Search

EP-3989623-B1 - ADVANCED AUTHENTICATION TECHNIQUES AND APPLICATIONS

EP3989623B1EP 3989623 B1EP3989623 B1EP 3989623B1EP-3989623-B1

Inventors

  • BRICENO, Marc
  • WILSON, Brendon J.
  • KESANUPALLI, RAMESH
  • BAGHDASARYAN, DAVIT
  • DHOLAKIA, Rajiv
  • BLANKE, William J.
  • LINDEMANN, ROLF
  • POLIVANYI, Igor
  • UMAP, Avinash

Dates

Publication Date
20260506
Application Date
20140320

Claims (8)

  1. A location-aware method for user authentication comprising: receiving, at a client (1700), a request from a user of the client (1700) to perform a transaction with a relying party (250) which requires user authentication, the relying party (250) comprising a website or an online service implemented by one or more computer servers (4632-4633); receiving, at an authentication engine (2311), environmental sensor data from one or more sensors (1741-1743) of the client (1700); using, by the authentication engine (2311), a geographical location of the client (1700) reported by one of the one or more sensors (1741-1743) of the client (1700) to collect supplemental data known for the geographical location, the supplemental data collected from sources other than the one or more sensors (1741-1743) of the client (1700); collecting, by a client risk assessment agent (3004), client configuration data including at least one of hardware data, operating system data, and application data of the client (1700); calculating, by an assurance level calculation module (3006), a correlation score based on the client configuration data and a comparison of the environmental sensor data with the supplemental data; determining, by the assurance level calculation module (3006), an assurance level required for allowing the client (1700) to complete the transaction; determining, by the assurance level calculation module (3006), an assurance level gain required to arrive at the assurance level based on the correlation score; and selecting, by the authentication engine (2311), one or more authentication techniques to authenticate the user based at least in part on the indication of the assurance level gain.
  2. The method of claim 1, wherein the hardware data comprises at least one of client device model, client processor name, client processor type, client boot read-only memory (ROM) version, and management controller version.
  3. The method of claim 1, wherein the operating system data comprises at least one of current operating system (OS) version, date of last OS update, and current boot mode.
  4. The method of claim 1, wherein the application data comprises at least one of firewall status, firewall type, firewall version, anti-virus software status, anti-virus software version, anti-virus software virus definition files, date of most recent anti-virus scan, and results of most recent anti-virus scan.
  5. A system for user authentication, the system comprising: a client (1700) to receive a request from a user to perform a transaction with a relying party (250) which requires user authentication, the relying party (250) comprising a website or an online service implemented by one or more computer servers (4632-4633); an authentication engine (2311) to: receive environmental sensor data from one or more sensors (1741-1743) of the client (1700); collect supplemental data known for a geographical location reported by one of the one or more sensors (1741-1743) of the client (1700), the supplemental data collected from sources other than the one or more sensors (1741-1743) of the client (1700); a client risk assessment agent (3004) to collect client configuration data including at least one of hardware data, operating system data, and application data of the client (1700); and an assurance level calculation module (3006) to: calculate a correlation score based on the client configuration data and a comparison of the environmental sensor data with the supplemental data; determine an assurance level required for allowing the client (1700) to complete the transaction; determine an assurance level gain required to arrive at the assurance level based on the correlation score; wherein the authentication engine (2311) is to select one or more authentication techniques to authenticate the user based at least in part on the indication of the assurance level gain.
  6. The system of claim 5, wherein the hardware data comprises at least one of client device model, client processor name, client processor type, client boot read-only memory (ROM) version, and management controller version.
  7. The system of claim 5, wherein the operating system data comprises at least one of current operating system (OS) version, date of last OS update, and current boot mode.
  8. The system of claim 5, wherein the application data comprises at least one of firewall status, firewall type, firewall version, anti-virus software status, anti-virus software version, anti-virus software virus definition files, date of most recent anti-virus scan, and results of most recent anti-virus scan.

Description

BACKGROUND Cross Reference to Related Applications This application claims the benefit of and priority to co-pending U.S. Provisional Patent Application No. 61/804,568, filed, March 22, 2013, entitled, "Advanced Methods of Authentication And Its Applications". This application is a continuation-in-part of U.S. Patent Application 14/066,384 (U.S. Patent Publication No. US 2014/0121068 A1), filed October 29, 2013, entitled, "Apparatus and Method For Implementing Composite Authenticators". This application is also a continuation-in-part of U.S. Patent Application 14/145,439 (U.S. Patent Publication No. US 2014/0289819 A1), filed December 31, 2013, entitled, "System and Method For Non-Intrusive, Privacy-Preserving Authentication", which also claims the benefit of and priority to co• pending U.S. Provisional Patent Application No. 61/804,568, filed, March 22, 2013, entitled, "Advanced Methods of Authentication And Its Applications". This application is also a continuation-in-part of U.S. Patent Application 14/145,466 (U.S. Patent Publication No. US 2014/0289820 A1), filed December 31, 2013, entitled, "System and Method For Adaptive User Authentication", which also claims the benefit of and priority to co-pending U.S. Provisional Patent Application No. 61/804,568, filed, March 22, 2013, entitled, "Advanced Methods of Authentication And Its Applications". This application is also a continuation-in-part of U.S. Patent Application 14/145,533 (U.S. Patent Publication No. US 2014/0289821 A1), filed December 31, 2013, entitled, "System and Method For Location• Based Authentication", which also claims the benefit of and priority to co-pending U.S. Provisional Patent Application No. 61/804,568, filed, March 22, 2013, entitled, "Advanced Methods of Authentication And Its Applications". This application is also a continuation-in-part of U.S. Patent Application 14/145,607, filed December 31, 2013, entitled, "System and Method For Confirming Location Using Supplemental Sensor and/or Location Data", which also claims the benefit of and priority to co-pending U.S. Provisional Patent Application No. 61/804,568, filed, March 22, 2013, entitled, "Advanced Methods of Authentication And Its Applications". Field of the Invention This invention relates generally to the field of data processing systems. More particularly, the invention relates to advanced user authentication techniques and associated applications. Description of Related Art Figure 1 illustrates an exemplary client 120 with a biometric device 100. When operated normally, a biometric sensor 102 reads raw biometric data from the user (e.g., capture the user's fingerprint, record the user's voice, snap a photo of the user, etc) and a feature extraction module 103 extracts specified characteristics of the raw biometric data (e.g., focusing on certain regions of the fingerprint, certain facial features, etc). A matcher module 104 compares the extracted features 133 with biometric reference data 110 stored in a secure storage on the client 120 and generates a score 153 based on the similarity between the extracted features and the biometric reference data 110. The biometric reference data 110 is typically the result of an enrollment process in which the user enrolls a fingerprint, voice sample, image or other biometric data with the device 100. An application 105 may then use the score 135 to determine whether the authentication was successful (e.g., if the score is above a certain specified threshold). Systems have also been designed for providing secure user authentication over a network using biometric sensors. In such systems, the score 135 generated by the application 105, and/or other authentication data, may be sent over a network to authenticate the user with a remote server. For example, Patent Application No. 2011/0082801 ("'801 Application") describes a framework for user registration and authentication on a network which provides strong authentication (e.g., protection against identity theft and phishing), secure transactions (e.g., protection against "malware in the browser" and "man in the middle" attacks for transactions), and enrollment/management of client authentication tokens (e.g., fingerprint readers, facial recognition devices, smartcards, trusted platform modules, etc). The assignee of the present application has developed a variety of improvements to the authentication framework described in the '801 application. Some of these improvements are described in the following set of US Patent Applications ("Co-pending Applications"), all filed December 29, 1012, which are assigned to the present assignee: Serial No. 13/730,761, Query System and Method to Determine Authentication Capabilities; Serial No. 13/730,776, System and Method for Efficiently Enrolling, Registering, and Authenticating With Multiple Authentication Devices; 13/730,780, System and Method for Processing Random Challenges Within an Authentication Framework; Serial No. 13/730,791, System an