HK1136416A - Secure access to restricted resource - Google Patents
- Publication number
- HK1136416A
- Authority
- HK
- Hong Kong
- Prior art keywords
- access number
- user
- access
- authentication server
- identification information
Description
Background
Many companies use security devices, such as token devices, to manage access to their restricted resources. Companies issue token devices to their employees and/or customers. The token device generates a number that changes over time (e.g., every 1 minute). The company's server also generates numbers that track the numbers generated by these token devices. The number generated by the company's server is synchronized in time with the number generated by the token device.
When a user attempts to gain access to the company's restricted resources, the user provides the number currently shown on their token device to the company's server and provides a Personal Identification Number (PIN). The company's server manages access to the restricted resource based on the number provided by the user matching the number it generated and the user's PIN.
Token devices are expensive. While each token device may be less expensive by itself, it becomes expensive when purchasing the token device for all employees and/or customers of the company. Also, token devices need to be replaced periodically (e.g., every three years). Thus, token devices become a persistent expense. Moreover, if an employee/customer loses or forgets their token device, the employee/customer cannot access the company's restricted resources.
Drawings
FIG. 1 is an exemplary diagram illustrating concepts described herein;
FIG. 2 is an exemplary diagram of a network in which systems and methods described herein may be implemented;
FIG. 3 is an exemplary diagram of a device that may correspond to one or more of the telephone device, service provider server, computer device, and/or authentication server of FIG. 2;
FIG. 4 is a flow diagram of an exemplary process for selectively providing access to a restricted resource;
FIGS. 5A-5B are exemplary views of a telephone device illustrating portions of the process of FIG. 4;
FIG. 6 is an exemplary diagram of a computer device illustrating portions of the process of FIG. 4;
FIG. 7 is an exemplary diagram of another network in which systems and methods described herein may be implemented; and
FIG. 8 is an exemplary diagram of yet another network in which systems and methods described herein may be implemented.
Detailed Description
The following detailed description refers to the accompanying drawings. The same reference numbers in different drawings may identify the same or similar elements. Also, the following detailed description does not limit the invention.
Embodiments described herein may facilitate selective access to restricted resources. FIG. 1 is an exemplary diagram illustrating concepts described herein. As shown in fig. 1, a user may contact a service provider using a cellular telephone. The user may authenticate itself to the service provider using, for example, information identifying the user's cellular telephone (e.g., caller Identification (ID)) and possibly a password (e.g., any combination of letters, numbers, and/or symbols). If the user is properly authenticated, the service provider may provide an access number that may be displayed on the display of the cellular telephone. The user may enter the access number into a user interface of a computer device that provides access to the restricted resource. The access number may be used to authenticate the user and provide selective access to the restricted resource.
FIG. 2 is an exemplary diagram of a network 200 in which systems and methods described herein may be implemented. Network 200 may include a telephone device 210 connected to a service provider server 220 via a network 230, and a computer device 240 connected to an authentication server 250 and a restricted resource 260 via a network 270. For simplicity, a single telephone device 210, service provider server 220, computer device 240, authentication server 250, and restricted resource 260 have been illustrated as connected to networks 230 and 270. In practice, there may be more or fewer telephone devices, service provider servers, computer devices, authentication servers, and/or restricted resources.
Moreover, it is possible to implement some combination of telephone device 210, service provider server 220, computer device 240, authentication server 250, and/or restricted resource 260 in a single device. For example, telephony device 210 and computer device 240 may be implemented as a single device, authentication server 250 and restricted resource 260 may be implemented as a single device, and/or computer device 240 and restricted resource 260 may be implemented as a single device.
The telephone device 210 may include any type or form of communication device, such as a cellular telephone, cordless telephone, wireline telephone, satellite telephone, wireless telephone, smart phone, and the like. The user may use telephone device 210 to contact service provider server 220.
Service provider server 220 may include a device, such as a computer system, capable of communicating with network 270 via network 230. In one embodiment, service provider server 220 may be implemented as a single device. In another embodiment, service provider server 220 may be implemented as multiple devices co-located or remotely located from each other.
Computer device 240 may include any type or form of computing or communication device, such as a personal computer, laptop computer, Personal Digital Assistant (PDA), or the like. A user of computer device 240 may attempt to gain access to restricted resource 260 via authentication server 250. Authentication server 250 may include a device, such as a computer system, capable of authenticating a user with respect to selective access of restricted resource 260. In one embodiment, authentication server 250 may allow access to restricted resource 260 based on an access number from service provider server 220. Restricted resource 260 may include any type or form of resource to which access may be controlled, such as a private network (e.g., a corporate intranet), a device (e.g., a computer, storage device, or peripheral device), data (e.g., data associated with a user's account or profile), or software (e.g., an email application, word processing program, or operating system).
The network 230 may include a telephone network, such as a cellular network, a Public Switched Telephone Network (PSTN), or a combination of networks. Network 270 may include a Local Area Network (LAN), a Wide Area Network (WAN), a telephone network such as the PSTN or cellular network, an intranet, the Internet, or a combination of networks. It is possible that network 230 and network 270 are implemented as the same network.
FIG. 3 is an exemplary diagram of a device that may correspond to one or more of telephone device 210, service provider server 220, computer device 240, and/or authentication server 250. The device may include a bus 310, a processor 320, a main memory 330, a Read Only Memory (ROM) 340, a storage device 350, an input device 360, an output device 370, and a communication interface 380. Bus 310 may include a path that permits communication among the elements of the device.
Processor 320 may include a processor, microprocessor, or processing logic that may interpret and execute instructions. Main memory 330 may include a Random Access Memory (RAM) or another type of dynamic storage device that may store information and instructions for execution by processor 320. ROM 340 may include a ROM device or another type of static storage device that may store static information and instructions for use by processor 320. Storage device 350 may include a magnetic and/or optical recording medium and its corresponding drive.
Input device 360 may include mechanisms that allow an operator to input information into the device, such as a keyboard, a mouse, a pen, voice recognition, and/or biometric mechanisms, among others. Output device 370 may include mechanisms to output information to an operator, including a display, a printer, a speaker, and the like. Communication interface 380 may include any transceiver-like mechanism that enables the device to communicate with other devices and/or systems. For example, communication interface 380 may include mechanisms for communicating with another device or system via a network, such as networks 230 or 270.
As will be described in greater detail below, the apparatus shown in FIG. 3, as described herein, may perform certain operations related to obtaining selective access to restricted resource 260. The device may perform these operations in response to processor 320 executing software instructions contained in a computer-readable medium, such as memory 330. A computer-readable medium may be defined as a physical or logical memory device and/or carrier wave.
The software instructions may be read into memory 330 from another computer-readable medium, such as data storage device 350, or from another device via communication interface 380. The software instructions contained in memory 330 may cause processor 320 to perform processes that will be described below. Alternatively, hardwired circuitry may be used in place of or in combination with software instructions to implement processes described herein. Thus, implementations described herein are not limited to any specific combination of hardware circuitry and software.
FIG. 4 is a flow diagram of an exemplary process for selectively providing access to a restricted resource. In one embodiment, the process of FIG. 4 may be performed by one or more software and/or hardware components in telephone device 210, service provider server 220, computer device 240, authentication server 250, or a combination of telephone device 210, service provider server 220, computer device 240, and authentication server 250. FIGS. 5A-5B are exemplary views of a telephone device illustrating portions of the process of FIG. 4. FIG. 6 is an exemplary diagram of a computer device illustrating portions of the process of FIG. 4.
Processing may begin with initiating a telephone call to a predetermined telephone number (block 410). For example, as shown in FIG. 5A, a user may enter a telephone number associated with service provider server 220 into telephone device 210. Telephone device 210 may call service provider server 220 when instructed by a user.
A telephone call may be received and the user may be authenticated (blocks 420 and 430). For example, service provider server 220 may identify the user based on unique telephone identification information associated with telephone device 210, such as caller ID information, International Mobile Subscriber Identity (IMSI) information, or other information unique to telephone device 210. Based on user identification information specific to the user, such as a password or biometric data (e.g., voice signals), service provider server 220 may identify the user of telephone device 210. For example, service provider server 220 may ask the user to provide user identification information, and may compare the user identification information to identification information previously associated with telephone device 210. It is possible that multiple users are associated with the same telephone device 210. In this case, service provider server 220 may use the user identification information provided by the user to determine whether the user is one of the users, and if so, which.
If the user is not properly authenticated, the call may be disconnected. However, if the user is properly authenticated, the access number may be provided to telephone device 210 and authentication server 250 (block 440). For example, service provider server 220 may include a hardware or software access number generator configured to generate a random string of characters (e.g., any combination of numbers, letters, and/or symbols) of a predetermined length to be used as an access number. In one embodiment, the access number may include user identification information (or possibly phone identification information) embedded therein. In this case, a random character string may be generated, and then, the character string may be modified to embed the user identification information. The user identification information may be embedded in a manner known to authentication server 250 so that authentication server 250 can determine the user identification information from the access number.
It is beneficial to generate the access number in a manner that is unpredictable and not reproducible (e.g., by a hacker). The access number may have an expiration time (e.g., 1 minute, 5 minutes, 30 minutes, etc.) that indicates when the access number expires. For security purposes, a shorter expiration time is more advantageous than a longer expiration time. Furthermore, the access number may be designed to be used once, so that the access number may expire immediately upon use.
Service provider server 220 may send the access number to telephone device 210. In one embodiment, as shown in FIG. 5B, service provider server 220 may send the access number in a message for presentation on the display of telephone device 210. Service provider server 220 may also send the same access number to authentication server 250. In one embodiment, service provider server 220 may send the access number along with information about the user in a message to authentication server 250. Authentication server 250 may use the user information to match subsequent user access attempts with the message (and thus, the access number) received from service provider server 220.
At some point, authentication server 250 may be contacted (block 450). For example, as shown in fig. 6, a user may access a user interface associated with computer device 240 or authentication server 250. In one embodiment, the user may access the user interface using, for example, a web browser provided on the computer device 240. In another embodiment, the user interface may be automatically presented to the user upon booting the computer device 240.
The access number may be presented to authentication server 250 (block 460). For example, authentication server 250 may request various information to properly authenticate the user. In one embodiment, as shown in fig. 6, authentication server 250 may authenticate a user based on the user's username (e.g., BillyWest) and access number (e.g., 46A9B 39P). If the access number includes user identification information (or phone identification information) embedded therein, authentication server 250 may authenticate the user based on the username, access number, and user identification information.
To provide further security, authentication server 250 may authenticate the user based on the user name, the access number, and one or more additional pieces of information, such as a password that is unique to the user, biometric information that is unique to the user, a password that is unique to a group of users (e.g., employees of the same company), an address that is unique to computer device 240 used by the user, or some other information that may uniquely or semi-uniquely identify the user.
The access number may be provided to authentication server 250 in a variety of ways. For example, the user may enter the access number using an input device such as a keyboard. Alternatively, the access number may be communicated directly or indirectly from the telephony device 210 to the computer device 240 via a wired or wireless connection.
The user may be authenticated based on the access number (block 470). For example, as described above, authentication server 250 may gather information from a user and authenticate the user. In one embodiment, authentication server 250 may properly authenticate the user based on the username and valid access number, as described above. An access number may be considered valid when the access number matches the access number received from service provider server 220 and the access number is received before expiration. In another embodiment, authentication server 250 may use the additional information to properly authenticate the user, as described above. Authentication server 250 may expire the access number immediately after the access number is used. In this case, if the user subsequently attempts to authenticate to the authentication server using the same access number, authentication server 250 will not properly authenticate the user because the access number will be identified as invalid.
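The generation and validation rules described above (an unpredictable access number, an expiration time, single use, and a match against the copy received from the service provider) can be sketched as follows. This is an added example, not code from the patent; the class and function names, the character set, the 60-second lifetime and the limit of three failed attempts are assumptions.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed parameters: the text only says "predetermined length" and gives
# example expiration times of 1, 5 or 30 minutes.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # no I/O/0/1, easier to read off a phone
ACCESS_NUMBER_LENGTH = 8
DEFAULT_TTL_SECONDS = 60
MAX_FAILURES = 3  # assumed guess limit, not stated in the text


def generate_access_number(length=ACCESS_NUMBER_LENGTH):
    """Service provider side: every character comes from the OS CSPRNG, so the
    value is unpredictable and cannot be reproduced from earlier outputs."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


@dataclass
class _Pending:
    access_number: str
    expires_at: float
    failures: int = 0


class AuthenticationServer:
    """Stores the copy sent by the service provider and checks user attempts."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock          # injectable so expiry can be tested
        self._pending = {}           # username -> _Pending

    def register(self, username, access_number, ttl=DEFAULT_TTL_SECONDS):
        """Message from the service provider (block 440). A newer number
        replaces any older one still pending for the same user."""
        self._pending[username] = _Pending(access_number, self._clock() + ttl)

    def authenticate(self, username, presented):
        """Blocks 460-470: accept only an unexpired, unused, matching number."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        if self._clock() >= entry.expires_at:
            del self._pending[username]          # expired: discard
            return False
        # Constant-time comparison avoids leaking how many characters matched.
        if not hmac.compare_digest(entry.access_number.encode(), presented.encode()):
            entry.failures += 1
            if entry.failures >= MAX_FAILURES:
                del self._pending[username]      # user must call again (block 410)
            return False
        del self._pending[username]              # single use: expire on success
        return True


if __name__ == "__main__":
    server = AuthenticationServer()
    number = generate_access_number()            # constructed sample value
    server.register("BillyWest", number)
    print("first attempt:", server.authenticate("BillyWest", number))
    print("replay:       ", server.authenticate("BillyWest", number))
```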
Selective access to restricted resource 260 may be provided (block 480). For example, if authentication server 250 fails to properly authenticate the user, authentication server 250 may deny the user access to restricted resource 260. In this case, the user may need to call service provider server 220 again to obtain a new access number (e.g., block 410). If authentication server 250 properly authenticates the user, authentication server 250 may grant the user access to restricted resource 260. In this case, authentication server 250 may send a message to restricted resource 260, or another device (e.g., a firewall, gateway, etc.) that manages access to restricted resource 260, to allow the user's access rights. Based on the policy associated with restricted resource 260, a user's access to restricted resource 260 may be unrestricted (e.g., allow unrestricted access to any portion of restricted resource 260) or restricted (e.g., only allow access to certain portion(s) of restricted resource 260).
In an alternative embodiment, the access number provided by service provider server 220 may not include user identification information (or telephone identification information) embedded therein. In this case, authentication server 250 may authenticate the user based on the username, access number, and other information unique to the user, such as a password or biometric data.
In yet another embodiment, service provider server 220 may authenticate the user based only on the phone identification information. In this case, authentication server 250 may authenticate the user based on the username, access number, and other information unique to the user, such as a password or biometric data.
FIG. 7 is an exemplary diagram of another network 700 in which systems and methods described herein may be implemented. Network 700 may include a telephone device 210 connected to service provider server 220 via network 230 and a computer device 240 connected to restricted resources 710-730 via network 270. The telephone device 210, service provider server 220, network 230, computer device 240, and network 270 may be configured similar to the same elements described with respect to FIG. 2.
Although authentication server 250 is not shown in FIG. 7, it may be assumed that there is an authentication server for each company or each restricted resource (not shown). Alternatively, the functionality of the authentication server may be embedded in restricted resources 710-730.
Each of restricted resources 710-730 may be configured similar to restricted resource 260 described with respect to FIG. 2. Although three restricted resources 710-730 are shown in FIG. 7, in practice, there may be more or fewer restricted resources. However, it is assumed that restricted resources 710-730 are associated with different legal entities (e.g., companies) in network 700. As shown in FIG. 7, restricted resource 710 may be associated with company A, restricted resource 720 may be associated with company B, and restricted resource 730 may be associated with company C. Each of companies A-C may subscribe to an authentication service provided by service provider server 220.
In this case, the user may be selectively provided access to any of restricted resources 710-730 using a process similar to that described above with respect to FIG. 4. As a result, service provider server 220 is able to cross-authenticate users of a restricted resource of one company to another company. This may create a corporate community that relies on the same authentication source (e.g., service provider server 220). This may also allow cross-promotions, so that company A may promote to company C such that customers of company C may gain quick and secure access to company A's restricted resources using the same authentication procedure they are currently using for company C.
When a user accesses service provider server 220 to obtain an access number, service provider server 220 may determine which company or companies the user is associated with. For example, a user may be a customer of both company A and company B. In this case, when service provider server 220 sends an access number to the user, service provider server 220 may also provide the access number to both companies in anticipation of the user attempting to gain access to a restricted resource associated with one of the two companies. Alternatively, service provider server 220 may identify that the user is associated with multiple companies and ask the user to select one of the companies for which the user subsequently attempts to access the restricted resource.
Fig. 8 is an exemplary diagram of yet another network 800 in which systems and methods described herein may be implemented. Network 800 may include user device 810 connected to service provider server 220 via network 230 and to authentication server 250 and restricted resource 260 via network 270. Service provider server 220, network 230, authentication server 250, restricted resource 260, and network 270 may be configured similar to the same elements described with respect to fig. 2.
User device 810 may include any type of communication or computing device, such as a telephone device similar to telephone device 210, a computer device similar to computer device 240, or a device that combines aspects of a telephone device and a computer device. In network 800, user device 810 may be used not only to receive an access number from service provider server 220, but also to use the access number to access restricted resource 260. In other words, user device 810 may contact service provider server 220 to obtain the access number. User device 810 may then contact authentication server 250 and use the access number to gain access to restricted resource 260. In these embodiments, separate telephone devices and computer devices may not be necessary.
Embodiments described herein may provide a security technique for providing a user with access to a restricted resource.
The foregoing description provides illustration and description, but is not intended to be exhaustive or to limit the invention to the precise form disclosed. Modifications and variations are possible in light of the above teachings or may be acquired from practice of the invention.
For example, while series of acts have been described with regard to fig. 4, the order of the acts may be modified in other implementations. Also, non-dependent actions may be performed in parallel.
Also, while it has been described that the user receives the access number from service provider server 220 via a telephone call, this need not be the case. In another embodiment, the user may receive the access number via a text message, such as an instant message, or another form of reliable, quick communication.
Furthermore, it has been described to obtain access to restricted resources via an authentication server. In another embodiment, the service provider may operate as a proxy server for the restricted resource so that the user may gain access to the restricted resource through the service provider server.
It will be apparent that the systems and methods described above may be implemented in many different forms of software, firmware, and hardware in the implementations illustrated in the figures. The actual software code or specialized control hardware used to implement the systems and methods does not limit the invention. Thus, the operation and behavior of the systems and methods were described without reference to the specific software code, it being understood that software and control hardware could be designed to implement the systems and methods based on the description herein.
No element, act, or instruction used in the present application should be construed as critical or essential to the invention unless explicitly described as such. Also, as used herein, an item without an added quantity is intended to comprise one or more items. Where only one item is referred to, the term "one" or similar language is used. Moreover, the phrase "based on" is intended to mean "based, at least in part, on" unless explicitly stated otherwise.
Claims (23)
1. A method, comprising:
receiving a telephone call from a user;
authenticating the user;
generating an access number when the user is authenticated; and
sending the access number to the user and an authentication server to manage access to a restricted resource based on the access number sent to the user and the access number sent to the authentication server.
2. The method of claim 1, wherein the user makes the telephone call using a telephone device; and
wherein authenticating the user comprises:
determining first identification information associated with the telephony device,
determining second identification information associated with the user, and
authenticating the user based on the first identification information and the second identification information.
3. The method of claim 2, wherein determining first identification information associated with the telephony device comprises:
determining at least one of caller Identification (ID) information or international mobile subscriber identity information.
4. The method of claim 2, wherein determining second identifying information associated with the user comprises:
receiving at least one of a password or biometric data from the user.
5. The method of claim 2, wherein generating an access number comprises:
generating a random string, and
embedding one of the first identification information or the second identification information in the random character string as the access number.
6. The method of claim 1, further comprising:
disconnecting the telephone call without sending the access number to the user when the user is not authenticated.
7. The method of claim 1, wherein generating the access number comprises:
generating a random string of a predetermined length as the access number.
8. The method of claim 1, wherein generating the access number comprises:
generating, as the access number, a random string having a predetermined length with an expiration time indicating when the access number expires.
9. The method of claim 1, further comprising:
determining that the user is associated with a plurality of companies, each of the companies including a respective authentication server; and
wherein sending the access number comprises:
transmitting the access number to the authentication servers corresponding to the plurality of companies.
10. A system, comprising:
a service provider for:
receiving a telephone call from a user;
authenticating the user;
generating an access number when the user is authenticated; and
providing the access number to the user as a first access number and to an authentication server as a second access number to manage access to a restricted resource based on the first access number and the second access number.
11. The system of claim 10, wherein the user makes the telephone call using a telephone device; and
wherein, when authenticating the user, the service provider server is configured to:
determine first identification information associated with the telephony device,
determine second identification information associated with the user, and
authenticate the user based on the first identification information and the second identification information.
12. The system of claim 11, wherein the first identification information comprises at least one of caller Identification (ID) information or international mobile subscriber identity information.
13. The system of claim 11, wherein the second identification information comprises at least one of a password or biometric data associated with the user.
14. The system of claim 11, wherein, when generating the access number, the service provider is configured to:
generate a random string, and
embed one of the first identification information or the second identification information in the random character string as the access number.
15. The system of claim 10, wherein the access number comprises a random string having a predetermined length with an expiration time indicating when the access number expires.
16. The system of claim 10, wherein the authentication server is configured to:
receive the first access number from the user,
determine whether the first access number is valid,
compare the first access number with the second access number, and
determine that the user is allowed to access the restricted resource when the first access number is valid and the first access number matches the second access number.
17. The system of claim 16, wherein the access number has an expiration time indicating when the access number expires; and
wherein, when determining whether the first access number is valid, the authentication server is configured to determine that the first access number is valid when the first access number has not expired.
18. A system, comprising:
an authentication server to:
receive a first access number from a service provider;
receive a second access number from a user, the second access number being provided to the user from the service provider via a telephone call;
determine whether the second access number is valid;
compare the first access number and the second access number; and
provide the user with selective access to a restricted resource based on whether the second access number is valid and a result of the comparison of the first access number and the second access number.
19. The system of claim 18, wherein the second access number has an expiration time indicating when the second access number expires; and
wherein, when determining whether the second access number is valid, the authentication server is configured to determine that the second access number is valid when the second access number has not expired.
20. The system of claim 18, wherein, when providing selective access to the restricted resource, the authentication server is configured to determine that the user is allowed to access the restricted resource when the second access number is valid and the first access number matches the second access number.
21. The system of claim 18, wherein the authentication server is further configured to expire the second access number after providing selective access to the restricted resource based on the second access number.
22. The system of claim 18, wherein, when providing selective access to the restricted resource, the authentication server is configured to send a message to the restricted resource or a device managing access to the restricted resource that grants the user access to the restricted resource when the user is allowed access to the restricted resource.
23. A system, comprising:
means for generating an access number;
means for providing the access number to a user via a telephone call;
means for providing the access number to an authentication server; and
means for managing access by the user to a restricted resource based on the access number provided to the user and the access number provided to the authentication server.
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US11/562,607 | 2006-11-22 |
Publications (1)
Publication Number | Publication Date |
---|---|
HK1136416A (en) | 2010-06-25 |