Security information caching on authentication token

US 9,319,393 B2
Filed: 01/09/2014
Issued: 04/19/2016
Est. Priority Date: 05/30/2013
Status: Active Grant

First Claim

Patent Images

1. A method of conducting at least a two-factor authentication, the method comprising:

caching a knowledge factor in a memory of a token, wherein the knowledge factor represents information known to an authorized user of a security system;

monitoring user custody status of the token, the token having an identifying characteristic representing a possession factor to satisfy possession factor authentication on the security system, wherein the identifying characteristic represents information that verifies the authorized user'"'"'s possession of the token, wherein the knowledge factor is separate and different from the identifying characteristic, and wherein said monitoring includes setting a continuous custody flag in response to determining a user custody of the token;

in response to an authentication request during a period of continuous user custody based on the monitoring of the user custody status, retrieving the knowledge factor from the memory to demonstrate knowledge of the knowledge factor to the security system;

providing access to a list of passwords stored in an encrypted manner and associated with the token;

wherein the knowledge factor is required for decryption of one or more passwords within the list; and

in response detecting a break in the continuous user custody, clearing the knowledge factor from the memory such that, during a next continuous user custody, the knowledge factor has to be re-entered into the memory, wherein said clearing the knowledge factor includes clearing the continuous custody flag.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of operating a security token to authenticate a user in a multi-factor authentication system is disclosed. The method includes: monitoring user custody of the token, the token having an identifying characteristic representing a possession factor for use through possession factor authentication; during a period of continuous user custody of the token based on the monitoring, obtaining a knowledge factor from a user having the continuous user custody; caching the knowledge factor in a memory of the token; and in response to a second authentication request, retrieving the knowledge factor from the memory to demonstrate to an authentication system knowledge of the knowledge factor, during the period of the continuous user custody.

22 Citations

View as Search Results

32 Claims

1. A method of conducting at least a two-factor authentication, the method comprising:
- caching a knowledge factor in a memory of a token, wherein the knowledge factor represents information known to an authorized user of a security system;
  
  monitoring user custody status of the token, the token having an identifying characteristic representing a possession factor to satisfy possession factor authentication on the security system, wherein the identifying characteristic represents information that verifies the authorized user'"'"'s possession of the token, wherein the knowledge factor is separate and different from the identifying characteristic, and wherein said monitoring includes setting a continuous custody flag in response to determining a user custody of the token;
  
  in response to an authentication request during a period of continuous user custody based on the monitoring of the user custody status, retrieving the knowledge factor from the memory to demonstrate knowledge of the knowledge factor to the security system;
  
  providing access to a list of passwords stored in an encrypted manner and associated with the token;
  
  wherein the knowledge factor is required for decryption of one or more passwords within the list; and
  
  in response detecting a break in the continuous user custody, clearing the knowledge factor from the memory such that, during a next continuous user custody, the knowledge factor has to be re-entered into the memory, wherein said clearing the knowledge factor includes clearing the continuous custody flag.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The method of claim 1, wherein caching the knowledge factor in memory includes pre-loading the knowledge factor in the memory prior to the period of continuous user custody.
  - 3. The method of claim 1, further comprising during the period of continuous user custody, obtaining the knowledge factor from a user having the continuous user custody and caching the knowledge factor in the memory.
  - 4. The method of claim 3, wherein obtaining of the knowledge factor is in response to receiving a first authentication request prior to the authentication request.
  - 5. The method of claim 3, wherein during the period of the continuous user custody, the user provides the knowledge factor for authentication only once.
  - 6. The method of claim 1, further comprising sending an authentication package comprising the retrieved knowledge factor to demonstrate the knowledge of the knowledge factor.
  - 7. The method of claim 1, further comprising sending an authentication package that reliably demonstrates knowledge of the knowledge factor.
  - 8. The method of claim 7, wherein the authentication package comprises a message digest computed by a cryptographic hash function from a message including the knowledge factor.
  - 9. The method of claim 1, wherein the continuous user custody of the token by the authorized user is assured by reliably securing the token around or to the authorized user'"'"'s body.
  - 10. The method of claim 1, wherein the token cannot be removed from the authorized user'"'"'s body without generating a signal that is detected by the token as a break in user custody of the token.
  - 11. The method of claim 1, wherein the monitoring comprises:
    - detecting a status of a switch or other sensor associated with the token;
      
      confirming constant contact between the token and the authorized user'"'"'s skin;
      
      continually acquiring biometric measurements of the authorized user;
      
      orany combination thereof.
  - 12. The method of claim 1, wherein the token comprises two sub-tokens including a first sub-token implanted within the authorized user'"'"'s body and a second sub-token unattached to the authorized user'"'"'s body to demonstrate possession and knowledge of the possession factor and the knowledge factor, respectively, through the second sub-token.
  - 13. The method of claim 12, wherein monitoring the user custody comprises confirming the continuous user custody by monitoring continual proximity between the first sub-token and the second sub-token.
  - 14. The method of claim 1, wherein the knowledge factor comprises any of a personal identification number (PIN), a password, and a pattern.
  - 15. The method of claim 1, further comprising demonstrating possession and knowledge of the possession factor and the knowledge factor, respectively, during a transaction requiring authentication at an in-person point of sale, wherein said demonstrating includes the token presenting the possession factor as a visible indicia for reading by a human or machine.
  - 16. The method of claim 1, further comprising presenting the possession factor via a visible indicia, a magnetic strip, wireless communication, a wired interface, or any combination thereof.
  - 17. The method of claim 1, further comprising presenting an authentication package for demonstrating knowledge of the knowledge factor via a visible indicia, a magnetic strip, wireless communication, a wired interface, or any combination thereof.
  - 18. The method of claim 1, further comprising periodically changing the possession factor to thwart potential replay attacks.

19. An apparatus acting as a token to conduct at least a two-factor authentication, the apparatus comprising:
- a sensor to take measurements indicative of user custody status of the token;
  
  a controller configured to monitor the measurements to determine a period of continuous user custody of the token based on the user custody status;
  
  a memory to cache a knowledge factor, the knowledge factor available during the period of the continuous user custody, wherein the knowledge factor represents information known to an authorized user of a security system;
  
  an interface to receive authentication requests; and
  
  a token portion with an identifying characteristic representing a possession factor to satisfy possession factor authentication on the security system, wherein the identifying characteristic represents information that verifies the authorized user'"'"'s possession of the token and wherein the knowledge factor is separate and different from the identifying characteristic;
  
  wherein the controller is configured to set a continuous custody flag in response to determining user custody based on the monitored measurements;
  
  wherein, during the period of the continuous user custody of the token, the controller is configured to retrieve the knowledge factor from the memory to demonstrate knowledge of the knowledge factor to the security system to gain access to a list of encrypted information associated with the token and decryptable by the knowledge factor, in response to receiving a second authentication request at the interface; and
  
  wherein, in response detecting a break in the continuous user custody, the controller is configured to clear the continuous custody flag and clear the knowledge factor from the memory such that during a next continuous user custody the knowledge factor has to be re-entered into the memory.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31)
- - 20. The apparatus of claim 19, further comprising an input device to receive a knowledge factor from a user during the period of continuous user custody;
    - wherein, during the period of the continuous user custody of the token, the controller is further configured to obtain the knowledge factor from the user through the input device responsive to receiving a first authentication request at the interface and to cache the knowledge factor in the memory.
  - 21. The apparatus of claim 20, wherein the input device receives the knowledge factor as a personal identification number (PIN), a password, or a pattern.
  - 22. The apparatus of claim 19, wherein the controller is further configured to send an authentication package that reliably demonstrates knowledge of the knowledge factor.
  - 23. The apparatus of claim 22, wherein the authentication package comprises a message digest computed by a cryptographic hash function from a message including the knowledge factor.
  - 24. The apparatus of claim 20, wherein the sensor is a switch, a skin contact sensor, or a biometric measurement device.
  - 25. The apparatus of claim 19, wherein the apparatus comprises two sub-tokens including a first sub-token with an attachment mechanism to attach to the authorized user'"'"'s body and a second sub-token unattached to the authorized user'"'"'s body to enable demonstration of possession and knowledge of the possession factor and the knowledge factor, respectively;
    - wherein the controller is configured to confirm the continuous user custody by monitoring continual proximity between the first sub-token and the second sub-token via the sensor; and
      
      wherein each component of the token, including the controller and the memory, is either in the first sub-token or the second sub-token.
  - 26. The apparatus of claim 19, wherein the controller is further configured to demonstrate possession of the possession factor by providing a visible indicia for reading by a human or machine, by configuring a magnetic strip, or by transmitting a wireless or wired communication.
  - 27. The apparatus of claim 19, the controller is further configured to demonstrate knowledge of the knowledge factor by providing a visible indicia on the token, configuring a magnetic strip, or by transmitting a wireless or wired communication.
  - 28. The apparatus of claim 19, wherein the memory stores a list of passwords, wherein the list is stored in an encrypted manner and associated with the token;
    - and wherein the knowledge factor is required for decryption of one or more passwords within the list.
  - 29. The apparatus of claim 19, further comprising a mechanism for reliably securing the token around or to the authorized user'"'"'s body, wherein the continuous user custody of the token by the authorized user is assured when the mechanism is secured.
  - 30. The apparatus of claim 19, further comprising a mechanism by which the token cannot be removed from the authorized user'"'"'s body without generating a signal that is detected by the controller as a break in the user custody of the token.
  - 31. The apparatus of claim 19, further comprising a body structure of the token in a form factor of:
    - a bracelet, an anklet, a necklace, an earring, a clamping or securing device, a medallion, or a patch secured using an elastic band.

32. An apparatus comprising:
- a sensor to take measurements indicative of user custody status of the apparatus;
  
  a controller configured to monitor the measurements to determine the user custody status of the apparatus;
  
  a token portion with an identifying characteristic representing a possession factor to satisfy possession factor authentication on a security system, wherein the identifying characteristic represents information that verifies an authorized user'"'"'s possession of the token portion;
  
  a memory to cache a knowledge factor to satisfy knowledge factor authentication on the security system, wherein the knowledge factor represents information known to the authorized user of the security system and wherein the knowledge factor is separate and different from the identifying characteristic; and
  
  an output component configured to demonstrate the knowledge factor or the possession factor to the security system to gain access to a list of encrypted information associated with the token portion and decryptable by the knowledge factor, during a period of continuous user custody according to the user custody status;
  
  wherein the controller is configured to set a continuous custody flag in response to determining user custody based on the monitored measurements;
  
  wherein the knowledge factor is removed from memory or prevented from being accessed when the period of the continuous user custody ends; and
  
  wherein, in response detecting a break in the continuous user custody, the controller is configured to clear the continuous custody flag and the knowledge factor from the memory such that during a next continuous user custody the knowledge factor has to be re-entered into the memory.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Applied Invention, LLC
Original Assignee
Applied Invention, LLC
Inventors
Hillis, W. Daniel
Primary Examiner(s)
Ho, Dao

Application Number

US14/151,327
Publication Number

US 20140359744A1
Time in Patent Office

831 Days
Field of Search

726/9
US Class Current

1/1
CPC Class Codes

G06F 21/34   involving the use of extern...

G06F 21/35   communicating wirelessly

G06F 21/36   by graphic or iconic repres...

G06Q 20/206   comprising security or oper...

H04L 2463/082   applying multi-factor authe...

H04L 63/08   for authentication of entit...

H04L 63/083   using passwords cryptograph...

H04L 63/0853   using an additional device,...

Security information caching on authentication token

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

22 Citations

32 Claims

Specification

Use Cases

Quick Links

Others

Security information caching on authentication token

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

22 Citations

32 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others