Method and apparatus for providing authentication using policy-controlled authentication articles and techniques

US 20060156385A1
Filed: 12/12/2005
Published: 07/13/2006
Est. Priority Date: 12/30/2003
Status: Active Grant

First Claim

Patent Images

10. A method for providing second factor authentication comprising:

providing, through a user interface, selectability on a per user group basis of a plurality of second factor authentication policies associated with a second factor authentication article that includes sender authentication information located in cells thereon that can be located by using corresponding location information;

controlling a challenge strength of one group of users to be different from another group of users that both use second factor authentication articles, based on a selected second factor authentication policy from the plurality of second factor authentication policies; and

providing second factor authentication based on the second factor authentication articles for each of the groups by enforcing at least one of the plurality of the selected group policies.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus provides first or second factor authentication by providing selectability of a plurality of second factor authentication policies associated with a second factor authentication article. The first or second factor authentication article includes authentication information, such as a plurality of data elements in different cells or locations on the authentication article, which can be located by using corresponding location information. The method and apparatus provides second factor authentication based on the first or second factor authentication article by enforcing at least one of the plurality of selected authentication policies.

440 Citations

43 Claims

10. A method for providing second factor authentication comprising:
- providing, through a user interface, selectability on a per user group basis of a plurality of second factor authentication policies associated with a second factor authentication article that includes sender authentication information located in cells thereon that can be located by using corresponding location information;
  
  controlling a challenge strength of one group of users to be different from another group of users that both use second factor authentication articles, based on a selected second factor authentication policy from the plurality of second factor authentication policies; and
  
  providing second factor authentication based on the second factor authentication articles for each of the groups by enforcing at least one of the plurality of the selected group policies.
- View Dependent Claims (11, 12)
- - 11. The method of claim 10 wherein controlling the challenge strength of the groups of users comprises setting, for each group, different challenge lengths corresponding to data in a different number of cells from the second factor authentication article to be required to be received in a reply to a challenge.
  - 12. The method of claim 10 comprising storing data representing selectable second factor global policies and group policies, and data representing user ID'"'"'s and group ID'"'"'s.

13. An apparatus for providing second factor authentication comprising:
- one or more processors and memory, operatively coupled to the one or more processors, that contains executable instructions that when executed causes the one or more processors to;
  
  provide selectability of a plurality of second factor authentication policies associated with a second factor authentication article that includes sender authentication information located thereon that can be located by using corresponding location information; and
  
  provide second factor authentication based on the second factor authentication article by enforcing at least one of the plurality of the selected policies.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The apparatus of claim 13 wherein the memory includes executable instructions that when executed causes the one or more processors to link the selected second factor authentication policies to a user or user group and wherein the second factor authentication article is a column and row based second factor authentication article.
  - 15. The apparatus of claim 13 wherein the memory includes executable instructions that when executed causes the one or more processors to allow a user to select the second factor authentication policies that will be applicable to that user.
  - 16. The apparatus of claim 13 wherein the memory includes executable instructions that when executed causes the one or more processors to allow a representative of a user group to select the second factor authentication policies that will be applicable to that user group.
  - 17. The apparatus of claim 13 wherein the memory includes executable instructions that when executed causes the one or more processors to:
    - configure a second factor authentication challenge based on the selected policies;
      
      send the second factor authentication challenge to a remote device wherein the sent challenge is defined by the selected group policies and includes data representing a location on the second factor authentication article that contains response data;
      
      receive, in response to the sent challenge, the response data obtained from second factor authentication article corresponding to the data representing the location on the article; and
      
      compare the received response data with expected response data to determine whether second factor authentication can be granted.
  - 18. The apparatus of claim 17 wherein the selectable second factor authentication policies include at least one of:
    - a policy to control a number of response data elements provided on the second factor authentication article;
      
      a policy to control second factor authentication article content type;
      
      a policy to control a strength of a second factor authentication challenge that is part of a challenge/reply authentication process;
      
      a policy to control a lifetime of the second factor authentication article;
      
      a policy to control lock out after unsuccessful reply attempts to a second factor authentication challenge that is part of a challenge/reply authentication process based on the second factor authentication article;
      
      a policy to control a multiple screen authentication process using the second factor authentication article;
      
      a policy to control whether a challenge based on the second factor authentication article is acceptable via different channels.
  - 19. The apparatus of claim 18 wherein the memory includes executable instructions that when executed causes the one or more processors to apply at least one selected second factor authentication policy globally to all users in a community of interest and at least another second factor authentication policy to a selected group of users within the community of interest.
  - 20. The apparatus of claim 13 wherein the article is a card containing row and column identification information and corresponding sender authentication information at row and column positions on the card and wherein the selected policy determines a length of a challenge sent as part of a second factor authentication process.

21. An apparatus for providing second factor authentication comprising:
- one or more processors and memory, operatively coupled to the one or more processors, that contains executable instructions that when executed causes the one or more processors to;
  
  provide, through a user interface, selectability on at least one of a per user group basis, user basis and transaction type basis of a plurality of second factor authentication policies associated with a second factor authentication card that includes sender authentication information located in cells thereon that can be located by using corresponding location information;
  
  control a challenge strength of one group of users to be different from another group of user that both use second factor authentication cards, based on a selected second factor authentication policy from the plurality of second factor authentication policies; and
  
  provide second factor authentication based on the second factor authentication cards for each of the groups by enforcing at least one of the plurality of the selected group policies.
- View Dependent Claims (22)
- - 22. The apparatus of claim 21 wherein the memory includes executable instructions that when executed causes the one or more processors to set, for each group, different challenge lengths corresponding to data in a different number of cells from the second factor authentication card to be required to be received in a reply to a challenge.

23. A method for providing authentication comprising:
- providing selectability of a plurality of authentication policies associated with a an authentication scheme wherein the policies select differing strength levels for the authentication scheme depending upon a specific user or user group or transaction type; and
  
  providing different strength levels of authentication security for the authentication scheme depending on a specified policy for a given user, group of users, or transaction type.
- View Dependent Claims (24, 25, 26)
- - 24. The method of claim 23 wherein the selectable authentication policies include at least one of:
    - a policy to control a number of challenge data elements sent as part of an authentication challenge that is part of a challenge/reply authentication process wherein the challenge data elements correspond to indicia on an authentication article;
      
      a policy to increase the number of one-time-passwords prompted for during a challenge;
      
      a policy that selects a number of shared secrets and their associated difficulty for each user and prompts for all or a subset to increase user authentication strength, as well as selects the number that must be successfully answered for successful authentication;
      
      a policy that varies the number of machine parameters that must match a stored profile to be considered authenticated and/or the type of machine parameters that are gathered and used to compare with stored a profile;
      
      a policy that causes a splitting of an out of band password across one or more out of band channels; and
      
      a policy that causes an out of band password to be sent to a particular out of band channel in preference to another out of band channel based on the relative security of the two out of band channels.
  - 25. The method of claim 23 comprising providing selectablity on a recipient device of the plurality of authentication policies.
  - 26. The method of claim 23 comprising providing selectablity by a user of the plurality of authentication policies to be applicable to that user.

27. An apparatus for providing authentication comprising:
- one or more processors and memory, operatively coupled to the one or more processors, that contains executable instructions that when executed causes the one or more processors to;
  
  provide selectability of a plurality of authentication policies associated with an authentication scheme wherein the policies select differing strength levels for the authentication scheme depending upon a specific user or user group or transaction type; and
  
  provide different strength levels of authentication security for the authentication scheme depending on a specified policy for a given user, group of users, or transaction type.
- View Dependent Claims (28)
- - 28. The apparatus of claim 27 wherein the memory contains executable instructions that when executed causes the one or more processors to provide the selectable authentication policies as at least one of:
    - a policy to control a number of challenge data elements sent as part of an authentication challenge that is part of a challenge/reply authentication process wherein the challenge data elements correspond to indicia on an authentication article;
      
      a policy to increase the number of one-time-passwords prompted for during a challenge;
      
      a policy that selects a number of shared secrets and their associated difficulty for each user and prompts for all or a subset to increase user authentication strength, as well as selects the number that much be successfully answered for successful authentication;
      
      a policy varies the number of machine parameters that must match a stored profile to be considered authenticated and/or the type of machine parameters that are gathered and used to compare with a stored profile;
      
      a policy that causes a splitting of an out of band password across one or more out of band channels; and
      
      a policy that causes an out of band password to be sent to a particular out of band channel in preference to another out of band channel based on the relative security of the two out of band channels.

29. A method for providing authentication comprising:
- providing selectability of a plurality of authentication policies associated with an authentication article that includes sender authentication information located thereon that can be located by using corresponding location information; and
  
  providing authentication based on the authentication article by enforcing at least one of the plurality of the selected policies.
- View Dependent Claims (1, 2, 3, 4, 5, 6, 7, 8, 9, 30, 31, 32, 33, 34, 35)
- - 1. A method for providing second factor authentication comprising:
    - providing selectability of a plurality of second factor authentication policies associated with a second factor authentication article that includes sender authentication information located thereon that can be located by using corresponding location information; and
      
      providing second factor authentication based on the second factor authentication article by enforcing at least one of the plurality of the selected policies.
  - 2. The method of claim 1 comprising linking the selected second factor authentication policies to a user or user group or transaction type.
  - 3. The method of claim 2 wherein the second factor authentication article is a column and row based second factor authentication article.
  - 4. The method of claim 2 wherein a user is allowed to select the second factor authentication policies to be applied to that user.
  - 5. The method of claim 2 wherein a representative of a user group is allowed to select the second factor authentication policies to be applied to that user group.
  - 6. The method of claim 1 wherein providing second factor authentication based on the second factor authentication article by enforcing at least one selected policies comprises:
    - configuring a second factor authentication challenge based on the selected policy;
      
      sending the second factor authentication challenge to a remote device wherein the sent challenge is defined by the selected group policies and includes data representing a location on the second factor authentication article that contains response data;
      
      receiving, in response to the sent challenge, the response data obtained from the second factor authentication article corresponding to the data representing the location on the article; and
      
      comparing the received response data with expected response data to determine whether second factor authentication can be granted.
  - 7. The method of claim 6 wherein the selectable second factor authentication policies include at least one of:
    - a policy to control a number of response data elements provided on the second factor authentication article;
      
      a policy to control second factor authentication article content type;
      
      a policy to control a strength of a second factor authentication challenge that is part of a challenge/reply authentication process;
      
      a policy to control a lifetime of the second factor authentication article;
      
      a policy to control lock out after unsuccessful reply attempts to a second factor authentication challenge that is part of a challenge/reply authentication process based on the second factor authentication article;
      
      a policy to control a multiple screen authentication process using the second factor authentication article;
      
      a policy to control whether a challenge based on the second factor authentication article is acceptable via different channels.
  - 8. The method of claim 1 comprising applying at least one selected second factor authentication policy globally to all users in a community of interest and at least another second factor authentication policy to a selected group of users within the community of interest.
  - 9. The method of claim 1 wherein the article is a card containing row and column identification information and corresponding sender authentication information at row and column positions on the card and wherein the selected policy determines a length of a challenge sent as part of a second factor authentication process.
  - 30. The method of claim 29 comprising linking the selected authentication policies to a user or user group or transaction type, and wherein the authentication article is a column and row based authentication article.
  - 31. The method of claim 30 comprising allowing a representative of a user group to select the authentication policies that will be applicable to that user group.
  - 32. The method of claim 30 comprising allowing a user to select the authentication policies that will be applicable to that user.
  - 33. The method of claim 29 wherein providing authentication based on the authentication article by enforcing at least one selected policies comprises:
    - configuring an authentication challenge based on the selected policy;
      
      sending the authentication challenge to a remote device wherein the sent challenge is defined by the selected group policies and includes data representing a location on the authentication article that contains response data;
      
      receiving, in response to the sent challenge, the response data obtained from the authentication article corresponding to the data representing the location on the article; and
      
      comparing the received response data with expected response data to determine whether authentication can be granted.
  - 34. The method of claim 29 comprising applying at least one selected authentication policy globally to all users in a community of interest and at least another authentication policy to a selected group of users within the community of interest.
  - 35. The method of claim 29 wherein the article is a card containing row and column identification information and corresponding sender authentication information at row and column positions on the card and wherein the selected policy determines a length of a challenge sent as part of an authentication process.

33-1. The method of claim 32 wherein the selectable authentication policies include at least one of:
- a policy to control a number of response data elements provided on the authentication article;
  
  a policy to control authentication article content type;
  
  a policy to control a strength of an authentication challenge that is part of a challenge/reply authentication process;
  
  a policy to control a lifetime of the authentication article;
  
  a policy to control lock out after unsuccessful reply attempts to an authentication challenge that is part of a challenge/reply authentication process based on the authentication article;
  
  a policy to control a multiple screen authentication process using the authentication article;
  
  a policy to control whether a challenge based on the authentication article is acceptable via different channels.

36. A method for providing authentication comprising:
- providing, through a user interface, selectability on a per user group basis of a plurality of authentication policies associated with an authentication article that includes sender authentication information located in cells thereon that can be located by using corresponding location information;
  
  controlling a challenge strength of one group of users to be different from another group of users that both use authentication articles, based on a selected authentication policy from the plurality of authentication policies; and
  
  providing authentication based on the authentication articles for each of the groups by enforcing at least one of the plurality of the selected group policies.
- View Dependent Claims (37, 38)
- - 37. The method of claim 36 wherein controlling the challenge strength of the groups of users comprises setting, for each group, different challenge lengths corresponding to data in a different number of cells from the authentication article to be required to be received in a reply to a challenge.
  - 38. The method of claim 36 comprising storing data representing selectable global policies and group policies, and data representing user ID'"'"'s and group ID'"'"'s.

39. An apparatus for providing authentication comprising:
- one or more processors and memory, operatively coupled to the one or more processors, that contains executable instructions that when executed causes the one or more processors to;
  
  provide selectability of a plurality of authentication policies associated with an authentication article that includes sender authentication information located thereon that can be located by using corresponding location information; and
  
  provide authentication based on the authentication article by enforcing at least one of the plurality of the selected policies.
- View Dependent Claims (40, 41, 42, 43)
- - 40. The apparatus of claim 39 wherein the memory includes executable instructions that when executed causes the one or more processors to link the selected authentication policies to a user or user group and wherein the authentication article is a column and row based authentication article.
  - 41. The apparatus of claim 39 wherein the memory includes executable instructions that when executed causes the one or more processors to allow a representative of a user group to select the authentication policies that will be applicable to that user group.
  - 42. The apparatus of claim 39 wherein the memory includes executable instructions that when executed causes the one or more processors to allow a user to select the authentication policies that will be applicable to that user.
  - 43. The apparatus of claim 39 wherein the memory includes executable instructions that when executed causes the one or more processors to:
    - configure an authentication challenge based on the selected policies;
      
      send the authentication challenge to a remote device wherein the sent challenge is defined by the selected group policies and includes data representing a location on the authentication article that contains response data;
      
      receive, in response to the sent challenge, the response data obtained from the authentication article corresponding to the data representing the location on the article; and
      
      compare the received response data with expected response data to determine whether authentication can be granted.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Entrust Corp.
Original Assignee
Entrust Incorporated (Entrust Corp.)
Inventors
Chiviendacz, Michael, Neville, Steve, Morgan, Michael, Voice, Chris

Granted Patent

US 9,191,215 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/2
CPC Class Codes

G06F 21/36   by graphic or iconic repres...

G06F 21/40   by quorum, i.e. whereby two...

G06F 21/45   Structures or tools for the...

G06F 2221/2103   Challenge-response

G06F 2221/2111   Location-sensitive, e.g. ge...

G06F 2221/2129   Authenticate client device ...

G06Q 10/107   Computer-aided management o...

G06Q 20/341   Active cards, i.e. cards in...

G06Q 20/4014   Identity check for transact...

G06Q 20/40145   Biometric identity checks

G07F 7/1008   Active credit-cards provide...

G07F 7/1083   Counting of PIN attempts

H04L 2209/56   Financial cryptography, e.g...

H04L 2209/80   Wireless network architectu...

H04L 63/20   for managing network securi...

H04L 9/3271   using challenge-response

Method and apparatus for providing authentication using policy-controlled authentication articles and techniques

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

440 Citations

43 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for providing authentication using policy-controlled authentication articles and techniques

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

440 Citations

43 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links