Method for secure user and site authentication

US 8,549,601 B2
Filed: 01/14/2011
Issued: 10/01/2013
Est. Priority Date: 11/02/2009
Status: Active Grant

First Claim

Patent Images

1. A method of authenticating a user on a network, comprising:

receiving, by a security server, a request of a network site for authentication of the user;

calculating, by the security server in response to the receipt of the authentication request, a one-time-password based on (i) a secret shared by the security server and the network site but not by the user, and the secret is not shared or associated by the security server or the network site with the user, and (ii) a one-time-password generating algorithm, wherein the one-time-password is independently calculable by the network site based on the shared secret and the one-time-password generating algorithm;

transmitting, by the security server to the network site, a time stamp or counter value associated with the calculated one-time-password; and

transmitting, by the security server to the user, the calculated one-time-password to authenticate the user to the network site.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

User authentication is achieved by creating a window on the user'"'"'s PC that is in communication with a security server, where this communication channel is separate from the communication channel between the user'"'"'s browser and whichever web site they are at. A legitimate web site embeds code in the web page which communicates to the security server from the user'"'"'s desktop. The security server signals both the web page on the user'"'"'s browser and the window to which it has a separate channel. If user authentication is requested by the web site, the security server computes a one time password based on a secret which it shares with the web site, but not with the user, and which is not associated with any particular user, and the web site can re-compute the one time password to authenticate the user.

122 Citations

View as Search Results

25 Claims

1. A method of authenticating a user on a network, comprising:
- receiving, by a security server, a request of a network site for authentication of the user;
  
  calculating, by the security server in response to the receipt of the authentication request, a one-time-password based on (i) a secret shared by the security server and the network site but not by the user, and the secret is not shared or associated by the security server or the network site with the user, and (ii) a one-time-password generating algorithm, wherein the one-time-password is independently calculable by the network site based on the shared secret and the one-time-password generating algorithm;
  
  transmitting, by the security server to the network site, a time stamp or counter value associated with the calculated one-time-password; and
  
  transmitting, by the security server to the user, the calculated one-time-password to authenticate the user to the network site.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein:
    - the user is represented on the network by a user network device executing code embedded in a network page that is (i) associated with the network site and (ii) displayed by the user network device; and
      
      the authentication request is received from the user network device in accordance with the execution of the embedded network page code.
  - 3. The method of claim 1, wherein:
    - the user is represented on the network by a user network device which displays a network page associated with the network site; and
      
      the calculated one-time-password is transmitted, by the security server to the user network device for presentation on a window displayed by the user network device and entry by the user onto the displayed network page.
  - 4. The method of claim 3, further comprising:
    - receiving, by a security server from the user network device, an identifier of the user network device and an identifier of the network site; and
      
      transmitting, by the security server to the user network device in response to the receipt of the identifiers, an indication of legitimacy of the network site that will cause display of a corresponding legitimacy indicator on both the displayed network page and the displayed window.
  - 5. The method of claim 4, further comprising:
    - determining, by the security server, the legitimacy of the network site based on the received network site identifier.
  - 6. The method of claim 5, further comprising:
    - storing, by the security server on the user network device, a local session object;
      
      wherein the received user network device identifier includes the stored local session object; and
      
      wherein the received network site identifier includes a network address of the network site presented in the displayed network page.
  - 7. The method of claim 4, wherein:
    - if the transmitted indication indicates that the network site is legitimate, the corresponding legitimacy indicator includes a first type visual cue in a first state; and
      
      if the transmitted indication indicates that the network site is illegitimate, the corresponding legitimacy indicator includes the first type visual cue in a second state.
  - 8. The method of claim 7, wherein:
    - the first type visual cue is a light;
      
      the first state is green; and
      
      the second state is red.
  - 9. The method of claim 7, further comprising:
    - if the transmitted indication indicates that the network site is legitimate, the corresponding legitimacy indicator also includes a second type visual cue in the form of a random image.

10. An article of manufacture for authenticating a user on a network, comprising:
- non-transitory processor readable storage medium; and
  
  logic stored on the storage medium, wherein the stored logic is configured to be readable by a processor and thereby cause the processor to operate so as to;
  
  receive a request of a network site for authentication of the user;
  
  calculate in response to the receipt of the authentication request, a one-time-password based on (i) a secret shared by a security server and the network site but not by the user, and the secret is not shared or associated by the security server or the network site with the user, and (ii) a one-time-password generating algorithm, wherein the one-time-password is independently calculable by the network site based on the shared secret and the one-time-password generating algorithm;
  
  transmit, to the network site, a time stamp or counter value associated with the calculated one-time-password; and
  
  transmit the calculated one-time-password to authenticate the user to the network site.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The article of manufacture of claim 10, wherein:
    - the user is represented on the network by a user network device executing code embedded in a network page that is (i) associated with the network site and (ii) displayed by the user network device; and
      
      the authentication request is received from the user network device in accordance with the execution of the embedded network page code.
  - 12. The article of manufacture of claim 10, wherein:
    - the user is represented on the network by a user network device which displays a network page associated with the network site; and
      
      the calculated one-time-password is transmitted to the user network device for presentation on a window displayed by the user network device and entry by the user onto the displayed network page.
  - 13. The article of manufacture of claim 12, wherein the stored logic is further configured to cause the processor to operate so as to:
    - receive, from the user network device, an identifier of the user network device and an identifier of the network site; and
      
      transmit, to the user network device in response to the receipt of the identifiers, an indication of legitimacy of the network site that will cause display of a corresponding legitimacy indicator on both the displayed network page and the displayed window.
  - 14. The article of manufacture of claim 13, wherein:
    - the stored logic is further configured to cause the processor to operate so as to;
      
      store, on the user network device, a local session object; and
      
      determine the legitimacy of the network site based on the received network site identifier;
      
      the received user network device identifier includes the stored local session object; and
      
      the received network site identifier includes a network address of the network site included in the displayed network page.
  - 15. The article of manufacture of claim 13, wherein:
    - if the transmitted indication indicates that the network site is legitimate, the corresponding legitimacy indicator will include a first type visual cue in a first state and a second type visual cue in the form of a random image; and
      
      if the transmitted indication indicates that the network site is illegitimate, the corresponding legitimacy indicator will include the first type visual cue in a second state.

16. A system for authenticating a user on a network, comprising:
- a communications port configured to receive a request of a network site for authentication of the user; and
  
  a processor configured to calculate, in response to the receipt of the authentication request, a one-time-password based on (i) a secret shared by a security server and the network site, but not by the user, and the secret is not shared or associated by the security server or the network site with the user, and (ii) a one-time-password generating algorithm and to direct transmission of the calculated one-time-password and a time stamp or counter value associated with the calculated one-time-password to authenticate the user to the network site;
  
  wherein the one-time-password is independently calculable by the network site based on the shared secret and the one-time-password generating algorithm.
- View Dependent Claims (17, 18, 19, 20, 21)
- - 17. The system of claim 16, wherein:
    - the user is represented on the network by a user network device executing code embedded in a network page that is (i) associated with the network site and (ii) displayed by the user network device; and
      
      the authentication request is received from the user network device in accordance with the execution of the embedded network page code.
  - 18. The system of claim 16, wherein:
    - the user is represented on the network by a user network device displaying a network page associated with the network site; and
      
      the calculated one-time-password is transmitted to the user network device for presentation on a window displayed by the user network device and entry by the user onto the displayed network page.
  - 19. The system of claim 18, wherein:
    - the communications port is further configured to receive, from the user network device, an identifier of the user network device and an identifier of the network site; and
      
      the processor is further configured to direct transmission, to the user network device in response to the receipt of the identifiers, of an indication of legitimacy of the network site that will cause display of a corresponding legitimacy indicator on both the displayed network page and the displayed window.
  - 20. The system of claim 19, wherein:
    - the processor is further configured to direct storage of a local session object on the user network device, and determine the legitimacy of the network site based on the received network site identifier;
      
      the received user network device identifier includes the stored local session object; and
      
      the received network site identifier includes a network address of the network site presented in the displayed network page.
  - 21. The system of claim 19, wherein:
    - if the transmitted indication indicates that the network site is legitimate, the corresponding legitimacy indicator includes a first visual cue in a first state and a second visual cue in the form of a random image; and
      
      if the transmitted indication indicates that the network site is illegitimate, the corresponding legitimacy indicator includes the first visual cue in a second state.

22. A method of authenticating a user on a network, comprising:
- receiving, by a first user agent on a user network device from a network site, a request of the network site for the user to be authenticated;
  
  transmitting, by the first user agent to a security server, the network site request;
  
  receiving, by a second user agent on the user network device from the security server in response to transmission of the network site request, a one-time-password calculated based on (i) a secret shared by the security server and the network site, but not by the user, and the secret is not shared or associated by the security server or the network site with the user and (ii) a one-time-password generating algorithm;
  
  transferring the one-time-password from second user agent to first user agent; and
  
  transmitting, by the first user agent to the network site, the one-time-password to authenticate the user to the network site;
  
  wherein the one-time-password is independently calculable by the network site based on the shared secret and the one-time-password generating algorithm.
- View Dependent Claims (23, 24, 25)
- - 23. The method of claim 22, further comprising:
    - transmitting, by the first user agent to the network site, a request of the user to access the network site;
      
      wherein the network site request is received in response to the transmitted user request.
  - 24. The method of claim 22, wherein:
    - the first user agent is a network page that is associated with the network site and displayed on the user network device; and
      
      the second user agent is a window displayed on the user network device.
  - 25. The method of claim 24, wherein:
    - the network page has embedded code; and
      
      the transmission of the network site request by the first user agent to the security server is based on execution of the embedded network page code by the user network device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Payfone Incorporated
Original Assignee
Authentify, Inc. (Early Warning Services, LLC)
Inventors
Ganesan, Ravi
Primary Examiner(s)
Louie, Oscar
Assistant Examiner(s)
Zhu, Zhimei

Application Number

US13/006,806
Publication Number

US 20110179472A1
Time in Patent Office

991 Days
Field of Search

726 2- 5, 726/8, 726 17- 21
US Class Current

726/8
CPC Class Codes

G06F 21/42   using separate channels for...

H04L 63/0838   using one-time-passwords

H04L 63/1483   service impersonation, e.g....

H04L 67/02   based on web technology, e....

Method for secure user and site authentication

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

122 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Method for secure user and site authentication

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

122 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links