Robust multi-factor authentication for secure application environments
Abstract
An improved authentication system utilizes multi-factor user authentication. In an exemplary embodiment, one authentication factor is the user's speech pattern, and another authentication factor is a one-time passcode. The speech pattern and the passcode may be provided via voice portal and/or browser input. The speech pattern is routed to a speaker verification subsystem, while the passcode is routed to a passcode validation subsystem. Many other combinations of input types are also possible. For heightened security, the two (or more) authentication factors are preferably, although not necessarily, provided over differing communication channels (i.e., they are out-of-band with respect to each other). If a user is authenticated by the multi-factor process, he is given access to one or more desired secured applications. Policy and authentication procedures may be abstracted from the applications to allow a single sign-on across multiple applications.
336 Citations
26 Claims
1. A method for authenticating a user, comprising the steps of:
(a) receiving a claimed identity of a user;
(b) receiving a first authentication sample from said user via a first communication channel;
(c) establishing a second communication channel with said user;
(i) said second communication channel being out-of-band with respect to said first communication channel;
(d) performing at least a portion of a challenge-response protocol, regarding a second authentication sample, with said user over said second communication channel;
(e) verifying at least one of said first and second authentication samples based on a stored template uniquely associated with said claimed identity;
(f) verifying another of said authentication samples in a manner independent of said verifying in (d); and
(g) granting access to said user based on said verifying in steps (e) and (f).
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 14, 20, 25.

13. A method for authenticating a user, comprising the steps of:
(a) receiving a claimed identity of a user;
(b) receiving a first authentication sample from said user via a first communication channel;
(c) receiving a second authentication sample from said user via a second communication channel;
(d) verifying at least one of said first and second authentication samples based on a stored template uniquely associated with said claimed identity; and
(e) verifying another of said authentication samples in a manner independent of said verifying in (d); and
(f) granting access to said user based on said verifying in steps (d) and (e).

15. A method for authenticating a user, comprising the steps of:
(a) obtaining a claimed identity of a user to be authenticated;
(b) prompting a user to speak a secure passcode via a communication channel;
(c) biometrically authenticating said user's voice by;
(i) obtaining a stored vocal characteristic unique to said claimed identity, (ii) extracting a vocal characteristic of said user based on said spoken secure passcode, and (iii) comparing said stored vocal characteristic and said extracted vocal characteristic;
(d) authenticating said secure passcode by;
(i) obtaining a regenerated passcode corresponding to said claimed identity, and (ii) comparing said regenerated passcode and said spoken passcode; and
(e) granting access to said user if said user's voice and said passcode are authenticated based on steps (c) and (d).

16. A system for providing access to a secure application after user authentication, comprising:
(a) a portal subsystem configured to;
(i) receive a first user authentication sample via a first communication channel, (ii) authenticate said first authentication sample via a biometric process;
(b) an authentication subsystem coupled to;
(i) said portal subsystem, and (ii) a second communication channel which is out-of-band with respect to said first communication channel;
(c) said authentication subsystem being configured to;
(i) prompt a user via said portal subsystem to provide a sample over said second communication channel, (ii) receive said second authentication sample via said second communication channel, and (iii) authenticate said second authentication sample; and
(d) an application server;
(i) connected to said portal subsystem and said authentication subsystem, and (ii) providing access to said user upon successful authentication of both said first and second authentication samples.

17. A system for providing user authentication to control access to a protected application, comprising:
(a) an interface, configured to receive a claimed identity of a user;
(b) an interface, connected to a first communication path, configured to receive a first authentication datum associated with said user;
(c) an interface, connected to a second communication path to said user which is out-of-band with respect to said first communication path;
(d) means for performing, over said second communication path, at least a portion of a challenge-response communication regarding a second authentication datum associated with said user;
(e) means for verifying said first authentication datum based on a nominal identity of said user; and
(f) means for verifying said second authentication datum independently of (e); and
(g) means for granting access to said user after both authentication data are verified.
Dependent claims: 18, 19.

21. A system for providing user authentication to control access to a protected application, comprising:
(a) means for prompting a user to speak a secure passcode to a system interface;
(b) a biometric authenticator configured to;
(i) extract a prosodic feature of said user based on said spoken secure passcode, and (ii) verify said extracted prosodic feature against a stored prosodic template of said user;
(d) a passcode authenticator configured to;
(i) regenerate a passcode corresponding to said spoken passcode, and (ii) verify said regenerated passcode against said spoken passcode; and
(e) means for granting access to said user after authenticating said user's voice and said passcode.

22. A computer-readable medium for authenticating a user, comprising logic instructions that, if executed:
(a) receive a claimed identity of a user;
(b) receive a first authentication sample from said user via a first communication path;
(c) establish a second communication path with said user;
(i) said second authentication path being out-of-band with respect to said first communication path;
(d) perform at least a portion of a challenge-response protocol, regarding a second authentication sample, with said user over said second communication path;
(e) verify at least one of said first and second authentication samples based on a stored template uniquely associated with said claimed identity; and
(f) verify another of said authentication samples in a manner independent of said verifying in (e); and
(g) grant access to said user based on said verification in (e) and (f).
Dependent claims: 23, 24.

26. A computer-readable medium for authenticating a user, comprising logic instructions that, if executed:
(a) obtain a claimed identity of a user to be authenticated;
(b) prompt a user to speak a secure passcode via a communication channel;
(c) biometrically authenticate said user's voice by;
(i) obtaining a stored vocal characteristic unique to said claimed identity, (ii) extracting a vocal characteristic of said user based on said spoken secure passcode, and (iii) comparing said stored vocal characteristic and said extracted vocal characteristic;
(d) authenticate said secure passcode by;
(i) obtaining a regenerated passcode corresponding to said claimed identity, and (ii) comparing said regenerated passcode and said spoken passcode; and
(e) grant access to said user if said user's voice and said passcode are authenticated based on (c) and (d).
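The following is an added illustration of the claimed flow (claims 1 and 15/26 in particular), written for this page; it is not code from the patent or its assignee. It makes two simplifying assumptions that the claims leave open: a "voice sample" is modelled as a short feature vector compared to the stored template by cosine similarity, and the "regenerated passcode" is an HMAC over the claimed identity and a fresh challenge issued over the second channel. All template values, secrets and thresholds are constructed sample data.

```python
"""Added example (not the patent's code): a minimal two-factor verifier in
the shape of claims 1 and 15. Assumptions: speaker verification is cosine
similarity of a feature vector against a stored template; the regenerated
passcode is an HMAC over (challenge, claimed identity) with a per-user secret.
"""
import hashlib
import hmac
import math
import secrets

# Enrolment data: constructed sample values, one record per claimed identity.
VOICE_TEMPLATES = {"alice": [0.9, 0.1, 0.4, 0.7], "bob": [0.2, 0.8, 0.6, 0.1]}
PASSCODE_SECRETS = {"alice": b"alice-secret-k1", "bob": b"bob-secret-k2"}
SIMILARITY_THRESHOLD = 0.95  # assumed operating point for the speaker verifier


def _cosine(a, b):
    """Cosine similarity of two equal-length feature vectors (0.0 if degenerate)."""
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0


def verify_voice(claimed_identity, features):
    """Step (e) of claim 1 / (c) of claim 15: compare the extracted vocal
    characteristic with the template stored for the claimed identity."""
    template = VOICE_TEMPLATES.get(claimed_identity)
    if template is None or len(template) != len(features):
        return False
    return _cosine(template, features) >= SIMILARITY_THRESHOLD


def new_challenge():
    """Steps (c)/(d) of claim 1: a fresh challenge sent to the user over the
    second, out-of-band channel; the user answers with the derived passcode."""
    return secrets.token_bytes(16)


def regenerate_passcode(claimed_identity, challenge):
    """Server side of step (d)(i) of claim 15: regenerate the expected
    six-digit passcode for this identity and challenge (assumed HMAC scheme)."""
    secret = PASSCODE_SECRETS[claimed_identity]
    mac = hmac.new(secret, challenge + claimed_identity.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def verify_passcode(claimed_identity, challenge, submitted):
    """Step (f) of claim 1 / (d) of claim 15: verify the second factor with
    its own secret store, independently of the voice verifier."""
    if claimed_identity not in PASSCODE_SECRETS:
        return False
    expected = regenerate_passcode(claimed_identity, challenge)
    # Constant-time comparison so timing does not leak matching prefixes.
    return hmac.compare_digest(expected, submitted)


def authenticate(claimed_identity, voice_features, challenge, submitted_passcode):
    """Step (g): grant access only when both independent verifications pass.
    Both checks always run, so a denial does not reveal which factor failed."""
    voice_ok = verify_voice(claimed_identity, voice_features)
    code_ok = verify_passcode(claimed_identity, challenge, submitted_passcode)
    return voice_ok and code_ok


if __name__ == "__main__":
    # Simulated session: identity claimed, voice captured on channel 1,
    # challenge issued on channel 2, passcode returned on channel 2.
    challenge = new_challenge()
    spoken = [0.9, 0.1, 0.4, 0.7]  # constructed: matches alice's template
    code = regenerate_passcode("alice", challenge)  # what a genuine token would produce
    print("alice, both factors valid:", authenticate("alice", spoken, challenge, code))
    print("alice, wrong voice:", authenticate("alice", [0.2, 0.8, 0.6, 0.1], challenge, code))
    print("alice, wrong code:", authenticate("alice", spoken, challenge, "000000"))
```

The design point worth noting is the one the claims insist on: the two verifiers share nothing but the claimed identity, each consults its own stored data, and the grant decision is the conjunction of their results. In a deployment the voice template store, the passcode secret store and the two channels would live in separate subsystems, as claim 16 describes.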
Specification