Privacy broker
Abstract
A brokered authentication request is received corresponding to an interaction between a particular user and a particular online entity. An identity provider corresponding to the particular user is identified that stores user data identifying the particular user. Confirmation is received that the identity provider has authenticated the particular user to a user profile maintained by the identity provider and a unique persistent user identifier is generated for the particular user that is unique within a system to a pairing of the first user with the first entity. The user identifier is caused to be communicated to the first entity for authenticating the first user in interactions with the first entity.
25 Claims
1. At least one non-transitory machine accessible storage medium having instructions stored thereon, the instructions when executed on a machine, cause the machine to:
- receive, at a privacy broker, a brokered authentication request corresponding to an interaction between a first user and a first entity;
- identify, at the privacy broker, an identity provider corresponding to the first user, wherein the identity provider stores user data identifying the first user and at least a portion of the user data is to be hidden from the privacy broker and the first entity;
- receive confirmation, at the privacy broker, that the identity provider authenticated the first user to a user profile maintained by the identity provider and associated with the user data;
- generate, at the privacy broker, a unique persistent user identifier for the first user using a joint hash function, wherein inputs to the joint hash function comprise a first input from the privacy broker and a second input from the identity provider, the user identifier is unique, within a system, to a pairing of the first user with the first entity, the first input value is derived from a first secret value unknown to the identity provider and corresponding to the first entity, and the second input value is derived from a second secret value unknown to the privacy broker and corresponding to the portion of the user data; and
- cause the user identifier to be communicated to the first entity for authenticating the first user in interactions with the first entity, wherein the user identifier abstracts identity of the first user to the first entity, the first entity is to provide online resources to the first user based at least in part on the user identifier, and identity of the first entity to be interacted with in the interaction is invisible to the identity provider.
Dependent claims: 2-20
21. A method comprising:
- receiving, at a privacy broker, a brokered authentication request corresponding to an interaction between a first user and a first entity;
- identifying, at the privacy broker, an identity provider corresponding to the first user, wherein the identity provider stores user data identifying the first user and at least a portion of the user data is to be privately stored at the identity provider;
- receiving, at the privacy broker, confirmation that the identity provider authenticated the first user to a user profile maintained by the identity provider and associated with the user data;
- generating, at the privacy broker, a unique persistent user identifier for the first user using a joint hash function, wherein inputs to the joint hash function comprise a first input from the privacy broker and a second input from the identity provider, the user identifier is unique, within a system, to a pairing of the first user with the first entity, the first input value is derived from a first secret value unknown to the identity provider and corresponding to the first entity, and the second input value is derived from a second secret value unknown to the privacy broker and corresponding to the portion of the user data; and
- causing the user identifier to be communicated to the first entity for authenticating the first user in interactions with the first entity, wherein the user identifier abstracts identity of the first user to the first entity, the first entity is to provide online resources to the first user based at least in part on the user identifier, and identity of the first entity to be interacted with in the interaction is invisible to the identity provider.
22. A system comprising:
- at least one processor device;
- at least one memory element; and
- a privacy broker, adapted when executed by the at least one processor device to:
  - receive a brokered authentication request corresponding to an interaction between a first user and a first entity;
  - identify an identity provider corresponding to the first user, wherein the identity provider stores user data identifying the first user and at least a portion of the user data is to be kept from the privacy broker and the first entity;
  - receive confirmation that the identity provider authenticated the first user to a user profile maintained by the identity provider and associated with the user data;
  - generate a unique persistent user identifier for the first user using a joint hash function, wherein inputs to the joint hash function comprise a first input from the privacy broker and a second input from the identity provider, the user identifier is unique, within a system, to a pairing of the first user with the first entity, the first input value is derived from a first secret value unknown to the identity provider and corresponding to the first entity, and the second input value is derived from a second secret value unknown to the privacy broker and corresponding to the portion of the user data; and
  - cause the user identifier to be communicated to the first entity for authenticating the first user in interactions with the first entity, wherein identity of the first entity to be interacted with in the interaction is invisible to the identity provider.
Dependent claims: 23-25
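An added sketch, not taken from the patent, of one way the joint hash recited in claims 1, 21 and 22 could be realised. The claims do not specify a construction: the HMAC-SHA256 derivations, the SHA-256 combining step, and every class, method and sample value below are assumptions, and user authentication at the identity provider is treated as already done.

```python
import hashlib
import hmac

def _prf(key: bytes, label: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 with a domain-separation label (assumed construction).
    return hmac.new(key, label + b"\x00" + data, hashlib.sha256).digest()

class IdentityProvider:
    """Holds the hidden user data and a secret the broker never learns."""
    def __init__(self, secret: bytes, private_data: dict):
        self._secret, self._private = secret, private_data
        self.seen = []                       # everything the IdP observes

    def confirm(self, username: str):
        """Post-authentication response: the second input, or None if unknown."""
        self.seen.append(username)           # no entity name ever arrives here
        data = self._private.get(username)
        if data is None:
            return None
        return _prf(self._secret, b"idp", data.encode())

class PrivacyBroker:
    """Holds one secret per entity; the IdP never learns them."""
    def __init__(self, entity_secrets: dict):
        self._entity_secrets = entity_secrets
        self.seen = []                       # everything the broker observes

    def issue_identifier(self, entity: str, second_input):
        if second_input is None:
            return None                      # no confirmation, no identifier
        self.seen.append((entity, second_input))
        first = _prf(self._entity_secrets[entity], b"broker", entity.encode())
        # Joint hash: length-prefix each input so the encoding is unambiguous.
        joint = b"".join(len(p).to_bytes(2, "big") + p
                         for p in (first, second_input))
        return hashlib.sha256(joint).hexdigest()

# Constructed sample data, for illustration only.
IDP = IdentityProvider(b"idp-secret-demo", {
    "alice": "alice@example.com|1990-01-01",
    "bob": "bob@example.com|1985-06-15",
})
BROKER = PrivacyBroker({
    "shop.example": b"broker-secret-shop-demo",
    "news.example": b"broker-secret-news-demo",
})

if __name__ == "__main__":
    for entity in ("shop.example", "news.example"):
        print(entity, BROKER.issue_identifier(entity, IDP.confirm("alice")))
```

In this sketch the broker receives the same second input for a given user at every entity, so unlinkability holds between entities, not against the broker itself. Each entity receives only the final digest.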
Specification