SCALABLE POLICY BASED EXECUTION OF MULTI-FACTOR AUTHENTICATION

US 20170374070A1
Filed: 01/08/2016
Published: 12/28/2017
Est. Priority Date: 01/09/2015
Status: Abandoned Application

First Claim

Patent Images

1. A method performed by an authentication server, the method comprising:

maintaining at least one database, such that the at least one database comprises user profile information related to a plurality of users, authentication information related to a plurality of user devices, and policy information related to a plurality of service providers;

receiving an authentication request from a first service provider of the plurality of service providers;

in response to the authentication request, obtaining information from the at least one database to authenticate a first user of the plurality of users in accordance with the policy information related to the first service provider, and profile information related to the first user, wherein the authentication request or the policy information indicates an assurance level required by the first service provider such that the first user is authenticated to an assurance level that is sufficient as compared to the assurance level required by the first service provider;

separating the assurance level required by the first service provider into a local assurance level and a network assurance level; and

sending the local assurance level to a multi-factor authentication proxy on a user device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Current approaches to multi-factor authentication lack scalability, among other capabilities and efficiencies. Described herein are methods, devices, and systems that provide for robust and scalable multi-factor authentication using a combination of network-based and device-based authentications. In an example embodiment, a common policy framework enables policy enforcements to be carried out in the network or on the device. As described below, the framework may provide synchronization of policies and authentication results between a network entity and an entity on a user device.

219 Citations

36 Claims

1. A method performed by an authentication server, the method comprising:
- maintaining at least one database, such that the at least one database comprises user profile information related to a plurality of users, authentication information related to a plurality of user devices, and policy information related to a plurality of service providers;
  
  receiving an authentication request from a first service provider of the plurality of service providers;
  
  in response to the authentication request, obtaining information from the at least one database to authenticate a first user of the plurality of users in accordance with the policy information related to the first service provider, and profile information related to the first user, wherein the authentication request or the policy information indicates an assurance level required by the first service provider such that the first user is authenticated to an assurance level that is sufficient as compared to the assurance level required by the first service provider;
  
  separating the assurance level required by the first service provider into a local assurance level and a network assurance level; and
  
  sending the local assurance level to a multi-factor authentication proxy on a user device.
- View Dependent Claims (5, 6, 7, 8, 9, 11, 12, 13, 14, 15, 16, 17, 18)
- - 5. The method as recited in claim 1, wherein the authentication request indicates at least one user device that the first user is using to access a service provided by the first service provider.
  - 6. The method as recited in claim 1, wherein the at least one database comprises a user database for maintaining the user profile information related to the plurality of users, a user equipment database for maintaining the authentication information related to the plurality of user devices, and a service provider database for maintaining the policy information related to the plurality of service providers.
  - 7. The method as recited in claim 1, the method further comprising:
    - determining, based on the user profile information, a device possessed by the first user, wherein the device is associated with the authentication request.
  - 8. The method as recited in claim 7, the method further comprising:
    - determining, based on the device possessed by the first user, at least one authentication factor that can be used to authenticate the first user.
  - 9. The method as recited in claim 1, the method further comprising:
    - determining, based on policy information related to the first service provider, at least one authentication factor that is acceptable to the first service provider.
  - 11. The method as recited in claim 1, the method further comprising:
    - determining one or more combinations of one or more authentication factors that meet the assurance level required by the first service provider.
  - 12. The method as recited in claim 11, the method further comprising:
    - asserting a result associated with one of the one or more combinations, such that the first user can access a service provided by the first service provider.
  - 13. The method as recited in claim 11, the method further comprising:
    - determining a priority associated with each of the one or more authentication factors.
  - 14. The method as recited in claim 6, the method further comprising:
    - accessing the user database to determine authentication capabilities of the first user.
  - 15. The method as recited in claim 6, the method further comprising:
    - accessing the user equipment database to determine authentication capabilities of the user device of the first user.
  - 16. The method as recited claim 6, the method further comprising:
    - accessing the service provider database to determine the assurance level required by the first service provider.
  - 17. The method as recited in claim 6, the method further comprising:
    - accessing the service provider database to determine attributes related to the one or more authentication factors that meet the assurance level required by the first service provider.
  - 18. The method as recited in claim 11, the method further comprising:
    - accessing an authentication factor database to determine a plurality of authentication attributes associated with each of the authentication factors, the attributes including at least one of a freshness, an assurance level, a priority, and a retry limit.

2-4. -4. (canceled)

10. The method as recited in 7, the method further comprising:
- based policy information related to the first service provider that is specific to the device possessed by the first user, determining at least one authentication factor that is acceptable to the first service provider.

19. An entity comprising communication circuitry such that the entity is communicatively coupled with a plurality of service providers via its communication circuitry, wherein the entity further comprises:
- a processor and a memory, the memory containing computer-executable instructions that when executed by the processor, cause the processor to perform operations comprising;
  
  maintaining at least one database, such that the at least one database comprises user profile information related to a plurality of users, authentication information related to a plurality of user devices, and policy information related to a plurality of service providers;
  
  receiving an authentication request from a first service provider of the plurality of service providers; and
  
  in response to the authentication request, obtaining information from the at least one database to authenticate a first user of the plurality of users in accordance with the policy information related to the first service provider, and profile information related to the first user, wherein the authentication request or the policy information indicates an assurance level required by the first service provider such that the first user is authenticated to an assurance level that is sufficient as compared to the assurance level required by the first service provider;
  
  separating the assurance level required by the first service provider into a local assurance level and a network assurance level; and
  
  sending the local assurance level to a multi-factor authentication proxy on a user device.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36)
- - 23. The entity as recited in claim 19, wherein the authentication request indicates at least one user device that the first user is using to access a service provided by the first service provider.
  - 24. The entity as recited in claim 19, wherein the at least one database comprises a user database for maintaining the user profile information related to the plurality of users, a user equipment database for maintaining the authentication information related to the plurality of user devices, and a service provider database for maintaining the policy information related to the plurality of service providers.
  - 25. The entity as recited in claim 19, the operations further comprising:
    - determining, based on the user profile information, a device possessed by the first user, wherein the device is associated with the authentication request.
  - 26. The entity as recited in claim 25, the operations further comprising:
    - determining, based on the device possessed by the first user, at least one authentication factor that can be used to authenticate the first user.
  - 27. The entity as recited in claim 19, the operations further comprising:
    - determining, based on policy information related to the first service provider, at least one authentication factor that is acceptable to the first service provider.
  - 28. The entity as recited claim 25, the operations further comprising:
    - based policy information related to the first service provider that is specific to the device possessed by the first user, determining at least one authentication factor that is acceptable to the first service provider.
  - 29. The entity as recited in claim 19, the operations further comprising:
    - determining one or more combinations of one or more authentication factors that meet the assurance level required by the first service provider.
  - 30. The entity as recited claim 29, the operations further comprising:
    - asserting a result associated with one of the one or more combinations, such that the first user can access a service provided by the first service provider.
  - 31. The entity as recited in claim 29, the operations further comprising:
    - determining a priority associated with each of the one or more authentication factors.
  - 32. The entity as recited in claim 24, the operations further comprising:
    - accessing the user database to determine authentication capabilities of the first user.
  - 33. The entity as recited in claim 24, the operations further comprising:
    - accessing the user equipment database to determine authentication capabilities of the user device of the first user.
  - 34. The entity as recited claim 24, the operations further comprising:
    - accessing the service provider database to determine the assurance level required by the first service provider.
  - 35. The entity as recited in claim 24, the operations further comprising:
    - accessing the service provider database to determine attributes related to the one or more authentication factors that meet the assurance level required by the first service provider.
  - 36. The entity as recited in claim 29, the operations further comprising:
    - accessing an authentication factor database to determine a plurality of authentication attributes associated with each of the authentication factors, the attributes including at least one of a freshness, an assurance level, a priority, and a retry limit.

20-22. -22. (canceled)

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Interdigital Technology Corporation (InterDigital, Inc.)
Original Assignee
Interdigital Technology Corporation (InterDigital, Inc.)
Inventors
SHAH, Yogendra C., SUN, Li-Hsiang, TAMAKI, Nobuyuki, CHOY, Vinod Kumar, CEPEDA, Rafael A.

Application Number

US15/542,250
Publication Number

US 20170374070A1
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

H04L 2463/082   applying multi-factor authe...

H04L 63/0884   by delegation of authentica...

H04L 63/105   Multiple levels of security

H04L 63/20   for managing network securi...

H04W 12/06   Authentication

H04W 12/67   Risk-dependent, e.g. select...

SCALABLE POLICY BASED EXECUTION OF MULTI-FACTOR AUTHENTICATION

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

219 Citations

36 Claims

Specification

Solutions

Use Cases

Quick Links

SCALABLE POLICY BASED EXECUTION OF MULTI-FACTOR AUTHENTICATION

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

219 Citations

36 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links