Title: Query system and method to determine authentication capabilities
Abstract: A system, apparatus, method, and machine readable medium are described for determining the authentication capabilities. For example, one embodiment of a method comprises: receiving a policy identifying a set of acceptable authentication capabilities; determining a set of client authentication capabilities; and filtering the set of acceptable authentication capabilities based on the determined set of client authentication capabilities to arrive at a filtered set of one or more authentication capabilities for authenticating a user of the client.
Publication No.: US9172687(B2)  Publication date: 2015.10.27
Application No.: US201213730761  Filing date: 2012.12.28
Applicant: NOK NOK LABS, INC.  Inventors: Baghdasaryan Davit; Lourie Matthew; Lindemann Rolf; Wilson Brendon J.; Briceno Marc
Classification: H04L29/06  Main classification: H04L29/06
Agency: Nicholson De Vos Webster & Elliott LLP  Agent: Nicholson De Vos Webster & Elliott LLP
Principal claim: 1. A machine-implemented method for authenticating a user over a network comprising: receiving at a client device from an authentication server a policy identifying a set of acceptable authentication capabilities for authenticating a user of the client device over the network, the acceptable authentication capabilities including one or more acceptable types of authentication devices; determining at the client device a set of client authentication capabilities available on the client device, including one or more authentication devices available on the client device; analyzing the policy at the client device to determine an appropriate privacy class to be used for providing client information to the authentication server for each authentication device of the policy, wherein a privacy class is defined based on a probability with which the client information could be used to uniquely identify a user; filtering at the client device the set of acceptable authentication capabilities based on the determined set of client authentication capabilities, the determined privacy class of each authentication device, and privacy preferences specified by the user of the client to arrive at a filtered set of one or more authentication capabilities for authenticating the user of the client; wherein the filtered set of one or more authentication capabilities comprises a subset of authentication capabilities common to both the authentication capabilities identified in the server policy and the authentication capabilities available on the client, further filtered based on the determined privacy class for each authentication device and privacy preferences specified by the user, the filtered set including one or more authentication devices available on the client device for performing authentication that reduce the privacy risks to the user; and using the filtered set of one or more authentication capabilities to register the filtered set of one or more authentication capabilities, including the one or more acceptable authentication devices, with an authentication service and to authenticate the user with the authentication service over the network.
Address: Palo Alto CA US