On-demand service security system and method for managing a risk of access as a condition of permitting access to the on-demand service

US 8,898,753 B1
Filed: 03/19/2012
Issued: 11/25/2014
Est. Priority Date: 11/15/2007
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving a request to access an on-demand service from a requestor at the on-demand service, the request including credentials for logging into the on-demand service;

determining, utilizing a hardware processor, that the requestor from which the request to access the on-demand service is received is a potentially risky source, the determination being based at least on;

information about the requestor, andinformation about one of a plurality of entities of the on-demand service to which the access is requested, wherein the information about the one of the plurality of entities is stored by the on-demand service;

in response to the request to access the on-demand service and the determination that the requestor is the potentially risky source, managing access to the on-demand service by;

identifying information previously stored in association with the credentials that were received in the request to access the on-demand service, the information previously stored in association with the credentials indicating a message destination,sending, by the on-demand service, a token to the message destination,after sending the token to the message destination, challenging the requestor to provide the token to the on-demand service,determining whether the token is provided by the requestor to the on-demand service in response to the challenge,identifying the requestor as authenticated in response to a determination that the token is provided by the requestor to the on-demand service, and permitting the requested access to the on-demand service by the authenticated requestor, andidentifying the requestor as non-authenticated in response to a determination that the token is not provided by the requestor to the on-demand service, and prohibiting the requested access to the on-demand service by the non-authenticated requestor.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Provided are mechanisms and methods for managing a risk of access to an on-demand service as a condition of permitting access to the on-demand service. These mechanisms and methods for providing such management can help prohibit an unauthorized user from accessing an account of an authorized user when the authorized user inadvertently loses login information. The ability to provide such management may lead to an improved security feature for accessing on-demand services.

228 Citations

12 Claims

1. A method, comprising:
- receiving a request to access an on-demand service from a requestor at the on-demand service, the request including credentials for logging into the on-demand service;
  
  determining, utilizing a hardware processor, that the requestor from which the request to access the on-demand service is received is a potentially risky source, the determination being based at least on;
  
  information about the requestor, andinformation about one of a plurality of entities of the on-demand service to which the access is requested, wherein the information about the one of the plurality of entities is stored by the on-demand service;
  
  in response to the request to access the on-demand service and the determination that the requestor is the potentially risky source, managing access to the on-demand service by;
  
  identifying information previously stored in association with the credentials that were received in the request to access the on-demand service, the information previously stored in association with the credentials indicating a message destination,sending, by the on-demand service, a token to the message destination,after sending the token to the message destination, challenging the requestor to provide the token to the on-demand service,determining whether the token is provided by the requestor to the on-demand service in response to the challenge,identifying the requestor as authenticated in response to a determination that the token is provided by the requestor to the on-demand service, and permitting the requested access to the on-demand service by the authenticated requestor, andidentifying the requestor as non-authenticated in response to a determination that the token is not provided by the requestor to the on-demand service, and prohibiting the requested access to the on-demand service by the non-authenticated requestor.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the on-demand service includes an on-demand database service.
  - 3. The method of claim 2, wherein the on-demand service includes a multi-tenant on-demand database service.
  - 4. The method of claim 1, wherein managing access to the on-demand service further includes generating the token.
  - 5. The method of claim 4, wherein the token is generated in response to a valid username and a valid password being entered by the requestor.
  - 6. The method of claim 5, wherein the token generated in response to the valid username and the valid password entered by the requestor is generated based on the valid username.
  - 7. The method of claim 1, wherein the determination that the requestor is the potentially risky source is further based at least on a device associated with the requestor.
  - 8. The method of claim 7, wherein it is determined that the requestor is the potentially risky source because the device associated with the requestor has not previously been associated with at least one of a plurality of users identified by the information about the one of the plurality of entities of the on-demand service to which the access is requested.
  - 9. The method of claim 7, wherein it is determined that the requestor is the potentially risky source because the device associated with the requestor has previously been associated with at least one of a plurality of users identified by the information about the one of the plurality of entities of the on-demand service to which the access is requested.
  - 10. The method of claim 1, wherein determining that the requestor is the potentially risky source includes comparing the information about the requestor with a list of at least one of users and entities pre-determined to be granted access to the on-demand service.

11. A computer program product, comprising a non-transitory computer usable medium having a computer readable program code embodied therein, the computer readable program code adapted to be executed to cause a computer to implement a method comprising:
- receiving a request to access an on-demand service from a requestor at the on-demand service, the request including credentials for logging into the on-demand service;
  
  determining that the requestor from which the request to access the on-demand service is received is a potentially risky source, the determination being based at least on;
  
  information about the requestor, andinformation about one of a plurality of entities of the on-demand service to which the access is requested, wherein the information about the one of the plurality of entities is stored by the on-demand service;
  
  in response to the request to access the on-demand service and the determination that the requestor is the potentially risky source, managing access to the on-demand service by;
  
  identifying information previously stored in association with the credentials that were received in the request to access the on-demand service, the information previously stored in association with the credentials indicating a message destination,sending, by the on-demand service, a token to the message destination,after sending the token to the message destination, challenging the requestor to provide the token to the on-demand service,determining whether the token is provided by the requester to the on-demand service in response to the challenge,identifying the requestor as authenticated in response to a determination that the token is provided by the requestor to the on-demand service, and permitting the requested access to the on-demand service by the authenticated requestor, andidentifying the requestor as non-authenticated in response to a determination that the token is not provided by the requestor to the on-demand service, and prohibiting the requested access to the on-demand service by the non-authenticated requestor.

12. An apparatus, comprising:
- a hardware processor; and
  
  one or more stored sequences of instructions which, when executed by the hardware processor, cause the hardware processor to carry out the steps of;
  
  receiving a request to access an on-demand service from a requestor at the on-demand service, the request including credentials for logging into the on-demand service;
  
  determining that the requestor from which the request to access the on-demand service is received is a potentially risky source, the determination being based at least on;
  
  information about the requestor, andinformation about one of a plurality of entities of the on-demand service to which the access is requested, wherein the information about the one of the plurality of entities is stored by the on-demand service;
  
  in response to the request to access the on-demand service and the determination that the requestor is the potentially risky source, managing access to the on-demand service by;
  
  identifying information previously stored in association with the credentials that were received in the request to access the on-demand service, the information previously stored in association with the credentials indicating a message destination,sending, by the on-demand service, a token to the message destination,after sending the token to the message destination, challenging the requestor to provide the token to the on-demand service,determining whether the token is provided by the requestor to the on-demand service in response to the challenge,identifying the requestor as authenticated in response to a determination that the token is provided by the requestor to the on-demand service, and permitting the requested access to the on-demand service by the authenticated requestor, andidentifying the requestor as non-authenticated in response to a determination that the token is not provided by the requestor to the on-demand service, and prohibiting the requested access to the on-demand service by the non-authenticated requestor.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Salesforce.com, Inc.
Original Assignee
Salesforce.com, Inc.
Inventors
Junod, Forrest A., Fly, Robert C., Dapkus, Peter, Yancey, Scott W., Lawrance, Steven S., Fell, Simon Z.
Primary Examiner(s)
SHOLEMAN, ABU S

Application Number

US13/424,285
Time in Patent Office

981 Days
Field of Search

726 5- 7, 726/22, 726/24, 726/25, 726/26, 713/165, 713/159, 713/172
US Class Current

726/5
CPC Class Codes

G06F 21/31 User authentication

On-demand service security system and method for managing a risk of access as a condition of permitting access to the on-demand service

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

228 Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

On-demand service security system and method for managing a risk of access as a condition of permitting access to the on-demand service

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

228 Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links