Brokered authentication with risk sharing

US10652282B2 · US · B2

Patent metadata
Publication number: US-10652282-B2
Application number: US-201715433997-A
Country: US
Kind code: B2
Filing date: Feb 15, 2017
Priority date: Feb 15, 2017
Publication date: May 12, 2020
Grant date: May 12, 2020

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

Embodiments described herein are implemented in authentication brokering systems where an authentication broker issues security tokens that represent its authentications of users. Client devices operated by the users store the security tokens and send them to resource providers. The resource providers authenticate and grant access to the users based on validation of the security tokens. Authentication related messages exchanged between the resource providers and the authentication broker are used to exchange authentication risk data that is obtained or derived by the resource providers and the authentication broker. The resource providers obtain authentication risk data directly from the authentication broker and indirectly, via the authentication broker, from each other. As security tokens are used or managed, authentication risk data is shared among the participants in the authentication brokering system. The participants are able to modify their authentication procedures or make authentication decisions based on shared authentication risk data.

First claim

Opening claim text (preview).

The invention claimed is:

1. A method performed by an authentication brokering service comprising one or more computing devices comprising processing hardware and storage hardware configured with instructions to enable the processing hardware to perform the method, the method performed by the authentication brokering service comprising: receiving, by the authentication brokering service, an authentication request via a network from a client device operated by a user to authenticate a user identity that corresponds to the user, the authentication request generated by the client device, the authentication request received in a first message, the first message comprising a message conforming to an application-layer protocol, the authentication request comprising a request to authenticate the user identity that corresponds to the user; based on the authentication request, performing, by the authentication brokering service, a first authentication procedure to authenticate the user identity, the authenticating by the first authentication procedure comprising: validating that an authentication factor provided by the client device via the network matches a stored authentication factor pre-associated with the user identity, obtaining first authentication risk factors; obtaining a risk score computed based on the first authentication risk factors; and authenticating the user identity based on the validating of the authentication factor and based on the risk score; based on the authenticating of the user identity by the authentication brokering service: generating a security token associated with the user identity, storing an indication of the security token, generating a second message conforming to the application-layer protocol, the second message comprising the security token, and transmitting the second message to the client device via the network; storing, by the authentication brokering service, the first authentication risk factors in association with an indication of the security token that is stored by the authentication brokering service; receiving, by the authentication brokering service, a validation request via the network, the validation request generated and transmitted by a first resource provider incorporating the security token into the validation request based on having received the security token from the client, the validation request generated by the first resource provider in association with a second authentication procedure performed by the first resource provider, the first resource provider comprising an application-layer network service executed by one or more computing devices that requires authentication of clients to serve resources to the clients via the network, the validation request comprising a third message conforming to the application-layer protocol, the validation request comprising the security token, the security token having been provided to the first resource provider by the client, the validation request further comprising second authentication risk factors obtained by the first resource provider in association with the second authentication procedure; storing the received second authentication risk factors in association with the indication of the token; based on the validation request, validating the received security token, and based on the validation generating a validation confirmation message conforming to the application-layer protocol, the generating the validation confirmation message comprising incorporating the first authentication risk factors in the validation message based on first authentication risk factors being stored in association with the indication of the security token; and transmitting the validation confirmation message to the first resource provider via the network.

2. A method according to claim 1, wherein the first resource provider performs the second authentication procedure based on the first authentication risk factors being received in the validation confirmation message and based on the second authentication risk factors.

3. A method according to claim 1, further comprising: receiving a second validation request from a second resource provider, the second validation request comprising the security token; based on the second validation request, validating the security token from the second validation request and generating a second validation confirmation message by incorporating therein the first authentication risk factors and the second authentication risk factors; and transmitting the second validation confirmation message via the network to the second resource provider.

4. A method according to claim 3, wherein the second resource provider authorizes the client device to access a resource provided thereby by authenticating the client device based on the first authentication risk factors and based on the second authentication risk factors.

5. A method according to claim 1, wherein the first authentication risk factors comprise context information describing context of the authentication request.

6. A method according to claim 1, wherein the first authentication procedure comprises computing a risk score or risk probability according to context history of past authentication contexts stored in association with prior authentication requests for the user identity.

7. A method according to claim 1, wherein the authentication broker validates the token based on the second authentication risk factors.

8. A method according to claim 1, wherein the validating the received security token is performed according to the stored indication of the security token.

9. A method performed by an authentication brokering service comprising a first computing device, the method comprising: receiving, by the authentication brokering service, an authentication request via a network from a client application to authenticate a user, the authentication request originated by the client application, the authentication request received in a first message, the first message comprising a message conforming to an application-layer messaging protocol, the authentication request comprising a request to authenticate the user and comprising information associating the authentication request with the user; based on the authentication request, performing, by the authentication brokering service, a first authentication procedure to authenticate the user, the first authentication procedure comprising validating an authentication factor provided by the client application via the network with a stored authentication factor associated with the user identity, wherein the first authentication procedure authenticates the user identity; based on the authentication of the user identity by the authentication brokering service, generating a token associated with the user identity, storing an indication of the token, generating a second message conforming to the application-layer protocol, the second message comprising the security token, and transmitting the second message to the client device via the network, wherein the client application is configured to receive and store the token and to provide the token via the network to resource providers; receiving a first application-layer message from a first resource provider via the network, the first resource provider comprising a second computing device providing application-layer resources via the network, the first application-layer message comprising first authentication risk data derived or obtained by the first resource provider to compute a first risk scored used when performing a second authentication procedure to authenticate the user, wherein the second authentication procedure uses the token and the first risk score to determine whether to authen
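The exchange the abstract and claims 1 through 4 describe, as an added Python model that is not part of the patent or any Microsoft product: the broker checks the user's factor and a risk score before issuing a token, records risk factors against the token, and on each validation request returns everything recorded so far while storing the provider's own risk factors, so a second provider sees what the first one observed. The user, password, context fields and the scoring rule are constructed for illustration; the patent does not specify a risk model.

```python
import hmac
import secrets

STORED_FACTORS = {"alice": "correct horse battery staple"}  # constructed sample user

def risk_score(context):
    """Toy scoring of an authentication context; the patent leaves the model unspecified."""
    score = 0.0
    if context.get("new_device"):
        score += 0.4
    if context.get("country") != "US":
        score += 0.3
    return min(score, 1.0)

class AuthenticationBroker:
    """Authenticates users, issues tokens, and stores/shares risk factors per token."""
    def __init__(self, stored_factors, max_risk=0.8):
        self._stored, self._max_risk = stored_factors, max_risk
        self._tokens = {}  # token -> {"user": ..., "risk": [factor records]}

    def authenticate(self, user, factor, context):
        expected = self._stored.get(user)
        if expected is None or not hmac.compare_digest(expected, factor):
            return None
        first = {"source": "broker", **context, "score": risk_score(context)}
        if first["score"] > self._max_risk:
            return None  # factor matched, but the context is too risky to issue a token
        token = secrets.token_hex(16)  # opaque token; the stored indication is the token itself
        self._tokens[token] = {"user": user, "risk": [first]}
        return token

    def validate(self, token, provider, provider_risk):
        record = self._tokens.get(token)
        if record is None:
            return {"valid": False, "risk": []}
        shared = list(record["risk"])  # everything recorded so far for this token
        record["risk"].append({"source": provider, **provider_risk})
        return {"valid": True, "user": record["user"], "risk": shared}

class ResourceProvider:
    """A relying service: validates the token via the broker, then decides using shared risk."""
    def __init__(self, name, broker, max_risk):
        self.name, self.broker, self.max_risk = name, broker, max_risk

    def authorize(self, token, context):
        own = {**context, "score": risk_score(context)}  # second authentication risk factors
        reply = self.broker.validate(token, self.name, own)
        if not reply["valid"]:
            return False
        # Second authentication procedure: the highest risk seen by any participant decides.
        return max([own["score"]] + [r["score"] for r in reply["risk"]]) <= self.max_risk
```

With a mail provider that tolerates risk 0.5 and a payroll provider that tolerates 0.3, a new-device sign-in observed by mail is relayed through the broker and causes payroll to refuse the same token even though payroll itself saw nothing unusual.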

Assignees

Microsoft Technology Licensing LLC

Inventors

Classifications

  • using tickets or tokens, e.g. Kerberos (network architectures or network communication protocols for entities authentication using tickets in a packet data network H04L63/0807)

  • H04L63/205 (primary): involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved (negotiation of communication capabilities H04L69/24)

  • Biological data, e.g. fingerprint, voice or retina (network architectures or network communication protocols for supporting authentication of entities using biometrical features in a packet data network H04L63/0861)

  • using tickets, e.g. Kerberos (cryptographic mechanisms or cryptographic arrangements for entity authentication using tickets or tokens H04L9/3213)

  • involving digital signatures

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US10652282B2 cover?
Embodiments described herein are implemented in authentication brokering systems where an authentication broker issues security tokens that represent its authentications of users. Client devices operated by the users store the security tokens and send them to resource providers. The resource providers authenticate and grant access to the users based on validation of the security tokens. Authent…
Who is the assignee on this patent?
Microsoft Technology Licensing Llc
What technology area does this patent fall under?
Primary CPC classification H04L63/205. Mapped technology areas include Electricity.
When was this patent published?
Publication date May 12, 2020 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 6 related publications on this page (citations in our corpus or others sharing the same primary CPC).