Mixed-mode authentication

US 8,566,915 B2
Filed: 10/22/2010
Issued: 10/22/2013
Est. Priority Date: 10/22/2010
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

obtaining an authentication request from a client for access to resources from a service provider;

performing mixed-mode authentication to authenticate the client including determining whether a secure mode for the authentication is enabled; and

responsive to authentication of the client, issuing one or more tokens to the client based on the determining, such that;

a secure token and an insecure token configured for access to secure and insecure resources, respectively, are issued when the secure mode is enabled; and

an insecure token configured for access to both secure and insecure resources is issued to the client when the secure mode is disabled.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for mixed-mode authentication are described. In one or more embodiments, an authentication service may be implemented to selectively configure and issue authentication tokens based upon an optional secure mode that enables enhanced security. Clients may be provided with an option to choose between an insecure mode and a secure mode for authentications. Based on this choice, tokens may be configured to include an indication of whether the secure mode is disabled or enabled. When secure mode is disabled, an insecure token valid for both secure sites and other sites is issued to a client when the client is authenticated. When the optional secure mode is enabled, both secure and insecure tokens are provided to the client. The authentication services and/or other services may be configured to reject an insecure token when secure mode is enabled to prevent unauthorized use of a stolen token to access secure resources.

Citations

20 Claims

1. A method comprising:
- obtaining an authentication request from a client for access to resources from a service provider;
  
  performing mixed-mode authentication to authenticate the client including determining whether a secure mode for the authentication is enabled; and
  
  responsive to authentication of the client, issuing one or more tokens to the client based on the determining, such that;
  
  a secure token and an insecure token configured for access to secure and insecure resources, respectively, are issued when the secure mode is enabled; and
  
  an insecure token configured for access to both secure and insecure resources is issued to the client when the secure mode is disabled.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method as described in claim 1, wherein determining whether the secure mode is enabled comprises referencing a mixed-mode indicator that is:
    - configured to indicate whether secure mode is enabled or disabled; and
      
      associated with an account corresponding to the client from which the authentication request is obtained.
  - 3. The method as described in claim 1, wherein the secure resources are secured using Secure Sockets Layer (SSL) protocol.
  - 4. The method as described in claim 1, wherein performing mixed-mode authentication to authenticate the client further includes:
    - validating credentials provided by the client;
      
      determining the client is authenticated and issuing the one or more tokens to access the resources when the credentials are valid; and
      
      determining the client is not authenticated and denying access to the resources when the credentials are invalid.
  - 5. The method as described in claim 1, further comprising configuring the one or more tokens to include a mixed-mode flag that indicates whether secure mode is enabled or disabled.
  - 6. The method as described in claim 5, wherein the mixed-mode flag that indicates whether secure mode is enabled or disabled is configured to be detectable by a service provider to differentiate between the insecure token issued when secure mode is enabled and the insecure token issued when secure mode is disabled.
  - 7. The method as described in claim 1, wherein the insecure token issued when secure mode is enabled is configured to be rejected when presented for access to secure resources to prevent unauthorized access to the secure resources if the insecure token is stolen.
  - 8. The method as described in claim 1, wherein:
    - the secure resources comprise resources from the service provider that are accessible by the client over a network using Hypertext Transfer Protocol Secure (HTTPS); and
      
      the insecure resources comprise resources from the service provider that are accessible by the client over the network via Hypertext Transfer Protocol (HTTP).
  - 9. The method as described in claim 1, further comprising:
    - determining that secure mode for the authentication is disabled; and
      
      redirecting the client to an interstitial sign-up site to provide the client with an option to enable secure mode.
  - 10. The method as described in claim 1, wherein the secure token and the insecure token issued in response to enabling of the secure mode are issued in response to a single sign-on and provide access to multiple resources including a suite of services available from the service provider.
  - 11. The method as described in claim 1, further comprising:
    - obtaining the insecure token issued when secure mode is enabled in another authentication request to access secure resources available from the service provider;
      
      determining that secure mode is enabled by referencing a flag included with the insecure token; and
      
      denying access to the secure resources using the insecure token based upon the determination that secure mode is enabled.
  - 12. The method as described in claim 1, wherein:
    - the secure token is configured as a Hypertext Transfer Protocol Secure (HTTPS) cookie that is compatible with sites that use secure communications; and
      
      the insecure token issued is configured as a Hypertext Transfer Protocol Secure (HTTP) cookie that is compatible with sites that do not support secure communications.

13. One or more computer-readable storage devices comprising instructions stored thereon that, in response to execution by one or more components of a computing system, cause the computing system to implement an authentication service to perform operations to authenticate clients to access resources over a network from a service provider, the operations including for each client that is authenticated:
- determining whether a secure mode for authentication is enabled or disabled for the client; and
  
  responsive to the determination that the secure mode is enabled, issuing to the client both a secure token to enable access to secure sites of the service provider that use secure communications and an insecure token to enable access to other sites of the service provider that do not support secure communications, the insecure token configured to include a indication that secure mode is enabled that is detectable by the secure sites and causes the secure sites not to accept the insecure token.
- View Dependent Claims (14, 15)
- - 14. One or more computer-readable storage devices as described in claim 13, wherein the operations further include responsive to the determination that the secure mode is disabled, issuing to the client a single insecure token configured to be accepted by both the secure sites and the other sites of the service provider.
  - 15. One or more computer-readable storage devices as described in claim 13, wherein the operations further include configuring a mixed-mode flag included with tokens that are issued by the authentication service to indicate whether the secure mode is enabled.

16. A system comprising:
- one or more processing devices;
  
  one or more computer-readable memories storing instructions that, responsive to execution by the one or more processing devices, cause the one or more processing devices to implement an authentication service operable to;
  
  selectively issue tokens to authenticated clients to enable access to resources from a service provider based upon a determination regarding whether a secure mode is enabled or disabled for the authenticated clients, including for each client;
  
  issuing both a secure token and an insecure token to the client when the secure mode is enabled for the client;
  
  orissuing a single insecure token to the client when the secure mode is disabled for the client; and
  
  configure a mixed-mode flag included with tokens that are issued to the authenticated clients to indicate whether the secure mode is enabled.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The system as described in claim 16, wherein the authentication service is further operable to:
    - detect the mixed-mode flag included with a particular token when the particular token is presented by a client to gain access to secure resources from a secure site; and
      
      reject the particular token when the mixed-mode flag indicates that secure mode is enabled and the particular token is an insecure token.
  - 18. A system as described in claim 16, wherein the secure token and the insecure token issued when secure mode is enabled comprise, respectively:
    - a Hypertext Transfer Protocol Secure (HTTPS) cookie that is compatible to access resources from secure sites that use Secure Sockets Layer (SSL) anda Hypertext Transfer Protocol (HTTP) cookie that is compatible to access resources from other sites that do not support Secure Sockets Layer (SSL).
  - 19. A system as described in claim 18, wherein the insecure token issued when secure mode is disabled comprises Hypertext Transfer Protocol (HTTP) cookie that is compatible to access resources from both secure sites that use Secure Sockets Layer (SSL) and other sites that do not support Secure Sockets Layer (SSL).
  - 20. A system as described in claim 16, wherein the authentication service is further operable to:
    - determine when secure mode is disabled for a particular client; and
      
      present the particular client with an option to enable secure mode in response to the determination.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Hsueh, Walter C., Rouskov, Yordan I., Low, Spencer Wong, Crevier, Daniel W.
Primary Examiner(s)
HOFFMAN, BRANDON S

Application Number

US12/910,411
Publication Number

US 20120102553A1
Time in Patent Office

1,096 Days
Field of Search

None
US Class Current

726/6
CPC Class Codes

H04L 63/062   for key distribution, e.g. ...

H04L 63/0815   providing single-sign-on or...

H04L 63/105   Multiple levels of security

H04L 63/166   at the transport layer

H04L 67/02   based on web technology, e....

H04L 9/3234   involving additional secure...

Mixed-mode authentication

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Mixed-mode authentication

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links