Multi-dimensional framework for defining criteria that indicate when authentication should be revoked

US 9,942,230 B2
Filed: 08/29/2016
Issued: 04/10/2018
Est. Priority Date: 08/12/2014
Status: Active Grant

First Claim

Patent Images

1. An aggregator system comprising:

a storage system configured to store;

authentication information associated with a client device, wherein the authentication information indicates that the client device has been authenticated,first rules information received from a first interested party,second rules information received from a second interested party, wherein the first rules information and the second rules information each comprise respective rules of at least two different rule types selected from the group consisting of;

a predetermined number of uses of the client device, an event identifying the device as lost, an event identifying the client device as stolen, an event identifying a deactivated mobile number associated with the client device, an event identifying a fraud alert associated with the client device, a detected change between previously stored hashed information associated with the client device and current hashed information associated with the client device, a change in geographic location of the client device, detected mismatch in biometric authentication associated with the client device, an event identifying a change of account ownership associated with the client device, and an event identifying that an account associated with the client device has a payment status of past-due;

circuitry implementing a credentials engine configured to;

reconcile the respective rules of the first rules information and the second rules information having the same rule type based on a priority associated with each of the respective rules;

define criteria indicating when authentication of the client device will be revoked based on the authentication information and on the reconciling; and

invalidation circuitry configured to revoke authentication for the identified client device based on the criteria.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems are presented for defining criteria that indicate when authentication for an identified client device should be revoked based on rules associated with interested parties. Authentication information is stored that indicates that an identified client device is authenticated. Rules that are associated with a plurality of interested parties and include rules of different rule types may also be stored. Criteria may be defined based on the rules and the authentication information, the criteria indicating when authentication of the identified client device should be revoked. Authentication of the identified client device may be revoked based on the criteria.

Citations

20 Claims

1. An aggregator system comprising:
- a storage system configured to store;
  
  authentication information associated with a client device, wherein the authentication information indicates that the client device has been authenticated,first rules information received from a first interested party,second rules information received from a second interested party, wherein the first rules information and the second rules information each comprise respective rules of at least two different rule types selected from the group consisting of;
  
  a predetermined number of uses of the client device, an event identifying the device as lost, an event identifying the client device as stolen, an event identifying a deactivated mobile number associated with the client device, an event identifying a fraud alert associated with the client device, a detected change between previously stored hashed information associated with the client device and current hashed information associated with the client device, a change in geographic location of the client device, detected mismatch in biometric authentication associated with the client device, an event identifying a change of account ownership associated with the client device, and an event identifying that an account associated with the client device has a payment status of past-due;
  
  circuitry implementing a credentials engine configured to;
  
  reconcile the respective rules of the first rules information and the second rules information having the same rule type based on a priority associated with each of the respective rules;
  
  define criteria indicating when authentication of the client device will be revoked based on the authentication information and on the reconciling; and
  
  invalidation circuitry configured to revoke authentication for the identified client device based on the criteria.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system of claim 1, wherein each of the first interested party and the second interested party is one of:
    - a carrier system, a merchant system, a government organization, and a school organization.
  - 3. The system of claim 1, wherein the first interested party is a carrier system configured to provide mobile network services to the client device, and wherein the second interested party is a merchant system configured to perform at least one transaction with the client device.
  - 4. The system of claim 1, wherein the reconciling comprises determining rules for a combination of the first interested party and the second interested party.
  - 5. The system of claim 1, wherein the authentication information comprises at least one credential.
  - 6. The system of claim 5, wherein the at least one credential comprises a digital key.
  - 7. The system of claim 1, wherein the invalidation circuitry is further configured to revoke authentication for the identified client device based on the criteria being met.
  - 8. The system of claim 7, wherein the criteria are met upon receiving an event notification which matches at least one predetermined event.
  - 9. The system of claim 1, wherein the respective rules of the first rules information and the second rules information conflict with each other.
  - 10. The system of claim 9, wherein the credentials engine is configured to resolve the conflict based on the priority associated with each of the respective rules.

11. A method comprising:
- storing, on a storage device, authentication information associated with an identified client device, wherein the authentication information indicates that the client device has been authenticated;
  
  storing, on the storage device, first rules information received from a first interested party;
  
  storing, on the storage device, second rules information received from a second interested party, wherein the first rules information and the second rules information each comprise respective rules of at least two different rule types selected from the group consisting of;
  
  a predetermined number of uses of the client device, an event identifying the device as lost, an event identifying the client device as stolen, an event identifying a deactivated mobile number associated with the client device, an event identifying a fraud alert associated with the client device, a detected change between previously stored hashed information associated with the client device and current hashed information associated with the client device, a change in geographic location of the client device, detected mismatch in biometric authentication associated with the client device, an event identifying a change of account ownership associated with the client device, and an event identifying that an account associated with the client device has a payment status of past-due;
  
  reconciling, using a credentials engine, the respective rules of the first rules information and the second rules information having the same rule type based on a priority associated with each of the respective rulesdefining, using the credentials engine, criteria indicating when authentication of the client device will be revoked based on the authentication information and on the reconciling; and
  
  revoking, using invalidation circuitry, authentication for the identified client device based on the criteria.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The method of claim 11, wherein each of the first interested party and the second interested party is one of:
    - a carrier system, a merchant system, a government organization, and a school organization.
  - 13. The method of claim 11, wherein the first interested party is a carrier system configured to provide mobile network services to the client device, and wherein the second interested party is a merchant system configured to perform at least one transaction with the client device.
  - 14. The method of claim 11, wherein the reconciling comprises determining rules fora combination of the first interested party and the second interested party.
  - 15. The method of claim 11, wherein the authentication information comprises at least one credential.
  - 16. The method of claim 15, wherein the at least one credential comprises a digital key.
  - 17. The method of claim 11, further comprising:
    - revoking, using the invalidation circuitry, the authentication for the identified client device based on the criteria being met.
  - 18. The method of claim 17, wherein the criteria are met upon receiving, using the credentials engine, an event notification which matches at least one predetermined event.
  - 19. The method of claim 11, wherein the respective rules of the first rules information and the second rules information conflict with each other.
  - 20. The method of claim 19, further comprising:
    - resolving, using the credentials engine, the conflict based on the priority associated with each of the respective rules.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
BOKU Identity Incorporated
Original Assignee
Danal Incorporated (Twilio, Inc.)
Inventors
Banerjee, Atreedev, Cocklin, Jillian
Primary Examiner(s)
SIMITOSKI, MICHAEL J

Application Number

US15/250,810
Publication Number

US 20170054718A1
Time in Patent Office

589 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/335   for accessing specific reso...

G06F 21/41   where a single sign-on prov...

G06Q 20/322   Aspects of commerce using m...

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 63/0823   using certificates cryptogr...

H04L 63/0876   based on the identity of th...

H04L 63/0884   by delegation of authentica...

H04L 63/20   for managing network securi...

H04L 9/3268   using certificate validatio...

Multi-dimensional framework for defining criteria that indicate when authentication should be revoked

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Multi-dimensional framework for defining criteria that indicate when authentication should be revoked

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links