Techniques for access management based on multi-factor authentication including knowledge-based authentication
First Claim
1. A method comprising:
- performing a first authentication of a user in response to receiving, from a first device of the user, a request to access a resource;
- based on the first authentication being successful, performing a second authentication of the user to determine whether to permit access to the resource, the second authentication comprising:
  - identifying, by a computer system of an access management system, a second device associated with the user, wherein the second device is registered with the access management system as a trusted device for the user, and wherein the second device is different from the first device;
  - transmitting, by the computer system, via a communication system, to the second device, encrypted data including a first identifier, wherein the first identifier is used by an application on the second device when communicating with the access management system;
  - receiving, from the application, a request to perform the second authentication;
  - determining that the request to perform the second authentication includes a second identifier;
  - responsive to determining that the second identifier matches the first identifier, obtaining authentication data, the authentication data including media content provided by the user at the first device for use in connection with the second authentication, one or more questions related to the media content, and one or more answers corresponding to the one or more questions;
  - sending, to the second device, the media content, wherein the application displays the media content to the user at the second device;
  - sending, to the first device, the one or more questions related to the media content, wherein the first device displays the one or more questions to the user;
  - receiving, from the first device, a response by the user to the one or more questions; and
  - determining, by the computer system, whether the response satisfies the one or more answers corresponding to the one or more questions; and
- based on determining that the response satisfies the one or more answers corresponding to the one or more questions, permitting the first device to access the resource.
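The flow recited in claim 1, simulated end to end so the ordering of the two factors is visible: password on the first device, an encrypted single-use identifier pushed to a distinct trusted device, the identifier echoed back by that device's app and matched, media shown on the second device while the questions go to the first, and access granted only when the answers match. This is an added example, not code from the patent or from any access management product. The class and function names (`AccessManagementSystem`, `run_flow`), the message shapes, the per-device provisioning key, the sample user "alice" with her laptop and phone, and the HMAC-based toy cipher standing in for a real AEAD are all assumptions made for the simulation.

```python
"""Simulation of the two-device MFA + KBA flow recited in claim 1 (added
example, not code from the patent). Class/function names, message shapes
and the toy cipher are assumptions made for the simulation."""
import hashlib
import hmac
import secrets

def _xor_stream(key, nonce, data):
    # Toy stream cipher: HMAC-SHA256 in counter mode. Together with the tag in
    # encrypt() it stands in for the AEAD (e.g. AES-GCM) a deployment would use.
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

def encrypt(key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(key, nonce, plaintext)
    return nonce + ct + hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("ciphertext failed integrity check")
    return _xor_stream(key, nonce, ct)

def _norm(s):
    # Normalize a KBA answer before comparison (case and whitespace only).
    return " ".join(s.lower().split()).encode()

class AccessManagementSystem:
    def __init__(self):
        self.users = {}        # user -> record (password hash, trusted device, KBA material)
        self.device_keys = {}  # trusted device -> key provisioned to its app (assumption)
        self.pending = {}      # first identifier -> session awaiting the app's request
        self.kba = {}          # first device -> session awaiting the user's answers
        self.granted = set()   # (user, first device) permitted to access the resource

    def register(self, user, password, trusted_device, media, qa):
        salt = secrets.token_bytes(16)
        self.users[user] = {
            "salt": salt, "pw": hashlib.sha256(salt + password.encode()).digest(),
            "trusted_device": trusted_device,        # "what you have"
            "media": media,                          # shown on the second device
            "questions": [q for q, _ in qa],         # shown on the first device
            "answers": [_norm(a) for _, a in qa]}    # "what you know"
        self.device_keys[trusted_device] = secrets.token_bytes(32)
        return self.device_keys[trusted_device]

    def first_authentication(self, user, first_device, password):
        rec = self.users.get(user)
        if rec is None or not hmac.compare_digest(
                hashlib.sha256(rec["salt"] + password.encode()).digest(), rec["pw"]):
            return None
        if rec["trusted_device"] == first_device:   # second device must differ from the first
            return None
        first_identifier = secrets.token_hex(16)    # fresh and single-use
        self.pending[first_identifier] = {"user": user, "first_device": first_device}
        return {"second_device": rec["trusted_device"],
                "encrypted": encrypt(self.device_keys[rec["trusted_device"]], first_identifier.encode())}

    def app_request(self, second_identifier):
        # Accept the request only if its identifier matches one the system issued,
        # then consume it so a replayed identifier is rejected.
        match = next((f for f in self.pending if hmac.compare_digest(f, second_identifier)), None)
        if match is None:
            return None
        session = self.pending.pop(match)
        rec = self.users[session["user"]]
        self.kba[session["first_device"]] = session
        return {"to_second_device": rec["media"], "to_first_device": rec["questions"]}

    def answer(self, first_device, responses):
        session = self.kba.pop(first_device, None)   # one attempt per second authentication
        if session is None:
            return False
        expected = self.users[session["user"]]["answers"]
        ok = len(responses) == len(expected) and all(
            hmac.compare_digest(_norm(r), a) for r, a in zip(responses, expected))
        if ok:
            self.granted.add((session["user"], first_device))
        return ok

    def has_access(self, user, device):
        return (user, device) in self.granted

def run_flow(password="correct horse", answers=("a red bicycle",), forged_identifier=False):
    """Constructed run for user 'alice' (laptop = first device, phone = trusted second device)."""
    ams = AccessManagementSystem()
    app_key = ams.register("alice", "correct horse", "alice-phone", "photo-0042.jpg",
                           [("What object is in the photo?", "A red bicycle")])
    step = ams.first_authentication("alice", "alice-laptop", password)
    if step is None:
        return False
    ident = decrypt(app_key, step["encrypted"]).decode()   # the phone's app reads the identifier
    if forged_identifier:
        ident = secrets.token_hex(16)   # a request whose identifier the system never issued
    if ams.app_request(ident) is None:  # media -> phone, questions -> laptop
        return False
    ams.answer("alice-laptop", list(answers))   # the user answers on the laptop
    return ams.has_access("alice", "alice-laptop")
```

Three choices in the simulation carry the claim's security argument: the identifier is generated fresh and consumed on first use, so the app's request cannot be replayed; the trusted device must differ from the requesting device, so a single compromised endpoint cannot satisfy both factors; and the media goes to one device while the questions and answers go to the other, so neither channel alone carries the whole knowledge factor. Identifier and answer comparisons use `hmac.compare_digest` rather than `==`.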
Abstract
An access management system is disclosed that can employ multi-factor authentication (MFA) using multiple types of authentication. In at least one embodiment, techniques may include implementing multi-factor authentication (MFA) including knowledge-based authentication (KBA). MFA may be based on multiple factors, such as “what you know” (e.g., a password or an answer to a question known by a user) and “what you have” (e.g., a trusted device registered for a user). In at least one embodiment, multiple devices (e.g., a desktop computer and a mobile device) may be utilized to provide for stronger authentication using a combination of what a user has. The combination of MFA based on what you know (e.g., KBA) and what you have (e.g., a trusted device) may further ensure authentication is not compromised. The techniques disclosed herein may provide for a stronger form of authentication to reduce, if not eliminate, possible vulnerabilities for access management.
20 Claims
1. A method comprising: as recited in full above under First Claim. Dependent claims: 2 to 10.
11. An access management system comprising:
- one or more processors; and
- a memory accessible to the one or more processors, the memory storing one or more instructions that, upon execution by the one or more processors, cause the one or more processors to:
  - perform a first authentication of a user in response to receiving, from a first device of the user, a request to access a resource;
  - based on the first authentication being successful, perform a second authentication of the user to determine whether to permit access to the resource, the second authentication comprising:
    - identifying a second device associated with the user, wherein the second device is registered with the access management system as a trusted device for the user, and wherein the second device is different from the first device;
    - transmitting, via a communication system, to the second device, encrypted data including a first identifier, wherein the first identifier is used by an application on the second device when communicating with the access management system;
    - receiving, from the application, a request to perform the second authentication;
    - determining that the request to perform the second authentication includes a second identifier;
    - responsive to determining that the second identifier matches the first identifier, obtaining authentication data, the authentication data including media content provided by the user at the first device for use in connection with the second authentication, one or more questions related to the media content, and one or more answers corresponding to each of the one or more questions;
    - sending, to the second device, the media content, wherein the application displays the media content to the user at the second device;
    - sending, to the first device, the one or more questions related to the media content, wherein the first device displays the one or more questions to the user;
    - receiving, from the first device, a response by the user to the one or more questions; and
    - determining whether the response satisfies the one or more answers corresponding to the one or more questions; and
  - based on determining that the response satisfies the one or more answers corresponding to the one or more questions, permit the first device to access the resource.

Dependent claims: 12 to 16.
17. A non-transitory computer-readable medium storing one or more instructions that, upon execution by one or more processors, cause the one or more processors to:
- perform a first authentication of a user in response to receiving, from a first device of the user, a request to access a resource;
- based on the first authentication being successful, perform a second authentication of the user to determine whether to permit access to the resource, the second authentication comprising:
  - identifying, at an access management system, a second device associated with the user, wherein the second device is registered with the access management system as a trusted device for the user, and wherein the second device is different from the first device;
  - transmitting, via a communication system, to the second device, encrypted data including a first identifier, wherein the first identifier is used by an application on the second device when communicating with the access management system;
  - receiving, from the application, a request to perform the second authentication;
  - determining that the request to perform the second authentication includes a second identifier;
  - responsive to determining that the second identifier matches the first identifier, obtaining authentication data, the authentication data including media content provided by the user at the first device for use in connection with the second authentication, one or more questions related to the media content, and one or more answers corresponding to the one or more questions;
  - sending, to the second device, the media content, wherein the application displays the media content to the user at the second device;
  - sending, to the first device, the one or more questions related to the media content, wherein the first device displays the one or more questions to the user;
  - receiving, from the first device, a response by the user to the one or more questions; and
  - determining whether the response satisfies the one or more answers corresponding to the one or more questions; and
- based on determining that the response satisfies the one or more answers corresponding to the one or more questions, permit the first device to access the resource.

Dependent claims: 18 to 20.