Trusted device-specific authentication

US 8,800,003 B2
Filed: 06/17/2011
Issued: 08/05/2014
Est. Priority Date: 06/02/2008
Status: Active Grant

First Claim

Patent Images

1. A method of performing multiple-factor authentication of a user of a device within an account network, the method comprising:

accessing a user credential stored by an account authority service of the account network, the user credential comprising a user identifier and a corresponding password, the account authority service comprising a network service that provides account authorization services via a network to users of the account network;

receiving and storing via the network, at the account authority service, a device credential for the device and association information indicating that the device credential is to be associated with the user credential, the device credential comprising an identifier and a corresponding device password, the account authority service responding to the association information by storing an association between the device identifier and the user identifier, wherein the device credential is employed by the user to access the account network, the association representing a trust relationship between the user and the device;

when accessing the account network by the device, receiving the device credential and user credential via the network from the device at the account authority service and in response attempting to verify the user credential and the device credential; and

generating a security token and sending the security token to the device to be used to access the account network, wherein the security token is configured by the account authority service to comprise an indication of a level of privilege granted by the account authority service in accordance with the attempting to verify the user credential and the device credential, the granted level of privilege when the user credential is successfully verified being dependent upon whether the device credential is successfully verified, the level of privilege used by servers of the account network to determine which resources are to be accessible on the servers of the account network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An authentication system combines device credential verification with user credential verification to provide a more robust authentication mechanism that is convenient to the user and effective across enterprise boundaries. In one implementation, user credential verification and device credential verification are combined to provide a convenient two-factor authentication. In this manner, an account authority service or other authentication provider verify both factors and provide a security token in accordance with the security policy of the account network resource the user is intending to access. The level of privilege granted by the target account network resource can vary depending on the number and type of factors verified by the account authority service.

62 Citations

View as Search Results

20 Claims

1. A method of performing multiple-factor authentication of a user of a device within an account network, the method comprising:
- accessing a user credential stored by an account authority service of the account network, the user credential comprising a user identifier and a corresponding password, the account authority service comprising a network service that provides account authorization services via a network to users of the account network;
  
  receiving and storing via the network, at the account authority service, a device credential for the device and association information indicating that the device credential is to be associated with the user credential, the device credential comprising an identifier and a corresponding device password, the account authority service responding to the association information by storing an association between the device identifier and the user identifier, wherein the device credential is employed by the user to access the account network, the association representing a trust relationship between the user and the device;
  
  when accessing the account network by the device, receiving the device credential and user credential via the network from the device at the account authority service and in response attempting to verify the user credential and the device credential; and
  
  generating a security token and sending the security token to the device to be used to access the account network, wherein the security token is configured by the account authority service to comprise an indication of a level of privilege granted by the account authority service in accordance with the attempting to verify the user credential and the device credential, the granted level of privilege when the user credential is successfully verified being dependent upon whether the device credential is successfully verified, the level of privilege used by servers of the account network to determine which resources are to be accessible on the servers of the account network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1 wherein the security token is based on evidence of verification of both the user identifier and the device identifier.
  - 3. The method of claim 1 further comprising:
    - associatively recording the user identifier and the device identifier in an account of the user within the account network that is managed by the account authority service.
  - 4. The method of claim 1 further comprising:
    - recording the user identifier and the device identifier and at least one other device identifier corresponding to another device, the recording operation designating devices identified by the device identifier and the at least one other device identifier as trusted devices of the user.
  - 5. The method of claim 1 wherein the security token includes both the user identifier and the device identifier.
  - 6. The method of claim 1 wherein the security token comprises evidence of identity of the user, and wherein the security token includes an interface allowing a recipient of the security token to access both the user identifier and the device identifier from the security token.
  - 7. The method of claim 1 further comprising:
    - disassociating the user identifier from the device identifier to remove the device as a trusted device of the user.
  - 8. The method of claim 1 wherein the generating operation provides evidence of identity only upon successful verification of both the user credential and the device credential, and further comprising:
    - withholding the evidence of identity of the user if verification of both the user credential and the device credential is unsuccessful.
  - 9. The method of claim 1 further comprising:
    - blocking an attempt by the user to change the user credential and the device credential if the user credential is successfully verified but the device credential is not successfully verified.
  - 10. The method of claim 1 further comprising:
    - notifying the user that an attempt to authenticate using the user credential resulted in successful verification of the user credential but not successful authentication of the device credential.
  - 11. The method of claim 1 wherein the level of privilege when the device credential is determined to be verified the level of privilege grants access to at least some resources that are accessible when the device credential is verified, and when the device credential is not successfully verified the level of privilege does not grant access to the some of the resources but does grant access to other resources based on the verification of the user credential.

12. One or more computer readable storage devices having computer-executable instructions to enable a computer process to perform multiple-factor authentication of a user within an account network, the account network having an authorization service that manages user accounts of users of the account network and that verifies requests, received via a network, of the users of the account network to access servers in the account network, the computer process comprising:
- receiving via the network, by the authorization service, a request initiated by a device to associate a device identifier of a device credential with a user identifier of a user credential of the user, the device credential corresponding to the device and employed by the user to access the account network, the device operated by the user;
  
  responsive to the request, configuring an account of the user to comprise an association between the user identifier and the device identifier, the association representing a trust relationship between the user and the device;
  
  responsive to an access request by the device, evaluating a credential from the device against the user credential and the device credential to generate verification results; and
  
  according to the verification results, generating a token usable by the device to access the servers in the account network, wherein the token is generated to comprise an indication of a first privilege granted when the user credential and the device credential have been verified, and wherein the token is generated to comprise an indication of a second privilege when the user credential is verified and the device credentials has not been verified.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The one or more computer readable storage devices of claim 12 wherein the token includes both the user identifier and the device identifier.
  - 14. The one or more computer readable storage devices of claim 12 wherein the configuring operation comprises:
    - recording the user identifier and the device identifier and at least one other device identifier.
  - 15. The one or more computer readable storage devices of claim 12 wherein the generating operation comprises:
    - adding the user identifier and the device identifier to the token.
  - 16. The one or more computer readable storage devices of claim 12 wherein the generating operation comprises:
    - including with the token an interface allowing a server to access both the user identifier and the device identifier from the token.
  - 17. The one or more computer readable storage devices of claim 12 wherein the first privilege is higher than the second privilege.

18. A method of authorizing a user with a level of privilege for accessing an account network resource, the method comprising:
- receiving, via a network, evidence of identity from a device through which the user is attempting to access the account network resource;
  
  interrogating the evidence of identity to determine whether the evidence of identity indicates successful verification of both a user credential of the user and a device credential&
  
  of the device by an authentication provider trusted by the account network resource, the authentication provider comprising a network service used by users of the account network resource for authentication over the network;
  
  generating a first token granting a first level of privilege to the user when using the device within the account network if the evidence of identity indicates successful verification of both the user credential of the user and the device credential of the device by the authentication provider; and
  
  generating a second token granting a second level of privilege to the user using the device within the account network if the evidence of identity indicates successful verification of the user credentials and unsuccessful verification of the device credentials of the device by the authentication provider.
- View Dependent Claims (19, 20)
- - 19. The method of claim 18 wherein the first level of privilege is higher than the second level of privilege and authorizes access to resources not authorized by the second level of privilege.
  - 20. The method of claim 18 wherein the first and second tokens provide a programming interface through which the account network resource can access a user identifier of the user credential and a device identifier of the device credential.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Guo, Wei-Qiang (Michael), Rouskov, Yordan, Chen, Rui, Wong, Pui-Yin Winfred
Primary Examiner(s)
Le, Chau
Assistant Examiner(s)
ZHAO, DON GORDON

Application Number

US13/162,834
Publication Number

US 20110247055A1
Time in Patent Office

1,145 Days
Field of Search

726/4
US Class Current

726/4
CPC Class Codes

G06F 21/31   User authentication

G06F 21/32   using biometric data, e.g. ...

G06F 21/34   involving the use of extern...

H04L 2209/56   Financial cryptography, e.g...

H04L 63/0823   using certificates cryptogr...

H04L 63/0876   based on the identity of th...

H04L 63/105   Multiple levels of security

H04L 9/3234   involving additional secure...

H04L 9/3263   involving certificates, e.g...

Trusted device-specific authentication

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

62 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Trusted device-specific authentication

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

62 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links