Methods and systems for multifactor authentication

US 20070234408A1
Filed: 03/31/2006
Published: 10/04/2007
Est. Priority Date: 03/31/2006
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

intercepting an attempt by a first principal to access a second principal;

determining whether authentication credentials are available for authenticating the first principal, where the authentication credentials are defined by a policy;

passing select ones of the authentication credentials to the second principal giving access to the first principal if the authentication credentials are available, and wherein the second principal expects the select ones of the authentication credentials for access; and

redirecting the first principal to an identity service if the authentication credentials are unavailable.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In various embodiments of the invention, techniques are presented for providing multifactor authentication. A first set of credentials are received, which are associated with a first principal, and at least one identifier also associated with the first principal is obtained from a second principal. Next, the first principal'"'"'s knowledge of the at least one identifier is verified and an authentication credential is generated for the first principal. The authentication credential permits the first principal to access the second principal.

205 Citations

26 Claims

1. A method comprising:
- intercepting an attempt by a first principal to access a second principal;
  
  determining whether authentication credentials are available for authenticating the first principal, where the authentication credentials are defined by a policy;
  
  passing select ones of the authentication credentials to the second principal giving access to the first principal if the authentication credentials are available, and wherein the second principal expects the select ones of the authentication credentials for access; and
  
  redirecting the first principal to an identity service if the authentication credentials are unavailable.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1 further comprising, acquiring the authentication credentials from the identity service in response to the redirection.
  - 3. The method of claim 2, wherein acquiring further includes obtaining the authentication credentials via a secure communications link.
  - 4. The method of claim 2 further comprising, caching the authentication credentials if available or if subsequently supplied by the identity service.
  - 5. The method of claim 2, further comprising:
    - accessing the policy associated with the second principal; and
      
      determining, in accordance with the policy, the select authentication credentials to acquire from the identity service, if the authentication credentials are unavailable.
  - 6. The method of claim 1, wherein redirecting to an identity service further includes an intermediate redirection to a service provider.
  - 7. The method of claim 6 further comprising, acquiring the authentication credentials and the select authentication credentials from the service provider in response to the redirection.

8. A method, comprising:
- receiving credentials associated with a first principal;
  
  obtaining at least one identifier associated with the first principal from a second principal using at least one of the credentials and in response to a policy;
  
  verifying the at least one identifier with the first principal; and
  
  generating an authentication credential for the first principal, granting it access to the second principal in response to verifying.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method of claim 8 further comprising, receiving an authentication request from the first principal for access to the second principal.
  - 10. The method of claim 9 further comprising, redirecting the first principal to the second principal.
  - 11. The method of claim 10 further comprising, communicating with one or more front-end services of the second principal over a secure communications link.
  - 12. The method of claim 11 further comprising:
    - receiving a request associated with a second principal for a credential for authenticating the first principal;
      
      generating the credential for the second principal; and
      
      providing the credential.
  - 13. The method of claim 8, wherein obtaining further includes obtaining the at least one identifier from the second principal via an interface associated with the second principal and by posing as the first principal using the credentials to gain access to the second principal.
  - 14. The method of claim 8 further comprising:
    - accessing the policy associated with the second principal; and
      
      determining, in accordance with the policy, the at least one identifier to be requested from the second principal.

15. A system, comprising:
- an identity service, wherein the identity service is to be in communication with a first and second principal, wherein at least one credential is to be received from the first principal, and at least one identifier associated with the first principal is to be obtained from the second principal using the at least one credential, and wherein, if the first principal verifies the at least one identifier via the identity service, an authentication credential is to be generated by the identity service for the first principal, the authentication credential is to be subsequently used by the first principal to gain access to the second principal, and wherein the at least one identifier is identified by the identity service pursuant to a policy.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The system of claim 15, wherein the identity service is to receive an authentication request from the first principal.
  - 17. The system of claim 16, wherein the authentication request is to be received by the identity service from a front-end service that first receives the authentication request from the first principal.
  - 18. The system of claim 15, wherein the identity service is to respond to a request for the authentication credential.
  - 19. The system of claim 18, wherein the authentication credential is to be provided via a secure communication'"'"'s link.
  - 20. The system of claim 15, wherein the at least one identifier is obtained from the second principal via a user interface provided by the second principal.

21. A system, comprising:
- a front-end service to a legacy service interposed between a requesting principal and a target principal, wherein requests from the requesting principal are directed to the target principal and are to be passed through the front-end service, and wherein the front-end service is to detect an authentication request from the target principal in response to the pass though and the front-end service is to determine whether an authentication credential associated with the requesting principal is available and if it is, the front-end service is to respond by forwarding select credentials to the target principal, and wherein if the authentication credential is unavailable the front-end service is to engage one or more third party services to obtain the authentication credential on behalf of the front-end service via interactions between the one or more third party services and the requesting principal and the target principal, and wherein information used to produce the authentication principal is defined by a policy.
- View Dependent Claims (22, 23, 24, 25, 26)
- - 22. The system of claim 21, wherein the authentication credential, if available, is to be originally obtained by the one or more third party services from the target principal on behalf of the requesting principal.
  - 23. The system of claim 22, wherein the authentication credential is retrieved via a secure communication'"'"'s link between the front-end service and the one or more third party services.
  - 24. The system of claim 22, wherein the front-end service is to cache the authentication credential for future use and interaction with the requesting principal.
  - 25. The system of claim 24, wherein the front-end service is to clear the authentication credential associated with the requesting principal responsive to termination of a session between the requesting principal and the target principal.
  - 26. The system of claim 21, wherein a policy associated with the target principal is to be accessed and, in accordance with the policy, identifying information that is to be verified by the one or more third party services via the requesting principal is communicated from the front-end service to the one or more third party services, and if such identifying information is validated the one or more third party services are to supply the authentication credential to the front-end service on behalf of the requesting principal.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Novell Incorporated (Open Text Corporation)
Inventors
Carter, Stephen, Burch, Lloyd

Granted Patent

US 7,739,744 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/6
CPC Class Codes

G06F 21/31   User authentication

G06F 2221/2115   Third party

H04L 63/0281   Proxies

H04L 63/08   for authentication of entit...

H04L 63/0815   providing single-sign-on or...

H04L 63/20   for managing network securi...

Methods and systems for multifactor authentication

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

205 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and systems for multifactor authentication

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

205 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links