Passwordless strong authentication using trusted devices

US 8,627,438 B1
Filed: 09/08/2011
Issued: 01/07/2014
Est. Priority Date: 09/08/2011
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of authenticating a customer using a trusted device, the method comprising:

registering a mobile device as a trusted device associated with a customer account for an online resource;

detecting an attempt to access the online resource by an electronic device different from the trusted device;

providing a graphical code for display by the electronic device responsive to detecting the attempt, the graphical code including a security token therein;

receiving authentication data from the mobile device, the authentication data indicating that the graphical code was captured by the mobile device;

identifying the mobile device as the trusted device associated with the customer account responsive to receiving the authentication data from the mobile device and based on the registering the mobile device as a trusted device;

marking the security token included in the graphical code as authenticated responsive to identifying the mobile device as the trusted device associated with the customer account;

detecting authentication of the security token displayed by the electronic device; and

automatically signing-in the electronic device to the customer account for the online resource responsive to detecting the authentication of the security token and without receiving a username or password associated with the customer account therefrom, wherein at least one of the registering, detecting the attempt to access, providing, receiving, identifying, marking, detecting the authentication, and automatically signing-in is performed using at least one hardware processor.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A code for accessing an online resource having a customer account associated therewith is presented via a secondary device, and authentication data indicative of the code that was presented is received from a primary device. The primary device is identified as a trusted device associated with the customer account responsive to receiving the authentication data therefrom, and the secondary device is authenticated for access to the online resource responsive to identification of the primary device as the trusted device associated with the customer account.

265 Citations

32 Claims

1. A computer-implemented method of authenticating a customer using a trusted device, the method comprising:
- registering a mobile device as a trusted device associated with a customer account for an online resource;
  
  detecting an attempt to access the online resource by an electronic device different from the trusted device;
  
  providing a graphical code for display by the electronic device responsive to detecting the attempt, the graphical code including a security token therein;
  
  receiving authentication data from the mobile device, the authentication data indicating that the graphical code was captured by the mobile device;
  
  identifying the mobile device as the trusted device associated with the customer account responsive to receiving the authentication data from the mobile device and based on the registering the mobile device as a trusted device;
  
  marking the security token included in the graphical code as authenticated responsive to identifying the mobile device as the trusted device associated with the customer account;
  
  detecting authentication of the security token displayed by the electronic device; and
  
  automatically signing-in the electronic device to the customer account for the online resource responsive to detecting the authentication of the security token and without receiving a username or password associated with the customer account therefrom, wherein at least one of the registering, detecting the attempt to access, providing, receiving, identifying, marking, detecting the authentication, and automatically signing-in is performed using at least one hardware processor.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1, wherein detecting authentication of the security token comprises:
    - querying a data store to verify that the security token has been authenticated,wherein the querying is performed repeatedly or in response to receiving a notification indicating that the trusted device has transmitted the authenticating data.
  - 3. The method of claim 1, wherein the electronic device includes a web browser executing thereon, and wherein automatically signing-in the electronic device to the customer account for the online resource comprises:
    - transmitting a cookie including a session identifier to the web browser responsive to detecting the authentication of the security token displayed by the electronic device.
  - 4. The method of claim 1, wherein the electronic device is connected to a television and includes a native application executing thereon, and wherein automatically signing-in the electronic device to the customer account for the online resource comprises:
    - linking the native application executing on the electronic device to the customer account responsive to detecting the authentication of the security token displayed by the electronic device.

5. A computer-implemented method of authenticating a customer, the method comprising:
- presenting, via a secondary device, a code for accessing an online resource having a customer account associated therewith;
  
  receiving, from a primary device, authentication data indicative of the code that was presented via the secondary device, wherein the code is captured by the primary device from a display of the secondary device;
  
  identifying the primary device as a trusted device associated with the customer account responsive to receiving the authentication data from the Mobil device; and
  
  authenticating the secondary device for access to the online resource responsive to identifying the primary device as the trusted device associated with the customer account, wherein at least one of the presenting, receiving, identifying, and authenticating is performed using at least one hardware processor.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 6. The method of claim 5, wherein identifying the primary device comprises:
    - identifying the primary device as the trusted device based on a registration event associating the primary device with the customer account for the online resource,and wherein authenticating the secondary device comprises;
      
      providing an indication that the secondary device is permitted to access the online resource responsive to identifying the primary device as the trusted device.
  - 7. The method of claim 6, wherein the code includes a security token therein, and wherein providing an indication that the secondary device is permitted to access the online resource comprises marking the security token in the code presented via the secondary device as authenticated.
  - 8. The method of claim 6, wherein the registration event occurs prior to or concurrently with receiving the authentication data from the primary device.
  - 9. The method of claim 8, wherein the authentication data received from the primary device indicates that the code presented via the secondary device was locally captured and recorded by the primary device.
  - 10. The method of claim 5, further comprising:
    - automatically logging-in the secondary device to the customer account associated with the online resource responsive to authenticating the secondary device and without receiving customer identification information therefrom.
  - 11. The method of claim 5, wherein presenting the code comprises:
    - receiving a request to access the online resource without entry of customer identification information via the secondary device; and
      
      transmitting the code for presentation via the secondary device responsive to receiving the request.
  - 12. The method of claim 11, wherein the code comprises an identifier that is randomly generated responsive to receiving the request to access the online resource without entry of the customer identification information.
  - 13. The method of claim 5, wherein the code includes information identifying an authentication server that performs the authenticating, and wherein receiving the authentication data from the primary device comprises:
    - receiving the authentication data at the authentication server based on the information included in the code.
  - 14. The method of claim 5, further comprising:
    - receiving, from the primary device or the secondary device, an indication of a duration of time for which the access to the online resource via the secondary device will be valid; and
      
      denying the secondary device access to the online resource upon expiration of the duration of time.
  - 15. The method of claim 5, further comprising:
    - receiving, from the primary device, a notification revoking the access of the secondary device to the online resource; and
      
      denying the secondary device access to the online resource responsive to receiving the notification from the primary device.
  - 16. The method of claim 5, further comprising:
    - providing a prompt for additional authentication data via the primary device or via the secondary device; and
      
      receiving the additional authentication data from the primary device or the secondary device responsive to providing the prompt,wherein authenticating the secondary device for access to the online resource is performed responsive to receiving both the authentication data and the additional authentication data.
  - 17. The method of claim 16, wherein the primary device is associated with multiple customer accounts for different online resources having respective security levels associated therewith, and further comprising:
    - detecting an attempt to access one of the online resources by the secondary device,wherein the prompt for the additional authentication data is selectively provided based on the security level associated with the one of the online resources.
  - 18. The method of claim 16, wherein the primary device comprises one of a plurality of trusted devices associated with the customer account, wherein the primary device is associated with a lower level of trust than a tertiary device associated with the customer account, and wherein the prompt for the additional authentication data is not provided to the tertiary device to authenticate the secondary device for access to the online resource.

19. A server for authenticating a customer, the server comprising:
- a code generator configured to provide a code for accessing an online resource having a customer account associated therewith;
  
  a transceiver configured to transmit the code for presentation by a secondary device responsive to detecting an attempt to access the online resource by the secondary device, and to receive authentication data from a primary device responsive to transmitting the code, wherein the authentication data indicates that the code presented by the secondary device was recorded by the primary device; and
  
  an authentication module configured to access a customer account store to identify the primary device as a trusted device associated with the customer account responsive to receiving the authentication data from the primary device, and to authenticate the secondary device for access to the online resource responsive to identifying the primary device as the trusted device.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 20. The server of claim 19, wherein the authentication module is configured to identify the primary device as the trusted device associated with the customer account based on a registration event stored in the customer account store, and wherein the authentication module is configured to provide an indication that the secondary device is permitted to access the online resource responsive to identification of the primary device as the trusted device.
  - 21. The server of claim 20, wherein the code includes a security token therein, and wherein the authentication module is configured to mark the security token as authenticated responsive to identifying the primary device as the trusted device and store an indicia thereof in a code store as the indication that the secondary device is permitted to access the online resource.
  - 22. The server of claim 19, wherein the authentication data received from the primary device indicates that the code presented via the secondary device was locally recorded by the primary device.
  - 23. The server of claim 19, wherein the code generator is configured to randomly generate the code responsive to receiving a request to access the online resource without entry of customer identification information via the secondary device.
  - 24. The server of claim 19, wherein the code includes addressing information for the server, and wherein the authentication module receives the authentication data from the primary device based on the addressing information included in the code.
  - 25. The server of claim 19, wherein the transceiver is configured to receive, from the primary device or the secondary device, an indication of a duration of time for which the access to the online resource via the secondary device will be valid, and wherein the authentication module is configured to deny the secondary device access to the online resource upon expiration of the duration of time.
  - 26. The server of claim 19, wherein the transceiver is configured to receive, from the primary device, a notification revoking the access of the secondary device to the online resource, and wherein the authentication module is configured to deny the secondary device access to the online resource responsive to receiving the notification from the primary device.
  - 27. The server of claim 19, wherein the authentication module is configured to provide a prompt for additional authentication data via the primary device or via the secondary device, wherein the transceiver is configured to receive the additional authentication data from the primary device or the secondary device responsive to providing the prompt, and wherein the authentication module is configured to authenticate the secondary device for access to the online resource responsive to receiving both the authentication data and the additional authentication data.
  - 28. The server of claim 27, wherein the authentication module is configured to selectively provide the prompt for additional authentication data based on a level of security associated with the online resource or based on a level of trust associated with the primary device.

29. A computer program product for authenticating a customer, the computer program product comprising a non-transitory computer-readable storage medium having computer-readable program code therein that, when executed by a processor, is configured to:
- register a mobile device including the processor therein as a trusted device associated with a customer account for an online resource;
  
  record a code for accessing the online resource, wherein the code is presented by an electronic device different than the mobile device; and
  
  transmit authentication data indicative of the code that was presented by the electronic device to an authentication server, the authentication data indicating that the code was recorded by the trusted device to authenticate the electronic device for access to the online resource.
- View Dependent Claims (30, 31, 32)
- - 30. The computer program product of claim 29, wherein the code is recorded using a camera of the mobile device, and wherein the computer-readable program code is further configured to:
    - derive, from the code recorded by the trusted device, addressing information for the authentication server and a security value provided therein;
      
      encrypt the security value using a predetermined encryption algorithm assigned to the mobile device responsive to registering thereof; and
      
      transmit the authentication data including the encrypted security value to the authentication server using the addressing information.
  - 31. The computer program product of claim 29, wherein the computer-readable program code is further configured to:
    - provide a prompt for entry of a duration of time for which the access to the online resource via the electronic device will be valid; and
      
      transmit an indication of the duration of time to the authentication server.
  - 32. The computer program product of claim 29, wherein the computer-readable program code is further configured to:
    - receive a request for additional authentication data based on a level of trust associated with the mobile device or a level of security associated with the online resource;
      
      provide a prompt for the additional authentication data responsive to the request;
      
      receive the additional authentication data via a user interface responsive to the prompt; and
      
      transmit the additional authentication data to the authentication server, wherein both the authentication data indicative of the code and the additional authentication data are used to authenticate the electronic device for access to the online resource.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Bhimanaik, Bharath Kumar
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Getachew, Abiy

Application Number

US13/228,192
Time in Patent Office

852 Days
Field of Search

726/9
US Class Current

726/9
CPC Class Codes

G06F 21/35   communicating wirelessly

G06F 21/36   by graphic or iconic repres...

H04L 2463/082   applying multi-factor authe...

H04L 63/08   for authentication of entit...

H04L 63/0853   using an additional device,...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/18   using different networks or...

H04L 65/60   Network streaming of media ...

H04L 9/321   involving a third party or ...

H04W 12/06   Authentication

H04W 12/77   Graphical identity

Passwordless strong authentication using trusted devices

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

265 Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

Passwordless strong authentication using trusted devices

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

265 Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links