Multi-factor authentication system
Abstract
A suspect user (110) seeks access to a network resource from an access authority (150) utilizing a passcode received from an authentication authority (130). Initially, an ID of a device is bound with a PIN, the device ID is bound with a private key of the device, and the device ID is bound with a user ID that has been previously bound with a password of an authorized user. The device ID is bound with the user ID by authenticating the user ID using the password. Thereafter, the suspect user communicates the device ID and the PIN from the device over an ancillary communications network (112); the authentication authority responds back over the ancillary communications network with a passcode encrypted with the public key of the device; and the suspect user decrypts and communicates over a communications network (114) the passcode with the user ID to the access authority.
142 Claims
1. In a system wherein both a PIN of a user authorized to access a network resource and a first key of an asymmetric key pair of the authorized user are maintained in association with a first primary identification by an authentication authority such that each of the PIN and the first key are retrievable based on the first primary identification, a method performed by the authentication authority whereby the authorized user gains access to the network resource from an access authority with a passcode, the method comprising the steps of:
(a) receiving the first primary identification and a suspect PIN from a suspect user;
(b) authenticating the first primary identification by considering at least one authentication factor, including comparing the suspect PIN with the PIN of the authorized user maintained in association with the first primary identification by the authentication authority; and
(c) following a successful authentication of the first primary identification, (i) generating the passcode, (ii) encrypting the passcode using the first key of the asymmetric key pair of the authorized user, and (iii) communicating the encrypted passcode to the suspect user for subsequent decryption and presentation to the access authority.
Dependent claims: 2-40 and 42-49.
41. Computer-readable medium having computer-executable instructions that perform a method comprising the steps of:
(a) maintaining a PIN of an authorized user of a network resource and a first key of an asymmetric key pair of the authorized user in association with a primary identification such that each of the PIN and the first key are retrievable based on the primary identification;
(b) retrieving the PIN of the authorized user based on the primary identification received over an ancillary communications network and comparing the retrieved PIN with a suspect PIN also received over the ancillary communications network with the primary identification;
(c) generating a passcode and encrypting the passcode using the first key of the asymmetric key pair of the authorized user for communicating back over the ancillary communications network;
(d) maintaining the passcode in association with a secondary identification such that the passcode is retrievable based on the secondary identification; and
(e) retrieving the generated passcode based on the secondary identification that is received and comparing the retrieved passcode with a suspect passcode also received with the secondary identification.
50. In a system wherein both a PIN of a user authorized to access a network resource and a first key of an asymmetric key pair generally unique to a personal communications device of the authorized user are maintained by an authentication authority in association with an identifier such that each of the PIN and the first key are retrievable based on the identifier, a method performed by the authentication authority whereby the authorized user gains access to the network resource from an access authority, the method comprising the steps of:
(a) with respect to a suspect user seeking to gain access to the network resource from the access authority, receiving a challenge request from the access authority in association with an identifier;
(b) in response to the challenge request, communicating a challenge to the access authority;
(c) receiving from the access authority a challenge response and the identifier; and
(d) authenticating the identifier by comparing the challenge response to a function of (i) the challenge, (ii) the PIN maintained by the authentication authority in association with the identifier, and (iii) the first key maintained by the authentication authority in association with the identifier.

51. The method of claim 51, wherein the key pair is generated by the authentication authority and the first key of the key pair is communicated by the authentication authority to the personal communications device of the authorized user.
70. A method for gaining access by a user to a network resource, comprising the steps of:
(a) communicating a PIN and a first primary identification over an ancillary communications network to an authentication authority;
(b) receiving an encrypted passcode over the ancillary communications network from the authentication authority;
(c) decrypting the passcode using a key of an asymmetric key pair; and
(d) communicating the passcode and a user ID over a communications network to an access authority.
Dependent claims: 71-96 and 119.
97. Computer-readable medium having computer-executable instructions that perform a method comprising the steps of:
(a) generating an asymmetric key pair generally unique to a domain ID;
(b) communicating a first key of the asymmetric key pair in association with a device ID to an authentication authority over an ancillary communications network;
(c) receiving a PIN from a user through user-input of the device;
(d) communicating the PIN and a first primary identification over the ancillary communications network to the authentication authority;
(e) receiving an encrypted passcode over the ancillary communications network from the authentication authority;
(f) decrypting the passcode using the second key of the asymmetric key pair; and
(g) displaying the passcode to the user.
Dependent claims: 98-100.
101. Computer-readable medium having computer-executable instructions that perform a method comprising the steps of, during registration of an authorized user with respect to a network resource:
(a) generating a first asymmetric key pair generally unique to a domain ID;
(b) communicating a first key of the first asymmetric key pair in association with a device ID of a device to an authentication authority over an ancillary communications network;
(c) receiving a first key of an asymmetric key pair of the authentication authority over the ancillary communications network;
(d) receiving a PIN from a user through user-input of the device;
(e) encrypting the PIN using the first key of the asymmetric key pair of the authentication authority;
(f) communicating the encrypted PIN over the ancillary communications network to the authentication authority in association with the device ID;
(g) receiving an encrypted registration code over the ancillary communications network from the authentication authority;
(h) decrypting the registration code using the second key of the first asymmetric key pair; and
(i) displaying the registration code to the user.
Dependent claims: 102-109.
110. A method for registering for access by an authorized user with respect to a network resource, comprising the steps of:
(a) generating a first asymmetric key pair generally unique to a device of the authorized user;
(b) communicating in association with a device ID of the device to an authentication authority over an ancillary communications network both a first key of the first asymmetric key pair and a PIN of the authorized user;
(c) receiving an encrypted registration code over the ancillary communications network from the authentication authority;
(d) decrypting the registration code using the second key of the first asymmetric key pair of the device; and
(e) communicating the registration code to an access authority over a communications network in association with a user ID that identifies the authorized user to the access authority.
Dependent claims: 111.
112. A system in which an authorized user is registered with an authentication authority for later authenticating of a suspect user seeking to gain access from an access authority to a network resource, comprising the steps of:
(a) generating within a device of the authorized user a first asymmetric key pair of the authorized user that is generally unique to the device;
(b) communicating with the device a first key of the first asymmetric key pair in association with a device ID of the device to the authentication authority over an ancillary communications network;
(c) by the authentication authority, (i) receiving and maintaining the first key in association with the device ID, and (ii) communicating to the device of the authorized user over the ancillary communications network a first key of a first asymmetric key pair of the authentication authority that is unique to a domain ID;
(d) by the authorized user, (i) encrypting with the device using the first key of the asymmetric key pair of the authentication authority a PIN of the authorized user that is entered into the device, and (ii) communicating the encrypted PIN in association with the device ID to the authentication authority over the ancillary communications network;
(e) by the authentication authority, (i) decrypting the PIN and maintaining the PIN in association with the device ID and the domain ID, (ii) encrypting using the first key associated with the device ID a registration code, and (iii) communicating the registration code to the device of the authorized user over the ancillary communications network;
(f) by the authorized user, (i) decrypting within the device the encrypted registration code using the second key of the first asymmetric key pair of the authorized user, and (ii) communicating over a communications network the registration code to an access authority in association with a user ID identifying the authorized user to the access authority; and
(g) comparing the registration code received with the user ID with the registration code encrypted and sent to the authorized user.
Dependent claims: 113-118.
120. A method of granting access to a suspect user seeking to access a network resource, comprising the steps of:
(a) first, (i) maintaining credentials of the authorized user such that the credentials are retrievable based on the user ID, (ii) receiving a user ID, registration code, and suspect credentials, (iii) comparing the suspect credentials with the credentials maintained in association with the user ID, and (iv) upon a successful authentication of the user ID by matching the suspect credentials with the maintained credentials, communicating the user ID and registration code to an authentication authority; and
(b) thereafter, granting access to the network resource to a suspect user upon, (i) receiving a user ID and passcode from the suspect user, (ii) communicating the user ID and passcode to the authentication authority, and (iii) receiving an indication of a successful passcode comparison by the authentication authority.
Dependent claims: 121-123.
124. A method of upgrading a single-factor authentication system to a multi-factor authentication system wherein a suspect user seeks access to a network resource, the single-factor authentication system including the binding of a user ID with credentials of an authorized user, the method comprising the steps of:
(a) initially, (i) binding a device ID of a device with a PIN, (ii) binding the device ID with a private key of the device, and (iii) binding the device ID with the user ID, including authenticating the user ID with the credentials; and
(b) thereafter, (i) authenticating the device ID including, as part thereof, communicating from the device the device ID and the PIN over an ancillary communications network, (ii) authenticating the device including, as part thereof, communicating to the device a passcode encrypted with the public key corresponding to the device private key and decrypting the passcode using the device private key, and (iii) communicating the unencrypted passcode over a communications network with the user ID.
Dependent claims: 125-142.
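The flow of the abstract and of claim 124 (initial binding of a device ID with a PIN, a device key pair and a user ID, then PIN check, passcode encrypted to the device public key, decryption on the device, and presentation of the passcode with the user ID to the access authority), as an added worked example. It is not part of the patent or of any product implementing it. The class and function names (AuthenticationAuthority, AccessAuthority, Device, enroll_device, run_demo), the identifiers "dev-001" and "alice", and the sample PIN and password are all constructed for this illustration; the textbook RSA with fixed toy primes stands in for the device key pair so the example runs offline, and storing the PIN and password as salted hashes is a choice of this example rather than something the claims specify.

```python
import hashlib
import hmac
import secrets

# Toy textbook RSA with fixed small primes (104729 and 104723 are both prime) and
# no padding. It stands in for the device key pair so the example runs offline; a
# deployment would use a vetted library with RSA-OAEP or an elliptic-curve scheme.
_P, _Q, _E = 104729, 104723, 65537


def make_keypair():
    n = _P * _Q
    d = pow(_E, -1, (_P - 1) * (_Q - 1))
    return (_E, n), (d, n)          # (public key, private key)


def rsa_encrypt(public, m: int) -> int:
    e, n = public
    if not 0 <= m < n:
        raise ValueError("message too large for the toy modulus")
    return pow(m, e, n)


def rsa_decrypt(private, c: int) -> int:
    d, n = private
    return pow(c, d, n)


def _slow_hash(secret: str, salt: bytes) -> bytes:
    # Salted PBKDF2 for the stored PIN and password: a choice of this example; the
    # claims only require that the stored value be comparable with the suspect value.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000)


class AuthenticationAuthority:
    """Holds the bindings of claim 124(a): device ID -> PIN, device public key, user ID."""

    def __init__(self):
        self.devices = {}   # device_id -> {"salt", "pin_hash", "pubkey", "user_id"}
        self.pending = {}   # user_id (the secondary identification) -> outstanding passcode

    def bind_device(self, device_id, pin, device_pubkey):
        salt = secrets.token_bytes(16)
        self.devices[device_id] = {"salt": salt, "pin_hash": _slow_hash(pin, salt),
                                   "pubkey": device_pubkey, "user_id": None}

    def bind_user(self, device_id, user_id):
        # Called by the access authority only after it has verified the user's credentials.
        if device_id not in self.devices:
            raise KeyError("unknown device ID")
        self.devices[device_id]["user_id"] = user_id

    def request_passcode(self, device_id, suspect_pin):
        """Claim 124(b)(i)-(ii): check the PIN, then return the passcode encrypted to the
        device public key. Returns None when the device ID does not authenticate."""
        rec = self.devices.get(device_id)
        if rec is None or rec["user_id"] is None:
            return None
        if not hmac.compare_digest(rec["pin_hash"], _slow_hash(suspect_pin, rec["salt"])):
            return None
        passcode = secrets.randbelow(10**6)          # six-digit one-time value
        self.pending[rec["user_id"]] = passcode
        return rsa_encrypt(rec["pubkey"], passcode)

    def verify_passcode(self, user_id, suspect_passcode):
        expected = self.pending.pop(user_id, None)   # single use: gone after first comparison
        return expected is not None and expected == suspect_passcode


class AccessAuthority:
    """The legacy single-factor store (user ID -> password), upgraded with the passcode step."""

    def __init__(self, auth_authority):
        self.aa = auth_authority
        self.passwords = {}

    def register_user(self, user_id, password):
        salt = secrets.token_bytes(16)
        self.passwords[user_id] = (salt, _slow_hash(password, salt))

    def _check_password(self, user_id, password):
        rec = self.passwords.get(user_id)
        return rec is not None and hmac.compare_digest(rec[1], _slow_hash(password, rec[0]))

    def enroll_device(self, user_id, password, device_id):
        # Claim 124(a)(iii): the user ID is authenticated with its credentials before
        # the device ID is bound to it.
        if not self._check_password(user_id, password):
            return False
        self.aa.bind_user(device_id, user_id)
        return True

    def login(self, user_id, passcode):
        # Claim 124(b)(iii): user ID and decrypted passcode arrive here; the comparison
        # itself is delegated to the authentication authority.
        return self.aa.verify_passcode(user_id, passcode)


class Device:
    """The personal communications device: holds the private key, never the passcode store."""

    def __init__(self, device_id, auth_authority):
        self.device_id, self.aa = device_id, auth_authority
        self.public, self._private = make_keypair()

    def register(self, pin):
        self.aa.bind_device(self.device_id, pin, self.public)

    def fetch_passcode(self, pin):
        blob = self.aa.request_passcode(self.device_id, pin)
        return None if blob is None else rsa_decrypt(self._private, blob)


def run_demo():
    """Enrolment and one login; returns (first login, replay, wrong PIN, wrong password)."""
    aa = AuthenticationAuthority()
    access = AccessAuthority(aa)
    access.register_user("alice", "correct horse")            # legacy single factor
    phone = Device("dev-001", aa)
    phone.register("4321")                                     # device ID <-> PIN, public key
    bad_enrol = access.enroll_device("alice", "wrong", "dev-001")
    access.enroll_device("alice", "correct horse", "dev-001")  # device ID <-> user ID
    passcode = phone.fetch_passcode("4321")
    first = access.login("alice", passcode)
    replay = access.login("alice", passcode)                   # same passcode presented again
    wrong_pin = phone.fetch_passcode("0000")
    return first, replay, wrong_pin, bad_enrol
```

Two points of the design are worth noting. The passcode is kept against the user ID (the secondary identification of claim 41(d)) and removed on the first comparison, so a passcode that is captured in transit cannot be presented a second time. A wrong PIN produces no encrypted passcode at all, so nothing is ever issued for a device ID that has not authenticated, and the device binding cannot be completed without the legacy password check succeeding first.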