EP3631662A1 - Authentication system and method - Google Patents
Authentication system and methodInfo
- Publication number
- EP3631662A1 EP3631662A1 EP17911253.7A EP17911253A EP3631662A1 EP 3631662 A1 EP3631662 A1 EP 3631662A1 EP 17911253 A EP17911253 A EP 17911253A EP 3631662 A1 EP3631662 A1 EP 3631662A1
- Authority
- EP
- European Patent Office
- Prior art keywords
- end user
- authentication
- computer program
- access
- computerized method
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Withdrawn
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0815—Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/32—User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3226—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3234—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
- H04W12/068—Authentication using credential vaults, e.g. password manager applications or one time password [OTP] applications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/08—Access security
Definitions
- the present invention generally relates to authenticating end user access to computer programs across multiple devices using single sign-on techniques.
- Data describing a request to access a computer program is received at a processing component from a requesting device operated by an end user.
- the processing component determines whether an existing authentication session for the end user exists. In accordance with a determination that the existing authentication session for the end user does not exist, the end user is prompted to authenticate to the processing component. In accordance with a
- a risk assessment is performed.
- the risk assessment comprises a consideration of one or both of (i) one or more request characteristics associated with the request to access the computer program and (ii) one or more computer program access criteria.
- the requesting device is provided with access to the computer program.
- the end user is prompted to perform an authentication activity.
- a new authentication session is established for the end user and the requesting device is provided with access to the computer program.
- the data indicating that the end user performed the authentication activity may comprise biometrics data of the end user; a password selected by the end user; and/or a one-time password provided by the processing component after receiving the request to access from the requesting device.
- the processing component receives a registration request from the end user.
- the processing component creates a unique registration token.
- the processing component creates a database record including an identifier for the end user and the unique registration token.
- the processing component provides to a registration device a mechanism to access an authentication application for initiating registration of the registration device.
- the identifier for the end user and the unique registration token are received through the
- the processing component calculates a device authentication weight, which is stored in a database along with the public key.
- the authentication session for the end user is established using the registration device before the request to access the computer program is received.
- the requesting device is the registration device and, in other embodiments, is a different device.
- the consideration of the computer program access criteria dictate that the determination of the risk assessment is negative, regardless of the consideration of the request characteristics.
- the consideration of the request characteristics dictate that the determination of the risk assessment is negative, regardless of the consideration of the computer program access criteria.
- the computer program access criteria may comprise a minimum authentication weight associated with the computer program, which may be determined based on a criticality of the computer application.
- the request characteristics may comprise one or more of the device authentication weight; a location of the requesting device; a time that has elapsed since the existing
- the device authentication weight may be calculated based on a modality by which the end user authenticates to the registration device, and/or a security assessment of the registration device.
- the processing component receives the public key in connection with the end user performing the authentication activity.
- a request to access a resource within the computer program is received at the processing component and it is determined whether one or more request characteristics meet one or more computer program resource access criteria.
- the one or more computer program resource access criterial comprise a minimum authentication weight associated with the resource.
- the existing authentication session is established in connection with the end user accessing another computer program that is not the subject of the request to access.
- the one or more request characteristics may include a modality in which the existing authentication session in connection with accessing the other computer program was established.
- the computer program may be a native application; a web- based application; or an operating system of the requesting device.
- the consideration of the request characteristics and computer program access criteria dictate that the determination of the risk assessment is negative when the device authentication weight does not exceed a minimum authentication weight associated with the computer program.
- the consideration of the request characteristics and computer program access criteria dictate that the determination of the risk assessment is negative when a distance between a first location of the requesting device when the request to access was sent and a second location of another device when the existing authentication session was created exceeds a distance threshold.
- the consideration of the request characteristics and computer program access criteria dictate that the determination of the risk assessment is negative when a time period between a first time when the request to access was sent and a second time when the existing authentication session was created exceeds a time period threshold.
- Figure 1 is a diagram illustrating exemplary hardware and software components that may be used in connection with an exemplary embodiment of the present invention
- Figure 2A is a diagram illustrating the flow of data and communications between and among devices and other computer system components in connection with an exemplary registration process of the present invention
- Figures 2B is a diagram illustrating the flow of data and communications between and among devices and other computer system components in connection with an exemplary authentication process of the present invention.
- Figure 3 is a diagram illustrating an exemplary computer system architecture that may be used in accordance with the present invention.
- Embodiments of the present invention provide novel improvements in the field of authentication technology and are particularly useful in identity and access management systems. More specifically, embodiments of the present invention provide a platform that allows users to log on to any of multiple, distinct clients (e.g., mobile, desktop, services/capabilities), and access computer programs (e.g., native mobile applications, desktop applications, web/cloud-based applications, authentication set-ups, operating systems, services or capabilities), using single sign-on functionality (i.e., a single log in (e.g., username/password, touch identification)).
- clients e.g., mobile, desktop, services/capabilities
- access computer programs e.g., native mobile applications, desktop applications, web/cloud-based applications, authentication set-ups, operating systems, services or capabilities
- single sign-on functionality i.e., a single log in (e.g., username/password, touch identification)
- the invention uses biometrics (although biometrics need not be used in all embodiments of the invention), authentication, and cryptography components to enable a capability in which a user's identity (e.g., biometric identity), or signature, remains anonymous while a cryptographic key relationship is used to authenticate the user.
- a risk engine is also provided in preferred embodiments to control the single sign-on functionality based on various risk factors, such as time, number of devices, and/or geolocation, by way of example.
- FIG. 1 is a diagram of a system 100 illustrating exemplary hardware and software components that may be used in connection with an embodiment of the present invention.
- Device 10 is any device seeking access to a computer program.
- Device(s) 15 comprise the devices that are registered with processing component 20.
- the illustrated network is a communication network allowing the components of system 100 to communicate and exchange data.
- Processing component 20 performs the authentication activities described herein.
- Processing component 20 may be a computer server in an exemplary embodiment and, as such, is also referred to herein as authentication server 20.
- Risk engine 30 comprises a computer processor that is programmed to perform the risk assessment activities described herein.
- Rules/weights storage 45 comprises a data storage/retrieval mechanism for the rules and weights used by the risk engine 30.
- Cryptographic storage 40 stores data associated with the cryptographic keys used in connection with the present invention.
- step 201 the user initiates registration from a secure client device. More particularly, the user may initiate registration from a trusted work desktop or other authenticated environment with an existing authentication session (i.e., from a trusted device which was already registered and which the user is logged into or from an authorized desktop which the user is logged into).
- step 202 the authentication server 20 receives the request to commence registration and creates a unique time-bound registration token (e.g., a one-time pin or password, or a QR Code, by way of example).
- a unique time-bound registration token e.g., a one-time pin or password, or a QR Code, by way of example.
- Authentication server 20 creates a database record including, for example, an identifier for the user, such as an electronic mail address of the user, and the unique time-bound registration code.
- authentication server 20 sends to the user an electronic message, e.g., using a secure email address, that includes a link to download an application and initiate the registration process.
- the application acts as the authentication broker and is secured, e.g., with biometrics, to unlock access to a private key.
- the link to download the application may be displayed to the user on a screen within the secure session. Accordingly, in any number of ways, the user is provided with access to the application so he can install it on the device.
- step 204 using the link, the user installs the application and, through the application, is prompted to register his device.
- step 205 the user enters the identifier for the user, e.g., his electronic mail address, and the unique time-bound registration code. Additional data may be collected, e.g., the identifier of the device performing the registration and the location of such device at the time of registration. At this point, the authenticity and ownership of the device 15 sought to be registered by the user are confirmed, as well as the user's association with the authenticated session on the device employed by the user to register his device.
- step 206 the user registers the authentication factor on the device 15, e.g., by entering a user-created password or using biometrics.
- a cryptographic key pair is created within the secure container of the device.
- the private key of the key pair is stored in a secure area of the device and is not revealed during the authentication process described with reference to Figure 2A.
- the public key includes the device ID the key ID and, in some embodiments, data describing the location of the device 15 at the time of registration.
- the application installed on device 15, in conjunction with the risk engine 30, calculates a device authentication weight in step 208.
- the device authentication weight may be calculated based on several factors, in the preferred embodiment.
- One factor relates to location using, for example, parameters obtained by the application (e.g., geolocation, time) upon registration.
- the location of both the device conducting the registration process and the device to be registered is relevant to the process. For example, the system will consider whether the user should be permitted to register a device that is not within reasonable proximity to the device the user is using to perform the registration. In a particular example, if the user is logged onto his laptop in New York when he seeks to register his mobile phone, registration may be denied if the same user attempts to download the application and register his mobile phone from a location in Europe within a few minutes after his New York laptop logon, as this would indicate an impossible velocity (i.e., traveling to Europe from New York in minutes).
- the risk engine 30 assigns a weight based on the authentication factor provided, e.g., a biometric factor that is hardware-based and backed with a key stored in the secure container of the device would be considered more trusted than a password.
- Biometric factors in particular may be weighted based on established industry rating: For example, iris scanners have fewer false positives then vein scanners and, thus, would be given a higher weight.
- the weighting order from high to low is iris scanner, vein scanners, touch identification, pass phrases, and then passwords.
- Another factor relates to how secure the device is with regard to storing private keys and whether there are any known leaks or vulnerabilities. So, for example, touch identification sensors have operating system and hardware backing to ensure that the private keys are never accessed by the software and that they are fully stored and operate within the hardware. Certain iris scanner implementations, on the other hand, may have a higher perceived security rating but the key management used in connection with such implementations is fully software-based and, thus, the private key is exposed to the software before being committed to storage. An iris scanner implementation that takes advantage of hardware security may have a higher security rating than touch identification.
- a device sought to be registered need not be an integrated device.
- the user can leverage externally available devices for biometric authentication that connect to their devices, directly or via a wireless capability and using known interfaces.
- the registration process for the device is then complete and the device sends the following data elements to the authentication server 20, in the exemplary embodiment: the user identifier, e.g., his electronic mail address; unique registration code; public key; and the device authentication weight.
- the user/device record is updated in database 40.
- the user may register more than one device 15 pursuant to the foregoing registration process.
- Each device 15 is associated with its own unique public/private key relationship and a distinct key ID.
- the authentication weight is based on login context and is device-specific. More particularly, a device at rest (e.g., a registered device that is offline or is online but not being used) does not contribute to the weight logic.
- a user can initiate login via a first device and an authentication weight is assigned to that specific transaction based on use of the first device. If a user seeks to login from a second device, an authentication weight is calculated based on this new authentication request from the second device (e.g., based on location, time, and other factors described previously).
- an exemplary method 210 is illustrated in which the system of the present invention processes a log-in request.
- the process begins when a user attempts to access a desired computer program using a device. Access may be sought by the user to a native or web application on a mobile device; to a native or web application on a desktop computer; to a server application or service; or to an operating system, e.g., of a smart device, by way of example.
- each computer program that is to receive the benefit of the authentication techniques of the present invention is required to include an authentication module that launches upon an end user requesting access to the application and, in some instances, upon the end user seeking to perform an activity (e.g., access a resource) within the application. More particularly, for every category of device and computer program (e.g., mobile native
- an entry point is created that translates the device/application's user interface/access control into the ability to communicate with authentication server 20. This allows single sign-on to all such computer programs across all platforms/devices/services.
- the authentication module may be written into the code associated with logging into the computer program.
- an entry point for coding the authentication module is needed for third party computer programs (i.e., those that are not created by the sponsor of the
- authentication technique such as applications that are native to a mobile device.
- third parties may allow users of the computer program to customize the log-in page of the computer program (e.g., to allow for customized branding).
- Such access may be used as an opening to include code (e.g., HTML or JavaScript code) implementing the authentication module, which then launches when the user requests access to the computer program.
- step 211 when a user requests access to a computer program, identifying himself to the computer program by, e.g., entering his user name, the authentication module launches and causes the device to initiate an authentication request.
- step 212 the authentication request is passed to the authentication server 20.
- the authentication server 20 determines if the user must authenticate or if a previous authentication can be trusted. More particularly, authentication server 20 determines whether there exists an authentication session for the user (i.e., an existing session that has not yet expired or purged).
- an authentication session for the user i.e., an existing session that has not yet expired or purged.
- the authentication server 20 maintains a record of that the user logged into the computer program using a first device, at a particular location.
- This record remains valid for the duration of the maximum session length as configured by the administrator and would be either purged automatically or upon the next login if the maximum session length was exceeded.
- the device identifier for the second device, the location of the second device and the identity of the target computer program are made available.
- the authentication sever 20 uses the data from the previous login, and from the current login attempt, to perform the velocity calculation and application risk scoring and can determine if the user should be permitted to login or if additional authentication is required.
- step 214 risk associated with the newly requested access is still assessed (e.g., because the existing authentication session may have required less security requirements than the application currently sought to be accessed would require) in step 214, as follows.
- the risk engine first considers the minimum authentication weight associated with the computer program sought to be accessed, or the resource within the computer program sought to be accessed, or activity to be performed with regard to the computer program. Risk engine 30 consults rules/weights database 45 for this purpose. For example, critical computer
- programs/applications may be associated with a higher minimum authentication weight than non-critical computer programs/applications.
- a request to log-in to a computer program/application may be associated with a lower minimum authentication weight than a request to complete a transaction using the application, or a request to access a resource within the application.
- the risk engine 30 considers: the location of the device seeking access to the application; the time that has elapsed since the most recent authentication; and/or the device being used to seek access to the application (e.g., is it the same device that was used during the registration process).
- the risk engine 30 may consider whether the device is being used within a trusted location proximity (e.g. home or office, at a hotel, at a conference center that is associated with the firm or entity hosting the application, or at a public place within a country where the firm and the user typically reside). The risk engine 30 may further take into account whether the user is located in a foreign country where the firm does business or otherwise. In one exemplary embodiment, the user can inform the risk engine 30 of an anticipated location and obtain pre- approval to reduce impact on the weight, accordingly.
- a trusted location proximity e.g. home or office, at a hotel, at a conference center that is associated with the firm or entity hosting the application, or at a public place within a country where the firm and the user typically reside.
- the risk engine 30 may further take into account whether the user is located in a foreign country where the firm does business or otherwise.
- the user can inform the risk engine 30 of an anticipated location and obtain pre- approval to reduce impact on the weight, accordingly.
- the velocity of user movement is taken into account. For example, assume a user logs in to an application successfully from New York City and a session is granted. It is estimated that it will take at least 6 hours to travel to the United Kingdom; thus, if a user attempts a login from London 30 minutes after the New York City login, then the score will be reduced due to an impossible velocity.
- the risk engine 30 assigns a default user maximum velocity of 600 miles per hour. With this model, a velocity of 700 miles per hour is possible, but less likely. A velocity of 800 miles per hour would reduce the score even further and a velocity of 1200 miles per hour would render the score zero and an immediate login failure would result.
- the fact that a device is being used that is different from the device that logged into the application the first time is a negative factor in the weighting calculation, in one embodiment.
- the risk engine 30 determines the risk score accordingly and indicates to the authentication server 20 whether the user should be permitted access to the application or whether another authentication step is required.
- the process continues as described in steps 215 through 219.
- the user is provided with a one-time password that is used in connection with the additional authentication step, as described in more detail below.
- all device(s) 15 registered with the system receive from authentication server 20 an authentication request, in step 215.
- all the registered devices 15 receive a notification as supported by the particular device platform.
- the authentication request includes a cryptographic nonce.
- Device(s) 15 performs the authentication challenge, in step 216 (e.g., fingerprint scan or entering of password) and the end user inputs the one-time password. If the authentication challenge is successful, the cryptographic nonce is signed using the private key and sent to authentication server 20, in step 217.
- authentication server 20 validates the signature using the public key stored in cryptographic key storage 40.
- an authentication session context is returned to the requesting computer
- the user has successfully logged into the application and, once within that application, the user desires to access a resource within the application, e.g., perform some activity within the application.
- the framework of the present invention can be used to assess whether the resource can be accessed within the existing authentication session, or whether the risk associated with the requested resource requires additional authentication. For example, the user may have been permitted to log on to the application using an existing authentication session (e.g., due to the low-risk nature of the application upon log-in), but now seeks to complete a transaction which may be associated with more risk.
- the risk engine 30 may be used to determine whether the desired activity (e.g., a transaction) can be permitted or if further validation of credentials is required.
- the functionality of the risk engine 30 is extended to the activity portion of the application such that the risk engine will be employed to assess the risk associated with the desired activity.
- the functionality of the risk engine may be made available to the application as an application programming interface (API).
- API application programming interface
- the application invokes the authenticator API, which calls the authentication server 20, invoking the functionality of the risk engine 30 to assess the risk associated with the transaction.
- the authentication server 20 identifies the end user, creates a one-time password, and sends it back to the API where the application displays the one-time password via the accessing application.
- the authentication server 20 initiates a notification to the end user's registered device(s) 15.
- Any registered device 15 that is online receives and displays the notification.
- the user chooses one device and initiates authentication (using touch identification, for example, plus validating the previously provided one-time password).
- the authentication server 20 receives the registered device decision (i.e., yes or no), adds to it the decision of the risk engine 30, and then responds back to the API with a signed session token, authorizing the request or declining it.
- the API responds, accordingly, to the application.
- different types of transactions desired by the user may be assigned different weights and those weights are used in connection with the risk assessment.
- Embodiments of the present invention involve improvements over existing systems and solve several technical problems present in the prior art. For example, in existing solutions that offer single sign-on between, e.g., native applications and Web applications, if a shared session context exists, it is reused.
- the risk engine determines if a new authentication session is required before providing access. This improves the functioning of the computer technology because it allows for tying-in of previous authentication events with a new authentication event in a continuous fashion as the user moves from one application to another and from one device to another. Further, at the completion of any successful authentication event, an industry standard security token is generated (e.g., a SAML or OAUTH token) for each single sign-one request.
- the solution allows for cryptographic trust of the user identity without hosting any user biometrics or other identity information on the backend. It also allows for single sign-on to multiple applications, across multiple devices (including mobile devices), applications and services, while controlling and managing associated risk.
- Data describing a request to access a computer program is received at a processing component from a requesting device operated by an end user.
- the requesting device may be a registered device or may be another device.
- the processing component determines whether an existing authentication session for the end user exists.
- the existing authentication session may have been previously established in one of several different ways.
- the end user may have authenticated (e.g., using biometrics or a password) to a registered device prior to or at the beginning of the end user's work day (e.g., at home before he leaves for the office or during his commute). Having done so, the end user may be able seamlessly and automatically access all the applications needed throughout his work day, without having to log-in/authenticate again, assuming the risk engine makes that determination in accordance with its assessment (e.g., that the end user's location upon authenticating to his registered device is within a reasonable distance from his office; the time of the authentication is within the same work day; and the applications sought to be accessed by the end user throughout his work day are not highly sensitive/critical from a security perspective).
- authenticated e.g., using biometrics or a password
- the existing authentication session may have been established by the end user by logging into a computer application in a typical manner (e.g., username and password), or by the end user authenticating to a registered device in response to a prompt by the authentication server 20 in a prior session.
- the existing authentication is assessed, as described in more detail herein, in terms of how it was established (e.g., modality of authentication, including the device used to authenticate; the location and time of authentication, and the computer program accessed) in connection with determining whether a new
- the end user is prompted to authenticate. This can be accomplished in the typical way the end user accesses the computer program (e.g., via user name and password) or using registered device 15, in the manner described herein.
- the request characteristics may include a device authentication weight.
- the device authentication weight may be calculated based on a modality by which the end user authenticates to the registration device (e.g., biometrics or password), and/or a security assessment of the registration device (e.g., how secure is the device generally). Thus, for example, if the device is generally secure (e.g., no known leaks or access vulnerabilities) and the end user authenticated to the device during registration using biometrics, the device authentication weight will be higher. In this way, for example, if the existing authentication session was created while employing a device with a higher authentication weight, it may be more likely that re-authentication is not required for a currently requested access to a computer program.
- the request characteristics may also include a location of the requesting device. For example, it may be considered whether the end user is making a request from a location that is reasonably and realistically close in proximity to the location of a prior log in/establishment of the existing authentication session.
- the request characteristic may also include an assessment of the time that has elapsed between the establishment of the existing authentication session and the current access request (e.g., whether too much time has passed).
- the computer program access criteria may comprise a minimum authentication weight associated with the computer program sought to be accessed, which may be determined based on a criticality of the computer application (e.g., computer applications that are more sensitive or critical from a security perspective will be weighted higher and, thus, have more stringent authentication requirements).
- the requesting device is provided with access to the computer program. From the end user perspective, the access is seamlessly and automatically provided, without further authentication by the end user.
- the end user is prompted to perform an authentication activity.
- the end user performed_the authentication activity e.g., biometrics data of the end user or a password selected by the end user; and in some instances a one-time password provided by the processing component after receiving the request to access from the requesting device
- a new authentication session is established for the end user and the requesting device is provided with access to the computer program.
- the consideration of the request characteristics and computer program access criteria dictate that the determination of the risk assessment is negative when the device authentication weight does not exceed a minimum authentication weight associated with the computer program (e.g., the manner of authenticating to the registered device, and/or the registered device itself, is not sufficiently secure).
- the consideration of the request characteristics and computer program access criteria dictate that the determination of the risk assessment is negative when a distance between a first location of the requesting device when the request to access was sent and a second location of another device when the existing authentication session was created exceeds a distance threshold (e.g., the end user could not have traveled the distance between the location where the existing authentication session was created to the location where the request for access was made within the passing time period).
- a distance threshold e.g., the end user could not have traveled the distance between the location where the existing authentication session was created to the location where the request for access was made within the passing time period.
- the consideration of the request characteristics and computer program access criteria dictate that the determination of the risk assessment is negative when a time period between a first time when the request to access was sent and a second time when the existing authentication session was created exceeds a time period threshold (e.g., too much time has passed between when the end user created the authentication session and when the end user requested access to the computer program).
- a time period threshold e.g., too much time has passed between when the end user created the authentication session and when the end user requested access to the computer program.
- the data that may be used as an input to the system, and the outputs from the system, may be stored in one or more databases 301 (e.g., rules/weights storage 45, or crypto storage 40).
- Database server(s) 302 may include a database services management application 303 that manages storage and retrieval of data from the database(s) 301.
- the databases 301 may be relational databases; however, other data organizational structures may be used without departing from the scope of the present invention.
- One or more application server(s) 304 are in communication with the database server 302.
- the application server 304 communicates requests for data to the database server 302.
- the database server 302 retrieves the requested data.
- the application server 304 may also send data to the database server 302 for storage in the database(s) 301.
- the application server 304 comprises one or more processors 305, non-transitory computer readable storage media 307 that store programs (computer readable instructions) for execution by the processor(s), and an interface 306 between the processor(s) 305 and computer readable storage media 307.
- the application server 304 may store the computer programs referred to herein.
- the network server 308 also comprises one or more processors 309, computer readable storage media 311 that store programs (computer readable instructions) for execution by the processor(s), and an interface 310 between the processor(s) 309 and computer readable storage media 311.
- the network server 308 is employed to deliver content that can be accessed through the communications network 312, e.g., by an end user employing computing device 313 (e.g., device(s) 10, 15).
- an application such as an Internet browser
- the network server 308 receives and processes the request.
- the network server 308 sends the data or application requested along with user interface instructions for displaying a user interface on device 313 (e.g., device(s) 10, 15).
- the computers referenced herein are specially programmed to perform the functionality described herein.
- the non-transitory computer readable storage media e.g., 307 or 311) that store the programs (i.e., software modules comprising computer readable instructions) may include volatile and non-volatile, removable and non-removable media implemented in any method or technology for storage of information such as computer-readable instructions, data structures, program modules, or other data.
- Computer readable storage media may include, but is not limited to, RAM, ROM, Erasable Programmable ROM (EPROM), Electrically Erasable
- EEPROM Electrically erasable ROM
- flash memory or other solid state memory technology
- CD- ROM compact disc-read only memory
- DVD digital versatile disks
- magnetic cassettes magnetic tape
- magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by the computer system and processed.
- one or more computers having one or more processors and memory (e.g., one or more nonvolatile storage devices).
- memory or computer readable storage medium of memory stores programs, modules and data structures, or a subset thereof for a processor to control and run the various systems and methods disclosed herein.
- a non-transitory computer readable storage medium having stored thereon computer-executable instructions which, when executed by a processor, perform one or more of the methods disclosed herein.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computing Systems (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Information Transfer Between Computers (AREA)
Abstract
Description
Claims
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/US2017/034386 WO2018217204A1 (en) | 2017-05-25 | 2017-05-25 | Authentication system and method |
Publications (2)
Publication Number | Publication Date |
---|---|
EP3631662A1 true EP3631662A1 (en) | 2020-04-08 |
EP3631662A4 EP3631662A4 (en) | 2020-10-28 |
Family
ID=64396941
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP17911253.7A Withdrawn EP3631662A4 (en) | 2017-05-25 | 2017-05-25 | Authentication system and method |
Country Status (3)
Country | Link |
---|---|
EP (1) | EP3631662A4 (en) |
CN (1) | CN110869928A (en) |
WO (1) | WO2018217204A1 (en) |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111541656B (en) * | 2020-04-09 | 2022-09-16 | 中央电视台 | Identity authentication method and system based on converged media cloud platform |
US11677731B2 (en) * | 2020-04-29 | 2023-06-13 | Wells Fargo Bank, N.A. | Adaptive authentication |
CN115408673B (en) * | 2022-11-02 | 2023-10-27 | 杭州优百顺科技有限公司 | Software validity period access control management system and method |
Family Cites Families (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6754820B1 (en) * | 2001-01-30 | 2004-06-22 | Tecsec, Inc. | Multiple level access system |
US7221935B2 (en) * | 2002-02-28 | 2007-05-22 | Telefonaktiebolaget Lm Ericsson (Publ) | System, method and apparatus for federated single sign-on services |
US8751794B2 (en) * | 2011-12-28 | 2014-06-10 | Pitney Bowes Inc. | System and method for secure nework login |
US8769651B2 (en) * | 2012-09-19 | 2014-07-01 | Secureauth Corporation | Mobile multifactor single-sign-on authentication |
US9898168B2 (en) * | 2013-03-15 | 2018-02-20 | Adt Us Holdings, Inc. | Security system access profiles |
WO2014176539A1 (en) | 2013-04-26 | 2014-10-30 | Interdigital Patent Holdings, Inc. | Multi-factor authentication to achieve required authentication assurance level |
US9787723B2 (en) * | 2014-07-18 | 2017-10-10 | Ping Identify Corporation | Devices and methods for threat-based authentication for access to computing resources |
US9769147B2 (en) * | 2015-06-29 | 2017-09-19 | Oracle International Corporation | Session activity tracking for session adoption across multiple data centers |
-
2017
- 2017-05-25 EP EP17911253.7A patent/EP3631662A4/en not_active Withdrawn
- 2017-05-25 CN CN201780091059.8A patent/CN110869928A/en active Pending
- 2017-05-25 WO PCT/US2017/034386 patent/WO2018217204A1/en active Application Filing
Also Published As
Publication number | Publication date |
---|---|
WO2018217204A1 (en) | 2018-11-29 |
EP3631662A4 (en) | 2020-10-28 |
CN110869928A (en) | 2020-03-06 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10462120B2 (en) | Authentication system and method | |
US11716324B2 (en) | Systems and methods for location-based authentication | |
EP3544256B1 (en) | Passwordless and decentralized identity verification | |
US20200336310A1 (en) | Coordinating access authorization across multiple systems at different mutual trust levels | |
US10652282B2 (en) | Brokered authentication with risk sharing | |
US10572874B1 (en) | Dynamic authorization with adaptive levels of assurance | |
US10454918B1 (en) | Method for SSO service using PKI based on blockchain networks, and device and server using the same | |
US8997196B2 (en) | Flexible end-point compliance and strong authentication for distributed hybrid enterprises | |
US12074885B2 (en) | Dynamically-tiered authentication | |
US20220122088A1 (en) | Unified login biometric authentication support | |
EP3685287B1 (en) | Extensible framework for authentication | |
US11757882B2 (en) | Conditionally-deferred authentication steps for tiered authentication | |
US10110578B1 (en) | Source-inclusive credential verification | |
SG189085A1 (en) | User account recovery | |
US12125050B2 (en) | Security policy enforcement | |
EP3631662A1 (en) | Authentication system and method | |
US20240039726A1 (en) | System and method for secure access to legacy data via a single sign-on infrastructure | |
US11405379B1 (en) | Multi-factor message-based authentication for network resources | |
Baker | OAuth2 | |
US20240195808A1 (en) | System and method for multi-factor authentication | |
US20240372874A1 (en) | Dynamically-Tiered Authentication | |
US12101408B2 (en) | Distribution of one-time passwords for multi-factor authentication via blockchain | |
US20240283657A1 (en) | Systems methods and devices for dynamic authentication and identification |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: THE INTERNATIONAL PUBLICATION HAS BEEN MADE |
|
PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase |
Free format text: ORIGINAL CODE: 0009012 |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE |
|
17P | Request for examination filed |
Effective date: 20191022 |
|
AK | Designated contracting states |
Kind code of ref document: A1 Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR |
|
AX | Request for extension of the european patent |
Extension state: BA ME |
|
DAV | Request for validation of the european patent (deleted) | ||
DAX | Request for extension of the european patent (deleted) | ||
A4 | Supplementary search report drawn up and despatched |
Effective date: 20200924 |
|
RIC1 | Information provided on ipc code assigned before grant |
Ipc: H04L 29/06 20060101AFI20200918BHEP Ipc: H04W 12/08 20090101ALI20200918BHEP Ipc: G06F 21/57 20130101ALI20200918BHEP Ipc: H04W 12/06 20090101ALI20200918BHEP Ipc: H04L 9/32 20060101ALI20200918BHEP Ipc: H04L 9/08 20060101ALI20200918BHEP Ipc: G06F 21/32 20130101ALI20200918BHEP Ipc: G06F 21/31 20130101ALI20200918BHEP |
|
REG | Reference to a national code |
Ref country code: HK Ref legal event code: DE Ref document number: 40026245 Country of ref document: HK |
|
GRAP | Despatch of communication of intention to grant a patent |
Free format text: ORIGINAL CODE: EPIDOSNIGR1 |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: GRANT OF PATENT IS INTENDED |
|
RIC1 | Information provided on ipc code assigned before grant |
Ipc: H04W 12/08 20090101ALI20220124BHEP Ipc: H04W 12/06 20090101ALI20220124BHEP Ipc: H04L 9/32 20060101ALI20220124BHEP Ipc: G06F 21/57 20130101ALI20220124BHEP Ipc: G06F 21/32 20130101ALI20220124BHEP Ipc: G06F 21/31 20130101ALI20220124BHEP Ipc: H04L 9/40 20220101AFI20220124BHEP |
|
INTG | Intention to grant announced |
Effective date: 20220223 |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN |
|
18D | Application deemed to be withdrawn |
Effective date: 20220706 |