Service channel authentication processing hub

US9548997B2 · US · B2

Patent metadata
Publication number: US-9548997-B2
Application number: US-201615042669-A
Country: US
Kind code: B2
Filing date: Feb 12, 2016
Priority date: May 19, 2014
Publication date: Jan 17, 2017
Grant date: Jan 17, 2017

Abstract

Official abstract text for this publication.

A computer system receives a service request over a service channel from a user device, initiates a challenge to the user device to provide authentication information based on a set of authenticators, and determines an initial level of authentication. When the initial level of authentication is not sufficient for the service channel or protected resource, the apparatus generates a challenge to the user device with at least one additional authenticator and determines an achieved level of authentication based on the further authentication information. When the achieved level of authentication reaches a target authentication level for the service channel, the apparatus continues processing the service request by the service channel. The computer may transfer the service request to another service channel with the authentication token obtained on the original service channel and further challenges the user device with additional authenticators when a higher level of authentication is necessary.

First claim

Opening claim text (preview).

What is claimed is:

1. An apparatus comprising: at least one memory device; at least one processor coupled to the at least one memory device and configured to perform, based on instructions stored in the at least one memory device: receiving a service request over a first service channel from a user device, wherein the first service channel is one of a plurality of service channels and the service request includes an authentication token and a received set of attributes of the user device; extracting, from the received authentication token, a signed set of attributes of an authenticated device when the authentication token was created; comparing the received set of attributes with the signed set of attributes to obtain an authentication indicator; when the authentication indicator is indicative that the received set of attributes and the signed attributes do not match, denying the service request; when the authentication indicator is indicative that the received set of attributes and the signed attributes match, extracting an initial level of authentication from the authentication token, wherein the initial level of authentication is one of a plurality of authentication levels; when the initial level of authentication is not sufficient for the first service channel, generating a challenge message to the user device requesting a further authentication information based on at least one additional authenticator; determining an achieved level of authentication based on the initial level of authentication and the further authentication information; and when the achieved level of authentication is at least as great as a first target authentication level for the first service channel, continue processing the service request by the first service channel.

2. The apparatus of claim 1, wherein the at least one processor is further configured to perform: transferring the service request to a second service channel, wherein the plurality of service channels includes the second service channel and wherein the second service channel is different than the first service channel; when a second target authentication level for the second service channel is greater than the achieved level of authentication, generating a third challenge message to the user device requesting additional authentication information based on another authenticator; and when the additional authentication is validated, processing the service request on the second service channel.

3. The apparatus of claim 1, wherein the at least one processor is further configured to perform: recommending the other authenticator from the plurality of authenticators.

4. The apparatus of claim 3, wherein the at least one processor is further configured to perform: recommending an alternative authenticator when the other authenticator is not available.

5. The apparatus of claim 1, wherein the at least one processor is further configured to perform: mapping the plurality of service channels to the plurality of authentication levels.

6. The apparatus of claim 1, wherein the at least one processor is further configured to perform: obtaining a list of passed authenticators and failed authenticators, wherein a correct response was received from the user device for the passed authenticators and an incorrect response was received from the user device for the failed authenticators.

7. The apparatus of claim 1, wherein the at least one processor is further configured to perform: mapping the plurality of authentication levels to a plurality of authenticator combinations.

8. The apparatus of claim 1, the at least one processor is further configured to perform: accessing a first protected resource through the first service channel; and when a required authentication level for the first protected resource is not reached, generating a fourth challenge message to the user device requesting additional authentication information until the required authentication level is reached.

9. The apparatus of claim 8, the at least one processor is further configured to perform: accessing a second protected resource through the first service channel, wherein the second protected resource has a different authentication level from the required authentication level for the first protected resource.

10. The apparatus of claim 9, wherein the at least one processor is further configured to perform: mapping a plurality of protected resources to the plurality of authentication levels, wherein the plurality of protected resources includes the first protected resource and the second protected resource.

11. The apparatus of claim 1, wherein the at least one processor is further configured to perform: inserting the achieved level of authentication in the authentication token; and returning the authentication token to the user device.

12. A computer-assisted method for authenticating a user device, the method comprising: receiving a service request over a first service channel from a user device, wherein the first service channel is one of a plurality of service channels and the service request includes an authentication token and a received set of attributes of the user device; extracting, from the received authentication token, a signed set of attributes of an authenticated device when the authentication token was created; comparing the received set of attributes with the signed set of attributes to obtain an authentication indicator; when the authentication indicator is indicative that the received set of attributes and the signed attributes do not match, denying the service request; when the authentication indicator is indicative that the received set of attributes and the signed attributes match, extracting an initial level of authentication from the authentication token, wherein the initial level of authentication is one of a plurality of authentication levels; when the initial level of authentication is not sufficient for the first service channel, generating a challenge message to the user device requesting a further authentication information based on at least one additional authenticator; determining an achieved level of authentication based on the initial level of authentication and the further authentication information; and when the achieved level of authentication is at least as great as a first target authentication level for the first service channel, continue processing the service request by the first service channel.

13. The method of claim 12, further comprising: transferring the service request to a second service channel, wherein the plurality of service channels includes the second service channel and wherein the second service channel is different than the first service channel; and when a second target authentication level for the second service channel is greater than the achieved level of authentication, generating a third challenge message to the user device requesting additional authentication information based on at least another authenticator.

14. The method of claim 12, further comprising: recommending a combination of authenticators from the plurality of authenticators, wherein the combination has an assigned level of authentication; and when all of the authenticators in the combination from the user device are validated, assigning the assigned level of authentication to the user device.

15. The method of claim 14, wherein the assigned level of authentication is greater than an associated level of authentication of each of authenticators in the combination.

16. The method of claim 12, wherein the servi
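
The flow of claims 1, 2 and 11 as a minimal sketch. This is an added example, not code from the patent or its assignee. The HMAC token format, the channel and authenticator names, their level numbers, and the rule that the achieved level is the highest level among the token and the validated authenticators are all assumptions made for illustration.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"  # assumption: signing key held only by the hub
CHANNEL_TARGET = {"mobile_app": 2, "call_center": 3}  # hypothetical channel -> target level
AUTHENTICATOR_LEVEL = {"password": 1, "otp": 2, "voice_biometric": 3}  # hypothetical

def issue_token(device_attrs, level):
    """Sign the device attributes and the authentication level together."""
    body = json.dumps({"attrs": device_attrs, "level": level}, sort_keys=True).encode()
    tag = hmac.new(KEY, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body).decode() + "." + base64.urlsafe_b64encode(tag).decode()

def open_token(token):
    """Return the signed claims, or None if the token is malformed or altered."""
    try:
        body_b64, tag_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:  # wrong part count or invalid base64
        return None
    if not hmac.compare_digest(tag, hmac.new(KEY, body, hashlib.sha256).digest()):
        return None
    return json.loads(body)

def handle_request(channel, token, received_attrs, passed_authenticators=()):
    """passed_authenticators: challenges the hub itself has already validated."""
    claims = open_token(token)
    # Deny when the presenting device differs from the device the token was issued to.
    if claims is None or claims["attrs"] != received_attrs:
        return ("deny", None)
    # Assumed combination rule: the highest level reached so far.
    achieved = max([claims["level"]] + [AUTHENTICATOR_LEVEL[a] for a in passed_authenticators])
    target = CHANNEL_TARGET[channel]
    if achieved < target:
        # Step up: list the authenticators that would reach the channel's target.
        needed = sorted(a for a, lvl in AUTHENTICATOR_LEVEL.items() if lvl >= target)
        return ("challenge", needed)
    # Re-issue the token carrying the achieved level, for reuse on other channels.
    return ("continue", issue_token(received_attrs, achieved))

if __name__ == "__main__":
    attrs = {"device_id": "constructed-001", "os": "android-14"}  # constructed sample
    tok = issue_token(attrs, 2)
    print(handle_request("mobile_app", tok, attrs)[0])   # level 2 meets target 2
    print(handle_request("call_center", tok, attrs))     # transfer needs level 3
```

Because the level and the device attributes sit under one signature, a client that edits the level, or replays the token from a different device, is denied before any level comparison takes place.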

Classifications

  • based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint

  • for authentication of entities (cryptographic mechanisms or cryptographic arrangements for entity authentication H04L9/32)

  • using tickets, e.g. Kerberos (cryptographic mechanisms or cryptographic arrangements for entity authentication using tickets or tokens H04L9/3213)

  • using biometrical features, e.g. fingerprint, retina-scan (cryptographic mechanisms or cryptographic arrangements for entity authentication using biological data H04L9/3231)

  • H04L63/20 (Primary)

    for managing network security; network security policies in general (filtering policies H04L63/0227)

Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
Bank Of America
What technology area does this patent fall under?
Primary CPC classification H04L63/0807. Mapped technology areas include Electricity.
When was this patent published?
Publication date Jan 17, 2017 (B2). Legal status and post-grant events are not shown on this page.