Techniques for facilitating secure, credential-free user access to resources

US 10,223,549 B2
Filed: 12/16/2015
Issued: 03/05/2019
Est. Priority Date: 01/21/2015
Status: Active Grant

First Claim

Patent Images

1. A cloud-based credential management apparatus comprising:

one or more non-transitory computer readable storage media; and

program instructions that when executed by one or more processors communicatively coupled to memory, direct the one or more processors to;

detect a protected resource access request initiated by a shell executing on a resource access system, wherein the protected resource access request comprises a modified SSH key that uniquely identifies a user;

process the protected resource access request to identify the user and a protected resource that the user is attempting to access, wherein the protected resource and the credential management apparatus are different entities;

identify a predetermined authentication policy associated with the protected resource;

generate a request for authentication information based on the authentication policy associated with the protected resource;

send the request for authentication information for delivery to a mobile device associated with the user, wherein the mobile device and the resource access system are different entities;

receive a response to the request for authentication sent by the mobile device;

process the response to the request for authentication to determine that the authentication policy is satisfied; and

in response to determining that the authentication policy is satisfied,generate a response to the protected resource access request including login credentials to access the protected resource;

establish a first secure session between the resource access system and the cloud-based credential management apparatus;

send the response to the protected resource access request for delivery to the protected resource;

establish a second secure session between the cloud-based credential management apparatus and the protected resource; and

join the first secure session and the second secure session to establish a secure communication link between the resource access system and the protected resource.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are disclose herein for facilitating secure user access to resources without user-provided credentials. More specifically, the techniques described herein eliminate the need for end users to remember and provide privileged resource authentication information (e.g., credentials) at the time of resource access. The system accepts and securely stores registration information for accessing privileged resources during a registration process. As discussed herein, the registration information can include identification and authentication information for each privileged resource. The authentication process can also include registration of one or more secondary authentication devices that are used to verify the identity of the end user in lieu of the end user providing credentials.

Citations

19 Claims

1. A cloud-based credential management apparatus comprising:
- one or more non-transitory computer readable storage media; and
  
  program instructions that when executed by one or more processors communicatively coupled to memory, direct the one or more processors to;
  
  detect a protected resource access request initiated by a shell executing on a resource access system, wherein the protected resource access request comprises a modified SSH key that uniquely identifies a user;
  
  process the protected resource access request to identify the user and a protected resource that the user is attempting to access, wherein the protected resource and the credential management apparatus are different entities;
  
  identify a predetermined authentication policy associated with the protected resource;
  
  generate a request for authentication information based on the authentication policy associated with the protected resource;
  
  send the request for authentication information for delivery to a mobile device associated with the user, wherein the mobile device and the resource access system are different entities;
  
  receive a response to the request for authentication sent by the mobile device;
  
  process the response to the request for authentication to determine that the authentication policy is satisfied; and
  
  in response to determining that the authentication policy is satisfied,generate a response to the protected resource access request including login credentials to access the protected resource;
  
  establish a first secure session between the resource access system and the cloud-based credential management apparatus;
  
  send the response to the protected resource access request for delivery to the protected resource;
  
  establish a second secure session between the cloud-based credential management apparatus and the protected resource; and
  
  join the first secure session and the second secure session to establish a secure communication link between the resource access system and the protected resource.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The cloud-based credential management apparatus of claim 1, wherein the protected resource access request is initiated by a browser extension of the resource access system.
  - 3. The cloud-based credential management apparatus of claim 2, wherein the program instructions, when executed by the one or more processors, further direct the one or more processors to:
    - send the response to the protected resource access request for delivery to the browser extension of the resource access system.
  - 4. The cloud-based credential management apparatus of claim 2, wherein the login credentials comprise a username and password combination for accessing the protected resource.
  - 5. The cloud-based credential management apparatus of claim 1, wherein the protected resource comprises a website and the protected resource access request comprises a request to access a URL associated with the website.
  - 6. The cloud-based credential management apparatus of claim 1, wherein the login credentials comprise an SSH key.
  - 7. The cloud-based credential management apparatus of claim 1, wherein the authentication policy includes a geofencing policy that is satisfied when the mobile device is located within a predetermined area.
  - 8. The cloud-based credential management apparatus of claim 7, wherein the requested authentication information includes a request for geolocation information including one or more of GPS information or Internet Protocol address information.
  - 9. The cloud-based credential management apparatus of claim 1, wherein the authentication policy includes a proximity policy that is satisfied when the mobile device is proximate to the resource access system.
  - 10. The cloud-based credential management apparatus of claim 9, wherein the requested authentication information includes an indication regarding the proximity between the mobile device and the resource access system, a Bluetooth connection is indicative of the mobile device and the resource access system being sufficiently proximate to satisfy the proximity policy.
  - 11. The secure cloud-based credential management apparatus of claim 1, wherein the program instructions, when executed by the one or more processors, further direct the one or more processors to:
    - in response to determining that the policy is satisfied,accessing one or more decryption keys; and
      
      decrypting the login credentials for the user to access the protected resource using the one or more decryption keys.

12. A non-transitory computer-readable storage medium having a browser extension for operating with a web browser on an electronic computing device stored thereon, the browser extension including program instructions, which when executed by the one or more processors of the electronic computing device, cause the electronic computing device to:
- detect an attempt initiated by a user of the electronic computing device to access a resource;
  
  determine that the resource is a protected resource;
  
  responsive to determining that the resource is the protected resource, generate a protected resource access request, wherein the protected resource access request identifies the user, through a modified SSH key that is unique to the and the protected resource that the user is attempting to access;
  
  send the protected resource access request to a credential management system;
  
  establish a secure session between the electronic computing device and the credential management system;
  
  receive from the credential management system processing login credentials for accessing the resource;
  
  populate a login form for the resource with the received login credentials without storing the login credentials; and
  
  establish a secure communication link between the electronic computing device and the resource.

13. The computer-readable storage medium 12, wherein the resource comprises a website and the resource access request comprises a request to access a URL associated with the website.

14. The computer-readable storage medium 12, wherein to determine that the resource is a protected resource, the electronic computing device looks up a hash value stored in the browser.

15. The computer-readable storage medium 14, wherein the hash value is periodically updated by an enterprise credential administrative system.

16. A method of operating a credential management system to provide a user with secure access to a resource without user-provided credentials, the method comprising:
- receiving a protected resource access request initiated by a resource access system to identify the user and a protected resource that the user is attempting to access, wherein the protected resource access request comprises a modified SSH key that uniquely identifies the user;
  
  identifying a predetermined authentication policy associated with the protected resource;
  
  generating a request for authentication information for delivery to a mobile device associated with the user, wherein the requested authentication information is determined based on the authentication policy associated with the protected resource;
  
  sending the request for authentication information to the mobile device;
  
  receiving a response to the request for authentication sent by the mobile device;
  
  determining a security score corresponding to the protected resource access request;
  
  determining if the authentication policy is satisfied, wherein the authentication policy comprises a progressive multi-factor authentication; and
  
  if the authentication policy is satisfied,generating a response to the protected resource access request including login credentials to access the protected resource;
  
  establishing a first secure session between the resource access system and the credential management system;
  
  sending the response to the protected resource access request for delivery to the protected resource; and
  
  establishing a second secure session between the credential management system and the protected resource; and
  
  joining the first secure session and the second secure session to establish a secure communication link between the resource access system and the protected resource.
- View Dependent Claims (17, 18, 19)
- - 17. The method of claim 16, wherein the authentication information comprises encryption keys.
  - 18. The method of claim 16, wherein the protected resource access request is initiated by a browser extension of the resource access system.
  - 19. The method of claim 16, wherein the progressive multi-factor authentication includes two or more factors including:
    - geolocation information, device proximity information, biomarker information, password information, of device movement information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Delinea
Original Assignee
Onion ID, Inc. (Centrify Corporation)
Inventors
Banerjee, Anirban
Primary Examiner(s)
Arani, Taghi T
Assistant Examiner(s)
Champakesan, Badrinarayanan

Application Number

US14/971,778
Publication Number

US 20160212113A1
Time in Patent Office

1,175 Days
Field of Search

726 1
US Class Current
CPC Class Codes

G06F 21/31   User authentication

G06F 21/6272   by registering files or doc...

H04L 63/06   for supporting key manageme...

H04L 63/083   using passwords cryptograph...

H04L 63/0853   using an additional device,...

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

H04W 12/06   Authentication

H04W 12/64   using geofenced areas

H04W 4/021   Services related to particu...

Techniques for facilitating secure, credential-free user access to resources

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Techniques for facilitating secure, credential-free user access to resources

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links