Methods and systems for secure identity management

US 9,215,223 B2
Filed: 01/18/2013
Issued: 12/15/2015
Est. Priority Date: 01/18/2012
Status: Active Grant

First Claim

Patent Images

1. A method for authenticating a virtual identity with a resource accessible through a computer network, the method comprising:

registering the virtual identity with the resource by;

sending, from an access device to the resource, a first access device key that is specific to the resource; and

sending, from the access device to the resource, a first identity repository key that is specific to the resource; and

authenticating a use of the virtual identity with the resource by;

sending, from the access device to the resource, a request to access the resource using the virtual identity;

accessing, by the access device, a resource challenge that is acceptable to the resource;

sending, from the access device to an identity repository, the resource challenge;

receiving, by the access device and from the identity repository, a first signed resource challenge that is signed by the identity repository using a second identity repository key that is paired with the first identity repository key;

signing, by the access device, the resource challenge to generate a second signed resource challenge that is signed by the access device using a second access device key that is paired with the first access device key;

sending, from the access device to the resource, the first signed resource challenge and the second signed resource challenge, wherein the resource authenticates the virtual identity using the first signed resource challenge, first access device key, the second signed resource challenge, and the first identity repository key; and

receiving, by the access device and from the resource, an authentication result in response to a verification of the first signed resource challenge and the second signed resource challenge by the resource.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for authorizing a virtual identity using an access device may include sending, from an access device, a request to a resource through a network. The method may also include accessing a resource challenge that is acceptable to the resource and sending the resource challenge to an identity repository. The method may additionally include receiving, from the identity repository, a first signed resource challenge and signing the resource challenge to generate a second signed resource challenge. The method may further include sending an authorization for the virtual identity to the resource through the network. The authorization may include the first signed resource challenge and the second signed resource challenge.

Citations

24 Claims

1. A method for authenticating a virtual identity with a resource accessible through a computer network, the method comprising:
- registering the virtual identity with the resource by;
  
  sending, from an access device to the resource, a first access device key that is specific to the resource; and
  
  sending, from the access device to the resource, a first identity repository key that is specific to the resource; and
  
  authenticating a use of the virtual identity with the resource by;
  
  sending, from the access device to the resource, a request to access the resource using the virtual identity;
  
  accessing, by the access device, a resource challenge that is acceptable to the resource;
  
  sending, from the access device to an identity repository, the resource challenge;
  
  receiving, by the access device and from the identity repository, a first signed resource challenge that is signed by the identity repository using a second identity repository key that is paired with the first identity repository key;
  
  signing, by the access device, the resource challenge to generate a second signed resource challenge that is signed by the access device using a second access device key that is paired with the first access device key;
  
  sending, from the access device to the resource, the first signed resource challenge and the second signed resource challenge, wherein the resource authenticates the virtual identity using the first signed resource challenge, first access device key, the second signed resource challenge, and the first identity repository key; and
  
  receiving, by the access device and from the resource, an authentication result in response to a verification of the first signed resource challenge and the second signed resource challenge by the resource.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1 wherein:
    - registering the virtual identity with the resource further comprises;
      
      sending, from the access device to the resource, a first control device key that is specific to the resource; and
      
      authenticating the virtual identity with the resource further comprises;
      
      receiving, by the access device and from the identity repository, a third signed resource challenge that is signed by a control device; and
      
      sending, from the access device to the resource, the third signed resource challenge, wherein the resource further authenticates the virtual identity using the third signed resource challenge and the first control device key.
  - 3. The method of claim 2 wherein the control device comprises an app operating on a computing device.
  - 4. The method of claim 2 wherein the access device and the control device are the same device.
  - 5. The method of claim 2 wherein the access device and the control device are different devices.
  - 6. The method of claim 1 further comprising:
    - accessing, by the access device, an access device challenge that is acceptable to the identity repository;
      
      receiving, by the access device, a personal identifier from a user;
      
      signing, by the access device, the access device challenge using at least the personal identifier to generate a signed access device challenge; and
      
      sending, from the access device to the identity repository, the signed access device challenge, wherein the access device challenge is verified by the identity repository before the identity repository generates the second signed resource challenge.
  - 7. The method of claim 6 wherein the personal identifier comprises a user password or Personal Identification Number (PIN).
  - 8. The method of claim 1 wherein the resource comprises a website, and the access device comprises a web browser operating on a computing device.

9. A non-transitory, computer-readable medium comprising instructions that, when executed by one or more hardware processors, cause the one or more hardware processors to perform operations comprising:
- registering a virtual identity with a resource by;
  
  sending, from an access device to the resource, a first access device key that is specific to the resource; and
  
  sending, from the access device to the resource, a first identity repository key that is specific to the resource; and
  
  authenticating a use of the virtual identity with the resource by;
  
  sending, from the access device to the resource, a request to access the resource using the virtual identity;
  
  accessing, by the access device, a resource challenge that is acceptable to the resource;
  
  sending, from the access device to an identity repository, the resource challenge;
  
  receiving, by the access device and from the identity repository, a first signed resource challenge that is signed by the identity repository using a second identity repository key that is paired with the first identity repository key;
  
  signing, by the access device, the resource challenge to generate a second signed resource challenge that is signed by the access device using a second access device key that is paired with the first access device key;
  
  sending, from the access device to the resource, the first signed resource challenge and the second signed resource challenge, wherein the resource authenticates the virtual identity using the first signed resource challenge, first access device key, the second signed resource challenge, and the first identity repository key; and
  
  receiving, by the access device and from the resource, an authentication result in response to a verification of the first signed resource challenge and the second signed resource challenge by the resource.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The non-transitory, computer-readable medium of claim 9 wherein:
    - registering the virtual identity with the resource further comprises;
      
      sending, from the access device to the resource, a first control device key that is specific to the resource; and
      
      authenticating the virtual identity with the resource further comprises;
      
      receiving, by the access device and from the identity repository, a third signed resource challenge that is signed by a control device; and
      
      sending, from the access device to the resource, the third signed resource challenge, wherein the resource further authenticates the virtual identity using the third signed resource challenge and the first control device key.
  - 11. The non-transitory, computer-readable medium of claim 10 wherein the control device comprises an app operating on a computing device.
  - 12. The non-transitory, computer-readable medium of claim 10 wherein the access device and the control device are the same device.
  - 13. The non-transitory, computer-readable medium of claim 10 wherein the access device and the control device are different devices.
  - 14. The non-transitory, computer-readable medium of claim 10 further comprising instructions that, when executed by the one or more processors, cause the one or more processors to perform further operations comprising:
    - accessing, by the access device, an access device challenge that is acceptable to the identity repository;
      
      receiving, by the access device, a personal identifier from a user;
      
      signing, by the access device, the access device challenge using at least the personal identifier to generate a signed access device challenge; and
      
      sending, from the access device to the identity repository, the signed access device challenge, wherein the access device challenge is verified by the identity repository before the identity repository generates the second signed resource challenge.
  - 15. The non-transitory, computer-readable medium of claim 14 wherein the personal identifier comprises a user password or Personal Identification Number (PIN).
  - 16. The non-transitory, computer-readable medium of claim 9 wherein the resource comprises a website, and the access device comprises a web browser operating on a computing device.

17. An access device comprising:
- one or more hardware processors; and
  
  one or more memory devices comprising instructions that, when executed by the one or more hardware processors, cause the one or more hardware processors to perform operations comprising;
  
  registering a virtual identity with a resource by;
  
  sending, from the access device to the resource, a first access device key that is specific to the resource; and
  
  sending, from the access device to the resource, a first identity repository key that is specific to the resource; and
  
  authenticating a use of the virtual identity with the resource by;
  
  sending, from the access device to the resource, a request to access the resource using the virtual identity;
  
  accessing, by the access device, a resource challenge that is acceptable to the resource;
  
  sending, from the access device to an identity repository, the resource challenge;
  
  receiving, by the access device and from the identity repository, a first signed resource challenge that is signed by the identity repository using a second identity repository key that is paired with the first identity repository key;
  
  signing, by the access device, the resource challenge to generate a second signed resource challenge that is signed by the access device using a second access device key that is paired with the first access device key;
  
  sending, from the access device to the resource, the first signed resource challenge and the second signed resource challenge, wherein the resource authenticates the virtual identity using the first signed resource challenge, first access device key, the second signed resource challenge, and the first identity repository key; and
  
  receiving, by the access device and from the resource, an authentication result in response to a verification of the first signed resource challenge and the second signed resource challenge by the resource.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The access device of claim 17 wherein:
    - registering the virtual identity with the resource further comprises;
      
      sending, from the access device to the resource, a first control device key that is specific to the resource; and
      
      authenticating the virtual identity with the resource further comprises;
      
      receiving, by the access device and from the identity repository, a third signed resource challenge that is signed by a control device; and
      
      sending, from the access device to the resource, the third signed resource challenge, wherein the resource further authenticates the virtual identity using the third signed resource challenge and the first control device key.
  - 19. The access device of claim 18 wherein the control device comprises an app operating on a computing device.
  - 20. The access device of claim 18 wherein the access device and the control device are the same device.
  - 21. The access device of claim 18 wherein the access device and the control device are different devices.
  - 22. The access device of claim 17 further comprising instructions that, when executed by the one or more processors, cause the one or more processors to perform further operations comprising:
    - accessing, by the access device, an access device challenge that is acceptable to the identity repository;
      
      receiving, by the access device, a personal identifier from a user;
      
      signing, by the access device, the access device challenge using at least the personal identifier to generate a signed access device challenge; and
      
      sending, from the access device to the identity repository, the signed access device challenge, wherein the access device challenge is verified by the identity repository before the identity repository generates the second signed resource challenge.
  - 23. The access device of claim 22 wherein the personal identifier comprises a user password or Personal Identification Number (PIN).
  - 24. The access device of claim 17 wherein the resource comprises a website, and the access device comprises a web browser operating on a computing device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Neustar Incorporated
Original Assignee
OneID Inc.
Inventors
Kirsch, Steven Todd
Primary Examiner(s)
Pham, Luu
Assistant Examiner(s)
MOHAMMADI, FAHIMEH M

Application Number

US13/745,332
Publication Number

US 20130205136A1
Time in Patent Office

1,061 Days
Field of Search

713/168, 713/176
US Class Current

1/1
CPC Class Codes

G06F 21/31   User authentication

G06F 21/335   for accessing specific reso...

G06F 2221/2103   Challenge-response

H04L 63/06   for supporting key manageme...

H04L 63/08   for authentication of entit...

H04L 63/0823   using certificates cryptogr...

H04L 63/083   using passwords cryptograph...

H04L 63/0869   for achieving mutual authen...

H04L 63/12   Applying verification of th...

H04L 9/14   using a plurality of keys o...

H04L 9/30   Public key, i.e. encryption...

H04L 9/3247   involving digital signatures

H04L 9/3263   involving certificates, e.g...

Methods and systems for secure identity management

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and systems for secure identity management

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links