TECHNIQUES FOR FACILITATING SECURE, CREDENTIAL-FREE USER ACCESS TO RESOURCES

US 20160212113A1
Filed: 12/16/2015
Published: 07/21/2016
Est. Priority Date: 01/21/2015
Status: Active Grant

First Claim

Patent Images

1. A cloud-based credential management apparatus comprising:

one or more computer readable storage media; and

program instructions stored on the one or more computer readable storage media, wherein the program instructions, when executed by the one or more processors, direct the one or more processors to;

process a protected resource access request initiated by a resource access system to identify a user and a protected resource that the user is attempting to access;

identify a predetermined authentication policy associated with the protected resource;

generate a request for authentication information based on the authentication policy associated with the protected resource;

send the request for authentication information for delivery to a mobile device associated with the user;

process a response to the authentication request sent by the mobile device to determine that the authentication policy is satisfied; and

in response to determining that the policy is satisfied, generate a response to the protected resource access request including login credentials to access the protected resource.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are disclose herein for facilitating secure user access to resources without user-provided credentials. More specifically, the techniques described herein eliminate the need for end users to remember and provide privileged resource authentication information (e.g., credentials) at the time of resource access. The system accepts and securely stores registration information for accessing privileged resources during a registration process. As discussed herein, the registration information can include identification and authentication information for each privileged resource. The authentication process can also include registration of one or more secondary authentication devices that are used to verify the identity of the end user in lieu of the end user providing credentials.

49 Citations

View as Search Results

20 Claims

1. A cloud-based credential management apparatus comprising:
- one or more computer readable storage media; and
  
  program instructions stored on the one or more computer readable storage media, wherein the program instructions, when executed by the one or more processors, direct the one or more processors to;
  
  process a protected resource access request initiated by a resource access system to identify a user and a protected resource that the user is attempting to access;
  
  identify a predetermined authentication policy associated with the protected resource;
  
  generate a request for authentication information based on the authentication policy associated with the protected resource;
  
  send the request for authentication information for delivery to a mobile device associated with the user;
  
  process a response to the authentication request sent by the mobile device to determine that the authentication policy is satisfied; and
  
  in response to determining that the policy is satisfied, generate a response to the protected resource access request including login credentials to access the protected resource.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The cloud-based credential management apparatus of claim 1, wherein the protected resource access request is initiated by a browser extension of the resource access system and includes an identifier that uniquely identifies the user.
  - 3. The cloud-based credential management apparatus of claim 2, wherein the program instructions, when executed by the one or more processors, further direct the one or more processors to:
    - send the response to the protected resource access request for delivery to the browser extension of the resource access system.
  - 4. The cloud-based credential management apparatus of claim 2, wherein the login credentials comprise a username and password combination for accessing the protected resource.
  - 5. The cloud-based credential management apparatus of claim 1, wherein the protected resource access request is initiated by a shell executing on the resource access system and includes a modified SSH key that uniquely identifies the user.
  - 6. The cloud-based credential management apparatus of claim 5, wherein the program instructions, when executed by the one or more processors, further direct the one or more processors to:
    - establish a first secure session between the resource access system and the cloud-based credential management apparatus;
      
      send the response to the protected resource access request for delivery to the protected resource; and
      
      subsequently establish a second secure session between the cloud-based credential management apparatus and the protected resource; and
      
      join the first secure session and the second secure session to establish a secure communication link between the resource access system and the protected resource.
  - 7. The cloud-based credential management apparatus of claim 5, wherein the login credentials comprise an SSH key.
  - 8. The cloud-based credential management apparatus of claim 1, wherein the authentication policy includes a geofencing policy that is satisfied when the mobile device is located within a predetermined area.
  - 9. The cloud-based credential management apparatus of claim 8, wherein the requested authentication information includes a request for geolocation information including one or more of GPS information or Internet Protocol address information.
  - 10. The cloud-based credential management apparatus of claim 1, wherein the authentication policy includes a proximity policy that is satisfied when the mobile device is proximate to the resource access system.
  - 11. The cloud-based credential management apparatus of claim 10, wherein the requested authentication information includes an indication regarding the proximity between the mobile device and the resource access system, the a Bluetooth connection is indicative of the mobile device and the resource access system being sufficiently proximate to satisfy the proximity policy.
  - 12. The secure cloud-based credential management apparatus of claim 1, wherein the program instructions, when executed by the one or more processors, further direct the one or more processors to:
    - in response to determining that the policy is satisfied,accessing one or more decryption keys; and
      
      decrypting the login credentials for the user to access the protected resource using the one or more decryption keys.

13. A computer-readable storage medium having a browser extension for operating with a web browser on an electronic computing device stored thereon, the browser extension including program instructions, which when executed by the one or more processors of the electronic computing device, cause the electronic computing device to:
- detect an attempt initiated by a user of the electronic device to access a resource;
  
  determine that the resource is a protected resource;
  
  responsive to determining that the resource is a protected resource, generate a protected resource access request, wherein the protected resource access request identifies the user and the protected resource that the user is attempting to access;
  
  receive processing login credentials for accessing the resource; and
  
  populating a login form for the resource with the received login credentials without storing the login credentials.

14. The computer-readable storage medium 13, wherein the resource comprises a website and the resource access request comprises a request to access a URL associated with the website.

15. The computer-readable storage medium 13, wherein to determine that the resource is a protected resource, the electronic computing device looks up a hash value stored in the browser.

16. The computer-readable storage medium 15, wherein the hash value is periodically updated by an enterprise credential administrative system.

17. A method of operating a credential management system to provide a user with secure access to a resource without user-provided credentials, the method comprising:
- receiving a protected resource access request initiated by a resource access system to identify a user and a protected resource that the user is attempting to access;
  
  identifying a predetermined authentication policy associated with the protected resource;
  
  generating a request for authentication information for delivery to a mobile device associated with the user, wherein the requested authentication information is determined based on the authentication policy associated with the protected resource;
  
  receiving a response to the authentication request sent by the mobile device;
  
  determining if the authentication policy is satisfied, wherein the authentication policy comprises a progressive multi-factor authentication; and
  
  if the authentication policy is satisfied, generating a response to the protected resource access request including login credentials to access the protected resource.
- View Dependent Claims (18, 19, 20)
- - 18. The method of claim 17, further comprising:
    - determining a security score corresponding to the protected resource access request.
  - 19. The method of claim 17, wherein the authentication policy is determined based, at least in part, on a progressive multi-factor authentication is determined
  - 20. The method of claim 17, wherein the progressive multi-factor authentication includes two or more factors including:
    - geolocation information, device proximity information, biomarker information, password information, of device movement information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Delinea
Original Assignee
Onion ID, Inc. (Centrify Corporation)
Inventors
Banerjee, Anirban

Granted Patent

US 10,223,549 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/31   User authentication

G06F 21/6272   by registering files or doc...

H04L 63/06   for supporting key manageme...

H04L 63/083   using passwords cryptograph...

H04L 63/0853   using an additional device,...

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

H04W 12/06   Authentication

H04W 12/64   using geofenced areas

H04W 4/021   Services related to particu...

TECHNIQUES FOR FACILITATING SECURE, CREDENTIAL-FREE USER ACCESS TO RESOURCES

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

49 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

TECHNIQUES FOR FACILITATING SECURE, CREDENTIAL-FREE USER ACCESS TO RESOURCES

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

49 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links