Service Channel Authentication Token

US 20150334099A1
Filed: 05/19/2014
Published: 11/19/2015
Est. Priority Date: 05/19/2014
Status: Active Grant

First Claim

Patent Images

1. An apparatus comprising:

at least one memory device;

at least one processor coupled to the at least one memory device and configured to perform, based on instructions stored in the at least one memory device;

receiving a service request for a protected resource from a first user device, wherein the service request includes a plurality of device attributes and an authentication token;

determining a derived device identification from a first attribute set contained in the plurality of device attributes;

when a signed device identification of the authentication token and the derived device identification are equal, continue processing the service request; and

when the signed device identification is not equal to the derived device identification, rejecting the service request.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer system receives an authentication request from a user device and determines a determined device identification from a set of received device attributes. When the device is properly authenticated, the computer system generates an authentication token that is signed by the determined device identification and returns the authentication token to the user device. When the computer system subsequently receives a service request with an authentication token and a plurality of device attributes for a protected resource from a user device, the computer system determines a derived device identification from some or all of the received device attributes. When a signed device identification of the authentication token and the derived device identification are equal, the apparatus continues processing the service request. Otherwise, the service request is rejected.

Citations

20 Claims

1. An apparatus comprising:
- at least one memory device;
  
  at least one processor coupled to the at least one memory device and configured to perform, based on instructions stored in the at least one memory device;
  
  receiving a service request for a protected resource from a first user device, wherein the service request includes a plurality of device attributes and an authentication token;
  
  determining a derived device identification from a first attribute set contained in the plurality of device attributes;
  
  when a signed device identification of the authentication token and the derived device identification are equal, continue processing the service request; and
  
  when the signed device identification is not equal to the derived device identification, rejecting the service request.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The apparatus of claim 1, wherein the at least one processor is further configured to perform:
    - when the signed device identification and the derived device identification are equal, sending a challenge to the first user device for authentication information; and
      
      only when the authentication information is determined to be correct, servicing the service request.
  - 3. The apparatus of claim 1, wherein the at least one processor is further configured to perform:
    - receiving an authentication request from a second user device;
      
      determining a determined device identification from a set of device attributes;
      
      when a desired level of authentication for the second user device is achieved, generating a generated authentication token, wherein the generated authentication token is signed by the determined device identification; and
      
      returning the generated authentication token to the second user device.
  - 4. The apparatus of claim 1, wherein the at least one processor is further configured to perform:
    - when a signed device identification of the authentication token and the derived device identification are equal, challenging the first user device for authentication information until a degree of authentication is achieved.
  - 5. The apparatus of claim 1, wherein the at least one processor is further configured to perform:
    - extracting an extracted authentication level from the authentication token; and
      
      processing the service request based on the extracted authentication level.
  - 6. The apparatus of claim 1, wherein the at least one processor is further configured to perform:
    - receiving an expired authentication token with the service request;
      
      challenging the first user device for authentication information; and
      
      when the authentication is determined to be correct, determining a new expiration time;
      
      inserting the new expiration time in an updated authentication token;
      
      signing the updated authentication token with the signed device identification; and
      
      returning the updated authentication token to the first user device.
  - 7. The apparatus of claim 1, wherein the at least one processor is further configured to perform:
    - determining a changed device identification from a different attribute set of the plurality of device attributes;
      
      signing a changed authentication token with the changed device identification; and
      
      returning the changed authentication token to the first user device.
  - 8. The apparatus of claim 7, wherein the at least one processor is further configured to perform:
    - receiving an expired authentication token with the service request;
      
      challenging the first user device for authentication information; and
      
      when the authentication is determined to be correct, initiating the determining the changed device identification, the signing, and the returning when receiving an expired authentication.
  - 9. The apparatus of claim 1, wherein the at least one processor is further configured to perform:
    - when the signed device identification is not equal to the derived device identification, generating an notification about an authentication failure for the first user device.
  - 10. The apparatus of claim 3, wherein the at least one processor is further configured to perform:
    - when the determined device identification conflicts with an assigned device identification of another user device, altering the set of device attributes; and
      
      recalculating a recalculated device identification, wherein the recalculated device identification is different from the assigned device identification of the other user device.
  - 11. The apparatus of claim 3, wherein the set of received device attributes includes a browser attribute and a hardware attribute.

12. A computer-assisted method for authenticating a first user device the method comprising:
- receiving an authentication request and at least one device attribute from the first user device;
  
  determining a first determined device identification from a first set of device attributes;
  
  when a desired level of authentication for the first user device is achieved, generating a generated authentication token, wherein the generated authentication token is signed by the first determined device identification; and
  
  returning the generated authentication token to the first user device.
- View Dependent Claims (13)
- - 13. The method of claim 12, further comprising:
    - determining a second determined device identification for a second user device from a second set device attributes, wherein the first set and the second set differ by at least one device attribute.

14. A computer-assisted method for authenticating a user device, the method comprising:
- receiving a service request for a protected resource from a user device, wherein the service request includes a plurality of device attributes and a received authentication token;
  
  determining a derived device identification from an attribute set contained in the plurality of device attributes;
  
  when a signed device identification of the received authentication token and the derived device identification are equal, continue processing the service request; and
  
  when the signed device identification is not equal to the derived device identification, rejecting the service request.
- View Dependent Claims (15, 16, 17)
- - 15. The method of claim 14 further comprising:
    - when the signed device identification and the derived device identification are equal, sending a challenge to the user device for authentication information; and
      
      only when the authentication information is determined to be correct, servicing the service request.
  - 16. The method of claim 14 further comprising:
    - when a signed device identification of the received authentication token and the derived device identification are equal, challenging the user device for authentication information until a degree of authentication is achieved.
  - 17. The method of claim 14 further comprising:
    - extracting an extracted authentication level from the received authentication token; and
      
      processing the service request based on the extracted authentication level.

18. A non-transitory computer-readable storage medium storing computer-executable instructions that, when executed, cause a processor at least to perform operations comprising:
- receiving a service request for a protected resource from a user device, wherein the service request includes a plurality of device attributes and an authentication token;
  
  determining a derived device identification from a first attribute set contained in the plurality of device attributes;
  
  when a signed device identification of the authentication token and the derived device identification are equal, continue processing the service request; and
  
  when the signed device identification is not equal to the derived device identification, rejecting the service request.
- View Dependent Claims (19, 20)
- - 19. The non-transitory computer-readable storage medium of claim 18, wherein the computer-executable instructions, when executed, cause the processor to perform:
    - receiving an authentication request from the user device;
      
      determining the derived device identification from the plurality of device attributes;
      
      when a desired level of authentication for the user device is achieved, generating a generated authentication token, wherein the generated authentication token is signed by the derived device identification; and
      
      returning the generated authentication token to the user device.
  - 20. The non-transitory computer-readable storage medium of claim 18, wherein the computer-executable instructions, when executed, cause the processor to perform:
    - determining a changed device identification from a different attribute set of the plurality of device attributes;
      
      signing a changed authentication token with the changed device identification; and
      
      returning the authentication token to the user device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Bank of America Corp.
Original Assignee
Bank of America Corp.
Inventors
Zhang, Xianhong, Pruthi, Kapil, Carpenter, Daniel Lynn, Pender, Mark A., Dave, Apeksh M., Keys, Andrew T., Yezo, Spencer

Granted Patent

US 9,836,594 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/44   Program or device authentic...

G06F 21/45   Structures or tools for the...

G06F 21/73   by creating or determining ...

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0838   using one-time-passwords

H04L 63/0861   using biometrical features,...

H04L 63/0876   based on the identity of th...

H04L 63/10   for controlling access to d...

H04L 63/105   Multiple levels of security

H04L 9/40   Network security protocols

Service Channel Authentication Token

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Service Channel Authentication Token

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links