Devolved authentication
First Claim
1. A method of operating an authentication provisioning unit for authenticating a user to a service provider, the method comprising:
in a first stage of the method;
a) receiving credentials from a user;
b) determining whether the credentials received from the user represent a valid logon; and
if that determination is positive, then
c) generating at least one network address comprising a domain address and at least one instance parameter, the instance parameter uniquely identifying the user and the instance of generation of the network address;
d) providing the network address to the user;
e) receiving a parameter from a service provider;
f) determining whether the received parameter indicates a valid attempt to log on to the service provider by checking that the received parameter matches an instance parameter that has previously been provided to a user and that has not previously been received from a service provider; and
if that determination is positive, signalling to the service provider over a secure channel a message indicating that the received parameter represents a valid logon attempt, the message including credentials of the user to whom the instance parameter that matches the received parameter had been issued,
wherein a positive determination at step (f) indicates that the parameter received from the service provider is based on the network address provided to the user,
wherein the domain address is a single-use address of the service provider in order that the user is able to access the service provider by the domain address in the absence of redirection and confirm authentication by the instance parameter,
and wherein the network address is provided to the user over a secure channel.
Abstract
A method of authenticating a user to a service provider by means of an authentication provision unit, the method comprising: in a first stage of the method: receiving credentials from a user; determining whether the credentials received from the user represent a valid logon; and if that determination is positive: generating at least one network address comprising a domain address and at least one instance parameter, the instance parameter uniquely identifying the user and the instance of generation of the network address; and providing the network address to the user; and in a second stage of the method: receiving a parameter from a service provider; determining whether the received parameter indicates a valid attempt to log on to the service provider by checking that the received parameter matches an instance parameter that has previously been issued to a user and that has not previously been received from a service provider; and if that determination is positive: signalling to the service provider over a secure channel a message indicating that the received parameter represents a valid logon attempt, the message including credentials of the user to whom the instance parameter that matches the received parameter had been issued.
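The two stages described in the abstract, modelled as an added Python example that is not part of the patent or of any product implementing it; the class and function names, the `/login?instance=...` URL layout, the demo password hashing and the expiry window are my own assumptions.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlparse


def hash_password(password: str) -> str:
    # Demo-only credential store (constructed); a real unit would use a salted, slow KDF.
    return hashlib.sha256(password.encode()).hexdigest()


class AuthProvisioningUnit:
    """Hypothetical model of the authentication provisioning unit in the abstract."""

    def __init__(self, users: dict, sp_domain: str, ttl_seconds: int = 300):
        self._users = users            # username -> hash_password(pw); constructed
        self._sp_domain = sp_domain    # service-provider domain placed in the address
        self._ttl = ttl_seconds        # expiry is an assumption, not in the claims
        self._issued = {}              # instance parameter -> [user, issued_at, redeemed]

    # First stage: receive credentials, validate the logon, issue the address.
    def issue_network_address(self, username: str, password: str):
        stored = self._users.get(username)
        if stored is None or not hmac.compare_digest(stored, hash_password(password)):
            return None                # credentials are not a valid logon
        param = secrets.token_urlsafe(32)   # unique per user and per issuance
        self._issued[param] = [username, time.time(), False]
        # Returned to the user; the secure channel (e.g. TLS) is assumed, not modelled.
        return f"https://{self._sp_domain}/login?instance={param}"

    # Second stage: the service provider relays the parameter it received.
    def verify_parameter(self, param: str):
        rec = self._issued.get(param)
        if rec is None or rec[2]:
            return None                # never issued, or already redeemed (replay)
        if time.time() - rec[1] > self._ttl:
            return None                # stale address; assumption beyond the claims
        rec[2] = True                  # single use: this parameter is never accepted again
        return {"valid": True, "user": rec[0]}  # message carrying the user's identity


def extract_instance_parameter(network_address: str):
    """What the service provider extracts from the address the user presented."""
    qs = parse_qs(urlparse(network_address).query)
    return qs.get("instance", [None])[0]
```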
16 Claims
2. A method as claimed in claim, wherein the secure channel over which the network address is provided is an encrypted channel.
10. An authentication provision unit for authenticating a user to a service provider, the authentication unit comprising:
a processing system, including a computer processor, the processing system being configured to;
a) receive credentials from a user;
b) determine whether the credentials received from the user represent a valid logon; and
if that determination is positive, then
c) generate at least one network address comprising a domain address and at least one instance parameter, the instance parameter uniquely identifying the user and the instance of generation of the network address;
d) provide the network address to the user;
e) receive a parameter from a service provider;
f) determine whether the received parameter indicates a valid attempt to log on to the service provider by checking that the received parameter matches an instance parameter that has previously been provided to a user and that has not previously been received from a service provider; and
if that determination is positive, signal to the service provider over a secure channel a message indicating that the received parameter represents a valid logon attempt, the message including credentials of the user to whom the instance parameter that matches the received parameter had been issued,
wherein a positive determination at step (f) indicates that the parameter received from the service provider is based on the network address provided to the user,
wherein the domain address is a single-use address of the service provider in order that the user is able to access the service provider by the domain address in the absence of redirection and confirm authentication by the instance parameter,
and wherein the processing system is configured so that the network address is provided to the user over a secure channel.