Selectively enabling multi-factor authentication for managed devices

US 10,432,608 B2
Filed: 01/09/2018
Issued: 10/01/2019
Est. Priority Date: 10/29/2015
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer-readable medium containing instructions that, when executed by the at least one computing device, cause the at least one computing device to perform stages comprising:

receiving an authentication request from a client device, the authentication request including a first authentication factor corresponding to a single sign-on (“

SSO”

) credential, wherein the SSO credential is downloaded to the client device, wherein the authentication request originates at a first client application executing on the client device;

determining, at an identity provider service separate from the client device, whether at least one second authentication factor should be requested, including determining that the at least one second authentication factor should be requested based on a version of an application executing on the client device; and

in response to determining that the at least one second authentication factor should be requested;

requesting the at least one second authentication factor from the client device, including determining the first client application does not natively support the at least one second authentication factor and, as a result, requesting the at least one second authentication factor from a second client application;

receiving the at least one second authentication factor from the client device;

after confirming the at least one second authentication factor from the second client application, sending, from the identity provider service, an identity assertion to the first client application, wherein the first client application provides the identity assertion to a service provider that is separate from the identity provider service; and

authenticating the client device in response to verifying the first authentication factor and the at least one second authentication factor.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed are various examples of selectively enabling multi-factor authentication for applications on managed devices. An identity provider receives an authentication request for a first client application executed in a managed client device. The authentication request includes a first authentication factor corresponding to a management credential. The identity provider then determines whether one or more second authentication factors should be requested. If so, the identity provider then requests the second authentication factor(s) from a second client application. The identity provider receives the second authentication factor(s) from the second client application. The identity provider then authenticates the first client application in response to verifying the first authentication factor and the second authentication factor(s).

70 Citations

17 Claims

1. A non-transitory computer-readable medium containing instructions that, when executed by the at least one computing device, cause the at least one computing device to perform stages comprising:
- receiving an authentication request from a client device, the authentication request including a first authentication factor corresponding to a single sign-on (“
  
  SSO”
  
  ) credential, wherein the SSO credential is downloaded to the client device, wherein the authentication request originates at a first client application executing on the client device;
  
  determining, at an identity provider service separate from the client device, whether at least one second authentication factor should be requested, including determining that the at least one second authentication factor should be requested based on a version of an application executing on the client device; and
  
  in response to determining that the at least one second authentication factor should be requested;
  
  requesting the at least one second authentication factor from the client device, including determining the first client application does not natively support the at least one second authentication factor and, as a result, requesting the at least one second authentication factor from a second client application;
  
  receiving the at least one second authentication factor from the client device;
  
  after confirming the at least one second authentication factor from the second client application, sending, from the identity provider service, an identity assertion to the first client application, wherein the first client application provides the identity assertion to a service provider that is separate from the identity provider service; and
  
  authenticating the client device in response to verifying the first authentication factor and the at least one second authentication factor.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The non-transitory computer-readable medium of claim 1, the stages further comprising:
    - determining a location of the client device; and
      
      determining a risk score based at least in part on the location,wherein determining whether the at least one second authentication factor should be requested is based at least in part on the risk score.
  - 3. The non-transitory computer-readable medium of claim 1, wherein the application executing on the client device is the first client application.
  - 4. The non-transitory computer-readable medium of claim 1, the stages further comprising:
    - determining a version of an operating system of the client device; and
      
      determining that the at least one second authentication factor should be requested when the version of the operating system corresponds to a particular operating system version.
  - 5. The non-transitory computer-readable medium of claim 1, wherein the stages further comprise determining that the at least one second authentication factor should be requested in response to verifying the first authentication factor.
  - 6. The non-transitory computer-readable medium of claim 1, wherein the first authentication factor corresponds to data generated by a secure certificate or a Kerberos profile.

7. A computing device that executes an identity provider service configured to cause the computing device to perform stages comprising:
- receiving an authentication request from a client device, the authentication request including a first authentication factor corresponding to a single sign-on (“
  
  SSO”
  
  ) credential, wherein the SSO credential is downloaded to the client device, wherein the authentication request originates at a first client application executing on the client device;
  
  determining, at an identity provider service separate from the client device, whether at least one second authentication factor should be requested, including determining that the at least one second authentication factor should be requested based on a version of an application executing on the client device; and
  
  in response to determining that the at least one second authentication factor should be requested;
  
  requesting the at least one second authentication factor from the client device, including determining the first client application does not natively support the at least one second authentication factor and, as a result, requesting the at least one second authentication factor from a second application;
  
  receiving the at least one second authentication factor from the client device;
  
  after confirming the at least one second authentication factor, sending, from the identity provider service, an identity assertion to the first client application, wherein the first client application provides the identity assertion to a service provider that is separate from the identity provider service; and
  
  authenticating the client device in response to verifying the first authentication factor and the at least one second authentication factor.
- View Dependent Claims (8, 9, 10, 11)
- - 8. The computing device of claim 7, the stages further comprising:
    - determining a location of the client device; and
      
      determining a risk score based at least in part on the location,wherein determining whether the at least one second authentication factor should be requested is based at least in part on the risk score.
  - 9. The computing device of claim 7, the stages further comprising:
    - determining a version of an operating system of the client device; and
      
      determining that the at least one second authentication factor should be requested when the version of the operating system corresponds to a particular operating system version.
  - 10. The computing device of claim 7, wherein the stages further comprise determining that the at least one second authentication factor should be requested in response to verifying the first authentication factor.
  - 11. The computing device of claim 7, wherein the first authentication factor corresponds to data generated by a secure certificate or a Kerberos profile.

12. A method, comprising:
- receiving an authentication request from a client device, the authentication request including a first authentication factor corresponding to a single sign-on (“
  
  SSO”
  
  ) credential, wherein the SSO credential is downloaded to the client device, wherein the authentication request originates at a first client application executing on the client device;
  
  determining, at an identity provider service separate from the client device, whether at least one second authentication factor should be requested, including determining that the at least one second authentication factor should be requested based on a version of an application executing on the client device; and
  
  in response to determining that the at least one second authentication factor should be requested;
  
  requesting the at least one second authentication factor from the client device, including determining the first client application does not natively support the at least one second authentication factor and, as a result, requesting the at least one second authentication factor from a second client application;
  
  receiving the at least one second authentication factor from the client device;
  
  after confirming the at least one second authentication factor, sending, from the identity provider service, an identity assertion to the first client application, wherein the first client application provides the identity assertion to a service provider that is separate from the identity provider service; and
  
  authenticating the client device in response to verifying the first authentication factor and the at least one second authentication factor.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The method of claim 12, further comprising:
    - determining a location of the client device; and
      
      determining a risk score based at least in part on the location,wherein determining whether the at least one second authentication factor should be requested is based at least in part on the risk score.
  - 14. The method of claim 12, wherein the application executing on the client device is the first client application.
  - 15. The method of claim 12, further comprising:
    - determining a version of an operating system of the client device; and
      
      determining that the at least one second authentication factor should be requested when the version of the operating system corresponds to a particular operating system version.
  - 16. The method of claim 12, further comprising determining that the at least one second authentication factor should be requested in response to verifying the first authentication factor.
  - 17. The method of claim 12, wherein the first authentication factor corresponds to data generated by a secure certificate or a Kerberos profile.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
AirWatch LLC (Broadcom, Inc.)
Original Assignee
AirWatch LLC (Broadcom, Inc.)
Inventors
Brannon, Jonathan Blake
Primary Examiner(s)
Pham, Luu T
Assistant Examiner(s)
Jackson, Jenise E

Application Number

US15/865,254
Publication Number

US 20180131686A1
Time in Patent Office

630 Days
Field of Search

726 6
US Class Current
CPC Class Codes

H04L 2463/082   applying multi-factor authe...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 63/0823   using certificates cryptogr...

H04L 63/12   Applying verification of th...

Selectively enabling multi-factor authentication for managed devices

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

70 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Selectively enabling multi-factor authentication for managed devices

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

70 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links