Knowledge-based authentication based on tracked credential usage

US 9,300,644 B1
Filed: 02/22/2013
Issued: 03/29/2016
Est. Priority Date: 02/22/2013
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

tracking credential usage of an end-user on one or more end-user devices by a cloud-based authentication service executing by a server computing system;

receiving, at the cloud-based authentication service over a first connection between the server computing system and a relying party website, a credential request for credentials associated with the end-user for the relying party website, wherein the end-user no long has authentication credentials for access to the relying party website;

issuing, by the cloud-based authentication service over a second connection between the server computing system and a first end-user device of the one or more end-user devices, a dynamic knowledge-based (KB) challenge to the end-user on the first end-user device, wherein the dynamic KB challenge is based on the tracked credential usage of the end user, wherein at least a portion of the dynamic KB challenge comprises information from the credential usage that is not site-centric to the relying party website;

receiving, at the cloud-based authentication service over the second connection, a response to the dynamic KB challenge from the end-user; and

sending temporary credentials over the first connection to the relying party website for the end-user when the response is validated.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for knowledge-based authentication by a cloud-based authentication service are described. A cloud-based authentication service is to track credential usage of an end-user at the cloud-based authentication service. The authentication service receives a credential request for credentials associated with the end-user from a relying party website. The end-user no longer has authentication credentials for access to the relying party website. The authentication service issues a dynamic knowledge-based (KB) challenge to the end-user, the dynamic KB challenge being based on at least some of the tracked credential usage of the end-user. The processing logic receives a response to the dynamic KB challenge from the end-user and sends temporary credentials to the relying party for the end-user when the response is validated.

34 Citations

View as Search Results

20 Claims

1. A method comprising:
- tracking credential usage of an end-user on one or more end-user devices by a cloud-based authentication service executing by a server computing system;
  
  receiving, at the cloud-based authentication service over a first connection between the server computing system and a relying party website, a credential request for credentials associated with the end-user for the relying party website, wherein the end-user no long has authentication credentials for access to the relying party website;
  
  issuing, by the cloud-based authentication service over a second connection between the server computing system and a first end-user device of the one or more end-user devices, a dynamic knowledge-based (KB) challenge to the end-user on the first end-user device, wherein the dynamic KB challenge is based on the tracked credential usage of the end user, wherein at least a portion of the dynamic KB challenge comprises information from the credential usage that is not site-centric to the relying party website;
  
  receiving, at the cloud-based authentication service over the second connection, a response to the dynamic KB challenge from the end-user; and
  
  sending temporary credentials over the first connection to the relying party website for the end-user when the response is validated.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the temporary credentials comprise temporary one-time password (OTP) credentials.
  - 3. The method of claim 1, further comprising generating, by the cloud-based authentication service, the dynamic KB challenge based on the credential usage.
  - 4. The method of claim 3, wherein the credential usage comprises credential usage history of the end-user, wherein the generating the dynamic KB challenge comprises generating the dynamic KB challenge based on the credential usage history, and wherein the dynamic KB challenge comprises at least one of the following:
    - a challenge asking the end-user for a last successful login to a specified website;
      
      a challenge asking the end-user for a number of websites for which the end-user uses credentials for the cloud-based authentication service;
      
      a challenge asking the end-user for another website where the end-user uses the credentials for the cloud-based authentication service;
      
      a challenge asking the end-user for at least one of the credentials that the end-user first used for the cloud-based authentication service;
      
      a challenge asking the end-user where the end-user last used the credentials for the cloud-based authentication service;
      
      ora challenge asking the end-user for a type of the credentials for the cloud-based authentication service.
  - 5. The method of claim 3, wherein the relying party website subscribes to a transaction verification service with the cloud-based authentication service, and wherein the generating the dynamic KB challenge comprises generating the dynamic KB challenge with a challenge asking the end-user for a detail of a last transaction at the relying party website.
  - 6. The method of claim 1, wherein the receiving the credential request from the relying party website comprises receiving a Security Assertion Markup Language (SAML) authentication request for credentials associated with the end-user for the relying party website.
  - 7. The method of claim 1, wherein the sending the temporary credentials to the relying party website when the response is validated comprises sending a Security Assertion Markup Language (SAML) assertion with temporary one-time password (OTP) credentials for the temporary credentials to the relying party website when the response is validated, wherein the relying party website sends the temporary OTP credentials to the end-user in response to the SAML assertion.
  - 8. The method of claim 1, further comprising sending a Security Assertion Markup Language (SAML) assertion with an access rejection to the relying party website when the response is not validated, wherein the relying party website sends an authentication failure to the end-user in response to the SAML assertion.
  - 9. The method of claim 6, wherein the SAML authentication request from the relying party website to the cloud-based authentication service and a SAML assertion from the cloud-based authentication service to the relying party website are through a SAML HTTP redirect binding.
  - 10. The method of claim 7, wherein the relying party website sends the temporary OTP credentials via at least one of an email message or a text message, and wherein the relying party website sends an authentication failure via a webpage of the relying party website.

11. A computing system comprising:
- a memory; and
  
  a processor coupled with the memory to execute a cloud-based authentication service to;
  
  track credential usage of an end-user on one or more end-user devices by a cloud-based authentication service executing by a server computing system;
  
  receive, at the cloud-based authentication service over a first connection between the server computing system and a relying party website, a credential request for credentials associated with the end-user for the relying party website, wherein the end-user no long has authentication credentials for access to the relying party website;
  
  issue, by the cloud-based authentication service over a second connection between the server computing system and a first end-user device of the one or more end-user devices, a dynamic knowledge-based (KB) challenge to the end-user on the first end-user device, wherein the dynamic KB challenge is based on the tracked credential usage of the end user, wherein at least a portion of the dynamic KB challenge comprises information from the credential usage that is not site-centric to the relying party website;
  
  receive, at the cloud-based authentication service over the second connection, a response to the dynamic KB challenge from the end-user; and
  
  send temporary credentials over the first connection to the relying party website for the end-user when the response is validated.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The computing system of claim 11, wherein the temporary credentials comprise temporary one-time password (OTP) credentials.
  - 13. The computing system of claim 11, wherein the credential usage comprises credential usage history of the end-user, wherein the processor is further to generate, by the cloud-based authentication service, the dynamic KB challenge based on the credential usage history, and wherein the dynamic KB challenge comprises at least one of the following:
    - a challenge asking the end-user for a last successful login to a specified website;
      
      a challenge asking the end-user for a number of websites for which the end-user uses credentials for the cloud-based authentication service;
      
      a challenge asking the end-user for another website where the end-user uses the credentials for the cloud-based authentication service;
      
      a challenge asking the end-user for at least one of the credentials that the end-user first used for the cloud-based authentication service;
      
      a challenge asking the end-user where the end-user last used the credentials for the cloud-based authentication service;
      
      ora challenge asking the end-user for a type of the credentials for the cloud-based authentication service.
  - 14. The computing system of claim 11, wherein the relying party website subscribes to a transaction verification service with the cloud-based authentication service, and wherein the processor is further to generate the dynamic KB challenge with a challenge asking the end-user for a detail of a last transaction at the relying party website.
  - 15. The computing system of claim 11, wherein the processor is further to:
    - receive a Security Assertion Markup Language (SAML) authentication request for credentials associated with the end-user for the relying party website;
      
      send a first SAML assertion with temporary one-time password (OTP) credentials for the temporary credentials to the relying party website when the response is validated, wherein the relying party website is to send the temporary OTP credentials to the end-user in response to the first SAML assertion; and
      
      send a second SAML assertion with an access rejection to the relying party website when the response is not validated, wherein the relying party website is to send an authentication failure to the end-user in response to the second SAML assertion.

16. A non-transitory computer readable storage medium including instructions that, when executed by a processor, cause the processor to perform operations comprising:
- tracking credential usage of an end-user on one or more end-user devices by a cloud-based authentication service executing by a server computing system;
  
  receiving, at the cloud-based authentication service over a first connection between the server computing system and a relying party website, a credential request for credentials associated with the end-user for the relying party website, wherein the end-user no long has authentication credentials for access to the relying party website;
  
  issuing, by the cloud-based authentication service over a second connection between the server computing system and a first end-user device of the one or more end-user devices, a dynamic knowledge-based (KB) challenge to the end-user on the first end-user device, wherein the dynamic KB challenge is based on the tracked credential usage of the end user, wherein at least a portion of the dynamic KB challenge comprises information from the credential usage that is not site-centric to the relying party website;
  
  receiving, at the cloud-based authentication service over the second connection, a response to the dynamic KB challenge from the end-user; and
  
  sending temporary credentials over the first connection to the relying party website for the end-user when the response is validated.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The non-transitory computer readable storage medium of claim 16, wherein the temporary credentials comprise temporary one-time password (OTP) credentials.
  - 18. The non-transitory computer readable storage medium of claim 16, wherein the credential usage comprises credential usage history of the end-user, wherein the operations further comprises generating, by the cloud-based authentication service, the dynamic KB challenge based on the credential usage history, and wherein the dynamic KB challenge comprises at least one of the following:
    - a challenge asking the end-user for a last successful login to a specified website;
      
      a challenge asking the end-user for a number of websites for which the end-user uses credentials for the cloud-based authentication service;
      
      a challenge asking the end-user for another website where the end-user uses the credentials for the cloud-based authentication service;
      
      a challenge asking the end-user for at least one of the credentials that the end-user first used for the cloud-based authentication service;
      
      a challenge asking the end-user where the end-user last used the credentials for the cloud-based authentication service;
      
      ora challenge asking the end-user for a type of the credentials for the cloud-based authentication service.
  - 19. The non-transitory computer readable storage medium of claim 16, wherein the relying party website subscribes to a transaction verification service with the cloud-based authentication service, and wherein the operations further comprise generating the dynamic KB challenge with a challenge asking the end-user for a detail of a last transaction at the relying party website.
  - 20. The non-transitory computer readable storage medium of claim 16, wherein the receiving the credential request from the relying party website comprises receiving a Security Assertion Markup Language (SAML) authentication request for credentials associated with the end-user for the relying party website, wherein the sending the temporary credentials to the relying party website when the response is validated comprises sending a first SAML assertion with temporary one-time password (OTP) credentials for the temporary credentials to the relying party website when the response is validated, wherein the relying party website sends the temporary OTP credentials to the end-user in response to the first SAML assertion, and wherein the operations further comprise sending a second SAML assertion with an access rejection to the relying party website when the response is not validated, wherein the relying party website sends an authentication failure to the end-user in response to the second SAML assertion.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Venkataramani, Srinath, Dubey, Sankalp, Garimella, Phalgun
Primary Examiner(s)
AVERY, JEREMIAH L

Application Number

US13/773,924
Time in Patent Office

1,131 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/0815   providing single-sign-on or...

H04L 63/0838   using one-time-passwords

Knowledge-based authentication based on tracked credential usage

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

34 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Knowledge-based authentication based on tracked credential usage

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

34 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others