Selectively enabling multi-factor authentication for managed devices

US 9,866,546 B2
Filed: 10/29/2015
Issued: 01/09/2018
Est. Priority Date: 10/29/2015
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer-readable medium embodying a program executable in at least one computing device, the program, when executed by the at least one computing device, being configured to cause the at least one computing device to at least:

receive an authentication request for a first client application executed in a managed client device, the authentication request including a first authentication factor corresponding to a management single sign-on (“

SSO”

) credential wherein the SSO credential is downloaded to the managed client device during or after enrollment with a device management service;

determine a version of an operating system of the managed client device;

determine, at an identity provider service separate from the managed client device, whether at least one second authentication factor should be requested when the version of the operating system corresponds to a particular operating system version; and

in response to determining that the at least one second authentication factor should be requested based on the particular operating system version;

request the at least one second authentication factor from a second client application;

receive the at least one second authentication factor from the second client application; and

authenticate the first client application in response to verifying the first authentication factor and the at least one second authentication factor.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed are various examples of selectively enabling multi-factor authentication for applications on managed devices. An identity provider receives an authentication request for a first client application executed in a managed client device. The authentication request includes a first authentication factor corresponding to a management credential. The identity provider then determines whether one or more second authentication factors should be requested. If so, the identity provider then requests the second authentication factor(s) from a second client application. The identity provider receives the second authentication factor(s) from the second client application. The identity provider then authenticates the first client application in response to verifying the first authentication factor and the second authentication factor(s).

Citations

18 Claims

1. A non-transitory computer-readable medium embodying a program executable in at least one computing device, the program, when executed by the at least one computing device, being configured to cause the at least one computing device to at least:
- receive an authentication request for a first client application executed in a managed client device, the authentication request including a first authentication factor corresponding to a management single sign-on (“
  
  SSO”
  
  ) credential wherein the SSO credential is downloaded to the managed client device during or after enrollment with a device management service;
  
  determine a version of an operating system of the managed client device;
  
  determine, at an identity provider service separate from the managed client device, whether at least one second authentication factor should be requested when the version of the operating system corresponds to a particular operating system version; and
  
  in response to determining that the at least one second authentication factor should be requested based on the particular operating system version;
  
  request the at least one second authentication factor from a second client application;
  
  receive the at least one second authentication factor from the second client application; and
  
  authenticate the first client application in response to verifying the first authentication factor and the at least one second authentication factor.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The non-transitory computer-readable medium of claim 1, wherein the program, when executed by the at least one computing device, is further configured to cause the at least one computing device to:
    - determine a location of the managed client device; and
      
      determine a risk score based at least in part on the location,wherein determining whether the at least one second authentication factor should be requested is based at least in part on the risk score.
  - 3. The non-transitory computer-readable medium of claim 1, wherein the program, when executed by the at least one computing device, is further configured to cause the at least one computing device to at least:
    - determine a version of the first client application; and
      
      determine that the at least one second authentication factor should be requested when the version of the first client application corresponds to a particular version of the first client application.
  - 4. The non-transitory computer-readable medium of claim 1, wherein the program is configured to determine that the at least one second authentication factor should be requested in response to verifying the first authentication factor.
  - 5. The non-transitory computer-readable medium of claim 1, wherein the first authentication factor corresponds to data generated by a secure certificate or a Kerberos profile.
  - 6. The non-transitory computer-readable medium of claim 1, wherein the at least one second authentication factor is not natively supported by the first client application.
  - 7. The non-transitory computer-readable medium of claim 1, wherein the second client application is executed in an unmanaged client device.

8. A system, comprising:
- at least one computing device; and
  
  an identity provider service executable by the at least one computing device, the identity provider service configured to cause the at least one computing device to at least;
  
  receive an authentication request for a first client application executed in a managed client device, the authentication request including a first authentication factor corresponding to a management single sign-on (“
  
  SSO”
  
  ) credential wherein the SSO credential is downloaded to the managed client device during or after enrollment with a device management service;
  
  determine a version of an operating system of the managed client device;
  
  determine whether at least one second authentication factor should be requested when the version of the operating system corresponds to a particular operating system version; and
  
  in response to determining that the at least one second authentication factor should be requested based on the particular operating system version;
  
  request the at least one second authentication factor from a second client application;
  
  receive the at least one second authentication factor from the second client application; and
  
  authenticate the first client application in response to verifying the first authentication factor and the at least one second authentication factor.
- View Dependent Claims (9, 10, 11)
- - 9. The system of claim 8, wherein at least one of the plurality of criteria is based at least in part on a location of the managed client device.
  - 10. The system of claim 8, wherein at least one of the plurality of criteria is based at least in part on a version of the first client application.
  - 11. The system of claim 8, wherein the first client application is redirected to authenticate with the identity provider service by a service provider, and a decision whether to request the at least one second authentication factor is made by the identity provider service independently of the service provider.

12. A method, comprising:
- receiving a first authentication request for a first client application executed in a managed client device, the first authentication request including a first authentication factor corresponding to a management single sign-on (“
  
  SSO”
  
  ) credential wherein the SSO credential is downloaded to the managed client device during or after enrollment with a device management service;
  
  determine a version of an operating system of the managed client device;
  
  determining, at an identity provider service separate from the managed client device, that at least one second authentication factor should be requested based on the particular operating system version, and in response to the first authentication request;
  
  requesting the at least one second authentication factor from a second client application when the version of the operating system corresponds to a particular operating system version;
  
  receiving the at least one second authentication factor from the second client application;
  
  authenticating the first client application in response to verifying the first authentication factor and the at least one second authentication factor,receiving a second authentication request for the first client application, the first authentication request including the first authentication factor;
  
  determining, at the identity provider service separate from the managed client device, that at least one second authentication factor should be not requested in response to the second authentication request; and
  
  authenticating the first client application in response to verifying the first authentication factor.
- View Dependent Claims (13, 14, 15, 16, 17, 18)
- - 13. The method of claim 12, wherein authenticating the first client application further comprises:
    - generating an authentication token; and
      
      sending the authentication token to the first client application.
  - 14. The method of claim 12, further comprising:
    - determining a respective risk profile associated with each of the first authentication request and the second authentication request,wherein determining that at least one second authentication factor should or should not be requested is based at least in part on the risk profile.
  - 15. The method of claim 12, further comprising:
    - determining a level of network traffic associated with a network,wherein the respective risk profile is based at least in part on the level of network traffic.
  - 16. The method of claim 12, further comprising:
    - determining a quantity of client applications installed in the managed client device,wherein the respective risk profile is based at least in part on the quantity of client applications.
  - 17. The method of claim 12, wherein the second client application is executed in the managed client device.
  - 18. The method of claim 12, wherein the second client application is executed in a trusted client device, and the at least one second authentication factor comprises a user approval.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Omnissa, LLC
Original Assignee
AirWatch LLC (Broadcom, Inc.)
Inventors
Brannon, Jonathan Blake
Primary Examiner(s)
Pham, Luu
Assistant Examiner(s)
JACKSON, JENISE E

Application Number

US14/926,763
Publication Number

US 20170126660A1
Time in Patent Office

803 Days
Field of Search

726 6
US Class Current
CPC Class Codes

H04L 2463/082   applying multi-factor authe...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 63/0823   using certificates cryptogr...

H04L 63/12   Applying verification of th...

Selectively enabling multi-factor authentication for managed devices

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Selectively enabling multi-factor authentication for managed devices

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links