Techniques for facilitating secure, credential-free user access to resources

US 10,515,232 B2
Filed: 02/11/2019
Issued: 12/24/2019
Est. Priority Date: 01/21/2015
Status: Active Grant

First Claim

Patent Images

1. A method of operating a credential management platform:

receiving a request to access a protected resource from a first computing device, wherein the request comprises a modified secure shell (SSH) key;

identifying an authentication policy for the protected resource;

establishing a first secure session between the credential management platform and the first computing device;

authenticating the first computing device using authentication information specified by the authentication policy, wherein the authentication information is obtained from a zero-password login application installed on a second computing device;

upon authenticating the first computing device, providing the modified SSH key to the protected resource;

establishing a second secure session between the credential management platform and the protected resource; and

providing the first computing device with access to the protected resource by joining the first secure session and the second secure session.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are disclose herein for facilitating secure user access to resources without user-provided credentials. More specifically, the techniques described herein eliminate the need for end users to remember and provide privileged resource authentication information (e.g., credentials) at the time of resource access. The system accepts and securely stores registration information for accessing privileged resources during a registration process. As discussed herein, the registration information can include identification and authentication information for each privileged resource. The authentication process can also include registration of one or more secondary authentication devices that are used to verify the identity of the end user in lieu of the end user providing credentials.

Citations

18 Claims

1. A method of operating a credential management platform:
- receiving a request to access a protected resource from a first computing device, wherein the request comprises a modified secure shell (SSH) key;
  
  identifying an authentication policy for the protected resource;
  
  establishing a first secure session between the credential management platform and the first computing device;
  
  authenticating the first computing device using authentication information specified by the authentication policy, wherein the authentication information is obtained from a zero-password login application installed on a second computing device;
  
  upon authenticating the first computing device, providing the modified SSH key to the protected resource;
  
  establishing a second secure session between the credential management platform and the protected resource; and
  
  providing the first computing device with access to the protected resource by joining the first secure session and the second secure session.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein:
    - the request to access the protected resource is initiated by a shell executing on the first computing device; and
      
      the modified SSH key uniquely identifies a user of the first computing device.
  - 3. The method of claim 1, wherein:
    - the request to access the protected resource is initiated by a browser extension of the first computing device; and
      
      the SSH key uniquely identifies a user of the first computing device.
  - 4. The method of claim 1, wherein authenticating the first computing device using authentication information specified by the authentication policy and obtained from a second computing device comprises:
    - generating a request for authentication information based on the authentication policy associated with the protected resource and a user of the first computing device;
      
      sending the request for authentication information for delivery to the second computing device, wherein the second computing device is associated with the user of the first computing device;
      
      receiving a response to the request for authentication sent by the user device;
      
      processing the response to the request for authentication; and
      
      determining that the authentication policy is satisfied.
  - 5. The method of claim 1, wherein the authentication policy includes a geofencing policy that is satisfied when the second computing device is located within a predetermined area.
  - 6. The method of claim 1, wherein the authentication policy includes a proximity policy that is satisfied when the second computing device is proximate to the first computing device.
  - 7. The method of claim 6, wherein a Bluetooth connection is indicative of the second computing device and the first computing device being sufficiently proximate to satisfy the proximity policy.

8. A credential management apparatus comprising:
- one or more non-transitory computer readable media;
  
  one or more processors coupled to the one or more non-transitory computer readable media; and
  
  program instructions stored on the non-transitory computer readable media, wherein the program instructions direct the one or more processors to;
  
  receive a protected resource access request initiated on a first computing device, wherein the request comprises a modified (secure shell) SSH key that uniquely identifies a user;
  
  establish a first secure session between the first computing device and the credential management apparatus;
  
  authenticate the user according to an authentication policy associated with the protected resource, wherein authentication information specified by the authentication policy is obtained from a zero-password login application installed on a second computing device;
  
  provide the modified SSH key to the protected resource;
  
  establish a second secure session between the credential management apparatus and the protected resource; and
  
  provide user access to the protected resource by joining the first secure session and the second secure session.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15)
- - 9. The credential management apparatus of claim 8, wherein the request to access the protected resource is initiated by a shell executing on the first computing device or a browser extension of the first computing device.
  - 10. The credential management apparatus of claim 8, wherein the SSH key uniquely identifies a user of the first computing device.
  - 11. The credential management apparatus of claim 8, wherein the authentication policy is further based on information related to the first computing device.
  - 12. The credential management apparatus of claim 8, wherein, to authenticate the user according to an authentication policy associated with the protected resource, the program instructions further direct the one or more processors to:
    - generate a request for authentication information based on the authentication policy associated with the protected resource and a user of the first computing device;
      
      send the request for authentication information for delivery to a second computing device, wherein the second computing device is associated with the user of the first computing device;
      
      receive a response to the request for authentication sent by the user device;
      
      process the response to the request for authentication; and
      
      determine that the authentication policy is satisfied.
  - 13. The credential management apparatus of claim 12, wherein the authentication policy includes a geofencing policy that is satisfied when the second computing device is located within a predetermined area.
  - 14. The credential management apparatus of claim 12, wherein the authentication policy includes a proximity policy that is satisfied when the second computing device is proximate to the first computing device.
  - 15. The credential management apparatus of claim 14, wherein a Bluetooth connection is indicative of the second computing device and the first computing device being sufficiently proximate to satisfy the proximity policy.

16. A method comprising:
- in a first computing device;
  
  receiving a request to access a protected resource; and
  
  sending the request to a credential management platform, wherein the request includes a modified secure shell (SSH) that uniquely identifies a user;
  
  in the credential management platform;
  
  receiving the request from the first computing device;
  
  identifying an authentication policy for the protected resource;
  
  establishing a first secure session between the first computing device and the credential management platform; and
  
  sending a request for authentication information to a second computing device associated with the user, wherein the second computing device has a zero-password login application installed thereon;
  
  in the second computing device;
  
  receiving the request for authentication information;
  
  obtaining the authentication information from the zero-password login application; and
  
  sending a response to the request to the credential management platform that includes the authentication information; and
  
  in the credential management platform;
  
  receiving the response to the request for authentication information;
  
  determining that the authentication policy is satisfied;
  
  providing the modified SSH key to the protected resource;
  
  establishing a second secure session between the credential management platform and the protected resource; and
  
  providing the first computing device access to the protected resource by joining the first second session and the second secure session.
- View Dependent Claims (17, 18)
- - 17. The method of claim 16, wherein the authentication policy includes a geofencing policy that is satisfied when the second computing device is located within a predetermined area.
  - 18. The method of claim 16, wherein the authentication policy includes a proximity policy that is satisfied when the second computing device is proximate to the first computing device and a Bluetooth connection is indicative of the second computing device and the first computing device being sufficiently proximate.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Delinea
Original Assignee
Onion ID, Inc. (Centrify Corporation)
Inventors
Banerjee, Anirban
Primary Examiner(s)
Arani, Taghi T
Assistant Examiner(s)
Champakesan, Badri

Application Number

US16/272,115
Publication Number

US 20190251293A1
Time in Patent Office

316 Days
Field of Search

726 1
US Class Current
CPC Class Codes

G06F 21/31   User authentication

G06F 21/6272   by registering files or doc...

H04L 63/06   for supporting key manageme...

H04L 63/083   using passwords cryptograph...

H04L 63/0853   using an additional device,...

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

H04W 12/06   Authentication

H04W 12/64   using geofenced areas

H04W 4/021   Services related to particu...

Techniques for facilitating secure, credential-free user access to resources

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Techniques for facilitating secure, credential-free user access to resources

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links