Method and system for enabling secure one-time password authentication

US 9,230,084 B2
Filed: 10/23/2012
Issued: 01/05/2016
Est. Priority Date: 10/23/2012
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, via an application programming interface, a one-time password authentication request, wherein the application programming interface is a single point of access to a dedicated validation appliance for maintaining one or more secret keys, wherein the application programming interface is associated with an authentication service separate from the dedicated validation appliance, wherein the authentication service is restricted from accessing the one or more secret keys;

receiving, per the request, a one-time password and an identifier of a user for which the one-time password is exclusively generated for a limited period of time for completion of the authentication procedure;

determining, by the dedicated validation appliance, a validity of the request based on a correlation between the identifier of the user and the one-time password with at least one of the one or more secret keys within the limited period of time; and

authenticating the user based on the determined validity of the request, wherein the user is associated with a client device for enabling user entry of the one-time password via an authentication service for initiating the authentication.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An approach for facilitating a one-time password (OTP) authentication procedure is described. A dedicated validation appliance receives a one-time password authentication request via an application programming interface, which is a single point of access to the dedicated validation appliance. The dedicated validation appliance then determines a validity of the request based on the correlating of a submitted OTP against OTP values independently generated by the dedicated validation appliance based on a large secret key exclusive to a client device that initiated the request. The single point of access to the dedicated validation appliance as well as exclusive sharing of the secret key with only another dedicated validation appliance or one-time with the client device reduces the likelihood of attackers discovering the secret keys.

14 Citations

View as Search Results

18 Claims

1. A method comprising:
- receiving, via an application programming interface, a one-time password authentication request, wherein the application programming interface is a single point of access to a dedicated validation appliance for maintaining one or more secret keys, wherein the application programming interface is associated with an authentication service separate from the dedicated validation appliance, wherein the authentication service is restricted from accessing the one or more secret keys;
  
  receiving, per the request, a one-time password and an identifier of a user for which the one-time password is exclusively generated for a limited period of time for completion of the authentication procedure;
  
  determining, by the dedicated validation appliance, a validity of the request based on a correlation between the identifier of the user and the one-time password with at least one of the one or more secret keys within the limited period of time; and
  
  authenticating the user based on the determined validity of the request, wherein the user is associated with a client device for enabling user entry of the one-time password via an authentication service for initiating the authentication.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising:
    - generating, at the dedicated validation appliance, a secret key to associate with an identifier of a user based on a hardware random number generation scheme; and
      
      replicating the secret key at another dedicated validation appliance associated with the dedicated validation appliance, wherein the dedicated validation appliance and the other dedicated validation appliance communicate with each other via a secure peer-to-peer communication channel.
  - 3. The method of claim 1, further comprising:
    - receiving a request to activate a soft-token application of a client device associated with a user; and
      
      transmitting, based on the request, a secret key associated with a user identifier of the user or a one-time password generation algorithm to the soft-token application, wherein the request is based on a one-time communication procedure between the client device and the dedicated validation appliance.
  - 4. The method of claim 3, wherein the secret key or the one-time password generation algorithm are used to generate a one-time password and the one-time password is presented via the soft-token application in association with a time-of-use of the one-time password.
  - 5. The method of claim 1, further comprising:
    - determining activation of a new dedicated validation appliance at a network location of a provider of the one-time password authentication service or the dedicated validation appliance; and
      
      receiving, at the dedicated validation appliance, notification of the activation based on interaction between the new dedicated validation appliance with the dedicated validation appliance from the network location, wherein the activation is associated with a bootstrapping procedure of the new dedicated validation appliance.
  - 6. The method of claim 5, wherein the activation includes a handshaking procedure or security procedure performed via a secure peer-to-peer communication channel for authenticating the new dedicated validation appliance.
  - 7. The method of claim 1, wherein a plurality of dedicated validation appliances are distributed throughout an area defined by a provider of an authentication service or of the dedicated validation appliance.
  - 8. The method of claim 1, wherein the dedicated validation appliance is maintained in a secured container or secured room.

9. An apparatus comprising:
- at least one processor; and
  
  at least one memory including computer program code for one or more programs, the at least one memory and the computer program code configured to, with the at least one processor, cause the apparatus to perform at least the following,receive, via an application programming interface, a one-time password authentication request, wherein the application programming interface is a single point of access to a dedicated validation appliance for maintaining one or more secret keys, wherein the application programming interface is associated with an authentication service separate from the dedicated validation appliance, wherein the authentication service is restricted from accessing the one or more secret keys;
  
  receive, per the request, a one-time password and an identifier of a user for which the one-time password is exclusively generated for a limited period of time for completion of the authentication procedure;
  
  determine, by the dedicated validation appliance, a validity of the request based on a correlation between the identifier of the user and the one-time password with at least one of the one or more secret keys within the limited period of time; and
  
  authenticate the user based on the determined validity of the request, wherein the user is associated with a client device for enabling user entry of the token value as a one-time password via an authentication service for initiating the one-time password authentication procedure.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The apparatus of claim 9, wherein the apparatus is further configured to:
    - generate, at the dedicated validation appliance, a secret key to associate with an identifier of a user based on a hardware random number generation scheme; and
      
      replicate the secret key at another dedicated validation appliance associated with the dedicated validation appliance, wherein the dedicated validation appliance and the other dedicated validation appliance communicate with each other via a secure peer-to-peer communication channel.
  - 11. The apparatus of claim 9, wherein the apparatus is further configured to:
    - receive a request to activate a soft-token application of a client device associated with a user; and
      
      transmit, based on the request, a secret key associated with a user identifier of the user or a one-time password generation algorithm to the soft-token application, wherein the request is based on a one-time communication procedure between the client device and the dedicated validation appliance.
  - 12. The apparatus of claim 11, wherein the secret key or the one-time password generation algorithm are used to generate a one-time password and the one-time password is presented via the soft-token application in association with a time-of-use of the one-time password.
  - 13. The apparatus of claim 9, wherein the apparatus is further configured to:
    - determine an activation of a new dedicated validation appliance at a network location of a provider of the one-time password authentication service or the dedicated validation appliance; and
      
      receive, at the dedicated validation appliance, notification of the activation based on interaction between the new dedicated validation appliance with the dedicated validation appliance from the network location, wherein the activation is associated with a bootstrapping procedure of the new dedicated validation appliance.
  - 14. The apparatus of claim 13, wherein the activation includes a handshaking procedure or security procedure performed via a secure peer-to-peer communication channel for authenticating the new dedicated validation appliance.
  - 15. The apparatus of claim 9, wherein a plurality of dedicated validation appliances are distributed throughout an area defined by a provider of an authentication service or a of the dedicated validation appliance.
  - 16. The apparatus of claim 9, wherein the dedicated validation appliance is maintained in a secured container or secured room.

17. A system comprising:
- one or more dedicated validation appliances for determining a validity of a one-time password authentication request based on a correlation between an identifier of a user and a one-time password with at least one of the one or more secret keys within a limited period of time;
  
  an application programming interface for accessing the one or more dedicated validation appliances to initiate the one-time password authentication request, wherein the application programming interface is a single point of access to the one or more dedicated validation appliances and the dedicated validation appliances maintain one or more secret keys, wherein the application programming interface is associated with an authentication service separate from the dedicated validation appliance, wherein the authentication service is restricted from accessing the one or more secret keys, and said one or more dedicated validation appliances authenticates the user based on the determined validity of the request, wherein the user is associated with a client device for enabling user entry of the one-time password via an authentication service for initiating the authentication.
- View Dependent Claims (18)
- - 18. The system of claim 17, further comprising:
    - a bootstrapping device for activating a new dedicated validation appliance at a network location of a provider of the one-time password authentication service or the one or more dedicated validation appliances; and
      
      a soft-token application for interacting with the one or more dedicated validation appliances to present the one-time password at a client device associated with the user as a one-time password in association with a time-of-use of the one-time password.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Verizon Patent and Licensing Incorporated (Verizon Communications Inc.)
Original Assignee
Verizon Patent and Licensing Incorporated (Verizon Communications Inc.)
Inventors
Robertson, James A.
Primary Examiner(s)
Smithers, Matthew

Application Number

US13/658,558
Publication Number

US 20140115341A1
Time in Patent Office

1,169 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/30   Authentication, i.e. establ...

G06F 21/34   involving the use of extern...

G06F 2221/2137   Time limited access, e.g. t...

H04L 63/0838   using one-time-passwords

H04L 63/0846   using time-dependent-passwo...

H04L 9/3228   One-time or temporary data,...

Method and system for enabling secure one-time password authentication

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

14 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for enabling secure one-time password authentication

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

14 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links