Devolved authentication

US 8,800,013 B2
Filed: 02/19/2009
Issued: 08/05/2014
Est. Priority Date: 03/28/2008
Status: Active Grant

First Claim

Patent Images

1. A method of operating an authentication provisioning unit for authenticating a user to a service provider, the method comprising:

in a first stage of the method;

a) receiving credentials from a user;

b) determining whether the credentials received from the user represent a valid logon; and

if that determination is positive, thenc) generating at least one network address comprising a domain address and at least one instance parameter, the instance parameter uniquely identifying the user and the instance of generation of the network address;

d) providing the network address to the user;

e) receiving a parameter from a service provider;

f) determining whether the received parameter indicates a valid attempt to log on to the service provider by checking that the received parameter matches an instance parameter that has previously been provided to a user and that has not previously been received from a service provider; and

if that determination is positive, signalling to the service provider over a secure channel a message indicating that the received parameter represents a valid logon attempt, the message including credentials of the user to whom the instance parameter that matches the received parameter had been issued,wherein a positive determination at step (f) indicates that the parameter received from the service provider is based on the network address provided to the user,wherein the domain address is a single-use address of the service provider in order that the user is able to access the service provider by the domain address in the absence of redirection and confirm authentication by the instance parameter, andwherein the network address is provided to the user over a secure channel.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of authenticating a user to a service provider by means of an authentication provision unit, the method comprising: in a first stage of the method: receiving credentials from a user; determining whether the credentials received from the user represent a valid logon; and if that determination is positive: generating at least one network address comprising a domain address and at least one instance parameter, the instance parameter uniquely identifying the user and the instance of generation of the network address; and providing the network address to the user; and in a second stage of the method: receiving a parameter from a service provider; determining whether the received parameter indicates a valid attempt to log on to the service provider by checking that the received parameter matches an instance parameter that has previously been issued to a user and that has not previously been received from a service provider; and if that determination is positive: signalling to the service provider over a secure channel a message indicating that the received parameter represents a valid logon attempt, the message including credentials of the user to whom the instance parameter that matches the received parameter had been issued.

Citations

16 Claims

1. A method of operating an authentication provisioning unit for authenticating a user to a service provider, the method comprising:
- in a first stage of the method;
  
  a) receiving credentials from a user;
  
  b) determining whether the credentials received from the user represent a valid logon; and
  
  if that determination is positive, thenc) generating at least one network address comprising a domain address and at least one instance parameter, the instance parameter uniquely identifying the user and the instance of generation of the network address;
  
  d) providing the network address to the user;
  
  e) receiving a parameter from a service provider;
  
  f) determining whether the received parameter indicates a valid attempt to log on to the service provider by checking that the received parameter matches an instance parameter that has previously been provided to a user and that has not previously been received from a service provider; and
  
  if that determination is positive, signalling to the service provider over a secure channel a message indicating that the received parameter represents a valid logon attempt, the message including credentials of the user to whom the instance parameter that matches the received parameter had been issued,wherein a positive determination at step (f) indicates that the parameter received from the service provider is based on the network address provided to the user,wherein the domain address is a single-use address of the service provider in order that the user is able to access the service provider by the domain address in the absence of redirection and confirm authentication by the instance parameter, andwherein the network address is provided to the user over a secure channel.
- View Dependent Claims (3, 4, 5, 6, 7, 8, 9)
- - 3. A method as claimed in claim 1, wherein the secure channel over which the message is signalled to the service provider is an encrypted channel.
  - 4. A method as claimed in claim 1, wherein the network address is provided to the user in the form of a web page having a link to the network address.
  - 5. A method as claimed in claim 4, wherein the instance parameter is an HTTP querystring parameter to the network address.
  - 6. A method as claimed in claim 1, wherein the step of determining whether the received parameter indicates a valid attempt to log on to the service provider comprises checking that user to whom the instance parameter that matches the received parameter had been issued has not logged off from the authentication provision unit since the instance parameter was issued.
  - 7. A method as claimed in claim 1, wherein a plurality of network addresses is generated and provided to the user.
  - 8. A method as claimed in claim 7, wherein the network addresses are provided to the user in the form of iconised links to the network addresses.
  - 9. A method as claimed in claim 1, wherein the instance parameter identifies the time at which it was generated and the step of determining whether the received parameter indicates a valid attempt to log on to the service provider comprises checking that the difference between the time at which the instance parameter that matches the received parameter was generated and the current time is less than a predetermined value.

2. A method as claimed in claim, wherein the secure channel over which the network address is provided is an encrypted channel.

10. An authentication provision unit for authenticating a user to a service provider, the authentication unit comprising:
- a processing system, including a computer processor, the processing system being configured to;
  
  a) receive credentials from a user;
  
  b) determine whether the credentials received from the user represent a valid logon; and
  
  if that determination is positive, thenc) generate at least one network address comprising a domain address and at least one instance parameter, the instance parameter uniquely identifying the user and the instance of generation of the network addressd) provide the network address to the user;
  
  e) receive a parameter from a service provider;
  
  determine whether the received parameter indicates a valid attempt to log on to the service provider by checking that the received parameter matches an instance parameter that has previously been provided to a user and that has not previously been received from a service provider; and
  
  if that determination is positive, signal to the service provider over a secure channel a message indicating that the received parameter represents a valid logon attempt, the message including credentials of the user to whom the instance parameter that matches the received parameter had been issued,wherein a positive determination at step (f) indicates that the parameter received from the service provider is based on the network address provided to the user,wherein the domain address is a single-use address of the service provider in order the user is able to access the service provider by the domain address in the absence of redirection and confirm authentication by the instance parameter, andwherein the processing system is configured so that the network address is provided to the user over secure channel.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The authentication provision unit as claimed in claim 10, wherein the secure channel over which the network address is provided is an encrypted channel.
  - 12. The authentication provision unit as claimed in claim 10, wherein the processing system is configured so that the network address is provided to the user in the form of a web page having a link to the network address.
  - 13. The authentication provision unit as claimed in claim 12, wherein the instance parameter is an HTTP querystring parameter to the network address.
  - 14. The authentication provision unit as claimed in claim 10, wherein the processing system is configured to check that a user to whom the instance parameter that matches the received parameter had been issued has not logged off from the authentication provision unit since the instance parameter was issued.
  - 15. The authentication provision unit as claimed in claim 10, wherein the processing system is configured to generate a plurality of network addresses and provide the plurality of network addresses to the user.
  - 16. The authentication provision unit as claimed in claim 10, wherein the instance parameter identifies the time at which it was generated and the processing system is configured to check that the difference between the time at which the instance parameter that matches the received parameter was generated and the current time is less than a predetermined value.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
British Telecommunications PLC (BT Group PLC)
Original Assignee
British Telecommunications PLC (BT Group PLC)
Inventors
Herwono, Ian, Jones, James E
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Jamshidi, Ghodrat

Application Number

US12/934,858
Publication Number

US 20110030043A1
Time in Patent Office

1,993 Days
Field of Search

726/7
US Class Current

726/7
CPC Class Codes

H04L 63/0815 providing single-sign-on or...

H04L 63/168 above the transport layer

Devolved authentication

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Devolved authentication

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links