Trusted device-specific authentication
First Claim
1. A method of performing multiple-factor authentication of a user of a device within an account network, the method comprising:
accessing a user credential stored by an account authority service of the account network, the user credential comprising a user identifier and a corresponding password, the account authority service comprising a network service that provides account authorization services via a network to users of the account network;
receiving and storing via the network, at the account authority service, a device credential for the device and association information indicating that the device credential is to be associated with the user credential, the device credential comprising an identifier and a corresponding device password, the account authority service responding to the association information by storing an association between the device identifier and the user identifier, wherein the device credential is employed by the user to access the account network, the association representing a trust relationship between the user and the device;
when accessing the account network by the device, receiving the device credential and user credential via the network from the device at the account authority service and in response attempting to verify the user credential and the device credential; and
generating a security token and sending the security token to the device to be used to access the account network, wherein the security token is configured by the account authority service to comprise an indication of a level of privilege granted by the account authority service in accordance with the attempting to verify the user credential and the device credential, the granted level of privilege when the user credential is successfully verified being dependent upon whether the device credential is successfully verified, the level of privilege used by servers of the account network to determine which resources are to be accessible on the servers of the account network.
Abstract
An authentication system combines device credential verification with user credential verification to provide a more robust authentication mechanism that is convenient to the user and effective across enterprise boundaries. In one implementation, user credential verification and device credential verification are combined to provide a convenient two-factor authentication. In this manner, an account authority service or other authentication provider verifies both factors and provides a security token in accordance with the security policy of the account network resource the user intends to access. The level of privilege granted by the target account network resource can vary depending on the number and type of factors verified by the account authority service.
62 Citations
20 Claims
12. One or more computer readable storage devices having computer-executable instructions to enable a computer process to perform multiple-factor authentication of a user within an account network, the account network having an authorization service that manages user accounts of users of the account network and that verifies requests, received via a network, of the users of the account network to access servers in the account network, the computer process comprising:
receiving via the network, by the authorization service, a request initiated by a device to associate a device identifier of a device credential with a user identifier of a user credential of the user, the device credential corresponding to the device and employed by the user to access the account network, the device operated by the user;
responsive to the request, configuring an account of the user to comprise an association between the user identifier and the device identifier, the association representing a trust relationship between the user and the device;
responsive to an access request by the device, evaluating a credential from the device against the user credential and the device credential to generate verification results; and
according to the verification results, generating a token usable by the device to access the servers in the account network, wherein the token is generated to comprise an indication of a first privilege granted when the user credential and the device credential have been verified, and wherein the token is generated to comprise an indication of a second privilege when the user credential is verified and the device credential has not been verified.
Dependent claims: 13, 14, 15, 16, 17.
18. A method of authorizing a user with a level of privilege for accessing an account network resource, the method comprising:
receiving, via a network, evidence of identity from a device through which the user is attempting to access the account network resource;
interrogating the evidence of identity to determine whether the evidence of identity indicates successful verification of both a user credential of the user and a device credential of the device by an authentication provider trusted by the account network resource, the authentication provider comprising a network service used by users of the account network resource for authentication over the network;
generating a first token granting a first level of privilege to the user when using the device within the account network if the evidence of identity indicates successful verification of both the user credential of the user and the device credential of the device by the authentication provider; and
generating a second token granting a second level of privilege to the user using the device within the account network if the evidence of identity indicates successful verification of the user credentials and unsuccessful verification of the device credentials of the device by the authentication provider.
Dependent claims: 19, 20.
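The flow described by the abstract and by claims 1, 12 and 18 (store the user credential, register a device credential together with its association to the user, verify both factors on access, issue a token whose privilege level depends on which factors verified, and let resource servers gate access on that level) is shown below as an added worked example. It is illustrative code written for this page, not the patent's own implementation: the `AccountAuthority` and `ResourceServer` classes, the two privilege constants, the HMAC-signed token format and the `/mail` and `/payroll` resource policy are all assumptions chosen for the example.

```python
import base64
import hashlib
import hmac
import json
import os
import time

# Privilege levels carried in the token (values chosen for this example).
PRIV_USER_ONLY = 1        # user credential verified, device credential not verified
PRIV_USER_AND_DEVICE = 2  # both the user and the device credential verified


def _derive(secret: str, salt: bytes) -> bytes:
    """Slow salted hash so a leaked credential store does not expose raw passwords."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, 100_000)


class AccountAuthority:
    """Toy account authority service (assumed design): holds user and device
    credentials plus user<->device associations and issues signed privilege tokens."""

    def __init__(self, signing_key: bytes):
        self._key = signing_key
        self._users = {}    # user_id   -> (salt, derived hash of the user password)
        self._devices = {}  # device_id -> (salt, derived hash of the device password)
        self._assoc = {}    # user_id   -> set of device_ids the user has trusted

    def register_user(self, user_id: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[user_id] = (salt, _derive(password, salt))

    def register_device(self, user_id: str, device_id: str, device_password: str) -> None:
        """Store the device credential and the association (the trust relationship)."""
        if user_id not in self._users:
            raise KeyError("unknown user")
        salt = os.urandom(16)
        self._devices[device_id] = (salt, _derive(device_password, salt))
        self._assoc.setdefault(user_id, set()).add(device_id)

    @staticmethod
    def _check(store: dict, ident, secret) -> bool:
        entry = store.get(ident)
        if entry is None or secret is None:
            return False
        salt, expected = entry
        return hmac.compare_digest(_derive(secret, salt), expected)

    def authenticate(self, user_id, password, device_id=None, device_password=None):
        """Verify both factors. No token at all if the user factor fails; otherwise the
        privilege level records whether the associated device credential also verified."""
        if not self._check(self._users, user_id, password):
            return None
        level = PRIV_USER_ONLY
        # The device only counts if it is associated with THIS user and its secret checks.
        if (device_id in self._assoc.get(user_id, set())
                and self._check(self._devices, device_id, device_password)):
            level = PRIV_USER_AND_DEVICE
        return self._issue(user_id, device_id, level)

    def _issue(self, user_id, device_id, level: int) -> str:
        payload = json.dumps({"sub": user_id, "dev": device_id, "priv": level,
                              "exp": int(time.time()) + 3600}, sort_keys=True).encode()
        body = base64.urlsafe_b64encode(payload)
        sig = hmac.new(self._key, body, hashlib.sha256).digest()
        return (body + b"." + base64.urlsafe_b64encode(sig)).decode()

    def verify_token(self, token: str):
        """Called by resource servers: returns the claims, or None if forged or expired."""
        try:
            body, sig = token.encode().split(b".", 1)
            expected = hmac.new(self._key, body, hashlib.sha256).digest()
            if not hmac.compare_digest(base64.urlsafe_b64decode(sig), expected):
                return None
            claims = json.loads(base64.urlsafe_b64decode(body))
        except ValueError:  # bad base64, bad split or bad JSON
            return None
        return claims if claims.get("exp", 0) > time.time() else None


class ResourceServer:
    """Server in the account network: each resource requires a minimum privilege level."""
    POLICY = {"/mail": PRIV_USER_ONLY, "/payroll": PRIV_USER_AND_DEVICE}

    def __init__(self, authority: AccountAuthority):
        self._authority = authority

    def access(self, token: str, resource: str) -> bool:
        claims = self._authority.verify_token(token)
        if claims is None:
            return False
        # Unknown resources default to the strictest requirement.
        return claims["priv"] >= self.POLICY.get(resource, PRIV_USER_AND_DEVICE)
```

Two points the claims make are visible in the code: a device credential that verifies but is associated with a different user still yields only the user-only level, and a failed user credential yields no token at all rather than a low-privilege one.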
Specification