Multi-channel user authentication apparatus system and method
First Claim
1. An authorization server to facilitate authentication of a user requesting access to an access restricted resource, the authorization server comprising:
one or more hardware processors being configured to execute;
a validation software subroutine that receives a user identifier for a user that is requesting access to an access restricted resource from a client computing device, the user identifier being received over a first communication channel comprising a direct communication channel in conjunction with the request to access the access restricted resource, wherein the validation software subroutine further determines if the user identifier is a valid identifier corresponding to an electronic address;
a token generation software subroutine that generates a plurality of authentication tokens, including a cookie and an electronic message token, to be distributed over different communication channels;
a token distribution software subroutine that sends, in response to the validation software subroutine validating the user identifier, the cookie over the first communication channel to the client computing device, and sends the electronic message token over a second communication channel to a messaging server that provides a messaging service to the user using the electronic address, thereby determining that the electronic address exists, is valid, and uniquely identifies the user, the second communication channel thereby comprising an indirect communication channel for communicating with the client computing device; and
a token validation software subroutine configured to authenticate the client computing device to authorize access to the access restricted resource when receiving both the cookie and the electronic message token such that access to the access restricted resource requires receipt of the cookie and the electronic message token which were distributed over different communication channels, the electronic message token having been automatically collected and submitted at the client computing device.
Abstract
An apparatus, system, and method are disclosed for authenticating users through multiple communication channels. The authentication method of the present invention may be used to supplement password systems or replace password authentication, effectively enabling secure sharing, auditing, delegation, and revocation of authority.
106 Citations
50 Claims
14. A client computing device to authenticate a user requesting access to an access restricted resource, the client computing device comprising:
one or more hardware processors being configured to execute;
an access request software subroutine that submits a user identifier to an authentication server for a user that is requesting access to an access restricted resource, the user identifier corresponding to an electronic address, the user identifier being submitted over a first communication channel comprising a direct communication channel between the client computing device and the authentication server in conjunction with the request to access the access restricted resource;
a browser that receives a cookie, the cookie comprising a first authentication token, the cookie being received over the first communication channel;
a token collection software subroutine that retrieves an electronic message, over a second communication channel from a messaging server, thereby determining that the electronic address exists, is valid, and uniquely identifies the user, that was sent to the electronic address, the electronic message comprising a second authentication token, wherein the first and second tokens are received in response to the submission of the user identifier;
wherein the browser submits the first authentication token to the authentication server over the first communication channel; and
a token submission software subroutine that submits the second authentication token to the authentication server over the first communication channel in conjunction with the submission of the first authentication token to request access to the access restricted resource such that access is requested by presenting both the first and the second authentication tokens, the tokens having been automatically collected and submitted at the client computing device.
Dependent claims 15 to 21 not reproduced here.
22. A system to authenticate a user requesting access to an access restricted resource, the system comprising:
an authentication server comprising one or more hardware processors being configured to execute;
a user validation software subroutine that receives a user identifier from a client computing device and determines if the user identifier is a valid identifier corresponding to an electronic address, the user identifier being received over a first communication channel comprising a direct communication channel between the authentication server and the client computing device in conjunction with a request to access the access restricted resource,
a token generation software subroutine that generates a plurality of authentication tokens for the client computing device, including a cookie and an electronic message token, to be distributed over different communication channels,
a token distribution software subroutine that sends, in response to the validation software subroutine validating the user identifier, the cookie over the first communication channel to the client computing device and sends the electronic message token over a second communication channel to a messaging server that provides a messaging service to the user using the electronic address, thereby determining that the electronic address exists, is valid, and uniquely identifies the user, the second communication channel thereby comprising an indirect communication channel for communicating with the client computing device; and
a token validation software subroutine that authenticates the client computing device to authorize access to the access restricted resource when receiving both the cookie and the electronic message token such that access to the access restricted resource requires receipt of the cookie and the electronic message token which were distributed over different communication channels, the electronic message token having been automatically collected and submitted at the client computing device;
a client computing device comprising one or more hardware processors being configured to execute;
an access request software subroutine that submits the user identifier over the first communication channel to the authentication server for a user that is requesting access to an access restricted resource,
a token collection software subroutine that receives the plurality of authentication tokens from the plurality of communication channels, and
a token submission software subroutine that submits the cookie and the electronic message token to the authentication server.
Dependent claims 23 to 26 not reproduced here.
27. A method, performed by an authentication server, to authenticate a user requesting access to an access restricted resource, the method comprising:
receiving a user identifier from a client computing device for a user that is requesting access to an access restricted resource, the user identifier being received over a first communication channel comprising a direct communication channel between the authentication server and the client computing device in conjunction with the request to access the access restricted resource;
determining if the user identifier is a valid identifier corresponding to an electronic address;
generating a plurality of authentication tokens, including a cookie and an electronic message token, to be sent to the client computing device over different communication channels, including at least one direct and at least one indirect channel;
sending, in response to validating the user identifier, the cookie over the first communication channel to the client computing device and sending the electronic message token over a second communication channel to a messaging server that provides a messaging service to the user using the electronic address, thereby determining that the electronic address exists, is valid, and uniquely identifies the user, the second communication channel thereby comprising an indirect communication channel for communicating with the client computing device;
receiving the cookie and the electronic message token from the client computing device over the first communication channel; and
authenticating the client computing device to authorize access to the access restricted resource when receiving both the cookie and the electronic message token such that access to the access restricted resource requires receipt of the cookie and the electronic message token which were distributed over different communication channels, the electronic message token having been automatically collected and submitted at the client computing device.
Dependent claims 28 to 37 not reproduced here.
38. A method, performed by a client computing device, to facilitate authentication of a user requesting access to an access restricted resource, the method comprising:
submitting a user identifier to an authentication server for a user requesting access to an access restricted resource via a browser, the user identifier corresponding to an electronic address, the user identifier being submitted over a first communication channel comprising a direct communication channel between the authentication server and the client computing device in conjunction with the request to access the access restricted resource;
receiving a cookie comprising a first authentication token, the cookie being received over the first communication channel;
retrieving an electronic message, sent to the electronic address, from a messaging server, the electronic message comprising a second authentication token sent over a second communication channel to the messaging server to the electronic address, thereby determining that the electronic address exists, is valid, and uniquely identifies the user, the second communication channel being different from the first communication channel and comprising an indirect communication channel for communicating with the client computing device wherein the first and second tokens are received in response to the submission of the user identifier;
submitting the first and second authentication tokens to the authentication server over the first communication channel to request access to the access restricted resource such that access is requested by presenting both the first and second authentication tokens, the tokens having been automatically collected and submitted at the client computing device.
Dependent claims 39 to 50 not reproduced here.
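The two-channel exchange the claims describe, as an added Python simulation that is not code from the patent or its assignee: the server hands a cookie back over the direct channel, sends a one-time token to the user's address via a stand-in messaging server, and grants access only when both are presented together. The class names, the 300-second lifetime, the hashed-at-rest token and the one-attempt-per-cookie rule are my assumptions, chosen so that a token collected from one session cannot be combined with a cookie from another.

```python
import hmac
import secrets
import time
from hashlib import sha256

class MessagingServer:
    """Second (indirect) channel: stand-in for the user's mail service."""
    def __init__(self):
        self.mailboxes = {}
    def deliver(self, address, msg_token):
        self.mailboxes.setdefault(address, []).append(msg_token)
    def fetch(self, address):
        return self.mailboxes.get(address, []).pop()  # newest message first

class AuthServer:
    """Cookie over the direct channel, message token over the indirect one; both required."""
    def __init__(self, directory, mailer, ttl=300):
        self.directory = directory  # user identifier -> electronic address (assumed lookup)
        self.mailer = mailer
        self.ttl = ttl
        self.pending = {}  # cookie -> (user id, sha256(msg token), expiry)
    def request_access(self, user_id):
        address = self.directory.get(user_id)
        if address is None:
            return None  # invalid identifier: no tokens are issued
        cookie, msg_token = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        digest = sha256(msg_token.encode()).hexdigest()  # store only a hash
        self.pending[cookie] = (user_id, digest, time.time() + self.ttl)
        self.mailer.deliver(address, msg_token)  # second channel
        return cookie  # first channel
    def validate(self, cookie, msg_token):
        entry = self.pending.pop(cookie, None)  # one attempt per cookie
        if entry is None:
            return None
        user_id, digest, expiry = entry
        presented = sha256(msg_token.encode()).hexdigest()
        if time.time() > expiry or not hmac.compare_digest(digest, presented):
            return None  # expired, or token from a different session
        return user_id

class ClientDevice:
    """Collects the cookie and the e-mailed token automatically and submits both."""
    def __init__(self, server, mailer, user_id, address):
        self.server, self.mailer = server, mailer
        self.user_id, self.address = user_id, address
    def login(self):
        cookie = self.server.request_access(self.user_id)
        if cookie is None:
            return None
        return self.server.validate(cookie, self.mailer.fetch(self.address))
```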
Specification