Systems and methods to authenticate users and/or control access made by users on a computer network using identity services

US 9,888,007 B2
Filed: 03/20/2017
Issued: 02/06/2018
Est. Priority Date: 05/13/2016
Status: Active Grant

First Claim

Patent Images

1. A controller for user authentication and access control, the controller comprising:

at least one microprocessor;

a network interface controlled by the at least one microprocessor to communicate over a computer network with;

at least one computing site, andat least one identity service, wherein the identity service stores identification information of a user and is configured to communicate with the user for identity protection; and

memory coupled with the at least one microprocessor and storing;

graph data representing a graph having;

nodes representing data elements associated with accesses made using an access token, andlinks among the nodes representing connections between the data elements associated with the accesses made using the access token; and

instructions which, when executed by the at least one microprocessor, cause the controller to;

receive, from the computing site, input data specifying details of an access made using the access token;

determine, from the input data;

a device identity representing a user device from which the access is made using the access token, anda user identity representing the user who uses the user device to make the access using the access token;

update the graph according to the input data;

identify a connection in the graph resulting from updating the graph according to the input data, wherein the connection identified in the graph is one of;

a connection between a node representing the device identity and a node representing the user identity;

a connection to a shipping address added in the updating of the graph; and

a connection to an access token added in the updating of the graph;

transmit a query over the network to the identity service, the query causing the identity service to verify association of data elements corresponding to the connection identified in the graph;

receive, over the network and from the identity service, a validation responsive to the query; and

process, based on the validation, the access made using the access token.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A controller for user authentication and access control, configured to: store data representing a graph having: nodes representing data elements associated with accesses made using an access token; and links among the nodes representing connections between the data elements identified in details of the accesses. In response to receiving details of an access made using the access token, the controller updates the graph according to the details and identifies a new connection in the graph resulting from update. The controller communicates with an identity service to verify the association of data elements corresponding to the new connection in the graph. Based on a result of the verification, the controller authenticates the user of the access and/or controls the access.

Citations

23 Claims

1. A controller for user authentication and access control, the controller comprising:
- at least one microprocessor;
  
  a network interface controlled by the at least one microprocessor to communicate over a computer network with;
  
  at least one computing site, andat least one identity service, wherein the identity service stores identification information of a user and is configured to communicate with the user for identity protection; and
  
  memory coupled with the at least one microprocessor and storing;
  
  graph data representing a graph having;
  
  nodes representing data elements associated with accesses made using an access token, andlinks among the nodes representing connections between the data elements associated with the accesses made using the access token; and
  
  instructions which, when executed by the at least one microprocessor, cause the controller to;
  
  receive, from the computing site, input data specifying details of an access made using the access token;
  
  determine, from the input data;
  
  a device identity representing a user device from which the access is made using the access token, anda user identity representing the user who uses the user device to make the access using the access token;
  
  update the graph according to the input data;
  
  identify a connection in the graph resulting from updating the graph according to the input data, wherein the connection identified in the graph is one of;
  
  a connection between a node representing the device identity and a node representing the user identity;
  
  a connection to a shipping address added in the updating of the graph; and
  
  a connection to an access token added in the updating of the graph;
  
  transmit a query over the network to the identity service, the query causing the identity service to verify association of data elements corresponding to the connection identified in the graph;
  
  receive, over the network and from the identity service, a validation responsive to the query; and
  
  process, based on the validation, the access made using the access token.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The controller of claim 1, wherein in response to the query, the identity service determines whether the association of the data elements corresponding to the connection identified in the graph is confirmed by the identification information.
  - 3. The controller of claim 2, wherein in response to a determination that the association of the data elements corresponding to the connection identified in the graph cannot be confirmed by the identification information, the identity service transmits an alert to a registered device or address of the user.
  - 4. The controller of claim 3, wherein the validation is transmitted from the identity service to the controller in response to a reply to the alert.
  - 5. The controller of claim 2, wherein the controller communicates with the computing site to block the access in response to a determination that the identity service cannot confirm the association of the data elements corresponding to the connection identified in the graph.
  - 6. The controller of claim 1, wherein the user identity is determined from the input data based on the access token used to make the access.

7. A controller for user authentication and access control, the controller comprising:
- at least one microprocessor;
  
  a network interface controlled by the at least one microprocessor to communicate over a computer network with;
  
  at least one computing site, andat least one identity service, wherein the identity service stores identification information of a user and is configured to communicate with the user for identity protection; and
  
  memory coupled with the at least one microprocessor and storing;
  
  graph data representing a graph having;
  
  nodes representing data elements associated with accesses made using an access token, andlinks among the nodes representing connections between the data elements associated with the accesses made using the access token; and
  
  instructions which, when executed by the at least one microprocessor, cause the controller to;
  
  receive, from the computing site, input data specifying details of an access made using the access token;
  
  determine, from the input data;
  
  a device identity representing a user device from which the access is made using the access token, anda user identity representing the user who uses the user device to make the access using the access token;
  
  update the graph according to the input data;
  
  identify a connection in the graph resulting from updating the graph according to the input data;
  
  transmit a query over the network to the identity service, the query causing the identity service to verify association of data elements corresponding to the connection identified in the graph, wherein the association of the data elements corresponding to the connection identified in the graph includes association of attributes of the device identity and the user identity;
  
  receive, over the network and from the identity service, a validation responsive to the query; and
  
  process, based on the validation, the access made using the access token.
- View Dependent Claims (8, 9)
- - 8. The controller of claim 7, wherein in response to the query, the identity service determines whether the association of the data elements corresponding to the connection identified in the graph is confirmed by the identification information.
  - 9. The controller of claim 8, wherein the controller communicates with the computing site to block the access in response to a determination that the identity service cannot confirm the association of the data elements corresponding to the connection identified in the graph.

10. A controller for user authentication and access control, the controller comprising:
- at least one microprocessor;
  
  a network interface controlled by the at least one microprocessor to communicate over a computer network with;
  
  at least one computing site, andat least one identity service, wherein the identity service stores identification information of a user and is configured to communicate with the user for identity protection; and
  
  memory coupled with the at least one microprocessor and storing;
  
  graph data representing a graph having;
  
  nodes representing data elements associated with accesses made using an access token, andlinks among the nodes representing connections between the data elements associated with the accesses made using the access token; and
  
  instructions which, when executed by the at least one microprocessor, cause the controller to;
  
  receive, from the computing site, input data specifying details of an access made using the access token;
  
  determine, from the input data;
  
  a device identity representing a user device from which the access is made using the access token, anda user identity representing the user who uses the user device to make the access using the access token;
  
  update the graph according to the input data;
  
  identify a connection in the graph resulting from updating the graph according to the input data;
  
  transmit a query over the network to the identity service, the query causing the identity service to verify association of data elements corresponding to the connection identified in the graph;
  
  receive, over the network and from the identity service, a validation responsive to the query; and
  
  process, based on the validation, the access made using the access token, wherein the controller flags the user identity as an imposter candidate in response to the determination that the identity service cannot confirm the association of the data elements corresponding to the connection identified in the graph.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The controller of claim 10, wherein the graph is identified for update based on the access token.
  - 12. The controller of claim 10, wherein the graph is identified for update based on the user identity.
  - 13. The controller of claim 10, wherein in response to the query, the identity service determines whether the association of the data elements corresponding to the connection identified in the graph is confirmed by the identification information.
  - 14. The controller of claim 13, wherein the controller communicates with the computing site to block the access in response to a determination that the identity service cannot confirm the association of the data elements corresponding to the connection identified in the graph.

15. A controller for user authentication and access control, the controller comprising:
- at least one microprocessor;
  
  a network interface controlled by the at least one microprocessor to communicate over a computer network with;
  
  at least one computing site, andat least one identity service, wherein the identity service stores identification information of a user and is configured to communicate with the user for identity protection; and
  
  memory coupled with the at least one microprocessor and storing;
  
  graph data representing a graph having;
  
  nodes representing data elements associated with accesses made using an access token, andlinks among the nodes representing connections between the data elements associated with the accesses made using the access token;
  
  wherein the graph is generated based on a cluster of access activities after identifying the cluster from a set of access activities; and
  
  instructions which, when executed by the at least one microprocessor, cause the controller to;
  
  receive, from the computing site, input data specifying details of an access made using the access token;
  
  determine, from the input data;
  
  a device identity representing a user device from which the access is made using the access token, anda user identity representing the user who uses the user device to make the access using the access token;
  
  update the graph according to the input data;
  
  identify a connection in the graph resulting from updating the graph according to the input data;
  
  transmit a query over the network to the identity service, the query causing the identity service to verify association of data elements corresponding to the connection identified in the graph;
  
  receive, over the network and from the identity service, a validation responsive to the query; and
  
  process, based on the validation, the access made using the access token.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The controller of claim 15, wherein the graph is extracted from a second graph based on a node selected according to the input data and a predetermined number of degrees of separation from the selected node.
  - 17. The controller of claim 15, wherein the controller identifies the identity service based on the user identity.
  - 18. The controller of claim 17, wherein in processing the access made using the access token, the controller determines from the graph data a score representing a risk of the access being fraudulent.
  - 19. The controller of claim 18, wherein the user identity is determined based on an electronic signature generated from the input data.

20. A non-transitory computer storage medium storing instructions which, when executed by a controller, cause the controller to perform a method for user authentication and access control, the method comprising:
- storing, in the controller coupled to a network, graph data representing a graph having;
  
  nodes representing data elements associated with accesses made using an access token, andlinks among the nodes representing connections between the data elements associated with the accesses made using the access token;
  
  wherein the graph is generated based on a cluster of access activities after identifying the cluster from a set of access activities;
  
  receiving, in the controller over the network from the computing site, input data specifying details of an access made using the access token;
  
  determining, by the controller, from the input data;
  
  a device identity representing a user device from which the access is made using the access token, anda user identity representing the user who uses the user device to make the access using the access token;
  
  updating, by the controller, the graph according to the input data;
  
  identifying, by the controller, a connection in the graph resulting from updating the graph according to the input data;
  
  transmitting, by the controller over the network to an identity service storing identification information of a user and configured to communicate with the user for identity protection, a query over the network to the identity service, the query causing the identity service to verify association of data elements corresponding to the connection identified in the graph;
  
  receiving, in the controller over the network and from the identity service, a validation responsive to the query; and
  
  processing, by the controller based on the validation, the access made using the access token.

21. A method for user authentication and access control, the method comprising:
- storing, in a controller coupled to a network, graph data representing a graph having;
  
  nodes representing data elements associated with accesses made using an access token, andlinks among the nodes representing connections between the data elements associated with the accesses made using the access token;
  
  wherein the graph is generated based on a cluster of access activities after identifying the cluster from a set of access activities;
  
  receiving, in the controller over the network from the computing site, input data specifying details of an access made using the access token;
  
  determining, by the controller, from the input data;
  
  a device identity representing a user device from which the access is made using the access token, anda user identity representing the user who uses the user device to make the access using the access token;
  
  updating, by the controller, the graph according to the input data;
  
  identifying, by the controller, a connection in the graph resulting from updating the graph according to the input data;
  
  transmitting, by the controller over the network to an identity service storing identification information of a user and configured to communicate with the user for identity protection, a query over the network to the identity service, the query causing the identity service to verify association of data elements corresponding to the connection identified in the graph;
  
  receiving, in the controller over the network and from the identity service, a validation responsive to the query; and
  
  processing, by the controller based on the validation, the access made using the access token.
- View Dependent Claims (22, 23)
- - 22. The method of claim 21, further comprising:
    - identifying, by the controller, a risk of the access being fraudulent based at least in part on the graph data.
  - 23. The method of claim 22, wherein the user identity is determined based on an electronic signature generated from the input data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Acuant Inc. (GB Group Plc)
Original Assignee
IDM Global, Inc.
Inventors
Caldera, Jose, Sherlock, Kieran, Gafke, Garrett
Primary Examiner(s)
Leung, Robert

Application Number

US15/464,141
Publication Number

US 20170331828A1
Time in Patent Office

323 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/316   by observing the pattern of...

G06F 21/44   Program or device authentic...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0876   based on the identity of th...

H04L 63/10   for controlling access to d...

H04L 63/104   Grouping of entities

H04W 12/068   using credential vaults, e....

H04W 12/084   using delegated authorisati...

Systems and methods to authenticate users and/or control access made by users on a computer network using identity services

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods to authenticate users and/or control access made by users on a computer network using identity services

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links