TRUSTED DEVICE-SPECIFIC AUTHENTICATION

US 20110247055A1
Filed: 06/17/2011
Published: 10/06/2011
Est. Priority Date: 06/02/2008
Status: Active Grant

First Claim

Patent Images

1. A method of performing multiple-factor authentication of a user within an account network, the method comprising:

associating a user identifier of user credentials of the user with a device identifier of device credentials employed by the user to access the account network to represent a trust relationship between the user and the device;

evaluating the user credentials and the device credentials to generate verification results; and

providing evidence of identity of the user based on the verification results of both the user credentials and the device credentials to grant a level of privilege, the level of privilege being dependent upon whether the evidence of identity indicates successful verification of the device credentials.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An authentication system combines device credential verification with user credential verification to provide a more robust authentication mechanism that is convenient to the user and effective across enterprise boundaries. In one implementation, user credential verification and device credential verification are combined to provide a convenient two-factor authentication. In this manner, an account authority service or other authentication provider verify both factors and provide a security token in accordance with the security policy of the account network resource the user is intending to access. The level of privilege granted by the target account network resource can vary depending on the number and type of factors verified by the account authority service.

Citations

20 Claims

1. A method of performing multiple-factor authentication of a user within an account network, the method comprising:
- associating a user identifier of user credentials of the user with a device identifier of device credentials employed by the user to access the account network to represent a trust relationship between the user and the device;
  
  evaluating the user credentials and the device credentials to generate verification results; and
  
  providing evidence of identity of the user based on the verification results of both the user credentials and the device credentials to grant a level of privilege, the level of privilege being dependent upon whether the evidence of identity indicates successful verification of the device credentials.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1 wherein the evidence of identity of the user includes both the user identifier and the device identifier.
  - 3. The method of claim 1 wherein the associating operation comprises:
    - associatively recording the user identifier and the device identifier in an account of the user within the account network.
  - 4. The method of claim 1 wherein the associating operation comprises:
    - recording the user identifier and the device identifier and at least one other device identifier, the recording operation designating devices identified by the device identifier and the at least one other device identifier as trusted devices of the user.
  - 5. The method of claim 1 wherein the providing operation comprises:
    - generating a security token as the evidence of identity of the user, wherein the security token includes both the user identifier and the device identifier.
  - 6. The method of claim 1 wherein the providing operation comprises:
    - generating a security token as the evidence of identity of the user, wherein the security token includes a programming interface allowing a recipient of the security token to access both the user identifier and the device identifier from the security token.
  - 7. The method of claim 1 further comprising:
    - disassociating the user identifier from the device identifier, after the associating operation, to remove the device as a trusted device of the user.
  - 8. The method of claim 1 wherein the providing operation provides the evidence of identity only upon successful verification of both the user credentials and the device credentials, and further comprising:
    - withholding the evidence of identity of the user if verification of both the user credentials and the device credentials is unsuccessful.
  - 9. The method of claim 1 wherein the providing operation provides the evidence of identity only upon successful verification of both the user credentials and the device credentials, and further comprising:
    - blocking an attempt by the user to change the user credentials and the device credentials if the user credentials are successfully verified but the device credentials are not successfully verified.
  - 10. The method of claim 1 wherein the providing operation provides the evidence of identity only upon successful verification of both the user credentials and the device credentials, and further comprising:
    - notifying the user of an attempt to authenticate using the user credentials resulted in successful verification of the user credentials but not successful authentication of the device credentials.
  - 11. The method of claim 1 wherein the level of privilege granted by the account network resource in response to receipt of the evidence of identity indicating successful verification of the device credentials is higher than the level of privilege granted by the account network resource in response to receipt of the evidence of identity indicating unsuccessful verification of the device credentials.

12. One or more computer-readable storage media having computer-executable instructions for performing a computer process that performs multiple-factor authentication of a user within an account network, the computer process comprising:
- associating a user identifier of user credentials of the user with a device identifier of device credentials employed by the user to access the account network to represent a trust relationship between the user and the device;
  
  evaluating the user credentials and the device credentials to generate verification results; and
  
  providing evidence of identity of the user based on the verification results of both the user credentials and the device credentials to grant a level of privilege, the level of privilege being dependent upon whether the evidence of identity indicates successful verification of the device credentials.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The one or more computer-readable storage media of claim 12 wherein the evidence of identity of the user includes both the user identifier and the device identifier.
  - 14. The one or more computer-readable storage media of claim 12 wherein the associating operation comprises:
    - recording the user identifier and the device identifier and at least one other device identifier, the recording operation designating devices identified by the device identifier and the at least one other device identifier as trusted devices of the user.
  - 15. The one or more computer-readable storage media of claim 12 wherein the providing operation comprises:
    - generating a security token as the evidence of identity of the user, wherein the security token includes both the user identifier and the device identifier.
  - 16. The one or more computer-readable storage media of claim 12 wherein the providing operation comprises:
    - generating a security token as the evidence of identity of the user, wherein the security token includes a programming interface allowing a recipient of the security token to access both the user identifier and the device identifier from the security token.
  - 17. The one or more computer-readable storage media of claim 12 wherein the level of privilege granted by an account network resource in response to receipt of the evidence of identity indicating successful verification of the device credentials is higher than the level of privilege granted by an account network resource in response to receipt of the evidence of identity indicating unsuccessful verification of the device credentials.

18. A method of authorizing a user with a level of privilege for accessing an account network resource, the method comprising:
- receiving evidence of identity from a device through which the user is attempting to access the account network resource;
  
  interrogating the evidence of identity to determine whether the evidence of identity indicates successful verification of both user credentials of the user and device credentials of the device by an authentication provider trusted by the account network resource;
  
  granting a first level of privilege if the evidence of identity indicates successful verification of both the user credentials of the user and the device credentials of the device by the authentication provider; and
  
  granting a second level of privilege if the evidence of identity indicates unsuccessful verification of either the user credentials of the user or the device credentials of the device by the authentication provider.
- View Dependent Claims (19, 20)
- - 19. The method of claim 18 wherein the first level of privilege is higher than the second level of privilege.
  - 20. The method of claim 18 wherein the evidence of identity includes a security token providing a programming interface through which the account network resource can access a user identifier of the user credentials and a device identifier of the device credentials.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Guo, Wei-Qiang Michael, Rouskov, Yordan, Chen, Rui, Wong, Pui-Yin Winfred

Granted Patent

US 8,800,003 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/4
CPC Class Codes

G06F 21/31   User authentication

G06F 21/32   using biometric data, e.g. ...

G06F 21/34   involving the use of extern...

H04L 2209/56   Financial cryptography, e.g...

H04L 63/0823   using certificates cryptogr...

H04L 63/0876   based on the identity of th...

H04L 63/105   Multiple levels of security

H04L 9/3234   involving additional secure...

H04L 9/3263   involving certificates, e.g...

TRUSTED DEVICE-SPECIFIC AUTHENTICATION

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

TRUSTED DEVICE-SPECIFIC AUTHENTICATION

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links