System and method for adaptive user authentication

US 10,706,132 B2
Filed: 12/31/2013
Issued: 07/07/2020
Est. Priority Date: 03/22/2013
Status: Active Grant

First Claim

Patent Images

1. A method implemented by at least one of a client device and a server remotely coupled to the client device of a client, comprising:

receiving a client request from the client to perform a transaction which requires authentication;

analyzing first data related to the client to determine a risk value associated with the client, wherein the risk value is based on an Internet Protocol (IP) variable of the client device of the client;

determining, based on the risk value, a required assurance level for allowing the client to complete the transaction;

associating an intrusiveness value with authentication techniques available on the client, wherein authentication techniques deemed non-intrusive include location-based authentication techniques and/or user behavior detection techniques, and wherein authentication techniques deemed explicit include biometric authentication modalities including fingerprint, face or speaker authentication and/or user password or personal identification number (PIN) entry;

receiving, from the client, a current assurance level that is based on a comparison between historical measurements and a current measurement by one or more non-intrusive authentication techniques of the client, the non-intrusive authentication techniques including one or more techniques that do not require explicit user input, wherein the measurements include an identity of a computer network to which the client device is connected;

determining an assurance level gain required to arrive at the required assurance level based on the risk value, the assurance level gain to be combined with the current assurance level to arrive at or surpass the required assurance level for allowing the client to complete the transaction;

authenticating the client request using one or more explicit authentication techniques of the client in addition to the one or more non-intrusive authentication techniques, wherein an explicit authentication technique includes one or more techniques that require an explicit user input to unlock the client device, and wherein the one or more explicit authentication techniques are selected based at least in part on the intrusiveness value associated with the explicit authentication techniques, wherein authentication techniques which are relatively less intrusive but which still result in an acceptable assurance level gain are selected above techniques which are relatively more intrusive;

performing the transaction after the authenticating by at least one of the client device and server.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, apparatus, method, and machine readable medium are described for adaptive authentication. For example, one embodiment of an apparatus comprises: an adaptive authentication module to receive a client request to perform a transaction which requires authentication; a risk engine to analyze first data related to a client to determine a risk value associated with the client; an assurance level gain analysis module to determine an assurance level required for allowing the client to complete the transaction and to determine an assurance level gain required to arrive at the assurance level based on the risk value; the adaptive authentication module to select one or more authentication techniques based at least in part on the indication of the assurance level gain.

Citations

20 Claims

1. A method implemented by at least one of a client device and a server remotely coupled to the client device of a client, comprising:
- receiving a client request from the client to perform a transaction which requires authentication;
  
  analyzing first data related to the client to determine a risk value associated with the client, wherein the risk value is based on an Internet Protocol (IP) variable of the client device of the client;
  
  determining, based on the risk value, a required assurance level for allowing the client to complete the transaction;
  
  associating an intrusiveness value with authentication techniques available on the client, wherein authentication techniques deemed non-intrusive include location-based authentication techniques and/or user behavior detection techniques, and wherein authentication techniques deemed explicit include biometric authentication modalities including fingerprint, face or speaker authentication and/or user password or personal identification number (PIN) entry;
  
  receiving, from the client, a current assurance level that is based on a comparison between historical measurements and a current measurement by one or more non-intrusive authentication techniques of the client, the non-intrusive authentication techniques including one or more techniques that do not require explicit user input, wherein the measurements include an identity of a computer network to which the client device is connected;
  
  determining an assurance level gain required to arrive at the required assurance level based on the risk value, the assurance level gain to be combined with the current assurance level to arrive at or surpass the required assurance level for allowing the client to complete the transaction;
  
  authenticating the client request using one or more explicit authentication techniques of the client in addition to the one or more non-intrusive authentication techniques, wherein an explicit authentication technique includes one or more techniques that require an explicit user input to unlock the client device, and wherein the one or more explicit authentication techniques are selected based at least in part on the intrusiveness value associated with the explicit authentication techniques, wherein authentication techniques which are relatively less intrusive but which still result in an acceptable assurance level gain are selected above techniques which are relatively more intrusive;
  
  performing the transaction after the authenticating by at least one of the client device and server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method as in claim 1 wherein the operations of determining the required assurance level and assurance level gain are performed on the server remote from the client.
  - 3. The method as in claim 1 wherein the risk value comprises an implicit assurance level, wherein the assurance level gain added to the implicit assurance level must be sufficient to arrive at the required assurance level for allowing the client to complete the transaction.
  - 4. The method as in claim 1 wherein the operation of selecting one or more explicit authentication techniques based at least in part on an indication of an assurance level gain is performed on a server remote from the client.
  - 5. The method as in claim 1 wherein the operation of selecting one or more explicit authentication techniques based at least in part on the indication of the assurance level gain is performed on the client.
  - 6. The method as in claim 1 wherein the first data related to the client includes an amount of time since a last successful explicit authentication.
  - 7. The method as in claim 6 wherein the first data further includes an indication of a current location and/or user behavior data collected from sensors on the client.
  - 8. The method as in claim 7 wherein current locations known to be visited by a user result in a relatively lower risk value.
  - 9. The method as in claim 8 further comprising:
    - initially registering one or more locations where the user performs authentications as specified by the user; and
      
      determining the risk value based, at least in part, on current distance from the one or more locations specified by the user.
  - 10. The method as in claim 8 wherein the user behavior data includes gait data associated with the user, wherein gait data matching a known gait of the user results in a relatively lower risk value.

11. An apparatus comprising at least one of a client device of a client or a server remotely coupled to the client device, the apparatus further comprising:
- a risk engine to analyze first data received as part of a transaction from the client device of the client to determine a risk value associated with the client, wherein the risk value is based on an Internet Protocol (IP) variable of the client device of the client;
  
  an adaptive analysis module associating an intrusiveness value with authentication techniques available on the client, wherein authentication techniques deemed non-intrusive include location-based authentication techniques and/or user behavior detection techniques, and wherein authentication techniques deemed explicit include biometric authentication modalities including fingerprint, face or speaker authentication and/or user password or personal identification number (PIN) entry;
  
  an assurance level gain analysis module remotely connected to the client device to determine, based on the risk value, a required assurance level for allowing the client to complete a transaction, an assurance level gain required to arrive at the required assurance level based on the risk value, and a current assurance level, received from the client, that is based on historical measurements and a current measurement by one or more non-intrusive authentication techniques of the client, wherein the measurements include an identity of a computer network to which the client device is connected, the non-intrusive authentication techniques including one or more techniques which do not require explicit user input, wherein the assurance level gain is to be combined with the current assurance level to arrive at or surpass the required assurance level for allowing the client to complete the transaction;
  
  an adaptive authentication module remotely connected to the client device to authenticate a client request, using one or more explicit authentication techniques of the client in addition to the one or more non-intrusive authentication techniques, wherein an explicit authentication technique includes one or more techniques that require an explicit user input to unlock the client device, and wherein the one or more explicit authentication techniques are selected based at least in part on the intrusiveness value associated with the explicit authentication techniques, wherein authentication techniques which are relatively less intrusive but which still result in an acceptable assurance level gain are selected above techniques which are relatively more intrusive;
  
  and wherein the apparatus is operative to perform the transaction after the authenticating.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The apparatus as in claim 11 wherein the operations of determining the required assurance level and assurance level gain are performed on the server remote from the client.
  - 13. The apparatus as in claim 11 wherein the risk value comprises an implicit assurance level, wherein the assurance level gain added to the implicit assurance level must be sufficient to arrive at the required assurance level for allowing the client to complete the transaction.
  - 14. The apparatus as in claim 11 wherein the adaptive authentication module selecting one or more explicit authentication techniques based at least in part on an indication of an assurance level gain is on a server remote from the client.
  - 15. The apparatus as in claim 11 wherein the adaptive authentication module selecting one or more explicit authentication techniques based at least in part on the indication of the assurance level gain is on the client.
  - 16. The apparatus as in claim 11 wherein the first data related to the client includes an amount of time since a last successful explicit authentication.
  - 17. The apparatus as in claim 16 wherein the first data further includes an indication of a current location and/or user behavior data collected from sensors on the client.
  - 18. The apparatus as in claim 17 wherein current locations known to be visited by a user result in a relatively lower risk value.
  - 19. The apparatus as in claim 18 wherein one or more locations where the user performs authentications are initially specified by the user;
    - and wherein the risk value is determined, at least in part, on current distance from the one or more locations specified by the user.
  - 20. The apparatus as in claim 18 wherein the user behavior data includes gait data associated with the user, wherein gait data matching a known gait of the user results in a relatively lower risk value.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nok Nok Labs Incorporated
Original Assignee
Nok Nok Labs Incorporated
Inventors
Lindemann, Rolf, Baghdasaryan, Davit
Primary Examiner(s)
Walsh, Daniel I

Application Number

US14/145,466
Publication Number

US 20140289820A1
Time in Patent Office

2,380 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/32   using biometric data, e.g. ...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/2115   Third party

G06Q 20/204   comprising interface for re...

G06Q 20/3224   Transactions dependent on l...

G06Q 20/3274   using a pictured code, e.g....

G06Q 20/3278   RFID or NFC payments by mea...

G06Q 20/4012   Verifying personal identifi...

G06Q 20/40145   Biometric identity checks

G06Q 20/42   Confirmation, e.g. check or...

G06Q 20/425   using two different network...

G07F 19/20   Automatic teller machines [...

H04L 2209/805   Lightweight hardware, e.g. ...

H04L 2463/102   applying security measure f...

H04L 63/0492   by using a location-limited...

H04L 63/08   for authentication of entit...

H04L 63/083   using passwords cryptograph...

H04L 63/0861   using biometrical features,...

H04L 63/20   for managing network securi...

H04L 9/0819   Key transport or distributi...

H04L 9/0822 : using key encryption key

H04L 9/0841 : involving Diffie-Hellman or...

H04L 9/3231 : Biological data, e.g. finge...

H04L 9/3247 : involving digital signatures

H04L 9/3297 : involving time stamps, e.g....

H04W 12/06 : Authentication

H04W 12/065 : Continuous authentication

View All

System and method for adaptive user authentication

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for adaptive user authentication

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links