Key management using quasi out of band authentication architecture

US 9,832,183 B2
Filed: 10/21/2015
Issued: 11/28/2017
Est. Priority Date: 04/19/2011
Status: Active Grant

First Claim

Patent Images

1. A method of authenticating a user of a network device (ND) having a portable hardware device (PHD) removably and communicatively connected thereto, comprising:

receiving, by a first application executing on the ND, a request for authentication of the user in connection with either (i) the user logging into a network site or (ii) the user entering into a transaction with the network site;

receiving, via the ND, by a second application executing on the PHD from a network security server, after receipt of the request for authentication by the first application, a secure message including a personal identification number (PIN) and readable only by the second application, for authenticating the user to the network site;

transferring the received PIN to the first application; and

directing, by the first application, transmission from the ND to the network site of the transferred PIN, to authenticate the user or authorize the transaction to the network site;

the method further comprising;

receiving via the ND, by the second application from the network security server, an intermediate seed; and

storing the received intermediate seed so that, after the PHD is disconnected from the ND, the seed is at least one of (i) presented to the user at the PHD for entry by the user into a seeding interface of a token on the PHD or (ii) entered into the seeding interface of the token without user intervention for generation of a final seed and the user authentication.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A portable apparatus is removably and communicatively connectable to a network device to communicate authentication or authorization credentials of a user in connection with the user logging into or entering into a transaction with a network site. The apparatus includes a communications port to connect and disconnect the apparatus to and from the network device and to establish a communication link with the network device when connected thereto. A processor receives a secure message from the network security server via the port. The message has a PIN for authenticating the user to the network site, and is readable only by the apparatus. The processor either transfers, via the port, the received PIN to an application associated with the network site that is executing on the network device or causes the apparatus to display the received PIN for manual transfer to the application associated with the network site.

76 Citations

View as Search Results

17 Claims

1. A method of authenticating a user of a network device (ND) having a portable hardware device (PHD) removably and communicatively connected thereto, comprising:
- receiving, by a first application executing on the ND, a request for authentication of the user in connection with either (i) the user logging into a network site or (ii) the user entering into a transaction with the network site;
  
  receiving, via the ND, by a second application executing on the PHD from a network security server, after receipt of the request for authentication by the first application, a secure message including a personal identification number (PIN) and readable only by the second application, for authenticating the user to the network site;
  
  transferring the received PIN to the first application; and
  
  directing, by the first application, transmission from the ND to the network site of the transferred PIN, to authenticate the user or authorize the transaction to the network site;
  
  the method further comprising;
  
  receiving via the ND, by the second application from the network security server, an intermediate seed; and
  
  storing the received intermediate seed so that, after the PHD is disconnected from the ND, the seed is at least one of (i) presented to the user at the PHD for entry by the user into a seeding interface of a token on the PHD or (ii) entered into the seeding interface of the token without user intervention for generation of a final seed and the user authentication.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method according to claim 1, wherein received PIN is manually transferred by the user to the first application.
  - 3. The method according to claim 2, further comprising:
    - directing, by the first application, a presentation to the user by the ND of a web page associated with the network site having the request for authentication; and
      
      directing, by the second application, a presentation to the user by the PHD of the received PIN;
      
      wherein the received PIN is manually transferred to the first application by the user inputting the PIN presented by the PHD into the web page presented by the ND.
  - 4. The method according to claim 1, wherein received PIN is automatically transferred to the first application.
  - 5. The method according to claim 4, further comprising:
    - storing, by the second application, the received PIN in a public data store within ND;
      
      wherein received PIN is transferred to the first application by the first application retrieving the stored PIN from the public data store.
  - 6. The method according to claim 1, wherein the PIN corresponds to a secret shared only by the security server and the network site, and not by the user, and is not associated with any particular user.
  - 7. The method according to claim 1, further comprising:
    - receiving, by the second application, a request of the user to login to the security server;
      
      directing, by the second application, transmission of the request and a user identifier from PHD to the security server via the ND;
      
      receiving, by a third application executing on the ND from the security server, a message including another PIN, in response to the transmitted request;
      
      directing, by the third application, display by the ND of the other PIN;
      
      receiving, by the second application, a user input including the displayed other PIN;
      
      directing, by the second application, transmission, from the PHD to the security server via the ND, of the input other PIN;
      
      receiving, by the second application from the security server via the ND, a session cookie and active session information indicating a period of time during which the session between the second application and the security server will remain active, in response to transmission of the other PIN; and
      
      storing, by the second application, (i) the session cookie in a private data store on the PHD accessible only to the second application and (ii) the active session information in a public data store accessible to the first application.
  - 8. The method according to claim 1, wherein the intermediate seed is for processing by the token to generate the final seed.
  - 9. The method according to claim 1, wherein if the received request for authentication is in connection with the user entering into a transaction with the network site, further comprising:
    - receiving via the ND, by the second application from the network security server, information associated with the transaction; and
      
      directing, by the second application, a presentation to the user by the PHD of the transaction information.

10. A portable apparatus removably and communicatively connectable to a network device for communicating authentication credentials for a user in connection with either (i) the user logging into a network site or (ii) the user entering into a transaction with the network site, comprising:
- a communications port configured to connect and disconnect the apparatus to and from the ND and to establish a communication link between the apparatus and the ND when connected;
  
  a data store; and
  
  a processor disposed configured to (1) receive, from a network security server via the port, a secure message, readable only by the processor and not by the ND, including a personal identification number (PIN) for authenticating the user to the network site, and (2) either (i) transfer, via the port, the received PIN to an application associated the network site and executing on the ND or (ii) cause the apparatus to display the received PIN to the user for manual transfer of the PIN to the application associated the network site; and
  
  wherein the port is further configured to receive from the security server via the ND, an intermediate seed; and
  
  wherein the processor is further configured to (i) direct storage of the received intermediate seed in the data store and (ii), after the apparatus is disconnected from the ND, at least one of (i) display the stored seed to the user at the apparatus for entry by the user into a seeding interface of a token or (ii) enter the stored seed into the seeding interface of the token without user intervention for generation of a final seed and the user authentication.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The apparatus according to claim 10, wherein the PIN corresponds to a secret shared only by the security server and the network site, and not by the user, and is not associated with any particular user.
  - 12. The apparatus according to claim 10, wherein the ND is a mobile communications device.
  - 13. The apparatus according to claim 12, wherein the mobile communications device is a smart phone.
  - 14. The apparatus according to claim 10, wherein the port is a USB port, a headphone jack, or a bluetooth connection.
  - 15. The apparatus according to claim 10, further comprising:
    - a data store;
      
      wherein the processor is further configured to (1) receive a request of the user to login to the security server, (2) direct transmission from the port of the request and a user identifier to the security server via the ND, (3) receive a user input including another PIN, and (4) direct transmission from the port to the security server via the ND, of the input other PIN;
      
      wherein the port is further configured to receive from the security server via the ND, a session cookie and active session information indicating a period of time during which the session with the security server will remain active, in response to transmission of the other PIN; and
      
      wherein the data store stores the session cookie so as to be accessible only to the processor.
  - 16. The apparatus according to claim 10, wherein the intermediate seed is for processing by the token to generate the final seed.
  - 17. The apparatus according to claim 10, wherein if the user is entering into a transaction with the network site, the processor is further configured to:
    - receive, from a network security server via the port, a secure message, readable only by the processor and not by the ND, including information associated with the transaction; and
      
      cause the apparatus to display the received transaction information to the user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Payfone Incorporated
Original Assignee
Early Warning Services, LLC
Inventors
Ganesan, Ravi
Primary Examiner(s)
Patel, Ashok
Assistant Examiner(s)
Almamun, Abdullah

Application Number

US14/919,278
Publication Number

US 20160050199A1
Time in Patent Office

769 Days
Field of Search

726 7
US Class Current
CPC Class Codes

G06F 21/31   User authentication

G06F 21/33   using certificates

G06F 21/35   communicating wirelessly

G06F 21/42   using separate channels for...

G06F 21/43   wireless channels

G06F 21/51   at application loading time...

G06F 21/566   Dynamic detection, i.e. det...

H04L 2209/56   Financial cryptography, e.g...

H04L 2209/80   Wireless network architectu...

H04L 63/083   using passwords cryptograph...

H04L 63/0838   using one-time-passwords

H04L 63/0853   using an additional device,...

H04L 63/18   using different networks or...

H04L 9/3226   using a predetermined code,...

H04L 9/3234   involving additional secure...

H04L 9/3247   involving digital signatures

H04W 4/60   Subscription-based services...

Key management using quasi out of band authentication architecture

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

76 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Key management using quasi out of band authentication architecture

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

76 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links