Service channel authentication processing hub

US 9,548,997 B2
Filed: 02/12/2016
Issued: 01/17/2017
Est. Priority Date: 05/19/2014
Status: Active Grant

First Claim

Patent Images

1. An apparatus comprising:

at least one memory device;

at least one processor coupled to the at least one memory device and configured to perform, based on instructions stored in the at least one memory device;

receiving a service request over a first service channel from a user device, wherein the first service channel is one of a plurality of service channels and the service request includes an authentication token and a received set of attributes of the user device;

extracting, from the received authentication token, a signed set of attributes of an authenticated device when the authentication token was created;

comparing the received set of attributes with the signed set of attributes to obtain an authentication indicator;

when the authentication indicator is indicative that the received set of attributes and the signed attributes do not match, denying the service request;

when the authentication indicator is indicative that the received set of attributes and the signed attributes match, extracting an initial level of authentication from the authentication token, wherein the initial level of authentication is one of a plurality of authentication levels;

when the initial level of authentication is not sufficient for the first service channel, generating a challenge message to the user device requesting a further authentication information based on at least one additional authenticator;

determining an achieved level of authentication based on the initial level of authentication and the further authentication information; and

when the achieved level of authentication is at least as great as a first target authentication level for the first service channel, continue processing the service request by the first service channel.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer system receives a service request over a service channel from a user device, initiates a challenge to the user device to provide authentication information based on a set of authenticators, and determines an initial level of authentication. When the initial level of authentication is not sufficient for the service channel or protected resource, the apparatus generates a challenge to the user device with at least one additional authenticator and determines an achieved level of authentication based on the further authentication information. When the achieved level of authentication reaches a target authentication level for the service channel, the apparatus continues processing the service request by the service channel. The computer may transfer the service request to another service channel with the authentication token obtained on the original service channel and further challenges the user device with additional authenticators when a higher level of authentication is necessary.

134 Citations

20 Claims

1. An apparatus comprising:
- at least one memory device;
  
  at least one processor coupled to the at least one memory device and configured to perform, based on instructions stored in the at least one memory device;
  
  receiving a service request over a first service channel from a user device, wherein the first service channel is one of a plurality of service channels and the service request includes an authentication token and a received set of attributes of the user device;
  
  extracting, from the received authentication token, a signed set of attributes of an authenticated device when the authentication token was created;
  
  comparing the received set of attributes with the signed set of attributes to obtain an authentication indicator;
  
  when the authentication indicator is indicative that the received set of attributes and the signed attributes do not match, denying the service request;
  
  when the authentication indicator is indicative that the received set of attributes and the signed attributes match, extracting an initial level of authentication from the authentication token, wherein the initial level of authentication is one of a plurality of authentication levels;
  
  when the initial level of authentication is not sufficient for the first service channel, generating a challenge message to the user device requesting a further authentication information based on at least one additional authenticator;
  
  determining an achieved level of authentication based on the initial level of authentication and the further authentication information; and
  
  when the achieved level of authentication is at least as great as a first target authentication level for the first service channel, continue processing the service request by the first service channel.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The apparatus of claim 1, wherein the at least one processor is further configured to perform:
    - transferring the service request to a second service channel, wherein the plurality of service channels includes the second service channel and wherein the second service channel is different than the first service channel;
      
      when a second target authentication level for the second service channel is greater than the achieved level of authentication, generating a third challenge message to the user device requesting additional authentication information based on another authenticator; and
      
      when the additional authentication is validated, processing the service request on the second service channel.
  - 3. The apparatus of claim 1, wherein the at least one processor is further configured to perform:
    - recommending the other authenticator from the plurality of authenticators.
  - 4. The apparatus of claim 3, wherein the at least one processor is further configured to perform:
    - recommending an alternative authenticator when the other authenticator is not available.
  - 5. The apparatus of claim 1, wherein the at least one processor is further configured to perform:
    - mapping the plurality of service channels to the plurality of authentication levels.
  - 6. The apparatus of claim 1, wherein the at least one processor is further configured to perform:
    - obtaining a list of passed authenticators and failed authenticators, wherein a correct response was received from the user device for the passed authenticators and an incorrect response was received from the user device for the failed authenticators.
  - 7. The apparatus of claim 1, wherein the at least one processor is further configured to perform:
    - mapping the plurality of authentication levels to a plurality of authenticator combinations.
  - 8. The apparatus of claim 1, the at least one processor is further configured to perform:
    - accessing a first protected resource through the first service channel; and
      
      when a required authentication level for the first protected resource is not reached, generating a fourth challenge message to the user device requesting additional authentication information until the required authentication level is reached.
  - 9. The apparatus of claim 8, the at least one processor is further configured to perform:
    - accessing a second protected resource through the first service channel, wherein the second protected resource has a different authentication level from the required authentication level for the first protected resource.
  - 10. The apparatus of claim 9, wherein the at least one processor is further configured to perform:
    - mapping a plurality of protected resources to the plurality of authentication levels, wherein the plurality of protected resources includes the first protected resource and the second protected resource.
  - 11. The apparatus of claim 1, wherein the at least one processor is further configured to perform:
    - inserting the achieved level of authentication in the authentication token; and
      
      returning the authentication token to the user device.

12. A computer-assisted method for authenticating a user device, the method comprising:
- receiving a service request over a first service channel from a user device, wherein the first service channel is one of a plurality of service channels and the service request includes an authentication token and a received set of attributes of the user device;
  
  extracting, from the received authentication token, a signed set of attributes of an authenticated device when the authentication token was created;
  
  comparing the received set of attributes with the signed set of attributes to obtain an authentication indicator;
  
  when the authentication indicator is indicative that the received set of attributes and the signed attributes do not match, denying the service request;
  
  when the authentication indicator is indicative that the received set of attributes and the signed attributes match, extracting an initial level of authentication from the authentication token, wherein the initial level of authentication is one of a plurality of authentication levels;
  
  when the initial level of authentication is not sufficient for the first service channel, generating a challenge message to the user device requesting a further authentication information based on at least one additional authenticator;
  
  determining an achieved level of authentication based on the initial level of authentication and the further authentication information; and
  
  when the achieved level of authentication is at least as great as a first target authentication level for the first service channel, continue processing the service request by the first service channel.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The method of claim 12, further comprising:
    - transferring the service request to a second service channel, wherein the plurality of service channels includes the second service channel and wherein the second service channel is different than the first service channel; and
      
      when a second target authentication level for the second service channel is greater than the achieved level of authentication, generating a third challenge message to the user device requesting additional authentication information based on at least another authenticator.
  - 14. The method of claim 12, further comprising:
    - recommending a combination of authenticators from the plurality of authenticators, wherein the combination has an assigned level of authentication; and
      
      when all of the authenticators in the combination from the user device are validated, assigning the assigned level of authentication to the user device.
  - 15. The method of claim 14, wherein the assigned level of authentication is greater than an associated level of authentication of each of authenticators in the combination.
  - 16. The method of claim 12, wherein the service request includes an authentication token, the method further comprising:
    - obtaining a list of passed authenticators and failed authenticators, wherein a correct response was received from the user device for the passed authenticators and an incorrect response was received from the user device for the failed authenticators.
  - 17. The method of claim 12, wherein the service request includes an authentication token, the method further comprising:
    - accessing a first protected resource through the first service channel; and
      
      when a required authentication level for the first protected resource is not reached, generating a third challenge message to the user device requesting additional authentication information until the required authentication level is reached.

18. A non-transitory computer-readable storage medium storing computer-executable instructions that, when executed, cause a processor at least to perform operations comprising:
- receiving a service request over a first service channel from a user device, wherein the first service channel is one of a plurality of service channels and the service request includes an authentication token and a received set of attributes of the user device;
  
  extracting, from the received authentication token, a signed set of attributes of an authenticated device when the authentication token was created;
  
  comparing the received set of attributes with the signed set of attributes to obtain an authentication indicator;
  
  when the authentication indicator is indicative that the received set of attributes and the signed attributes do not match, denying the service request;
  
  when the authentication indicator is indicative that the received set of attributes and the signed attributes match, extracting an initial level of authentication from the authentication token, wherein the initial level of authentication is one of a plurality of authentication levels;
  
  when the initial level of authentication is not sufficient for the first service channel, generating a challenge message to the user device requesting a further authentication information based on at least one additional authenticator;
  
  determining an achieved level of authentication based on the initial level of authentication and the further authentication information; and
  
  when the achieved level of authentication is at least as great as a first target authentication level for the first service channel, continue processing the service request by the first service channel.
- View Dependent Claims (19, 20)
- - 19. The non-transitory computer-readable storage medium of claim 18, wherein the computer-executable instructions, when executed, cause the processor to perform:
    - recommending a combination of authenticators from the plurality of authenticators, wherein the combination has an associated level of authentication; and
      
      when all of the authenticators in the combination from the user device are validated, assigning the associated level of authentication to the user device.
  - 20. The non-transitory computer-readable storage medium of claim 18, wherein the computer-executable instructions, when executed, cause the processor to perform:
    - transferring the service request to a second service channel, wherein the plurality of service channels includes the second service channel and wherein the second service channel is different than the first service channel; and
      
      when a second target authentication level for the second service channel is greater than the achieved level of authentication, generating a third challenge message to the user device requesting additional authentication information based on at least another authenticator.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Bank of America Corp.
Original Assignee
Bank of America Corp.
Inventors
Keys, Andrew T., Pruthi, Kapil, Zhang, Xianhong, Pender, Mark A., Carpenter, Daniel Lynn
Primary Examiner(s)
To, Baotran N

Application Number

US15/042,669
Publication Number

US 20160164921A1
Time in Patent Office

340 Days
Field of Search

726/1, 726/3, 726/9
US Class Current

1/1
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0838   using one-time-passwords

H04L 63/0853   using an additional device,...

H04L 63/0861   using biometrical features,...

H04L 63/0876   based on the identity of th...

H04L 63/105   Multiple levels of security

H04L 63/20   for managing network securi...

Service channel authentication processing hub

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

134 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Service channel authentication processing hub

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

134 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others