Systems and methods for managing credentials used to authenticate access in data processing systems

US 10,462,152 B2
Filed: 11/15/2016
Issued: 10/29/2019
Est. Priority Date: 11/15/2016
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a processor and memory; and

machine readable instructions stored in the memory and executed by the processor, configured to;

receive a first request to replace a first credential used to access one or more resources with a second credential that is to be subsequently used to access the one or more resources;

in response to receiving the first request, perform a transitional secret procedure by replacing the first credential with the second credential and by allowing temporary subsequent use of the first credential to access the one or more resources for a predetermined period, wherein a length of the predetermined period is based on a determined level of access associated with a requesting device that is using the first credential to request access to the one or more resources during the predetermined period, such that the predetermined period is different for different levels of access;

as a part of performing the transitional secret procedure, cause the transitional secret procedure to be transparent to the requesting device such that only the system, which operates as a central authentication system for granting or denying requests to access the one or more resources, is knowledgeable that both the first credential and the second credential are usable to access the one or more resources during the predetermined period; and

in response to receiving a second request to access the one or more resources using the first credential after replacing the first credential with the second credential, where the second request is received from the requesting device;

allow the requesting device to access the one or more resources using the first credential during the predetermined period, wherein both the first credential and the second credential are usable to access the one or more resources during the predetermined period, which is based on the determined level of access of the requesting device; and

generate an indication for a system administrator that the first credential was used to access the one or more resources.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system receives a first request to replace a first credential used by an entity to access one or more resources with a second credential to be used by the entity to access the one or more resources. In response to receiving the first request, the system replaces the first credential with the second credential and allows use of the first credential for a predetermined period. In response to receiving a second request from the entity to access the one or more resources using the first credential after replacing the first credential with the second credential, the system allows the entity to access the one or more resources using the first credential during the predetermined period, and generates an indication that the entity used the first credential to access the one or more resources and that the entity is to be updated with the second credential within the predetermined period.

21 Citations

View as Search Results

20 Claims

1. A system comprising:
- a processor and memory; and
  
  machine readable instructions stored in the memory and executed by the processor, configured to;
  
  receive a first request to replace a first credential used to access one or more resources with a second credential that is to be subsequently used to access the one or more resources;
  
  in response to receiving the first request, perform a transitional secret procedure by replacing the first credential with the second credential and by allowing temporary subsequent use of the first credential to access the one or more resources for a predetermined period, wherein a length of the predetermined period is based on a determined level of access associated with a requesting device that is using the first credential to request access to the one or more resources during the predetermined period, such that the predetermined period is different for different levels of access;
  
  as a part of performing the transitional secret procedure, cause the transitional secret procedure to be transparent to the requesting device such that only the system, which operates as a central authentication system for granting or denying requests to access the one or more resources, is knowledgeable that both the first credential and the second credential are usable to access the one or more resources during the predetermined period; and
  
  in response to receiving a second request to access the one or more resources using the first credential after replacing the first credential with the second credential, where the second request is received from the requesting device;
  
  allow the requesting device to access the one or more resources using the first credential during the predetermined period, wherein both the first credential and the second credential are usable to access the one or more resources during the predetermined period, which is based on the determined level of access of the requesting device; and
  
  generate an indication for a system administrator that the first credential was used to access the one or more resources.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system of claim 1, wherein resetting the second credential is available only when the second credential is used to access the one or more resources such that the first credential cannot be used to reset the second credential.
  - 3. The system of claim 1, wherein the machine readable instructions are further configured to:
    - invalidate the first credential after the predetermined period expires; and
      
      deny access to the one or more resources when the first credential is used after the predetermined period expires.
  - 4. The system of claim 1, wherein the machine readable instructions are further configured to indicate to the system administrator an attempt by a particular device that is attempting to access the one or more resources using the first credential after the predetermined period expires.
  - 5. The system of claim 1, wherein the machine readable instructions are further configured to identify a particular device that is making an unauthorized attempt to access the one or more resources by detecting an attempt by the particular device to access the one or more resources using the first credential after the predetermined period expires.
  - 6. The system of claim 1, wherein, after replacing the first credential with the second credential, an operation of allowing a particular device to use the first credential to access the one or more resources during the predetermined period is performed and operates to prevent the replacement from causing a failure due to the use of the first credential by the particular device during the predetermined period.
  - 7. The system of claim 1, wherein, after replacing the first credential with the second credential, an operation of allowing a particular device to use the first credential to access the one or more resources during the predetermined period is performed and operates to provide time within the predetermined period for the system administrator to update the particular device with the second credential.
  - 8. The system of claim 1, wherein the machine readable instructions are further configured to discover an attempt by a particular device to access the one or more resources using the first credential.

9. A method comprising:
- receiving a first request to replace a first credential used to access one or more resources with a second credential that is to be subsequently used to access the one or more resources;
  
  in response to receiving the first request, perform a transitional secret procedure by replacing the first credential with the second credential and by allowing temporary subsequent use of the first credential to access the one or more resources for a predetermined period, wherein a length of the predetermined period is based on a determined level of access associated a requesting device that is using the first credential to request access to the one or more resources during the predetermined period, such that the predetermined period is different for different levels of access;
  
  as a part of performing the transitional secret procedure, causing the transitional secret procedure to be transparent to the requesting device such that only a central authentication system, which grants or denies requests to access the one or more resources, is knowledgeable that both the first credential and the second credential are usable to access the one or more resources during the predetermined period; and
  
  in response to receiving a second request to access the one or more resources using the first credential after replacing the first credential with the second credential, where the second request is received from the requesting device;
  
  allowing to access the one or more resources using the first credential during the predetermined period, wherein both the first credential and the second credential are usable to access the one or more resources during the predetermined period, which is based on the determined level of access of the requesting device; and
  
  indicating to a system administrator that the first credential was used to access the one or more resources.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The method of claim 9, wherein resetting the second credential is available only when the second credential is used to access the one or more resources such that the first credential cannot be used to reset the second credential.
  - 11. The method of claim 9, further comprising:
    - invalidating the first credential after the predetermined period expires; and
      
      denying access to the one or more resources when the first credential is used after the predetermined period expires.
  - 12. The method of claim 9, wherein the method further comprises indicating to the system administrator an attempt by a particular device to access the one or more resources using the first credential after the predetermined period expires.
  - 13. The method of claim 9, wherein the method further comprises identifying a particular device that is making an unauthorized attempt to access the one or more resources by detecting an attempt by the particular device to access the one or more resources using the first credential after the predetermined period expires.
  - 14. The method of claim 9, wherein, after replacing the first credential with the second credential, an operation of allowing a particular device to use the first credential to access the one or more resources during the predetermined period is performed and operates to prevent the replacement from causing a failure due to the use of the first credential by the particular device during the predetermined period.
  - 15. The method of claim 9, wherein, after replacing the first credential with the second credential, an operation of allowing a particular device to use the first credential to access the one or more resources during the predetermined period is performed and operates to provide time within the predetermined period for the system administrator to update the particular device with the second credential.
  - 16. The method of claim 9, wherein the method further comprises discovering an attempt by a particular device to access the one or more resources using the first credential.

17. One or more hardware storage device(s) having stored thereon computer-executable instructions that are executable by one or more processor(s) of a computer system to cause the computer system to:
- receive a first request to replace a first credential used to access one or more resources with a second credential that is to be subsequently used to access the one or more resources;
  
  in response to receiving the first request, perform a transitional secret procedure by replacing the first credential with the second credential and by allowing temporary subsequent use of the first credential to access the one or more resources for a predetermined period, wherein a length of the predetermined period is based on a determined level of access associated with a requesting device that is using the first credential to request access to the one or more resources during the predetermined period, such that the predetermined period is different for different levels of access;
  
  as a part of performing the transitional secret procedure, cause the transitional secret procedure to be transparent to the requesting device such that only the computer system, which operates as a central authentication system for granting or denying requests to access the one or more resources, is knowledgeable that both the first credential and the second credential are usable to access the one or more resources during the predetermined period; and
  
  in response to receiving a second request to access the one or more resources using the first credential after replacing the first credential with the second credential, where the second request is received from the requesting device;
  
  allow the requesting device to access the one or more resources using the first credential during the predetermined period, wherein both the first credential and the second credential are usable to access the one or more resources during the predetermined period, which is based on the determined level of access of the requesting device; and
  
  generate an indication for a system administrator that the first credential was used to access the one or more resources.
- View Dependent Claims (18, 19, 20)
- - 18. The one or more hardware storage device(s) of claim 17, wherein, as another part of the transitional secret procedure, the first credential is moved to a new location within a directory services of the computer system, which operates as the central authentication system.
  - 19. The one or more hardware storage device(s) of claim 18, wherein the new location is a transitional password field.
  - 20. The one or more hardware storage device(s) of claim 17, wherein, when the requesting device, which used the first credential, is allowed access to the one or more resources during the predetermined period, access to the one or more resources is provided in accordance with a safe mode such that only limited access is provided to the requesting device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Edwards, Daniel
Primary Examiner(s)
Wang, Harris C

Application Number

US15/351,928
Publication Number

US 20180139193A1
Time in Patent Office

1,078 Days
Field of Search

726 4
US Class Current
CPC Class Codes

H04L 63/0815 providing single-sign-on or...

H04L 63/108 when the policy decisions a...

Systems and methods for managing credentials used to authenticate access in data processing systems

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

21 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for managing credentials used to authenticate access in data processing systems

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

21 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links