METHODS TO AUTHORIZING SECONDARY USER DEVICES FOR NETWORK SERVICES AND RELATED USER DEVICES AND BACK-END SYSTEMS

TECHNICAL FIELD

[0001] The present disclosure generally relates to communications, and more particularly, to a method for authorizing a secondary user device for a network service provided over a network and related methods, devices, and systems.

BACKGROUND

[0002] Some embodiments disclosed herein may be related to

authorization/authentication of mobile and/or fixed user devices (e.g., including smartphones, tablet computers, laptop computers, desktop computers, etc.) for access to network services, such as IP -based communication services, (e.g., including Wi-Fi calling and other FMS-based voice, video and/ messaging services).

[0003] There is an increasing demand for communication services that are flexibly usable across multiple user devices of diverse types. For example, multiple solutions exist to provide that voice and/or video calls to a specific service identifier (e.g., a Mobile

Subscription ISDN Number or MSISDN) are directed toward multiple user devices registered for the service by the user that owns that identifier, so that the user can decide from which specific user device he/she wants to pick-up the call at his/her convenience.

[0004] Types of user devices relevant in this context may include smartphones, tablet computers, laptop computers, desktop computers, set-top-boxes, gaming consoles, etc.

Relevant user devices may include both user devices equipped with SIM (Subscriber Identity Module) cards and user devices not equipped with SIM cards.

[0005] In general, although technical details of a user device enrollment process may vary from case to case, a common denominator may be that the user is expected to enter some credentials on each and every user device he/she wants to be usable for a specific service so that the system supporting the service can securely recognize those user devices as being used by the user. Entry of credentials on multiple user devices may be sufficiently cumbersome, however, that some users may be discouraged from setting up multiple user devices for a desired service.

SUMMARY

[0006] According to some embodiments of inventive concepts, a method of authorizing a secondary user device for a network service provided over a network may be provided. Responsive to receiving a request from a primary user device, a voucher may be transmitted over the network to the primary user device. A request for an authorization waiver may be received from the secondary user device over the network wherein the request for the authorization waiver includes the voucher that was transmitted to the primary user device. Responsive to receiving the request from the secondary user device including the voucher, an authorization waiver may be transmitted to the secondary user device.

[0007] The primary user device and the secondary user device may be different.

[0008] The voucher may be related to authorization of the secondary user device.

[0009] The authorization waiver may include a session cookie.

[0010] The network service may be provided for a user of both of the primary and secondary user devices. In addition, the voucher may be invalidated responsive to receiving the request for an authorization waiver including the voucher. Moreover, invalidating the voucher may include invalidating the voucher with respect to the user so that the voucher is not reused for the network service with respect to the user.

[0011] Transmitting the voucher may include transmitting the voucher from a back- end server to the primary user device. Receiving the request from the secondary user device may include receiving the request from the secondary user device at the back-end server, and transmitting the authorization waiver may include transmitting the authorization waiver from the back-end server to the secondary user device.

[0012] The authorization waiver may include a session cookie. In addition, a request for an access token may be received from the secondary user device, and the request for an access token may include the session cookie. Responsive to receiving the request for an access token, an access token may be transmitted to the secondary user device wherein the access token is valid for the back-end server.

[0013] Receiving the request for an access token may include receiving the request for an access token from the secondary user device over the network at an authorization server, and transmitting the access token may include transmitting the access token from the authorization server over the network to the secondary user device.

[0014] Responsive to receiving the request for an access token, the secondary user device may be redirected to an authorization portal. The authorization waiver including the session cookie may be received at the authorization portal from the secondary user device. Authorization for the secondary user device may be provided based on the session cookie, and transmitting the access token may include transmitting the access token responsive to providing the authorization based on the session cookie. [0015] The back-end server may be an element of a back-end system supporting operation of the network service.

[0016] The back-end server and the authorization server may be elements of a back- end system supporting operation of the network service.

[0017] The back-end server, the authorization server, and the authorization portal may include elements of a back-end system supporting operation of the network service.

[0018] A request may be received from the secondary user device wherein the request includes the access token. Responsive to receiving the request including the access token, communication for the secondary user device may be provided through the network in accordance with the network service.

[0019] The network service may include at least one of a voice, video, and/or messaging service.

[0020] Receiving the request including the access token may include receiving the request including the access token at the back-end server over the network from the secondary user device.

[0021] According to some embodiments, a back-end system for a network service provided over a network may include a network interface configured to provide

communication over the network, and a processor coupled with the network interface. The processor may be configured to transmit a voucher through the network interface over the network to the primary user device responsive to receiving a request from a primary user device. The processor may also be configured to receive a request for an authorization waiver through the network interface from the secondary user device over the network wherein the request for the authorization waiver includes the voucher that was transmitted to the primary user device. The processor may also be configured to transmit an authorization waiver to the secondary user device responsive to receiving the request from the secondary user device including the voucher.

[0022] According to some other embodiments, a back-end system for a network service provided over a network may be adapted to transmit a voucher over the network to the primary user device responsive to receiving a request from a primary user device. The back-end system may also be adapted to receive a request for an authorization waiver from the secondary user device over the network wherein the request for the authorization waiver includes the voucher that was transmitted to the primary user device. The back-end system may also be adapted to transmit an authorization waiver to the secondary user device responsive to receiving the request from the secondary user device including the voucher. [0023] According to still other embodiments of inventive concepts, a method may be provided to operate a secondary user device to provide authorization for a network service. A voucher may be received from a primary user device. A request for an authorization waiver may be transmitted over the network to a back-end system for the network service, wherein the request for the authorization waiver includes the voucher. After transmitting the request for the authorization waiver, an authorization waiver may be received from the back-end system.

[0024] The authorization waiver may include a session cookie.

[0025] A request for an access token may be transmitted to the back-end system, wherein the request for an access token includes the session cookie.

[0026] An access token may be received from the back-end system. A request may be transmitted to the back-end system, wherein the request includes the access token. A session may be established using the access token to provide communication through the network in accordance with the network service.

[0027] A request for an access token may be transmitted to the back-end system, wherein the request for an access token includes a session cookie, and wherein receiving the access token includes receiving the access token after transmitting the request for an access token.

[0028] The back-end system may include a back-end server, transmitting the request for an authorization waver may include transmitting the request to the back-end server, and receiving the authorization waver may include receiving the authorization waiver from the back-end server.

[0029] Receiving the access token may include receiving the access token from the back-end server, and the access token may be valid for the back-end server.

[0030] Receiving the voucher may include receiving the voucher directly from the primary user device.

[0031] Receiving the voucher directly from the primary user device may include receiving the voucher directly from the primary user device without user input of the voucher through a user interface of the secondary user device.

[0032] Receiving the voucher may include receiving the voucher from the primary user device via a short range communication interface. The short range communication interface may include one of a Near Field Communications, NFC, interface, a Bluetooth interface, or an infrared interface. [0033] Receiving the voucher may include receiving the voucher optically from a display of the primary user device using an image capture device on the secondary user device.

[0034] Transmitting the request for an authorization waiver may include transmitting the request automatically without user intervention responsive to receiving the voucher from the primary user device.

[0035] Transmitting the request for an access token may include transmitting the request for the access token automatically without user intervention responsive to receiving the authorization waiver.

[0036] Transmitting the request including the access token may include transmitting the request automatically responsive to receiving the access token.

[0037] The network service may include at least one of a voice, video, and/or messaging service.

[0038] According to some embodiments, a secondary user device may include a communication interface configured to provide communication over a network, and a processor coupled with the communication interface. The processor may be configured to receive a voucher from a primary user device through the communication interface, and transmit a request for an authorization waiver through the communication interface over the network to a back-end system for the network service. Moreover, the request for the authorization waiver may include the voucher. The processor may be configured to receive an authorization waiver through the communication interface from the back-end system after transmitting the request for the authorization waiver.

[0039] According to some other embodiments, a secondary user device may be adapted to receive a voucher from a primary user device and transmit a request for an authorization waiver over the network to a back-end system for the network service.

Moreover, the request for the authorization waiver may include the voucher. The secondary user device may also be adapted to receive an authorization waiver from the back-end system after transmitting the request for the authorization waiver.

[0040] According to yet other embodiments of inventive concepts, a method of operating a primary user device may provide authorization for a network service on a secondary on a secondary user device. A request for a voucher may be transmitted over a network (501) to a back-end system. After transmitting the request for a voucher, a voucher may be received over the network from the back-end system, and the voucher may be transmitted to the secondary user device. [0041] Transmitting the request for a voucher may include transmitting the request responsive to user input to assist authorization of the secondary user device.

[0042] Responsive to receiving the voucher, a prompt for user input may be provided to initiate transferring the voucher to the secondary user device. User input may be accepted to initiate transferring the voucher to the secondary user device based on the prompt, wherein transferring the voucher includes transferring the voucher responsive to accepting the user input to initiate transferring the voucher.

[0043] Transferring the voucher may include transferring the voucher directly to the secondary user device. Transferring the voucher directly may include transferring the voucher directly to the secondary user device without user input of the voucher through a user interface at the secondary user device.

[0044] Transferring the voucher may include transferring the voucher to the secondary user device via a short range communication interface, such as a Near Field Communications (NFC) interface, a Bluetooth interface, or an infrared interface.

[0045] Transferring the voucher may include providing an image including the voucher on a display of the primary communication device. The voucher may be encoded in the image.

[0046] The voucher may be related to authorization of the of the secondary user device.

[0047] An access token may be received from the back-end system, and the request for a voucher may include the access token.

[0048] A prompt for user input of credentials for the network service may be provided, and user input of credentials for the network service may be accepted through a user interface of the primary user device. The user credentials for the network service may be transmitted over the network to the back-end system. Moreover, receiving the access token may include receiving the access token after transmitting the user credentials for the network service. The user credentials for the network service may include a username and a password associated with the user for the network service.

[0049] According to some embodiments, a primary user device may include a communication interface configured to provide communication over a network, and a processor coupled with the communication interface. The processor may be configured to transmit a request for a voucher through the communication interface over a network to a back-end system and to receive a voucher through the communication interface over the network from the back-end system after transmitting the request for a voucher. The processor may also be configured to transfer the voucher to the secondary user device.

[0050] According to some other embodiments, a primary user device may be adapted to transmit a request for a voucher over a network to a back-end system, receive a voucher over the network from the back-end system after transmitting the request for a voucher, and transfer the voucher to the secondary user device.

[0051] According to some embodiments disclosed herein, a user may activate and/or manage a communication service on a secondary user device without the need to enter credentials for the secondary user device, provided that the user has already authenticated on a primary user device. Usability of a secondary user device for a communication service may thus be improved without significantly impacting security, and a user experience may thus be improved.

BRIEF DESCRIPTION OF THE DRAWINGS

[0052] The accompanying drawings, which are included to provide a further understanding of the disclosure and are incorporated in a constitute a part of this application, illustrate certain non-limiting embodiments of inventive concepts. In the drawings:

[0053] Figure 1 is a schematic diagram illustrating interaction between a user device and a back-end server according to some embodiments of inventive concepts;

[0054] Figure 2 is a schematic diagram illustrating collection and processing of user credentials according to some embodiments of inventive concepts;

[0055] Figure 3 is a message flow diagram illustrating operations providing an access token for a primary user device according to some embodiments of inventive concepts;

[0056] Figures 4A, 4B, and 4C are message flow diagrams illustrating operations providing an access token for a secondary user device according to some embodiments of inventive concepts;

[0057] Figure 5 is a schematic diagram illustrating first and second user devices in a network environments according to some embodiments of inventive concepts;

[0058] Figure 6 is a block diagram illustrating elements of a user device according to some embodiments of inventive concepts;

[0059] Figure 7 is a block diagram illustrating elements of a server according to some embodiments of inventive concepts; [0060] Figure 8 is a flow chart illustrating operations of a back-end system according to some embodiments of inventive concepts, and Figure 9 is a block diagram illustrating related modules;

[0061] Figure 10 is a flow chart illustrating operations of a secondary user device according to some embodiments of inventive concepts, and Figure 11 is a block diagram illustrating related modules;

[0062] Figures 12 and 14 are flow charts illustrating operations of a primary user device according to some embodiments of inventive concepts, and Figures 13 and 15 are block diagrams illustrating related modules.

DETAILED DESCRIPTION OF EMB ODFMENT S

[0063] Inventive concepts will now be described more fully hereinafter with reference to the accompanying drawings, in which examples of embodiments of inventive concepts are shown. Inventive concepts may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of present inventive concepts to those skilled in the art. It should also be noted that these embodiments are not mutually exclusive. Components from one embodiment may be tacitly assumed to be present/used in another embodiment.

[0064] Figure 5 is a schematic diagram illustrating first (primary) and second

(secondary) user devices 101 and 102 under control of a same user 103 wherein first and second user devices 101 and 102 are configured for communication over network(s) 501. By way of example, each of first and second user devices 101 and 102 may be a smartphone, a tablet computer, a laptop computer, a desktop computer, etc., and each of first and second user devices 101 and 102 may be configured to network communication via a wired (e.g., Local Area Network) and/or wireless (cellular radio access network RAN, wireless local area network WLAN, WiFi, etc.) interface. Moreover, network(s) 501 may include one or more of a cellular radio access network RAN, wireless local area network WLAN, wired local area network LAN, the Internet, etc. Moreover, a network service or services (such as an IP -based communication service) may be supported by back-end server 105, authorization server 107, and authorization portal 109, each of which is also coupled to network(s) 501.

[0065] Figure 6 is a block diagram illustrating a user device 600 (either of user device

101 or user device 102) of Figure 5 according to some embodiments. As shown, user device 600 may include processor 601 coupled with user interface 603, communication interface 605, and memory 609. In addition, user device may include image capture device (e.g., a camera) 607 coupled with processor 601. As shown, user interface may include one or more of microphone 603a, speaker 603b, user input device 603c, and/or display 603c. User input device may include a keypad, keyboard, mouse, trackball, button(s), etc., and/or display 603d and portions of user input device 603 c may be integrated in a touch sensitive screen.

Communication interface may include one or more of a cellular radio access network (RAN) interface (also referred to as a RAN transceiver), a short range wireless communication interface (e.g., a Near Field Communication NFC transceiver, a BlueTooth transceiver, an infrared IR transceiver, a WiFi transceiver, etc.), and/or a wired network communication interface. User device 600 can thus provide communication through network(s) 501 using communication interface 605 (e.g., using one or more of cellular RAN communication interface 605a, short range wireless communication interface 605b, and/or wired

communication interface 605c). In addition, user device 600 may be configured to communication with one or more other user devices directly (without using network(s) 501) using one or more elements of communication interface (e.g., using short range

communication interface 605b and/or wired communication interface 605c).

[0066] Processor 601 (also referred to as a processor circuit or processing circuitry) may include one or more data processing circuits, such as a general purpose and/or special purpose processor (e.g., microprocessor and/or digital signal processor). Processor 601 may be configured to execute computer program instructions from functional modules in memory 609 (also referred to as a memory circuit or memory circuitry), described below as a computer readable medium, to perform some or all of the operations and methods that are described herein for one or more of the embodiments. Moreover, processor 601 may be defined to include memory so that separate memory 609 may not be required.

[0067] When a structure of a particular user device (i.e., primary/first user device 101 or secondary/second user device 102) is described, or "-2" will be respectively added to the reference number to designate the particular device. Primary user device 101, for example, may be discussed as including processor 600-1, user interface 603-1 (e.g., including one or more of microphone 603a-l, speaker 603b-l, user input device 603c-l, and/or display 603d-l), communication interface 605-1 (including one or more of cellular RAN interface 605a- 1, short range communication interface 605b- 1, and/or wired communication interface 605c-l), image capture device 607-1, and memory 609-1. Similarly, secondary user device 102, for example, may be discussed as including processor 600-2, user interface 603-2 (e.g., including one or more of microphone 603 a-2, speaker 603b-2, user input device 603 c-2, and/or display 603d-2), communication interface 605-2 (including one or more of cellular RAN interface 605a-2, short range communication interface 605b-2, and/or wired communication interface 605c-2), image capture device 607-2, and memory 609-2.

[0068] A common form of credentials includes a user identifier (such as username, email address, account number, etc.) and a password. However, several other different approaches are possible, including the use of smart cards (such as SIM cards), single-use (also referred to as one-time or one-time use) codes/tokens, biometric data (fingerprint detection, voice recognition, facial recognition), and/or digital certificates. Also, approaches used for a same service on different user devices may not necessarily be the same. For example, once authorized/authenticated with his/her username and password on a smartphone, a user could receive a unique single-use token on the smartphone (e.g., in the form of a text message) and then use that single-use token as a credential on another user device in his/her possession.

[0069] In any case, the user may perform some operations on the user device to authorize/authenticate himself/herself with a back-end system (e.g., a server, portal, etc.) and provide a presumption/indication/proof that he/she is in control of the user device and thus in a condition to legitimately request activation, suspension, reactivation, cancellation - or whatever other relevant operation - of the service on the specific user device. The operation may be repeated - either with the same or with different types of credentials - across the set of user devices the user wants to be enrolled in the service.

[0070] Multiple different approaches may be used to reduce a number of times a user is required to authorize/authenticate himself/herself with the system providing the services he/she intends to use. Approaches may broadly fall in two categories:

• Approaches intended to reduce/avoid a need for the user to re-authorize/re- authenticate multiple times on the same user device;

• Approaches intended to reduce/avoid a need for the user to re-authorize/re- authenticate multiple times on different user devices.

[0071] An approach that may fall in the category of reducing/avoiding re- authorization/re-authentication on the same user device may include allowing the user to perform multiple consecutive operations on a single user device (e.g., activation of multiple services) without the need to re-enter credentials multiple times. [0072] Some approaches may include creating some sort of association (also referred to as session) between the user device and the back-end authorization/authentication system and keeping it in effect for a determined amount of time or until a certain event occurs.

[0073] An embodiment of this approach may be found in communication between web browsers and web servers. A user can login on the server with some credentials, and the server can automatically assign a session "cookie" to the browser-server association and pass the session cookie to the browser. The browser can re-submit the session cookie to the server (in lieu of repeating the user authorization/authentication) for as long as the server decides to rely on the previous user authorization/authentication.

[0074] Another approach that may fall into the category of reducing/avoiding re- authorization/re-authentication on different user devices may include allowing the user to activate a service on a user device without entering credentials if the user has another user device (on which he/she has successfully authorized/authenticated) that can serve as a "trust anchor" (also referred to as an "anchor device" or an "anchor user device").

[0075] This approach may include using the anchor user device (also referred to as a primary user device or a first user device) to obtain a single-use code (also referred to as a one-time code or a one-time use code) from the back-end authorization/authentication system and then using that single-use code on the second user device (also referred to as a secondary user device) on which the user wants to perform the activation as a streamlined form of authorization/authentication. In other words, the user can enter the single-use code for the secondary user device instead of entering his/her full credentials for the secondary user device.

[0076] Some embodiments of present inventive concepts may be related to reducing/avoiding re-authorization/re-authentication on different user devices. More particularly, some embodiments disclosed herein may define methods that securely enable a user to manage services on a second user device (also referred to as "secondary device" or "secondary user device") by relying on an authorization/authentication toward a back-end system the user has previously performed on a first user device (also referred to as a "primary device", "primary user device", "anchor device", "anchor user device", etc.) rather than requiring the user to re-enter his/her credentials on the secondary user device.

As noted above, some approaches may rely on obtaining a single-use code on the primary user device and using the single-use code as a form of streamlined

authorization/authentication on the secondary user device. Such re-authorization/re- authentication for the secondary user device, however, may be inconvenient and/or annoying. [0077] Figure 7 is a block diagram illustrating a server (e.g., back-end server 105, authorization server 107, and/or authorization portal 109), also referred to as a network node of Figure 5 according to some embodiments. As shown, server 700 may include processor 701 coupled with network interface 705, and memory 709. Server 700 may thus provide communication through network(s) 501 using network interface 705. Processor 701 (also referred to as a processor circuit or processing circuitry) may include one or more data processing circuits, such as a general purpose and/or special purpose processor (e.g., microprocessor and/or digital signal processor). Processor 701 may be configured to execute computer program instructions from functional modules in memory 709 (also referred to as a memory circuit or memory circuitry), described below as a computer readable medium, to perform some or all of the operations and methods that are described herein for one or more of the embodiments. Moreover, processor 701 may be defined to include memory so that separate memory 709 may not be required.

[0078] When a structure of a particular server (i.e., back-end server 105, authorization server 107, and/or authorization portal 109) is described, "-5", "-7", or "-9" will be respectively added to the reference number to designate the particular device. Back-end server 105, for example, may be discussed as including processor 701-5, network interface 705-5, and memory 709-5. Similarly, authorization server 107 may be discussed as including processor 701-7, network interface 705-7, and memory 709-7, and authorization portal 109 may be discussed as including processor 701-9, network interface 705-9, and memory 709-9. Moreover, while back-end server, authorization server, and authorization server may be implemented as separate servers, functionality of one or more of these elements may be combined in a same server.

[0079] According to some embodiments of inventive concepts, primary user device

101 may be used to request and obtain a single-use voucher for secondary user device 102 from the back-end system (e.g., back-end server 105), and that voucher may then be passed from primary user device 101 to secondary user device 102 without a need for the user to manually enter any value or code. Thereafter, secondary user device 102 can present the voucher to the back end system (e.g., back-end server 105) as:

• an identifier for the user that is requesting the operation;

• an indication/presumption/proof that the user is in possession of both primary user device 101 (on which he/she successfully authorized/authenticated) and secondary user device 102 by virtue of the fact that he/she has deliberately moved the voucher from primary user device 101 to secondary user device 102.

Secondary user device 102 may then exchange the voucher for an authorization code, access token or session cookie deliberately generated by the back-end system (e.g., back-end server 105) for secondary user device 102.

[0080] Multiple approaches are possible for the exchange of the voucher from primary user device 101 to secondary user device 102. The following criteria may be provided for the exchange of the voucher between primary and secondary user devices:

• The voucher exchange from primary user device 101 to secondary user device 102 may be possible only while the two user devices are in close proximity (i.e., while the user is in direct control of both devices).

• The voucher exchange from primary user device 101 to secondary user device 102 may be reasonably protected from eavesdropping, as to reduce/prevent interception of the exchange and to reduce/prevent the possibility of the voucher ending up in an unintended device.

Examples of suitable approaches may include exchange based on direct short-range communication (e.g., Bluetooth, NFC, etc.) between the two devices and/or exchange through encoding in a still or animated image displayed on primary user device 101 and scanned on secondary user device 102 (e.g., a QR code). Moreover, by allowing only one use of the single-use voucher at back-end server 105 during a limited period of time, a likelihood of misuse may be further reduced.

[0081] According to some embodiments of inventive concepts, a user may be able to activate and manage communication services on secondary user device 102 without the need to enter credentials, provided that he/she has already authorized/authenticated on primary user device 101. This may improve the user experience.

[0082] According to some embodiments of inventive concepts, a user may

authorize/authenticate himself/herself with his/her complete credentials (e.g., user name/identification and password) on primary user device 101 (e.g., a smartphone) and then activate services on secondary user device 102 (e.g., a tablet computer) without the need to manually enter any credential on secondary user device 102.

[0083] Any solution related to identity management and user

authorization/authentication may involve a trade-off between usability (in terms of annoyance for the user) and security. According to some embodiments of present inventive concepts, usability may be increased without introducing significant reduction of security.

[0084] According to some embodiments of inventive concepts, a single sign-on for multiple user devices (also referred to as communication devices) may be implemented as part of a system in which user devices (including smartphones, tablet computers, laptop computers, desktop computers, set-top-boxes, gaming consoles, etc.) interact with a back-end server to execute operations requested by the corresponding users.

[0085] According to examples of some embodiments of inventive concepts discussed herein, a user may change settings of his/her smartphone to have a Wi-Fi calling service (or other network service) enabled and the smartphone may interact with a service activation server to obtain the activation. However, this should be understood merely as an example, and the applicability of proposed embodiments are in no way limited to the disclosed examples of communication devices and services.

[0086] According to some embodiments of inventive concepts, an interaction between a primary user device (e.g., a smartphone) and a back-end server may be subject to authorization/authentication so that the back-end server can reliably determine whether a request was originated by a user device under control of a legitimate user, as shown in Figure 1.

[0087] A back-end of the system may include an authentication and/or authorization function (e.g., implemented using an authorization server and an authorization portal) used to collect and process user credentials to verify the identity of the user that is in control of the user device, as shown in Figure 2. In Figure 2 with authentication and authorization functions in the system back-end, authorization of a user device to interact with the back-end server may require user authorization/authentication toward the authentication and authorization function to be performed from that specific user device.

[0088] According to some embodiments of inventive concepts, authentication and authorization functions may be provided based on an OAuth authorization server compliant with RFC 6749, The OAuth 2.0 Authorization Framework, http s : //tool s . i etf . org/html/rfc6749, October 2012. In embodiments illustrated in Figure 3, primary user device 101 may use access tokens to prove the legitimacy of its requests to back-end server 105. Operations according to an example of such embodiments are provided as follows:

Operation 301. Primary user device 101 contacts authorization server 107 to request an access token valid for back-end server 105. Operation 302. Authorization server 107 redirects primary user device 101 to authorization portal 109.

Operation 303. Primary user device 101 connects to authorization portal 109 and requests an access token that is valid for back-end server 105 (if no session cookie is available).

Operation 304. Authorization portal 109 provides a login page for primary device 101 to present to the user.

Operation 305. Primary user device 101 presents the login page on a display as a prompt for the user to enter login credentials (e.g., username and password).

Operation 306. Primary user device 101 accepts user entry of login credentials from the user 103 via a user interface (e.g., via keypad and/or touch sensitive display of primary user device).

Operation 307. Primary user device 101 submits the user's login credentials to authorization portal 109 to authorize/authenticate the user.

Operation 308. Responsive to authorization portal 109 successfully validating the user's login credentials, authorization portal 109 and authorization server 108 agree on an access token to be used by primary user device 101.

Operation 309. Responsive to agreeing on the Access Token, authorization portal 109 provides the access token (usable for a certain period of time) to primary user device 101 to allow primary user device 101 to submit requests to back-end server 105. Operation 310. Primary user device 101 may submit request(s) accompanied by the access token to back-end server 105 relating to the service.

In general, if a user has more than one user device, operations discussed above with respect to Figure 3 may be repeated on a per user device basis. Some proposed embodiments may offer an alternative approach where the user authorization/authentication on a first user device (e.g., a primary user device) can be used to avoid re-authorization/re-authentication on other user devices (e.g., secondary user devices).

[0089] According to embodiments of inventive concepts illustrated in Figure 4A, primary user device 101 may obtain a single-use voucher (also referred to as a one-time voucher, or a one-time use voucher) for secondary user device 102, and secondary user device 102 may use the single-use voucher to obtain an access token valid for back-end server 105. Operations for such embodiments are discussed below:

Operation 401. The user takes device 101 (herein referred to as "first device" or a "primary device") which he/she has already authorized/authenticated for a network service (e.g., as discussed above with respect to Figure 3) and, using some device settings or dedicated application, indicates his/her intention to authorize another device 102 (herein referred to a "second device" or a "secondary device") to interact with the system (e.g., network service) on his/her behalf.

Operation 402. First device 101 contacts back-end server 105 and requests a single- use authorization voucher for second device 102.

Operation 403. Back-end server 105 generates the single-use voucher and returns the single-use voucher to first device 101.

Operation 404. First user device 101 prompts the user to transfer/pass the single-use voucher from first device 101 to second user device 102 (operation 403.1), and accepts user input to transfer the voucher (operation 403.2), so that the voucher is transferred from first user device 101 to second user device 102 (Operation 404). In an example embodiment, the transfer may be achieved by displaying a QR code with the voucher encoded in the QR code on a display of first user device 101 and requesting the user to align a camera of second user device 102 to scan the QR code and thus acquire the voucher at second user device 102. Other possible mechanisms may include use of a short-range communication mechanism such as Bluetooth or NFC (near field communication) to transfer the voucher. According to some embodiments, the selected transfer mechanism may provide that the transfer of the voucher from first user device 101 to second user device 102 may be possible only while the user is in direct control of both devices.

Operation 405. Second user device 101 may use the single-use voucher to contact back-end server 105 and request a waiver from the requirement to have the user authorize/authenticate himself/herself on second user device 102, and back-end server 105 and authorization portal 109 may agree to the waiver (Operation 405.1).

Operation 406. The waiver is returned to second user device 102 in the form of a session cookie that second user device 102 can present to the authorization portal 109. Operation 406.1. Back-end server 105 may invalidate the voucher with respect to user 103 so that the voucher is not reused for the network service with respect to user 103.

Operation 407. Second user device 102 contacts authorization server 107 to request an access token valid for back-end server 407.

Operation 408. Authorization server 107 redirects second user device 102 to authorization portal 109. Operation 409. Second user device 102 presents the session cookie (obtained at operation 406) to authorization portal 109.

Operation 409.1. Authorization portal 109 recognizes and authorizes/authenticates second user device 102 from the session cookie without requesting entry of any credential.

Operation 410. Authorization server 107 provides the access token (valid for back- end server 105) to second user device 102, wherein the access token is valid for a certain period of time.

Operation 411. Second user device 102 submits the access token to back-end server 105 to access the service. Stated in other words, the access token is used by second user device 102 to prove authorization to use the service without requiring user entry of credentials through second user device 102.

Operation 412. Back-end server may provide for secondary user device 102 through network 501 in accordance with the network service.

[0090] Figure 4B is a message diagram illustrating operations according to some other embodiments of inventive concepts. In embodiments of Figure 4B, operations 401 to 409 and 411 may be the same as discussed above with respect to Figure 4 A. Operations of Figure 4B are discussed below:

Operation 409. Second user device 102 presents the session cookie (obtained at operation 406) to authorization portal 109, as discussed above with respect to Figure

4A.

Operation 409. IB. Authorization portal 109 recognizes and authorized/authenticates second user device 102 from the session cookie without requesting entry of any credential, and authorization server 107 and authorization portal 109 agree on an access token for second user device 102.

Operation 410B. Authorization portal 109 provides the access token (valid for back- end server 105) to second user device 102, wherein the access token is valid for a certain period of time.

Operation 411. Second user device 102 submits the access token to back-end server 105 to access the service. Stated in other words, the access token is used by second user device 102 to prove authorization to use the service without requiring user entry of credentials through second user device 102.

According to Figure 4B, the access token is thus returned by authorization portal 109 (after handshake with authorization server 107). [0091] Figure 4C is a message diagram illustrating operations according to some other embodiments of inventive concepts. In embodiments of Figure 4C, operations 401 to 409 may be the same as discussed above with respect to Figure 4A, and Operation 411 may be the same as operation 411 of Figure 4A. Operations of Figure 4C are discussed below:

Operation 409. Second user device 102 presents the session cookie (obtained at operation 406) to authorization portal 109, as discussed above with respect to Figure 4A.

Operation 409.1C. Authorization portal 109 recognizes and authorizes/authenticates second user device 102 from the session cookie without requesting entry of any credential, and authorization server 107 and authorization portal 109 agree on an authorization code for second user device 102, wherein the authorization code is valid for authorization server 107.

Operation 409.2C. Authorization portal 109 provides the authorization code to second user device 102

Operation 409.3C. Second user device 102 presents the authorization code to authorization server 107.

Operation 410B. Responsive to receiving the authorization code from second user device 102, authorization server 107 provides the access token (valid for back-end server 105) to second user device 102, wherein the access token is valid for a certain period of time.

Operation 411. Second user device 102 submits the access token to back-end server 105 to access the service. Stated in other words, the access token is used by second user device 102 to prove authorization to use the service without requiring user entry of credentials through second user device 102.

According to Figure 4C, authorization portal 109 returns an authorization code, and the authorization code can be exchanged for the access token which is returned by authorization server 107.

[0092] It should be noted that some embodiments may omit any step at which second user device 102 uses a token, code or cookie that was generated by the system for use on first user device 103. For example, the session cookie (returned to second user device 102 by back-end server 105) can be crafted to be usable only on that specific device (i.e., only on second user device 102), and this may be a significant characteristic of some embodiments, which may provide that the overall security posture is not unnecessarily relaxed. [0093] Back-end server 105 may thus process the request of primary/anchor user device 101 (received at Operation 402), and generate a single-use voucher that is transmitted to primary user device 101 (at Operation 403) but usable by secondary user device 102 that is to be authorized for the network service. Back-end server 105 thus provides the single-use voucher to primary user device 101 with the expectation that the single-use voucher will be transferred from primary user device 101 to secondary user device 102 in a secure manner (at Operation 404).

[0094] Back-end server 105 can thus authorize/authenticate secondary user device

102 for the network service based on identification using the single-use voucher that was provided to primary user device 101. Without having prior knowledge of secondary user device 102, back-end server 105 can thus use the single-use voucher to recognize secondary user device 102 as being under control of a same user who controls primary user device 101.

[0095] Back-end server 105 interacts with authorization portal 109 at Operation 405.1 to obtain/generate an authorization waiver, e.g., a session cookie that is bound to the user and secondary user device 102, and the authorization/authentication waiver (e.g., session cookie) is provided to second user device 102 at Operation 406. Moreover, back-end server 105 may invalidate the single-use voucher after secondary user device 102 uses the single-use voucher to request/gain access at operations 405/406 so that the single-use voucher is not reused. For example, the single-use voucher may be invalidated with respect to user 103 of devices 101 and 102 so that the voucher is not reused for the network service with respect to user (103).

[0096] Elements of some embodiments of inventive concepts may include:

• A first user device 101 on which the user has successfully authorized/authenticated with an authorization portal 109 may be used as "trust anchor" device (also referred to as "a primary user device") to reduce/avoid a need to re-authorize/re-authenticate toward the same authorization portal on second user device 102 (also referred to as a "secondary device");

• A capability to transfer a single-use voucher from first user device 101 (the anchor device) to second user device 102 may be used as indication/evidence/proof that the user is in direct control of both first and second user devices;

• The single-use voucher may be used by second user device 102 as a way to identify itself with a back-end system and obtain a session cookie usable to skip

authorizing/authenticating with authorization portal 109; • A session cookie generated in concert by the back-end system and authorization portal and delivered to first user device (anchor device) may be used with the intent to be passed to second user device 102 (as opposed to simply passing a session cookie obtained by first user device 101 (anchor device) for itself to second user device 102);

• The above mechanisms may be used in the context of obtaining OAuth access tokens usable by second user device(s) 102 to authorize/authenticate their requests toward a back-end system.

[0097] Operations of a back-end system will now be discussed with reference to the flow chart of Figure 8 and the modules of Figure 9. For example, modules of Figure 9 may be stored in server memory 709 of Figure 7, and these modules may provide instructions so that when the instructions of a module are executed by server processor 701, processor 701 performs respective operations of the flow chart of Figure 8.

[0098] As shown in Figures 5 and 7, server 700 of the back-end system may communicate over network 501 with primary user device 101 and/or secondary user device 102 using network interface 705. Server processor 701 may thus transmit and/or receive communications through network interface 705.

[0099] Methods of authorizing secondary user device 102 for a network service provided over a network 501 are thus discussed with respect to Figures 8 and 9. For example, the network service may be provided for a user 103 of both of the primary and secondary user devices 101 and 102.

[00100] At block 802, processor 701 may receive a request from primary user device 101 (e.g., using voucher request reception module 902) through network interface 705.

Responsive to receiving the request from primary user device 101, processor 701 may transmit a voucher through network interface 705 over the network 501 to primary user device 101 at block 803 (e.g., using voucher transmission module 903). The voucher may be related to authorization of the secondary user device.

[00101] At block 805, processor 701 may receive a request for an authorization waiver from secondary user device 102 through network interface 705 over network 501 wherein the request for the authorization waiver includes the voucher that was transmitted to the primary user device 101 (e.g., using authorization waiver request reception module 905). Responsive to receiving the request from the secondary user device including the voucher, processor 701 may transmit an authorization waiver to the secondary user device 102 at block 806 (e.g., using authorization waiver transmission module 906). The authorization waiver may include a session cookie.

[00102] Responsive to receiving the request for an authorization waiver including the voucher, processor 701 may invalidate the voucher at block 806.1 (e.g., using voucher invalidation module 906.1). Invalidating the voucher may include invalidating the voucher with respect to the user so that the voucher is not reused for the network service with respect to the user 103.

[00103] Transmitting the voucher at block 803 may include transmitting the voucher from back-end server 105 to primary user device 101, receiving the request from secondary user device 102 at block 805 may include receiving the request from secondary user device 102 at the back-end server 105, and transmitting the authorization waiver at block 806 may include transmitting the authorization waiver from back-end server 105 to secondary user device 102.

[00104] At block 807, processor 701 may receive a request for an access token from secondary user device 102 over network 501 at an authorization server wherein the request for an access token includes the session cookie (e.g., using access token request reception module 907).

[00105] Responsive to receiving the request for an access token, processor 701 may redirect the secondary user device to authorization portal 109 at block 808 (e.g., using authorization portal redirection module 908). At block 809, processor may receive the authorization waiver including the session cookie at authorization portal 109 from secondary user device 102 (e.g., using authorization waiver reception module 909). At block 809.1, processor may provide authorization for secondary user device 102 based on the session cookie (e.g., using authorization provision module 909.1), wherein transmitting the access token comprises transmitting the access token responsive to providing the authorization based on the session cookie. Responsive to receiving the request for an access token, processor 701 may transmit an access token through network interface 705 to the secondary user device 102 at block 810 (e.g., using access token transmission module 910) wherein the access token is valid for back-end server 105. More particularly, processor 701 may transmit the access token from authorization server 107 over network 501 to secondary user device 102.

Moreover, back-end server 105, authorization server 107, and/or authorization portal 109 may be elements of a back-end system supporting operation of the network service.

[00106] Processor 701 may receive a request through network interface 705 from secondary user device 102 at block 811 (e.g., using request reception module 911) wherein the request includes the access token. Responsive to receiving the request including the access token, processor 701 may provide communication for secondary user device 102 through network interface 705 and network 501 in accordance with the network service at block 812 (e.g., using communication module 912). The network service, for example, may be at least one of a voice, video, and/or messaging service. Moreover, receiving the request including the access token may include receiving the request including the access token at back-end server 105 over network 501 from secondary user device 102.

[00107] Various operations of Figure 8 and/or modules of Figure 9 may be optional with respect to some embodiments of back-end systems/servers and related methods.

Regarding methods of example embodiment 1 (set forth below), for example, operations of blocks 802, 806.1, 807, 808, 809, 809.1, 810, 811, and 812 of Figure 8 may be optional, and regarding related back-end systems/servers, modules 902, 806.1, 907, 908, 909, 909.1, 910, 911, and 912 of Figure 9 may be optional.

[00108] Operations of a secondary user device 102 will now be discussed with reference to the flow chart of Figure 10 and the modules of Figure 11. For example, modules of Figure 10 may be stored in user device memory 609 of Figure 6, and these modules may provide instructions so that when the instructions of a module are executed by user device processor 601, processor 601 performs respective operations of the flow chart of Figure 10.

[00109] As shown in Figures 5 and 6, secondary user device 102 may communicate over network 501 with elements of a back-end system/server communication interface 605. Processor 601 may thus transmit and/or receive communications through communication interface 605.

[00110] Methods of operating secondary user device 102 to provide authorization for a network service are discussed with respect to Figures 10 and 11. At block 1004, processor 601 may receive a voucher through communication interface 605 and/or image capture device 607 from a primary user device 101 (e.g., using voucher reception module 1104). At block 1005, processor 601 may transmit a request for an authorization waiver through network interface 605 over network 501 to a back-end system for the network service (e.g., using authorization waiver request transmission module 1105), wherein the request for the authorization waiver includes the voucher. After transmitting the request for the

authorization waiver, processor 601 may receive an authorization waiver through

communication interface 605 from the back-end system at block 1006 (e.g., using

authorization waiver reception module 1106), and the authorization waiver may include a session cookie. [00111] Processor 601 may transmit a request for an access token to the back-end system at block 1007 (e.g., using access token request transmission module 1107), wherein the request for an access token includes the session cookie. After transmitting the request for an access token, processor 601 may receive an access token through communication interface 605 from the back-end system at block 1010 (e.g., using access token reception module

1110) . At block 1011, processor 601 may transmit a request through communication interface 605 to the back-end system (e.g., using communication request transmission module

1111) , wherein the request includes the access token. At block 1012, processor may establish a session using the access token to provide communication through communication interface 605 and network 501 in accordance with the network service (e.g., using session

establishment module 1112).

[00112] Various operations of Figure 10 and/or modules of Figure 11 may be optional with respect to some embodiments of secondary user devices and related methods.

Regarding methods of example embodiment 19 (set forth below), for example, operations of blocks 1007, 1010, 1011, and 1012 of Figure 10 may be optional, and regarding related secondary user devices, modules 1107, 1110, 1111, and 1112 of Figure 11 may be optional.

[00113] Operations of a primary user device 101 will now be discussed with reference to the flow chart of Figure 12 and the modules of Figure 13. For example, modules of Figure 12 may be stored in user device memory 609 of Figure 6, and these modules may provide instructions so that when the instructions of a module are executed by user device processor 601, processor 601 performs respective operations of the flow chart of Figure 12.

[00114] As shown in Figures 5 and 6, primary user device 101 may communicate over network 501 with elements of a back-end system/server using communication interface 605. Processor 601 may thus transmit and/or receive communications through communication interface 605.

[00115] Methods of operating a primary user device 101 to provide authorization for a network service on a secondary user device 102 are discussed below with respect to Figures 12 and 13. At block 1222, processor 601 may transmit a request for a voucher through communication interface 605 over network 501 to a back-end system (e.g., using voucher request transmission module 1322). Moreover, transmitting the request for a voucher may include transmitting the request responsive to user input to assist authorization of the secondary user device. At block 1223, processor 601 may receive a voucher over network 501 from the back-end system through communication interface 605 after transmitting the request for a voucher (e.g., using voucher reception module 1323), wherein the voucher is related to authorization of the of the secondary user device.

[00116] At block 1223.1, processor 601 may provide a prompt (e.g., on display 603d) for user input to initiate transferring the voucher to the secondary user device responsive to receiving the voucher (e.g., using prompt provision module 1323.1). At block 1223.2, processor 601 may accept user input to initiate transferring the voucher to the secondary user device based on the prompt (e.g., using input acceptance module 1323.2), and transferring the voucher may include transferring the voucher responsive to accepting the user input to initiate transferring the voucher.

[00117] At block 1224, processor 601 may transfer the voucher through display 603d and/or communication interface 604 to secondary user device 102 (e.g., using voucher transfer module 1324). Transferring the voucher may include transferring the voucher directly to the secondary user device 102. For example, transferring the voucher directly may include transferring the voucher directly to the secondary user device 102 without user input of the voucher through a user interface at the secondary user device. Transferring the voucher may include transferring the voucher to the secondary user device 102 via a short range communication interface such as a Near Field Communications (NFC) interface, a Bluetooth interface, and/or an infrared interface. Transferring the voucher may include providing an image including the voucher on display 603d of the primary communication device 101, for example, with the voucher encoded in the image.

[00118] Various operations of Figure 12 and/or modules of Figure 13 may be optional with respect to some embodiments of primary user devices and related methods. Regarding methods of example embodiment 37 (set forth below), for example, operations of blocks 1223.1 and 1223.2 of Figure 12 may be optional, and regarding related primary user devices, modules 1323.1 and 1323.2 of Figure 13 may be optional.

[00119] Additional operations of a primary user device 101 will now be discussed with reference to the flow chart of Figure 14 and the modules of Figure 15. For example, modules of Figure 15 may be stored in user device memory 609 of Figure 6, and these modules may provide instructions so that when the instructions of a module are executed by user device processor 601, processor 601 performs respective operations of the flow chart of Figure 14. Moreover, operations of blocks 1222, 1223, 1223.1, 1223.2, and 1224 of Figure 14 and related modules 1322, 1323, 1323.1, 1323.2, and 1324 of Figure 15 may be similar to blocks/modules of Figures 12 and 13. [00120] As shown in Figures 5 and 6, primary user device 101 may communicate over network 501 with elements of a back-end system/server using communication interface 605. Processor 601 may thus transmit and/or receive communications through communication interface 605.

[00121] Methods of operating a primary user device 101 to provide authorization for a network service on a secondary user device 102 are discussed below with respect to Figures 12 and 13. At block 1205, processor 601 may provide a prompt for user input of credentials for the network service on display 603d (e.g., using prompt provision module 1305). At block 1206, processor may accept user input of credentials for the network service (e.g., including a username and a password associate with the user for the network service) through a user interface (e.g., user input device 603d) of primary user device 101 (e.g., using credential acceptance module 1306). At block 1207, processor 601 may transmit the user credentials for the network service through communication interface 605 over network 501 to the back-end system. At block 1209, processor 601 may receive an access token through communication interface 605 from the back-end system (e..g, using access token reception module 1309), wherein receiving the access token includes receiving the access token after transmitting the user credentials for the network service.

[00122] At block 1222, processor 601 may transmit a request for a voucher through communication interface 605 over network 501 to a back-end system (e.g., using voucher request transmission module), and the request may include the access token. After transmitting the request for a voucher, processor 601 may receive a voucher over the network 501 through communication interface 605 from the back-end system at block 1223 (e.g., using voucher reception module 1323). At block 1223.1, processor 601 may provide a prompt on display 603c for user input to initiate transferring the voucher to the secondary user device responsive to receiving the voucher (e.g., using prompt provision module 1323.1). At block 1223.2, processor 601 may accept user input through user input device 603c to initiate transferring the voucher to the secondary user device based on the prompt (e.g., using input acceptance module 1323.2), wherein transferring the voucher may include transferring the voucher responsive to accepting the user input to initiate transferring the voucher. At block 1224, processor 601 may transfer the voucher to secondary user device 102 through display 603d and/or communication interface 605 (e.g., using voucher transfer module 1324).

[00123] Various operations of Figure 14 and/or modules of Figure 15 may be optional with respect to some embodiments of primary user devices and related methods. Regarding methods of example embodiment 47 (set forth below), for example, operations of blocks 1205, 1206, 1207, 1223.1 and 1223.2 of Figure 14 may be optional, and regarding related primary user devices, modules 1305, 1306, 1307, 1323.1 and 1323.2 of Figure 15 may be optional.

ABBREVIATIONS

Abbreviation Explanation

IMS IP Multimedia Subsystem

IP Internet Protocol

ISDN Integrated Services Digital Network

MSISDN Mobile Subscriber ISDN Number

NFC Near Field Communication

QR Quick Response

SIM Subscriber Identity Module

[00125] References

[1] RFC 6749 - The OAuth 2.0 Authorization Framework,

https://tools.ietf.org/html/rfc6749;

[2] US 20060185004 Al - Method and system for single sign-on in a network, https://www.google.com/patents/US20060185004; and

[3] US 20120210413 Al - Facilitating single sign-on (sso) across multiple browser instance, https://www.google.com/patents/US20120210413.

[00126] EXAMPLE EMBODIMENTS

[00127] Embodiment 1. A method of authorizing a secondary user device (102) for a network service provided over a network (501), the method comprising: responsive to receiving a request from a primary user device (101), transmitting (403) a voucher over the network (501) to the primary user device (101); receiving (405) a request for an

authorization waiver from the secondary user device (102) over the network (501) wherein the request for the authorization waiver includes the voucher that was transmitted to the primary user device (101); and responsive to receiving the request from the secondary user device including the voucher, transmitting (406) an authorization waiver to the secondary user device (102).

[00128] Embodiment 2. The method of Embodiment 1, wherein the primary user device (101) and the secondary user device (102) are different.

[00129] Embodiment 3. The method of any of Embodiments 1-2, wherein the voucher is related to authorization of the secondary user device. [00130] Embodiment 4. The method of any of Embodiments 1-3, wherein the authorization waiver includes a session cookie.

[00131] Embodiment 5. The method of any of Embodiments 1-4, wherein the network service is provided for a user (103) of both of the primary and secondary user devices (101 and 102), the method further comprising: responsive to receiving the request for an authorization waiver including the voucher, invalidating the voucher.

[00132] Embodiment 6. The method of Embodiment 5 wherein invalidating the voucher comprises invalidating the voucher with respect to the user so that the voucher is not reused for the network service with respect to the user (103).

[00133] Embodiment 7. The method of any of Embodiments 1-6 wherein transmitting the voucher comprises transmitting the voucher from a back-end server (105) to the primary user device (101), wherein receiving the request from the secondary user device (102) comprises receiving the request from the secondary user device (102) at the back-end server (105), and wherein transmitting the authorization waiver comprises transmitting the authorization waiver from the back-end server (105) to the secondary user device (102).

[00134] Embodiment 8. The method of Embodiment 7, wherein the authorization waiver includes a session cookie, the method further comprising: receiving (407) a request for an access token from the secondary user device (102) wherein the request for an access token includes the session cookie; and responsive to receiving the request for an access token, transmitting (410) an access token to the secondary user device (102) wherein the access token is valid for the back-end server (105).

[00135] Embodiment 9. The method of Embodiment 8, wherein receiving the request for an access token comprises receiving the request for an access token from the secondary user device over the network (501) at an authorization server (107), and wherein transmitting the access token comprises transmitting the access token from the authorization server (107) over the network (501) to the secondary user device (102).

[00136] Embodiment 10. The method of Embodiment 9 further comprising:

responsive to receiving the request for an access token, redirecting (408) the secondary user device to an authorization portal (109); receiving (409) the authorization waiver including the session cookie at the authorization portal (109) from the secondary user device (102); and providing (409.1) authorization for the secondary user device (102) based on the session cookie, wherein transmitting the access token comprises transmitting the access token responsive to providing the authorization based on the session cookie. [00137] Embodiment 11. The method of any of Embodiments 7-10, wherein the back- end server (105) server is an element of a back-end system supporting operation of the network service.

[00138] Embodiment 12. The method of any of Embodiments 9-10 wherein the back- end server (105) and the authorization server (107) are elements of a back-end system supporting operation of the network service.

[00139] Embodiment 13. The method of Embodiment 10 wherein the back-end server (105), the authorization server (107), and the authorization portal (109) comprise elements of a back-end system supporting operation of the network service.

[00140] Embodiment 14. The method of any of Embodiments 8-13 further comprising: receiving (411) a request from the secondary user device (102) wherein the request includes the access token; and responsive to receiving the request including the access token, providing communication for the secondary user device (102) through the network (501) in accordance with the network service.

[00141] Embodiment 15. The method of Embodiment 14 wherein the network service comprises at least one of a voice, video, and/or messaging service.

[00142] Embodiment 16. The method of any of Embodiments 14-15 wherein receiving the request including the access token comprises receiving the request including the access token at the back-end server (105) over the network (501) from the secondary user device (102).

[00143] Embodiment 17. A back-end system (105, 107, and/or 109), wherein the back-end system is adapted to perform according to any of embodiments 1-16.

[00144] Embodiment 18. A back-end system comprising: a network interface (705) configured to provide communication over a network (501); and a processor (705) coupled with the network interface, where the processor is configured to perform operations according to any of Embodiments 1-16, and wherein the processor is configured to transmit and/or receive communications to/from the primary and/or secondary user devices through the network interface over the network.

[00145] Embodiment 19. A method of operating a secondary user device (102) to provide authorization for a network service, the method comprising: receiving (404) a voucher from a primary user device (101); transmitting (405) a request for an authorization waiver over the network (501) to a back-end system for the network service, wherein the request for the authorization waiver includes the voucher; after transmitting the request for the authorization waiver, receiving (406) an authorization waiver from the back-end system. [00146] Embodiment 20. The method of Embodiment 19, wherein the authorization waiver includes a session cookie.

[00147] Embodiment 21. The method of Embodiment 20, the method further comprising: transmitting (407) a request for an access token to the back-end system, wherein the request for an access token includes the session cookie.

[00148] Embodiment 22. The method of any of Embodiments 19-20, the method further comprising: receiving (410) an access token from the back-end system; transmitting (411) a request to the back-end system, wherein the request includes the access token; and establishing a session using the access token to provide communication through the network (501) in accordance with the network service.

[00149] Embodiment 23. The method of Embodiment 22, the method further comprising: transmitting (407) a request for an access token to the back-end system, wherein the request for an access token includes a session cookie, and wherein receiving the access token comprises receiving the access token after transmitting the request for an access token.

[00150] Embodiment 24. The method of any of Embodiments 19-23 wherein the back-end system includes a back-end server (105), wherein transmitting the request for an authorization waver comprises transmitting the request to the back-end server, and wherein receiving the authorization waver comprises receiving the authorization waiver from the back-end server.

[00151] Embodiment 25. The method of any of Embodiments 22-24 wherein receiving the access token comprises receiving the access token from the back-end server, and wherein the access token is valid for the back-end server.

[00152] Embodiment 26. The method of any of Embodiments 19-25 wherein receiving the voucher comprises receiving the voucher directly from the primary user device

(101).

[00153] Embodiment 27. The method of Embodiment 26 wherein receiving the voucher directly from the primary user device comprises receiving the voucher directly from the primary user device without user input of the voucher through a user interface of the secondary user device.

[00154] Embodiment 28. The method of any of Embodiments 19-27 wherein receiving the voucher comprises receiving the voucher from the primary user device (101) via a short range communication interface. [00155] Embodiment 29. The method of Embodiment 28 wherein the short range communication interface comprises one of a Near Field Communications, NFC, interface, a Bluetooth interface, or an infrared interface.

[00156] Embodiment 30. The method of any of Embodiments 19-27 wherein receiving the voucher comprises receiving the voucher optically from a display of the primary user device using an image capture device on the secondary user device.

[00157] Embodiment 31. The method of any of Embodiments 19-30 wherein transmitting the request for an authorization waiver comprises transmitting the request automatically without user intervention responsive to receiving the voucher from the primary user device.

[00158] Embodiment 32. The method of any of Embodiments 21-31, wherein transmitting the request for an access token comprises transmitting the request for the access token automatically without user intervention responsive to receiving the authorization waiver.

[00159] Embodiment 33. The method of any of Embodiments 22-32 wherein transmitting the request including the access token comprises transmitting the request automatically responsive to receiving the access token.

[00160] Embodiment 34. The method of any of Embodiments 19-33 wherein the network service comprises at least one of a voice, video, and/or messaging service.

[00161] Embodiment 35. A secondary user device, wherein the secondary user device is adapted to perform according to any of Embodiments 19-34.

[00162] Embodiment 36. A secondary user device comprising: a communication interface configured to provide communication over a network; and a processor coupled with the communication interface, wherein the processor is configured to perform actions according to any of Embodiments 19-34, and wherein the processor is configured to transmit and/or receive communications over the network through the communication interface.

[00163] Embodiment 37. A method of operating a primary user device (101) to provide authorization for a network service on a secondary on a secondary user device (102), the method comprising: transmitting (402) a request for a voucher over a network (501) to a back-end system; after transmitting the request for a voucher, receiving (403) a voucher over the network (501) from the back-end system; and transferring (404) the voucher to the secondary user device (102). [00164] Embodiment 38. The method of Embodiment 37, wherein transmitting the request for a voucher comprises transmitting the request responsive to user input to assist authorization of the secondary user device (102).

[00165] Embodiment 39. The method of any of Embodiments 37-38, further comprising: responsive to receiving the voucher, providing (403.1) a prompt for user input to initiate transferring the voucher to the secondary user device; and accepting (403.2) user input to initiate transferring the voucher to the secondary user device based on the prompt, wherein transferring the voucher comprises transferring the voucher responsive to accepting the user input to initiate transferring the voucher.

[00166] Embodiment 40. The method of any of Embodiments 37-39 wherein transferring the voucher comprises transferring the voucher directly to the secondary user device (102).

[00167] Embodiment 41. The method of Embodiment 40 wherein transferring the voucher directly comprises transferring the voucher directly to the secondary user device (102) without user input of the voucher through a user interface at the secondary user device.

[00168] Embodiment 42. The method of any of Embodiments 37-41 wherein transferring the voucher comprises transferring the voucher to the secondary user device (102) via a short range communication interface.

[00169] Embodiment 43. The method of Embodiment 42 wherein the short range communication interface comprises one of a Near Field Communications, NFC, interface, a Bluetooth interface, or an infrared interface.

[00170] Embodiment 44. The method of any of Embodiments 37-41 wherein transferring the voucher comprises providing an image including the voucher on a display of the primary communication device (101).

[00171] Embodiment 45. The method of Embodiment 44 wherein the voucher is encoded in the image.

[00172] Embodiment 46. The method of any of Embodiments 37-45, wherein the voucher is related to authorization of the of the secondary user device.

[00173] Embodiment 47. The method of any of Embodiments 37-46, the method further comprising: receiving (309) an access token from the back-end system; wherein request for a voucher includes the access token.

[00174] Embodiment 48. The method of Embodiment 47 further comprising:

providing a prompt for user input of credentials for the network service; accepting user input of credentials for the network service through a user interface of the primary user device (101); and transmitting the user credentials for the network service over the network (501) to the back-end system; wherein receiving the access token comprises receiving the access token after transmitting the user credentials for the network service.

[00175] Embodiment 49. The method of Embodiment 49 wherein the user credentials for the network service comprise a username and a password associated with the user for the network service.

[00176] Embodiment 50. A primary user device, wherein the primary user device is adapted to perform according to any of Embodiments 37-49.

[00177] Embodiment 51. A primary user device comprising: a communication interface configured to provide communication over a network; and a processor coupled with the communication interface, wherein the processor is configured to perform actions according to any of Embodiments 37-49, and wherein the processor is configured to transmit and/or receive communications over the network through the communication interface.

[00178] Embodiment 52. A secondary user device (102) comprising: a communication interface (605-2) configured to provide communication over a network (501); and a processor (601-2) coupled with the communication interface (605-2), wherein the processor (601-2) is configured to, receive a voucher from a primary user device (101) through the

communication interface (605-2), transmit a request for an authorization waiver through the communication interface (605-2) over the network (501) to a back-end system for the network service, wherein the request for the authorization waiver includes the voucher, and receive an authorization waiver through the communication interface (605-2) from the back- end system after transmitting the request for the authorization waiver.

[00179] Embodiment 53. The secondary user device of Embodiment 52, wherein the authorization waiver includes a session cookie.

[00180] Embodiment 54. The secondary user device of Embodiment 53, wherein the processor is further configured to, transmit a request for an access token through the communication interface (605-2) to the back-end system, wherein the request for an access token includes the session cookie.

[00181] Embodiment 55. The secondary user device of any of Embodiments 52-53, wherein the processor is further configured to, receive an access token through the communication interface from the back-end system, transmit a request through the communication interface to the back-end system, wherein the request includes the access token, and establish a session through the communication interface using the access token to provide communication through the network (501) in accordance with the network service. [00182] Embodiment 56. The secondary user device of Embodiment 55, wherein the processor is further configured to, transmit a request for an access token to the back-end system, wherein the request for an access token includes a session cookie, and wherein receiving the access token comprises receiving the access token after transmitting the request for an access token.

[00183] Embodiment 57. The secondary user device of any of Embodiments 52-56 wherein the back-end system includes a back-end server (105), wherein transmitting the request for an authorization waver comprises transmitting the request to the back-end server, and wherein receiving the authorization waver comprises receiving the authorization waiver from the back-end server.

[00184] Embodiment 58. The secondary user device of any of Embodiments 55-57 wherein receiving the access token comprises receiving the access token from the back-end server, and wherein the access token is valid for the back-end server.

[00185] Embodiment 59. The secondary user device of any of Embodiments 52-58 wherein receiving the voucher comprises receiving the voucher directly from the primary user device (101).

[00186] Embodiment 60. The secondary user device of Embodiment 59 wherein receiving the voucher directly from the primary user device comprises receiving the voucher directly from the primary user device without user input of the voucher through a user interface of the secondary user device.

[00187] Embodiment 61. The secondary user device of any of Embodiments 52-60 wherein receiving the voucher comprises receiving the voucher from the primary user device (101) via a short range communication interface (605b) of the communication interface (605).

[00188] Embodiment 62. The secondary user device of Embodiment 61 wherein the short range communication interface (605b) comprises one of a Near Field Communications, NFC, interface, a Bluetooth interface, or an infrared interface.

[00189] Embodiment 63. The secondary user device of any of Embodiments 52-60 wherein receiving the voucher comprises receiving the voucher optically from a display of the primary user device using an image capture device (607) on the secondary user device.

[00190] Embodiment 64. The secondary user device of any of Embodiments 52-63 wherein transmitting the request for an authorization waiver comprises transmitting the request automatically without user intervention responsive to receiving the voucher from the primary user device. [00191] Embodiment 65. The secondary user device of any of Embodiments 54-64, wherein transmitting the request for an access token comprises transmitting the request for the access token automatically without user intervention responsive to receiving the authorization waiver.

[00192] Embodiment 66. The secondary user device of any of Embodiments 55-65 wherein transmitting the request including the access token comprises transmitting the request automatically responsive to receiving the access token.

[00193] Embodiment 67. The secondary user device of any of Embodiments 52-66 wherein the network service comprises at least one of a voice, video, and/or messaging service.

[00194] Embodiment 68. A primary user device (101) comprising: a communication interface (605-1) configured to provide communication over a network; and a processor (601- 1) coupled with the communication interface (605-1), wherein the processor is configured to, transmit a request for a voucher through the communication interface (605-1) over a network (501) to a back-end system, receive a voucher through the communication interface over the network (501) from the back-end system after transmitting the request for a voucher, and transfer (404) the voucher to the secondary user device (102).

[00195] Embodiment 69. The primary user device of Embodiment 68, wherein transmitting the request for a voucher comprises transmitting the request responsive to user input to assist authorization of the secondary user device (102) for the network service.

[00196] Embodiment 70. The primary user device of any of Embodiments 68-69, wherein the processor is further configured to, provide a prompt for user input to initiate transferring the voucher to the secondary user device responsive to receiving the voucher, and accept user input to initiate transferring the voucher to the secondary user device based on the prompt, wherein transferring the voucher comprises transferring the voucher responsive to accepting the user input to initiate transferring the voucher.

[00197] Embodiment 71. The primary user device of any of Embodiments 68-70 wherein transferring the voucher comprises transferring the voucher directly to the secondary user device (102).

[00198] Embodiment 72. The primary user device of Embodiment 71 wherein transferring the voucher directly comprises transferring the voucher directly to the secondary user device (102) without user input of the voucher through a user interface at the secondary user device. [00199] Embodiment 73. The primary user device of any of Embodiments 68-72 wherein transferring the voucher comprises transferring the voucher to the secondary user device (102) via a short range communication interface (605b-l).

[00200] Embodiment 74. The primary user device of Embodiment 73 wherein the short range communication interface (605b- 1) comprises one of a Near Field

Communications, NFC, interface, a Bluetooth interface, or an infrared interface.

[00201] Embodiment 75. The primary user device of any of Embodiments 68-72 wherein transferring the voucher comprises providing an image including the voucher on a display (603d-l) of the primary communication device (101).

[00202] Embodiment 76. The primary user device of Embodiment 75 wherein the voucher is encoded in the image.

[00203] Embodiment 77. The primary user device of any of Embodiments 68-76, wherein the voucher is related to authorization of the of the secondary user device.

[00204] Embodiment 78. The primary user device of any of Embodiments 68-77, wherein the processor is further configured to, receive an access token from the back-end system, wherein request for a voucher includes the access token.

[00205] Embodiment 79. The primary user device of Embodiment 78, wherein the processor is further configured to, provide a prompt for user input of credentials for the network service, accept user input of credentials for the network service through a user interface of the primary user device (101), and transmit the user credentials for the network service through the communication interface (605-1) over the network (501) to the back-end system, wherein receiving the access token comprises receiving the access token after transmitting the user credentials for the network service.

[00206] Embodiment 80. The primary user device of Embodiment 79 wherein the user credentials for the network service comprise a username and a password associated with the user for the network service.

[00207] Embodiment 81. A back-end system for a network service provided over a network (501), the back-end system comprising: a network interface (705) configured to provide communication over the network (501); and a processor (701) coupled with the network interface, wherein the processor is configured to, transmit a voucher through the network interface over the network (501) to the primary user device (101) responsive to receiving a request from a primary user device (101), receive a request for an authorization waiver through the network interface from the secondary user device (102) over the network (501) wherein the request for the authorization waiver includes the voucher that was transmitted to the primary user device (101), and transmit an authorization waiver to the secondary user device (102) responsive to receiving the request from the secondary user device including the voucher.

[00208] Embodiment 82. The back-end system of Embodiment 81, wherein the primary user device (101) and the secondary user device (102) are different.

[00209] Embodiment 83. The back-end system of any of Embodiments 81-82, wherein the voucher is related to authorization of the secondary user device for the network service.

[00210] Embodiment 84. The back-end system of any of Embodiments 81-83, wherein the authorization waiver includes a session cookie.

[00211] Embodiment 85. The back-end system of any of Embodiments 81-84, wherein the network service is provided for a user (103) of both of the primary and secondary user devices (101 and 102), wherein the processor is further configured to, invalidate the voucher responsive to receiving the request for an authorization waiver including the voucher.

[00212] Embodiment 86. The back-end system of Embodiment 85 wherein invalidating the voucher comprises invalidating the voucher with respect to the user so that the voucher is not reused for the network service with respect to the user (103).

[00213] Embodiment 87. The back-end system of any of Embodiments 81-86 wherein the processor comprises a back-end server processor (701-5) and the network interface comprises a back-end server network interface (705-5), wherein transmitting the voucher comprises the back-end server processor (701-5) transmitting the voucher through the back- end server network interface (705-5) over the network to the primary user device (101), wherein receiving the request from the secondary user device (102) comprises the back-end server processor (701-5) receiving the request from the secondary user device (102) through the back-end server network interface (705-5), and wherein transmitting the authorization waiver comprises the back-end server processor (701-5) transmitting the authorization waiver through the back-end server network interface (705-5) to the secondary user device (102).

[00214] Embodiment 88. The back-end system of Embodiment 87, wherein the authorization waiver includes a session cookie, wherein the processor (701) is further configured to, receive a request for an access token through the network interface (705) from the secondary user device (102) wherein the request for an access token includes the session cookie, and transmit an access token through the network interface (701) to the secondary user device (102) responsive to receiving the request for an access token wherein the access token is valid for the back-end server (105).

[00215] Embodiment 89. The back-end system of Embodiment 88, wherein the processor (701) comprises an authorization server processor (701-7) and the network interface (705) comprises an authorization server network interface (705-7), wherein receiving the request for an access token comprises the authorization server processor (701-7) receiving the request for an access token through the authorization server network interface (705-7) from the secondary user device over the network (501), and wherein transmitting the access token comprises the authorization server processor (701-5) transmitting the access token through the authorization server network interface (705-7) over the network (501) to the secondary user device (102).

[00216] Embodiment 90. The back-end system of Embodiment 89 wherein the processor (701) is further configured to, redirect the secondary user device to an authorization portal (109) responsive to receiving the request for an access token, receive the authorization waiver including the session cookie at the authorization portal (109) from the secondary user device (102), and provide authorization for the secondary user device (102) based on the session cookie, wherein transmitting the access token comprises transmitting the access token responsive to providing the authorization based on the session cookie.

[00217] Embodiment 91. The back-end system of any of Embodiments 88-90 wherein the processor (701) is further configured to, receive a request through the network interface (705) from the secondary user device (102) wherein the request includes the access token, and provide communication for the secondary user device (102) through the network interface (701) in accordance with the network service responsive to receiving the request including the access token.

[00218] Embodiment 92. The back-end system of Embodiment 91 wherein the network service comprises at least one of a voice, video, and/or messaging service.

[00219] Embodiment 93. The back-end system of any of Embodiments 91-92 wherein receiving the request including the access token comprises the back-end server processor (701-5) receiving the request including the access token through the back-end server network interface (701-5) from the secondary user device (102).

[00220] FURTHER DEFINITIONS

[00221] In the above-description of various embodiments of present inventive concepts, it is to be understood that the terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of present inventive concepts. Unless otherwise defined, all terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art to which present inventive concepts belongs. It will be further understood that terms, such as those defined in commonly used dictionaries, should be interpreted as having a meaning that is consistent with their meaning in the context of this specification and the relevant art and will not be interpreted in an idealized or overly formal sense unless expressly so defined herein.

[00222] When an element is referred to as being "connected", "coupled", "responsive", or variants thereof to another element, it can be directly connected, coupled, or responsive to the other element or intervening elements may be present. In contrast, when an element is referred to as being "directly connected", "directly coupled", "directly responsive", or variants thereof to another element, there are no intervening elements present. Like numbers refer to like elements throughout. Furthermore, "coupled", "connected", "responsive", or variants thereof as used herein may include wirelessly coupled, connected, or responsive. As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. Well-known functions or constructions may not be described in detail for brevity and/or clarity. The term "and/or" includes any and all combinations of one or more of the associated listed items.

[00223] It will be understood that although the terms first, second, third, etc. may be used herein to describe various elements/operations, these elements/operations should not be limited by these terms. These terms are only used to distinguish one element/operation from another element/operation. Thus a first element/operation in some embodiments could be termed a second element/operation in other embodiments without departing from the teachings of present inventive concepts. The same reference numerals or the same reference designators denote the same or similar elements throughout the specification.

[00224] As used herein, the terms "comprise", "comprising", "comprises", "include", "including", "includes", "have", "has", "having", or variants thereof are open-ended, and include one or more stated features, integers, elements, steps, components or functions but does not preclude the presence or addition of one or more other features, integers, elements, steps, components, functions or groups thereof. Furthermore, as used herein, the common abbreviation "e.g.", which derives from the Latin phrase "exempli gratia," may be used to introduce or specify a general example or examples of a previously mentioned item, and is not intended to be limiting of such item. The common abbreviation "i.e.", which derives from the Latin phrase "id est," may be used to specify a particular item from a more general recitation.

[00225] Example embodiments are described herein with reference to block diagrams and/or flowchart illustrations of computer-implemented methods, apparatus (systems and/or devices) and/or computer program products. It is understood that a block of the block diagrams and/or flowchart illustrations, and combinations of blocks in the block diagrams and/or flowchart illustrations, can be implemented by computer program instructions that are performed by one or more computer circuits. These computer program instructions may be provided to a processor circuit of a general purpose computer circuit, special purpose computer circuit, and/or other programmable data processing circuit to produce a machine, such that the instructions, which execute via the processor of the computer and/or other programmable data processing apparatus, transform and control transistors, values stored in memory locations, and other hardware components within such circuitry to implement the functions/acts specified in the block diagrams and/or flowchart block or blocks, and thereby create means (functionality) and/or structure for implementing the functions/acts specified in the block diagrams and/or flowchart block(s).

[00226] These computer program instructions may also be stored in a tangible computer-readable medium that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer- readable medium produce an article of manufacture including instructions which implement the functions/acts specified in the block diagrams and/or flowchart block or blocks.

Accordingly, embodiments of present inventive concepts may be embodied in hardware and/or in software (including firmware, resident software, micro-code, etc.) that runs on a processor such as a digital signal processor, which may collectively be referred to as

"circuitry," "a module" or variants thereof.

[00227] It should also be noted that in some alternate implementations, the

functions/acts noted in the blocks may occur out of the order noted in the flowcharts. For example, two blocks shown in succession may in fact be executed substantially concurrently or the blocks may sometimes be executed in the reverse order, depending upon the functionality/acts involved. Moreover, the functionality of a given block of the flowcharts and/or block diagrams may be separated into multiple blocks and/or the functionality of two or more blocks of the flowcharts and/or block diagrams may be at least partially integrated. Finally, other blocks may be added/inserted between the blocks that are illustrated, and/or blocks/operations may be omitted without departing from the scope of inventive concepts. Moreover, although some of the diagrams include arrows on communication paths to show a primary direction of communication, it is to be understood that communication may occur in the opposite direction to the depicted arrows.

[00228] Many variations and modifications can be made to the embodiments without substantially departing from the principles of the present inventive concepts. All such variations and modifications are intended to be included herein within the scope of present inventive concepts. Accordingly, the above disclosed subject matter is to be considered illustrative, and not restrictive, and the examples of embodiments are intended to cover all such modifications, enhancements, and other embodiments, which fall within the spirit and scope of present inventive concepts. Thus, to the maximum extent allowed by law, the scope of present inventive concepts are to be determined by the broadest permissible interpretation of the present disclosure including the examples of embodiments and their equivalents, and shall not be restricted or limited by the foregoing detailed description.