Key management using quasi out of band authentication architecture
Abstract
A portable apparatus is removably and communicatively connectable to a network device to communicate authentication or authorization credentials of a user in connection with the user logging into or entering into a transaction with a network site. The apparatus includes a communications port to connect and disconnect the apparatus to and from the network device and to establish a communication link with the network device when connected thereto. A processor receives a secure message from a network security server via the port. The message carries a PIN for authenticating the user to the network site and is readable only by the apparatus. The processor either transfers, via the port, the received PIN to an application associated with the network site that is executing on the network device, or causes the apparatus to display the received PIN for manual transfer to the application associated with the network site.
76 Citations
Claims (17)
1. A method of authenticating a user of a network device (ND) having a portable hardware device (PHD) removably and communicatively connected thereto, comprising:
receiving, by a first application executing on the ND, a request for authentication of the user in connection with either (i) the user logging into a network site or (ii) the user entering into a transaction with the network site;
receiving, via the ND, by a second application executing on the PHD from a network security server, after receipt of the request for authentication by the first application, a secure message including a personal identification number (PIN) and readable only by the second application, for authenticating the user to the network site;
transferring the received PIN to the first application; and
directing, by the first application, transmission from the ND to the network site of the transferred PIN, to authenticate the user or authorize the transaction to the network site;
the method further comprising:
receiving via the ND, by the second application from the network security server, an intermediate seed; and
storing the received intermediate seed so that, after the PHD is disconnected from the ND, the seed is at least one of (i) presented to the user at the PHD for entry by the user into a seeding interface of a token on the PHD or (ii) entered into the seeding interface of the token without user intervention for generation of a final seed and the user authentication.
Dependent claims 2 to 9 depend from claim 1.
10. A portable apparatus removably and communicatively connectable to a network device for communicating authentication credentials for a user in connection with either (i) the user logging into a network site or (ii) the user entering into a transaction with the network site, comprising:
a communications port configured to connect and disconnect the apparatus to and from the ND and to establish a communication link between the apparatus and the ND when connected;
a data store; and
a processor disposed configured to (1) receive, from a network security server via the port, a secure message, readable only by the processor and not by the ND, including a personal identification number (PIN) for authenticating the user to the network site, and (2) either (i) transfer, via the port, the received PIN to an application associated with the network site and executing on the ND or (ii) cause the apparatus to display the received PIN to the user for manual transfer of the PIN to the application associated with the network site;
wherein the port is further configured to receive from the security server via the ND, an intermediate seed; and
wherein the processor is further configured to (i) direct storage of the received intermediate seed in the data store and (ii), after the apparatus is disconnected from the ND, at least one of (i) display the stored seed to the user at the apparatus for entry by the user into a seeding interface of a token or (ii) enter the stored seed into the seeding interface of the token without user intervention for generation of a final seed and the user authentication.
Dependent claims 11 to 17 depend from claim 10.
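The two halves of claims 1 and 10, a PIN delivered in a message that only the PHD's application can read and an intermediate seed stored on the PHD until it is disconnected and then turned into a final token seed, as a toy Python simulation of the exchange between the security server, the ND, the PHD and the network site. This is an added example, not code from the patent or its assignee. It assumes that each PHD is enrolled with the security server under a per-device symmetric key, it uses an HMAC-SHA256 encrypt-then-MAC construction as a stand-in for a real authenticated cipher, and the names bank.example, sess-42 and phd-0001 are constructed.

```python
"""Toy model of the quasi out-of-band authentication flow in the claims above.
Added example (not the patent's code). Assumptions: per-device symmetric keys
provisioned at enrollment; an HMAC-SHA256 stand-in for a real AEAD such as AES-GCM."""
import hashlib
import hmac
import secrets
import struct

def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256 (toy cipher standing in for AES-GCM).
    blocks = [hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range(length // 32 + 1)]
    return b"".join(blocks)[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag. Only a holder of `key` can open it."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("message is not for this device or was altered in transit")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))

def final_seed(intermediate: bytes, phd_id: str) -> bytes:
    # Token seeding interface: the final seed is derived from the intermediate seed and
    # bound to the device; the server derives the same value to verify later OTPs.
    return hmac.new(intermediate, b"final-seed:" + phd_id.encode(), hashlib.sha256).digest()

def otp(seed: bytes, counter: int) -> str:
    # HOTP-style dynamic truncation (RFC 4226) over the final seed.
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return f"{code % 10**6:06d}"

class SecurityServer:
    def __init__(self):
        self.device_keys, self.pending, self.seeds = {}, {}, {}

    def enroll(self, phd_id: str, key: bytes):
        self.device_keys[phd_id] = key

    def issue_pin(self, phd_id: str, site: str, session: str) -> bytes:
        pin = f"{secrets.randbelow(10**6):06d}"
        self.pending[(site, session)] = pin
        return seal(self.device_keys[phd_id], b"PIN:" + pin.encode())

    def verify_pin(self, site: str, session: str, pin: str) -> bool:
        expected = self.pending.pop((site, session), None)   # single use: no replay
        return expected is not None and hmac.compare_digest(expected, pin)

    def issue_seed(self, phd_id: str) -> bytes:
        self.seeds[phd_id] = secrets.token_bytes(32)
        return seal(self.device_keys[phd_id], b"SEED:" + self.seeds[phd_id])

class PortableHardwareDevice:
    """The PHD's 'second application': the only party able to read the secure message."""
    def __init__(self, phd_id: str, key: bytes):
        self.phd_id, self.key = phd_id, key
        self.connected, self.stored_seed, self.token_seed = False, None, None

    def receive(self, blob: bytes):
        msg = unseal(self.key, blob)
        if msg.startswith(b"PIN:"):
            return msg[4:].decode()        # handed to the first application on the ND
        if msg.startswith(b"SEED:"):
            self.stored_seed = msg[5:]     # kept in the data store until disconnect
            return None
        raise ValueError("unknown message type")

    def seed_token(self):
        if self.connected or self.stored_seed is None:
            raise RuntimeError("token is seeded only after disconnect, from a stored seed")
        self.token_seed = final_seed(self.stored_seed, self.phd_id)

def run_flow() -> dict:
    """Both halves of the claimed method: PIN login via the PHD, then seed delivery."""
    server, site, session = SecurityServer(), "bank.example", "sess-42"   # constructed
    key = secrets.token_bytes(32)
    phd = PortableHardwareDevice("phd-0001", key)                        # constructed id
    server.enroll(phd.phd_id, key)
    phd.connected = True
    # 1. The ND's first application gets the auth request; the server sends the sealed
    #    PIN through the ND, which can only relay the ciphertext.
    blob = server.issue_pin(phd.phd_id, site, session)
    pin = phd.receive(blob)                      # 2. PHD reads it, transfers PIN to ND app
    nd_can_read = pin.encode() in blob
    ok = server.verify_pin(site, session, pin)   # 3. ND app sends the PIN on to the site
    replay = server.verify_pin(site, session, pin)
    tampered = bytearray(blob)
    tampered[20] ^= 0x01                         # flip a ciphertext bit in transit
    try:
        phd.receive(bytes(tampered))
        tamper_rejected = False
    except ValueError:
        tamper_rejected = True
    # 4. Intermediate seed delivered while connected; token seeded after disconnect.
    phd.receive(server.issue_seed(phd.phd_id))
    phd.connected = False
    phd.seed_token()
    server_view = final_seed(server.seeds[phd.phd_id], phd.phd_id)
    return {"login_ok": ok, "replay_ok": replay, "nd_can_read_pin": nd_can_read,
            "tamper_rejected": tamper_rejected,
            "otp_matches": otp(phd.token_seed, 1) == otp(server_view, 1)}
```

The point the simulation makes is the one the claims rest on: the ND forwards the secure message but never holds the key, so malware on the ND sees only ciphertext, a PIN is accepted exactly once, an altered message is rejected by the PHD before any PIN is released, and the final seed never crosses the ND at all because it is derived on the PHD after disconnect.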
Specification