Selectively enabling multi-factor authentication for managed devices
Abstract
Disclosed are various examples of selectively enabling multi-factor authentication for applications on managed devices. An identity provider receives an authentication request for a first client application executed in a managed client device. The authentication request includes a first authentication factor corresponding to a management credential. The identity provider then determines whether one or more second authentication factors should be requested. If so, the identity provider then requests the second authentication factor(s) from a second client application. The identity provider receives the second authentication factor(s) from the second client application. The identity provider then authenticates the first client application in response to verifying the first authentication factor and the second authentication factor(s).
17 Claims
1. A non-transitory computer-readable medium containing instructions that, when executed by the at least one computing device, cause the at least one computing device to perform stages comprising:
- receiving an authentication request from a client device, the authentication request including a first authentication factor corresponding to a single sign-on (“SSO”) credential, wherein the SSO credential is downloaded to the client device, wherein the authentication request originates at a first client application executing on the client device;
- determining, at an identity provider service separate from the client device, whether at least one second authentication factor should be requested, including determining that the at least one second authentication factor should be requested based on a version of an application executing on the client device; and
- in response to determining that the at least one second authentication factor should be requested;
- requesting the at least one second authentication factor from the client device, including determining the first client application does not natively support the at least one second authentication factor and, as a result, requesting the at least one second authentication factor from a second client application;
- receiving the at least one second authentication factor from the client device;
- after confirming the at least one second authentication factor from the second client application, sending, from the identity provider service, an identity assertion to the first client application, wherein the first client application provides the identity assertion to a service provider that is separate from the identity provider service; and
- authenticating the client device in response to verifying the first authentication factor and the at least one second authentication factor.

Dependent claims: 2, 3, 4, 5, 6

7. A computing device that executes an identity provider service configured to cause the computing device to perform stages comprising:
- receiving an authentication request from a client device, the authentication request including a first authentication factor corresponding to a single sign-on (“SSO”) credential, wherein the SSO credential is downloaded to the client device, wherein the authentication request originates at a first client application executing on the client device;
- determining, at an identity provider service separate from the client device, whether at least one second authentication factor should be requested, including determining that the at least one second authentication factor should be requested based on a version of an application executing on the client device; and
- in response to determining that the at least one second authentication factor should be requested;
- requesting the at least one second authentication factor from the client device, including determining the first client application does not natively support the at least one second authentication factor and, as a result, requesting the at least one second authentication factor from a second application;
- receiving the at least one second authentication factor from the client device;
- after confirming the at least one second authentication factor, sending, from the identity provider service, an identity assertion to the first client application, wherein the first client application provides the identity assertion to a service provider that is separate from the identity provider service; and
- authenticating the client device in response to verifying the first authentication factor and the at least one second authentication factor.

Dependent claims: 8, 9, 10, 11

12. A method, comprising:
- receiving an authentication request from a client device, the authentication request including a first authentication factor corresponding to a single sign-on (“SSO”) credential, wherein the SSO credential is downloaded to the client device, wherein the authentication request originates at a first client application executing on the client device;
- determining, at an identity provider service separate from the client device, whether at least one second authentication factor should be requested, including determining that the at least one second authentication factor should be requested based on a version of an application executing on the client device; and
- in response to determining that the at least one second authentication factor should be requested;
- requesting the at least one second authentication factor from the client device, including determining the first client application does not natively support the at least one second authentication factor and, as a result, requesting the at least one second authentication factor from a second client application;
- receiving the at least one second authentication factor from the client device;
- after confirming the at least one second authentication factor, sending, from the identity provider service, an identity assertion to the first client application, wherein the first client application provides the identity assertion to a service provider that is separate from the identity provider service; and
- authenticating the client device in response to verifying the first authentication factor and the at least one second authentication factor.

Dependent claims: 13, 14, 15, 16, 17

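The identity-provider decision flow recited in the independent claims, sketched as an added example; it is not code from the patent or from any product. The version floor, application identifiers, credential store, one-time-code check and HMAC-signed assertion format are all assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Every identifier, version and key here is constructed for illustration.
IDP_KEY = b"constructed-demo-key"
MIN_VERSION = (3, 2, 0)                    # assumed policy: older builds need step-up
NATIVE_MFA_APPS = {"com.example.mail"}     # apps assumed able to collect a factor
COMPANION_APP = "com.example.authenticator"
SSO_CREDENTIALS = {"sso-cred-alice": "alice"}  # downloaded SSO credential -> user
EXPECTED_FACTOR = {"alice": "492817"}          # stand-in for a real OTP verifier

@dataclass
class AuthRequest:
    app_id: str
    app_version: str
    sso_credential: str

def needs_second_factor(req):
    """Step up when the requesting app's version is below the policy floor."""
    try:
        return tuple(int(p) for p in req.app_version.split(".")) < MIN_VERSION
    except ValueError:
        return True  # unparsable version string: fail closed

def factor_target(req):
    """Route the prompt to a second app if the first cannot collect the factor."""
    return req.app_id if req.app_id in NATIVE_MFA_APPS else COMPANION_APP

def sign_assertion(user, audience):
    body = f"{user}|{audience}"
    mac = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{mac}"

def authenticate(req, audience, factor=None, factor_source=None):
    """Return (status, value): challenge target, signed assertion, or denial."""
    user = SSO_CREDENTIALS.get(req.sso_credential)
    if user is None:
        return ("denied", None)            # first factor failed
    if needs_second_factor(req):
        target = factor_target(req)
        if factor is None:
            return ("challenge", target)   # ask the chosen app for the factor
        # Accept the factor only from the app that was challenged.
        if factor_source != target or not hmac.compare_digest(
                factor, EXPECTED_FACTOR[user]):
            return ("denied", None)
    return ("assertion", sign_assertion(user, audience))
```

The assertion is issued to the first application only after the factor arrives from the application that was challenged, and an unparsable version string is treated as requiring step-up.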
Specification