Strong authentication with feeder robot in a federated identity web environment

US 9,961,070 B2
Filed: 09/11/2015
Issued: 05/01/2018
Est. Priority Date: 09/11/2015
Status: Active Grant

First Claim

Patent Images

1. An authentication server in communication with a controlled access application of an enterprise system that requires at least a first Identifier (ID) factor and a second ID factor for authentication, the authentication server comprising:

at least one hardware processor; and

memory storing instructions that, when executed by the at least one hardware processor, causes the authentication server to perform operations including;

receiving a request to authenticate a user to the controlled access application using the first ID factor and the second ID factor;

selecting and activating, at the authentication server, a feeder robot configured to interact with a host verification server associated with the first ID factor and the second ID factor using HTTP protocol or HTTPS protocol;

obtaining, via the feeder robot, first information to complete the first ID factor, at least some of the first information being obtained from the user, attempting to access the controlled access application through a user interface provided by the enterprise system;

opening a connection between the host verification server and the authentication server;

requesting, in an HTTP or HTTPS request made via the feeder robot, a first authentication user interface from the host verification server via the connection;

receiving, in an HTTP or HTTPS response received via the feeder robot, the first authentication user interface in response to the request, wherein the first authentication user interface is not presented to the user;

generating a token for the feeder robot,generating, via the feeder robot, a first web form using the first information and information used to maintain the connection that is extracted from the first authentication user interface;

submitting, via the feeder robot, the token and the first web form to the host verification server, wherein submitting the first web form simulates a first submission by the user, wherein the token verifies to the host verification server that the feeder robot from the feeder robot is not a web-crawling robot;

receiving, in an HTTP or HTTPS response received via the feeder robot, an indication of successful verification from the host verification server, the indication including a second authentication user interface, wherein the second authentication user interface is not presented to the user;

obtaining, via the feeder robot, a second information to complete the second ID factor, at least some of the second information being obtained from the user;

generating, via the feeder robot, a second web form using the second information and information used to maintain the connection that is extracted from the second authentication user interface;

submitting the second web form to the host verification server, wherein submitting the second web form simulates a second submission by the user;

receiving an indication of successful verification from the host verification server;

cleaning up the feeder robot, including closing the connection with the host verification server; and

initiating, in response to receiving the indication of successful verification, access to the controlled access application.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Method, system, and programs for performing two-factor authentication for a controlled access application via one or more third-party host verification servers. An example method includes receiving a request to a controlled access application after a user has successfully logged into an enterprise system with a first Identifier (ID) factor, the controlled access application requiring additional authentication with a second ID factor, obtaining first information to complete the second ID factor, at least some of the first information being obtained from the user, and generating a first web form using the first information. The method also includes submitting the first web form to a host verification server, receiving an indication of successful verification from the host verification server; and initiating, in response to receiving the indication of successful verification, access to the controlled access application.

311 Citations

23 Claims

1. An authentication server in communication with a controlled access application of an enterprise system that requires at least a first Identifier (ID) factor and a second ID factor for authentication, the authentication server comprising:
- at least one hardware processor; and
  
  memory storing instructions that, when executed by the at least one hardware processor, causes the authentication server to perform operations including;
  
  receiving a request to authenticate a user to the controlled access application using the first ID factor and the second ID factor;
  
  selecting and activating, at the authentication server, a feeder robot configured to interact with a host verification server associated with the first ID factor and the second ID factor using HTTP protocol or HTTPS protocol;
  
  obtaining, via the feeder robot, first information to complete the first ID factor, at least some of the first information being obtained from the user, attempting to access the controlled access application through a user interface provided by the enterprise system;
  
  opening a connection between the host verification server and the authentication server;
  
  requesting, in an HTTP or HTTPS request made via the feeder robot, a first authentication user interface from the host verification server via the connection;
  
  receiving, in an HTTP or HTTPS response received via the feeder robot, the first authentication user interface in response to the request, wherein the first authentication user interface is not presented to the user;
  
  generating a token for the feeder robot,generating, via the feeder robot, a first web form using the first information and information used to maintain the connection that is extracted from the first authentication user interface;
  
  submitting, via the feeder robot, the token and the first web form to the host verification server, wherein submitting the first web form simulates a first submission by the user, wherein the token verifies to the host verification server that the feeder robot from the feeder robot is not a web-crawling robot;
  
  receiving, in an HTTP or HTTPS response received via the feeder robot, an indication of successful verification from the host verification server, the indication including a second authentication user interface, wherein the second authentication user interface is not presented to the user;
  
  obtaining, via the feeder robot, a second information to complete the second ID factor, at least some of the second information being obtained from the user;
  
  generating, via the feeder robot, a second web form using the second information and information used to maintain the connection that is extracted from the second authentication user interface;
  
  submitting the second web form to the host verification server, wherein submitting the second web form simulates a second submission by the user;
  
  receiving an indication of successful verification from the host verification server;
  
  cleaning up the feeder robot, including closing the connection with the host verification server; and
  
  initiating, in response to receiving the indication of successful verification, access to the controlled access application.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The authentication server according to claim 1, wherein the first information includes information obtained from a data store for the user.
  - 3. The authentication server according to claim 1, wherein the second information includes a security device token provided by the user.
  - 4. The authentication server according to claim 1, wherein obtaining the first information, generating the first web form, and submitting the first web form is performed by a first feeder robot configured to authenticate the first ID factor with the host verification server and obtaining the second information, generating the second web form, and submitting the second web form is performed by a second feeder robot configured to authenticate the second ID factor with the host verification server.
  - 5. The authentication server according to claim 4, wherein the first feeder robot includes rules for extracting information from the first authentication user interface and rules for placing the first information in the first web form.
  - 6. The authentication server according to claim 1, wherein generating the first web form includes:
    - extracting at least some of the first information from the first authentication user interface after it is received.

7. A method comprising:
- receiving, at an authentication server associated with an enterprise system, a request to access a controlled access application after a user has successfully logged into the enterprise system with a first Identifier (ID) factor, the controlled access application requiring additional authentication with a second ID factor;
  
  selecting and activating, at the authentication server, a feeder robot configured to interact with a host verification server associated with the second ID factor using HTTP protocol or HTTPS protocol;
  
  obtaining, via the feeder robot, first information to complete the second ID factor, at least some of the first information being obtained from the user through a user interface provided by the enterprise system;
  
  opening a connection between the host verification server associated with the second ID factor and the authentication server;
  
  requesting, in an HTTP or HTTPS request made via the feeder robot, an authentication user interface from the host verification server via the connection;
  
  receiving, in an HTTP or HTTPS response received via the feeder robot, the authentication user interface in response to the request, wherein the authentication user interface is not presented to the user;
  
  generating a token for the feeder robot;
  
  generating, via the feeder robot, a first web form using the first information and information used to maintain the connection that is extracted from the authentication user interface;
  
  submitting, via the feeder robot, the first web form and the token to the host verification server, wherein submitting the first web form simulates a submission by the user, wherein the token verifies to the host verification server that the feeder robot from the feeder robot is not a web-crawling robot;
  
  receiving an indication of successful verification from the host verification server;
  
  cleaning up the feeder robot, including closing the connection with the host verification server; and
  
  initiating, in response to receiving the indication of successful verification, access to the controlled access application.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 8. The method according to claim 7, wherein the information used to maintain the connection includes a session identifier.
  - 9. The method according to claim 8, wherein the session identifier is extracted based on rules for the authentication user interface.
  - 10. The method according to claim 7, wherein obtaining the first information, generating the first web form, and submitting the first web form is performed by a first feeder robot configured to authenticate the second ID factor with the host verification server.
  - 11. The method according to claim 10, wherein the first feeder robot is selected based on the second ID factor.
  - 12. The method according to claim 7, wherein generating the first web form includes:
    - extracting at least some of the first information from the authentication user interface after it is received.
  - 13. The method of claim 7, further comprising:
    - receiving a request, at the authentication server, from a second controlled access application to authenticate a second user at a requested level of assurance;
      
      identifying, in a data store, the second ID factor for the second user that meets the requested level of assurance;
      
      selecting a second feeder robot configured to obtain second information for the second ID factor;
      
      activating the second feeder robot to verify the second ID factor with the host verification server associated with the second ID factor by submitting, via HTTP protocol or HTTPS protocol, a second authentication user interface used by the host verification server, wherein the second authentication user interface is not presented to the second user and the second information is used by the second feeder robot in submission of the second authentication user interface; and
      
      initiating, in response to receiving an indication of successful verification of the second ID factor, access to the second controlled access application.
  - 14. The method of claim 13, wherein the second feeder robot verifies the second ID factor by:
    - opening a second connection with the host verification server;
      
      requesting the second authentication user interface from the host verification server via the second connection;
      
      receiving the second authentication user interface in response to the request;
      
      generating a web form using the second information, at least some of the second information being information obtained from the second user and some of the second information being extracted from the second authentication user interface;
      
      submitting the web form to the host verification server, wherein submitting the web form simulates submission by the second user;
      
      receiving an indication of successful verification from the host verification server; and
      
      closing the second connection.
  - 15. The method of claim 13, wherein submission of the second authentication user interface includes using the second information and a second token to format an API call, wherein the second token verifies to the host verification server that the second feeder robot is not a web-crawling robot.
  - 16. The method of claim 13, further comprising:
    - identifying, in the data store, a third ID factor for the second user that meets the requested level of assurance, wherein the requested level of assurance requires authentication by two factors;
      
      selecting a third feeder robot configured to obtain third information for the third ID factor; and
      
      activating the third feeder robot to verify the third ID factor with a host verification server associated with the third ID factor, wherein the third feeder robot uses the third information to format an API call to the host verification server associated with the third ID factor and submits the API call to the host verification server associated with the third ID factor,wherein initiating access to the second controlled access application occurs responsive to receiving an indication of successful verification of the third ID factor and successful verification of the second ID factor.

17. A method comprising:
- receiving a request from a user to access a controlled access application, the request including a first Identifier (ID) factor and a second ID factor and identifying the user;
  
  selecting a first feeder robot configured to obtain first information for the first ID factor;
  
  opening a first connection with a first host verification server associated with the first ID factor;
  
  requesting, in an HTTP or HTTPS request, a first authentication user interface from the first host verification server via the first connection;
  
  receiving, in an HTTP or HTTPS response, the first authentication user interface in response to the request, wherein the first authentication user interface is not presented to the user;
  
  activating the first feeder robot to generate a first web form using the first information, at least some of the first information being information obtained from the user and some of the first information being information used to maintain the first connection that is extracted from the first authentication user interface;
  
  generating a token for the feeder robot;
  
  submitting the token and the first web form to the first host verification server, wherein submitting the first web form simulates a submission by the user and the token verifies to the host verification server that the feeder robot from the feeder robot is not a web-crawling robot;
  
  receiving an indication of successful verification from the first host verification server;
  
  closing the first connection with the first host verification server;
  
  selecting a second feeder robot configured to obtain second information for the second ID factor;
  
  opening a second connection with a second host verification server associated with the second ID factor;
  
  requesting, in an HTTP or HTTPS request, a second authentication user interface from the second host verification server via the second connection;
  
  receiving, in an HTTP or HTTPS response, the second authentication user interface in response to the request, wherein the second authentication user interface is not presented to the user;
  
  activating the second feeder robot to generate a second web form using the second information, at least some of the second information being information obtained from the user and at least some of the second information being information used to maintain the second connection that is extracted from the second authentication user interface;
  
  submitting the second web form to the second host verification server, wherein submitting the second web form simulates a submission by the user; and
  
  initiating, in response to receiving an indication of successful verification from the second host verification server, access to the controlled access application.
- View Dependent Claims (18, 19, 20, 21, 22, 23)
- - 18. The method according to claim 17, wherein the first information includes information obtained from a data store for the user.
  - 19. The method according to claim 17, wherein the information used to maintain the first connection includes status information.
  - 20. The method according to claim 17, wherein the first information obtained from the user and the second information obtained from the user are obtained via a user interface provided by the controlled access application.
  - 21. The method according to claim 17, wherein the information used to maintain the first connection includes a session identifier.
  - 22. The method according to claim 17, wherein the first feeder robot and the first host verification server have a trusted relationship and the first host verification server lacks a relationship with the controlled access application.
  - 23. The method according to claim 17, wherein the first feeder robot is configured to handle a workflow request issued by the first host verification server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
DrFirst.com, Incorported
Original Assignee
DrFirst.com, Incorported
Inventors
Tang, Zilong
Primary Examiner(s)
Nipa, Wasika

Application Number

US14/851,708
Publication Number

US 20170078270A1
Time in Patent Office

963 Days
Field of Search
US Class Current
CPC Class Codes

H04L 2463/082   applying multi-factor authe...

H04L 63/0815   providing single-sign-on or...

H04L 63/083   using passwords cryptograph...

H04L 63/0853   using an additional device,...

H04L 63/0861   using biometrical features,...

H04L 63/123   received data contents, e.g...

Strong authentication with feeder robot in a federated identity web environment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

311 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Strong authentication with feeder robot in a federated identity web environment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

311 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links