Trusted device-specific authentication
First Claim
1. A method of performing multiple-factor authentication of a user within an account network, the method comprising:
receiving user credentials of the user and device credentials generated by a device employed by the user to access the account network;
associating a user identifier of the user credentials with a device identifier of the device credentials to represent a trust relationship between the user and the device;
evaluating the user credentials and the device credentials to generate verification results;
providing evidence of identity of the user based on the verification results of both the user credentials and the device credentials;
blocking an attempt by the user to change the user credentials and the device credentials if the user credentials are successfully verified but the device credentials are not successfully verified;
granting a higher level of privilege if the evidence of identity of both the user credentials and the device credentials indicate successful verification and granting a lower level of privilege if the evidence of identity of either of the user credentials and the device credentials indicates unsuccessful verification.
Abstract
An authentication system combines device credential verification with user credential verification to provide a more robust authentication mechanism that is convenient to the user and effective across enterprise boundaries. In one implementation, user credential verification and device credential verification are combined to provide a convenient two-factor authentication. In this manner, an account authority service or other authentication provider verifies both factors and provides a security token in accordance with the security policy of the account network resource the user intends to access. The level of privilege granted by the target account network resource can vary depending on the number and type of factors verified by the account authority service.
19 Claims

1. Independent claim; text as given under First Claim above. Dependent claims: 2-11.

12. A computer-readable storage medium having computer-executable instructions for performing a computer process that performs multiple-factor authentication of a user within an account network, the computer process comprising:
receiving user credentials of the user and device credentials generated by a device employed by the user to access the account network, the user credentials including a user identifier of the user and the device credentials including a device identifier of the device;
associatively recording the user identifier and the device identifier in an account of the user within the account network to represent a trust relationship between the user and the device;
evaluating the user credentials and the device credentials to generate verification results;
providing evidence of identity of the user based on the verification results of both the user credentials and the device credentials;
blocking an attempt by the user to change the user credentials and the device credentials if the user credentials are successfully verified but the device credentials are not successfully verified;
granting a higher level of privilege if the evidence of identity of both the user credentials and the device credentials indicate successful verification and granting a lower level of privilege if the evidence of identity of either of the user credentials and the device credentials indicates unsuccessful verification.
Dependent claims: 13-17.

18. A method of authorizing a user with a level of privilege for accessing an account network resource, the method comprising:
receiving evidence of identity from a device through which the user is attempting to access the account network resource;
interrogating the evidence of identity to determine whether the evidence of identity indicates successful verification of both user credentials of the user and device credentials of the device by an authentication provider trusted by the account network resource;
blocking an attempt by the user to change the user credentials and the device credentials if the user credentials are successfully verified but the device credentials are not successfully verified;
granting a first level of privilege if the evidence of identity indicates successful verification of both the user credentials of the user and the device credentials of the device by the authentication provider;
granting a second level of privilege if the evidence of identity indicates unsuccessful verification of either the user credentials of the user or the device credentials of the device by the authentication provider;
wherein the first level of privilege is higher than the second level of privilege.
Dependent claim: 19.
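The abstract and the independent claims describe two cooperating roles: an account authority that verifies a user factor and a device factor, records the user/device association, and issues evidence of identity; and an account network resource that interrogates that evidence and maps it to a higher or lower privilege level, blocking credential changes when the user factor verified but the device factor did not. The following Python is an added illustration of that policy, not code from the patent or its assignee. The class names, the password hashing with PBKDF2, the HMAC challenge-response used as the "device credentials", and the HMAC-signed JSON used as the "security token" are all assumptions chosen to make the flow concrete; the patent does not specify these mechanisms.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field

HIGH_PRIVILEGE = "high"   # both the user factor and the device factor verified
LOW_PRIVILEGE = "low"     # at most one factor verified


@dataclass
class Account:
    user_id: str
    pw_salt: bytes
    pw_hash: bytes
    # device identifier -> device key; each entry is a recorded user/device trust relationship
    trusted_devices: dict = field(default_factory=dict)


class AccountAuthority:
    """Hypothetical account authority service: verifies both factors and issues signed evidence."""

    def __init__(self):
        self.accounts = {}
        self.token_key = secrets.token_bytes(32)  # symmetric token key, kept simple for the example

    @staticmethod
    def _hash_password(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def enroll_user(self, user_id, password):
        salt = secrets.token_bytes(16)
        self.accounts[user_id] = Account(user_id, salt, self._hash_password(password, salt))

    def associate_device(self, user_id, device_id, device_key):
        # Associatively record the user identifier and device identifier in the user's account
        self.accounts[user_id].trusted_devices[device_id] = device_key

    def new_challenge(self):
        return secrets.token_bytes(16)

    def verify_user(self, user_id, password):
        acct = self.accounts.get(user_id)
        if acct is None:
            return False
        return hmac.compare_digest(acct.pw_hash, self._hash_password(password, acct.pw_salt))

    def verify_device(self, user_id, device_id, challenge, response):
        acct = self.accounts.get(user_id)
        key = acct.trusted_devices.get(device_id) if acct else None
        if key is None:
            return False  # device was never associated with this user
        expected = hmac.new(key, challenge, "sha256").digest()
        return hmac.compare_digest(expected, response)

    def authenticate(self, user_id, password, device_id, challenge, response):
        """Evaluate both factors; return evidence of identity as (claims JSON, HMAC signature)."""
        claims = {
            "user_id": user_id,
            "device_id": device_id,
            "user_verified": self.verify_user(user_id, password),
            "device_verified": self.verify_device(user_id, device_id, challenge, response),
        }
        body = json.dumps(claims, sort_keys=True).encode()
        return body, hmac.new(self.token_key, body, "sha256").hexdigest()

    def verify_token(self, body, signature):
        expected = hmac.new(self.token_key, body, "sha256").hexdigest()
        return json.loads(body) if hmac.compare_digest(expected, signature) else None

    def may_change_credentials(self, body, signature):
        """A verified user on an unverified device is blocked from changing either credential."""
        claims = self.verify_token(body, signature)
        return bool(claims and claims["user_verified"] and claims["device_verified"])


def device_respond(device_key, challenge):
    # Device side: prove possession of the device key without sending the key itself
    return hmac.new(device_key, challenge, "sha256").digest()


class AccountNetworkResource:
    """Resource side: interrogates the evidence and maps the results to a privilege level."""

    def __init__(self, authority):
        self.authority = authority  # the authentication provider this resource trusts

    def privilege_for(self, body, signature):
        claims = self.authority.verify_token(body, signature)
        if claims is None:
            return None  # tampered or forged evidence: no access at all
        if claims["user_verified"] and claims["device_verified"]:
            return HIGH_PRIVILEGE
        return LOW_PRIVILEGE


def demo():
    """Constructed scenario: one enrolled user, one trusted device, three access attempts."""
    authority = AccountAuthority()
    resource = AccountNetworkResource(authority)
    authority.enroll_user("alice", "correct horse battery staple")
    laptop_key = secrets.token_bytes(32)  # provisioned onto alice's laptop when it was associated
    authority.associate_device("alice", "laptop-1", laptop_key)
    results = {}

    # 1) Correct password from the associated device: both factors verified
    ch = authority.new_challenge()
    tok = authority.authenticate("alice", "correct horse battery staple",
                                 "laptop-1", ch, device_respond(laptop_key, ch))
    results["trusted_device"] = (resource.privilege_for(*tok), authority.may_change_credentials(*tok))

    # 2) Correct password from a device never associated with alice: lower privilege, change blocked
    ch = authority.new_challenge()
    other_key = secrets.token_bytes(32)
    tok = authority.authenticate("alice", "correct horse battery staple",
                                 "kiosk-7", ch, device_respond(other_key, ch))
    results["unknown_device"] = (resource.privilege_for(*tok), authority.may_change_credentials(*tok))

    # 3) Evidence altered after issuance fails the signature check and grants nothing
    body, sig = tok
    altered = body.replace(b'"device_verified": false', b'"device_verified": true')
    results["altered_token"] = resource.privilege_for(altered, sig)
    return results
```

The point the claims make, and the example preserves, is that a successful password alone never reaches the higher privilege tier or unlocks credential changes; only the combination of the user factor and a device the account has previously associated does. Signing the evidence lets the resource rely on the authority's verification results without re-running either check itself.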