Access system utilizing multiple factor identification and authentication
Abstract
A method of authenticating a user to use a system includes using a provider token to generate a random value. The token generates a derived key based at least in part on a token-provided salt value and a user-provided password. The provider generates a token unlock key based at least in part on the derived key and sends it to the token. First and second challenge data instances are generated by the provider and the token, respectively, and the process is terminated if the challenge data instances are determined not to match. If the challenge data instances are determined to match, then an encrypted data transfer system is established between the token and the provider, and the token unlocks locked private data stored on the token. The user is authenticated for secured use of the system based at least in part on the unlocked private data.
351 Citations
59 Claims
1-37. (canceled)
38. In a computer system comprising a token communicatively connected to a provider, a method of authenticating a user to use a system, comprising:
generating, by the token, a random value;
sending, by the token, the random value, a token ID, and a salt value to the provider;
providing, by the user, a user password to the provider;
generating, by the provider, a derived key based at least in part on the salt value and the password;
applying, by the provider, a first key-based hash algorithm, using the derived key, to the token ID to provide a first hash value;
generating, by the provider, a first challenge data instance based at least in part on the random value and the first hash value;
sending, by the provider, the first challenge data instance to the token;
generating, by the provider, a token unlock key based at least in part on the derived key;
sending, by the provider, the token unlock key to the token;
generating, by the token, a second challenge data instance based at least in part on the random value and a second hash value, wherein the second hash value is stored on the token and is based on the token ID;
determining, by the token, whether the first and second challenge data instances match;
terminating, by the token, the method, if the first and second challenge data instances are determined not to match; and
if the first and second challenge data instances are determined to match, then establishing an encrypted data transfer system between the token and the provider, unlocking with the token unlock key, by the token, locked first private data stored on the token, and authenticating the user for secured use of the system based at least in part on the unlocked first private data.

Dependent claims 39-58 (not shown).
59. In a computer system comprising a token communicatively connected to a provider, a method of authenticating a user to use a system, comprising:
sending, by the token, a token ID, a salt value, an encrypted encryption key, and an encrypted user profile to the provider;
providing, by the user, a user password to the provider;
generating, by the provider, a derived key based at least in part on the salt value and the password;
applying, by the provider, a first key-based hash algorithm, using the derived key, to the token ID to provide a first hash value;
applying, by the provider, a key derivation function to the derived key and the first hash value to provide a cryptographic key;
decrypting, by the provider, the encrypted instance of the encryption key;
decrypting, by the provider, the encrypted profile with the encryption key; and
providing, by the provider, the decrypted user credential to the system to grant the user at least one of cryptographic reading authority and cryptographic writing authority.
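The two independent claims describe concrete key-handling flows, so here is a worked example of both the claim 38 challenge exchange and the claim 59 credential recovery, written for this page and not taken from the patent or any product built on it. The claims do not fix the primitives, so the following are assumptions: PBKDF2-HMAC-SHA256 for the derived key, HMAC-SHA256 for the "key-based hash algorithm" and for the key derivation function, HMAC(derived key, "token-unlock") as the token unlock key, HMAC(hash value, random value) as the challenge data instance, and an HMAC-counter keystream as a constructed stand-in for a real authenticated cipher. All token contents and the sample private data are constructed.

```python
"""Worked example of the claim 38 challenge flow and the claim 59 credential
recovery flow, added for this page (not the patent's own code). Primitive
choices are assumptions the claims leave open: PBKDF2-HMAC-SHA256 for the
derived key, HMAC-SHA256 as the key-based hash and KDF, and an HMAC-counter
keystream as a constructed stand-in for a real authenticated cipher."""
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 100_000   # assumed; the claims give no parameters


def derived_key(password, salt):
    """Derived key from the token-supplied salt and the user-supplied password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def keyed_hash(key, data):
    """The claims' 'key-based hash algorithm', instantiated as HMAC-SHA256."""
    return hmac.new(key, data, hashlib.sha256).digest()


def keystream_xor(key, label, data):
    """Constructed cipher stand-in: XOR with an HMAC-SHA256 counter keystream.
    Symmetric, so the same call locks and unlocks; no integrity protection."""
    out = bytearray()
    for block, offset in enumerate(range(0, len(data), 32)):
        ks = keyed_hash(key, label + block.to_bytes(4, "big"))
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], ks))
    return bytes(out)


class Token:
    """Claim 38 token side: holds the salt, the second hash value and the
    locked private data, but never the password or the derived key."""

    def __init__(self, token_id, password, private_data):
        self.token_id = token_id
        self.salt = secrets.token_bytes(16)
        dk = derived_key(password, self.salt)          # provisioning only, then discarded
        self.second_hash = keyed_hash(dk, token_id)    # stored on the token, based on the token ID
        unlock_key = keyed_hash(dk, b"token-unlock")   # assumed unlock-key derivation
        self.locked_private = keystream_xor(unlock_key, b"private", private_data)
        self.random_value = None

    def begin(self):
        """Generate the random value; send it with the token ID and salt."""
        self.random_value = secrets.token_bytes(32)
        return self.random_value, self.token_id, self.salt

    def finish(self, first_challenge, token_unlock_key):
        """Recompute the challenge, compare, and only on a match unlock the
        private data and return it over the session-encrypted channel."""
        second_challenge = keyed_hash(self.second_hash, self.random_value)
        if not hmac.compare_digest(first_challenge, second_challenge):
            return None                                # terminate: wrong password or wrong token
        session_key = keyed_hash(token_unlock_key, self.random_value)
        private = keystream_xor(token_unlock_key, b"private", self.locked_private)
        return keystream_xor(session_key, b"session", private)


def provider_authenticate(token, password):
    """Claim 38 provider side; returns the unlocked private data or None."""
    random_value, token_id, salt = token.begin()
    dk = derived_key(password, salt)
    first_hash = keyed_hash(dk, token_id)
    first_challenge = keyed_hash(first_hash, random_value)
    token_unlock_key = keyed_hash(dk, b"token-unlock")
    reply = token.finish(first_challenge, token_unlock_key)
    if reply is None:
        return None
    session_key = keyed_hash(token_unlock_key, random_value)
    return keystream_xor(session_key, b"session", reply)


def provision_claim59(token_id, password, profile):
    """Constructed provisioning for claim 59 (the claim only describes use):
    returns token ID, salt, encrypted encryption key, encrypted profile."""
    salt = secrets.token_bytes(16)
    dk = derived_key(password, salt)
    crypto_key = keyed_hash(dk, b"kdf" + keyed_hash(dk, token_id))
    enc_key = secrets.token_bytes(32)
    return (token_id, salt,
            keystream_xor(crypto_key, b"enc-key", enc_key),
            keystream_xor(enc_key, b"profile", profile))


def recover_credential(token_id, salt, encrypted_enc_key, encrypted_profile, password):
    """Claim 59 provider side: derived key -> first hash -> KDF -> cryptographic
    key, which unwraps the encryption key that in turn decrypts the profile."""
    dk = derived_key(password, salt)
    first_hash = keyed_hash(dk, token_id)
    crypto_key = keyed_hash(dk, b"kdf" + first_hash)
    enc_key = keystream_xor(crypto_key, b"enc-key", encrypted_enc_key)
    return keystream_xor(enc_key, b"profile", encrypted_profile)


if __name__ == "__main__":
    tok = Token(b"TOKEN-0001", "correct horse", b"private signing material")
    print(provider_authenticate(tok, "correct horse"))   # the unlocked bytes
    print(provider_authenticate(tok, "wrong password"))  # None: terminated at the compare
```

Two properties of the claimed design are visible in the code: the token stores only a keyed hash of its own ID and never sees the password or the derived key, and the challenge comparison runs before anything is unlocked, so a wrong password terminates on the token without exposing the locked private data. The keystream stand-in provides no integrity protection; a deployment would use an authenticated cipher in its place.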
Specification