Biometric authentication for remote initiation of actions and services

US 7,356,705 B2
Filed: 05/17/2002
Issued: 04/08/2008
Est. Priority Date: 05/18/2001
Status: Active Grant

First Claim

Patent Images

1. A method for authenticating a user on a client machine, the method comprising:

determining a task set for processing user authentication data at the client machine;

determining a set of software components for executing the task set;

determining if the components are trustworthy;

providing a reference set of user authentication data to the client machine only if such software components are determined to be trustworthy and not providing the reference set of user authentication data otherwise;

comparing, on the client machine, the reference set of authentication data with a candidate set of authentication data to authenticate a user associated with the client machine and if there is a sufficient match between the candidate set of authentication data and the reference set of authentication data, providing a new task set based at least in part on the identity of the authenticated user.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one aspect, the invention relates to generating a trusted communication channel with a client. An agent module is provided at the client along with a task set including one or more tasks. One or more client components needed to complete each of the tasks of the task set is determined, and it is further determined whether each of the needed client components is trustworthy. An equivalent component for components determined to be untrustworthy may be provided.

209 Citations

28 Claims

1. A method for authenticating a user on a client machine, the method comprising:
- determining a task set for processing user authentication data at the client machine;
  
  determining a set of software components for executing the task set;
  
  determining if the components are trustworthy;
  
  providing a reference set of user authentication data to the client machine only if such software components are determined to be trustworthy and not providing the reference set of user authentication data otherwise;
  
  comparing, on the client machine, the reference set of authentication data with a candidate set of authentication data to authenticate a user associated with the client machine and if there is a sufficient match between the candidate set of authentication data and the reference set of authentication data, providing a new task set based at least in part on the identity of the authenticated user.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1 further comprising:
    - determining that one or more software components are not trustworthy; and
      
      transmitting to the client machine substitute software components having equivalent functionality as the software components determined not to be trustworthy.
  - 3. The method of claim 1 further comprising retrieving, on the client machine, the candidate set of authentication data using at least one of the software components determined to be trustworthy.
  - 4. The method of claim 3 wherein the candidate set of authentication data comprises biometric data.
  - 5. The method of claim 1 further comprising transmitting the candidate set of authentication data, to the client machine using the software components determined to be trustworthy.
  - 6. The method of claim 5 wherein the candidate set of authentication data comprises biometric data.
  - 7. The method of claim 6 further comprisingtransmitting an application program for execution on the client machine if there is a sufficient match between the candidate set of biometric data and the reference set of biometric data, and otherwise not transmitting the application program.
  - 8. The method of claim 1 further comprising:
    - determining an additional set of software components for executing the new task set; and
      
      determining if the additional set of software components are trustworthy.
  - 9. The method of claim 1 wherein the new task set includes a task of retrieving user credentials for the authenticated user, the method further comprising:
    - retrieving the reference set of user authentication data associated with an electronic vault associated with the authenticated user; and
      
      retrieving the user credentials from the electronic vault.
  - 10. The method of claim 1 further comprising retrieving the reference set of user authentication data from a template.

11. A system for generating a trusted communication channel for receiving user authentication data, the system comprising:
- a task set for processing user authentication data on a client device;
  
  a set of software components for executing the task set on the client device;
  
  a comparator module for comparing a retrieved reference set of authentication data with a candidate set of authentication data;
  
  an agent module configured to (i) determine if the software components are trustworthy, and only if so, to retrieve to the client device the reference set of authentication data, the agent module not retrieving the reference set of user authentication data otherwise, (ii) to authenticate a user associated with the client device and if there is a sufficient match between the candidate set of authentication data and the reference set of authentication data, (iii) providing a new task set based at least in part on the identity of the authenticated user.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The system of claim 11 wherein the agent module is further configured to retrieve the candidate set of authentication data using at least one of the software components determined to be trustworthy.
  - 13. The system of claim 12 wherein the candidate set of authentication data comprises biometric data.
  - 14. The system of claim 11 further comprising a transceiver module configured to transmit the candidate set of authentication data using at least one of the software components determined to be trustworthy.
  - 15. The system of claim 14 wherein the candidate set of authentication data comprises biometric data.
  - 16. The system of claim 11 wherein the agent module is further configured to determine if one or more software components are not trustworthy and the system further comprisinga transceiver module configured to request and receive one or more trustworthy software components having equivalent functionality as the software components determined not to be trustworthy.

17. A system for generating a trusted communication channel, the system comprising:
- a client device comprising;
  
  a task set for processing user authentication data; and
  
  a set of software components for executing the task set;
  
  a server in communication with the client device, the server having a reference set of authentication data;
  
  a comparator module for comparing the retrieved reference set of authentication data with a candidate set of authentication data;
  
  an agent module residing on the client device and configured to (i) determine if the software components are trustworthy, and only if so, to retrieve to the client device the reference set of authentication data, the agent module not retrieving the reference set of authentication data otherwise (ii) authenticate a user associated with the client device and if there is a sufficient match between the candidate set of authentication data and the reference set of authentication data (iii) provide a new task set based at least in part on the identity of the authenticated user.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 18. The system of claim 17 wherein the reference set of authentication data comprises biometric data.
  - 19. The system of claim 17 wherein the agent module is further configured to determine if one or more software components are not trustworthy and the server further comprises:
    - a transceiver module configured to transmit substitute software components having equivalent functionality as the software components determined not to be trustworthy.
  - 20. The system of claim 19 wherein the transceiver module is further configured to allow transmission of an application program for execution on the client device based on the comparison by the comparator module.
  - 21. The system of claim 17 wherein the agent module is further configured to retrieve the candidate set of authentication data using one or more software components determined to be trustworthy.
  - 22. The system of claim 21 wherein the candidate set of authentication data comprises biometric data.
  - 23. The system of claim 17 further comprising a transceiver module configured to transmit the candidate set of authentication data using one or more software components determined to be trustworthy.
  - 24. The system of claim 23 wherein the candidate set of authentication data comprises biometric data.
  - 25. The system of claim 23 wherein the agent module is further configured to determine an additional set of software components for executing the new task set and to determine if the additional set of software components are trustworthy.
  - 26. The system of claim 17 wherein the server further comprises an electronic vault.
  - 27. The system of claim 17 wherein an electronic vault comprising one or more realms having one or more vaults having one or more folders.

28. An article of manufacture having computer-readable program portions embodied thereonfor generating a trusted communication channel with a client, the article comprising:
- a computer-readable program portion for determining a task set for processing user authentication data;
  
  a computer-readable program portion for determining a set of software components for executing the task set;
  
  a computer-readable program portion for determining if the software components are trustworthy;
  
  a computer-readable program for providing a reference set of authentication data to a client if the software components are determined to be trustworthy and not providing the reference set of authentication data otherwise;
  
  a computer-readable program portion for comparing, on the client, the reference set of authentication data with a candidate set of authentication data and a computer-readable program portion for authenticating a user associated with the client and, if there is a sufficient match between the candidate set of authentication data and the reference set of authentication data, providing a new task set based at least in part on the identity of the authenticated user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Imprivata Incorporated
Original Assignee
Imprivata Incorporated
Inventors
Ting, David M. T.
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
Simitoski; Michael J

Application Number

US10/147,947
Publication Number

US 20020174348A1
Time in Patent Office

2,153 Days
Field of Search

726/8, 726/22, 726/28, 726/29, 726/30, 713/176, 713/186
US Class Current

713/186
CPC Class Codes

G06F 21/32   using biometric data, e.g. ...

G06F 21/57   Certifying or maintaining t...

H04L 2463/102   applying security measure f...

H04L 63/0407   wherein the identity of one...

H04L 63/0861   using biometrical features,...

H04L 63/1441   Countermeasures against mal...

H04L 63/1466   Active attacks involving in...

H04L 63/20   for managing network securi...

Biometric authentication for remote initiation of actions and services

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

209 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Biometric authentication for remote initiation of actions and services

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

209 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links