Use of device risk evaluation to manage access to services

US 10,218,697 B2
Filed: 06/09/2017
Issued: 02/26/2019
Est. Priority Date: 06/09/2017
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving data in a communication from a computing device of an identity provider;

subsequent to receiving the data, receiving, by a second computing device, a request from a first computing device, the request for access by the first computing device to a service, wherein the access requires authorization by the computing device of the identity provider, and access to the service requires that a software component is installed on the first computing device;

in response to the request, performing, by the second computing device, an evaluation of a configuration of the first computing device, wherein the evaluation comprises determining a risk level, and wherein the evaluation is based at least in part on the received data from the identity provider;

performing, by the second computing device, an action based on the evaluation, wherein the action comprises sending a first communication to the computing device of the identity provider, the first communication indicating the risk level, wherein the identity provider is of record with the second computing device to use for authorizing requests for access to the service, and wherein the identity provider is configured to authorize access to the service in response to receiving the first communication;

determining whether the software component is installed on the first computing device; and

in response to determining that the software component is not installed on the first computing device;

creating a fingerprint of the first computing device, the fingerprint including data extracted from at least one communication from the first computing device; and

determining whether the fingerprint matches a fingerprint of another computing device that has previously communicated with the second computing device.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method includes: receiving a request regarding access by a first computing device (e.g., a mobile device of a user) to a service; in response to the request, performing, by a second computing device (e.g., a device risk evaluation server, or a server of an identity provider), an evaluation of the first computing device; and performing, by the second computing device, an action (e.g., authorizing access to the service) based on the evaluation.

715 Citations

19 Claims

1. A method, comprising:
- receiving data in a communication from a computing device of an identity provider;
  
  subsequent to receiving the data, receiving, by a second computing device, a request from a first computing device, the request for access by the first computing device to a service, wherein the access requires authorization by the computing device of the identity provider, and access to the service requires that a software component is installed on the first computing device;
  
  in response to the request, performing, by the second computing device, an evaluation of a configuration of the first computing device, wherein the evaluation comprises determining a risk level, and wherein the evaluation is based at least in part on the received data from the identity provider;
  
  performing, by the second computing device, an action based on the evaluation, wherein the action comprises sending a first communication to the computing device of the identity provider, the first communication indicating the risk level, wherein the identity provider is of record with the second computing device to use for authorizing requests for access to the service, and wherein the identity provider is configured to authorize access to the service in response to receiving the first communication;
  
  determining whether the software component is installed on the first computing device; and
  
  in response to determining that the software component is not installed on the first computing device;
  
  creating a fingerprint of the first computing device, the fingerprint including data extracted from at least one communication from the first computing device; and
  
  determining whether the fingerprint matches a fingerprint of another computing device that has previously communicated with the second computing device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, wherein the service is provided by a third computing device.
  - 3. The method of claim 1, wherein the evaluation determines that the configuration is not secure, and the action further comprises blocking access of the first computing device to the service.
  - 4. The method of claim 1, wherein the service is provided by a third computing device, the method further comprises receiving first data from the first computing device that is used in the evaluation, and the action further comprises sending the first data to the third computing device.
  - 5. The method of claim 4, wherein the first data is received from the software component, and the software component obtains the first data from the first computing device.
  - 6. The method of claim 1, wherein software is installed on the first computing device, and wherein the evaluation comprises at least one of determining a source of the software, evaluating authenticity of the software, or analyzing at least one component of the software.
  - 7. The method of claim 1, wherein the evaluation determines an extent of security risk for the configuration of the first computing device, and wherein an extent of access to the service provided to the first computing device is based on the determined extent of security risk.
  - 8. The method of claim 1, wherein the evaluation determines that the configuration passes a security threshold, and the action further comprises sending a communication to a third computing device regarding the passed security threshold.
  - 9. The method of claim 1, wherein a third computing device provides the service, and the method further comprises:
    - generating a token for the first computing device, the token comprising first data encoding the risk level from the evaluation; and
      
      providing the token to the first computing device, wherein the first data is used by the third computing device to configure the service provided to the first computing device.
  - 10. The method of claim 9, wherein the third computing device is configured to determine, using the first data, a risk state associated with providing service to the first computing device.
  - 11. The method of claim 1, wherein the service is provided by a third computing device, and the method further comprises:
    - extracting first data from a communication received from the first computing device; and
      
      performing the evaluation using the first data.
  - 12. The method of claim 1, wherein:
    - the request for access to the service is generated by an application executing on the first computing device;
      
      performing the evaluation comprises determining an authenticity of the application; and
      
      performing the evaluation further comprises assessing a context of a user of the first computing device, the context comprising at least one of;
      
      a location of the first computing device,a device location for a prior login made to the service by the user,an event associated with a presence of the user on a computing device other than the first computing device, orcredentials associated with the user that have become unsecure.
  - 13. The method of claim 1, wherein the first computing device is associated with a domain, the method further comprises receiving a second communication from a third computing device associated with the domain, and the evaluation comprises using data from the second communication to evaluate the configuration of the first computing device.
  - 14. The method of claim 1, further comprising:
    - in response to determining that the software component is not installed on the first computing device, sending a second communication to the first computing device requesting installation of the software component;
      
      after sending the second communication, determining that the software component is installed on the first computing device; and
      
      in response to determining that the software component is installed on the first computing device, sending a communication to cause a third computing device to grant the access to the service.

15. A non-transitory computer-readable storage medium storing computer-readable instructions, which when executed, cause a first computing device to:
- receive data in a communication from a computing device of an identity provider;
  
  subsequent to receiving the data, receive a request from a second computing device, the request for access by the second computing device to a service, wherein the access requires authorization by the computing device of the identity provider, and access to the service requires that a software component is installed on the second computing device;
  
  in response to the request, perform an evaluation of the second computing device, wherein the evaluation is based at least in part on the received data from the identity provider;
  
  perform, by at least one processor, an action based on the evaluation, the action comprising sending a first communication to the computing device of the identity provider, wherein the identity provider is of record with the first computing device to use for authorizing requests for access to the service, and wherein the identity provider is configured to authorize access to the service in response to receiving the first communication;
  
  determine whether the software component is installed on the second computing device; and
  
  in response to determining that the software component is not installed on the second computing device;
  
  create a fingerprint of the second computing device, the fingerprint including data extracted from at least one communication from the second computing device; and
  
  determine whether the fingerprint matches a fingerprint of another computing device that has previously communicated with the first computing device.
- View Dependent Claims (16)
- - 16. The non-transitory computer-readable storage medium of claim 15, wherein the instructions further cause the first computing device to receive security data from the second computing device, wherein the evaluation is performed using the security data to determine a security state of the second computing device, and wherein the action further comprises authorizing access to the service by the second computing device at an access level dependent on the determined security state.

17. A system, comprising:
- at least one processor of a first computing device; and
  
  memory storing instructions configured to instruct the at least one processor to;
  
  receive data in a communication from a computing device of an identity provider;
  
  subsequent to receiving the data, receive a request from a second computing device, the request for access by the second computing device to a service, wherein the access requires authorization by the computing device of the identity provider, and access to the service requires that a software component is installed on the second computing device;
  
  in response to the request, perform an evaluation of the second computing device, wherein the evaluation is based at least in part on the received data from the identity provider;
  
  perform an action based on the evaluation, the action comprising sending a first communication to the computing device of the identity provider, wherein the identity provider is of record with the first computing device to use for authorizing requests for access to the service, and wherein the identity provider is configured to authorize access to the service in response to receiving the first communication;
  
  determine whether the software component is installed on the second computing device; and
  
  in response to determining that the software component is not installed on the second computing device;
  
  create a fingerprint of the second computing device, the fingerprint including data extracted from at least one communication from the second computing device; and
  
  determine whether the fingerprint matches a fingerprint of another computing device that has previously communicated with the first computing device.
- View Dependent Claims (18, 19)
- - 18. The system of claim 17, wherein a third computing device provides the service.
  - 19. The system of claim 17, wherein the instructions are further configured to instruct the at least one processor to receive security state information regarding a state of the second computing device, wherein the evaluation is performed using the security state information to determine a security state of the second computing device, wherein the action further comprises authorizing access to the service by the second computing device at an access level depending on the determined security state, and wherein the security state information comprises at least one of a device identifier, a configuration, a setting, information on a security event, or a device state.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lookout Incorporated
Original Assignee
Lookout Incorporated
Inventors
Cockerill, Aaron, Richardson, David, Thanos, Daniel, Robinson, William Neil, Buck, Brian James, Mahaffey, Kevin Patrick
Primary Examiner(s)
Cervetti, David Garcia

Application Number

US15/619,356
Publication Number

US 20180359244A1
Time in Patent Office

627 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0823   using certificates cryptogr...

H04L 63/083   using passwords cryptograph...

H04L 63/0853   using an additional device,...

H04L 63/0876   based on the identity of th...

H04L 63/105   Multiple levels of security

H04L 63/107   wherein the security polici...

H04L 63/12   Applying verification of th...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

Use of device risk evaluation to manage access to services

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

715 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Use of device risk evaluation to manage access to services

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

715 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links