Managing credentials

US 9,026,788 B2
Filed: 04/25/2013
Issued: 05/05/2015
Est. Priority Date: 08/06/2008
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

storing, within a vault account at a vault system, at least one encrypted website credential that is encrypted using an encryption key that is not available to the vault system, wherein the encrypted website credential is for authenticating a user to a third party website;

sending executable code to a client device that, upon execution by a processor at the client device, is to;

store the encryption key at the client device, andobfuscate the stored encryption key;

receiving, from the client device, at least one first vault credential to authenticate the user with the vault account;

authenticating the first vault credential;

determining that the first vault credential is not authentic, comprising;

assessing a risk that the first vault credential is not authentic, wherein assessing the risk comprises quantifying the risk; and

comparing the quantified risk to a threshold to determine that the quantified risk is greater than the threshold;

requesting, from the client device and in response to determining that the first vault credential is not authentic, at least one second vault credential to authenticate the user with the vault account, wherein the second vault credential is distinct from the first vault credential;

authenticating the second vault credential;

receiving, from the client device, a request for the encrypted website credential;

retrieving the requested encrypted website credential from the vault account at the vault system; and

sending, to the client device, the requested encrypted website credential and at least one form fill parameter in response to successfully authenticating the first vault credential and the second vault credential, wherein the executable code is further to;

decrypt the requested encrypted website credential into a decrypted website credential using the obfuscated stored encryption key, anduse the form fill parameter to inject the decrypted website credential into at least one form field in an authentication page of the third party website.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In a centralized credential management system, website credentials are stored in a vault storage at a vault. The website credentials are encrypted based upon a key not available to the vault and are for authenticating a user to a third party website. Through a client, a user authenticates to the vault and retrieves the encrypted website credentials and parameters and code for properly injecting the credentials into a website authentication form. The website credentials are decrypted at the client and injected into the authentication form using the parameters and code.

32 Citations

View as Search Results

18 Claims

1. A method comprising:
- storing, within a vault account at a vault system, at least one encrypted website credential that is encrypted using an encryption key that is not available to the vault system, wherein the encrypted website credential is for authenticating a user to a third party website;
  
  sending executable code to a client device that, upon execution by a processor at the client device, is to;
  
  store the encryption key at the client device, andobfuscate the stored encryption key;
  
  receiving, from the client device, at least one first vault credential to authenticate the user with the vault account;
  
  authenticating the first vault credential;
  
  determining that the first vault credential is not authentic, comprising;
  
  assessing a risk that the first vault credential is not authentic, wherein assessing the risk comprises quantifying the risk; and
  
  comparing the quantified risk to a threshold to determine that the quantified risk is greater than the threshold;
  
  requesting, from the client device and in response to determining that the first vault credential is not authentic, at least one second vault credential to authenticate the user with the vault account, wherein the second vault credential is distinct from the first vault credential;
  
  authenticating the second vault credential;
  
  receiving, from the client device, a request for the encrypted website credential;
  
  retrieving the requested encrypted website credential from the vault account at the vault system; and
  
  sending, to the client device, the requested encrypted website credential and at least one form fill parameter in response to successfully authenticating the first vault credential and the second vault credential, wherein the executable code is further to;
  
  decrypt the requested encrypted website credential into a decrypted website credential using the obfuscated stored encryption key, anduse the form fill parameter to inject the decrypted website credential into at least one form field in an authentication page of the third party website.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the executable code is further to store the encryption key in a bookmarklet link at the client device.
  - 3. The method of claim 2, wherein receiving the request is a result of a user selection of the bookmarklet link at the client device.
  - 4. The method of claim 1, wherein the executable code is further to store a unique value at the client device, wherein the request includes the unique value, wherein the method further comprises authenticating the unique value from the request, and wherein sending the requested encrypted website credential and the form fill parameter is further in response to successfully authenticating the unique value.
  - 5. The method of claim 1, wherein the first vault credential includes a username and a password.
  - 6. The method of claim 1, wherein determining that the first vault credential is not authentic is based on one or more of a name of an Internet service provider of the client device, a hostname of the client device, a geographic location of the client device, a number of authentication requests per unit time from the client device, an identity of the third party website, or a type of the third party website.
  - 7. The method of claim 6, wherein requesting the second vault credential comprises requesting a one-time password from the client device.
  - 8. The method of claim 7, wherein authenticating the second vault credential comprises sending the one-time password to a networked resource to be verified and receiving results from the networked resource indicating that the one-time password is verified.
  - 9. The method of claim 1, wherein requesting the second vault credential comprises sending, to the client device, a challenge question and requesting from the client device a response that is based upon the challenge question.

10. A system comprising:
- a memory to store, within a vault account at a vault system, at least one encrypted website credential that is encrypted using an encryption key that is not available to the vault system, wherein the encrypted website credential is for authenticating a user to a third party website;
  
  a server processor coupled to the memory to;
  
  send executable code to a client device that, upon execution by a client processor at the client device, is to;
  
  store the encryption key at the client device, andobfuscate the stored encryption key;
  
  receive, from the client device, at least one first vault credential to authenticate the user with the vault account;
  
  authenticate the first vault credential;
  
  determine that the first vault credential is not authentic by;
  
  assessing a risk that the first vault credential is not authentic, wherein the assessment of the risk comprises quantifying the risk; and
  
  comparing the quantified risk to a threshold to determine that the quantified risk is greater than the threshold;
  
  request, from the client device and in response to the determination that the first vault credential is not authentic, at least one second vault credential to authenticate the user with the vault account, wherein the second vault credential is distinct from the first vault credential;
  
  authenticate the second vault credential;
  
  receive, from the client device, a request for the encrypted website credential;
  
  retrieve the requested encrypted website credential from the vault account at the vault system; and
  
  send, to the client device, the requested encrypted website credential and at least one form fill parameter in response to successful authentication of the first vault credential and the second vault credential, wherein the executable code is further to;
  
  decrypt the requested encrypted website credential into a decrypted website credential using the obfuscated stored encryption key, anduse the form fill parameter to inject the decrypted website credential into at least one form field in an authentication page of the third party website.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The system of claim 10, wherein the executable code is further to store the encryption key in a bookmarklet link at the client device.
  - 12. The system of claim 11, wherein receipt of the request is a result of a user selection of the bookmarklet link at the client device.
  - 13. The system of claim 10, wherein the executable code is further to store a unique value at the client device, wherein the request includes the unique value, wherein the server processor is further to authenticate the unique value from the request, and wherein the server processor sends the requested encrypted website credential and the form fill parameter further in response to successful authentication of the unique value.
  - 14. The system of claim 10, wherein the first vault credential includes a username and a password.
  - 15. The system of claim 10, wherein the determination that the first vault credential is not authentic is based on one or more of a name of an Internet service provider of the client device, a hostname of the client device, a geographic location of the client device, a number of authentication requests per unit time from the client device, an identity of the third party website, or a type of the third party website.
  - 16. The system of claim 10, wherein the server processor requests the second vault credential by requesting a one-time password from the client device.

17. A method comprising:
- sending, to a vault system, at least one encrypted website credential that is encrypted using an encryption key that is not available to the vault system, wherein the encrypted website credential is for authenticating a user to a third party website, and wherein the vault system stores the encrypted website credential within a vault account;
  
  receiving, at a client device from the vault system, executable code for storing the encryption key at the client device, wherein the executable code obfuscates the stored encryption key;
  
  executing, by a processor at the client device, the executable code to store the obfuscated encryption key at the client device;
  
  receiving, at the client device, an indication to provide the encrypted website credential;
  
  sending, from the client device to the vault system, at least one first vault credential to authenticate the user with the vault account;
  
  sending, from the client device to the vault system, at least one second vault credential to authenticate the user with the vault account in response to a determination that the first vault credential is not authentic, wherein the second vault credential is distinct from the first vault credential, and wherein the determination comprises;
  
  assessing a risk that the first vault credential is not authentic, wherein the assessment of the risk comprises quantifying the risk; and
  
  comparing the quantified risk to a threshold to determine that the quantified risk is greater than the threshold;
  
  sending, from the client device to the vault system, a request for the encrypted website credential;
  
  receiving, at the client device from the vault system, the requested encrypted website credential and at least one form fill parameter in response to a successful authentication of the first vault credential and the second vault credential;
  
  executing, by the processor at the client device, the executable code to decrypt the received encrypted website credential into a decrypted website credential using the obfuscated stored encryption key; and
  
  executing, by the processor at the client device, the executable code to inject the decrypted website credential into at least one form field of an authentication page of the third party website using the form fill parameter.

18. A non-transitory computer-readable medium comprising computer-readable instructions for causing a processor to perform operations comprising:
- sending, to a vault system, at least one encrypted website credential that is encrypted using an encryption key that is not available to the vault system, wherein the encrypted website credential is for authenticating a user to a third party website, and wherein the vault system stores the encrypted website credential within a vault account;
  
  receiving, at a client device from the vault system, executable code for storing the encryption key at the client device, wherein the executable code obfuscates the stored encryption key;
  
  executing, by the processor at the client device, the executable code to store the obfuscated encryption key at the client device;
  
  receiving, at the client device, an indication to provide the encrypted website credential;
  
  sending, from the client device to the vault system, at least one first vault credential to authenticate the user with the vault account;
  
  sending, from the client device to the vault system, at least one second vault credential to authenticate the user with the vault account in response to a determination that the first vault credential is not authentic, wherein the second vault credential is distinct from the first vault credential, and wherein the determination comprises;
  
  assessing a risk that the first vault credential is not authentic, wherein the assessment of the risk comprises quantifying the risk; and
  
  comparing the quantified risk to a threshold to determine that the quantified risk is greater than the threshold;
  
  sending, from the client device to the vault system, a request for the encrypted website credential;
  
  receiving, at the client device from the vault system, the requested encrypted website credential and at least one form fill parameter in response to a successful authentication of the first vault credential and the second vault credential;
  
  executing, by the processor at the client device, the executable code to decrypt the received encrypted website credential into a decrypted website credential using the obfuscated stored encryption key; and
  
  executing, by the processor at the client device, the executable code to inject the decrypted website credential into at least one form field of an authentication page of the third party website using the form fill parameter.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Symantec Corporation (NortonLifeLock Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Ferg, Barry, Krall, Gary, M'Raihi, David, Popp, Nicolas
Primary Examiner(s)
Rashid, Harunur

Application Number

US13/870,438
Publication Number

US 20130238894A1
Time in Patent Office

740 Days
Field of Search

713/155, 713/168, 713/193, 380/255, 726/6, 726/12, 726/35
US Class Current

713/155
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 9/321   involving a third party or ...

H04L 9/3271   using challenge-response

Managing credentials

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

32 Citations

18 Claims

Specification

Use Cases

Quick Links

Others

Managing credentials

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

32 Citations

18 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others