US20170134391A1 - Location and device based student access control - Google Patents

Location and device based student access control Download PDF

Info

Publication number
US20170134391A1
US20170134391A1 US15/411,699 US201715411699A US2017134391A1 US 20170134391 A1 US20170134391 A1 US 20170134391A1 US 201715411699 A US201715411699 A US 201715411699A US 2017134391 A1 US2017134391 A1 US 2017134391A1
Authority
US
United States
Prior art keywords
location
particular user
determining
information
subsequent request
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US15/411,699
Inventor
Rajaa Mohamad Abdul Razack
Pavan Aripirala Venkata
Sharad Gupta
Raghunadha Konda
Balaji Nidadavolu
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Phoenix Inc, University of
Original Assignee
Apollo Education Group Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Apollo Education Group Inc filed Critical Apollo Education Group Inc
Priority to US15/411,699 priority Critical patent/US20170134391A1/en
Publication of US20170134391A1 publication Critical patent/US20170134391A1/en
Assigned to THE UNIVERSITY OF PHOENIX, INC. reassignment THE UNIVERSITY OF PHOENIX, INC. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: APOLLO EDUCATION GROUP, INC.
Abandoned legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/107Network architectures or network communication protocols for network security for controlling access to devices or network resources wherein the security policies are location-dependent, e.g. entities privileges depend on current location or allowing specific operations only from locally connected terminals
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083Network architectures or network communication protocols for network security for authentication of entities using passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • H04W12/065Continuous authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/08Access security
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/08Access security
    • H04W12/082Access security using revocation of authorisation
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W4/00Services specially adapted for wireless communication networks; Facilities therefor
    • H04W4/02Services making use of location information
    • H04W4/021Services related to particular areas, e.g. point of interest [POI] services, venue services or geofences
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/082Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying multi-factor authentication

Definitions

  • the present invention relates to methods and systems for controlling access to online services, and in particular, for implementing access controls by means of geolocation and geofencing, as well as by only permitting access from a particular device/browser combination.
  • username/password authentication One way to restrict access to online content or services is to use username/password authentication.
  • Username/password authentication is easily thwarted, however, when unauthorized users are told or otherwise obtain the username/password of authorized users.
  • FIG. 1 is a block diagram that depicts an example network arrangement for a location and device based student access, according to embodiments.
  • FIG. 2 depicts a flow chart showing the initial registration and configuration of the challenge questions.
  • FIG. 3 depicts a flow chart showing device/browser based access control.
  • FIG. 4 depicts a flow chart showing location based access control.
  • FIG. 5 is a block diagram of a computer system on which embodiments may be implemented.
  • Methods and systems are provided for controlling access to online activities, for example online exams and the like.
  • a student can only be present in one place at a given time. They therefore cannot participate in two different online classroom activities at the same time.
  • current authentication methods do not ensure that a student's identity has not been compromised.
  • an online activity provider may require a method of verifying that only the registered student—and not someone who possesses the login credentials—is participating in a given online classroom activity.
  • a second authentication mechanism is used to verify their identity to ensure the login is not fraudulent. If the student successfully confirms his identity by the second authentication mechanism, they can then be offered a choice between (a) being granted access to the activity on his current device (thereby ceasing activity on the previous device), or (b) continuing access on the previous device (thereby being denied login on the current device). Additionally, access may be controlled on the basis of comparing the time and location of an online session with the time and location of a previous session, and determining whether it is possible for a user to have travelled the distance between the location of the current session and the location of the previous session. If the travel is not possible, and the same user ID was used for both sessions, then the second session is not allowed to proceed.
  • Client devices 110 A- 110 C may be implemented by any type of computing device that is communicatively connected to network 120 .
  • Example implementations of client devices 110 A- 110 C include, without limitation, workstations, personal computers, laptop computers, personal digital assistants (PDAs), tablet computers, cellular telephony devices such as smart phones, and any other type of computing device.
  • PDAs personal digital assistants
  • tablet computers tablet computers
  • cellular telephony devices such as smart phones
  • client devices 110 A- 110 C are each communicatively coupled to a display device (not shown in FIG. 1 ) for displaying graphical user interfaces.
  • a display device may be implemented by any type of device capable of displaying a graphical user interface.
  • Example implementations of a display device include a monitor, a screen, a touch screen, a projector, a light display, a display of a tablet computer, a display of a telephony device, a television, etc.
  • Network 120 may be implemented with any type of medium and/or mechanism that facilitates the exchange of information between client devices 110 A- 110 C and server device 130 . Furthermore, network 120 may facilitate use of any type of communications protocol, and may be secured or unsecured, depending upon the requirements of a particular embodiment.
  • Database 140 includes various data elements that can be used to tailor the online service 132 for the individual needs of each user at respective client devices 110 A- 110 C, as discussed in further detail below, for example, authenticated mechanism data and associated information, location data, and user data. These various types of data are described in greater detail below.
  • Database 140 may reside in any type of storage, including volatile and non-volatile storage (e.g., random access memory (RAM), one or more hard or floppy disks, main memory, etc.), and may be implemented by multiple logical databases. The storage on which database 140 resides may be external or internal to server device 130 .
  • an online activity can permit simultaneous access from different devices, or different browsers on the same device. If the online activity does not permit simultaneous access, the properly authenticated user is prompted to choose the device on which he or she wishes to participate in the online activity, and the other device is thereby logged out.
  • the second authentication mechanism can employ any authentication method, for example a set of one or more challenge questions, a biometric authentication method, or any other suitable authentication method.
  • the second authentication method should differ from the first authentication method. If a user 101 is successfully authenticated by the second authentication mechanism at step 330 , then the method proceeds to step 340 .
  • the user 101 is asked whether the user desires the UDBI of the user's current device/browser combination to be stored. In response to an affirmative response at step 340 , server device 130 stores UDBI 1 in the database 140 in association with user 101 .
  • the user 101 may also choose to decline to tag the device/browser combination as a “known device” for user 101 . This may occur, for example, if he is borrowing a friend's device, or if he is attempting to access the service 132 from a public computer.
  • step 350 if the service 132 does not permit simultaneous access from multiple devices or browsers, the method proceeds to step 370 .
  • the user 101 is prompted to choose between continuing the activity on the previous device or the current device. If the user 101 chooses to continue the activity on the current device, the method advances to step 360 and access is granted. If the student chooses to continue the activity on the device he logged in from previously, the method proceeds to step 365 and access to the desired activity is denied.
  • FIG. 3 an embodiment was described in which device/browser combinations were treated as “known” or “unknown”, where unknown device/browser combinations require an additional level of authentication.
  • the known/unknown determination may be performed at the device level, rather than the device/browser combination level.
  • a device would be treated as “known” if the user had previously used the device to access the service, even if the previous access was performed using a different application than the user is currently using to access the service.
  • server device 130 obtains location information and time information pertaining to the current login.
  • server device 130 can obtain location information of the user device from the GPS system on the user device.
  • server device 130 the location information can be obtained from the IP address associated with the login, by querying the Internet Service Provider on the current location of the device, or any other suitable method of determining the current location.
  • the time information can be obtained from the system time of the server device 130 .
  • Server device 130 records the location and time information at the end of a session and stores the information in the database 140 .
  • server device 130 retrieves location and time information recorded at the end of the previous login session.
  • the server device 130 determines whether the user 101 could have plausibly traveled from the location associated with the user's most recent session with the service to his current location in the time that has expired since the user's most recent session with the service. Step 450 can be performed, for example, by comparing the time and location of the current login to a time and location of the preceding login.
  • Service device 130 may use a publicly available service, such as Google Maps, to determine how much time it takes for a person to travel between the two locations. If travel is determined to be feasible between the locations in the time that has lapsed between sessions, the method proceeds to step 460 , permitting access to the online activity. If travel is determined to be unfeasible between the locations in the amount of time that lapsed between sessions, the method proceeds to step 465 and access is denied.
  • the server device 130 can calculate the distance between the location of the current login and the location of the previous login using the HTML location data. In another embodiment, the server device 130 can determine the location of the device from the known location of a WiFi hotspots that the device is currently connected to. In another embodiment, the server device 130 can determine the location of the device from the known location of a cellular tower that the device is currently connected to. Server device 130 can then calculate the time elapsed between the current login and the previous login, by comparing the current system time with the system time recorded during the previous login.
  • the server device 130 uses the distance and time elapsed values obtained to calculate an average speed, and compares the calculated speed value to a pre-defined plausible average speed value. If the calculated speed value is lower than the pre-defined average speed value, then travel between the locations is plausible.
  • the server device 130 can calculate the distance between the location of the current login and the location of the previous login, and calculate the time elapsed between the current login and the previous login. To determine whether travel between the locations is possible in the time elapsed, the server device 130 uses the values obtained to calculate an average speed, and compares the calculated speed value to previously observed average speed values. If the calculated speed value is lower than the previously observed average speed values, then travel between the locations is plausible.
  • the server device 130 can query a public travel site to obtain the travel time between the locations, using the location of the previous login as the point of departure, and the location of the current login as the point of arrival. Any suitable travel site such as Kayak, Travelocity, or the like may be utilized. Server device 130 can then determine whether travel between the locations is plausible by comparing the travel time obtained from the public travel site to the time elapsed between the current login and the previous login.
  • FIG. 5 is a block diagram that illustrates a computer system 600 upon which an embodiment of the invention may be implemented.
  • Computer system 500 includes a bus 502 or other communication mechanism for communicating information, and a hardware processor 504 coupled with bus 502 for processing information.
  • Hardware processor 504 may be, for example, a general purpose microprocessor.
  • Computer system 500 also includes a main memory 506 , such as a random access memory (RAM) or other dynamic storage device, coupled to bus 502 for storing information and instructions to be executed by processor 504 .
  • Main memory 506 also may be used for storing temporary variables or other intermediate information during execution of instructions to be executed by processor 504 .
  • Such instructions when stored in non-transitory storage media accessible to processor 504 , render computer system 500 into a special-purpose machine that is customized to perform the operations specified in the instructions.
  • Computer system 500 may be coupled via bus 502 to a display 512 , such as a cathode ray tube (CRT), for displaying information to a computer user.
  • a display 512 such as a cathode ray tube (CRT)
  • An input device 514 is coupled to bus 502 for communicating information and command selections to processor 504 .
  • cursor control 516 is Another type of user input device
  • cursor control 516 such as a mouse, a trackball, or cursor direction keys for communicating direction information and command selections to processor 504 and for controlling cursor movement on display 512 .
  • This input device typically has two degrees of freedom in two axes, a first axis (e.g., x) and a second axis (e.g., y), that allows the device to specify positions in a plane.
  • Computer system 500 may implement the techniques described herein using customized hard-wired logic, one or more ASICs or FPGAs, firmware and/or program logic which in combination with the computer system causes or programs computer system 500 to be a special-purpose machine. According to one embodiment, the techniques herein are performed by computer system 500 in response to processor 504 executing one or more sequences of one or more instructions contained in main memory 506 . Such instructions may be read into main memory 506 from another storage medium, such as storage device 510 . Execution of the sequences of instructions contained in main memory 506 causes processor 504 to perform the process steps described herein. In alternative embodiments, hard-wired circuitry may be used in place of or in combination with software instructions.
  • storage media include, for example, a floppy disk, a flexible disk, hard disk, solid-state drive, magnetic tape, or any other magnetic data storage medium, a CD-ROM, any other optical data storage medium, any physical medium with patterns of holes, a RAM, a PROM, and EPROM, a FLASH-EPROM, NVRAM, any other memory chip or cartridge.
  • Various forms of media may be involved in carrying one or more sequences of one or more instructions to processor 504 for execution.
  • the instructions may initially be carried on a magnetic disk or solid-state drive of a remote computer.
  • the remote computer can load the instructions into its dynamic memory and send the instructions over a telephone line using a modem.
  • a modem local to computer system 500 can receive the data on the telephone line and use an infra-red transmitter to convert the data to an infra-red signal.
  • An infra-red detector can receive the data carried in the infra-red signal and appropriate circuitry can place the data on bus 502 .
  • Bus 502 carries the data to main memory 506 , from which processor 504 retrieves and executes the instructions.
  • the instructions received by main memory 506 may optionally be stored on storage device 510 either before or after execution by processor 504 .
  • Computer system 500 also includes a communication interface 518 coupled to bus 502 .
  • Communication interface 518 provides a two-way data communication coupling to a network link 520 that is connected to a local network 522 .
  • communication interface 518 may be an integrated services digital network (ISDN) card, cable modem, satellite modem, or a modem to provide a data communication connection to a corresponding type of telephone line.
  • ISDN integrated services digital network
  • communication interface 518 may be a local area network (LAN) card to provide a data communication connection to a compatible LAN.
  • LAN local area network
  • Wireless links may also be implemented.
  • communication interface 518 sends and receives electrical, electromagnetic or optical signals that carry digital data streams representing various types of information.
  • Network link 520 typically provides data communication through one or more networks to other data devices.
  • network link 520 may provide a connection through local network 522 to a host computer 524 or to data equipment operated by an Internet Service Provider (ISP) 526 .
  • ISP 526 in turn provides data communication services through the world wide packet data communication network now commonly referred to as the “Internet” 528 .
  • Internet 528 uses electrical, electromagnetic or optical signals that carry digital data streams.
  • the signals through the various networks and the signals on network link 520 and through communication interface 518 which carry the digital data to and from computer system 500 , are example forms of transmission media.
  • Computer system 500 can send messages and receive data, including program code, through the network(s), network link 520 and communication interface 518 .
  • a server 530 might transmit a requested code for an application program through Internet 528 , ISP 526 , local network 522 and communication interface 518 .
  • the received code may be executed by processor 504 as it is received, and/or stored in storage device 510 , or other non-volatile storage for later execution.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

Techniques are described for controlling access to an online service by a one or more authentication mechanisms based on device, browser, or location, or a combination of the three. A method comprises receiving a request to access a service, receiving, in association with the request, a first access mechanism, receiving a first and second level of authentication associated with the user requesting the service, updating authenticated-mechanism data to indicate that the first access mechanism is an authenticated access mechanism for the particular user, receiving a second request to access the service, in response to receiving a second request, determining whether the second access mechanism is an authenticated access mechanism for the particular user, upon determining that the second access mechanism is not an authenticated mechanism, requesting a second level of authentication for the particular user, otherwise granting access.

Description

    BENEFIT CLAIMS
  • This application claims the benefit as a divisional of application Ser. No. 14/657,936, filed Mar. 13, 2015 the entire contents of which is hereby incorporated by reference as if fully set forth herein, under 35 U.S.C. §120. The applicant(s) hereby rescind any disclaimer of claim scope in the parent application(s) or the prosecution history thereof and advise the USPTO that the claims in this application may be broader than any claim in the parent application(s).
    • FIELD OF THE INVENTION
  • The present invention relates to methods and systems for controlling access to online services, and in particular, for implementing access controls by means of geolocation and geofencing, as well as by only permitting access from a particular device/browser combination.
    • BACKGROUND
  • One way to restrict access to online content or services is to use username/password authentication. Username/password authentication is easily thwarted, however, when unauthorized users are told or otherwise obtain the username/password of authorized users.
  • In some online environments, such as online education, it is particularly important to ensure that the person using log-in credentials is the actual person that was provided those log-in credentials. For example, the integrity of tests that are administered online would be compromised if one student takes the test under another student's log-in credentials. Therefore, a need exists for an additional method of authentication that helps ensure that the person using an online service is the person that the online service believes is using the online service.
    • BRIEF DESCRIPTION OF THE DRAWINGS
  • In the drawings:
  • FIG. 1 is a block diagram that depicts an example network arrangement for a location and device based student access, according to embodiments.
  • FIG. 2 depicts a flow chart showing the initial registration and configuration of the challenge questions.
  • FIG. 3 depicts a flow chart showing device/browser based access control.
  • FIG. 4 depicts a flow chart showing location based access control.
  • FIG. 5 is a block diagram of a computer system on which embodiments may be implemented.
    •  DETAILED DESCRIPTION
  • In the following description, for the purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the present invention. It will be apparent, however, that the present invention may be practiced without these specific details. In other instances, well-known structures and devices are shown in block diagram form in order to avoid unnecessarily obscuring the present invention.
    • GENERAL OVERVIEW
  • Methods and systems are provided for controlling access to online activities, for example online exams and the like. A student can only be present in one place at a given time. They therefore cannot participate in two different online classroom activities at the same time. However, current authentication methods do not ensure that a student's identity has not been compromised. Additionally, an online activity provider may require a method of verifying that only the registered student—and not someone who possesses the login credentials—is participating in a given online classroom activity.
  • The administrator of an online service, for example an exam, may wish to restrict access to the service to a single device, a single device/browser combination, or a single device/browser/location combination To accomplish this, one or more access mechanisms can be defined. For example, an authentication mechanism can be a location access control, a device/browser access control, a user id/password control, or any other mechanism suitable for authenticating a user, In one embodiment, one or more access mechanisms can be combined to improve the authentication even further, by being arranged in levels—for example, one access mechanism can comprise the first authentication level, another access mechanism can comprise the second authentication level, and so on. If a student taking part in such an activity attempts to log in for a second time, using for example a different device, a second authentication mechanism is used to verify their identity to ensure the login is not fraudulent. If the student successfully confirms his identity by the second authentication mechanism, they can then be offered a choice between (a) being granted access to the activity on his current device (thereby ceasing activity on the previous device), or (b) continuing access on the previous device (thereby being denied login on the current device). Additionally, access may be controlled on the basis of comparing the time and location of an online session with the time and location of a previous session, and determining whether it is possible for a user to have travelled the distance between the location of the current session and the location of the previous session. If the travel is not possible, and the same user ID was used for both sessions, then the second session is not allowed to proceed.
    • Client/Server Architecture
  • Client devices 110A-110C may be implemented by any type of computing device that is communicatively connected to network 120. Example implementations of client devices 110A-110C include, without limitation, workstations, personal computers, laptop computers, personal digital assistants (PDAs), tablet computers, cellular telephony devices such as smart phones, and any other type of computing device.
  • In network arrangement 100, each of the client devices 110A-110C is configured with a respective web browser 112A-112C that may access tutoring service 132. Web browsers 112A-112C may be any web browser capable of running on the devices 110A-110C, such as Firefox, Safari, Chrome and so on. Client devices 110A-110C may be configured with other mechanisms, processes and functionalities, depending upon a particular implementation.
  • Further, client devices 110A-110C are each communicatively coupled to a display device (not shown in FIG. 1) for displaying graphical user interfaces. Such a display device may be implemented by any type of device capable of displaying a graphical user interface. Example implementations of a display device include a monitor, a screen, a touch screen, a projector, a light display, a display of a tablet computer, a display of a telephony device, a television, etc.
  • Network 120 may be implemented with any type of medium and/or mechanism that facilitates the exchange of information between client devices 110A-110C and server device 130. Furthermore, network 120 may facilitate use of any type of communications protocol, and may be secured or unsecured, depending upon the requirements of a particular embodiment.
  • Server device 130 may be implemented by any type of computing device that is capable of communicating with client devices 110A-110C over network 120. In a network arrangement 100, server device 130 is configured with an online service 132, which may be part of a cloud computing service. Functionality attributed to online service 132 may also be performed on client devices 110A-110C, according to embodiments. Server device 130 may be configured with other mechanisms, processes and functionalities, depending upon a particular implementation.
  • Server device 130 is communicatively coupled to database 140. As shown in FIG. 1, database 140 includes various data elements that can be used to tailor the online service 132 for the individual needs of each user at respective client devices 110A-110C, as discussed in further detail below, for example, authenticated mechanism data and associated information, location data, and user data. These various types of data are described in greater detail below. Database 140 may reside in any type of storage, including volatile and non-volatile storage (e.g., random access memory (RAM), one or more hard or floppy disks, main memory, etc.), and may be implemented by multiple logical databases. The storage on which database 140 resides may be external or internal to server device 130.
  • Any of browsers 112A-112C and online service 132 may receive and respond to Application Programming Interface (API) calls, Simple Object Access Protocol (SOAP) messages, requests via HyperText Transfer Protocol (HTTP), HyperText Transfer Protocol Secure (HTTPS), Simple Mail Transfer Protocol (SMTP), or any other kind of communication. Further, any of browsers 112A-112C and online service 132 may send one or more of the following over network 120 to one of the other entities: information via HTTP, HTTPS, SMTP, etc.; XML data; SOAP messages; API calls; and other communications according to embodiments.
  • In an embodiment, each of the processes described are performed automatically and may be implemented using one or more computer programs, other software elements, and/or digital logic in any of a general-purpose computer or a special-purpose computer, while performing data retrieval, transformation, and storage operations that involve interacting with and transforming the physical state of memory of the computer.
    • Authentication Mechanism Configuration
  • FIG. 2 is a flow chart that depicts initial registration and configuration of the second authentication mechanism. At step 200, a user 101 registers for access to an online service 132 using a first authentication mechanism, for example, a user name and password, or any other user authentication mechanism. The online classroom activity can be, for example, an exam, a tutorial, or any other kind of online activity.
  • At step 205, it is determined whether the user 101 has previously provided authentication information for a second authentication mechanism 230. This determination may be made, for example, by examining database 140 to determine if authentication information for the second authentication mechanism 230 has been associated with the user 101. Upon determining that authentication information for the second authentication mechanism has been associated with the user, the method proceeds to step 250 and permits access to the service.
  • Upon determining that authentication information for the second authentication mechanism has not been associated with the user, at step 210 the user 101 is prompted to for authentication information for the second authentication mechanism 230. For example, in the case where the second authentication mechanism is a “challenge question” system, the authentication information can comprise one or more challenge questions and associated responses. In one embodiment, the challenge questions can be pre-selected, and the user 101 can be prompted to provide answers thereto. In another embodiment, the challenge questions can also be written by the user, with the user also writing the responses thereto. Additionally, or alternatively, the second authentication mechanism can comprise a biometric identification device, a smart card, or any other authentication mechanism that can confirm the identity of the user 101. The second authentication method should be one that differs from the first authentication mechanism. The second authentication mechanism only needs to be configured once for each user. Once authentication information of a user has been obtained for the second access mechanism 230, the information can be permanently stored, for example on the database 140 and retrieved when necessary to confirm the identity of a user 101.
  • In one embodiment, an online activity can permit simultaneous access from different devices, or different browsers on the same device. If the online activity does not permit simultaneous access, the properly authenticated user is prompted to choose the device on which he or she wishes to participate in the online activity, and the other device is thereby logged out.
    • Device/Browser Authentication Mechanism
  • According to one embodiment, when a user attempts to obtain access to an online service, the online service determines whether the device/browser combination that is being used by the user is “known”. For known device/browser combinations, authentication using a first authentication mechanism is sufficient. On the other hand, for unknown device/browser combinations, authentication using a second authentication mechanism, or both the first and second authentication mechanism, is required. In one embodiment, a device/browser combination is “known” relative to a user if that user has previously used that same device/browser combination to access the online service.
  • FIG. 3 is a flow chart that depicts the steps to determine whether to grant a user 101 access to an online service 132, where the authentication process takes into account the device/browser combination that is being used by the user 101. For the purpose of explanation, it shall be assumed that user 101 is using client device 110A and browser 112A to sign in to online service 132, and that device 110A/browser 112A are associated with a unique device/browser identifier (UDBI) of UDBI1. The UDBI can be a sequence of numbers, or letters, or any other identifier capable of uniquely identifying a particular device or device/browser combination. The UDBI can be stored, for example in the database 140 or any other kind of suitable storage device.
  • At step 300, user 101 logs in, providing the authentication information required by the first authentication mechanism (e.g. a userid/password). According to one embodiment, as part of the login step, the client device 110A sends to server device 130 the device/browser identifier UDBI1. At step 305, the server device 130 determines whether the device/browser combination that is being used by user 101 is a known device/browser combination for user 101. For example, service device 120 may compare UDBI1 with the UDBIs that are stored in the database 140 for previous sessions by the same user 101. Step 310 is a binary decision step. If UDBI1 matches any previously stored UDBIs for user 101, in other words, if the device/browser combination is one that the user 101 has used before, then the method proceeds to step 350.
  • If at step 310, the method determines that UDBI1 is not a known device/browser combination for user 101, then the method instead proceeds to step 320, wherein the user 101 is required to authenticate using a second authentication mechanism.
  • As detailed above, the second authentication mechanism can employ any authentication method, for example a set of one or more challenge questions, a biometric authentication method, or any other suitable authentication method. The second authentication method should differ from the first authentication method. If a user 101 is successfully authenticated by the second authentication mechanism at step 330, then the method proceeds to step 340. At step 340, the user 101 is asked whether the user desires the UDBI of the user's current device/browser combination to be stored. In response to an affirmative response at step 340, server device 130 stores UDBI1 in the database 140 in association with user 101. Alternative, at step 340, the user 101 may also choose to decline to tag the device/browser combination as a “known device” for user 101. This may occur, for example, if he is borrowing a friend's device, or if he is attempting to access the service 132 from a public computer.
  • At step 352, the server device 130 determines whether the service 132 that the user 101 wishes to access allows simultaneous access from multiple devices or multiple browsers on the same device. If the service 132 permits simultaneous access, at step 360, access is granted.
  • At step 350, if the service 132 does not permit simultaneous access from multiple devices or browsers, the method proceeds to step 370. At step 370, the user 101 is prompted to choose between continuing the activity on the previous device or the current device. If the user 101 chooses to continue the activity on the current device, the method advances to step 360 and access is granted. If the student chooses to continue the activity on the device he logged in from previously, the method proceeds to step 365 and access to the desired activity is denied.
    • Device Identifiers
  • In FIG. 3, an embodiment was described in which device/browser combinations were treated as “known” or “unknown”, where unknown device/browser combinations require an additional level of authentication. In an alternative embodiment, the known/unknown determination may be performed at the device level, rather than the device/browser combination level. In such an embodiment, a device would be treated as “known” if the user had previously used the device to access the service, even if the previous access was performed using a different application than the user is currently using to access the service.
    • Location Access Control
  • FIG. 4 is a flow chart depicting a method of controlling access to an online activity on the basis of the location. As before, at step 400, the user 101 logs in and requests access to an online service 132 using a first authentication method, for example a conventional access credential such as a username and password. As before, a second authentication mechanism may be presented at step 410, for example if the device/browser identifier does not match any stored device/browser identifier for user 101.
  • Proceeding, at step 440, server device 130 obtains location information and time information pertaining to the current login. In one embodiment, server device 130 can obtain location information of the user device from the GPS system on the user device. In another embodiment, server device 130 the location information can be obtained from the IP address associated with the login, by querying the Internet Service Provider on the current location of the device, or any other suitable method of determining the current location. In one embodiment, the time information can be obtained from the system time of the server device 130. Server device 130 records the location and time information at the end of a session and stores the information in the database 140. At step 445, server device 130 retrieves location and time information recorded at the end of the previous login session. At step 450, the server device 130 determines whether the user 101 could have plausibly traveled from the location associated with the user's most recent session with the service to his current location in the time that has expired since the user's most recent session with the service. Step 450 can be performed, for example, by comparing the time and location of the current login to a time and location of the preceding login. Service device 130 may use a publicly available service, such as Google Maps, to determine how much time it takes for a person to travel between the two locations. If travel is determined to be feasible between the locations in the time that has lapsed between sessions, the method proceeds to step 460, permitting access to the online activity. If travel is determined to be unfeasible between the locations in the amount of time that lapsed between sessions, the method proceeds to step 465 and access is denied.
  • Referring back to step 450, in one embodiment the server device 130 can calculate the distance between the location of the current login and the location of the previous login using the HTML location data. In another embodiment, the server device 130 can determine the location of the device from the known location of a WiFi hotspots that the device is currently connected to. In another embodiment, the server device 130 can determine the location of the device from the known location of a cellular tower that the device is currently connected to. Server device 130 can then calculate the time elapsed between the current login and the previous login, by comparing the current system time with the system time recorded during the previous login. To determine whether travel between the locations is possible in the time elapsed, the server device 130 uses the distance and time elapsed values obtained to calculate an average speed, and compares the calculated speed value to a pre-defined plausible average speed value. If the calculated speed value is lower than the pre-defined average speed value, then travel between the locations is plausible.
  • In another embodiment, the server device 130 can calculate the distance between the location of the current login and the location of the previous login, and calculate the time elapsed between the current login and the previous login. To determine whether travel between the locations is possible in the time elapsed, the server device 130 uses the values obtained to calculate an average speed, and compares the calculated speed value to previously observed average speed values. If the calculated speed value is lower than the previously observed average speed values, then travel between the locations is plausible.
  • In another embodiment, the server device 130 can query a public travel site to obtain the travel time between the locations, using the location of the previous login as the point of departure, and the location of the current login as the point of arrival. Any suitable travel site such as Kayak, Travelocity, or the like may be utilized. Server device 130 can then determine whether travel between the locations is plausible by comparing the travel time obtained from the public travel site to the time elapsed between the current login and the previous login.
    • Device/Browser/Location Authentication
  • In another embodiment, the device/browser access control and location access control, as detailed above, can be combined to provide an additional level of authentication. For example, a location-based access control could be administered following the device/browser authentication step. Additionally, or alternatively, the location-based access control could be administered before, or concurrently with, the device/browser authentication step.
    • Hardware Overview
  • According to one embodiment, the techniques described herein are implemented by one or more special-purpose computing devices. The special-purpose computing devices may be hard-wired to perform the techniques, or may include digital electronic devices such as one or more application-specific integrated circuits (ASICs) or field programmable gate arrays (FPGAs) that are persistently programmed to perform the techniques, or may include one or more general purpose hardware processors programmed to perform the techniques pursuant to program instructions in firmware, memory, other storage, or a combination. Such special-purpose computing devices may also combine custom hard-wired logic, ASICs, or FPGAs with custom programming to accomplish the techniques. The special-purpose computing devices may be desktop computer systems, portable computer systems, handheld devices, networking devices or any other device that incorporates hard-wired and/or program logic to implement the techniques.
  • For example, FIG. 5 is a block diagram that illustrates a computer system 600 upon which an embodiment of the invention may be implemented. Computer system 500 includes a bus 502 or other communication mechanism for communicating information, and a hardware processor 504 coupled with bus 502 for processing information. Hardware processor 504 may be, for example, a general purpose microprocessor.
  • Computer system 500 also includes a main memory 506, such as a random access memory (RAM) or other dynamic storage device, coupled to bus 502 for storing information and instructions to be executed by processor 504. Main memory 506 also may be used for storing temporary variables or other intermediate information during execution of instructions to be executed by processor 504. Such instructions, when stored in non-transitory storage media accessible to processor 504, render computer system 500 into a special-purpose machine that is customized to perform the operations specified in the instructions.
  • Computer system 500 further includes a read only memory (ROM) 508 or other static storage device coupled to bus 502 for storing static information and instructions for processor 504. A storage device 510, such as a magnetic disk, optical disk, or solid-state drive is provided and coupled to bus 502 for storing information and instructions.
  • Computer system 500 may be coupled via bus 502 to a display 512, such as a cathode ray tube (CRT), for displaying information to a computer user. An input device 514, including alphanumeric and other keys, is coupled to bus 502 for communicating information and command selections to processor 504. Another type of user input device is cursor control 516, such as a mouse, a trackball, or cursor direction keys for communicating direction information and command selections to processor 504 and for controlling cursor movement on display 512. This input device typically has two degrees of freedom in two axes, a first axis (e.g., x) and a second axis (e.g., y), that allows the device to specify positions in a plane.
  • Computer system 500 may implement the techniques described herein using customized hard-wired logic, one or more ASICs or FPGAs, firmware and/or program logic which in combination with the computer system causes or programs computer system 500 to be a special-purpose machine. According to one embodiment, the techniques herein are performed by computer system 500 in response to processor 504 executing one or more sequences of one or more instructions contained in main memory 506. Such instructions may be read into main memory 506 from another storage medium, such as storage device 510. Execution of the sequences of instructions contained in main memory 506 causes processor 504 to perform the process steps described herein. In alternative embodiments, hard-wired circuitry may be used in place of or in combination with software instructions.
  • The term “storage media” as used herein refers to any non-transitory media that store data and/or instructions that cause a machine to operate in a specific fashion. Such storage media may comprise non-volatile media and/or volatile media. Non-volatile media includes, for example, optical disks, magnetic disks, or solid-state drives, such as storage device 510. Volatile media includes dynamic memory, such as main memory 506. Common forms of storage media include, for example, a floppy disk, a flexible disk, hard disk, solid-state drive, magnetic tape, or any other magnetic data storage medium, a CD-ROM, any other optical data storage medium, any physical medium with patterns of holes, a RAM, a PROM, and EPROM, a FLASH-EPROM, NVRAM, any other memory chip or cartridge.
  • Storage media is distinct from but may be used in conjunction with transmission media. Transmission media participates in transferring information between storage media. For example, transmission media includes coaxial cables, copper wire and fiber optics, including the wires that comprise bus 502. Transmission media can also take the form of acoustic or light waves, such as those generated during radio-wave and infra-red data communications.
  • Various forms of media may be involved in carrying one or more sequences of one or more instructions to processor 504 for execution. For example, the instructions may initially be carried on a magnetic disk or solid-state drive of a remote computer. The remote computer can load the instructions into its dynamic memory and send the instructions over a telephone line using a modem. A modem local to computer system 500 can receive the data on the telephone line and use an infra-red transmitter to convert the data to an infra-red signal. An infra-red detector can receive the data carried in the infra-red signal and appropriate circuitry can place the data on bus 502. Bus 502 carries the data to main memory 506, from which processor 504 retrieves and executes the instructions. The instructions received by main memory 506 may optionally be stored on storage device 510 either before or after execution by processor 504.
  • Computer system 500 also includes a communication interface 518 coupled to bus 502. Communication interface 518 provides a two-way data communication coupling to a network link 520 that is connected to a local network 522. For example, communication interface 518 may be an integrated services digital network (ISDN) card, cable modem, satellite modem, or a modem to provide a data communication connection to a corresponding type of telephone line. As another example, communication interface 518 may be a local area network (LAN) card to provide a data communication connection to a compatible LAN. Wireless links may also be implemented. In any such implementation, communication interface 518 sends and receives electrical, electromagnetic or optical signals that carry digital data streams representing various types of information.
  • Network link 520 typically provides data communication through one or more networks to other data devices. For example, network link 520 may provide a connection through local network 522 to a host computer 524 or to data equipment operated by an Internet Service Provider (ISP) 526. ISP 526 in turn provides data communication services through the world wide packet data communication network now commonly referred to as the “Internet” 528. Local network 522 and Internet 528 both use electrical, electromagnetic or optical signals that carry digital data streams. The signals through the various networks and the signals on network link 520 and through communication interface 518, which carry the digital data to and from computer system 500, are example forms of transmission media.
  • Computer system 500 can send messages and receive data, including program code, through the network(s), network link 520 and communication interface 518. In the Internet example, a server 530 might transmit a requested code for an application program through Internet 528, ISP 526, local network 522 and communication interface 518.
  • The received code may be executed by processor 504 as it is received, and/or stored in storage device 510, or other non-volatile storage for later execution.
  • In the foregoing specification, embodiments of the invention have been described with reference to numerous specific details that may vary from implementation to implementation. The specification and drawings are, accordingly, to be regarded in an illustrative rather than a restrictive sense. The sole and exclusive indicator of the scope of the invention, and what is intended by the applicants to be the scope of the invention, is the literal and equivalent scope of the set of claims that issue from this application, in the specific form in which such claims issue, including any subsequent correction.

Claims (20)

What is claimed is:
1. A method comprising:
maintaining, on a storage device, first time information and first location information of a most recent access to a service by a particular user;
receiving a subsequent request to access the service;
receiving, in association with the subsequent request, authentication information for the particular user;
in response to receiving the subsequent request:
determining second time information and second location information associated with the subsequent request;
determining, based on the first time information, the second time information, the first location information, and the second location information, whether it is feasible for the particular user to have travelled from a first location associated with the first location information to a second location associated with the second location information in an amount of time that lapsed between the first time information and the second time information; and
responsive to determining that it is not feasible for the particular user to have travelled from the first location to the second location in the amount of time, performing at least one of:
denying the subsequent request;
granting the subsequent request only after receiving additional authentication information in association with the subsequent request.
2. The method of claim 1, wherein the subsequent request is denied.
3. The method of claim 1, wherein the subsequent request is granted after receiving additional authentication information in association with the second request.
4. The method of claim 1, wherein the most recent access to the service has concluded before receiving the subsequent request to access the service.
5. The method of claim 1, wherein the most recent access to the service is accessing the service when the subsequent request is received and the method further comprises:
receiving, in association with the subsequent request, an indication to grant the subsequent request and conclude the most accent access.
6. The method of claim 1, wherein determining whether it is feasible for the particular user to have travelled from the first location to the second location comprises determining the second location, at least in part, using HTML, location data associated with the particular user's computing device.
7. The method of claim 1, wherein determining whether it is feasible for the particular user to have travelled from the first location to the second location comprises determining the second location, at least in part, from known locations of one or more WiFi hotspots associated with the particular user's computing device.
8. The method of claim 1, wherein determining whether it is feasible for the particular user to have travelled from the first location to the second location comprises determining the second location, at least in part, from known locations of one or more cellular towers associated with the particular user's computing device.
9. The method of claim 1, wherein determining whether it is feasible for the particular user to have travelled from the first location to the second location comprises:
determining, based on the first time information, the second time information, the first location information, and the second location information, an average speed value;
comparing the average speed value with a pre-defined average speed value;
if the average speed value is lower than the pre-defined average speed value, determining that it is feasible for the particular user to have travelled from the first location to the second location; and
if the average speed value is higher than the pre-defined average speed value, determining that it is not feasible for the particular user to have travelled from the first location to the second location.
10. The method of claim 1, wherein determining whether it is feasible for the particular user to have travelled from the first location to the second location comprises:
determining a travel time between the first location information and the second location information;
determining, based on the first time information and the second time information, whether the travel time may be satisfied;
if the travel time may be satisfied, determining that it is feasible for the particular user to have travelled from the first location to the second location; and
if the travel time may not be satisfied, determining that it is not feasible for the particular user to have travelled from the first location to the second location.
11. The method of claim 1, further comprising:
before determining whether it is feasible for the particular user to have travelled from the first location to the second location and in response to receiving the subsequent request:
determining whether the subsequent request originates from a computing device corresponding to an authenticated access mechanism, wherein the authenticated access mechanism comprises a particular computing device that previously satisfied a first level of authentication and a second level of authentication;
responsive to the subsequent request originating from the authenticated access mechanism, allowing the subsequent request to proceed without receiving, in association with the subsequent request, the second level of authentication; and
responsive to the subsequent request not originating from the authenticated access mechanism, allowing the computing device to access the service only after the second level of authentication is provided in association with the subsequent request.
12. The method of claim 11, wherein the authenticated access mechanism includes information identifying:
a device;
a combination of device and browser; or
a combination of device, browser and location.
13. A system comprising:
one or more processors; and
a storage storing instructions which, when executed by the one or more processors, cause the one or more processors to perform operations comprising:
maintaining, on a storage device, first time information and first location information of a most recent access to a service by a particular user;
receiving a subsequent request to access the service;
receiving, in association with the subsequent request, authentication information for the particular user;
in response to receiving the subsequent request:
determining second time information and second location information associated with the subsequent request;
determining, based on the first time information, the second time information, the first location information, and the second location information, whether it is feasible for the particular user to have travelled from a first location associated with the first location information to a second location associated with the second location information in an amount of time that lapsed between the first time information and the second time information; and
responsive to determining that it is not feasible for the particular user to have travelled from the first location to the second location in the amount of time, performing at least one of:
denying the subsequent request;
granting the subsequent request only after receiving additional authentication information in association with the subsequent request.
14. The system of claim 13, wherein the most recent access to the service has concluded before receiving the subsequent request to access the service.
15. The system of claim 13, wherein the most recent access to the service is accessing the service when the subsequent request is received and the method further comprises:
receiving, in association with the subsequent request, an indication to grant the subsequent request and conclude the most accent access.
16. The system of claim 13, wherein determining whether it is feasible for the particular user to have travelled from the first location to the second location comprises determining the second location, at least in part, using HTML, location data associated with the particular user's computing device.
17. The system of claim 13, wherein determining whether it is feasible for the particular user to have travelled from the first location to the second location comprises determining the second location, at least in part, from known locations of one or more WiFi hotspots associated with the particular user's computing device.
18. The system of claim 13, wherein determining whether it is feasible for the particular user to have travelled from the first location to the second location comprises determining the second location, at least in part, from known locations of one or more cellular towers associated with the particular user's computing device.
19. The system of claim 13, wherein determining whether it is feasible for the particular user to have travelled from the first location to the second location comprises:
determining, based on the first time information, the second time information, the first location information, and the second location information, an average speed value;
comparing the average speed value with a pre-defined average speed value;
if the average speed value is lower than the pre-defined average speed value, determining that it is feasible for the particular user to have travelled from the first location to the second location; and
if the average speed value is higher than the pre-defined average speed value, determining that it is not feasible for the particular user to have travelled from the first location to the second location.
20. The system of claim 13, wherein determining whether it is feasible for the particular user to have travelled from the first location to the second location comprises:
determining a travel time between the first location information and the second location information;
determining, based on the first time information and the second time information, whether the travel time may be satisfied;
if the travel time may be satisfied, determining that it is feasible for the particular user to have travelled from the first location to the second location; and
if the travel time may not be satisfied, determining that it is not feasible for the particular user to have travelled from the first location to the second location.
US15/411,699 2015-03-13 2017-01-20 Location and device based student access control Abandoned US20170134391A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US15/411,699 US20170134391A1 (en) 2015-03-13 2017-01-20 Location and device based student access control

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US14/657,936 US9565183B2 (en) 2015-03-13 2015-03-13 Location and device based student access control
US15/411,699 US20170134391A1 (en) 2015-03-13 2017-01-20 Location and device based student access control

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US14/657,936 Division US9565183B2 (en) 2015-03-13 2015-03-13 Location and device based student access control

Publications (1)

Publication Number Publication Date
US20170134391A1 true US20170134391A1 (en) 2017-05-11

Family

ID=56888679

Family Applications (2)

Application Number Title Priority Date Filing Date
US14/657,936 Active US9565183B2 (en) 2015-03-13 2015-03-13 Location and device based student access control
US15/411,699 Abandoned US20170134391A1 (en) 2015-03-13 2017-01-20 Location and device based student access control

Family Applications Before (1)

Application Number Title Priority Date Filing Date
US14/657,936 Active US9565183B2 (en) 2015-03-13 2015-03-13 Location and device based student access control

Country Status (1)

Country Link
US (2) US9565183B2 (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10334026B2 (en) 2016-08-08 2019-06-25 Bank Of America Corporation Resource assignment system
US10171438B2 (en) * 2017-04-04 2019-01-01 International Business Machines Corporation Generating a password
US11962596B2 (en) 2021-08-04 2024-04-16 Bank Of America Corporation Integrated multifactor authentication for network access control

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120060214A1 (en) * 2009-12-21 2012-03-08 Ebay Inc. Behavioral Stochastic Authentication (BSA)
US20120227098A1 (en) * 2011-03-03 2012-09-06 Microsoft Corporation Sharing user id between operating system and application
US20130110715A1 (en) * 2011-10-27 2013-05-02 Bank Of America Corporation Use of Velocity in Fraud Detection or Prevention
US20140157381A1 (en) * 2012-12-05 2014-06-05 Telesign Corporation Frictionless multi-factor authentication system and method
US20140179273A1 (en) * 2012-12-21 2014-06-26 Empire Technology Development Llc Location-based authentication scheme
US20160112437A1 (en) * 2013-09-04 2016-04-21 Anton Nikolaevich Churyumov Apparatus and Method for Authenticating a User via Multiple User Devices

Family Cites Families (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7093020B1 (en) * 2000-06-29 2006-08-15 Sungard Sct Inc. Methods and systems for coordinating sessions on one or more systems
US8112794B2 (en) * 2006-07-17 2012-02-07 Research In Motion Limited Management of multiple connections to a security token access device
US8522010B2 (en) * 2008-10-20 2013-08-27 Microsoft Corporation Providing remote user authentication
US8793769B2 (en) * 2009-12-31 2014-07-29 Cable Television Laboratories, Inc. Zero sign-on authentication
US8756650B2 (en) * 2010-03-15 2014-06-17 Broadcom Corporation Dynamic authentication of a user
US8892647B1 (en) * 2011-06-13 2014-11-18 Google Inc. System and method for associating a cookie with a device identifier
CN103348354B (en) * 2011-12-01 2016-01-06 日本电气株式会社 Security verification equipment and security verification method
US20160087957A1 (en) * 2013-04-26 2016-03-24 Interdigital Patent Holdings, Inc. Multi-factor authentication to achieve required authentication assurance level
US9231940B2 (en) * 2013-12-16 2016-01-05 Verizon Patent And Licensing Inc. Credential linking across multiple services

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120060214A1 (en) * 2009-12-21 2012-03-08 Ebay Inc. Behavioral Stochastic Authentication (BSA)
US20120227098A1 (en) * 2011-03-03 2012-09-06 Microsoft Corporation Sharing user id between operating system and application
US20130110715A1 (en) * 2011-10-27 2013-05-02 Bank Of America Corporation Use of Velocity in Fraud Detection or Prevention
US20140157381A1 (en) * 2012-12-05 2014-06-05 Telesign Corporation Frictionless multi-factor authentication system and method
US20140179273A1 (en) * 2012-12-21 2014-06-26 Empire Technology Development Llc Location-based authentication scheme
US20160112437A1 (en) * 2013-09-04 2016-04-21 Anton Nikolaevich Churyumov Apparatus and Method for Authenticating a User via Multiple User Devices

Also Published As

Publication number Publication date
US20160269387A1 (en) 2016-09-15
US9565183B2 (en) 2017-02-07

Similar Documents

Publication Publication Date Title
US10462120B2 (en) Authentication system and method
US11601412B2 (en) Securely managing digital assistants that access third-party applications
US8959619B2 (en) Graphical image password authentication method
US8151343B1 (en) Method and system for providing authentication credentials
US20100169219A1 (en) Pluggable health-related data user experience
US9390243B2 (en) Dynamic trust score for evaluating ongoing online relationships
US10986187B2 (en) System and method for personalized virtual reality experience in a controlled environment
US20130212653A1 (en) Systems and methods for password-free authentication
US10003975B2 (en) Authorized areas of authentication
US20130247149A1 (en) Internet protocol address authentication method
US8627421B1 (en) Methods and apparatus for authenticating a user based on implicit user memory
US20180233152A1 (en) Voice Signature for User Authentication to Electronic Device
US20180227296A1 (en) Authentication on thin clients using independent devices
US20160301675A1 (en) System for authenticating multiple users
US10356096B2 (en) Authentication using credentials submitted via a user premises device
US9172692B2 (en) Systems and methods for securely transferring authentication information between a user and an electronic resource
US11068574B2 (en) Phone factor authentication
US9996701B2 (en) Restrictive access of a digital object based on location
US20240096160A1 (en) Distributed Voting Platform
US20170134391A1 (en) Location and device based student access control
WO2022026601A1 (en) Evaluation of a registration process
WO2018217204A1 (en) Authentication system and method
US11875242B2 (en) Systems and methods for risk analysis and mitigation with nested machine learning models for exam registration and delivery processes
KR20050096093A (en) Unified member certification and service method use cellphone number
JP2007310678A (en) Alibi proving system and method, alibi server, and program

Legal Events

Date Code Title Description
STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION

AS Assignment

Owner name: THE UNIVERSITY OF PHOENIX, INC., ARIZONA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:APOLLO EDUCATION GROUP, INC.;REEL/FRAME:053308/0512

Effective date: 20200626