Recovery of managed security credentials

US 9,450,941 B2
Filed: 02/06/2015
Issued: 09/20/2016
Est. Priority Date: 02/01/2012
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer-readable medium embodying a program executable in at least one computing device, the program, when executed, causing the at least one computing device to at least:

store account data including a plurality of security credentials associated with a plurality of network sites for a user, the account data being stored in an encrypted form;

obtain a request for the account data from a client, the request specifying a security credential for accessing the account data;

determine whether the client corresponds to a preauthorized client based at least in part on a network address of the client or a client-identifying token included in the request;

send, responsive to the client corresponding to the preauthorized client and responsive to the security credential being valid, the account data to the client;

obtain, responsive to the client not corresponding to the preauthorized client, a supplemental credential from the client;

send, responsive to the supplemental credential being valid and responsive to the security credential being valid, the account data to the client;

obtain a second request to use one of a plurality of account data recovery mechanisms from the client;

determine, on a per-client basis, a subset of the plurality of account recovery mechanisms available to the client;

enable use of the subset of the account recovery mechanisms available to the client; and

disable use of those of the plurality of account recovery mechanisms excluded from the subset of the account recovery mechanisms.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed are various embodiments for recovery and other management functions relating to security credentials which may be centrally managed. Account data, which includes multiple security credentials for multiple network sites for a user, is stored by a service in an encrypted form. A request for the account data is obtained from a client. The request specifies a security credential for accessing the account data. The account data is sent to the client in response to determining that the client corresponds to a preauthorized client and in response to determining that the security credential for accessing the account data is valid.

62 Citations

View as Search Results

20 Claims

1. A non-transitory computer-readable medium embodying a program executable in at least one computing device, the program, when executed, causing the at least one computing device to at least:
- store account data including a plurality of security credentials associated with a plurality of network sites for a user, the account data being stored in an encrypted form;
  
  obtain a request for the account data from a client, the request specifying a security credential for accessing the account data;
  
  determine whether the client corresponds to a preauthorized client based at least in part on a network address of the client or a client-identifying token included in the request;
  
  send, responsive to the client corresponding to the preauthorized client and responsive to the security credential being valid, the account data to the client;
  
  obtain, responsive to the client not corresponding to the preauthorized client, a supplemental credential from the client;
  
  send, responsive to the supplemental credential being valid and responsive to the security credential being valid, the account data to the client;
  
  obtain a second request to use one of a plurality of account data recovery mechanisms from the client;
  
  determine, on a per-client basis, a subset of the plurality of account recovery mechanisms available to the client;
  
  enable use of the subset of the account recovery mechanisms available to the client; and
  
  disable use of those of the plurality of account recovery mechanisms excluded from the subset of the account recovery mechanisms.
- View Dependent Claims (2, 3, 4)
- - 2. The non-transitory computer-readable medium of claim 1, wherein the supplemental credential comprises a knowledge-based question or a one-time password.
  - 3. The non-transitory computer-readable medium of claim 1, wherein the supplemental credential comprises an answer to a knowledge-based question.
  - 4. The non-transitory computer-readable medium of claim 1, wherein the program, when executed, further causes the computing device to encode for rendering an interface to selectively enable or disable one or more of the plurality of account recovery mechanisms with respect to a particular client.

5. A system, comprising:
- at least one computing device configured to at least;
  
  store account data including a plurality of security credentials associated with a plurality of network sites for a user, the account data being stored in an encrypted form;
  
  obtain a request for the account data from a client, the request specifying a security credential for accessing the account data;
  
  send the account data to the client in response to determining that the client corresponds to a preauthorized client and in response to determining that the security credential for accessing the account data is valid; and
  
  obtain, in response to the client not corresponding to the preauthorized client, a supplemental credential from the client; and
  
  send the account data to the client in response to determining that the security credential and the supplemental credential are valid;
  
  obtain a second request to use one of a plurality of account data recovery mechanisms from the client;
  
  determine, on a per-client basis, a subset of the plurality of account recovery mechanisms available to the client;
  
  enable use of the subset of the account recovery mechanisms available to the client; and
  
  disable use of those of the plurality of account recovery mechanisms excluded from the subset of the account recovery mechanisms.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12)
- - 6. The system of claim 5, wherein the security credential is stored by a removable computer-readable medium of the client.
  - 7. The system of claim 5, further comprising determining whether the client corresponds to the preauthorized client based at least in part on a source network address of the request.
  - 8. The system of claim 5, further comprising determining whether the client corresponds to the preauthorized client based at least in part on a client-identifying token presented in the request.
  - 9. The system of claim 5, wherein the account data is sent to the client in the encrypted form.
  - 10. The system of claim 5, wherein the system is operated by a third-party entity relative to the network sites.
  - 11. The system of claim 5, wherein the supplemental credential comprises at least one of a one-time password or an answer to a knowledge-based question.
  - 12. The system of claim 5, wherein the at least one computing device is further configured to at least encode for rendering an interface to selectively enable or disable one or more of the plurality of account recovery mechanisms with respect to a particular client.

13. A method, comprising:
- storing, by at least one computing device, account data including a plurality of security credentials associated with a plurality of network sites for a user, the account data being stored in an encrypted form;
  
  obtaining, by the at least one computing device, a request for the account data from a client, the request specifying a security credential for accessing the account data;
  
  sending, by the at least one computing device, the account data to the client in response to determining that the client corresponds to a preauthorized client and in response to determining that the security credential for accessing the account data is valid; and
  
  obtaining, by the at least one computing device, in response to the client not corresponding to the preauthorized client, obtains a supplemental credential from the client;
  
  sending, by the at least one computing device, the account data to the client in response to determining that the supplemental credential is valid;
  
  obtaining, by the at least one computing device, a second request to use one of a plurality of account data recovery mechanisms from the client;
  
  determining, by the at least one computing device, on a per-client basis, a subset of the plurality of account recovery mechanisms available to the client;
  
  enabling, by the at least one computing device, use of the subset of the account recovery mechanisms available to the client; and
  
  disabling, by the at least one computing device, use of those of the plurality of account recovery mechanisms excluded from the subset of the account recovery mechanisms.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The method of claim 13, wherein the security credential is stored by a removable computer-readable medium of the client.
  - 15. The method of claim 13, wherein the method further comprises determining, by the at least one computing device, whether the client corresponds to the preauthorized client based at least in part on a source network address of the request.
  - 16. The method of claim 13, wherein the method further comprises determining, by the at least one computing device, whether the client corresponds to the preauthorized client based at least in part on a client-identifying token presented in the request.
  - 17. The method of claim 13, wherein the account data is sent to the client in the encrypted form.
  - 18. The method of claim 13, wherein the supplemental credential comprises a one-time password.
  - 19. The method of claim 13, wherein the supplemental credential comprises an answer to a knowledge-based question.
  - 20. The method of claim 13, further comprising encoding for rendering an interface to selectively enable or disable one or more of the plurality of account recovery mechanisms with respect to a particular client.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Hitchcock, Daniel W., Campbell, Brad Lee
Primary Examiner(s)
ZHAO, DON GORDON

Application Number

US14/615,931
Publication Number

US 20150180852A1
Time in Patent Office

592 Days
Field of Search

726/5
US Class Current

1/1
CPC Class Codes

G06F 21/00   Security arrangements for p...

G06F 21/41   where a single sign-on prov...

G06F 21/45   Structures or tools for the...

G06F 2221/2131   Lost password, e.g. recover...

H04L 63/06   for supporting key manageme...

H04L 63/08   for authentication of entit...

H04L 63/0815   providing single-sign-on or...

H04L 63/083   using passwords cryptograph...

H04L 63/0838   using one-time-passwords

H04L 63/0876   based on the identity of th...

H04L 63/102   Entity profiles

Recovery of managed security credentials

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

62 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Recovery of managed security credentials

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

62 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links