MULTI-FACTOR AUTHENTICATION AND COMPREHENSIVE LOGIN SYSTEM FOR CLIENT-SERVER NETWORKS

US 20140189808A1
Filed: 03/15/2013
Published: 07/03/2014
Est. Priority Date: 12/28/2012
Status: Active Grant

First Claim

Patent Images

1. A method for authenticating a user of a client computer making a request to a server computer providing access to a network resource, the method comprising:

issuing a challenge in response to the request requiring authentication of the user identity through a reply from the client computer;

determining one or more items of context information related to at least one of the user, the request, and the client computer; and

determining a disposition of the request based on the reply and the one or more items of context information.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments are directed to a system and method for authenticating a user of a client computer making a request to a server computer providing access to a network resource through an authentication platform that issues a challenge in response to the request requiring authentication of the user identity through a reply from the client computer, determining one or more items of context information related to at least one of the user, the request, and the client computer, and determining a disposition of the request based on the reply and the one or more items of context information. The reply includes a user password and may be provided by an authorizing client device coupled to the client computer over a wireless communications link.

886 Citations

50 Claims

1. A method for authenticating a user of a client computer making a request to a server computer providing access to a network resource, the method comprising:
- issuing a challenge in response to the request requiring authentication of the user identity through a reply from the client computer;
  
  determining one or more items of context information related to at least one of the user, the request, and the client computer; and
  
  determining a disposition of the request based on the reply and the one or more items of context information.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1 wherein the network resource is selected from the group consisting of:
    - a web site, a service provided by server computer, a hardware device coupled to the network, access to physical facilities controlled by the server computer, an executable application, and a product sold by an operator of the server computer.
  - 3. The method of claim 2 wherein the one or more items of context information are selected from the group consisting of:
    - location of the client computer, user provided information, related server provided information, network information, application information, and client computer usage patterns.
  - 4. The method of claim 1 wherein the reply comprises a username and password combination.
  - 5. The method of claim 4 wherein the reply further comprises at least one of a token and session identifier.
  - 6. The method of claim 4 further comprising:
    - comparing the username and password in the reply against a username and password stored in a database; and
      
      transmitting a message regarding the result of the comparison to the client computer.
  - 7. The method of claim 1 wherein the disposition of the request comprises one of granting or denying the request by the user to access the network resource, the method further comprising:
    - determining a level of authorization required to grant the request, the level of authorization comprising a discrete value within a range of qualitative values; and
      
      determining if the reply meets the level of authorization before granting the request.
  - 8. The method of claim 7 wherein, and wherein the level of authorization is based on a plurality of factors selected from the group consisting of:
    - server-defined policies, client-defined policies, required periodicity of authorization, request type, resource type, location of user, and risk level associated with at least one of the user, resource and client computer.
  - 9. The method of claim 1 wherein the reply is provided by an authorizing client device coupled to the client computer over a network link.
  - 10. The method of claim 9 wherein the authorizing client device comprises a mobile communication device, and wherein the network link comprises a wireless communications link.

11. A method for processing a request from a client computer to access a target server over a network, the method comprising:
- issuing a challenge requiring validation of a user identity in response to the request;
  
  receiving user credentials from an authorizing client coupled to the client computer; and
  
  comparing the received user credentials with stored user credentials to determine a disposition of the request.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The method of claim 11 wherein the disposition of the request comprises one of granting or denying the request by the user to access the target server, the method further comprising transmitting the disposition in a message to the authorizing client for display to the user.
  - 13. The method of claim 12 wherein the client computer executes a web browser utilized by the user to access the target server, the method further comprising:
    - displaying user input fields prompting the user for entry of the credentials through the web browser;
      
      sending a command to the authorizing client to prompt the user to input the password into the authorizing client;
      
      sending user credentials to the client computer if the input password is valid; and
      
      allowing the client computer to access the target server.
  - 14. The method of claim 13 wherein the target server provides access to a network resource that is selected from the group consisting of:
    - a web site, a service provided by target server, a hardware device coupled to the network, access to physical facilities controlled by the target server, an executable application, and a product sold by an operator of the target server.
  - 15. The method of claim 13 wherein the authorizing client comprises a mobile communication device coupled to the client computer over a network link, wherein the network link is selected from the group consisting of:
    - cellular link, Bluetooth link, WIFI link, and near field communication link.
  - 16. The method of claim 15 further comprising displaying a device selection field allowing the user to select a specific type and model of mobile communication device from a selection of mobile communication devices.

17. A system for allowing a user to login to different websites using a global password, comprising:
- an authentication server coupled to one or more target servers and a client computer over a network;
  
  a data store coupled to the authentication server storing a password allowing the client computer to access the one or more target computers; and
  
  an authorization component verifying an identify of a user of the client computer to allows access to the one or more target servers.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The system of claim 17 further comprising a user interface component configured to display a login window in a web browser running on the client computer, the login window prompting the user to enter a global password to access the one or more target servers.
  - 19. The system of claim 18 wherein the authorization component compares the global password with the stored password to determine the disposition of a request from the client computer to access the one or more target servers.
  - 20. The method of claim 19 wherein the global password is provided by an authorizing client associated with the client computer and distinct from the client computer.
  - 21. The method of claim 20 wherein the authorizing client comprises a mobile communication device coupled to the client computer over a network link, wherein the network link is selected from the group consisting of:
    - cellular link, Bluetooth link, WIFI link, and near field communication link.
  - 22. The system of claim 17 wherein the password is recoverable by a system administrator and capable of being provided to the user upon request.
  - 23. The system of claim 17 wherein the password is encrypted and perceivable only to the user.
  - 24. The system of claim 17 wherein the network includes a captive portal intercepting network packets and redirecting traffic to a different site, and wherein the authentication component is configured to use DNS (domain name system) requests to transport credentials including the password through the network.

25. A method of processing electronic mail (e-mail) messages transmitted among client and server computers in a network, comprising:
- generating an assigned e-mail address for a user of a client computer that provides login credentials to an authentication server for access to at least one of the servers on the network;
  
  storing an assigned e-mail address associated with the user and a service of the at least one server in a database; and
  
  validating a source of an e-mail message sent to the assigned e-mail address for the user upon receipt of the e-mail message at an e-mail server on the network by checking source and service information against the database to determine whether or not the received e-mail message is from an appropriate sender for the service.
- View Dependent Claims (26, 27, 28, 29, 30)
- - 26. The method of claim 25 wherein validating comprises utilizing at least one of domain keys and sender policy framework (SPF) techniques to verify the received e-mail message.
  - 27. The method of claim 25 further comprising stripping information identifying the user in any e-mail message sent by the user in reply to the received e-mail message prior to forwarding the reply e-mail message on to the sender of the received e-mail message to protect the actual e-mail address of the user.
  - 28. The method of claim 27 further comprising:
    - rewriting any hypertext markup language (HTML) content embedded in the received e-mail message to protect the network address of the user;
      
      rewriting any uniform resource identifier (URI) included in the HTML content to a proxy; and
      
      stripping any executable code from the HTML content.
  - 29. The method of claim 25 further comprising:
    - identifying an e-mail type for the received e-mail message based on at least one of an identity of the source and the content of the received e-mail message;
      
      storing the e-mail in a respective type file in the database; and
      
      labeling the received e-mail with the e-mail type for display to the user.
  - 30. The method of claim 29 further comprising adding human-readable authentication information to the e-mail comprising at least one of:
    - an image, text, color, pattern, or unique data element to validate receipt through the service.

31. A system for authenticating a user of a client computer making a request to a target server computer providing access to a network resource, the system comprising:
- a requesting client receiving the request from a user to access the target server; and
  
  an authorizing client coupled to the requesting client over a link, the authorizing client configured to exchange credential information with an authentication server storing proprietary information of the user to enable access to the target server.
- View Dependent Claims (32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42)
- - 32. The system of claim 31 wherein the request comprises one of:
    - a request to login to a website maintained by the target server, and a request to access a network resource controlled by the target server.
  - 33. The system of claim 32 wherein the authorizing client comprises a portable device selected from the group consisting of:
    - a smartphone, a mobile phone, a tablet computer, and a personal digital assistant device.
  - 34. The system of claim 33 wherein the link is selected from the group consisting of:
    - cellular link, Bluetooth link, WIFI link, and near field communication link.
  - 35. The system of claim 31 further comprising an intermediate server coupled to at least one of the requesting client and the authorizing client, the intermediate server comprising a server-side operating system, a file system, and one or more applications for use by the authorizing client.
  - 36. The system of claim 35 the file system of the intermediate server is utilized by the authorizing client for execution of one or more applications on the authorizing client through a resident operating system.
  - 37. The system of claim 35 wherein the file system and the one or more applications are utilized by the authorizing client for execution on the authorizing client through a resident operating system.
  - 38. The system of claim 35 wherein the authorizing client comprises part of a personal device group consisting of a plurality of personal portable devices associated with the user, the personal portable devices linked to one another through a portable server communicating with each personal portable device through a short-range wireless link.
  - 39. The system of claim 35 wherein the credential information is exchanged through a challenge-response routine between the authorizing client and the authentication server consisting of:
    - the user entering an unlock code into the authorizing client;
      
      the authentication server pushing an authorization request to the authorizing client;
      
      the authorizing client receiving an acknowledgment request from the user; and
      
      the authentication server sending an access command to the target server.
  - 40. The system of claim 39 wherein the authorizing client comprises two or more separate devices coupled to the requesting client, and wherein the acknowledgement request from the user comprises separate data elements entered into each of the two or more separate devices.
  - 41. The system of claim 39 further comprising a timer coupled to one of the authorizing client and the authentication server, and wherein the challenge-response routine is a time-limited exchange wherein the user is provided with a limited period of time to provide the acknowledgment request to the authorizing client.
  - 42. The system of claim 39 wherein the requesting client comprises a public computer, and wherein the unlock code comprises a phone number of the user and the credential information comprises a secret password of the user.

43. A method for authenticating a user of a requesting client computer making a request to a target server computer providing access to a network resource, the system comprising:
- receiving an unlock code into an authorizing client coupled to the requesting client;
  
  pushing an authorization request from an authentication server to the authorizing client;
  
  receiving an acknowledgment request from the user through the authorizing client; and
  
  sending an access command to the target server from the authentication server.
- View Dependent Claims (44, 45, 46, 47, 48, 49, 50)
- - 44. The method of claim 43 further comprising exchanging credential information between the authentication server storing proprietary information of the user to enable access to the target server.
  - 45. The method of claim 44 wherein the authorizing client comprises two or more separate devices coupled to the requesting client, and wherein the acknowledgement request from the user comprises separate data elements entered into each of the two or more separate devices.
  - 46. The method of claim 45 further comprisingproviding a timer;
    - defining a time period for receipt of the acknowledgment request;
      
      measuring a time for receipt of the acknowledgment request; and
      
      allowing or preventing the transmission of the access command based on the measured time for receipt of the acknowledgment request relative to the defined time period.
  - 47. The method of claim 46 wherein the requesting client comprises a public computer, and wherein the unlock code comprises a phone number of the user and the credential information comprises a secret password of the user.
  - 48. The method of claim 46 wherein the target server comprises a captive portal consisting of a wireless network that requires login by the user prior to routing network traffic, the method further comprising using a domain name server (DNS) process to provide the credential exchange.
  - 49. The method of claim 48 further comprising one of:
    - receiving a client specification that the target server is a captive portal, and performing a plurality of access attempts to determine that the target server is a captive portal.
  - 50. The method of claim 44 further comprising utilizing a file system and one or more executable applications of an intermediate server coupled to the authentication server to execute one or more applications embodying authentication and login processes for the credential exchange.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lookout Incorporated
Original Assignee
Lookout Incorporated
Inventors
Mahaffey, Kevin Patrick, Richardson, David Luke, Salomon, Ariel, Walker, Samuel Alexander, Buck, Brian James, Golombek, David, Croy, R. Tyler, Marcin Gorrino, Sergio Ivan

Granted Patent

US 9,374,369 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/4
CPC Class Codes

G06F 21/31   User authentication

G06F 21/45   Structures or tools for the...

G06F 21/6245   Protecting personal data, e...

H04L 2463/082   applying multi-factor authe...

H04L 63/083   using passwords cryptograph...

H04L 63/0853   using an additional device,...

H04W 12/069   using certificates or pre-s...

MULTI-FACTOR AUTHENTICATION AND COMPREHENSIVE LOGIN SYSTEM FOR CLIENT-SERVER NETWORKS

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

886 Citations

50 Claims

Specification

Solutions

Use Cases

Quick Links

MULTI-FACTOR AUTHENTICATION AND COMPREHENSIVE LOGIN SYSTEM FOR CLIENT-SERVER NETWORKS

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

886 Citations

50 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links