System and method for adaptive user authentication
First Claim
1. A method implemented by at least one of a client device and a server remotely coupled to the client device of a client, comprising:
- receiving a client request from the client to perform a transaction which requires authentication;
analyzing first data related to the client to determine a risk value associated with the client, wherein the risk value is based on an Internet Protocol (IP) variable of the client device of the client;
determining, based on the risk value, a required assurance level for allowing the client to complete the transaction;
associating an intrusiveness value with authentication techniques available on the client, wherein authentication techniques deemed non-intrusive include location-based authentication techniques and/or user behavior detection techniques, and wherein authentication techniques deemed explicit include biometric authentication modalities including fingerprint, face or speaker authentication and/or user password or personal identification number (PIN) entry;
receiving, from the client, a current assurance level that is based on a comparison between historical measurements and a current measurement by one or more non-intrusive authentication techniques of the client, the non-intrusive authentication techniques including one or more techniques that do not require explicit user input, wherein the measurements include an identity of a computer network to which the client device is connected;
determining an assurance level gain required to arrive at the required assurance level based on the risk value, the assurance level gain to be combined with the current assurance level to arrive at or surpass the required assurance level for allowing the client to complete the transaction;
authenticating the client request using one or more explicit authentication techniques of the client in addition to the one or more non-intrusive authentication techniques, wherein an explicit authentication technique includes one or more techniques that require an explicit user input to unlock the client device, and wherein the one or more explicit authentication techniques are selected based at least in part on the intrusiveness value associated with the explicit authentication techniques, wherein authentication techniques which are relatively less intrusive but which still result in an acceptable assurance level gain are selected above techniques which are relatively more intrusive;
performing the transaction after the authenticating by at least one of the client device and server.
3 Assignments
0 Petitions
Accused Products
Abstract
A system, apparatus, method, and machine readable medium are described for adaptive authentication. For example, one embodiment of an apparatus comprises: an adaptive authentication module to receive a client request to perform a transaction which requires authentication; a risk engine to analyze first data related to a client to determine a risk value associated with the client; an assurance level gain analysis module to determine an assurance level required for allowing the client to complete the transaction and to determine an assurance level gain required to arrive at the assurance level based on the risk value; the adaptive authentication module to select one or more authentication techniques based at least in part on the indication of the assurance level gain.
-
Citations
20 Claims
-
1. A method implemented by at least one of a client device and a server remotely coupled to the client device of a client, comprising:
-
receiving a client request from the client to perform a transaction which requires authentication; analyzing first data related to the client to determine a risk value associated with the client, wherein the risk value is based on an Internet Protocol (IP) variable of the client device of the client; determining, based on the risk value, a required assurance level for allowing the client to complete the transaction; associating an intrusiveness value with authentication techniques available on the client, wherein authentication techniques deemed non-intrusive include location-based authentication techniques and/or user behavior detection techniques, and wherein authentication techniques deemed explicit include biometric authentication modalities including fingerprint, face or speaker authentication and/or user password or personal identification number (PIN) entry; receiving, from the client, a current assurance level that is based on a comparison between historical measurements and a current measurement by one or more non-intrusive authentication techniques of the client, the non-intrusive authentication techniques including one or more techniques that do not require explicit user input, wherein the measurements include an identity of a computer network to which the client device is connected; determining an assurance level gain required to arrive at the required assurance level based on the risk value, the assurance level gain to be combined with the current assurance level to arrive at or surpass the required assurance level for allowing the client to complete the transaction; authenticating the client request using one or more explicit authentication techniques of the client in addition to the one or more non-intrusive authentication techniques, wherein an explicit authentication technique includes one or more techniques that require an explicit user input to unlock the client device, and wherein the one or more explicit authentication techniques are selected based at least in part on the intrusiveness value associated with the explicit authentication techniques, wherein authentication techniques which are relatively less intrusive but which still result in an acceptable assurance level gain are selected above techniques which are relatively more intrusive; performing the transaction after the authenticating by at least one of the client device and server. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
-
-
11. An apparatus comprising at least one of a client device of a client or a server remotely coupled to the client device, the apparatus further comprising:
-
a risk engine to analyze first data received as part of a transaction from the client device of the client to determine a risk value associated with the client, wherein the risk value is based on an Internet Protocol (IP) variable of the client device of the client; an adaptive analysis module associating an intrusiveness value with authentication techniques available on the client, wherein authentication techniques deemed non-intrusive include location-based authentication techniques and/or user behavior detection techniques, and wherein authentication techniques deemed explicit include biometric authentication modalities including fingerprint, face or speaker authentication and/or user password or personal identification number (PIN) entry; an assurance level gain analysis module remotely connected to the client device to determine, based on the risk value, a required assurance level for allowing the client to complete a transaction, an assurance level gain required to arrive at the required assurance level based on the risk value, and a current assurance level, received from the client, that is based on historical measurements and a current measurement by one or more non-intrusive authentication techniques of the client, wherein the measurements include an identity of a computer network to which the client device is connected, the non-intrusive authentication techniques including one or more techniques which do not require explicit user input, wherein the assurance level gain is to be combined with the current assurance level to arrive at or surpass the required assurance level for allowing the client to complete the transaction; an adaptive authentication module remotely connected to the client device to authenticate a client request, using one or more explicit authentication techniques of the client in addition to the one or more non-intrusive authentication techniques, wherein an explicit authentication technique includes one or more techniques that require an explicit user input to unlock the client device, and wherein the one or more explicit authentication techniques are selected based at least in part on the intrusiveness value associated with the explicit authentication techniques, wherein authentication techniques which are relatively less intrusive but which still result in an acceptable assurance level gain are selected above techniques which are relatively more intrusive; and wherein the apparatus is operative to perform the transaction after the authenticating. - View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
-
Specification