MULTI-FACTOR AUTHENTICATION TO ACHIEVE REQUIRED AUTHENTICATION ASSURANCE LEVEL

US 20160087957A1
Filed: 04/25/2014
Published: 03/24/2016
Est. Priority Date: 04/26/2013
Status: Abandoned Application

First Claim

Patent Images

1. A method that facilitates an authentication of at least one of a wireless transmit/receive unit (WTRU) or a user that operates the WTRU, wherein the WTRU is in a communications network that farther includes a service provider (SP), the method comprising:

determining a first authentication assurance level required by the SP to access a first service that is provided by the SP;

discovering one or more authentication capabilities of the WTRU;

determining whether the discovered one or more authentication capabilities can meet the first authentication assurance level required by the SP; and

if the discovered one or more capabilities can meet the first authentication assurance level required by the SP, triggering a performance using at least one of one or more authentication factors associated with the discovered one or more authentication capabilities.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

As users gain access to different services, the grade of the services may vary, for example, from low value services to high value services. A low value may indicate that a low strength of authentication is required, while a high value may indicate that a high strength of authentication is required to access the service. There is disclosed a method for authenticating a device comprising the determination (204) of an authentication requirement to access a first service that is provided by a service provider, SP, the discovery (208) of one or more authentication factors, associated with the device or the user, that are available for the authentication, the determination (210) whether at least one of the discovered authentication factors are sufficient to achieve the authentication requirement and, if so, the performance (212-228) of corresponding authentication procedures.

Citations

21 Claims

1. A method that facilitates an authentication of at least one of a wireless transmit/receive unit (WTRU) or a user that operates the WTRU, wherein the WTRU is in a communications network that farther includes a service provider (SP), the method comprising:
- determining a first authentication assurance level required by the SP to access a first service that is provided by the SP;
  
  discovering one or more authentication capabilities of the WTRU;
  
  determining whether the discovered one or more authentication capabilities can meet the first authentication assurance level required by the SP; and
  
  if the discovered one or more capabilities can meet the first authentication assurance level required by the SP, triggering a performance using at least one of one or more authentication factors associated with the discovered one or more authentication capabilities.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The method as recited in claim 1, the method further comprising:
    - based on one or more authentication results associated with the performances of each of the one or more authentication factors, creating a consolidated result that achieves the first authentication assurance level required by the SP; and
      
      sending the consolidated result to the SP, thereby enabling the WTRU to access the first service.
  - 3. The method as recited in claim 2, wherein the consolidated result comprises the one more authentication results bound together in a cryptographic manner, the consolidated result identifying the one or more authentication results that are bound together.
  - 4. The method as recited in claim 3, wherein the consolidated result further comprises an aggregate authentication assurance level and an aggregate authentication freshness level, the aggregate authentication assurance level and the aggregate authentication freshness level associated with the one or more authentication results.
  - 5. The method as recited in claim 2, wherein the consolidated result comprises the one or more authentication results bound by a nonce that is shared during the performance of each of the one or more authentication factors.
  - 6. The method as recited in claim 1, the method further comprising:
    - determining a freshness level associated with a select one of the one or more authentication factors;
      
      based on a policy of the SP, determining whether the freshness level associated with the select one authentication factor satisfies a threshold level; and
      
      if the freshness level satisfies the threshold level, asserting a previous authentication result of the one authentication factor, thereby refraining from performing a new authentication using the one authentication factor.
  - 7. The method as recited in claim 1, wherein triggering the performance of at least one of the selected one or more authentication factors comprises:
    - sending a challenge to a network authentication entity; and
      
      in response to the challenge, receiving a response from the network authentication entity.
  - 8. The method as recited in claim 1, wherein the method is performed by a logical entity operating on the WTRU.
  - 9. The method as recited in claim 1, where the method is performed by a logical entity operating in the network that is in communication with the WTRU and the SP.
  - 10. The method as recited in claim 1, the method farther comprising:
    - if the one or more discovered authentication capabilities cannot meet the first authentication assurance level, selecting one or more authentication factors that can achieve a second assurance level; and
      
      triggering a performance of the one or more authentication factors that can achieve the second assurance level.
  - 11. The method as recited in claim 10, based on one or More authentication results associated with the performance of the one or more authentication factors that can achieve the second authentication assurance level, the method further comprising:
    - creating a second consolidated result that achieves the second authentication assurance level; and
      
      sending the second consolidated result to the SP, thereby enabling the WTRU to access a second service provided by the SP, wherein access to the second service requires a lower assurance level than the first authentication assurance level required to access the first service.
  - 12. The method as recited in claim 1, the method further comprising:
    - if none of the discovered authentication capabilities can meet the first authentication assurance level or if the performance using the one or more authentication factors fails, sending notice to the SP such that at least the WTRU or user receives no access to services provided by the SP.
  - 13. The method as recited in claim 1, wherein the one or more discovered authentication capabilities comprises a biometric capability, the method further comprising:
    - determining that an authentication using the biometric capability can meet the first authentication assurance level.
  - 14. The method as recited in claim 13, wherein one of the one or more authentication factors is a biometric factor, the biometric factor being the only authentication factor.
  - 15. The method as recited in claim 1, wherein a first authentication factor of the one or more authentication factors is a biometric factor, and a second authentication factor of the one or more authentication factors is a password factor.
  - 16. The method as recited in claim 1, wherein discovering the one or more authentication capabilities comprises:
    - receiving at least one capability of the WTRU during a registration of the WTRU;
      
      storing the at least one capability of the WTRU with an identifier of the WTRU; and
      
      based on the identifier, retrieving the at least one capability when the WTRU attempts to access the first service.
  - 17. The method as recited in claim 1, wherein the performance that is triggered using at least one of the one or more authentication factors occurs at the SP or an identity provider (IdP).

18. A network server in a communication network that further includes a wireless transmit/receive unit (WTRU) and a service provider (SP), the network server comprising:
- a memory comprising executable instructions; and
  
  a processor that, when executing the executable instructions, effectuates operations comprising;
  
  determining an authentication requirement to access a first service that is provided by the SP;
  
  discovering one or more authentication capabilities of the WTRU;
  
  determining whether at least one of the discovered one or more authentication capabilities can achieve the authentication requirement; and
  
  if the discovered authentication can achieve the authentication requirement, triggering a performance using at least one of one or more authentication factors associated with the authentication capabilities.
- View Dependent Claims (19, 20, 21)
- - 19. The network service as recited in claim 18, wherein the performance using at least one of the one or more authentication factors occurs at the SP.
  - 20. The network server as recited in claim 18, wherein the network server is an identity provider (IdP), and wherein the performance using at least one of the one or more authentication factors occurs at the IdP.
  - 21. The network server as recited in claim 18, wherein determining an authentication requirement to access a first service that is provided by the SP comprises:
    - receiving the authentication requirement from the SP, wherein the authentication requirement indicates an authentication assurance level.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
InterDigital Patent Holdings, Inc. (InterDigital, Inc.)
Original Assignee
InterDigital Patent Holdings, Inc. (InterDigital, Inc.)
Inventors
SHAH, Yogendra C., SCHMIDT, Andreas, CHOYI, Vinod K., SUBRAMANIAN, Lakshmi, LEICHER, Andreas

Application Number

US14/786,688
Publication Number

US 20160087957A1
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 2463/082   applying multi-factor authe...

H04L 2463/121   Timestamp

H04L 63/08   for authentication of entit...

H04L 63/083   using passwords cryptograph...

H04L 63/0861   using biometrical features,...

H04L 63/20   for managing network securi...

H04L 63/205   involving negotiation or de...

H04W 12/06   Authentication

H04W 12/67   Risk-dependent, e.g. select...

MULTI-FACTOR AUTHENTICATION TO ACHIEVE REQUIRED AUTHENTICATION ASSURANCE LEVEL

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

MULTI-FACTOR AUTHENTICATION TO ACHIEVE REQUIRED AUTHENTICATION ASSURANCE LEVEL

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links