
Managing user authentication in association with application access

  • US 9,635,036 B2
  • Filed: 09/19/2016
  • Issued: 04/25/2017
  • Est. Priority Date: 07/02/2015
  • Status: Active Grant
First Claim

1. A system comprising a processor of an application server and a memory having program instructions embodied thereon, the program instructions configured to, when executed by the processor, cause the processor to perform a method comprising:

  • receiving, by an application server and as part of a user attempting to access an application hosted on the application server, primary user credentials from a client computer at which the user is located, wherein the client computer is remote from the application server, and wherein the primary user credentials include a user identifier and a first alphanumeric password;

    attempting, by the application server and in response to the receiving the primary user credentials, to authenticate the primary user credentials via a primary authentication mechanism hosted on an authentication server, wherein the authentication server is remote from both the client computer and the application server;

    failing, by the application server, to complete the attempt to authenticate the primary user credentials via the primary authentication mechanism due to the application server being unable to establish a network connection with the authentication server;

    identifying, by the application server, an access allowance rate for the primary authentication mechanism, the access allowance rate based on a plurality of prior completed authentication attempts associated with the user identifier, wherein the access allowance rate is stored locally on the application server;

    comparing, by the application server and in response to the failure to complete the authentication attempt via the primary authentication mechanism, the access allowance rate to a set of criteria;

    determining, by the application server and based on the comparing, that the access allowance rate satisfies the set of criteria;

    prompting, by the application server and in response to the determining that the access allowance rate satisfies the set of criteria, the user to provide a second alphanumeric password via the client computer;

    receiving, by the application server and in response to the prompting, the second alphanumeric password;

    authenticating, by a secondary authentication mechanism hosted on the application server, the second alphanumeric password;

    allowing, in response to the authentication via the secondary authentication mechanism, the user access to the application, wherein the inability to complete the authentication attempt via the primary authentication mechanism causes the allowed access to be read-only access for a main portion of a database stored on the application server, the main portion of the database including a primary version of a data set;

    receiving, by the application server and after the allowing the user access to the application, a user request to modify the data set;

    storing, in response to the user request, a modified version of the data set in a quarantine portion of the database;

    establishing, by the application server and after the storing the modified version of the data set, the network connection with the authentication server;

    determining, by the application server and in response to the establishing the network connection, whether the primary user credentials are currently authenticated by the primary authentication mechanism;

    in response to determining that the primary user credentials are currently authenticated by the primary authentication mechanism, replacing, by the application server, the primary version of the data set in the main portion of the database with the modified version of the data set and expanding, by the application server, the allowed access for the main portion of the database from read-only access to full access; and

    in response to determining that the primary user credentials are not currently authenticated by the primary authentication mechanism, deleting, by the application server, the modified version of the data set in the quarantine portion of the database and revoking, by the application server, the allowed access.
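The flow recited in claim 1, sketched as an added Python example (not taken from the patent or any implementation of it). Assumptions: the access allowance rate is taken as allowed/completed prior attempts, the criteria are a minimum rate plus a minimum attempt count, the secondary password is checked with PBKDF2, the stores are in-memory dicts, and all names are hypothetical.

```python
import hashlib, hmac, os

def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AppServer:
    def __init__(self, primary_check, min_rate=0.9, min_attempts=5):
        self.primary_check = primary_check  # callable(user, pw) -> bool; raises ConnectionError
        self.min_rate, self.min_attempts = min_rate, min_attempts  # assumed criteria
        self.history, self.secondary = {}, {}  # local: [allowed, completed] and (salt, key)
        self.main, self.quarantine, self.sessions = {}, {}, {}  # sessions keep the primary pw: assumption

    def enroll_secondary(self, user, password):
        salt = os.urandom(16)
        self.secondary[user] = (salt, _kdf(password, salt))

    def login(self, user, primary_pw, ask_second_pw):
        self.sessions.pop(user, None)
        try:
            ok = self.primary_check(user, primary_pw)
        except ConnectionError:
            return self._fallback(user, primary_pw, ask_second_pw)
        stats = self.history.setdefault(user, [0, 0])
        stats[0], stats[1] = stats[0] + ok, stats[1] + 1
        if ok:
            self.sessions[user] = {"access": "full"}
        return "full" if ok else "denied"

    def _fallback(self, user, primary_pw, ask_second_pw):
        allowed, completed = self.history.get(user, (0, 0))
        if completed < max(1, self.min_attempts) or allowed / completed < self.min_rate:
            return "denied"  # criteria not met: the user is never prompted
        salt, key = self.secondary.get(user, (b"", b""))
        if not key or not hmac.compare_digest(key, _kdf(ask_second_pw(), salt)):
            return "denied"
        self.sessions[user] = {"access": "read-only", "pending": primary_pw}
        return "read-only"

    def write(self, user, key, value):
        full = self.sessions[user]["access"] == "full"  # KeyError without a session
        (self.main if full else self.quarantine.setdefault(user, {}))[key] = value

    def reconcile(self, user):  # run once the authentication server is reachable again
        ok = self.primary_check(user, self.sessions[user]["pending"])
        staged = self.quarantine.pop(user, {})
        del self.sessions[user]
        if ok:
            self.main.update(staged)  # promote quarantined edits to the main portion
            self.sessions[user] = {"access": "full"}
        return "full" if ok else "revoked"
```

If the authentication server is still unreachable, `reconcile` raises `ConnectionError` before touching the quarantine, so staged edits and the read-only session are left as they were.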
