Authentication tokens managed for use with multiple sites

US 9,363,262 B1
Filed: 09/15/2008
Issued: 06/07/2016
Est. Priority Date: 09/15/2008
Status: Active Grant

First Claim

Patent Images

1. At an aggregator service within a distributed computing system that includes the aggregator service and a plurality of different account providers, wherein an account holder is an owner of a plurality of accounts, at least one account of the plurality with each of the different account providers, a method for authenticating the account holder using multi-factor authentication, the method comprising:

associating, by the aggregator service, the account holder with a single token device, the token device configured to supply the account holder with a single dynamic password linking the account holder with the token device and with the plurality of accounts, at least one account of the plurality with each of the different account providers, the dynamic password having a current value that is synchronously stored at the aggregator service and at the token device, wherein the current value of the dynamic password stored at the token device is updated using a first clocking device, wherein the current value of the dynamic password stored at the aggregator service is updated using a second clocking device, and wherein the first clocking device at the token device and the second clocking device at the aggregator service synchronously update the dynamic password independent of each other;

periodically changing, using a plurality of processor-based computing devices programmed to perform the periodic changing, the current value of the dynamic password by synchronously generating and storing a single, different dynamic password at the aggregator service and at the token device, wherein the periodic changing is programmed to pull the current value of the dynamic password from a table of password values;

associating the account holder with a different client identifier for each of the account providers, each client identifier linking the account holder to the at least one account with one of the account providers, the account providers each being a separate entity from the aggregator service;

receiving a request for authorization to login to a selected account of the plurality of accounts with one of the account providers, the request including the client identifier linking the account holder to the selected account and a proffered password generated by the token device, wherein the dynamic password and the proffered password submitted by a user are associated with a timestamp for indicating a time at which the dynamic password and the proffered password were previously updated; and

performing an authorization operation by determining the dynamic password associated with the account holder using the client identifier and by determining a match between the proffered password received with the request for authorization to login to the selected account and the current value of the dynamic password stored at the aggregator service and associated with the account holder.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for authenticating an account holder using multi-factor authentication. An account holder is associated with a token device configured to supply the account holder with a dynamic password. The dynamic password has a current value that is synchronously stored at an aggregator service and at the token device. The dynamic password is changed periodically. The aggregator service also associates the account holder with at least one account maintained by the account providers. The aggregator service receives an authorization request from either the user or from one of the account providers. The aggregator service performs an authorization operation for determining if a proffered dynamic password submitted by the user during an attempt to login matches the current value of the dynamic password stored at the aggregator service.

Citations

15 Claims

1. At an aggregator service within a distributed computing system that includes the aggregator service and a plurality of different account providers, wherein an account holder is an owner of a plurality of accounts, at least one account of the plurality with each of the different account providers, a method for authenticating the account holder using multi-factor authentication, the method comprising:
- associating, by the aggregator service, the account holder with a single token device, the token device configured to supply the account holder with a single dynamic password linking the account holder with the token device and with the plurality of accounts, at least one account of the plurality with each of the different account providers, the dynamic password having a current value that is synchronously stored at the aggregator service and at the token device, wherein the current value of the dynamic password stored at the token device is updated using a first clocking device, wherein the current value of the dynamic password stored at the aggregator service is updated using a second clocking device, and wherein the first clocking device at the token device and the second clocking device at the aggregator service synchronously update the dynamic password independent of each other;
  
  periodically changing, using a plurality of processor-based computing devices programmed to perform the periodic changing, the current value of the dynamic password by synchronously generating and storing a single, different dynamic password at the aggregator service and at the token device, wherein the periodic changing is programmed to pull the current value of the dynamic password from a table of password values;
  
  associating the account holder with a different client identifier for each of the account providers, each client identifier linking the account holder to the at least one account with one of the account providers, the account providers each being a separate entity from the aggregator service;
  
  receiving a request for authorization to login to a selected account of the plurality of accounts with one of the account providers, the request including the client identifier linking the account holder to the selected account and a proffered password generated by the token device, wherein the dynamic password and the proffered password submitted by a user are associated with a timestamp for indicating a time at which the dynamic password and the proffered password were previously updated; and
  
  performing an authorization operation by determining the dynamic password associated with the account holder using the client identifier and by determining a match between the proffered password received with the request for authorization to login to the selected account and the current value of the dynamic password stored at the aggregator service and associated with the account holder.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method as recited in claim 1, wherein performing an authorization operation by determining a match between the proffered password and the current value of the dynamic password stored at the aggregator service further comprises:
    - receiving the proffered password as part of the authorization request;
      
      comparing the proffered password to the current value of the dynamic password stored at the aggregator service; and
      
      sending a response to the account provider of the selected account based on the result of the comparison.
  - 3. The method as recited in claim 2, wherein the response to the account provider further comprises an affirmative or a negative result depending on whether the proffered password matches the current value of the dynamic password.
  - 4. The method as recited in claim 1, wherein performing an authorization operation by determining if the proffered password matches the current value of the dynamic password stored at the aggregator service further comprises sending the current value of the dynamic password stored at the aggregator service to the account provider for allowing the account provider to determine a match between the proffered dynamic password and the current value of the dynamic password.
  - 5. The method as recited in claim 1, wherein the client identifier and the proffered dynamic password are submitted by a user via a webpage interface.
  - 6. The method as recited in claim 1, wherein the dynamic password and the proffered password submitted by the user are associated with an expiration time for indicating a time at which the dynamic password and the proffered password are scheduled to expire.
  - 7. The method as recited in claim 1, wherein the unique client identifier further identifies the selected account.
  - 8. The method as recited in claim 1, wherein the request for authorization to login to a selected account is received from the account provider.
  - 9. The method as recited in claim 1, wherein the account provider and the aggregator service have a preexisting trusted relationship, and communicate over a secure communication channel.

10. At an account provider within a distributed computing system that includes an aggregator service and the account provider, a method for authenticating an account holder using multi-factor authentication, the method comprising:
- generating a single dynamic password that is synchronously stored at the aggregator service and at a token device provided to the account holder, the dynamic password that links the account holder with the token device and with a plurality of accounts held by the account holder with different account providers, wherein the current value of the dynamic password stored at the token device is controlled by a clock device;
  
  storing, at the aggregator service, a unique client identifier that links the account holder with a single account of the plurality of accounts held by the account holder with different account providers;
  
  receiving a login request including a proffered password and a first form of authentication for identifying the account holder;
  
  associating, at the aggregator service, the first form of authentication with the account holder to determine the unique client identifier that links the account holder with the single account of the plurality of accounts held by the account holder with different account providers;
  
  communicating with the aggregator service to authenticate the login request by identifying the dynamic password associated with the stored unique client identifier and determining a match between the proffered password and a current value of the dynamic password stored at the aggregator service, wherein determining the match between the proffered password and the current value of the dynamic password stored at the aggregator service comprises comparing a timestamp indicating the time at which the dynamic password was updated with a time at which the login request including the proffered password was submitted by the user to ensure that the proffered password is compared to the dynamic password stored at the aggregator service at the time the login request was received;
  
  periodically changing, using a plurality of processor-based computing device programmed to perform the periodic changing, the current value of the dynamic password by synchronously generating and storing another dynamic password different from the dynamic password at the token device and the aggregator service wherein the periodic changing is programmed to pull the current value of the dynamic password and from a table of password values, whereina first clocking device controlled by the token device, and a second clocking device controlled by the aggregator device, synchronously update the dynamic password independent of each other; and
  
  granting the login request in the event the proffered password matches the current value of the dynamic password.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The method as recited in claim 10, wherein communicating with the aggregator service to authenticate the login request further comprises:
    - sending an authorization request to the aggregator service including the proffered password; and
      
      receiving a response from the aggregator service indicating whether the proffered password matches the current value of the dynamic password stored at the aggregator service.
  - 12. The method as recited in claim 10, wherein communicating with the aggregator service to authenticate the login request further comprises:
    - sending an authorization request to the aggregator service including the unique client identifier;
      
      receiving the current value of the dynamic password stored at the aggregator service from the aggregator service; and
      
      determining a match between the proffered password and the current value of the dynamic password.
  - 13. The method as recited in claim 10, further comprising providing a webpage interface for submitting the unique client identifier and the proffered dynamic password.
  - 14. The method as recited in claim 10, further comprising associating the dynamic password and the proffered password with a time at which the dynamic password and the proffered dynamic password are scheduled to expire.
  - 15. The method as recited in claim 10, wherein assigning the unique client identifier that links an account holder to at least one account provider comprises associating the unique client identifier with the dynamic password.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Galileo Financial Technologies LLC (SoFi Technologies, Inc.)
Original Assignee
Galileo Processing Incorporated
Inventors
Wilkes, T. Clay
Primary Examiner(s)
Schmidt, Kari

Application Number

US12/210,633
Time in Patent Office

2,822 Days
Field of Search

726/2, 726 4- 6, 726/9, 713/155, 713/168, 713/182
US Class Current

1/1
CPC Class Codes

G06F 21/31   User authentication

G06F 21/34   involving the use of extern...

H04L 2463/082   applying multi-factor authe...

H04L 63/083   using passwords cryptograph...

H04L 63/0838   using one-time-passwords

H04L 63/0846   using time-dependent-passwo...

H04L 63/0853   using an additional device,...

H04L 9/0891   Revocation or update of sec...

H04L 9/12   Transmitting and receiving ...

H04L 9/3228   One-time or temporary data,...

H04L 9/3234   involving additional secure...

Authentication tokens managed for use with multiple sites

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Authentication tokens managed for use with multiple sites

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links