US2016065552A1PendingUtilityA1

Method and system for interoperable identity and interoperable credentials

60
Assignee: DRFIRST COM INCPriority: Aug 28, 2014Filed: Nov 26, 2014Published: Mar 3, 2016
Est. expiryAug 28, 2034(~8.1 yrs left)· nominal 20-yr term from priority
G06F 21/31H04L 63/0884G06F 21/45H04L 63/08H04L 67/60G06Q 50/265G06F 21/46H04L 63/10G06F 2221/2117H04L 63/0421G06Q 10/00
60
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

Method, system, and programs for interoperable identity and interoperable credentials. In one example, an authentication request is received. The authentication request originated from an online user in connection with an application having a first LOA. The authentication request includes the online user's input. A digital identity is searched based on the online user's input. A GUID associated with the digital identity is obtained when the digital identity is found. One or more credentials that are bound to the GUID at the first LOA or a higher LOA are provided. A selection of at least one credential is received. Information of the selected credential that includes a credential verification service capable of verifying the selected credential is received. Verification of the selected credential of the online user based on the GUID is requested. A verification response is received. The online user is authenticated at the first LOA when the verification response indicates that the selected credential is successfully verified.

Claims

exact text as granted — not AI-modified
We claim: 
     
         1 . A method implemented on a computing device having at least one processor, storage, and a communication platform capable of making a connection to a network for managing identity information of a person, the method comprising the steps of:
 receiving the person's name after the identity of the person has been proved at an identity proofing (IDP) level of assurance (LOA);   receiving information related to a credential that is associated with the person, wherein the credential can be verified by a credential verification service at a LOA that is of the same or lower level than the IDP LOA;   obtaining a chosen name of the person, wherein a combination of the person's name and the chosen name uniquely identifies the person;   creating a digital identity based, at least in part, on the person's name and the chosen name;   generating a globally unique identifier (GUID) that associates with the digital identity and binds to the person;   binding the GUID with the credential;   storing a record of the person that includes at least the IDP LOA and information related to the credential and the credential verification service; and   transmitting information to the credential verification service that the person is to be authenticated based on a real-time user input associated with the credential.   
     
     
         2 . The method of  claim 1 , wherein binding the GUID with the credential occurs at an identity center or at a credential exchange. 
     
     
         3 . The method of  claim 2 , wherein the identity of the person is unknown to the credential exchange. 
     
     
         4 . The method of  claim 1 , wherein the identity of the person has been proved by an IDP source. 
     
     
         5 . The method of  claim 4 , wherein the IDP source includes at least one of:
 an identity proofing service provider that is an approved member of a trust framework;   a government agency;   a trusted healthcare organization; and   a trusted application wherein users of the trusted application passed the identity proofing at the IDP LOA.   
     
     
         6 . A method implemented on a computing device having at least one processor, storage, and a communication platform capable of making a connection to a network for authenticating an online user, the method comprising the steps of:
 receiving an authentication request originated from the online user in connection with an application having a first level of assurance (LOA), wherein the authentication request includes the online user's input;   searching a digital identity based on the online user's input;   obtaining a globally unique identifier (GUID) associated with the digital identity when the digital identity is found;   providing one or more credentials that are bound to the GUID at the first LOA or a higher LOA;   receiving a selection of at least one credential from the one or more credentials;   retrieving information of the selected at least one credential that includes a credential verification service capable of verifying the selected at least one credential;   requesting verification of the selected at least one credential of the online user based on the GUID;   receiving a verification response; and   authenticating the online user at the first LOA when the verification response indicates that the selected at least one credential is successfully verified.   
     
     
         7 . The method of  claim 6 , further comprising denying authentication of the online user when the digital identity is not found. 
     
     
         8 . The method of  claim 6 , wherein the step of requesting verification of the selected at least one credential of the online user based on the GUID comprises:
 soliciting information associated with the selected at least one credential from the online user; and   sending a verification request to the credential verification service with the GUID and the received information associated with the selected at least one credential.   
     
     
         9 . The method of  claim 6 , wherein the step of requesting verification of the selected at least one credential of the online user based on the GUID includes sending a verification request to the credential verification service with the GUID. 
     
     
         10 . The method of  claim 6 , wherein the first LOA is 2 or 3. 
     
     
         11 . The method of  claim 6  further comprising the steps of:
 providing, upon the successful authentication, the one or more credentials; 
 receiving a choice of at least one of the one or more credentials; and 
 disabling the chosen at least one credential. 
 
     
     
         12 . The method of  claim 6  further comprising the steps of:
 receiving, upon the successful authentication, information about a credential with an associated LOA that is the same or lower than the first LOA, as well as a credential verification service capable of verifying the credential; and 
 binding the GUID with the credential and the associated LOA. 
 
     
     
         13 . The method of  claim 12  further comprising the step of:
 storing the received information; or 
 sending the received information to a credential exchange. 
 
     
     
         14 . The method of  claim 6 , wherein an authenticated session is created upon the successful authentication of the online user. 
     
     
         15 . The method of  claim 14 , further comprising sharing the authenticated session with another application. 
     
     
         16 . The method of  claim 14 , wherein the authenticated session expires at a predetermined period of time. 
     
     
         17 . The method of  claim 16 , wherein the predetermined period of time is configurable. 
     
     
         18 . A method implemented on a computing device having at least one processor, storage, and a communication platform capable of making a connection to a network for authenticating an online user, the method comprising the steps of:
 storing one or more credentials associated with a globally unique identifier (GUID) corresponding to a person;   receiving the GUID and a first level of assurance (LOA) associated with an application;   determining at least one of the one or more credentials, wherein each of the determined at least one credential is at the first LOA or a higher LOA; and   providing the determined at least one credential so that the online user who claims to be the person can be authenticated based on a credential selected from the at least one credential.   
     
     
         19 . The method of  claim 18  further comprising receiving information about one of the one or more credentials associated with the GUID at a LOA from an identify center. 
     
     
         20 . The method of  claim 19 , wherein the information further includes a credential verification service capable of verifying the credential.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.