Multiple factor-based user identification and authentication

US 6,845,453 B2
Filed: 01/30/2002
Issued: 01/18/2005
Est. Priority Date: 02/13/1998
Status: Expired due to Term

First Claim

Patent Images

1. A method of authenticating the identity of a user to determine access to a system, comprising:

providing a possession-based data instance, a modified version of the possession-based data instance, a knowledge-based data instance, a biometric-based data instance, and a modified version of the biometric-based data instance;

generating a first cryptographic key based on the knowledge-based data instance;

applying the first cryptographic key to the modified version of the possession-based data instance to generate a first recovered data instance;

interrogating the first recovered data instance against the possession-based data instance to generate a possession value as a result of a first correspondence evaluation;

applying the first cryptographic key to the modified version of the biometric-based data instance to generate a second recovered data instance;

interrogating the second recovered data instance against the biometric-based data instance to generate a biometric value as a result of a second correspondence evaluation;

combining the first cryptographic key, the possession value, and the biometric value to form a second cryptographic key;

restricting the user'"'"'s access to the system if the user'"'"'s identity is not authenticated, based at least in part on the second cryptographic key; and

granting the user'"'"'s access to the system if the user'"'"'s identity is authenticated, based at least in part on the second cryptographic key.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of authenticating the identity of a user to determine access to a system includes providing a plurality of factor-based data instances corresponding to a user, evaluating the factor-based data instances to determine if the user'"'"'s identity is authenticated, and granting or restricting the user'"'"'s access to the system if the user'"'"'s identity is authenticated. More particularly, the method includes providing a modified data instance based on a second data instance, generating a key based on a first data instance, applying the key to the a modified data instance to generate a recovered data instance, interrogating the recovered data instance against the second data instance to generate an authentication value as a result of a correspondence evaluation, and granting or restricting the user'"'"'s access to the system based at least in part on the validity of the authentication value.

136 Citations

12 Claims

1. A method of authenticating the identity of a user to determine access to a system, comprising:
- providing a possession-based data instance, a modified version of the possession-based data instance, a knowledge-based data instance, a biometric-based data instance, and a modified version of the biometric-based data instance;
  
  generating a first cryptographic key based on the knowledge-based data instance;
  
  applying the first cryptographic key to the modified version of the possession-based data instance to generate a first recovered data instance;
  
  interrogating the first recovered data instance against the possession-based data instance to generate a possession value as a result of a first correspondence evaluation;
  
  applying the first cryptographic key to the modified version of the biometric-based data instance to generate a second recovered data instance;
  
  interrogating the second recovered data instance against the biometric-based data instance to generate a biometric value as a result of a second correspondence evaluation;
  
  combining the first cryptographic key, the possession value, and the biometric value to form a second cryptographic key;
  
  restricting the user'"'"'s access to the system if the user'"'"'s identity is not authenticated, based at least in part on the second cryptographic key; and
  
  granting the user'"'"'s access to the system if the user'"'"'s identity is authenticated, based at least in part on the second cryptographic key.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein restricting the user'"'"'s access includes denying the user'"'"'s access.
  - 3. The method of claim 1, wherein the modified version of the biometric-based data instance is a first modified version of the biometric-based data instance, and the biometric value is a second modified version of the biometric-based data instance.
  - 4. The method of claim 3, wherein the biometric value is a cryptographic hash of the biometric-based data instance.
  - 5. The method of claim 1, wherein restricting the user'"'"'s access to the system and granting the user'"'"'s access to the system is based on a modified version of the second cryptographic value.
  - 6. The method of claim 5, wherein the modified version of the second cryptographic value is a cryptographic hash of the cryptographic key.

7. A method of authenticating the identity of a user to determine access to a system, comprising:
- providing a possession-based data instance, a biometric-based data instance, and a modified version of the biometric-based data instance;
  
  applying the possession-based data instance to the modified version of the biometric-based data instance to generate a recovered data instance;
  
  interrogating the recovered data instance against the biometric-based data instance to generate a biometric value as a result of a correspondence evaluation;
  
  combining the possession-based data instance and the biometric value to form a cryptographic key;
  
  evaluating the cryptographic key to determine if the user'"'"'s identity is authenticated;
  
  restricting the user'"'"'s access to the system if the user'"'"'s identity is not authenticated, based at least in part on the cryptographic key; and
  
  granting the user'"'"'s access to the system if the user'"'"'s identity is authenticated, based at least in part on the cryptographic key.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The method of claim 7, wherein restricting the user'"'"'s access includes denying the user'"'"'s access.
  - 9. The method of claim 7, wherein the modified version of the biometric-based data instance is a first modified version of the biometric-based data instance, and the biometric key is a second modified version of the biometric-based data instance.
  - 10. The method of claim 9, wherein the biometric key is a cryptographic hash of the biometric-based data instance.
  - 11. The method of claim 7, wherein restricting the user'"'"'s access to the system and granting the user'"'"'s access to the system is based on a modified version of the cryptographic key.
  - 12. The method of claim 11, wherein the modified version of the cryptographic key is a cryptographic hash of the cryptographic key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
TecSec, Incorporated
Original Assignee
TecSec, Incorporated
Inventors
Scheidt, Edward M., Domangue, Ersin
Primary Examiner(s)
Decady, Albert
Assistant Examiner(s)
Arani, Taghi T.

Application Number

US10/060,039
Publication Number

US 20020184509A1
Time in Patent Office

1,084 Days
Field of Search

713/183, 713184-186, 713/166, 713/202
US Class Current

726/5
CPC Class Codes

G06F 21/31   User authentication

G06Q 20/3674   involving authentication

H04L 9/0822   using key encryption key

H04L 9/3231   Biological data, e.g. finge...

Multiple factor-based user identification and authentication

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

136 Citations

12 Claims

Specification

Use Cases

Quick Links

Others

Multiple factor-based user identification and authentication

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

136 Citations

12 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others