Techniques for facilitating secure, credential-free user access to resources
First Claim
1. A cloud-based credential management apparatus comprising:
one or more non-transitory computer readable storage media; and
program instructions that when executed by one or more processors communicatively coupled to memory, direct the one or more processors to:
detect a protected resource access request initiated by a shell executing on a resource access system, wherein the protected resource access request comprises a modified SSH key that uniquely identifies a user;
process the protected resource access request to identify the user and a protected resource that the user is attempting to access, wherein the protected resource and the credential management apparatus are different entities;
identify a predetermined authentication policy associated with the protected resource;
generate a request for authentication information based on the authentication policy associated with the protected resource;
send the request for authentication information for delivery to a mobile device associated with the user, wherein the mobile device and the resource access system are different entities;
receive a response to the request for authentication sent by the mobile device;
process the response to the request for authentication to determine that the authentication policy is satisfied; and
in response to determining that the authentication policy is satisfied, generate a response to the protected resource access request including login credentials to access the protected resource;
establish a first secure session between the resource access system and the cloud-based credential management apparatus;
send the response to the protected resource access request for delivery to the protected resource;
establish a second secure session between the cloud-based credential management apparatus and the protected resource; and
join the first secure session and the second secure session to establish a secure communication link between the resource access system and the protected resource.
Abstract
Techniques are disclosed herein for facilitating secure user access to resources without user-provided credentials. More specifically, the techniques described herein eliminate the need for end users to remember and provide privileged resource authentication information (e.g., credentials) at the time of resource access. The system accepts and securely stores registration information for accessing privileged resources during a registration process. As discussed herein, the registration information can include identification and authentication information for each privileged resource. The authentication process can also include registration of one or more secondary authentication devices that are used to verify the identity of the end user in lieu of the end user providing credentials.
19 Claims
12. A non-transitory computer-readable storage medium having a browser extension for operating with a web browser on an electronic computing device stored thereon, the browser extension including program instructions, which when executed by the one or more processors of the electronic computing device, cause the electronic computing device to:
detect an attempt initiated by a user of the electronic computing device to access a resource;
determine that the resource is a protected resource;
responsive to determining that the resource is the protected resource, generate a protected resource access request, wherein the protected resource access request identifies the user, through a modified SSH key that is unique to the user, and the protected resource that the user is attempting to access;
send the protected resource access request to a credential management system;
establish a secure session between the electronic computing device and the credential management system;
receive from the credential management system processing login credentials for accessing the resource;
populate a login form for the resource with the received login credentials without storing the login credentials; and
establish a secure communication link between the electronic computing device and the resource.
13. The computer-readable storage medium of claim 12, wherein the resource comprises a website and the resource access request comprises a request to access a URL associated with the website.
14. The computer-readable storage medium of claim 12, wherein to determine that the resource is a protected resource, the electronic computing device looks up a hash value stored in the browser.
15. The computer-readable storage medium of claim 14, wherein the hash value is periodically updated by an enterprise credential administrative system.
16. A method of operating a credential management system to provide a user with secure access to a resource without user-provided credentials, the method comprising:
receiving a protected resource access request initiated by a resource access system to identify the user and a protected resource that the user is attempting to access, wherein the protected resource access request comprises a modified SSH key that uniquely identifies the user;
identifying a predetermined authentication policy associated with the protected resource;
generating a request for authentication information for delivery to a mobile device associated with the user, wherein the requested authentication information is determined based on the authentication policy associated with the protected resource;
sending the request for authentication information to the mobile device;
receiving a response to the request for authentication sent by the mobile device;
determining a security score corresponding to the protected resource access request;
determining if the authentication policy is satisfied, wherein the authentication policy comprises a progressive multi-factor authentication; and
if the authentication policy is satisfied, generating a response to the protected resource access request including login credentials to access the protected resource;
establishing a first secure session between the resource access system and the credential management system;
sending the response to the protected resource access request for delivery to the protected resource; and
establishing a second secure session between the credential management system and the protected resource; and
joining the first secure session and the second secure session to establish a secure communication link between the resource access system and the protected resource.
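The broker flow of claims 1 and 16 (identify the user from the modified SSH key, look up the resource's authentication policy, derive a security score, challenge the registered mobile device with a progressive set of factors, and release the stored credential only to the broker-side session), as an added Python sketch that is not code from the patent. The key-comment tag format, the scoring rule, the HMAC-based device answer and all users, resources and secrets are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed registration data standing in for the broker's secure store.
USER_BY_KEY_TAG = {"u7f3a": "alice"}            # tag carried in the modified SSH key's comment
DEVICE_SECRET = {"alice": b"constructed-mobile-device-secret"}
VAULT = {("alice", "db01.example.internal"): ("alice_db", "constructed-password")}
# Per-resource policy: deny below min_score; one factor at or above push_only, else two.
POLICY = {"db01.example.internal": {"min_score": 60, "push_only": 80}}

def user_from_key(key_line):
    """Map the modified SSH key (assumed format: comment 'name+tag') to a registered user."""
    parts = key_line.split()
    comment = parts[-1] if parts else ""
    return USER_BY_KEY_TAG.get(comment.rsplit("+", 1)[-1]) if "+" in comment else None

def security_score(ctx):
    """Toy request score (claim 16 leaves the scoring rule to the implementer)."""
    return 100 - (0 if ctx.get("known_network") else 30) - (0 if ctx.get("known_device") else 30)

def required_factors(score, policy):
    """Progressive MFA: fewer factors for a high-score request, denial below the threshold."""
    if score < policy["min_score"]:
        return None
    return ["push"] if score >= policy["push_only"] else ["push", "otp"]

def factor_proof(user, nonce, factor):
    return hmac.new(DEVICE_SECRET[user], nonce + factor.encode(), hashlib.sha256).hexdigest()

def device_response(user, nonce, factors):
    """Simulated registered mobile device answering each requested factor."""
    return {f: factor_proof(user, nonce, f) for f in factors}

def broker(key_line, resource, ctx, answer=device_response):
    """Run the claim 1/16 flow; return (factors, credentials) for the broker side, or None."""
    user = user_from_key(key_line)
    if user is None or resource not in POLICY or (user, resource) not in VAULT:
        return None
    factors = required_factors(security_score(ctx), POLICY[resource])
    if factors is None:
        return None
    nonce = secrets.token_bytes(16)              # fresh per challenge, so a captured answer cannot be replayed
    response = answer(user, nonce, factors)
    if not all(hmac.compare_digest(factor_proof(user, nonce, f), response.get(f, "")) for f in factors):
        return None
    return factors, VAULT[(user, resource)]      # credentials never reach the user's shell
```

The returned credential is what the broker would use to open the second secure session of the claims; the user's shell only ever sees the joined session.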