System and method for collecting and utilizing client data for risk assessment during authentication
First Claim
1. A method implemented on a client device comprising a memory for storing program code, and a processor for processing the program code to implement the method comprising:
collecting client configuration data on a client device using a native code agent running in a client operating system of the client device, the native code agent having secure access to the client configuration data, wherein the client configuration data is collected by the native code agent without disclosing confidential user information to a relying party;
performing an assessment of the client configuration data on the client to determine a risk level associated with the client device, the client configuration data including;
data related to client authentication hardware, including an indication of hardware to implement secure elements or trusted execution environments on the client;
data related to the client operating system, including an indication of a current operating system version installed on the client device and how recently the client operating system has been updated;
data related to anti-virus software configuration, including an indication of whether an anti-virus software has been installed and how recently the anti-virus software has been updated and/or executed; and
data related to firewall configuration, including an indication of whether a firewall is installed and how recently the firewall has been updated;
collecting biometric reference data of the user usable to authenticate the user and storing the biometric reference data in a secure storage of the authentication device used to collect the biometric reference data, the secure storage to cryptographically protect the biometric reference data of the user;
performing authentication for a particular transaction in accordance with the risk level to determine an assurance level that a current user of the client is legitimate, the assurance level determined, at least in part, based on the risk level, and also determined based on a combination of one or more current or prior explicit user authentications using the authentication hardware and one or more non-intrusive authentication techniques;
wherein for relatively higher risk levels, relatively more rigorous authentication techniques are selected to reach an assurance level required for the transaction as specified by the relying party, and for relatively lower risk levels, relatively less rigorous authentication techniques are selected to reach the assurance level required for the transaction as specified by the relying party; and
permitting the transaction when the authentication techniques selected to reach the assurance level required for the transaction as specified by the relying party are successfully completed and denying the transaction when the authentication techniques selected to reach the assurance level required for the transaction as specified by the relying party are not successfully completed.
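An added illustration of the flow recited in claim 1, not code from the patent or its assignee: the one-point-per-signal scoring, the 30-day staleness window, the risk penalty, and the technique names with their assurance values are all assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

STALE_DAYS = 30      # assumed freshness window for updates
RISK_PENALTY = 15    # assumed assurance lost per risk point
# Hypothetical techniques, least to most rigorous: (name, assurance gained).
TECHNIQUES = [("location_match", 20), ("recent_explicit_auth", 30),
              ("pin", 30), ("fingerprint", 40)]

@dataclass
class ClientConfig:                 # the four data categories named in the claim
    has_secure_element_or_tee: bool
    os_last_updated: date
    av_installed: bool
    av_last_updated: Optional[date]
    firewall_installed: bool
    firewall_last_updated: Optional[date]

def _stale(last, today):
    return last is None or (today - last).days > STALE_DAYS

def risk_level(cfg, today):
    """Assessed on the client; only this 0..4 score leaves the agent."""
    return sum([
        not cfg.has_secure_element_or_tee,
        _stale(cfg.os_last_updated, today),
        not cfg.av_installed or _stale(cfg.av_last_updated, today),
        not cfg.firewall_installed or _stale(cfg.firewall_last_updated, today),
    ])

def select_techniques(risk, required):
    """Add techniques until the relying party's required assurance is met."""
    total, chosen = -RISK_PENALTY * risk, []
    for name, gain in TECHNIQUES:
        if total >= required:
            break
        chosen.append(name)
        total += gain
    return chosen if total >= required else None   # None: level unreachable

def authorize(cfg, today, required, passed):
    """Permit only if every selected technique completed successfully."""
    plan = select_techniques(risk_level(cfg, today), required)
    return plan is not None and all(t in passed for t in plan)

# Constructed sample clients (not from the patent).
TODAY = date(2024, 6, 1)
HEALTHY = ClientConfig(True, date(2024, 5, 20), True, date(2024, 5, 30),
                       True, date(2024, 5, 25))
RISKY = ClientConfig(False, date(2023, 1, 1), False, None,
                     True, date(2023, 6, 1))
```

With the same required assurance, the well-maintained client is asked only for the two least intrusive techniques, while the unpatched client without a secure element or TEE must complete all four.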
Abstract
A system, apparatus, method, and machine readable medium are described for performing client risk assessment for authentication. For example, one embodiment of an apparatus comprises: a client risk assessment agent to perform an assessment of client configuration data to determine a risk level associated with a client device; and an authentication engine to perform authentication for a particular transaction in accordance with the risk level.
14 Claims
8. An apparatus comprising a memory for storing program code and a processor for processing the program code, the apparatus comprising:
at least one sensor to collect data relevant to user authentication;
authentication hardware to perform authentication using the data, the authentication hardware including at least one biometric authentication device to collect biometric data associated with the user, the at least one biometric authentication device further to collect biometric reference data of the user usable to authenticate the user and to store the biometric reference data in a secure storage of the at least one biometric authentication device, the secure storage to cryptographically protect the biometric reference data of the user;
a client risk assessment agent to collect client configuration data on a client device using a native code agent running in a client operating system of the client device, the native code agent having secure access to the client configuration data, wherein the client configuration data is collected by the native code agent without disclosing confidential user information to a relying party, the client risk assessment agent to perform an assessment of client configuration data to determine a risk level associated with the client device, the client configuration data including;
data related to client authentication hardware, including an indication of hardware used for secure elements or trusted execution environments on the client;
data related to the client operating system, including an indication of a current operating system version installed on the client device and how recently the client operating system has been updated;
data related to anti-virus software configuration, including an indication of whether an anti-virus software has been installed and how recently the anti-virus software has been updated and/or executed; and
data related to firewall configuration, including an indication of whether a firewall is installed and how recently the firewall has been updated;
the authentication hardware to perform authentication for a particular transaction in accordance with the risk level associated with the client device by performing the operations of;
performing authentication for a particular transaction in accordance with the risk level to determine an assurance level that a current user of the client is legitimate, the assurance level determined, at least in part, based on the risk level, and also determined based on a combination of one or more current or prior explicit user authentications using the authentication hardware and one or more non-intrusive authentication techniques;
wherein for relatively higher risk levels, relatively more rigorous authentication techniques are selected to reach an assurance level required for the transaction as specified by the relying party, and for relatively lower risk levels, relatively less rigorous authentication techniques are selected to reach the assurance level required for the transaction as specified by the relying party; and
the authentication hardware to permit the transaction when the authentication techniques selected to reach the assurance level required for the transaction as specified by the relying party are successfully completed and deny the transaction when the authentication techniques selected to reach the assurance level required for the transaction as specified by the relying party are not successfully completed.
Specification