System and method for adaptive application of authentication policies

US 10,776,464 B2
Filed: 03/18/2014
Issued: 09/15/2020
Est. Priority Date: 03/22/2013
Status: Active Grant

First Claim

Patent Images

1. A method for user authentication comprising:

initially defining a plurality of authentication device classes based on characteristics of client authentication devices, the characteristics comprising a type of authentication device and a level of security assurance of the client device'"'"'s hardware and/or software;

initially defining a plurality of interaction classes for a relying party, the interaction classes defined based on variables associated with interactions between a client and the relying party, the variables including an amount of money or a level of sensitivity of information involved in the interactions;

initially defining one or more authentication rule sets specifying authentication devices or classes of authentication devices to be used for different interaction classes, the one or more authentication rule sets comprising a first rule set;

detecting, by a secure transaction services engine, a user of a client attempting to perform a current interaction with a relying party over a network; and

responsively identifying a first interaction class for the current interaction, by an adaptive authentication policy hardware engine, based on variables associated with the current interaction andimplementing a first rule set of one or more authentication rules associated with the first interaction class to authenticate the user of the client, wherein implementing the first rule set of one or more authentication rules comprises the adaptive authentication policy hardware engine implementing a first rule specifying a particular authentication device class required to authenticate the user for the current interaction, wherein the first rule comprises a prioritized list of acceptable authentication device classes for the current interaction.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, apparatus, method, and machine readable medium are described for adaptively implementing an authentication policy. For example, one embodiment of a method comprises: detecting a user of a client attempting to perform a current interaction with a relying party; and responsively identifying a first interaction class for the current interaction based on variables associated with the current interaction and implementing a set of one or more authentication rules associated with the first interaction class.

447 Citations

28 Claims

1. A method for user authentication comprising:
- initially defining a plurality of authentication device classes based on characteristics of client authentication devices, the characteristics comprising a type of authentication device and a level of security assurance of the client device'"'"'s hardware and/or software;
  
  initially defining a plurality of interaction classes for a relying party, the interaction classes defined based on variables associated with interactions between a client and the relying party, the variables including an amount of money or a level of sensitivity of information involved in the interactions;
  
  initially defining one or more authentication rule sets specifying authentication devices or classes of authentication devices to be used for different interaction classes, the one or more authentication rule sets comprising a first rule set;
  
  detecting, by a secure transaction services engine, a user of a client attempting to perform a current interaction with a relying party over a network; and
  
  responsively identifying a first interaction class for the current interaction, by an adaptive authentication policy hardware engine, based on variables associated with the current interaction andimplementing a first rule set of one or more authentication rules associated with the first interaction class to authenticate the user of the client, wherein implementing the first rule set of one or more authentication rules comprises the adaptive authentication policy hardware engine implementing a first rule specifying a particular authentication device class required to authenticate the user for the current interaction, wherein the first rule comprises a prioritized list of acceptable authentication device classes for the current interaction.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 25, 26)
- - 2. The method as in claim 1 further comprising:
    - initially classifying a plurality of authentication device models into the plurality of authentication device classes based on characteristics of the authentication device models.
  - 3. The method as in claim 1 wherein the client selects a first authentication device to be used for authentication based on the prioritized list of acceptable authentication device classes.
  - 4. The method as in claim 1 wherein the variables associated with the current interaction comprises an amount of money or sensitivity of data involved in the current interaction.
  - 5. The method as in claim 1 wherein the type of authentication device includes fingerprint authentication, PIN or password entry, face recognition authentication, voice recognition authentication, authentication using a trusted platform module (TPM) device, and/or retinal scanning authentication.
  - 6. The method as in claim 2 wherein at least one authentication device class is defined to have a particular authentication factor with a false acceptance rate below a specified threshold.
  - 7. The method as in claim 2 wherein at least one authentication device class is defined based on where and/or how a matching algorithm is implemented to match biometric data extracted from an authentication device with biometric template data stored in a secure storage.
  - 8. The method as in claim 7 wherein the authentication device class is defined based on the matching algorithm being, or not being implemented within a secure execution environment.
  - 9. The method as in claim 6 wherein the one authentication device class is further defined to store sensitive data in cryptographically secure hardware and/or software.
  - 10. The method as in claim 3 further comprising:
    - generating an assurance level based, at least in part, on a user authentication with the first authentication device.
  - 11. The method as in claim 10 wherein the interaction is permitted if the assurance level is above a specified threshold.
  - 12. The method as in claim 11 wherein the assurance level is generated, at least in part, based on current sensor data read from client sensors, wherein at least one of the sensors comprises a location sensor providing a current location of the client.
  - 25. The method as in claim 1, wherein the characteristics of client authentication devices further comprises a type of location in which secrets are stored.
  - 26. The method as in claim 1, wherein the characteristics of client authentication devices further comprises a type of location where cryptographic operations are performed by the authentication devices.

13. An authentication system comprising:
- an authentication policy database to store authentication policies for a relying party;
  
  a secure transaction services engine of the relying party to detect a user of a client attempting to perform a current interaction with the relying party over a network;
  
  an adaptive authentication policy hardware engine of the relying party to perform operations of;
  
  initially define a plurality of interaction classes in the authentication policy database, the interaction classes defined based on variables associated with interactions between the client and the relying party, the variables including an amount of money or a level of sensitivity of information involved in the interactions;
  
  initially define one or more authentication rule sets in the authentication policy database specifying authentication devices or classes of authentication devices to be used for different interaction classes, the one or more authentication rule sets comprising a first rule set; and
  
  query the authentication policy database to identify a first interaction class for the current interaction based on variables associated with the current interaction and to implement the first rule set of one or more authentication rules associated with the first interaction class to authenticate the user of the client, wherein implementing a first rule set of one or more authentication rules comprises the adaptive authentication policy hardware engine implementing a first rule specifying a particular authentication device class required to authenticate the user for the current interaction, the first rule comprising a prioritized list of acceptable authentication device classes for the current interaction, and wherein the adaptive authentication policy hardware engine is to perform additional operations of initially defining a plurality of authentication device classes in the authentication policy database based on characteristics of client authentication devices, the characteristics comprising a type of authentication device and a level of security assurance of the client device'"'"'s hardware and/or software.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 27, 28)
- - 14. The authentication system as in claim 13 further comprising:
    - initially classifying a plurality of authentication device models into the plurality of authentication device classes in the authentication policy database based on characteristics of the authentication device models.
  - 15. The authentication system as in claim 13 wherein the client selects a first authentication device to be used for authentication based on the prioritized list of acceptable authentication device classes.
  - 16. The authentication system as in claim 13 wherein the variables associated with the current interaction comprises an amount of money or sensitivity of data involved in the current interaction.
  - 17. The authentication system as in claim 13 wherein the type of authentication device includes fingerprint authentication, PIN or password entry, face recognition authentication, voice recognition authentication, authentication using a trusted platform module (TPM) device, and/or retinal scanning authentication.
  - 18. The authentication system as in claim 14 wherein at least one authentication device class is defined to have a particular authentication factor with a false acceptance rate below a specified threshold.
  - 19. The authentication system as in claim 14 wherein at least one authentication device class is defined based on where and/or how a matching algorithm is implemented to match biometric data extracted from an authentication device with biometric template data stored in a secure storage.
  - 20. The authentication system as in claim 19 wherein the authentication device class is defined based on the matching algorithm being, or not being implemented within a secure execution environment.
  - 21. The authentication system as in claim 18 wherein the one authentication device class is further defined to store sensitive data in cryptographically secure hardware and/or software.
  - 22. The authentication system as in claim 15 further comprising:
    - the client generating an assurance level based, at least in part, on a user authentication with the first authentication device.
  - 23. The authentication system as in claim 22 wherein the interaction is permitted if the assurance level is above a specified threshold.
  - 24. The authentication system as in claim 23 wherein the assurance level is generated, at least in part, based on current sensor data read from client sensors, wherein at least one of the sensors comprises a location sensor providing a current location of the client.
  - 27. The authentication system as in claim 13, wherein the characteristics of client authentication devices further comprises a type of location in which secrets are stored.
  - 28. The authentication system as in claim 13, wherein the characteristics of client authentication devices further comprises a type of location where cryptographic operations are performed by the authentication devices.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nok Nok Labs Incorporated
Original Assignee
Nok Nok Labs Incorporated
Inventors
Wilson, Brendon
Primary Examiner(s)
King, John B

Application Number

US14/218,646
Publication Number

US 20140289790A1
Time in Patent Office

2,373 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/32   using biometric data, e.g. ...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/2115   Third party

G06Q 20/204   comprising interface for re...

G06Q 20/3224   Transactions dependent on l...

G06Q 20/3274   using a pictured code, e.g....

G06Q 20/3278   RFID or NFC payments by mea...

G06Q 20/4012   Verifying personal identifi...

G06Q 20/40145   Biometric identity checks

G06Q 20/42   Confirmation, e.g. check or...

G06Q 20/425   using two different network...

G07F 19/20   Automatic teller machines [...

H04L 2209/805   Lightweight hardware, e.g. ...

H04L 2463/102   applying security measure f...

H04L 63/0492   by using a location-limited...

H04L 63/08   for authentication of entit...

H04L 63/083   using passwords cryptograph...

H04L 63/0861   using biometrical features,...

H04L 63/20   for managing network securi...

H04L 9/0819   Key transport or distributi...

H04L 9/0822 : using key encryption key

H04L 9/0841 : involving Diffie-Hellman or...

H04L 9/3231 : Biological data, e.g. finge...

H04L 9/3247 : involving digital signatures

H04L 9/3297 : involving time stamps, e.g....

H04W 12/06 : Authentication

H04W 12/065 : Continuous authentication

View All

System and method for adaptive application of authentication policies

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

447 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for adaptive application of authentication policies

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

447 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links