Single-input multifactor authentication

US 10,693,644 B2
Filed: 06/23/2017
Issued: 06/23/2020
Est. Priority Date: 06/23/2017
Status: Active Grant

First Claim

Patent Images

1. A computer program product for multifactor authentication, the computer program product comprising:

a computer readable storage medium and program instructions stored on the computer readable storage medium, the program instructions comprising;

program instructions to receive, on a first computing device, a multifactor authentication request from a second computing device in response to the first computing device requesting access to a protected resource managed, at least in part, by the second computing device, the multifactor authentication request including a request for a first factor and a request for a second factor;

program instructions to prompt, on the first computing device, a user for a biometric input;

program instructions to authenticate the user based, at least in part, on the biometric input and biometric data stored by a secure element of the first computing device;

program instructions to cause the first computing device to;

send a user credential to the second computing device in response to the request for the first factor;

generate a single-use token using a token generator executing on the secure element, the token generator generating the single-use token based, at least in part, on a token seed stored by the secure element; and

send the single-use token to the second computing device in response to the request for the second factor;

program instructions to receive, on the first computing device, an access status indicator in response to sending the user credential and the single-use token to the second computing device to access the protected resource;

program instructions to receive, by a biometric module executed within a kernel space of the first computing device, the biometric input from the user and the biometric data stored by the secure element;

program instructions to compare, by the biometric module executed within the kernel space of the first computing device, the biometric input to the received biometric data to determine whether the biometric input is a valid match to the biometric data; and

responsive to the biometric module determining that the biometric input is a valid match to the biometric data, program instructions to retrieve by a login module of a security application program interface (API) the user credential, the login module of the security API retrieving the single-use token from the secure element and providing the user credential and the single-use token to an application module of the first computing device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Multifactor authentication is a method to secure data and accounts and to prevent unauthorized access. A first factor can be information that the user knows, such as a username and password combination. A second factor can be something that the user possesses, such as a token generator or a trusted device. The present invention enables a user to present multiple authentication factors through a single biometric input using stored credentials and tokens generated by a secure element.

29 Citations

View as Search Results

16 Claims

1. A computer program product for multifactor authentication, the computer program product comprising:
- a computer readable storage medium and program instructions stored on the computer readable storage medium, the program instructions comprising;
  
  program instructions to receive, on a first computing device, a multifactor authentication request from a second computing device in response to the first computing device requesting access to a protected resource managed, at least in part, by the second computing device, the multifactor authentication request including a request for a first factor and a request for a second factor;
  
  program instructions to prompt, on the first computing device, a user for a biometric input;
  
  program instructions to authenticate the user based, at least in part, on the biometric input and biometric data stored by a secure element of the first computing device;
  
  program instructions to cause the first computing device to;
  
  send a user credential to the second computing device in response to the request for the first factor;
  
  generate a single-use token using a token generator executing on the secure element, the token generator generating the single-use token based, at least in part, on a token seed stored by the secure element; and
  
  send the single-use token to the second computing device in response to the request for the second factor;
  
  program instructions to receive, on the first computing device, an access status indicator in response to sending the user credential and the single-use token to the second computing device to access the protected resource;
  
  program instructions to receive, by a biometric module executed within a kernel space of the first computing device, the biometric input from the user and the biometric data stored by the secure element;
  
  program instructions to compare, by the biometric module executed within the kernel space of the first computing device, the biometric input to the received biometric data to determine whether the biometric input is a valid match to the biometric data; and
  
  responsive to the biometric module determining that the biometric input is a valid match to the biometric data, program instructions to retrieve by a login module of a security application program interface (API) the user credential, the login module of the security API retrieving the single-use token from the secure element and providing the user credential and the single-use token to an application module of the first computing device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The computer program product of claim 1, the program instructions further comprising:
    - program instructions to retrieve the user credential from a storage device of the first computing device located outside of the secure element in response to executing the program instructions to authenticate the user based, at least in part, on the biometric input and the biometric data stored by the secure element of the first computing device.
  - 3. The computer program product of claim 1, wherein the program instructions provide that:
    - the application module executes logic within a user space of the first computing device to interface with the second computing device;
      
      the security API provides an interface between the application module executing within the user space of the first computing device and logic executing within the kernel space of the first computing device; and
      
      the security API provides an interface between the application module executing within the user space of the first computing device and the secure element such that logic executing within the user space cannot communicate directly with the secure element.
  - 4. The computer program product of claim 1, wherein the program instructions cause the login module to retrieve the user credential from a storage device of the first computing device located outside of the secure element.
  - 5. The computer program product of claim 1, wherein the security API includes one or more elements of an operating system kernel such that only the operating system kernel can access the secure element.
  - 6. The computer program product of claim 1, the program instructions further comprising:
    - program instructions to cause the login module of the security API to automatically retrieve the user credential and automatically retrieve the single-use token responsive to the biometric input authenticating the user such that the only user input required to access the protected resource via the multifactor authentication request is the biometric input.
  - 7. The computer program product of claim 6, wherein the biometric input from the user represents a single-step sign-on with respect to the protected resource managed by the second computing device.
  - 8. The computer program product of claim 1, wherein the secure element is implemented as a system on a chip (SoC).

9. A computer system for multifactor authentication, the computer system comprising:
- one or more computer processors;
  
  one or more computer readable storage media;
  
  program instructions stored on the one or more computer readable storage media for execution by at least one of the one or more processors, the program instructions comprising;
  
  program instructions to receive, on a first computing device, a multifactor authentication request from a second computing device in response to the first computing device requesting access to a protected resource managed, at least in part, by the second computing device, the multifactor authentication request including a request for a first factor and a request for a second factor;
  
  program instructions to prompt, on the first computing device, a user for a biometric input;
  
  program instructions to authenticate the user based, at least in part, on the biometric input and biometric data stored by a secure element of the first computing device;
  
  program instructions to cause the first computing device to;
  
  send a user credential to the second computing device in response to the request for the first factor;
  
  generate a single-use token using a token generator executing on the secure element, the token generator generating the single-use token based, at least in part, on a token seed stored by the secure element; and
  
  send the single-use token to the second computing device in response to the request for the second factor;
  
  program instructions to receive, on the first computing device, an access status indicator in response to sending the user credential and the single-use token to the second computing device to access the protected resource;
  
  program instructions to receive, by a biometric module executed within a kernel space of the first computing device, the biometric input from the user and the biometric data stored by the secure element;
  
  program instructions to compare, by the biometric module executed within the kernel space of the first computing device, the biometric input to the received biometric data to determine whether the biometric input is a valid match to the biometric data; and
  
  responsive to the biometric module determining that the biometric input is a valid match to the biometric data, program instructions to retrieve by a login module of a security application program interface (API) the user credential, the login module of the security API retrieving the single-use token from the secure element and providing the user credential and the single-use token to an application module of the first computing device.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The computer system of claim 9, the program instructions further comprising:
    - program instructions to retrieve the user credential from a storage device of the first computing device located outside of the secure element in response to executing the program instructions to authenticate the user based, at least in part, on the biometric input and the biometric data stored by the secure element of the first computing device.
  - 11. The computer system of claim 9, wherein the program instructions provide that:
    - the application module executes logic within a user space of the first computing device to interface with the second computing device;
      
      the security API provides an interface between the application module executing within the user space of the first computing device and logic executing within the kernel space of the first computing device; and
      
      the security API provides an interface between the application module executing within the user space of the first computing device and the secure element such that logic executing within the user space cannot communicate directly with the secure element.
  - 12. The computer system of claim 9, wherein the program instructions cause the login module to retrieve the user credential from a storage device of the first computing device located outside of the secure element.
  - 13. The computer system of claim 9, wherein the security API includes one or more elements of an operating system kernel such that only the operating system kernel can access the secure element.
  - 14. The computer system of claim 9, the program instructions further comprising:
    - program instructions to cause the login module of the security API to automatically retrieve the user credential and automatically retrieve the single-use token responsive to the biometric input authenticating the user such that the only user input required to access the protected resource via the multifactor authentication request is the biometric input.
  - 15. The computer system of claim 14, wherein the biometric input from the user represents a single-step sign-on with respect to the protected resource managed by the second computing device.
  - 16. The computer system of claim 9, wherein the secure element is implemented as a system on a chip (SoC).

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Kozma, Gabriel M., Seo, Carlos E.
Primary Examiner(s)
Lagor, Alexander
Assistant Examiner(s)
Louie, Howard H.

Application Number

US15/631,439
Publication Number

US 20180375657A1
Time in Patent Office

1,096 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/32   using biometric data, e.g. ...

G06F 21/33   using certificates

G06F 21/34   involving the use of extern...

G06F 21/6245   Protecting personal data, e...

H04L 2463/082   applying multi-factor authe...

H04L 63/083   using passwords cryptograph...

H04L 63/0861   using biometrical features,...

H04L 9/3213   using tickets or tokens, e....

H04L 9/3226   using a predetermined code,...

H04L 9/3231   Biological data, e.g. finge...

H04L 9/3234   involving additional secure...

H04W 12/06   Authentication

H04W 12/068   using credential vaults, e....

H04W 12/069   using certificates or pre-s...

Single-input multifactor authentication

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

29 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Single-input multifactor authentication

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

29 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links