AU2008100959A4 - Method of using client self-registration to upgrade an online service authentication process - Google Patents


Info

Publication number
AU2008100959A4
Authority
AU
Australia
Prior art keywords
client
online service
credential
authentication
authentication credential
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired
Application number
AU2008100959A
Inventor
Paul Cuthbert
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
CASTELAIN Pty Ltd
Original Assignee
CASTELAIN Pty Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from AU2007905569A
Application filed by CASTELAIN Pty Ltd
Priority to AU2008100959A
Application granted
Publication of AU2008100959A4
Anticipated expiration
Expired (current legal status)

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/34 User authentication involving the use of external additional devices, e.g. dongles or smart cards
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/33 User authentication using certificates
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2117 User registration

Description

DESCRIPTION
The invention consists of the method by which clients of an online service can authenticate using an existing credential and then self-register a new authentication credential to be used for future access.
The new authentication credential may be, without limitation, a hardware authentication device such as a One Time Password (OTP) token or smart card, a software digital certificate that is either self-generated or generated by a Certification Authority, or another authentication credential.
This patent covers two methods by which the client can register a new authentication credential for subsequent use. The first method registers the new credential with some input from the client; the second method is invisible to the client.
In the first method, the client first authenticates using an existing authentication credential, such as by entering a username and password.
Once the client has successfully authenticated, they may either choose or be directed to register a new authentication credential. The client may register the new authentication credential, without limitation, by the client entering a device serial number into an online form, by selecting a software digital certificate that has already been stored in their computer, or by providing information so that a new software credential such as a digital certificate can be generated at that point. Following any of these steps, the online service will then recognise the new authentication credential for future use by the client.
In the second method, the new authentication credential is registered in a way that is largely automatic and transparent to the client. This is possible using an authentication device such as that described by Australian Patent #2006100953, "METHOD OF USING CONVENTIONAL MEDIA AS AN AUTHENTICATION DEVICE FOR ONLINE SERVICES". It is also possible when using another credential such as a digital certificate for the new authentication credential.
As an example of device registration that may be implemented in practice, consider the scenario where a client has been issued an authentication device as described by Australian Patent #2006100953. In this scenario, the client inserts the device into their computer and is connected to an online service that the client has a previous association with. The client may then be prompted by the online service to enter their username and password. These credentials are checked, and if correct, the authentication device that the client used to access the service is identified by the online service and is registered as belonging to that client for future use. The authentication device can then be used in conjunction with the existing client password for future two-factor authentication.
Similarly, consider the scenario where a client has been issued a software digital certificate that has already been installed on their computer. In this scenario, a client may access an existing online service that requires authentication using a username and password. Following authentication, the online service may check the client's machine, or a database of its own, and determine that a trusted digital certificate is installed and/or available for use by the client. The online service may decide to recognise and trust this digital certificate for future authentication by the client.
Alternatively, following authentication of the client a new digital certificate may be generated and registered for future use by the client. In this case, the digital certificate could be a self-signed digital certificate that is generated using client software, or it could be a certificate that is generated by an online Certification Authority (CA).
For each of these scenarios, there is no need for the online service to rely on any personal information about the client that may be contained in the authentication credential. This is because the client effectively performs the binding between the credential and the client account when they authenticate using their existing credential and subsequently present their new credential for future use.
Following the successful registration of a new authentication credential, the online service may be configured to no longer accept previous authentication credentials for that client. This approach can be used to gradually transition clients from using an existing, relatively insecure username and password based authentication system to a more secure authentication system. It can also be used as a way of routinely replacing two-factor authentication mechanisms, to manage the risk that a previous device may have been compromised.
One of the major benefits of the invention is that it allows hardware authentication devices to be supported without having to personalise these devices in any way prior to delivery to the client. The process of assigning a specific authentication device for use by a client instead happens by the client during the self-registration process. This avoids the need for the online service provider to register individual authentication devices against clients, and it avoids the need to securely deliver these devices to the clients.
A second major benefit of the invention is that it allows two-factor authentication to be provided as an option for clients that want it, rather than implementing it for all clients. This provides improved security for clients that are concerned about online dangers such as identity theft, without affecting other clients that may consider two-factor authentication to be unnecessary and inconvenient. It also reduces the number of authentication devices that must be deployed to clients, and therefore the cost of providing support for two-factor authentication.
A third major benefit of the invention is that self-registration by the client reduces the operational risk to the service provider of any new authentication technology. It does this by transitioning clients gradually from the old authentication system to the new, which provides time to fix any integration problems without affecting large numbers of clients.
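The flow the description lays out (authenticate with the existing username and password, then bind a new credential to the account; optionally refuse password-only logins afterwards; reject a credential that is already bound to a different account) can be modelled in a few dozen lines. The following is an added illustration, not code from the patent or from CASTELAIN Pty Ltd. It assumes a hypothetical in-memory `OnlineService`; the credential identifier is a constructed string standing in for a token serial number or a certificate fingerprint, and no real device or certificate format is implied. The only on-page point it goes beyond is the ownership index, which is one way to enforce claim 3's "not bound to the client in any way until it is self-registered".

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed toy model of the patent's self-registration flow (hypothetical
# API, not the patent's own implementation).


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    # identifiers of credentials this client has self-registered
    credentials: Set[str] = field(default_factory=set)
    # once a new credential exists, password-only logins may be refused
    password_only_allowed: bool = True


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class OnlineService:
    def __init__(self) -> None:
        self._accounts: Dict[str, Account] = {}
        # credential id -> owning username; a credential is unbound until registered
        self._credential_owner: Dict[str, str] = {}
        self._sessions: Dict[str, str] = {}  # session token -> username
        self.audit: List[str] = []  # constructed audit trail for detection/review

    def create_account(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._accounts[username] = Account(username, salt, _hash_password(password, salt))

    def _check_password(self, username: str, password: str) -> Optional[Account]:
        acct = self._accounts.get(username)
        if acct is None:
            return None
        if not hmac.compare_digest(acct.pw_hash, _hash_password(password, acct.salt)):
            return None
        return acct

    def login(self, username: str, password: str,
              credential_id: Optional[str] = None) -> Optional[str]:
        """Authenticate with the existing credential; require the registered
        second factor once the client has one. Returns a session token."""
        acct = self._check_password(username, password)
        if acct is None:
            self.audit.append(f"login-fail user={username} reason=password")
            return None
        if credential_id is None:
            if not acct.password_only_allowed:
                self.audit.append(f"login-fail user={username} reason=second-factor-required")
                return None
        elif credential_id not in acct.credentials:
            # never registered, or bound to a different account
            self.audit.append(f"login-fail user={username} reason=unregistered-credential")
            return None
        token = secrets.token_hex(16)
        self._sessions[token] = username
        self.audit.append(f"login-ok user={username} factors={'2' if credential_id else '1'}")
        return token

    def register_credential(self, session: Optional[str], credential_id: str,
                            retire_password_only: bool = True) -> bool:
        """Self-registration: an already-authenticated client binds a new
        credential (token serial, certificate fingerprint, ...) to its account."""
        username = self._sessions.get(session or "")
        if username is None:
            return False
        owner = self._credential_owner.get(credential_id)
        if owner is not None and owner != username:
            self.audit.append(f"register-fail user={username} reason=credential-already-bound")
            return False
        acct = self._accounts[username]
        acct.credentials.add(credential_id)
        self._credential_owner[credential_id] = username
        if retire_password_only:
            acct.password_only_allowed = False
        self.audit.append(f"register-ok user={username} credential={credential_id}")
        return True


def demo() -> dict:
    """Walk through the transition for one client and one bystander."""
    svc = OnlineService()
    svc.create_account("alice", "correct horse battery staple")
    svc.create_account("bob", "hunter2")
    session = svc.login("alice", "correct horse battery staple")
    registered = svc.register_credential(session, "OTP-SERIAL-0001")  # constructed id
    return {
        "registered": registered,
        "password_only_after": svc.login("alice", "correct horse battery staple"),
        "two_factor_after": svc.login("alice", "correct horse battery staple", "OTP-SERIAL-0001") is not None,
        "bob_reuses_alice_token": svc.register_credential(svc.login("bob", "hunter2"), "OTP-SERIAL-0001"),
        "bob_presents_alice_token": svc.login("bob", "hunter2", "OTP-SERIAL-0001"),
    }
```

Running `demo()` shows the three properties the description relies on: registration only succeeds from an authenticated session, the password alone stops working for that client once a credential is bound, and a credential already bound to one account can neither be registered by nor used to log in as another. The `audit` list is the place a defender would hook alerting on `credential-already-bound` or repeated `second-factor-required` failures.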

Claims (4)

1. A method of establishing a binding between a client's online account or identity and a new authentication credential by having the client first authenticate to the online service using an existing authentication credential and then registering the new authentication credential, either by requesting further input from the client or implementing this process automatically and invisibly.
2. A method according to claim 1 where the existing authentication credential is automatically disabled for future use by the client after the client has successfully registered the new authentication credential, either immediately or at some point in the future.
3. A method according to claim 1 where the new authentication credential does not contain any client specific information and is not bound to the client in any way until it is self-registered for use by the client.
4. A method according to claim 1 where the online service includes a Certification Authority (CA) component that is used to generate a digital certificate for the client. This may involve the online service processing a certificate-signing request that has been generated by the client, or it may involve the online service generating the client's keys and delivering the private key along with the certificate to the client. A method according to claim 1 where the client accesses the online service using a customised browser that is stored on a conventional media device, such as that described by Australian Patents #2005906324 and #2006100953.

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU2008100959A AU2008100959A4 (en) 2007-10-12 2008-09-29 Method of using client self-registration to upgrade an online service authentication process

Applications Claiming Priority (5)

Application Number Priority Date Filing Date Title
AU2007905569A AU2007905569A0 (en) 2007-10-12 Method of using client self-registration to upgrade an online service authentication process
AU2007905569 2007-10-12
AU2008901750A AU2008901750A0 (en) 2008-04-11 Use of client self-services for certificate-based authentication to online services
AU2008901750 2008-04-11
AU2008100959A AU2008100959A4 (en) 2007-10-12 2008-09-29 Method of using client self-registration to upgrade an online service authentication process

Publications (1)

Publication Number Publication Date
AU2008100959A4 true AU2008100959A4 (en) 2008-11-06

Family

ID=40030505

Family Applications (1)

Application Number Title Priority Date Filing Date
AU2008100959A Expired AU2008100959A4 (en) 2007-10-12 2008-09-29 Method of using client self-registration to upgrade an online service authentication process

Country Status (1)

Country Link
AU (1) AU2008100959A4 (en)

Legal Events

Date Code Title Description
FGI Letters patent sealed or granted (innovation patent)
MK22 Patent ceased section 143a(d), or expired - non payment of renewal fee or expiry