Systems and methods for authentication via mobile communication device

US 8,739,260 B1
Filed: 02/10/2012
Issued: 05/27/2014
Est. Priority Date: 02/10/2011
Status: Active Grant

First Claim

Patent Images

1. An authentication server computer system comprising at least one processor configured to:

communicate with a mobile communication device of a user to authenticate the mobile communication device as authorized to validate a user login session by a user client computer system on a service provider server;

send to the mobile communication device a request for user validation of the user login session on the service provider server;

in response to sending to the mobile communication device the request for user validation of the user login session, receive from the mobile communication device a user acceptance of the request for user validation of the user login session, wherein the user acceptance indicates a user confirmation that a first sensory identification of the login session presented to the user on the mobile communication device matches a second sensory identification of the login session presented to the user on the user client computer system; and

in response to authenticating the mobile communication device and receiving the user acceptance, send to the service provider an indicator of the user'"'"'s acceptance, for allowing the user client computer system access to a restricted resource on the service provider server.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Described systems and methods allow secure and relatively convenient authentication of a secure login session. When a user initiates a login session on a secure site using a client computer system (e.g. laptop, tablet, smartphone), matching login session identifiers (Ticket IDs) are displayed on the client computer system and a mobile communication device uniquely associated with the user (e.g. the user'"'"'s smartphone). Upon verifying that the two Ticket IDs match, the user accepts the Ticket ID displayed on the mobile communication device, which causes the login session by the client computer system to proceed. Identity verification proceeds largely in the background, through communications between an authentication server, service provider server, and mobile communication device, and involves minimal user input. Techniques are disclosed for reducing the incidence of inadvertent acceptance of incorrect Ticket IDs by users, and reducing system vulnerability to attacks.

Citations

30 Claims

1. An authentication server computer system comprising at least one processor configured to:
- communicate with a mobile communication device of a user to authenticate the mobile communication device as authorized to validate a user login session by a user client computer system on a service provider server;
  
  send to the mobile communication device a request for user validation of the user login session on the service provider server;
  
  in response to sending to the mobile communication device the request for user validation of the user login session, receive from the mobile communication device a user acceptance of the request for user validation of the user login session, wherein the user acceptance indicates a user confirmation that a first sensory identification of the login session presented to the user on the mobile communication device matches a second sensory identification of the login session presented to the user on the user client computer system; and
  
  in response to authenticating the mobile communication device and receiving the user acceptance, send to the service provider an indicator of the user'"'"'s acceptance, for allowing the user client computer system access to a restricted resource on the service provider server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The authentication server computer system of claim 1, wherein the authentication server computer system is configured to generate and send to the mobile communication device an identifier of the user login session, the mobile communication device generating the first sensory identification of the login session according to the identifier of the user login session.
  - 3. The authentication server computer system of claim 2, wherein the authentication server computer system is configured to send to the service provider the identifier of the user login session, the service provider server generating the second sensory identification of the login session according to the identifier of the user login session.
  - 4. The authentication server computer system of claim 1, wherein the first sensory identification of the login session comprises a first display of an alphanumeric sequence.
  - 5. The authentication server computer system of claim 4, wherein the second sensory identification of the login session comprises a second display of the alphanumeric sequence.
  - 6. The authentication server computer system of claim 1, wherein the first sensory identification of the login session comprises a first graphical display, and the second sensory identification of the login session comprises a second graphical display.
  - 7. The authentication server computer system of claim 6, wherein the first graphical display is identical in content to the second graphical display.
  - 8. The authentication server computer system of claim 6, wherein the first graphical display is complementary to the second graphical display.
  - 9. The authentication server computer system of claim 1, wherein the first sensory identification of the login session is a graphical representation, and wherein the second sensory identification of the login session is a non-graphical representation.
  - 10. The authentication server computer system of claim 1, wherein the user acceptance indicates a user selection of the first sensory identification of the login session from among a plurality of comparable sensory presentations presented to the user on the mobile communication device.
  - 11. The authentication server computer system of claim 1, wherein the authentication server computer system is configured to revoke the request to validate the login session sent to the mobile communication device in response to receiving, before receiving the user acceptance, a request to validate an additional login session of the user.

12. A mobile communication device comprising at least one processor configured to:
- communicate with an authentication server computer system to authenticate the mobile communication device as authorized to validate a user login session by a user client computer system on a service provider server;
  
  receive from the authentication server computer system a request for user validation of the user login session on the service provider server;
  
  in response to receiving the request for user validation of the user login session, present to the user a first sensory identification of the login session, wherein the first sensory identification matches a second sensory identification of the login session presented to the user on the user client computer system;
  
  receive from the user a user acceptance of the request for user validation of the user login session, wherein the user acceptance indicates a user confirmation that the first sensory identification matches the second sensory identification; and
  
  in response to receiving the user acceptance, send to the authentication server computer system an indicator of the user acceptance, for allowing the user client computer system access to a restricted resource on the service provider server.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20)
- - 13. The mobile communication device of claim 12, wherein the mobile communication device is configured to generate and send to the service provider server an identifier of the user login session, the service provider server generating the second sensory identification of the login session according to the identifier of the user login session.
  - 14. The mobile communication device of claim 12, wherein the first sensory identification of the login session comprises a first display of an alphanumeric sequence.
  - 15. The mobile communication device of claim 14, wherein the second sensory identification of the login session comprises a second display of the alphanumeric sequence.
  - 16. The mobile communication device of claim 12, wherein the first sensory identification of the login session comprises a first graphical display, and the second sensory identification of the login session comprises a second graphical display.
  - 17. The mobile communication device of claim 16, wherein the first graphical display is identical in content to the second graphical display.
  - 18. The mobile communication device of claim 16, wherein the first graphical display is complementary to the second graphical display.
  - 19. The mobile communication device of claim 12, wherein the first sensory identification of the login session is a graphical representation, and wherein the second sensory identification of the login session is a non-graphical representation.
  - 20. The mobile communication device of claim 12, wherein the user acceptance indicates a user selection of the first sensory identification of the login session from among a plurality of comparable sensory presentations presented to the user on the mobile communication device.

21. A service provider computer system comprising at least one processor configured to:
- receive from a user client computer system a request to initiate a user login session for a user;
  
  generate and send to the user client computer system a first sensory identification of the login session to be presented to the user by the user client computer system;
  
  send to an authentication server computer system a request for user validation of the user login session;
  
  receive from the authentication server computer system an indicator of the user'"'"'s acceptance of the request for user validation, wherein receiving the indicator of the user'"'"'s acceptance indicates;
  
  an authentication by the authentication server computer system of a mobile communication device of the user as authorized to validate the user login session, anda user confirmation that a second sensory identification of the login session presented to the user on the mobile communication device matches the first sensory identification of the login session presented to the user by the user client computer system; and
  
  in response to receiving from the authentication server computer system the indicator of the user'"'"'s acceptance of the request for user validation, allowing the user client computer system access to a restricted resource on the service provider server.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 22. The service provider computer system of claim 21, wherein the service provider computer system is configured to generate and send to the mobile communication device an identifier of the user login session, the mobile communication device generating the second sensory identification of the login session according to the identifier of the user login session.
  - 23. The service provider computer system of claim 21, wherein the service provider computer system is configured to send the identifier of the user login session to the mobile communication device through the authentication server computer system.
  - 24. The service provider computer system of claim 21, wherein the first sensory identification of the login session comprises a first display of an alphanumeric sequence.
  - 25. The service provider computer system of claim 24, wherein the second sensory identification of the login session comprises a second display of the alphanumeric sequence.
  - 26. The service provider computer system of claim 21, wherein the first sensory identification of the login session comprises a first graphical display, and the second sensory identification of the login session comprises a second graphical display.
  - 27. The service provider computer system of claim 26, wherein the first graphical display is identical in content to the second graphical display.
  - 28. The service provider computer system of claim 26, wherein the first graphical display is complementary to the second graphical display.
  - 29. The service provider computer system of claim 21, wherein the first sensory identification of the login session is a graphical representation, and wherein the second sensory identification of the login session is a non-graphical representation.
  - 30. The service provider computer system of claim 21, wherein the user acceptance indicates a user selection of the second sensory identification of the login session from among a plurality of comparable sensory presentations presented to the user on the mobile communication device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SecSign Technologies, Inc.
Original Assignee
SecSign Technologies, Inc.
Inventors
Damm-Goossens, Andre
Primary Examiner(s)
LE, CHAU D

Application Number

US13/371,357
Time in Patent Office

837 Days
Field of Search

726/4, 726/5, 726/7
US Class Current

726/7
CPC Class Codes

H04L 2209/80   Wireless

H04L 2463/082   applying multi-factor authe...

H04L 63/0853   using an additional device,...

H04L 63/18   using different networks or...

H04L 9/0891   Revocation or update of sec...

H04L 9/3213   using tickets or tokens, e....

H04L 9/3226   using a predetermined code,...

H04L 9/3234   involving additional secure...

H04W 12/065   Continuous authentication

H04W 12/069   using certificates or pre-s...

Systems and methods for authentication via mobile communication device

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for authentication via mobile communication device

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links