ENHANCED SECURITY AUTHENTICATION SYSTEM

US 20180309752A1
Filed: 04/20/2017
Published: 10/25/2018
Est. Priority Date: 04/20/2017
Status: Active Grant

First Claim

Patent Images

1. A method for authenticating a transaction of a user, the method comprising:

receiving, by an authentication service executing on a computer system, the transaction over a particular channel, wherein the particular channel is one of a plurality of supported channels;

determining, by the authentication service executing on the computer system, a risk score for the transaction based on a number of contextual risk factors;

determining, by the authentication service executing on the computer system, an authentication scheme from a number of authentication schemes for authenticating an identity of the user within an authentication context, wherein the authentication scheme is determined based on the particular channel and the risk score;

using, by the authentication service executing on the computer system, the authentication scheme to authenticate the identity of the user within the authentication context;

in response to successfully authenticating the identity of the user within the authentication context, determining, by the authentication service executing on the computer system, whether the transaction is a permitted transaction based on an assurance level associated with the authentication context; and

in response to determining that the transaction is the permitted transaction, authenticating, by the authentication service executing on the computer system, the transaction.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, a computer system, and a computer program product for authenticating a transaction are provided. An authentication system receives the transaction over a particular channel of a plurality of support channels. A risk score is determined for the transaction based on a number of contextual risk factors. An authentication scheme is determined from a number of authentication schemes for authenticating an identity of the user within an authentication context. The authentication scheme is determined based on the particular channel and the risk score. In response to successfully authenticating the identity of the user within the authentication context, the authentication system determines whether the transaction is a permitted transaction based on an assurance level associated with the authentication context. In response to determining that the transaction is the permitted transaction, the transaction is authenticated.

Citations

36 Claims

1. A method for authenticating a transaction of a user, the method comprising:
- receiving, by an authentication service executing on a computer system, the transaction over a particular channel, wherein the particular channel is one of a plurality of supported channels;
  
  determining, by the authentication service executing on the computer system, a risk score for the transaction based on a number of contextual risk factors;
  
  determining, by the authentication service executing on the computer system, an authentication scheme from a number of authentication schemes for authenticating an identity of the user within an authentication context, wherein the authentication scheme is determined based on the particular channel and the risk score;
  
  using, by the authentication service executing on the computer system, the authentication scheme to authenticate the identity of the user within the authentication context;
  
  in response to successfully authenticating the identity of the user within the authentication context, determining, by the authentication service executing on the computer system, whether the transaction is a permitted transaction based on an assurance level associated with the authentication context; and
  
  in response to determining that the transaction is the permitted transaction, authenticating, by the authentication service executing on the computer system, the transaction.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein the plurality of supported channels includes a web-based authentication channel, a mobile authentication channel, a biometric authentication channel, a voice channel, and a risk-based authentication channel.
  - 3. The method of claim 1, wherein the authentication context is selected from an identity management context, an organizational context, and a social context.
  - 4. The method of claim 1, further comprising:
    - identifying, by the authentication service executing on the computer system, the number of contextual risk factors based on context parameters of the transaction; and
      
      wherein the context parameters include a transaction type, and at least one of a current authentication context, a time of day that the transaction is received, a geographic location from which the transaction is received, a device type used by the user to submit the transaction, prior access behavioral patterns of the user, a keyword, and a quality of network.
  - 5. The method of claim 4, wherein the transaction type is selected from a lookup transaction, the transaction for authenticating the identity of the user, the transaction related to an account of the user, and the transaction to manage privileges of the account of the user.
  - 6. The method of claim 4, wherein the transaction is a lookup transaction, the method further comprising:
    - identifying, by the authentication service executing on the computer system, a number of accounts based on information and the context parameters of the transaction;
      
      returning, by the authentication service executing on the computer system, an authentication prompt, for information to disambiguate a user account from the number of accounts; and
      
      using, by the authentication service executing on the computer system, the authentication scheme to authenticate the identity of the user within the authentication context, wherein the authentication context is associated with the user account.
  - 7. The method of claim 6, wherein the number of accounts comprises the user account, a second account of the user, an account of a different user, and combinations thereof.
  - 8. The method of claim 4, wherein determining the authentication scheme further comprises:
    - determining, by the authentication service executing on the computer system, the authentication scheme from the number of authentication schemes based on the particular channel, the risk score, and a policy associated with a user profile.
  - 9. The method of claim 8, wherein the policy is based on one or more of a user preference, a risk level, and an organizational preference.
  - 10. The method of claim 8, further comprising:
    - receiving, by the authentication service executing on the computer system, the transaction over the particular channel, wherein the transaction includes the keyword that is associated with the user, wherein the keyword comprises one or more of a username, an email address, a name of an employer, a client identifier, or a company registration code;
      
      determining, by the authentication service executing on the computer system, the user profile for the user based on the keyword; and
      
      returning, by the authentication service executing on the computer system, an authentication prompt for credentials to authenticate the identity of the user according to the authentication scheme.
  - 11. The method of claim 1, further comprising:
    - generating, by the authentication service executing on the computer system, a token in response to successfully authenticating the identity of the user within the authentication context;
      
      sending, by the authentication service executing on the computer system, the token from the authentication service to a user device, wherein the token is stored on the user device; and
      
      receiving, by the authentication service executing on the computer system, a second transaction, wherein an authentication context of the transaction includes the token.
  - 12. The method of claim 1, further comprising:
    - in response to determining that the transaction is not the permitted transaction based on an identity assurance level of the authentication context, determining, by the authentication service executing on the computer system, a step-up authentication scheme for authenticating the identity of the user within a step-up authentication context, wherein the transaction is the permitted transaction based on an identity assurance level associated with the step-up authentication context; and
      
      returning, by the authentication service executing on the computer system, an authentication prompt for credentials to authenticate the identity of the user according to the step-up authentication scheme.

13. A computer system comprising:
- a hardware processor; and
  
  an authentication system in communication with the hardware processor and configured;
  
  to receive a transaction over a particular channel, wherein the particular channel is one of a plurality of supported channels;
  
  to determine a risk score for the transaction based on a number of contextual risk factors;
  
  to determine an authentication scheme from a number of authentication schemes for authenticating an identity of a user within an authentication context, wherein the authentication scheme is determined based on the particular channel and the risk score;
  
  to use the authentication scheme to authenticate the identity of the user within the authentication context;
  
  in response to successfully authenticating the identity of the user within the authentication context, to determine whether the transaction is a permitted transaction based on an assurance level associated with the authentication context; and
  
  in response to determining that the transaction is the permitted transaction, to authenticate the transaction.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 14. The computer system of claim 13, wherein the plurality of supported channels includes a web-based authentication channel, a mobile authentication channel, a biometric authentication channel, a voice channel, and a risk-based authentication channel.
  - 15. The computer system of claim 13, wherein the authentication context is selected from an identity management context, an organizational context, and a social context.
  - 16. The computer system of claim 13, wherein the authentication system is further configured:
    - to identify the number of contextual risk factors based on context parameters of the transaction; and
      
      wherein the context parameters include a transaction type and at least one of a current authentication context, a time of day that the transaction is received, a geographic location from which the transaction is received, a device type used by the user to submit the transaction, prior access behavioral patterns of the user, a keyword, and a quality of network.
  - 17. The computer system of claim 16, wherein the transaction type is selected from a lookup transaction, the transaction for authenticating the identity of the user, the transaction related to an account of the user, and the transaction to manage privileges of the account of the user.
  - 18. The computer system of claim 16, wherein the transaction is a lookup transaction, and wherein the authentication system is further configured:
    - to identify a number of accounts based on information and the context parameters of the transaction;
      
      to return an authentication prompt, for information to disambiguate a user account from the number of accounts; and
      
      to use the authentication scheme to authenticate the identity of the user within the authentication context, wherein the authentication context is associated with the user account.
  - 19. The computer system of claim 18, wherein the number of accounts comprises the user account, a second account of the user, an account of a different user, and combinations thereof.
  - 20. The computer system of claim 16, wherein in determining the authentication scheme, the authentication system is further configured:
    - to determine the authentication scheme from the number of authentication schemes based on the particular channel, the risk score, and a policy associated with a user profile.
  - 21. The computer system of claim 20, wherein the policy is based on one or more of a user preference, a risk level, and an organizational preference.
  - 22. The computer system of claim 20, wherein the authentication system is further configured:
    - to receive the transaction over the particular channel, wherein the transaction includes the keyword that is associated with the user, wherein the keyword comprises one or more of a username, an email address, a name of an employer, a client identifier, or a company registration code;
      
      to determine the user profile for the user based on the keyword; and
      
      to return an authentication prompt for credentials to authenticate the identity of the user according to the authentication scheme.
  - 23. The computer system of claim 13, wherein the authentication system is further configured:
    - to generate a token in response to successfully authenticating the identity of the user within the authentication context;
      
      to send the token from the authentication system to a user device, wherein the token is stored on the user device; and
      
      to receive a second transaction, wherein an authentication context of the transaction includes the token.
  - 24. The computer system of claim 13, wherein the authentication system is further configured:
    - in response to determining that the transaction is not the permitted transaction based on an identity assurance level of the authentication context;
      
      to determine a step-up authentication scheme for authenticating the identity of the user within a step-up authentication context, wherein the transaction is the permitted transaction based on an identity assurance level associated with the step-up authentication context; and
      
      to return an authentication prompt for credentials to authenticate the identity of the user according to the step-up authentication scheme.

25. A computer program product comprising:
- a computer readable storage media having program code stored thereon for authenticating a transaction of a user;
  
  first program code, stored on the computer readable storage media, for receiving the transaction over a particular channel, wherein the particular channel is one of a plurality of supported channels;
  
  second program code, stored on the computer readable storage media, for determining a risk score for the transaction based on a number of contextual risk factors;
  
  third program code, stored on the computer readable storage media, for determining an authentication scheme from a number of authentication schemes for authenticating an identity of the user within an authentication context, wherein the authentication scheme is determined based on the particular channel and the risk score;
  
  fourth program code, stored on the computer readable storage media, for using the authentication scheme to authenticate the identity of the user within the authentication context;
  
  fifth program code, stored on the computer readable storage media, for determining, in response to successfully authenticating the identity of the user within the authentication context, whether the transaction is a permitted transaction based on an assurance level associated with the authentication context; and
  
  sixth program code, stored on the computer readable storage media, for authenticating the transaction in response to determining that the transaction is the permitted transaction.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36)
- - 26. The computer program product of claim 25, wherein the plurality of supported channels includes a web-based authentication channel, a mobile authentication channel, a Biometric authentication channel, a voice channel, and a risk-based authentication channel.
  - 27. The computer program product of claim 25, wherein the authentication context is selected from an identity management context, an organizational context, and a social context.
  - 28. The computer program product of claim 25, further comprising:
    - program code, stored on the computer readable storage media, for identifying the number of contextual risk factors based on context parameters of the transaction; and
      
      wherein the context parameters include a transaction type, and at least one of a current authentication context, a time of day that the transaction is received, a geographic location from which the transaction is received, a device type used by the user to submit the transaction, prior access behavioral patterns of the user, keyword, and a quality of network.
  - 29. The computer program product of claim 28, wherein the transaction type is selected from a lookup transaction, the transaction for authenticating the identity of the user, the transaction related to an account of the user, and the transaction to manage privileges of the account of the user.
  - 30. The computer program product of claim 28, wherein the transaction is a lookup transaction, the computer program product further comprising:
    - program code, stored on the computer readable storage media, for identifying a number of accounts based on information and the context parameters of the transaction;
      
      program code, stored on the computer readable storage media, for returning an authentication prompt, for information to disambiguate a user account from the number of accounts; and
      
      program code, stored on the computer readable storage media, for using the authentication scheme to authenticate the identity of the user within the authentication context, wherein the authentication context is associated with the user account.
  - 31. The computer program product of claim 30, wherein the number of accounts comprises the user account, a second account of the user, an account of a different user, and combinations thereof.
  - 32. The computer program product of claim 28, wherein the third program code further comprises:
    - program code, stored on the computer readable storage media, for determining the authentication scheme from the number of authentication schemes based on the particular channel, the risk score, and a policy associated with a user profile.
  - 33. The computer program product of claim 32, wherein the policy is based on one or more of a user preference, a risk level, and an organizational preference.
  - 34. The computer program product of claim 32, further comprising:
    - program code, stored on the computer readable storage media, for receiving the transaction over the particular channel, wherein the transaction includes a keyword that is associated with the user, wherein the keyword comprises one or more of a username, an email address, a name of an employer, a client identifier, or a company registration code;
      
      program code, stored on the computer readable storage media, for determining the user profile for the user based on the keyword; and
      
      program code, stored on the computer readable storage media, for returning an authentication prompt for credentials to authenticate the identity of the user according to the authentication scheme.
  - 35. The computer program product of claim 25, further comprising:
    - program code, stored on the computer readable storage media, for generating a token in response to successfully authenticating the identity of the user within the authentication context;
      
      program code, stored on the computer readable storage media, for sending the token from an authentication system to a user device, wherein the token is stored on the user device; and
      
      program code, stored on the computer readable storage media, for receiving a second transaction, wherein an authentication context of the transaction includes the token.
  - 36. The computer program product of claim 25, further comprising:
    - program code, stored on the computer readable storage media, for determining, in response to determining that the transaction is not the permitted transaction based on an identity assurance level of the authentication context, a step-up authentication scheme for authenticating the identity of the user within a step-up authentication context, wherein the transaction is the permitted transaction based on an identity assurance level associated with the step-up authentication context; and
      
      program code, stored on the computer readable storage media, for returning an authentication prompt for credentials to authenticate the identity of the user according to the step-up authentication scheme.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ADP, Inc.
Original Assignee
ADP LLC (ADP, Inc.)
Inventors
Villavicencio, Frank, Xu, Zhitao, Civetta, Vincent, Kaushal, Deepak, Kaushik, Nishant

Granted Patent

US 10,623,402 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/083   using passwords cryptograph...

H04L 63/0853   using an additional device,...

H04L 63/0861   using biometrical features,...

H04L 63/0876   based on the identity of th...

H04L 63/1433   Vulnerability analysis

H04W 12/069   using certificates or pre-s...

H04W 12/61   Time-dependent

H04W 12/63   Location-dependent; Proximi...

H04W 12/67   Risk-dependent, e.g. select...

H04W 12/68   Gesture-dependent or behavi...

ENHANCED SECURITY AUTHENTICATION SYSTEM

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

36 Claims

Specification

Solutions

Use Cases

Quick Links

ENHANCED SECURITY AUTHENTICATION SYSTEM

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

36 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links