Methods and apparatus for authenticating a user multiple times during a session

US 8,832,812 B1
Filed: 03/31/2011
Issued: 09/09/2014
Est. Priority Date: 03/31/2011
Status: Active Grant

First Claim

Patent Images

1. A method for controlling access of a user to a protected resource during a session, the method comprising the steps of:

issuing an authentication information request responsive to an access request from the user to access the protected resource;

receiving user-supplied authentication information from the user responsive to the authentication information request;

authenticating the user based upon verification of the received authentication information; and

repeating one or more of the issuing, receiving and authenticating steps during the session to re-authenticate the user using at least a portion of the user-supplied authentication information that is different from a corresponding portion of the user-supplied authentication information used during the first authenticating step, wherein said user-supplied authentication information received during an initial authentication and said user-supplied authentication information received during said re-authentication are based on a variable tokencode generated by a security token, wherein at least one of said issuing, receiving and authenticating steps is performed by at least one hardware device.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Access of a user to a protected resource during a session is controlled by issuing an authentication information request and receiving authentication information from the user responsive to the authentication information request. The user is authenticated based upon verification of the received authentication information. One or more of the issuing, receiving and authenticating steps are repeated during the session to re-authenticate the user. At least a portion of the authentication information that is used during the re-authentication is different from a corresponding portion of the authentication information that was used during the initial authentication. A secure channel is optionally established between the user and the protected resource responsive to the initial verification. The secure channel can optionally be re-established with the re-authentication using the different portion of the authentication information.

Citations

28 Claims

1. A method for controlling access of a user to a protected resource during a session, the method comprising the steps of:
- issuing an authentication information request responsive to an access request from the user to access the protected resource;
  
  receiving user-supplied authentication information from the user responsive to the authentication information request;
  
  authenticating the user based upon verification of the received authentication information; and
  
  repeating one or more of the issuing, receiving and authenticating steps during the session to re-authenticate the user using at least a portion of the user-supplied authentication information that is different from a corresponding portion of the user-supplied authentication information used during the first authenticating step, wherein said user-supplied authentication information received during an initial authentication and said user-supplied authentication information received during said re-authentication are based on a variable tokencode generated by a security token, wherein at least one of said issuing, receiving and authenticating steps is performed by at least one hardware device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The method of claim 1, further comprising the step of establishing a secure channel between the user and the protected resource responsive to the verification.
  - 3. The method of claim 2, further comprising the step of re-establishing the secure channel using the different portion of the authentication information.
  - 4. The method of claim 2, wherein the secure channel is based on at least a portion of the authentication information.
  - 5. The method of claim 1, wherein the step of repeating one or more of the issuing, receiving and authenticating steps is triggered based on a passage of time.
  - 6. The method of claim 1, wherein the step of repeating one or more of the issuing, receiving and authenticating steps is triggered based on occurrence of a predefined event.
  - 7. The method of claim 1, wherein the step of repeating one or more of the issuing, receiving and authenticating steps is triggered randomly.
  - 8. The method of claim 1, wherein the step of repeating one or more of the issuing, receiving and authenticating steps further comprises the step of providing a response to a challenge.
  - 9. The method of claim 1, wherein the step of repeating one or more of the issuing, receiving and authenticating steps is triggered by one or more of the user and the protected resource.
  - 10. The method of claim 1, wherein the step of repeating one or more of the issuing, receiving and authenticating steps further comprises the step of obtaining the variable tokencode from the security token.
  - 11. The method of claim 10, wherein the variable tokencode is derived from information contained within a challenge.
  - 12. The method of claim 10, wherein the variable tokencode comprises a one-time password generated by a security token.
  - 13. The method of claim 1, wherein the protected resource comprises one or more of an application, web site or hardware device.
  - 14. The method of claim 1, wherein the authentication information request comprises a request for at least a portion of at least one password or other authentication credential associated with the user.
  - 15. The method of claim 1, wherein the step of authenticating the user verifies the authentication information by checking that it is valid, has not been used before, and is within a designated lifetime of the session.
  - 16. The method of claim 1, wherein said user-supplied authentication information received during said initial authentication and said user-supplied authentication information received during said re-authentication evolve over time.
  - 17. The method of claim 1, wherein said user-supplied authentication information received during said initial authentication and said user-supplied authentication information received during said re-authentication are based on the variable tokencode generated by the same security token.
  - 18. A non-transitory machine-readable recordable storage medium for storing one or more software programs for use in controlling user access to an access-controlled resource, wherein the one or more software programs when executed by one or more processing devices implement the steps of the method of claim 1.

19. An apparatus for controlling access of a user to a protected resource during a session, the apparatus comprising:
- a memory; and
  
  at least one processor, coupled to the memory, operative to implement the following steps;
  
  issuing an authentication information request responsive to an access request from the user to access the protected resource;
  
  receiving user-supplied authentication information from the user responsive to the authentication information request;
  
  authenticating the user based upon verification of the received authentication information; and
  
  repeating one or more of the issuing, receiving and authenticating steps during the session to re-authenticate the user using at least a portion of the user-supplied authentication information that is different from a corresponding portion of the user-supplied authentication information used during the first authenticating step, wherein said user-supplied authentication information received during an initial authentication and said user-supplied authentication information received during said re-authentication are based on a variable tokencode generated by a security token.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 20. The apparatus of claim 19, wherein the processor is further configured to establish a secure channel between the user and the protected resource responsive to the verification.
  - 21. The apparatus of claim 20, wherein the secure channel is re-established using the different portion of the authentication information.
  - 22. The apparatus of claim 20, wherein the secure channel is based on at least a portion of the authentication information.
  - 23. The apparatus of claim 19, wherein the re-authentication steps is triggered based on one or more of a passage of time, an occurrence of a predefined event and randomly.
  - 24. The apparatus of claim 19, wherein the processor is further configured to provide a response to a challenge.
  - 25. The apparatus of claim 19, wherein the processor is further configured to obtain the variable tokencode from the security token.
  - 26. The apparatus of claim 19, wherein the protected resource comprises one or more of an application, web site or hardware device.
  - 27. The apparatus of claim 19, wherein said user-supplied authentication information received during said initial authentication and said user-supplied authentication information received during said re-authentication evolve over time.
  - 28. The apparatus of claim 19, wherein said user-supplied authentication information received during said initial authentication and said user-supplied authentication information received during said re-authentication are based on the variable tokencode generated by the same security token.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.), International Business Machines Corporation
Original Assignee
EMC Corporation (Dell Technologies Inc.)
Inventors
Morneau, Todd, Duane, William
Primary Examiner(s)
Harriman, Dant Shaifer

Application Number

US13/076,869
Time in Patent Office

1,258 Days
Field of Search

726/7
US Class Current

726/7
CPC Class Codes

G06F 21/31   User authentication

G06F 2221/2139   Recurrent verification

H04L 63/0846   using time-dependent-passwo...

H04L 63/0853   using an additional device,...

H04L 63/108   when the policy decisions a...

Methods and apparatus for authenticating a user multiple times during a session

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and apparatus for authenticating a user multiple times during a session

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links