US2014013390A1PendingUtilityA1
System and method for out-of-band application authentication
Est. expiryJul 5, 2032(~6 yrs left)· nominal 20-yr term from priority
G06F 21/42H04L 63/08G06F 21/44G06F 21/52H04L 63/10
51
PatentIndex Score
0
Cited by
0
References
0
Claims
Abstract
Application-to-Application authentication features using a second communication channel for out-of-band authentication separate from a communication channel of a request from a client to a server. Authentication information is associated with a component of the system such as the request or the client application, while being collected independent of interaction with the client application initiating the request. Implementations provide improved security over existing solutions using in-band or other means of collecting authentication information.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1 . A system for authentication comprising:
(a) a server machine configured to:
(i) receive, via a first channel, a request from a client machine, said request associated with a client application on said client machine;
(ii) connect, via a second channel that is separate from said first channel, to said client machine to request authentication information;
(iii) receive, via said second channel, said authentication information;
(iv) validate, based on said authentication information, said request, and
(b) a client machine configured to:
(i) collect said authentication information
wherein said authentication information is associated with a component of the system selected from the group consisting of:
(A) said request; and
(B) said client application, and
wherein said authentication information is collected independently of interaction with said client application.
2 . The system of claim 1 wherein said server machine is further configured to effect a preliminary request validation of said request prior to connecting via said second channel to said client machine, said connecting being contingent on a success of said preliminary request validation.
3 . The system of claim 1 wherein said request is for access credentials to network resources or other server machines.
4 . The system of claim 1 wherein said server machine is further configured to:
(v) initiate a transmission, in response to said request from the client machine, of an authentication agent to said client machine; and
(vi) receive said authentication information from said authentication agent.
5 . The system of claim 1 wherein said server machine is further configured to receive said authentication information from an authentication agent selected from the group consisting of:
(a) an agent pre-installed on said client machine;
(b) an agent transmitted to and executed on said client machine, following said connection from said server machine, said agent remaining on said client machine after said agent transmits said authentication information to said server machine; and
(c) an agent transmitted to and executed on said client machine, following said connection from said server machine, said agent removed from said client machine after said agent transmits said authentication information to said server machine.
6 . The system of claim 1 wherein said authentication information is provided by an operating system of said client machine.
7 . The system of claim 1 wherein said authentication information is provided from one or more query responses to one or more corresponding queries independent of interaction with said client application.
8 . The system of claim 1 wherein said authentication information is provided from one or more query responses to one or more corresponding queries to components of said client machine other than said client application.
9 . A system for authentication comprising:
(a) a server machine configured to:
(i) receive, via a first channel, a request from a client machine, said request associated with a client application on said client machine;
(ii) receive, via a second channel that is separate from said first channel, authentication information;
wherein said authentication information is associated with a component of the system selected from the group consisting of:
(A) said request; and
(B) said client application, and
wherein said authentication information is collected independently of interaction with said client application.
10 . The system of claim 9 wherein said server machine is further configured to
(iii) connect, via said second channel, between said server machine and said client.
11 . The system of claim 9 wherein said server machine is further configured to connect from said server machine to said client machine via said second channel to request said authentication information.
12 . The system of claim 9 wherein said server machine is further configured to effect a preliminary request validation of said request prior to connecting via said second channel to said client machine, said connecting being contingent on a success of said preliminary request validation
13 . The system of claim 9 wherein said request is for access credentials to network resources or other server machines.
14 . The system of claim 9 wherein said server machine is further configured to:
(iii) initiate a transmission, in response to said request from the client machine, of an authentication agent to said client machine; and
(iv) receive said authentication information from said authentication agent.
15 . The system of claim 9 wherein said server machine is further configured to receive said authentication information from an authentication agent selected from the group consisting of:
(a) an agent pre-installed on said client machine;
(b) an agent transmitted to and executed on said client machine, following said connection from said server machine, said agent remaining on said client machine after said agent transmits said authentication information to said server machine; and
(c) an agent transmitted to and executed on said client machine, following said connection from said server machine, said agent removed from said client machine after said agent transmits said authentication information to said server machine.
16 . The system of claim 9 wherein said authentication information is provided by an operating system of said client machine.
17 . The system of claim 9 wherein said authentication information is provided from one or more query responses to one or more corresponding queries independent of interaction with said client application.
18 . The system of claim 9 wherein said server machine is further configured to validate, based on said authentication information, said request.
19 . A system for authentication comprising:
(a) a client machine configured to collect authentication information for authenticating a request sent from a client application,
(i) wherein said client machine is configured to send said request via a first channel;
(ii) wherein said client machine is configured to send said authentication information via a second channel;
(iii) wherein said authentication information is associated with a component of the system selected from the group consisting of:
(A) said request sent from said client machine; and
(B) said client application on said client machine, and
(iv) wherein said authentication information is collected independent of interaction with said client application.
20 . The system of claim 19 wherein authentication information is collected by an authentication agent selected from the group consisting of:
(a) an agent pre-installed on said client machine;
(b) an agent transmitted to and executed on said client machine, following a connection from a server machine to said client machine, said agent remaining on said client machine after said agent sends said authentication information to said server machine; and
(c) an agent transmitted to and executed on said client machine, following a connection from a server machine to said client machine, said agent removed from said client machine after said agent transmits said authentication information to said server machine.
21 . The system of claim 19 wherein said authentication information is provided by an operating system of said client machine.
22 . The system of claim 19 wherein said authentication information is provided from one or more query responses to one or more corresponding queries independent of interaction with said client application.
23 . The system of claim 19 wherein said authentication information is provided from one or more query responses to one or more corresponding queries to components of said client machine other than said client application
24 . The system of claim 19 wherein said request is for access credentials to network resources or other server machines.
25 . A method for authentication comprising the steps of:
(a) receiving at a server machine, via a first channel, a request from a client machine, said request associated with a client application on said client machine; (b) connecting, via a second channel that is separate from said first channel, between said server machine and said client machine; (c) collecting said authentication information on said client machine; (d) sending said authentication information from said client machine via said second channel to said server machine; and (e) receiving at said server machine, via said second channel, authentication information from said client machine,
wherein said authentication information is associated with a component of the system selected from the group consisting of:
(i) said request; and
(ii) said client application, and
wherein said authentication information is collected independently of interaction with said client application.
26 . The method of claim 25 wherein connecting is from said server machine to said client machine to request said authentication information.
27 . The method of claim 25 further including the step of:
(f) effecting a preliminary request validation of said request prior to connecting via said second channel to said client machine, said connecting being contingent on a success of said preliminary request validation.
28 . The method of claim 25 wherein said request is for access credentials to network resources or other server machines.
29 . The method of claim 25 further including the step of:
(f) initiating a transmission, in response to said receiving of said request from the client machine, of an authentication agent to said client machine;
wherein said receiving of said authentication information is from said authentication agent.
30 . The method of claim 25 wherein receiving said authentication information is from an authentication agent selected from the group consisting of:
(a) an agent pre-installed on said client machine;
(b) an agent transmitted to and executed on said client machine, following said connection from said server machine, said agent remaining on said client machine after said agent transmits said authentication information to said server machine; and
(c) an agent transmitted to and executed on said client machine, following said connection from said server machine, said agent removed from said client machine after said agent transmits said authentication information to said server machine.
31 . The method of claim 25 wherein said authentication information is provided by an operating system of said client machine.
32 . The method of claim 25 wherein said authentication information is provided from one or more query responses to one or more corresponding queries independent of interaction with said client application.
33 . The method of claim 25 further including the step of:
(f) validating said request based on said authentication information.
34 . A method for authentication comprising the steps of:
(a) receiving at a server machine, via a first channel, a request from a client machine, said request associated with a client application on said client machine; and (b) receiving at said server machine, via a second channel that is separate from said first channel, from said client machine, authentication information;
wherein said authentication information is associated with a component of the system selected from the group consisting of:
(i) said request; and
(ii) said client application, and
wherein said authentication information is collected independently of interaction with said client application.
35 . The method of claim 34 further including the step of:
(c) connecting, via said second channel, between said server machine and said client machine.
36 . The method of claim 35 wherein connecting is from said server machine to said client machine to request said authentication information.
37 . The method of claim 34 further including the step of:
(c) effecting a preliminary request validation of said request prior to connecting via said second channel to said client machine, said connecting being contingent on a success of said preliminary request validation.
38 . The method of claim 34 wherein said request is for access credentials to network resources or other server machines.
39 . The method of claim 34 further including the steps of:
(c) initiating a transmission, in response to said receiving of said request from the client machine, of an authentication agent to said client machine; and
(d) receiving said authentication information from said authentication agent.
40 . The method of claim 34 wherein receiving said authentication information is from an authentication agent selected from the group consisting of:
(a) an agent pre-installed on said client machine;
(b) an agent transmitted to and executed on said client machine, following said connection from said server machine, said agent remaining on said client machine after said agent transmits said authentication information to said server machine; and
(c) an agent transmitted to and executed on said client machine, following said connection from said server machine, said agent removed from said client machine after said agent transmits said authentication information to said server machine.
41 . The method of claim 34 wherein said authentication information is provided by an operating system of said client machine.
42 . The method of claim 34 wherein said authentication information is provided from one or more query responses to one or more corresponding queries independent of interaction with said client application.
43 . The method of claim 34 further including the step of: validating said request based on said authentication information.
44 . A method for authentication comprising the steps of:
(a) sending a request from a client application on a client machine via a first channel to a server machine; and (b) sending authentication information from said client machine via a second channel to said server machine,
wherein said authentication information is associated with a component selected from the group consisting of:
(i) said request; and
(ii) said client application, and
wherein said authentication information is collected independent of interaction with said client application.
45 . The method of claim 44 wherein said authentication information is provided by an authentication agent selected from the group consisting of:
(a) an agent pre-installed on said client machine;
(b) an agent transmitted to and executed on said client machine, following a connection from said server machine to said client machine, said agent remaining on said client machine after said agent sends said authentication information to said server machine; and
(c) an agent transmitted to and executed on said client machine, following a connection from said server machine to said client machine, said agent removed from said client machine after said agent transmits said authentication information to said server machine.
46 . The method of claim 44 wherein said authentication information is provided by an operating system of said client machine.
47 . The method of claim 44 wherein said authentication information is provided from one or more query responses to one or more corresponding queries independent of interaction with said client application.
48 . The method of claim 44 wherein said authentication information is provided from one or more query responses to one or more corresponding queries to components of said client machine other than said client application.
49 . The method of claim 44 wherein said request is for access credentials to network resources or other server machines.
50 . A computer-readable storage medium having embedded thereon computer-readable code for authentication, the computer-readable code comprising program code for:
(a) receiving at a server machine, via a first channel, a request from a client machine, said request associated with a client application on said client machine; (b) connecting, via a second channel that is separate from said first channel, between said server machine and said client machine; (c) collecting said authentication information on said client machine; (d) sending said authentication information from said client machine via said second channel to said server machine; and (e) receiving at said server machine, via said second channel, authentication information from said client machine,
wherein said authentication information is associated with a component of the system selected from the group consisting of:
(i) said request; and
(ii) said client application, and
wherein said authentication information is collected independently of interaction with said client application.
51 . A computer-readable storage medium having embedded thereon computer-readable code for authentication, the computer-readable code comprising program code for:
(a) receiving at a server machine, via a first channel, a request from a client machine, said request associated with a client application on said client machine; and (b) receiving at said server machine, via a second channel that is separate from said first channel, from said client machine, authentication information;
wherein said authentication information is associated with a component of the system selected from the group consisting of:
(i) said request; and
(ii) said client application, and
wherein said authentication information is collected independently of interaction with said client application.
52 . A computer-readable storage medium having embedded thereon computer-readable code for authentication, the computer-readable code comprising program code for:
(a) sending a request from a client application on a client machine via a first channel to a server machine; and (b) sending authentication information from said client machine via a second channel to said server machine,
wherein said authentication information is associated with a component selected from the group consisting of:
(i) said request; and
(ii) said client application, and
wherein said authentication information is collected independent of interaction with said client application.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.