Patent 6993658

Derivative works

Defensive disclosure: derivative variations of each claim designed to render future incremental improvements obvious or non-novel.

Active provider: Google · gemini-2.5-flash


Defensive Disclosure: Derivatives of US Patent 6,993,658

This document outlines various derivative concepts extending the core teachings of US Patent 6,993,658, aimed at establishing prior art for future incremental improvements in user authentication systems leveraging personal communication devices. The objective is to render such improvements obvious or non-novel, thereby limiting the patentability landscape for competitors.

Core Claims for Derivation

The primary focus for these derivations is on the independent claims of US6993658, specifically:

  • Claim 1 (Method): A method of authenticating a user on a first secure computer network, associating the user with a personal communication device (PCD) on a second network, receiving a token request via the PCD, generating a new password from a token (unknown to user) and a passcode (known to user), setting the new password, activating/deactivating account access within a predetermined time, transmitting the token to the PCD, and receiving the password from the user via the first network.
  • Claim 5 (System): A user authentication system comprising a computer processor, a user database, a control module to create/set a new password from a token and passcode, a communication module to transmit the token to a PCD via a cell phone network, and an authentication module to receive the password, activate/deactivate account access within a predetermined time.
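The Claim 1 / Claim 5 flow as an added reference implementation (not the patent's text or any product's code): a token server that identifies the requester by the registered PCD, sets the password to passcode+token, and keeps account access activated only for the predetermined window. The class and function names (TokenServer, request_token, authenticate), the token alphabet and the injected clock are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Token alphabet without 0/O/1/I so a token read off a phone screen is unambiguous (assumed choice).
TOKEN_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
TOKEN_LENGTH = 8


@dataclass
class UserRecord:
    """One row of the user database of Claim 5."""
    passcode: str                        # secret known to the user and held by the server
    device_id: str                       # registered PCD identifier on the second network
    password_hash: Optional[bytes] = None
    active_until: float = 0.0            # end of the activation window (epoch seconds)
    token_spent: bool = True             # a password built from an already used token is never accepted


class TokenServer:
    """Control, communication and authentication modules of Claim 5 in one object (hypothetical name)."""

    def __init__(self, users: Dict[str, UserRecord], now: Callable[[], float], lifetime_s: float = 120.0):
        self.users = users
        self.now = now                   # injected clock so the activation window is testable
        self.lifetime_s = lifetime_s     # the "predetermined time" of the claims
        self.by_device = {rec.device_id: uid for uid, rec in users.items()}

    @staticmethod
    def _hash(user_id: str, password: str) -> bytes:
        # Salted with the user id; the token adds about 40 bits of fresh entropy to every password.
        return hashlib.sha256(f"{user_id}\x00{password}".encode()).digest()

    def request_token(self, device_id: str) -> Optional[str]:
        """Token request received via the PCD; the user is identified by the device, not by name."""
        user_id = self.by_device.get(device_id)
        if user_id is None:
            return None                  # unregistered device: nothing is generated or sent
        rec = self.users[user_id]
        token = "".join(secrets.choice(TOKEN_ALPHABET) for _ in range(TOKEN_LENGTH))
        # Control module: new password = passcode (known to user) + token (unknown until delivered).
        rec.password_hash = self._hash(user_id, rec.passcode + token)
        rec.active_until = self.now() + self.lifetime_s   # account access activated for the window
        rec.token_spent = False
        return token                     # the communication module sends this to the PCD (SMS, SBD, ...)

    def _deactivate(self, rec: UserRecord) -> None:
        rec.password_hash = None
        rec.active_until = 0.0
        rec.token_spent = True

    def authenticate(self, user_id: str, password: str) -> bool:
        """Authentication module: the combined password arrives over the first network."""
        rec = self.users.get(user_id)
        if rec is None or rec.password_hash is None:
            return False
        if rec.token_spent or self.now() > rec.active_until:
            self._deactivate(rec)        # predetermined time elapsed: deactivate account access
            return False
        ok = hmac.compare_digest(self._hash(user_id, password), rec.password_hash)
        if ok:
            rec.token_spent = True       # one login per token (added hardening, not a claim element)
        return ok
```

The single-use token, salted hash and constant-time comparison are hardening choices beyond the claim elements; limiting repeated failed attempts is left to the monitoring described in Derivative 5.2.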

The following derivatives expand upon these core concepts across five axes: Material & Component Substitution, Operational Parameter Expansion, Cross-Domain Application, Integration with Emerging Tech, and The "Inverse" or Failure Mode.


Derivative Variations for User Authentication System/Method

1. Material & Component Substitution

Derivative 1.1: Authentication via Satellite Communication Device

  • Enabling Description: The personal communication device (PCD) is substituted with a satellite communication handset or a satellite modem integrated into a portable terminal. The "second network" is a satellite constellation (e.g., Iridium, Globalstar, Starlink) providing global coverage. The communication module on the authentication server side uses a satellite transceiver unit (e.g., an L-band or Ku-band modem) connected via a ground station to send the token as a short burst data (SBD) message or a proprietary satellite messaging format. The user requests a token by sending an SBD message, and the server identifies the user by the satellite terminal's unique identifier (e.g., IMEI or a registered SATCOM ID) received with the incoming SBD message. The new password is formed by concatenating the user's secret passcode with the received satellite-delivered token.
```mermaid
flowchart TD
    A[User] --> B{Satellite Comm. Device}
    B -- "Token Request (SBD Message)" --> C[Satellite Constellation]
    C -- Relays Request --> D[Satellite Ground Station]
    D -- Forwards Request --> E[Authentication Server]
    E -- "Generates Token & New Password" --> E
    E -- "Sends Token (SBD Message)" --> D
    D -- Relays Token --> C
    C -- Delivers Token --> B
    B -- "User Combines Passcode & Token" --> A
    A -- Submits New Password --> F[Secure System]
    F -- Authenticates User --> E
```

Derivative 1.2: Authentication with Near-Field Communication (NFC) Enabled Wearable Device

  • Enabling Description: The personal communication device is a wearable smart device (e.g., smartwatch, smart ring) equipped with an NFC chip. The "second network" is a local NFC field established by a proximity reader integrated into the secure system's access point or a dedicated communication module. The token is transmitted to the wearable device via a secure NFC handshake. The user requests a token by tapping their wearable device on the NFC reader. The system identifies the user through a pre-registered unique identifier associated with the wearable device's NFC chip. The new password is a combination of the user's passcode and the NFC-delivered token. For login, the user taps the device again, and the combined password (passcode+token, generated client-side or retrieved from the wearable) is submitted.
```mermaid
sequenceDiagram
    participant U as User
    participant W as Wearable Device (NFC)
    participant A as NFC Reader (Auth Server)
    participant S as Secure System

    U->>W: Wearable on user
    U->>A: Tap W to A (Token Request)
    A->>A: Identify W via NFC ID
    A->>A: Generate Token
    A->>W: Transmit Token via NFC
    U->>W: Receive Token
    U->>U: Mentally combine passcode + token
    U->>S: Submit Passcode + Token
    S->>A: Validate Authentication
    A->>S: Grant Access Confirmation
```

Derivative 1.3: Authentication Using a Public-Key Cryptography (PKC) Hardware Token

  • Enabling Description: The personal communication device is replaced by a standardized PKC hardware token (e.g., a FIDO U2F security key or a smart card with a cryptographic coprocessor) which is capable of generating or holding cryptographic keys. The "second network" involves a direct USB or Bluetooth connection to the client device, which then relays the information to the authentication server over the main network. The server generates a random challenge (token) and transmits it to the PKC hardware token. The hardware token uses its private key to sign the challenge, and this signature (the "new password") is transmitted back to the server. The user's "passcode" in this context is the PIN/biometric required to unlock the hardware token. The server verifies the signature using the associated public key. Activation and deactivation of access are tied to the validity of the signed challenge and the hardware token's presence.
```mermaid
flowchart TD
    U[User] --> H{PKC Hardware Token}
    H -- "USB/Bluetooth" --> C[Client Device]
    C -- Challenge Request --> S[Auth Server]
    S -- "Generates Random Challenge (Token)" --> S
    S -- Sends Challenge --> C
    C -- Forwards Challenge --> H
    U -- "Enters PIN/Biometric" --> H
    H -- Signs Challenge with Private Key --> H
    H -- "Transmits Signature (Password)" --> C
    C -- Forwards Signature --> S
    S -- Verifies Signature with Public Key --> S
    S -- "Activates/Deactivates Access" --> D[User Database]
    S -- Grants Access --> R[Secure Resource]
```

2. Operational Parameter Expansion

Derivative 2.1: Nanoscale Device Authentication for Distributed Sensor Networks

  • Enabling Description: The secure system comprises a distributed network of nanoscale sensors (e.g., for environmental monitoring within a confined space or in a biological system). Each sensor requires periodic re-authentication. The "user" is a maintenance or control agent, and their "personal communication device" is a specialized handheld nanodevice interface unit that communicates via quantum entanglement or highly localized terahertz frequencies. Tokens are generated for each individual sensor or small clusters. The token lifespan is extremely short (milliseconds to seconds) due to the transient nature of sensor data and potential rapid compromise. The token and passcode (a cryptographic seed known to the nanodevice interface) are used to generate a unique, short-lived session key for data transmission. Deactivation occurs immediately upon session completion or data burst transmission.
```mermaid
graph LR
    A["Nanodevice Interface Unit (PCD)"] -- "THz/Quantum Link" --> B{Nanoscale Sensor Node}
    B -- Token Request --> C["Authentication & Control Server (Micro)"]
    C -- "Generates Nano-Token & Session Key" --> C
    C -- "Delivers Nano-Token" --> B
    B -- "Combines Token + Seed (Passcode)" --> B
    B -- Generates Session Key --> B
    B -- Authenticates to Data Store --> D[Secure Data Store]
    D -- "Grants/Revokes Access" --> B
```

Derivative 2.2: Hyperscale, Continuous Authentication for Cloud-Native Microservices

  • Enabling Description: The "first secure computer network" is a hyperscale, globally distributed cloud environment hosting millions of ephemeral microservices. The "user" is an automated CI/CD pipeline or a service mesh component requiring continuous, granular authorization. The "personal communication device" is a dedicated, ephemeral sidecar proxy or an enclave within the microservice instance. The "second network" is a highly secure, high-throughput internal cloud network fabric. Tokens (often short-lived JSON Web Tokens, JWTs) are requested and issued every few seconds or on demand for specific API calls, with passcodes being cryptographic keys securely managed within the enclaves. The authentication server dynamically adjusts token lifespan and scope based on real-time threat intelligence and service behavior anomalies. Deactivation is implicit with JWT expiration, enforced by policy enforcement points.
```mermaid
sequenceDiagram
    participant M as Microservice Instance (PCD)
    participant C as Control Plane (Auth Server)
    participant D as Data Plane (Secure Network)

    loop Continuous Authentication
        M->>C: Automated Token Request (API Key as Passcode)
        C->>C: Risk Assessment & Token Generation (JWT)
        C->>M: Deliver JWT (Token)
        M->>D: Submit JWT for API Call
        D->>C: Validate JWT
        C->>D: Confirm/Deny Access
        M->>D: Perform API Call (if granted)
    end
```

Derivative 2.3: Ultra-Low Frequency (ULF) Authentication for Subterranean/Underwater Infrastructure

  • Enabling Description: The secure system is critical infrastructure located deep underground or underwater, requiring access authentication in challenging communication environments. The "user" is a specialized maintenance technician or autonomous underwater vehicle (AUV). The "personal communication device" is a ruggedized ULF transceiver. The "second network" operates on Ultra-Low Frequencies (300 Hz to 3 kHz) or extremely low frequencies (ELF) to penetrate rock and water over long distances. The communication module on the server side is a massive ULF antenna array. Tokens are generated as short, binary ULF pulse sequences. Passcodes might be pre-shared keys or physical parameters entered on the ULF transceiver. Due to extremely low bandwidth, tokens are simple bit strings, and transmissions are slow. Deactivation occurs within hours or days, considering the long intervals between human or AUV presence.
```mermaid
flowchart TD
    U["Technician/AUV"] --> T{"ULF Transceiver (PCD)"}
    T -- ULF Token Request --> A[ULF Antenna Array]
    A -- Data Link --> S[Authentication Server]
    S -- Generates ULF Token --> S
    S -- Delivers ULF Token --> A
    A -- ULF Token Delivery --> T
    T -- "Combines Passcode & Token" --> T
    T -- Submits ULF Password --> I["Subterranean/Underwater Infrastructure"]
    I -- Verifies Password --> S
    S -- "Grants/Revokes Access" --> I
```

3. Cross-Domain Application

Derivative 3.1: Maritime Vessel Access Control

  • Enabling Description: The secure system is a critical control panel or engine room access point on a maritime vessel. The "user" is a crew member. The "personal communication device" is a ruggedized satellite phone or an onboard radio (VHF/UHF) with data messaging capabilities. The "second network" is either a maritime satellite network or a short-range vessel-specific data radio network. The authentication server is located either onshore or on the vessel's bridge. A token request is sent from the crew member's device (e.g., an SMS over satellite or a secure data burst over VHF). The server generates a token, combines it with a crew-specific passcode to set the new password, and sends the token back to the device. The crew member then enters the combined password on the vessel's control panel to gain access. Access is automatically deactivated after a shift or, for certain restricted areas, after a short period.
```mermaid
sequenceDiagram
    participant C as Crew Member
    participant S as Sat Phone/VHF Radio (PCD)
    participant N as Maritime Sat/VHF Network
    participant A as Authentication Server (Onshore/Bridge)
    participant V as Vessel Control Panel (Secure System)

    C->>S: Token Request
    S->>N: Transmit Request
    N->>A: Forward Request
    A->>A: Generate Token + New Password (Passcode)
    A->>N: Deliver Token
    N->>S: Transmit Token
    S->>C: Receive Token
    C->>V: Input New Password
    V->>A: Authenticate
    A->>V: Grant/Deny Access
```

Derivative 3.2: Agricultural Field Equipment Authorization

  • Enabling Description: The secure system is an agricultural autonomous tractor or a high-value farming implement, requiring authorization for operation or specific functions. The "user" is a farm operator or an agronomist. The "personal communication device" is a robust smartphone or a dedicated ruggedized tablet with LoRaWAN or private 5G cellular capabilities. The "second network" is a farm-specific LoRaWAN network or a private cellular network covering the agricultural fields. The authentication server could be a local farm server or a cloud-based agricultural management platform. A token request is sent via the device. The server generates a token based on the user's passcode and sends it to the device. The operator then enters the combined password (e.g., on the tractor's console) to start or enable a particular function (e.g., seeding, spraying). Access is time-limited to a specific operational window.
```mermaid
graph TD
    A["Farm Operator (User)"] --> B{"Ruggedized Tablet (PCD)"}
    B -- "Token Request (LoRaWAN/Private 5G)" --> C["Farm Network (Second Network)"]
    C -- Relays Request --> D["Farm/Cloud Auth Server"]
    D -- "Generates Token & Combines with Passcode" --> D
    D -- Sends Token --> C
    C -- Delivers Token --> B
    B -- Displays Token --> A
    A -- "Inputs Password (Passcode+Token)" --> E["Autonomous Tractor/Implement (Secure System)"]
    E -- Authenticates --> D
    D -- Grants Operational Access --> E
    E -- Deactivates after Time Limit --> D
```

Derivative 3.3: Space-Based Asset Control (Satellite/Probe Access)

  • Enabling Description: The secure system is a sensitive control interface for a satellite, space probe, or orbital asset. The "user" is a ground station operator. The "personal communication device" is a hardened ground station terminal capable of communicating over a secure space-to-ground data link (e.g., S-band, X-band). The "second network" is the deep space network or a proprietary satellite communication network. The authentication server is located at the mission control center. A token request is sent from the terminal to the authentication server. The server generates a token (which could be a segment of an encryption key or a specific command sequence) and transmits it back to the ground terminal. The operator then concatenates this token with a mission-specific passcode and inputs it into the space asset command console. Access to critical commands is activated for a very short, specific window and then immediately deactivated.
```mermaid
sequenceDiagram
    participant O as Ground Station Operator
    participant T as Hardened Terminal (PCD)
    participant D as Deep Space Network
    participant A as Mission Control Auth Server
    participant S as Space Asset Command Console (Secure System)

    O->>T: Initiate Token Request
    T->>D: Transmit Request (Secure Link)
    D->>A: Relay Request
    A->>A: Generate Token (Key Segment) & New Command (Passcode)
    A->>D: Deliver Token
    D->>T: Relay Token
    T->>O: Display Token
    O->>S: Input New Command Sequence (Passcode+Token)
    S->>A: Authenticate Command
    A->>S: Authorize/Reject Command
```

4. Integration with Emerging Tech

Derivative 4.1: AI-Driven Adaptive Token Authentication with User Behavioral Biometrics

  • Enabling Description: The user authentication system integrates an AI-driven risk engine. Upon a token request from the personal communication device (PCD), the AI analyzes contextual data (e.g., user's usual login patterns, geographic location of the PCD, time of day, network used, recent past authentications). It also incorporates passive behavioral biometrics (e.g., typing cadence, swipe patterns) collected by the PCD and sent with the request. The AI dynamically generates a token of variable complexity and lifespan. If risk is low, a short, long-lifespan token is issued. If risk is high, a complex, very short-lifespan token, or even a multi-token sequence, is generated, potentially requiring additional "passcodes" (e.g., a biometric on the PCD). The authentication module's acceptance criteria for the combined password are also dynamically adjusted by the AI based on the real-time risk score.
```mermaid
stateDiagram
    [*] --> InitialRequest: User requests token
    InitialRequest --> AI_RiskAssessment: Send contextual/behavioral data
    AI_RiskAssessment --> LowRisk: If risk score below threshold
    AI_RiskAssessment --> HighRisk: If risk score at or above threshold
    LowRisk --> GenerateSimpleToken: Short, long-lifespan token
    HighRisk --> GenerateComplexToken: Complex, short-lifespan, multi-token
    GenerateSimpleToken --> TokenDelivery: Deliver token
    GenerateComplexToken --> TokenDelivery: Deliver token
    TokenDelivery --> UserInput: User combines and inputs password
    UserInput --> AI_AuthDecision: Authenticate with adaptive criteria
    AI_AuthDecision --> AccessGranted: If authenticated
    AI_AuthDecision --> AccessDenied: If failed
    AccessGranted --> [*]
    AccessDenied --> InitialRequest: Retry
```

Derivative 4.2: IoT-Triggered Contextual Authentication via Ultra-Wideband (UWB) Proximity

  • Enabling Description: The secure system is an IoT device (e.g., a smart lock, industrial sensor controller). The "user" carries a personal communication device (e.g., a smartphone) equipped with Ultra-Wideband (UWB) capabilities. The "second network" is a short-range, secure UWB link to the IoT device. Authentication is contextually triggered: when the user's PCD is within a precise, pre-defined UWB proximity zone of the IoT device, the IoT device (acting as the communication module/requestor) automatically initiates a token request to a local edge authentication server. The server generates a token (e.g., a time-based one-time password, TOTP-like string) and pushes it as an ephemeral notification to the user's PCD. The user then enters their passcode plus the UWB-received token into a virtual keypad on the PCD or directly into the IoT device if it has an interface. Deactivation is automatic upon loss of UWB proximity or after a short operational window.
```mermaid
flowchart TD
    U[User] --> P{"Smartphone (PCD) with UWB"}
    P -- UWB Proximity Detection --> I["IoT Device (Secure System)"]
    I -- "Auto-Token Request" --> E[Edge Auth Server]
    E -- "Generates Token & Combines with Passcode" --> E
    E -- Pushes Token Notification --> P
    P -- "User Enters Password (Passcode+Token)" --> I
    I -- Authenticates --> E
    E -- Grants IoT Access --> I
    I -- Deactivates on UWB Loss --> P
```

Derivative 4.3: Blockchain-Verified Token Delivery and Decentralized Access Control

  • Enabling Description: The user authentication system integrates a private or consortium blockchain for immutable record-keeping and decentralized validation of token transactions. When a token request is received from a personal communication device (PCD), the authentication server generates a token and records the token, its intended recipient, and its expiry on the blockchain as a transaction. Instead of directly transmitting the token, the server transmits a cryptographic proof of the token's existence on the blockchain to the PCD. The user, upon receiving this proof and their passcode, constructs the password. When submitting the password to the secure system, the secure system (or a delegated node) independently queries the blockchain to verify the token's validity and associated user, ensuring integrity and non-repudiation. Smart contracts can govern token generation frequency and deactivation.
```mermaid
sequenceDiagram
    participant U as User
    participant P as Personal Comm Device
    participant A as Auth Server
    participant B as Blockchain Network
    participant S as Secure System

    U->>P: Request Token
    P->>A: Forward Token Request
    A->>A: Generate Token
    A->>B: Record Token details (hash, expiry, recipient) in transaction
    B->>A: Confirm Transaction (Proof)
    A->>P: Transmit Token Proof (e.g., transaction hash)
    P->>U: Receive Token Proof
    U->>U: Combine Passcode + Token (reconstructed via proof/local cache)
    U->>S: Submit Password + Token Proof
    S->>B: Verify Token details on Blockchain
    B->>S: Confirm Token Validity
    S->>S: Validate Password locally
    S->>A: Notify Auth Server of login
    A->>S: Grant/Deny Access Confirmation
```

5. The "Inverse" or Failure Mode

Derivative 5.1: Fail-Safe Limited Functionality Mode with Emergency Override

  • Enabling Description: In situations where the personal communication device (PCD) is lost, damaged, or cannot connect to the "second network," the system enters a "fail-safe limited functionality mode." Upon a token request initiated directly at the "first secure computer network" (e.g., via an emergency console), the authentication server attempts to deliver a highly restricted, single-use, time-limited token to a pre-registered backup channel (e.g., a landline phone via voice synthesis, a trusted administrative terminal, or an encrypted email to a verified address). The passcode for this mode would be a separate, longer emergency passcode known only to the user. This combined "emergency password" grants only "read-only" access, diagnostic capabilities, or a critical minimum set of functions. Full access remains deactivated. Additionally, a physical, biometric-enabled emergency override mechanism (e.g., retina scan or fingerprint) directly at the secure system can grant temporary, monitored access without any token if the user's identity is verified by other means, triggering extensive auditing and alerts.
```mermaid
stateDiagram
    [*] --> NormalOperation: Regular authentication
    NormalOperation --> PCD_Unavailable: PCD lost/damaged/offline
    PCD_Unavailable --> RequestEmergencyToken: User requests token at Secure System
    RequestEmergencyToken --> AuthServer: Attempts backup delivery
    AuthServer --> BackupChannel: Deliver limited token (e.g., voice call)
    BackupChannel --> User: User retrieves token
    User --> SecureSystem: User inputs Emergency Passcode + Limited Token
    SecureSystem --> LimitedAccess: Grants read-only or critical functions
    LimitedAccess --> AuditLog: Extensive logging of activity
    LimitedAccess --> NormalOperation: Revert once PCD is restored/full auth
    PCD_Unavailable --> EmergencyBiometricOverride: Direct biometric scan at Secure System
    EmergencyBiometricOverride --> SecureSystem: Verifies biometric
    SecureSystem --> LimitedAccess: Grants temporary, monitored access
```

Derivative 5.2: Self-Destructing Tokens on Malicious Activity Detection

  • Enabling Description: The system incorporates a real-time threat detection module that monitors login attempts and personal communication device (PCD) activity. If a predefined pattern of malicious activity is detected (e.g., multiple failed login attempts with the same token from different IP addresses, simultaneous login attempts from vastly separated geographical locations, or unauthorized access to the PCD itself triggering an alert), the currently valid token for that user is immediately and irrevocably revoked/invalidated on the authentication server. The associated user account on the "first secure computer network" is instantly deactivated, preventing any access, and an alert is sent to the user via an alternative secure channel and to security administrators. The token is designed to "self-destruct" server-side, meaning it is purged from memory and cannot be used for any subsequent authentication.
```mermaid
sequenceDiagram
    participant U as User
    participant P as Personal Comm Device
    participant A as Auth Server
    participant T as Threat Detection Module
    participant S as Secure System

    U->>P: Request Token
    P->>A: Request
    A->>A: Generate & Set Token
    A->>P: Deliver Token
    P->>U: Receive Token
    U->>S: Submit Password (Passcode+Token)
    S->>A: Authentication Request
    loop Monitoring Login/PCD Activity
        T->>S: Monitors login attempts
        T->>P: Monitors PCD activity (if applicable)
        alt Malicious Activity Detected
            T->>A: Trigger Token Revocation
            A->>A: Invalidate/Purge Token
            A->>S: Deactivate Account
            A->>U: Send Security Alert
            S->>S: Access Denied
        end
    end
    S->>A: Validate Authentication (if no threat)
    A->>S: Grant/Deny Access
```
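The detection logic of Derivative 5.2 as an added example that is not part of the original disclosure: a streaming monitor run over constructed JSON log lines that purges a token and deactivates the account when the same token fails from several source IPs, or when two attempts by one user imply impossible travel. The names (ThreatMonitor, run_monitor), the log format and the thresholds are assumptions.

```python
import json
import math
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample events, one JSON object per line (not real logs). "ok" is the
# result of the password check; lat/lon is the geolocation of the source IP.
SAMPLE_LOG = """\
{"ts": 1000, "user": "alice", "token_id": "t1", "ip": "203.0.113.5", "lat": 51.5, "lon": -0.1, "ok": false}
{"ts": 1003, "user": "alice", "token_id": "t1", "ip": "198.51.100.9", "lat": 51.5, "lon": -0.1, "ok": false}
{"ts": 1006, "user": "alice", "token_id": "t1", "ip": "192.0.2.77", "lat": 51.5, "lon": -0.1, "ok": false}
{"ts": 2000, "user": "bob", "token_id": "t2", "ip": "203.0.113.8", "lat": 40.7, "lon": -74.0, "ok": true}
{"ts": 2300, "user": "bob", "token_id": "t2", "ip": "198.51.100.3", "lat": 35.7, "lon": 139.7, "ok": true}
{"ts": 3000, "user": "carol", "token_id": "t3", "ip": "203.0.113.1", "lat": 48.9, "lon": 2.3, "ok": false}
{"ts": 3005, "user": "carol", "token_id": "t3", "ip": "203.0.113.1", "lat": 48.9, "lon": 2.3, "ok": true}
"""


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, used for the impossible-travel rule."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


class ThreatMonitor:
    """Real-time threat detection module of Derivative 5.2 (hypothetical name, assumed thresholds)."""
    MIN_DISTINCT_IPS = 2        # failed attempts with one token from this many IPs
    MAX_SPEED_KMH = 1000.0      # faster than any airliner: two attempts cannot be the same person
    MIN_TRAVEL_KM = 50.0        # ignore geolocation jitter between nearby IPs

    def __init__(self) -> None:
        self.failed_ips: Dict[str, Set[str]] = defaultdict(set)     # token_id -> IPs that failed with it
        self.last_seen: Dict[str, Tuple[float, float, float]] = {}  # user -> (ts, lat, lon)
        self.revoked: Set[str] = set()        # tokens purged server-side ("self-destructed")
        self.deactivated: Set[str] = set()    # accounts on the first network with access removed
        self.alerts: List[str] = []           # messages for the user's alternate channel and admins

    def ingest(self, line: str) -> bool:
        """Process one attempt; return False when it is blocked or has just triggered revocation."""
        ev = json.loads(line)
        user, tok = ev["user"], ev["token_id"]
        if tok in self.revoked or user in self.deactivated:
            return False                  # nothing left to authenticate against
        reason = None
        if not ev["ok"]:
            self.failed_ips[tok].add(ev["ip"])
            if len(self.failed_ips[tok]) >= self.MIN_DISTINCT_IPS:
                reason = f"token {tok} failed from {len(self.failed_ips[tok])} distinct IPs"
        prev = self.last_seen.get(user)
        if prev is not None:
            dt_h = max(ev["ts"] - prev[0], 1) / 3600.0
            km = haversine_km(prev[1], prev[2], ev["lat"], ev["lon"])
            if km > self.MIN_TRAVEL_KM and km / dt_h > self.MAX_SPEED_KMH:
                reason = f"{user}: {km:.0f} km between attempts in {dt_h * 3600:.0f} s"
        self.last_seen[user] = (ev["ts"], ev["lat"], ev["lon"])
        if reason is None:
            return True
        self.revoke(user, tok, reason)
        return False

    def revoke(self, user: str, tok: str, reason: str) -> None:
        """Irrevocably purge the token, deactivate the account and raise alerts."""
        self.revoked.add(tok)
        self.failed_ips.pop(tok, None)
        self.deactivated.add(user)
        self.alerts.append(f"ALERT user={user} token={tok}: {reason}")


def run_monitor(log_text: str) -> Tuple[ThreatMonitor, List[bool]]:
    """Feed every line of a log to a fresh monitor; return it with the per-attempt decisions."""
    mon = ThreatMonitor()
    decisions = [mon.ingest(line) for line in log_text.splitlines() if line.strip()]
    return mon, decisions
```

On the sample above, alice's token is purged after failures from two IPs, bob's after a New York to Tokyo jump in 300 s, while carol's single typo from one IP is left alone.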

Derivative 5.3: Gradual Deactivation with Audit Logging during Grace Period

  • Enabling Description: Instead of immediate deactivation, the system implements a "graceful degradation" or "grace period" for deactivating access after the predetermined token lifespan. Once the token's primary validity period expires, the user's account transitions to a "limited access" state for an additional configurable grace period (e.g., 1 hour, 1 day). During this grace period, all actions performed by the user on the "first secure computer network" are subjected to enhanced, real-time audit logging and monitoring. If the user attempts to perform critical actions or exceeds predefined thresholds, the system immediately forces re-authentication (requiring a new token) or fully deactivates the account. The communication module can also send a "soft expiry" notification to the PCD, prompting the user to request a new token before full deactivation.
```mermaid
stateDiagram
    [*] --> ActiveAccount: User authenticated, token valid
    ActiveAccount --> TokenExpired: Predetermined time elapsed
    TokenExpired --> GracePeriod: Limited access, enhanced logging
    GracePeriod --> ForcedReauthentication: User attempts critical action/threshold exceeded
    GracePeriod --> FullDeactivation: Grace period ends (no re-auth)
    ForcedReauthentication --> NewTokenRequired: Prompt for new token
    NewTokenRequired --> ActiveAccount: Successful re-authentication
    NewTokenRequired --> FullDeactivation: Failed re-authentication/no new token
    FullDeactivation --> [*]: Account deactivated
    GracePeriod --> UserNotified: Soft expiry notification to PCD
```
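The grace-period state machine of Derivative 5.3 as an added example (not from the original disclosure): a session that moves from ACTIVE to GRACE when the token's predetermined lifetime elapses, audit-logs every grace-period action, forces re-authentication on a critical action or when an action count is exceeded, and deactivates when the grace period ends. GracefulSession, the action names and the thresholds are assumptions.

```python
from enum import Enum
from typing import Callable, FrozenSet, List, Tuple


class State(Enum):
    ACTIVE = "active"                     # token valid, normal access
    GRACE = "grace"                       # token expired, limited access, enhanced audit logging
    REAUTH_REQUIRED = "reauth_required"   # critical action or threshold hit: new token needed
    DEACTIVATED = "deactivated"           # grace period ended or re-authentication failed


class GracefulSession:
    """Account access state of Derivative 5.3 (hypothetical class; thresholds are assumptions)."""

    def __init__(self, now: Callable[[], float], token_lifetime_s: float, grace_s: float,
                 max_grace_actions: int = 5,
                 critical: FrozenSet[str] = frozenset({"transfer", "delete", "config_change"})):
        self.now = now                             # injected clock for deterministic testing
        self.token_lifetime_s = token_lifetime_s   # the predetermined token lifespan
        self.grace_s = grace_s                     # configurable grace period (e.g. 1 hour, 1 day)
        self.max_grace_actions = max_grace_actions
        self.critical = critical
        self.audit: List[str] = []                 # enhanced, real-time audit trail
        self.notifications: List[str] = []         # messages the communication module sends to the PCD
        self._state = State.ACTIVE
        self._grace_actions = 0
        self._expires_at = now() + token_lifetime_s

    def state(self) -> State:
        """Apply the time-driven transitions before reporting the current state."""
        t = self.now()
        if self._state is State.ACTIVE and t > self._expires_at:
            self._state = State.GRACE
            self._grace_actions = 0
            self.notifications.append(f"soft expiry at {self._expires_at:.0f}: request a new token")
        if self._state is State.GRACE and t > self._expires_at + self.grace_s:
            self._state = State.DEACTIVATED
            self.audit.append(f"{t:.0f} grace period ended, account deactivated")
        return self._state

    def perform(self, action: str) -> Tuple[bool, State]:
        """Attempt an action on the first secure computer network; return (allowed, resulting state)."""
        st = self.state()
        t = self.now()
        if st is State.ACTIVE:
            return True, st
        if st is State.GRACE:
            self._grace_actions += 1
            self.audit.append(f"{t:.0f} GRACE action={action} count={self._grace_actions}")
            if action in self.critical or self._grace_actions > self.max_grace_actions:
                self._state = State.REAUTH_REQUIRED
                self.audit.append(f"{t:.0f} forced re-authentication (action={action})")
                return False, self._state
            return True, st
        return False, st                           # REAUTH_REQUIRED or DEACTIVATED: denied

    def reauthenticate(self, success: bool) -> State:
        """Outcome of the new-token login; a deactivated account cannot be revived this way."""
        st = self.state()
        if st is State.DEACTIVATED:
            return st
        if success:
            self._state = State.ACTIVE
            self._expires_at = self.now() + self.token_lifetime_s
            self._grace_actions = 0
            self.audit.append(f"{self.now():.0f} re-authenticated with new token")
        else:
            self._state = State.DEACTIVATED
            self.audit.append(f"{self.now():.0f} re-authentication failed, account deactivated")
        return self._state
```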

Combination Prior Art Scenarios with Open-Source Standards

These scenarios illustrate how the core concepts of US6993658 (using a PCD for token-based authentication with a passcode) could be combined with widely adopted open-source standards, further solidifying the obviousness of such implementations.

  1. US6993658 + OAuth 2.0 / OpenID Connect:

    • Enabling Description: An authentication server implements the OAuth 2.0 authorization framework and OpenID Connect (OIDC) for single sign-on. When a user attempts to access a protected resource, they are redirected to the authorization server. If the user's primary authentication method is configured as per US6993658, the authorization server (acting as the user token server) would, in response to the user's initial login attempt or explicit token request, generate a token and send it via SMS (the "second network") to their registered mobile phone (the "personal communication device"). The user then combines this SMS token with their memorized passcode to enter as their password into the authorization server's login form. Upon successful authentication, the authorization server issues an ID Token (OIDC) and/or Access Token (OAuth 2.0) to the client application, allowing access to the "first secure computer network" (the resource server). The token's lifespan and the overall session duration are managed by standard OAuth/OIDC expiry mechanisms.
    • Obviousness Statement: It would be obvious to a person skilled in the art of secure web authentication to integrate a two-factor authentication mechanism, such as that described in US6993658, into an existing OAuth 2.0/OpenID Connect flow to enhance security, leveraging readily available personal communication devices for out-of-band token delivery.
  2. US6993658 + FreeRADIUS (for Network Access Control):

    • Enabling Description: The "first secure computer network" is a corporate Wi-Fi network or VPN, protected by a FreeRADIUS server (an open-source RADIUS implementation). The FreeRADIUS server is configured to act as the authentication module and integrate with an external user token server (based on US6993658). When a user attempts to connect to the network, their client sends a RADIUS Access-Request with their User ID and a password. If the password format indicates a token-based authentication, the FreeRADIUS server queries the user token server. The user token server then generates a token and pushes it via SMS to the user's registered mobile phone. The user receives the token, combines it with their pre-shared passcode, and re-submits the full password to the FreeRADIUS server (or the client software manages this). The FreeRADIUS server, upon validating the combined password against the token server's generated value, issues a RADIUS Access-Accept, granting network access. The token's validity is time-limited, and the RADIUS session can be terminated after a predetermined idle time, effectively deactivating access.
    • Obviousness Statement: Given the prevalence of RADIUS for network access control and the desire for stronger authentication, it would be an obvious step for a PHOSITA to combine the token-based authentication described in US6993658 with an open-source RADIUS server like FreeRADIUS, enabling secure network access via personal communication devices.
  3. US6993658 + OpenVPN (for Secure Tunnel Establishment):

    • Enabling Description: The "first secure computer network" is accessed via a Virtual Private Network (VPN) secured by an OpenVPN server. The OpenVPN server is configured to require user authentication using the mechanism described in US6993658. When a user attempts to establish an OpenVPN tunnel, the OpenVPN client prompts for a User ID and password. The OpenVPN server interacts with a backend user token server. This server, in response to an explicit user request (e.g., via a web portal) or as part of the initial VPN authentication challenge, sends a token via SMS to the user's mobile phone. The user then combines their secret passcode with this received token and enters the combined string into the OpenVPN client's password field. Upon successful validation by the OpenVPN server (which confirms the password with the user token server), the secure VPN tunnel is established. The token's limited lifespan and the VPN session's inactivity timeout ensure time-bound access.
    • Obviousness Statement: It would be obvious to a PHOSITA in network security to enhance the authentication of a widely used open-source VPN solution like OpenVPN by integrating a two-factor token delivery mechanism as taught by US6993658, using personal mobile devices for improved security without requiring specialized hardware.
  4. US6993658 + FIDO WebAuthn (for Device-Bound Credentials):

    • Enabling Description: The secure system is a web application or service that supports FIDO WebAuthn for strong, phishing-resistant authentication. When a user registers or logs in, their "personal communication device" (e.g., a smartphone) acts as a WebAuthn authenticator. Instead of relying solely on the device's inherent biometrics or PIN, the WebAuthn flow is augmented by the US6993658 token mechanism. During WebAuthn registration or authentication, the Relying Party's server (which also acts as the user token server) generates a token and sends it via SMS to the user's registered phone number. The user's passcode in this context could be the PIN they use to unlock their phone, or a separate secret known only to them. The token is then concatenated with this passcode and entered into a prompt on the phone (within the WebAuthn authenticator application or browser interface) before the cryptographic assertion is generated by the phone's secure element. This combined value (passcode+token) is part of the user verification step within the WebAuthn flow, and only upon successful entry is the WebAuthn credential utilized to complete authentication to the web application.
    • Obviousness Statement: It would be obvious to a PHOSITA to combine the security benefits of FIDO WebAuthn's device-bound credentials with the out-of-band token delivery of US6993658, effectively creating a multi-layered authentication scheme where an ephemeral, server-delivered token acts as an additional user verification step within the WebAuthn flow, using a commonly carried device.

Generated 6/11/2026, 6:03:43 PM