AUTHENTICATION OF ACCESS REQUEST OF A DEVICE AND PROTECTING CONFIDENTIAL INFORMATION

US 20170171183A1
Filed: 12/15/2016
Published: 06/15/2017
Est. Priority Date: 12/15/2015
Status: Active Grant

First Claim

Patent Images

1. A method for requesting access to a resource, comprising:

receiving, by an application executing on a user device, order data and a signature based on the order data, the order data and the signature being received from an access device, the order data being for an order made via the access device to a request computer, wherein the signature is generated by the request computer using the order data and a shared secret key that is shared between the request computer and an authentication server;

obtaining, by the application, a selection of a credential routine from a plurality of credential routines installed on the user device, wherein each of the plurality of credential routines have access to a different credential corresponding to a different service for obtaining access to the resource;

requesting, by the application, a credential from the selected credential routine;

obtaining, by the application, the credential from the credential routine; and

sending, by the application to the authentication server, an access request including the order data, the signature, and the credential, the access request being a request for access to the resource, wherein the authentication server provides a response to the access request based on the order data, the signature, and the credential.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The systems and methods described herein enable an application on a user device to securely request access to a resource for an order using a selected credential routine. The application can receive order data and a signature based on the order data from an access device. The application can include an interface for selecting a particular credential routine from a plurality of credential routines that can be used to obtain the credential for accessing the resource. Instead of requesting access to the resource via the access device, the application can communicate with an authentication server that can verify the signature based on the order data and obtain authorization of the credential. Thus, the application can select a credential routine and credential for accessing a resource through secure communications with the authentication server.

Citations

20 Claims

1. A method for requesting access to a resource, comprising:
- receiving, by an application executing on a user device, order data and a signature based on the order data, the order data and the signature being received from an access device, the order data being for an order made via the access device to a request computer, wherein the signature is generated by the request computer using the order data and a shared secret key that is shared between the request computer and an authentication server;
  
  obtaining, by the application, a selection of a credential routine from a plurality of credential routines installed on the user device, wherein each of the plurality of credential routines have access to a different credential corresponding to a different service for obtaining access to the resource;
  
  requesting, by the application, a credential from the selected credential routine;
  
  obtaining, by the application, the credential from the credential routine; and
  
  sending, by the application to the authentication server, an access request including the order data, the signature, and the credential, the access request being a request for access to the resource, wherein the authentication server provides a response to the access request based on the order data, the signature, and the credential.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, further comprising:
    - obtaining, by the application, a first geolocation of the user device;
      
      obtaining, by the application, a second geolocation of the access device; and
      
      determining, by the application, that the first geolocation and the second geolocation are within a predetermined range, wherein the sending of the access request is based on the determination that the first geolocation and the second geolocation are within the predetermined range.
  - 3. The method of claim 1, further comprising:
    - generating, by the application, a user interface for selecting at least one of the plurality of credential routines;
      
      displaying, by the user device, the user interface; and
      
      receiving, by the user device, an input to the user interface, wherein the obtaining of the selection of the credential routine is based on the input.
  - 4. The method of claim 1, further comprising:
    - obtaining, by the application, a first fingerprint of the user device; and
      
      obtaining, by the application, a first geolocation of the user device,wherein the access request further include the first fingerprint and the first geolocation, andwherein the response to the access request is further based on the first fingerprint and the first geolocation.
  - 5. The method of claim 1, wherein the order data includes at least one of an access device identifier of the access device, a request computer identifier that identifies the authorization server, an order identifier that identifies the order, an order amount value, an access geolocation of the access device, and a timestamp, and wherein the signature includes a hash value that is based on at least one of an access device identifier of the access device, a request computer identifier that identifies the authorization server, an order identifier that identifies the order, an order amount value, an access geolocation of the access device, a timestamp, and an access device fingerprint.
  - 6. The method of claim 1, further comprising receiving, by the user device, a cleartext message including the order data and the signature, wherein the user device receives the cleartext message via a bluetooth message, a short message service message, or a quick response code.

7. A method for authenticating an access request, comprising:
- storing, by an authentication server, a shared secret key that is shared with a request computer;
  
  receiving, by the authentication server from an application of a user device, an access request including order data, a signature based on the order data, and a credential, wherein the order data is for an order made via the access device to a request computer, wherein the signature is generated by the request computer using the order data and shared secret key;
  
  verifying, by the authentication server, the signature using the order data and the shared secret key that is stored at the authentication server;
  
  obtaining, by the authentication server, authorization of the access request based on the order data and the credential; and
  
  sending, by the authentication server to the application, a response to the access request based on the verifying of the signature and the obtaining of the authorization.
- View Dependent Claims (8, 9, 10, 11, 12, 13)
- - 8. The method of claim 7, further comprising:
    - generating, by the authentication server, a second signature using the share secret key and the order data; and
      
      comparing, by the authentication server, the second signature to the signature received from the application, wherein the verifying of the signature is based on the comparison to the second signature.
  - 9. The method of claim 7, further comprising sending the shared secret key to the request computer, wherein the shared secret key used for the verifying of the signature is the same as the shared secret key sent to the request computer.
  - 10. The method of claim 7, further comprising:
    - obtaining, by the authentication server, a first geolocation of an access device from the order data;
      
      obtaining, by the authentication server, a second geolocation of the access device that is stored at the authentication server; and
      
      determining, by the authentication server, that the first geolocation and the second geolocation are within a predetermined range, wherein the response is based on the determination that the first geolocation and the second geolocation are within the predetermined range.
  - 11. The method of claim 7, further comprising:
    - storing, by the authentication server, a first fingerprint of the access device, wherein the request computer generated the signature using a second fingerprint of the access device;
      
      generating, by the authentication server, a second signature using the order data, the first fingerprint of the access device, and the stored shared secret key;
      
      comparing, by the authentication server, the second signature to the signature received from the application, wherein the verifying of the signature is based on the comparison to the second signature.
  - 12. The method of claim 7, further comprising sending, by the authentication server, the order data and the credential to an authorization server, wherein the obtaining of the authorization of the access request comprises obtaining the authorization from the authorization server.
  - 13. The method of claim 7, further comprising:
    - receiving, by the authentication server, a confirmation request from the request computer, the confirmation request requesting an authorization response that indicates whether the access request was authorized; and
      
      sending, by the authentication server, the authorization response to the request computer, the authorization response indicating that the access request is authorized.

14. A user device, comprising:
- a computer readable storage medium storing a plurality of instructions; and
  
  one or more processors for executing the instructions stored on the computer readable storage medium to;
  
  receive, by an application, order data and a signature based on the order data, the order data and the signature being received from an access device, the order data being for an order made via the access device to a request computer, wherein the signature is generated by the request computer using the order data and a shared secret key that is shared between the request computer and an authentication server;
  
  obtain, by the application, a selection of a credential routine from a plurality of credential routines installed on the user device, wherein each of the plurality of credential routines have access to a different credential corresponding to a different service for obtaining access to the resource;
  
  request, by the application, a credential from the selected credential routine;
  
  obtain, by the application, the credential from the credential routine; and
  
  sending, by the application to the authentication server, an access request including the order data, the signature, and the credential, the access request being a request for access to the resource, wherein the authentication server provides a response to the access request based on the order data, the signature, and the credential.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The user device of claim 14, wherein the instructions further cause the one or more processors to:
    - obtain, by the application, a first geolocation of the user device;
      
      obtain, by the application, a second geolocation of the access device; and
      
      determine, by the application, that the first geolocation and the second geolocation are within a predetermined range, wherein the sending of the access request is based on the determination that the first geolocation and the second geolocation are within the predetermined range.
  - 16. The user device of claim 14, wherein the instructions further cause the one or more processors to:
    - generating, by the application, a user interface for selecting at least one of the plurality of credential routines;
      
      displaying, by the user device, the user interface; and
      
      receiving, by the user device, an input to the user interface, wherein the obtaining of the selection of the credential routine is based on the input.
  - 17. The user device of claim 14, wherein the instructions further cause the one or more processors to:
    - obtain, by the application, a first fingerprint of the user device; and
      
      obtain, by the application, a first geolocation of the user device,wherein the access request further include the first fingerprint and the first geolocation, andwherein the response to the access request is further based on the first fingerprint and the first geolocation.
  - 18. The user device of claim 14, wherein the order data includes at least one of an access device identifier of the access device, a request computer identifier that identifies the authorization server, an order identifier that identifies the order, an order amount value, an access geolocation of the access device, and a timestamp.
  - 19. The user device of claim 14, wherein the signature includes a hash value that is based on at least one of an access device identifier of the access device, a request computer identifier that identifies the authorization server, an order identifier that identifies the order, an order amount value, an access geolocation of the access device, a timestamp, and an access device fingerprint.
  - 20. The user device of claim 14, wherein the instructions further cause the one or more processors to receive, by the user device, a cleartext message including the order data and the signature, wherein the user device receives the cleartext message via a bluetooth message, a short message service message, or a quick response code.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Visa International Service Association (Visa, Inc.)
Original Assignee
Visa International Service Association (Visa, Inc.)
Inventors
Lingappa, Phaneendra Ramaseshu

Granted Patent

US 10,523,441 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/31   User authentication

G06F 2221/2111   Location-sensitive, e.g. ge...

H04L 2463/121   Timestamp

H04L 63/0435   wherein the sending and rec...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0861   using biometrical features,...

H04L 63/107   wherein the security polici...

H04L 9/3066   involving algebraic varieti...

H04L 9/3226   using a predetermined code,...

H04L 9/3247   involving digital signatures

AUTHENTICATION OF ACCESS REQUEST OF A DEVICE AND PROTECTING CONFIDENTIAL INFORMATION

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

AUTHENTICATION OF ACCESS REQUEST OF A DEVICE AND PROTECTING CONFIDENTIAL INFORMATION

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links