Establishing a trusted session from a non-web client using adaptive authentication

US 8,701,199 B1
Filed: 12/23/2011
Issued: 04/15/2014
Est. Priority Date: 12/23/2011
Status: Active Grant

First Claim

Patent Images

1. A method of launching a client application on an electronic device, the method comprising:

after the client application is installed on the electronic device, providing input from the electronic device to an adaptive authentication service of a remote authentication server;

receiving a credential from the adaptive authentication service of the remote authentication server in response to a successful adaptive authentication result which is based on the input provided from the electronic device; and

invoking the client application with the credential on the electronic device to establish a trusted session between the client application and an application server;

wherein providing the input from the electronic device to the adaptive authentication service of the remote authentication server includes providing a set of adaptive authentication factors from a web browser of the electronic device as input to a risk-based authentication operation performed by the adaptive authentication service, the risk-based authentication operation outputting a numerical risk score which quantitatively identifies a level of risk;

wherein receiving the credential from the adaptive authentication service includes obtaining the credential in response to a determination, by the adaptive authentication service, that the numerical risk score exceeds a predefined risk score threshold maintained by the adaptive authentication service on behalf of the application server; and

wherein invoking includes;

automatically activating the client application on the electronic device in response to receipt of the credential from the adaptive authentication service.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A technique controls launching of a client application on an electronic device. The technique involves, after the client application is installed on the electronic device, providing input from the electronic device to an adaptive authentication service of a remote authentication server. The technique further involves receiving a credential from the adaptive authentication service of the remote authentication server in response to a successful adaptive authentication result which is based on the input provided from the electronic device. The technique further involves invoking the client application with the credential on the electronic device to establish a trusted session between the client application and an application server. Such a technique is well suited for use by multi environment clients such as general purpose computers, tablets and smart phones.

57 Citations

View as Search Results

19 Claims

1. A method of launching a client application on an electronic device, the method comprising:
- after the client application is installed on the electronic device, providing input from the electronic device to an adaptive authentication service of a remote authentication server;
  
  receiving a credential from the adaptive authentication service of the remote authentication server in response to a successful adaptive authentication result which is based on the input provided from the electronic device; and
  
  invoking the client application with the credential on the electronic device to establish a trusted session between the client application and an application server;
  
  wherein providing the input from the electronic device to the adaptive authentication service of the remote authentication server includes providing a set of adaptive authentication factors from a web browser of the electronic device as input to a risk-based authentication operation performed by the adaptive authentication service, the risk-based authentication operation outputting a numerical risk score which quantitatively identifies a level of risk;
  
  wherein receiving the credential from the adaptive authentication service includes obtaining the credential in response to a determination, by the adaptive authentication service, that the numerical risk score exceeds a predefined risk score threshold maintained by the adaptive authentication service on behalf of the application server; and
  
  wherein invoking includes;
  
  automatically activating the client application on the electronic device in response to receipt of the credential from the adaptive authentication service.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. A method as in claim 1 wherein providing the set of adaptive authentication factors includes:
    - sending a HyperText Transfer Protocol (HTTP) message from the web browser of the electronic device to the adaptive authentication service of the remote authentication server through a computerized network, the HTTP message including an HTTP cookie; and
      
      wherein cookie data of the HTTP cookie is processed as at least some of the adaptive authentication factors by the risk-based authentication operation to determine the numerical risk score.
  - 3. A method as in claim 1 wherein providing the set of adaptive authentication factors includes:
    - running JavaScript to collect and provide browser settings and user preferences from the web browser to the adaptive authentication service; and
      
      wherein the browser settings and user preferences are processed as at least some of the adaptive authentication factors by the risk-based authentication operation to determine the numerical risk score.
  - 4. A method as in claim 1 wherein providing the set of adaptive authentication factors includes:
    - providing, to the adaptive authentication service, an electronic device identifier which distinctively identifies the electronic device among other electronic devices, and geographical location information which identifies a location associated with the electronic device; and
      
      wherein the electronic device identifier and the geographical location information are processed as at least some of the adaptive authentication factors by the risk-based authentication operation to determine the numerical risk score.
  - 5. A method as in claim 1 wherein receiving the credential from the adaptive authentication service includes:
    - obtaining, as the credential, a Public Key Infrastructure (PKI) certificate assigned to the electronic device.
  - 6. A method as in claim 1, further comprising:
    - automatically starting a timer on the electronic device, andautomatically terminating the client application upon an expiration of the timer.
  - 7. A method as in claim 1, further comprising:
    - at a time following termination of the trusted session between the client application and the application server, providing new input from the electronic device to the adaptive authentication service of the remote authentication server; and
      
      receiving an out of band challenge in response to an unsuccessful adaptive authentication result which is based on the new input provided from the electronic device.
  - 8. A method as in claim 1, further comprising:
    - installing the client application on the electronic device to configure the electronic device as a multi-environment client which is capable of operating within infrastructures of multiple electronic environments;
      
      wherein the application server is constructed and arranged to provide at least part of an infrastructure of a particular electronic environment of the multiple electronic environments.
  - 9. A method as in claim 8 wherein invoking includes:
    - providing authentication credentials from the electronic device to the application server to authenticate with the application server separately from involvement of the adaptive authentication service of the remote authentication server.
  - 10. A method as in claim 8 wherein the application server is constructed and arranged to operate as a virtual desktop infrastructure (VDI) server;
    - andwherein invoking includes obtaining access to a VDI which is managed by the VDI server.
  - 11. A method as in claim 8 wherein the application server is constructed and arranged to operate as a virtual private network (VPN) server;
    - andwherein invoking includes obtaining access to a VPN which is managed by the VPN server.
  - 12. A method as in claim 11, further comprising:
    - preventing the web browser from accessing the VPN during the trusted session between the client application and the application server.
  - 13. A method as in claim 11, further comprising:
    - closing the web browser while the electronic device accesses the VPN.
  - 14. A method as in claim 1 wherein the client application on the electronic device resides at a first location;
    - wherein the adaptive authentication service of the remote authentication server resides at a second location which is separate from the first location;
      
      wherein the application server resides at a third location which is separate from the first and second locations; and
      
      wherein invoking the client application to establish the trusted session between the client application and the application server includes;
      
      enabling a user to operate the application server in a secure server zone in the third location remotely from the client application on the electronic device in a secure user zone of the first location of the end user device using at least a portion the adaptive authentication server in a demilitarized zone in the second location, wherein communication between the first and third zones are via the second zone.
  - 15. A method as in claim 1 wherein the electronic device is constructed and arranged to run the client application only when the credential from the adaptive authentication service of the remote authentication server is present on the electronic device;
    - and wherein the method further comprises;
      
      prior to receiving the credential from the adaptive authentication service of the remote authentication server, disabling execution of the client application on the electronic device.

16. An electronic device, comprising:
- a communications interface;
  
  memory which stores a client application; and
  
  a controller coupled to the communications interface and the memory, the controller being constructed and arranged to;
  
  provide, after the client application is installed on the electronic device, input to an adaptive authentication service of a remote authentication server through the communications interface,receive a credential from the adaptive authentication service of the remote authentication server through the communications interface in response to a successful adaptive authentication result which is based on the input provided from the electronic device, andinvoke the client application with the credential on the electronic device to establish a trusted session between the client application and an application server through the communications interface;
  
  wherein the controller provides the input from the electronic device to the adaptive authentication service of the remote authentication server including a set of adaptive authentication factors from a web browser of the electronic device as input to a risk-based authentication operation performed by the adaptive authentication service, the risk-based authentication operation outputting a numerical risk score which quantitatively identifies a level of risk;
  
  wherein, when the controller receives the credential from the adaptive authentication service, the credential further includes, in response to a determination by the adaptive authentication service, that the numerical risk score exceeds a predefined risk score threshold maintained by the adaptive authentication service on behalf of the application server; and
  
  wherein, when the controller invokes the client application, further includes automatically activating the client application on the electronic device in response to receipt of the credential from the adaptive authentication service.
- View Dependent Claims (17)
- - 17. An electronic device as in claim 16 wherein the controller, when providing the input to the adaptive authentication service, is constructed and arranged to:
    - provide a set of adaptive authentication factors from a web browser as input to a risk-based authentication operation performed by the adaptive authentication service, the risk-based authentication operation outputting a numerical risk score which quantitatively identifies a level of risk.

18. A computer program product having a non-transitory computer readable medium which stores a set of instructions for launching a client application, the set of instructions causing a computerized device to perform a method of:
- after the client application is installed on the computerized device, providing input from the computerized device to an adaptive authentication service of a remote authentication server;
  
  receiving a credential from the adaptive authentication service of the remote authentication server in response to a successful adaptive authentication result which is based on the input provided from the computerized device; and
  
  invoking the client application with the credential on the computerized device to establish a trusted session between the client application and an application server;
  
  wherein providing the input from the electronic device to the adaptive authentication service of the remote authentication server includes providing a set of adaptive authentication factors from a web browser of the electronic device as input to a risk-based authentication operation performed by the adaptive authentication service, the risk-based authentication operation outputting a numerical risk score which quantitatively identifies a level of risk;
  
  wherein receiving the credential from the adaptive authentication service includes obtaining the credential in response to a determination, by the adaptive authentication service, that the numerical risk score exceeds a predefined risk score threshold maintained by the adaptive authentication service on behalf of the application server; and
  
  wherein invoking includes automatically activating the client application on the electronic device in response to receipt of the credential from the adaptive authentication service.
- View Dependent Claims (19)
- - 19. A computer program product as in claim 18 wherein providing the input from the computerized device to the adaptive authentication service of the remote authentication server includes:
    - providing a set of adaptive authentication factors from a web browser of the computerized device as input to a risk-based authentication operation performed by the adaptive authentication service, the risk-based authentication operation outputting a numerical risk score which quantitatively identifies a level of risk.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
EMC Corporation (Dell Technologies Inc.)
Inventors
Dotan, Yedidya, Friedman, Lawrence N., Wiese, James
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
GUIRGUIS, MICHAEL M

Application Number

US13/336,570
Time in Patent Office

844 Days
Field of Search

726/25, 726/5
US Class Current

726/25
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/0853   using an additional device,...

H04L 63/18   using different networks or...

Establishing a trusted session from a non-web client using adaptive authentication

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

57 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Establishing a trusted session from a non-web client using adaptive authentication

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

57 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links