MULTI-MODAL ACCESS TO AN ONLINE SERVICE USING HIERARCHICAL CRYPTOGRAPHIC KEYS FOR USER AUTHENTICATION OF ACCOUNTS AND SUBACCOUNTS

BACKGROUND

One problem encountered with business organizations is how to enable employees to pay for items that employees need to purchase for their work. One solution conventionally used is to issue a credit card to a manager of the business organization. When an employee that the manager manages needs to make a work-related purchase, the employee request the manger to use the credit card to make the purchase or requests to borrow the credit card to make the purchase. One problem with this approach is that the manger may not be available to provide the credit card when it is used. In addition, some employees may make unapproved purchases when lent the credit card. Another complication is that the billing statement for the credit card does not indicate who made each purchase; rather the statement just contains a list of purchases sorted by date.

Another option is to issue each employee a credit card. One difficulty with this option is that some employees may make purchases without getting managerial approval. Further, some employees may use the credit card for personal purchases. Some employees may also spend too much on items. In addition, some employees may lose their credit cards or increase the risk of credit card fraud by not following proper security precautions.

These problems have become more pronounced with many credit card purchases being made online. The credit card holder merely needs to access a website and provide the credit card number online to make a purchase. The employee just needs to know the credit card number, expiration date and security code to make purchases.

SUMMARY

In accordance with an inventive aspect, a method is performed by a processor of a computing device. Per the method, with the processor, a primary cryptographic key pair is registered with an account of an online service for user authentication when accessing an online service. The primary cryptographic key pair includes a primary private cryptographic key and a primary public cryptographic key. A secondary cryptographic key pair is derived with the processor from the primary private cryptographic key. The secondary cryptographic key pair is for user authentication when accessing the online service and includes a private secondary cryptographic key and a public secondary cryptographic key. The secondary cryptographic key pair is registered by the processor with a subaccount of the account for the online service. The primary private cryptographic key is registered with the account. With the processor, the secondary private cryptographic key is designated for a mode of access to the online service that is more limited than the mode of access designated for the primary private cryptographic key, and the secondary private cryptographic key is forwarded to a client computing device.

The online service may be a website, and the secondary private cryptographic key may enable access to only a portion of the website, whereas the primary cryptographic key enables access to the full website. The online service may enable a user to purchase goods or services, and the mode of access for the subaccount may limit purchase of items by the user to a subset of less than all of the goods or services that may be purchased via the online service. The method may further include associating a payment mechanism with the account such that goods or services purchased via the online service using the account are paid via the associated payment mechanism. The associated payment mechanism may be one of a credit card account, a debit card account, an online payment account, a bank account a peer-to-peer payment or a cryptocurrency account. The method may further include creating a virtual account payment mechanism from the payment mechanism associated with the account. The virtual account payment mechanism may have an associated identifier and the virtual payment account mechanism may be associated with the subaccount such that good or services purchased via the online service via the subaccount are paid via virtual payment account payment mechanism using the associated identifier. The payment mechanism associated with the account may be a credit card having a credit card number, and the virtual payment account mechanism may be a virtual credit card having a virtual credit card number as the associated identifier.

In accordance with another inventive aspect, a method is performed by a processor of a computing device. The method entails, with the processor, registering a primary cryptographic key pair with an account of an online service for user authentication when accessing an online service. The primary cryptographic key pair includes a primary private cryptographic key and a primary public cryptographic key. With the processor, secondary cryptographic key pairs are derived from the primary private cryptographic key. The secondary cryptographic key pairs are for user authentication when accessing the online service, and each of the secondary cryptographic key pairs includes a public secondary cryptographic key and a private secondary cryptographic key. With the processor, registering at least some of the secondary cryptographic key pairs with respective subaccounts of the account for the online service, wherein the primary private cryptographic key is registered with the account. With the processor, each of the secondary private cryptographic keys of the registered secondary cryptographic key pairs are designated for a respective mode of access to the online service that is more limited than the mode of access designated for the primary private cryptographic key and the registered secondary private cryptographic keys is forwarded to a client computing device.

The method may further include registering a primary payment mechanism with the account for paying for good or services when accessing the online service via the account and deriving virtual payment mechanisms for the subaccounts from the primary payment mechanism that are associated with the primary payment mechanism and registering respective ones of the virtual payment mechanisms with respective ones of the registered subaccounts for payment for goods or services when accessing the online service via the respective subaccounts. The online service may be a website, and a user accessing the website via first of the registered subaccounts may access only a first portion of the website whereas the user accessing the website via a second of the registered subaccounts may access only a second portion of the website that differs at least in part from the first portion. A first of the registered subaccounts may have a first spending limit specifying how much a user may spend when accessing the online service via the first of the registered subaccounts. A second of the registered subaccounts may have a second spending limit that differs from the first spending limit. The method may include deriving a tertiary cryptographic key pair for user authentication for the online service for a child account of one of the subaccounts from one of the secondary cryptographic key pairs.

In accordance with an additional inventive aspect, a method is performed by a processor of a computing device. The method entails receiving a request from a requestor to access an online service via a subaccount of an account of the online service, and based on the receiving of the request, with the processor, issuing a cryptographic challenge to the requestor. The method further includes receiving a response to the challenge, and with the processor, determining if the response was proper by determining if the response was generated using a secondary private cryptographic key that is registered for the subaccount. Where the processor determines that the response was proper, the requestor is granted access to online service via the subaccount in accordance with a mode of access permitted for the subaccount. Where the processor determines that the response was improper, access to the online service via the subaccount is denied.

The mode of access permitted for the subaccount may specify what portions of the online service are accessible. The mode of access permitted for the subaccount may specify what interactions with the online service are permitted. The mode of access permitted for the subaccount may specify what good or services may be purchased via the online service using the subaccount. The mode of access permitted for the subaccount may specify a spending limit for good or services purchased via the online service using the subaccount. A payment mechanism may be associated with the subaccount for payment of goods or services purchased via the online service using the subaccount.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 depicts a flowchart of illustrative steps that may be performed in exemplary embodiments to register for an account with an online service.

FIG. 2 depicts an illustrative prompt that may be displayed for user to enter information to register for an account with an online service.

FIG. 3 depicts the flow of information between a requester and an online service in a user registering for an account with the online service in exemplary embodiments.

FIG. 4 depicts a flowchart of illustrative steps that may be performed in exemplary embodiments in generating offspring cryptographic key pair(s).

FIG. 5 depicts the flow of information between a requester and an online service in providing the requester with private offspring key(s) in exemplary embodiments.

FIG. 6 depicts a flowchart of illustrative steps that may be performed in exemplary embodiments in logging into a subaccount of the online service using a private cryptographic key.

FIG. 7 depicts an example of a prompt that is provided during login to the online service to obtain a username from a user in an exemplary embodiment.

FIG. 8 depicts the flow of information between a requester an online service during the login process in exemplary embodiments.

FIG. 9 depicts an illustrative hierarchy of private cryptographic keys including secondary private cryptographic keys and a tertiary private cryptographic key.

FIG. 10 depicts a flowchart of illustrative steps that may be performed in exemplary embodiments relative to a subaccount to properly configure the subaccount.

FIG. 11 depicts a block diagram of subaccount information that may be stored for a subaccount for the online service in exemplary embodiments.

FIG. 12 depicts a block diagram of motive access information that may be stored for a subaccount for the online service in exemplary embodiments.

FIG. 13 depicts different types of payment mechanisms that may be associated with accounts and/or subaccounts in exemplary embodiments.

FIG. 14 depicts a flowchart of illustrative steps that may be performed relative to a virtual payment mechanism for a subaccount in exemplary embodiments.

FIGS. 15A, 15B and 15C depict different versions of a webpage for an online service that are available to subaccounts having different modes of access in exemplary embodiments.

FIG. 16A depicts a flowchart of illustrative steps that may be performed in exemplary embodiments in determining whether a user action with the online service is authorized or not.

FIG. 16B depicts a flowchart of illustrative steps that may be performed in exemplary embodiments to determine whether a purchase via the online services authorized for a subaccount or not.

FIG. 17 depicts an example of a billing statement for account of the online service that itemizes purchases by subaccount in exemplary embodiments.

FIG. 18 is a block diagram of a computing environment suitable for practicing exemplary embodiments.

FIG. 19 depicts a block diagram of an illustrative client computing device suitable for practicing exemplary embodiments.

FIG. 20 depicts a block diagram of a computing device that is suitable for executing the online service in exemplary embodiments.

DETAILED DESCRIPTION

The exemplary embodiments may provide a password-less user authentication mechanism that enables users to be authenticated for accessing an online service. The online service may be, for example, a website that provides a service. More generally, an online service is a service that may be accessed via a computing device over a network connection. The exemplary embodiments use cryptographic key pairs as part of the credentials for user authentication. A user registers an account with the online service and then is given a private cryptographic key that is used to gain access to the online service. A public cryptographic key is also generated for the account (which may be referred to as a “primary account”), which is used by the online service in authenticating the user. The exemplary embodiments enable the creation of subaccounts that are affiliated with the primary account. At least one offspring cryptographic key pair (also referred to as “secondary key pair”) for user authentication may be generated for each subaccount. The offspring cryptographic key pairs are derived from the primary cryptographic key pair for user authentication that is associated with the primary account. The offspring cryptographic key pairs are used to gain access to the online service via a subaccount.

When a user wishes to gain access to the online service via a subaccount, the user may provide a username. The online service has an authenticator that generates a cryptographic challenge for the user based upon the public cryptography key associated with the user and the subaccount. The user generates a response to the cryptographic challenge. The authenticator for the online service determines whether the response was proper or not. If the response was proper, the user is given access to the online service via the subaccount.

Each subaccount may have different modes of access. In other words, each subaccount may have different authorizations relative to use of the online service. For example, a first subaccount may have access to an entire website of the online service, whereas a second subaccount may only access a portion of the website of the online service. As an example, an administrative assistant with an organization may only access a portion of a purchasing website relating to office supplies. In addition, the mode of access may limit what actions a user may take relative to the online service. For instance, a user may be limited in what purchases of goods and services a user may realize through the online service. Similarly, a user may be limited in the amount that the user may spend in making purchases via the online service.

Each subaccount may have an associated virtual payment mechanism (e.g., a virtual account number) that is associated with the payment mechanism for the account. The virtual payment mechanism may have a virtual identifier that is derived from the identifier for the payment mechanism the account. For example, if a credit card is associated with the account for making payments, a derived virtual credit card number may be associated with the subaccount and use to make purchases. The online service knows that the charges are to be levied relative to the credit card for the account but associates the charges with the subaccount. When a statement of account is produced by the online service, the statement of account may detail purchases by subaccount.

The exemplary embodiments thus address some of the concerns detailed above with the conventional approach of lending a credit card to members of an organization or providing each member of an organization with a separate credit card. Limitations can be placed on the mode of access for each subaccount. Limitation such as spending limits and restrictions on what items may be purchased help to address some of the concerns found conventionally. Moreover, purchases may be reported by subaccount and thus, the responsible parties may be identified for the purchases. Still further, the login is secured and lost keys may be easily replaced.

In some embodiments, permissions, access, and/or authorizations for subaccounts and sub-pairs of cryptographic keys may be modified by the primary account. For example, a manager may grant additional privileges to a subaccount associated with an employee who reaches a predetermined tenure (e.g., 3 years, 5 years, etc.) and/or remove privileges for another employee on a performance plan. Furthermore, any granted permissions may be based on predetermined periods of time, predetermined dollar amounts, and/or a predetermined number of purchases (e.g., each new employee may receive a subaccount with a $100 allowance for office supplies that expires 30 days after the employee's date of hire). In some embodiments, multiple different key pairs may be assigned to a subaccount (e.g., to give multiple people shared access to the same pool of privileges, budget, etc. with the ability to manage and/or terminate access individually, e.g., after an employee leaves an organization).

Further still, subaccounts and/or tertiary accounts may be used to provide a similar set of privileges (e.g., a subaccount and any tertiary accounts thereof may have the same set of restrictions and/or rules), but using different tertiary accounts provides additional transparency into which individual made a given purchase. Doing so allows individual users (e.g., tertiary accounts) to be added and/or removed from a subaccount as needed. Furthermore, doing so may subject all purchases made by the tertiary accounts to the budget restrictions or any other restrictions that apply to the subaccount.

Reference is now made to the drawings, wherein like reference numerals are used to refer to like elements throughout. In the following description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding thereof. However, the novel embodiments can be practiced without these specific details. In other instances, well known structures and devices are shown in block diagram form in order to facilitate a description thereof. The intention is to cover all modifications, equivalents, and alternatives consistent with the claimed subject matter.

In the Figures and the accompanying description, the designations “a” and “b” and “c” (and similar designators) are intended to be variables representing any positive integer. Thus, for example, if an implementation sets a value for a=5, then a complete set of components 121 illustrated as components 121-1 through 121-a may include components 121-1, 121-2, 121-3, 121-4, and 121-5. The embodiments are not limited in this context.

Operations for the disclosed embodiments may be further described with reference to the following figures. Some of the figures may include a logic flow. Although such figures presented herein may include a particular logic flow, it can be appreciated that the logic flow merely provides an example of how the general functionality as described herein can be implemented. Further, a given logic flow does not necessarily have to be executed in the order presented unless otherwise indicated. Moreover, not all acts illustrated in a logic flow may be required in some embodiments. In addition, the given logic flow may be implemented by a hardware element, a software element executed by a processor, or any combination thereof. The embodiments are not limited in this context.

In the exemplary embodiments, a user may be required to register with an online service before the user is permitted to access the online service. The registration may create an account that is associated with the user and that may be used to access the online service. FIG. 1 depicts a flowchart 100 of illustrative steps that may be performed in exemplary embodiments to register a user for an account with an online service. Initially, at 102, the user may access the online service such as via a web browser or application and may be provided with a prompt to enter a username and email address. The username uniquely identifies the user in accessing the online service. The email address may be used to contact the user, such as in issuing a cryptographic challenge or to provide the user with information. The user may provide the username and email address in response to the prompt so that the username and email address are received by the online service at 104. At 106, the online service generates a pair of primary cryptographic user authentication keys that include a primary private user authentication cryptographic key and a primary public user authentication cryptographic key. The primary private cryptographic key is forwarded to the user. The user may use the primary private cryptographic key to gain access to the online service via the account. Known cryptographic techniques may be used for generating the keys. In some embodiments, an entity separate from the online service may generate the keys. For example, a third-party key generation service may generate the key pairs and provide both keys to the requesting user. The requesting user may then provide/register the public key with the online service along with the username, email, etc. for the account, and same for any sub-accounts and secondary key pairs.

FIG. 2 shows an example of a prompt 200 that may be used in an exemplary embodiment to obtain the information needed to register the user for an account, such as described above relative to step 102. The prompt 200 may include text 202 to get the user to enter information to register. A text box 204 for a user to enter a username and a text box 206 for the user to enter an email address are provided. It should be appreciated that other user interfaces may be used to solicit such information.

FIG. 3 depicts a diagram 300 of the exchange that may take place for the user to register in exemplary embodiments. In this depiction, the user or a client computing device is the requester 302. The requester 302 submits registration information 306, such as a username and email address, to the online service 304. In response, the online service returns a primary private cryptographic key 308 for the account. The requester 302 securely stores the primary private cryptographic key 308 for future use.

Once the user has obtained a primary private cryptographic key for an account, the user may wish to generate subaccounts and obtained offspring cryptographic key pairs for the subaccounts. For example, suppose that a manager of a corporation opens an account with an online marketplace and wishes to provide access to the online marketplace to a number of the employees that are under his/her management. One way to facilitate such access in the exemplary embodiments is to generate subaccounts and associate offspring cryptographic key pairs with the subaccounts. The offspring cryptographic key pairs may be generated from the public cryptographic key for the account. The offspring cryptographic key pairs may be used to perform user authentication for the subaccounts as will be detailed below.

FIG. 4 depicts a flowchart 400 of illustrative steps that may be performed to generate such offspring key pairs. At 402, the online service receives a request for the generation of offspring cryptographic key pair(s). For example, the manager mentioned in the above example may wish to generate offspring key pairs for the subaccounts. Hence the manager may submit a request to the online service. The manager may request a single offspring cryptographic key pair for a single subaccount or multiple offspring cryptographic key pairs for multiple subaccounts. Each subaccount has an associated offspring cryptographic key pair. At 404, the online service generates offspring cryptographic key pair(s). A number of different approaches may be used to derive such offspring cryptographic key pairs from the primary cryptographic key pair. The key derivation approach used in EMV key management may be used, for example. At 406, the offspring cryptographic key pair is forwarded to the requester. Thus, the requester is in possession of the private cryptographic key(s) that is/are generated in response to the request.

FIG. 5 depicts a diagram 500 showing the interaction between the requester 502 and the online service 506 when such a request for offspring cryptographic key(s) is submitted. The online service 506 forwards the offspring private cryptographic key(s) to the requester 502 as discussed above.

Once the users are in possession of the offspring private cryptographic keys for subaccounts, the users may wish to login to the online service using the subaccounts. FIG. 6 depicts a flowchart of illustrative steps that may be performed in exemplary embodiments to login to such subaccounts. At 602, the online service may generate a prompt for the user to enter a username. FIG. 7 depicts an illustrative prompt 700. The prompt includes text 702 instructing the user to enter their username. A text box 704 is provided for the user to enter the username. At 604, the online service receives the username that has been entered in response to the prompt. FIG. 8 depicts a diagram 800 illustrating the flow of information between a requester 802 and the online service 804. Initially, the requester (e.g., user) makes a request 806 to login by providing the username in response to the prompt 700. With reference to FIG. 6 again, at 604, the username is received by the online service 804. At 606, the online service 804 generates a cryptographic challenge using the public cryptographic key for the user associated with the username and subaccount. That generation of the challenge may be performed using known techniques for generating a cryptographic challenge. For example, the techniques used in the FIDO2 standard may be employed. They challenge 808 is said from the online service 804 to the requester 802. The requester 802 generates a response 810 that is received by the online service 804 at 608. The online service 804, at 610, determines whether the response is proper or not. If the response is proper, at 612, the user is granted modal access to the online service per the mode of access permitted for the subaccount. If the response is not proper, at 614, access to the online service via the subaccount is denied. As shown in FIG. 8, the communication indicating that access is granted or denied 812 is sent from the online service 804 to the requester 802.

As was mentioned above, a hierarchy of cryptographic key pairs may be generated for hierarchically organized subaccounts. FIG. 9 depicts an illustrative hierarchy 900. In the hierarchy 900 depicted in FIG. 9, there are two primary private cryptographic keys 902 and 904. Two secondary private cryptographic keys 906 and 908 have been derived from the primary private cryptographic key 904. In addition, a tertiary private cryptographic key 910 has been derived from the secondary private cryptographic key 908. The tertiary private cryptographic key 910 may be appropriate when there is a subaccount of a subaccount. It should be appreciated that this depiction of the hierarchy is intended to be merely illustrative and not limiting. Other hierarchical organizations of subaccounts and private cryptographic keys may be deployed in the exemplary embodiments.

FIG. 10 depicts a flowchart 1000 of illustrative steps that may be performed in exemplary embodiments in configuring a subaccount. Initially, at 1002, the subaccount is created by the online service. Data structures and other records may be created to store information regarding the subaccount. Alternatively, a subaccount object may be instantiated. At 1004, offspring key(s) may be registered with the subaccount. In many cases only a single offspring key will be associated with the subaccount. However, it may be possible that multiple offspring keys may be associated with the subaccount. At 1006, the subaccount is associated with the username(s) that have access to the subaccount. This registration identifies what users have access to a subaccount. At 1008, the payment mechanism for the subaccount is registered with subaccount. As was discussed above, a virtual payment account identifier may be associated with the subaccount and used in making purchases of goods or services via the online service. As was mentioned above, the virtual payment account identifier may be derived from the payment account identifier for the account with which the subaccount is associated. At 1010, the modal access for the subaccount is defined. The modal access may be defined by specifying rights or limitations on the user's access to and use of the online service. As was mentioned above, the user may be limited what portion of the online service user's access to and may be limited in purchases both in what may be purchased and in how much may be purchased. Other modal restrictions and rights may also be specified.

FIG. 11 depicts an illustration of subaccount information 1100 that may be stored by the online service for a subaccount and used as needed. The subaccount information 1100 may include identification information 1102. The identification information 1102 may include, for example, an identifier for the subaccount, such as a subaccount number. In addition, the identification information 1102 may store a list of the usernames for users that have access to the subaccount. The subaccount information 1100 may also store the public cryptographic key(s) that is/are associated with the subaccount. The subaccount information 1100 may specify the payment mechanism 1106 that is associated with the subaccount. The subaccount information 1100 may further specify the modal access 1108 for the subaccount. The modal of access information 1108 may specify the rights and limitations of access to the online service associated with a subaccount.

FIG. 12 depicts a diagram showing example of what may be held in the mode of access information 1200. The mode of access information 1200 may include a specification of the restrictions as to what portions of the online service are available to the user 1202. For instance, if the online service is a website, the specification restrictions may specify what portions of the website are accessible to the user and/or what functionality is available to the user via the website. The mode of access information 1200 may also specify payment limits 1204. The payment limits may specify a maximum of the user is allowed to spend over a time window or in any purchase. The mode of access information 1200 may also specify restrictions as to what may be purchased 1206. It should be appreciated that other restrictions and rights may be specified in the motive access information 1200. The mode of access information 1200 may specify a privilege level. The mode of access information 1200 may specify access control information, such as traditionally found in access control lists. The information in the mode of access information 1200 is used by the online service to determine what a user is authorized to do relative to the online service. The mode of access information 1200 may further specify the ability to make changes to the account (e.g., the ability to manage subaccounts, modify profile information such as email addresses, user names, shipping addresses, billing addresses, payment methods, notification settings, contact information, payment methods, and/or payment terms, and the ability to see past purchases and/or billing reports. Further still, the mode of access information 1200 may specify restrictions on delivery methods (e.g., ground shipments only vs. overnight or Saturday delivery service), restrictions on ship-to locations (e.g., only able to ship to the local office vs. all offices, or only able to ship to existing ship-to addresses), restrictions on purchase frequency, restrictions on basket value, monthly spending limits, etc. Any spending limits may be applied to the payment method subaccounts and/or the online account/subaccounts.

Different payment mechanisms 1300 may be associated with accounts and subaccounts. As shown in FIG. 13 the payment mechanisms 1300 may include a credit card account 1302. The credit card associated with a credit card account may be charged for purchases made via the account or subaccount. The payment mechanism 1300 may be a debit card account 1304 which debits charges relative to a bank account or other designated account. The payment mechanism 1300 may be a bank account 1306. The payment mechanism 1300 may be a peer-to-peer payment account 1308 or may be a crypto currency account 1310. Each such payment mechanisms 1300 will have identifiers that uniquely identify the associated accounts.

FIG. 14 depicts a flowchart 1400 of illustrative steps that may be performed in exemplary embodiments relative to a virtual payment mechanism for a subaccount. At 1402, a virtual payment mechanism identifier is generated from the primary account mechanism identifier. For example, if the primary account payment mechanism is a credit card, the credit card number is used to derive a virtual credit card number for the subaccount. A number of different techniques may be used to perform this derivation. For example, tokenization may be employed (e.g., using a one-way tokenization function that is based on characteristic account information.). As another example, a signature (private key) or reverse signature (public key) may be used to perform the derivation. At 1404, the virtual payment mechanism identified is provided to user(s) registered for the subaccount. In this way, the users know what virtual payment mechanism identifier to use when making payments via the subaccount. At 1406, the user(s) uses/use the virtual payment mechanism identifier and paying for goods or services with the online service that is accessed via a subaccount. Since each subaccount has its own virtual payment mechanism with an associated virtual payment mechanism identifier, it is easy to track payment activity by subaccount and by user.

As was discussed above, each subaccount may have a specified mode of access. The mode of access may vary amongst subaccounts. For example, FIG. 15A depicts a web page 1500 of the online service that may be displayed when a user accesses the online service using a first subaccount. As indicated by the text in the webpage 1500, the webpages for an online marketplace through which items may be purchased. The user is displayed the options of purchasing clothing 1502, office supplies 1504, furniture 1506 or food 1508. However, a second user that access the online service via a second subaccount does not have access to as much of the website as the first user. As shown in FIG. 15B, the webpage 1510 for the second user only displays the option of purchasing office supplies 1504 or furniture 1506. The online service accesses the subaccount information and the mode of access information to determine what is displayed to the user. A third user using a third subaccount may have even more limited access to the website. As shown in FIG. 15C, the third user may be shown webpage 1520, which only enables the user to purchase office supplies 1504.

FIG. 16A depicts a flowchart 1600 of illustrative steps that may be performed in exemplary embodiments to determine whether user actions are authorized or not with respect to the online service. At 1602, a user attempts an action with the online service. At 1604, the online service determines whether the user is authorized to perform the action or not. The online service may access the mode of access information that is stored for the subaccount to determine whether the user is authorized or not. If the user is authorized, at 1606, the action is permitted. If not, at 1608, the action is prohibited.

FIG. 16B depicts a flowchart 1620 of illustrative steps that may be performed when a user attempts to purchase an item via the online service. At 1622, the user seeks to make a purchase via the subaccount. At 1624, check is made whether the user is permitted to purchase the item that the user wishes to purchase. If not, at 1626, the purchase is prohibited. At 1628, an additional check is made to determine whether the purchase would exceed the spending limit set for the subaccount. If the purchase would exceed the spending limit, at 1626, the purchase is prohibited. If the purchase would not exceed the spending limit, at 1630, the purchase is permitted.

One of the benefits of using subaccounts concerns the ability to display an account for spending on a per subaccount basis. FIG. 17 illustrates an exemplary billing statement 1700 for an account for an online service. The billing statement 1700 includes an identification 1702 of the account number to which the billing state pertains. In this example, the billing statement is for account number 333. The billing statements 1700 includes an itemization for subaccount number 333-001 as indicated by heading 1704. Under the heading 1704 are purchases sorted by date. Each purchase itemizes both a description of the items purchased and the cost. For instance, line 1708 specifies that 3 boxes of paper were purchased on December 3 for $25, and line 1710 specifies that 4 boxes of pens were purchased on December 7 for $38. There also is a heading 1706 for subaccount number 333-002. Underneath that heading 1706 is line 1712, which specifies that a desk chair was purchased on December 5 for $300. The use of the subaccounts and associated virtual payment mechanism identifiers enables the itemization of purchases by subaccounts in the billing statement for the account.

FIG. 18 depicts a computing environment 1800 that is suitable for practicing exemplary embodiments. The user may use a client computing device 1802 to gain access to the online service 1806 over network 1804. The client computing device 1802 may be any of a number of different types of computing devices, including but not limited to a desktop computer, laptop computer, a tablet computer, a smart phone, a smartwatch or other variety of computing device. The network 1804 may include both local area networks and wide area networks. The network 1804 may include the Internet and networks providing access to the Internet. The online service 1806 may be resident on a server computer system and may, in some instances, be provided by cloud computing services.

FIG. 19 depicts a block diagram 1900 of a client computing device that is suitable for practicing exemplary embodiments. The client computing device may include a processor 1902. The processor 1902 may be a central processing unit (CPU), a graphics processing unit (GPU), a field programmable gate array (FPGA), an application specific integrated circuit (ASIC) or a combination thereof. Storage 1904 is provided. The storage 1904 may include different types of non-transitory computer-readable storage media. The storage 1904 may include random access memory (RAM), read only memory (ROM), solid state memory, magnetic storage media, optical storage media in other types of storage. The storage 1904 may hold a web browser 1906 for accessing webpages, such as webpages for the online service. The storage 1904 may hold an application 1908 that facilitates access to the online service. The storage 1904 may store a primary private cryptographic key 1910 and secondary private key(s) 1912. The client computing device may include a display 1914, such as a liquid crystal display (LCD), a retina display or a light emitting diode (LED) display. The client computing device 1900 may include input device 1916, such as a keyboard, a microphone, the thumbpad or the like. The client computing device 1900 may include a network adapter, such as an Ethernet adapter or a wireless network adapter, to facilitate access to a network.

FIG. 20 depicts a block diagram of the computing device 2000 on which the online service is running. The computing device includes a processor 2002, such as that found in the client computing device 1900. The computing device 2000 include storage 2004. The storage 2004 may be of the variety described above relative to the client computing device 1900. The storage 2004 may store an authenticator 2006 that is responsible for performing the user authentication described herein. The storage may store computer programming instructions for the online service 2008. These instructions may be executed by the processor to provide the online service. The online service may provide a series of webpages that are visible to the user. The authenticator 2006 may be part of the online service 2008 in some instances. The storage 2004 may also store accounts information 2010 for each of the accounts and subaccounts, such as described above. The storage 2004 may store the primary public keys 2012 for accounts as well as the offspring public keys 2014 for subaccounts. The computing device 2000 may include a display 2016, input devices 2018 and a network adapter 2020, such as described above relative to the client computing device 1900.

The components and features of the devices described above may be implemented using any combination of discrete circuitry, application specific integrated circuits (ASICs), logic gates and/or single chip architectures. Further, the features of the devices may be implemented using microcontrollers, programmable logic arrays and/or microprocessors or any combination of the foregoing where suitably appropriate. It is noted that hardware, firmware and/or software elements may be collectively or individually referred to herein as “logic” or “circuit.”

It will be appreciated that the exemplary devices shown in the block diagrams described above may represent one functionally descriptive example of many potential implementations. Accordingly, division, omission or inclusion of block functions depicted in the accompanying figures does not infer that the hardware components, circuits, software and/or elements for implementing these functions would necessarily be divided, omitted, or included in embodiments.

At least one computer-readable storage medium may include instructions that, when executed, cause a system to perform any of the computer-implemented methods described herein.

Some embodiments may be described using the expression “one embodiment” or “an embodiment” along with their derivatives. These terms mean that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment. The appearances of the phrase “in one embodiment” in various places in the specification are not necessarily all referring to the same embodiment. Moreover, unless otherwise noted the features described above are recognized to be usable together in any combination. Thus, any features discussed separately may be employed in combination with each other unless it is noted that the features are incompatible with each other.

With general reference to notations and nomenclature used herein, the detailed descriptions herein may be presented in terms of program procedures executed on a computer or network of computers. These procedural descriptions and representations are used by those skilled in the art to most effectively convey the substance of their work to others skilled in the art.

A procedure is here, and generally, conceived to be a self-consistent sequence of operations leading to a desired result. These operations are those requiring physical manipulations of physical quantities. Usually, though not necessarily, these quantities take the form of electrical, magnetic or optical signals capable of being stored, transferred, combined, compared, and otherwise manipulated. It proves convenient at times, principally for reasons of common usage, to refer to these signals as bits, values, elements, symbols, characters, terms, numbers, or the like. It should be noted, however, that all of these and similar terms are to be associated with the appropriate physical quantities and are merely convenient labels applied to those quantities.

Further, the manipulations performed are often referred to in terms, such as adding or comparing, which are commonly associated with mental operations performed by a human operator. No such capability of a human operator is necessary, or desirable in most cases, in any of the operations described herein, which form part of one or more embodiments. Rather, the operations are machine operations. Useful machines for performing operations of various embodiments include general purpose digital computers or similar devices.

Some embodiments may be described using the expression “coupled” and “connected” along with their derivatives. These terms are not necessarily intended as synonyms for each other. For example, some embodiments may be described using the terms “connected” and/or “coupled” to indicate that two or more elements are in direct physical or electrical contact with each other. The term “coupled,” however, may also mean that two or more elements are not in direct contact with each other, but yet still co-operate or interact with each other.

Various embodiments also relate to apparatus or systems for performing these operations. This apparatus may be specially constructed for the required purpose or it may comprise a general purpose computer as selectively activated or reconfigured by a computer program stored in the computer. The procedures presented herein are not inherently related to a particular computer or other apparatus. Various general purpose machines may be used with programs written in accordance with the teachings herein, or it may prove convenient to construct more specialized apparatus to perform the required method steps. The required structure for a variety of these machines will appear from the description given.

What has been described above includes examples of the disclosed architecture. It is, of course, not possible to describe every conceivable combination of components and/or methodologies, but one of ordinary skill in the art may recognize that many further combinations and permutations are possible. Accordingly, the novel architecture is intended to embrace all such alterations, modifications and variations that fall within the spirit and scope of the appended claims.

The various elements of the devices as previously described with reference to FIGS. 1-20 may include various hardware elements, software elements, or a combination of both. Examples of hardware elements may include devices, logic devices, components, processors, microprocessors, circuits, processors, circuit elements (e.g., transistors, resistors, capacitors, inductors, and so forth), integrated circuits, application specific integrated circuits (ASIC), programmable logic devices (PLD), digital signal processors (DSP), field programmable gate array (FPGA), memory units, logic gates, registers, semiconductor device, chips, microchips, chip sets, and so forth. Examples of software elements may include software components, programs, applications, computer programs, application programs, system programs, software development programs, machine programs, operating system software, middleware, firmware, software modules, routines, subroutines, functions, methods, procedures, software interfaces, application program interfaces (API), instruction sets, computing code, computer code, code segments, computer code segments, words, values, symbols, or any combination thereof. However, determining whether an embodiment is implemented using hardware elements and/or software elements may vary in accordance with any number of factors, such as desired computational rate, power levels, heat tolerances, processing cycle budget, input data rates, output data rates, memory resources, data bus speeds and other design or performance constraints, as desired for a given implementation.

One or more aspects of at least one embodiment may be implemented by representative instructions stored on a machine-readable medium which represents various logic within the processor, which when read by a machine causes the machine to fabricate logic to perform the techniques described herein. Such representations, known as “IP cores” may be stored on a tangible, machine readable medium and supplied to various customers or manufacturing facilities to load into the fabrication machines that make the logic or processor. Some embodiments may be implemented, for example, using a machine-readable medium or article which may store an instruction or a set of instructions that, if executed by a machine, may cause the machine to perform a method and/or operations in accordance with the embodiments. Such a machine may include, for example, any suitable processing platform, computing platform, computing device, processing device, computing system, processing system, computer, processor, or the like, and may be implemented using any suitable combination of hardware and/or software. The machine-readable medium or article may include, for example, any suitable type of memory unit, memory device, memory article, memory medium, storage device, storage article, storage medium and/or storage unit, for example, memory, removable or non-removable media, erasable or non-erasable media, writeable or re-writeable media, digital or analog media, hard disk, floppy disk, Compact Disk Read Only Memory (CD-ROM), Compact Disk Recordable (CD-R), Compact Disk Rewriteable (CD-RW), optical disk, magnetic media, magneto-optical media, removable memory cards or disks, various types of Digital Versatile Disk (DVD), a tape, a cassette, or the like. The instructions may include any suitable type of code, such as source code, compiled code, interpreted code, executable code, static code, dynamic code, encrypted code, and the like, implemented using any suitable high-level, low-level, object-oriented, visual, compiled and/or interpreted programming language.

At least one computer-readable storage medium may include instructions that, when executed, cause a system to perform any of the computer-implemented methods described herein.

It is emphasized that the Abstract of the Disclosure is provided to allow a reader to quickly ascertain the nature of the technical disclosure. It is submitted with the understanding that it will not be used to interpret or limit the scope or meaning of the claims. In addition, in the foregoing Detailed Description, it can be seen that various features are grouped together in a single embodiment for the purpose of streamlining the disclosure. This method of disclosure is not to be interpreted as reflecting an intention that the claimed embodiments require more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive subject matter lies in less than all features of a single disclosed embodiment. Thus the following claims are hereby incorporated into the Detailed Description, with each claim standing on its own as a separate embodiment. In the appended claims, the terms “including” and “in which” are used as the plain-English equivalents of the respective terms “comprising” and “wherein,” respectively. Moreover, the terms “first,” “second,” “third,” and so forth, are used merely as labels, and are not intended to impose numerical requirements on their objects.

The foregoing description of example embodiments has been presented for the purposes of illustration and description. It is not intended to be exhaustive or to limit the present disclosure to the precise forms disclosed. Many modifications and variations are possible in light of this disclosure. It is intended that the scope of the present disclosure be limited not by this detailed description, but rather by the claims appended hereto. Future filed applications claiming priority to this application may claim the disclosed subject matter in a different manner, and may generally include any set of one or more limitations as variously disclosed or otherwise demonstrated herein.

While exemplary embodiments have been described herein, it should be appreciated that various changes to the exemplary embodiments may be made without departing from the intended scope as defined by the appended claims.

MULTI-MODAL ACCESS TO AN ONLINE SERVICE USING HIERARCHICAL CRYPTOGRAPHIC KEYS FOR USER AUTHENTICATION OF ACCOUNTS AND SUBACCOUNTS

Information

Publication Number

Date Filed

Date Published

Inventors

Original Assignees

CPC

International Classifications

Abstract

Description

Claims