Multi-party authentication and authorization

US 10,032,044 B2
Filed: 10/09/2015
Issued: 07/24/2018
Est. Priority Date: 08/08/2015
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer-readable medium embodying a program executable in a first client computing device, the program, when executed by the first client computing device, being configured to cause the first client computing device to at least:

receive an access request from a first user to access secured data stored on the first client computing device, wherein the first client computing device has a display, the first user is using the first client computing device by interacting with a user interface rendered on the display, and the first user has access to other data stored on the first client computing device when the access request is received;

determine that an authorization from a second user is required to grant the access request;

send an authorization request to a second client computing device associated with the second user;

receive the authorization by the second user from the second client computing device; and

facilitate access by the first user to the secured data in response to the authorization.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed are various examples for multi-party authentication and authentication. In one example, a user who forgets a password can gain access to secured data stored by a managed device by way of an authorization by one or more other users. This access can be granted even if the managed device is in an off-line mode or if a management server cannot be reached. In another example, access to secured data can depend upon authorization by a minimum quantity of other users. The authorization can involve an explicit approval or disapproval. Alternatively, the authorization can correspond to the presence of the minimum quantity of other users within a threshold proximity of the user who desires access.

8 Citations

View as Search Results

20 Claims

1. A non-transitory computer-readable medium embodying a program executable in a first client computing device, the program, when executed by the first client computing device, being configured to cause the first client computing device to at least:
- receive an access request from a first user to access secured data stored on the first client computing device, wherein the first client computing device has a display, the first user is using the first client computing device by interacting with a user interface rendered on the display, and the first user has access to other data stored on the first client computing device when the access request is received;
  
  determine that an authorization from a second user is required to grant the access request;
  
  send an authorization request to a second client computing device associated with the second user;
  
  receive the authorization by the second user from the second client computing device; and
  
  facilitate access by the first user to the secured data in response to the authorization.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The non-transitory computer-readable medium of claim 1, wherein the program, when executed by the first client computing device, is further configured to cause the first client computing device to at least:
    - determine that the second user has failed to approve the authorization; and
      
      deny access by the first user to the secured data in response to determining that the second user has failed to approve the authorization.
  - 3. The non-transitory computer-readable medium of claim 1, wherein the second user comprises a plurality of second users, and the second client computing device comprises a plurality of second client computing devices individually associated with the plurality of second users.
  - 4. The non-transitory computer-readable medium of claim 1, wherein the secured data is stored in an encrypted format on the first client computing device, and facilitating access by the first user to the secured data further comprises decrypting the secured data.
  - 5. The non-transitory computer-readable medium of claim 1, wherein the program, when executed by the first client computing device, is further configured to cause the first client computing device to at least:
    - receive an indication that the first user cannot provide a security credential, wherein the program is configured to facilitate access by the first user to the secured data based at least in part on the security credential without requiring the authorization; and
      
      determine that the authorization from the second user is required to grant the access request in response to the indication that the first user cannot provide the security credential.
  - 6. The non-transitory computer-readable medium of claim 1, wherein the authorization request is sent directly from the first client computing device to the second client computing device by way of a local wireless connection.
  - 7. The non-transitory computer-readable medium of claim 1, wherein the second user is identified based at least in part on a predetermined association between the second user specifically and the secured data.
  - 8. The non-transitory computer-readable medium of claim 1, wherein the second user is identified based at least in part on a predetermined association between a role of the second user and the secured data.

9. A system, comprising:
- a client computing device; and
  
  a management agent executable by the client computing device, the management agent configured to cause the client computing device to at least;
  
  receive an access request from a first user to access secured data stored on the client computing device, wherein the client computing device has a display, the first user is using the client computing device by interacting with a user interface rendered on the display, and the first user has access to other data stored on the client computing device when the access request is received;
  
  determine that access by the first user to the secured data requires a respective authorization from each of a minimum quantity of a set of second users;
  
  send a respective authorization request to at least one of the set of second users;
  
  determine that the respective authorizations have been received from the minimum quantity of the set of second users; and
  
  facilitate access by the first user to the secured data in response to determining that the respective authorizations have been received from the minimum quantity of the set of second users.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The system of claim 9, wherein the management agent is further configured to cause the client computing device to at least:
    - determine that the respective authorizations have not been received from the minimum quantity of the set of second users; and
      
      disable access by the first user to the secured data in response to determining that the respective authorizations have not been received from the minimum quantity of the set of second users.
  - 11. The system of claim 9, wherein the management agent is further configured to cause the client computing device to at least:
    - receive a security credential from the first user;
      
      authenticate the first user based at least in part on the security credential; and
      
      wherein the respective authorizations are required in addition to authenticating the first user.
  - 12. The system of claim 9, wherein the set of second users includes at least two users, and the minimum quantity corresponds to all of the set of second users.
  - 13. The system of claim 9, wherein the respective authorization requests are sent to a management server, and the respective authorizations are received from the management server.
  - 14. The system of claim 9, wherein at least one of the respective authorization requests are sent to at least one of the set of second users in a text message.
  - 15. The system of claim 9, wherein the set of second users includes at least two users, and the minimum quantity corresponds to fewer than all of the set of second users.

16. A method, comprising:
- receiving an access request from a first user to access secured data stored on a first client computing device, wherein the first client computing device has a display, the first user is using the first client computing device by interacting with a user interface rendered on the display, and the first user has access to other data stored on the first client computing device when the access request is received;
  
  determining that an authorization from a second user is required to grant the access request;
  
  sending an authorization request to a second client computing device associated with the second user;
  
  receiving the authorization by the second user from the second client computing device; and
  
  facilitating access by the first user to the secured data in response to the authorization.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The method of claim 16, wherein the second user comprises a plurality of second users, and the second client computing device comprises a plurality of second client computing devices individually associated with the plurality of second users.
  - 18. The method of claim 16, wherein the secured data is stored in an encrypted format on the first client computing device, and facilitating access by the first user to the secured data further comprises decrypting the secured data.
  - 19. The method of claim 16, further comprising:
    - receiving an indication that the first user cannot provide a security credential, wherein access by the first user to the secured data is facilitated without requiring the authorization if the security credential is provided; and
      
      determining that the authorization from the second user is required to grant the access request in response to the indication that the first user cannot provide the security credential.
  - 20. The method of claim 16, wherein the second user is identified based at least in part on a predetermined association between the second user specifically and the secured data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
AirWatch LLC (Broadcom, Inc.)
Original Assignee
AirWatch LLC (Broadcom, Inc.)
Inventors
Vas, Sachin, Panchapakesan, Ramani, Bhat, Vijaykumar, Vasavan, Sushilvas
Primary Examiner(s)
Herzog, Madhuri R

Application Number

US14/879,114
Publication Number

US 20170039388A1
Time in Patent Office

1,019 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/40   by quorum, i.e. whereby two...

G06F 21/6245   Protecting personal data, e...

H04L 63/0823   using certificates cryptogr...

H04L 63/083   using passwords cryptograph...

H04L 63/107   wherein the security polici...

H04L 9/321   involving a third party or ...

H04W 12/63   Location-dependent; Proximi...

Multi-party authentication and authorization

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

8 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Multi-party authentication and authorization

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

8 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links