Title of invention: Authentication tokens managed for use with multiple sites
Abstract: A method and system for authenticating an account holder using multi-factor authentication. An account holder is associated with a token device configured to supply the account holder with a dynamic password. The dynamic password has a current value that is synchronously stored at an aggregator service and at the token device. The dynamic password is changed periodically. The aggregator service also associates the account holder with at least one account maintained by the account providers. The aggregator service receives an authorization request from either the user or from one of the account providers. The aggregator service performs an authorization operation for determining if a proffered dynamic password submitted by the user during an attempt to login matches the current value of the dynamic password stored at the aggregator service.
Publication number: US9363262(B1) Publication date: 2016.06.07
Application number: US200812210633 Filing date: 2008.09.15
Applicant: GALILEO PROCESSING, INC. Inventor: Wilkes T. Clay
Classification: H04L29/06;H04L9/32;G06F21/31;G06F21/34 Main classification: H04L29/06
Agency: Maschoff Brennan Agent: Maschoff Brennan
Main claim: 1. At an aggregator service within a distributed computing system that includes the aggregator service and a plurality of different account providers, wherein an account holder is an owner of a plurality of accounts, at least one account of the plurality with each of the different account providers, a method for authenticating the account holder using multi-factor authentication, the method comprising: associating, by the aggregator service, the account holder with a single token device, the token device configured to supply the account holder with a single dynamic password linking the account holder with the token device and with the plurality of accounts, at least one account of the plurality with each of the different account providers, the dynamic password having a current value that is synchronously stored at the aggregator service and at the token device, wherein the current value of the dynamic password stored at the token device is updated using a first clocking device, wherein the current value of the dynamic password stored at the aggregator service is updated using a second clocking device, and wherein the first clocking device at the token device and the second clocking device at the aggregator service synchronously update the dynamic password independent of each other; periodically changing, using a plurality of processor-based computing devices programmed to perform the periodic changing, the current value of the dynamic password by synchronously generating and storing a single, different dynamic password at the aggregator service and at the token device, wherein the periodic changing is programmed to pull the current value of the dynamic password from a table of password values; associating the account holder with a different client identifier for each of the account providers, each client identifier linking the account holder to the at least one account with one of the account providers, the account providers each being a separate entity from the aggregator service; receiving a request for authorization to login to a selected account of the plurality of accounts with one of the account providers, the request including the client identifier linking the account holder to the selected account and a proffered password generated by the token device, wherein the dynamic password and the proffered password submitted by a user are associated with a timestamp for indicating a time at which the dynamic password and the proffered password were previously updated; and performing an authorization operation by determining the dynamic password associated with the account holder using the client identifier and by determining a match between the proffered password received with the request for authorization to login to the selected account and the current value of the dynamic password stored at the aggregator service and associated with the account holder.
Address: Salt Lake City UT US