System and method for non-intrusive, privacy-preserving authentication

US 9,396,320 B2
Filed: 12/31/2013
Issued: 07/19/2016
Est. Priority Date: 03/22/2013
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

entering into a legitimate user state on a client device for a specified time period following a first explicit authentication by an end user;

recording reference data related to user behavior while in the legitimate user state;

measuring user behavior when outside of the legitimate user state and arriving at an authentication assurance level based on a distance between the measured user behavior and the recorded reference data;

entering into a first transaction with a relying party over a network resulting in an authentication request from the relying party;

in response to receiving the authentication request within the legitimate user state, transmitting an authentication assurance level at or above a defined threshold from the client device to the relying party over the network, the authentication assurance level being sufficient to authenticate the user to the relying party, and the relying party to responsively allow the first transaction; and

in response to an authentication request while outside of the legitimate user state, transmitting the authentication assurance level based on a distance between the measured user behavior and the recorded reference data from the client device to the relying party over the network;

wherein in response to receiving the authentication assurance level, determining at the relying party whether the authentication assurance level is acceptable to complete the first transaction, wherein if the assurance level is acceptable, then the relying party to responsively allow the first transaction and wherein if the assurance level is not acceptable, then the relying party to transmit a response requesting additional authentication, the method further comprising;

performing a second explicit authentication by the end user on the client device to re-enter the legitimate user state; and

transmitting an authentication assurance level from the client device to the relying party, and the relying party to responsively allow the first transaction.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, apparatus, method, and machine readable medium are described for non-intrusive privacy-preserving authentication. For example, one embodiment of a method comprises: entering into a legitimate user state on a client device for a time period following an explicit authentication by an end user; recording reference data related to user behavior while in the legitimate user state; measuring user behavior when outside of the legitimate user state and arriving at an authentication assurance level based on a distance between the measured user behavior and the recorded reference data; in response to an authentication request within the legitimate user state, providing an authentication assurance level at or above a defined threshold, the authentication assurance level being sufficient to authenticate the user to a relying party; and in response to an authentication request while outside of the legitimate user state, providing the authentication assurance level based on a distance between the measured user behavior and the recorded reference data.

206 Citations

25 Claims

1. A method comprising:
- entering into a legitimate user state on a client device for a specified time period following a first explicit authentication by an end user;
  
  recording reference data related to user behavior while in the legitimate user state;
  
  measuring user behavior when outside of the legitimate user state and arriving at an authentication assurance level based on a distance between the measured user behavior and the recorded reference data;
  
  entering into a first transaction with a relying party over a network resulting in an authentication request from the relying party;
  
  in response to receiving the authentication request within the legitimate user state, transmitting an authentication assurance level at or above a defined threshold from the client device to the relying party over the network, the authentication assurance level being sufficient to authenticate the user to the relying party, and the relying party to responsively allow the first transaction; and
  
  in response to an authentication request while outside of the legitimate user state, transmitting the authentication assurance level based on a distance between the measured user behavior and the recorded reference data from the client device to the relying party over the network;
  
  wherein in response to receiving the authentication assurance level, determining at the relying party whether the authentication assurance level is acceptable to complete the first transaction, wherein if the assurance level is acceptable, then the relying party to responsively allow the first transaction and wherein if the assurance level is not acceptable, then the relying party to transmit a response requesting additional authentication, the method further comprising;
  
  performing a second explicit authentication by the end user on the client device to re-enter the legitimate user state; and
  
  transmitting an authentication assurance level from the client device to the relying party, and the relying party to responsively allow the first transaction.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method as in claim 1 wherein the first and second explicit authentications by the end user comprises the user entering a secret identification code or swiping a finger on a fingerprint authenticator on the client device.
  - 3. The method as in claim 1 wherein recording the reference data based on user behavior comprises using sensors and associated hardware and/or software on the client device to measure gait of the user as the user is walking, the reference data defining a reference gait of the user.
  - 4. The method as in claim 1 wherein recording the reference data based on user behavior comprises using sensors and associated hardware and/or software on the client device to measure locations of the client device while in the legitimate user state, the reference data defining a set of reference locations.
  - 5. The method as in claim 4 wherein in addition to measuring locations of the client device while in the legitimate user state, the client device allows the user to specify certain locations as trusted regions.
  - 6. The method as in claim 1 wherein recording the reference data based on user behavior comprises using sensors and associated hardware and/or software on the client device to measure one or more of the following variables to be used as reference data:
    - networks or devices to which the client device is connected;
      
      smart watches;
      
      Bluetooth devices;
      
      near field communication (NFC) devices;
      
      other computing devices;
      
      Nymi bracelets;
      
      Wifi networks in reach;
      
      Wifi-enabled computers in reach;
      
      acceleration sensor characteristics;
      
      digital camera sensor pattern noise;
      
      touch screen gestures of normal user interaction; and
      
      user typing behavior from normal user interaction.
  - 7. The method as in claim 1 further comprising:
    - continuing to record reference data related to user behavior for an extended window of time outside the legitimate user state.
  - 8. The method as in claim 1 wherein the client device provides for multiple forms of explicit user authentication, wherein at least some forms of explicit user authentication will not result in a maximum assurance level.
  - 9. The method as in claim 1 further comprising:
    - encrypting the assurance level using a key prior to transmitting the assurance level to the relying party.
  - 10. The method as in claim 1 wherein the explicit authentication by the end user comprises requiring user interaction in order to trigger and/or unlock the explicit authentication.
  - 11. The method as in claim 10 wherein the user interaction comprises selecting a button or tapping on the client device.
  - 12. The method as in claim 1 wherein the relying party initially specifies a required assurance level for a particular transaction and the assurance level gain is selected to ensure that the required assurance level is met.

13. An client device having a memory for storing program code and a processor for processing the program code, the client device comprising:
- an explicit user authenticator comprising at least one biometric sensor or keypad to perform a first explicit authentication of an end user, the explicit user authenticator to cause the client device to enter into a legitimate user state for a specified time period following the first explicit authentication; and
  
  one or more additional sensors to collect reference data related to user behavior while in the legitimate user state, the one or more sensors in communication with the processor, the processor to perform the operations of;
  
  recording the reference data related to user behavior while in the legitimate user state;
  
  measuring user behavior using the one or more sensors when outside of the legitimate user state and arriving at an authentication assurance level based on a distance between the measured user behavior and the recorded reference data;
  
  entering into a first transaction with a relying party over a network resulting in an authentication request from the relying party;
  
  in response to receiving the authentication request within the legitimate user state, transmitting an authentication assurance level at or above a defined threshold from the client device to the relying party over the network, the authentication assurance level being sufficient to authenticate the user to the relying party, and the relying party to responsively allow the first transaction; and
  
  in response to an authentication request while outside of the legitimate user state, transmitting the authentication assurance level based on a distance between the measured user behavior and the recorded reference data from the client device to the relying party over the network;
  
  wherein in response to receiving the authentication assurance level, determining at the relying party whether the authentication assurance level is acceptable to complete the first transaction, wherein if the assurance level is acceptable, then the relying party to responsively allow the first transaction and wherein if the assurance level is not acceptable, then the relying party to transmit a response requesting additional authentication, the processor to perform the additional operations of;
  
  performing a second explicit authentication by the end user on the client device to re-enter the legitimate user state; and
  
  transmitting an authentication assurance level from the client device to the relying party, and the relying party to responsively allow the first transaction.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 14. The client device as in claim 13 wherein the first and second explicit authentications by the end user comprises the user entering a secret identification code or swiping a finger on a fingerprint authenticator on the client device.
  - 15. The client device as in claim 13 wherein recording the reference data based on user behavior comprises using sensors and associated hardware and/or software on the client device to measure gait of the user as the user is walking, the reference data defining a reference gait of the user.
  - 16. The client device as in claim 13 wherein recording the reference data based on user behavior comprises using sensors and associated hardware and/or software on the client device to measure locations of the client device while in the legitimate user state, the reference data defining a set of reference locations.
  - 17. The client device as in claim 16 wherein in addition to measuring locations of the client device while in the legitimate user state, the non-intrusive privacy-preserving authenticator allows the user to specify certain locations as trusted regions.
  - 18. The client device as in claim 13 wherein recording the reference data based on user behavior comprises using sensors and associated hardware and/or software on the client device to measure one or more of the following variables to be used as reference data:
    - networks or devices to which the client device is connected;
      
      smart watches;
      
      Bluetooth devices;
      
      near field communication (NFC) devices;
      
      other computing devices;
      
      Nymi bracelets;
      
      Wifi networks in reach;
      
      Wifi-enabled computers in reach;
      
      acceleration sensor characteristics;
      
      digital camera sensor pattern noise;
      
      touch screen gestures of normal user interaction; and
      
      user typing behavior from normal user interaction.
  - 19. The client device as in claim 13 wherein the non-intrusive privacy-preserving authenticator continues to record reference data related to user behavior for an extended window of time outside the legitimate user state.
  - 20. The client device as in claim 13 wherein the client device provides for multiple forms of explicit user authentication, wherein at least some forms of explicit user authentication will not result in a maximum assurance level.
  - 21. The client device as in claim 13 further comprising:
    - a secure communication module to encrypt the assurance level using a key prior to transmitting the assurance level to the relying party.
  - 22. The client device as in claim 13 wherein the explicit authentication by the end user comprises requiring user interaction in order to trigger and/or unlock the explicit authentication.
  - 23. The client device as in claim 22 wherein the user interaction comprises selecting a button or tapping on the client device.
  - 24. The client device as in claim 13 wherein the relying party initially specifies a required assurance level for a particular transaction and the assurance level gain is selected to ensure that the required assurance level is met.
  - 25. The client device as in claim 24 wherein explicit user authentication is required if the calculated assurance level does not reach the required assurance level.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nok Nok Labs Incorporated
Original Assignee
Nok Nok Labs Incorporated
Inventors
Lindemann, Rolf
Primary Examiner(s)
Paliwal, Yogesh

Application Number

US14/145,439
Publication Number

US 20140289819A1
Time in Patent Office

931 Days
Field of Search

713/186
US Class Current

1/1
CPC Class Codes

G06F 21/32   using biometric data, e.g. ...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/2115   Third party

G06Q 20/204   comprising interface for re...

G06Q 20/3224   Transactions dependent on l...

G06Q 20/3274   using a pictured code, e.g....

G06Q 20/3278   RFID or NFC payments by mea...

G06Q 20/4012   Verifying personal identifi...

G06Q 20/40145   Biometric identity checks

G06Q 20/42   Confirmation, e.g. check or...

G06Q 20/425   using two different network...

G07F 19/20   Automatic teller machines [...

H04L 2209/805   Lightweight hardware, e.g. ...

H04L 2463/102   applying security measure f...

H04L 63/0492   by using a location-limited...

H04L 63/08   for authentication of entit...

H04L 63/083   using passwords cryptograph...

H04L 63/0861   using biometrical features,...

H04L 63/20   for managing network securi...

H04L 9/0819   Key transport or distributi...

H04L 9/0822 : using key encryption key

H04L 9/0841 : involving Diffie-Hellman or...

H04L 9/3231 : Biological data, e.g. finge...

H04L 9/3247 : involving digital signatures

H04L 9/3297 : involving time stamps, e.g....

H04W 12/06 : Authentication

H04W 12/065 : Continuous authentication

View All

System and method for non-intrusive, privacy-preserving authentication

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

206 Citations

25 Claims

Specification

Use Cases

Quick Links

Others

System and method for non-intrusive, privacy-preserving authentication

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

206 Citations

25 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others