Recovery of managed security credentials

US 8,955,065 B2
Filed: 02/01/2012
Issued: 02/10/2015
Est. Priority Date: 02/01/2012
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer-readable medium embodying a program executable in a first computing device, the program comprising:

code that sends a request for an account data to an authentication management service executed in at least one second computing device, the request for the account data specifying a security credential for accessing the account data and a client-identifying token, the account data including a plurality of security credentials of a user for accessing a plurality of network sites, wherein the authentication management service is configured to maintain the account data in an encrypted form;

code that obtains the account data from the authentication management service in response to the request for the account data;

code that obtains a master security credential from the user;

code that decrypts the account data using the master security credential;

code that obtains a request from the user to reset the security credentials to a single temporary security credential specified by the user; and

code that, responsive to the request from the user to reset the security credentials, after the decrypting, automatically resets individual ones of the security credentials included in the account data to the single temporary security credential by;

authenticating with a respective authentication service executed in a respective at least one third computing device using a respective one of the security credentials included in the account data; and

sending a corresponding reset request specifying the single temporary security credential to the respective authentication service.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed are various embodiments for recovery and other management functions relating to security credentials which may be centrally managed. Account data, which includes multiple security credentials for multiple network sites for a user, is stored by a service in an encrypted form. A request for the account data is obtained from a client. The request specifies a security credential for accessing the account data. The account data is sent to the client in response to determining that the client corresponds to a preauthorized client and in response to determining that the security credential for accessing the account data is valid.

Citations

27 Claims

1. A non-transitory computer-readable medium embodying a program executable in a first computing device, the program comprising:
- code that sends a request for an account data to an authentication management service executed in at least one second computing device, the request for the account data specifying a security credential for accessing the account data and a client-identifying token, the account data including a plurality of security credentials of a user for accessing a plurality of network sites, wherein the authentication management service is configured to maintain the account data in an encrypted form;
  
  code that obtains the account data from the authentication management service in response to the request for the account data;
  
  code that obtains a master security credential from the user;
  
  code that decrypts the account data using the master security credential;
  
  code that obtains a request from the user to reset the security credentials to a single temporary security credential specified by the user; and
  
  code that, responsive to the request from the user to reset the security credentials, after the decrypting, automatically resets individual ones of the security credentials included in the account data to the single temporary security credential by;
  
  authenticating with a respective authentication service executed in a respective at least one third computing device using a respective one of the security credentials included in the account data; and
  
  sending a corresponding reset request specifying the single temporary security credential to the respective authentication service.
- View Dependent Claims (2, 3)
- - 2. The non-transitory computer-readable medium of claim 1, wherein the program further comprises code that enforces an expiration of the single temporary security credential.
  - 3. The non-transitory computer-readable medium of claim 1, wherein the program further comprises:
    - code that obtains a request from the user to reset the single temporary security credential to a plurality of new security credentials; and
      
      code that automatically resets the single temporary security credential for the respective authentication service by;
      
      authenticating with the respective authentication service using the single temporary security credential; and
      
      resetting the single temporary security credential to a respective one of the new security credentials for the respective authentication service.

4. A method, comprising:
- sending, in a first computing device, a request for account data to an authentication management service executed in at least one second computing device, the request specifying a security credential for accessing the account data, the account data including a plurality of security credentials of a user for accessing a plurality of network sites;
  
  obtaining, in the first computing device, the account data from the authentication management service in response to the request for the account data;
  
  obtaining, in the first computing device, a master security credential associated with the account data indicated by the request;
  
  decrypting, in the first computing device, the account data using the master security credential, thereby generating decrypted account data; and
  
  automatically resetting, in the first computing device, after the decrypting, individual ones of the security credentials to a single temporary security credential by;
  
  authenticating, in the first computing device, with a respective authentication service executed in a respective at least one third computing device and associated with at least one of the network sites using a respective one of the security credentials included in the decrypted account data; and
  
  sending, in the first computing device, a corresponding reset request specifying the single temporary security credential to the respective authentication service.
- View Dependent Claims (5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 5. The method of claim 4, wherein obtaining, in the first computing device, the master security credential further comprises:
    - obtaining, in the first computing device, an encrypted version of the master security credential from a removable computer-readable medium; and
      
      decrypting, in the first computing device, the encrypted version of the master security credential based at least in part on another security credential stored in the first computing device.
  - 6. The method of claim 4, wherein the master security credential is associated with an operating system of the first computing device.
  - 7. The method of claim 4, further comprising:
    - generating, in the first computing device, a plurality of one-time security credentials; and
      
      storing, in the first computing device, the one-time security credentials with the account data.
  - 8. The method of claim 7, further comprising:
    - obtaining, in the first computing device, a one of the one-time security credentials from the user;
      
      generating, in the first computing device, the master security credential based at least in part on the one of the one-time security credentials; and
      
      removing, in the first computing device, the one of the one-time security credentials from the account data.
  - 9. The method of claim 4, wherein the automatically resetting is performed in response to a reset request initiated by the user.
  - 10. The method of claim 9, further comprising:
    - presenting, in the first computing device, at least one knowledge-based question to the user in response to the reset request;
      
      obtaining, in the first computing device, at least one answer to the at least one knowledge-based question from the user;
      
      querying, in the first computing device, the authentication management service to determine whether the at least one answer is valid; and
      
      wherein the automatically resetting is performed in response to the at least one answer being valid.
  - 11. The method of claim 4, wherein the automatically resetting is performed in response to a predetermined reset time interval.
  - 12. The method of claim 4, wherein a one of the security credentials is associated with a plurality of the network sites.
  - 13. The method of claim 4, wherein the request for the account data includes a client-identifying token stored by the first computing device.
  - 14. The method of claim 4, further comprising:
    - obtaining, in the first computing device, a request from the user to reset the single temporary security credential to a plurality of new security credentials; and
      
      automatically resetting, in the first computing device, the single temporary security credential for the respective authentication service by;
      
      authenticating with the respective authentication service using the single temporary security credential; and
      
      resetting the single temporary security credential to a respective one of the new security credentials for the respective authentication service.
  - 15. The method of claim 14, wherein the new security credentials correspond to a single new security credential obtained from the user.
  - 16. The method of claim 14, further comprising automatically generating, in the first computing device, at least some of the new security credentials according to at least one security credential specification associated with at least one of the corresponding network sites.
  - 17. The method of claim 14, further comprising:
    - obtaining, in the first computing device, a request to manually export the new security credentials; and
      
      rendering, in the first computing device, a listing of the new security credentials in clear text.
  - 18. The method of claim 14 further comprising updating, in the first computing device, the account data maintained by the authentication management service to store the new security credentials.
  - 19. The method of claim 18, wherein the updating further comprises encrypting, in the first computing device, the account data including the new security credentials using the master security credential before sending the account data to the authentication management service.
  - 20. The method of claim 4, wherein the master security credential comprises a user input.

21. A system, comprising:
- at least one first computing device, configured to at least;
  
  send a request for account data to an authentication management service executed in at least one second computing device, the request specifying a security credential for accessing the account data, the account data including a plurality of security credentials of a user for accessing a plurality of network sites;
  
  obtain the account data from the authentication management service in response to the request for the account data;
  
  obtain a master security credential associated with the account data indicated by the request;
  
  decrypt the account data using the master security credential, thereby generating decrypted account data; and
  
  automatically reset, after the decrypting, individual ones of the security credentials to a single temporary security credential by;
  
  authenticating with a respective authentication service executed in a respective at least one third computing device and associated with at least one of the network sites using a respective one of the security credentials included in the decrypted account data; and
  
  sending a corresponding reset request specifying the single temporary security credential to the respective authentication service.
- View Dependent Claims (22, 23, 24, 25, 26, 27)
- - 22. The system of claim 21, wherein obtaining the master security credential further comprises:
    - obtaining an encrypted version of the master security credential from a removable computer-readable medium; and
      
      decrypting the encrypted version of the master security credential based at least in part on another security credential stored in the first computing device.
  - 23. The system of claim 21, wherein the master security credential is associated with an operating system of the at least one first computing device.
  - 24. The system of claim 21, wherein the at least one first computing device is further configured to at least:
    - generate a plurality of one-time security credentials; and
      
      store the one-time security credentials with the account data.
  - 25. The system of claim 24, wherein the at least one first computing device is further configured to at least:
    - obtain a one of the one-time security credentials from the user;
      
      generate the master security credential based at least in part on the one of the one-time security credentials; and
      
      remove the one of the one-time security credentials from the account data.
  - 26. The system of claim 21, wherein the automatically resetting is performed in response to a reset request initiated by the user.
  - 27. The system of claim 26, wherein the at least one first computing device is further configured to at least:
    - present at least one knowledge-based question to the user in response to the reset request;
      
      obtain at least one answer to the at least one knowledge-based question from the user;
      
      query the authentication management service to determine whether the at least one answer is valid; and
      
      wherein the automatically resetting is performed in response to the at least one answer being valid.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Hitchcock, Daniel W., Campbell, Brad Lee
Primary Examiner(s)
Colin, Carl
Assistant Examiner(s)
ZHAO, DON GORDON

Application Number

US13/363,681
Publication Number

US 20130198824A1
Time in Patent Office

1,105 Days
Field of Search

726 1- 21, 713150-181
US Class Current

726/5
CPC Class Codes

G06F 21/00   Security arrangements for p...

G06F 21/41   where a single sign-on prov...

G06F 21/45   Structures or tools for the...

G06F 2221/2131   Lost password, e.g. recover...

H04L 63/06   for supporting key manageme...

H04L 63/08   for authentication of entit...

H04L 63/0815   providing single-sign-on or...

H04L 63/083   using passwords cryptograph...

H04L 63/0838   using one-time-passwords

H04L 63/0876   based on the identity of th...

H04L 63/102   Entity profiles

Recovery of managed security credentials

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Recovery of managed security credentials

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links