Computer-implemented systems and methods of device based, internet-centric, authentication

US 9,813,400 B2
Filed: 09/18/2015
Issued: 11/07/2017
Est. Priority Date: 11/07/2014
Status: Active Grant

First Claim

Patent Images

1. A system for authorizing respective access by each of a plurality of Internet users to a respective one or more Internet services provided by each of a plurality of Internet service providers, comprising:

a processor at a single identity provider;

a first non-transitory computer readable storage device of the single identity provider, wherein the first non-transitory computer readable storage device is configured to store data, and wherein the stored data comprises;

for each of a plurality of Internet users, a respective public key portion of a respective authentication token, wherein the respective authentication token is specific to;

an electronic mail address, or anonymous identifier, of the Internet user;

a user credential of the Internet user;

a device identifier for each of one or more devices of the Internet user;

an identity provider application of the single identity provider residing on a computing device of the one or more devices and that is configured to be used by the Internet user to access a respective one or more Internet services provided by each of a plurality of Internet service providers;

for each of the plurality of Internet service providers, a respective identifier that is visually perceptible when displayed on a page of the single identity provider application and when displayed on a web page belonging to the single identity provider; and

for each of a respective one or more Internet services provided by each of the plurality of Internet service providers, a respective identifier, and a respective one or more call-back Internet addresses belonging to the respective Internet service provider;

a second non-transitory computer-readable storage device of the single identity provider, wherein the second non-transitory computer readable storage device is encoded with program code executable by the processor for;

requiring the respective single identity provider application residing on each of the respective computing devices of the plurality of Internet users to create the respective authentication token and to store a respective private key portion of the respective authentication token on the respective computing device;

receiving, via a respective application programming interface (API) call from a respective computer server of each of the plurality of Internet service providers, a respective identifier for a respective selected one of the respective one or more Internet services provided by the respective Internet service provider, wherein each respective identifier is received in response to a respective Internet user selection of a respective link on the respective web page belonging to the respective Internet service provider and displayed on a respective web browser to request access to the respective selected one Internet service;

automatically generating, and transmitting to the respective web browser, a respective web page belonging to the single identity provider that displays;

the respective visually perceptible identifier of the respective Internet service provider; and

a respective Internet address of the respective web page belonging to the respective Internet service provider;

requiring the respective single identity provider application residing on each of the respective computing devices of the selecting Internet users to display a respective page to input the respective user credential of the respective selecting Internet user, wherein each input user credential is configured to be used to decrypt the respective stored private key portion of the respective authentication token of the respective selecting Internet user;

receiving, via a respective API call from the respective single identity provider application residing on each of the respective computing devices of the selecting Internet users, a respective approved authentication challenge message;

validating each of a plurality of the received respective approved authentication challenge messages using the respective stored public key portions of the respective authentication tokens of the respective selecting Internet users;

in response to validating the plurality of received approved authentication challenge messages, authorizing access by the respective selecting Internet users to the respective selected one Internet services by re-directing the respective web browsers to a respective one of the respective one or more call-back Internet addresses for the respective selected one Internet services.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and computer-implemented methods for authorizing respective access by each of a plurality of Internet users to a respective one or more Internet services provided by each of a plurality of Internet service providers. A system includes a processor, and non-transient computer readable storage media, at a single identity provider. The storage media is encoded with program code executable by the processor for requiring an identity provider application residing on each of a plurality of devices to create a respective authentication token that is specific to a respective identifier and user credential of a respective Internet user, a respective device identifier, and the respective identity provider application, and for authorizing respective access by the plurality of Internet users to a respective requested one of the Internet services provided by each Internet service provider using the respective created authentication tokens and respective identifiers for each of the respective requested Internet services.

72 Citations

View as Search Results

20 Claims

1. A system for authorizing respective access by each of a plurality of Internet users to a respective one or more Internet services provided by each of a plurality of Internet service providers, comprising:
- a processor at a single identity provider;
  
  a first non-transitory computer readable storage device of the single identity provider, wherein the first non-transitory computer readable storage device is configured to store data, and wherein the stored data comprises;
  
  for each of a plurality of Internet users, a respective public key portion of a respective authentication token, wherein the respective authentication token is specific to;
  
  an electronic mail address, or anonymous identifier, of the Internet user;
  
  a user credential of the Internet user;
  
  a device identifier for each of one or more devices of the Internet user;
  
  an identity provider application of the single identity provider residing on a computing device of the one or more devices and that is configured to be used by the Internet user to access a respective one or more Internet services provided by each of a plurality of Internet service providers;
  
  for each of the plurality of Internet service providers, a respective identifier that is visually perceptible when displayed on a page of the single identity provider application and when displayed on a web page belonging to the single identity provider; and
  
  for each of a respective one or more Internet services provided by each of the plurality of Internet service providers, a respective identifier, and a respective one or more call-back Internet addresses belonging to the respective Internet service provider;
  
  a second non-transitory computer-readable storage device of the single identity provider, wherein the second non-transitory computer readable storage device is encoded with program code executable by the processor for;
  
  requiring the respective single identity provider application residing on each of the respective computing devices of the plurality of Internet users to create the respective authentication token and to store a respective private key portion of the respective authentication token on the respective computing device;
  
  receiving, via a respective application programming interface (API) call from a respective computer server of each of the plurality of Internet service providers, a respective identifier for a respective selected one of the respective one or more Internet services provided by the respective Internet service provider, wherein each respective identifier is received in response to a respective Internet user selection of a respective link on the respective web page belonging to the respective Internet service provider and displayed on a respective web browser to request access to the respective selected one Internet service;
  
  automatically generating, and transmitting to the respective web browser, a respective web page belonging to the single identity provider that displays;
  
  the respective visually perceptible identifier of the respective Internet service provider; and
  
  a respective Internet address of the respective web page belonging to the respective Internet service provider;
  
  requiring the respective single identity provider application residing on each of the respective computing devices of the selecting Internet users to display a respective page to input the respective user credential of the respective selecting Internet user, wherein each input user credential is configured to be used to decrypt the respective stored private key portion of the respective authentication token of the respective selecting Internet user;
  
  receiving, via a respective API call from the respective single identity provider application residing on each of the respective computing devices of the selecting Internet users, a respective approved authentication challenge message;
  
  validating each of a plurality of the received respective approved authentication challenge messages using the respective stored public key portions of the respective authentication tokens of the respective selecting Internet users;
  
  in response to validating the plurality of received approved authentication challenge messages, authorizing access by the respective selecting Internet users to the respective selected one Internet services by re-directing the respective web browsers to a respective one of the respective one or more call-back Internet addresses for the respective selected one Internet services.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The system of claim 1, wherein the second non-transitory computer readable storage device is further encoded with program code executable by the processor for:
    - automatically identifying the respective selecting Internet users using respective electronic signals received from the respective web browsers; and
      
      wherein the program code executable by the processor for automatically generating and transmitting is executed in response to identification of the respective selecting Internet users.
  - 3. The system of claim 2, wherein the second non-transitory computer readable storage device is further encoded with program code executable by the processor for:
    - requiring each respective web browser to display a respective web page to input an electronic mail address, or an anonymous identifier, of the respective selecting Internet user; and
      
      wherein the respective electronic signal received from each respective web browser includes content indicative of the respective electronic mail address, or the respective anonymous identifier, of the respective selecting Internet user.
  - 4. The system of claim 3, wherein the program code executable by the processor for automatically generating and transmitting is further for automatically generating, and transmitting to the respective web browser, the respective web page that further displays the respective electronic mail address, or the respective anonymous identifier, of the respective selecting Internet user.
  - 5. The system of claim 1, wherein the second non-transitory computer readable storage device is further encoded with program code executable by the processor for:
    - repudiating at least one of the received respective approved authentication challenge messages using the respective stored public key portion of the respective authentication token of the respective selecting Internet user;
      
      in response to repudiating the at least one of the received approved authentication challenge messages, denying access by the respective selecting Internet user to the respective selected one Internet service by directing the respective web browser to an Internet address of the single identity provider.
  - 6. The system of claim 1, wherein the first and second non-transitory computer readable storage devices are the same non-transitory computer readable storage device.
  - 7. The system of claim 1, wherein the program code executable by the processor for validating each of the plurality of received approved authentication challenge messages is further for validating each of the plurality of received approved authentication challenge messages using the respective stored public key portions, and the respective stored device identifiers of the respective mobile devices, of the respective authentication tokens of the respective selecting Internet users.
  - 8. The system of claim 1, wherein each authentication token is further specific to a respective another identity provider application of the single identity provider residing on each of the respective one or more devices of the respective Internet user other than the respective computing device of the respective Internet user, and wherein the second non-transitory computer readable storage device is further encoded with program code executable by the processor for automatically generating, and transmitting, via a respective API call, to the respective another single identity provider application residing on each of the respective one or more devices of the respective Internet user other than the respective computing device of the respective Internet user, a respective page that displays:
    - the respective visually perceptible identifier of the respective Internet service provider; and
      
      the respective Internet address of the respective web page belonging to the respective Internet service provider.
  - 9. The system of claim 1, wherein the second non-transitory computer readable storage device is further encoded with program code executable by the processor for:
    - automatically generating, and transmitting, via an API call, to a single identity provider application residing on a computing device of an Internet user, a pseudorandom string; and
      
      requiring the single identity provider application residing on the computing device of the Internet user to;
      
      generate an encryption key using the transmitted pseudorandom string and the user credential of the Internet user;
      
      encrypt the private key portion of the authentication token of the Internet user using the generated encryption key; and
      
      and store the encrypted private key portion of the authentication token on the computing device of the Internet user.
  - 10. The system of claim 9, wherein the second non-transitory computer readable storage device is further encoded with program code executable by the processor for:
    - executing the program code for automatically generating and transmitting a new pseudorandom string at a predetermined periodicity; and
      
      requiring the single identity provider application residing on the computing device of the Internet user to perform the generating, encrypting, and storing steps using each transmitted new pseudorandom string.
  - 11. The system of claim 1, wherein the second non-transitory computer readable storage device is further encoded with program code executable by the processor for:
    - requiring the respective single identity provider application residing on each of the computing devices of the plurality of Internet users to create a new respective authentication token for the respective Internet user at a predetermined periodicity, to delete the respective stored private key portion of the prior respective authentication token for the respective Internet user, and to store a respective private key portion of the new respective authentication token for the respective Internet user on the respective computing device;
      
      deleting the respective stored public key portion of the prior respective authentication token for each of the plurality of Internet users from the stored data; and
      
      storing the respective public key portion of the new respective authentication token for each of the plurality of Internet users in the stored data.
  - 12. The system of claim 1, wherein the stored data further comprises, for each of the plurality of Internet users, a respective counter value, and wherein the second non-transitory computer readable storage device is further encoded with program code executable by the processor for:
    - in response to validating each of the plurality of received approved authentication challenge messages, incrementing the respective counter value in the stored data for the respective selecting Internet user, and wherein the step of validating each of the plurality of received approved authentication challenge messages further comprises using the respective stored public key portion of the respective authentication token for the respective selecting Internet user and the respective stored counter value.
  - 13. The system of claim 12, wherein the second non-transitory computer readable storage device is further encoded with program code executable by the processor for:
    - repudiating at least one of the received approved authentication challenge messages using the respective stored public key portion of the respective authentication token for the respective selecting Internet user and the respective stored counter value; and
      
      in response to repudiating the at least one of the received approved authentication challenge messages, denying access by the respective selecting Internet user to the respective selected one Internet service by directing the respective web browser to an Internet address of the respective single identity provider.

14. A non-transitory computer readable storage device encoded with program code, wherein when the program code is executed by a processor of a computing device, the processor performs a method of authorizing access by an Internet user to a respective one or more Internet services provided by each of a plurality of Internet service providers, the method comprising:
- an identity provider application of a single identity provider residing on the computing device;
  
  creating an authentication token comprising a public key portion and a private key portion, wherein the created authentication token is specific to;
  
  an electronic mail address, or anonymous identifier, of an Internet user;
  
  a user credential of the Internet user;
  
  a device identifier for each of one or more devices of the Internet user including the computing device; and
  
  the single identity provider application;
  
  encrypting the private key portion of the created authentication token using the user credential of the Internet user;
  
  storing the encrypted private key portion of the created authentication token in a memory of the computing device; and
  
  transmitting, via an application programming interface (API) call to a computer server of the single identity provider, the public key portion of the created authentication token;
  
  a web browser of the computing device displaying one or more of a plurality of web pages, wherein each web page of the plurality of web pages belongs to a respective Internet service provider, and wherein each web page of the plurality of web pages includes at least one respective link, wherein each link of the at least one respective link on each web page of the plurality of web pages is configured to be selected to request access by the Internet user to a respective one of the respective one or more Internet services provided by the respective Internet service provider;
  
  the web browser receiving a respective selection of one link on each of the displayed one or more web pages and, in response to receiving each respective selection of one link on the displayed one or more web pages,the web browser;
  
  transmitting, to a respective web server of the respective Internet service provider, a respective electronic signal including content indicative of a respective identifier for the respective one of the respective one or more Internet services provided by the respective Internet service provider;
  
  displaying content of a respective first web page belonging to the single identity service provider at a respective first Internet address of the single identity service provider in response to receiving a respective API call from a web server of the single identity service provider;
  
  transmitting, to the web server of the single identity provider, a respective electronic signal including content indicative of an electronic mail address, or an anonymous identifier, of the Internet user;
  
  displaying, content of a respective second web page belonging to the single identity service provider at a respective second Internet address of the single identity service provider in response to receiving a respective API call from the web server of the single identity service provider, wherein the content of the second web page includes a respective visually perceptible identifier of the respective Internet service provider, the electronic mail address, or the anonymous identifier, of the Internet user, and a respective Internet address of the respective web page belonging to the respective Internet service provider;
  
  the processor of the computing device automatically initiating the single identity provider application residing on the computing device and in response to receiving a respective API call from the computer server of the single identity provider;
  
  the single identity provider application;
  
  validating a respective user credential received from a respective page displayed by the single identity provider application by decrypting the stored encrypted private key portion of the authentication token;
  
  generating a respective approved authentication challenge message by digitally signing a predefined pseudorandom string with the decrypted private key portion of the authentication token and transmitting, via an API call to the computer server of the single identity provider, the generated respective approved authentication challenge message; and
  
  the web browser re-directing to a respective call-back Internet address of, and displaying content of, another respective web page belonging to the respective Internet service provider wherein the another respective web page is configured to be used by the Internet user to access the respective selected one of the respective one or more Internet services provided by the respective Internet service provider.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The non-transitory computer readable storage device of claim 14, wherein when the program code is further executed by the processor of the computing device, the processor performs the method of authorizing access by the Internet user to the respective one or more Internet services provided by each of the plurality of Internet service providers, the method further comprising:
    - another application residing on the computing device, in an out-of-band interaction with other than the single identity provider application;
      
      transmitting, to the web server of the single identity provider, a respective electronic signal including content indicative of an activation code for the created authentication token of the Internet user; and
      
      directing the web browser of the computing device, to a respective third Internet address, and displaying content of, a respective third web page belonging to the single identity service provider, to activate the created authentication token of the Internet user.
  - 16. The non-transitory computer readable storage device of claim 14, wherein when the program code is further executed by the processor of the computing device, the processor performs the method of authorizing access by the Internet user to the respective one or more Internet services provided by each of the plurality of Internet service providers, the method further comprising:
    - the single identity provider application;
      
      receiving, at a predetermined periodicity via an API call from the computer server of the single identity provider, a new pseudorandom string; and
      
      generating a new encryption key using the received new pseudorandom string and the user credential of the Internet user; and
      
      wherein the step of encrypting the private key portion further comprises encrypting the private key portion using the generated new encryption key.
  - 17. The non-transitory computer readable storage device of claim 14, wherein when the program code is executed by the processor of the computing device, the processor performs the method of authorizing access by the Internet user to the respective one or more Internet services provided by each of the plurality of Internet service providers, the method further comprising:
    - the single identity provider application;
      
      performing the step of creating the authentication token at a predetermined periodicity so that the single identity provider application periodically creates a new authentication token;
      
      deleting the stored private key portion of the prior created authentication token;
      
      encrypting the private key portion of the new created authentication token using the user credential of the Internet user;
      
      storing the encrypted private key portion of the new created authentication token in the memory of the computing device; and
      
      transmitting, via an application programming interface (API) call to the computer server of the single identity provider, the public key portion of the new created authentication token.
  - 18. The non-transitory computer readable storage device of claim 14, wherein when the program code is further executed by the processor of the computing device, the processor performs the method of authorizing access by the Internet user to the respective one or more Internet services provided by each of the plurality of Internet service providers, the method further comprising:
    - the single identity provider application;
      
      storing, in memory of the device, a counter value;
      
      in response to the web browser re-directing to the respective call-back Internet address, incrementing the stored counter value, and wherein the step of transmitting the generated respective approved authentication challenge message further comprises transmitting, via the API call to the computer server of the single identity provider, the stored counter value.

19. A system for authorizing respective access by each of a plurality of Internet users to a respective one or more Internet services provided by each of a plurality of Internet service providers, comprising:
- a processor at a single identity provider;
  
  a first non-transitory computer readable storage device of the single identity provider, wherein the first non-transitory computer readable storage device is configured to store data, and wherein the stored data comprises;
  
  for each of a plurality of Internet users, a respective public key portion of a respective authentication token, wherein the respective authentication token is specific to;
  
  an identifier of the Internet user;
  
  a user credential of the Internet user;
  
  a device identifier for each of one or more devices of the Internet user;
  
  an identity provider application of the single identity provider residing on a computing device of the one or more devices and that is configured to be used by the Internet user to access a respective one or more Internet services provided by each of a plurality of Internet service providers;
  
  a pseudorandom activation code;
  
  for each of a respective one or more Internet services provided by each of the plurality of Internet service providers, a respective identifier, and a respective one or more call-back Internet addresses belonging to the respective Internet service provider;
  
  a second non-transitory computer readable storage device of the single identity provider, wherein the second non-transitory computer readable storage device is encoded with program code executable by the processor for;
  
  requiring the respective single identity provider application residing on each of the computing devices to create the respective authentication token and to store a respective private key portion of the respective created authentication token on the respective computing device;
  
  generating pseudorandom activation codes to activate the created authentication tokens, wherein each generated pseudorandom activation code is configured to be used to activate a respective one of the created authentication tokens;
  
  generating pages to activate the created authentication tokens, wherein each generated page displays a respective active link associated with a respective one of the generated pseudorandom activation codes;
  
  transmitting, in a first out-of-band interaction with a respective application, other than the single identity provider application, and residing on each of the computing devices, a respective one of the generated pages;
  
  activating, in a second out-of-band interaction with a respective web browser on each of the computing devices, the respective one of the created authentication tokens, in response to a respective Internet user selection of the respective active link displayed by the respective application, other than the identity provider application, and residing on the respective computing device; and
  
  authorizing respective access by two or more of the plurality of Internet users to a respective selected one of the respective one or more Internet services provided by each of two or more of the plurality of Internet service providers using the respective activated authentication tokens of the two or more of the plurality of Internet users, the respective identifier for the respective selected one of the respective one or more Internet services provided by each of the two or more of the plurality of Internet service providers, and the respective one or more call-back Internet addresses for the respective selected one of the respective one or more Internet services provided by each of the two or more of the plurality of Internet service providers.
- View Dependent Claims (20)
- - 20. The system of claim 19, wherein the second non-transitory computer readable storage device is further encoded with program code executable by the processor for:
    - automatically generating, and transmitting via a respective API call to the respective single identity provider application residing on each of the computing devices, a respective page that displays;
      
      respective Internet addresses of respective web pages displayed on the respective web browser to request access to the respective selected one of the respective one or more Internet services provided by each of the plurality of Internet service providers;
      
      respective time identifiers of respective Internet user selections of respective links on the respective web pages; and
      
      respective status identifiers of authorizing respective access by the respective Internet user to the respective selected one of the respective one or more Internet services provided by each of the plurality of Internet service providers; and
      
      in response to authorizing respective access by the two or more of the plurality of Internet users to the respective selected one of the respective one or more Internet services provided by each of the two or more of the plurality of Internet service providers, re-directing the respective web browser on the respective computing devices of the two or more of the plurality of Internet users to the respective one of the respective one or more call-back Internet addresses for the respective requested one Internet service.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Privakey, Inc. (Probaris Technologies, Inc.)
Original Assignee
Probaris Technologies, Inc.
Inventors
Ross, Brian G., Hollin, Benjamin P., Durkin, Charles J., Anuszewski, Harry D., Fischetti, Joseph A.
Primary Examiner(s)
Schmidt, Kari

Application Number

US14/858,087
Publication Number

US 20160134599A1
Time in Patent Office

781 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/31   User authentication

G06F 21/41   where a single sign-on prov...

H04L 63/0442   wherein the sending and rec...

H04L 63/08   for authentication of entit...

H04L 63/0815   providing single-sign-on or...

H04L 63/0823   using certificates cryptogr...

H04L 67/02   based on web technology, e....

H04W 12/069   using certificates or pre-s...

Computer-implemented systems and methods of device based, internet-centric, authentication

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

72 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Computer-implemented systems and methods of device based, internet-centric, authentication

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

72 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links