Facilitating multiple authentications

US 9,344,427 B1
Filed: 11/11/2014
Issued: 05/17/2016
Est. Priority Date: 11/11/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

receiving, at a control layer of a computing resource service provider via an application accessed by a user device, a request to access a service;

receiving, at the control layer of the computing resource service provider via the application, a user identifier and a password associated with the user identifier for accessing the service;

obtaining a first authentication of the user identifier and the password using an authentication directory accessible by the computing resource provider, the authentication directory comprising one of a plurality of directories accessible by the computing resource provider;

at least partly in response to obtaining the first authentication, encrypting the password to create an encrypted password;

transmitting the encrypted password to the application accessed by the user device, wherein the application is configured to decrypt the encrypted password to create a decrypted password and transmit the decrypted password to the user device;

receiving, from the user device, at a data layer of the computing resource provider, and independently of the control layer, the decrypted password; and

obtaining a second authentication of the decrypted password.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques and constructs to facilitate multiple authentications of passwords are described. For instance, the disclosure describes systems and processes that authenticate a password and return an encrypted password that may be subsequently decrypted for additional authentications.

Citations

20 Claims

1. A computer-implemented method comprising:
- receiving, at a control layer of a computing resource service provider via an application accessed by a user device, a request to access a service;
  
  receiving, at the control layer of the computing resource service provider via the application, a user identifier and a password associated with the user identifier for accessing the service;
  
  obtaining a first authentication of the user identifier and the password using an authentication directory accessible by the computing resource provider, the authentication directory comprising one of a plurality of directories accessible by the computing resource provider;
  
  at least partly in response to obtaining the first authentication, encrypting the password to create an encrypted password;
  
  transmitting the encrypted password to the application accessed by the user device, wherein the application is configured to decrypt the encrypted password to create a decrypted password and transmit the decrypted password to the user device;
  
  receiving, from the user device, at a data layer of the computing resource provider, and independently of the control layer, the decrypted password; and
  
  obtaining a second authentication of the decrypted password.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, further comprising determining that the password is required to obtain the second authentication, andwherein the encrypting the password is carried out at least partly in response to the determining that the password is required to obtain the second authentication.
  - 3. The method of claim 1, further comprising receiving a token from one of the plurality of directories at least partly in response to receiving the first authentication, the token allowing for additional access, via the application, to the computing resource service provider.
  - 4. The method of claim 1, further comprising generating an authorization code and associating the encrypted password with the authorization code.
  - 5. The method of claim 1, wherein the obtaining the first authentication comprises transmitting the user name and the password to an agent, and the agent is configured to correspond with the authentication directory to authenticate the user name and the password.

6. A system comprising:
- a control layer accessible by a user device via an application; and
  
  a data layer having a plurality of directories and accessible by the application via the control layer, upon a first authentication of user credentials, and by the user device independent of the control layer, upon a second authentication of the user credentials, the plurality of directories including at least an authentication directory,wherein the control layer comprises one or more computing devices programmed to implement;
  
  a network interface configured to receive, from the application, a request to access a service by a user device, and the user credentials associated with the user device requesting access to the service;
  
  an authentication module configured to obtain the first authentication of the user device from the authentication directory; and
  
  an encryption module configured to, at least partly in response to obtaining the first authentication of the user credentials, encrypt at least a portion of the user credentials to create encrypted user credentials,wherein the network interface is further configured to transmit, to the application, the encrypted user credentials, andwherein the encrypted user credentials are decrypted and presented to the data layer to obtain the second authentication of the user device.
- View Dependent Claims (7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 7. The system of claim 6, wherein the authentication directory comprises a key distribution center, the key distribution center generates a ticket upon an authentication of user credentials, and the authentication module is configured to obtain the ticket as the first authentication of the user device.
  - 8. The system of claim 7, wherein the ticket is a Kerberos ticket.
  - 9. The system of claim 6, wherein the user device is one of a plurality of networked devices and each of the plurality of networked devices is registered with one or more directories on the data layer to access the data layer independently of the control layer.
  - 10. The system of claim 6, wherein the encryption module is further configured to encrypt the at least a portion of the user credentials using a key associated with the application.
  - 11. The system of claim 10, wherein one of the plurality of directories stores the key associated with the application.
  - 12. The system of claim 10, wherein the key associated with the application comprises a public key of the application.
  - 13. The system of claim 10, wherein the key is rotated by the application.
  - 14. The system of claim 6, wherein the data layer further comprises an agent configured to facilitate communication between the first subsystem and the directory subsystem.
  - 15. The system of claim 6, wherein the control layer is further configured to implement an authorization code generation module for generating an authorization code at least partly in response to the first authentication.
  - 16. The system of claim 15, wherein the authorization code is associated with the encrypted user credentials.

17. A computer-implemented method comprising:
- receiving, from a user device, a request to access an application provided by a computing resource service provider, wherein the application requires that the user device is authenticated, via a first authentication of a password, to create a session with the application and access one or more directories during the session, and authenticated, via a second authentication of the password, to access the one or more directories independently of the session;
  
  receiving, from the user device, the password;
  
  transmitting, to an authentication module, the password;
  
  receiving, from the authentication module, the first authentication of the user credentials;
  
  receiving, at least in part in response to an indication that the password will be required to obtain the second authentication, from the authentication module, an encrypted password comprising the password encrypted using a key associated with the application;
  
  decrypting the encrypted password to obtain a decrypted password; and
  
  transmitting the decrypted password to the user device, wherein the decrypted password is used by the user device to obtain the second authentication.
- View Dependent Claims (18, 19, 20)
- - 18. The method of claim 17, wherein the user device is joined by a domain to the one or more directories to access the one or more directories independently of the session.
  - 19. The method of claim 17, wherein the password is encrypted with a public key associated with the application and wherein the decrypting the encrypted password comprises decrypting the encrypted password with the private key of the application.
  - 20. The method of claim 17, further comprising:
    - receiving, from the authentication module, an authorization code; and
      
      exchanging the authorization code for one or more tokens,wherein the encrypted password is received at least in part in response to exchanging the authorization code.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Mehta, Gaurang Pankaj, Pandya, Chirag Pravin
Primary Examiner(s)
Najjar, Saleh
Assistant Examiner(s)
Korsak, Oleg

Application Number

US14/538,187
Time in Patent Office

553 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/083   using passwords cryptograph...

H04L 63/0884   by delegation of authentica...

Facilitating multiple authentications

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Facilitating multiple authentications

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links