INTEGRATED BIOMETRICS FOR APPLICATION SECURITY

US 20180351956A1
Filed: 05/31/2017
Published: 12/06/2018
Est. Priority Date: 05/31/2017
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

identifying an attempt to authenticate to a system resource using a particular device and particular credentials;

determining an identity of a user associated with the particular credentials;

determining, in association with the attempt to authenticate, a location associated with the particular device;

accessing sensor data generated by a set of sensors deployed in an environment, wherein at least some of the sensor data comprises biometric data;

using the sensor data to detect a location of the user;

determining a degree of proximity between the location associated with the particular device and the location of the user; and

triggering performance an authentication action corresponding to the attempt to authenticate based on the degree of proximity.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An attempt to authenticate to a system resource using a particular device and particular credentials is identified and an identity of a user associated with the particular credentials is determined. In association with the attempt to authenticate, a location associated with the particular device is determined and sensor data generated by a set of sensors deployed in an environment is accessed, at least some of the sensor data including biometric data. The sensor data is used to detect a location of the user, and a degree of proximity between the location associated with the particular device and the location of the user is determined. An authentication action is caused to be performed corresponding to the attempt to authenticate based on the degree of proximity.

Citations

20 Claims

1. A method comprising:
- identifying an attempt to authenticate to a system resource using a particular device and particular credentials;
  
  determining an identity of a user associated with the particular credentials;
  
  determining, in association with the attempt to authenticate, a location associated with the particular device;
  
  accessing sensor data generated by a set of sensors deployed in an environment, wherein at least some of the sensor data comprises biometric data;
  
  using the sensor data to detect a location of the user;
  
  determining a degree of proximity between the location associated with the particular device and the location of the user; and
  
  triggering performance an authentication action corresponding to the attempt to authenticate based on the degree of proximity.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, wherein determining the location of the user comprises detecting the user at the location based on the biometric data.
  - 3. The method of claim 2, wherein the set of sensors comprises a plurality of sensors and the location of the user is determined based on sensor data from the plurality of sensors.
  - 4. The method of claim 3, wherein the plurality of sensors comprises sensors of different types.
  - 5. The method of claim 4, wherein the plurality of sensors comprise two or more of a camera sensor, voice sensor, card reader, fingerprint reader, and motion detector.
  - 6. The method of claim 1, wherein determining the location of the device comprises:
    - determining an identifier of the device based on the attempt;
      
      accessing device data for the particular device; and
      
      determining from the device data that the particular device comprises a stationary workstation, wherein the location of the particular device is identified based on the device data.
  - 7. The method of claim 1, wherein the particular device comprises a mobile computing device and determining the location of the particular device comprises:
    - determining that the particular device is connected to a wireless network; and
      
      determining the location of the particular device based at least in part on identification of a location of a wireless access point used by the particular device to connect to the wireless network.
  - 8. The method of claim 7, further comprising:
    - tracking a change in location of the particular device;
      
      tracking location of the user; and
      
      determining whether the location of the user follows the change to the location of the particular device, wherein determining that the location of the user does not follow the change to the location of the particular device is to trigger a particular authentication action based on a security policy.
  - 9. The method of claim 1, further comprising:
    - determining a change in the location of the user;
      
      determining from the change in the location of the user that the user has departed from the particular device; and
      
      remotely causing access to the system resource by the particular device to be restricted automatically based on departure of the user.
  - 10. The method of claim 1, wherein the degree of proximity identifies whether the user is in one of a plurality of proximity zones corresponding to the particular device, a first one of the plurality of proximity zones corresponds to collocation of the user with the particular device, a second one of the plurality of proximity zones comprises a proximity zone outside the first proximity zone and corresponding to location of the user within a geographical space associated with the particular device, and different authentication actions are defined for detecting the user in each respective one of the first and second proximity zones.
  - 11. The method of claim 10, wherein the authentication action of the second proximity request comprises generating a challenge for completion by the user at the particular device as a requirement for authentication, and the authentication action of the first proximity zone comprises allowing access to the system resource by the particular device in response to the attempt without completion of the challenge.
  - 12. The method of claim 11, wherein the challenge comprises sending a one-time password to the user via another device associated with the user and presenting a prompt, on the particular device, for the one-time password as a prerequisite for accessing the system resource.
  - 13. The method of claim 10, wherein the plurality of proximity zones comprises a third proximity zone corresponding to a physical premises in which the particular device is located, the third proximity zone is outside both the first and second proximity zones, and the authentication action of the third proximity zone comprises denying access to the system resource.
  - 14. The method of claim 1, further comprising detecting, from the sensor data, another user in closer proximity to the particular device than the user, wherein the authentication action comprises denying access to the system resource and generating an alert for presentation to an administrator.
  - 15. The method of claim 14, further comprising:
    - identifying historical location data for the other user;
      
      determining that location of the other user near the particular device is an anomaly based on the historical location data, wherein the alert is further based on the anomaly.

16. A computer program product comprising a computer readable storage medium comprising computer readable program code embodied therewith, the computer readable program code comprising:
- computer readable program code configured to detect a location of a particular computing device within an environment;
  
  computer readable program code configured to define a plurality of proximity zones corresponding to the location of the particular computing device, wherein a first one of the plurality of proximity zones represents locations collocated with the location of the particular computing device and a second one of the plurality of proximity zones represents locations within a zone outside the first proximity zone;
  
  computer readable program code configured to detect an authentication attempt using a set of credentials associated with a particular user;
  
  computer readable program code configured to determine a location of the particular user from sensor data generated by a plurality of sensors in the environment, wherein the sensor data comprises biometric information;
  
  computer readable program code configured to determine that the location of the particular user is within one of the plurality of proximity zones;
  
  computer readable program code configured to determine a response to the authentication attempt based on the proximity zone containing the location of the particular user.

17. A system comprising:
- a processor apparatus;
  
  a memory element;
  
  a premise security manager, executable by the processor apparatus to;
  
  detect a location of a particular computing device within an environment;
  
  define a plurality of proximity zones corresponding to the location of the particular computing device, wherein a first one of the plurality of proximity zones represents locations collocated with the location of the particular computing device and a second one of the plurality of proximity zones represents locations within a zone outside the first proximity zone;
  
  detect an authentication attempt using a set of credentials associated with a particular user;
  
  determine a location of the particular user from sensor data generated by a plurality of sensors in the environment, wherein the sensor data comprises biometric information;
  
  determine that the location of the particular user is within one of the plurality of proximity zones;
  
  determine a response to the authentication attempt based on the proximity zone containing the location of the particular user.
- View Dependent Claims (18, 19, 20)
- - 18. The system of claim 17, further comprising the plurality of sensors, wherein the plurality of sensors comprise sensors of a plurality of different types, and the location of the particular user is determined based on the biometric information.
  - 19. The system of claim 17, further comprising a plurality of wireless access points, wherein the particular device comprises a mobile device and location of the particular device is based on a location of one of the plurality of wireless access points used by the particular device to access a network associated with the environment.
  - 20. The system of claim 17, wherein the system resource comprises a software service hosted remote from the particular device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Inventors
Verma, Vineet

Granted Patent

US 10,686,793 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0861   using biometrical features,...

H04L 63/102   Entity profiles

H04L 63/107   wherein the security polici...

H04W 12/06   Authentication

H04W 12/068   using credential vaults, e....

H04W 12/08   Access security

H04W 12/086   using security domains

H04W 12/64   using geofenced areas

INTEGRATED BIOMETRICS FOR APPLICATION SECURITY

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

INTEGRATED BIOMETRICS FOR APPLICATION SECURITY

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links