System and method for identity recognition and affiliation of a user in a service transaction
First Claim
1. A method of providing authoritative identity recognition of a user at a device to an accessed service for authentication including a client application, a device agent, a service agent, a broker agent, a broker service, a user service authentication code (SAC), a device asset identification number (AIN), an account number, a pre-authentication token, and a one-time user token, the method comprising:
registering, of the user with the broker agent, to create a password and a user identification code (UIC) for the user, linked to the account number associated with a group of users;
registering, by the user at the device with the broker agent, the device to create a device profile comprising of at least the received unique device identifiers required to generate a device watermark and a device pre-shared key, and to create a device AIN for the device;
registering, by the user, a plurality of services with the broker agent using service profiles, wherein a service profile comprises of a service principal name (SPN), a username associated with the SPN, a password, and a device AIN, and further wherein the password is encrypted at the device using the device watermark and the user SAC;
storing, by the broker agent, in a broker repository, the registered user, device, and service profiles;
accessing, by the user at the device, a service, wherein the device agent is executing on the device and the service agent is executing on the accessed service;
clicking, by the user, on a service icon displayed by the client application on the device via the service agent of the accessed service to provide consent for identity recognition;
prompting, by the client application, to receive the user SAC from the user;
generating, by the device agent for the client application, a user token request containing the device AIN, the account number, a timestamp, a digital signature generated using the device watermark and the timestamp, the service principal name, the username associated with the SPN, and optionally a received digitally signed service identifier via the service agent;
sending the generated user token request by the device agent to the broker agent;
processing the received user token request by the broker agent to generate a one-time user token linked to the accessed service, comprising of the encrypted password or a pre-authentication token issued for the user by the accessed service to the broker agent using the username and a secret key;
sending the generated one-time user token by the broker agent to the device agent;
decrypting, by the device agent at the device, the encrypted password in the received one-time user token using the device watermark and the user SAC;
forwarding, by the device agent, the decrypted password or the pre-authentication token with the one-time user token, via the client application, to the service agent of the accessed service;
verifying, by the service agent of the accessed service with the broker agent, the one-time user token received from the client application;
authenticating, by the accessed service, the user based on the received password or pre-authentication token included with the verified one-time user token; and
notifying the user, by the broker agent, of successful and failed authentication attempts to access the service from the device.
Abstract
The method integrates the dynamic and authoritative posture of an authenticated user, a registered device, and a registered service provider as a conclusive proof of identity recognition for affiliation of associated contextual attribution and referential integrity. In addition to relieving the user of the burden of remembering multiple passwords for a plurality of services, the method provides a means to facilitate an affiliation oriented architecture for a broad spectrum of web and cloud based services with affiliation aware content streaming, leveraging the affiliation score as a key trust metric. The method provides protection from user-agnostic delegation and impersonation of identity, social engineering, and compromised passwords, which are exploited by numerous strains of landed malware to launch multi-stage coordinated cyber-attacks on consumer accounts and enterprise systems. The method of affiliation based on identity recognition provides authoritative, contextual, and consensual user information, of relevance in a live transaction, to the service provider.
12 Claims
7. A method of providing an affiliation score along with component scores and affiliation attributes for a user at a device to an accessed service with or without requiring authentication including a client application, a device agent, a service agent, a broker agent, a broker service, a user personal identification code (PIC), a device asset identification number (AIN), an account number, a pre-authentication token, a one-time user token, and a plurality of data providers, the method comprising:
registering, of the user with the broker agent, to create a password and a user identification code (UIC) for the user, linked to the account number associated with a group of users;
registering, by the user at the device with the broker agent, the device to create a device profile comprising of at least the received unique device identifiers required to generate a device watermark, a device pre-shared key, and to create a device AIN for the device;
registering, by the user, a plurality of services with the broker agent, using service profiles, wherein a service profile comprises of a service principal name (SPN), a username associated with the SPN, a password, and a device AIN, and further wherein the password is encrypted at the device using the device watermark and the user SAC;
storing, by the broker agent, in a broker repository, the registered user, device, and service profiles;
accessing, by the user at the device, a service, wherein the device agent is executing on the device and the service agent is executing on the accessed service;
clicking, by the user, on a service icon displayed by the client application on the device via the service agent of the accessed service to provide consent for identity affiliation;
prompting, by the client application, to receive the user SAC or the user's UIC from the user;
generating, by the device agent for the client application, a user token request containing at least the device AIN, the account number, a timestamp, a digital signature generated using the device watermark and the timestamp, the service principal name (SPN), the username associated with the SPN where the accessed service requires authentication or the user's UIC encrypted using the device pre-shared key where the accessed service requires no authentication, and a received digitally signed service identifier via the service agent;
sending the generated user token request by the device agent to the broker agent;
processing the received user token request by the broker agent to generate a one-time user token linked to the accessed service comprising the affiliation score, component scores, affiliation attributes, and optionally the encrypted password or a pre-authentication token issued for the user by the accessed service to the broker agent using the username and a secret key;
sending the generated one-time user token by the broker agent to the device agent;
decrypting, by the device agent at the device, the encrypted password in the received one-time user token using the device watermark and the user SAC;
forwarding, by the device agent, the decrypted password or the pre-authentication token with the one-time user token, via the client application, to the service agent of the accessed service;
verifying, by the service agent of the accessed service with the broker agent, the one-time user token received from the client application;
authenticating, by the accessed service, the user based on the received password or pre-authentication token included with the verified one-time user token;
notifying the user, by the broker agent, of successful and failed authentication attempts to access the service from the device; and
personalization of content and services, by the accessed service, based on the received affiliation score, component scores, and affiliation attributes included with the verified one-time user token.