Methods and systems for authenticating users over networks

US 8,868,921 B2
Filed: 07/20/2011
Issued: 10/21/2014
Est. Priority Date: 07/20/2011
Status: Active Grant

First Claim

Patent Images

1. A method for authenticating users comprising:

requesting a one-time password and determining a time the request was made;

comparing the request time against a previous request time;

when the request time is after the previous request time, entering a personal identification number into a communications device, the personal identification number being transmitted during an enrollment process from the device to an authentication system for storage therein;

retrieving, by the communications device, a shared secret stored therein;

generating a hashed personal identification number from the personal identification number;

generating a modified shared secret; and

generating a one-time password with the modified shared secret and the request time.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for authenticating users over networks includes requesting a one-time password, entering a personal identification number into a communications device, and retrieving a replaceable shared secret stored in the communications device. Moreover, the method includes generating a hashed personal identification number from the entered personal identification number, combining the hashed personal identification number with the replaceable shared secret to generate a modified shared secret, and generating a one-time password with the modified shared secret and the time of requesting the one-time password.

Citations

19 Claims

1. A method for authenticating users comprising:
- requesting a one-time password and determining a time the request was made;
  
  comparing the request time against a previous request time;
  
  when the request time is after the previous request time, entering a personal identification number into a communications device, the personal identification number being transmitted during an enrollment process from the device to an authentication system for storage therein;
  
  retrieving, by the communications device, a shared secret stored therein;
  
  generating a hashed personal identification number from the personal identification number;
  
  generating a modified shared secret; and
  
  generating a one-time password with the modified shared secret and the request time.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. A method in accordance with claim 1, said generating a modified shared secret step comprising combining the hashed personal identification number with the shared secret.
  - 3. A method in accordance with claim 1, further comprising:
    - reading the one-time password from the communications device;
      
      entering the one-time password in a service provider web page operated by a service provider computer system;
      
      transmitting the one-time password from the service provider computer system to an authentication system; and
      
      authenticating the one-time password.
  - 4. A method in accordance with claim 3, further comprising:
    - updating the one-time password periodically and displaying the updated one-time password on the communications device;
      
      choosing a displayed one-time password; and
      
      entering the chosen one-time password in the service provider web page.
  - 5. A method in accordance with claim 3, said authenticating step comprising:
    - determining a system time of the authentication system, a first time before the system time, and a second time after the system time;
      
      determining a difference between the first and second times;
      
      dividing the difference into time intervals; and
      
      generating a series of passwords that includes a password for each time interval, each password being generated using the modified shared secret and the beginning time of a respective time interval.
  - 6. A method in accordance with claim 5, further comprising:
    - comparing the one-time password against each password included in the series; and
      
      generating and transmitting a message to the service provider computer system when the one-time password matches a password included in the series.
  - 7. A method in accordance with claim 6, said authenticating step comprising:
    - generating a series of duress passwords when the one-time password does not match a password included in the series of passwords;
      
      comparing the one-time password against each duress password; and
      
      determining that the user is operating under duress when the one-time password matches a duress password.
  - 8. A method in accordance with claim 7, further comprising determining an action to take in response to learning that the user is operating under duress.
  - 9. A method in accordance with claim 1, said generating the modified shared secret step comprising combining the personal identification number, the hashed personal identification number, and the shared secret.
  - 10. A method in accordance with claim 1, said generating the modified shared secret step comprising combining the shared secret with an error indicator number when the request time is before the previous request time.
  - 11. A method in accordance with claim 10, further comprising:
    - generating the one-time password with the modified shared secret and the request time;
      
      authenticating the one-time password; and
      
      prohibiting access to resources in a service provider system when said authenticating step is unsuccessful.

12. A system for authenticating users comprising:
- an authentication system comprising an authentication database and being configured to store within said authentication database authentication data associated with authorized users, generate and store shared secrets, generate one-time passwords, and authenticate users; and
  
  a communications device configured to obtain authentication data, store shared secrets, generate hashed personal identification numbers, and generate one-time passwords,said communications device and said authentication system being configured to communicate over a network,said authentication system being further configured to receive and store personal identification numbers transmitted from said communications device,said communications device being further configured tocombine a hashed personal identification number with a new shared secret to generate a modified shared secret,compare a time a one-time password is requested against a previous request time,when the request time is after the previous request time, generate a one-time password with the modified shared secret and the request time, andtransmit the one-time password to said authentication system.
- View Dependent Claims (13, 14, 15, 16, 17, 18)
- - 13. A system in accordance with claim 12, said authentication system being further configured to:
    - determine time intervals; and
      
      generate a series of passwords, each password corresponding to a determined time interval and being generated with the modified shared secret and the beginning time of each corresponding time interval.
  - 14. A system in accordance with claim 13, said authentication system being further configured to:
    - determine a system time of said authentication system, a first time before the system time, and a second time after the system time;
      
      determine a difference between the first and second times; and
      
      divide the difference into the time intervals.
  - 15. A system in accordance with claim 13, said authentication system being further configured to:
    - compare the one-time password against each password included in the series; and
      
      generate and transmit a message to a service provider system when the one-time password matches a password.
  - 16. A system in accordance with claim 12, said authentication system being further configured to:
    - generate a series of duress passwords;
      
      compare the one-time password against the duress passwords; and
      
      determine that the user is operating under duress when the one-time password matches a duress password.
  - 17. A system in accordance with claim 12, said communications device comprising:
    - a smart phone;
      
      a tablet computer;
      
      a laptop computer;
      
      a desktop personal computer;
      
      ora personal digital assistant.
  - 18. A system in accordance with claim 12, said communications device being further configured to update the one-time password periodically and display the updated one-time password.

19. A computer program recorded on a non-transitory computer-readable recording medium included in a transaction management system, the computer program for enabling authentication of a user attempting to access resources stored in the transaction management system, the computer program for causing the transaction management system to execute at least the following:
- retrieve a shared secret upon receiving a request for a one-time password;
  
  compare a time the request was made against a previous request time;
  
  when the request time is after the previous request time generate a hashed personal identification number from a personal identification number, otherwise initiate a shared secret replacement process;
  
  combine the hashed personal identification number with the shared secret to generate a modified shared secret;
  
  generate the one-time password with the modified shared secret and the request time;
  
  determine time intervals;
  
  generate a series of passwords that includes a password for each determined time interval, each password being generated using the modified shared secret and the beginning time of a respective time interval;
  
  compare the one-time password against each password included in the series; and
  
  permit the user to access the resources when the one-time password matches a password included in the series.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Corporation DAON Technology
Original Assignee
Daon Holdings Limited
Inventors
Cramer, Jason Scott, Webb, Andrew Supplee, Holland, Christopher Eric, White, Conor Robert
Primary Examiner(s)
HENNING, MATTHEW T

Application Number

US13/186,900
Publication Number

US 20130024918A1
Time in Patent Office

1,189 Days
Field of Search

None
US Class Current

713/184
CPC Class Codes

G06F 21/34   involving the use of extern...

H04L 63/0838   using one-time-passwords

H04L 63/0876   based on the identity of th...

H04L 9/3228   One-time or temporary data,...

H04L 9/3231   Biological data, e.g. finge...

Methods and systems for authenticating users over networks

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and systems for authenticating users over networks

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links