Single-input multifactor authentication
First Claim
1. A computer program product for multifactor authentication, the computer program product comprising:
a computer readable storage medium and program instructions stored on the computer readable storage medium, the program instructions comprising:
program instructions to receive, on a first computing device, a multifactor authentication request from a second computing device in response to the first computing device requesting access to a protected resource managed, at least in part, by the second computing device, the multifactor authentication request including a request for a first factor and a request for a second factor;
program instructions to prompt, on the first computing device, a user for a biometric input;
program instructions to authenticate the user based, at least in part, on the biometric input and biometric data stored by a secure element of the first computing device;
program instructions to cause the first computing device to:
send a user credential to the second computing device in response to the request for the first factor;
generate a single-use token using a token generator executing on the secure element, the token generator generating the single-use token based, at least in part, on a token seed stored by the secure element; and
send the single-use token to the second computing device in response to the request for the second factor;
program instructions to receive, on the first computing device, an access status indicator in response to sending the user credential and the single-use token to the second computing device to access the protected resource;
program instructions to receive, by a biometric module executed within a kernel space of the first computing device, the biometric input from the user and the biometric data stored by the secure element;
program instructions to compare, by the biometric module executed within the kernel space of the first computing device, the biometric input to the received biometric data to determine whether the biometric input is a valid match to the biometric data; and
responsive to the biometric module determining that the biometric input is a valid match to the biometric data, program instructions to retrieve by a login module of a security application program interface (API) the user credential, the login module of the security API retrieving the single-use token from the secure element and providing the user credential and the single-use token to an application module of the first computing device.
Abstract
Multifactor authentication is a method to secure data and accounts and to prevent unauthorized access. A first factor can be information that the user knows, such as a username and password combination. A second factor can be something that the user possesses, such as a token generator or a trusted device. The present invention enables a user to present multiple authentication factors through a single biometric input using stored credentials and tokens generated by a secure element.
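The flow the abstract and claim 1 describe, simulated end to end as an added example (this is not code from the patent or any product implementing it): the relying party asks for two factors, the first device matches one biometric presentation against the template held by a secure element, and only on a match does the login module release the stored credential and a single-use token computed from a seed that never leaves the element. The patent does not name a token algorithm, so RFC 4226 HOTP stands in for the token generator; a bit-string Hamming comparison stands in for the biometric matcher; all class and function names, the user record and the sample "iris codes" are constructed for the example.

```python
"""Single-input MFA simulation: one biometric unlocks a stored credential (first
factor) and a single-use token from a secure-element seed (second factor).
Added example, not the patent's code; every name here is hypothetical."""
import hashlib
import hmac
import struct
from dataclasses import dataclass


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def hamming_fraction(a: bytes, b: bytes) -> float:
    """Fraction of differing bits between two equal-length biometric codes."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b)) / (8 * len(a))


@dataclass
class SecureElement:
    """Tamper-resistant store on the first device. It exports the template and the
    credential and runs the token generator; seed and counter are never exported."""
    template: bytes
    credential: tuple      # (username, password): the 'something you know' factor
    seed: bytes            # token seed, used only inside generate_token()
    counter: int = 0

    def read_template(self) -> bytes:
        return self.template

    def read_credential(self) -> tuple:
        return self.credential

    def generate_token(self) -> str:
        token = hotp(self.seed, self.counter)
        self.counter += 1  # single-use: the counter only ever moves forward
        return token


class BiometricModule:
    """Stands in for the kernel-space matcher: compares the live sample with the
    template handed over by the secure element."""
    def __init__(self, threshold: float = 0.2):
        self.threshold = threshold

    def match(self, sample: bytes, template: bytes) -> bool:
        return len(sample) == len(template) and hamming_fraction(sample, template) < self.threshold


class RelyingParty:
    """Second device: manages the protected resource and verifies both factors."""
    def __init__(self, username: str, password: str, seed: bytes, window: int = 3):
        self.salt = hashlib.sha256(username.encode()).digest()  # constructed; random per user in practice
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        self.username, self.seed, self.next_counter, self.window = username, seed, 0, window

    def mfa_request(self) -> dict:
        return {"factors": ["credential", "single_use_token"]}

    def check_access(self, username: str, password: str, token: str) -> str:
        """Returns the access status indicator sent back to the first device."""
        if username != self.username:
            return "DENIED"
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        if not hmac.compare_digest(candidate, self.pw_hash):
            return "DENIED"
        # Accept a token only ahead of the last accepted counter, inside a small look-ahead
        # window, then move past it so a captured token cannot be replayed.
        for c in range(self.next_counter, self.next_counter + self.window):
            if hmac.compare_digest(hotp(self.seed, c), token):
                self.next_counter = c + 1
                return "GRANTED"
        return "DENIED"


class ClientDevice:
    """First device: the login module releases both factors only after the match."""
    def __init__(self, se: SecureElement):
        self.se, self.bio = se, BiometricModule()

    def request_access(self, rp: RelyingParty, live_sample: bytes) -> str:
        request = rp.mfa_request()                         # names both requested factors
        if not self.bio.match(live_sample, self.se.read_template()):
            return "BIOMETRIC_REJECTED"                    # nothing retrieved, nothing sent
        username, password = self.se.read_credential()     # first factor: stored credential
        token = self.se.generate_token()                   # second factor: from the element
        assert set(request["factors"]) == {"credential", "single_use_token"}
        return rp.check_access(username, password, token)  # access status indicator


def build_demo():
    """Constructed fixture: a 256-bit template, a noisy genuine sample (8 bits differ),
    an impostor sample (every bit differs) and the RFC 4226 test-vector seed."""
    template = hashlib.sha256(b"demo iris code").digest()
    genuine = bytes([b ^ 0x01 for b in template[:8]]) + template[8:]
    impostor = bytes(b ^ 0xFF for b in template)
    seed = b"12345678901234567890"
    se = SecureElement(template, ("alice", "correct horse battery staple"), seed)
    rp = RelyingParty("alice", "correct horse battery staple", seed)
    return rp, ClientDevice(se), genuine, impostor
```

Running `rp, client, genuine, impostor = build_demo()` and then `client.request_access(rp, genuine)` returns "GRANTED"; the impostor sample returns "BIOMETRIC_REJECTED" before any factor leaves the device, and re-submitting a captured token returns "DENIED" because the relying party's counter has moved past it. Two caveats follow from the claim's own structure: the kernel-space matcher is in the trusted computing base, since a compromised kernel could report a match and unlock both factors, and the server-side counter window is what actually enforces single use; the element's counter alone only prevents the same device from reissuing a token.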
16 Claims
1. Independent claim 1 is reproduced above under First Claim; dependent claims 2 to 8 are not shown.
9. A computer system for multifactor authentication, the computer system comprising:
one or more computer processors;
one or more computer readable storage media;
program instructions stored on the one or more computer readable storage media for execution by at least one of the one or more processors, the program instructions comprising:
program instructions to receive, on a first computing device, a multifactor authentication request from a second computing device in response to the first computing device requesting access to a protected resource managed, at least in part, by the second computing device, the multifactor authentication request including a request for a first factor and a request for a second factor;
program instructions to prompt, on the first computing device, a user for a biometric input;
program instructions to authenticate the user based, at least in part, on the biometric input and biometric data stored by a secure element of the first computing device;
program instructions to cause the first computing device to:
send a user credential to the second computing device in response to the request for the first factor;
generate a single-use token using a token generator executing on the secure element, the token generator generating the single-use token based, at least in part, on a token seed stored by the secure element; and
send the single-use token to the second computing device in response to the request for the second factor;
program instructions to receive, on the first computing device, an access status indicator in response to sending the user credential and the single-use token to the second computing device to access the protected resource;
program instructions to receive, by a biometric module executed within a kernel space of the first computing device, the biometric input from the user and the biometric data stored by the secure element;
program instructions to compare, by the biometric module executed within the kernel space of the first computing device, the biometric input to the received biometric data to determine whether the biometric input is a valid match to the biometric data; and
responsive to the biometric module determining that the biometric input is a valid match to the biometric data, program instructions to retrieve by a login module of a security application program interface (API) the user credential, the login module of the security API retrieving the single-use token from the secure element and providing the user credential and the single-use token to an application module of the first computing device.
Dependent claims 10 to 16 are not shown.
Specification