Single-use password authentication

US 7,613,919 B2
Filed: 10/12/2004
Issued: 11/03/2009
Est. Priority Date: 10/12/2004
Status: Active Grant

First Claim

Patent Images

1. At an authentication service in a computerized environment that includes a client, a service provider, and an authentication service, a method of the authentication service authenticating the client to the service provider using a one-time password that was previously exchanged between the authentication service and the client, the method comprising the acts of:

the authentication service generating an authentication service identifier for the client;

the authentication service receiving a client moniker from the client;

after receiving the client moniker, the authentication service sending a one-time password to the client for the client to use in accessing the service provider;

after sending the one-time password to the client, the authentication service receiving a one-time password from the service provider;

if the one-time password received from the service provider matches the one-time password sent by the authentication service to the client, then the authentication service sending the authentication service identifier for the client to the service provider to authenticate the client; and

if the one-time password received from the service provider does not match the one-time password sent by the authentication service to the client, then the authentication service indicating to the service provider that the one-time password received from the service provider does not match the one-time password sent to the client.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, computer program products and methods for authentication using a one-time password. In system that includes a client, a service provider, and an authentication service, the authentication service generates an authentication service identifier for the client. Any suitable identifier may be used for the authentication service identifier, which generally takes the form of an arbitrary number of characters. From the client, the authentication service receives a client moniker (e.g., a username) for the client to use when accessing the authentication service. The authentication service sends a one-time password to the client for the client to use in accessing the service provider. When the authentication service receives a one-time password from the service provider, the authentication service sends the authentication service identifier for the client to the service provider to authenticate the client if the one-time password received from the service provider matches the one-time password sent to the client.

38 Citations

View as Search Results

29 Claims

1. At an authentication service in a computerized environment that includes a client, a service provider, and an authentication service, a method of the authentication service authenticating the client to the service provider using a one-time password that was previously exchanged between the authentication service and the client, the method comprising the acts of:
- the authentication service generating an authentication service identifier for the client;
  
  the authentication service receiving a client moniker from the client;
  
  after receiving the client moniker, the authentication service sending a one-time password to the client for the client to use in accessing the service provider;
  
  after sending the one-time password to the client, the authentication service receiving a one-time password from the service provider;
  
  if the one-time password received from the service provider matches the one-time password sent by the authentication service to the client, then the authentication service sending the authentication service identifier for the client to the service provider to authenticate the client; and
  
  if the one-time password received from the service provider does not match the one-time password sent by the authentication service to the client, then the authentication service indicating to the service provider that the one-time password received from the service provider does not match the one-time password sent to the client.
- View Dependent Claims (2, 3, 4, 5)
- - 2. A method as recited in claim 1, wherein the one-time password received from the service provider matches the one-time password sent to the client, the method further comprising the authentication service performing an act of discarding the one-time password to limit further use of the one-time password in authenticating the client.
  - 3. A method as recited in claim 1, further comprising the authentication service performing an act of selecting the one-time password sent to the client from a list of random numbers.
  - 4. A method as recited in claim 1, wherein the authentication service generates the authentication service identifier for the client as part of a registration operation during which the authentication service receives the client moniker from the client through a trusted entity that verifies the client'"'"'s identity.
  - 5. A method as recited in claim 1, wherein the authentication service sends the authentication service identifier for the client to the service provider over a secure connection that authenticates the identity of the authentication service to the service provider.

6. At an authentication service in a computerized environment that includes a client, a service provider, and an authentication service, a computer program storage product comprising one or more computer readable media carrying computer executable instructions that, when executed, cause one or more processors in the authentication service to perform a method of the authentication service authenticating the client to the service provider using a one-time password previously exchanged between the authentication service and the client, the method comprising the authentication service performing acts of:
- the authentication service generating an authentication service identifier for the client;
  
  the authentication service receiving a client moniker from the client;
  
  after receiving the client moniker, the authentication service sending a one-time password to the client for use with the service provider;
  
  after sending the one-time password to the client, the authentication service receiving a one-time password from the service provider; and
  
  the authentication service identifying that the one-time password received from the service provider matches the one-time password sent by the authentication service to the client; and
  
  the authentication service sending the authentication service identifier for the client to the service provider to authenticate the client.
- View Dependent Claims (7, 8, 9, 10, 11, 12)
- - 7. A computer program storage product as recited in claim 6, the method further comprising the authentication service performing an act of discarding the one-time password sent to the client to limit further use of the one-time password in authenticating the client after an expiration time.
  - 8. A computer program storage product as recited in claim 6, the method further comprising the authentication service performing an act of generating the one-time password sent to the client using an algorithm for generating random numbers.
  - 9. A computer program storage product as recited in claim 6, wherein the service provider is a trusted entity for authenticating client information to a new service provider, the method further comprising the authentication service performing acts of:
    - the authentication service receiving client information from the client;
      
      the authentication service sending the client information to the trusted entity provider to authenticate;
      
      the authentication service receiving the one-time password from the trusted entity service provider as an indication that the client information is accurate;
      
      the authentication service sending the client information to the new service provider;
      
      the authentication service receiving the one-time password from the new service provider; and
      
      the authentication service sending the authentication service identifier for the client to the new service provider as an indication that the client information is accurate.
  - 10. A computer program storage product as recited in claim 9, the method further comprising an act of the authentication service discarding the one-time password after the one-time password is received from the new service provider.
  - 11. A computer program storage product as recited in claim 9, wherein the service provider is an email recipient.
  - 12. A computer program storage product as recited in claim 9, further comprising an act of sending the authentication service identifier to the client to be used as an encryption key.

13. At a service provider in a computerized environment that includes a client, a service provider, and an authentication service, a method of the service provider authenticating the client through a one-time password previously exchanged between the authentication service and the client, the method comprising the service provider performing acts of:
- the service provider associating a prior authentication service identifier for the client with a prior service provider identifier for the client;
  
  the service provider receiving from the client a service provider identifier for the client and a one-time password from the client to use in authenticating the client through the authentication service, wherein the authentication service sent the one-time password to the client in exchange for a client moniker;
  
  the service provider verifying that the service provider identifier received from the client matches the prior service provider identifier, and represents a valid service provider identifier;
  
  the service provider sending the one-time password to the authentication service in order to receive a client authentication service identifier from the authentication service;
  
  identifying that a received authentication service identifier for the client matches the prior authentication service identifier for the client associated with the service provider identifier for the client at the service provider.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. A method as recited in claim 13, wherein the authentication service identifier for the client is associated with a service provider identifier for the client as part of a registration operation during which the service provider first receives the authentication service identifier for the client in order to make the association.
  - 15. A method as recited in claim 14, wherein the registration operation is conducted in connection with activating a credit card.
  - 16. A method as recited in claim 15, further comprising the service provider performing acts of:
    - the service provider receiving a credit card number from the client over a telephone connection;
      
      the service provider receiving a registration one-time password from the client over the telephone connection;
      
      the service provider sending the registration one-time password to the authentication service; and
      
      the service provider receiving the authentication service identifier for the client to be associated with the service provider identifier for the client from the authentication service.
  - 17. A method as recited in claim 13, further comprising the service provider performing acts of:
    - the service provider receiving a subsequent authentication service identifier for the client from the authentication service;
      
      identifying that the subsequent authentication service identifier for the client received from the authentication service fails to match the prior authentication service identifier for the client associated with the service provider identifier for the client at the service provider; and
      
      the service provider denying the client access to one or more services offered by the service provider.
  - 18. A method as recited in claim 13, wherein no authentication service identifier for the client is received from the authentication service, indicating that no client authentication service identifier is associated with the one-time password at the authentication service.

19. At a service provider in a computerized environment that includes a client, a service provider, and an authentication service, a computer program storage product comprising one or more computer readable media carrying computer executable instructions that, when executed, cause one or more processors in the service provider to perform a method of the service provider authenticating the client through a one-time password previously exchanged between the client and the authentication service, the method comprising the service provider performing acts of:
- the service provider associating an authentication service identifier for the client with a prior service provider identifier for the client;
  
  the service provider receiving from the client the service provider identifier for the client and a one-time password from the client to use in authenticating the client through the authentication service, wherein the authentication service sent the one-time password to the client in exchange for a client moniker;
  
  the service provider verifying that the service provider identifier received from the client matches the prior service provider identifier, and represents a valid service provider identifier;
  
  the service provider sending the one-time password to the authentication service in order to receive a client authentication service identifier from the authentication service;
  
  identifying that received authentication service identifier for the client matches the prior authentication service identifier for the client associated with the service provider identifier for the client at the service provider; and
  
  the service provider allowing the client access to one or more services offered by the service provider.
- View Dependent Claims (20, 21, 22, 23, 24, 25)
- - 20. A computer program storage product as recited in claim 19, wherein the service provider receives the authentication service identifier for the client over a secure connection that authenticates the identity of the service provider to the authentication service.
  - 21. A computer program storage product as recited in claim 19, wherein the one or more services offered by the service provider include electronic voting.
  - 22. A computer program storage product as recited in claim 19, wherein the one or more services offered by the service provider comprise processing electronic mail for one or more electronic mail recipients.
  - 23. A computer program storage product as recited in claim 19, wherein the authentication service identifier comprises a generic authentication service identifier for multiple clients.
  - 24. A computer program storage product as recited in claim 21, wherein the one-time password is received from the client in connection with the client casting an electronic vote, the method further comprising an act of the service provider sending the electronic vote to a vote tallying authority upon identifying that the authentication service identifier for the client received from the authentication service matches the authentication service identifier for the client associated with the service provider identifier for the client at the service provider.
  - 25. A computer program storage product as recited in claim 19, wherein the service provider is a trusted entity for authenticating client information to a new service provider, the method further comprising the trusted entity service provider performing acts of:
    - the trusted entity service provider receiving client information to authenticate to the new service provider; and
      
      the trusted entity service provider sending the one-time password to the authentication service only if the client information accurately corresponds to the received service provider identifier for the client and the authorization service identifier for the client to authenticate to indicate to the authentication service that the client information is accurate.

26. At a client computer system in a computerized environment that includes a client, a service provider, and an authentication service, a computer program storage product comprising one or more computer readable media carrying computer executable instructions that, when executed, cause one or more processors in the client to perform a method of the client authenticating to the service provider using a one-time password previously exchanged between the client and the authentication service, the method comprising the client performing acts of:
- the client sending a client moniker to the authentication service to obtain a one-time password;
  
  the client receiving the one-time password from the authentication service, wherein the one-time password is associated with an authentication service identifier for the client to use in accessing the service provider;
  
  the client sending a service provider identifier for the client to the service provider so that the service provider can locate the authentication service identifier for the client that is associated with the service provider identifier for the client at the service provider; and
  
  the client sending the one-time password previously received from the authentication service to the service provider, whereby the service provider can perform the acts of;
  
  sending the one-time password to the authentication service;
  
  upon validating the one-time password by the authentication service, receiving the authentication service identifier for the client that is associated with the one-time password from the authentication service; and
  
  matching the authentication service identifier for the client that is received from the authentication service with the authentication service identifier for the client that is associated with the service provider identifier for the client at the service provider.
- View Dependent Claims (27, 28, 29)
- - 27. A computer program storage product as recited in claim 26, wherein the service provider is part of a password protected file protocol at the client that requests the one-time password in order to grant access to a protected file.
  - 28. A computer program storage product as recited in claim 26, wherein the client sends the one-time password to the service provider over a secure connection that authenticates the identity of the client to the service provider.
  - 29. A computer program storage product as recited in claim 26, the method further comprising the client performing acts of:
    - the client receiving a registration one-time password from the authentication service that is associated with the authentication service identifier for the client;
      
      the client sending the service provider identifier for the client to the service provider in preparation for registering the client with the service provider; and
      
      the client sending to the service provider the registration one-time password previously exchanged with the authentication service so that the service provider can send the registration one-time password to the authentication service, receive the authentication service identifier for the client from the authentication service, and associate the authentication service identifier for the client that is received from the authentication service with the service provider identifier for the client at the service provider.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Tokenym LLC
Original Assignee
Brian B. Bagley
Inventors
Bagley, Brian B.
Primary Examiner(s)
Barron, Jr.; Gilberto
Assistant Examiner(s)
HERRING, VIRGIL A

Application Number

US10/963,334
Publication Number

US 20060080545A1
Time in Patent Office

1,848 Days
Field of Search

713/183, 713/155, 726/10
US Class Current

713/155
CPC Class Codes

G06F 21/31   User authentication

G06F 2221/2115   Third party

H04L 63/0823   using certificates cryptogr...

H04L 63/083   using passwords cryptograph...

H04L 63/0838   using one-time-passwords

H04L 9/3228   One-time or temporary data,...

Single-use password authentication

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

38 Citations

29 Claims

Specification

Use Cases

Quick Links

Others

Single-use password authentication

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

38 Citations

29 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others