Self-service credential management

US 8,474,022 B2
Filed: 06/15/2007
Issued: 06/25/2013
Est. Priority Date: 06/15/2007
Status: Active Grant

First Claim

Patent Images

1. A method for determining whether to permit a user to reset a credential used to access a resource, comprising the steps of:

receiving, by at least one processing unit, a first request from a first user to reset a first credential, wherein the first request includes first user information;

determining, based at least on the first user information, an applicable reset policy from among at least a first reset policy comprising a first gate and a second reset policy comprising a second gate identical to the first gate, wherein the first reset policy comprises a different pass/fail threshold than the second reset policy;

receiving a response from the first user; and

granting the first request if the response satisfies the applicable reset policy;

wherein the determining step further comprises determining;

that the first user is a member of both a first group having a first set of permissions within the resource and a second group having a second set of permissions within the resource;

that the first reset policy is associated with users in the first group and the second reset policy is associated with users in the second group;

that the first reset policy is more stringent than the second reset policy based on a ranking of the first reset policy and the second reset policy according to stringency; and

that the applicable reset policy is the first reset policy and not the second reset policy.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A self-service system and method for credential reset permits an administrator to customize policies for credential reset based on any user or group of users. Administrators may choose to set a more stringent policy for credential reset for users or groups that have higher-level permissions to access sensitive information within the resource protected by the credential. Customizable, plug-in gates are provided to permit administrators fine grained control over reset policy definition. When the user initiates a credential reset, the reset policy applicable to that user is invoked, and the user is presented with gates to pass pursuant to the applicable reset policy. The user'"'"'s responses are compared to responses presented by the user at registration. If the responses meet the reset policy'"'"'s threshold for accuracy, the user is permitted to reset the credential.

44 Citations

13 Claims

1. A method for determining whether to permit a user to reset a credential used to access a resource, comprising the steps of:
- receiving, by at least one processing unit, a first request from a first user to reset a first credential, wherein the first request includes first user information;
  
  determining, based at least on the first user information, an applicable reset policy from among at least a first reset policy comprising a first gate and a second reset policy comprising a second gate identical to the first gate, wherein the first reset policy comprises a different pass/fail threshold than the second reset policy;
  
  receiving a response from the first user; and
  
  granting the first request if the response satisfies the applicable reset policy;
  
  wherein the determining step further comprises determining;
  
  that the first user is a member of both a first group having a first set of permissions within the resource and a second group having a second set of permissions within the resource;
  
  that the first reset policy is associated with users in the first group and the second reset policy is associated with users in the second group;
  
  that the first reset policy is more stringent than the second reset policy based on a ranking of the first reset policy and the second reset policy according to stringency; and
  
  that the applicable reset policy is the first reset policy and not the second reset policy.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the first credential includes a password and the first user information includes a user name.
  - 3. The method of claim 1, wherein the applicable reset policy is the first reset policy and the first reset policy includes a first gate, further comprising the step of:
    - after the step of determining, sending the first gate to the first user.
  - 4. The method of claim 1, wherein:
    - the first reset policy includes at least a first gate and a second gate, and the second gate is different from the first gate;
      
      the step of receiving a response includes receiving a first response to the first gate and a second response to the second gate; and
      
      the step of granting the first request comprises granting the first request if the first response satisfies the first gate and the second response satisfies the second gate.
  - 5. The method of claim 1, wherein the first reset policy includes at least a first gate, the second reset policy includes at least a second gate, and the first gate is of a different type from the second gate.
  - 6. The method of claim 1, wherein the first reset policy includes at least a first gate, the second reset policy includes at least a second gate, and the first gate is of the same type as the second gate but has different characteristics from the second gate.
  - 7. The method of claim 1, wherein the first user information includes an identifier corresponding to the first user and the step of determining includes using the identifier to look up a first user registration stored in computer storage media.

8. A system for determining whether to allow users to reset credentials protecting a resource, comprising:
- a processing unit; and
  
  a memory coupled with and readable by the processing unit and having stored therein instructions which, when executed by the processing unit, cause a credential reset module to perform the following acts;
  
  receiving, by at least one processing unit, a first request from a first user to reset a first credential, wherein the first request includes first user information;
  
  determining, based at least on the first user information, an applicable reset policy from among at least a first reset policy comprising a first gate and a second reset policy comprising a second gate identical to the first gate, wherein the first reset policy comprises a different pass/fail threshold than the second reset policy;
  
  receiving a response from the first user; and
  
  granting the first request if the response satisfies the applicable reset policy;
  
  wherein the determining step further comprises determining;
  
  that the first user is a member of both a first group having a first set of permissions within the resource and a second group having a second set of permissions within the resource;
  
  that the first reset policy is associated with users in the first group and the second reset policy is associated with users in the second group;
  
  that the first reset policy is more stringent than the second reset policy based on a ranking of the first reset policy and the second reset policy according to stringency; and
  
  that the applicable reset policy is the first reset policy and not the second reset policy.
- View Dependent Claims (12, 13)
- - 12. The system of claim 8, wherein the first reset policy includes at least a first gate, the second reset policy includes at least a second gate, and the first gate is of a different type from the second gate.
  - 13. The system of claim 8, wherein the first reset policy includes at least a first gate, the second reset policy includes at least a second gate, and the first gate is of the same type as the second gate but has different characteristics from the second gate.

9. A storage device encoding a computer executable instructions that, when executed by at least one processor, perform a method for setting requirements to permit reset of a credential used to access a resource, the method comprising:
- associating a first user with a first group and a second group;
  
  associating the first group with a first reset policy comprising a first gate and the second group with a second reset policy comprising a second gate identical to the first gate, wherein the first reset policy comprises a different pass/fail threshold than the second reset policy, and wherein the first reset policy comprises a different pass/fail threshold than the second reset policy;
  
  ranking at least the first reset policy and the second reset policy based on stringency;
  
  receiving a request for access to the resource from the first user;
  
  determining that the first user is associated with the first group and the second group;
  
  determining that the first reset policy is more stringent based on the ranking;
  
  requiring the user to satisfy the first reset policy and not the second reset policy;
  
  receiving a response from the first user;
  
  when the response from the first user satisfies the first reset policy, allowing the first user to access the resource.
- View Dependent Claims (10, 11)
- - 10. The storage device of claim 9, wherein the first reset policy includes at least a first gate, the second reset policy includes at least a second gate, and further comprising:
    - receiving a third gate; and
      
      modifying the first reset policy to include the third gate.
  - 11. The storage device of claim 10, wherein the third gate comprises a dynamically linked library.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Iftimie, Sorin, Elhassan, Ikrima, Bequette, Bruce P.
Primary Examiner(s)
Mehedi, Morshed

Application Number

US11/763,880
Publication Number

US 20080313731A1
Time in Patent Office

2,202 Days
Field of Search

726/5, 726/6
US Class Current

726/6
CPC Class Codes

G06F 21/31   User authentication

G06F 21/40   by quorum, i.e. whereby two...

G06F 21/6218   to a system of files or obj...

G06F 2221/2113   Multi-level security, e.g. ...

Self-service credential management

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

44 Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

Self-service credential management

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

44 Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links