System and method providing disconnected authentication
First Claim

1. A method for authenticating at a verifier a user who possesses an authentication token capable of providing one or more one-time passcodes, comprising:
- obtaining a verification record from an authentication server;
- obtaining a passcode from the authentication token submitted to authenticate the user at the verifier, wherein the one-time passcodes are generated as a function of a token secret, and wherein the verifier is isolated from the token secret; and
- determining whether the submitted passcode is consistent with the verification record, where the verification record is a function of a reference passcode, wherein the verifier is disconnected from the authentication server which provided the verification record.
Abstract
In a system for disconnected authentication, verification records corresponding to given authentication token outputs over a predetermined period of time, sequence of events, and/or set of challenges are downloaded to a verifier. The records include encrypted or hashed information for the given authentication token outputs. In one embodiment using time intervals, for each time interval, token output data, a salt value, and a pepper value are hashed and compared with the verification record for the time interval. After a successful comparison, a user can access the computer. A PIN value can also be provided as an input to the hash function. A portion of the hash function output can be used as a key to decrypt an encrypted (Windows) password, or other sensitive information.
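The flow the abstract describes, and the hash-and-compare step that claim 59 spells out, as an added Python example that is not the patent's own code or RSA's implementation. The server, which holds the token secret, precomputes one record per time interval; the disconnected laptop holds only those records and never the secret. Everything concrete here is an assumption for illustration: the token output is modelled as HMAC-SHA256 over the interval counter truncated to 8 digits, the one-way function is SHA-256 over passcode, PIN, salt and pepper, the pepper is taken to be a 12-bit value that is deliberately not written into the record so the verifier must search for it (the abstract only says the pepper is a hash input; that search behaviour is my assumption), half of the hash is stored as the check value and the other half decrypts the stored (Windows) password, and the cipher is a toy SHA-256 keystream XOR rather than a real AEAD.

```python
import hashlib
import hmac
import os
import struct
import time

# Added example. The constants and constructions below are assumptions, not the patent's.
INTERVAL_SECONDS = 60   # one token passcode per minute
PEPPER_BITS = 12        # pepper is never stored in the record; the verifier searches 2**12 values
WINDOW = 3              # number of future intervals the server hands records out for

# Constructed demo values (not real credentials).
TOKEN_SECRET = b"constructed-demo-token-secret"
PIN = "1234"
WINDOWS_PASSWORD = b"correct horse battery staple"


def current_interval(now=None):
    """Time interval counter used as the token's moving factor."""
    return int((time.time() if now is None else now) // INTERVAL_SECONDS)


def token_passcode(token_secret: bytes, interval: int) -> str:
    """Token output for an interval: HMAC-SHA256 over the counter, truncated to 8 decimal digits (assumed)."""
    mac = hmac.new(token_secret, struct.pack(">Q", interval), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


def verification_hash(passcode: str, pin: str, salt: bytes, pepper: int) -> bytes:
    """One-way function over token output, PIN, salt and pepper (the 'hashed passcode' of claim 59)."""
    data = b"|".join([passcode.encode(), pin.encode(), salt, struct.pack(">H", pepper)])
    return hashlib.sha256(data).digest()


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with a SHA-256-derived keystream. Illustration only; use an AEAD in practice."""
    out = bytearray()
    for n in range((len(data) + 31) // 32):
        ks = hashlib.sha256(key + struct.pack(">I", n)).digest()
        out.extend(a ^ b for a, b in zip(data[n * 32:(n + 1) * 32], ks))
    return bytes(out)


def build_verification_records(token_secret, pin, windows_password, first_interval, count=WINDOW, rng=os.urandom):
    """Authentication-server side: it knows the token secret and emits one record per interval.
    Each record holds the salt, half of the hash as a check value, and the password encrypted
    under the other half of the hash. Neither the pepper nor the token secret is stored."""
    records = {}
    for interval in range(first_interval, first_interval + count):
        salt = rng(16)
        pepper = int.from_bytes(rng(2), "big") & ((1 << PEPPER_BITS) - 1)
        h = verification_hash(token_passcode(token_secret, interval), pin, salt, pepper)
        check, key = h[:16], h[16:]
        records[interval] = {"salt": salt, "check": check, "enc_pw": keystream_xor(key, windows_password)}
    return records


def verify_offline(records, interval, submitted_passcode, pin):
    """Verifier side (the disconnected laptop): hash the submitted passcode, compare to the stored
    reference, and on success derive the key and return the decrypted password. Returns None on
    any failure, including an interval for which no record was downloaded."""
    rec = records.get(interval)
    if rec is None:
        return None
    for pepper in range(1 << PEPPER_BITS):          # recover the unstored pepper by search
        h = verification_hash(submitted_passcode, pin, rec["salt"], pepper)
        if hmac.compare_digest(h[:16], rec["check"]):
            return keystream_xor(h[16:], rec["enc_pw"])
    return None


def demo(now=1_700_000_000.0) -> bool:
    """Whole flow: records issued while connected, then one good and one bad login while offline."""
    start = current_interval(now)
    records = build_verification_records(TOKEN_SECRET, PIN, WINDOWS_PASSWORD, start)
    code = token_passcode(TOKEN_SECRET, start + 1)               # what the user reads off the token
    wrong = f"{(int(code) + 1) % 10**8:08d}"                     # one digit off
    good = verify_offline(records, start + 1, code, PIN) == WINDOWS_PASSWORD
    bad = verify_offline(records, start + 1, wrong, PIN) is None
    return good and bad


if __name__ == "__main__":
    print("disconnected authentication demo:", "ok" if demo() else "FAILED")
```

The point the design makes: a stolen laptop yields only salted hashes for a short window of intervals and an encrypted password, never the token secret, so the records cannot be used to predict future passcodes or to log in at any other verifier; the unstored pepper multiplies the cost of guessing passcode and PIN offline by 2^12 while costing the legitimate verifier at most 4096 hashes.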
Claims

The patent has 59 claims. Claims 2 through 56 depend from claim 1 (reproduced above under First Claim); the remaining independent claims follow.

57. A method for disconnected authentication, comprising:
- receiving verification records from an authentication server by an authenticated computer connected to the authentication server;
- storing the verification records on the computer, wherein the verification records correspond to a period of time and/or an event and include information corresponding to passcodes;
- receiving a passcode from an authentication token submitted by a user of the computer, which is disconnected from the server, wherein the passcode is generated as a function of a token secret, and wherein the verifier is isolated from the token secret; and
- determining whether the submitted passcode corresponds to a given one of the verification records to authenticate the user and allow the user to use the computer.

58. A method for authenticating at a laptop computer a user who possesses an authentication token capable of providing one or more one-time passcodes, comprising:
- obtaining a verification record from an authentication server;
- obtaining a passcode from the authentication token submitted to authenticate the user at the laptop, wherein the passcode is generated as a function of a token secret, and wherein the laptop computer is isolated from the token secret; and
- determining whether the submitted passcode is consistent with the verification record, where the verification record is a function of a reference passcode, wherein the laptop computer is disconnected from the authentication server which provided the verification record, and disconnected from all network connections.

59. A method for authenticating at a verifier a user who possesses an authentication token capable of providing one or more one-time passcodes, comprising:
- obtaining a verification record from an authentication server;
- obtaining a passcode from the authentication token submitted to authenticate the user at the verifier; and
- determining whether the submitted passcode is consistent with the verification record, where the verification record is a function of a reference passcode, wherein the verifier is disconnected from the authentication server which provided the verification record, and wherein determining whether the submitted passcode is consistent with the verification record includes:
  - applying a one-way function to the submitted passcode to obtain a hashed passcode;
  - comparing the hashed passcode to a reference hashed passcode; and
  - determining consistency based at least in part on whether the comparison is successful.
Specification