of a user preference, a risk level, and an organizational preference.
  - 22. The computer system of claim 20, wherein the first authentication further includes:
    - receiving the first transaction over the first interaction channel, wherein the first transaction includes the keyword that is associated with the user, wherein the keyword comprises one or more of a username, an email address, a name of an employer, a client identifier, or a company registration code;
      
      determining the user profile for the user based on the keyword; and
      
      returning an authentication prompt for credentials to authenticate the identity of the user according to the authentication scheme.
  - 23. The computer system of claim 13, wherein:
    - the first authentication generates a token in response to successfully authenticating the identity of the user within the first authentication context;
      
      the token is sent from the authentication system to a user device;
      
      the token is stored on the user device; and
      
      the second transaction is authenticated using the token with the second authentication context.
  - 24. The computer system of claim 13, wherein the first authentication further includes:
    - in response to determining that the first transaction is not the permitted transaction based on an identity assurance level of the first authentication context;
      
      determining a step-up authentication scheme for authenticating the identity of the user within a step-up authentication context, wherein the first transaction is the permitted transaction based on an identity assurance level associated with the step-up authentication context; and
      
      returning an authentication prompt for credentials to authenticate the identity of the user according to the step-up authentication scheme.

25. A computer program product comprising:
- a computer readable storage medium having instructions stored thereon for reliably authenticating a user across multiple interaction channels, the instructions comprising;
  
  first program code for receiving a first transaction over a first interaction channel, wherein the first interaction channel is one of the multiple interaction channels;
  
  second program code for determining a risk score for the first transaction based on a number of contextual risk factors, wherein the risk score is a numeric score within a predefined range;
  
  third program code for determining a first authentication scheme from a number of authentication schemes for authenticating an identity of the user within a first authentication context, wherein the first authentication scheme is determined based on the first interaction channel and the risk score;
  
  fourth program code for using the first authentication scheme to authenticate the identity of the user within the first authentication context;
  
  fifth program code for determining, in response to successfully authenticating the identity of the user within the first authentication context, whether the first transaction is a permitted transaction based on an assurance level associated with the first authentication context;
  
  sixth program code for authenticating the first transaction in response to determining that the first transaction is the permitted transaction;
  
  seventh program code for receiving a second transaction over a second interaction channel, wherein;
  
  the second interaction channel is one of the multiple interaction channels; and
  
  the second interaction channel is different than the first interaction channel; and
  
  eighth program code for using a second authentication scheme to authenticate the user within a second authentication context different than the first authentication context, wherein the second authentication scheme is a same authentication scheme as the first authentication scheme.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36)
- - 26. The computer program product of claim 25, wherein the multiple interaction channels includes a web-based authentication channel, a mobile authentication channel, a biometric authentication channel, a voice channel, and a risk-based authentication channel.
  - 27. The computer program product of claim 25, wherein the first authentication context is selected from an identity management context, an organizational context, and a social context.
  - 28. The computer program product of claim 25, wherein the instructions further comprise:
    - ninth program code for identifying the number of contextual risk factors based on context parameters of the first transaction; and
      
      wherein the context parameters include a transaction type, and at least one of a current authentication context, a time of day that the first transaction is received, a geographic location from which the first transaction is received, a device type used by the user to submit the first transaction, prior access behavioral patterns of the user, keyword, and a quality of network.
  - 29. The computer program product of claim 28, wherein the transaction type is selected from a lookup transaction, authenticating the user and managing privileges of an account of the user.
  - 30. The computer program product of claim 28, wherein the first transaction is a lookup transaction, and the instructions further comprise:
    - tenth program code for identifying a number of accounts based on information and the context parameters of the first transaction;
      
      eleventh program code for returning an authentication prompt, for information to disambiguate a user account from the number of accounts; and
      
      twelfth program code for using the first authentication scheme to authenticate the identity of the user within the first authentication context, wherein the first authentication context is associated with the user account.
  - 31. The computer program product of claim 30, wherein the number of accounts comprises the user account, a second account of the user, an account of a different user, and combinations thereof.
  - 32. The computer program product of claim 28, wherein the third program code further comprises:
    - tenth program code for determining the first authentication scheme from the number of authentication schemes based on the first interaction channel, the risk score, and a policy associated with a user profile.
  - 33. The computer program product of claim 32, wherein the policy is based on one or more of a user preference, a risk level, or an organizational preference.
  - 34. The computer program product of claim 32, wherein the instructions further comprise:
    - eleventh program code for receiving the first transaction over the first interaction channel, wherein the first transaction includes a keyword that is associated with the user, and the keyword comprises one or more of a username, an email address, a name of an employer, a client identifier, or a company registration code;
      
      twelfth program code for determining the user profile for the user based on the keyword; and
      
      thirteenth program code for returning an authentication prompt for credentials to authenticate the user according to the first authentication scheme.
  - 35. The computer program product of claim 25, wherein the instructions further comprise:
    - ninth program code for generating a token in response to successfully authenticating the identity of the user within the first authentication context;
      
      tenth program code for sending the token from an authentication system to a user device, wherein the token is stored on the user device; and
      
      eleventh program code for receiving a second transaction and using the token with the second authentication scheme to authenticate the user within the second authentication context.
  - 36. The computer program product of claim 25, wherein the instructions further comprise:
    - ninth program code for determining, in response to determining that the first transaction is not the permitted transaction based on an identity assurance level of the first authentication context, a step-up authentication scheme for authenticating the identity of the user within a step-up authentication context, wherein the first transaction is the permitted transaction based on an identity assurance level associated with the step-up authentication context; and
      
      tenth program code for returning an authentication prompt for credentials to authenticate the identity of the user according to the step-up authentication scheme.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ADP, Inc.
Original Assignee
ADP LLC (ADP, Inc.)
Inventors
Villavicencio, Frank, Xu, Zhitao, Civetta, Vincent, Kaushal, Deepak, Kaushik, Nishant
Primary Examiner(s)
Steinle, Andrew J

Application Number

US15/492,968
Publication Number

US 20180309752A1
Time in Patent Office

1,090 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 63/083   using passwords cryptograph...

H04L 63/0853   using an additional device,...

H04L 63/0861   using biometrical features,...

H04L 63/0876   based on the identity of th...

H04L 63/1433   Vulnerability analysis

H04W 12/069   using certificates or pre-s...

H04W 12/61   Time-dependent

H04W 12/63   Location-dependent; Proximi...

H04W 12/67   Risk-dependent, e.g. select...

H04W 12/68   Gesture-dependent or behavi...

Enhanced security authentication system

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

36 Claims

Specification

Solutions

Use Cases

Quick Links

Enhanced security authentication system

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

36 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links