Multi-tiered authentication methods for facilitating communications amongst smart home devices and cloud-based servers

US 8,539,567 B1
Filed: 09/22/2012
Issued: 09/17/2013
Est. Priority Date: 09/22/2012
Status: Active Grant

First Claim

Patent Images

1. A method for authenticating a client device to communicate with a remote server, comprising:

establishing, by the client device, a connection with a first remote server using first device credentials, the first device credentials being unique to and stored at the client device and authenticating the client device to communicate with the first remote server;

acquiring, at the client device, second device credentials from the first remote server, the second device credentials authenticating the client device to communicate with a second remote server;

establishing, by the client device, a connection with the second remote server using the second device credentials; and

when the connection with the second remote server fails;

re-establishing, by the client device, the connection with the first remote server using the first device credentials;

re-acquiring, at the client device, the second device credentials from the first remote server; and

re-establishing, by the client device, the connection with the second remote server using the second device credentials.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Apparatus, systems, methods, and related computer program products for synchronizing distributed states amongst a plurality of entities and authenticating devices to access information and/or services provided by a remote server. Synchronization techniques include client devices and remote servers storing buckets of information. The client device sends a subscription request to the remote serve identifying a bucket of information and, when that bucket changes, the remote server sends the change to the client device. Authentication techniques include client devices including unique default credentials that, when presented to a remote server, provide limited access to the server. The client device may obtain assigned credentials that, when presented to the remote server, provide less limited access to the server.

Citations

25 Claims

1. A method for authenticating a client device to communicate with a remote server, comprising:
- establishing, by the client device, a connection with a first remote server using first device credentials, the first device credentials being unique to and stored at the client device and authenticating the client device to communicate with the first remote server;
  
  acquiring, at the client device, second device credentials from the first remote server, the second device credentials authenticating the client device to communicate with a second remote server;
  
  establishing, by the client device, a connection with the second remote server using the second device credentials; and
  
  when the connection with the second remote server fails;
  
  re-establishing, by the client device, the connection with the first remote server using the first device credentials;
  
  re-acquiring, at the client device, the second device credentials from the first remote server; and
  
  re-establishing, by the client device, the connection with the second remote server using the second device credentials.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the client device was paired with a user account prior to re-acquiring the second device credentials from the first remote server, and the method further comprises re-pairing the client device with the user account.
  - 3. The method of claim 1, wherein the second device credentials are acquired from the first remote server only if the connection established with the first remote server is a secure connection.
  - 4. The method of claim 1, wherein the first device credentials are hardcoded into the client device.
  - 5. The method of claim 1, wherein the first device credentials include a device identifier and a unique secret generated by a third party, and the second device credentials include a device identifier and a unique secret generated by the first remote server.
  - 6. The method of claim 1, further comprising receiving, at the client device and from the second remote server, third device credentials, the third device credentials authenticating the client device to communicate with the second remote server after expiration of the second device credentials.
  - 7. The method of claim 1, further comprising accessing an account associated with the client device when the client device is paired with the account.
  - 8. The method of claim 1, further comprising establishing, by the client device, a connection with a third remote server using the first device credentials or the second device credentials, wherein data communications from the client device to the third remote server are categorized based on whether the first device credentials are used or the second device credentials are used.
  - 9. The method of claim 8, wherein the data communications are further categorized based on whether or not the client device is paired with a user account.

10. A client device, comprising:
- a storage device for storing first device credentials unique to the client device and operable to authenticate the client device to communicate with a first remote server; and
  
  an authentication module coupled to the storage device, the authentication module operable to;
  
  establish a connection with the first remote server using the first device credentials;
  
  acquire second device credentials from the first remote server, the second device credentials authenticating the client device to communicate with a second remote server;
  
  establish a connection with the second remote server using the second device credentials; and
  
  when the connection with the second remote server fails;
  
  re-establish the connection with the first remote server using the first device credentials;
  
  re-acquire the second device credentials from the first remote server; and
  
  re-establish the connection with the second remote server using the second device credentials.
- View Dependent Claims (11, 12, 13)
- - 11. The client device of claim 10, wherein the authentication module is further operable to:
    - receive, from the second remote server, third device credentials, the third device credentials authenticating the client device to communicate with the second remote server after expiration of the second device credentials.
  - 12. The client device of claim 10, wherein the authentication module is further operable to access an account associated with the client device when the client device is paired with the account.
  - 13. The client device of claim 10, wherein the authentication module is further operable to establish a connection with a third remote server using the first device credentials or the second device credentials, wherein data communications from the client device to the third remote server are categorized based on whether the first device credentials are used or the second device credentials are used.

14. A method of authenticating a client device, comprising:
- receiving, at a remote server, first device credentials from the client device, the first device credentials including a secret generated by a third party that is unique to the client device;
  
  determining whether the first device credentials are valid;
  
  when it is determined that the first device credentials are valid;
  
  generating, at the remote server, second device credentials, the second device credentials operable to authenticate the client device to communicate with one or more components of the remote server; and
  
  communicating the second device credentials to the client device;
  
  receiving the second device credentials from the client device at the remote server;
  
  determining whether the second device credentials are valid, wherein determining whether the second device credentials are valid includes one or more operations including;
  
  comparing the received second device credentials with recently generated second device credentials; and
  
  comparing the received second device credentials with previously generated second device credentials that were generated prior to the recently generated second device credentials; and
  
  when it is determined that the second device credentials are valid, granting the client device access to secured resources at the remote server.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21)
- - 15. The method of claim 14, further comprising:
    - determining whether a connection with the client device is secure; and
      
      when it is determined that the connection with the client device is not secure, denying the client device access to the remote server.
  - 16. The method of claim 14, further comprising:
    - determining whether a rate at which first device credentials have been communicated from the client device exceeds a preset rate; and
      
      when it is determined that the rate at which first device credentials have been communicated from the client device exceeds the preset rate, denying the client device access to the remote server.
  - 17. The method of claim 16, further comprising:
    - determining whether the second device credentials are expired; and
      
      when it is determined that the second device credentials are expired;
      
      generating new second device credentials; and
      
      sending the new second device credentials to the client device.
  - 18. The method of claim 14, further comprising:
    - determining whether the contact from the client device is an initial contact or a subsequent contact;
      
      when it is determined that the contact is a subsequent contact, determining whether the client device is paired with a user account; and
      
      when it is determined that the client device is paired with a user account, unpairing the client device from the user account.
  - 19. The method of claim 14, wherein determining whether the first device credentials are valid includes comparing the received first device credentials to device credentials stored at the remote server.
  - 20. The method of claim 14, wherein determining whether the first device credentials are valid includes comparing a hash of a secret included in the received first device credentials to a hash of a secret stored at the remote server.
  - 21. The method of claim 14, further comprising:
    - receiving one of the first device credentials and the second device credentials from the client device;
      
      receiving information from the client device; and
      
      categorizing the information based on whether the first device credentials or the second device credentials were received from the client device.

22. A computer system, comprising:
- a storage device for storing device credentials for client devices; and
  
  a registration server coupled to the storage device and operable to;
  
  receive first device credentials from a client device, the first device credentials including a secret generated by a third party that is unique to the client device;
  
  determine whether the first device credentials are valid; and
  
  when it is determined that the first device credentials are valid;
  
  generate second device credentials, the second device credentials operable to authenticate the client device to communicate with one or more components of the computer system; and
  
  communicate the second device credentials to the client device;
  
  wherein the registration server is further operable to;
  
  determine whether contact from the client device is an initial contact or a subsequent contact;
  
  when it is determined that the contact is a subsequent contact, determine whether the client device is paired with a user account; and
  
  when it is determined that the client device is paired with a user account, unpair the client device from the user account.
- View Dependent Claims (23, 24, 25)
- - 23. The computer system of claim 22, wherein the registration server is further operable to:
    - determine whether a rate at which first device credentials have been communicated from the client device exceeds a preset rate; and
      
      when it is determined that the rate at which first device credentials have been communicated from the client device exceeds the preset rate, deny the client device access to the registration server.
  - 24. The computer system of claim 22, further comprising a synchronization server coupled to the storage device and the registration server, the synchronization server operable to:
    - receive the second device credentials from the client device;
      
      determine whether the second device credentials are valid; and
      
      when it is determined that the second device credentials are valid, grant the client device access to secured resources.
  - 25. The computer system of claim 22, further comprising a logging server coupled to the storage device and the registration server, the logging server operable to:
    - receive one of the first device credentials and the second device credentials from the client device;
      
      receive information from the client device; and
      
      categorize the information based on whether the first device credentials or the second device credentials were received from the client device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Google LLC (Alphabet Inc.)
Original Assignee
Nest Labs Incorporated (Alphabet Inc.)
Inventors
Logue, Jay D., Supramaniam, Senthilvasan, Hardison, Osborne B., Luxemberg, Jared A.
Primary Examiner(s)
Gergiso, Techane

Application Number

US13/624,893
Time in Patent Office

360 Days
Field of Search

726/7, 709/223, 709/227
US Class Current

726/7
CPC Class Codes

G06F 21/31   User authentication

H04L 63/0428   wherein the data content is...

H04L 63/06   for supporting key manageme...

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 63/0846   using time-dependent-passwo...

H04L 63/0853   using an additional device,...

H04L 63/0884   by delegation of authentica...

H04L 63/10   for controlling access to d...

Multi-tiered authentication methods for facilitating communications amongst smart home devices and cloud-based servers

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Multi-tiered authentication methods for facilitating communications amongst smart home devices and cloud-based servers

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links