Computer-implemented systems and methods of device based, internet-centric, authentication
Abstract
Systems and computer-implemented methods for authorizing respective access by each of a plurality of Internet users to a respective one or more Internet services provided by each of a plurality of Internet service providers. A system includes a processor, and non-transient computer readable storage media, at a single identity provider. The storage media is encoded with program code executable by the processor for requiring an identity provider application residing on each of a plurality of devices to create a respective authentication token that is specific to a respective identifier and user credential of a respective Internet user, a respective device identifier, and the respective identity provider application, and for authorizing respective access by the plurality of Internet users to a respective requested one of the Internet services provided by each Internet service provider using the respective created authentication tokens and respective identifiers for each of the respective requested Internet services.
20 Claims
1. A system for authorizing respective access by each of a plurality of Internet users to a respective one or more Internet services provided by each of a plurality of Internet service providers, comprising:

a processor at a single identity provider;

a first non-transitory computer readable storage device of the single identity provider, wherein the first non-transitory computer readable storage device is configured to store data, and wherein the stored data comprises:
for each of a plurality of Internet users, a respective public key portion of a respective authentication token, wherein the respective authentication token is specific to:
an electronic mail address, or anonymous identifier, of the Internet user;
a user credential of the Internet user;
a device identifier for each of one or more devices of the Internet user;
an identity provider application of the single identity provider residing on a computing device of the one or more devices and that is configured to be used by the Internet user to access a respective one or more Internet services provided by each of a plurality of Internet service providers;
for each of the plurality of Internet service providers, a respective identifier that is visually perceptible when displayed on a page of the single identity provider application and when displayed on a web page belonging to the single identity provider; and
for each of a respective one or more Internet services provided by each of the plurality of Internet service providers, a respective identifier, and a respective one or more call-back Internet addresses belonging to the respective Internet service provider;

a second non-transitory computer-readable storage device of the single identity provider, wherein the second non-transitory computer readable storage device is encoded with program code executable by the processor for:
requiring the respective single identity provider application residing on each of the respective computing devices of the plurality of Internet users to create the respective authentication token and to store a respective private key portion of the respective authentication token on the respective computing device;
receiving, via a respective application programming interface (API) call from a respective computer server of each of the plurality of Internet service providers, a respective identifier for a respective selected one of the respective one or more Internet services provided by the respective Internet service provider, wherein each respective identifier is received in response to a respective Internet user selection of a respective link on the respective web page belonging to the respective Internet service provider and displayed on a respective web browser to request access to the respective selected one Internet service;
automatically generating, and transmitting to the respective web browser, a respective web page belonging to the single identity provider that displays:
the respective visually perceptible identifier of the respective Internet service provider; and
a respective Internet address of the respective web page belonging to the respective Internet service provider;
requiring the respective single identity provider application residing on each of the respective computing devices of the selecting Internet users to display a respective page to input the respective user credential of the respective selecting Internet user, wherein each input user credential is configured to be used to decrypt the respective stored private key portion of the respective authentication token of the respective selecting Internet user;
receiving, via a respective API call from the respective single identity provider application residing on each of the respective computing devices of the selecting Internet users, a respective approved authentication challenge message;
validating each of a plurality of the received respective approved authentication challenge messages using the respective stored public key portions of the respective authentication tokens of the respective selecting Internet users;
in response to validating the plurality of received approved authentication challenge messages, authorizing access by the respective selecting Internet users to the respective selected one Internet services by re-directing the respective web browsers to a respective one of the respective one or more call-back Internet addresses for the respective selected one Internet services.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13
14. A non-transitory computer readable storage device encoded with program code, wherein when the program code is executed by a processor of a computing device, the processor performs a method of authorizing access by an Internet user to a respective one or more Internet services provided by each of a plurality of Internet service providers, the method comprising:

an identity provider application of a single identity provider residing on the computing device:
creating an authentication token comprising a public key portion and a private key portion, wherein the created authentication token is specific to:
an electronic mail address, or anonymous identifier, of an Internet user;
a user credential of the Internet user;
a device identifier for each of one or more devices of the Internet user including the computing device; and
the single identity provider application;
encrypting the private key portion of the created authentication token using the user credential of the Internet user;
storing the encrypted private key portion of the created authentication token in a memory of the computing device; and
transmitting, via an application programming interface (API) call to a computer server of the single identity provider, the public key portion of the created authentication token;

a web browser of the computing device displaying one or more of a plurality of web pages, wherein each web page of the plurality of web pages belongs to a respective Internet service provider, and wherein each web page of the plurality of web pages includes at least one respective link, wherein each link of the at least one respective link on each web page of the plurality of web pages is configured to be selected to request access by the Internet user to a respective one of the respective one or more Internet services provided by the respective Internet service provider;

the web browser receiving a respective selection of one link on each of the displayed one or more web pages and, in response to receiving each respective selection of one link on the displayed one or more web pages, the web browser:
transmitting, to a respective web server of the respective Internet service provider, a respective electronic signal including content indicative of a respective identifier for the respective one of the respective one or more Internet services provided by the respective Internet service provider;
displaying content of a respective first web page belonging to the single identity service provider at a respective first Internet address of the single identity service provider in response to receiving a respective API call from a web server of the single identity service provider;
transmitting, to the web server of the single identity provider, a respective electronic signal including content indicative of an electronic mail address, or an anonymous identifier, of the Internet user;
displaying content of a respective second web page belonging to the single identity service provider at a respective second Internet address of the single identity service provider in response to receiving a respective API call from the web server of the single identity service provider, wherein the content of the second web page includes a respective visually perceptible identifier of the respective Internet service provider, the electronic mail address, or the anonymous identifier, of the Internet user, and a respective Internet address of the respective web page belonging to the respective Internet service provider;

the processor of the computing device automatically initiating the single identity provider application residing on the computing device and in response to receiving a respective API call from the computer server of the single identity provider;

the single identity provider application:
validating a respective user credential received from a respective page displayed by the single identity provider application by decrypting the stored encrypted private key portion of the authentication token;
generating a respective approved authentication challenge message by digitally signing a predefined pseudorandom string with the decrypted private key portion of the authentication token and transmitting, via an API call to the computer server of the single identity provider, the generated respective approved authentication challenge message; and

the web browser re-directing to a respective call-back Internet address of, and displaying content of, another respective web page belonging to the respective Internet service provider wherein the another respective web page is configured to be used by the Internet user to access the respective selected one of the respective one or more Internet services provided by the respective Internet service provider.

Dependent claims: 15, 16, 17, 18
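As an added illustration (not code from the patent or from any product of its assignee), the following Go program models the token lifecycle that claims 1 and 14 describe: the device app generates a key pair, stores the private half encrypted under the user credential and sends only the public half to the identity provider; at login the app decrypts the private key with the entered credential and signs a challenge string; the identity provider validates the signature with the stored public key and redirects only to the call-back address registered for the selected service. The identifiers, the salted-SHA-256 credential wrapping (a stand-in for a real password KDF) and the in-memory registration maps are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Token is the device-resident authentication token: the private half stays on the device, encrypted under the credential.
type Token struct {
	Email, DeviceID string // constructed identifiers the token is bound to
	Public          ed25519.PublicKey
	sealedPriv      []byte // nonce || AES-GCM ciphertext of the private key
}
// credKey derives the wrapping key from credential plus identifiers; assumption: salted SHA-256 stands in for scrypt/Argon2.
func credKey(email, device, credential string) cipher.AEAD {
	k := sha256.Sum256([]byte("demo-salt|" + email + "|" + device + "|" + credential))
	block, _ := aes.NewCipher(k[:])
	aead, _ := cipher.NewGCM(block)
	return aead
}
// CreateToken generates the key pair and seals the private key with the credential (app-side enrolment).
func CreateToken(email, device, credential string) (*Token, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	aead := credKey(email, device, credential)
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce) // crypto/rand: a fresh nonce per token; Read does not fail on modern Go
	return &Token{email, device, pub, aead.Seal(nonce, nonce, priv, nil)}, nil
}
// Approve is the app-side login step: unseal the private key (a wrong credential fails the GCM tag) and sign the challenge.
func (t *Token) Approve(credential string, challenge []byte) ([]byte, error) {
	aead := credKey(t.Email, t.DeviceID, credential)
	priv, err := aead.Open(nil, t.sealedPriv[:aead.NonceSize()], t.sealedPriv[aead.NonceSize():], nil)
	if err != nil {
		return nil, errors.New("credential rejected")
	}
	return ed25519.Sign(ed25519.PrivateKey(priv), challenge), nil
}
// Authorize is the identity-provider step: verify the signed challenge and redirect only to the registered call-back.
func Authorize(pubs map[string]ed25519.PublicKey, callbacks map[string]string, email, device, service string, challenge, sig []byte) (string, error) {
	pub, ok := pubs[email+"|"+device]
	cb, known := callbacks[service]
	if !ok || !known || !ed25519.Verify(pub, challenge, sig) {
		return "", errors.New("challenge validation failed or unknown service")
	}
	return cb, nil
}
```

The redirect target is looked up from the registration store by service identifier, so a request cannot steer the browser to an address the service provider never registered.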
19. A system for authorizing respective access by each of a plurality of Internet users to a respective one or more Internet services provided by each of a plurality of Internet service providers, comprising:

a processor at a single identity provider;

a first non-transitory computer readable storage device of the single identity provider, wherein the first non-transitory computer readable storage device is configured to store data, and wherein the stored data comprises:
for each of a plurality of Internet users, a respective public key portion of a respective authentication token, wherein the respective authentication token is specific to:
an identifier of the Internet user;
a user credential of the Internet user;
a device identifier for each of one or more devices of the Internet user;
an identity provider application of the single identity provider residing on a computing device of the one or more devices and that is configured to be used by the Internet user to access a respective one or more Internet services provided by each of a plurality of Internet service providers;
a pseudorandom activation code;
for each of a respective one or more Internet services provided by each of the plurality of Internet service providers, a respective identifier, and a respective one or more call-back Internet addresses belonging to the respective Internet service provider;

a second non-transitory computer readable storage device of the single identity provider, wherein the second non-transitory computer readable storage device is encoded with program code executable by the processor for:
requiring the respective single identity provider application residing on each of the computing devices to create the respective authentication token and to store a respective private key portion of the respective created authentication token on the respective computing device;
generating pseudorandom activation codes to activate the created authentication tokens, wherein each generated pseudorandom activation code is configured to be used to activate a respective one of the created authentication tokens;
generating pages to activate the created authentication tokens, wherein each generated page displays a respective active link associated with a respective one of the generated pseudorandom activation codes;
transmitting, in a first out-of-band interaction with a respective application, other than the single identity provider application, and residing on each of the computing devices, a respective one of the generated pages;
activating, in a second out-of-band interaction with a respective web browser on each of the computing devices, the respective one of the created authentication tokens, in response to a respective Internet user selection of the respective active link displayed by the respective application, other than the identity provider application, and residing on the respective computing device; and
authorizing respective access by two or more of the plurality of Internet users to a respective selected one of the respective one or more Internet services provided by each of two or more of the plurality of Internet service providers using the respective activated authentication tokens of the two or more of the plurality of Internet users, the respective identifier for the respective selected one of the respective one or more Internet services provided by each of the two or more of the plurality of Internet service providers, and the respective one or more call-back Internet addresses for the respective selected one of the respective one or more Internet services provided by each of the two or more of the plurality of Internet service providers.

Dependent claims: 20
Specification