Multi-factor authentication and comprehensive login system for client-server networks

US 9,374,369 B2
Filed: 03/15/2013
Issued: 06/21/2016
Est. Priority Date: 12/28/2012
Status: Active Grant

First Claim

Patent Images

1. A method for processing a request to access a target server over a network from a user operating a client computer, the method comprising:

receiving, at an authentication server, a request to access the target server from the user operating the client computer, wherein the target server is separate from the authentication server and wherein the target server is accessible to the user executing a web browser on the client computer;

causing, by the authentication server, user input fields to be displayed on the client computer to prompt the user for entry of user credentials through the web browser;

issuing, by the authentication server, a challenge to an authorizing client device requiring validation of an identity of the user in response to the request to access the target server;

sending, from the authentication server, a command to the authorizing client device to prompt the user to input a response to the challenge into the authorizing client device;

receiving, at the authentication server, verification from the authorizing client device that the response to the challenge is valid;

evaluating, by the authentication server, at least one item of context information related to the client computer being operated by the user, the at least one item of context information including at least one of a location of the client computer, characteristics of a network to which the client computer is connected, security risk data associated with an application operating on the target server for which the user requests access, an identification of accounts common to both the client computer and the authorizing client device, and an identification of usage anomalies, wherein the at least one item of context information is provided by the client computer to the authentication server separate from the request to access the network resource and separate from the user credentials;

determining, at the authentication server, a disposition of the request to access the target server based on the verification from the authorizing client device and the evaluation of the at least one item of context information; and

releasing, by the authentication server, user credentials to a client desktop extension on the client computer when the determined disposition is to grant access, the released user credentials being used by the client computer to obtain access to the target server.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments are directed to a system and method for authenticating a user of a client computer making a request to a server computer providing access to a network resource through an authentication platform that issues a challenge in response to the request requiring authentication of the user identity through a reply from the client computer, determining one or more items of context information related to at least one of the user, the request, and the client computer, and determining a disposition of the request based on the reply and the one or more items of context information. The reply includes a user password and may be provided by an authorizing client device.

Citations

22 Claims

1. A method for processing a request to access a target server over a network from a user operating a client computer, the method comprising:
- receiving, at an authentication server, a request to access the target server from the user operating the client computer, wherein the target server is separate from the authentication server and wherein the target server is accessible to the user executing a web browser on the client computer;
  
  causing, by the authentication server, user input fields to be displayed on the client computer to prompt the user for entry of user credentials through the web browser;
  
  issuing, by the authentication server, a challenge to an authorizing client device requiring validation of an identity of the user in response to the request to access the target server;
  
  sending, from the authentication server, a command to the authorizing client device to prompt the user to input a response to the challenge into the authorizing client device;
  
  receiving, at the authentication server, verification from the authorizing client device that the response to the challenge is valid;
  
  evaluating, by the authentication server, at least one item of context information related to the client computer being operated by the user, the at least one item of context information including at least one of a location of the client computer, characteristics of a network to which the client computer is connected, security risk data associated with an application operating on the target server for which the user requests access, an identification of accounts common to both the client computer and the authorizing client device, and an identification of usage anomalies, wherein the at least one item of context information is provided by the client computer to the authentication server separate from the request to access the network resource and separate from the user credentials;
  
  determining, at the authentication server, a disposition of the request to access the target server based on the verification from the authorizing client device and the evaluation of the at least one item of context information; and
  
  releasing, by the authentication server, user credentials to a client desktop extension on the client computer when the determined disposition is to grant access, the released user credentials being used by the client computer to obtain access to the target server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1 wherein the disposition of the request to access the target server includes one of granting the request by the user to access the target server or denying the request by the user to access the target server, and the method further comprising transmitting, by the server, the disposition information in a message to the authorizing client device to cause the authorizing client device to display the disposition.
  - 3. The method of claim 1 wherein the target server provides access to a network resource from the group consisting of:
    - a web site, a service provided by the target server, a hardware device coupled to the network, access to physical facilities controlled by the target server, an executable application, and a product sold by an operator of the target server.
  - 4. The method of claim 1 wherein the authorizing client device comprises a mobile communications device coupled to the client computer over a network link, wherein the network link is at least one of:
    - cellular link, Bluetooth link, WIFI link, and near field communication link.
  - 5. The method of claim 4 further comprising causing, by the authentication server, a display of a device selection field on the client computer to allow the user to select a specific type and model of mobile communications device from a selection of mobile communications devices.
  - 6. The method of claim 1 wherein the response to the challenge is a universal password.
  - 7. The method of claim 1 wherein the at least one item of context information is the location of the client computer.
  - 8. The method of claim 1 wherein the at least one item of context information is the characteristics of a network to which the client computer is connected.
  - 9. The method of claim 1 wherein the at least one item of context information is the security risk data associated with the network resource to which the user requests access.
  - 10. The method of claim 1 wherein the at least one item of context information is the identification of common accounts.
  - 11. The method of claim 1 wherein the at least one item of context information is the identification of usage anomalies.

12. A non-transitory computer-readable medium encoded with a plurality of instructions which, when executed by a processor, cause the processor to perform a method comprising:
- receiving, at an authentication server, a request to access a target server from the user operating a client computer, wherein the target server is separate from the authentication server and wherein the target server is accessible to the user executing a web browser on the client computer;
  
  causing, by the authentication server, user input fields to be displayed on the client computer to prompt the user for entry of user credentials through the web browser;
  
  issuing, by the authentication server, a challenge to an authorizing client device requiring validation of an identity of the user in response to the request to access the target server;
  
  sending, from the authentication server, a command to the authorizing client device to prompt the user to input a response to the challenge into the authorizing client device;
  
  receiving, at the authentication server, verification from the authorizing client device that the response to the challenge is valid;
  
  evaluating, by the authentication server, at least one item of context information related to the client computer being operated by the user, the at least one item of context information including at least one of a location of the client computer, characteristics of a network to which the client computer is connected, security risk data associated with an application operating on the target server for which the user requests access, an identification of accounts common to both the client computer and the authorizing client device, and an identification of usage anomalies, wherein the at least one item of context information is provided by the client computer to the authentication server separate from the request to access the network resource and separate from the user credentials;
  
  determining, at the authentication server, a disposition of the request to access the target server based on the verification from the authorizing client device and the evaluation of the at least one item of context information; and
  
  releasing, by the authentication server, user credentials to a client desktop extension on the client computer when the determined disposition is to grant access, the released user credentials being used by the client computer to obtain access to the target server.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The non-transitory computer-readable medium of claim 12 wherein the disposition of the request to access the target server includes one of granting the request by the user to access the target server or denying the request by the user to access the target server, and the non-transitory computer-readable medium further comprising instructions to cause the processor to perform a method comprising transmitting, by the server, the disposition information in a message to the authorizing client device to cause the authorizing client device to display the disposition.
  - 14. The non-transitory computer-readable medium of claim 12 wherein the target server provides access to a network resource from the group consisting of:
    - a web site, a service provided by the target server, a hardware device coupled to the network, access to physical facilities controlled by the target server, an executable application, and a product sold by an operator of the target server.
  - 15. The non-transitory computer-readable medium of claim 12 wherein the authorizing client device comprises a mobile communications device coupled to the client computer over a network link, wherein the network link is at least one of:
    - cellular link, Bluetooth link, WIFI link, and near field communication link.
  - 16. The non-transitory computer-readable medium of claim 15 further comprising instructions to cause the processor to perform a method comprising causing, by the authentication server, a display of a device selection field on the client computer to allow the user to select a specific type and model of mobile communications device from a selection of mobile communications devices.
  - 17. The non-transitory computer-readable medium of claim 12 wherein the response to the challenge is a universal password.
  - 18. The non-transitory computer-readable medium of claim 12 wherein the at least one item of context information is the location of the client computer.
  - 19. The non-transitory computer-readable medium of claim 12 wherein the at least one item of context information is the characteristics of a network to which the client computer is connected.
  - 20. The non-transitory computer-readable medium of claim 12 wherein the at least one item of context information is the security risk data associated with the network resource to which the user requests access.
  - 21. The non-transitory computer-readable medium of claim 12 wherein the at least one item of context information is the identification of common accounts.
  - 22. The non-transitory computer-readable medium of claim 12 wherein the at least one item of context information is the identification of usage anomalies.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lookout Incorporated
Original Assignee
Lookout Incorporated
Inventors
Mahaffey, Kevin Patrick, Richardson, David Luke, Salomon, Ariel, Croy, R. Tyler, Walker, Samuel Alexander, Buck, Brian James, Marcin Gorrino, Sergio Ivan, Golombek, David
Primary Examiner(s)
Zecher, Dede
Assistant Examiner(s)
DOAN, TRANG T

Application Number

US13/837,321
Publication Number

US 20140189808A1
Time in Patent Office

1,194 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/31   User authentication

G06F 21/45   Structures or tools for the...

G06F 21/6245   Protecting personal data, e...

H04L 2463/082   applying multi-factor authe...

H04L 63/083   using passwords cryptograph...

H04L 63/0853   using an additional device,...

H04W 12/069   using certificates or pre-s...

Multi-factor authentication and comprehensive login system for client-server networks

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Multi-factor authentication and comprehensive login system for client-server networks

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links