Systems and methods for providing security token authentication

US 8,032,932 B2
Filed: 08/22/2008
Issued: 10/04/2011
Est. Priority Date: 08/22/2008
Status: Active Grant

First Claim

Patent Images

1. A system for authenticating a security token provided to request access to at least one business application in an enterprise including a plurality of business units, comprising:

a processor coupled to memory and programmed for;

receiving a request for the security token for authenticating the request to access the at least one business application of a plurality of business applications, each business application being managed by a different one of the plurality of business units, and the plurality of business units being provided with access to a token domain interface (TAMIN);

creating, via accessing the TAMIN, a unique user identification (UID) for the security-token request;

assigning and activating, via accessing the TAMIN, the security token in response to the security-token request, the security token being identified by a unique token identification;

storing in a lookup database a mapping of security tokens to token types and a plurality of token domains, each of said token domains operating to authenticate a type of security token;

storing in a user store database a user profile that includes the UID, the assigned and activated security token, a token type of the assigned and activated security token as provided by the mapping in the lookup database, and a corresponding one of the token domains as also provided by the mapping in the lookup database;

receiving by an authentication broker the assigned and activated security token from the at least one business application;

looking up, via accessing the TAMIN, the assigned and activated security token and its unique token identification in the user profile stored in the user store database to identify the token type and the corresponding token domain of the assigned and activated security token so as to authenticate the assigned and activated security token; and

preventing one of the plurality of business units to perform, via accessing the TAMIN, the steps of creating the UID, assigning the security token, and looking up the assigned and activated security token upon a determination that the assigned security token is used for authentication access to multiple business applications in different ones of the plurality of business units.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Described herein are systems and methods for centralizing and standardizing implementation of security tokens so as to provide one token per one user for accessing business applications across an enterprise, providing scalability to support authentication of as many enterprise users as desired or needed, and providing a standardized token management interface that supports both pre-binding and post-binding user registration processes and different types of security token.

217 Citations

17 Claims

1. A system for authenticating a security token provided to request access to at least one business application in an enterprise including a plurality of business units, comprising:
- a processor coupled to memory and programmed for;
  
  receiving a request for the security token for authenticating the request to access the at least one business application of a plurality of business applications, each business application being managed by a different one of the plurality of business units, and the plurality of business units being provided with access to a token domain interface (TAMIN);
  
  creating, via accessing the TAMIN, a unique user identification (UID) for the security-token request;
  
  assigning and activating, via accessing the TAMIN, the security token in response to the security-token request, the security token being identified by a unique token identification;
  
  storing in a lookup database a mapping of security tokens to token types and a plurality of token domains, each of said token domains operating to authenticate a type of security token;
  
  storing in a user store database a user profile that includes the UID, the assigned and activated security token, a token type of the assigned and activated security token as provided by the mapping in the lookup database, and a corresponding one of the token domains as also provided by the mapping in the lookup database;
  
  receiving by an authentication broker the assigned and activated security token from the at least one business application;
  
  looking up, via accessing the TAMIN, the assigned and activated security token and its unique token identification in the user profile stored in the user store database to identify the token type and the corresponding token domain of the assigned and activated security token so as to authenticate the assigned and activated security token; and
  
  preventing one of the plurality of business units to perform, via accessing the TAMIN, the steps of creating the UID, assigning the security token, and looking up the assigned and activated security token upon a determination that the assigned security token is used for authentication access to multiple business applications in different ones of the plurality of business units.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system of claim 1, wherein the at least one business application includes a single sign-on (SSO) authentication application that operates to receive the assigned and activated security token and to forward the assigned and activated security token to the authentication broker.
  - 3. The system of claim 2, wherein the processor is further programmed for receiving, via a security policy server of the authentication broker, the assigned and activated security token and to validate the assigned and activated security token before looking up the assigned and activated security token in the user profile stored in the user store database.
  - 4. The system of claim 3, wherein the processor is further programmed for receiving, via a token-identification server of the authentication broker, the validated security token from the security policy server and to look up the assigned and activated security token in the user profile stored in the user store database.
  - 5. The system of claim 4, wherein the:
    - processor is further programmed for accessing a token-identification configuration file of the authentication broker by the token identification server to configure settings for accessing one or more authentication plug-ins; and
      
      for accessing an authentication-scheme configuration file of the authentication broker by the one or more authentication plug-ins to configure settings for accessing one or more token domains external to the authentication broker that are used to authenticate different types of security tokens.
  - 6. The system of claim 1, wherein the assigned and activated security token is one of a hardware security token and a software security token that provide one-time password (OTP) authentication.
  - 7. The system of claim 1, wherein the authentication broker includes a plurality of authentication plug-ins, each authentication plug-in connects to one of the plurality of token domains that authenticates a different type of security token.
  - 8. The system of claim 7, wherein at least one of the authentication plug-ins is a remote authentication dial in user service (RADIUS) based plug-in.
  - 9. The system of claim 7, wherein at least one of the authentication plug-ins is a plug-in that provides connection to one of the plurality of token domains for authenticating a software security token.

10. A method for authenticating a request to access at least one business application in an enterprise including a plurality of business units, comprising:
- receiving a request for a security token for authenticating the request to access the at least one business application of a plurality of business applications, each business application being managed by a different one of the plurality of business units, and the plurality of business units being provided with access to a token domain interface (TAMIN);
  
  creating, via accessing the TAMIN, a unique user identification (UID) for the security-token request;
  
  assigning and activating, via accessing the TAMIN, a security token in response to the security-token request, the security token is identified by a unique token identification;
  
  looking up, via accessing the TAMIN, the assigned and activated security token and its unique token identification to identify a token type of the assigned and activated security token and an associated token domain for authenticating the assigned and activated security token;
  
  storing the UID, the unique token identification, the identified token type, and an identification of the associated token domain in a user profile;
  
  receiving the request to access the at least one business application, wherein the request includes the assigned and activated security token;
  
  responsive to the request to access, looking up the assigned and activated security token and its unique token identification in the user profile to identify the token type and the associated token domain of the assigned and activated security token;
  
  invoking an authentication plug-in particular to the identified token type to connect to the associated token domain based on the identification of the associated token domain in the user profile;
  
  authenticating the assigned and activated security token with the associated token domain as connected to by the authentication plug-in; and
  
  preventing one of the plurality of business units to perform, via accessing the TAMIN, the steps of creating the UID, assigning the security token, and looking up the assigned and activated security token upon a determination that the assigned and activated security token is used for authentication access to multiple business applications in different ones of the plurality of business units.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The method of claim 10, further comprising:
    - assigning a personal identification number (PIN) to the request to access the at least one business application to establish multi-factor authentication to access the at least one business application with the PIN and the assigned and activated security token.
  - 12. The method of claim 10, further comprising:
    - providing a plurality of application programming interfaces (APIs) in the TAMIN for the at least one business application to access the TAMIN to perform the steps of creating the UID, assigning and activating the security token, and looking up the assigned and activated security token.
  - 13. The method of claim 10, further comprising:
    - one of the plurality of business units accessing the TAMIN to perform the steps of creating the UID, assigning and activating the security token, and looking up the assigned and activated security token upon a determination that the assigned and activated security token is used for authenticating access to the business application managed by the one business unit and not in a business application managed by any other of the plurality of business units.
  - 14. The method of claim 10, further comprising:
    - providing a centralized information security administration (ISA) in the enterprise to access the TAMIN and perform the steps of creating the UID, assigning the security, and looking up the assigned security token.

15. A method for authenticating a request to access at least one business application in an enterprise including a plurality of business units, comprising:
- receiving a request for the security token for authenticating the request to access the at least one business application of a plurality of business applications, each business application being managed by a different one of a plurality of business units, and the plurality of business units being provided with access to a token domain interface (TAMIN);
  
  creating, via accessing the TAMIN, a unique user identification (UID) for the security-token request;
  
  assigning, via accessing the TAMIN, a security token in response to the security-token request, the security token being identified by a unique token identification;
  
  receiving a request to activate the previously assigned security token for authenticating the request to access the at least one business application, the request includes a unique token identification of the previously assigned security token;
  
  activating, via accessing the TAMIN, the previously assigned security token;
  
  looking up, via accessing the TAMIN, the previously assigned and activated security token and its unique token identification to identify a token type of the previously assigned and activated security token and an associated token domain for authenticating the previously assigned and activated security token;
  
  storing the UID, the unique token identification, the identified token type, and an identification of the associated token domain in a user profile;
  
  receiving the request to access the at least one business application, wherein the request includes the previously assigned and activated security token;
  
  responsive to the request to access, looking up, via accessing the TAMIN, the previously assigned and activated security token and its unique token identification in the user profile to identify the token type and the associated token domain of the previously assigned and activated security token;
  
  invoking an authentication plug-in particular to the identified token type to connect to the associated token domain based on the identification of the associated token domain in the user profile;
  
  authenticating the previously assigned and activated security token with the associated token domain as connected to by the authentication plug-in; and
  
  preventing one of the plurality of business units to perform, via accessing the TAMIN, the steps of creating the UID, assigning the security token, and looking up the assigned and activated security token upon a determination that the assigned and activated security token is used for authentication access to multiple business applications in different ones of the plurality of business units.
- View Dependent Claims (16, 17)
- - 16. The method of claim 15, further comprising:
    - assigning an authentication mechanism to the request to access the at least one business application to establish multi-factor authentication to access the at least one business application with the authentication mechanism and the previously assigned and activated security token.
  - 17. The method of claim 16, wherein in the step of receiving the request to access the at least one business application, the request further includes the assigned authentication mechanism, and the method further comprising:
    - authenticating the assigned authentication mechanism; and
      
      upon successfully authenticating the assigned authentication mechanism, proceeding to perform the step of looking up the previously assigned and activated security token and its unique token identification.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citibank (South Dakota) NA (Citigroup Incorporated)
Original Assignee
Citibank (South Dakota) NA (Citigroup Incorporated)
Inventors
Speyer, Jerry, Luo, Ricky, Nair, Sandeep
Primary Examiner(s)
SIMITOSKI, MICHAEL J

Application Number

US12/196,526
Publication Number

US 20100050251A1
Time in Patent Office

1,138 Days
Field of Search

726/9, 726/20
US Class Current

726/9
CPC Class Codes

G06Q 10/06   Resources, workflows, human...

H04L 2209/56   Financial cryptography, e.g...

H04L 9/3228   One-time or temporary data,...

H04L 9/3234   involving additional secure...

Systems and methods for providing security token authentication

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

217 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for providing security token authentication

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

217 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links