Computer-implemented systems and methods of device based, internet-centric, authentication

US 10,348,715 B2
Filed: 10/06/2017
Issued: 07/09/2019
Est. Priority Date: 11/07/2014
Status: Active Grant

First Claim

Patent Images

1. A system for authorizing respective access by each of a plurality of Internet users to a respective plurality of Internet services, comprising:

a processor at a single identity provider;

a first non-transitory computer readable storage device of the single identity provider, wherein the first non-transitory computer readable storage device is configured to store data, and wherein the stored data comprises;

for each of a plurality of Internet users, a respective public key portion of a respective authentication token, wherein the respective authentication token is specific to a user credential of the Internet user and to an identity provider application of the single identity provider residing on a computing device of one or more devices of the Internet user and that is configured to be used by the Internet user to receive authorized access to each of a plurality of Internet services;

for each one of the respective plurality of Internet services, a respective identifier, and a respective one or more call-back Internet addresses;

a second non-transitory machine-readable storage device of the single identity provider, wherein the second non-transitory computer readable storage device is encoded with program code executable by the processor for;

requiring the respective single identity provider application residing on each of the respective computing devices of the plurality of Internet users to create the respective authentication token, to store a respective private key portion of the respective authentication token on the respective computing device, and to prevent transmission of the respective private key portion of the respective authentication token from the respective computing device;

for each selection by a respective Internet user of a respective one Internet service of the respective plurality of Internet services, receiving, via a respective application programming interface (API) call from a computer server, a respective identifier for the respective selected one Internet service; and

in response to receiving each of the respective identifiers, requiring the respective single identity provider application residing on the respective computing device of each of the selecting Internet users to validate a respective received user credential using the respective stored private key portion of the respective authentication token for the respective selecting Internet user;

receiving a respective approved authentication challenge message from the respective single identity provider application residing on the respective computing device of each of a plurality of the selecting Internet users;

validating a plurality of the received approved authentication challenge messages using the respective stored public key portion of the respective authentication token for each of the plurality of the selecting Internet users, and;

in response to validating the plurality of received approved authentication challenge messages, authorizing access by at least one of the respective selecting Internet users to the respective selected one Internet service by re-directing a respective web browser residing on a device of the respective one or more devices of the at least one of the respective selecting Internet users to a respective one of the respective stored one or more call-back Internet addresses for the respective selected one Internet service.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and computer-implemented methods for authorizing respective access by each of a plurality of Internet users to a respective one or more Internet services provided by each of a plurality of Internet service providers. A system includes a processor, and non-transient computer readable storage media, at a single identity provider. The storage media is encoded with program code executable by the processor for requiring an identity provider application residing on each of a plurality of devices to create a respective authentication token that is specific to a respective identifier and user credential of a respective Internet user, a respective device identifier, and the respective identity provider application, and for authorizing respective access by the plurality of Internet users to a respective requested one of the Internet services provided by each Internet service provider using the respective created authentication tokens and respective identifiers for each of the respective requested Internet services.

56 Citations

View as Search Results

20 Claims

1. A system for authorizing respective access by each of a plurality of Internet users to a respective plurality of Internet services, comprising:
- a processor at a single identity provider;
  
  a first non-transitory computer readable storage device of the single identity provider, wherein the first non-transitory computer readable storage device is configured to store data, and wherein the stored data comprises;
  
  for each of a plurality of Internet users, a respective public key portion of a respective authentication token, wherein the respective authentication token is specific to a user credential of the Internet user and to an identity provider application of the single identity provider residing on a computing device of one or more devices of the Internet user and that is configured to be used by the Internet user to receive authorized access to each of a plurality of Internet services;
  
  for each one of the respective plurality of Internet services, a respective identifier, and a respective one or more call-back Internet addresses;
  
  a second non-transitory machine-readable storage device of the single identity provider, wherein the second non-transitory computer readable storage device is encoded with program code executable by the processor for;
  
  requiring the respective single identity provider application residing on each of the respective computing devices of the plurality of Internet users to create the respective authentication token, to store a respective private key portion of the respective authentication token on the respective computing device, and to prevent transmission of the respective private key portion of the respective authentication token from the respective computing device;
  
  for each selection by a respective Internet user of a respective one Internet service of the respective plurality of Internet services, receiving, via a respective application programming interface (API) call from a computer server, a respective identifier for the respective selected one Internet service; and
  
  in response to receiving each of the respective identifiers, requiring the respective single identity provider application residing on the respective computing device of each of the selecting Internet users to validate a respective received user credential using the respective stored private key portion of the respective authentication token for the respective selecting Internet user;
  
  receiving a respective approved authentication challenge message from the respective single identity provider application residing on the respective computing device of each of a plurality of the selecting Internet users;
  
  validating a plurality of the received approved authentication challenge messages using the respective stored public key portion of the respective authentication token for each of the plurality of the selecting Internet users, and;
  
  in response to validating the plurality of received approved authentication challenge messages, authorizing access by at least one of the respective selecting Internet users to the respective selected one Internet service by re-directing a respective web browser residing on a device of the respective one or more devices of the at least one of the respective selecting Internet users to a respective one of the respective stored one or more call-back Internet addresses for the respective selected one Internet service.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system of claim 1, wherein the second non-transitory computer readable storage device is further encoded with program code executable by the processor for:
    - repudiating at least one of the received approved authentication challenge messages using the respective stored public key portion of the respective authentication token of the respective selecting Internet user; and
      
      denying access by the respective selecting Internet user to the respective selected one Internet service in response to repudiating the at least one of the received respective approved authentication challenge messages.
  - 3. The system of claim 1, wherein each of the respective plurality of Internet services is provided by a different relying party of a plurality of relying parties and wherein the provider of the respective selected one Internet service is one of the plurality of relying parties.
  - 4. The system of claim 3, wherein the stored data further comprises, for each of the plurality of relying parties, a respective identifier that is visually perceptible when displayed on a page of the single identity provider application and when displayed on a web page belonging to the single identity provider;
    - and wherein the second non-transitory computer readable storage device is further encoded with program code executable by the processor for automatically generating, and transmitting, to a respective web browser residing on a device of the respective one or more devices of the respective selecting Internet user, a respective web page belonging to the single identity provider that displays;
      
      the respective visually perceptible identifier of the respective relying party; and
      
      a respective Internet address of the respective web page belonging to the respective relying party.
  - 5. The system of claim 1, wherein the second non-transitory computer readable storage device is further encoded with program code executable by the processor for:
    - automatically generating, and transmitting, via an API call, to a single identity provider application residing on a respective computing device of an Internet user, a pseudorandom string; and
      
      requiring the respective identity provider application residing on the respective computing device to;
      
      generate an encryption key using the transmitted pseudorandom string and the user credential of the Internet user;
      
      encrypt the private key portion of the authentication token of the Internet user using the generated encryption key; and
      
      store the encrypted private key portion of the authentication token on the computing device of the Internet user.
  - 6. The system of claim 5, wherein the second non-transitory computer readable storage device is further encoded with program code executable by the processor for:
    - executing the program code for automatically generating and transmitting a new pseudorandom string at a predetermined periodicity; and
      
      requiring the single identity provider application residing on the computing device of the Internet user to perform the generating, encrypting, and storing steps using each transmitted new pseudorandom string.
  - 7. The system of claim 1, wherein the second non-transitory computer readable storage device is further encoded with program code executable by the processor for requiring the respective single identity provider application residing on the respective computing device of each of a plurality of the selecting Internet users to display a respective page configured to receive the respective received user credential.
  - 8. The system of claim 1, wherein the second non-transitory computer readable storage device is further encoded with program code executable by the processor for:
    - requiring the respective single identity provider application residing on the respective computing device of each of the selecting Internet users to repudiate a respective received user credential that fails to be usable to decrypt the respective stored private key portion of the respective authentication token for the respective selecting Internet user; and
      
      receiving, from the single identity provider application residing on the computing device of a selecting Internet user, an indication that the received user credential was repudiated and, in response to receiving the indication, denying access by the selecting Internet user to the selected one Internet service.
  - 9. The system of claim 1, wherein the user credential comprises a PIN, a biometric factor, or combinations thereof.
  - 10. The system of claim 1, wherein the computer server is of a provider of the respective selected one Internet service.

11. A non-transitory computer readable storage device encoded with program code, wherein, when the program code is executed by a processor of a computing device, the processor performs a method comprising:
- an identity provider application of a single identity provider residing on the computing device;
  
  creating an authentication token comprising a public key portion and a private key portion, wherein the created authentication token is specific to the single identity provider application;
  
  storing the private key portion of the created authentication token in a memory of the computing device; and
  
  transmitting, via an application programming interface (API) call to a computer server of the single identity provider, only the public key portion of the created authentication token;
  
  in an out-of-band interaction with other than the single identity provider application, a web browser of the computing device receiving a selection of a link on a web page identifying a respective one of a plurality of Internet services, and, in response to receiving the selection of the link on the web page, the web browser transmitting an electronic signal indicative of an Internet user identifier to the computer server of the single identity provider;
  
  in response to receiving an API call from the computer server of the single identity provider, the single identity provider application;
  
  displaying a page to receive an Internet user input;
  
  validating a received Internet user input by attempting to decrypt the stored private key portion of the created authentication token; and
  
  if the received input is validated, transmitting an approved authentication challenge message via an API call to the computer server of the single identity provider; and
  
  in response to receiving another API call from the computer server of the single identity provider indicating successful validation of the transmitted authentication challenge message, the single identity provider application authorizing access by the Internet user to the selected one of the plurality of Internet services by re-directing the web browser to a call-back Internet address of, and displaying content of, another web page for the selected one of the plurality of Internet services.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The non-transitory computer readable storage device of claim 11, wherein, when the program code is further executed by the processor of the computing device, the processor performs the method further comprising:
    - the single identity provider application;
      
      receiving an Internet user credential;
      
      encrypting the private key portion of the created authentication token using the received Internet user credential; and
      
      storing the encrypted private key portion of the created authentication token in the memory of the computing device.
  - 13. The non-transitory computer readable storage device of claim 11, wherein, when the program code is further executed by the processor of the computing device, the processor performs the method further comprising:
    - in response to receiving the selection of the link on the web page, the web browser transmitting to a web server content indicative of a respective identifier for the selected one of the plurality of Internet services, and wherein the API call is received by the single identity provider application and from the computer server of the single identity provider based on to the transmitted Internet user identifier and the transmitted content.
  - 14. The non-transitory computer readable storage device of claim 11, wherein when the program code is further executed by the processor of the computing device, the processor performs the method further comprising:
    - another application residing on the computing device, in an out-of-band interaction with other than the single identity provider application;
      
      transmitting, to the computer server of the single identity provider, an electronic signal including content indicative of an activation code for the created authentication token of the Internet user; and
      
      directing the web browser of the computing device, to an Internet address, and displaying content of, a web page belonging to the single identity provider to activate the created authentication token of the Internet user.
  - 15. The non-transitory computer readable storage device of claim 11, wherein when the program code is further executed by the processor of the computing device, the processor performs the method further comprising:
    - the single identity provider application;
      
      receiving, at a predetermined periodicity via an API call from the computer server of the single identity provider, a respective predefined pseudorandom string; and
      
      generating a new encryption key using the received respective pseudorandom string and a user credential of the Internet user; and
      
      encrypting the private key portion of the created authentication token using the generated new encryption key.
  - 16. The non-transitory computer readable storage device of claim 11, wherein when the program code is further executed by the processor of the computing device, the processor performs the method further comprising:
    - the single identity provider application;
      
      performing the step of creating the authentication token at a predetermined periodicity so that the single identity provider application periodically creates a new authentication token;
      
      deleting the stored private key portion of the prior created authentication token;
      
      storing the private key portion of the new created authentication token in the memory of the computing device; and
      
      transmitting, via an application programming interface (API) call to the computer server of the single identity provider, only the public key portion of the new created authentication token.

17. A system for authorizing respective access by each of a plurality of Internet users to a respective plurality of Internet services, comprising:
- a processor at a single identity provider;
  
  a first non-transitory computer readable storage device of the single identity provider, wherein the first non-transitory computer readable storage device is configured to store data, and wherein the stored data comprises;
  
  for each of a plurality of Internet users, a respective public key portion of a respective authentication token, wherein the respective authentication token is specific to;
  
  a credential of the Internet user, and an identity provider application of the single identity provider residing on a computing device of one or more devices of the Internet user and that is configured to be used by the Internet user to receive authorized access to each of a plurality of Internet services;
  
  a second non-transitory machine-readable storage device of the single identity provider, wherein the second non-transitory computer readable storage device is encoded with program code executable by the processor for;
  
  requiring the respective single identity provider application residing on each of the computing devices to create the respective authentication token, to store a respective private key portion of the respective created authentication token on the respective computing device, and to prevent transmission of the respective private key portion of the respective created authentication token from the respective computing device, wherein the respective stored private key portion of each of the created authentication tokens is configured to be decrypted by the credential of the respective Internet user that is received by the respective single identity provider application;
  
  requiring the respective single identity provider application residing on each of the computing devices to create a new respective authentication token at a predetermined periodicity, to delete the respective stored private key portion of the prior respective authentication token, to store a respective private key portion of the new respective created authentication token on the respective computing device, and to prevent transmission of the respective private key portion of the new respective created authentication token from the respective computing device, wherein the respective stored private key portion of each of the new created authentication tokens is configured to be decrypted by the credential of the respective Internet user that is received by the respective single identity provider application;
  
  deleting the respective stored public key portion of the prior respective authentication token for each of the plurality of Internet users from the stored data;
  
  storing the respective public key portion of the new respective created authentication token for each of the plurality of Internet users in the stored data; and
  
  authorizing respective access by two or more of the plurality of Internet users to a respective selected one of the respective plurality of Internet services in response to validating respective approved authentication challenge messages received in a respective API call from the respective single identity provider application residing on the respective computing device of each of the two or more Internet users using the respective stored public key portion of the respective new created authentication token for each of the two or more Internet users, wherein each respective approved authentication challenge message comprises an indication of successful decryption of the respective stored private key portion of the respective new created authentication token for the respective Internet user.
- View Dependent Claims (18, 19, 20)
- - 18. The system of claim 17, wherein the stored data in the first non-transitory computer readable storage device of the single identity provider further comprises, for each one of the respective plurality of Internet services, a respective identifier, and a respective one or more call-back Internet addresses, and wherein the second non-transitory computer readable storage device is further encoded with program code executable by the processor for:
    - validating respective information received from a respective computer server of a respective provider of each selected one of the respective plurality of Internet services using the respective stored identifier for each respective selected one Internet service; and
      
      wherein the step of authorizing respective access by the two or more Internet users further comprises re-directing a respective web browser residing on the respective computing device of each of the two or more Internet users to a respective one of the respective stored one or more call-back Internet addresses for the respective selected one Internet service; and
      
      wherein the step of authorizing respective access by the two or more Internet users is further in response to the validating the respective information received from the respective computer server of the respective provider of each respective selected one Internet service.
  - 19. The system of claim 18, wherein the second non-transitory computer readable storage device is further encoded with program code executable by the processor for:
    - automatically generating, and transmitting via a respective API call to the respective single identity provider application residing on the respective computing device of each of the two or more Internet users, a respective page that displays;
      
      an Internet address of a web page displayed on the web browser of the computing device of the Internet user to request access by the Internet user to the selected one Internet service by selection of a corresponding link on the web page, wherein each of the plurality of Internet services is provided by a different relying party;
      
      a time identifier of the Internet user selection of the link corresponding to the selected one Internet service on the web page; and
      
      a status identifier of authorizing access by the Internet user to the selected one Internet service; and
      
      in response to authorizing respective access by each of the two or more Internet users to the respective selected one Internet service, re-directing a respective web browser on the respective computing device of the respective Internet user to the respective one of the respective one or more call-back Internet addresses for the respective selected one Internet service.
  - 20. The system of claim 17, wherein the stored data in the first non-transitory computer readable storage device of the single identity provider further comprises, for each of the plurality of Internet users, a respective counter value, and wherein the second non-transitory computer readable storage device is further encoded with program code executable by the processor for:
    - in response to authorizing respective access by the two or more Internet users, incrementing the respective counter value in the stored data for each of the two or more Internet users, and wherein the step of authorizing respective access by the two or more Internet users further comprises using the respective stored public key portion of the respective authentication token, and the respective stored counter value, for each of the two or more Internet users.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Privakey, Inc. (Probaris Technologies, Inc.)
Original Assignee
Probaris Technologies, Inc.
Inventors
Ross, Brian G., Hollin, Benjamin P., Durkin, Charles J., Anuszewski, Harry D., Fischetti, Joseph A.
Primary Examiner(s)
Schmidt, Kari L

Application Number

US15/726,755
Publication Number

US 20180034796A1
Time in Patent Office

641 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/31   User authentication

G06F 21/41   where a single sign-on prov...

H04L 63/0442   wherein the sending and rec...

H04L 63/08   for authentication of entit...

H04L 63/0815   providing single-sign-on or...

H04L 63/0823   using certificates cryptogr...

H04L 67/02   based on web technology, e....

H04W 12/069   using certificates or pre-s...

Computer-implemented systems and methods of device based, internet-centric, authentication

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

56 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Computer-implemented systems and methods of device based, internet-centric, authentication

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

56 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links