One-time password authentication employing local testing of candidate passwords from one-time password server
First Claim
1. A method by which a one-time password (OTP) server provides a one-time password service to an authentication server coupled to the OTP server by a communications channel, the method comprising the steps, performed by a processor of the OTP server, of:
maintaining, in a memory of the OTP server, a set of associations between a plurality of users and corresponding user-specific secret data used in a one-time-password (OTP) process to generate OTPs for use in authenticating the users;
receiving an authentication request from the authentication server via the communications channel, the authentication request identifying one of the users, the authentication server having separately received a first hashed OTP value resulting from application of a hash function to a user-generated OTP for authenticating the identified user;
in response to receiving the authentication request, executing the OTP process using the secret data for the identified user to generate a set of candidate OTPs, any one of the candidate OTPs being expected to match the user-generated OTP for a valid authentication of the identified user;
generating and returning a response to the authentication server via the communications channel, the response including second hashed OTP values each generated by applying the hash function to a respective candidate OTP;
subsequent to returning the response to the authentication server, receiving an informational message from the authentication server (a) indicating whether any of the second hashed OTP values has matched the first hashed OTP value, and (b) identifying which one, if any, of the second hashed OTP values has matched the first hashed OTP value; and
conditionally taking further user-specific action based on the indication in the informational message whether any of the second hashed OTP values has matched the first hashed OTP value, wherein the further user-specific action includes (a) maintaining a count of recent occurrences of OTP requests for the user for which the informational message from the authentication server indicates that none of the second hashed OTP values has matched a hashed OTP value for the user, and (b) taking a count-based action based on whether the count of recent occurrences is greater than a predetermined threshold.
Abstract
A computing system has a local computing domain coupled to a one-time password (OTP) server. The OTP server maintains user-specific secret data used in a one-time-password (OTP) process to generate OTPs for user authentication. An authentication server in the computing domain sends an OTP request identifying a user to the OTP server. The OTP server executes the OTP process to generate a set of candidate OTPs, any one of which is expected to match a user-generated OTP for a valid authentication. The OTP server returns a response to the authentication server which includes second hashed OTP values, each generated by applying a hash function to a respective candidate OTP. The authentication server performs a comparison function between a first hashed OTP value from the user and the second hashed OTP values. Only upon determining that the first hashed OTP value matches one of the second hashed OTP values, the authentication server performs a protected function in the computing domain that is permitted only upon authentication of the user. Applications include authentication in a ticket-based authentication scheme such as a Kerberos system, in which the protected function may be the granting of a ticket-granting ticket enabling the user to engage service servers in the computing domain.
67 Citations
18 Claims
10. A computerized device operable as a one-time password (OTP) server, comprising:
non-transitory memory operative to store computer instructions; and
a processor coupled to the memory operative to execute the computer instructions to cause the computerized device to perform a method by which the computerized device provides a one-time password service to an authentication server coupled to the OTP server by a communications channel, the method comprising:
maintaining, in the memory, a set of associations between a plurality of users and corresponding user-specific secret data used in a one-time-password (OTP) process to generate OTPs for use in authenticating the users;
receiving an authentication request from the authentication server via the communications channel, the authentication request identifying one of the users, the authentication server having separately received a first hashed OTP value resulting from application of a hash function to a user-generated OTP for authenticating the identified user;
in response to receiving the authentication request, executing the OTP process using the secret data for the identified user to generate a set of candidate OTPs, any one of the candidate OTPs being expected to match the user-generated OTP for a valid authentication of the identified user;
generating and returning a response to the authentication server via the communications channel, the response including second hashed OTP values each generated by applying the hash function to a respective candidate OTP;
subsequent to returning the response to the authentication server, receiving an informational message from the authentication server (a) indicating whether any of the second hashed OTP values has matched the first hashed OTP value, and (b) identifying which one, if any, of the second hashed OTP values has matched the first hashed OTP value; and
conditionally taking further user-specific action based on the indication in the informational message whether any of the second hashed OTP values has matched the first hashed OTP value, wherein the user-specific action includes (a) maintaining a count of recent occurrences of OTP requests for the user for which the informational message from the authentication server indicates that none of the second hashed OTP values has matched a hashed OTP value for the user, and (b) taking count-based action based on whether the count of recent occurrences is greater than a predetermined threshold.
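The exchange described in the abstract and in claims 1 and 10, worked through in code. This is an added illustration and not the patent's or any product's own implementation: it assumes RFC 4226/6238-style TOTP as the OTP process, SHA-256 as the hash function applied to the candidates, a window of one time step on either side of the current one, and a lockout after three consecutive all-miss requests. The secret, user name and clock value are constructed for the demonstration.

```python
"""Hashed-candidate OTP exchange: the OTP server keeps the secrets and returns
only hashes of a window of candidate OTPs; the authentication server compares
the hash of the user's OTP against them and reports back which (if any)
matched; the OTP server counts misses per user and locks the user once the
count passes a threshold.  Illustrative code, not the patent's own."""

import hashlib
import hmac
import struct

HASH = "sha256"      # assumed hash function applied to each candidate OTP
DIGITS = 6           # assumed OTP length
STEP = 30            # assumed TOTP time step in seconds
WINDOW = 1           # assumed: candidates for steps t-1, t and t+1
THRESHOLD = 3        # assumed: all-miss requests tolerated before lockout


def totp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP/TOTP value for one counter (HMAC-SHA1, dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def hash_otp(otp: str) -> str:
    """The 'hash function' of the claims, applied to a cleartext OTP."""
    return hashlib.new(HASH, otp.encode()).hexdigest()


class OTPServer:
    """Holds user secrets; cleartext candidates never leave this object."""

    def __init__(self):
        self.secrets = {}   # user -> secret bytes
        self.misses = {}    # user -> count of recent all-miss requests
        self.locked = set()

    def enroll(self, user: str, secret: bytes) -> None:
        self.secrets[user] = secret
        self.misses[user] = 0

    def authentication_request(self, user: str, now: int):
        """Return the second hashed OTP values, or None if the user is locked."""
        if user in self.locked:
            return None
        base = now // STEP
        candidates = [totp(self.secrets[user], base + d)
                      for d in range(-WINDOW, WINDOW + 1)]
        return [hash_otp(c) for c in candidates]

    def informational_message(self, user: str, matched_index) -> bool:
        """Count-based action: lock after more than THRESHOLD consecutive misses."""
        if matched_index is None:
            self.misses[user] += 1
            if self.misses[user] > THRESHOLD:
                self.locked.add(user)
        else:
            self.misses[user] = 0
        return user in self.locked


class AuthServer:
    """Compares the first hashed OTP value with the second ones."""

    def __init__(self, otp_server: OTPServer):
        self.otp_server = otp_server

    def authenticate(self, user: str, first_hashed_otp: str, now: int):
        """Return (granted, matched_index) after reporting back to the OTP server."""
        second_hashes = self.otp_server.authentication_request(user, now)
        if second_hashes is None:
            return False, None
        matched = None
        for i, h in enumerate(second_hashes):   # no early exit: constant work
            if hmac.compare_digest(h, first_hashed_otp):
                matched = i
        self.otp_server.informational_message(user, matched)
        return matched is not None, matched


def demo() -> dict:
    """Constructed run: one skewed-but-valid login, then misses until lockout."""
    secret = b"constructed demo secret, not a real enrollment"
    otp_srv = OTPServer()
    otp_srv.enroll("alice", secret)
    auth = AuthServer(otp_srv)
    now = 1_700_000_000               # fixed clock keeps the run deterministic
    step = now // STEP
    genuine = totp(secret, step - 1)  # token runs one step slow; still in window
    granted, idx = auth.authenticate("alice", hash_otp(genuine), now)
    window = {totp(secret, step + d) for d in range(-WINDOW, WINDOW + 1)}
    wrong = next(str(i).zfill(DIGITS) for i in range(10)
                 if str(i).zfill(DIGITS) not in window)   # guaranteed miss
    misses = [auth.authenticate("alice", hash_otp(wrong), now)[0]
              for _ in range(THRESHOLD + 1)]
    after_lock, _ = auth.authenticate("alice", hash_otp(genuine), now)
    return {"granted": granted, "matched_index": idx, "misses": misses,
            "locked": "alice" in otp_srv.locked, "after_lock": after_lock}
```

Two design points worth noting. The comparison loop deliberately does not stop at the first match, and uses `hmac.compare_digest`, so its timing does not reveal which candidate matched. And because a six-digit OTP space is small, a hash of a candidate can be inverted by hashing every possible code, so the second hashed OTP values should be treated as sensitive and the communications channel between the two servers still needs its own confidentiality and integrity protection; the hashing limits what a passive observer learns, it does not replace channel security.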