Distributing access and identification tokens in a mobile environment
First Claim
1. A method of performing authentication, the method comprising:
receiving, by processing circuitry, a first message from a first application running on a client device, the first message including a token request and a first set of authentication factors;
receiving, by the processing circuitry, a second message from a second application running on the client device, the second message including an authentication request and a second set of authentication factors; and
generating, by the processing circuitry, an authentication result message which (i) provides access to a token for use by the client device when the first set of authentication factors is consistent with the second set of authentication factors, and (ii) rejects the token request when the first set of authentication factors is inconsistent with the second set of authentication factors;
wherein the client device is a mobile device;
wherein the first message is received via wireless communications;
wherein the second message is received via wireless communications;
wherein receiving the first message from the first application running on the mobile device includes obtaining the first message from a browser application which is constructed and arranged to access a resource from a service provider (SP) server;
wherein receiving the second message from the second application running on the mobile device includes obtaining the second message from a security application which is constructed and arranged to (i) collect the second set of authentication factors on the mobile device and (ii) send the second set of authentication factors to the processing circuitry independently of the browser application running on the mobile device;
wherein the processing circuitry includes (i) an identity provider (IDP) server and (ii) an authentication server;
wherein obtaining the first message from the browser application includes acquiring the first set of authentication factors by the IDP server;
wherein obtaining the second message from the security application includes acquiring the second set of authentication factors by the authentication server in a manner which is out of band of the IDP server; and
wherein the method further comprises:
receiving, by the IDP server, another message from the browser application running on the mobile device via wireless communications, the other message including a token identifier which identifies the token, and providing, by the IDP server, a response message to the mobile device in response to the other message from the browser application.
Abstract
A technique performs authentication before delivering a token to a client device. The technique involves receiving a first message from a first application on the client device, the first message including a token request and a first set of authentication factors. The technique further involves receiving a second message from a second application on the client device, the second message including an authentication request and a second set of authentication factors. The technique further involves generating a result message which (i) provides access to a token for use by the client device when the first set of authentication factors is consistent with the second set of authentication factors, and (ii) rejects the token request when the first set of authentication factors is inconsistent with the second set of authentication factors. The client device may be a mobile device, and the first and second messages may be received via wireless communications.
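The exchange the abstract describes, as a runnable sketch added here for illustration (it is not code from the patent or from any product that practises it): the browser delivers a token request plus a first factor set to an IDP server, a separate security application delivers an authentication request plus a second factor set to an authentication server out of band of the IDP, and the token is released only when the two factor sets are consistent; the browser then redeems a token identifier at the IDP. Claim 21's augmented URL that launches the security application is modelled as well. The consistency rule (every factor reported on both channels must carry the same value), the factor names, the `secapp://` URL scheme, the single-use and 60-second lifetime of the token identifier, and the device binding on redemption are assumptions of this example, not claim language.

```python
"""Simulated two-channel token issuance (constructed example, not the patent's code)."""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


def factors_consistent(first: dict, second: dict) -> bool:
    """Assumption: the two sets are consistent when every factor reported over BOTH
    channels has the same value; a factor seen on only one channel is not a mismatch.
    Two sets that share no factor at all are treated as inconsistent."""
    shared = first.keys() & second.keys()
    return bool(shared) and all(first[k] == second[k] for k in shared)


@dataclass
class PendingRequest:
    request_id: str
    first_factors: dict
    created: float


@dataclass
class IssuedToken:
    token: str
    device_id: str
    created: float
    consumed: bool = False


class IdpServer:
    """Receives the browser's token request and later redeems a token identifier."""
    TOKEN_TTL = 60.0  # seconds a token identifier stays redeemable (assumption)

    def __init__(self) -> None:
        self.pending: Dict[str, PendingRequest] = {}
        self.tokens: Dict[str, IssuedToken] = {}  # token identifier -> issued token

    def receive_token_request(self, first_factors: dict) -> str:
        """First message (browser): record the first factor set and answer with the
        augmented URL that makes the browser launch the security application."""
        rid = secrets.token_urlsafe(16)
        self.pending[rid] = PendingRequest(rid, dict(first_factors), time.time())
        return f"secapp://authenticate?request_id={rid}"  # URL scheme is an assumption

    def redeem(self, token_id: str, device_id: str) -> Optional[str]:
        """'Other message' (browser): exchange the token identifier for the token.
        Single use, expiry and device binding are added hardening, not claim language."""
        issued = self.tokens.get(token_id)
        if issued is None or issued.consumed:
            return None
        if issued.device_id != device_id or time.time() - issued.created > self.TOKEN_TTL:
            return None
        issued.consumed = True
        return issued.token


class AuthServer:
    """Receives the security application's factor set out of band and decides."""

    def __init__(self, idp: IdpServer) -> None:
        self.idp = idp

    def receive_auth_request(self, request_id: str, second_factors: dict) -> dict:
        """Second message (security app): returns the authentication result message."""
        pending = self.idp.pending.pop(request_id, None)  # one decision per request
        if pending is None:
            return {"result": "reject", "reason": "unknown or already decided request"}
        device_id = second_factors.get("device_id")
        if device_id is None:
            return {"result": "reject", "reason": "security app reported no device_id"}
        if not factors_consistent(pending.first_factors, second_factors):
            return {"result": "reject", "reason": "factor mismatch between channels"}
        token_id = secrets.token_urlsafe(16)
        self.idp.tokens[token_id] = IssuedToken(
            token=secrets.token_urlsafe(32), device_id=device_id, created=time.time()
        )
        # Grant: carries the token identifier and points the browser back at the IDP.
        return {"result": "grant", "token_id": token_id,
                "redirect": "https://idp.example/token"}  # constructed endpoint


def run_flow(first_factors: dict, second_factors: dict) -> Optional[str]:
    """Drive one complete exchange in-process; returns the token, or None on rejection."""
    idp = IdpServer()
    auth = AuthServer(idp)
    launch_url = idp.receive_token_request(first_factors)
    request_id = launch_url.split("request_id=")[1]
    result = auth.receive_auth_request(request_id, second_factors)
    if result["result"] != "grant":
        return None
    return idp.redeem(result["token_id"], first_factors.get("device_id"))
```

`run_flow` plays every party in one process; in a deployment the IDP and authentication server are separate services and the two applications reach them over independent connections, which is what makes a factor set forged on one channel detectable on the other. The rejection paths worth checking are a factor mismatch between the channels, a second decision on an already consumed request identifier, and a second redemption of the same token identifier.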
21 Claims
1. A method of performing authentication (independent claim; set out in full above under First Claim).
Dependent claims: 2, 3, 4, 5, 6, 7, 8.
9. A method of obtaining access to a token from a mobile device, the method comprising:
providing, by the mobile device, a first message from a first application running on the mobile device to remote processing circuitry via wireless communications, the first message including a token request and a first set of authentication factors;
providing, by the mobile device, a second message from a second application running on the mobile device to the remote processing circuitry via wireless communications, the second message including an authentication request and a second set of authentication factors; and
receiving, by the mobile device, an authentication result message from the remote processing circuitry, the authentication result message (i) providing access to a token for use by the mobile device when the first set of authentication factors is consistent with the second set of authentication factors, and (ii) rejecting the token request when the first set of authentication factors is inconsistent with the second set of authentication factors;
wherein providing the first message from the first application running on the mobile device includes sending the first message using a browser application which is constructed and arranged to access a resource from a service provider (SP) server;
wherein providing the second message from the second application running on the mobile device includes sending the second message using a security application which is constructed and arranged to (i) collect the second set of authentication factors on the mobile device and (ii) send the second set of authentication factors to the remote processing circuitry independently of the browser application running on the mobile device;
wherein the remote processing circuitry includes (i) an identity provider (IDP) server and (ii) an authentication server;
wherein sending the first message using the browser application includes transmitting the first set of authentication factors to the IDP server;
wherein sending the second message from the security application includes transmitting the second set of authentication factors to the authentication server in a manner which is out of band of the IDP server; and
wherein the method further comprises:
providing, by the mobile device, another message to the IDP server from the browser application running on the mobile device via wireless communications, the other message including a token identifier which identifies the token, and receiving, by the mobile device, a response message from the IDP server in response to the other message from the browser application.
Dependent claims: 10, 11, 12, 13, 14, 15.
16. A computer program product having a non-transitory computer readable medium which stores a set of instructions to perform authentication, the set of instructions, when carried out by computerized circuitry, causing the computerized circuitry to perform a method of:
receiving, by the computerized circuitry, a first message from a first application running on the mobile device via wireless communications, the first message including a token request and a first set of authentication factors;
receiving, by the computerized circuitry, a second message from a second application running on the mobile device via wireless communications, the second message including an authentication request and a second set of authentication factors; and
generating, by the computerized circuitry, an authentication result message which (i) provides access to a token for use by the mobile device when the first set of authentication factors is consistent with the second set of authentication factors, and (ii) rejects the token request when the first set of authentication factors is inconsistent with the second set of authentication factors;
wherein receiving the first message from the first application running on the mobile device includes obtaining the first message from a browser application which is constructed and arranged to access a resource from a service provider (SP) server;
wherein receiving the second message from the second application running on the mobile device includes obtaining the second message from a security application which is constructed and arranged to (i) collect the second set of authentication factors on the mobile device and (ii) send the second set of authentication factors to the processing circuitry independently of the browser application running on the mobile device;
wherein the computerized circuitry includes (i) an identity provider (IDP) server and (ii) an authentication server;
wherein obtaining the first message from the browser application includes acquiring the first set of authentication factors by the IDP server;
wherein obtaining the second message from the security application includes acquiring the second set of authentication factors by the authentication server in a manner which is out of band of the IDP server; and
wherein the method further comprises:
receiving, by the IDP server, another message from the browser application running on the mobile device via wireless communications, the other message including a token identifier which identifies the token, and providing, by the IDP server, a response message to the mobile device in response to the other message from the browser application.
Dependent claims: 17, 18, 19, 20.
21. A method of performing authentication, the method comprising:
receiving, by processing circuitry, a first message from a first application running on a client device, the first message including a token request and a first set of authentication factors;
receiving, by the processing circuitry, a second message from a second application running on the client device, the second message including an authentication request and a second set of authentication factors; and
generating, by the processing circuitry, an authentication result message which (i) provides access to a token for use by the client device when the first set of authentication factors is consistent with the second set of authentication factors, and (ii) rejects the token request when the first set of authentication factors is inconsistent with the second set of authentication factors;
wherein the client device is a mobile device;
wherein the first message is received via wireless communications;
wherein the second message is received via wireless communications;
wherein receiving the first message from the first application running on the mobile device includes obtaining the first message from a browser application which is constructed and arranged to access a resource from a service provider (SP) server;
wherein receiving the second message from the second application running on the mobile device includes obtaining the second message from a security application which is constructed and arranged to (i) collect the second set of authentication factors on the mobile device and (ii) send the second set of authentication factors to the processing circuitry independently of the browser application running on the mobile device;
wherein the processing circuitry includes (i) an identity provider (IDP) server and (ii) an authentication server;
wherein obtaining the first message from the browser application includes acquiring the first set of authentication factors by the IDP server;
wherein obtaining the second message from the security application includes acquiring the second set of authentication factors by the authentication server in a manner which is out of band of the IDP server;
wherein the method further comprises providing, by the IDP server, an augmented universal resource locator (URL) string in response to the first message from the browser application, the augmented URL string directing the browser application to automatically launch the security application on the mobile device; and
wherein, when the authentication result message provides access to the token for use by the mobile device, the authentication result message includes a token identifier and directs the security application running on the mobile device to point the browser application to the IDP server to retrieve the token from the IDP server using the token identifier.
Specification