Credential management system and method
First Claim
1. A method comprising:
storing, within a vault account at a vault system, at least one encrypted website credential that is encrypted using an encryption key that is not available to the vault system, wherein the encrypted website credential is for authenticating a user to a third party website;
sending, to a client device, executable code for storing a bookmarklet link at the client device, wherein the bookmarklet link stores the encryption key and an application program interface (API) key, wherein the executable code obfuscates the stored encryption key within the bookmarklet link, and wherein a processor at the client device executes the executable code;
receiving, from the client device, at least one first vault credential to authenticate the user with the vault account;
authenticating the first vault credential;
assessing a risk that the first vault credential is not authentic, wherein assessing the risk comprises quantifying the risk;
comparing the quantified risk to a threshold to determine that the quantified risk is greater than the threshold;
requesting, from the client device and in response to the determination that the quantified risk is greater than the threshold, at least one second vault credential to authenticate the user with the vault account, wherein the second vault credential is distinct from the first vault credential;
authenticating the second vault credential;
receiving, from the client device, a request for the encrypted website credential as a result of a user selection of the bookmarklet link at the client device, wherein the request includes the API key;
authenticating the API key;
retrieving the requested encrypted website credential from the vault account at the vault system; and
sending, to the client device, the requested encrypted website credential and at least one form fill parameter in response to successfully authenticating the first vault credential, the second vault credential, and the API key, wherein the executable code decrypts the requested encrypted website credential into a decrypted website credential using the obfuscated stored encryption key, and wherein the executable code uses the form fill parameter to inject the decrypted website credential into at least one form field in an authentication page of the third party website.
5 Assignments
0 Petitions
Abstract
A centralized credential management system includes website credentials that are stored at a vault. The website credentials are encrypted based upon a key not available to the vault and are for authenticating a user to a third party website. Through a client, a user authenticates to the vault and retrieves the encrypted website credentials and parameters and code for properly injecting the credentials into a website authentication form. The website credentials are decrypted at the client and injected into the authentication form using the parameters and code.
57 Citations
10 Claims
1. A method comprising the steps set out in full under First Claim above. Dependent claims: 2, 3, 4, 5, 6.
7. A system comprising:
a memory to store, within a vault account at a vault system, at least one encrypted website credential that is encrypted using an encryption key that is not available to the vault system, wherein the encrypted website credential is for authenticating a user to a third party website;
a server processor coupled to the memory to:
send, to a client device, executable code for storing a bookmarklet link at the client device, wherein the bookmarklet link stores the encryption key and an application program interface (API) key, wherein the executable code obfuscates the stored encryption key within the bookmarklet link, and wherein a client processor at the client device executes the executable code;
receive, from the client device, at least one first vault credential to authenticate the user with the vault account;
authenticate the first vault credential;
assess a risk that the first vault credential is not authentic, wherein assessment of the risk comprises quantification of the risk;
compare the quantified risk to a threshold to determine that the quantified risk is greater than the threshold;
request, from the client device and in response to the determination that the quantified risk is greater than the threshold, at least one second vault credential to authenticate the user with the vault account, wherein the second vault credential is distinct from the first vault credential;
authenticate the second vault credential;
receive, from the client device, a request for the encrypted website credential as a result of a user selection of the bookmarklet link at the client device, wherein the request includes the API key;
authenticate the API key;
retrieve the requested encrypted website credential from the vault account at the vault system; and
send, to the client device, the requested encrypted website credential and at least one form fill parameter in response to successful authentication of the first vault credential, the second vault credential, and the API key, wherein the executable code decrypts the requested encrypted website credential into a decrypted website credential using the obfuscated stored encryption key, and wherein the executable code uses the form fill parameter to inject the decrypted website credential into at least one form field in an authentication page of the third party website.
Dependent claims: 8.
9. A method comprising:
sending, to a vault system, at least one encrypted website credential that is encrypted using an encryption key that is not available to the vault system, wherein the encrypted website credential is for authenticating a user to a third party website, and wherein the vault system stores the encrypted website credential within a vault account;
receiving, at a client device from the vault system, executable code for storing a bookmarklet link at the client device, wherein the bookmarklet link stores the encryption key and an application program interface (API) key, wherein the executable code obfuscates the stored encryption key within the bookmarklet link;
executing, by a processor at the client device, the executable code to store the bookmarklet link at the client device;
receiving, at the client device, an indication to provide the encrypted website credential;
sending, from the client device to the vault system, at least one first vault credential to authenticate the user with the vault account;
sending, from the client device to the vault system, at least one second vault credential to authenticate the user with the vault account in response to an assessment of a quantification of a risk that the first vault credential is not authentic and a comparison of the quantified risk to a threshold to determine that the quantified risk is greater than the threshold, wherein the second vault credential is distinct from the first vault credential;
sending, from the client device to the vault system, a request for the encrypted website credential in response to a user selection of the bookmarklet link at the client device, wherein the executable code includes the API key in the request;
receiving, at the client device from the vault system, the requested encrypted website credential and at least one form fill parameter in response to a successful authentication of the first vault credential, second vault credential, and the API key;
executing, at the client device, the executable code to decrypt the received encrypted website credential into a decrypted website credential using the obfuscated stored encryption key; and
executing, by the processor at the client device, the executable code to inject the decrypted website credential into at least one form field of an authentication page of the third party website using the form fill parameter.
10. A non-transitory computer-readable medium comprising computer-readable instructions for causing a processor to perform operations comprising:
sending, to a vault system, at least one encrypted website credential that is encrypted using an encryption key that is not available to the vault system, wherein the encrypted website credential is for authenticating a user to a third party website, and wherein the vault system stores the encrypted website credential within a vault account;
receiving, at a client device from the vault system, executable code for storing a bookmarklet link at the client device, wherein the bookmarklet link stores the encryption key and an application program interface (API) key, wherein the executable code obfuscates the stored encryption key within the bookmarklet link;
executing, by the processor at the client device, the executable code to store the bookmarklet link at the client device;
receiving, at the client device, an indication to provide the encrypted website credential;
sending, from the client device to the vault system, at least one first vault credential to authenticate the user with the vault account;
sending, from the client device to the vault system, at least one second vault credential to authenticate the user with the vault account in response to an assessment of a quantification of a risk that the first vault credential is not authentic and a comparison of the quantified risk to a threshold to determine that the quantified risk is greater than the threshold, wherein the second vault credential is distinct from the first vault credential;
sending, from the client device to the vault system, a request for the encrypted website credential in response to a user selection of the bookmarklet link at the client device, wherein the executable code includes the API key in the request;
receiving, at the client device from the vault system, the requested encrypted website credential and at least one form fill parameter in response to a successful authentication of the first vault credential, second vault credential, and the API key;
executing, by the processor at the client device, the executable code to decrypt the received encrypted website credential into a decrypted website credential using the obfuscated stored encryption key; and
executing, at the client device, the executable code to inject the decrypted website credential into at least one form field of an authentication page of the third party website using the form fill parameter.
Specification