System, design and process for easy to use credentials management for online accounts using out-of-band authentication
First Claim
1. A method for authentication for accessing an online portal in a system comprising a user, a client processing application, a portable communications device, and an authentication server having a provisioned user database and encrypted payload, wherein the method comprises:
- providing a login portal and screen for access by a user, said login portal being in communication with said client processing application;
- establishing contact between the client processing application and the authentication server wherein a new authentication session is started;
- generating a session identifier at the authentication server, wherein the session identifier is communicated to the client processing application through at least a first communications channel;
- creating a multi-dimensional barcode at the client processing application, wherein the barcode has dynamic encryption keys, portal information, session identifier, and a unique key, and wherein the barcode is displayed at the login screen;
- holding the client processing application in waiting pending the authentication server notification of session validation;
- starting authentication by the user entering a credential on the portable communications device, wherein the portable communications device validates the credential and displays a scan option;
- using the portable communications device to scan the barcode displayed at the login screen and validate the client processing application;
- finding on the portable communications device at least one encrypted user credential with the encryption key from the barcode;
- sending the encrypted credentials and session identifier from the portable communications device to the authentication server via an outbound out-of-band communications channel;
- checking in the provisioned user database of the authentication server, wherein the session is validated;
- sending the encrypted payload to the waiting client processing application;
- sending the validation result from the authentication server to the portable communications device where the result is displayed;
- decrypting the encrypted payload at the client processing application using the encryption keys;
- extracting and decrypting the credentials at the client processing application;
- using the decrypted credentials to access the online portal.
6 Assignments
0 Petitions
Abstract
The invention provides an easy-to-use credential management mechanism for a multi-factor, out-of-band, multi-channel authentication process that protects a large number of documents without requiring the user to remember every document password. When opened, the secure document application generates a multi-dimensional code. The user scans the multi-dimensional code, which validates the secure document application and triggers an out-of-band outbound mechanism. The portable mobile device invokes the authentication server to get authenticated. The authentication server authenticates the user based on a shared secret key, and the user is automatically allowed access to the secure document. The process of the invention includes an authentication server, a secure document application that generates an authentication vehicle or embodiment (i.e., a multi-dimensional bar code) and handles incoming requests, secret keys, and a portable communication device with a smartphone application.
5 Claims
1. (Independent claim 1 is reproduced in full under First Claim above; dependent claims 2, 3 and 4 are not reproduced on this page.)
5. A method for authentication in a system comprising a user, a browser extension or plugin, a portable communications device, and an authentication server having a provisioned user database and an encrypted payload, wherein the method comprises:
- detecting user intent to login to an online portal using a browser extension or plugin;
- establishing contact between the browser extension or plugin and the authentication server wherein a new authentication session is started;
- generating a session identifier at the authentication server, wherein the session identifier is communicated to the browser plugin through at least a first communications channel;
- creating a multi-dimensional barcode at the browser extension or plugin, wherein the barcode has dynamic encryption keys, portal information, the session identifier, and a unique key, and wherein the barcode is displayed in the browser;
- holding the browser in waiting pending authentication server notification of session validation;
- starting authentication by the user entering a credential on the portable communications device, wherein the portable communications device validates the credential and displays a scan option;
- using the portable communications device to scan the barcode displayed at a login screen and validate the browser extension or plugin;
- finding on the portable communications device at least one encrypted user credential with the encryption key from the barcode;
- sending the at least one encrypted credential and the session identifier from the portable communications device to the authentication server via an outbound out-of-band communications channel;
- checking in the provisioned user database of the authentication server, wherein the session is validated;
- sending the encrypted payload to the waiting browser extension or plugin;
- sending the validation result from the authentication server to the portable communications device where the result is displayed;
- decrypting the payload at the browser extension or plugin using the encryption keys;
- extracting and decrypting the at least one encrypted credential at the browser extension or plugin to obtain at least one decrypted credential;
- using the at least one decrypted credential to populate a login form on the login page of the online portal in the browser;
- initiating the login to the online portal by sending the login form to the online portal using the browser extension or plugin.
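The following is an added simulation of the two-channel exchange that claims 1 and 5 describe; it is example code written for this page, not code from the patent or its assignee. It assumes a JSON encoding for the barcode contents, an HMAC-SHA256 proof over the session identifier as the device's "shared secret key" check, and a small HMAC-based stream cipher with an encrypt-then-MAC tag standing in for the unspecified "dynamic encryption keys" cipher. All party names, secrets and the sample account are constructed. The point a defender should take from it is in the last line of `run_flow`: the authentication server relays the credential payload but only ever holds ciphertext under a per-session key that lives in the client application, so a compromise of the server does not yield portal passwords, while a wrong device PIN stops the flow before anything is sent.

```python
import base64, hashlib, hmac, json, secrets

# --- toy authenticated stream cipher (assumption: stands in for the claims' unspecified cipher) ---
def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(12)
    ct = _keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()   # encrypt-then-MAC
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("payload failed integrity check")
    return _keystream_xor(key, nonce, ct)

class Portal:
    """The online portal; it is the only party that ever checks the real password."""
    def __init__(self, accounts): self.accounts = accounts
    def login(self, username, password): return self.accounts.get(username) == password

class AuthServer:
    def __init__(self, provisioned):             # provisioned user database: user_id -> device secret
        self.provisioned, self.sessions = provisioned, {}
    def new_session(self, portal):               # channel 1: session identifier back to the client app
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"portal": portal, "validated": False, "payload": None}
        return sid
    def receive_out_of_band(self, sid, user_id, proof, enc_creds):   # channel 2: from the phone
        sess, secret = self.sessions.get(sid), self.provisioned.get(user_id)
        if sess is None or secret is None or sess["validated"]:      # unknown/replayed session
            return "FAIL"
        expected = hmac.new(secret, sid.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(proof, expected):                 # shared-secret check
            return "FAIL"
        sess["validated"], sess["payload"] = True, enc_creds         # server stores only ciphertext
        return "OK"                                                  # result displayed on the phone
    def poll(self, sid):                         # client app waiting for the validation notice
        sess = self.sessions[sid]
        return sess["payload"] if sess["validated"] else None

class ClientApp:
    def start_login(self, server, portal_name):
        self.sid = server.new_session(portal_name)
        self.key = secrets.token_bytes(32)       # dynamic encryption key, fresh for every session
        barcode = {"portal": portal_name, "session": self.sid,
                   "key": base64.b64encode(self.key).decode(),
                   "unique": secrets.token_hex(8)}
        return json.dumps(barcode)               # what the multi-dimensional barcode would encode
    def complete_login(self, server, portal):
        payload = server.poll(self.sid)
        if payload is None:
            return False
        creds = json.loads(decrypt(self.key, payload))   # extract and decrypt the credentials
        return portal.login(creds["username"], creds["password"])

class MobileDevice:
    def __init__(self, user_id, device_secret, pin, vault):
        self.user_id, self.secret = user_id, device_secret
        self.pin_hash = hashlib.sha256(pin.encode()).digest()
        self.vault, self.unlocked = vault, False   # vault: portal -> (username, password)
    def unlock(self, pin):                       # local credential check before the scan option appears
        self.unlocked = hmac.compare_digest(self.pin_hash, hashlib.sha256(pin.encode()).digest())
        return self.unlocked
    def scan_and_send(self, barcode_text, server):
        if not self.unlocked:
            return "LOCKED"
        bc = json.loads(barcode_text)
        if bc["portal"] not in self.vault:       # validate the requesting application/portal
            return "UNKNOWN_PORTAL"
        username, password = self.vault[bc["portal"]]
        enc = encrypt(base64.b64decode(bc["key"]),
                      json.dumps({"username": username, "password": password}).encode())
        proof = hmac.new(self.secret, bc["session"].encode(), hashlib.sha256).digest()
        return server.receive_out_of_band(bc["session"], self.user_id, proof, enc)

def run_flow(pin="1234"):
    """Run the whole exchange with a constructed account; returns what each party observed."""
    device_secret = secrets.token_bytes(32)
    portal = Portal({"alice": "correct horse battery staple"})   # constructed sample account
    server = AuthServer({"alice-phone": device_secret})
    phone = MobileDevice("alice-phone", device_secret, "1234",
                         {"docs.example": ("alice", "correct horse battery staple")})
    app = ClientApp()
    barcode = app.start_login(server, "docs.example")
    phone.unlock(pin)
    device_result = phone.scan_and_send(barcode, server)
    logged_in = app.complete_login(server, portal)
    stored = server.sessions[app.sid]["payload"] or b""
    return {"device_result": device_result, "logged_in": logged_in,
            "server_saw_password": b"battery" in stored}

if __name__ == "__main__":
    print(run_flow())
```

Replaying the same session identifier a second time is rejected by `receive_out_of_band`, and a payload altered in transit fails the integrity tag in `decrypt`; a production implementation would use a standard AEAD and bind the barcode's unique key into the proof as well.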