Trust inheritance in network authentication

US 20050198534A1
Filed: 02/25/2005
Published: 09/08/2005
Est. Priority Date: 02/27/2004
Status: Active Grant

First Claim

Patent Images

1. A method for authenticating a user so that said user is able to access electronic services through an untrusted electronic terminal, said method comprising the steps of:

(a) providing to an authentication interface a unique identifier of a trusted personal entity associated with said user;

(b) sending said unique identifier to at least one validation entity;

(c) identifying said unique identifier as an authentication request at said validation entity by an authentication application;

(d) looking up with said identifier in said validation entity whether said unique identifier is already registered in said validation entity;

a. if said user is registered with said validation entity, retrieving a password associated with said unique identifier, and sending said password to said personal entity;

b. if said user is not registered with said validation entity, said authentication application creating an account in said validation entity, generating a password and sending said password to said personal entity. (e) said user, after retrieving said password, providing said unique identifier and said password to said authentication interface, whereby an application permits access to electronic services through said electronic terminal and said application recording said electronic services to an account associated with said unique identifier.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for providing ad hoc controlled user access to wireless and wireline IP communication networks while maintaining privacy for users and traceability for network providers. The method includes an authentication interface accepting user credentials, and a validation entity for credential verification and access authorization. The credentials include a unique identifier and a system generated password. The unique identifier is associated with a personal entity of the user such as a cellular telephone. The password is transmitted to the user through a SMS message to his cellular telephone. The user'"'"'s Internet session is monitored by the system and all records are indexed by his cellular telephone number. The system and method therefore permit fast and traceable access for guest users at networks where they are were not previously known. Alternatively, users do not provide their unique identifiers such as cellular telephone numbers which are instead already stored in the system. A user provides a username and a one time password is generated by the system and sent to the user by SMS. This enables the system to validate the user'"'"'s identity as well as the user to validate the Internet resources'"'"' identity.

Citations

122 Claims

1. A method for authenticating a user so that said user is able to access electronic services through an untrusted electronic terminal, said method comprising the steps of:
- (a) providing to an authentication interface a unique identifier of a trusted personal entity associated with said user;
  
  (b) sending said unique identifier to at least one validation entity;
  
  (c) identifying said unique identifier as an authentication request at said validation entity by an authentication application;
  
  (d) looking up with said identifier in said validation entity whether said unique identifier is already registered in said validation entity;
  
  a. if said user is registered with said validation entity, retrieving a password associated with said unique identifier, and sending said password to said personal entity;
  
  b. if said user is not registered with said validation entity, said authentication application creating an account in said validation entity, generating a password and sending said password to said personal entity. (e) said user, after retrieving said password, providing said unique identifier and said password to said authentication interface, whereby an application permits access to electronic services through said electronic terminal and said application recording said electronic services to an account associated with said unique identifier.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 122)
- - 2. A method according to claim 1, wherein said user is a human person or software or hardware or a combination of hardware and software.
  - 3. A method according to claim 1, wherein said electronic terminal is a mobile or fixed terminal.
  - 4. The method of claim 3, wherein said mobile terminal is a laptop computer or a personal digital assistant (PDA) or an IP telephone.
  - 5. The method of claim 3, wherein said fixed terminal is a desktop computer.
  - 6. A method according to claim 1, wherein said authentication interface is a web interface accepting authentication requests.
  - 7. A method according to claim 1, wherein said authentication interface is a software or hardware or combination of hardware and software or a human person accepting authentication requests or a combination thereof.
  - 8. The method of claim 6, wherein said web interface resides on at least one web server communicating with at least one database server.
  - 9. The method of claim 7, wherein said authentication interface is at least one SMS server or at least one email server or at least one chat server or at least one voice server or at least one fax server or a combination thereof communicating with at least one database server.
  - 10. The method of claim 7, wherein said authentication interface is at least one phone set or at least one fax machine or a combination thereof.
  - 11. The method of claim 7, wherein said authentication interface is at least one physical security access unit.
  - 12. The method of claim 1, wherein said user accesses said authentication interface through said electronic terminal.
  - 13. The method of claim 12, wherein said electronic terminal communicates with said authentication interface through at least one data network.
  - 14. The method of claim 12, wherein said electronic terminal communicates with said authentication interface through at least one wireline connection or at least one wireless connection or a combination thereof.
  - 15. The method of claim 1, wherein said user accesses said authentication interface through a security access card and said security access card is inserted into said authentication interface and said unique identifier is an embedded property of the security access card.
  - 16. The method of claim 1, wherein said user accesses said authentication interface through a radio frequency (RF) enabled security access tag and said radio frequency enabled security access card communicates with said authentication interface through radio waves and said unique identifier is an embedded property of the security access card.
  - 17. The method of claim 1, wherein said user accesses said authentication interface through an infrared (IR) enabled security access tag and said infrared enabled security access card communicates with said authentication interface through infrared waves and said unique identifier is an embedded property of the security access tag.
  - 18. A method according to claim 1, wherein said personal entity is a mobile or fixed terminal.
  - 19. The method of claim 18, wherein said mobile terminal is a cellular phone, and said unique identifier is a phone number of said cellular telephone or a mobile fax machine, and said unique identifier is a fax number of said mobile fax machine or a laptop computer, and said unique identifier is an email address or a personal digital assistant (PDA), and said unique identifier is an email address or a pager, and said unique identifier is a pager number.
  - 20. The method of claim 18, wherein said fixed terminal is a phone set, and said unique identifier is a phone number of said phone set or a fax machine, and said unique identifier is a fax number of said fax machine or a desktop computer, and said unique identifier is an email address.
  - 21. The method of claim 1, wherein said step (b) is characterized in that said validation entity is a server farm containing at least one database server or at least one web server or at least one human person or a combination thereof.
  - 22. The method of claim 1, wherein said step (b) is characterized in that said validation entity is a centralized or decentralized server farm or a combination thereof.
  - 23. The method of claim 1, wherein said step (b) is characterized in that said message is sent by SMS or by email or by pager or by fax or a combination thereof.
  - 24. The method of claim 1, wherein said step (b) is characterized in that said message is sent over a network connection.
  - 25. The method of claim 24 wherein, said network connection travels over the Internet or over a local area network (LAN) or a combination thereof.
  - 26. The method of claim 1, wherein said step (d) is further characterized by data network security verifications of said electronic terminal.
  - 27. The method of claim 26, wherein said security verifications include virus detection or spyware detection or a combination thereof.
  - 28. The method of claim 1, wherein said step (e) is characterized in that said message is sent by SMS or by email or by fax or by IVR or in a pager message or a combination thereof.
  - 29. The method of claim 1, wherein said step (e) is characterized in that said message is sent over a network connection.
  - 30. The method of claim 29 wherein, said network connection travels over the Internet or over local area network (LAN) or a combination thereof.
  - 122. The method of claim 1, wherein said user gains access to a variety of privileges within said network resources depending on the type of said personal terminal.

31. A system for authenticating a user so that said user is able to access electronic services through an untrusted electronic terminal, said user being associated with a trusted personal entity, said personal entity having a unique identifier, said system comprising:
- (a) an authentication interface, said authentication interface being adapted to receive said unique identifier and to send said unique identifier to at least one validation entity;
  
  (b) said validation entity adapted to receive said unique identifier and recognize said unique identifier and send a password associated with said unique identifier to said personal entity when an account associated with said personal entity already exists or create an account, generate a password and send said password to said personal entity if an account associated with said unique identifier is inexistent;
  
  (c) whereby said authentication interface is further adapted to receive said unique identifier and said password and to enable access to said electronic services through said electronic terminal upon confirmation.
- View Dependent Claims (32, 33, 34, 35, 36, 37, 38, 39, 40)
- - 32. A system according to claim 31, wherein said electronic services are internet services or voice telecommunications services or data telecommunications services or local area network (LAN) resources or a combination thereof.
  - 33. A system according to claim 31, wherein said electronic services are local or foreign or a combination of local and foreign services to the network said user is connecting to.
  - 34. The system of claim 31, wherein said electronic services comprise access to local area network (LAN) servers or local area network (LAN) data traffic or a combination thereof.
  - 35. A system according to claim 31, wherein said electronic terminal is a mobile or fixed terminal.
  - 36. The system of claim 35, wherein said mobile terminal is a laptop computer or a personal digital assistant (PDA) or an IP telephone or a combination thereof.
  - 37. The system of claim 35, wherein said fixed terminal is a desktop computer.
  - 38. A system according to claim 31, wherein said system further comprises the introduction of a feedback loop to guarantee delivery of said password to said personal entity.
  - 39. The system of claim 38, wherein said feedback loop consists in third party monitoring of said password delivery mechanism and notification of said user in case of failure.
  - 40. The system of claim 39, wherein said third party monitoring is performed by human persons or by automated processes consisting of software, or hardware or a combination of both.

41. A method of tracing untrusted electronic terminals to specific users, said method comprising the steps of:
- (a) accessing an authentication interface through said electronic terminal and inputting a unique identifier of a personal entity associated with said user;
  
  (b) sending said unique identifier to at least one validation entity;
  
  (c) identifying said unique identifier as an authentication request at said validation entity;
  
  (d) looking up with said identifier in said validation entity whether said unique identifier is already registered in said validation entity;
  
  a. if said user is registered with said validation entity, retrieving a password associated with said unique identifier, and sending said password to said user;
  
  b. if said user is not registered with said validation entity, said authentication application creating an account in said validation entity, generating a password and sending said password to said user;
  
  (e) said user, after retrieving said password, providing said unique identifier and said password to said authentication interface, whereby an application permits access to electronic services and said application tracing said electronic services to an account associated with said unique identifier and said electronic terminal.
- View Dependent Claims (42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70)
- - 42. A method according to claim 41, wherein said user is a human person or software or hardware or a combination of hardware and software.
  - 43. A method according to claim 41, wherein said electronic terminal is a mobile or fixed terminal.
  - 44. The method of claim 43, wherein said mobile terminal is a laptop computer or a personal digital assistant (PDA) or an IP telephone.
  - 45. The method of claim 43, wherein said fixed terminal is a desktop computer.
  - 46. A method according to claim 41, wherein said authentication interface is a web interface accepting authentication requests.
  - 47. A method according to claim 41, wherein said authentication interface is a software or hardware or combination of hardware and software or a human person accepting authentication requests or a combination thereof.
  - 48. The method of claim 46, wherein said web interface resides on at least one web server communicating with at least one database server.
  - 49. The method of claim 47, wherein said authentication interface is at least one SMS server or at least one email server or at least one chat server or at least one voice server or at least one fax server communicating or combination thereof with at least one database server.
  - 50. The method of claim 47, wherein said authentication interface is at least one phone set or at least one fax machine or a combination thereof.
  - 51. The method of claim 47, wherein said authentication interface is at least one physical security access unit.
  - 52. The method of claim 41, wherein said user accesses said authentication interface through said electronic terminal.
  - 53. The method of claim 52, wherein said electronic terminal communicates with said authentication interface through at least one data network.
  - 54. The method of claim 52, wherein said electronic terminal communicates with said authentication interface through at least one wireline connection or at least one wireless connection or a combination thereof.
  - 55. The method of claim 41, wherein said user accesses said authentication interface through a security access card and said security access card is inserted into said authentication interface and said unique identifier is an embedded property of the security access card.
  - 56. The method of claim 41, wherein said user accesses said authentication interface through a radio frequency (RF) enabled security access tag and said radio frequency enabled security access card communicates with said authentication interface through radio waves and said unique identifier is an embedded property of the security access card.
  - 57. The method of claim 41, wherein said user accesses said authentication interface through an infrared (IR) enabled security access tag and said infrared enabled security access card communicates with said authentication interface through infrared waves and said unique identifier is an embedded property of the security access tag.
  - 58. A method according to claim 41, wherein said personal entity is a mobile or fixed terminal.
  - 59. The method of claim 58, wherein said mobile terminal is a cellular phone, and said unique identifier is a phone number of said cellular telephone or a mobile fax machine, and said unique identifier is a fax number of said mobile fax machine or a laptop computer, and said unique identifier is an email address or a personal digital assistant (PDA), and said unique identifier is an email address or a pager, and said unique identifier is a pager number.
  - 60. The method of claim 58, wherein said fixed terminal is a phone set, and said unique identifier is a phone number of said phone set or a fax machine, and said unique identifier is a fax number of said fax machine or a desktop computer, and said unique identifier is an email address.
  - 61. The method of claim 41, wherein said step (b) is characterized in that said validation entity is a server farm containing at least one database server or at least one web server or at least one human person or a combination thereof.
  - 62. The method of claim 41, wherein said step (b) is characterized in that said validation entity is a centralized or decentralized server farm or a combination thereof.
  - 63. The method of claim 41, wherein said step (b) is characterized in that said message is sent by SMS or by email or by pager or by fax or a combination thereof.
  - 64. The method of claim 41, wherein said step (b) is characterized in that said message is sent over a network connection.
  - 65. The method of claim 64 wherein, said network connection travels over the Internet or over a local area network (LAN) or a combination thereof.
  - 66. The method of claim 41, wherein said step (d) is further characterized by data network security verifications of said electronic terminal.
  - 67. The method of claim 66, wherein said security verifications include virus detection or spyware detection or a combination thereof.
  - 68. The method of claim 41, wherein said step (e) is characterized in that said message is sent by SMS or by email or by fax or by IVR or in a pager message or a combination thereof.
  - 69. The method of claim 41, wherein said step (e) is characterized in that said message is sent over a network connection.
  - 70. The method of claim 69 wherein, said network connection travels over the Internet or over local area network (LAN) or a combination thereof.

71. A system for tracing untrusted electronic terminals to specific users so that said user is able to access electronic services through an electronic terminal, said user being associated with a personal entity, said personal entity having a unique identifier, said system comprising:
- (a) an authentication interface, said authentication interface being adapted to receive said unique identifier and to send said unique identifier to at least one validation entity;
  
  (b) said validation entity adapted to receive said unique identifier and recognize said unique identifier and send a password associated with said unique identifier to said personal entity when an account associated with said personal entity already exists or create an account, generate a password and send said password to said personal entity if an account associated with said unique identifier is inexistent;
  
  (c) whereby said authentication interface is further adapted to receive said unique identifier and said password and to enable access to said electronic services through said electronic terminal upon confirmation.
- View Dependent Claims (72, 73, 74, 75, 76, 77, 78, 79, 80)
- - 72. A system according to claim 71, wherein said electronic services are internet services or voice telecommunications services or data telecommunications services or local area network (LAN) resources or a combination thereof.
  - 73. A system according to claim 71, wherein said electronic services are local or foreign or a combination of local and foreign services to the network said user is connecting to.
  - 74. The system of claim 71, wherein said electronic services comprise access to local area network (LAN) servers or local area network (LAN) data traffic or a combination thereof.
  - 75. A system according to claim 71, wherein said electronic terminal is a mobile or fixed terminal.
  - 76. The system of claim 75, wherein said mobile terminal is a laptop computer or a personal digital assistant (PDA) or a combination thereof.
  - 77. The system of claim 75, wherein said fixed terminal is a desktop computer.
  - 78. A system according to claim 71, wherein said system further comprises the introduction of a feedback loop to guarantee delivery of said password to said personal entity.
  - 79. The system of claim 78, wherein said feedback loop consists in third party monitoring of said password delivery mechanism and notification of said user in case of failure.
  - 80. The system of claim 79, wherein said third party monitoring is performed by human persons or by automated processes consisting of software, or hardware or a combination of both.

81. A method for authenticating a user known to a service provider so that said user is able to access electronic services through an electronic terminal, said method comprising the steps of:
- (a) providing to an authentication interface a username;
  
  (b) sending said username to at least one validation entity;
  
  (c) identifying said username as an authentication request at said validation entity by an authentication application;
  
  (d) looking up with said username in said validation entity whether said username is already registered in said validation entity;
  
  a. if said username is registered with said validation entity and if a unique identifier of a personal entity associated with said user is already contained in said validation entity, generating a one-time password and sending said password to said personal entity using said unique identifier;
  
  b. if said user is not registered with said validation entity or if a unique identifier is not already stored in the account, said authentication application rejecting user access;
  
  (e) said user, after retrieving said password, providing said username and said password to said authentication interface, whereby an application permits access to electronic services through said electronic terminal and said application recording said electronic services to an account associated with said unique identifier.
- View Dependent Claims (82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 96, 97, 98, 99, 100, 101, 102, 103, 104, 105, 106, 107, 108, 109, 110)
- - 82. A method according to claim 81, wherein said user is a human person or software or hardware or a combination of hardware and software.
  - 83. A method according to claim 81, wherein said electronic terminal is a mobile or fixed terminal.
  - 84. The method of claim 83, wherein said mobile terminal is a laptop computer or a personal digital assistant (PDA) or an IP telephone.
  - 85. The method of claim 83, wherein said fixed terminal is a desktop computer.
  - 86. A method according to claim 81, wherein said authentication interface is a web interface accepting authentication requests.
  - 87. A method according to claim 81, wherein said authentication interface is a software or hardware or combination of hardware and software or a human person accepting authentication requests or a combination thereof.
  - 88. The method of claim 86, wherein said web interface resides on at least one web server communicating with at least one database server.
  - 89. The method of claim 87, wherein said authentication interface is at least one SMS server or at least one email server or at least one chat server or at least one voice server or at least one fax server or combination thereof communicating with at least one database server.
  - 90. The method of claim 87, wherein said authentication interface is at least one phone set or at least one fax machine or a combination thereof.
  - 91. The method of claim 87, wherein said authentication interface is at least one physical security access unit.
  - 92. The method of claim 81, wherein said user accesses said authentication interface through said electronic terminal.
  - 93. The method of claim 92, wherein said electronic terminal communicates with said authentication interface through at least one data network.
  - 94. The method of claim 92, wherein said electronic terminal communicates with said authentication interface through at least one wireline connection or at least one wireless connection or a combination thereof.
  - 95. The method of claim 81, wherein said user accesses said authentication interface through a security access card and said security access card is inserted into said authentication interface and said unique identifier is an embedded property of the security access card.
  - 96. The method of claim 81, wherein said user accesses said authentication interface through a radio frequency (RF) enabled security access tag and said radio frequency enabled security access card communicates with said authentication interface through radio waves and said unique identifier is an embedded property of the security access card.
  - 97. The method of claim 81, wherein said user accesses said authentication interface through an infrared (IR) enabled security access tag and said infrared enabled security access card communicates with said authentication interface through infrared waves and said unique identifier is an embedded property of the security access tag.
  - 98. A method according to claim 81, wherein said personal entity is a mobile or fixed terminal.
  - 99. The method of claim 98, wherein said mobile terminal is a cellular phone, and said unique identifier is a phone number of said cellular telephone or a mobile fax machine, and said unique identifier is a fax number of said mobile fax machine or a laptop computer, and said unique identifier is an email address or a personal digital assistant (PDA), and said unique identifier is an email address or a pager, and said unique identifier is a pager number.
  - 100. The method of claim 98, wherein said fixed terminal is a phone set, and said unique identifier is a phone number of said phone set or a fax machine, and said unique identifier is a fax number of said fax machine or a desktop computer, and said unique identifier is an email address.
  - 101. The method of claim 81, wherein said step (b) is characterized in that said validation entity is a server farm containing at least one database server or at least one web server or at least one human person or a combination thereof.
  - 102. The method of claim 81, wherein said step (b) is characterized in that said validation entity is a centralized or decentralized server farm or a combination thereof.
  - 103. The method of claim 81, wherein said step (b) is characterized in that said message is sent by SMS or by email or by pager or by fax or a combination thereof.
  - 104. The method of claim 81, wherein said step (b) is characterized in that said message is sent over a network connection.
  - 105. The method of claim 104 wherein, said network connection travels over the Internet or over a local area network (LAN) or a combination thereof.
  - 106. The method of claim 81, wherein said step (d) is further characterized by data network security verifications of said electronic terminal.
  - 107. The method of claim 106, wherein said security verifications include virus detection or spyware detection or a combination thereof.
  - 108. The method of claim 81, wherein said step (e) is characterized in that said message is sent by SMS or by email or by fax or by IVR or in a pager message or a combination thereof.
  - 109. The method of claim 81, wherein said step (e) is characterized in that said message is sent over a network connection.
  - 110. The method of claim 109 wherein, said network connection travels over the Internet or over local area network (LAN) or a combination thereof.

111. A system for authenticating a known user so that said user is able to access electronic services through an electronic terminal, said user being associated with a username and a personal entity, said personal entity having a unique identifier, said system comprising:
- (a) an authentication interface, said authentication interface being adapted to receive said username and to send said username to at least one validation entity;
  
  (b) said validation entity adapted to receive said username and recognize said username and find said unique identifier associated with said user'"'"'s personal entity and generate a one-time password associated with said username and send said password to said user using said unique identifier when an account associated with said username already exists or reject user access if an account associated with said username is inexistent;
  
  (c) whereby said authentication interface is further adapted to receive said username and said password and to enable access to said electronic services through said electronic terminal upon confirmation.
- View Dependent Claims (112, 113, 114, 115, 116, 117, 118, 119, 120, 121)
- - 112. A system according to claim 111, wherein said electronic services are internet services or voice telecommunications services or data telecommunications services or local area network (LAN) resources or a combination thereof.
  - 113. A system according to claim 111, wherein said electronic services are local or foreign or a combination of local and local and foreign services to the network said user is connecting to.
  - 114. The system of claim 111, wherein said electronic services comprise access to local area network (LAN) servers or local area network (LAN) data traffic or a combination thereof.
  - 115. A system according to claim 111, wherein said electronic terminal is a mobile or fixed terminal.
  - 116. The system of claim 115, wherein said mobile terminal is a laptop computer or a personal digital assistant (PDA) or an IP telephone or a combination thereof.
  - 117. The system of claim 115, wherein said fixed terminal is a desktop computer.
  - 118. A system according to claim 111, wherein said system further comprises the introduction of a feedback loop to guarantee delivery of said password to said personal entity.
  - 119. The system of claim 118, wherein said feedback loop consists in third party monitoring of said password delivery mechanism and notification of said user in case of failure.
  - 120. The system of claim 119, wherein said third party monitoring is performed by human persons or by automated processes consisting of software, or hardware or a combination of both.
  - 121. A system according to claim 111, wherein said system is used to prevent phishing scams to said user by malicious websites pretending to be legitimate websites trusted by said user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Airroamer Incorporated, Sesame Networks, Inc.
Original Assignee
Sesame Networks, Inc.
Inventors
Alj, Tarik, Lala, Probal Kanti, Matta, Johnny Mikhael, Campbell, John Robertson

Granted Patent

US 7,565,547 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/5
CPC Class Codes

G06F 21/31   User authentication

H04L 63/083   using passwords cryptograph...

H04L 63/0838   using one-time-passwords

H04L 63/0853   using an additional device,...

H04L 63/145   the attack involving the pr...

H04W 12/06   Authentication

H04W 12/128   Anti-malware arrangements, ...

H04W 12/72   Subscriber identity

Trust inheritance in network authentication

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

122 Claims

Specification

Solutions

Use Cases

Quick Links

Trust inheritance in network authentication

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

122 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links