1. Patent Search
  2. Details

USER AUTHENTICATION SYSTEM

20230164130 · 2023-05-25

    Inventors

    Cpc classification

    International classification

    Abstract

    A user authentication system and method includes a network of guardian nodes and gatekeeper nodes configured to securely communicate with one another. The gatekeeper nodes are connected to service providers and the guardian nodes are associated with UAS customers. The guardian nodes and gatekeeper nodes are configured to generate tokens that are passed between the guardian nodes, gatekeeper nodes, service providers and UAS customers to authenticate UAS customers requesting access to service providers.

    Claims

    1. A secure communication system comprising: a network of guardian security nodes and gatekeeper security nodes configured to securely and directly communicate with one another; (a) wherein a guardian security node is associated with a customer; wherein the guardian security node is configured to maintain and store a registered customer account; wherein the guardian security node is configured to generate a token associated with a transaction; wherein the guardian security node is configured to directly transmit the token to a gatekeeper security node; (b) wherein the gatekeeper security node is associated with a service provider; wherein the gatekeeper security node is configured to maintain and store a registered service provider account; wherein the gatekeeper security node is configured to receive the token from the guardian node; wherein the gatekeeper security node is configured to associate the token received from the guardian node with a service provider account associated with the customer; and wherein the gatekeeper security node is configured to directly transmit service provider account information to the service provider.

    2. The secure communication system of claim 1, further comprising: wherein the guardian security node is configured to verify the customer’s identity and register the customer.

    3. The secure communication system of claim 1, further comprising: wherein the registered customer account includes a unique number corresponding to the customer.

    4. The secure communication system of claim 1, further comprising: wherein the registered customer account includes at least one user account key corresponding to the service provider.

    5. The secure communication system of claim 1, further comprising: wherein the registered customer account includes a network address of the gatekeeper security node associated with the service provider.

    6. The secure communication system of claim 1, further comprising: wherein the gatekeeper security node is configured to verify the service provider’s identity and register the service provider.

    7. The secure communication system of claim 1, further comprising: wherein the registered service provider account includes a service provider account unique number corresponding to the customer.

    8. The secure communication system of claim 1, further comprising: wherein the registered service provider account includes at least one service provider account key corresponding to the customer.

    9. The secure communication system of claim 1, further comprising: wherein the gatekeeper security node is configured to detect customers with multiple customer accounts for the same service provider.

    10. The secure communication system of claim 1, further comprising: wherein the gatekeeper security node is configured to receive data from one or more guardian security nodes and to detect if the customer has multiple customer accounts.

    11. The secure communication system of claim 1, further comprising: wherein the service provider account information is a username.

    12. The secure communication system of claim 1, further comprising: an executive node configured to securely communicate with the guardian security node and the gatekeeper security node; wherein the executive node stores public keys, and the guardian security node and the gatekeeper security node store private keys; and wherein the public keys and private keys are used for secure communication among the executive node, the guardian security node and the gatekeeper security node.

    13. The secure communication system of claim 12, further comprising: wherein the executive node includes a table of the guardian security nodes and the gatekeeper security nodes, which includes the network addresses of the guardian security nodes and the gatekeeper security nodes, the customers associated with each guardian security node and the service providers associated with each gatekeeper security node.

    14. The secure communication system of claim 13, wherein the executive node is configured to periodically distribute the table to the guardian security nodes and the gatekeeper security nodes.

    15. A secure communication system comprising: a network of guardian security nodes and gatekeeper security nodes configured to securely and directly communicate with one another;. (a) wherein a guardian security node is associated with a customer, wherein the guardian security node is configured to maintain and store a registered customer account; wherein the guardian security node is configured to generate a token associated with a transaction; wherein the guardian security node is configured to directly transmit the token to a gatekeeper security node; (b) wherein the gatekeeper security node is associated with a service provider; wherein the gatekeeper security node is configured to maintain and store a registered service provider account; wherein the gatekeeper security node is configured to receive the token from the guardian node; wherein the gatekeeper security node is configured to associate the token received from the guardian node with a service provider account associated with the customer; and wherein the gatekeeper security node is configured to directly transmit the service provider account information to the service provider; and (c) further comprising an executive node configured to securely communicate with the guardian security node and gatekeeper security node; wherein the executive node includes a table of the guardian security nodes and the gatekeeper security nodes, which includes network addresses of the guardian security nodes and the gatekeeper security nodes, the customers associated with each guardian security node and the service providers associated with each gatekeeper security node; and wherein the executive node is configured to periodically distribute the table to the guardian security nodes and the gatekeeper security nodes.

    16. The secure communication system of claim 15, further comprising: wherein the guardian security node is configured to verify the customer’s identity and register the customer.

    17. The secure communication system of claim 15, further comprising: wherein the registered customer account includes a unique number corresponding to the customer.

    18. The secure communication system of claim 15, further comprising: wherein the registered customer account includes at least one user account key corresponding to the service provider.

    19. The secure communication system of claim 15, further comprising: wherein the registered customer account includes a network address of the gatekeeper security node associated with the service provider.

    20. The secure communication system of claim 15, further comprising: wherein the gatekeeper security node is configured to verify the service provider’s identity and register the service provider.

    21. The secure communication system of claim 15, further comprising: wherein the registered service provider account includes a service provider account unique number corresponding to the customer.

    22. The secure communication system of claim 15, further comprising: wherein the registered service provider account includes at least one service provider account key corresponding to the customer.

    23. The secure communication system of claim 15, further comprising: wherein the gatekeeper security node is configured to detect customers with multiple customer accounts for the same service provider.

    24. The secure communication system of claim 15, further comprising: wherein the gatekeeper security node is configured to receive data from one or more guardian security nodes and to detect if the customer has multiple customer accounts.

    25. The secure communication system of claim 15, further comprising: wherein the executive node stores public keys, and the guardian security node and the gatekeeper security node store private keys; and wherein the public keys and private keys are used for secure communication among the executive node, the guardian security node and the gatekeeper security node.

    26. A secure communication system comprising: a network of guardian security nodes and gatekeeper security nodes configured to securely and directly communicate with one another; (a) wherein a guardian security node is associated with a customer, wherein the guardian security node is configured to maintain and store a registered customer account; wherein the registered customer account includes a unique number corresponding to the customer; wherein the guardian security node is configured to generate a token associated with a transaction; wherein the guardian security node is configured to directly transmit the token to a gatekeeper security node; (b) wherein the gatekeeper security node is associated with a service provider; wherein the gatekeeper security node is configured to maintain and store a registered service provider account; wherein the registered service provider account includes a service provider account unique number corresponding to the customer; wherein the gatekeeper security node is configured to receive the token from the guardian node; wherein the gatekeeper security node is configured to associate the token received from the guardian node with the service provider account key and with a service provider account associated with the customer; and wherein the gatekeeper security node is configured to directly transmit service provider account information to the service provider.

    27. The secure communication system of claim 26, further comprising: wherein the guardian security node is configured to verify the customer’s identity and register the customer.

    28. The secure communication system of claim 26, further comprising: wherein the registered customer account includes a network address of the gatekeeper security node associated with the service provider.

    29. The secure communication system of claim 26, further comprising: wherein the registered customer account includes at least one user account key corresponding to a service provider.

    30. The secure communication system of claim 26, further comprising: wherein the registered customer account includes a network address of the gatekeeper security node associated with the service provider.

    31. The secure communication system of claim 26, further comprising: wherein the registered service provider account includes at least one service provider account key corresponding to the customer.

    32. The secure communication system of claim 26, further comprising: wherein the gatekeeper security node is configured to verify the service provider’s identity and register the service provider.

    33. The secure communication system of claim 26, further comprising: wherein the gatekeeper security node is configured to detect customers with multiple customer accounts for the same service provider.

    34. The secure communication system of claim 26, further comprising: wherein the gatekeeper security node is configured to receive data from one or more guardian security nodes and to detect if the customer has multiple customer accounts.

    35. The secure communication system of claim 26, further comprising: wherein the unique number corresponding to the customer is the same as, or can be linked to, the service provider account unique number corresponding to the customer.

    36. The secure communication system of claim 26, further comprising: wherein the executive node includes a table of the guardian security nodes and the gatekeeper security nodes, which includes network addresses of the guardian security nodes and the gatekeeper security nodes, the customers associated with each guardian security node and the service provider associated with each gatekeeper security node; and wherein the executive node is configured to periodically distribute the table to the guardian security nodes and the gatekeeper security nodes.

    37. A secure communication system comprising: a network of guardian security nodes and gatekeeper security nodes configured to securely and directly communicate with one another; wherein a gatekeeper security node is associated with a service provider; wherein a guardian security node is associated with a customer; wherein the gatekeeper security node is configured to maintain and store a registered service provider account associated with the customer; wherein the guardian security node is configured to maintain and store a registered customer account; wherein the gatekeeper security node is configured to generate a token associated with a transaction and with the service provider account associated with the customer; wherein the guardian security node is configured to receive the token associated with the transaction; wherein the guardian security node is configured to transmit the token to the gatekeeper node; wherein the gatekeeper security node is configured to receive the token from the guardian node; and wherein the gatekeeper security node is configured to transmit service provider account information to the service provider.

    Description

    BRIEF DESCRIPTION OF THE DRAWINGS

    [0034] The foregoing summary, as well as the following detailed description, is better understood when read in conjunction with the appended drawings. For the purpose of illustrating the invention, exemplary embodiments are shown in the drawings, it being understood, however, that the present application is not limited to the specific embodiments disclosed. In the drawings:

    [0035] FIG. 1 is a diagram of an exemplary User Authentication System (UAS);

    [0036] FIG. 2 is another diagram of the of the exemplary UAS of FIG. 1; and

    [0037] FIG. 3 is a flowchart of an exemplary operation of the UAS of FIG. 1.

    DETAILED DESCRIPTION

    [0038] Before the various embodiments are described in further detail, it is to be understood that the invention is not limited to the particular embodiments described. It will be understood by one of ordinary skill in the art that the systems and methods described herein may be adapted and modified as is appropriate for the application being addressed and that the systems and methods described herein may be employed in other suitable applications, and that such other additions and modifications will not depart from the scope thereof. It is also to be understood that the terminology used is for the purpose of describing particular embodiments only, and is not intended to limit the scope of the claims of the present application.

    [0039] As shown in FIGS. 1 and 2, provided is a User Authentication System (UAS) 1 configured to provide authentication of customers 2 (C.sub.1, C.sub.2, C.sub.3 ... C.sub.n) for different online service providers 3 (P.sub.1, P.sub.2, P.sub.3 ... P.sub.n) across system boundaries. Each customer 2 may be an individual, agent or team, which accesses one or more internet services that require authentication for access. Service providers 3 provide such internet services (e.g., retail, media, financial, government, data management, etc.) with an obligation to secure their own systems and customer information of subscribing customers 2. UAS 1 may be connected to customers 2 and service providers 3 to provide authentication of customers 2 who are trying to access online services provided by the service providers 3 via network connections on computing devices (e.g., smartphones, computers, laptops, etc.).

    [0040] Typically, online service providers 3 build, support and/or manage their own user authentication functionality for providing customers 2 access to online services. Different service providers 3 may employ different authentication methods for granting customers 2 access to online services. For example, some service providers 3 may use a username and password to authenticate a customer 2 and grant access to said customer 2, while other service providers 3 may use two-factor authentication or some other authentication technique to authenticate a customer 2 and grant access to said customer 2.

    [0041] UAS 1 may provide an alternative means of authentication for participating customers 2 and service providers 3. Customers 2 and service providers 3 may register with UAS 1 to make use of the authentication functionality provided by UAS 1. Accordingly, participating customers 2 may use UAS 1 to access online services across system boundaries provided by different participating service providers 3. Also, participating service providers 3 may offload the authentication functionality to UAS 1 and mitigate the risks associated with user authentication.

    [0042] UAS 1 is a decentralized authentication system for securing user identities on the Internet, which eliminates a single point of failure. UAS 1 operates as shared infrastructure, replacing individual login screens. UAS 1 enables secure user authentication for sensitive transactions on all platforms (e.g., websites, native apps, the Internet of Things (IoT), etc.). UAS 1 preserves user privacy by avoiding the use of email addresses, phone numbers and personally identifiable information in the login process. UAS 1 also saves developers the trouble of creating and maintaining user login systems, while providing a consistent, high-quality user experience.

    [0043] The UAS 1 includes all of the necessary electronics, software, memory, storage, databases, firmware, logic/state machines, processors, microprocessors, servers, communication links, and any other input/output interfaces to perform the functions described herein and/or to achieve the results described herein. For example, the UAS 1 may include, or be in communication with, one or more processors and memory, which may include system memory, including random access memory (RAM) and read-only memory (ROM). Suitable computer program code may be provided to the UAS 1 for executing numerous functions, including those discussed herein in connection with providing user authentication.

    [0044] The one or more processors and/or microprocessors may be in communication with the memory, which may store any data and/or information typically found in computing devices, including an operating system, and/or one or more other programs (e.g., computer program code and/or a computer program product) that are stored in a non-transitory memory portion and adapted to direct the UAS 1 to perform according to the various embodiments discussed herein. Embodiments of the present invention are not limited to any specific combination of hardware and software.

    [0045] The computer program code may be provided on a suitable computer-readable medium, which as used herein, refers to any medium that provides or participates in providing instructions and/or data to the UAS 1 for execution. Such computer-readable medium may take many forms, including but not limited to, non-volatile media or memory and volatile memory. Non-volatile memory may include, for example, optical, magnetic, or opto-magnetic disks, or other non-transitory memory. Volatile memory may include dynamic random access memory (DRAM), which typically constitutes the main memory or other transitory memory.

    [0046] Referring to FIG. 2, UAS 1 operates as a highly cohesive, but loosely coupled, set of network nodes, including a single Executive Node 10, Guardian Nodes 20 (GN.sub.1, GN.sub.2 ... GN.sub.n) and Gatekeeper Nodes 30 (CN.sub.1, CN.sub.2 ... CN.sub.n), each implemented on its own server or cluster of servers. Customer identity data of customers 2 is partitioned between Guardian Nodes 20 and Gatekeeper Nodes 30 to protect privacy. Executive Node 10, Guardian Node 20 and Gatekeeper Node 30 may each be implemented in a centralized, decentralized or distributed computing system. An implementer (e.g., an individual or organization) builds and deploys a licensed instance of the UAS 1. The implementer stands up UAS 1 - the network of Guardian Nodes 20 and Gatekeeper Nodes 30 that are managed by the Executive Node 10. Node operators (e.g., individuals or organizations) build and deploy licensed instances of one or more Guardian Nodes 20 and/or Gatekeeper Nodes 30. Guardian Nodes 20 and Gatekeeper Nodes 30 may be located in different countries, preserving the rights of customers 2 and service providers 3 in different jurisdictions.

    [0047] Executive Node 10 is the entry point for system management of UAS 1. The primary function of Executive Node 10 is to maintain a table 12 of authentic Guardian Nodes 20 and Gatekeeper Nodes 30, including a network location (e.g., network address) and public key for each Guardian Node 20 and Gatekeeper Node 30. The Executive Node 10 periodically distributes this table 12 to each Guardian Node 20 and Gatekeeper Node 30, enabling the Guardian Nodes 20 and Gatekeeper Nodes 30 to securely communicate with one another.

    [0048] Guardian Nodes 20 interface with customers 2 on the network for authentication. For example, customers 2 may access Guardian Nodes 20 via browser applications on Internet of Things (IoT) devices. A customer 2 accesses a Guardian Node 20 to create a UAS customer account 22 (CA.sub.1, CA.sub.2, CA.sub.3 ... CA.sub.n). Customers 2 may select Guardian Nodes 20 of their choice that they trust. This selection may be based on a variety of factors including price, reputation, jurisdiction of the Guardian Node 20, availability of the Guardian Node 20 in the Customer’s location, liability guarantees provided by the Guardian Node 20 for security breaches, and/or any other similar commercial terms or factors of interest to the Customer 2. Customers 2 log in to their UAS customer accounts 22 at their selected Guardian Nodes 20 via a selected authentication method including cryptographic and/or biometric protocols. For initial identity verification, the customer 2 may provide basic contact information (e.g., email, phone, etc.) and choose a method of authentication and provide necessary details (e.g., authenticator app seed value). Importantly, Guardian Nodes 20 are not required to store any Personally Identifiable Information (PII) (e.g., full name, Social Security number, driver’s license number, bank account number, passport number, etc.) in UAS customer accounts 22. Once a customer’s 2 identity is verified when the UAS customer account 22 is created, subsequent customer 2 authentication is carried out using a selected authentication method (e.g., multifactor authentication (MFA), Public Key Infrastructure (PKI), biometric authentication, WebAuthn, etc.) that does not require PII.

    [0049] UAS customer account 22 may include information regarding the level security of the authentication method used in connection with the UAS customer account 22 and information regarding the amount of indemnity coverage in effect for the UAS customer account 22. The implementer of UAS 1 establishes the amount of indemnity coverage based on the level of security provided by the authentication method used. Also, the UAS customer account 22 for a customer 2 may include user account keys 24 (uK.sub.1 ... uK.sub.n) corresponding to different online services accessed by said customer 2 that are provided by participating service providers 3. Each user account key 24 corresponds to a specific online service and includes a unique number and a network address of the Gatekeeper Node 30 corresponding to the online service.

    [0050] A participating service provider 3 may implement UAS 1 for authentication functionality by accessing a Gatekeeper Node 30. Gatekeeper Nodes 30 interface with service providers 3 to provide authentication functionality for granting authenticated customers 2 access to online services. For example, service providers 3 may access Gatekeeper Nodes 30 via web server applications on Internet of Things (IoT) servers. Participating service providers 3 are provided UAS provider accounts 32 (PA.sub.1, PA.sub.2, PA.sub.3... PA.sub.n) that are maintained and stored at one or more selected Gatekeeper Nodes 30. Service Providers 3 may select Gatekeeper Nodes 30 of their choice that they trust. Like with the Guardian Nodes 20, the selection of Gatekeeper Nodes 30 may be based on a variety of factors including price, reputation of the Gatekeeper Nodes 30, jurisdiction of the Gatekeeper Nodes 30, availability of the Gatekeeper Nodes 30 in the service provider’s location, liability guarantees provided by the Gatekeeper Nodes 30 for security breaches, and/or any other similar commercial terms or factors of interest to the service provider 3. Each UAS provider account 32 may include service account keys 34 (sK.sub.1 ... sK.sub.n) corresponding to different customers 2 who access an online service managed by a specific service provider 3. Each service account key 34 corresponding to a customer 2 includes a unique number and a username associated with the online service managed by the specific service provider 3. The unique number in the service account key 34 associated with the online service and customer 2 is the same unique number in the user account key 24 associated with the same online service and customer 2. Thus, the unique number links the user account key 24 and service account key 34 associated with the same online service and customer 2.

    [0051] FIG. 3 shows an exemplary flow diagram illustrating operation of UAS 1 to authenticate a customer 2 seeking access to an online service provided by a service provider 3. The authentication process may be initiated by a customer 2 requesting access to an online service provided by a service provider 3 at block 36. When the service provider 3 receives the request from the customer 2 for access to its online service, the service provider 3 requests a token from the Gatekeeper Node 30 of the UAS 1 with which it has its UAS provider account 32 for the customer access request at block 38. The Gatekeeper Node 30 of the UAS 1 then generates a token associated with the request for the specific request for access at block 40.

    [0052] The token is a single use data object that includes a unique number, an identifier of the issuing Gatekeeper Node 30 and a session identifier that prevents replay attacks. At block 42, the token is then transmitted to the Guardian Node 20 of the customer 2 that has the customer’s UAS customer account 22 in order to confirm authentication of the customer 2.

    [0053] Although operation of the UAS 1 in FIG. 3 has thus far been described with the authentication process being initiated by a customer 2 requesting access to an online service provided by a service provider 3, in another example, authentication process may begin at block 44 with the customer 2 requesting a token from the Guardian Node 20 of the UAS 1 corresponding to the customer’s 2 UAS customer account 22 for a selected online service provided by a service provider 3. In this instance, at block 46, the Guardian Node 20 then generates the token, which is a single use data object that includes a unique number, an identifier of the issuing Guardian Node 20 and a session identifier that prevents replay attacks. The Guardian Node 20 introduces the customer 2 to the Gatekeeper Node 30 representing the desired online service by transmitting the token to the Gatekeeper Node 30 corresponding to the service provider 3 whose online services the customer 2 wishes to access at block 48. The Gatekeeper Node 30 then sends the token back to the Guardian Node 20 that issued the token in order to confirm authentication of the customer 2 at block 42.

    [0054] After the token is generated as described above (whether the token is generated by Guardian Node 20 or a Gatekeeper Node 30), the Guardian Node 20 receives the token for authentication of the customer 2 at block 42 and the Guardian Node 20 goes through the selected authentication method (e.g., multifactor authentication (MFA), Public Key Infrastructure (PKI), biometric authentication, WebAuthn, etc.) to authenticate the customer 2 at block 50. Once the customer 2 has gone through the authentication method, the Guardian Node 20 sends the token back to the Gatekeeper Node 30 with a SUCCEED/FAIL message to the Gatekeeper Node 30 at block 52. The SUCCEED/FAIL message indicates whether the customer 2 has been successfully authenticated and may include additional details such as information regarding the level security of the authentication method used in connection with the UAS customer account 22 and information regarding the amount of indemnity coverage in effect for the UAS customer account 22. If the customer 2 has been successfully authenticated, at block 54, the Gatekeeper Node 30 tells the corresponding service provider 3 which account belongs to the customer 2 by sending the service provider 3 the username associated with the service account key 34 corresponding to the customer 2 and the online service requested by the customer 2.

    [0055] As discussed above, in the authentication process provided by the UAS1, the token may be generated by either a Guardian Node 20 or a Gatekeeper Node 30. A defining property of UAS 1 is that the token is passed around the circle (Guardian Node 20, customer 2, service provider 3, Gatekeeper Node 30) and ending at the node where it was issued. This circular transmission provides for secure authentication, whereby each party appends the token to authenticate their identity before the appended token is transmitted back to the originating node and, therefore, it does not matter which node initiates the authentication procedure. Thus, the UAS 1 according to the present disclosure advantageously provides a system and method for user authentication with two security nodes, one selected by the service provider and one selected by the customer, without requiring agreement between the parties on a single authentication server.

    [0056] In some embodiments of the user authentication methods described herein, the token from the Guardian Node 20 indicating that the customer 2 has been successfully authenticated sent at block 52 may be passed from the receiving Gatekeeper Node 30 to a first service provider 3, e.g., the service provider 3 for which access was initially requested, and then on to a second service provider 3. In this way the customer 2 can prove their identity to the first service provider 3 and allow the first service provider 3 to share information about the customer 3 with the second service provider 3.

    [0057] In some embodiments of the user authentication methods described herein, the Gatekeeper Nodes 30 may be configured to share with the Guardian Nodes 20 tokenized versions of the public keys of the customers 2, thereby allowing the Gatekeeper Nodes 30 to detect if a particular customer 2 has created multiple accounts with a service because multiple accounts created and/or controlled by the same customer 2 are often used maliciously. Tokenization is a process of hashing a first piece of data so that the recipient, in this case the Guardian Node 20, is able to tell if that first piece of data was the same as a second piece of data without actually knowing either the first or second piece of data. Hashing is a one-way encryption function that does not allow the result to be decrypted.

    [0058] In some embodiments of the UAS 1, the customers’ devices maintain a data structure, such as a Merkle tree or the like, containing the customers’ public keys. When a customer 2 digitally signs a token in the authentication procedures described herein, the customer 2 appends an indicator of their set of public keys, such as the root hash of the Merkle tree containing their keys, which confirms all of the customer’s valid keys. In some embodiments of the present disclosure, the Guardian Nodes 20 may also maintain a data structure containing that customer’s public keys, such as a Merkle tree or the like, for each customer 2 having a UAS customer account 22 with the Guardian Node 20.

    [0059] In some embodiments of the user authentication methods described herein, the Guardian Nodes 20 and the Gatekeeper Nodes 30 may save the tokens from prior authentication transactions and present them to the customer 2 for verification. In this way the customer 2 can detect if a Guardian Node 20 or Gatekeeper Node 30 has performed an incorrect authentication.

    [0060] Although this invention has been shown and described with respect to specific embodiments thereof, it will be understood by those skilled in the art that various changes in form and detail thereof may be made without departing from the spirit and the scope of the invention. With respect to the embodiments of the systems described herein, it will be understood by those skilled in the art that one or more system components/devices may be added, omitted or modified without departing from the spirit and the scope of the invention. With respect to the embodiments of the methods described herein, it will be understood by those skilled in the art that one or more steps may be omitted, modified or performed in a different order and that additional steps may be added without departing from the spirit and the scope of the invention.