Trusted device-specific authentication

US 7,979,899 B2
Filed: 06/02/2008
Issued: 07/12/2011
Est. Priority Date: 06/02/2008
Status: Active Grant

First Claim

Patent Images

1. A method of performing multiple-factor authentication of a user within an account network, the method comprising:

receiving user credentials of the user and device credentials generated by a device employed by the user to access the account network;

associating a user identifier of the user credentials with a device identifier of the device credentials to represent a trust relationship between the user and the device;

evaluating the user credentials and the device credentials to generate verification results;

providing evidence of identity of the user based on the verification results of both the user credentials and the device credentials;

blocking an attempt by the user to change the user credentials and the device credentials if the user credentials are successfully verified but the device credentials are not successfully verified;

granting a higher level of privilege if the evidence of identity of both the user credentials and the device credentials indicate successful verification and granting a lower level of privilege if the evidence of identity of either of the user credentials and the device credentials indicates unsuccessful verification.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An authentication system combines device credential verification with user credential verification to provide a more robust authentication mechanism that is convenient to the user and effective across enterprise boundaries. In one implementation, user credential verification and device credential verification are combined to provide a convenient two-factor authentication. In this manner, an account authority service or other authentication provider verify both factors and provide a security token in accordance with the security policy of the account network resource the user is intending to access. The level of privilege granted by the target account network resource can vary depending on the number and type of factors verified by the account authority service.

109 Citations

View as Search Results

19 Claims

1. A method of performing multiple-factor authentication of a user within an account network, the method comprising:
- receiving user credentials of the user and device credentials generated by a device employed by the user to access the account network;
  
  associating a user identifier of the user credentials with a device identifier of the device credentials to represent a trust relationship between the user and the device;
  
  evaluating the user credentials and the device credentials to generate verification results;
  
  providing evidence of identity of the user based on the verification results of both the user credentials and the device credentials;
  
  blocking an attempt by the user to change the user credentials and the device credentials if the user credentials are successfully verified but the device credentials are not successfully verified;
  
  granting a higher level of privilege if the evidence of identity of both the user credentials and the device credentials indicate successful verification and granting a lower level of privilege if the evidence of identity of either of the user credentials and the device credentials indicates unsuccessful verification.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1 wherein the evidence of identity of the user includes both the user identifier and the device identifier.
  - 3. The method of claim 1 wherein the associating operation comprises:
    - associatively recording the user identifier and the device identifier in an account of the user within the account network.
  - 4. The method of claim 1 wherein the associating operation comprises:
    - recording the user identifier and the device identifier and at least one other device identifier, the recording operation designating the devices identified by the device identifier and the at least one other device identifier as trusted devices of the user.
  - 5. The method of claim 1 wherein the providing operation comprises:
    - generating a security token as the evidence of identity of the user, wherein the security token includes both the user identifier and the device identifier.
  - 6. The method of claim 1 wherein the providing operation comprises:
    - generating a security token as the evidence of identity of the user, wherein the security token includes a programming interface allowing a recipient of the security token to access both the user identifier and the device identifier from the security token.
  - 7. The method of claim 1 further comprising:
    - disassociating the user identifier from the device identifier, after the associating operation, to remove the device as a trusted device of the user.
  - 8. The method of claim 1 wherein the providing operation provides the evidence of identity only upon successful verification of both the user credentials and the device credentials, and further comprising:
    - withholding the evidence of identity of the user if verification of both the user credentials and the device credentials is unsuccessful.
  - 9. The method of claim 1 wherein the providing operation provides the evidence of identity only upon successful verification of both the user credentials and the device credentials.
  - 10. The method of claim 1 wherein the providing operation provides the evidence of identity only upon successful verification of both the user credentials and the device credentials, and further comprising:
    - notifying the user of an attempt to authenticate using the user credentials resulted in successful verification of the user credentials but not successful authentication of the device credentials.
  - 11. The method of claim 1 wherein a level of privilege granted by an account network resource in response to receipt of the evidence of identity is dependent upon whether the evidence of identity indicates successful verification of the device credentials.

12. A computer-readable storage medium having computer-executable instructions for performing a computer process that performs multiple-factor authentication of a user within an account network, the computer process comprising:
- receiving user credentials of the user and device credentials generated by a device employed by the user to access the account network, the user credentials including a user identifier of the user and the device credentials including a device identifier of the device;
  
  associatively recording the user identifier and the device identifier in an account of the user within the account network to represent a trust relationship between the user and the device;
  
  evaluating the user credentials and the device credentials to generate verification results;
  
  providing evidence of identity of the user based on the verification results of both the user credentials and the device credentials;
  
  blocking an attempt by the user to change the user credentials and the device credentials if the user credentials are successfully verified but the device credentials are not successfully verified;
  
  granting a higher level of privilege if the evidence of identity of both the user credentials and the device credentials indicate successful verification and granting a lower level of privilege if the evidence of identity of either of the user credentials and the device credentials indicates unsuccessful verification.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The computer-readable storage medium of claim 12 wherein the evidence of identity of the user includes both the user identifier and the device identifier.
  - 14. The computer-readable storage medium of claim 12 wherein the associating operation comprises:
    - recording the user identifier and the device identifier and at least one other device identifier, the recording operation designating the devices identified by the device identifier and the at least one other device identifier as trusted devices of the user.
  - 15. The computer-readable storage medium of claim 12 wherein the providing operation comprises:
    - generating a security token as the evidence of identity of the user, wherein the security token includes both the user identifier and the device identifier.
  - 16. The computer-readable storage medium of claim 12 wherein the providing operation comprises:
    - generating a security token as the evidence of identity of the user, wherein the security token includes a programming interface allowing a recipient of the security token to access both the user identifier and the device identifier from the security token.
  - 17. The computer-readable storage medium of claim 12 wherein a level of privilege granted by an account network resource in response to receipt of the evidence of identity is dependent upon whether the evidence of identity indicates successful verification of the device credentials.

18. A method of authorizing a user with a level of privilege for accessing an account network resource, the method comprising:
- receiving evidence of identity from a device through which the user is attempting to access the account network resource;
  
  interrogating the evidence of identity to determine whether the evidence of identity indicates successful verification of both user credentials of the user and device credentials of the device by an authentication provider trusted by the account network resource;
  
  blocking an attempt by the user to change the user credentials and the device credentials if the user credentials are successfully verified but the device credentials are not successfully verified;
  
  granting a first level of privilege if the evidence of identity indicates successful verification of both the user credentials of the user and the device credentials of the device by the authentication provider;
  
  granting a second level of privilege if the evidence of identity indicates unsuccessful verification of either the user credentials of the user or the device credentials of the device by the authentication provider;
  
  wherein the first level of privilege is higher than the second level of privilege.
- View Dependent Claims (19)
- - 19. The method of claim 18 wherein the evidence of identity includes a security token providing a programming interface through which the account network resource can access a user identifier of the user credentials and a device identifier of the device credentials.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Chen, Rui, Guo, Wei-Qiang (Michael), Rouskov, Yordan, Wong, Pui-Yin Winfred
Primary Examiner(s)
Homayounmehr; Farid

Application Number

US12/131,142
Publication Number

US 20090300744A1
Time in Patent Office

1,135 Days
Field of Search

726/7, 726/20
US Class Current

726/7
CPC Class Codes

G06F 21/31   User authentication

G06F 21/32   using biometric data, e.g. ...

G06F 21/34   involving the use of extern...

H04L 2209/56   Financial cryptography, e.g...

H04L 63/0823   using certificates cryptogr...

H04L 63/0876   based on the identity of th...

H04L 63/105   Multiple levels of security

H04L 9/3234   involving additional secure...

H04L 9/3263   involving certificates, e.g...

Trusted device-specific authentication

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

109 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Trusted device-specific authentication

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

109 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links