Flexible authentication for online services with unreliable identity providers

US 8,505,085 B2
Filed: 04/08/2011
Issued: 08/06/2013
Est. Priority Date: 04/08/2011
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for authenticating a user to access one or more online services, the method comprising:

receiving a request from a user to login to use an online service provided by a relying party;

in response to the received login request, attempting to perform federated authentication by communicating with an identity provider that can authenticate the user for the relying party; and

upon determining that federated authentication failed due to unavailability of the identity provider,accessing user information stored by the relying party that includes at least one contact address for the user;

generating a temporary token or challenge that correlates with;

(1) duration information and (2) data associated with the user'"'"'s identity; and

sending the generated temporary token to the user using the at least one contact address,wherein the preceding steps are performed by at least one processor.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A flexible authentication system is described herein that fluidly switches between a federated authentication model and a local short-lived token model that does not require sophisticated authentication infrastructure at the relying party site. Upon detecting an event that causes the identity provider to be unavailable for authentication, the relying party switches to a temporary token model. The system generates a bearer token or challenge associated with the user'"'"'s identity and (optionally) associated with time data that limits the period during which the token is valid. The relying party communicates the short-lived token to the user using contact information associated with the user and already stored by the relying party. Upon receiving the short-lived token, the user provides the short-lived token to the relying party, and the relying party processes the token to validate the user'"'"'s identity and then allows the user to access the relying party'"'"'s online services.

74 Citations

View as Search Results

20 Claims

1. A computer-implemented method for authenticating a user to access one or more online services, the method comprising:
- receiving a request from a user to login to use an online service provided by a relying party;
  
  in response to the received login request, attempting to perform federated authentication by communicating with an identity provider that can authenticate the user for the relying party; and
  
  upon determining that federated authentication failed due to unavailability of the identity provider,accessing user information stored by the relying party that includes at least one contact address for the user;
  
  generating a temporary token or challenge that correlates with;
  
  (1) duration information and (2) data associated with the user'"'"'s identity; and
  
  sending the generated temporary token to the user using the at least one contact address,wherein the preceding steps are performed by at least one processor.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1 wherein receiving the request to login comprises receiving credentials previously provided by an identity provider for authenticating the user.
  - 3. The method of claim 1 wherein attempting federated authentication comprises determining whether the identity provider is currently unavailable to provide authentication services.
  - 4. The method of claim 1 wherein attempting federated authentication comprises determining whether a previous request to the identity provider was successful.
  - 5. The method of claim 1 wherein the accessed user information does not include login credentials related to the user and stored by the relying party.
  - 6. The method of claim 1 wherein the contact address is selected from the group consisting of:
    - an email address, a mobile phone number, a voice mailbox, a land phone number, and a postal address associated with the user.
  - 7. The method of claim 1 wherein generating a temporary token comprises creating token data that is an opaque identifier associated with data stored by the relying party that the relying party can use to identify the user'"'"'s profile record for accessing the online service.
  - 8. The method of claim 1 wherein the duration information associated with the temporary token defines the time and circumstances during which the temporary token is valid.
  - 9. The method of claim 1 wherein the duration information associated with the temporary token provides for a one-time use of the temporary token.
  - 10. The method of claim 1 wherein the duration information associated with the temporary token provides a set expiration time for the temporary token.
  - 11. The method of claim 1 wherein the duration information associated with the temporary token provides a dynamically determined event for expiring the temporary token.
  - 12. The method of claim 1 wherein sending the temporary token comprises sending the user a uniform resource locator that the user can activate to navigate to the relying party'"'"'s website and provide the token to one or more online services of the relying party.
  - 13. The method of claim 1 wherein sending the temporary token comprises sending the user a challenge that will allow the user to access the online service if the user can reply with a correct related response.

14. A flexible authentication system for authenticating a user in the event of an unreliable identity provider, the system comprising:
- a processor and memory configured to execute software instructions embodied within the following components;
  
  a user login component that receives requests to authenticate at least one user to use one or more online services provided by a relying party;
  
  an outage detection component that detects an event that causes an identity provider that provides authentication services to the relying party to be unavailable for handling one or more received authentication requests;
  
  a federated authentication component that sends to an identity provider authentication requests on behalf of the relying party that offloads authentication handling to the identity provider and receives an authentication response that verifies the at least one user'"'"'s digital identity;
  
  a token generation component that generates a temporary token that validates the at least one user'"'"'s digital identity, has a limited lifetime, and allows the at least one user in possession of the temporary token to access one or more online services of the relying party without authenticating with an identity provider and without the relying party storing local security credentials on behalf of the at least one user;
  
  a token communication component that accesses information about a contact point associated with the at least one user and communicates the generated temporary token to at least one contact point based on the accessed information;
  
  a token receiving component that receives a request from the at least one user to access an online service of the relying party, wherein the request includes the temporary token previously generated and communicated to the at least one user at the one or more contact points;
  
  a token validation component that validates the temporary token that was received by determining the user identity associated with the token and verifying that the token is being used during the token'"'"'s valid lifetime; and
  
  a user access component that provides the at least one user access to the online services of the relying party based on the temporary token having been received and validated.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The system of claim 14 wherein the outage detection component, upon detecting an outage or other unavailability of the identity provider, invokes the token generation component to begin the process of providing the user with a short-lived temporary token for accessing the online services of the relying party in the absence of the identity provider'"'"'s services.
  - 16. The system of claim 14 wherein the token generation component generates a token that is a challenge associated with a user profile identifier and a duration of the token'"'"'s lifetime to which the token receiving component receives a corresponding response.
  - 17. The system of claim 14 wherein the token generation component, after generating the token, invokes the token communication component to provide the generated token to the appropriate user.
  - 18. The system of claim 14 wherein the token communication component sends the token or other verification information to multiple contact points of the user and wherein the token receiving component asks the user for all of the information sent to each contact point to validate the user'"'"'s identity.
  - 19. The system of claim 14 wherein the token receiving component validates that a device providing the received token is the same device from which the user requested the temporary token.

20. A computer-readable storage device comprising instructions for controlling a computer system to authenticate a user to access a service while an identity provider for the user is unavailable, wherein the instructions, upon execution, cause a processor to perform actions comprising:
- receiving a temporary token from the user, the temporary token previously issued by a relying party operating an online service that normally relies upon a third-party identity provider to provide authentication services;
  
  determining that the third-party identity provider for the user is unavailable;
  
  retrieving user identity information from the received temporary token that identifies a user profile stored by the relying party that is associated with the user providing the temporary token;
  
  determining that the temporary token is a token validly issued by the relying party;
  
  determining a valid lifetime of the received temporary token and that the temporary token is not expired; and
  
  when the temporary token is not expired, allowing the user to access the online service based on the user'"'"'s access rights and the user'"'"'s authenticated identity verified by the user'"'"'s possession of the temporary token and without the relying party separately storing security credentials for the user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Ryland, Mark, Gordon, Ariel, Bertocci, Vittorio, Logan, Angus P. D.
Primary Examiner(s)
Zee, Edward

Application Number

US13/082,403
Publication Number

US 20120260322A1
Time in Patent Office

851 Days
Field of Search

726/8, 726/9, 726/10, 726/5
US Class Current

726/9
CPC Class Codes

G06F 21/33 using certificates

Flexible authentication for online services with unreliable identity providers

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

74 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Flexible authentication for online services with unreliable identity providers

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

74 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links