Personal authentication system and method for multiple computer platform

US 6,161,185 A
Filed: 03/06/1998
Issued: 12/12/2000
Est. Priority Date: 03/06/1998
Status: Expired due to Term

First Claim

Patent Images

1. In a computer network having a client and a server, a method comprising the steps of:

providing an account password and an account name by the client;

at the server, comparing the account password and account name to a database of account names and associated account passwords;

providing a challenge to the client;

at the client, producing a response to the challenge using the challenge and at least a user password;

transmitting the response to the server, but not the user password;

at the server, producing a local response based on the challenge and the user password, the user password being stored in the database and being associated with the account name;

authorizing access to the server if the local response favorably compares to the received response; and

prohibiting authorized access to the server for an increasing period of time if the local response does not favorably compare to the received response, the period of time increasing after each set of failures to favorably compare.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A personal authentication system provides at least two levels of security for an authentication process, in addition to numerous other security features. The system operates across many different software and hardware platforms, in a client/server fashion, employing a challenge/response process that does not require users to transmit their passwords across a network. An application running on a client computer is coupled with an application running on a server computer. The client generates a response to a challenge, which is provided by the server. The response is a combined function of the server'"'"'s challenge, a serial number assigned to the client, and a password provided by the user.

Citations

27 Claims

1. In a computer network having a client and a server, a method comprising the steps of:
- providing an account password and an account name by the client;
  
  at the server, comparing the account password and account name to a database of account names and associated account passwords;
  
  providing a challenge to the client;
  
  at the client, producing a response to the challenge using the challenge and at least a user password;
  
  transmitting the response to the server, but not the user password;
  
  at the server, producing a local response based on the challenge and the user password, the user password being stored in the database and being associated with the account name;
  
  authorizing access to the server if the local response favorably compares to the received response; and
  
  prohibiting authorized access to the server for an increasing period of time if the local response does not favorably compare to the received response, the period of time increasing after each set of failures to favorably compare.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1 wherein the step of prohibiting includes:
    - incrementing an authorization failures value in the database for each consecutive occurrence that the local response does not favorably compare to the received response;
      
      prohibiting authorized access for a first period of time if the authorization failures value equals a set value;
      
      again incrementing the authorization failures value for each consecutive occurrence that the local response does not favorably compare to the received response until the authorization failures value again equals a multiple of the set value; and
      
      prohibiting authorized access for the first period of time times a multiplier value if the authorization failures value again equals the multiple of the set value, where the multiplier value is greater than one.
  - 3. The method of claim 1, further comprising the steps of:
    - at the client, receiving a client calculator from the server; and
      
      initializing the client calculator for the client by inputting a number assigned to the client.
  - 4. The method of claim 1 wherein the step of producing includes:
    - providing a one-way response generating algorithm;
      
      inputting the challenge, the user password and a predetermined number to the one-way algorithm, wherein the predetermined number corresponds to the client; and
      
      generating the response based on the step of inputting.
  - 5. The method of claim 1 wherein the step of providing a response includes providing a response having a length of fewer than 15 alphanumeric characters, and wherein the response does not include vowels or include alphanumeric characters visually confusing with other alphanumeric characters.
  - 6. The method of claim 1 wherein the step of comparing includes:
    - determining if a life-time of the account password has expired;
      
      if the account password has expired, then determining if a number of allowances remain for the user'"'"'s account;
      
      if a number of allowances remain, then performing the step of providing a challenge; and
      
      if a number of allowances does not remain, prohibiting authorized access to the server.

7. An electronic access method for use by a user comprising the steps of:
- providing a challenge to the user and producing a local response to the challenge using the challenge and at least a locally stored value;
  
  receiving a response to the challenge from the user;
  
  authorizing access if the local response favorably compares to a received response; and
  
  prohibiting authorized access for an increasing period of time if the local response does not favorably compare to the received response, wherein the period of time increases after each failure to favorably compare.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The method of claim 7 wherein the step of prohibiting includes:
    - incrementing an authorization failures value for each consecutive occurrence that the local response does not favorably compare to the received response;
      
      prohibiting authorized access for a first period of time if the authorization failures value equals a set value;
      
      again incrementing the authorization failures value for each consecutive occurrence that the local response does not favorably compare to the received response until the authorization failures value again equals a multiple of the set value; and
      
      prohibiting authorized access for the first period of time times a multiplier value if the authorization failures value again equals the multiple of the set value, where the multiplier value is greater than one.
  - 9. The method of claim 7, further comprising the steps of:
    - providing a calculator to the user; and
      
      providing a number for inputting to and initializing the calculator.
  - 10. The method of claim 7 wherein the step of providing includes:
    - providing a one-way response generating algorithm;
      
      inputting the challenge and the user password to the one-way algorithm; and
      
      generating the response based on the step of inputting.
  - 11. The method of claim 7 wherein the step of providing includes providing a challenge that is comprised of alphanumeric characters and lacks predetermined characters.
  - 12. The method of claim 7 wherein the step of providing includes:
    - determining if a life-time of a user account password has expired;
      
      if the account password has expired, then determining if a number of allowances remain for the user;
      
      if a number of allowances remain, then performing the step of providing a challenge; and
      
      if a number of allowances does not remain, prohibiting authorized access.

13. A computer-readable medium having stored thereon a computer-readable data structure for use by a server in an authorization procedure, the server being networked to at least one client, the data structure comprising:
- an identifier data structure;
  
  a password associated with the identifier data structure, the password having a time period indicating a period during which the password is valid;
  
  an allowances value indicating a number of authorizations permitted under the authorization procedure after the period that the password is valid has expired;
  
  a serial number data structure associated with the client; and
  
  a response data structure, the response data structure storing a response produced by the server from a server calculator, the server calculator generating the response based on a server generated challenge, the serial number and the password, wherein the password is associated with a user of the account, and wherein the response is compared with a response received from the client.
- View Dependent Claims (14, 15)
- - 14. The computer-readable medium of claim 13, further comprising:
    - a log-in failures data structure storing a number of consecutive log-in failures associated with the account; and
      
      a lock-out timer data structure indicating a duration during which the user is prohibited from logging into the server, wherein the lock-out timer record indicates a non-linearly increasing time period during which the user is prohibited from logging into the server after consecutive sets of failed log-on attempts.
  - 15. The computer-readable medium of claim 14 wherein the identifier data structure is a user account record identifying an account assigned to a user, and wherein the password and allowances value correspond respectively to a password record and an allowances value record.

16. In a computer network having at least one client, an apparatus comprising:
- a user account database having stored therein a first password associated with a user account; and
  
  a first server coupled to the database and being programmed for receiving an authorization request from the client for the user account, including a response, generating a local response based on the first password and a locally generated seed value, permitting access to the first server by the client if the local response favorably compares to the received response, and prohibiting access to the first server by the client for an increasing time period for each group of failed authorization attempts for the user account, the server is programmed for incrementing an authorization failures value in the database for each consecutive occurrence that the local response does not favorably compare to the received response;
  
  prohibiting authorized access for a first period of time if the authorization failures value equals a set value;
  
  again incrementing the authorization failures value for each consecutive occurrence that the local response does not favorably compare to the received response until the authorization failures value equals a multiple of the set value; and
  
  prohibiting authorized access for the first period of time times a multiplier value if the authorization failures value equals the multiple of the set value, where the multiplier value is greater than one.
- View Dependent Claims (17, 18)
- - 17. The apparatus of claim 16, further comprising a web server coupled to the client, and an interface coupled between the web server and the first server, wherein the web server provides a plurality of displayable screens to the client, and wherein the interface provides a plurality of authorizations for the web server.
  - 18. The apparatus of claim 16, further comprising at least a second server coupled to the first server over the network, wherein the second server is physically distant from the first server and includes another account database having stored therein the first password associated with the user account.

19. In a computer network having a client and first and second servers, a method of authorizing a user comprising the steps of:
- receiving at the first server a request for user authorization by the client;
  
  receiving at the second server a request for authorization by the first server;
  
  providing authorization between the first and second servers;
  
  at the second server, providing a challenge to the first server;
  
  at the first server, providing the challenge to the client;
  
  at the client, producing a response to the challenge using the challenge and at least a user password;
  
  transmitting the response, but not the user password, to the first server;
  
  forwarding the response to the second server;
  
  at the second server, producing a local response based on the challenge and the user password; and
  
  at the second server, authorizing access if the local response favorably compares to the received response.
- View Dependent Claims (20, 21, 22, 23, 24)
- - 20. The method of claim 19 wherein the step of providing authorization between the first and second servers includes:
    - identifying at the second server that the first server is authorized;
      
      forwarding a first server password to the second server from the first server;
      
      forwarding a second server password to the first server from the second server;
      
      at the first server, comparing the second server password to a locally stored second server password; and
      
      at the second server, comparing the first server password to a locally stored first server password.
  - 21. The method of claim 19 wherein the step of providing a challenge to the first server includes providing to the first server a new second server password.
  - 22. The method of claim 19 wherein the step of forwarding includes providing to the second server a new first server password.
  - 23. The method of claim 19 wherein the step of authorizing includes disconnecting communications with the first server following authorizing access.
  - 24. The method of claim 19 wherein the step of providing a challenge to the first server includes:
    - at the client, providing an account password and an account name by the client to the first server;
      
      forwarding the account password and account name to the second server; and
      
      at the second server, comparing the account password and account name to a database of account names and associated account passwords before providing the challenge.

25. In a computer network having at least one client, an apparatus comprising:
- a user account database having stored therein a first password associated with a user account; and
  
  a first server coupled to the database and being programmed for receiving an authorization request from the client for the user account, including a response, generating a local response based in the first password and a locally generated seed value, permitting access to the first server by the client if the local response favorably compares to the received response, and prohibiting access to the first server by the client for an increasing time period for each group of failed authorization attempts for the user account, the server is programmed for distributing a client calculator, wherein the client calculator is initialized by inputting a number assigned to the client.

26. In a computer network having at least one client, an apparatus comprising:
- a user account database having stored therein a first password associated with a user account; and
  
  a first server coupled to the database and being programmed for receiving an authorization request from the client for the user account, including a response, generating a local response based on the first password and a locally generated seed value, permitting access to the first server by the client if the local response favorably compares to the received response, and prohibiting access to the first server by the client for an increasing time period for each group of failed authorization attempts for the user account, the server is programmed for providing a one-way response generating algorithm, inputting the challenge and the user password to the one-way algorithm and generating the response.

27. In a computer network having at least one client, an apparatus comprising:
- a user account database having stored therein a first password associated with a user account; and
  
  a first server coupled to the database and being programmed for receiving an authorization request from the client for the user account, including a response, generating a local response based on the first password and a locally generated seed value, permitting access to the first server by the client if the local response favorably compares to the received response, and prohibiting access to the first server by the client for an increasing time period for each group of failed authorization attempts for the user account, the server is programmed for determining if a life-time of a second password has expired, if the second password has expired, then determining if a number of allowances remain for the user account, if a number of allowances remain, then performing the step of providing a challenge, and if a number of allowances does not remain, prohibiting authorized access to the server, and wherein the second password is stored in the database and is associated with the user account.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Verizon Patent and Licensing Incorporated (Verizon Communications Inc.)
Original Assignee
MCI Communications Corporation (Verizon Communications Inc.)
Inventors
Guthrie, R. Scott, Waid, Jr., Charles E.
Primary Examiner(s)
De Cady, Albert
Assistant Examiner(s)
OMAR, OMAR B

Application Number

US09/036,290
Time in Patent Office

1,012 Days
Field of Search

713/201, 713/200, 707/2, 707/204, 380/48, 709/229
US Class Current

726/5
CPC Class Codes

G06F 21/31   User authentication

H04L 63/0846   using time-dependent-passwo...

Y10S 707/99932   Access augmentation or opti...

Personal authentication system and method for multiple computer platform

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Personal authentication system and method for multiple computer platform

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links