Selectively enabling multi-factor authentication for managed devices
Abstract
Disclosed are various examples of selectively enabling multi-factor authentication for applications on managed devices. An identity provider receives an authentication request for a first client application executed in a managed client device. The authentication request includes a first authentication factor corresponding to a management credential. The identity provider then determines whether one or more second authentication factors should be requested. If so, the identity provider then requests the second authentication factor(s) from a second client application. The identity provider receives the second authentication factor(s) from the second client application. The identity provider then authenticates the first client application in response to verifying the first authentication factor and the second authentication factor(s).
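The decision flow the abstract describes, as an added Python example (not code from the patent or its assignee). All keys, device ids, the OS inventory, the HMAC-based credential and challenge formats, and the fail-closed handling of unparsable versions are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: every key, device id and version below is hypothetical.
SSO_KEY = b"demo-idp-sso-key"                        # signs management SSO credentials
SECOND_APP_KEYS = {"dev-1": b"demo-second-app-key"}  # secret held by the second client app
DEVICE_OS = {"dev-1": "9.3.5", "dev-2": "12.1"}      # inventory from the management service
MFA_OS_MAJORS = {8, 9}                               # OS versions that need a second factor

def _tag(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()

def issue_sso_credential(device_id):
    """First factor: credential delivered to the device at enrollment."""
    return _tag(SSO_KEY, device_id)

def second_app_response(device_id, nonce):
    """What the second client application returns for a challenge nonce."""
    return _tag(SECOND_APP_KEYS[device_id], nonce)

def needs_second_factor(os_version):
    try:
        return int(os_version.split(".")[0]) in MFA_OS_MAJORS
    except ValueError:
        return True  # unknown or malformed version: fail closed

class IdentityProvider:
    def __init__(self):
        self.pending = {}  # device id -> outstanding single-use nonce

    def _first_factor_ok(self, device_id, credential):
        return device_id in DEVICE_OS and hmac.compare_digest(
            issue_sso_credential(device_id), credential)

    def authenticate(self, device_id, credential):
        if not self._first_factor_ok(device_id, credential):
            return "denied"
        if not needs_second_factor(DEVICE_OS[device_id]):
            return "authenticated"
        self.pending[device_id] = secrets.token_hex(16)
        return "second_factor_required"

    def complete(self, device_id, credential, response):
        nonce = self.pending.pop(device_id, None)  # consumed even on failure
        if nonce is None or device_id not in SECOND_APP_KEYS:
            return "denied"
        if not self._first_factor_ok(device_id, credential):
            return "denied"
        expected = second_app_response(device_id, nonce)
        return "authenticated" if hmac.compare_digest(expected, response) else "denied"
```

The OS version is read from the server-side inventory rather than from the request, so the step-up decision does not depend on a value the client can assert about itself.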
18 Claims
1. A non-transitory computer-readable medium embodying a program executable in at least one computing device, the program, when executed by the at least one computing device, being configured to cause the at least one computing device to at least:
- receive an authentication request for a first client application executed in a managed client device, the authentication request including a first authentication factor corresponding to a management single sign-on (“SSO”) credential wherein the SSO credential is downloaded to the managed client device during or after enrollment with a device management service;
- determine a version of an operating system of the managed client device;
- determine, at an identity provider service separate from the managed client device, whether at least one second authentication factor should be requested when the version of the operating system corresponds to a particular operating system version; and
- in response to determining that the at least one second authentication factor should be requested based on the particular operating system version;
- request the at least one second authentication factor from a second client application;
- receive the at least one second authentication factor from the second client application; and
- authenticate the first client application in response to verifying the first authentication factor and the at least one second authentication factor.

View Dependent Claims (2, 3, 4, 5, 6, 7)
8. A system, comprising:
- at least one computing device; and
- an identity provider service executable by the at least one computing device, the identity provider service configured to cause the at least one computing device to at least;
- receive an authentication request for a first client application executed in a managed client device, the authentication request including a first authentication factor corresponding to a management single sign-on (“SSO”) credential wherein the SSO credential is downloaded to the managed client device during or after enrollment with a device management service;
- determine a version of an operating system of the managed client device;
- determine whether at least one second authentication factor should be requested when the version of the operating system corresponds to a particular operating system version; and
- in response to determining that the at least one second authentication factor should be requested based on the particular operating system version;
- request the at least one second authentication factor from a second client application;
- receive the at least one second authentication factor from the second client application; and
- authenticate the first client application in response to verifying the first authentication factor and the at least one second authentication factor.

View Dependent Claims (9, 10, 11)
12. A method, comprising:
- receiving a first authentication request for a first client application executed in a managed client device, the first authentication request including a first authentication factor corresponding to a management single sign-on (“SSO”) credential wherein the SSO credential is downloaded to the managed client device during or after enrollment with a device management service;
- determine a version of an operating system of the managed client device;
- determining, at an identity provider service separate from the managed client device, that at least one second authentication factor should be requested based on the particular operating system version, and in response to the first authentication request;
- requesting the at least one second authentication factor from a second client application when the version of the operating system corresponds to a particular operating system version;
- receiving the at least one second authentication factor from the second client application;
- authenticating the first client application in response to verifying the first authentication factor and the at least one second authentication factor,
- receiving a second authentication request for the first client application, the first authentication request including the first authentication factor;
- determining, at the identity provider service separate from the managed client device, that at least one second authentication factor should be not requested in response to the second authentication request; and
- authenticating the first client application in response to verifying the first authentication factor.

View Dependent Claims (13, 14, 15, 16, 17, 18)
Specification