Granular authorization for network user sessions

US 7,076,797 B2
Filed: 10/05/2001
Issued: 07/11/2006
Est. Priority Date: 10/05/2001
Status: Expired due to Fees

First Claim

Patent Images

1. In a computing device including a security module that grants a user session access to network resources based on dynamic combinations of security characteristics associated with a user session, a method for granting dynamic mobile user session access to network resources depending on one or more authentication methods and the security of one or more devices associated with the mobile user session so as to grant dynamic access that corresponds to the trustworthiness of the associated authentication methods and devices, the method comprising:

an act of accessing one or more security characteristics of one or more authentication methods for a user device that is associated with the mobile user session, the one or more security characteristics accounting for security differences in different authentication methods, different users devices, or both, in that different security characteristics correspond to different levels of trustworthiness;

an act of generating an authentication bundle representative of access to network resources by synthesizing the one or more accessed security characteristics, wherein the authentication bundle is used to grant the mobile user session one of a plurality of access levels to network resources, the granted level of access corresponding to a level of trustworthiness identified by the one or more accessed security characteristics synthesized in the authentication bundle, but wherein the mobile user session is granted a dynamically variable level of access; and

in response to detecting a change in a security characteristic that reduces security of the device or the mobile user session, dynamically reducing the granted level of access to a level of access which is less than the maximium level of access associated with the user.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Providing access to a mobile user session in a manner that more closely corresponds access to network resources to the trustworthiness of authentication methods and devices associated with the mobile user session. Characteristics of authentication methods associated with a mobile user session are synthesized to generate an authentication bundle. Characteristics may include data associated with passwords, biometric data or devices used to execute an authentication method. By synthesizing characteristics in varied manners, a non-binary sliding scale of access to network resources may be generated. An authentication bundle may be accessed to grant a mobile user session appropriate access to network resources. Granting access may include generating an authorization token that is passed to a filter or reverse proxy. Access to network resources may be dynamically modified as authentication methods associated with a mobile user session change.

181 Citations

View as Search Results

47 Claims

1. In a computing device including a security module that grants a user session access to network resources based on dynamic combinations of security characteristics associated with a user session, a method for granting dynamic mobile user session access to network resources depending on one or more authentication methods and the security of one or more devices associated with the mobile user session so as to grant dynamic access that corresponds to the trustworthiness of the associated authentication methods and devices, the method comprising:
- an act of accessing one or more security characteristics of one or more authentication methods for a user device that is associated with the mobile user session, the one or more security characteristics accounting for security differences in different authentication methods, different users devices, or both, in that different security characteristics correspond to different levels of trustworthiness;
  
  an act of generating an authentication bundle representative of access to network resources by synthesizing the one or more accessed security characteristics, wherein the authentication bundle is used to grant the mobile user session one of a plurality of access levels to network resources, the granted level of access corresponding to a level of trustworthiness identified by the one or more accessed security characteristics synthesized in the authentication bundle, but wherein the mobile user session is granted a dynamically variable level of access; and
  
  in response to detecting a change in a security characteristic that reduces security of the device or the mobile user session, dynamically reducing the granted level of access to a level of access which is less than the maximium level of access associated with the user.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 39, 40, 43, 44, 45, 46, 47)
- - 2. The method as recited in claim 1, wherein accessing one or more security characteristics of one or more authentication methods associated with the mobile user session comprises the following:
    - an act of accessing characteristics of one or more authentication methods representative of the mobile user session.
  - 3. The method as recited in claim 1, wherein accessing one or more security characteristics of one or more authentication methods associated with the mobile user session comprises the following:
    - an act of accessing characteristics of a device associated with one or more of the authentication methods.
  - 4. The method as recited in claim 3, wherein accessing characteristics of a device associated with one or more authentication methods comprises the following:
    - an act of accessing characteristics of a telephone associated with one or more of the authentication methods.
  - 5. The method as recited in claim 3, wherein accessing characteristics of a device associated with one or more authentication methods comprises the following:
    - an act of accessing characteristics of an unknown device associated with one or more of the authentication methods.
  - 6. The method as recited in claim 3, wherein accessing characteristics representative of a device associated with one or more authentication methods comprises the following:
    - an act of accessing characteristics of an known device associated with one or more of the authentication methods.
  - 7. The method as recited in claim 6, wherein accessing characteristics of a known device associated with one or more of the authentication methods comprises the following:
    - an act of accessing caller line identification data associated with a device.
  - 8. The method as recited in claim 3, wherein accessing characteristics of a device associated with one or more authentication methods comprises the following:
    - an act of accessing characteristics of a secure device associated with one or more of the authentication methods.
  - 9. The method as recited in claim 3, wherein accessing characteristics of a device associated with one or more of the authentication methods comprises the following:
    - an act of accessing characteristics of a computing device associated with one or more of the authentication methods.
  - 10. The method as recited in claim 9, wherein accessing characteristics of a computing device associated with one or more of the authentication methods comprises the following:
    - an act of accessing characteristics a personal computer associated with one or more of the authentication methods.
  - 11. The method as recited in claim 9, wherein accessing characteristics of a computing device associated with one or more of the authentication methods comprises the following:
    - an act of accessing characteristics of a mobile computing device associated with one or more of the authentication methods.
  - 12. The method as recited in claim 11, wherein accessing characteristics of a mobile computing device associated with one or more of the authentication methods comprises the following:
    - an act of accessing characteristics of a mobile telephone associated with one or more of the authentication methods.
  - 13. The method as recited in claim 11, wherein accessing characteristics of a mobile computing device associated with one or more of the authentication methods comprises the following:
    - an act of accessing characteristics of a personal digital assistant associated with one or more of the authentication methods.
  - 14. The method as recited in claim 11, wherein accessing characteristics of a mobile computing device associated with one or more of the authentication methods comprises the following:
    - an act of accessing characteristics of a hand-held computer associated with one or more of the authentication methods.
  - 15. The method as recited in claim 1, wherein accessing one or more security characteristics of one or more authentication methods associated with the mobile user session comprises the following:
    - an act of accessing characteristics of a password associated with one or more of authentication methods.
  - 16. The method as recited in claim 15, wherein accessing characteristics of a password associated with one or more authentication methods comprises the following:
    - an act of accessing characteristics of a personal identification number including dual tone multi-frequency tones associated with one or more of authentication methods.
  - 17. The method as recited in claim 15, wherein accessing characteristics of a password associated with one or more authentication methods comprises the following:
    - an act of accessing characteristics of a personal identification number that includes spoken phrases associated with one or more of authentication methods.
  - 18. The method as recited in claim 15, wherein accessing characteristics of a password associated with one or more authentication methods comprises the following:
    - an act of accessing characteristics of a password that was transmitted from a mobile computing device out of band, the password being associated with one or more authentication methods.
  - 19. The method as recited in claim 1, wherein accessing one or more security characteristics of one or more authentication methods associated with the mobile user session comprises the following:
    - an act of accessing characteristics of biometric data associated with one or more authentication methods.
  - 20. The method as recited in claim 19, wherein accessing characteristics of biometric data associated with one or more authentication methods comprises the following:
    - an act of accessing characteristics of a voiceprint associated with one or more authentication methods.
  - 21. The method as recited in claim 19, wherein accessing characteristics of biometric data associated with one or more authentication methods comprises the following:
    - an act of accessing characteristics of a fingerprint associated with one or more authentication methods.
  - 22. The method as recited in claim 19, wherein accessing characteristics of biometric data associated with one or more authentication methods comprises the following:
    - an act of accessing characteristics of a retinal scan associated with one or more authentication methods.
  - 23. The method as recited in claim 1, wherein generating an authentication bundle representative of access to network resources by synthesizing the accessed characteristics comprises the following:
    - an act of generating an authentication bundle representative of access to network resources by synthesizing accessed characteristics associated with a device and accessed characteristics associated with a password.
  - 24. The method as recited in claim 1, wherein generating an authentication bundle representative of access to network resources by synthesizing the accessed characteristics comprises the following:
    - an act of generating an authentication bundle representative of access to network resources by synthesizing accessed characteristics associated with a device and accessed characteristics associated with biometric data.
  - 25. The method as recited in claim 1, wherein generating an authentication bundle representative of access to network resources by synthesizing the accessed characteristics comprises the following:
    - an act of generating an authentication bundle representative of access to network resources by synthesizing accessed characteristics associated with a password and accessed characteristics associated with biometric data.
  - 26. The method as recited in claim 1, wherein generating an authentication bundle representative of access to network resources by synthesizing the accessed characteristics comprises the following:
    - an act of generating an authentication bundle representative of access to network resources by synthesizing accessed characteristics associated with a device, accessed characteristics associated with a password and accessed characteristics associated with biometric data.
  - 27. The method as recited in claim 1, wherein generating an authentication bundle representative of access to network resources by synthesizing the accessed characteristics comprises the following:
    - an act of generating an authentication bundle representative of access to network resources by synthesizing characteristics associated with the time one or more authentication methods were executed.
  - 39. A computer program product for implementing, in a computing device including a security module that grants a user session access to network resources based on dynamic combinations of security characteristics associated with a user session, a method for granting dynamic mobile user session access to network resources depending on one or more authentication methods and the security of one or more devices so as to grant access that corresponds to the trustworthiness of the associated authentication methods and devices, the computer program product comprising:
    - a computer-readable medium carrying computer-executable instructions, that when executed at the computing device, cause the computing device to perform the method recited in claim 1.
  - 40. The computer program product as recited claim 39, wherein the computer-readable medium is a physical storage media.
  - 43. A method as recited in claim 1, wherein the method includes detecting a change in one of the security characteristics comprising a transition of the device to a less secure device.
  - 44. A method as recited in claim 1, wherein the method includes detecting a change in one of the security characteristics comprises a change in availability of authentication methods.
  - 45. A method as recited in claim 1, wherein the method includes detecting a change in one of the security characteristics comprising a change is a configuration of the device.
  - 46. A method as recited in claim 1, wherein the method includes detecting a change in one of the security characteristics comprising a change in a physical condition of a user.
  - 47. A method as recited in claim 1, wherein the method includes detecting a change in one of the security characteristics comprising a deterioration of a voice connection.

28. In a computing device including an access granting module that grants a user session access to network resources based on dynamic combinations of security characteristics associated with a user session, a method for granting dynamic mobile user session access to network resources depending on one or more authentication methods and the security of one or more devices associated with the mobile user session so as to grant dynamic access that corresponds to the trustworthiness of the associated authentication methods and devices, the method comprising:
- an act of accessing an authentication bundle, the authentication bundle having been generated by synthesizing one or more security characteristics of one or more authentication methods for a user device that is associated with the mobile user session the one or more security characteristics accounting for security differences in different authentication methods, different users devices, or both, in different security characteristics correspond to different levels of trustworthiness;
  
  an act of granting one of a plurality of access levels to network resources, the granted level of access corresponding to a level of trustworthiness identified by the one or more accessed security characteristics synthesized in the authentication bundle, wherein granting one of the plurality of access levels comprises granting a mobile user session a dynamically variable level of access; and
  
  in response to detecting a change in a security characteristic that reduces security of the device or the mobile user session, dynamically reducing the granted level of access to a level of access which is less than the maximum level of access associated with the user.
- View Dependent Claims (29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 41, 42)
- - 29. The method as recited in claim 28, wherein accessing an authentication bundle comprises the following:
    - an act of the access granting module accessing an authentication bundle.
  - 30. The method as recited in claim 28, wherein accessing an authentication bundle comprises the following:
    - an act of accessing an authentication bundle which causes the mobile user session to be granted access to the network resources represented by the authentication bundle.
  - 31. The method as recited in claim 28, wherein accessing an authentication bundle comprises the following:
    - an act of accessing an authentication bundle which causes generation of an authorization token associated with a level of access to network resources.
  - 32. The method as recited in claim 28, wherein accessing an authentication bundle comprises the following:
    - an act of accessing an authentication bundle which causes generation of an authorization token that includes data representative of one or more authentication methods associated with the mobile user session.
  - 33. The method as recited in claim 28, wherein granting a mobile user session less than the maximum level of access associated with a user comprises the following:
    - an act of receiving an authentication bundle, which causes a filter to reduce the mobile user session'"'"'s access to network resources to less than the maximum level of access associated with a user.
  - 34. The method as recited in claim 28, wherein granting a mobile user session less than the maximum level of access associated with a user comprises the following:
    - an act of receiving an authentication bundle, which causes a reverse proxy to reduce the mobile user session'"'"'s access to network resources to less than the maximum level of access associated with a user.
  - 35. The method as recited in claim 28, wherein granting one of a plurality of access levels to network resources comprises the following:
    - an act of modifying a mobile user session'"'"'s existing access to network resources, the modified access being different than the existing access.
  - 36. The method as in claim 35 wherein modifying a mobile user session'"'"'s existing access to network resources, the modified access being different than the existing access comprises the following:
    - an act of modifying a mobile user session'"'"'s existing access to network resources by granting access to network resources in addition to the existing access.
  - 37. The method as in claim 35 wherein modifying a mobile user session'"'"'s existing access to network resources, the modified updated access being different than the existing access comprises the following:
    - an act of modifying a mobile user session'"'"'s access to network resources by revoking some of the existing access to network resource.
  - 38. The method as recited in claim 28, further comprising:
    - an act of notifying a user associated with the mobile user session what network resources the mobile user session may access.
  - 41. A computer program product for implementing, in a computing device including a security module that grants a user session access to network resources based on dynamic combinations of security characteristics associated with a user session, a method for granting dynamic mobile user session access to network resources depending on one or more authentication methods and the security of one or more devices so as to grant access that corresponds to the trustworthiness of the associated authentication methods and devices, the computer program product comprising:
    - a computer-readable medium carrying computer-executable instructions, that when executed at the computing device, cause the computing device to perform the method, recited in claim 28.
  - 42. The computer program product as recited claim 41, wherein the computer-readable medium is a physical storage media.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Loveland, Shawn Domenic
Primary Examiner(s)
Revak, Christopher
Assistant Examiner(s)
Cervetti, David Garcia

Application Number

US09/972,512
Publication Number

US 20030070091A1
Time in Patent Office

1,740 Days
Field of Search

713/201, 726/3, 726/4
US Class Current

726/4
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/083   using passwords cryptograph...

H04L 63/0861   using biometrical features,...

H04L 63/104   Grouping of entities

H04L 63/205   involving negotiation or de...

H04L 67/30   Profiles

H04W 12/068   using credential vaults, e....

H04W 12/082   using revocation of authori...

H04W 12/088   using filters or firewalls

Granular authorization for network user sessions

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

181 Citations

47 Claims

Specification

Solutions

Use Cases

Quick Links

Granular authorization for network user sessions

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

181 Citations

47 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links