Methods and apparatus for risk-based authentication between two servers on behalf of a user

US 10,592,978 B1
Filed: 06/29/2012
Issued: 03/17/2020
Est. Priority Date: 06/29/2012
Status: Active Grant

First Claim

Patent Images

1. A method for controlling access by a consumer to a service provider on behalf of a user, the method comprising the steps of:

obtaining by an authentication manager and gateway one or more rules from said user specifying one or more permissions of the consumer;

issuing an authentication request responsive to an initial access request from the consumer to access the service provider on behalf of the user in accordance with a server-to-server protocol;

providing an access token to the consumer upon approval from the user to grant access to the consumer on behalf of said user, wherein said access token authorizes the consumer to act on behalf of said user until said access token is revoked;

enabling said consumer to use said access token for initial access to the service provider on behalf of the user;

receiving, using at least one processing device of the authentication manager and gateway, a subsequent access request from the consumer with said access token to access the service provider on behalf of the user, wherein the subsequent access request is subsequent to said initial access to the service provider;

performing a risk analysis, using at least one processing device of the authentication manager and gateway, in response to receiving from said consumer said subsequent access request with said access token authorizing the consumer to act on behalf of said user when said access token has not been revoked, to improve security by detecting an anomalous access request by said authorized consumer, wherein said risk analysis (i) determines when the subsequent access request from said consumer to act on behalf of said user should be granted, and (ii) determines when said subsequent access request demonstrates anomalous behavior comprising one or more of abnormal, risky and atypical behavior relative to (a) prior transactions, stored in at least one memory, performed by said consumer on behalf of said user, and (b) said one or more rules, stored in said at least one memory, specified by said user who has granted access to the consumer on behalf of said user;

initiating an investigating by the user when the subsequent access request is denied by the authentication manager and gateway based upon said risk analysis; and

prompting said user, by the authentication manager and gateway, based on said risk analysis, to specify whether to allow said subsequent access request by said consumer when said subsequent access request is determined to demonstrate said anomalous behavior;

receiving an updating of the one or more rules by the user based upon the results of the user investigating when the subsequent access request was denied; and

validating the updated one or more rules by the authentication manager and gateway.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatus are provided for risk-based authentication between two servers on behalf of a user. A method is provided for controlling access by a consumer to a service provider on behalf of a user. An authentication request is issued responsive to an initial access request from the consumer to access the service provider on behalf of the user. An access token is provided to the consumer upon approval from the user to grant access to the consumer. Upon receiving a subsequent access request from the consumer with the access token to access the service provider on behalf of the user; a risk analysis is performed to determine if the subsequent access request should be granted. The risk analysis can determine if the subsequent access complies with one or more rules of the user. The user is optionally prompted to specify whether to allow the subsequent access request and/or future similar transactions.

Citations

20 Claims

1. A method for controlling access by a consumer to a service provider on behalf of a user, the method comprising the steps of:
- obtaining by an authentication manager and gateway one or more rules from said user specifying one or more permissions of the consumer;
  
  issuing an authentication request responsive to an initial access request from the consumer to access the service provider on behalf of the user in accordance with a server-to-server protocol;
  
  providing an access token to the consumer upon approval from the user to grant access to the consumer on behalf of said user, wherein said access token authorizes the consumer to act on behalf of said user until said access token is revoked;
  
  enabling said consumer to use said access token for initial access to the service provider on behalf of the user;
  
  receiving, using at least one processing device of the authentication manager and gateway, a subsequent access request from the consumer with said access token to access the service provider on behalf of the user, wherein the subsequent access request is subsequent to said initial access to the service provider;
  
  performing a risk analysis, using at least one processing device of the authentication manager and gateway, in response to receiving from said consumer said subsequent access request with said access token authorizing the consumer to act on behalf of said user when said access token has not been revoked, to improve security by detecting an anomalous access request by said authorized consumer, wherein said risk analysis (i) determines when the subsequent access request from said consumer to act on behalf of said user should be granted, and (ii) determines when said subsequent access request demonstrates anomalous behavior comprising one or more of abnormal, risky and atypical behavior relative to (a) prior transactions, stored in at least one memory, performed by said consumer on behalf of said user, and (b) said one or more rules, stored in said at least one memory, specified by said user who has granted access to the consumer on behalf of said user;
  
  initiating an investigating by the user when the subsequent access request is denied by the authentication manager and gateway based upon said risk analysis; and
  
  prompting said user, by the authentication manager and gateway, based on said risk analysis, to specify whether to allow said subsequent access request by said consumer when said subsequent access request is determined to demonstrate said anomalous behavior;
  
  receiving an updating of the one or more rules by the user based upon the results of the user investigating when the subsequent access request was denied; and
  
  validating the updated one or more rules by the authentication manager and gateway.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein said risk analysis determines if said subsequent access request complies with said one or more rules from said user.
  - 3. The method of claim 1, further comprising the step of prompting said user to specify whether to allow future transactions that are similar to said subsequent access request.
  - 4. The method of claim 1, wherein the service provider comprises one or more of an application, web site or hardware device.
  - 5. The method of claim 1, wherein the authentication request comprises a request for at least a portion of at least one password or other authentication credential associated with the user.
  - 6. The method of claim 1, further comprising the step of learning typical access patterns of said consumer.
  - 7. The method of claim 1, wherein said one or more rules from said user specifying said one or more permissions of the consumer comprise permissions of the consumer to act on behalf of said user.

8. An apparatus for controlling access by a consumer to a service provider on behalf of a user, the apparatus comprising:
- a memory; and
  
  at least one processing device, coupled to the memory, operative to implement the following steps;
  
  obtaining by an authentication manager and gateway one or more rules from said user specifying one or more permissions of the consumer;
  
  issuing an authentication request responsive to an initial access request from the consumer to access the service provider on behalf of the user in accordance with a server-to-server protocol;
  
  providing an access token to the consumer upon approval from the user to grant access to the consumer on behalf of said user, wherein said access token authorizes the consumer to act on behalf of said user until said access token is revoked;
  
  enabling said consumer to use said access token for initial access to the service provider on behalf of the user;
  
  receiving, using at least one processing device of the authentication manager and gateway, a subsequent access request from the consumer with said access token to access the service provider on behalf of the user, wherein the subsequent access request is subsequent to said initial access to the service provider;
  
  performing a risk analysis, using at least one processing device of the authentication manager and gateway, in response to receiving from said consumer said subsequent access request with said access token authorizing the consumer to act on behalf of said user when said access token has not been revoked, to improve security by detecting an anomalous access request by said authorized consumer, wherein said risk analysis (i) determines when the subsequent access request from said consumer to act on behalf of said user should be granted, and (ii) determines when said subsequent access request demonstrates anomalous behavior comprising one or more of abnormal, risky and atypical behavior relative to (a) prior transactions, stored in at least one memory, performed by said consumer on behalf of said user, and (b) said one or more rules, stored in said at least one memory, specified by said user who has granted access to the consumer on behalf of said user;
  
  initiating an investigating by the user when the subsequent access request is denied by the authentication manager and gateway based upon said risk analysis; and
  
  prompting said user, by the authentication manager and gateway, based on said risk analysis, to specify whether to allow said subsequent access request by said consumer when said subsequent access request is determined to demonstrate said anomalous behavior;
  
  receiving an updating of the one or more rules by the user based upon the results of the user investigating when the subsequent access request was denied; and
  
  validating the updated one or more rules by the authentication manager and gateway.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The apparatus of claim 8, wherein said risk analysis determines if said subsequent access request complies with said one or more rules from said user.
  - 10. The apparatus of claim 8, wherein said at least one processing device is further configured to prompt said user to specify whether to allow future transactions that are similar to said subsequent access request.
  - 11. The apparatus of claim 8, wherein the service provider comprises one or more of an application, web site or hardware device.
  - 12. The apparatus of claim 8, wherein the authentication request comprises a request for at least a portion of at least one password or other authentication credential associated with the user.
  - 13. The apparatus of claim 8, wherein said one or more rules from said user specifying said one or more permissions of the consumer comprise permissions of the consumer to act on behalf of said user.

14. An article of manufacture for controlling access by a consumer to a service provider on behalf of a user, comprising a non-transitory machine readable recordable medium containing one or more programs which when executed implement the steps of:
- obtaining by an authentication manager and gateway one or more rules from said user specifying one or more permissions of the consumer;
  
  issuing an authentication request responsive to an initial access request from the consumer to access the service provider on behalf of the user in accordance with a server-to-server protocol;
  
  providing an access token to the consumer upon approval from the user to grant access to the consumer on behalf of said user, wherein said access token authorizes the consumer to act on behalf of said user until said access token is revoked;
  
  enabling said consumer to use said access token for initial access to the service provider on behalf of the user;
  
  receiving, using at least one processing device of the authentication manager and gateway a subsequent access request from the consumer with said access token to access the service provider on behalf of the user, wherein the subsequent access request is subsequent to said initial access to the service provider;
  
  performing a risk analysis, using at least one processing device of the authentication manager and gateway, in response to receiving from said consumer said subsequent access request with said access token authorizing the consumer to act on behalf of said user when said access token has not been revoked, to improve security by detecting an anomalous access request by said authorized consumer, wherein said risk analysis (i) determines when the subsequent access request from said consumer to act on behalf of said user should be granted, and (ii) determines when said subsequent access request demonstrates anomalous behavior comprising one or more of abnormal, risky and atypical behavior relative to (a) prior transactions, stored in at least one memory, performed by said consumer on behalf of said user, and (b) said one or more rules, stored in said at least one memory, specified by said user who has granted access to the consumer on behalf of said user;
  
  initiating an investigating by the user when the subsequent access request is denied by the authentication manager and gateway based upon said risk analysis; and
  
  prompting said user, by the authentication manager and gateway, based on said risk analysis, to specify whether to allow said subsequent access request by said consumer when said subsequent access request is determined to demonstrate said anomalous behavior;
  
  receiving an updating of the one or more rules by the user based upon the results of the user investigating when the subsequent access request was denied; and
  
  validating the updated one or more rules by the authentication manager and gateway.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The article of manufacture of claim 14, wherein said risk analysis determines if said subsequent access request complies with said one or more rules from said user.
  - 16. The article of manufacture of claim 14, wherein the service provider comprises one or more of an application, web site or hardware device.
  - 17. The article of manufacture of claim 14, wherein the authentication request comprises a request for at least a portion of at least one password or other authentication credential associated with the user.
  - 18. The article of manufacture of claim 14, further comprising the step of prompting said user to specify whether to allow future transactions that are similar to said subsequent access request.
  - 19. The article of manufacture of claim 14, further comprising the step of learning typical access patterns of said consumer.
  - 20. The article of manufacture of claim 14, wherein said one or more rules from said user specifying said one or more permissions of the consumer comprise permissions of the consumer to act on behalf of said user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Inventors
Vaystikh, Alex, Kaufman, Alon, Villa, Yael
Primary Examiner(s)
Lynch, Sharon S

Application Number

US13/537,525
Time in Patent Office

2,818 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/31   User authentication

G06F 21/44   Program or device authentic...

G06F 21/50   Monitoring users, programs ...

G06Q 40/00   Finance; Insurance; Tax str...

Methods and apparatus for risk-based authentication between two servers on behalf of a user

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and apparatus for risk-based authentication between two servers on behalf of a user

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links