Multi-channel user authentication apparatus system and method

US 8,151,116 B2
Filed: 06/09/2007
Issued: 04/03/2012
Est. Priority Date: 06/09/2006
Status: Expired due to Fees

First Claim

Patent Images

1. An authorization server to facilitate authentication of a user requesting access to an access restricted resource, the authorization server comprising:

one or more hardware processors being configured to execute;

a validation software subroutine that receives a user identifier for a user that is requesting access to an access restricted resource from a client computing device, the user identifier being received over a first communication channel comprising a direct communication channel in conjunction with the request to access the access restricted resource, wherein the validation software subroutine further determines if the user identifier is a valid identifier corresponding to an electronic address;

a token generation software subroutine that generates a plurality of authentication tokens, including a cookie and an electronic message token, to be distributed over different communication channels;

a token distribution software subroutine that sends, in response to the validation software subroutine validating the user identifier, the cookie over the first communication channel to the client computing device, and sends the electronic message token over a second communication channel to a messaging server that provides a messaging service to the user using the electronic address, thereby determining that the electronic address exists, is valid, and uniquely identifies the user, the second communication channel thereby comprising an indirect communication channel for communicating with the client computing device; and

a token validation software subroutine configured to authenticate the client computing device to authorize access to the access restricted resource when receiving both the cookie and the electronic message token such that access to the access restricted resource requires receipt of the cookie and the electronic message token which were distributed over different communication channels, the electronic message token having been automatically collected and submitted at the client computing device.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An apparatus, system, and method are disclosed for authenticating users through multiple communication channels. The authentication method of the present invention may be used to supplement password systems or replace password authentication, effectively enabling secure sharing, auditing, delegation, and revocation of authority.

106 Citations

View as Search Results

50 Claims

1. An authorization server to facilitate authentication of a user requesting access to an access restricted resource, the authorization server comprising:
- one or more hardware processors being configured to execute;
  
  a validation software subroutine that receives a user identifier for a user that is requesting access to an access restricted resource from a client computing device, the user identifier being received over a first communication channel comprising a direct communication channel in conjunction with the request to access the access restricted resource, wherein the validation software subroutine further determines if the user identifier is a valid identifier corresponding to an electronic address;
  
  a token generation software subroutine that generates a plurality of authentication tokens, including a cookie and an electronic message token, to be distributed over different communication channels;
  
  a token distribution software subroutine that sends, in response to the validation software subroutine validating the user identifier, the cookie over the first communication channel to the client computing device, and sends the electronic message token over a second communication channel to a messaging server that provides a messaging service to the user using the electronic address, thereby determining that the electronic address exists, is valid, and uniquely identifies the user, the second communication channel thereby comprising an indirect communication channel for communicating with the client computing device; and
  
  a token validation software subroutine configured to authenticate the client computing device to authorize access to the access restricted resource when receiving both the cookie and the electronic message token such that access to the access restricted resource requires receipt of the cookie and the electronic message token which were distributed over different communication channels, the electronic message token having been automatically collected and submitted at the client computing device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The authentication server of claim 1, wherein the token validation software subroutine also determines if a token has expired.
  - 3. The authentication server of claim 1, wherein the token distribution software subroutine also sends another electronic message comprising a second electronic message token to a second messaging server that provides a messaging service to the user using another electronic address corresponding to the user identifier, and the token validation also authenticates the client computing device to authorize access to the access restricted resource when receiving at least two of the tokens distributed by the token distribution software subroutine.
  - 4. The authentication server of claim 1, wherein the token distribution software subroutine sends n tokens, where n is greater than two, and wherein the token validation software subroutine authenticates the client computing device to authorize access to the access restricted resource when receiving m tokens, where m is greater than 1, which were distributed by the token distribution software subroutine.
  - 5. The authentication server of claim 1, wherein the validation software subroutine verifies a password.
  - 6. The authentication server of claim 1, wherein the electronic message is selected from the group consisting of an email message, a telephone text message, a pager message, and an instant message.
  - 7. The authentication server of claim 1, wherein the token distribution software subroutine includes delegation information within the electronic message.
  - 8. The authentication server of claim 1, further comprising a communication software subroutine that establishes a secure connection between the client computing device and the authentication server.
  - 9. The authentication server of claim 8, wherein the communication software subroutine encrypts the electronic message.
  - 10. The authentication server of claim 1, further comprising a delegation software subroutine that enables delegation of access privileges.
  - 11. The authentication server of claim 1, further comprising an auditing software subroutine.
  - 12. The authentication server of claim 1, wherein the plurality of authentication tokens are configured for one time use.
  - 13. The authentication server of claim 1, wherein the cookie is a session cookie.

14. A client computing device to authenticate a user requesting access to an access restricted resource, the client computing device comprising:
- one or more hardware processors being configured to execute;
  
  an access request software subroutine that submits a user identifier to an authentication server for a user that is requesting access to an access restricted resource, the user identifier corresponding to an electronic address, the user identifier being submitted over a first communication channel comprising a direct communication channel between the client computing device and the authentication server in conjunction with the request to access the access restricted resource;
  
  a browser that receives a cookie, the cookie comprising a first authentication token, the cookie being received over the first communication channel;
  
  a token collection software subroutine that retrieves an electronic message, over a second communication channel from a messaging server, thereby determining that the electronic address exists, is valid, and uniquely identifies the user, that was sent to the electronic address, the electronic message comprising a second authentication token, wherein the first and second tokens are received in response to the submission of the user identifier;
  
  wherein the browser submits the first authentication token to the authentication server over the first communication channel; and
  
  a token submission software subroutine that submits the second authentication token to the authentication server over the first communication channel in conjunction with the submission of the first authentication token to request access to the access restricted resource such that access is requested by presenting both the first and the second authentication tokens, the tokens having been automatically collected and submitted at the client computing device.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21)
- - 15. The client computing device of claim 14, further comprising a user interface software subroutine that displays a single-click login control.
  - 16. The client computing device of claim 15, wherein submitting the user identifier occurs in response to user activation of the single-click login control.
  - 17. The client computing device of claim 14, wherein the token collection software subroutine retrieves another electronic message comprising a third authentication token from another electronic address corresponding to the user identifier.
  - 18. The client computing device of claim 14, wherein the token collection software subroutine retrieves at least m valid tokens from a set of n distributed tokens wherein m and n are integers and m is less than n.
  - 19. The client computing device of claim 14, wherein the electronic message is selected from the group consisting of an email message, a telephone text message, a pager message, and an instant message.
  - 20. The client computing device of claim 14, wherein the electronic message is an encrypted electronic message.
  - 21. The client computing device of claim 14, wherein the cookie is a session cookie.

22. A system to authenticate a user requesting access to an access restricted resource, the system comprising:
- an authentication server comprising one or more hardware processors being configured to execute;
  
  a user validation software subroutine that receives a user identifier from a client computing device and determines if the user identifier is a valid identifier corresponding to an electronic address, the user identifier being received over a first communication channel comprising a direct communication channel between the authentication server and the client computing device in conjunction with a request to access the access restricted resource,a token generation software subroutine that generates a plurality of authentication tokens for the client computing device, including a cookie and an electronic message token, to be distributed over different communication channels,a token distribution software subroutine that sends, in response to the validation software subroutine validating the user identifier, the cookie over the first communication channel to the client computing device and sends the electronic message token over a second communication channel to a messaging server that provides a messaging service to the user using the electronic address, thereby determining that the electronic address exists, is valid, and uniquely identifies the user, the second communication channel thereby comprising an indirect communication channel for communicating with the client computing device; and
  
  a token validation software subroutine that authenticates the client computing device to authorize access to the access restricted resource when receiving both the cookie and the electronic message token such that access to the access restricted resource requires receipt of the cookie and the electronic message token which were distributed over different communication channels, the electronic message token having been automatically collected and submitted at the client computing device;
  
  a client computing device comprising one or more hardware processors being configured to execute;
  
  an access request software subroutine that submits the user identifier over the first communication channel to the authentication server for a user that is requesting access to an access restricted resource,a token collection software subroutine that receives the plurality of authentication tokens from the plurality of communication channels, anda token submission software subroutine that submits the cookie and the electronic message token to the authentication server.
- View Dependent Claims (23, 24, 25, 26)
- - 23. The system of claim 22, wherein the first communication channel comprises an HTTPS connection, and wherein the electronic message token is included within one of an email, a text message, an instant message, or a page.
  - 24. The system of claim 22, wherein the messaging server forwards the electronic message token to the user.
  - 25. The system of claim 22, wherein the token collection software subroutine receives at least m valid tokens from a set of n distributed tokens.
  - 26. The system of claim 22, wherein the token submission software subroutine submits at least m valid tokens from a set of n distributed tokens.

27. A method, performed by an authentication server, to authenticate a user requesting access to an access restricted resource, the method comprising:
- receiving a user identifier from a client computing device for a user that is requesting access to an access restricted resource, the user identifier being received over a first communication channel comprising a direct communication channel between the authentication server and the client computing device in conjunction with the request to access the access restricted resource;
  
  determining if the user identifier is a valid identifier corresponding to an electronic address;
  
  generating a plurality of authentication tokens, including a cookie and an electronic message token, to be sent to the client computing device over different communication channels, including at least one direct and at least one indirect channel;
  
  sending, in response to validating the user identifier, the cookie over the first communication channel to the client computing device and sending the electronic message token over a second communication channel to a messaging server that provides a messaging service to the user using the electronic address, thereby determining that the electronic address exists, is valid, and uniquely identifies the user, the second communication channel thereby comprising an indirect communication channel for communicating with the client computing device;
  
  receiving the cookie and the electronic message token from the client computing device over the first communication channel; and
  
  authenticating the client computing device to authorize access to the access restricted resource when receiving both the cookie and the electronic message token such that access to the access restricted resource requires receipt of the cookie and the electronic message token which were distributed over different communication channels, the electronic message token having been automatically collected and submitted at the client computing device.
- View Dependent Claims (28, 29, 30, 31, 32, 33, 34, 35, 36, 37)
- - 28. The method of claim 27, further comprising determining if a token has expired.
  - 29. The method of claim 27, further comprising sending another electronic message comprising a second electronic message token to a second messaging server that provides a messaging service to the user using another electronic address corresponding to the user identifier, and authenticating the client computing device to authorize access to the access restricted resource when receiving at least two of the tokens distributed by a token distribution software subroutine.
  - 30. The method of claim 27, further comprising verifying a password.
  - 31. The method of claim 27, wherein the cookie is a session cookie.
  - 32. The method of claim 27, wherein the electronic message is selected from the group consisting of an email message, a telephone text message, a pager message, and an instant message.
  - 33. The method of claim 27, wherein the electronic message is encrypted.
  - 34. The method of claim 27, wherein sending the electronic message comprises conducting communications in a protocol selected from the group consisting of pop, IMAP, SMS, Jabber, an email protocol, an instant messaging protocol, a paging protocol, and http.
  - 35. The method of claim 27, further comprising including delegation information within the electronic message.
  - 36. The method of claim 27, further comprising establishing a secure connection with the client computing device.
  - 37. The method of claim 27, further comprising determining a user'"'"'s permission level for the access restricted resource.

38. A method, performed by a client computing device, to facilitate authentication of a user requesting access to an access restricted resource, the method comprising:
- submitting a user identifier to an authentication server for a user requesting access to an access restricted resource via a browser, the user identifier corresponding to an electronic address, the user identifier being submitted over a first communication channel comprising a direct communication channel between the authentication server and the client computing device in conjunction with the request to access the access restricted resource;
  
  receiving a cookie comprising a first authentication token, the cookie being received over the first communication channel;
  
  retrieving an electronic message, sent to the electronic address, from a messaging server, the electronic message comprising a second authentication token sent over a second communication channel to the messaging server to the electronic address, thereby determining that the electronic address exists, is valid, and uniquely identifies the user, the second communication channel being different from the first communication channel and comprising an indirect communication channel for communicating with the client computing device wherein the first and second tokens are received in response to the submission of the user identifier;
  
  submitting the first and second authentication tokens to the authentication server over the first communication channel to request access to the access restricted resource such that access is requested by presenting both the first and second authentication tokens, the tokens having been automatically collected and submitted at the client computing device.
- View Dependent Claims (39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50)
- - 39. The method of claim 38, further comprising delegating access by forwarding the electronic message to a selected user.
  - 40. The method of claim 38, further comprising presenting a single-click login control to the user.
  - 41. The method of claim 40, wherein submitting the user identifier occurs in response to user activation of the single-click login control.
  - 42. The method of claim 38, further comprising retrieving another electronic message, from a second messaging server, comprising a third authentication token from another electronic address corresponding to the user identifier.
  - 43. The method of claim 38, further comprising collecting at least m valid tokens m from a set of n distributed tokens.
  - 44. The method of claim 38, further comprising auto-deleting the electronic message in response to retrieval of the electronic message.
  - 45. The method of claim 38, wherein the cookie is a session cookie.
  - 46. The method of claim 38, wherein the electronic message is selected from the group consisting of an email message, a telephone text message, a paging message, and an instant message.
  - 47. The method of claim 38, wherein the electronic message is encrypted.
  - 48. The method of claim 38, further comprising auditing messages.
  - 49. The method of claim 38, wherein retrieving the electronic message comprises conducting communications in a protocol selected from the group consisting of pop, IMAP, SMS, Jabber, an email protocol, an instant messaging protocol, a paging protocol, and http.
  - 50. The method of claim 38, wherein the access restricted resource is selected from the group consisting of a server, a website, a content feed, an intra-network, and a wireless network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Brigham Young University (The Church of Jesus Christ of Latter-Day Saints)
Original Assignee
Brigham Young University (The Church of Jesus Christ of Latter-Day Saints)
Inventors
van der Horst, Timothy, Seamons, Kent
Primary Examiner(s)
SHAN, APRIL YING

Application Number

US11/760,742
Publication Number

US 20070289002A1
Time in Patent Office

1,760 Days
Field of Search

726/19, 726/10, 726/28, 726/17, 726/20, 726/21, 713/183, 713/185, 713/152, 705/405
US Class Current

713/185
CPC Class Codes

G06F 21/42 using separate channels for...

G06F 2221/2137 Time limited access, e.g. t...

Multi-channel user authentication apparatus system and method

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

106 Citations

50 Claims

Specification

Solutions

Use Cases

Quick Links

Multi-channel user authentication apparatus system and method

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

106 Citations

50 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links