Data sensitivity based authentication and authorization

US 10,038,726 B2
Filed: 06/12/2014
Issued: 07/31/2018
Est. Priority Date: 06/12/2013
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, by a mobile device including one or more processors, a request by a user to access data required to be used by an application executing on the mobile device;

determining, by the mobile device, a data sensitivity level associated with the data, wherein data having a higher data sensitivity level requires a greater authentication level to access the data and data having a lower data sensitivity level requires a lower authentication level to access the data, wherein the data sensitivity level associated with the data is dependent on a plurality of security inputs, wherein the data sensitivity level varies between a first user having a first set of security inputs and a second user having a second set of security inputs different from the first user, and wherein the data sensitivity level varies according to a type of the data required to be used by the application requested by the user;

determining, by the mobile device, an authentication level associated with the user making the request in order to access the data requested by the user;

comparing, by the mobile device, the data sensitivity level of the data requested by the user to the authentication level associated with the user;

determining, by the mobile device, whether the authentication level of the user satisfies the data sensitivity level required to be used by the application;

in response to determining that the authentication level of the user is lower than the data sensitivity level for the data, sending a request to the user for authentication information;

in response to sending the request for authentication information, receiving authentication information from the user; and

in response to determining whether the authentication level of the user and the authentication information received from the user satisfies the data sensitivity level required for the data required to be used by the application, providing or denying access to the data required to be used by the application.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, devices, apparatuses, and methods of the present invention distribute authentication across multiple users. A data sensitivity model can define the sensitivity of different types of data. When an application requests access to a particular data item, the sensitivity of that data item can be determined. If the data item has a low sensitivity, access to the data item can be granted. If the data item has a high sensitivity, the system can request authentication before granting access to the data item.

18 Citations

View as Search Results

21 Claims

1. A method comprising:
- receiving, by a mobile device including one or more processors, a request by a user to access data required to be used by an application executing on the mobile device;
  
  determining, by the mobile device, a data sensitivity level associated with the data, wherein data having a higher data sensitivity level requires a greater authentication level to access the data and data having a lower data sensitivity level requires a lower authentication level to access the data, wherein the data sensitivity level associated with the data is dependent on a plurality of security inputs, wherein the data sensitivity level varies between a first user having a first set of security inputs and a second user having a second set of security inputs different from the first user, and wherein the data sensitivity level varies according to a type of the data required to be used by the application requested by the user;
  
  determining, by the mobile device, an authentication level associated with the user making the request in order to access the data requested by the user;
  
  comparing, by the mobile device, the data sensitivity level of the data requested by the user to the authentication level associated with the user;
  
  determining, by the mobile device, whether the authentication level of the user satisfies the data sensitivity level required to be used by the application;
  
  in response to determining that the authentication level of the user is lower than the data sensitivity level for the data, sending a request to the user for authentication information;
  
  in response to sending the request for authentication information, receiving authentication information from the user; and
  
  in response to determining whether the authentication level of the user and the authentication information received from the user satisfies the data sensitivity level required for the data required to be used by the application, providing or denying access to the data required to be used by the application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1 wherein determining a data sensitivity level associated with the data further comprises:
    - querying a data sensitivity level cache for the data; and
      
      returning the data sensitivity level associated with the data from the data sensitivity level cache.
  - 3. The method of claim 1 wherein the plurality of security inputs include one or more of:
    - initial permissions associated with a requesting application;
      
      customizations; and
      
      mobile device state.
  - 4. The method of claim 2, further comprising analyzing the plurality of security inputs by a decision model, wherein the analyzing further comprises:
    - assigning a weight to each of the plurality of security inputs;
      
      identifying one or more of the plurality of inputs having a highest weight; and
      
      determining the data sensitivity level associated with the one or more of the plurality of inputs having the highest weight.
  - 5. The method of claim 1, further comprising updating the data sensitivity level based on aggregate permission data from a plurality of users.
  - 6. The method of claim 1, further comprising:
    - determining that the authentication level is lower than the data sensitivity level; and
      
      sending an authentication request for a security credential having a second authentication level equal to or greater than the data sensitivity level.
  - 7. The method of claim 6, wherein the security credential is associated with temporal limitation and a security event limitation.
  - 8. The method of claim 2, further comprising:
    - periodically requesting updates to the data sensitivity level stored in the data sensitivity level cache from a cloud security provider server.
  - 9. The method according to claim 1, wherein the request to access the data required to be used by the application is received via the application.

10. A mobile device, comprising:
- one or more processors; and
  
  a memory communicatively coupled to the one or more processors, wherein the one or more processors are configured to execute instructions included in the memory to perform operations for a data sensitivity module, the operations comprising;
  
  a request by a user to access data required to be used by an application executing on the mobile device;
  
  determining a data sensitivity level associated with the data, wherein data having a higher data sensitivity level requires a greater authentication level to access the data and data having a lower data sensitivity level requires a lower authentication level to access the data, wherein the data sensitivity level associated with the data is dependent on a plurality of security inputs, wherein the data sensitivity level varies between a first user having a first set of security inputs and a second user having a second set of security inputs different from the first user, and wherein the data sensitivity level varies according to a type of the data required to be used by the application requested by the user;
  
  determining an authentication level associated with the user making the request in order to access the data requested by the user;
  
  comparing the data sensitivity level of the data requested by the user to the authentication level associated with the user;
  
  determining, by the mobile device, whether the authentication level of the user satisfies the data sensitivity level for the data required to be used by the application;
  
  in response to determining that the authentication level of the user is lower than the data sensitivity level for the data, sending a request to the user for authentication information;
  
  in response to sending the request for authentication information, receiving authentication information from the user; and
  
  in response to determining whether the authentication level of the user and the authentication information from the user satisfies the data sensitivity level required for the data required to be used by the application, providing or denying access to the data required to be used by the application.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The mobile device of claim 10 wherein determining a data sensitivity level associated with the data further comprises:
    - querying a data sensitivity level cache for the data; and
      
      returning the data sensitivity level associated with the data from the data sensitivity level cache.
  - 12. The mobile device of claim 10 wherein the plurality of inputs include one or more of:
    - initial permissions associated with a requesting application;
      
      customizations; and
      
      mobile device state.
  - 13. The mobile device of claim 11, wherein the one or more processors are configured to execute instructions included in the memory to perform operations comprising analyzing the plurality of security inputs by a decision model, wherein the analyzing comprises:
    - assigning a weight to each of the plurality of security inputs;
      
      identifying one or more of the plurality of inputs having a highest weight; and
      
      determining the data sensitivity level associated with the one or more of the plurality of inputs having the highest weight.
  - 14. The mobile device of claim 10, wherein the data sensitivity module is further configured to update the data sensitivity level based on aggregate permission data from a plurality of users.
  - 15. The mobile device of claim 10, wherein the data sensitivity module is further configured to:
    - determine that the authentication level is lower than the data sensitivity level; and
      
      send an authentication request for a security credential having a second authentication level equal to or greater than the data sensitivity level.
  - 16. The mobile device of claim 15, wherein the security credential is associated with temporal limitation and a security event limitation.
  - 17. The mobile device of claim 11, wherein the data sensitivity level cache is configured to periodically request updates to the cached data sensitivity levels from a cloud security provider server.

18. A method comprising:
- receiving a request from an administrator to register a first user through an application executing on a mobile device;
  
  presenting, to the administrator, one or more predefined security profiles, each of the one or more predefined security profiles including customization points that are configurable for varying a sensitivity level for a selection of data required to be used by the application executing on the mobile device;
  
  receiving, from the administrator, a selection of a predefined security profile and one or more customizations for the customization points corresponding to the selected predefined security profile, the one or more customizations including the selection of data required to be used by the application and a sensitivity level, wherein data having a higher data sensitivity level requires a greater authentication level and additional authentication information for the first time user in order to access the data required to be used by the application and data having a lower data sensitivity level requires a lower authentication level and authentication information for the first user in order to access the data required to be used by the application, and wherein the data sensitivity level varies according to a type of the data required to be used by the application; and
  
  registering the first user with a custom security profile based on the predefined security profile and the one or more customizations, wherein the data sensitivity level for the first user indicated by the custom security profile is different from other users with different customizations.
- View Dependent Claims (19, 20, 21)
- - 19. The method of claim 18 wherein the one or more predefined security profiles are generated based on aggregate security profile information stored in a registration authority database.
  - 20. The method of claim 19 wherein the aggregate security profile information is updated periodically by a cloud security provider server.
  - 21. The method of claim 18 wherein the one or more customizations include a selection of data and a custom data sensitivity level.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Visa International Service Association (Visa, Inc.)
Original Assignee
Visa International Service Association (Visa, Inc.)
Inventors
Gaddam, Ajit, Aissi, Selim, Kgil, Taeho
Primary Examiner(s)
Armouche, Hadi S
Assistant Examiner(s)
Callahan, Paul E

Application Number

US14/303,461
Publication Number

US 20140373104A1
Time in Patent Office

1,510 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/105 Multiple levels of security

H04L 63/205 involving negotiation or de...

Data sensitivity based authentication and authorization

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

18 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Data sensitivity based authentication and authorization

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

18 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links