Methods and systems for gradual expiration of credentials

US 10,007,779 B1
Filed: 09/29/2015
Issued: 06/26/2018
Est. Priority Date: 09/29/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

receiving, at a first access request time, a first access request for accessing a resource using a credential, the first access request time occurring after an initial expiration time associated with the credential and before a final expiration time, the final expiration time determined by adding a predetermined grace period to the initial expiration time;

selecting a first access rule from a plurality of access rules based at least in part on first durations between the first access request time, the initial expiration time, and the final expiration time;

determining a first access right with respect to the resource based at least in part on the selected first access rule, the first access right configured to be more restrictive than an access granted prior to the initial expiration time;

generating a first access response corresponding to the first access request based at least in part on the first access right;

receiving, at a second access request time, a second request for accessing the resource using the credential, the second access request time occurring after the first access request time and before the final expiration time;

selecting a second access rule from the plurality of access rules based at least in part on second durations between the second access request time, the initial expiration time, and the final expiration time;

determining a second access right with respect to the resource based at least in part on the selected second access rule, historical access data associated with aggregated user behavior for selected previous access to the resource, and one or more attributes associated with sensor data indicating security breaches at the resource, the second access right being more restrictive than the first access right; and

generating a second access response corresponding to the second access request based at least in part on the second access right.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems are provided to enable gradual expiration of credentials. Instead of depriving a user of all his access rights upon expiration of his credential (e.g., password), the user'"'"'s access rights may be gradually restricted during a grace period after an expected or initial expiration time and/or before a final expiration time. The access right may be determined based on a duration from a time of the access request to the final expiration time or to the initial expiration time.

Citations

20 Claims

1. A computer-implemented method, comprising:
- receiving, at a first access request time, a first access request for accessing a resource using a credential, the first access request time occurring after an initial expiration time associated with the credential and before a final expiration time, the final expiration time determined by adding a predetermined grace period to the initial expiration time;
  
  selecting a first access rule from a plurality of access rules based at least in part on first durations between the first access request time, the initial expiration time, and the final expiration time;
  
  determining a first access right with respect to the resource based at least in part on the selected first access rule, the first access right configured to be more restrictive than an access granted prior to the initial expiration time;
  
  generating a first access response corresponding to the first access request based at least in part on the first access right;
  
  receiving, at a second access request time, a second request for accessing the resource using the credential, the second access request time occurring after the first access request time and before the final expiration time;
  
  selecting a second access rule from the plurality of access rules based at least in part on second durations between the second access request time, the initial expiration time, and the final expiration time;
  
  determining a second access right with respect to the resource based at least in part on the selected second access rule, historical access data associated with aggregated user behavior for selected previous access to the resource, and one or more attributes associated with sensor data indicating security breaches at the resource, the second access right being more restrictive than the first access right; and
  
  generating a second access response corresponding to the second access request based at least in part on the second access right.
- View Dependent Claims (2, 3, 4)
- - 2. The computer-implemented method of claim 1, wherein the first access right is configured to allow access to the resource and the second access right is configured to deny access to the resource.
  - 3. The computer-implemented method of claim 1, wherein the first access right is configured to allow read/write access to the resource and the second access right is configured to allow read-only access to the resource.
  - 4. The computer-implemented method of claim 1, wherein the credential includes at least one of a password, a cryptographic key, or a digital certificate.

5. One or more non-transitory computer-readable storage media storing computer-executable instructions that, when executed by a computing system, configure the computing system to perform operations comprising:
- in response to receiving, at a request time, a request to access a resource using a credential, the request time occurring after an initial expiration time associated with the credential and before a final expiration time;
  
  selecting a first access rule from a plurality of access rules based at least in part on first durations between the request time, the initial expiration time, and the final expiration time;
  
  determining an access right with a level of a plurality of different access right levels with respect to the resource based at least in part on the selected first access rule, historical access data associated with aggregated user behavior for selected previous access to the resource, and one or more attributes associated with sensor data indicating security breaches at the resource, the different access right levels respectively corresponding to different durations between the request time and the final expiration time for the credential; and
  
  providing a level of access to the resource based at least in part on the level of determined access right.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12)
- - 6. The computer-readable storage media of claim 5, wherein the access right is determined based at least in part on a second duration between the request time and the initial expiration time.
  - 7. The computer-readable storage media of claim 5, wherein determining the access right comprises:
    - selecting a second access rule from the plurality of access rules based at least in part on a duration between the request time and the final expiration time for the credential; and
      
      determining the access right based at least in part on the selected second access rule.
  - 8. The computer-readable storage media of claim 7, wherein determining the access right comprises:
    - comparing the duration with one or more predetermined intermediate durations relative to the final expiration time, each of the one or more intermediate durations associated with a set of one or more access rules of the plurality of access rules;
      
      selecting, based at least in part on the comparison, the set of access rules associated with one of the one or more intermediate durations; and
      
      determining the access right based at least in part on the selected set of access rules.
  - 9. The computer-readable storage media of claim 8, wherein the one or more intermediate durations includes a first intermediate duration with a first set of access rules and a second intermediate duration with a second set of access rules, the second intermediate duration being shorter than the first intermediate duration and the second set of access rules being more restrictive than the first set of access rules.
  - 10. The computer-readable storage media of claim 5, wherein the access right is determined further based at least in part on one or more characteristics associated with the resource or with the credential.
  - 11. The computer-readable storage media of claim 5, wherein the access right indicates a type, a duration, or a scope of access with respect to the resource.
  - 12. The computer-readable storage media of claim 5, wherein the access right indicates an allowance or denial of access to the resource.

13. A computer system, comprising:
- a memory that stores computer-executable instructions; and
  
  a processor configured to access the memory and execute the computer-executable instructions to at least;
  
  receive, at a request time, a request from a requester to access a plurality of resources using a credential, the request time occurring after an initial expiration time associated with the credential and before a final expiration time;
  
  select a first access rule from a plurality of access rules based at least in part on first durations between the request time, the initial expiration time, and the final expiration time;
  
  determine an access right with a level of a plurality of different access right levels with respect to a resource of the plurality of resources based at least in part on the selected first access rule, historical access data associated with aggregated user behavior for selected previous access to the resource, and one or more attributes associated with sensor data indicating security breaches at the resource, the different access right levels respectively corresponding to different durations between the request time and the initial expiration time for the credential; and
  
  provide access to the subset of resources for the requester based at least in part on the access right.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The computer system of claim 13, wherein the plurality of resources comprises at least one of a service, a computing device, or a data object.
  - 15. The computer system of claim 13, wherein the one or more attributes include attributes associated with the requestor, the credential, or at least one of the plurality of resources and wherein final expiration time is determined based at least in part on the one or more attributes.
  - 16. The computer system of claim 15, wherein determining the access right comprises:
    - comparing the duration between the request time and the initial expiration time and one or more intermediate durations relative to the initial expiration time, each of the one or more intermediate durations associated with a set of one or more access rules of the plurality of access rules;
      
      selecting one of the one or more intermediate durations based on the comparison; and
      
      determining the access right based at least in part on the set of access rules associated with the selected intermediate durations.
  - 17. The computer system of claim 16, wherein the one or more intermediate durations are determined based at least in part on the attributes associated with at least one of the requester, the credential, or at least one of the plurality of resources.
  - 18. The computer system of claim 16, wherein the one or more intermediate durations includes a first intermediate duration with a first set of access rules and a second intermediate duration with a second set of access rules, the second intermediate duration being longer than the first intermediate duration and the second set of access rules being more restrictive than the first set of access rules.
  - 19. The computer system of claim 18, wherein the first set of access rules are configured to allow access to the resource that the second set of access rules are configured to prevent access to.
  - 20. The computer system of claim 13, wherein the processor is configured to execute the computer-executable instructions to:
    - receiving, from an authentication server, one or more credential properties of the credential; and
      
      determining the access right based at least in part on the one or more credential properties.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
McClintock, Jon Arron, Golwalkar, Yogesh Vilas, Bhimanaik, Bharath Kumar, McAdams, Darin Keith, Sethi, Tushaar
Primary Examiner(s)
Shaw, Brian F

Application Number

US14/869,185
Time in Patent Office

1,001 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/31 User authentication

G06F 21/45 Structures or tools for the...

Methods and systems for gradual expiration of credentials

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and systems for gradual expiration of credentials

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links