Face image candidate determination apparatus for authentication, face image candidate determination method for authentication, program, and recording medium
US-2021334520-A1 · Oct 28, 2021 · US
US11477249B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11477249-B2 |
| Application number | US-202117163084-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jan 29, 2021 |
| Priority date | Jan 29, 2021 |
| Publication date | Oct 18, 2022 |
| Grant date | Oct 18, 2022 |
Official abstract text for this publication.
An identity provider (“IdP”) system maintains a framework of authentication methods and security targets that enables flexible authentication policy authoring and analysis of authentication performed by users of an organization. The IdP system generates authentication method profiles that include authentication factors and attributes, which may be further classified as required or optional. The IdP system also generates security target profiles that indicate security requirements needed to satisfy the corresponding security targets. The IdP system uses the generated profiles to determine relationships between authentication methods and security targets (e.g., a list of authentication methods that satisfy a given security target). Using these relationships, the IdP system may enable users to author policies and analyze how users' authentication behaviors comply with security targets.
Opening claim text (preview).
What is claimed is:
1. A computer-implemented method for determining an authentication policy used to authenticate a client device to an identity provider server, the method comprising: receiving security target information indicative of a mapping of a plurality of security targets to a plurality of authentication attributes; receiving authentication method information indicative of a mapping of a plurality of authentication methods to one or more of the plurality of authentication attributes; generating a plurality of security target profiles using the received security target information, a security target profile of a security target associated with a subset of the plurality of authentication attributes; generating a plurality of authentication method profiles using the received authentication method information, an authentication method profile of an authentication method associated with the subset of the plurality of authentication attributes; providing for display within a graphical user interface (GUI): a plurality of security target listings corresponding to the plurality of security targets, and a plurality of authentication method listings corresponding to the plurality of authentication methods; in response to receiving a user selection of a security target listing associated with the security target: identifying the authentication method using the security target profile and the authentication method profile, and modifying for display within the GUI an authentication method listing associated with the authentication method; and in response to receiving a user selection of the authentication method listing associated with the authentication method: identifying the security target using the authentication method profile and the security target profile, and modifying the security target listing for display within the GUI.
2. The computer-implemented method of claim 1, further comprising assigning a plurality of utility scores to the plurality of authentication methods.
3. The computer-implemented method of claim 2, wherein assigning the plurality of utility scores to the plurality of authentication methods comprises: determining a number of interactions made by a user to perform a given authentication method of the plurality of authentication methods; and assigning, based on the number of interactions, a utility score to the given authentication method.
4. The computer-implemented method of claim 2, wherein assigning the plurality of utility scores to respective authentication methods comprises: receiving respective user-specified attribute security scores for a required attribute of a given authentication method and an optional attribute of the given authentication method; and calculating a utility score for the given authentication method based on the respective user-specified attribute security scores.
5. The computer-implemented method of claim 2, wherein assigning the plurality of utility scores to respective authentication methods comprises: accessing authentication behavior records indicating that a plurality of users performed a given authentication method; determining, based on the authentication behavior records, a subset of the plurality of users performing the given authentication method; and calculating a utility score for the given authentication method based on the determined subset of the plurality of users.
6. The computer-implemented method of claim 2, further comprising, in response to receiving the user selection of the security target listing associated with the security target: determining a subset of authentication methods that meet the security target; ranking the subset based on respective utility scores of the subset of authentication methods; and modifying, based on the ranking, for display at the GUI the plurality of authentication method listings corresponding to the plurality of authentication methods.
7. The computer-implemented method of claim 6, wherein modifying, based on the ranking, for display at the GUI the plurality of authentication method listings corresponding to the plurality of authentication methods comprises providing for display within the GUI the plurality of authentication method listings in a plurality of sizes corresponding to the ranking.
8. The computer-implemented method of claim 1, further comprising, in response to receiving the user selection of the security target listing associated with the security target: determining that the identified authentication method is unavailable to an organization, wherein the authentication method listing is displayed within the GUI in a manner that visually distinguishes the authentication method listing from a subset of authentication method listings corresponding to available authentication methods of the plurality of authentication methods.
9. The computer-implemented method of claim 1, wherein generating the plurality of security target profiles comprises generating a plurality of respective security target data structures, a data structure of the plurality of respective security target data structures comprising a number corresponding to a required number of factors, a list of required attributes, and a list of attribute conditions corresponding to the list of required attributes.
10. The computer-implemented method of claim 1, wherein generating the plurality of authentication method profiles comprises generating a plurality of respective authentication method data structures, a data structure of the plurality of respective authentication method data structures comprising an identification number, an authentication method name, an enable status, a list of required factors, a list of optional factors, a list of required attributes, and a list of optional attributes.
11. The computer-implemented method of claim 1, wherein identifying, the authentication method using the security target profile and the authentication method profile comprises: generating a plurality of authentication method combinations using the plurality of authentication methods, wherein each combination comprises a respective set of factors and a respective set of attributes, wherein the plurality of authentication method combinations includes the authentication method; and for each combination of the plurality of authentication combinations: determining whether the set of factors of the combination satisfies a required number of factors indicated by the security target profile, determining whether the set of attributes of the combination satisfies a list of required attributes indicated by the security target profile, and responsive to determining that both the required number of factors and the list of required attributes are not satisfied by the combination, removing the combination from the plurality of authentication method combinations; and determining that a plurality of remaining authentication combinations satisfy both the required number of factors and the list of required attributes are satisfied, the plurality of remaining authentication combinations including the authentication method.
12. The computer-implemented method of claim 1, wherein identifying, the authentication method using the security target profile and the authentication method profile comprises: generating a plurality of authentication method combinations using the plurality of authentication methods, wherein each combination comprises respective sets of required factors, optional factors, required attributes, and optional attributes, wherein the plurality of authentication method combinations includes the authentication method; for each combination of the plurality of authent
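A sketch of the profile matching recited in claims 9 to 11, ranked as in claim 6, added here as an example and not taken from the patent. The factor and attribute names, the sample methods, the `interactions` field (a stand-in for a claim 3 style utility score) and the choice to count only required factors and attributes are assumptions.

```python
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class SecurityTarget:            # claim 9 fields (attribute conditions omitted)
    name: str
    required_factor_count: int
    required_attributes: frozenset

@dataclass(frozen=True)
class AuthMethod:                # claim 10 fields
    id: int
    name: str
    enabled: bool
    required_factors: frozenset
    optional_factors: frozenset
    required_attributes: frozenset
    optional_attributes: frozenset
    interactions: int            # assumed input: user interactions per login

def satisfying_combinations(methods, target, max_size=2):
    """Names of enabled method combinations meeting the target, fewest interactions first."""
    enabled = [m for m in methods if m.enabled]
    kept = []
    for size in range(1, max_size + 1):
        for combo in combinations(enabled, size):
            # Assumption: optional factors/attributes may be absent, so they are not counted.
            factors = frozenset().union(*(m.required_factors for m in combo))
            attrs = frozenset().union(*(m.required_attributes for m in combo))
            if (len(factors) >= target.required_factor_count
                    and target.required_attributes <= attrs):
                kept.append(combo)   # combinations failing either test are dropped
    kept.sort(key=lambda c: (sum(m.interactions for m in c), [m.id for m in c]))
    return [tuple(m.name for m in c) for c in kept]

F = frozenset
# Constructed sample profiles (not from the patent)
METHODS = [
    AuthMethod(1, "password", True, F({"knowledge"}), F(), F(), F(), 2),
    AuthMethod(2, "sms_otp", True, F({"possession"}), F(), F(), F(), 3),
    AuthMethod(3, "security_key", True, F({"possession"}), F({"inherence"}),
               F({"phishing_resistant"}), F({"user_verification"}), 1),
    AuthMethod(4, "push_app", False, F({"possession"}), F(), F(), F(), 1),
]
PHISHING_RESISTANT_2FA = SecurityTarget("phishing-resistant 2FA", 2, F({"phishing_resistant"}))
BASIC_2FA = SecurityTarget("basic 2FA", 2, F())
```

Two possession methods together still count as one factor, and the disabled `push_app` profile never appears in a result, which is why `sms_otp` plus `security_key` does not meet either target.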
Interaction with lists of selectable items, e.g. menus · CPC title
Interaction techniques to control parameter settings, e.g. interaction with sliders or dials · CPC title
involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved (negotiation of communication capabilities H04L69/24) · CPC title
applying multi-factor authentication · CPC title