Identification and authentication management

US 7,117,529 B1
Filed: 10/22/2001
Issued: 10/03/2006
Est. Priority Date: 10/22/2001
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for managing temporary access to a first user'"'"'s data, comprising:

receiving, from a first user, a message at an authentication server, the first user having an authentication credential with respect to a first user'"'"'s account used to interact with the first user'"'"'s data through an application, the message that a second user be granted temporary access to the first user'"'"'s data through the application;

receiving, from the second user, a request at the authentication server, the request to access the first user'"'"'s data through the application; and

responsive to the request from the second user, obtaining the first user'"'"'s authentication credential from the authentication server and granting the second user temporary access to the first user'"'"'s data through the application by providing to the application the first user'"'"'s authentication credential, wherein the first user'"'"'s authentication credential is not provided to the second user.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An identification and authentication scheme maintains control relationships among identities in order to allow a user to dynamically grant or deny permission for a technical support representative to access the user'"'"'s data, while allowing the user to retain ultimate control over access to the data. Interactions entered by the representative can be distinguished from those entered by the user, while execution paths for representative-entered interactions are configured so that, to an application, the representative-entered transactions appear substantially identical to user-entered transactions. Technical support representatives are thereby able to duplicate users'"'"' problems to enable diagnosis and resolution of problems without requiring users to reveal their passwords or login credentials.

Citations

60 Claims

1. A computer-implemented method for managing temporary access to a first user'"'"'s data, comprising:
- receiving, from a first user, a message at an authentication server, the first user having an authentication credential with respect to a first user'"'"'s account used to interact with the first user'"'"'s data through an application, the message that a second user be granted temporary access to the first user'"'"'s data through the application;
  
  receiving, from the second user, a request at the authentication server, the request to access the first user'"'"'s data through the application; and
  
  responsive to the request from the second user, obtaining the first user'"'"'s authentication credential from the authentication server and granting the second user temporary access to the first user'"'"'s data through the application by providing to the application the first user'"'"'s authentication credential, wherein the first user'"'"'s authentication credential is not provided to the second user.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 32, 33)
- - 2. The method of claim 1, wherein granting the second user temporary access comprises activating a temporary access credential for the second user.
  - 3. The method of claim 1, wherein granting the second user temporary access comprises creating an entity relationship between an account associated with the second user and an account associated with the first user.
  - 4. The method of claim 3, wherein the account associated with the second user comprises a support representative account.
  - 5. The method of claim 1, wherein the message identifies the second user and specifies a level of access for the second user, and wherein granting the second user temporary access comprises granting the specified level of access.
  - 6. The method of claim 1, wherein the second user belongs to a group of users, and the message identifies the group of users to which the second user belongs.
  - 7. The method of claim 6, further comprising:
    - receiving an identifier from the second user, identifying the second user as belonging to the group of users.
  - 8. The method of claim 6, further comprising:
    - authenticating the second user as belonging to the group of users.
  - 9. The method of claim 6, wherein the group comprises support representatives.
  - 10. The method of claim 1, further comprising:
    - authenticating the second user;
      
      and wherein granting the second user temporary access to the first user'"'"'s data comprises;
      
      responsive to the request from the second user and responsive to the authentication of the second user being successful, granting the second user temporary access to the first user'"'"'s data by providing the first user'"'"'s authentication credential.
  - 11. The method of claim 1, wherein granting the second user temporary access to the first user'"'"'s data comprises granting the second user a level of access different from a level of access available to the first user.
  - 12. The method of claim 1, wherein receiving the message comprises receiving the message via a network.
  - 13. The method of claim 12, wherein receiving the request comprises receiving the request via the network.
  - 14. The method of claim 12, wherein receiving the request comprises receiving the request via a second network.
  - 15. The method of claim 1, further comprising storing in an audit log information describing the second user'"'"'s access to the first user'"'"'s data and identifying the second user in connection with the access.
  - 19. The method of claim 1 or 16, further comprising:
    - terminating the second user'"'"'s access to the first user'"'"'s data after a predetermined time period.
  - 20. The method of claim 19, wherein the predetermined time period is selectable by the first user.
  - 21. The method of claim 1 or 16, further comprising:
    - terminating the second user'"'"'s access to the first user'"'"'s data after the second user has accessed the first user'"'"'s data a predetermined number of times.
  - 22. The method of claim 21, wherein the predetermined number of times is selectable by the first user.
  - 23. The method of claim 1 or 16, further comprising:
    - terminating the second user'"'"'s access to the first user'"'"'s data in response to a command received from the first user.
  - 24. The method of claim 1 or 16, further comprising:
    - terminating the second user'"'"'s access to the first user'"'"'s data in response to a predetermined event.
  - 25. The method of claim 1 or 16, further comprising:
    - responsive to granting the second user access, outputting, to the first user, notification of the second user'"'"'s access to the first user'"'"'s data.
  - 26. The method of claim 1 or 16, further comprising:
    - responsive to granting the second user access, storing information describing the second user'"'"'s access to the first user'"'"'s data.
  - 27. The method of claim 26, wherein storing information comprises storing the information in an audit log.
  - 28. The method of claim 1 or 16, further comprising:
    - storing information describing at least one subsequent interaction with the first user'"'"'s data.
  - 29. The method of claim 28, wherein storing information comprises, for each interaction, storing information identifying which user accesses the first user'"'"'s data.
  - 30. The method of claim 1 or 16, wherein the access to the first user'"'"'s data by the second user is masked so that an application through which the second user accesses the first user'"'"'s data is unable to distinguish the access by the second user from access by the first user.
  - 32. The method of claim 1 or 16, wherein the first user'"'"'s data comprises at least one selected from the group consisting of:
    - a data file;
      
      a data file stored at a server; and
      
      data associated with the first user.
  - 33. The method of claim 1 or 16, wherein the steps of the method are performed by a web-based application.

16. A computer-implemented method for managing levels of access to a first user'"'"'s data for at least two users, comprising:
- establishing a control relationship between a first user'"'"'s authentication credential and a second user'"'"'s authentication credential, the control relationship allowing the first user to specify at least one parameter of the second user'"'"'s level of access to a first user'"'"'s data;
  
  receiving, from a first user, a message at an authentication server, the first user having an authentication credential with respect to a first user'"'"'s account used to interact with the first user'"'"'s data through an application, the message that a second user be granted temporary access to the first user'"'"'s data through the application;
  
  receiving, from the second user, a request at the authentication server, the request to access the first user'"'"'s data through the application; and
  
  responsive to the request from the second user, granting the second user access to the first user'"'"'s data through the application according to the second user'"'"'s level of access as specified by the first user, by providing to the application the first user'"'"'s authentication credential, wherein the first user'"'"'s authentication credential is obtained from the authentication server and is not provided to the second user.
- View Dependent Claims (17, 18, 31)
- - 17. The method of claim 16, wherein the second user is a support representative.
  - 18. The method of claim 16, further comprising:
    - terminating the second user'"'"'s access to the first user'"'"'s data.
  - 31. The method of claim 16, wherein the first user'"'"'s level of access is different from the second user'"'"'s level of access.

34. A system for granting to a second user access to a first user'"'"'s data in response to a message from a first user, comprising:
- an authenticator communicatively adapted to receive over a network connection authentication credentials of the first and second users and adapted to authenticate each user from the authentication credentials;
  
  an access level control module, communicatively coupled to the authenticator, for defining for each user a level of access to a first user'"'"'s data; and
  
  a resource interface, communicatively coupled to the access level control module, for granting the second user access to the first user'"'"'s data through the resource interface by providing the first user'"'"'s authentication credential to the authenticator for authentication, wherein the first user'"'"'s authentication credential is obtained from an authentication server and is not provided to the second user.
- View Dependent Claims (35, 36, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49)
- - 35. The system of claim 34, wherein the access level control module activates a temporary access credential for the second user.
  - 36. The system of claim 34, wherein the access level control module creates an entity relationship between an account associated with the second user and an account associated with the first user.
  - 38. The system of claim 34 or 37, wherein the resource interface further terminates the second user'"'"'s access to the first user'"'"'s data.
  - 39. The system of claim 34 or 37, wherein the resource interface further terminates the second user'"'"'s access to the first user'"'"'s data after a predetermined time period.
  - 40. The system of claim 39, wherein the predetermined time period is selectable by the first user.
  - 41. The system of claim 34 or 37, wherein the resource interface further terminates the second user'"'"'s access to the first user'"'"'s data after the second user has accessed the first user'"'"'s data a predetermined number of times.
  - 42. The system of claim 41, wherein the predetermined number of times is selectable by the first user.
  - 43. The system of claim 34 or 37, wherein the resource interface further terminates the second user'"'"'s access to the first user'"'"'s data in response to a command received from the first user.
  - 44. The system of claim 34 or 37, wherein the resource interface further terminates the second user'"'"'s access to the first user'"'"'s data in response to a predetermined event.
  - 45. The system of claim 34 or 37, further comprising:
    - an output device, coupled to the resource interface, for outputting, to the first user, notification of the second user'"'"'s access to the first user'"'"'s data.
  - 46. The system of claim 34 or 37, further comprising:
    - a storage device, coupled to the resource interface, for storing information describing the second user'"'"'s access to the first user'"'"'s data.
  - 47. The system of claim 46, wherein the storage device stores information identifying which user accesses the first user'"'"'s data.
  - 48. The system of claim 34 or 37, wherein the access to the first user'"'"'s data by the second user is masked so that an application through which the second user accesses the first user'"'"'s data is unable to distinguish the access by the second user from access by the first user.
  - 49. The system of claim 34 or 37, wherein the first user'"'"'s data comprises at least one selected from the group consisting of:
    - a data file;
      
      a data file stored at a server; and
      
      data associated with the first user.

37. A system for granting to a second user access to a first user'"'"'s data in response to a message from a first user, comprising:
- an access level control module, for establishing a control relationship between an authentication credential associated with the first user and an authentication credential associated with the second user, the control relationship allowing the first user to control at least one parameter of the second user'"'"'s level of access; and
  
  a resource interface, coupled to the access level control module, for granting the second user access to the first user'"'"'s data through the resource interface according to the second user'"'"'s level of access, by providing the first user'"'"'s authentication credential to an authenticator, wherein the first user'"'"'s authentication credential is obtained from an authentication server and is not provided to the second user.

50. In a client/server system for granting to a second user access to a first user'"'"'s data in response to a message from a first user specifying that the second user be granted access to the first user'"'"'s data, a server comprising:
- an authenticator, for authenticating each user according to authentication credentials;
  
  an access level control module, coupled to the authenticator, for defining a level of access to the first user'"'"'s data for each user; and
  
  a resource interface, coupled to the access level control module, for granting to a client operated by the second user access to the first user'"'"'s data through the resource interface by providing the first user'"'"'s authentication credential to the authenticator, wherein the first user'"'"'s authentication credential is obtained from an authentication server and is not provided to the second user.

51. In a client/server system for granting to a second user access to a first user'"'"'s data in response to a message from a first user specifying that the second user be granted access to the first user'"'"'s data, a server comprising:
- an access level control module, for establishing a control relationship between the first user'"'"'s authentication credential and the second user'"'"'s authentication credential, the control relationship allowing the first user to control at least one parameter of the second user'"'"'s level of access; and
  
  a resource interface, coupled to the access level control module, for granting to the client operated by the second user access to the first user'"'"'s data through the resource interface according to the second user'"'"'s level of access, by providing the first user'"'"'s authentication credential to an authenticator, wherein the first user'"'"'s authentication credential is obtained from an authentication server and is not provided to the second user.

52. A computer program product comprising a computer-usable medium having computer-readable code embodied therein for managing temporary access to a first user'"'"'s data, comprising:
- computer-readable program code configured to cause a computer to receive a message at an authentication server from a first user, the first user having an authentication credential with respect to the first user'"'"'s data, the message that a second user be granted temporary access to the first user'"'"'s data;
  
  computer-readable program code configured to cause a computer to receive a request at the authentication server from the second user, the request to access the first user'"'"'s data; and
  
  computer-readable program code configured to cause a computer to, responsive to the request from the second user, obtain the first user'"'"'s authentication credential and grant the second user temporary access to the first user'"'"'s data by providing the first user'"'"'s authentication credential to an authenticator, wherein the first user'"'"'s authentication credential is obtained from the authentication server and is not provided to the second user.
- View Dependent Claims (53, 54, 55, 57, 58, 59, 60)
- - 53. The computer program product of claim 52, wherein the computer-readable program code configured to cause a computer to grant the second user access comprises computer-readable program code configured to cause a computer to activate a temporary access credential for the second user.
  - 54. The computer program product of claim 52, wherein the computer-readable program code configured to cause a computer to grant the second user access comprises computer-readable program code configured to cause a computer to create an entity relationship between an account associated with the second user and an account associated with the first user.
  - 55. The computer program product of claim 52, further comprising:
    - computer-readable program code configured to cause a computer to authenticate the second user;
      
      and wherein the computer-readable program code configured to cause a computer to grant the second user access to the first user'"'"'s data comprises;
      
      computer-readable program code configured to cause a computer to, responsive to the request from the second user and responsive to the authentication of the second user being successful, grant the second user access to the first user'"'"'s data by providing the first user'"'"'s authentication credential.
  - 57. The computer program product of claim 52 or 56, further comprising:
    - computer-readable program code configured to cause a computer to, responsive to granting the second user access, store information describing the second user'"'"'s access to the first user'"'"'s data.
  - 58. The computer program product of claim 52 or 56, further comprising:
    - computer-readable program code configured to cause a computer to store information describing at least one subsequent interaction with the first user'"'"'s data.
  - 59. The computer program product of claim 58, wherein the computer-readable program code configured to cause a computer to store information comprises, computer-readable program code configured to cause a computer to, for each interaction, store information identifying which user accesses the first user'"'"'s data.
  - 60. The computer program product of claim 52 or 56, wherein the access to the first user'"'"'s data by the second user is masked so that an application through which the second user accesses the first user'"'"'s data is unable to distinguish the access by the second user from access by the first user.

56. A computer-implemented computer program product for managing levels of access to a first user'"'"'s data for at least two users, comprising:
- computer-readable program code configured to cause a computer to establish a control relationship between a first user'"'"'s authentication credential and a second user'"'"'s authentication credential, the control relationship allowing the first user to specify at least one parameter of the second user'"'"'s level of access to a first user'"'"'s data;
  
  computer-readable program code configured to cause a computer to receive, from a first user, a message at an authentication server, the first user having an authentication credential with respect to a first user'"'"'s account used to interact with the first user'"'"'s data through an application, the message that a second user be granted temporary access to the first user'"'"'s data through the application;
  
  computer-readable program code configured to cause a computer to receive, from the second user, a request at the authentication server the request to access the first user'"'"'s data through the application; and
  
  computer-readable program code configured to cause a computer to, responsive to the request from the second user, grant the second user access to the first user'"'"'s data through the application according to the second user'"'"'s level of access as specified by the first user, by providing to the application the first user'"'"'s authentication credential, wherein the first user'"'"'s authentication credential is obtained from the authentication server and is not provided to the second user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intuit, Inc.
Original Assignee
Intuit, Inc.
Inventors
Wilks, Daniel, O'Donnell, William
Primary Examiner(s)
Moise, Emmanuel L.
Assistant Examiner(s)
POPHAM, JEFFREY D

Application Number

US10/029,765
Time in Patent Office

1,807 Days
Field of Search

713/170, 715/741, 707/10, 726/10, 726/4, 726/6, 726/11, 726/12, 705/1, 705/35, 705/44
US Class Current

726/6
CPC Class Codes

G06Q 30/018   Certifying business or prod...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0838   using one-time-passwords

Identification and authentication management

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

60 Claims

Specification

Solutions

Use Cases

Quick Links

Identification and authentication management

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

60 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links