Fallback identity authentication techniques

US 9,781,105 B2
Filed: 05/04/2015
Issued: 10/03/2017
Est. Priority Date: 05/04/2015
Status: Active Grant

First Claim

Patent Images

1. A system for authorizing access of a user device to a service provider (SP) server, comprising:

an authentication server computer device including at least one computer processor operatively connected to a computer memory and configured to;

responsive to a request to authenticate an identity of a user attempting to access the SP server via a first user device (UD), transmit a notification request to a notification server to cause the notification server to send a notification, including a token, to a second UD such that upon receipt of the notification the second UD sends data indicative of the token to the authentication server computer device, the notification server being physically distinct from the authentication server computer device;

responsive to a failure to receive the data indicative of the token from the second UD within a timeout limit, send instructions to the first UD to make the second UD ready for communicating with the authentication server computer device;

responsive to receiving information from the first UD indicating that the second UD is unavailable for communicating with the authentication server computer device, send instructions to the first UD such that the first UD displays instructions related to an authentication operation using a colleague UD and not including the second UD;

initiate the authentication operation, the authentication operation including a challenge presented on the colleague UD to be completed by the user to be granted access to the SP server;

determine an authorization-recommendation at least partly based on a response to the authentication operation received from the colleague UD; and

provide the authorization-recommendation to the SP server.

View all claims

15 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The presently disclosed subject matter includes a system, a method and a non-transitory program storage device configured for authorizing access of a user device to a service provider server. Responsive to a request to authenticate the identity of a user attempting to access an SP server via a user device (UD), an authentication server is configured to initiate at least one authentication operation using a second UD; in the event of a failure to receive a response to the at least one authentication operation from the second UD, the authentication server is configured to proceed according to an alternative authentication method which does not involve the second UD.

Citations

32 Claims

1. A system for authorizing access of a user device to a service provider (SP) server, comprising:
- an authentication server computer device including at least one computer processor operatively connected to a computer memory and configured to;
  
  responsive to a request to authenticate an identity of a user attempting to access the SP server via a first user device (UD), transmit a notification request to a notification server to cause the notification server to send a notification, including a token, to a second UD such that upon receipt of the notification the second UD sends data indicative of the token to the authentication server computer device, the notification server being physically distinct from the authentication server computer device;
  
  responsive to a failure to receive the data indicative of the token from the second UD within a timeout limit, send instructions to the first UD to make the second UD ready for communicating with the authentication server computer device;
  
  responsive to receiving information from the first UD indicating that the second UD is unavailable for communicating with the authentication server computer device, send instructions to the first UD such that the first UD displays instructions related to an authentication operation using a colleague UD and not including the second UD;
  
  initiate the authentication operation, the authentication operation including a challenge presented on the colleague UD to be completed by the user to be granted access to the SP server;
  
  determine an authorization-recommendation at least partly based on a response to the authentication operation received from the colleague UD; and
  
  provide the authorization-recommendation to the SP server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The system according to claim 1, wherein the notification is sent to the second UD to cause the second UD to be ready to receive a challenge from the authentication server computer device;
    - wherein following sending of the instructions to the first UD to make the second UD ready for communicating with the authentication server computer device, the authentication server computer device is configured to send the challenge to the second UD via a pathway excluding the notification server, to be completed at the second UD, to assist in authenticating the user.
  - 3. The system according to claim 2, wherein upon successful completion of the challenge, the authentication server computer device is configured to:
    - provide the first UD with partial access to the SP server responsive to completion of the challenge;
      
      repeatedly initiate attempts to send the notification to the second UD via the notification server; and
      
      provide the first UD with full access once a response to the notification is received from the second UD at the authentication server computer device.
  - 4. The system according to claim 2, wherein the authentication server computer device is configured in case of a failure to receive a response to the challenge, to send instructions to the first UD requesting to use an authentication method operated locally on the second UD.
  - 5. The system according to claim 4, wherein the authentication server computer device is configured to send challenge-related data to be displayed on the first UD;
    - wherein the challenge-related data is required to enable the authentication method operated locally on the second UD.
  - 6. The system according to claim 1, wherein the authentication operation includes instructions to input in the colleague UD login credentials of the user.
  - 7. The system according to claim 1, wherein the authentication operation includes instructions to input in the colleague UD login credentials of the user and login credentials of the colleague.
  - 8. The system according to claim 1, wherein the authentication server computer device is configured to send challenge-related data to be displayed on the first UD;
    - wherein the challenge-related data is required to complete the challenge.
  - 9. The system according to claim 8, wherein the challenge-related data includes at least one QR code to be scanned by the colleague UD.
  - 10. The system according to claim 1, wherein the authentication server computer device includes an image processor;
    - the authentication operation includes a challenge including instructions to capture at least one selfie of both the user and the colleague;
      
      the image processor is configured to compare the at least one selfie with one or more previously-stored selfies and determine a degree of similarity between the selfie and the one or more previously-stored selfies, and provide the authorization-recommendation based on the degree of similarity.
  - 11. The system according to claim 10, wherein the instructions to capture the at least one selfie further include instructions to request that one or both of the colleague and user perform one or more of:
    - gesture at least one specified gesture while capturing the at least one selfie; and
      
      display a certain object while capturing the at least one selfie.
  - 12. The system according to claim 1, wherein the authentication server computer device is configured to transmit the notification request to the notification server to cause the notification server to cause a challenge to be presented on a colleague UD to be completed by the user to be granted access to the SP server, wherein the challenge includes instructions requesting the user to speak into a microphone of the colleague UD to obtain a recorded speech;
    - the authentication server computer device includes a voice recognition processor configured to determine a degree of similarity between the recorded speech and previously-recorded speech, wherein an authorization-recommendation is provided based on the degree of similarity between recorded speech received in response to the challenge including instructions requesting the user to speak into the microphone of the colleague UD, and the previously-recorded speech.
  - 13. The system according to claim 1, wherein, in response to a failure to receive a response to the notification from the second UD, the authentication server computer device is configured to:
    - cause a query to be displayed on the first UD, the query asking whether the second UD is available for communicating with the authentication server computer device; and
      
      receive from first UD information indicating whether the second UD is available or not.
  - 14. The system according to claim 1, wherein the sending of data indicative of the token to the authentication server computer device by the second UD device is performed without user input.
  - 15. The system according to claim 1, wherein the instructions sent to the first UD to make the second UD ready for communication with the authentication server computer device include instructions to make an authentication application on the second UD operative for initiating communicating with the authentication server computer device.

16. A computerized method of authorizing access of a first user device to a service provider (SP) server, comprising:
- at an authentication server computer device;
  
  responsive to a request to authenticate the identity of a user attempting to access the SP server via the first user device (UD), transmit a notification request to a notification server to cause the notification server to send a notification, including a token, via a first communication channel to a second UD such that upon receipt of the notification the second UD sends data indicative of the token to the authentication server computer device via a second communication channel, the first communication channel being distinct from the second communication channel, the second communication channel excluding the notification server;
  
  in response to a failure to receive the data indicative of the token from the second UD within a timeout limit, performing at least the following operations;
  
  sending instructions to the first UD to make the second UD ready to communicate with the authentication server computer device, andresponsive to receiving information from the first UD indicating that the second UD is unavailable to communicate with the authentication server computer device, sending instructions to the first UD such that the first UD displays instructions related to an authentication operation using a colleague UD and method not including the second UD;
  
  initiating the authentication operation, the authentication operation including a challenge presented on the colleague UD to be completed by the user to be granted access to the SP server;
  
  determining an authorization-recommendation at least partly based on a response to the authentication operation received from the colleague UD; and
  
  providing the authorization-recommendation to the SP server.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31)
- - 17. The computerized method according to claim 16, wherein the notification is sent to the second UD to cause the second UD to be ready to receive one or more challenges, the method further comprisingwherein following sending instructions to the first UD to make the second UD ready to communicate with the authentication server computer device, sending a challenge by the authentication server computer device to the second UD via the second communication channel to be completed by the user to be granted access to the SP server.
  - 18. The computerized method according to claim 17, further comprising, upon completion of the challenge:
    - providing the first UD with partial access to the SP server responsive to completion of the challenge;
      
      repeatedly initiating attempts to send the notification to the second UD via the notification server; and
      
      providing the first UD with full access once a response to the notification is received from the second UD.
  - 19. The computerized method according to claim 18, further comprising:
    - in case of a failure to receive a response to the challenge, requesting the first UD to use an authentication method operated locally on the second UD.
  - 20. The computerized method according to claim 19, further comprising:
    - sending challenge-related data to be displayed on the first UD, the challenge-related data being required to enable said authentication method operated locally on the second UD.
  - 21. The computerized method according to claim 16, wherein the authentication operation using the colleague UD includes instructions to input in the colleague UD login credentials of the user.
  - 22. The computerized method according to claim 16, wherein the authentication operation using the colleague UD includes instructions to input in the colleague UD login credentials of the user and login credentials of the colleague.
  - 23. The computerized method according to claim 16, further comprising sending challenge-related data to be displayed on the first UD, the challenge-related data being required to complete the challenge.
  - 24. The computerized method according to claim 23, wherein the challenge-related data includes at least one QR code to be scanned by the colleague UD to obtain data needed to respond to the challenge.
  - 25. The computerized method according to claim 16, wherein the challenge includes instructions to capture at least one selfie of the colleague and the user;
    - the method further comprising;
      
      comparing the at least one selfie with one or more previously-stored selfies;
      
      determining a degree of similarity between the selfie and the one or more previously-stored selfies; and
      
      providing the authorization-recommendation based on the degree of similarity between the selfie and the one or more previously-stored selfies.
  - 26. The computerized method according to claim 25, wherein the instructions request that one or both of the colleague and user perform one or more of:
    - gesture at least one specified gesture while capturing the at least one selfie; and
      
      display a certain object while capturing the at least one selfie.
  - 27. The computerized method according to claim 16, wherein the authentication operation using the colleague UD includes a challenge presented on a colleague UD to be completed by the user to be granted access to the SP server;
    - the challenge includes instructions requesting the user to speak into a microphone of the colleague UD to obtain recorded speech;
      
      the method further comprising;
      
      determining a degree of similarity between the recorded speech and previously-recorded speech; and
      
      providing an authorization-recommendation based on the degree of similarity between the recorded speech and the previously-recorded speech.
  - 28. The computerized method according to claim 16, further comprising:
    - in response to a failure to receive a response to the notification from the second UD, causing a query to be displayed on the first UD;
      
      the query asking whether the second UD is available for communicating with the authentication server computer device; and
      
      receiving from the first UD the information indicating whether the second UD is available or not.
  - 29. The computerized method according to claim 16, wherein the sending the instructions to the first UD to make the second UD ready for communicating with the authentication server computer device is responsive to receiving information indicating that the second UD is available to communicate with the authentication server computer device.
  - 30. The computerized method according to claim 16, wherein the sending of data indicative of the token to the authentication server computer by the second UD device is performed without user input.
  - 31. The computerized method according to claim 16, wherein the instructions sent to the first UD to make the second UD ready for communication with the authentication server computer device include instructions to make an authentication application on the second UD operative for initiating communication with the authentication server computer device.

32. An apparatus, comprising:
- an authentication server (1) including at least one computer processor operatively connected to a computer memory, and (2) configured to;
  
  responsive to (1) a request to authenticate an identity of a user attempting to access the SP server via the first user device (UD), (2) a failure to receive data indicative of a token from a second UD within a timeout limit, (3) and receiving an indication from the first UD indicating that a second UD is unavailable for communicating with the authentication server, transmit (1) information to the first UD such that the first UD displays information related to an authentication operating using a colleague UD, and (2) a notification request to a notification server to cause the notification server to send a notification, including the token, to the colleague UD such that the colleague UD, upon receipt of the notification, sends data indicative of the token to the authentication server, the notification server being physically distinct from the authentication server;
  
  responsive to receiving from the colleague UD the data indicative of the token, sending a challenge to the colleague UD;
  
  receive from the colleague UD a response to the challenge;
  
  determine an authorization-recommendation at least partly based on the response to the challenge from the colleague UD; and
  
  provide the authorization-recommendation to the SP server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ping Identity Corporation
Original Assignee
Ping Identity Corporation
Inventors
Weiner, Avish Jacob, Ne'Man, Ran
Primary Examiner(s)
Rashid, Harunur
Assistant Examiner(s)
LE, THANH H

Application Number

US14/703,189
Publication Number

US 20160330199A1
Time in Patent Office

883 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0853   using an additional device,...

H04L 63/0861   using biometrical features,...

H04L 63/18   using different networks or...

H04W 12/65   Environment-dependent, e.g....

Fallback identity authentication techniques

First Claim

15 Assignments

0 Petitions

Accused Products

Abstract

Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

Fallback identity authentication techniques

First Claim

15 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links