Context-based authentication of mobile devices

CAFC

US 9,426,182 B1
Filed: 01/07/2014
Issued: 08/23/2016
Est. Priority Date: 01/07/2013
Status: Active Grant

- Alert
- Pin

Associated Cases

Associated Defendants

First Claim

Patent Images

1. A method comprising:

storing, by an access control system, action control policies for a plurality of enterprises, wherein the access control system is external to each of the plurality of enterprises;

storing, by the access control system, action control policies for the plurality of enterprises as a mapping from contexts of requests to the action control policies, each context specifying one or more attributes describing a request received from a client device, wherein the request is for an action performed by an application hosted by a software as a services (SaaS) hosting system, each action control policy identifying actions that the client device is allowed in a given context;

receiving, by the access control system, from a first client device, a first request for interacting with the application hosted by the SaaS hosting system, the first request providing information describing a first context;

identifying a first enterprise from the plurality of enterprises, the first enterprise associated with the first client device;

determining, by the access control system, a first action control policy associated with the first enterprise for the first context based on the mapping, the first action control policy allowing a first set of actions supported by the application;

sending information describing the first action control policy to the first client device for enforcement of the first action control policy by an agent executing on the first client device;

receiving from a second client device, a second request for interacting with the application hosted by the SaaS hosting system, the second request providing information describing a second context;

identifying a second enterprise from the plurality of enterprises, the second enterprise associated with the second client device;

determining a second action control policy associated with the second enterprise for the second context based on the mapping, the second action control policy allowing a second set of actions supported by the application; and

sending information describing the second action control policy to the second client device for enforcement of the second action control policy by the agent executing on the second client device.

View all claims

5 Assignments

Timeline View

Assignment View

1 Petition

Accused Products

Abstract

A system and method are disclosed for adaptive authentication. An access control system stores policies for an enterprise, where each policy specifies a type of access control. The type of access control includes one or more security rules, which may specify authentication procedures, allowable behaviors, or both. The access control system stores a mapping from contexts of requests to interact with applications and access control policies. When a user requests access to an application associated with the enterprise via a client, the access control system receives the context of the request. The access control system selects an access control policy for the context of the request. The access control system sends access control information from the access control policy selected to the client. The client interacts with the user to perform the authentication.

54 Citations

View as Search Results

18 Claims

1. A method comprising:
- storing, by an access control system, action control policies for a plurality of enterprises, wherein the access control system is external to each of the plurality of enterprises;
  
  storing, by the access control system, action control policies for the plurality of enterprises as a mapping from contexts of requests to the action control policies, each context specifying one or more attributes describing a request received from a client device, wherein the request is for an action performed by an application hosted by a software as a services (SaaS) hosting system, each action control policy identifying actions that the client device is allowed in a given context;
  
  receiving, by the access control system, from a first client device, a first request for interacting with the application hosted by the SaaS hosting system, the first request providing information describing a first context;
  
  identifying a first enterprise from the plurality of enterprises, the first enterprise associated with the first client device;
  
  determining, by the access control system, a first action control policy associated with the first enterprise for the first context based on the mapping, the first action control policy allowing a first set of actions supported by the application;
  
  sending information describing the first action control policy to the first client device for enforcement of the first action control policy by an agent executing on the first client device;
  
  receiving from a second client device, a second request for interacting with the application hosted by the SaaS hosting system, the second request providing information describing a second context;
  
  identifying a second enterprise from the plurality of enterprises, the second enterprise associated with the second client device;
  
  determining a second action control policy associated with the second enterprise for the second context based on the mapping, the second action control policy allowing a second set of actions supported by the application; and
  
  sending information describing the second action control policy to the second client device for enforcement of the second action control policy by the agent executing on the second client device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein the first context comprises one or more of a user identifier, the application, and a time of the first request.
  - 3. The method of claim 1, wherein the first context comprises one or more of a request type and a parameter of the request.
  - 4. The method of claim 1, wherein determining the first action control policy comprises:
    - receiving an identifier of a user associated with the first request;
      
      determining a user type of the user; and
      
      selecting the first action control policy based on the user type of the user.
  - 5. The method of claim 1, wherein determining the first action control policy comprises:
    - generating a contextual model identifying expected contexts of the client device;
      
      comparing the context to the contextual model; and
      
      determining the first action control policy based on a deviation of the context from the contextual model.
  - 6. The method of claim 1, wherein the first action control policy specifies a first cache size for storing data associated with the application and the second action control policy specifies a second cache size for storing data associated with the application.
  - 7. The method of claim 1, wherein the application requires a first authentication process for allowing access to the application and the first control policy requires an additional authentication process distinct from the first authentication process for allowing access to the application.
  - 8. The method of claim 1, wherein the allows a user to perform a set of actions if the application successfully authenticates the user, whereas the first action control policy restricts the actions allowed to the user to a subset of the set of actions based on the first context.
  - 9. The method of claim 1, further comprising:
    - receiving information indicating a change in a particular action control policy associated with the first enterprise effective from a particular time; and
      
      determining a time value associated with the first request; and
      
      determining whether the changed action control policy is applicable to the first request based on the time value associated with the first request.
  - 10. The method of claim 1, wherein the first action control policy includes information identifying a parameter of the first request, wherein the access control system allows the first client device to take a particular action of the application if the identified parameter of the first request satisfies a predetermined criteria.
  - 11. The method of claim 1, wherein the first action control policy includes information identifying a parameter of the first request, wherein the access control system allows the first client device to take a particular action of the application if the identified parameter of the first request is determined to be within a predetermined set of values.
  - 12. The method of claim 1, wherein the first action control policy includes information identifying a parameter of the first request, wherein the access control system requires additional authentication if the identified parameter of the first request satisfies a predefined criteria.

13. A system comprising:
- a computer processor; and
  
  a non-transitory computer readable storage medium storing computer program instructions, the instructions when executed by the computer processor causing the computer processor to perform steps comprising;
  
  storing, by an access control system, action control policies for a plurality of enterprises, wherein the access control system is external to each of the plurality of enterprises;
  
  storing action control policies for the plurality of enterprises as a mapping from contexts of requests to the action control policies, each context specifying one or more attributes describing a request received from a client device, wherein the request is for an action performed by an application hosted by a software as a services (SaaS) hosting system, each action control policy identifying actions that the client device is allowed in a given context;
  
  receiving from a first client device, a first request for interacting with the application hosted by the SaaS hosting system, the first request providing information describing a first context;
  
  identifying a first enterprise associated with the first client device based on the first request;
  
  determining a first action control policy associated with the first enterprise for the first context based on the mapping, the first action control policy allowing a first set of actions supported by the application;
  
  sending information describing the first action control policy to the first client device for enforcement of the first action control policy by an agent executing on the first client device;
  
  receiving from a second client device, a second request for interacting with the application hosted by the SaaS hosting system, the second request providing information describing a second context;
  
  identifying a second enterprise associated with the second client device based on the second request;
  
  determining a second action control policy associated with the second enterprise for the second context based on the mapping, the second action control policy allowing a second set of actions supported by the application; and
  
  sending information describing the second action control policy to the second client device for enforcement of the second action control policy by the agent executing on the second client device.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The system of claim 13, wherein the first action control policy comprises one or more of a user identifier, the application, and a time of the first request.
  - 15. The system of claim 13, wherein the first context comprises one or more of a request type, and a parameter of the request.
  - 16. The system of claim 13, wherein determining the first action control policy comprises:
    - receiving an identifier of a user associated with the first request;
      
      determining a user type of the user; and
      
      selecting the first action control policy based on the user type of the user.
  - 17. The system of claim 13, wherein determining the first action control policy comprises:
    - generating a contextual model identifying expected contexts of the client device;
      
      comparing the context to the contextual model; and
      
      determining the action control policy based on a deviation of the context from the contextual model.

18. A non-transitory computer readable storage medium storing computer program instructions, the instructions when executed by a processor causing the processor to perform steps comprising:
- storing, by an access control system, action control policies for a plurality of enterprises, wherein the access control system is external to each of the plurality of enterprises;
  
  storing, by the access control system, action control policies for the plurality of enterprises as a mapping from contexts of requests to the action control policies, each context specifying one or more attributes describing a request received from a corresponding client device, wherein the request is for an action performed by an application hosted by a software as a services (SaaS) hosting system, each action control policy identifying actions that the client device is allowed in a given context;
  
  receiving, by the access control system, from a first client device, a first request for interacting with the application hosted by the SaaS hosting system, the first request providing information describing a first context;
  
  identifying a first enterprise from the plurality of enterprises, the first enterprise associated with the first client device;
  
  determining, by the access control system, a first action control policy associated with the first enterprise for the first context based on the mapping, the first action control policy allowing a first set of actions supported by the application;
  
  sending information describing the first action control policy to the first client device for enforcement of the first action control policy by an agent executing on the first client device;
  
  receiving from a second client device, a second request for interacting with the application hosted by the SaaS hosting system, the second request providing information describing a second context;
  
  identifying a second enterprise from the plurality of enterprises, the second enterprise associated with the second client device;
  
  determining a second action control policy associated with the second enterprise for the second context based on the mapping, the second action control policy allowing a second set of actions supported by the application; and
  
  sending information describing the second action control policy to the second client device for enforcement of the second action control policy by the agent executing on the second client device.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
Workspot, Inc.
Original Assignee
Workspot, Inc.
Inventors
Chawla, Puneet, Thomas, Christopher N., Vasavada, Yatin, Kumar, Abhijeet, Li, Guang Yuan, Zeljko, Robert, Sinha, Amitabh
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
MURPHY, JOSEPH B

Application Number

US14/149,425
Time in Patent Office

959 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/44   Program or device authentic...

G06F 21/604   Tools and structures for ma...

G06F 21/62   Protecting access to data v...

G06F 2221/2111   Location-sensitive, e.g. ge...

H04L 63/08   for authentication of entit...

H04L 63/107   wherein the security polici...

H04L 63/20   for managing network securi...

H04L 67/63   Routing a service request d...

Context-based authentication of mobile devices

First Claim

5 Assignments

1 Petition

Accused Products

Abstract

54 Citations

18 Claims

Specification

Use Cases

Quick Links

Others

Context-based authentication of mobile devices

First Claim

5 Assignments

Subscription Required

Subscription Required

1 Petition

Subscription Required

Accused Products

Subscription Required

Abstract

54 Citations

18 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others