Federating Devices to Improve User Experience with Adaptive Security

US 20170126662A1
Filed: 11/02/2015
Published: 05/04/2017
Est. Priority Date: 11/02/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for performing an adaptive security operation comprising:

performing an authentication operation via a first device, the authentication operation analyzing an obligation performed by a first user;

establishing access to a protected resource by the first device based upon the obligation performed by the first user;

generating an attribute list comprising at least one attribute of the first device;

analyzing a second device to determine whether the second device comprises an attribute corresponding to the at least one attribute of the first device; and

,allowing access to the protected resource by the second device when the second device comprises the attribute corresponding to the at least one attribute of the first device.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, system and computer-usable medium for performing an adaptive security operation comprising: performing an authentication operation via a first device, the authentication operation analyzing an obligation performed by a first user; establishing access to a protected resource by the first device based upon the obligation performed by the first user; generating an attribute list comprising at least one attribute of the first device; analyzing a second device to determine whether the second device comprises an attribute corresponding to the at least one attribute of the first device; and, allowing access to the protected resource by the second device when the second device comprises the attribute corresponding to the at least one attribute of the first device.

31 Citations

View as Search Results

20 Claims

1. A computer-implemented method for performing an adaptive security operation comprising:
- performing an authentication operation via a first device, the authentication operation analyzing an obligation performed by a first user;
  
  establishing access to a protected resource by the first device based upon the obligation performed by the first user;
  
  generating an attribute list comprising at least one attribute of the first device;
  
  analyzing a second device to determine whether the second device comprises an attribute corresponding to the at least one attribute of the first device; and
  
  ,allowing access to the protected resource by the second device when the second device comprises the attribute corresponding to the at least one attribute of the first device.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, further comprising:
    - requiring a second factor authentication before allowing the second device access to the protected resource when the second device does not comprise the attribute corresponding to the at least one attribute of the first device.
  - 3. The method of claim 1, further comprising:
    - receiving a request for access to the protected resource from the first user via a third device;
      
      determining whether the first and third devices are associated with the first user; and
      
      ,allowing access to the protected resource by the third device when the third device is associated with the first user.
  - 4. The method of claim 1, wherein:
    - the second device is associated with a second user; and
      
      further comprising determining whether the first device and second device correspond to a federation; and
      
      ,allowing the second user access to the protected resource when the first device and the second device correspond to the federation.
  - 5. The method of claim 4, wherein:
    - the first user and the second user are included within a set of users, each of the set of users having a respective one of a first set of devices; and
      
      further comprising;
      
      performing an authentication process is performed one a first set of users each using a respective one of the first set of devices for a protected resource, wherein the authentication process determines whether a first factor is present;
      
      receiving a request for access to the protected resource from a subset of the first set of users in a new user context;
      
      evaluating the new user context according a security policy based upon the first factor;
      
      requesting a subset of the set of users to input a second factor authentication via respective devices of the first set of devices; and
      
      once a subset of users passes a threshold, allowing access to the network resource to other users belonging to the first set of users without requiring input of the second factor authentication.
  - 6. The method of claim 1, wherein:
    - the list of attributes reflects a user context; and
      
      ,the user context includes at least one of an internet protocol (IP) subnet address and geographic location.

7. A system comprising:
- a processor;
  
  a data bus coupled to the processor; and
  
  a computer-usable medium embodying computer program code, the computer-usable medium being coupled to the data bus, the computer program code used for performing an adaptive security operation and comprising instructions executable by the processor and configured for;
  
  performing an authentication operation via a first device, the authentication operation analyzing an obligation performed by a first user;
  
  establishing access to a protected resource by the first device based upon the obligation performed by the first user;
  
  generating an attribute list comprising at least one attribute of the first device;
  
  analyzing a second device to determine whether the second device comprises an attribute corresponding to the at least one attribute of the first device; and
  
  ,allowing access to the protected resource by the second device when the second device comprises the attribute corresponding to the at least one attribute of the first device.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The system of claim 7, wherein the instructions executable by the processor are further configured for:
    - requiring a second factor authentication before allowing the second device access to the protected resource when the second device does not comprise the attribute corresponding to the at least one attribute of the first device.
  - 9. The system of claim 7, wherein the instructions executable by the processor are further configured for:
    - receiving a request for access to the protected resource from the first user via a third device;
      
      determining whether the first and third devices are associated with the first user; and
      
      ,allowing access to the protected resource by the third device when the third device is associated with the first user.
  - 10. The system of claim 7, wherein:
    - the second device is associated with a second user; and
      
      the instructions executable by the processor are further configured for;
      
      determining whether the first device and second device correspond to a federation; and
      
      ,allowing the second user access to the protected resource when the first device and the second device correspond to the federation.
  - 11. The system of claim 10, wherein:
    - the first user and the second user are included within a set of users, each of the set of users having a respective one of a first set of devices; and
      
      the instructions executable by the processor are further configured for;
      
      performing an authentication process is performed one a first set of users each using a respective one of the first set of devices for a protected resource, wherein the authentication process determines whether a first factor is present;
      
      receiving a request for access to the protected resource from a subset of the first set of users in a new user context;
      
      evaluating the new user context according a security policy based upon the first factor;
      
      requesting a subset of the set of users to input a second factor authentication via respective devices of the first set of devices; and
      
      once a subset of users passes a threshold, allowing access to the network resource to other users belonging to the first set of users without requiring input of the second factor authentication.
  - 12. The system of claim 7, wherein:
    - the list of attributes reflects a user context; and
      
      ,the user context includes at least one of an internet protocol (IP) subnet address and geographic location.

13. A non-transitory, computer-readable storage medium embodying computer program code, the computer program code comprising computer executable instructions configured for:
- performing an authentication operation via a first device, the authentication operation analyzing an obligation performed by a first user;
  
  establishing access to a protected resource by the first device based upon the obligation performed by the first user;
  
  generating an attribute list comprising at least one attribute of the first device;
  
  analyzing a second device to determine whether the second device comprises an attribute corresponding to the at least one attribute of the first device; and
  
  ,allowing access to the protected resource by the second device when the second device comprises the attribute corresponding to the at least one attribute of the first device.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The non-transitory, computer-readable storage medium of claim 13, wherein the computer executable instructions are further configured for:
    - requiring a second factor authentication before allowing the second device access to the protected resource when the second device does not comprise the attribute corresponding to the at least one attribute of the first device.
  - 15. The non-transitory, computer-readable storage medium of claim 13, wherein the computer executable instructions are further configured for:
    - receiving a request for access to the protected resource from the first user via a third device;
      
      determining whether the first and third devices are associated with the first user; and
      
      ,allowing access to the protected resource by the third device when the third device is associated with the first user.
  - 16. The non-transitory, computer-readable storage medium of claim 13, wherein:
    - the second device is associated with a second user; and
      
      determining whether the first device and second device correspond to a federation; and
      
      ,allowing the second user access to the protected resource when the first device and the second device correspond to the federation.
  - 17. The non-transitory, computer-readable storage medium of claim 16, wherein:
    - the first user and the second user are included within a set of users, each of the set of users having a respective one of a first set of devices; and
      
      the computer executable instructions are further configured for;
      
      performing an authentication process is performed one a first set of users each using a respective one of the first set of devices for a protected resource, wherein the authentication process determines whether a first factor is present;
      
      receiving a request for access to the protected resource from a subset of the first set of users in a new user context;
      
      evaluating the new user context according a security policy based upon the first factor;
      
      requesting a subset of the set of users to input a second factor authentication via respective devices of the first set of devices; and
      
      once a subset of users passes a threshold, allowing access to the network resource to other users belonging to the first set of users without requiring input of the second factor authentication.
  - 18. The non-transitory, computer-readable storage medium of claim 13, wherein:
    - the list of attributes reflects a user context; and
      
      ,the user context includes at least one of an internet protocol (IP) subnet address and geographic location.
  - 19. The non-transitory, computer-readable storage medium of claim 13, wherein the computer executable instructions are deployable to a client system from a server system at a remote location.
  - 20. The non-transitory, computer-readable storage medium of claim 13, wherein the computer executable instructions are provided by a service provider to a user on an on-demand basis.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Wardrop, Patrick R., Sreedhar, Pranam C.

Granted Patent

US 10,681,031 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

H04L 2463/082   applying multi-factor authe...

H04L 63/0815   providing single-sign-on or...

H04L 63/104   Grouping of entities

H04L 63/107   wherein the security polici...

Federating Devices to Improve User Experience with Adaptive Security

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

31 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Federating Devices to Improve User Experience with Adaptive Security

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

31 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links