Password-less authentication for access management
First Claim
1. A method comprising:
receiving, by a computer system of an access management system, from a first device, a request by a user for access to a resource, wherein the first device is a second computer system;
based on the request, determining, by the computer system, that the first device is registered for the user based on an authentication of the user at the first device prior to the request;
generating, by the computer system, security data for determining authentication of the user to access the resource using the first device, wherein the security data includes first data that is based on information related to the user, and wherein the first data is encrypted based on an encryption key;
sending, by the computer system, the encryption key to a second device that the user has registered with the access management system, wherein the second device is a mobile device separate from the first device;
sending, by the computer system, the security data to the first device, wherein the security data includes a quick response (QR) code that is displayed at the first device for presentation to the second device;
receiving, by the computer system, from the second device, second data that is generated by the second device based on decryption of the first data included in the security data, wherein the decryption of the first data is performed by the second device using the encryption key sent to the second device, and wherein the security data is obtained by the second device from the QR code displayed at the first device;
determining whether the second data includes the information that is included in the first data; and
based on determining that the second data includes the information, enabling the first device to access the resource.
Abstract
An access management system is disclosed that can provide access to resources by password-less authentication. The access management system can provide multiple layers of security for authentication, taking into account risk factors (e.g., device, location) to ensure authentication without compromising access. Contextual details of a user derived from a mobile device can be used for authentication based on possession of that device. Password-less authentication of a user may be enabled by registering devices and/or a location (e.g., a geographic location) as trusted. Security data embedded with encrypted data can be sent to a first device for password-less authentication of a user at that device. A second device registered to the user can obtain the security data from the first device. The second device can decrypt the data and send the decrypted data to the access management system for verification, enabling password-less authentication at the first device.
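The exchange set out in the first claim and the abstract, simulated end to end as an added example (not code from the patent or its assignee): the access management system encrypts user-related "first data", sends the key to the registered mobile device and the ciphertext to the first device as the QR payload, and grants access only when the mobile device returns the decrypted information. The claims name no cipher, so a stand-in (SHAKE-256 keystream with an HMAC-SHA256 tag) is assumed here in place of a real AEAD such as AES-GCM; all device names and session values are constructed.

```python
import base64, hashlib, hmac, json, secrets

# Stand-in cipher for this demo (the patent names none): SHAKE-256 keystream XOR
# plus an HMAC-SHA256 tag. A real deployment would use AES-GCM instead.
def encrypt(key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, hashlib.shake_256(key + nonce).digest(len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("security data failed authentication")
    return bytes(a ^ b for a, b in zip(ct, hashlib.shake_256(key + nonce).digest(len(ct))))

class AccessManagementSystem:
    def __init__(self):
        self.registered = {}  # user -> {"first": device id, "mobile": device id}
        self.pending = {}     # session id -> first data expected back from the mobile device
    def register(self, user, first_device, mobile_device):
        self.registered[user] = {"first": first_device, "mobile": mobile_device}
    def request_access(self, user, first_device, resource):
        # Claim elements 1-2: the first device must already be registered for this user.
        reg = self.registered.get(user)
        if reg is None or reg["first"] != first_device:
            return None
        # Element 3: first data = user information plus a fresh challenge, encrypted under a new key.
        key, session = secrets.token_bytes(32), secrets.token_hex(8)
        first_data = {"user": user, "resource": resource, "challenge": secrets.token_hex(8)}
        self.pending[session] = first_data
        blob = encrypt(key, json.dumps(first_data).encode())
        # Element 4: the key goes to the mobile device; element 5: the QR payload goes to the first device.
        qr_payload = json.dumps({"session": session, "data": base64.b64encode(blob).decode()})
        return (reg["mobile"], key), qr_payload
    def verify(self, session, second_data):
        # Elements 6-8: second data must carry the information in first data; a session is single-use.
        expected = self.pending.pop(session, None)
        return expected is not None and second_data == expected

def mobile_scan_and_respond(key, qr_payload):
    # Second device: read the QR payload, decrypt with the key it received, return the result to the AMS.
    qr = json.loads(qr_payload)
    return qr["session"], json.loads(decrypt(key, base64.b64decode(qr["data"])))

def demo():
    ams = AccessManagementSystem()
    ams.register("alice", "laptop-1", "phone-1")  # constructed sample registration
    (_, key), qr = ams.request_access("alice", "laptop-1", "payroll")
    session, second_data = mobile_scan_and_respond(key, qr)
    return ams.verify(session, second_data)
```

Because the key never travels through the QR code, a party that only sees the screen cannot recover the first data, and the single-use session blocks replay of a captured response.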
17 Claims

1. A method comprising: (text as given under First Claim above)
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9

10. A system comprising:
one or more processors; and
a memory accessible to the one or more processors, the memory storing one or more instructions that, upon execution by the one or more processors, cause the one or more processors to:
receive, by an access management system, from a first device, a request by a user for access to a resource, wherein the first device is a second computer system;
based on the request, determine that the first device is registered for the user based on an authentication of the user at the first device prior to the request;
generate security data for determining authentication of the user to access the resource using the first device, wherein the security data includes first data that is based on information related to the user, and wherein the first data is encrypted based on an encryption key;
send the encryption key to a second device that the user has registered with the access management system, wherein the second device is a mobile device separate from the first device;
send the security data to the first device, wherein the security data includes a quick response (QR) code that is displayed at the first device for presentation to the second device;
receive from the second device, second data that is generated by the second device based on decryption of the first data included in the security data, wherein the decryption of the first data is performed by the second device using the encryption key sent to the second device, and wherein the security data is obtained by the second device from the QR code displayed at the first device;
determine whether the second data includes the information that is included in the first data; and
based on determining that the second data includes the information, enable the first device to access the resource.
Dependent claims: 11, 12, 13, 14

15. A non-transitory computer-readable medium storing one or more instructions that, upon execution by one or more processors, cause the one or more processors to:
receive, by a computer system of an access management system, from a first device, a request by a user for access to a resource, wherein the first device is a second computer system;
based on the request, determine, by the computer system, that the first device is registered for the user based on an authentication of the user at the first device prior to the request;
generate, by the computer system, security data for determining authentication of the user to access the resource using the first device, wherein the security data includes first data that is based on information related to the user, and wherein the first data is encrypted based on an encryption key;
send, by the computer system, the encryption key to a second device that the user has registered with the access management system, wherein the second device is a mobile device separate from the first device;
send, by the computer system, the security data to the first device, wherein the security data includes a quick response (QR) code that is displayed at the first device for presentation to the second device;
receive, by the computer system, from the second device, second data that is generated by the second device based on decryption of the first data included in the security data, wherein the decryption of the first data is performed by the second device using the encryption key sent to the second device, and wherein the security data is obtained by the second device from the QR code displayed at the first device;
determine whether the second data includes the information that is included in the first data; and
based on determining that the second data includes the information, enable the first device to access the resource.
Dependent claims: 16, 17
Specification