Multiple credentials in a distributed system

US 7,676,829 B1
Filed: 10/30/2001
Issued: 03/09/2010
Est. Priority Date: 10/30/2001
Status: Active Grant

First Claim

Patent Images

1. In a system including a service that is accessed by a user from one or more devices with varying input capabilities, a method for associating multiple credentials with a single user account such that the user may be authenticated with any one of the multiple credentials, the method comprising an authentication system performing acts of:

receiving an authentication request at the authentication system from a desktop computer, wherein the authentication request includes a first set of credentials of the user, the first set of credentials comprising a username and a password;

determining based on the first set of credentials being a username and password that a first credential store is to be accessed to validate the authentication request from the desktop computer, the first credential store storing sets of credentials that each comprise a username and password;

validating the first set of credentials provided by the user by accessing the first credential store to determine whether the username and password are associated with a single unique user identifier, wherein each set of credentials in the first credential store is associated with a single unique user identifier of a user, a single unique user account, and a single unique user profile such that upon determining that the first set of credentials is associated with a unique user identifier, the unique user identifier is returned to the desktop computer such that the desktop computer may use the unique user identifier to access a service;

receiving a second authentication request at the authentication system from a cellular phone, wherein the authentication request includes a second set of credentials of the user, the second set of credentials comprising a numeric username and a numeric pin, wherein the numeric username is distinct from the username;

determining based on the second set of credentials being a numeric username and a numeric pin that a second credential store is to be accessed to validate the authentication request from the cellular phone, the second credential store storing sets of credentials that each comprise a numeric username and a numeric pin; and

validating the second set of credentials provided by the user by accessing the second credential store to determine whether the numeric username and numeric pin are associated with a single unique user identifier, wherein each set of credentials in the second credential store is also associated with a single unique user identifier of a user, a single unique user account, and a single unique user profile such that upon determining that the second set of credentials is associated with the same unique user identifier as the first set of credentials, the unique user identifier is returned to the cellular phone such that the cellular phone may use the unique user identifier to access the service.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for associating multiple credentials with a single user account in a distributed authentication system. A user can be authenticated to a service by providing any one of the multiple credentials to the authentication system. Thus, a user can provide credentials that are more easily entered or supplied on a given device. All of the credentials are associated with a single user account. The credentials can be associated symmetrically, where the user account is independent of each credential, or asymmetrically, where the user account is stored with a primary credential and the other credentials are secondary credentials that reference the primary credential.

93 Citations

View as Search Results

25 Claims

1. In a system including a service that is accessed by a user from one or more devices with varying input capabilities, a method for associating multiple credentials with a single user account such that the user may be authenticated with any one of the multiple credentials, the method comprising an authentication system performing acts of:
- receiving an authentication request at the authentication system from a desktop computer, wherein the authentication request includes a first set of credentials of the user, the first set of credentials comprising a username and a password;
  
  determining based on the first set of credentials being a username and password that a first credential store is to be accessed to validate the authentication request from the desktop computer, the first credential store storing sets of credentials that each comprise a username and password;
  
  validating the first set of credentials provided by the user by accessing the first credential store to determine whether the username and password are associated with a single unique user identifier, wherein each set of credentials in the first credential store is associated with a single unique user identifier of a user, a single unique user account, and a single unique user profile such that upon determining that the first set of credentials is associated with a unique user identifier, the unique user identifier is returned to the desktop computer such that the desktop computer may use the unique user identifier to access a service;
  
  receiving a second authentication request at the authentication system from a cellular phone, wherein the authentication request includes a second set of credentials of the user, the second set of credentials comprising a numeric username and a numeric pin, wherein the numeric username is distinct from the username;
  
  determining based on the second set of credentials being a numeric username and a numeric pin that a second credential store is to be accessed to validate the authentication request from the cellular phone, the second credential store storing sets of credentials that each comprise a numeric username and a numeric pin; and
  
  validating the second set of credentials provided by the user by accessing the second credential store to determine whether the numeric username and numeric pin are associated with a single unique user identifier, wherein each set of credentials in the second credential store is also associated with a single unique user identifier of a user, a single unique user account, and a single unique user profile such that upon determining that the second set of credentials is associated with the same unique user identifier as the first set of credentials, the unique user identifier is returned to the cellular phone such that the cellular phone may use the unique user identifier to access the service.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method as defined in claim 1 wherein the user selects which set of credentials to provide from among a plurality of sets of credentials valid at the authentication system and associated with the user, the set of credentials being chosen by the user based at least partially on the user'"'"'s device, the method further comprising:
    - receiving a new set of credentials from the user and associating the new set of credentials with the unique user identifier, the user account, and the user profile of the user;
      
      storing the new set of credentials in a credential store of the authentication system such that the authentication system can authenticate the user to the service when the user provides any one of the multiple sets of credentials associated with the user account; and
      
      providing, in response to the request, the unique user identifier.
  - 3. The method as defined in claim 2, wherein the act of receiving a new set of credentials from the user further comprises storing the new set of credentials in a third credential store based on a type of the new set of credentials.
  - 4. The method as defined in claim 3, wherein storing the new set of credentials further comprises an act of caching a copy of the unique user identifier with the new set of credentials.
  - 5. The method as defined in claim 1, wherein the first set of credentials is a primary set of credentials, the method further comprising associating the second set of credentials with the first set of credentials.
  - 6. The method as defined in claim 2, further comprising one or more of:
    - a step for remembering which set of credentials was received in the authentication request;
      
      a step for prompting the user for a more secure set of credentials when the set of credentials received in the authentication request do not meet security requirements of the service, such that the user selects a new set of credentials from among the plurality of sets of credentials valid at the authentication system; and
      
      a step for providing at least one security measure for each set of credentials associated with the user account, wherein the user is not authenticated to a service if the security measure of a particular set of credentials is breached or the user account is locked.
  - 7. The method as defined in claim 1, wherein the unique user account corresponds to the service, the method further comprising:
    - receiving an authentication response from the authentication system, wherein the authentication response includes the unique user identifier that authenticates the user to the service, the response also including the user profile; and
      
      sending an authenticated request to the service, wherein the authenticated request includes the unique user identifier and user profile such that access to the service is obtained.
  - 8. The method as recited in claim 2, wherein the new set of credentials has an associated security level and wherein the user has attempted to authenticate using the first set of credentials and wherein the method further comprises:
    - associating the new set of credentials with the user account such that the user can be authenticated with any of the plurality of sets of credentials,prior to providing the response, and subsequent to receiving the authorization request, prompting the user for a secure set of credentials that is more secure than the first set of credentials if the security level of the first set of credentials is insufficient for a service being accessed by the user, wherein the service is provided with the security level of both the first set of credentials and the secure set of credentials, but is not aware of either the first set of credentials or the secure set of credentials.
  - 9. The method as defined in claim 8, wherein the step for associating the new set of credentials with the user account further comprises a step for symmetrically associating the first set of credentials and the new set of credentials with the user account, wherein the user account is cached with each of the first set of credentials and the set of credentials.
  - 10. The method as defined in claim 9, wherein the step for associating the new set of credentials with the user account further comprises a step for asymmetrically associating the new set of credentials with a primary set of credentials, wherein the primary set of credentials is associated with the user account and wherein the primary set of credentials is cached with each new set of credentials.
  - 11. The method as defined in claim 8, further comprising a step for automatically authenticating the user at different services after the user has been authenticated at a first service.
  - 12. The method as defined in claim 1, wherein the same unique user identifier is provided to the user regardless of the set of credentials received from the user.
  - 13. The method as defined in claim 2, wherein providing the unique user identifier and the user profile to the device comprises sending a cookie containing the unique user identifier and the user profile to the device.
  - 14. The method as defined in claim 1, wherein the user profile includes data about the user comprising name, personal information, preferred language, preferences, and location.
  - 15. The method as defined in claim 2, wherein the act of validating the first and second sets of credentials provided by the user further comprises an act of the authentication system comparing the first and second sets of credentials selected by the user against the plurality of sets of credentials stored in the credential store to determine validity.

16. In a system including a service that is accessed by a user from one or more devices with varying input capabilities, a computer program product for implementing a method for associating multiple credentials with a user account such that the user may be authenticated with anyone of the multiple credentials, the computer program product comprising:
- a computer readable storage medium storing computer readable instructions for performing a method comprising;
  
  receiving an authentication request at the authentication system from a desktop computer, wherein the authentication request includes a first set of credentials of the user, the first set of credentials comprising a username and a password;
  
  determining based on the first set of credentials being a username and password that a first credential store is to be accessed to validate the authentication request from the desktop computer, the first credential store storing sets of credentials that each comprise a username and password;
  
  validating the first set of credentials provided by the user by accessing the first credential store to determine whether the username and password are associated with a single unique user identifier, wherein the each set of credentials in the first credential store is associated with a single unique user identifier of a user, a single unique user account, and a single unique user profile such that upon determining that the first set of credentials is associated with a unique user identifier, the unique user identifier is returned to the desktop computer such that the desktop computer may use the unique user identifier to access a service;
  
  receiving a second authentication request at the authentication system from a cellular phone, wherein the authentication request includes a second set of credentials of the user, the second set of credentials comprising a numeric username and a numeric pin, wherein the numeric username is distinct from the username;
  
  determining based on the second set of credentials being a numeric username and a numeric pin that the second credential store is to be accessed to validate the authentication request from the cellular phone, the second credential store storing sets of credentials that each comprise a numeric username and a numeric pin; and
  
  validating the second set of credentials provided by the user by accessing a second credential store to determine whether the numeric username and numeric pin are associated with a single unique user identifier, wherein the each set of credentials in the second credential store is also associated with a single unique user identifier of a user, a single unique user account, and a single unique user profile such that upon determining that the second set of credentials is associated with the same unique user identifier as the first set of credentials, the unique user identifier is returned to the cellular phone such that the cellular phone may use the unique user identifier to access the service.
- View Dependent Claims (17, 18, 19, 20, 21, 22)
- - 17. The computer readable storage medium of claim 16, wherein the user selects which set of credentials to provide from among a plurality of sets of credentials valid at the authentication system and associated with the user, the set of credentials being chosen by the user based at least partially on the user'"'"'s device, wherein the computer readable instructions further comprise instructions for performing the acts of:
    - receiving a new set of credentials from the user and associating the new set of credentials with the unique user identifier, the user account, and the user profile of the user;
      
      storing the new set of credentials in a credential store of the authentication system such that the authentication system can authenticate the user to the service when the user provides any one of the multiple sets of credentials associated with the user account; and
      
      providing, in response to the request, the unique user identifier.
  - 18. The computer readable storage medium of claim 17, wherein the act of receiving a new set of credentials from the user further comprises storing the new set of credentials in a third credential store based on a type of the new set of credentials.
  - 19. The computer readable storage medium of claim 18, wherein storing the new set of credentials further comprises an act of caching a copy of the unique user identifier with the new set of credentials.
  - 20. The computer readable storage medium of claim 16, wherein the first set of credentials is a primary set of credentials, the method further comprising associating the second set of credentials with the first set of credentials.
  - 21. The computer readable storage medium of claim 16, wherein the computer readable instructions further comprise instructions for performing the acts of:
    - remembering which set of credentials was received in the authentication request; and
      
      prompting the user for a more secure set of credentials when the set of credentials received in the authentication request is not sufficient for the service.
  - 22. The computer readable storage medium of claim 16, wherein the unique user account corresponds to a service, and wherein the computer readable instructions further comprise instructions for performing the acts of:
    - receiving an authentication response from the authentication system, wherein the authentication response includes the unique user identifier that authenticates the user to the service, the response also including the user profile; and
      
      sending an authenticated request to the service, wherein the authenticated request includes the unique user identifier and user profile such that access to the service is obtained.

23. In a system including a service that is accessed by a user from one or more devices with varying input capabilities, a method for associating multiple credentials with a single user account such that the user may be authenticated with any one of the multiple credentials, the method comprising an authentication system performing acts of:
- receiving an authentication request at the authentication system from a first computer, wherein the authentication request includes a first set of credentials of the user;
  
  determining based on a format of the first set of credentials that a first credential store is to be accessed to validate the authentication request from the first computer, the first credential store storing sets of credentials that have the same format;
  
  validating the first set of credentials provided by the user by accessing the first credential store to determine whether the first set of credentials is associated with a single unique user identifier, wherein each set of credentials in the first credential store is associated with a single unique user identifier of a user, a single unique user account, and a single unique user profile such that upon determining that the first set of credentials is associated with a unique user identifier, the unique user identifier is returned to the first computer such that the desktop computer may use the unique user identifier to access a service;
  
  receiving a second authentication request at the authentication system from a second computer, wherein the authentication request includes a second set of credentials of the user, the second set of credentials having a format that is different than the format of the first set of credentials;
  
  determining based on the format of the second set of credentials that a second credential store is to be accessed to validate the authentication request from the second computer, the second credential store storing sets of credentials that each have the same format; and
  
  validating the second set of credentials provided by the user by accessing the second credential store to determine whether the second set of credentials is associated with a single unique user identifier, wherein each set of credentials in the second credential store is also associated with a single unique user identifier of a user, a single unique user account, and a single unique user profile such that upon determining that the second set of credentials is associated with the same unique user identifier as the first set of credentials, the unique user identifier is returned to the second computer such that the second computer may use the unique user identifier to access the service.
- View Dependent Claims (24, 25)
- - 24. The method of claim 23, wherein the first and second computer are the same computer, and wherein the first set and second set of credentials comprise a username and password, and wherein the username of the first set of credentials is different than the username of the second set of credentials.
  - 25. The method of claim 24, wherein the username of first set of credentials is an email address having a first domain and the username of the second set of credentials is an email address having a second domain that is different than the first domain.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Shutt, David, Gui, Wei-Qiang Michael, Coco, Joseph N.
Primary Examiner(s)
Vu; Kimyen
Assistant Examiner(s)
Debnath; Suman

Application Number

US10/020,470
Time in Patent Office

3,052 Days
Field of Search

726 5- 9
US Class Current

726/5
CPC Class Codes

G06F 21/31 User authentication

H04L 63/0815 providing single-sign-on or...

Multiple credentials in a distributed system

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

93 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Multiple credentials in a distributed system

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

93 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links