METHODS AND SYSTEMS FOR AUTHENTICATING USERS OVER NETWORKS

US 20130024918A1
Filed: 07/20/2011
Published: 01/24/2013
Est. Priority Date: 07/20/2011
Status: Active Grant

First Claim

Patent Images

1. A method for authenticating users over networks comprising:

requesting a one-time password;

entering a personal identification number into a communications device;

retrieving a replaceable shared secret stored in the communications device;

generating a hashed personal identification number from the entered personal identification number;

combining the hashed personal identification number with the replaceable shared secret to generate a modified shared secret; and

generating a one-time password with the modified shared secret and the time of said requesting operation.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for authenticating users over networks includes requesting a one-time password, entering a personal identification number into a communications device, and retrieving a replaceable shared secret stored in the communications device. Moreover, the method includes generating a hashed personal identification number from the entered personal identification number, combining the hashed personal identification number with the replaceable shared secret to generate a modified shared secret, and generating a one-time password with the modified shared secret and the time of requesting the one-time password.

Citations

20 Claims

1. A method for authenticating users over networks comprising:
- requesting a one-time password;
  
  entering a personal identification number into a communications device;
  
  retrieving a replaceable shared secret stored in the communications device;
  
  generating a hashed personal identification number from the entered personal identification number;
  
  combining the hashed personal identification number with the replaceable shared secret to generate a modified shared secret; and
  
  generating a one-time password with the modified shared secret and the time of said requesting operation.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. A method for authenticating users over networks in accordance with claim 1, further comprising replacing the replaceable shared secret when the replaceable shared secret expires or after discovering a security breach.
  - 3. A method for authenticating users over networks in accordance with claim 1, further comprising:
    - reading the one-time password from the communications device;
      
      entering the one-time password in a service provider web page operated by a service provider computer system;
      
      transmitting the one-time password from the service provider computer system to an authentication system; and
      
      authenticating the one-time password.
  - 4. A method for authenticating users over networks in accordance with claim 3, said authenticating operation comprising:
    - determining a system time of the authentication system, a first time before the system time, and a second time after the system time;
      
      determining a difference between the first and second times;
      
      dividing the difference into intervals of time; and
      
      generating a series of passwords that includes a password for each interval of time, each of the passwords being generated using the modified shared secret and the beginning time of a respective interval of time.
  - 5. A method for authenticating users over networks in accordance with claim 4, further comprising:
    - comparing the one-time password against each password included in the series; and
      
      generating and transmitting a message to the service provider computer system when the one-time password matches one of the passwords included in the series of passwords.
  - 6. A method for authenticating users over networks in accordance with claim 5, said authenticating operation comprising:
    - generating a series of duress passwords when the one-time password does not match a password included in the series of passwords;
      
      comparing the one-time password against each duress password; and
      
      determining that the user is operating under duress when the one-time password matches one of the duress passwords.
  - 7. A method for authenticating users over networks in accordance with claim 6, said determining that the user is operating under duress operation comprising determining an action to take in response to learning that the user is operating under duress.
  - 8. A method for authenticating users over networks in accordance with claim 1, said combining operation comprising combining the personal identification number, the hashed personal identification number, and the replaceable shared secret to generate the modified shared secret.
  - 9. A method for authenticating users over networks in accordance with claim 3, further comprising:
    - updating the one-time password periodically and displaying the updated one-time password on a screen of the communications device;
      
      choosing a one-time password displayed on the screen; and
      
      conducting said entering operation by entering the chosen one-time password in the service provider web page.
  - 10. A method for authenticating users over networks in accordance with claim 1, further comprising:
    - determining a security breach could have occurred in the communications device while the communications device is unable to communicate with an authentication system;
      
      generating the modified shared secret by combining the replaceable shared secret with a error indicator number;
      
      generating the one-time password with the modified shared secret and the time of said requesting operation;
      
      transmitting the one-time password to the authentication system;
      
      authenticating the one-time password; and
      
      prohibiting access to resources in a service provider system when said authenticating operation is unsuccessful.
  - 11. A method for authenticating users over a network in accordance with claim 10, further comprising permitting access to the resources in the service provider system after a new shared secret and effective life replacement process occurs.

12. A system for authenticating users over networks, said system comprising:
- a service provider system, said service provider system including at least a database, said service provider system being configured to store within said database at least resources and unique user identifiers;
  
  a computing device configured to at least communicate with said service provider system;
  
  an authentication system comprising an authentication database and being configured to communicate with at least said service provider system and said computing device, store within said authentication database authentication data associated with each of a plurality of authorized users, generate and store shared secrets, generate one-time passwords, and conduct an authentication process; and
  
  a communications device configured to at least communicate with said authentication system, obtain authentication data, store shared secrets, replace shared secrets with new shared secrets, generate hashed personal identification numbers, and generate one-time passwords,said authentication system being further configured to communicate with said communications device,said communications device being further configured toreplace a shared secret with a new shared secret,combine a hashed personal identification number with the new shared secret to generate a modified shared secret,generate a one-time password with the modified shared secret and a time the one-time password is requested, andtransmit the one-time password to said authentication system.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. A system for authenticating users over networks in accordance with claim 12, said authentication system being further configured to:
    - determine a plurality of time intervals; and
      
      generate a series of passwords, each password corresponding to one of the time intervals and being generated with the modified shared secret and the beginning time of each corresponding time interval.
  - 14. A system for authenticating users over networks in accordance with claim 13, said authentication system being further configured to:
    - determine a system time of said authentication system, a first time before the system time, and a second time after the system time;
      
      determine a difference between the first and second times; and
      
      divide the difference into the plurality of time intervals.
  - 15. A system for authenticating users over networks in accordance with claim 13, said authentication system being further configured to:
    - compare the one-time password against each password included in the series of passwords; and
      
      generate and transmit a message to said service provider system when the one-time password matches one of the passwords.
  - 16. A system for authenticating users over networks in accordance with claim 12, said authentication system being further configured to:
    - generate a series of duress passwords;
      
      compare the one-time password against the duress passwords; and
      
      determine that the user is operating under duress when the one-time password matches one of the duress passwords.
  - 17. A system for authenticating users over networks in accordance with claim 12, said communications device comprising:
    - a smart phone;
      
      a tablet computer;
      
      a laptop computer;
      
      a desktop personal computer;
      
      ora personal digital assistant.
  - 18. A system for authenticating users over networks in accordance with claim 12, said communications device being further configured to update the one-time password periodically and display the updated one-time password on said communications device.
  - 19. A system for authenticating users over networks in accordance with claim 12, said communications device being further configured to replace a shared secret with a new shared secret generated by said authentication system after discovering a security breach of said authentication system.

20. A computer program recorded on a non-transitory computer-readable recording medium included in a computer system, the computer program for enabling authentication of a user attempting to access resources stored in the computer system, the computer program for causing the computer system to execute at least the following:
- retrieving a replaceable shared secret upon receiving a request for a one-time password;
  
  generating a hashed personal identification number from a personal identification number entered into the transaction management system;
  
  combining the hashed personal identification number with the replaceable shared secret to generate a modified shared secret;
  
  generating the one-time password with the modified shared secret and the time of the request;
  
  determining a plurality of time intervals;
  
  generating series of passwords that includes a password for each time interval, each of the passwords being generated using the modified shared secret and the beginning time of a respective interval of time;
  
  comparing the one-time password against each password included in the series of passwords; and
  
  permitting the user to access the resources when the one-time password matches one of the passwords included in the series of passwords.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Corporation DAON Technology
Original Assignee
Daon Holdings Limited
Inventors
CRAMER, Jason Scott, WEBB, Andrew Supplee, HOLLAND, Christopher Eric, WHITE, Conor Robert

Granted Patent

US 8,868,921 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/6
CPC Class Codes

G06F 21/34   involving the use of extern...

H04L 63/0838   using one-time-passwords

H04L 63/0876   based on the identity of th...

H04L 9/3228   One-time or temporary data,...

H04L 9/3231   Biological data, e.g. finge...

METHODS AND SYSTEMS FOR AUTHENTICATING USERS OVER NETWORKS

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

METHODS AND SYSTEMS FOR AUTHENTICATING USERS OVER NETWORKS

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links