Method and apparatus for providing user authentication using a back channel

US 7,765,580 B2
Filed: 05/14/2001
Issued: 07/27/2010
Est. Priority Date: 12/22/2000
Status: Active Grant

First Claim

Patent Images

1. A method for providing user authentication comprising:

(a) sending, by a first unit, user identification data to an authentication unit;

(b) using the user identification data to determine which intermediate destination unit will receive an authentication code to be used to authenticate the user;

(c) sending the authentication code to the determined intermediate destination unit based on the user identification data via a first secondary channel;

(d) re-transmitting, by the intermediate destination unit, the authentication code to the first unit via a second secondary channel in a way that is transparent to the user;

(e) in response to receiving the re-transmitted authentication code from the intermediate destination unit, returning the authentication code to the authentication unit; and

(f) authenticating the user when the returned authentication code is determined to be suitable.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus provides user authentication by communicating primary authentication information, such as user identification data and/or password data to an authentication unit via a primary channel such as over the Internet. An authentication code is generated by the authentication unit on a per session basis and is sent to a destination unit via a first secondary channel during the session. The destination unit then retransmits the authentication code, on a second secondary channel, to the first unit in a way that is transparent to a user of the first unit. The first device then send the received re-transmitted authentication code back to the authentication unit via the primary channel during the session.

112 Citations

View as Search Results

11 Claims

1. A method for providing user authentication comprising:
- (a) sending, by a first unit, user identification data to an authentication unit;
  
  (b) using the user identification data to determine which intermediate destination unit will receive an authentication code to be used to authenticate the user;
  
  (c) sending the authentication code to the determined intermediate destination unit based on the user identification data via a first secondary channel;
  
  (d) re-transmitting, by the intermediate destination unit, the authentication code to the first unit via a second secondary channel in a way that is transparent to the user;
  
  (e) in response to receiving the re-transmitted authentication code from the intermediate destination unit, returning the authentication code to the authentication unit; and
  
  (f) authenticating the user when the returned authentication code is determined to be suitable.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1 including the step of providing selection of a third unit transparent authentication code submission scheme and selecting the third unit transparent authentication code scheme in response to receiving selection data.
  - 3. The method of claim 1 including the step of maintaining per user destination unit data including at least one destination unit identifier per user and wherein the step of using the user identification data to determine which destination unit will receive the authentication code includes sending the authentication code to the determined intermediate destination unit based on the stored per user destination unit identifier.
  - 4. The method of claim 1 wherein the second secondary channel is short range channel and including the step of notifying, by the second unit, the first unit of a short range secondary channel used to receive the retransmitted authentication code from the third unit.
  - 5. The method of claim 1 including the steps of:
    - prior to returning the authentication code to the authentication unit, digitally signing, by the first unit, the returned authentication code to produce a digitally signed authentication code that was received from the determined destination unit; and
      
      verifying the digitally signed authentication code as part of step (f).

6. A storage medium comprising:
- memory containing executable instructions that when executed by one or more processors, causes the one or more processors to;
  
  send, by a first unit, user identification data to an authentication unit;
  
  use the user identification data to determine which intermediate destination unit will receive an authentication code to be used to authenticate the user;
  
  send the authentication code to the determined intermediate destination unit based on the user identification data via a first secondary channel;
  
  re-transmit, by the intermediate destination unit, the authentication code to the first unit via a second secondary channel in a way that is transparent to the user;
  
  in response to receiving the re-transmitted authentication code from the intermediate destination unit, return the authentication code to the authentication unit; and
  
  authenticate the user when the returned authentication code is determined to be suitable.
- View Dependent Claims (7, 8)
- - 7. The storage medium of claim 6 including memory containing instructions that when executed by one or more processors, causes the one or more processors to provide selection of a third unit transparent authentication code submission scheme and selecting the third unit transparent authentication code scheme in response to receiving selection data.
  - 8. The storage medium of claim 6 wherein the second secondary channel is short range channel and including memory containing instructions that when executed by one or more processors, causes the one or more processors to notify, by the second unit, the first unit of a short range secondary channel used to receive the retransmitted authentication code from the third unit.

9. A system for providing user authentication comprising:
- a first unit;
  
  a second unit operatively coupleable to the first unit via a primary wireless channel and operatively coupleable to an authenticator; and
  
  a third unit, operatively coupleable to the second unit via a wireless back channel and operatively coupleable to the first unit via a secondary short range channel,the first unit operative to send primary authentication information via the primary channel during a session to the second unit;
  
  the authenticator operative to use the primary authentication information to determine which destination unit, other than the first unit, will receive an authentication code as secondary authentication information via the wireless back channel and wherein the destination unit is the third unit;
  
  the second unit operative to the send the authentication code on the wireless back channel to the destination unit based on the primary authentication information sent via the primary channel during the same session;
  
  the destination unit operative to re-transmit the authentication code to the first unit via a second secondary channel in a way that is transparent to a user of the first unit;
  
  the first unit operative to return the authentication code on the wireless primary channel to the second unit during the same session; and
  
  the authenticator operative to authenticate the user when the returned authentication code received from the wireless primary channel is determined to be suitable.
- View Dependent Claims (10, 11)
- - 10. The system of claim 9 wherein the authenticator maintains per user destination unit data including at least one destination unit identifier per user and sends the authentication code to the second unit for transmission to the destination unit based on the stored per user destination unit identifier.
  - 11. The system of claim 9 wherein the first unit includes a cryptographic engine and prior to the first unit returning the authentication code for the authenticator, digital signs the returned authentication code to produce a digitally signed authentication code that was received from the third unit;
    - and wherein the authenticator verifies the digitally signed authentication code as part of authenticating the user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Entrust Corp.
Original Assignee
Entrust Incorporated (Entrust Corp.)
Inventors
Skinner, Eric R., Vandergeest, Ron J., Simzer, Kevin T.
Primary Examiner(s)
Vu, Kimyen
Assistant Examiner(s)
TRUVAN, LEYNNA THANH

Application Number

US09/855,183
Publication Number

US 20020169988A1
Time in Patent Office

3,361 Days
Field of Search

713200-202, 713154-155, 713/161, 713/168, 713/176, 713/180, 713/183, 713/170, 705/53, 705/67, 705/72, 705/75, 705 77- 78, 705/7, 370/312, 370/329, 370/335, 370/341, 370/351, 380/229, 380/232, 380/241, 380/33, 380/34, 380/270, 380/272, 709/200, 709202-203, 709/225, 709/238, 725/27, 725/30, 725/54, 725 62- 63, 725/81, 726/12, 726/15, 726/17, 726 2- 5, 726/21, 726 27- 29, 348/14.02, 455 301- 304, 455/132
US Class Current

726/2
CPC Class Codes

H04L 63/0823 using certificates cryptogr...

H04L 63/126 the source of the received ...

Method and apparatus for providing user authentication using a back channel

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

112 Citations

11 Claims

Specification

Use Cases

Quick Links

Others

Method and apparatus for providing user authentication using a back channel

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

112 Citations

11 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others