(12) United States Patent
Nandakumar

(54) AUTHENTICATION SYSTEM AND RELATED METHOD

(76) Inventor: Gopal Nandakumar, San Antonio, TX (US)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 0 days.

(21) Appl. No.: 13/279,292

(22) Filed: Oct. 23, 2011

(65) Prior Publication Data
US 2013/0104201 A1    Apr. 25, 2013

(51) Int. Cl.
G06F 7/04 (2006.01)
G06F 15/16 (2006.01)
G06F 17/30 (2006.01)
H04L 29/06 (2006.01)

(52) U.S. Cl.
USPC 726/5

(58) Field of Classification Search
USPC 726/5
See application file for complete search history.
(10) Patent No.: US 8,505,079 B2
(45) Date of Patent: Aug. 6, 2013
`
Primary Examiner — Kambiz Zand
Assistant Examiner — Stephen Sanders

(57) ABSTRACT

[…] resource may be securely authenticated includes a means for receiving from a requester purporting to be an authorized user of a secured resource a request for access by an unauthorized user (such as, for example, a retail store, a service station, an on-line service provider or merchandiser, a healthcare provider, a medical insurer, an information consumer or the like) to the secured resource; a means for determining a key string adapted to provide a basis for authenticating the identity of the requester; a means for receiving an authentication credential associated with the request for access; and a means for evaluating the authentication credential to authenticate the identity of the requester.

20 Claims, 14 Drawing Sheets
`
IPR2017-00296
Unified EX1001 Page 1

U.S. Patent    Aug. 6, 2013    Sheet 1 of 14    US 8,505,079 B2

[Sheets 1 to 14 of 14 are drawings. Legible text, by sheet:]

[Sheet 2 of 14: Client provides Request Data to User; User submits Authorization Request to Service Provider; Resource Determinable; Send Confirmation.]

[Sheet 3 of 14: User submits Credential to Client; Secure Comm with Service Provider; Client forwards Credential to Service Provider; Valid Credential; External Resource Required; Service Provider obtains Resource; Service Provider reports Result to Client.]

[Sheet 4 of 14, Figure 4: provide Request Data; generate Authorization Request; submit Authorization Request; generate Confirmation; send Confirmation; provide Credential; forward Credential; evaluate Credential; obtain Resource; provide Resource.]

[Sheet 5 of 14, Figure 5: «execution environment»; :Authenticator.]

[Sheet 6 of 14: «execution environment»; Secure Payment System Enabled!]

[Sheet 9 of 14: GUEST CHECK; One Nice Meal; 1357902468; Secure Payment System Enabled!; ORDER COMPLETION; 1357902468; Secure Payment System Enabled!]

[Sheet 10 of 14: Secure Payment Systems; 1357902468; 27.99.]

[Sheet 11 of 14: SuperMobile; FastCarrierCompany; SecurePaymentSystems; 9:31 AM. Message: "SecurePaymentSystems needs more information to complete your Authorization Request for payment of $27.99 to Good Food. To pay with your Credit Card 9876 reply to this message with S35 [sic]. To pay with your Checking 1234 reply to this message with 975."]

[Sheet 12 of 14: myE-mail Application; 1357902468; 27.99; SecurePaymentSystems Authorization Request; Select Your Payment Option; Credit Card 9876; Checking 1234.]

[Sheet 13 of 14: SecurePaymentSystems Mobile Payment Application; Select Your Payment Option; Credit Card 9876; Checking 1234.]

[Sheet 14 of 14: FastCarrierCompany; SecurePaymentSystems; 9:31 AM. Message: "SecurePaymentSystems has received your Authorization Request for payment of $27.99 to Good Food. To complete this transaction confirm with your Personal Authorization Code."]
AUTHENTICATION SYSTEM AND RELATED METHOD

FIELD OF THE INVENTION

The present invention relates to security protocols for use in securing and/or restricting access to personal or other confidential information, physical locations and the like. More particularly, the invention relates to a system and related method whereby the identity of a person, entity, device or the like attempting to gain access to a secured resource may be securely authenticated.
`
BACKGROUND OF THE INVENTION

The protection of personal information and/or other secured resources, such as, for example, credit data, medical history, financial account information, secured physical locations and the like is of ever increasing concern to businesses and individuals alike. To be sure, each passing day reveals more sophisticated attacks by those who would gain unauthorized access to such resources absent the constant vigilance of those charged with the protection of such resources. To this end, the various security protocols employed for the protection of such resources almost universally include some means for authenticating the identity of a person, entity, device or the like attempting to gain access to a secured resource.

More often than not the critical authentication is carried out by the age old process of providing a privately held password, personal identification number or the like in connection with some generally publicly known identifier for the person, entity, device or the like attempting to gain access to the secured resource. Unfortunately, however, this protocol is dogged by vulnerability to interception through spoofing, eavesdropping, and countless other techniques through which a password, personal identification number or the like may become known to an attacker. Additionally, it is common to find that a single person, entity, device or the like uses the same password, personal identification number or the like in connection with gaining access to multiple secured resources. In such case, a security breach in connection with a single secured resource may jeopardize the security of all other secured resources.

Given the fundamentally flawed state of the art with respect to password type protection, it is therefore the overriding object of the present invention to improve over the prior art by providing a system and related method by which authentication may be more securely conducted. Additionally, it is an object of the present invention to provide such a system and related method that is robust in specific implementation and readily usable by any manner of person, entity, device or the like. Finally, it is an object of the present invention to provide such a system and method that is economical in implementation and therefore readily accessible to virtually any application.
`
SUMMARY OF THE INVENTION

In accordance with the foregoing objects, the present invention—an authentication system for authenticating the identity of a requester of access by or for an unauthorized user to a secured resource—generally comprises a means for receiving from a requester purporting to be an authorized user of a secured resource a request for access by an unauthorized user (such as, for example, a retail store, a service station, an on-line service provider or merchandiser, a healthcare provider, a medical insurer, an information consumer or the like) to the secured resource; a means for determining a key string adapted to provide a basis for authenticating the identity of the requester; a means for receiving an authentication credential associated with the request for access; and a means for evaluating the authentication credential to authenticate the identity of the requester.

In at least some implementations of the present invention, the authentication system further comprises a means for generating and communicating to the purported authorized user a confirmation message indicating receipt of the request for access.

In at least some implementations of the present invention, the authentication system further comprises a means for determining from among a plurality of secured resources associated with the authorized user the identity of a single secured resource for which the requester desires access.

In at least some implementations of the present invention, the authentication system further comprises a means for conducting for the benefit of the unauthorized user a transaction reliant upon access to the secured resource for which the requester desires access.

In at least some implementations of the present invention, the authentication system further comprises a means for determining whether the authentication credential should, as a result of passage of time and regardless of content, be deemed to be invalid.

Additionally, a method for authenticating the identity of a requester of access to a secured resource generally comprises the steps of receiving from a requester purporting to be an authorized user of a secured resource a request for access by an unauthorized user (such as, for example, a retail store, a service station, an on-line service provider or merchandiser, a healthcare provider, a medical insurer, an information consumer or the like) to the secured resource; determining a key string adapted to provide a basis for authenticating the identity of the requester; receiving an authentication credential associated with the request for access; and evaluating the authentication credential to authenticate the identity of the requester.

In at least some implementations of the present invention, the authentication system further comprises the steps of generating and communicating to the purported authorized user a confirmation message indicating receipt of the request for access.

In at least some implementations of the present invention, the authentication method further comprises the step of determining from among a plurality of secured resources associated with the authorized user the identity of a single secured resource for which the requester desires access.

In at least some implementations of the present invention, the authentication method further comprises the step of conducting for the benefit of the unauthorized user a transaction reliant upon access to the secured resource for which the requester desires access.

In at least some implementations of the present invention, the authentication method further comprises the step of determining whether the authentication credential should, as a result of passage of time and regardless of content, be deemed to be invalid.

Finally, many other features, objects and advantages of the present invention will be apparent to those of ordinary skill in the relevant arts, especially in light of the foregoing discussions and the following drawings, exemplary detailed description and appended claims.
`
BRIEF DESCRIPTION OF THE DRAWINGS

Although the scope of the present invention is much broader than any particular embodiment, a detailed description of the preferred embodiment follows together with illustrative figures, wherein like reference numerals refer to like components, and wherein:

FIG. 1 shows, in an overview use case diagram, the various basic functionality implemented in the preferred embodiment of the authentication system and method of the present invention;

FIG. 2 shows, in a flowchart, an overview of the various steps generally taken in making a request for access to a secured resource in accordance with the present invention;

FIG. 3 shows, in a flowchart, an overview of the various steps generally taken in validating the purported access right of a user requesting access to a secured resource in accordance with the present invention;

FIG. 4 shows, in an overview sequence diagram, various interactions as generally take place during the operation of the authentication system and method of the present invention;

FIG. 5 shows, in a deployment diagram, an exemplary hardware and software implementation of the authentication system and method of the present invention;

FIG. 6 shows, in a deployment diagram, various details of at least one particular implementation of a user interface for use in connection with the exemplary hardware and software implementation of FIG. 5;

FIG. 7 shows, in a class diagram, a high level schema for a representative user database as may be implemented in connection with the exemplary hardware and software implementation of FIG. 5;

FIG. 8 shows, in a class diagram, a high level schema for a representative transaction database as may be implemented in connection with the exemplary hardware and software implementation of FIG. 5;

FIG. 9 shows, in an elevational representation, a representative terminal device such as may be provided in connection with a service client implementing functionality of the present invention and showing, in particular, representative means for identifying the service client as well as means for communicating an authentication credential to the service client as implemented in connection with a point-of-sale, fueling station, automatic teller machine or like terminal device;

FIG. 10 shows, in a top plan representation of a guest check, representative means for identifying the service client as implemented in connection with a document;

FIG. 11 shows, in a screen representation of a web browsing application, representative means for identifying the service client as implemented in connection with an on-line application;

FIG. 12 shows, in a top plan representation of a mobile telecommunications device screen, an example of a request message such as may be utilized in accordance with the present invention;

FIG. 13 shows, in a top plan representation of a mobile telecommunications device screen, an example of an inquiry message such as may be implemented in accordance with the present invention;

FIG. 14 shows, in a screen representation of an electronic mail application, a further example of a request message such as may be utilized in accordance with the present invention;

FIG. 15 shows, in a screen representation of a web browsing application, an exemplary implementation of an interactive generation of a request message in accordance with the present invention;

FIG. 16 shows, in a top plan representation of a mobile telecommunications device screen, a further exemplary implementation of an interactive generation of a request message in accordance with the present invention; and

FIG. 17 shows, in a top plan representation of a mobile telecommunications device screen, an example of a confirmation message such as may be implemented in accordance with the present invention.
`
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

Although those of ordinary skill in the art will readily recognize many alternative embodiments, especially in light of the illustrations provided herein, this detailed description is exemplary of the preferred embodiment of the present invention, the scope of which is limited only by the claims appended hereto.

Referring now to the figures, and to FIG. 1 in particular, the authentication system 30 of the present invention is shown to generally comprise an operative combination of a plurality of service client implemented use cases 31 and a plurality of service provider implemented use cases 32. In particular, the service client 33 of the present invention will generally provide for an end user actor 34 a means 35 for identifying the service client 33 to a service provider 36 for the purpose of requesting that the service provider 36 provide for the service client 33 access to a secured resource. Additionally, the service client 33 of the present invention will generally provide for an end user actor 34 a means 37 for submitting an authentication credential to the service client 33 for use by the service client 33 in obtaining from the service provider 36 access to the requested secured resource.

As also particularly shown in FIG. 1, the service provider 36 of the present invention will generally provide for an end user actor 34 a means 38 for requesting that access to a secured resource be provided by the service provider 36 for a service client 33. Additionally, the service provider 36 of the present invention will generally provide responsive to the submission by an end user actor 34 of a request for access to a secured resource a means 39 for generating and sending to the end user actor 34 a confirmation message 94 indicating that a submitted request was received by the service provider 36. Further, the service provider 36 of the present invention will generally provide for a service client actor 33 a means 40 for forwarding an end user provided authentication credential to the service provider 36. Still further, the service provider 36 of the present invention will generally provide responsive to the forwarding by a service client actor 33 of an authentication credential a means 41 for validating the authentication credential.

In an extension of the present invention particularly useful in implementations wherein the service provider 36 may not otherwise be readily able to determine the identity of a resource to which an end user actor 34 requests access based on the information content of the request as initially submitted by the end user actor 34 to the service provider 36, the service provider 36 may in combination with the means 38 for requesting access to a secured resource also be adapted to provide a means for determining a particular resource for access on the authority of the end user actor 34 such as, for example, a means 42 for prompting the end user actor 34 to provide additional identifying information for the requested resource.

In a further extension of the present invention particularly useful in the most typical implementations of the present invention wherein for security or other reasons the service client 33 is unable to directly access features or functionality of a resource for which an end user actor 34 has requested access, the service provider 36 is also adapted to provide for the end user actor 34 and/or the service client actor 33 a means 96 for conducting a transaction reliant upon or otherwise in connection with the requested secured resource. In this case, it is noted that the secured resource may be provided by and/or otherwise under the further control of a resource provider actor 43 external to the service provider 36 or, in the alternative, may be provided and/or implemented by and/or otherwise under the control of the service provider 36. In any event, the means 96 for conducting a transaction reliant upon or otherwise in connection with the requested secured resource may generally also further comprise a means for reporting the conducted transaction to the service client actor 33 and/or the end user actor 34.

Finally, it is noted that time 44 as an actor may be accommodated as desired in any particular implementation wherein the service provider 36 is also provided with a means 45 responsive to the passage of time for revoking or otherwise invalidating an authentication credential such that an authentication credential otherwise correctly provided by an end user actor 34 to a service client actor 33 and forwarded to the service provider 36 may as a result of the passage of time be deemed to be incorrect, thereby resulting in a validation failure upon application of the means 41 for validating the authentication credential.
`
`Referring now then to FIGS. 2 through 4 in particular, the
`authentication method 46 of the present invention as opera-
`tive upon the described authentication system 30 is shown to
`generally comprise various series of interactions between a
`user 34, a service client system 33 and a service provider
`system 36, as broadly set out in FIG. 4, wherein the interac-
`tions may be broadly categorized as steps 47 implicated in
`requesting access to a secured resource, as broadly set out in
`FIG. 2, and steps 48 implicated in validating the purported
`access right of the user requesting access to the secured
`resource, as broadly set out in FIG. 3.
`As particularly shown in FIGS. 2 and 4, the authentication
`method 46 of the present invention generally begins with an
`end user 34 obtaining from a service client 33 data or other
`information necessary for the end user 34 to request that a
`service provider 36 provide for the service client 33 access to
`a secured resource. This data or other information will gen-
`erally comprise the identification of the service client 33, but
`may additionally comprise any other data or information as
`may be helpful for the conduct ofa particular transaction such
`as, for example, a purchase amount 76, a client reference,
`detailed or itemized transaction data or the like. In any case,
`the service client provided information is then utilized by the
`end user 34 to submit a request message 84 to the service
`provider 36 for the service provider 36 to provide for the
`service client 33 access to a secured resource.
`
`Once a submitted request message 84 is received by the
`service provider 36, the service provider 36 preferably deter-
`mines whether the end user 34 making the request is autho-
`rized or otherwise permitted to make such use of the authen-
`tication system 30. If in an implementation of this feature it is
`determined that the end user 34 is not authorized or otherwise
`
`permitted to make the attempted use of the authentication
`system 30 the process 47 will generally terminate whereas if
`it is determined that the end user 34 is authorized or otherwise
`
`permitted to make the attempted use of the authentication
`system 30 the process 47 will generally continue. Continuing
`in an important step, the service provider 36 must be able to
`evaluate the request message 84 to determine the specific
`identity of the resource for which the request
`is made.
`Because, in at least some implementations of the present
`invention, the common identifier for the resource will for
`security reasons not be allowed to be openly transmitted as
`part of submitted request, this step will in such implementa-
`
`10
`
`15
`
`20
`
`25
`
`30
`
`35
`
`40
`
`45
`
`50
`
`55
`
`60
`
`65
`
`6
`tions involve determining the identity of the resource from
`some element or combination of elements of information
`
`other than the common identifier for the resource. In any case,
`if the available and/or obtainable information is insufficient
`
`for the service provider 36 to positively determine the identity
`ofthe resource for which the end user 34 has requested access
`the process 47 will generally terminate whereas if the avail-
`able and/or obtainable information is sufiicient for the service
`
`provider 36 to positively determine the identity of the
`resource for which the end user 34 has requested access the
`process 47 will generally continue.
`In the final steps for processing a request for access to a
`secured resource, the service provider 36 preferably gener-
`ates a confirmation message 94 for use by the end user 34 for
`indicating to the end user 34 that a submitted request message
`84 has in good order been received by the service provider 36
`and, thereafter, sends the confirmation message 94 to the end
`user 34. With the confirmation message 94 issued by the
`service provider 36 to the end user 34, the end user 34 will
`then submit a previously established authentication creden-
`tial to the service client 33.
`
`Referring then to FIGS. 3 and 4 in particular, validation 48
`of the purported access right of the user requesting access to
`a secured resource is shown to generally begin with the sub-
`mission to a service client 33 by the end user 34 of an authen-
`tication credential, which authentication credential simply
`comprises a previously established key string known to both
`the service provider 36 and the end user 34. Once submitted
`by an end user 34 to a service client 33, however, an authen-
`tication credential must in order for the validation 48 to con-
`
`tinue be forwarded by the service client 33 to the service
`provider 36. To this end, in an optional but most preferred
`feature of the present invention, the service client 33 may be
`programmed or otherwise configured to ensure prior to for-
`warding the authentication credential to the service provider
`36 that a secure communication channel is first established
`
`between the service client 33 and the service provider 36. If in
`an implementation of this feature the required secure com-
`munication channel cannot be established between the ser-
`
`vice client 33 and the service provider 36 the continuing
`process 48 will generally terminate whereas if the required
`secure communication channel is successfully established
`between the service client 33 and the service provider 36 the
`process 48 will generally continue.
`Upon successful forwarding by the service client 33 to the
`service provider 36 of the end user submitted authentication
`credential, the service provider 36 proceeds to validate the
`responsive authentication credential by comparing the cre-
`dential against a known correct key string. As will be appre-
`ciated by those of ordinary skill in the art in light of this
`exemplary description, the known correct key string will sim-
`ply be the same key string known to both the service provider
`36 and the end user 34 and used by end user 34 as an authen-
`tication credential in connection with the transaction in
`progress. In addition to comparison of the authentication
`credential to a known correct key string, however, it is noted
`that in an authentication system utilizing time 44 as an actor
`in order to provide a timeout for the validity of an authenti-
`cation credential provided in connection with a particular
`requested transaction the service provider 36 will be pro-
`grammed or otherwise adapted to determine as part of the
`validation step whether as a result of the passage of time 44
`the authentication credential should for the particular trans-
`action in progress be deemed to be incorrect. In any case, if the
`authentication credential is found or otherwise deemed to be
`incorrect, the service provider 36 will preferably report the
`incorrect finding to the service client 33 and/or the end user 34
`and the process 48 will generally terminate whereas if the
`authentication credential is found to be correct the process 48
`will generally continue.
`With the authentication credential found to be correct, the
`service provider 36 may simply report the correct finding to
`the service client 33 or, if for security or other reasons the
`service client 33 is unable to directly access features or func-
`tionality of a resource for which an end user actor 34 has
`requested access, the service provider 36 will then obtain for
`the end user 34 and/or the service client 33 the benefit of the
`requested secured resource and thereafter appropriately
`report the conducted transaction to the service client 33 and/
`or the end user 34.
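
The validation flow described above, sketched as an added example that is not code from the patent: the class and function names, the 120-second validity window and the constant-time comparison are assumptions made for illustration.

```python
import hmac
import time
from dataclasses import dataclass

@dataclass
class Pending:
    key_string: bytes   # key string known to both provider and end user
    issued_at: float    # when the confirmation message was sent
    ttl: float          # validity window in seconds (assumed value)

class ServiceProvider:
    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._pending = {}

    def confirm(self, txn_id, key_string, ttl=120.0):
        """Record the transaction when the confirmation message is issued."""
        self._pending[txn_id] = Pending(key_string.encode(), self._clock(), ttl)

    def validate(self, txn_id, credential):
        """Return 'correct' or 'incorrect' for the transaction in progress."""
        txn = self._pending.get(txn_id)
        if txn is None:
            return "incorrect"
        # Constant-time comparison: a hardening choice added here, so the
        # comparison time does not reveal how many leading bytes matched.
        matches = hmac.compare_digest(credential.encode(), txn.key_string)
        expired = self._clock() - txn.issued_at > txn.ttl
        # An expired credential is deemed incorrect even if the string matches.
        return "correct" if matches and not expired else "incorrect"

def forward_credential(provider, txn_id, credential, channel_is_secure):
    """Service client: forward only once a secure channel is established."""
    if not channel_is_secure:
        return "terminated"
    return provider.validate(txn_id, credential)

def demo():
    now = [0.0]                      # constructed clock for a repeatable run
    sp = ServiceProvider(clock=lambda: now[0])
    sp.confirm("txn-1", "constructed-key-string", ttl=120.0)
    results = [
        forward_credential(sp, "txn-1", "constructed-key-string", False),
        forward_credential(sp, "txn-1", "wrong-guess", True),
        forward_credential(sp, "txn-1", "constructed-key-string", True),
    ]
    now[0] = 121.0                   # past the validity window
    results.append(forward_credential(sp, "txn-1", "constructed-key-string", True))
    return results
```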
`
`With the foregoing broad overview of the general structure
`and function of the authentication system 30 of the present
`invention in mind, it is now noted that
