Distributing access and identification tokens in a mobile environment

US 9,332,433 B1
Filed: 09/30/2013
Issued: 05/03/2016
Est. Priority Date: 09/30/2013
Status: Active Grant

First Claim

Patent Images

1. A method of performing authentication, the method comprising:

receiving, by processing circuitry, a first message from a first application running on a client device, the first message including a token request and a first set of authentication factors;

receiving, by the processing circuitry, a second message from a second application running on the client device, the second message including an authentication request and a second set of authentication factors; and

generating, by the processing circuitry, an authentication result message which (i) provides access to a token for use by the client device when the first set of authentication factors is consistent with the second set of authentication factors, and (ii) rejects the token request when the first set of authentication factors is inconsistent with the second set of authentication factors;

wherein the client device is a mobile device;

wherein the first message is received via wireless communications;

wherein the second message is received via wireless communications;

wherein receiving the first message from the first application running on the mobile device includes obtaining the first message from a browser application which is constructed and arranged to access a resource from a service provider (SP) server;

wherein receiving the second message from the second application running on the mobile device includes obtaining the second message from a security application which is constructed and arranged to (i) collect the second set of authentication factors on the mobile device and (ii) send the second set of authentication factors to the processing circuitry independently of the browser application running on the mobile device;

wherein the processing circuitry includes (i) an identity provider (IDP) server and (ii) an authentication server;

wherein obtaining the first message from the browser application includes acquiring the first set of authentication factors by the IDP server;

wherein obtaining the second message from the security application includes acquiring the second set of authentication factors by the authentication server in a manner which is out of band of the IDP server; and

wherein the method further comprises;

receiving, by the IDP server, another message from the browser application running on the mobile device via wireless communications, the other message including a token identifier which identifies the token, and providing, by the IDP server, a response message to the mobile device in response to the other message from the browser application.

View all claims

18 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A technique performs authentication before delivering a token to a client device. The technique involves receiving a first message from a first application on the client device, the first message including a token request and a first set of authentication factors. The technique further involves receiving a second message from a second application on the client device, the second message including an authentication request and a second set of authentication factors. The technique further involves generating a result message which (i) provides access to a token for use by the client device when the first set of authentication factors is consistent with the second set of authentication factors, and (ii) rejects the token request when the first set of authentication factors is inconsistent with the second set of authentication factors. The client device may be a mobile device, and the first and second messages may be received via wireless communications.

30 Citations

View as Search Results

21 Claims

1. A method of performing authentication, the method comprising:
- receiving, by processing circuitry, a first message from a first application running on a client device, the first message including a token request and a first set of authentication factors;
  
  receiving, by the processing circuitry, a second message from a second application running on the client device, the second message including an authentication request and a second set of authentication factors; and
  
  generating, by the processing circuitry, an authentication result message which (i) provides access to a token for use by the client device when the first set of authentication factors is consistent with the second set of authentication factors, and (ii) rejects the token request when the first set of authentication factors is inconsistent with the second set of authentication factors;
  
  wherein the client device is a mobile device;
  
  wherein the first message is received via wireless communications;
  
  wherein the second message is received via wireless communications;
  
  wherein receiving the first message from the first application running on the mobile device includes obtaining the first message from a browser application which is constructed and arranged to access a resource from a service provider (SP) server;
  
  wherein receiving the second message from the second application running on the mobile device includes obtaining the second message from a security application which is constructed and arranged to (i) collect the second set of authentication factors on the mobile device and (ii) send the second set of authentication factors to the processing circuitry independently of the browser application running on the mobile device;
  
  wherein the processing circuitry includes (i) an identity provider (IDP) server and (ii) an authentication server;
  
  wherein obtaining the first message from the browser application includes acquiring the first set of authentication factors by the IDP server;
  
  wherein obtaining the second message from the security application includes acquiring the second set of authentication factors by the authentication server in a manner which is out of band of the IDP server; and
  
  wherein the method further comprises;
  
  receiving, by the IDP server, another message from the browser application running on the mobile device via wireless communications, the other message including a token identifier which identifies the token, and providing, by the IDP server, a response message to the mobile device in response to the other message from the browser application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. A method as in claim 1 wherein the other message from the browser application further includes a third set of authentication factors;
    - wherein the response message includes the token for use by the mobile device when the IDP server successfully matches the first set of authentication factors with the third set of authentication factors; and
      
      wherein the response message includes a token rejection when the IDP server does not successfully match the first set of authentication factors with the third set of authentication factors.
  - 3. A method as in claim 1, further comprising:
    - selecting a particular token from multiple tokens stored in a token database of the IDP server based on the token identifier, the response message including the particular token selected from multiple tokens stored in the token database of the IDP server.
  - 4. A method as in claim 3, further comprising:
    - delivering the token from the authentication server to the IDP server for storage in the token database in a manner which is out of band with the mobile device.
  - 5. A method as in claim 3 wherein the particular token is a bearer token that authenticates a user to the SP server in accordance with a bearer subject confirmation method.
  - 6. A method as in claim 1, further comprising:
    - providing, by the IDP server, an augmented universal resource locator (URL) string in response to the first message from the browser application, the augmented URL string directing the browser application to automatically launch the security application on the mobile device.
  - 7. A method as in claim 1 wherein the first set of authentication factors of the first message includes a first set of mobile device fingerprints which distinguish the mobile device from other mobile devices;
    - wherein the second set of authentication factors of the second message includes a second set of mobile device fingerprints which distinguish the mobile device from other mobile devices; and
      
      wherein the method further comprises comparing the first set of mobile device fingerprints to the second set of mobile device fingerprints to determine whether the first message and the second message were received from the same mobile device.
  - 8. A method as in claim 1 wherein the first set of authentication factors of the first message includes a first set of biometric data;
    - wherein the second set of authentication factors of the second message includes a second set of biometric data; and
      
      wherein the method further comprises comparing the first set of biometric data to the second set of biometric data to determine whether the first message and the second message were received from the same user.

9. A method of obtaining access to a token from a mobile device, the method comprising:
- providing, by the mobile device, a first message from a first application running on the mobile device to remote processing circuitry via wireless communications, the first message including a token request and a first set of authentication factors;
  
  providing, by the mobile device, a second message from a second application running on the mobile device to the remote processing circuitry via wireless communications, the second message including an authentication request and a second set of authentication factors; and
  
  receiving, by the mobile device, an authentication result message from the remote processing circuitry, the authentication result message (i) providing access to a token for use by the mobile device when the first set of authentication factors is consistent with the second set of authentication factors, and (ii) rejecting the token request when the first set of authentication factors is inconsistent with the second set of authentication factors;
  
  wherein providing the first message from the first application running on the mobile device includes sending the first message using a browser application which is constructed and arranged to access a resource from a service provider (SP) server;
  
  wherein providing the second message from the second application running on the mobile device includes sending the second message using a security application which is constructed and arranged to (i) collect the second set of authentication factors on the mobile device and (ii) send the second set of authentication factors to the remote processing circuitry independently of the browser application running on the mobile device;
  
  wherein the remote processing circuitry includes (i) an identity provider (IDP) server and (ii) an authentication server;
  
  wherein sending the first message using the browser application includes transmitting the first set of authentication factors to the IDP server;
  
  wherein sending the second message from the security application includes transmitting the second set of authentication factors to the authentication server in a manner which is out of band of the IDP server; and
  
  wherein the method further comprises;
  
  providing, by the mobile device, another message to the IDP server from the browser application running on the mobile device via wireless communications, the other message including a token identifier which identifies the token, andreceiving, by the mobile device, a response message from the IDP server in response to the other message from the browser application.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. A method as in claim 9 further comprising:
    - receiving an augmented universal resource locator (URL) string from the IDP server in response to the first message, andin response to the URL string, automatically launching the security application on the mobile device.
  - 11. A method as in claim 9, further comprising:
    - collecting a first set of user biometric data for inclusion in the first set of authentication factors of the first message; and
      
      collecting a second set of user biometric data for inclusion in the second set of authentication factors of the second message.
  - 12. A method as in claim 9 wherein the other message from the browser application further includes a third set of authentication factors;
    - wherein the response message includes the token for use by the mobile device when the IDP server successfully matches the first set of authentication factors with the third set of authentication factors; and
      
      wherein the response message includes a token rejection when the IDP server does not successfully match the first set of authentication factors with the third set of authentication factors.
  - 13. A method as in claim 9 wherein the IDP server selects a particular token from multiple tokens stored in a token database of the IDP server based on the token identifier, the response message including the particular token selected from multiple tokens stored in the token database of the IDP server.
  - 14. A method as in claim 13 wherein the token is delivered from the authentication server to the IDP server for storage in the token database in a manner which is out of band with the mobile device.
  - 15. A method as in claim 13 wherein the particular token is a bearer token that authenticates a user to the SP server in accordance with a bearer subject confirmation method.

16. A computer program product having a non-transitory computer readable medium which stores a set of instructions to perform authentication, the set of instructions, when carried out by computerized circuitry, causing the computerized circuitry to perform a method of:
- receiving, by the computerized circuitry, a first message from a first application running on the mobile device via wireless communications, the first message including a token request and a first set of authentication factors;
  
  receiving, by the computerized circuitry, a second message from a second application running on the mobile device via wireless communications, the second message including an authentication request and a second set of authentication factors; and
  
  generating, by the computerized circuitry, an authentication result message which (i) provides access to a token for use by the mobile device when the first set of authentication factors is consistent with the second set of authentication factors, and (ii) rejects the token request when the first set of authentication factors is inconsistent with the second set of authentication factors;
  
  wherein receiving the first message from the first application running on the mobile device includes obtaining the first message from a browser application which is constructed and arranged to access a resource from a service provider (SP) server;
  
  wherein receiving the second message from the second application running on the mobile device includes obtaining the second message from a security application which is constructed and arranged to (i) collect the second set of authentication factors on the mobile device and (ii) send the second set of authentication factors to the processing circuitry independently of the browser application running on the mobile device;
  
  wherein the computerized circuitry includes (i) an identity provider (IDP) server and (ii) an authentication server;
  
  wherein obtaining the first message from the browser application includes acquiring the first set of authentication factors by the IDP server;
  
  wherein obtaining the second message from the security application includes acquiring the second set of authentication factors by the authentication server in a manner which is out of band of the IDP server; and
  
  wherein the method further comprises;
  
  receiving, by the IDP server, another message from the browser application running on the mobile device via wireless communications, the other message including a token identifier which identifies the token, andproviding, by the IDP server, a response message to the mobile device in response to the other message from the browser application.
- View Dependent Claims (17, 18, 19, 20)
- - 17. A computer program product as in claim 16 wherein the other message from the browser application further includes a third set of authentication factors;
    - wherein the response message includes the token for use by the mobile device when the IDP server successfully matches the first set of authentication factors with the third set of authentication factors; and
      
      wherein the response message includes a token rejection when the IDP server does not successfully match the first set of authentication factors with the third set of authentication factors.
  - 18. A computer program product as in claim 16, further comprising:
    - selecting a particular token from multiple tokens stored in a token database of the IDP server based on the token identifier, the response message including the particular token selected from multiple tokens stored in the token database of the IDP server.
  - 19. A computer program product as in claim 18, further comprising:
    - delivering the token from the authentication server to the IDP server for storage in the token database in a manner which is out of band with the mobile device.
  - 20. A computer program product as in claim 18 wherein the particular token is a bearer token that authenticates a user to the SP server in accordance with a bearer subject confirmation method.

21. A method of performing authentication, the method comprising:
- receiving, by processing circuitry, a first message from a first application running on a client device, the first message including a token request and a first set of authentication factors;
  
  receiving, by the processing circuitry, a second message from a second application running on the client device, the second message including an authentication request and a second set of authentication factors; and
  
  generating, by the processing circuitry, an authentication result message which (i) provides access to a token for use by the client device when the first set of authentication factors is consistent with the second set of authentication factors, and (ii) rejects the token request when the first set of authentication factors is inconsistent with the second set of authentication factors;
  
  wherein the client device is a mobile device;
  
  wherein the first message is received via wireless communications;
  
  wherein the second message is received via wireless communications;
  
  wherein receiving the first message from the first application running on the mobile device includes obtaining the first message from a browser application which is constructed and arranged to access a resource from a service provider (SP) server;
  
  wherein receiving the second message from the second application running on the mobile device includes obtaining the second message from a security application which is constructed and arranged to (i) collect the second set of authentication factors on the mobile device and (ii) send the second set of authentication factors to the processing circuitry independently of the browser application running on the mobile device;
  
  wherein the processing circuitry includes (i) an identity provider (IDP) server and (ii) an authentication server;
  
  wherein obtaining the first message from the browser application includes acquiring the first set of authentication factors by the IDP server;
  
  wherein obtaining the second message from the security application includes acquiring the second set of authentication factors by the authentication server in a manner which is out of band of the IDP server;
  
  wherein the method further comprises providing, by the IDP server, an augmented universal resource locator (URL) string in response to the first message from the browser application, the augmented URL string directing the browser application to automatically launch the security application on the mobile device; and
  
  wherein, when the authentication result message provides access to the token for use by the mobile device, the authentication result message includes a token identifier and directs the security application running on the mobile device to point the browser application to the IDP server to retrieve the token from the IDP server using the token identifier.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
RSA Security LLC (Symphony Technology Group LLC)
Original Assignee
EMC Corporation (Dell Technologies Inc.)
Inventors
Dotan, Yedidya, Friedman, Lawrence N., Zolfonoon, Riaz, Richards, Gareth, Luo, Guoying
Primary Examiner(s)
Kim, Tae

Application Number

US14/041,125
Time in Patent Office

946 Days
Field of Search

726/2, 726/3, 726/4, 726/5, 726/7, 726/8, 726/9
US Class Current

1/1
CPC Class Codes

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 63/0853   using an additional device,...

H04L 63/0876   based on the identity of th...

H04W 12/06   Authentication

H04W 12/068   using credential vaults, e....

Distributing access and identification tokens in a mobile environment

First Claim

18 Assignments

0 Petitions

Accused Products

Abstract

30 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Distributing access and identification tokens in a mobile environment

First Claim

18 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

30 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links