Apparatus and method for performing real-time authentication using subject token combinations

US 8,752,124 B2
Filed: 05/24/2012
Issued: 06/10/2014
Est. Priority Date: 08/15/2011
Status: Active Grant

First Claim

Patent Images

1. An apparatus comprising:

a memory configured to;

store a plurality of token-based rules, wherein a token-based rule facilitates access to a first resource and a second resource;

store a plurality of first subject tokens associated with a user, wherein the plurality of first subject tokens indicates at least one form of user authentication that has been performed;

store a plurality of second subject tokens associated with a device, wherein the plurality of second subject tokens indicates at least one form of device authentication that has been performed; and

store a session token associated with a session, wherein;

access to the first resource has been granted during the session; and

the at least one form of user authentication and the at least one form of device authentication must be performed in order for access to the first resource to be granted; and

a processor communicatively coupled to the memory and configured to;

receive a resource token indicating that access to the second resource has been requested;

determine at least one token-based rule based at least in part upon the resource token, wherein the at least one token-based rule is associated with at least one subject token, the at least one subject token indicating a form of authentication that must be performed in order for access to the second resource to be granted;

determine that the at least one subject token is not in the plurality of first subject tokens and the plurality of second subject tokens, wherein the determination that the at least one subject token is not in the plurality of first subject tokens and the plurality of second subject tokens indicates that the form of authentication has not been performed during the session;

determine that access to the second resource should be denied based at least in part upon the determination that the at least one subject token is not in the plurality of first subject tokens and the plurality of second subject tokens;

generate a message indicating the determination that access to the second resource should be denied, wherein the message further indicates the form of authentication; and

transmit the message to the device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to one embodiment, an apparatus may receive a resource token associated with a resource indicating that access to the resource has been requested. The apparatus may determine at least one token-based rule based at least in part upon the resource token, wherein the at least one token-based rule may be associated with at least one subject token. The apparatus may then determine that the at least one subject token is not in the plurality of first subject tokens and the plurality of second subject tokens based at least in part upon the at least one token-based rule, and deny access to the resource.

Citations

21 Claims

1. An apparatus comprising:
- a memory configured to;
  
  store a plurality of token-based rules, wherein a token-based rule facilitates access to a first resource and a second resource;
  
  store a plurality of first subject tokens associated with a user, wherein the plurality of first subject tokens indicates at least one form of user authentication that has been performed;
  
  store a plurality of second subject tokens associated with a device, wherein the plurality of second subject tokens indicates at least one form of device authentication that has been performed; and
  
  store a session token associated with a session, wherein;
  
  access to the first resource has been granted during the session; and
  
  the at least one form of user authentication and the at least one form of device authentication must be performed in order for access to the first resource to be granted; and
  
  a processor communicatively coupled to the memory and configured to;
  
  receive a resource token indicating that access to the second resource has been requested;
  
  determine at least one token-based rule based at least in part upon the resource token, wherein the at least one token-based rule is associated with at least one subject token, the at least one subject token indicating a form of authentication that must be performed in order for access to the second resource to be granted;
  
  determine that the at least one subject token is not in the plurality of first subject tokens and the plurality of second subject tokens, wherein the determination that the at least one subject token is not in the plurality of first subject tokens and the plurality of second subject tokens indicates that the form of authentication has not been performed during the session;
  
  determine that access to the second resource should be denied based at least in part upon the determination that the at least one subject token is not in the plurality of first subject tokens and the plurality of second subject tokens;
  
  generate a message indicating the determination that access to the second resource should be denied, wherein the message further indicates the form of authentication; and
  
  transmit the message to the device.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The apparatus of claim 1, wherein the at least one subject token is associated with a missing form of user authentication.
  - 3. The apparatus of claim 1, wherein the at least one subject token is associated with a missing form of device authentication.
  - 4. The apparatus of claim 1, wherein the processor is further configured to:
    - receive the at least one subject token; and
      
      determine that access to the second resource should be granted based at least in part upon the at least one subject token.
  - 5. The apparatus of claim 4, wherein receiving the at least one subject token indicates that a missing form of user authentication has been performed.
  - 6. The apparatus of claim 5, wherein the missing form of user authentication is biometric authentication.
  - 7. The apparatus of claim 4, wherein receiving the at least one subject token indicates that a missing form of device authentication has been performed.

8. A method comprising:
- storing, by a memory, a plurality of token-based rules, wherein a token-based rule facilitates access to a first resource and a second resource;
  
  storing, by the memory, a plurality of first subject tokens associated with a user, wherein the plurality of first subject tokens indicates at least one form of user authentication that has been performed;
  
  storing, by the memory, a plurality of second subject tokens associated with a device, wherein the plurality of second subject tokens indicates at least one form of device authentication that has been performed;
  
  storing, by the memory, a session token associated with a session, wherein;
  
  access to the first resource has been granted during the session; and
  
  the at least one form of user authentication and the at least one form of device authentication must be performed in order for access to the first resource to be granted;
  
  receiving, by a processor communicatively coupled to the memory, a resource token indicating that access to the second resource has been requested;
  
  determining, by the processor, at least one token-based rule based at least in part upon the resource token, wherein the at least one token-based rule is associated with at least one subject token, the at least one subject token indicating a form of authentication that must be performed in order for access to the second resource to be granted;
  
  determining, by the processor, that the at least one subject token is not in the plurality of first subject tokens and the plurality of second subject tokens, wherein the determination that the at least one subject token is not in the plurality of first subject tokens and the plurality of second subject tokens indicates that the form of authentication has not been performed during the session;
  
  determining, by the processor, that access to the second resource should be denied based at least in part upon the determination that the at least one subject token is not in the plurality of first subject tokens and the plurality of second subject tokens;
  
  generating, by the processor, a message indicating the determination that access to the second resource should be denied, wherein the message further indicates the form of authentication; and
  
  transmitting, by the processor, the message to the device.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method of claim 8, wherein the at least one subject token is associated with a missing form of user authentication.
  - 10. The method of claim 8, wherein the at least one subject token is associated with a missing form of device authentication.
  - 11. The method of claim 9, further comprising:
    - receiving, by the processor, the at least one subject token; and
      
      determining, by the processor, that access to the second resource should be granted based at least in part upon the at least one subject token.
  - 12. The method of claim 11, wherein receiving the at least one subject token indicates that a missing form of user authentication has been performed.
  - 13. The method of claim 12, wherein the missing form of user authentication is biometric authentication.
  - 14. The method of claim 11, wherein receiving the at least one subject token indicates that a missing form of device authentication has been performed.

15. One or more computer-readable non-transitory storage media embodying software that, when executed, is configured to:
- store a plurality of token-based rules, wherein a token-based rule facilitates access to a first resource and a second resource;
  
  store a plurality of first subject tokens associated with a user, wherein the plurality of first subject tokens indicates at least one form of user authentication that has been performed;
  
  store a plurality of second subject tokens associated with a device, wherein the plurality of second subject tokens indicates at least one form of device authentication that has been performed;
  
  store a session token associated with a session, wherein;
  
  access to the first resource has been granted during the session; and
  
  the at least one form of user authentication and the at least one form of device authentication must be performed in order for access to the first resource to be granted;
  
  receive a resource token indicating that access to the second resource has been requested;
  
  determine at least one token-based rule based at least in part upon the resource token, wherein the at least one token-based rule is associated with at least one subject token, the at least one subject token indicating a form of authentication that must be performed in order for access to the second resource to be granted;
  
  determine that the at least one subject token is not in the plurality of first subject tokens and the plurality of second subject tokens, wherein the determination that the at least one subject token is not in the plurality of first subject tokens and the plurality of second subject tokens indicates that the form of authentication has not been performed during the session;
  
  determine that access to the second resource should be denied based at least in part upon the determination that the at least one subject token is not in the plurality of first subject tokens and the plurality of second subject tokens;
  
  generate a message indicating the determination that access to the second resource should be denied, wherein the message further indicates the form of authentication; and
  
  transmit the message to the device.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The media of claim 15, wherein the at least one subject token is associated with a missing form of user authentication.
  - 17. The media of claim 15, wherein the at least one subject token is associated with a missing form of device.
  - 18. The media of claim 15 embodying software that, when executed, is further configured to:
    - receive the at least one subject token; and
      
      determine that access to the second resource should be granted based at least in part upon the at least one subject token.
  - 19. The media of claim 18, wherein receiving the at least one subject token indicates that a missing form of user authentication has been performed.
  - 20. The media of claim 19, wherein the missing form of user authentication is biometric authentication.
  - 21. The media of claim 18, wherein receiving the at least one subject token indicates that a missing form of device authentication has been performed.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Bank of America Corp.
Original Assignee
Bank of America Corp.
Inventors
Radhakrishnan, Rakesh
Primary Examiner(s)
Le, Chau
Assistant Examiner(s)
ZHAO, DON GORDON

Application Number

US13/479,482
Publication Number

US 20130047242A1
Time in Patent Office

747 Days
Field of Search

713172-185, 726/1
US Class Current

726/1
CPC Class Codes

G06F 21/00   Security arrangements for p...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0876   based on the identity of th...

H04L 63/102   Entity profiles

H04L 9/088   Usage controlling of secret...

H04L 9/3213   using tickets or tokens, e....

H04L 9/3231   Biological data, e.g. finge...

H04L 9/3234   involving additional secure...

Apparatus and method for performing real-time authentication using subject token combinations

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Apparatus and method for performing real-time authentication using subject token combinations

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links