Policy compliance-based secure data access
First Claim
1. A method of verifying client compliance with a set of security policies in order to grant access to secure data, the method comprising:
under control of one or more computer systems configured with executable instructions, receiving, from a mobile device, a request for an authentication seed that includes security information enabling generation of an authentication code that is distinct from the authentication seed;
after receiving the request for the authentication seed from the mobile device, sending a request for a set of parameter values corresponding to a set of security policies to the mobile device in order to determine whether the mobile device complies with the set of security policies;
instructing the mobile device to impose at least one of the set of security policies on the mobile device;
receiving the set of parameter values from the mobile device;
determining whether the set of parameter values received from the mobile device indicates that the mobile device is in compliance with the set of security policies; and
after determining, sending the authentication seed to the mobile device to enable the mobile device to generate the authentication code when the set of parameter values indicates that the mobile device is in compliance with the set of security policies, the authentication code being generated based at least in part on the authentication seed.
Abstract
Access control techniques relate to verifying compliance with security policies before enabling access to the computing resources. An application is provided on a client that generates verification codes using an authentication seed. Prior to granting the client the authentication seed necessary to generate a verification code, a server may perform a policy check on the client. Some embodiments ensure that the client complies with security policies imposed by an authenticating party by retrieving a number of parameter values from the client and then determining whether those parameter values comply with the security policies. Upon determining that the client complies, the authentication seed is issued to the client. In some embodiments, the authentication seed is provided such that a policy check is performed upon the generation of a verification code. The client is given access to secure information when the client is determined to comply with the security policies.
Claims (37)
1. A method of verifying client compliance with a set of security policies in order to grant access to secure data (claim text as given under First Claim above).
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 34, 35, 36, 37.
10. A method of authenticating a client by a server, the method comprising:
under control of one or more computer systems configured with executable instructions, receiving a request for access to secure information from the client, the request including at least a response code generated based at least in part on an authentication seed accessible to the client and the server, the response code being distinct from the authentication seed;
requesting a set of security parameter values from the client upon receiving the request, the set of security parameter values corresponding to a set of security policies imposed by the server;
receiving the set of security parameter values from the client in order to determine whether security settings of the client comply with the set of security policies;
after receiving the set of security parameter values, determining whether the set of security parameter values indicates that the client complies with the set of security policies; and
enabling the client to access secure information upon determining that the client complies with the set of security policies.
Dependent claims: 11, 12, 13, 14, 15, 16, 17.
18. A method of obtaining access to secure information through compliance with security policies, the method comprising:
under control of one or more computer systems configured with executable instructions, activating an application that provides access to secure information;
generating, on a client, an authentication code based at least in part on a seed value, the authentication code being distinct from the seed value;
sending a request for access to secure information to a server, the request including at least the authentication code;
providing a set of parameter values to the server that is configured to determine whether the client complies with a set of security policies, the set of parameter values corresponding to the set of security policies imposed by the server; and
obtaining access to the secure information when the client is determined to comply with the set of security policies.
Dependent claims: 19, 20, 21, 22, 23, 24.
25. A non-transitory computer-readable storage medium including instructions for obtaining access to secure information using at least an authentication code, the instructions when executed by at least one processor of a computing system causing the computing system to, at least:
send a request for an authentication seed to a server, the authentication seed being distinct from the authentication code;
provide a set of values to the server that is configured to determine whether a client device complies with a set of security policies using the set of values;
receive an error message when the client device is determined to not comply with the set of security policies;
impose, by the client device, at least one of the set of security policies;
receive the authentication seed when the client device is determined to comply with the set of security policies; and
generate the authentication code, by the client device, based at least in part on the authentication seed, wherein the client device is capable of obtaining access to secure information using the authentication code generated using the authentication seed.
Dependent claims: 26, 27, 28, 29, 30.
31. A system for verifying client compliance with a set of security policies in order to grant client access to secure data, the system comprising:
a processor; and
a memory device including instructions that, when executed by the processor, cause the system to, at least:
receive a request for an authentication seed;
after receiving the request for the authentication seed, send, to the client, a request for a response corresponding to a set of security policies;
receive the response from the client after sending the request regarding the set of security policies;
determine whether the response indicates that the client is in compliance with the set of security policies;
instruct the client to impose at least one of the set of policies on the client;
send the authentication seed to the client upon determining that the response indicates that the client is in compliance with the set of security policies; and
generate an authentication code based at least in part on the authentication seed, the authentication code being distinct from the authentication seed, wherein the client is capable of obtaining access to sensitive information using at least the authentication code.
Dependent claims: 32, 33.
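The exchange the independent claims describe (seed request, policy parameter request, compliance check, imposed policy on error, seed issuance, code generation, and the re-check on access) is simulated below as an added example; it is not code from the patent or its assignee. The policy set, the parameter names, the device settings and the HMAC-based code derivation are all assumptions chosen for illustration, since the claims fix none of them.

```python
"""Constructed simulation of the policy-gated seed issuance described in the claims.

Server: receive seed request -> request parameter values -> check compliance ->
issue seed (or return an error naming the policies to impose).
Client: report parameter values, impose the named policies on error, retry,
then derive a one-time authentication code from the seed.
"""
import hashlib
import hmac
import secrets
import struct

# Assumed policy set: parameter name -> (predicate over the reported value, requirement).
POLICIES = {
    "screen_lock_enabled": (lambda v: v is True, "screen lock must be on"),
    "passcode_min_length": (lambda v: isinstance(v, int) and v >= 6, "passcode >= 6 chars"),
    "device_rooted": (lambda v: v is False, "device must not be rooted"),
    "lock_timeout_seconds": (lambda v: isinstance(v, int) and v <= 300, "auto-lock within 5 min"),
}


def check_compliance(params):
    """Return the names of the policies the reported parameter values violate (empty = compliant)."""
    return [name for name, (predicate, _) in POLICIES.items()
            if name not in params or not predicate(params[name])]


def generate_code(seed, counter, digits=6):
    """HOTP-style derivation of a short numeric code from the seed (assumed scheme, RFC 4226 truncation)."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % (10 ** digits):0{digits}d}"


class Server:
    def __init__(self):
        self.seeds = {}  # device_id -> issued seed; the secret shared with that client

    def request_seed(self, device_id, params):
        """Claims 1/31: check the reported parameters; issue a seed only to a compliant device."""
        violations = check_compliance(params)
        if violations:
            # Error message plus the instruction to impose the violated policies (claims 1, 25, 31).
            return {"status": "error", "impose": violations}
        seed = secrets.token_bytes(20)
        self.seeds[device_id] = seed
        return {"status": "ok", "seed": seed}

    def access(self, device_id, code, params, counter):
        """Claim 10: verify the response code and re-check compliance before granting access."""
        seed = self.seeds.get(device_id)
        if seed is None or check_compliance(params):
            return False
        return hmac.compare_digest(generate_code(seed, counter), code)


class Client:
    def __init__(self, device_id, settings):
        self.device_id = device_id
        self.settings = dict(settings)  # constructed device settings
        self.seed = None

    def report(self):
        """Parameter values corresponding to the policy set, as sent to the server."""
        return {name: self.settings.get(name) for name in POLICIES}

    def impose(self, policy_names):
        """Apply the policies the server instructed; a rooted device cannot be fixed this way."""
        enforced = {"screen_lock_enabled": True, "passcode_min_length": 6, "lock_timeout_seconds": 300}
        for name in policy_names:
            if name in enforced:
                self.settings[name] = enforced[name]


def enroll(client, server, max_attempts=2):
    """Run the seed-request exchange; return True once the client holds a seed."""
    for _ in range(max_attempts):
        reply = server.request_seed(client.device_id, client.report())
        if reply["status"] == "ok":
            client.seed = reply["seed"]
            return True
        client.impose(reply["impose"])  # claim 25: error, impose policy, request again
    return False


if __name__ == "__main__":
    srv = Server()
    phone = Client("dev-1", {"screen_lock_enabled": False, "passcode_min_length": 4,
                             "device_rooted": False, "lock_timeout_seconds": 900})
    print("enrolled:", enroll(phone, srv))
    code = generate_code(phone.seed, counter=1)
    print("access with valid code:", srv.access("dev-1", code, phone.report(), 1))
```

Two points the simulation makes concrete: the seed is never handed to a device that fails the check, so a device whose violation cannot be remediated by an imposed setting (the rooted device in the test) never obtains one; and because claim 10 re-requests the parameter values on each access, a device that drifts out of compliance after enrollment is refused even with a correct code.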