METHOD AND SYSTEM FOR IMPROVED SECURITY

US 20120144464A1
Filed: 12/06/2011
Published: 06/07/2012
Est. Priority Date: 12/06/2010
Status: Active Grant

First Claim

Patent Images

1. A method of providing secure access to a first server for a user, the method comprising:

at a second server;

receiving a request to authenticate the user for accessing one or more services in a set of services provided by the first server, each service associated with a corresponding security level;

receiving a selection of a particular security level;

receiving a set of security information to authentication the user for the selected particular security level; and

when the received set of security information is validated by the second server, sending a set of credentials from the second server to the first server to authenticate the user on the first server for using the services corresponding to the selected particular security level.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An improved authentication method and system is provided where a user securely accesses a variety of target servers for online email, online banking, credit card purchases, ecommerce, brokerage services, corporate databases, and online content (movies, music and software). The method involves a bridge server performing authentication tasks that allow a user to access a server or a group of servers with multiple security levels. The method eliminates the need for the user to remember multiple usernames/passwords for each target server. The method also allows one bridge server and one set of security devices to be used to authenticate the user for multiple servers, thereby reducing security costs and increasing user convenience. A location-based password-ID generating device is also described for secure location-based access.

Citations

31 Claims

1. A method of providing secure access to a first server for a user, the method comprising:
- at a second server;
  
  receiving a request to authenticate the user for accessing one or more services in a set of services provided by the first server, each service associated with a corresponding security level;
  
  receiving a selection of a particular security level;
  
  receiving a set of security information to authentication the user for the selected particular security level; and
  
  when the received set of security information is validated by the second server, sending a set of credentials from the second server to the first server to authenticate the user on the first server for using the services corresponding to the selected particular security level.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein receiving the request to authenticate the user for accessing one or more services in the set of services provided by the first server comprises:
    - displaying a list of a set of servers comprising the first server; and
      
      receiving a selection of the first server as a server to access by the user.
  - 3. The method of claim 1, wherein receiving the selection of the particular security level comprises:
    - displaying the set of services; and
      
      receiving the selection of the particular security level based on the displayed set of services.
  - 4. The method of claim 1 further comprising directing the user to the first server when the authentication is successful.
  - 5. The method of claim 1, wherein sending the set of credentials from the second server to the first server comprises sending a dynamically changing user identification and password corresponding to the user.
  - 6. The method of claim 1 further comprising:
    - after sending the set of credentials from the second server to the first server, dynamically updating the set of credentials for use in a future authentication of the user by the second server with the first server; and
      
      sending the updated set of credentials from the second server to the first server.
  - 7. The method of claim 1 further comprising:
    - requesting a server identification from the first server;
      
      receiving the server identification at the second server from the first server; and
      
      authenticating the first server based on the received server identification before sending the second set of security information from the second server to the first server to authenticate the user on the first server.
  - 8. The method of claim 7 further comprising:
    - dynamically updating the server identification for the first server; and
      
      sending the updated server identification to the first server for a future authentication of the first server by the second server.
  - 9. The method of claim 1, wherein the particular security level is a first security level, wherein the set of security information is a first set of security information, the method further comprising:
    - directing the user to the first sever after sending a set of credentials from the second server to the first server;
      
      receiving a request to authenticate the user for accessing one or more services of the first server based on second security level that is higher than the first security level; and
      
      receiving a second set of security information to authentication the user for the particular security level, the second set of security information different than the first set of security information; and
      
      when the second set of security information is validated by the second server, sending a set of credentials from the second server to the first server to authenticate the user on the first server for using the services corresponding to the second security level.
  - 10. The method of claim 1, wherein sending the set of credentials from the second server to the first server comprises:
    - establishing a secure network among the first server, the second server, and a device used by the user; and
      
      sending the set of credentials from the second server to the first server through the secure network.
  - 11. The method of claim 1, wherein sending the set of credentials from the second server to the first server comprises:
    - establishing an encrypted communication link between the second server and a device used by the user;
      
      sending the set of credentials from the second server to the device; and
      
      sending the set of credentials from the device to the first server.

12. A non-transitory computer readable medium storing a computer program for authenticating a user, the computer program executable by a processing unit, the computer program comprising sets of instructions for:
- displaying a list of a set of servers;
  
  receiving a selection of a particular server in the set of servers;
  
  receiving information for authenticating the user to access the particular server; and
  
  sending, when the received information is validated, a set of credentials to the particular server to enable the user to access the particular server.
- View Dependent Claims (13, 14, 15, 16, 17, 18)
- - 13. The non-transitory computer readable medium of claim 12, wherein the computer program further comprises sets of instructions for:
    - updating the set of credentials for enabling the user to access the particular server each time the user is authenticated by the authenticating server; and
      
      sending the updated credentials to the particular server for future authentication of the user on the particular server.
  - 14. The non-transitory computer readable medium of claim 12, wherein the computer program further comprises sets of instructions for:
    - updating the set of credentials for enabling the user to access the particular server after a pre-determined time has elapsed since a previous update of said credentials; and
      
      sending the updated credentials to the particular server for future authentication of the user on the particular server.
  - 15. The non-transitory computer readable medium of claim 12, wherein the computer program further comprises sets of instructions for:
    - displaying a set of services provided by the particular server, each service in the set of services associated with a security level in a set of security levels; and
      
      receiving a selection of a particular security level in the set of security levels,wherein the information for authenticating the user to access the particular server is based on the selected security level, wherein the information for authenticating the user based on the particular security level is different from the information for authenticating the user based on the at least one other security level.
  - 16. The non-transitory computer readable medium of claim 15, wherein the information for authenticating the user based on a selected security level comprises one of a finger print, a result of a retinal scan, a voice signature, a media access control address (MAC address) of a WiFi access point communicatively couple to a device utilized by the user, and a current location of the user.
  - 17. The non-transitory computer readable medium of claim 12, wherein the computer program further comprises sets of instructions for:
    - requesting a server identification from the particular server;
      
      receiving the server identification from the particular server; and
      
      authenticating the particular server based on the received server identification before sending the set of credentials to the particular server to authenticate the user on the particular server.
  - 18. The non-transitory computer readable medium of claim 12, wherein the set of instructions for receiving the information for authenticating the user to access the particular server comprises a set of instructions to receive one of a finger print, a result of a retinal scan, a voice signature, a media access control address (MAC address) of a WiFi access point communicatively couple to a device utilized by the user, and a current location of the user.

19. A device for location-based authentication of a user by an authenticating server, the device comprising:
- a positioning module for determining a set of coordinates for the device;
  
  a randomizer for generating a password based on the set of coordinates;
  
  a display for displaying the generated password,wherein the generated password is used by the user as one of a set of authentication information to send to the authentication server, wherein the user is authenticated only when the estimated set of coordinates are within a pre-determined threshold.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31)
- - 20. The device of claim 19, wherein the pre-determined threshold for the set of coordinates is set by the user through an interface on the authenticating server.
  - 21. The device of claim 19 further comprising:
    - a memory;
      
      a unique secure seed stored in the memory, the seed being synchronized with a seed stored on the authenticating server,wherein generating the password by the randomizer further comprises using the unique secure seed.
  - 22. The device of claim 19 further comprising a counter for generating a count, wherein generating the password by the randomizer further comprises using the generated count to generate the password.
  - 23. The device of claim 22, wherein the counter is synchronized with a counter stored in the authenticating server at a time the device is being released.
  - 24. The device of claim 22, wherein the counter is synchronized with a counter in the authenticating server based on an identification provided by the user to the authentication server.
  - 25. The device of claim 22 further comprising an internal power source for providing power to the memory and the counter.
  - 26. The device of claim 19 further comprising an interface for connecting to an external device for receiving power for the partitioning module, the randomizer, and the display.
  - 27. The device of claim 26, wherein the interface for connecting to the external device is a universal serial bus (USB).
  - 28. The device is claim 19, wherein the device is integrated in a mobile device, wherein the device receives power from the mobile device.
  - 29. The device of claim 19, wherein the generated password is utilized by the authentication server to authenticate the user for accessing a set of servers communicatively coupled to the authenticating server.
  - 30. The device of claim 19, wherein the partitioning module determines the set of coordinates for the device based on a media access control identification of an access point communicatively coupled to the device.
  - 31. The device of claim 19, wherein the partitioning module determines the set of coordinates for the device using global positioning system (GPS).

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Stripe, Inc.
Original Assignee
Golba LLC
Inventors
Fakhrai, Delaram, Moshfeghi, Mehran

Granted Patent

US 8,914,851 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/6
CPC Class Codes

G06F 21/31   User authentication

G06F 21/41   where a single sign-on prov...

G06F 21/45   Structures or tools for the...

G06F 2221/2111   Location-sensitive, e.g. ge...

H04L 63/06   for supporting key manageme...

H04L 63/08   for authentication of entit...

H04L 63/0815   providing single-sign-on or...

H04L 63/083   using passwords cryptograph...

H04L 63/0853   using an additional device,...

H04L 63/105   Multiple levels of security

METHOD AND SYSTEM FOR IMPROVED SECURITY

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

31 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND SYSTEM FOR IMPROVED SECURITY

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

31 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links