DYNAMIC USER AUTHENTICATION FOR ACCESS TO ONLINE SERVICES

US 20110047608A1
Filed: 08/24/2010
Published: 02/24/2011
Est. Priority Date: 08/24/2009
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for authenticating a user for access to an online service using a variable authentication type, the method comprising:

receiving from an online service an authentication request that includes user identity information and an indication of the online service that submitted the request;

determining one or more authentication criteria to use to authenticate the identified user;

sending to the online service an authentication response that requests satisfaction of the determined authentication criteria by the user;

receiving from the online service a verification request that includes user identity information and a response to the authentication criteria;

validating the information received in the verification request to determine whether a user requesting access is the user identified by the user identity information;

upon determining that the information received in the verification request matches one or more expected answers, sending to the online service a verification response indicating that the access request is allowed,wherein the preceding steps are performed by at least one processor.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A dynamic authentication system that makes authentication stronger, while reducing the cost to business and the burden to users. The system includes a service that provides centralized, non-federated, proxied authentication. The system uses a two-pass authentication process that first receives a supposed identity of the user and then determines one or more authentication criteria for proving that supposed identity. When the user attempts to use an online service that relies on the dynamic authentication system for authentication, the service requests the user'"'"'s identity. The system dynamically determines authentication criteria for the user to prove the provided identity belongs to the user. In the second pass, the service receives a response from the user containing additional authentication information, and forwards the received response to the system for verification. If verification succeeds, the service allows the user to access the requested resources.

185 Citations

20 Claims

1. A computer-implemented method for authenticating a user for access to an online service using a variable authentication type, the method comprising:
- receiving from an online service an authentication request that includes user identity information and an indication of the online service that submitted the request;
  
  determining one or more authentication criteria to use to authenticate the identified user;
  
  sending to the online service an authentication response that requests satisfaction of the determined authentication criteria by the user;
  
  receiving from the online service a verification request that includes user identity information and a response to the authentication criteria;
  
  validating the information received in the verification request to determine whether a user requesting access is the user identified by the user identity information;
  
  upon determining that the information received in the verification request matches one or more expected answers, sending to the online service a verification response indicating that the access request is allowed,wherein the preceding steps are performed by at least one processor.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1 wherein receiving the authentication request comprises receiving a username associated with the user and a domain associated with the online service.
  - 3. The method of claim 1 wherein determining one or more authentication criteria comprises determining a least burdensome set of authentication criteria that will provide a sufficient degree of confidence in the user'"'"'s identity in accordance with the sensitivity of information to which the user is requesting access.
  - 4. The method of claim 1 wherein determining one or more authentication criteria comprises determining an authentication method based on the user'"'"'s identity.
  - 5. The method of claim 1 wherein determining one or more authentication criteria comprises determining an authentication method based on the online service that submitted the request.
  - 6. The method of claim 1 wherein determining one or more authentication criteria comprises determining an authentication method based on historical information stored about the user.
  - 7. The method of claim 1 wherein determining one or more authentication criteria comprises adapting a rigor of authentication based on one or more circumstances of the request.
  - 8. The method of claim 1 wherein sending the authentication response comprises sending one or more user interface elements for requesting the determined authentication criteria.
  - 9. The method of claim 1 wherein receiving the verification request comprises receiving one or more answers to any previously presented authentication queries to the user.
  - 10. The method of claim 1 wherein validating the information received comprises comparing a received secret to a secret stored in a user data store managed by an authentication system.
  - 11. The method of claim 1 further comprising, after validating the information received, storing a verification result and information about the request for use during a subsequent authentication request.

12. A computer system for providing a hosted authentication service to multiple online resources, the system comprising:
- a processor and memory configured to execute software instructions embodied in the following components;
  
  an account creation component configured to receive user information and create an account for the user;
  
  a user data store configured to store user information about users of the system;
  
  an authentication request component configured to receive first requests from online services from users attempting to access the online services, wherein the requests include user identity information;
  
  an authentication criteria component configured to determine one or more authentication criteria for proving a user'"'"'s identity in response to a received authentication request, and provide a response to each received request based on the determined authentication criteria; and
  
  a verification request component configured to receive second requests from online services from users attempting to access the online services, wherein the requests include user responses to the determined authentication criteria.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The system of claim 12 wherein the account creation component is further configured to receive at least a user name, contact information for the user, and one or more methods of authentication that the user prefers.
  - 14. The system of claim 12 wherein the user data store is further configured to store historical information about a user'"'"'s authentication attempts and online sites the user has visited from which authentication requests were received.
  - 15. The system of claim 12 wherein the authentication request component is further configured to invoke the authentication criteria component to determine one or more authentication methods to use for proving the user'"'"'s identity.
  - 16. The system of claim 12 wherein the authentication criteria component is further configured to access a previously configured authentication method set by the user and provide the authentication method in the response to the received request.
  - 17. The system of claim 12 wherein the authentication criteria component is further configured to determine criteria based on authentication requests received from multiple online services accessed by the user.
  - 18. The system of claim 12 wherein the authentication criteria component is further configured to determine criteria based on at least one factor selected from the group consisting of a computer from which the user is requesting access, a time of day, a past historical pattern of the user, whether the online service is commonly accessed by the user, and how fast the user types compared to past observations.
  - 19. The system of claim 12 further comprising a configuration component configured to receive configuration information from parties to the system, and wherein a user can configure a single authentication method for logging into multiple online services that can be changed in one place.

20. A computer-readable storage medium comprising instructions for controlling a computer system to access a hosted authentication provider for authenticating access to an online service, wherein the instructions, upon execution, cause a processor to perform actions comprising:
- receiving from a user a request to access the online service;
  
  sending an authentication request to the hosted authentication provider, wherein the request identifies the user and requests one or more authentication methods for verifying the user'"'"'s identity;
  
  receiving from the hosted authentication provider one or more user interface elements to receive information from the user to respond to one or more authentication methods identified by the hosted authentication provider;
  
  providing the received user interface elements for display to the user;
  
  receiving from the user authentication information through the displayed user interface elements;
  
  sending to the hosted authentication provider a verification request that includes the authentication information received from the user; and
  
  receiving from the hosted authentication provider a verification response that indicates whether the authentication information provided by the user was sufficient to prove the user'"'"'s identity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cory Levenberg
Original Assignee
UFP Identity Incorporated
Inventors
Levenberg, Richard

Granted Patent

US 8,756,661 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/7
CPC Class Codes

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/126   the source of the received ...

H04L 63/18   using different networks or...

DYNAMIC USER AUTHENTICATION FOR ACCESS TO ONLINE SERVICES

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

185 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

DYNAMIC USER AUTHENTICATION FOR ACCESS TO ONLINE SERVICES

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

185 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links