Title of invention: Dynamic user authentication for access to online services
Abstract: A dynamic authentication system that makes authentication stronger, while reducing the cost to business and the burden to users. The system includes a service that provides centralized, non-federated, proxied authentication. The system uses a two-pass authentication process that first receives a supposed identity of the user and then determines one or more authentication criteria for proving that supposed identity. When the user attempts to use an online service that relies on the dynamic authentication system for authentication, the service requests the user's identity. The system dynamically determines authentication criteria for the user to prove the provided identity belongs to the user. In the second pass, the service receives a response from the user containing additional authentication information, and forwards the received response to the system for verification. If verification succeeds, the service allows the user to access the requested resources.
Publication number: US8756661(B2); Publication date: 2014.06.17
Application number: US201012862452; Filing date: 2010.08.24
Applicant: UFP Identity, Inc.; Inventor: Levenberg Richard
Classification: H04L29/06; Main classification: H04L29/06
Agency: Carmen Patti Law Group, LLC; Agent: Carmen Patti Law Group, LLC
Principal claim: 1. A computer-implemented method for authenticating a user for access to an online service using a variable authentication type, the method comprising: receiving from an online service an authentication request that includes user identity information and an indication of the online service that submitted the request; dynamically determining one or more authentication criteria to use to authenticate the identified user, by dynamically selecting one or more modes of authentication based on a determined level of confidence that the user is who the user claims to be such that a user receives one authentication criterion during one authentication request and another authentication criterion during another authentication request; sending to the online service an authentication response that requests satisfaction of the determined authentication criteria by the user, wherein the authentication response comprises a previously configured authentication method set by the user; receiving from the online service a verification request that includes user identity information and a response to the authentication criteria; validating the information received in the verification request to determine whether a user requesting access is the user identified by the user identity information; and upon determining that the information received in the information request matches one or more expected answers, sending to the online service a verification response indicating that the access request is allowed, wherein the preceding steps are performed by at least one processor.
Address: Wilmington DE US