Authenticating linked accounts

US 8,327,428 B2
Filed: 11/30/2006
Issued: 12/04/2012
Est. Priority Date: 11/30/2006
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving one or more inputs from a client that define a link between a plurality of user accounts at a plurality of service providers;

forming a link identifier that identifies a plurality of account identifiers corresponding to the plurality of user accounts as a set of linked accounts;

storing the link identifier at an authentication service;

forming an authentication token for communication to a client, the authentication token including the link identifier to reference the set of linked accounts; and

managing authentication of the client to the set of linked accounts, such that the client, upon providing to the authentication service credentials corresponding to one account in the set of linked accounts, receives an access to each account in the set of linked accounts,wherein the link identifier permits the plurality of service providers presented with the authentication token to use the authentication token as proof of the client'"'"'s identity to identify the set of linked accounts.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of authenticating linked accounts are presented herein. In an implementation, an authentication service provides functionality to form links between a plurality of user accounts. A client may then authenticate by providing credentials for one account in a group of linked accounts, and is permitted access to each account in the group of linked accounts based upon the linking. Thus, a single sign-in of a client to one account may permit the client to obtain services for service providers corresponding to multiple linked accounts, without an individual sign-in to each account.

111 Citations

View as Search Results

22 Claims

1. A method comprising:
- receiving one or more inputs from a client that define a link between a plurality of user accounts at a plurality of service providers;
  
  forming a link identifier that identifies a plurality of account identifiers corresponding to the plurality of user accounts as a set of linked accounts;
  
  storing the link identifier at an authentication service;
  
  forming an authentication token for communication to a client, the authentication token including the link identifier to reference the set of linked accounts; and
  
  managing authentication of the client to the set of linked accounts, such that the client, upon providing to the authentication service credentials corresponding to one account in the set of linked accounts, receives an access to each account in the set of linked accounts,wherein the link identifier permits the plurality of service providers presented with the authentication token to use the authentication token as proof of the client'"'"'s identity to identify the set of linked accounts.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 19, 20, 21, 22)
- - 2. The method as recited in claim 1, wherein:
    - the authentication service manages authentication of clients on behalf of a plurality of service providers; and
      
      the access to each account in the set of linked accounts includes access to corresponding services provided by the plurality of service providers.
  - 3. The method as recited in claim 1, further comprising:
    - exposing an application programming interface callable by the client;
      
      indicating a plurality of user accounts that are linkable to one another by the client; and
      
      storing the link identifier in response to an indication linking more than one of the user accounts received from the client via the interface.
  - 4. The method as recited in claim 1, wherein, the link identifier permits access to services corresponding to each account described by the link identifier without additional authentication of the client.
  - 5. The method as recited in claim 1, wherein managing authentication of the client comprises:
    - exposing one or more interfaces; and
      
      receiving input from the client through the one or more interfaces as client interaction with the set of linked accounts.
  - 6. The method as recited in claim 5, wherein the one or more interfaces comprise:
    - an application programming interface, callable by the client, indicative of a plurality of accounts that are linkable to one another by the client; and
      
      an additional application programming interface, callable by the client, indicative of at least one link that is removable from the set of linked accounts by the client.
  - 7. The method as recited in claim 1, wherein managing authentication of the client comprises:
    - exposing one or more interfaces; and
      
      permitting interactions of one or more service providers with the set of linked accounts through the one or more interfaces.
  - 8. The method as recited in claim 7, wherein the one or more interfaces comprise an application programming interface that:
    - receives from one of the plurality of service providers the link identifier obtained by the one of the service providers from an authentication token provided by the client; and
      
      provides the one of the plurality of service providers access to data corresponding to the set of linked accounts which are linked via the link identifier.
  - 9. The method as recited in claim 7, wherein the one or more interfaces comprise one or more interfaces that:
    - receive from one of the plurality of service providers the link identifier obtained by the one of the service providers from an authentication token provided by the client, the authentication token correlated to a first account in the set of linked accounts, the authentication token issued to the client by the authentication service upon verification of credentials for the first account provided by the client;
      
      identify the set of linked accounts based on the link identifier;
      
      select one of the set of linked accounts;
      
      receive from the one of the plurality of service providers a user selection of a second account in the set of linked accounts; and
      
      correlate the authentication token to the second account.
  - 10. The method as recited in claim 9, wherein correlating the authentication token to the second account comprises overwriting an account identifier of the first account in the authentication token with an account identifier of the second account.
  - 11. The method as recited in claim 10 wherein:
    - when the authentication token correlates to the first account, the one of the plurality of service providers provides services to the client corresponding to the first account; and
      
      when the authentication token correlates to the second account, the one of the service providers provides services to the client corresponding to the second account.
  - 12. The method as recited in claim 9, wherein the act of correlating the authentication token to the second account comprises correlating the authentication token to the second account without additional credentials being provided.
  - 19. The method as recited in claim 1, wherein the authentication token includes a time stamp to determine when the authentication token expires or to determine when one of the set of linked accounts needs updating.
  - 20. The method as recited in claim 1, wherein the access to each account in the set of linked accounts includes access to each account without providing to the authentication service credentials corresponding to each account except for the credentials provided to the authentication service corresponding to the one account in the set of linked accounts.
  - 21. The method as recited in claim 1, wherein the plurality of user accounts include two or more user accounts of a same type of service.
  - 22. The method as recited in claim 1, wherein the plurality of user accounts include two or more user accounts of a different type of service.

13. One or more computer readable memory devices comprising computer executable instructions which, when executed, direct an authentication server to:
- expose an interface accessible by a client over a network;
  
  receive an input from the client via the interface that defines a link between a plurality of user accounts at a plurality of service providers;
  
  form a link identifier that identifies the plurality of user accounts as a set of linked accounts;
  
  store the link identifier;
  
  receive a single sign-in of the client to one account in the set of linked accounts;
  
  form an authentication token that includes the link identifier to reference the set of linked accounts; and
  
  manage authentication of the client to the set of linked accounts, such that the client, upon providing to the authentication service the single sign-in corresponding to the one account in the set of linked accounts, receives access to each account in the set of linked accounts,wherein the link identifier permits the plurality of service providers presented with the authentication token to use the authentication token as proof of the client'"'"'s identity to identify the set of linked accounts.
- View Dependent Claims (14, 15)
- - 14. One or more computer readable memory devices as recited in claim 13, wherein the link identifier included in the authentication token permits the client to access services from one or more service providers corresponding to each of the accounts in the set of linked accounts with the single sign-in.
  - 15. One or more computer readable memory devices as recited in claim 13, further comprising instructions to direct the authentication server to:
    - receive the link identifier via the network from a service provider, the link identifier obtained by the service provider to which the client presents the authentication token for proof of identity to access corresponding services; and
      
      provide the service provider access to data corresponding to the set of linked accounts, the data utilized by the service provider to output a user interface for the client to interact with the set of linked accounts.

16. A method comprising:
- receiving, via a network from a client, an authentication token issued by an authentication service to the client, the authentication token including a link identifier that identifies a plurality of user accounts at a plurality of service providers as a set of linked accounts via the authentication service, the authentication token further corresponding to a first account in the set of linked accounts, each of the plurality of user accounts corresponding to a service with which the client is permitted to interact, each of the plurality of user accounts including a user profile, the link identifier permitting the plurality of service providers presented with the authentication token to use the authentication token as proof of the client'"'"'s identity to identify the set of linked accounts;
  
  outputting an indication of services corresponding to the first account;
  
  providing a selectable portion in a user interface permitting selection of a second account in the set of linked accounts identifiable via the link identifier;
  
  receiving a selection of the second account via the selectable portion;
  
  communicating the selection of the second account to the authentication service;
  
  receiving an indication that the authentication token has a change to correspond to the second account, the change including an account identifier of the first account in the authentication token overwritten with an account identifier of the second account; and
  
  outputting an indication of services corresponding to the second account.
- View Dependent Claims (17, 18)
- - 17. The method as recited in claim 16, wherein the authentication token is changed to correspond to the second account without additional credentials being provided.
  - 18. The method as recited in claim 16, wherein the authentication token includes the account identifier of the first account when the authentication token corresponds to the first account, and wherein the authentication token includes the account identifier of the second account when the authentication token corresponds to the second account.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Bailey, David W., Ayres, Lynn C., Huang, Lin, Rouskov, Yordan I, Guo, Weiqiang Michael
Primary Examiner(s)
Arani, Taghi
Assistant Examiner(s)
HERZOG, MADHURI R

Application Number

US11/565,611
Publication Number

US 20080134295A1
Time in Patent Office

2,196 Days
Field of Search

726 2- 10, 726 16- 21, 713168-175, 713182-186, 709217-219, 709223-229
US Class Current

726/8
CPC Class Codes

G06F 21/30   Authentication, i.e. establ...

G06F 21/31   User authentication

G06F 21/41   where a single sign-on prov...

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 63/083   using passwords cryptograph...

H04L 67/10   in which an application is ...

Authenticating linked accounts

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

111 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Authenticating linked accounts

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

111 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links