Multi-factor authentication for managed directories

US 10,547,599 B1
Filed: 02/19/2015
Issued: 01/28/2020
Est. Priority Date: 02/19/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

obtaining, by an authentication service from a client device, a request to access a directory managed by a computer system, the request including a first set of credentials;

determining, by the computer system that manages the directory, that the first set of credentials is valid;

transmitting, by the authentication service to the client device, a second request to obtain a set of multi-factor authentication codes;

obtaining, by the authentication service from the client device, the set of multi-factor authentication codes;

as a result of the first set of credentials being valid and in response to obtaining the set of multi-factor authentication codes from the client device, providing, by the authentication service, the set of multi-factor authentication codes to a remote authentication dial in user service server for validation; and

as a result of the remote authentication dial in user service server validating the set of multi-factor authentication codes, issuing, by the authentication service, an access token to the client device to allow access to the directory.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A user transmits a request to an authentication service to access a managed directory. The request may include a first set of credentials usable by a managed directory service to authenticate the user. As a result of the first set of credentials being valid, the authentication service may prompt the user to provide a multi-factor authentication code, which may be used by an authentication server to further authenticate the user and enable the user to access the managed directory. The authentication service subsequently provides the multi-factor authentication code to the authentication server for validation. If the multi-factor authentication code is valid, the authentication service may enable the user to access the managed directory through an encrypted communications session.

Citations

20 Claims

1. A computer-implemented method comprising:
- obtaining, by an authentication service from a client device, a request to access a directory managed by a computer system, the request including a first set of credentials;
  
  determining, by the computer system that manages the directory, that the first set of credentials is valid;
  
  transmitting, by the authentication service to the client device, a second request to obtain a set of multi-factor authentication codes;
  
  obtaining, by the authentication service from the client device, the set of multi-factor authentication codes;
  
  as a result of the first set of credentials being valid and in response to obtaining the set of multi-factor authentication codes from the client device, providing, by the authentication service, the set of multi-factor authentication codes to a remote authentication dial in user service server for validation; and
  
  as a result of the remote authentication dial in user service server validating the set of multi-factor authentication codes, issuing, by the authentication service, an access token to the client device to allow access to the directory.
- View Dependent Claims (2, 3, 4)
- - 2. The computer-implemented method of claim 1, wherein:
    - the remote authentication dial in user service server and the computer system are provided through an on-premises customer network; and
      
      the method further comprises;
      
      establishing an encrypted communications session between an agent operating within a network other than the on-premises customer network and the remote authentication dial in user service server; and
      
      accessing the remote authentication dial in user service server through the agent in order to provide the set of multi-factor authentication codes to the remote authentication dial in user service server for validation.
  - 3. The computer-implemented method of claim 1, further comprising:
    - obtaining, at the computer system, a request to enable multi-factor authentication for the directory, the request specifying a set of shared secret codes for establishing an encrypted communications channel with the remote authentication dial in user service server;
      
      identifying the remote authentication dial in user service server for validation of the set of multi-factor authentication codes; and
      
      providing the set of shared secret codes to the remote authentication dial in user service server to establish the encrypted communications channel through which the multi-factor authentication codes are transmitted.
  - 4. The computer-implemented method of claim 1, wherein the remote authentication dial in user service server is operated and managed through the computer system.

5. A system, comprising:
- one or more processors; and
  
  memory storing thereon a set of instructions, that as a result of being performed by the one or more processors, cause the system to at least;
  
  obtain, from a first computer system, a request to access a directory managed by a second computer system operating within a network distinct from an on-premises customer network, the request including a first set of credentials;
  
  provide the first set of credentials to the second computer system to cause the second computer system to determine whether the first set of credentials are valid;
  
  obtain, from the first computer system, a second set of credentials, the second set of credentials being different from the first set of credentials;
  
  as a result of the first set of credentials being determined to be valid by the second computer system, provide the second set of credentials to an authentication server to determine whether the second set of credentials are valid; and
  
  as a result of the second set of credentials being determined to be valid by the authentication server, allow the first computer system to access the directory.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12)
- - 6. The system of claim 5, wherein the authentication server is a remote authentication dial in user service (RADIUS) that receives and transmits messages through a user datagram protocol (UDP) port.
  - 7. The system of claim 5, wherein the authentication server is managed by the second computer system within the network distinct from the on-premises customer network.
  - 8. The system of claim 5, wherein, as a result of the first set of credentials not being valid, the set of instructions further cause the system to:
    - in response to obtaining the second set of credentials, delay a notification that the request has been denied for a particular period of time; and
      
      as a result of the particular period of time being elapsed, transmit the notification.
  - 9. The system of claim 5, wherein the set of instructions further cause the system to:
    - obtain a request to enable multi-factor authentication for the directory, the request specifying a set of shared secret codes to be used to establish an encrypted communications channel with the authentication server;
      
      identify the authentication server to be used to validate the second set of credentials; and
      
      provide the set of shared secret codes to the authentication server to establish the encrypted communications channel through which the second set of credentials are transmitted.
  - 10. The system of claim 9, wherein the set of instructions further cause the system to determine, based at least in part on characteristics of an interface used to provide one or more sets of credentials, whether to require multi-factor authentication.
  - 11. The system of claim 5, wherein:
    - the authentication server is provided through the on-premises customer network; and
      
      the set of instructions further cause the system to;
      
      establish an encrypted communications session with an agent of the second computer system, wherein access to the authentication server is performable through the agent; and
      
      access, through the agent, the authentication server to provide the second set of credentials to the authentication server to cause the authentication server to perform validation of the second set of credentials.
  - 12. The system of claim 5, wherein:
    - the directory is managed and operated within the on-premises customer network;
      
      the first set of credentials includes a set of domain credentials; and
      
      providing the first set of credentials to the second computer system cause the second computer system to use the set of domain credentials to establish an encrypted communications session with the on-premises customer network.

13. A non-transitory computer-readable storage medium storing thereon a set of instructions that, as a result of being performed by one or more processors of a computer system, cause the computer system to at least:
- in response to obtaining, from a second computer system, a request to access a directory, the directory being managed by another computer system operating within a network distinct from an on-premises customer network, and a first set of credentials, provide the first set of credentials to the other computer system to authenticate the second computer system;
  
  transmit, to the second computer system, a second request for a second set of credentials;
  
  obtain, from the second computer system, the second set of credentials; and
  
  as a result of a determination, by the other computer system, that the first set of credentials is valid;
  
  provide the second set of credentials to an authentication server to authenticate the second computer system using the second set of credentials; and
  
  as a result of the authentication server determining that the second set of credentials are valid and authenticating the second computer system, allow the second computer system to access the directory.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The non-transitory computer-readable storage medium of claim 13, wherein the set of instructions further cause the computer system to:
    - obtain a request to enable multi-factor authentication for the directory, the request specifying a set of shared secret codes to be utilized to establish an encrypted communications channel with the authentication server;
      
      cause the authentication server to validate the set of shared secret codes in response to obtaining the second set of credentials to determine whether the encrypted communications channel can be established; and
      
      provide the set of shared secret codes to the authentication server.
  - 15. The non-transitory computer-readable storage medium of claim 13, wherein the second set of credentials includes a set of shared secret codes that, as a result of being used by the authentication server, cause the authentication server to authenticate the second computer system.
  - 16. The non-transitory computer-readable storage medium of claim 13, wherein:
    - the directory is managed and operated within the on-premises customer network;
      
      the first set of credentials includes a set of domain credentials; and
      
      the set of instructions further cause the computer system to use the set of domain credentials to establish an encrypted communications session with the on-premises customer network.
  - 17. The non-transitory computer-readable storage medium of claim 13, wherein the authentication server and the directory are operated and managed through the other computer system.
  - 18. The non-transitory computer-readable storage medium of claim 13, wherein the set of instructions further cause the computer system to provide an OAuth token to the second computer system to allow the second computer system to use the OAuth token to access the directory.
  - 19. The non-transitory computer-readable storage medium of claim 13, wherein the set of instructions further cause the computer system to, if the first set of credentials are invalid, deny the request after obtaining the second set of credentials and wait a particular period of time prior to denial of the request.
  - 20. The non-transitory computer-readable storage medium of claim 13, wherein the authentication server is a RADIUS server comprising a UDP port to allow transmission and receipt of one or more messages by the authentication server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Mehta, Gaurang Pankaj, Palande, Sameer, Aung, Lawrence Hun-Gi, Madakkagari, Raghavendra Reddy, Wang, Shuo, Paracha, Salman Aftab, Pandya, Chirag Pravin
Primary Examiner(s)
Giddins, Nelson S.

Application Number

US14/626,843
Time in Patent Office

1,804 Days
Field of Search
US Class Current
CPC Class Codes

H04L 2463/082   applying multi-factor authe...

H04L 63/08   for authentication of entit...

H04L 63/0838   using one-time-passwords

H04L 63/0892   by using authentication-aut...

Multi-factor authentication for managed directories

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Multi-factor authentication for managed directories

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links