METHODS AND SYSTEMS FOR USING DERIVED CREDENTIALS TO AUTHENTICATE A DEVICE ACROSS MULTIPLE PLATFORMS

US 20140020073A1
Filed: 07/13/2012
Published: 01/16/2014
Est. Priority Date: 07/13/2012
Status: Active Grant

First Claim

Patent Images

1. A method for authenticating a login request received by a provider server comprising:

(a) receiving from the provider server an identity assertion request associated with the login request;

(b) receiving an identity identifier for an identity associated with the identity assertion request;

(c) in response to receiving the identity assertion request and the identity identifier, identifying a client device associated with the identity identifier and the provider server; and

(d) sending a validation request to the client device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for adapting existing service provider servers to support two-factor authentication by leveraging an authentication server, which may be operated by a third party. Where a user desires to access content or services offered by a service provider server, the user may employ a client agent (for example, a web browser) in order to authenticate with the service provider server. Service provider server can redirect client agent to an authentication server to process at least a second factor or derived credential.

Citations

40 Claims

1. A method for authenticating a login request received by a provider server comprising:
- (a) receiving from the provider server an identity assertion request associated with the login request;
  
  (b) receiving an identity identifier for an identity associated with the identity assertion request;
  
  (c) in response to receiving the identity assertion request and the identity identifier, identifying a client device associated with the identity identifier and the provider server; and
  
  (d) sending a validation request to the client device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 2. The method of claim 1, further comprising:
    - receiving a validation response from the client device in response to the validation request;
      
      determining whether the validation response satisfies a validation response criterion; and
      
      in response to the validation response satisfying the validation response criterion, sending a response assertion relating to the identity to the provider server.
  - 3. The method of claim 1, wherein, in response to receiving the identity assertion request and the identity identifier, and before sending the validation request, further comprising:
    - identifying a plurality of client devices associated with the identity identifier and the provider server; and
      
      receiving a selection identifying the client device from among the plurality of client devices.
  - 4. The method of claim 2, wherein the validation request comprises a smart card cryptogram request, and wherein the validation response comprises a smart card cryptogram generated by a smart card.
  - 5. The method of claim 2, wherein the validation request comprises a password request, and the validation response comprises a password entered at the client device.
  - 6. The method of claim 2, wherein the validation request comprises a device cryptogram request, and wherein the validation response comprises a device cryptogram generated by the client device.
  - 7. The method of claim 1, wherein the identity assertion request comprises a request assurance level.
  - 8. The method of claim 7, wherein the request assurance level is an OMB 04-04 assertion level.
  - 9. The method of claim 7, further comprising determining a type of the validation request based upon the request assurance level.
  - 10. The method of claim 1, further comprising determining a type of the validation request based upon a provider server configuration stored in a memory.
  - 11. The method of claim 2, wherein the response assertion comprises a response assurance level.
  - 12. The method of claim 1, wherein the identity identifier is received from the provider server.
  - 13. The method of claim 1, wherein the identity identifier is received from an identity provider other than the provider server.
  - 14. The method of claim 1, wherein the identity is a federated identity.
  - 15. The method of claim 2, further comprising:
    - in response to the validation response satisfying the validation response criterion, sending a security token; and
      
      after sending the response assertion, receiving from the provider server a subsequent identity assertion request associated with a subsequent login request;
      
      after receiving the subsequent identity assertion request, receiving the security token; and
      
      after receiving the security token, sending a subsequent response assertion relating to the identity to the provider server without sending a subsequent validation request to the client device.
  - 16. The method of claim 2, further comprising:
    - in response to the validation response satisfying the validation response criterion, sending a security token; and
      
      after sending the response assertion, receiving from the provider server a subsequent identity assertion request associated with a subsequent login request;
      
      after receiving the subsequent identity assertion request, receiving the security token; and
      
      after receiving the security token, determining that less than a predetermined amount of time has elapsed since sending the security token; and
      
      in response to determining that less than the predetermined amount of time has elapsed, sending a subsequent response assertion with respect to the identity to the provider server without sending a subsequent validation request to the client device.
  - 17. The method of claim 1, further comprising:
    - prior to the identifying and the sending steps, receiving a request to associate the client device with the identity identifier.
  - 18. The method of claim 17, wherein the request to associate the client device with the identity identifier further comprises a request to associate the client device with the provider server.
  - 19. The method of claim 17, further comprising:
    - determining an identity proofing criterion based upon a primary credential;
      
      generating an identity proofing request for an identity proofing response that satisfies the identity proofing criterion;
      
      sending the identity proofing request;
      
      receiving the identity proofing response in response to the identity proofing request; and
      
      in response to the identity proofing response satisfying the identity proofing criterion, storing a record of the client device and the association of the client device with the identity identifier.
  - 20. The method of claim 17, further comprising:
    - determining an identity proofing criterion based upon a primary credential;
      
      generating an identity proofing request for an identity proofing response that satisfies the identity proofing criterion;
      
      sending the identity proofing request;
      
      receiving the identity proofing response in response to the identity proofing request; and
      
      in response to the identity proofing response satisfying an identity proofing criterion, storing a record of the client device and the association of the client device with the provider server.

21. A computing device for authenticating a login request received by a provider server, the computing device comprising:
- a memory; and
  
  a processor communicatively coupled to the memory, the processor configured to;
  
  receive from a provider server an identity assertion request associated with the login request;
  
  receive an identity identifier for an identity associated with the identity assertion request;
  
  in response to receiving the assertion request and the identity identifier, identify a client device associated with the identity identifier and the provider server; and
  
  send a validation request to the client device.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40)
- - 22. The computing device of claim 21, wherein the processor is further configured to:
    - receive a validation response from the client device in response to the validation request;
      
      determine whether the validation response satisfies a validation response criterion; and
      
      in response to the validation response satisfying the validation response criterion, send an response assertion with respect to the identity to the provider server.
  - 23. The computing device of claim 21, wherein in response to receiving the assertion request and the identity identifier and before sending the validation request the processor is further configured to:
    - identify a plurality of client devices associated with the identity identifier and the provider server; and
      
      receive a selection identifying the client device from among the plurality of identified client devices.
  - 24. The computing device of claim 22, wherein the validation request comprises a smart card cryptogram request, and wherein the validation response comprises a smart card cryptogram generated by a smart card.
  - 25. The computing device of claim 22, wherein the validation request comprises a password request, and the validation response comprises a password entered at the client device.
  - 26. The computing device of claim 22, wherein the validation request comprises a device cryptogram request, and wherein the validation response comprises a device cryptogram generated by the client device.
  - 27. The computing device of claim 21, wherein the identity assertion request comprises a request assurance level.
  - 28. The computing device of claim 27, wherein the request assurance level is an OMB 04-04 assertion level.
  - 29. The computing device of claim 27 wherein the processor is further configured to determine a type of the validation request based upon the request assurance level.
  - 30. The computing device of claim 21, wherein the processor is further configured to determine a type of the validation request based upon a provider server configuration stored in the memory.
  - 31. The computing device of claim 22, wherein the response assertion comprises a response assurance level.
  - 32. The computing device of claim 21, wherein the identity identifier is received from the provider server.
  - 33. The computing device of claim 21, wherein the identity identifier is received from an identity provider other than the provider server.
  - 34. The computing device of claim 21, wherein the identity is a federated identity.
  - 35. The computing device of claim 22, wherein the processor is further configured to:
    - in response to the validation response satisfying the validation response criterion, send a security token; and
      
      after sending the response assertion, receive from the provider server a subsequent identity assertion request associated with a subsequent login request;
      
      after receiving the subsequent identity assertion request, receive the security token; and
      
      after receiving the security token, send a subsequent response assertion with respect to the identity to the provider server without sending a subsequent validation request to the client device.
  - 36. The computing device of claim 22, wherein the processor is further configured to:
    - in response to the validation response satisfying the validation response criterion, send a security token; and
      
      after sending the response assertion, receive from the provider server a subsequent identity assertion request associated with a subsequent login request;
      
      after receiving the subsequent identity assertion request, receive the security token;
      
      after receiving the security token, determine whether less than a predetermined amount of time has elapsed since sending the security token; and
      
      in response to determining that less than the predetermined amount of time has elapsed, send a subsequent response assertion with respect to the identity to the provider server without sending a subsequent validation request to the client device.
  - 37. The computing device of claim 21, wherein the processor is further configured to:
    - prior to the identifying and the sending, receive a request to associate the client device with the identity identifier.
  - 38. The computing device of claim 37, wherein the request to associate the client device with the identity identifier further comprises a request to associate the selected client device with the provider server.
  - 39. The computing device of claim 37, wherein the processor is further configured to:
    - determine an identity proofing criterion based upon a primary credential;
      
      generate an identity proofing request for an identity proofing response that can satisfy the identity proofing criterion;
      
      send the identity proofing request;
      
      receive the identity proofing response in response to the identity proofing request; and
      
      in response to the identity proofing response satisfying an identity proofing criterion, storing a record of the client device and the association of the client device with the identity identifier.
  - 40. The computing device of claim 37, wherein the processor is further configured to:
    - determine an identity proofing criterion based upon a primary credential;
      
      generate an identity proofing request for an identity proofing response that can satisfy the identity proofing criterion;
      
      send the identity proofing request;
      
      receive the identity proofing response in response to the identity proofing request; and
      
      in response to the identity proofing response satisfying an identity proofing criterion, storing a record of the client device and the association of the client device with the provider server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SecureKey Technologies, Inc. (Gen Digital Inc.)
Original Assignee
SecureKey Technologies, Inc. (Gen Digital Inc.)
Inventors
Ronda, Troy Jacob, Boysen, Andre, Das, Abhishek, Varley, Michael, Cumming, Hugh

Granted Patent

US 9,053,304 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/7
CPC Class Codes

G06F 21/31   User authentication

G06F 21/335   for accessing specific reso...

G06F 21/34   involving the use of extern...

G06F 21/44   Program or device authentic...

H04L 63/0815   providing single-sign-on or...

H04L 63/0853   using an additional device,...

METHODS AND SYSTEMS FOR USING DERIVED CREDENTIALS TO AUTHENTICATE A DEVICE ACROSS MULTIPLE PLATFORMS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

40 Claims

Specification

Solutions

Use Cases

Quick Links

METHODS AND SYSTEMS FOR USING DERIVED CREDENTIALS TO AUTHENTICATE A DEVICE ACROSS MULTIPLE PLATFORMS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

40 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links