Recovery of managed security credentials
First Claim
1. A non-transitory computer-readable medium embodying a program executable in at least one computing device, the program, when executed, causing the at least one computing device to at least:
- store account data including a plurality of security credentials associated with a plurality of network sites for a user, the account data being stored in an encrypted form;
obtain a request for the account data from a client, the request specifying a security credential for accessing the account data;
determine whether the client corresponds to a preauthorized client based at least in part on a network address of the client or a client-identifying token included in the request;
send, responsive to the client corresponding to the preauthorized client and responsive to the security credential being valid, the account data to the client;
obtain, responsive to the client not corresponding to the preauthorized client, a supplemental credential from the client;
send, responsive to the supplemental credential being valid and responsive to the security credential being valid, the account data to the client;
obtain a second request to use one of a plurality of account data recovery mechanisms from the client;
determine, on a per-client basis, a subset of the plurality of account recovery mechanisms available to the client;
enable use of the subset of the account recovery mechanisms available to the client; and
disable use of those of the plurality of account recovery mechanisms excluded from the subset of the account recovery mechanisms.
1 Assignment
0 Petitions
Accused Products
Abstract
Disclosed are various embodiments for recovery and other management functions relating to security credentials which may be centrally managed. Account data, which includes multiple security credentials for multiple network sites for a user, is stored by a service in an encrypted form. A request for the account data is obtained from a client. The request specifies a security credential for accessing the account data. The account data is sent to the client in response to determining that the client corresponds to a preauthorized client and in response to determining that the security credential for accessing the account data is valid.
62 Citations
20 Claims
-
1. A non-transitory computer-readable medium embodying a program executable in at least one computing device, the program, when executed, causing the at least one computing device to at least:
-
store account data including a plurality of security credentials associated with a plurality of network sites for a user, the account data being stored in an encrypted form; obtain a request for the account data from a client, the request specifying a security credential for accessing the account data; determine whether the client corresponds to a preauthorized client based at least in part on a network address of the client or a client-identifying token included in the request; send, responsive to the client corresponding to the preauthorized client and responsive to the security credential being valid, the account data to the client; obtain, responsive to the client not corresponding to the preauthorized client, a supplemental credential from the client; send, responsive to the supplemental credential being valid and responsive to the security credential being valid, the account data to the client; obtain a second request to use one of a plurality of account data recovery mechanisms from the client; determine, on a per-client basis, a subset of the plurality of account recovery mechanisms available to the client; enable use of the subset of the account recovery mechanisms available to the client; and disable use of those of the plurality of account recovery mechanisms excluded from the subset of the account recovery mechanisms. - View Dependent Claims (2, 3, 4)
-
-
5. A system, comprising:
at least one computing device configured to at least; store account data including a plurality of security credentials associated with a plurality of network sites for a user, the account data being stored in an encrypted form; obtain a request for the account data from a client, the request specifying a security credential for accessing the account data; send the account data to the client in response to determining that the client corresponds to a preauthorized client and in response to determining that the security credential for accessing the account data is valid; and obtain, in response to the client not corresponding to the preauthorized client, a supplemental credential from the client; and send the account data to the client in response to determining that the security credential and the supplemental credential are valid; obtain a second request to use one of a plurality of account data recovery mechanisms from the client; determine, on a per-client basis, a subset of the plurality of account recovery mechanisms available to the client; enable use of the subset of the account recovery mechanisms available to the client; and disable use of those of the plurality of account recovery mechanisms excluded from the subset of the account recovery mechanisms. - View Dependent Claims (6, 7, 8, 9, 10, 11, 12)
-
13. A method, comprising:
-
storing, by at least one computing device, account data including a plurality of security credentials associated with a plurality of network sites for a user, the account data being stored in an encrypted form; obtaining, by the at least one computing device, a request for the account data from a client, the request specifying a security credential for accessing the account data; sending, by the at least one computing device, the account data to the client in response to determining that the client corresponds to a preauthorized client and in response to determining that the security credential for accessing the account data is valid; and obtaining, by the at least one computing device, in response to the client not corresponding to the preauthorized client, obtains a supplemental credential from the client; sending, by the at least one computing device, the account data to the client in response to determining that the supplemental credential is valid; obtaining, by the at least one computing device, a second request to use one of a plurality of account data recovery mechanisms from the client; determining, by the at least one computing device, on a per-client basis, a subset of the plurality of account recovery mechanisms available to the client; enabling, by the at least one computing device, use of the subset of the account recovery mechanisms available to the client; and disabling, by the at least one computing device, use of those of the plurality of account recovery mechanisms excluded from the subset of the account recovery mechanisms. - View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
-
Specification