Authentication policy orchestration for a user device

US 9,426,183 B2
Filed: 07/28/2014
Issued: 08/23/2016
Est. Priority Date: 07/28/2013
Status: Active Grant

First Claim

Patent Images

1. A server, comprising:

a network interface configured to be communicatively coupled to a network utilizing a secure communication protocol;

at least one hardware processor configured to;

direct a plurality of authorization policies which are separately configurable between those received from a relying party policy engine located on the server and those received from an authorizing party policy engine located on a authorizing party user device and control authorization requirements of the authorizing party user device being sent authorization requests;

obtain, from a client device via the network, a transaction request for a transaction;

determine the authorization requirement for the transaction request based on the plurality of authorization policies;

a first policy of the plurality of authorization policies being configurable by the relying party policy engine but not the authorizing party policy engine;

a second policy of the plurality of authorization policies being configurable by the authorizing party policy engine;

a third policy of the plurality of authorization policies being configurable by the authorizing party policy engine, and authorizing completion of the transaction without input from the authorizing party user device based on automatic authorization criterion; and

a fourth policy of the plurality of authorization policies being based on risk factors related to the transaction and configurable by the relying party policy engine or the authorizing party policy engine;

wherein the plurality of authorization policies include;

a status of the authorizing party user device, providing a notification of the transaction, a location of at least one of the client device and the authorizing party user device, a status of the network, and a habit of at least one of the client device and the authorizing party user device;

determine that the automatic authorization criterion has not been met;

based on the determination that the automatic authorization criterion has not been met, transmit a respective authorization request to the authorizing party user device;

receive at least one authorization response per transaction request from the authorizing party user device; and

complete the transaction by approving the transaction based on the authorization requirement having been met and based on having received an authorization approval in each of the authorization responses.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for authentication policy orchestration may include a user device, a client device, and a server. The server may include a network interface configured to be communicatively coupled to a network. The server may further include a processor configured to obtain, from a client device via the network, a transaction request for a transaction, determine an authorization requirement for the transaction request based, at least in part, on a plurality of authorization policies, individual ones of the plurality of authorization policies being separately configurable by at least one of a relying party and an authorizing party, and complete the transaction based on the authorization requirement having been met.

68 Citations

View as Search Results

42 Claims

1. A server, comprising:
- a network interface configured to be communicatively coupled to a network utilizing a secure communication protocol;
  
  at least one hardware processor configured to;
  
  direct a plurality of authorization policies which are separately configurable between those received from a relying party policy engine located on the server and those received from an authorizing party policy engine located on a authorizing party user device and control authorization requirements of the authorizing party user device being sent authorization requests;
  
  obtain, from a client device via the network, a transaction request for a transaction;
  
  determine the authorization requirement for the transaction request based on the plurality of authorization policies;
  
  a first policy of the plurality of authorization policies being configurable by the relying party policy engine but not the authorizing party policy engine;
  
  a second policy of the plurality of authorization policies being configurable by the authorizing party policy engine;
  
  a third policy of the plurality of authorization policies being configurable by the authorizing party policy engine, and authorizing completion of the transaction without input from the authorizing party user device based on automatic authorization criterion; and
  
  a fourth policy of the plurality of authorization policies being based on risk factors related to the transaction and configurable by the relying party policy engine or the authorizing party policy engine;
  
  wherein the plurality of authorization policies include;
  
  a status of the authorizing party user device, providing a notification of the transaction, a location of at least one of the client device and the authorizing party user device, a status of the network, and a habit of at least one of the client device and the authorizing party user device;
  
  determine that the automatic authorization criterion has not been met;
  
  based on the determination that the automatic authorization criterion has not been met, transmit a respective authorization request to the authorizing party user device;
  
  receive at least one authorization response per transaction request from the authorizing party user device; and
  
  complete the transaction by approving the transaction based on the authorization requirement having been met and based on having received an authorization approval in each of the authorization responses.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 15, 16)
- - 2. The server of claim 1:
    - wherein the authorization requirement is for authorization of the transaction by the authorizing party user device;
      
      wherein the hardware processor is further configured to transmit, via the network, an authorization request to an other authorizing party user device different from the client device based, at least in part, on the authorization requirement; and
      
      wherein the hardware processor is further configured to complete the transaction based on having received an authorization approval from the other authorizing party user device in response to the authorization request.
  - 3. The server of claim 2, wherein the hardware processor is further configured to complete the transaction by rejecting the transaction upon receiving an authorization rejection in response to the authorization request.
  - 4. The server of claim 1, wherein the plurality of authorization policies include at least two of:
    - requiring multiple other authorizing party devices;
      
      multiple transacting party devices;
      
      multiple client devices;
      
      a transaction amount;
      
      an availability of a security token;
      
      provision of biometric information;
      
      provision of a personal identification number (PIN);
      
      an authorization request message delivery mechanism;
      
      a transaction context;
      
      a transaction risk factor;
      
      proximity;
      
      a timeout;
      
      a serial rejection of preceding transactions; and
      
      a method of providing an authorization response from the authorizing party user device.
  - 5. The server of claim 1, wherein the transaction is at least one of a monetary transaction, an attempt to access a physical location, an attempt to utilize personal information, and an attempt to access electronic data.
  - 6. The server of claim 1, wherein the authorization requirement is for authorization of the transaction by all of a plurality of authorizing party user devices.
  - 7. The server of claim 1, wherein the authorization requirement is for authorization of the transaction by at least one but fewer than all of a plurality of authorizing party user devices.
  - 8. The server of claim 1, wherein the second policy requires a first authorization mechanism for the authorizing party user device and a second authorization mechanism for an other authorizing party user device, the first authorization mechanism being different from the second authorization mechanism.
  - 9. The server of claim 1, wherein the hardware processor is further configured to:
    - determine that an authorization is not required by the authorizing party user device; and
      
      transmit a notification of the transaction to the authorizing party user device based on authorization not being required by the authorizing party user device.
  - 10. The server of claim 1, wherein at least one of the first, second, and third policies specifies at least one of a predetermined transacting party and a predetermined client device and wherein the hardware processor is configured to automatically reject the transaction based on a transacting party and/or a client device related to the transaction not being the at least one of the predetermined transacting party and the predetermined client device.
  - 11. The server of claim 1, wherein an authorizing party input to meet the authorization requirement for the authorization approval is stored on the authorizing party user device.
  - 12. The server of claim 11, wherein an authorizing party input is one from the group consisting of:
    - biometric, habits, and PIN code stored on the authorizing party user device.
  - 13. The server of claim 1, wherein the first, second or third policy is a context policy.
  - 15. The server of claim 1, wherein the plurality of authorization policies require multiple authorizing party user devices.
  - 16. The server of claim 1, wherein the first, second or the third policy is a context policy and the plurality of authorization policies require multiple authorizing party user devices.

14. The server of aim 1, wherein the first, second or third policy is a habit policy.

17. A system, comprising:
- a network interface configured to be communicatively coupled to a network utilizing a secure communication protocol;
  
  a hardware processor to execute a policy engine configured to;
  
  direct a plurality of authorization policies which are separately configurable between those received from a relying party policy engine located on a server and those received from an authorizing party policy engine located on an authorizing party user device and control authorization requirements of the authorizing party user device being sent authorization requests;
  
  obtain, from a client device via the network, a transaction request for a transaction; and
  
  determine the authorization requirement for the transaction request based on the plurality of authorization policies;
  
  a hardware-implemented information engine comprising a processor and instructions executing on the processor, configured to receive a configuration of at least one of the plurality of authorization policies;
  
  a first policy of the plurality of authorization policies being configurable by the relying party server policy engine but not the authorizing party policy engine;
  
  a second policy of the plurality of authorization policies being configurable by the authorizing party policy engine, the first policy taking precedence over the second policy; and
  
  a third policy of the plurality of authorization policies being configurable by the authorizing party policy engine, and authorizing completion of the transaction without input from the authorizing party based on an automatic authorization criterion; and
  
  a fourth policy of the plurality of authorization policies being based on risk factors related to the transaction and configurable by the relying party policy engine or the authorizing party policy engine;
  
  wherein the plurality of authorization policies include;
  
  a status of the authorizing party user device, providing a notification of the transaction, a location of at least one of the client device and the authorizing party user device, a status of the network, and a habit of at least one of the client device and the authorizing party user devicewherein the information engine is further configured to;
  
  determine that the automatic authorization criterion has not been met;
  
  based on the determination that the automatic authorization criterion has not been met, transmit a receptive authorization request to the authorizing party user device; and
  
  receive at least one authorization response per transaction request from the authorizing party user device; and
  
  a hardware-implemented transaction engine comprising a processor and instructions executing on the processor, configured to complete the transaction based on the authorization requirement having been met.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25)
- - 18. The system of claim 17, wherein:
    - the authorization requirement is for authorization of the transaction by the authorizing party user device,the hardware-implemented information engine is configured to transmit, via the network, an authorization request to an other authorizing party user device which is different from the client device based, at least in part, on the authorization requirement;
      
      wherein the hardware-implemented transaction engine is further configured to complete the transaction based on having received an authorization approval from the other authorizing party user device in response to the authorization request.
  - 19. The system of claim 18, wherein the hardware-implemented transaction engine is further configured to complete the transaction by rejecting the transaction upon receiving an authorization rejection in response to the authorization request.
  - 20. The system of claim 17, wherein the plurality of authorization policies include at least two of:
    - requiring multiple authorizing party devices;
      
      multiple transacting party devices;
      
      multiple client devices;
      
      a transaction amount;
      
      an availability of a security token;
      
      provision of biometric information;
      
      provision of a personal identification number (PIN);
      
      an authorization request message delivery mechanism;
      
      proximity;
      
      a timeout;
      
      a serial rejection of preceding transactions;
      
      a transaction risk factor; and
      
      a method of providing an authorization response from the authorizing party user device.
  - 21. The system of claim 17, wherein the authorization requirement is for authorization of the transaction by all of a plurality of authorizing party user devices.
  - 22. The system of claim 17, wherein the authorization requirement is for authorization of the transaction by at least one but fewer than all of a plurality of authorizing party user devices.
  - 23. The system of claim 17, wherein the second policy requires a first authorization mechanism for the first authorizing party device and a second authorization mechanism for an other authorizing party user device, the first authorization mechanism being different from the second authorization mechanism.
  - 24. The system of claim 17, wherein the information engine is further configured to:
    - determine that an authorization is not required by the authorizing party user device; and
      
      transmit a notification of the transaction to the authorizing party user device based on authorization not being required by the authorizing party user device.
  - 25. The system of claim 17, wherein at least one of the first, second, and third policies specifies at least one of a predetermined transacting party and a predetermined client device and wherein the information engine is configured to automatically reject the transaction based on a transacting party and/or a client device related to the transaction not being the at least one of the predetermined transacting party and the predetermined client device.

26. An authorizing party user device, comprising:
- a network interface configured to be communicatively coupled to a network;
  
  a hardware processor configured to obtain, from a server via the network utilizing a secure communication protocol, an authorization request associated with a transaction request for a transaction, the authorization request being based, on a plurality of authorization policies, individual ones of the plurality of authorization policies being separately configurable by at least one of a relying party policy engine located on the server and an authorizing party policy engine located on an authorizing party user device,a first policy of the plurality of authorization policies being configurable by the relying party policy engine but not the authorizing party policy engine;
  
  a second policy of the plurality of authorization policies being configurable by the authorizing party policy engine;
  
  a third policy of the plurality of authorization policies being configurable by the authorizing party policy engine, and authorizing completion of the transaction without input from the authorizing party user device based on an automatic authorization criterion; and
  
  a fourth policy of the plurality of authorization policies being based on risk factors related to the transaction and configurable by the relying party policy engine or the authorizing party policy engine;
  
  wherein the plurality of authorization policies include;
  
  a status of the authorizing party user device,providing a notification of a transaction,a location of the authorizing party user device,a status of the network, anda habit of the authorizing party user device;
  
  determine that the automatic authorization criterion has not been met; and
  
  based on the determination that the automatic authorization criterion has not been met, transmit a respective authorization request to the authorizing party user device;
  
  a user interface configured to;
  
  display information associated with the authorization request; and
  
  obtain an authorization response from the authorizing party user device;
  
  wherein the hardware processor is configured to transmit the authorization response to the relying party server via the network interface based on having received an authorization approval in each of the authorization responses.
- View Dependent Claims (27, 28, 29, 30, 31, 32, 33)
- - 27. The user device of claim 26, wherein the user interface is further configured to obtain a configuration of at least one of the authorization policies from the authorizing party user device, wherein the authorization request is based on the plurality of authorization policies, as configured.
  - 28. The user device of claim 26, wherein the plurality of authorization policies include at least two of:
    - requiring multiple authorizing party devices;
      
      multiple transacting party devices;
      
      multiple client devices;
      
      a transaction amount;
      
      an availability of a security token;
      
      provision of biometric information;
      
      provision of a personal identification number (PIN);
      
      an authorization request message delivery mechanism;
      
      proximity;
      
      a timeout;
      
      a serial rejection of preceding transactions;
      
      a transaction risk factor; and
      
      a method of providing an authorization response from the authorizing party user device.
  - 29. The user device of claim 26, wherein the authorization requirement is for authorization of the transaction by all of a plurality of authorizing party user devices.
  - 30. The user device of claim 26, wherein the authorization requirement is for authorization of the transaction by at least one but fewer than all of a plurality of authorizing party user devices.
  - 31. The user device of claim 26, wherein the second policy requires a first authorization mechanism for first authorization party and a second authorization mechanism for a second authorization party, the first authorization mechanism being different from the second authorization mechanism.
  - 32. The user device of claim 26, wherein the hardware processor is further configured to:
    - determine that an authorization is not required by the authorizing party user device; and
      
      transmit a notification of the transaction to the authorizing party user device based on authorization not being required by the authorizing party user device.
  - 33. The authorizing party user device of claim 26, wherein at least one of the first, second, and third policies specifies at least one of a predetermined transacting party and a predetermined client device and wherein the hardware processor is configured to automatically reject the transaction based on a transacting party and/or a client device related to the transaction not being the at least one of the predetermined transacting party and the predetermined client device.

34. A method, comprising:
- obtaining, from a client device via a network, a transaction request for a transaction;
  
  directing a plurality of authorization policies which are separately configurable between those received from a relying party policy engine located on a server and those received from an authorizing party policy engine located on an authorizing party user device and controlling authorization requirements of the authorizing party user device being sent authorization requests, wherein a first policy of the plurality of authorization policies being configurable by the relying party policy engine but not the authorizing party policy engine, a second policy of the plurality of authorization policies being configurable by the authorizing party policy engine, a third policy of the plurality of authorization policies being configurable by the authorizing party policy engine, and authorizing completion of the transaction without input from the authorizing party user device based on an automatic authorization criterion, and a fourth policy of the plurality of authorization policies being based on risk factors related to the transaction and configurable by the relying party policy engine or the authorizing party policy engine;
  
  wherein the plurality of authorization policies include;
  
  a status of the authorizing party user device, providing a notification of the transaction, a location of at least one of the client device and the authorizing party user device, a status of the secure network, and a habit of at least one of the client device and the authorizing party user device;
  
  determining that the automatic authorization criterion has not been met;
  
  based on the determination that the automatic authorization criterion has not been met, transmitting a respective authorization request to the authorizing party user device;
  
  receiving at least one authorization response per transaction request from the authorizing party user device through a secure communication protocol; and
  
  completing, with a hardware processor at the relying party server, the transaction by approving the transaction based on the authorization requirement having been met and based on having received an authorization approval in each of the authorization responses.
- View Dependent Claims (35, 36, 37, 38, 39, 40, 41, 42)
- - 35. The method of claim 34, wherein the authorization requirement is for authorization of the transaction by the authorizing party user device, and further comprising:
    - transmitting, via the network, an authorization request to an other authorizing party user device different from the client device based, at least in part, on the authorization requirement;
      
      wherein completing the transaction is based on having received an authorization approval from the other authorizing party user device in response to the authorization request.
  - 36. The method of claim 35, wherein completing the transaction is by rejecting the transaction upon receiving an authorization rejection in response to the authorization request.
  - 37. The method of claim 34, wherein the plurality of authorization policies include at least two of:
    - requiring multiple authorizing party devices;
      
      multiple transacting party devices;
      
      multiple client devices;
      
      a transaction amount;
      
      an availability of a security token;
      
      provision of biometric information;
      
      provision of a personal identification number (PIN);
      
      an authorization request message delivery mechanism;
      
      a transaction context;
      
      proximity;
      
      a transaction risk factor; and
      
      a method of providing an authorization response from the authorizing party user device.
  - 38. The method of claim 34, wherein the authorization requirement is for authorization of the transaction by all of a plurality of authorizing party user devices.
  - 39. The method of claim 34, wherein the authorization requirement is for authorization of the transaction by at least one but fewer than all of a plurality of authorizing party user devices.
  - 40. The method of claim 34, wherein the second policy requires a first authorization mechanism for the first authorizing party user device and a second authorization mechanism for an other authorizing party user device, the first authorization mechanism being different from the second authorization mechanism.
  - 41. The method of claim 34, further comprising:
    - determining that an authorization is not required by the authorizing party user device; and
      
      transmitting a notification of the transaction to the authorizing party user device based on authorization not being required by the authorizing party user device.
  - 42. The method of claim 34, wherein at least one of the first, second, and third policies specifies at least one of a predetermined transacting party and a predetermined client device and further comprising automatically rejecting the transaction based on a transacting party and/or a client device related to the transaction not being the at least one of the predetermined transacting party and the predetermined client device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SecureAuth Incorporated
Original Assignee
Acceptto Corporation
Inventors
Shahidzadeh, Nahal, Akkary, Haitham
Primary Examiner(s)
Homayounmehr, Farid
Assistant Examiner(s)
LWIN, MAUNG T

Application Number

US14/444,865
Publication Number

US 20150033286A1
Time in Patent Office

757 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06Q 20/401   Transaction verification

G06Q 20/4014   Identity check for transact...

G06Q 20/405   Establishing or using trans...

H04L 2463/102   applying security measure f...

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

H04L 63/205   involving negotiation or de...

Authentication policy orchestration for a user device

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

68 Citations

42 Claims

Specification

Solutions

Use Cases

Quick Links

Authentication policy orchestration for a user device

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

68 Citations

42 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links