System and Method For Authentication Of Users In A Secure Computer System

US 20090037995A1
Filed: 07/31/2007
Published: 02/05/2009
Est. Priority Date: 07/31/2007
Status: Active Grant

First Claim

Patent Images

1. A method of authenticating a user in a secure computer system comprising the steps of:

transmitting from a client computer of a user to the computer system a request for a sign-on page;

transmitting from the computer system to the client computer a prompt for a first user identifier;

in response to said prompt, transmitting from the client computer to the computer system a request includingthe first user identifier,a second user identifier stored in an object stored at the client computer anda plurality of request header attributes;

authenticating at the computer system the first user identifier;

authenticating at the computer system the second user identifier;

comparing the transmitted plurality of request header attributes with a plurality of request header attributes stored at the computer system and associated with the first user identifier; and

if the first and second user identifiers are authenticated, and if the transmitted request header attributes correspond to the stored request header attributes, transmitting a success message to the client computer to be viewed by the user.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method of authenticating a user in a secure computer system in which a client computer transmits to the secure computer system a request for a sign-on page, the computer system transmits to the client computer a prompt for a first user identifier, and in response to the prompt, the client computer transmits to the computer system a request including a first identifier, a second identifier stored in an object stored at the client computer and a plurality of request header attributes. The computer system includes a server software module that authenticates the first user identifier and the second user identifier, and compares the transmitted plurality of request header attributes with a plurality of request header attributes stored at the computer system and associated with the first and second user identifiers. If the first and second user identifiers are authenticated, and if the transmitted request header attributes match stored request header attributes, the server software module transmits a success message to the client computer to be viewed by the user, and the user is allowed to access the secure computer system. In one embodiment, each transmitted request header attribute is given a numerical weighted value and the comparison of request header attributes includes adding the assigned numerical values of matching attributes to arrive at a total value, then transmitting the success message to the client computer only if the total value of matching request header attributes is at least a certain predetermined numerical total.

75 Citations

View as Search Results

72 Claims

1. A method of authenticating a user in a secure computer system comprising the steps of:
- transmitting from a client computer of a user to the computer system a request for a sign-on page;
  
  transmitting from the computer system to the client computer a prompt for a first user identifier;
  
  in response to said prompt, transmitting from the client computer to the computer system a request includingthe first user identifier,a second user identifier stored in an object stored at the client computer anda plurality of request header attributes;
  
  authenticating at the computer system the first user identifier;
  
  authenticating at the computer system the second user identifier;
  
  comparing the transmitted plurality of request header attributes with a plurality of request header attributes stored at the computer system and associated with the first user identifier; and
  
  if the first and second user identifiers are authenticated, and if the transmitted request header attributes correspond to the stored request header attributes, transmitting a success message to the client computer to be viewed by the user.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. The method of claim 1 wherein the step of comparing the transmitted plurality of request header attributes with a plurality of stored request header attributes includes the step of determining whether a match exists therebetween of a predetermined number of said transmitted and said stored header attributes fewer than all of said transmitted and stored request header attributes.
  - 3. The method of claim 1 wherein the step of comparing the transmitted plurality of request header attributes with a plurality of stored request header attributes includes the steps ofassigning a weighted value to each of said request header attributes anddetermining whether a match exists between said transmitted header attributes and said stored request header attributes such that a sum of weighted values of matching transmitted and stored request header attributes equals or exceeds a predetermined value.
  - 4. The method of claim 3 wherein the determining step includes the further step of sending an error message to the client computer to be viewed by the user instead of the success message in the event that the sum of weighted values of matching transmitted and stored request header attributes is less than the predetermined value.
  - 5. The method of claim 4 wherein the step of sending an error message further includes the step of sending a message to the client computer to be viewed by the user that the user must enroll in the computer system.
  - 6. The method of claim 1 wherein the comparing step includes the step of comparing a transmitted locale request header attribute to a stored locale request header attribute.
  - 7. The method of claim 1 wherein the comparing step includes the step of comparing a transmitted user-agent request header attribute to a stored user-agent request header attribute.
  - 8. The method of claim 1 wherein the comparing step includes the step of comparing a transmitted accept-encoding request header attribute to a stored accept-encoding request header attribute.
  - 9. The method of claim 1 wherein the comparing step includes the step of comparing a transmitted IP address request header attribute to a stored IP address request header attribute.
  - 10. The method of claim 1 wherein the comparing step includes the step of comparing a transmitted character-encoding request header attribute to a stored character-encoding request header attribute.
  - 11. The method of claim 1 wherein the comparing step includes the step of comparing a transmitted referrer request header attribute to a stored referrer request header attribute.
  - 12. The method of claim 1 wherein the comparing step includes the step of comparing a transmitted accept request header attribute to a stored accept request header attribute.
  - 13. The method of claim 1 wherein the comparing step includes the step of comparing a transmitted remote host request header attribute to a stored remote host request header attribute.
  - 14. The method of claim 1 wherein the step of transmitting a second user identifier includes the step of transmitting a plurality of second user identifiers stored in said object, each of said second user identifiers being associated with a different user.
  - 15. The method of claim 14 wherein the step of validating at the computer system the second user identifier includes the step of sorting said plurality of second user identifiers to find a match between one of said plurality of second identifiers and said first identifier.
  - 16. The method of claim 1 wherein the step of transmitting a second user identifier includes the step of transmitting a second user identifier stored in a local shared object stored on said client computer.
  - 17. The method of claim 16 wherein the step of transmitting a second user identifier includes the step of transmitting a second user identifier including an encrypted serial number associated with said user.
  - 18. The method of claim 17 wherein the step of transmitting a second user identifier including an encrypted serial number associated with said user includes the step of transmitting a second user identifier including an encrypted serial number and date-time stamp.
  - 19. The method of claim 18 wherein said serial number and date-time stamp are hashed, then encrypted.

20. A method of authenticating a user in a secure computer system comprising the steps of:
- transmitting from a client computer of a user to the computer system a request for a sign-on page;
  
  receiving from the client computer a prompt for an enrollment;
  
  in response to said prompt, the computer systemcollecting a plurality of device attributes of the client computer andtransmitting to the client computer a request for information pertaining to a user of the client computer including a user account number;
  
  receiving from the client computer the information pertaining to the user including the user account number;
  
  authenticating the information pertaining to said user including matching said received user account number with a stored user account number;
  
  if a match of the received and stored account numbers exists, transmitting to the client computer a request for a first user identifier;
  
  receiving the first user identifier from the client computer, associating the first user identifier with the user and storing the first user identifier and the plurality of device attributes on the computer system; and
  
  transmitting a success message to the client computer to be viewed by the user.

21. A method of authenticating a user in a secure computer system comprising the steps of:
- transmitting from a client computer of a user to the computer system a request for an enrollment page, the request including a request header containing a plurality of device attributes specific to said client computer;
  
  transmitting from the computer system to the client computer a prompt for a user identifier;
  
  transmitting from the client computer the user identifiervalidating the user identifier;
  
  authenticating the user identifier;
  
  transmitting from the computer system a request for a user identification and password;
  
  receiving from the client computer a user identification and password, validating the user identification and password and storing the user identification and password in storage associated with the computer system;
  
  transmitting from the client computer of a user to the computer system a request to register the client computer;
  
  creating a serial number unique to the user and saving the serial number and request header in the storage associated with the user identification and password;
  
  storing the serial number on the client computer; and
  
  allowing the user access to the secure computer system.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32)
- - 22. The method of claim 21 wherein the storing step includes the step of creating a browser cookie on the client computer and storing the serial number in the browser cookie.
  - 23. The method of claim 21 wherein the storing step includes the step of creating a local shared object on the client computer and storing the serial number in the local shared object.
  - 24. The method of claim 21 further comprising the steps of:
    - prior to the step of transmitting from the computer system to the client computer a prompt for a user identifier, transmitting from the computer system to the client computer of the user disclosure material pertaining to services provided by the secure computer system.
  - 25. The method of claim 21 wherein the user identifier includes at least one of a Social Security number, ATM number, ATM PIN and email address of the user.
  - 26. The method of claim 21 wherein said step of storing the serial number on the user computer includes the step of appending a date and time stamp to the serial number and encrypting the second serial number, date and time stamp string.
  - 27. The method of claim 21 further comprising the steps of, in a subsequent session:
    - transmitting from the client computer of a user to the computer system a request for a sign-on page;
      
      transmitting from the computer system to the client computer a prompt for the first user identifier;
      
      in response to said prompt, transmitting from the client computer to the computer system a request includingthe first user identifier,the serial number stored in at least one of a browser cookie and a local shared object stored at the client computer anda plurality of current request header attributes;
      
      authenticating at the computer system the first user identifier;
      
      authenticating at the computer system the second user identifier;
      
      comparing the transmitted plurality of current request header attributes with the plurality of request header attributes stored at the computer system and associated with the first and second identifiers; and
      
      if the first and second user identifiers are validated, and if the transmitted request header attributes correspond to the stored request header attributes, allowing the user computer to access the computer system.
  - 28. The method of claim 27 wherein the step of comparing the request header attributes received from the user computer with the request header attributes associated with the serial number in the storage to determine whether a match exists includes a step of assigning a value to each of the request header attributes matched, and determining that a match exists only if the total values of the matching request header attributes at least meets a predetermined total.
  - 29. The method of claim 28 wherein the predetermined total is less than the total of all of the values.
  - 30. The method of claim 28 wherein the values are numeric values and the predetermined total is a numeric total.
  - 31. The method of claim 28 wherein the request header attributes compared include locale, user-agent, accept-encoding, IP address, character-encoding referrer and accept.
  - 32. The method of claim 28 wherein failure of a locale attribute of the current request header attributes to match a locale attribute of the request header attributes associated with the serial number in the storage results in a finding of no match.

33. A method of enrolling a user in a secure computer system comprising the steps of:
- transmitting from a client computer of a user to the computer system a request for an enrollment page, the request including a request header containing a plurality of device attributes specific to said client computer;
  
  transmitting from the computer system to the client computer a prompt for a user identifier;
  
  transmitting from the client computer the user identifier;
  
  validating the user identifier;
  
  authenticating the user identifier;
  
  transmitting from the computer system to the client computer a request for a user identification and password;
  
  authenticating the user identification and password;
  
  storing the user identification and password in storage associated with the computer system in a file containing the device attributes and user identifier;
  
  creating a serial number and saving the serial number in the file;
  
  encrypting the serial number;
  
  creating a browser cookie containing the encrypted serial number and storing the browser cookie on the client computer;
  
  creating a local shared object containing the encrypted serial number and storing the local shared object on the client computer.
- View Dependent Claims (34, 35, 36, 37)
- - 34. The method of claim 33 further comprising the step of, prior to the step of creating a serial number, querying the user to determine if the user desires to register the user'"'"'s computer.
  - 35. The method of claim 34 further comprising the step of, subsequent to the step of storing the local shared object on the client computer, transmitting from the computer system to the client computer a page notifying the user that the user'"'"'s computer has been registered.
  - 36. The method of claim 33 wherein the step of creating a browser cookie includes the step of appending a date and time stamp to the serial number and encrypting the serial number and appended date and time stamp.
  - 37. The method of claim 33 wherein the step of creating a local shared object includes the step of appending a date and time stamp to the serial number and encrypting the serial number and appended date and time stamp.

38. A method of authenticating a user in a secure computer system comprising the steps of:
- transmitting from a client computer of a user to the computer system a request for a sign-on page;
  
  transmitting from the computer system to the client computer a prompt for a first user identifier;
  
  in response to said prompt, transmitting from the client computer to the computer system a request includingthe first user identifier,a second user identifier stored in at least one of a browser cookie and a local shared object stored at the client computer anda plurality of request header attributes;
  
  authenticating at the computer system the first user identifier;
  
  authenticating at the computer system the second user identifier;
  
  comparing the transmitted plurality of request header attributes with a plurality of request header attributes stored at the computer system and associated with the first and second identifiers; and
  
  if the first and second user identifiers are validated, and if the transmitted request header attributes correspond to the stored request header attributes, transmitting a success message to the client computer to be viewed by the user and allowing the user computer to access the computer system.
- View Dependent Claims (39)
- - 39. The method of claim 38 wherein the comparing step includes comparing the plurality of request header attributes with a plurality of request header attributes stored at the computer system and associated with the first and second identifiers, the stored plurality of request header attributes being stored during a previous enrollment process by the user using the client computer.

40. A method of authenticating a banking customer to allow the customer access to a secure banking computer system comprising the steps of:
- transmitting from a client computer of the customer to the banking computer system a request for a sign-on page;
  
  transmitting from the computer system to the client computer a prompt for a customer identification number and password;
  
  in response to said prompt, transmitting from the client computer to the banking computer system a request includingthe customer identification and password,a serial number stored in at least one of a browser cookie and a local shared object stored at the client computer anda plurality of request header attributes;
  
  authenticating at the computer system the customer identification number and password;
  
  authenticating at the computer system the serial number;
  
  comparing the transmitted plurality of request header attributes with a plurality of request header attributes stored at the banking computer system and associated with the customer identification number, customer password and serial number; and
  
  if the customer number, customer password and serial number are authenticated, and if the transmitted request header attributes correspond to the stored request header attributes, transmitting a success message to the client computer to be viewed by the banking customer and allowing the banking customer computer access to the secure banking computer system.

41. A system for authenticating a user in a secure computer system comprising:
- a client computer operable by a user;
  
  a server associated with a secure computer system in communication with the client computer and having storage;
  
  a client software module utilized by the client computer for sending to the server a request for a sign on page;
  
  a server software module utilized by the server for transmitting from the server to the client computer a prompt for a first user identifier;
  
  the client software module, in response to the prompt, transmits from the client computer to the server a request includingthe first user identifier,a second user identifier stored in an object stored at the client computer anda plurality of request header attributes; and
  
  the server software module validates the first user identifier and the second user identifier and compares the transmitted plurality of request header attributes with a plurality of request header attributes in the storage at the server and associated with the first identifier;
  
  whereby, if the first and second user identifiers are validated by the server software module, and if the transmitted request header attributes correspond to the stored request header attributes, the server software module allows the client computer access to the secure computer system.
- View Dependent Claims (42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64)
- - 42. The system of claim 41 wherein the client computer and server communicate over a network.
  - 43. The system of claim 41 wherein the client software module includes a browser for sending the requests to the server.
  - 44. The system of claim 43 wherein the browser creates the object stored at the client computer.
  - 45. The system of claim 41 wherein the client software module creates a local shared object on the client computer and stores the second client identifier therein.
  - 46. The system of claim 45 wherein the second client identifier is a serial number provided by the server software module.
  - 47. The system of claim 41 wherein the server software module assigns a weighted value to each of the request header attributes and determines whether a match exists between the transmitted header attributes and the stored request header attributes such that a sum of weighted values of matching transmitted and stored request header attributes equals or exceeds a predetermined value.
  - 48. The system of claim 47 wherein the server software module sends an error message to the client computer to be viewed by the user in the event that the sum of weighted values of matching transmitted and stored request header attributes is less than the predetermined value.
  - 49. The system of claim 48 wherein, along with the error message, the server software module sends a message to the client computer to be viewed by the user that the user must enroll in the computer system.
  - 50. The system of claim 41 wherein the server software module compares a transmitted locale request header attribute to a stored locale request header attribute.
  - 51. The system of claim 41 wherein the server software module compares a transmitted user-agent request header attribute to a stored user-agent request header attribute.
  - 52. The system of claim 41 wherein the server software module compares a transmitted accept-encoding request header attribute to a stored accept-encoding request header attribute.
  - 53. The system of claim 41 wherein the server software module compares a transmitted IP address request header attribute to a stored IP address request header attribute.
  - 54. The system of claim 41 wherein the server software module compares a transmitted character-encoding request header attribute to a stored character-encoding request header attribute.
  - 55. The system of claim 41 wherein the server software module compares a transmitted referrer request header attribute to a stored referrer request header attribute.
  - 56. The system of claim 41 wherein the server software module compares a transmitted accept request header attribute to a stored accept request header attribute.
  - 57. The system of claim 41 wherein the server software module compares a transmitted remote host request header attribute to a stored remote host request header attribute.
  - 58. The system of claim 41 wherein the server software module transmits a plurality of second user identifiers stored in the object, each of said second user identifiers being associated with a different user.
  - 59. The system of claim 58 wherein the server software module sorts the plurality of second user identifiers to find a match between one of said plurality of second identifiers and said first identifier.
  - 60. The system of claim 41 wherein the client software module creates a local shared object on the client computer;
    - and the server software module stores a second user identifier in the local shared object.
  - 61. The system of claim 60 wherein the client software module causes the client computer to transmit the second user identifier stored in the local shared object to the server in response to the prompt.
  - 62. The system of claim 61 wherein the client software module causes the client computer to transmit an encrypted serial number associated with said user to the server.
  - 63. The system of claim 62 wherein the client software module causes the client computer to transmit an encrypted serial number and date-time stamp.
  - 64. The system of claim 63 wherein the serial number and date-time stamp are hashed, then encrypted.

65. A system for authenticating a user in a secure computer system comprising:
- a client computer operable by a user;
  
  a server associated with a secure computer system in communication with the client computer and having storage containing user information;
  
  a client software module utilized by the client computer for sending to the server a request for a sign on page;
  
  a server software module utilized by the server to transmit from the server to the client computer a prompt for an enrollment of the user, and in response to acknowledgement from the client software module,collects a plurality of device attributes of the client computer andtransmits to the client computer a request for information pertaining to a user of the client computer including a user account number;
  
  the client software module transmits to the server the information pertaining to the user including the user account number;
  
  the server software module authenticates the information pertaining to the and matches the received user account number with a user account number in the storage;
  
  whereby, if a match of the received and stored account numbers exists, the server transmits to the client computer a request for a first user identifier and receives the first user identifier from the client computer, associates the first user identifier with the user and stores the first user identifier and the plurality of device attributes on the computer system and allows the client computer access to the secure computer system.

66. A system of authenticating a user in a secure computer system comprising:
- a client computer operable by a user;
  
  a server associated with a secure computer system in communication with the client computer and having storage containing user information;
  
  a client software module utilized by the client computer for transmitting from the client computer of a user to the computer system a request for an enrollment page, the request including a request header containing a plurality of device attributes specific to the client computer;
  
  a server software module for transmitting from the server to the client computer a prompt for a user identifier, receiving the user identifier from the client computer, validating the user identifier, authenticating the user identifier, transmitting from the server a request for a user identification and password, validating the user identification and password received from the client computer and storing the user identification and password in the storage;
  
  the client software module transmitting from the client computer of a user to the server a request to register the client computer;
  
  in response to the request to register, the server software module creates a serial number unique to the user and saves the serial number and request header in the storage associated with the user identification and password, stores the serial number on the client computer, and allows the user access to the secure computer system.
- View Dependent Claims (67, 68, 69, 70, 71, 72)
- - 67. The system of claim 66 wherein the server software module creates a browser cookie on the client computer and stores the serial number in the browser cookie.
  - 68. The system of claim 66 wherein the server software module causes a local shared object to be created on the client computer and stores the serial number in the local shared object.
  - 69. The system of claim 66 wherein the server software module transmits from the computer system to the client computer material pertaining to services provided by the secure computer system.
  - 70. The system of claim 66 wherein the user identifier includes at least one of a Social Security number, ATM number, ATM PIN and email address of the user.
  - 71. The system of claim 66 wherein the server software module appends a date and time stamp to the serial number and encrypts the second serial number, date and time stamp string.
  - 72. The system of claim 66 wherein the server software module transmits to the client computer a prompt for the first user identifier;
    - the client software module transmits to the server a request including the first user identifier, the serial number stored in at least one of a browser cookie and a local shared object stored at the client computer and a plurality of current request header attributes;
      
      the server software module authenticates the first user identifier, the second user identifier and compares the transmitted plurality of current request header attributes with the plurality of request header attributes stored at the computer system and associated with the first and second identifiers;
      
      whereby, if the first and second user identifiers are validated by the server software module, and if the transmitted request header attributes correspond to the stored request header attributes, the server software module allows the user computer to access the computer system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
KeyCorp
Original Assignee
KeyCorp
Inventors
Zapata, Onesimo, Flannery, Deana M., Zielinski, Susan E.

Granted Patent

US 8,230,490 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/9
CPC Class Codes

G06F 21/43   wireless channels

H04L 63/083   using passwords cryptograph...

H04L 69/22   Parsing or analysis of headers

System and Method For Authentication Of Users In A Secure Computer System

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

75 Citations

72 Claims

Specification

Solutions

Use Cases

Quick Links

System and Method For Authentication Of Users In A Secure Computer System

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

75 Citations

72 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links