Patent Issued for Multi-factor authentication with code rotation (USPTO 11349672): United Services Automobile Association
2022 JUN 16 (NewsRx) -- By a
The patent’s assignee for patent number 11349672 is
News editors obtained the following quote from the background information supplied by the inventors: “Organizations and individuals that operate and/or manage computing systems may implement various security measures to prevent unauthorized individuals, devices, and processes from accessing secured data stored on the systems, gaining control of processes executing on the systems, introducing new (e.g., malicious) processes to the systems, and/or gaining access for other purposes. Traditionally, a user may provide one or more credentials to gain access to a system. Such credentials may include a username, password, and/or personal identification number (PIN). By comparing the supplied credentials with previously established credentials for the user, a determination may be made whether to permit or deny the requested access. In some instances, tokens such as cryptographic keys may be employed to authenticate an individual and/or verify that an individual or process is authorized to access a system. Cryptographic keys may also be employed to secure communications over a network.”
As a supplement to the background information on this patent, NewsRx correspondents also obtained the inventors’ summary information for this patent: “Implementations of the present disclosure are generally directed to user authentication and/or device verification. More specifically, implementations are directed to using a rotating security code to sign a certificate which is provided for device verification to determine access to secure information.
“In general, innovative aspects of the subject matter described in this specification can be embodied in methods that include actions of: retrieving a first cryptographic key from data storage on a user device; generating an instance of a rotating security code, wherein the rotating security code changes with a periodicity; signing a certificate using the instance of the rotating security code, wherein the certificate is an assertion that the user device is authorized to access secure information; encrypting the certificate using the first cryptographic key; and communicating the encrypted certificate to a service that verifies, based on the certificate, that the user device is authorized to access secure information.
“Implementations can optionally include one or more of the following features: the first cryptographic key is retrieved from the data storage in response to a successful authentication of a user of the user device based on authentication data associated with the user; the authentication data includes one or more of biometric data and a personal identification number (PIN); the instance of the rotating security code is generated based on a shared secret that is stored in the data storage on the user device; a copy of the shared secret is accessible by the service for use in verifying that the user device is authorized to access the secure information; the instance of the rotating security code is generated using an algorithm for random or pseudo-random number generation; the instance of the rotating security code is communicated to the service for use in verifying that the user device is authorized to access the secure information; the actions further include retrieving a device identifier (ID) from the data storage, the device ID uniquely identifying the user device among a plurality of user devices; the actions further include communicating the device ID with the certificate to the service for use in verifying that the user device is authorized to access the secure information; the device ID is a token that complies with a version of an OAuth standard; and/or verifying that the user device is authorized to access the secure information includes decrypting the certificate to recover the instance of the security code from the certificate, the decrypting using a second cryptographic key that is associated with the first cryptographic key, comparing the instance of the security code with an expected instance of the security code, and based on a correspondence between the instance of the security code and an expected instance of the security code, allowing the user device to access the secure information.
“Other implementations of any of the above aspects include corresponding systems, apparatus, and computer programs that are configured to perform the actions of the methods, encoded on computer storage devices. The present disclosure also provides a computer-readable storage medium coupled to one or more processors and having instructions stored thereon which, when executed by the one or more processors, cause the one or more processors to perform operations in accordance with implementations of the methods provided herein. The present disclosure further provides a system for implementing the methods provided herein. The system includes one or more processors, and a computer-readable storage medium coupled to the one or more processors having instructions stored thereon which, when executed by the one or more processors, cause the one or more processors to perform operations in accordance with implementations of the methods provided herein.
“Implementations of the present disclosure provide one or more of the following technical advantages and/or technical improvements over previously available solutions. In traditional systems that rely solely on user credentials such as PIN, username, and/or password to control access to secure information, such security may be readily breached if an unauthorized user or process gains access to the credential(s). Moreover, such credentials may be cumbersome for an authorized user to remember, particularly in situations where the user holds many different credentials for accessing various systems. Implementations may avoid such disadvantages and provide stronger security than traditional systems by performing an initial authentication based on biometric data (e.g., fingerprint) followed by device verification based on a dynamically rotating security code. Moreover, by providing authentication and device verification that are stronger and more reliable than traditional systems, implementations reduce or eliminate the consumption of processing capacity, storage capacity, memory, networking resources, and/or other computing resources that would be consumed by a traditional system to recover from errors in authentication or device verification, or to perform repeated attempts to authenticate a user and/or verify a device for secure access.”
The claims supplied by the inventors are:
“1. A computer-implemented method performed by at least one processor, the method comprising: receiving, from a user device, a digital document signed using a first instance of a code, the first instance of the code being generated based on shared secret data stored in a data storage, and the signed digital document being encrypted; retrieving a public key and the shared secret data from the data storage; decrypting the encrypted digital document using the public key; recovering the first instance of the code from the decrypted digital document; generating a second instance of the code based on the shared secret data; determining whether the first instance of the code corresponds to the second instance of the code; and in response to determining that the first instance of the code corresponds to the second instance of the code, verifying that a user device is authorized to access secure information.
“2. The method of claim 1, further comprising: retrieving shared secret data from the data storage, and generating the first instance of the code based on the retrieved shared secret data, and wherein determining whether the first instance of the code corresponds to the second instance of the code comprises: comparing the generated first instance of the code with the recovered second instance of the code.
“3. The method of claim 1, further comprising: in response to determining that the first instance of the code does not correspond to the second instance of the code, verifying that a user device is not authorized to access secure information.
“4. The method of claim 1, further comprising: receiving, from the user device, a device identifier (ID) uniquely identifying the user device among a plurality of user devices; and verifying the device ID before decrypting the encrypted digital document using the public key.
“5. The method of claim 4, wherein verifying the device ID comprises: comparing the received device ID to a second device ID that is retrieved from the data storage, and determining that the received device ID corresponds to the second device ID.
“6. The method of claim 4, wherein the device ID is a token that complies with a version of an OAuth standard.
“7. The method of claim 1, wherein the secure information comprises one or more portions of an application executing on the user device.
“8. The method of claim 7, wherein the application is a financial services application.
“9. The method of claim 1, wherein the secure information comprises a health care record.
“10. A system comprising: at least one processor; and a memory communicatively coupled to the at least one processor, the memory storing instructions which, when executed by the at least one processor, cause the at least one processor to perform operations comprising: receiving, from a user device, a digital document signed using a first instance of a code, the first instance of the code being generated based on shared secret data stored in a data storage, and the signed digital document being encrypted; retrieving a public key and the shared secret data from the data storage; decrypting the encrypted digital document using the public key; recovering the first instance of the code from the decrypted digital document; generating a second instance of the code based on the shared secret data; determining whether the first instance of the code corresponds to the second instance of the code; and in response to determining that the first instance of the code corresponds to the second instance of the code, verifying that a user device is authorized to access secure information.
“11. The system of claim 10, wherein the operations further comprise: retrieving shared secret data from the data storage, and generating the first instance of the code based on the retrieved shared secret data, and wherein determining whether the first instance of the code corresponds to the second instance of the code comprises: comparing the generated first instance of the code with the recovered second instance of the code.
“12. The system of claim 10, wherein the operations further comprise: in response to determining that the first instance of the code does not correspond to the second instance of the code, verifying that a user device is not authorized to access secure information.
“13. The system of claim 10, wherein the operations further comprise: receiving, from the user device, a device identifier (ID) uniquely identifying the user device among a plurality of user devices; and verifying the device ID before decrypting the encrypted digital document using the public key.
“14. The system of claim 13, wherein the operations for verifying the device ID comprise: comparing the received device ID to a second device ID that is retrieved from the data storage, and determining that the received device ID corresponds to the second device ID.
“15. The system of claim 13, wherein the device ID is a token that complies with a version of an OAuth standard.
“16. The system of claim 10, wherein the secure information comprises one or more portions of an application executing on the user device.
“17. The system of claim 16, wherein the application is a financial services application.
“18. The system of claim 10, wherein the secure information comprises one or more portions of a health care record.
“19. One or more non-transitory computer-readable media storing instructions which, when executed by at least one processor, cause the at least one processor to perform operations comprising: receiving, from a user device, a digital document that is signed using a first instance of a code, the first instance of the code being generated based on a shared secret stored in a data storage, and the signed digital document being encrypted; retrieving a public key and the shared secret from the data storage; decrypting the encrypted digital document using the public key; recovering the first instance of the code from the decrypted digital document; generating a second instance of the code based on the received shared secret; determining whether the first instance of the code corresponds to the second instance of the code; and in response to determining that the first instance of the code corresponds to the second instance of the code, verifying that a user device is authorized to access secure information.
“20. The one or more non-transitory computer-readable media of claim 19, wherein the operations further comprise: retrieving shared secret data from the data storage, and generating the first instance of the code based on the retrieved shared secret data, and wherein determining whether the first instance of the code corresponds to the second instance of the code comprises: comparing the generated first instance of the code with the recovered second first instance of the code.”
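The device-side flow in the inventors' summary (generate a rotating code from a shared secret, sign a certificate with it) and the verifier-side flow in claim 1 (recover the code, regenerate the expected instance, compare) can be modelled end to end. The following is an added illustration, not code from the patent or its assignee: the 30-second period, the HMAC-SHA256 construction, the JSON certificate layout and the one-period tolerance window are all assumptions, and the encrypt/decrypt step of the claims is left to transport security (e.g. TLS) rather than shown.

```python
import hmac, hashlib, json, struct, time

PERIOD_SECONDS = 30          # assumed rotation period; the page only says "a periodicity"
SKEW_WINDOW = 1              # accept codes from one period either side of "now"

def rotating_code(shared_secret: bytes, counter: int) -> str:
    """Instance of the rotating security code for a given period counter (HMAC-based, assumed)."""
    mac = hmac.new(shared_secret, struct.pack(">Q", counter), hashlib.sha256).digest()
    return mac[:4].hex()     # 8 hex characters, enough for a demonstration

def period_counter(now: float) -> int:
    return int(now // PERIOD_SECONDS)

def sign_certificate(shared_secret: bytes, device_id: str, now: float = None) -> dict:
    """Device side: build the assertion, sign it with the current code, include the code."""
    now = time.time() if now is None else now
    code = rotating_code(shared_secret, period_counter(now))
    cert = {"device_id": device_id, "assertion": "authorized", "issued": int(now), "code": code}
    payload = json.dumps(cert, sort_keys=True).encode()
    signature = hmac.new(code.encode(), payload, hashlib.sha256).hexdigest()
    return {"cert": cert, "sig": signature}

def verify_certificate(shared_secret: bytes, registered_device_id: str,
                       signed: dict, now: float = None) -> bool:
    """Service side: check device ID, recover the code, regenerate expected instances, compare."""
    now = time.time() if now is None else now
    cert = signed.get("cert", {})
    # Claim 4: verify the device ID before anything else (constant-time compare).
    if not hmac.compare_digest(str(cert.get("device_id", "")), registered_device_id):
        return False
    recovered = str(cert.get("code", ""))
    base = period_counter(now)
    # The code may have rotated between signing and verification, so allow a small window.
    if not any(hmac.compare_digest(recovered, rotating_code(shared_secret, base + d))
               for d in range(-SKEW_WINDOW, SKEW_WINDOW + 1)):
        return False
    # The code checked out; now confirm the certificate itself was signed with it.
    payload = json.dumps(cert, sort_keys=True).encode()
    expected_sig = hmac.new(recovered.encode(), payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected_sig, str(signed.get("sig", "")))

if __name__ == "__main__":
    secret = b"constructed-shared-secret"      # constructed sample value
    signed = sign_certificate(secret, "device-123")
    print(verify_certificate(secret, "device-123", signed))
```

Note that the window means a code stays valid for up to about three periods; a service that must also stop replay within that window would additionally record codes it has already accepted.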
For additional information on this patent, see: Rangarajan, Sudarshan. Multi-factor authentication with code rotation.
(Our reports deliver fact-based news of research and discoveries from around the world.)