Organization-level password management employing user-device password vault
9 Assignments
0 Petitions
Abstract
A computer system includes a management computer for automatically changing a password used to authenticate a user to a service application. A user device includes a password vault managed by a password management application. The management computer monitors for an event signifying that the password is to be changed, e.g., a predetermined number of uses, etc. A new password is assigned, and a first message is generated and sent to the service application including the new password and an indication that it is to be used for subsequent user authentication. A second message is also generated and sent to the password management application, also including the new password and an indication that it replaces a current password in the vault for user authentication. The new password is automatically used by both the service application and the user device during subsequent authentications until expiration.
46 Citations
18 Claims
1. A method of operating a management computer to automatically change a password used by a user to authenticate to a service application executing in a service computer system communicatively coupled to the management computer, the service computer system including a service application server and an active directory server, the user having a computerized user device including a vault in which active passwords are stored, the vault being managed by a password management application executing either on the user device or on a password management server coupled to the user device, the method comprising:

monitoring for occurrence of an event signifying that the password is to be changed, the event being a single use of the password for authenticating the user to the service application, and in response to occurrence of the event:

assigning a new password;

generating a first message and sending it to the service computer system, the first message including the new password and an indication that the service application is to begin using the new password to authenticate the user to the service application, the first message being sent via a first interface of the management computer, the first interface coupling the management computer to a first network and the service computer system, the first message being sent to the active directory server to update a user authentication record used by the active directory server in authenticating the user to the service application; and

generating a second message and sending it to the password management application, the second message including the new password and an indication that the new password is to replace a current password in the vault for use in authenticating the user to the service application, the second message being sent via a second interface of the management computer, the second interface coupling the management computer to a second network and the user device used by the user, wherein generating the second message and sending it to the password management application includes communicating with the user device using a vault application programming interface (API) that (i) enables external management of contents of the password vault and of the operation of the password management application, and (ii) causes the new password to be stored in the vault in association with an identification of the service application for use in the authenticating of the user thereto.

Dependent claims: 2, 3, 4, 5, 6, 7.
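The two-message exchange of claim 1, as an added example that is not part of the patent or of any product it covers. The directory, the user-device vault and the management computer are in-memory stand-ins (assumed class names DirectoryServer, PasswordVault and ManagementComputer; the user names and the service id "payroll-web" are constructed), so the flow runs offline. It goes one step past the claim text: the claim fixes the two messages but not their order or what happens when one of them fails, and the ordering chosen here is the one that never leaves the already-used password re-armed in the directory.

```python
from __future__ import annotations

import hmac
import secrets
import string

# Assumed names: DirectoryServer, PasswordVault and ManagementComputer are in-memory stand-ins for
# the active directory server, the user-device vault (behind its vault API) and the management
# computer of the claims; none of this is the patent's or a vendor's code.
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_~"

def generate_password(length: int = 32) -> str:
    """New password from the OS CSPRNG; the claims say only 'assigning a new password'."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

class DirectoryServer:
    """Holds the user authentication record; target of the first message."""
    def __init__(self) -> None:
        self._records: dict[str, str] = {}
        self.fail_next_update = False  # test hook: directory unreachable on the next write

    def set_password(self, user: str, password: str) -> None:
        if self.fail_next_update:
            self.fail_next_update = False
            raise ConnectionError("directory update failed")
        self._records[user] = password

    def authenticate(self, user: str, password: str) -> bool:
        stored = self._records.get(user)
        return stored is not None and hmac.compare_digest(stored.encode(), password.encode())

class PasswordVault:
    """Vault entries keyed by (user, service id); target of the second message via the vault API."""
    def __init__(self) -> None:
        self._entries: dict[tuple[str, str], str] = {}
        self.fail_next_update = False  # test hook: user device offline on the next write

    def replace(self, user: str, service_id: str, password: str) -> None:
        if self.fail_next_update:
            self.fail_next_update = False
            raise ConnectionError("vault API unreachable")
        self._entries[(user, service_id)] = password

    def lookup(self, user: str, service_id: str) -> str:
        return self._entries[(user, service_id)]

class ManagementComputer:
    """Treats every single use of the password as the rotation event and sends the two messages."""
    def __init__(self, directory: DirectoryServer, vault: PasswordVault, service_id: str) -> None:
        self.directory, self.vault, self.service_id = directory, vault, service_id
        self.pending: dict[str, str] = {}  # second messages not yet delivered to the vault

    def enroll(self, user: str) -> str:
        password = generate_password()
        self.directory.set_password(user, password)
        self.vault.replace(user, self.service_id, password)
        return password

    def on_authentication(self, user: str, password: str) -> bool:
        """Service-side hook: a successful authentication is the event that triggers rotation."""
        if not self.directory.authenticate(user, password):
            return False
        self.rotate(user)
        return True

    def rotate(self, user: str) -> tuple[str, str | None]:
        new_password = generate_password()
        try:  # first message goes to the directory first: a failure here changes nothing anywhere
            self.directory.set_password(user, new_password)
        except ConnectionError:
            return ("directory_failed", None)
        try:  # second message: on failure, fail closed and retry; never re-arm the used password
            self.vault.replace(user, self.service_id, new_password)
        except ConnectionError:
            self.pending[user] = new_password
            return ("vault_pending", new_password)
        return ("rotated", new_password)

    def flush_pending(self) -> int:
        """Retry undelivered second messages; returns the number delivered."""
        before = len(self.pending)
        for user, password in list(self.pending.items()):
            try:
                self.vault.replace(user, self.service_id, password)
                del self.pending[user]
            except ConnectionError:
                pass
        return before - len(self.pending)

def demo() -> dict[str, bool]:
    """Constructed run: one use rotates the password, a replay of it fails, the vault copy works."""
    directory, vault = DirectoryServer(), PasswordVault()
    mgmt = ManagementComputer(directory, vault, service_id="payroll-web")  # constructed service id
    first = mgmt.enroll("alice")
    return {
        "first_use": mgmt.on_authentication("alice", first),
        "replay": mgmt.on_authentication("alice", first),
        "vault_use": mgmt.on_authentication("alice", vault.lookup("alice", "payroll-web")),
    }
```

The directory is updated before the vault because the two failure modes are not symmetric: if the first message fails, the old password is still valid on both sides and the rotation is simply retried, but if the vault update fails after the directory has changed, rolling the directory back would put a password that has already crossed the wire back into service. Holding the new password as pending and retrying the vault API call keeps the single-use property at the cost of the user waiting until the device is reachable again. In a real deployment the first message would be an LDAP password modify (or the directory's own management API) over the management computer's first interface, the second a call to the vault vendor's API over the second interface, and the separation of those two networks is the trust boundary the claims describe.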
8. A management computer, comprising:

one or more processors;

memory coupled to the processors by a high-speed data bus; and

input/output interface circuitry coupled to the memory and the processors by the high-speed data bus, the input/output interface circuitry coupling the management computer to a service computer system and a computerized user device used by a user, the user device including a vault in which active passwords are stored, the vault being managed by a password management application executing either on the user device or on a password management server coupled to the user device, the memory storing instructions which, when executed by the processors, cause the management computer to operate to automatically change a password used by the user to authenticate to a service application executing in the service computer system, by:

(1) monitoring for occurrence of an event signifying that the password is to be changed, the event being a single use of the password for authenticating the user to the service application, and

(2) in response to occurrence of the event:

(a) assigning a new password;

(b) generating a first message and sending it to the service computer system, the first message including the new password and an indication that the service application is to begin using the new password to authenticate the user to the service application; and

(c) generating a second message and sending it to the password management application, the second message including the new password and an indication that the new password is to replace a current password in the vault for use in authenticating the user to the service application,

wherein the instructions, when executed by the processors to cause the management computer to generate the second message and send it to the password management application, cause the management computer to communicate with either the user device or password management server via a vault application programming interface (API) that (i) enables external management of contents of the password vault and of the operation of the password management application, and (ii) causes the new password to be stored in the vault in association with an identification of the service application for use in authenticating the user thereto,

wherein the input/output interface circuitry includes a first interface to a first network for coupling the management computer to the service computer system, and includes a second interface to a second network for coupling the management computer to the computerized user device used by the user, and wherein (i) the first message is sent to the service computer system via the first interface, and (ii) the second message is sent to the password management application via the second interface, and

wherein the service computer system includes a service application server and an active directory server, and the first message is sent to the active directory server to update a user authentication record used by the active directory server in the authenticating of the user to the service application.

Dependent claims: 9, 10, 11, 12, 13, 14, 15.
16. A computer system, comprising:

a service computer system executing a service application;

a computerized user device including a vault in which active passwords are stored, the passwords including a password used by a user to authenticate to the service application, the vault being managed by a password management application executing either on the user device or on a password management server coupled to the user device; and

a management computer used to automatically change the password used by the user to authenticate to the service application, the management computer being configured and operative to monitor for occurrence of an event signifying that the password is to be changed, the event being a single use of the password for authenticating the user to the service application, and in response to occurrence of the event (1) assign a new password, (2) generate a first message and send it to the service computer system, the first message including the new password and an indication that the service application is to begin using the new password to authenticate the user to the service application, and (3) generate a second message and send it to the password management application using a vault application programming interface (API), the second message including the new password and an indication that the new password is to replace a current password in the vault for use in authenticating the user to the service application,

the password management application being configured and operative, in response to communications from the management server using the vault API, to (i) enable the management server to manage contents of the password vault and operation of the password management application, and (ii) in response to the second message using the vault API, to store the new password in the vault in association with an identification of the service application for subsequent use by the user device in authenticating the user to the service application,

wherein the management computer includes a first interface to a first network for coupling the management computer to the service computer system, and includes a second interface to a second network for coupling the management computer to the computerized user device used by the user, and wherein (i) the first message is sent to the service computer system via the first interface, and (ii) the second message is sent to the password management application via the second interface, and

wherein the service computer system includes a service application server and an active directory server, and the first message is sent to the active directory server to update a user authentication record used by the active directory server in the authenticating of the user to the service application.

Dependent claims: 17, 18.