(19) United States
(12) Patent Application Publication    (10) Pub. No.: US 2007/0136573 A1
Steinberg                              (43) Pub. Date: Jun. 14, 2007

US 20070136573A1

(54) SYSTEM AND METHOD OF USING TWO OR MORE MULTI-FACTOR AUTHENTICATION MECHANISMS TO AUTHENTICATE ONLINE PARTIES

(76) Inventor: Joseph Steinberg, Teaneck, NJ (US)

Correspondence Address:
KLAUBER & JACKSON
411 HACKENSACK AVENUE
HACKENSACK, NJ 07601

(21) Appl. No.: 11/606,788
(22) Filed: Nov. 30, 2006

Related U.S. Application Data
(60) Provisional application No. 60/742,498, filed on Dec. 5, 2005.

Publication Classification
(51) Int. Cl. H04L 9/00 (2006.01)
(52) U.S. Cl. 713/155

(57) ABSTRACT

A system and method for authentication that comprises the use of at least one multiple multi-factor authentication with the optional addition of, mutual (site) authentication, transaction/behavior analysis, that utilizes user-facing geolocation communications and/or information about user device ownership periods, and/or a combination thereof to help prevent fraud.

[Front-page figure: screenshot of the demonstration site (http://127.0.0.1/auth/not_registered.php) in Microsoft Internet Explorer; visible text: "Unknown user attempting log in."]

Page 1 of 31
GOOGLE EXHIBIT 1005
Patent Application Publication Jun. 14, 2007 Sheet 1 of 20    US 2007/0136573 A1

[Sheet 1 of 20: screenshot of the demonstration site in Microsoft Internet Explorer; visible text: "Unknown user attempting log in."]

Figure 1

Page 2 of 31
[Sheet 2 of 20: screenshot of http://127.0.0.1/auth/home_page.php in Microsoft Internet Explorer, titled "Identity Cues Demonstration Using Version 1.1b"; the login form residue is not recoverable.]

The user enters the one time password that he has received as well as his normal username and password and submits them to the web site.

Figure 2

Page 3 of 31
[Sheet 3 of 20: screenshot of http://127.0.0.1/auth/home_page.php ("Identity Cues Demonstration Using Version 1.1b"); visible text: "Invalid One Time Password. Please retry", with the form fields "One Time Password:", "Please enter your User ID and Password:", "User ID:", "Password:" and a "Login" button.]

If the one-time password, username, and password combination is not correct the user cannot log in.

Figure 3

Page 4 of 31
[Sheet 4 of 20: screenshot of http://127.0.0.1/auth/assign_machine.php in Microsoft Internet Explorer; visible text: "Assign This Machine As Trusted?"]

If the one time password, username, and password combination all correspond and are correct the user is logged in and he may be asked if he wants his machine to be trusted on future login attempts.

Figure 4

Page 5 of 31
[Sheet 5 of 20: screenshot of http://127.0.0.1/auth/assign_machine.php in Microsoft Internet Explorer; visible text: "Machine Assigned As Trusted. Click HERE to continue to the real site".]

The user has chosen to make the site trust him from the particular device he is using.

Fig. 5

Page 6 of 31
[Sheet 6 of 20, Fig. 6: screenshot of personal_banking.php, the demo page shown after login; visible text to the effect of "Here is your personal banking information. This is merely a demo site."]

Page 7 of 31
[Sheet 7 of 20: screenshot of http://127.0.0.1/auth/home_page.php in Microsoft Internet Explorer, titled "Identity Cues Demonstration"; the page content is not recoverable from the scan.]

User login from a trusted machine in an implementation in which mutual authentication is enabled.

Fig. 7

Page 8 of 31
[Sheet 8 of 20: screenshot of http://127.0.0.1/auth/new_user.php in Microsoft Internet Explorer, an enrollment form with the fields "Last Name:", "Email:", "Cell: (e.g. 2121111111)", "User Name:" and "Password:".]

User enrolling to become a new user of the business system: no enrollment in the strong authentication system is needed.

Fig. 8

Page 9 of 31
[Sheet 9 of 20: screenshot of a local configuration page (file path truncated in the scan, ...\demo_c...) in Microsoft Internet Explorer. Recoverable content follows.]

Options for what the system should do on a potential hack or MITM attack:
- Browser Incompatibility 2 Factor Failure Options
- Use Automatic Map Validation Login
- Display Message for Successful Authentication via Map Interface
- Display Cue on Map
- Validation Email
- Google Maps Key (key needed to use Google Maps for the Map Validation method of the Browser Incompatibility failure option)
- Display Satellite View And Google Map

Weighting: a session is initially a 100% mark. For each mistake in the mismatched fields, we subtract the value specified below. Anything below the metric specified by the Penalty Failure Limit will be considered as a potential hijack, and the requested failure option selected in the Browser Incompatibility failure Option field above will be invoked.

Penalty settings:
- Penalty Failure Limit
- Penalty For Incorrect IP address
- Penalty for Incorrect Browser Type
- Timezone Penalty
- Zipcode Penalty
- City Penalty
- Longitude Penalty
- Latitude Penalty
- Region/State Penalty
- Country Penalty
- Incorrect ISP Penalty

Drop down for map sending and heuristic scoring options.

Figure 9

Page 10 of 31
[Sheet 10 of 20: screenshot of the local configuration page in Microsoft Internet Explorer. Recoverable fields follow.]

Mail Server Settings: Username for SMTP server; Password for SMTP server; FQDN or IP Address of SMTP server; SMTP port.

Cookie Settings: Cookie Prefix; Days to expire cookie in (365); Local 2 Factor Expiration Time (in seconds from Jan 1 1970).

Assign multiple people to one device (drop down): None (Always force 2 factor); Always (Always Allow Users to Assign The Machine As Trusted Device); Home Phone (Allow Multiple People with Same Home Phone Number).

Other settings: Encryption index setting; Salt (need to change directly in the DB); Trim Length (# of characters to send for the One Time Password); Password Length To Hash (need to change directly in the DB); File Used for Key (need to change directly in the DB).

General Product Settings: In Testing; Testing To Person (test recipient e-mail address).

Illustrative drop down box depicting exemplary rules for determining when to allow multiple users to make a device trusted based on information about the users.

Figure 10

Page 11 of 31
[Sheet 11 of 20, FIG. 11A: flowchart, reconstructed as a list of steps.]

1110 User comes to site.
1112 (Label X) System detects that computer is not known to be trusted.
1114 User enters username and requests that system use two-factor authentication to authenticate him (e.g., a one-time password to be sent to the cellphone in his possession previously identified to the owner of the system).
1116 One-time password is sent to the cellphone via SMS or email.
1118 User enters one time password and his password on the screen.
1120 Visual cue is generated (optional).
1122 User clicks submit and logs in.
1124 Either now, or at any point during his session, User may click a link that allows him to make his computer "trusted" for subsequent login attempts.
1126 System sends some identifier to the computer (as a cookie, certificate, etc.), and/or records identifying information about that machine (e.g., network number from IP address, checksum of various items in the hardware or software, IP address, etc.).
1128 User continues session.

FIG. 11A

Page 12 of 31
[Sheet 12 of 20, FIG. 11B: flowchart, reconstructed as a list of steps.]

1140 User comes to site.
1142 System detects that computer is not known to be trusted.
1144 User enters username and requests that system use two-factor authentication to authenticate him (e.g., he asks for a one-time password to be sent to the cellphone in his possession previously identified to the owner of the system).
1146 One time password is sent to the cellphone via SMS or email.
1148 User enters one time password and his password on the screen.
1150 Visual cue is generated (optional).
1152 User clicks submit and logs in.

FIG. 11B

Page 13 of 31
[Sheet 13 of 20, FIG. 11C: flowchart, reconstructed as a list of steps.]

1160 User comes to site.
1162 System detects that computer is known to be trusted by retrieving certificate, cookie, etc.
1164 Optional: System displays visual cue for user trusted on this machine (system can also optionally inform user not to login if cue is not correct).
1166 User enters username and password.
1168 Optional: Visual cue generated as the user types.
1170 System detects if the user who is trusted is the user who actually entered username.
1172 If YES: User clicks submit and logs in.
1174 If NO: System goes back to the screen asking for the one time password and continues at Label X in Figure 11A.

FIG. 11C

Page 14 of 31
[Sheet 14 of 20, FIG. 11D: flowchart, reconstructed as a list of steps.]

1190 User comes to man-in-the-middle phishing site from his trusted computer.
1192 Man-in-the-middle loads login page from real site and sends it to user (optionally the login page may be previously stored on the man-in-the-middle machine in which case steps 1194 and 1196 would be reversed).
1194 System detects that computer accessing (i.e., the man-in-the-middle) is not known to be trusted.
1196 User enters username and expects cue to appear.
1198 Man in the middle relays username to real system.
1200 System does not send cue and instead generates one time password email with warning message which it sends out of band to real user's email address.

FIG. 11D

Page 15 of 31
[Sheet 15 of 20, FIG. 11E: flowchart, reconstructed as a list of steps.]

1300 User selects Change Password feature on system.
1310 System checks if user is accessing system from a trusted machine that has been trusted for a period of more than X days.
1320 If YES: User is presented with password change feature.
1330 If NO: User is presented with message that passwords can only be changed from devices known to be associated with him for over X days and that if he must change a password now he should call the helpdesk.

FIG. 11E

Page 16 of 31
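The trusted-device flows of FIG. 11A (step 1126), FIG. 11C (steps 1162 to 1174) and FIG. 11E (the X-day rule), worked as an added Python example; this is not code from the patent or from the inventor's demonstration site. It assumes an HMAC-signed cookie as the device identifier, a constructed server key and word/colour lists for the cue of paragraph [0016], and 30 days as the policy value X.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional, Tuple

# Constructed server-side secret; a real deployment keeps this in a secret store or HSM.
SERVER_KEY = b"constructed-demo-key-not-for-production"
TAG_LEN = hashlib.sha256().digest_size

# Constructed word and colour lists for the "word in a coloured box" cue of paragraph [0016].
CUE_WORDS = ["harbor", "maple", "violet", "comet", "saffron", "granite", "juniper", "cobalt"]
CUE_COLORS = ["red", "green", "blue", "orange"]


def issue_trust_token(username: str, trusted_since: int) -> str:
    """Step 1126: mint the identifier handed to the browser as a cookie.
    It binds the device to one user and records when trust began (needed for
    the X-day rule of FIG. 11E); the HMAC tag makes the value tamper-evident."""
    payload = json.dumps({"u": username, "ts": trusted_since}, separators=(",", ":")).encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()


def verify_trust_token(token: Optional[str]) -> Optional[Tuple[str, int]]:
    """Step 1162: recover (username, trusted_since), or None if the cookie is
    absent, malformed or forged. The payload is parsed only after the tag checks."""
    if not token:
        return None
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except (ValueError, UnicodeEncodeError):
        return None
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    data = json.loads(payload)
    return data["u"], int(data["ts"])


def site_cue(username: str) -> Tuple[str, str]:
    """Paragraphs [0016]/[0021] and FIG. 11G/11H: a word inside a coloured box,
    derived from the server key so the same process can also print or speak it."""
    d = hmac.new(SERVER_KEY, b"cue:" + username.encode(), hashlib.sha256).digest()
    return CUE_WORDS[d[0] % len(CUE_WORDS)], CUE_COLORS[d[1] % len(CUE_COLORS)]


def choose_login_page(cookie: Optional[str], typed_username: str) -> Dict[str, Optional[str]]:
    """Paragraph [0008]: pick the login page. The cue is shown only when the machine is
    trusted AND the bound user is the one typing (FIG. 11C step 1170); otherwise fall
    back to the one-time-password page at label X of FIG. 11A (step 1174)."""
    ident = verify_trust_token(cookie)
    if ident is None or ident[0] != typed_username:
        return {"page": "otp_required", "cue": None}
    word, color = site_cue(typed_username)
    return {"page": "trusted", "cue": f"{word} in a {color} box"}


def may_change_password(cookie: Optional[str], username: str, now: int, x_days: int = 30) -> bool:
    """FIG. 11E steps 1310-1330: allow the change only from a device that has been
    trusted for this user for more than X days; otherwise the user is directed to
    the helpdesk. x_days is a constructed policy value."""
    ident = verify_trust_token(cookie)
    if ident is None or ident[0] != username:
        return False
    return now - ident[1] > x_days * 86400
```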

[Sheet 16 of 20, FIG. 11F: flowchart, reconstructed as a list of steps.]

1400 User logs in from device that has an identifier (e.g., cookie).
1410 System identifies that identifier matches known identifier of one of the devices trusted as belonging to this user.
1420 System examines web session for its properties (time zone, language settings, network number, IP address, etc.). Geo-location is calculated from IP address.
1430 Does the heuristic information taken from the session match to the acceptable minimum the known heuristic information for this device from previous sessions?
1440 If YES: User is allowed in to the system if username and password are correct.
1450 If NO: Based on business policies, either the user is locked out for this session, locked out altogether until he contacts the helpdesk, a one time password is required for access, or other corrective actions are taken.

FIG. 11F

Page 17 of 31
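The heuristic scoring configured on the Figure 9 page (per-field penalties, the Penalty Failure Limit and the failure option) and applied in FIG. 11F (steps 1420 to 1450), as an added Python example that is not the patent's or the demonstration product's code. The penalty values, the failure limit, the IP-to-geolocation table and the sample sessions are all constructed.

```python
import ipaddress
from typing import Dict, List, Tuple

# Penalty weights as configured on the Figure 9 settings page ("Penalty For Incorrect IP
# address", "Timezone Penalty", ..., "Incorrect ISP Penalty"). The numbers are constructed.
PENALTIES = {
    "ip_address": 25, "browser_type": 15, "timezone": 15, "zipcode": 5, "city": 5,
    "longitude": 5, "latitude": 5, "region_state": 10, "country": 30, "isp": 15,
}
PENALTY_FAILURE_LIMIT = 60   # constructed: a score below this is treated as a potential hijack

# Constructed stand-in for the IP-to-geolocation lookup of step 1420 (documentation ranges only).
GEO_DB = {
    "198.51.100.0/24": {"city": "Teaneck", "region_state": "NJ", "country": "US", "zipcode": "07666",
                        "latitude": "40.9", "longitude": "-74.0", "isp": "ExampleNet"},
    "203.0.113.0/24": {"city": "Sydney", "region_state": "NSW", "country": "AU", "zipcode": "2000",
                       "latitude": "-33.9", "longitude": "151.2", "isp": "OceanISP"},
}


def geolocate(ip: str) -> Dict[str, str]:
    """Map an IP address to the geolocation fields the scorer compares (empty if unknown)."""
    addr = ipaddress.ip_address(ip)
    for net, info in GEO_DB.items():
        if addr in ipaddress.ip_network(net):
            return dict(info)
    return {}


def session_properties(ip: str, browser_type: str, timezone: str) -> Dict[str, str]:
    """Step 1420: collect the session's properties, including geolocation derived from the IP."""
    props = {"ip_address": ip, "browser_type": browser_type, "timezone": timezone}
    props.update(geolocate(ip))
    return props


def score_session(known: Dict[str, str], current: Dict[str, str]) -> Tuple[int, List[str]]:
    """Step 1430 with the Figure 9 weighting: start at a 100% mark and subtract the
    configured penalty for every field that differs from the profile learned in
    previous sessions. Returns the score (floored at 0) and the mismatched fields."""
    score, mismatches = 100, []
    for field, penalty in PENALTIES.items():
        if known.get(field) != current.get(field):
            score -= penalty
            mismatches.append(field)
    return max(score, 0), mismatches


def decide(score: int, failure_option: str = "require_one_time_password") -> str:
    """Steps 1440/1450: at or above the Penalty Failure Limit the normal password login
    proceeds; below it the configured failure option (lock this session, lock until the
    helpdesk is contacted, require a one-time password, ...) is invoked."""
    return "allow_if_password_correct" if score >= PENALTY_FAILURE_LIMIT else failure_option


def evaluate_login(known: Dict[str, str], ip: str, browser_type: str,
                   timezone: str) -> Tuple[str, int, List[str]]:
    """Evaluate one login against the stored profile of the device the cookie identified."""
    score, mismatches = score_session(known, session_properties(ip, browser_type, timezone))
    return decide(score), score, mismatches
```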

[Sheet 17 of 20, FIG. 11G: flowchart, reconstructed as a list of steps.]

1500 Organization prepares letter to user.
1510 Organization runs same process used to generate cues for web site and generates cue for a particular user and generates that user's cue.
1520 Organization prints cue onto letter to user.

FIG. 11G

Page 18 of 31
[Sheet 18 of 20, FIG. 11H: flowchart, reconstructed as a list of steps.]

1600 Organization makes phone call to user or user to organization.
1610 Optional: User speaks or enters username.
1620 Organization runs same process used to generate cues for web site and generates cue for a particular user and generates that user's cue.
1630 Organization audibly presents cue to user.

FIG. 11H

Page 19 of 31
[Sheet 19 of 20, FIG. 11I: flowchart, reconstructed as a list of steps.]

2000 User logs in from a computer.
2010 System checks geolocation of the computer.
2020 System checks geolocation of other electronic device that user is known to carry with him.
2030 Are they at the same or similar locations?
2040 If YES: User is allowed in to the system if username and password are correct.
2050 If NO: Based on business policies, either the user is locked out for this session, a one time password is required for access, or other authentication is required.

FIG. 11I

Page 20 of 31
[Sheet 20 of 20, FIG. 11J: flowchart, reconstructed as a list of steps.]

2100 User logs in from a telephone.
2110 System checks geolocation of the telephone.
2120 System checks geolocation of other electronic device that user is known to carry with him.
2130 Are they at the same or similar locations?
2140 If YES: User is allowed in to the system if username and password are correct.
2150 If NO: Based on business policies, either the user is locked out for this session, a one time password is required for access, or other authentication is required.

FIG. 11J

Page 21 of 31
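The geolocation comparison of FIG. 11I (computer versus the device the user carries) and FIG. 11J (telephone versus that device), as an added Python example that is not part of the patent. It assumes decimal-degree fixes for both devices, a constructed 50 km radius for "the same or similar locations", and that a missing fix for the carried device is handled like a mismatch; the coordinates in the test are constructed sample values.

```python
import math
from typing import Optional, Tuple

Coord = Tuple[float, float]          # (latitude, longitude) in decimal degrees

# Constructed policy value: distance within which two fixes count as "the same or
# similar location" (steps 2030 / 2130). IP geolocation is city-level at best, so a
# tight radius would produce false mismatches for legitimate users.
SIMILAR_LOCATION_KM = 50.0


def haversine_km(a: Coord, b: Coord) -> float:
    """Great-circle distance in kilometres between two latitude/longitude points."""
    r = 6371.0
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * r * math.asin(math.sqrt(h))


def locations_similar(login_fix: Coord, device_fix: Coord,
                      radius_km: float = SIMILAR_LOCATION_KM) -> bool:
    """Steps 2030 / 2130: are the two devices at the same or similar locations?"""
    return haversine_km(login_fix, device_fix) <= radius_km


def decide_login(login_fix: Coord, device_fix: Optional[Coord], password_ok: bool,
                 failure_option: str = "require_one_time_password") -> str:
    """Steps 2030-2050 (computer) and 2130-2150 (telephone). login_fix is the
    geolocation of the device the user is logging in from, device_fix that of the
    other device he is known to carry. With no fix for the carried device the
    locations cannot be compared, so (assumption) the failure option applies too."""
    if device_fix is None or not locations_similar(login_fix, device_fix):
        return failure_option                   # lock session, require OTP, or other authentication
    return "allow" if password_ok else "deny"   # steps 2040 / 2140
```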

US 2007/0136573 A1    Jun. 14, 2007

SYSTEM AND METHOD OF USING TWO OR MORE MULTI-FACTOR AUTHENTICATION MECHANISMS TO AUTHENTICATE ONLINE PARTIES

RELATED APPLICATIONS

[0001] The present application claims priority under 35 U.S.C. §120 from U.S. non-provisional patent filing Ser. No. 11/258,593 filed Oct. 25, 2005, which claims priority from U.S. non-provisional patent filing Ser. No. 11/114,945 filed Apr. 26, 2005, which claims priority from U.S. provisional patent application Ser. No. 60/565,744 filed on Apr. 27, 2004, and from U.S. provisional patent application Ser. No. 60/742,498 filed on Dec. 5, 2005, the entire disclosures of which are hereby incorporated by reference.

BACKGROUND OF THE INVENTION

[0002] While secret passwords have been used for millennia to prove one's identity or that a party is authorized to access a specific resource, the use of passwords as a method of authentication poses risks: if an unauthorized party discovers, intercepts, or otherwise obtains a password he/she/it can gain inappropriate access to sensitive resources. In today's electronic age, in which sensitive information can be accessed and transactions can be executed online (including via telephone communications with humans and/or computers) after unseen parties authenticate, stronger forms of authentication are often appropriate. Furthermore, various approaches of addressing the problem of weak authentication have proven ineffective across the Internet. For example, requiring users to provide two distinct passwords instead of one, or asking users to provide a password and answer a question, as some systems have used, are actually less secure than a single longer password. It is often harder to crack one long password than to discover two short ones, as there is no indication of success after cracking half of the former, but there is usually an indication once one password has successfully been calculated. Furthermore, in the case of challenge questions, if users are allowed to pick questions and set their answers they may pick questions that are not truly secret (e.g., what is my birthday?) which may be accessed by criminals from public records or on the Internet. If users are required to pick from specific questions and provide answers they may (and, in fact, are likely) to reuse answers to secret questions on multiple sites, undermining the security value of answering the questions and setting the access security for all of the sites on which the question/answer was used to that of the lowest level among all of the sites on which it was used. A phishing site can easily ask for a user's password and mother's maiden name; as such, it is clear that requesting these two pieces of information (or any similar piece of information in conjunction with a password) is not a good way to combat phishing and online fraud, and that it is unwise to condition users to submit sensitive information to online systems prior to knowing the identity of the online systems. Furthermore, once compromised the answers to many challenge questions (e.g., what is your mother's maiden name, what is your social security number, in what city were you born, etc.) cannot be reset, and so the compromise of such information even once can lead to a lifetime of increased risk of identity theft. Furthermore, even if the compromise is discovered immediately after occurring (as would normally allow for reaction to prevent fraud), in the case of challenge questions once the secrets are compromised they can never be restored to secrecy.

[0003] Some have suggested that to improve authentication, users should prove their identities using not only a secret (password or answer), but also with something to which they possess access (either physical or digital access) or with something such as biometrics. Yet, as those skilled in the art will appreciate, just as passwords and challenge questions may prove inappropriate for strong authentication across the Internet, so may digital certificates, biometrics, USB devices, hardware tokens and one-time password generating cards, and other forms of authentication.

SUMMARY OF THE INVENTION

[0004] To this end, the present invention provides a system and method for providing strong authentication without any of the aforementioned drawbacks, and in addition, with minimum inconvenience to users. Contemplated within the scope of this invention are several novel elements which may be implemented independently or together.

[0005] In one aspect, the present invention offers a unique system and method for the use of two or more forms of multi-factor authentication (that is, two different systems, each of which requires a password in addition to a second authentication mechanism that does not rely on users entering a regular password/answer to a question) with a more convenient one used whenever possible, and another method used when necessary. The goal of such a system is to always provide strong or two factor authentication, all the while providing maximal convenience for users. In addition to the email based one time passwords described below, a cellphone could be used to authenticate by sending it a barcode to display so it can be scanned by a reader, using RFID within the cellphone, having the cellphone use its wireless capabilities and ESN to create an RFID-like identification, and other ways. Thus, the invention may also include the use of such systems for other purposes including sending bar codes to phones/mobile devices for use as coupons to be scanned at a grocer. For the sake of this patent, barcode is used to mean not only two-dimensional bar-based scannable images such as UPC symbols, but any generated image that is scannable and readable by another electronic device.

[0006] In another aspect, the present invention offers a novel system and method that employs site or email authentication in conjunction with true multi-factor authentication.

[0007] In another aspect, the present invention offers a novel system and method to use site authentication in such a way that a system being accessed authenticates the party accessing the system prior to that party having to type anything (i.e., prior to entering a username or other login credentials).

[0008] In yet another aspect, the present invention offers a novel system and method to use differentiated login pages, one for a user and machine that are trusted, one for a user and machine that is not trusted, and one for a case in which only one of them (the user or the machine) is trusted.

[0009] In yet another aspect, the present invention offers a novel system and method that provides the ability to have strong multi-factor authentication that is invisible to users.

Page 22 of 31

[0010] In yet another aspect, the present invention offers a unique system and method that provides the novel triple protection combination of multi-factor authentication, site authentication, and transaction/behavior analysis.

[0011] In yet another aspect, the present invention offers a unique system and method that provides the ability to offer true multi-factor authentication without any user enrollment (other than that which has already occurred in order to offer single factor authentication).

[0012] In yet another aspect, the present invention offers a novel system and method that provides, among other things, the use of visible or audible site authentication when used with a remote access system such as a SSL VPN.

[0013] In yet another aspect, the present invention offers a novel system and method that provides the use of a login screen on which there is a button that the user must click in order to obtain information that must be entered on the login screen.

[0014] In yet another aspect, the present invention offers a novel system and method that provides the ability to address man-in-the-middle attacks through either or both of the following defenses: a) presentation of a recognizable (audible, visual, or otherwise recognizable) cue providing authenticity of a computer only when the user is accessing it from an identified machine (and a man-in-the-middle would either not be identified or identified differently); b) sending a warning message via email, SMS, or some other carrier out of band to the user, such message potentially comprising part of a one-time-password message or separate.

[0015] In yet another aspect, the present invention offers a novel system and method that provides communication out of band to a user, said communication comprising information detailing the geolocation information (in the form of text or a map) that shows where the user is accessing a given application or site from so that the user can detect any fraudulent access.

[0016] In yet another aspect, the present invention offers a unique system and method that provides for the use of a colored or uncolored word/s or other sets of characters within a colored box for site/mutual authentication.

[0017] In yet another aspect the present invention offers a unique system and method that delivers two systems (rather than one system) for identifying devices used for access, one being heuristic based, and one being based on the assigning of a value to that machine which is stored on the device or read from the device.

[0018] In yet another aspect, the present invention offers a novel system and method that provides for the use of user information in order to determine whether multiple users should be allowed to assign a particular device as trusted.

[0019] In yet another aspect, the present invention offers a novel system and method that allows setting business security policies based on information about how trusted a device is for a particular user or users in general (based on binding it to specific users).

[0020] In yet another aspect, the present invention offers a novel system and method that offers either site authentication, user authentication, or both, and leverages human psychology and the science of learning in its design.

[0021] In yet another aspect, the present invention offers a novel system and method to address the problem of broken image symbols tricking users into thinking that a missing visual cue is due to technical problems rather than a security concern. Furthermore, the invention includes stating to the user a message to the effect of "If you do not see your cue then there may be a security risk: please do not log in." as opposed to the "If y
