SCALABLE POLICY BASED EXECUTION OF MULTI-FACTOR AUTHENTICATION
First Claim
1. A method performed by an authentication server, the method comprising:
maintaining at least one database, such that the at least one database comprises user profile information related to a plurality of users, authentication information related to a plurality of user devices, and policy information related to a plurality of service providers;
receiving an authentication request from a first service provider of the plurality of service providers;
in response to the authentication request, obtaining information from the at least one database to authenticate a first user of the plurality of users in accordance with the policy information related to the first service provider, and profile information related to the first user, wherein the authentication request or the policy information indicates an assurance level required by the first service provider such that the first user is authenticated to an assurance level that is sufficient as compared to the assurance level required by the first service provider;
separating the assurance level required by the first service provider into a local assurance level and a network assurance level; and
sending the local assurance level to a multi-factor authentication proxy on a user device.
Abstract
Current approaches to multi-factor authentication lack scalability, among other capabilities and efficiencies. Described herein are methods, devices, and systems that provide for robust and scalable multi-factor authentication using a combination of network-based and device-based authentications. In an example embodiment, a common policy framework enables policy enforcements to be carried out in the network or on the device. As described below, the framework may provide synchronization of policies and authentication results between a network entity and an entity on a user device.
219 Citations
36 Claims
1. A method performed by an authentication server, the method comprising:
maintaining at least one database, such that the at least one database comprises user profile information related to a plurality of users, authentication information related to a plurality of user devices, and policy information related to a plurality of service providers;
receiving an authentication request from a first service provider of the plurality of service providers;
in response to the authentication request, obtaining information from the at least one database to authenticate a first user of the plurality of users in accordance with the policy information related to the first service provider, and profile information related to the first user, wherein the authentication request or the policy information indicates an assurance level required by the first service provider such that the first user is authenticated to an assurance level that is sufficient as compared to the assurance level required by the first service provider;
separating the assurance level required by the first service provider into a local assurance level and a network assurance level; and
sending the local assurance level to a multi-factor authentication proxy on a user device.
Dependent claims: 5, 6, 7, 8, 9, 11, 12, 13, 14, 15, 16, 17, 18.
2-4. (canceled)
10. The method as recited in claim 7, the method further comprising:
based on policy information related to the first service provider that is specific to the device possessed by the first user, determining at least one authentication factor that is acceptable to the first service provider.
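The abstract and claims 1 and 10 describe the server side of the scheme in words only: look up the calling service provider's policy and the user's profile, work out the assurance level the provider requires, split it into a network part and a local part, and hand the local part to the MFA proxy on the user's device. The following Python model is an added example written for this page; it is not code from the patent or from any product implementing it. The three in-memory dictionaries stand in for the claimed databases, the numeric assurance values per factor, the "network verifies as much as it can, the device covers the remainder" split rule, and the rejection of a device that is not registered to the user are all assumptions chosen to make the procedure concrete.

```python
"""Toy policy-based MFA authentication server (added example, not the patent's code).

Models claim 1 (databases, request handling, assurance-level split, message to the
device-side proxy) and claim 10 (acceptable factors derived from provider policy).
"""
from dataclasses import dataclass
from typing import Optional

# --- Constructed sample "databases" (the claim's three kinds of information) ----
USER_PROFILES = {  # user profile information
    "alice": {"devices": {"dev-1"}, "network_factors": {"password", "sms_otp"}},
}
DEVICE_AUTH = {  # authentication information about user devices
    "dev-1": {"local_factors": {"pin", "fingerprint"}},
}
PROVIDER_POLICIES = {  # policy information per service provider
    "bank":  {"required_assurance": 3,
              "acceptable_factors": {"password", "sms_otp", "pin", "fingerprint"}},
    "forum": {"required_assurance": 1, "acceptable_factors": {"password"}},
}
# Assumed assurance contributed by each factor (constructed values, not a standard scale).
FACTOR_ASSURANCE = {"password": 1, "sms_otp": 1, "pin": 1, "fingerprint": 2}


@dataclass(frozen=True)
class AuthRequest:
    provider_id: str
    user_id: str
    device_id: str
    required_assurance: Optional[int] = None  # provider may state it in the request


def required_assurance(req: AuthRequest, policy: dict) -> int:
    """Claim 1: the request or the policy indicates the required level; the request wins."""
    return req.required_assurance if req.required_assurance is not None \
        else policy["required_assurance"]


def acceptable_factors(policy: dict, available: set) -> set:
    """Claim 10: factors acceptable to the provider that the user/device actually has."""
    return policy["acceptable_factors"] & available


def split_assurance(required: int, network_factors: set) -> tuple:
    """Assumed split rule: the network covers what its factors can verify, the device the rest.

    Returns (local_assurance_level, network_assurance_level)."""
    network_capacity = sum(FACTOR_ASSURANCE[f] for f in network_factors)
    network_level = min(required, network_capacity)
    return required - network_level, network_level


def handle_request(req: AuthRequest) -> dict:
    """Authenticate per provider policy and user profile; build the message for the proxy."""
    policy = PROVIDER_POLICIES.get(req.provider_id)
    profile = USER_PROFILES.get(req.user_id)
    if policy is None or profile is None:
        return {"status": "rejected", "reason": "unknown provider or user"}
    if req.device_id not in profile["devices"]:
        # Assumption: a device not registered to the user never receives a local level.
        return {"status": "rejected", "reason": "device not registered to user"}
    device = DEVICE_AUTH[req.device_id]

    required = required_assurance(req, policy)
    net_factors = acceptable_factors(policy, profile["network_factors"])
    loc_factors = acceptable_factors(policy, device["local_factors"])
    local_level, network_level = split_assurance(required, net_factors)

    # Refuse up front if the device cannot reach the local level it would be asked for.
    if sum(FACTOR_ASSURANCE[f] for f in loc_factors) < local_level:
        return {"status": "rejected", "reason": "insufficient factors for required assurance"}

    return {
        "status": "ok",
        "required_assurance": required,
        "network_assurance_level": network_level,
        "network_factors": sorted(net_factors),
        # Claim 1's final step: the local level is sent to the MFA proxy on the device.
        "proxy_message": {
            "device_id": req.device_id,
            "local_assurance_level": local_level,
            "acceptable_factors": sorted(loc_factors),
        },
    }


if __name__ == "__main__":
    print(handle_request(AuthRequest("bank", "alice", "dev-1")))
    print(handle_request(AuthRequest("forum", "alice", "dev-1")))
```

With the sample data, the bank's level-3 requirement is met by two network factors (level 2) plus a local level of 1 that the proxy is asked to satisfy with the device's PIN or fingerprint, while the forum's level-1 requirement is fully covered in the network and the proxy is asked for nothing. The early rejection when the device cannot reach its local share is the check a practitioner would want before any prompt reaches the user.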
19. An entity comprising communication circuitry such that the entity is communicatively coupled with a plurality of service providers via its communication circuitry, wherein the entity further comprises:
a processor and a memory, the memory containing computer-executable instructions that when executed by the processor, cause the processor to perform operations comprising:
maintaining at least one database, such that the at least one database comprises user profile information related to a plurality of users, authentication information related to a plurality of user devices, and policy information related to a plurality of service providers;
receiving an authentication request from a first service provider of the plurality of service providers; and
in response to the authentication request, obtaining information from the at least one database to authenticate a first user of the plurality of users in accordance with the policy information related to the first service provider, and profile information related to the first user, wherein the authentication request or the policy information indicates an assurance level required by the first service provider such that the first user is authenticated to an assurance level that is sufficient as compared to the assurance level required by the first service provider;
separating the assurance level required by the first service provider into a local assurance level and a network assurance level; and
sending the local assurance level to a multi-factor authentication proxy on a user device.
Dependent claims: 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36.
20-22. (canceled)