Possession of synchronized data as authentication factor in online services

US 8,453,222 B1
Filed: 08/20/2010
Issued: 05/28/2013
Est. Priority Date: 08/20/2010
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for user authentication, comprising:

storing on a non-transitory computer-readable storage medium server data synchronized with client data on one or more client devices associated with a user;

receiving an authentication request for authenticating the user;

identifying a level of authentication associated with the authentication request from a plurality of levels of authentication;

transmitting a data request to the one or more client devices, the data request requesting attributes of the client data, the requested attributes of the client data determined responsive to the level of authentication associated with the authentication request;

receiving from the one or more client devices the requested attributes of the client data;

verifying the received attributes of the client data based on the stored server data to determine whether the received attributes meet the level of authentication associated with the authentication request;

responsive to the received attributes meeting the level of authentication associated with the authentication request, determining that the user is successfully authenticated; and

responsive to the received attributes not meeting the level of authentication associated with the authentication request, requesting additional attributes of the client data for verification.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A user'"'"'s possession of synchronized data is used as an authentication factor. When the user requests an authentication configuration change, an authentication server requests the user to prove possession of synchronized data for that user. The user launches an authentication module on a client device hosting a local copy of the synchronized data. The authentication module creates a hash of the local copy and transmits the hash to the authorization server. Upon successfully verifying the received hash using a server copy of the synchronized data, the authentication server considers the user authorized and thus allows the user to make the authorization configuration change.

37 Citations

View as Search Results

20 Claims

1. A computer-implemented method for user authentication, comprising:
- storing on a non-transitory computer-readable storage medium server data synchronized with client data on one or more client devices associated with a user;
  
  receiving an authentication request for authenticating the user;
  
  identifying a level of authentication associated with the authentication request from a plurality of levels of authentication;
  
  transmitting a data request to the one or more client devices, the data request requesting attributes of the client data, the requested attributes of the client data determined responsive to the level of authentication associated with the authentication request;
  
  receiving from the one or more client devices the requested attributes of the client data;
  
  verifying the received attributes of the client data based on the stored server data to determine whether the received attributes meet the level of authentication associated with the authentication request;
  
  responsive to the received attributes meeting the level of authentication associated with the authentication request, determining that the user is successfully authenticated; and
  
  responsive to the received attributes not meeting the level of authentication associated with the authentication request, requesting additional attributes of the client data for verification.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The computer-implemented method of claim 1, wherein the requested attributes comprise hash values of the client data, and wherein verifying the received attributes comprises applying a cryptographic hash function to the stored server data.
  - 3. The computer-implemented method of claim 1, further comprising:
    - responsive to unsuccessfully verifying the received attributes, determining that the user is unsuccessfully authenticated.
  - 4. The computer-implemented method of claim 1, wherein the authentication request comprises a request to change a security configuration setting, and wherein the method further comprises:
    - responsive to successfully authenticating the user, enabling the user to change the security configuration setting.
  - 5. The computer-implemented method of claim 4, wherein enabling the user to change the security configuration setting comprises allowing the user to reset a password for the user.
  - 6. The computer-implemented method of claim 1, further comprising:
    - periodically communicating with the one or more client devices to synchronize the server data and the client data.
  - 7. The computer-implemented method of claim 1, wherein different authentication levels are associated with different threshold values describing different amounts of attributes of the client data to verify in order to successfully meet the levels of authentication, wherein verifying the received attributes comprises:
    - determining a threshold value associated with the identified authentication level; and
      
      determining whether an amount of received attributes that verify based on the stored server data meet the threshold value associated with the identified authentication level.
  - 8. The computer-implemented method of claim 1, wherein the identified level of authentication associated with the authentication request requires attributes of client data from a plurality of client devices and wherein transmitting the data request comprises transmitting the data request to the plurality of client devices.

9. A computer-implemented method for user authentication, comprising:
- transmitting to an authentication server first client data retrieved from a non-transitory computer-readable storage medium in a client device associated with a user, the authentication server configured to store server data synchronized with client data received from one or more client devices associated with the user;
  
  transmitting to the authentication server an authentication request for authenticating the user, the authentication server configured to identify a level of authentication associated with the authentication request from a plurality of levels of authentication and to transmit a data request to the one or more client devices associated with the user, the data request requesting attributes of the client data, the requested attributes of the client data determined responsive to the level of authentication associated with the authentication request;
  
  responsive to receiving the data request, applying a cryptographic hash function to the first client data to generate a hash value; and
  
  transmitting the generated hash value to the authentication server, the authentication server configured to;
  
  verify the generated hash value and any other attributes of client data received from other client devices to determine whether the received attributes meet the level of authentication associated with the authentication request;
  
  responsive to the received attributes meeting the level of authentication associated with the authentication request, determine that the user is successfully authenticated; and
  
  responsive to the received attributes not meeting the level of authentication associated with the authentication request, requesting additional attributes of the client data for verification.
- View Dependent Claims (10, 11, 12)
- - 10. The computer-implemented method of claim 9, further comprising:
    - periodically communicating with the authentication server to synchronize the first client data and the server data.
  - 11. The computer-implemented method of claim 9, wherein different authentication levels are associated with different threshold values describing different amounts of attributes of the client data to verify in order to successfully meet the levels of authentication, wherein verifying the received attributes comprises:
    - determining a threshold value associated with the identified authentication level; and
      
      determining whether an amount of received attributes that verify based on the stored server data meet the threshold value associated with the identified authentication level.
  - 12. The computer-implemented method of claim 9, wherein the identified level of authentication associated with the authentication request requires attributes of client data from a plurality of client devices and wherein transmitting the data request comprises transmitting the data request to the plurality of client devices.

13. A computer system for user authentication, comprising:
- a non-transitory computer-readable storage medium storing executable computer program code, the computer program code comprising program code for;
  
  storing server data synchronized with client data on one or more client devices associated with a user;
  
  receiving an authentication request for authenticating the user;
  
  identifying a level of authentication associated with the authentication request from a plurality of levels of authentication;
  
  transmitting a data request to the one or more client devices, the data request requesting attributes of the client data, the requested attributes of the client data determined responsive to the level of authentication associated with the authentication request;
  
  receiving from the one or more client devices the requested attributes of the client data;
  
  verifying the received attributes of the client data based on the stored server data to determine whether the received attributes meet the level of authentication associated with the authentication request;
  
  responsive to the received attributes meeting the level of authentication associated with the authentication request, determining that the user is successfully authenticated; and
  
  responsive to the received attributes not meeting the level of authentication associated with the authentication request, requesting additional attributes of the client data for verification.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The computer system of claim 13, wherein the requested attributes comprise hash values of the client data, and wherein verifying the received attributes comprises applying a cryptographic hash function to the stored server data.
  - 15. The computer system of claim 13, wherein the computer program code further comprises program code for:
    - responsive to unsuccessfully verifying the received attributes, determining that the user is unsuccessfully authenticated.
  - 16. The computer system of claim 13, wherein the authentication request comprises a request to change a security configuration setting, and wherein the computer program code further comprises program code for:
    - responsive to successfully authenticating the user, enabling the user to change the security configuration setting.
  - 17. The computer system of claim 16, wherein enabling the user to change the security configuration setting comprises allowing the user to reset a password for the user.
  - 18. The computer system of claim 13, wherein the computer program code further comprises program code for:
    - periodically communicating with the one or more client devices to synchronize the server data and the client data.
  - 19. The computer system of claim 13, wherein different authentication levels are associated with different threshold values describing different amounts of attributes of the client data to verify in order to successfully meet the levels of authentication, wherein verifying the received attributes comprises:
    - determining a threshold value associated with the identified authentication level; and
      
      determining whether an amount of received attributes that verify based on the stored server data meet the threshold value associated with the identified authentication level.
  - 20. The computer system of claim 13, wherein the identified level of authentication associated with the authentication request requires attributes of client data from a plurality of client devices and wherein transmitting the data request comprises transmitting the data request to the plurality of client devices.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NortonLifeLock Inc.
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Newstadt, Keith, Viljoen, Pieter
Primary Examiner(s)
Flynn, Nathan
Assistant Examiner(s)
Vaughan, Michael R

Application Number

US12/860,608
Time in Patent Office

1,012 Days
Field of Search

None
US Class Current

726/7
CPC Class Codes

H04L 63/083 using passwords cryptograph...

H04L 63/105 Multiple levels of security

Possession of synchronized data as authentication factor in online services

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

37 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Possession of synchronized data as authentication factor in online services

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

37 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links