US2026058998A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2026058998-A1 |
| Application number | US-202519371890-A |
| Country | US |
| Kind code | A1 |
| Filing date | Oct 28, 2025 |
| Priority date | Apr 30, 2024 |
| Publication date | Feb 26, 2026 |
| Grant date | — |
Official abstract text for this publication.
An authentication server of an identity management system may establish an authentication policy for a tenant of a multi-tenant system and receive device access signals from one or more network identifiers. In some examples, the authentication server may receive an indication from machine learning (ML) models to update the authentication policy of a tenant based on a set of authentication rules of one or more second tenants that are for one or more applications common between the tenant and the one or more second tenants. In some other examples, the ML model may monitor a set of device access signals received at the authentication server to obtain a set of assurance scores for associated network identifiers. The authentication server may then update the authentication policy for a tenant, generate a set of network zones, or both based on the ML model outputs.
Opening claim text (preview).
What is claimed is:

1. A method for network zone management, comprising: receiving, from a first device associated with a first user, a first device access signal associated with a first network identifier that corresponds to the first device; receiving, from a second device associated with a second user, a second device access signal associated with a second network identifier that corresponds to the second device; monitoring, via a machine learning model, the first device access signal and the second device access signal to obtain a first assurance score for the first network identifier associated with the first device access signal and to obtain a second assurance score for the second network identifier associated with the second device access signal, wherein the first assurance score and the second assurance score are obtained based at least in part on a first set of data that is associated with one or more tenants of a multi-tenant system; and generating, for a first tenant of the multi-tenant system via the machine learning model, a first set of network zones comprising the first network identifier and the second network identifier based at least in part on the first assurance score associated with the first network identifier and the second assurance score associated with the second network identifier each satisfying a first threshold.

2. The method of claim 1, further comprising: receiving, via one or more user inputs, an indication of a second set of network zones prior to receiving the first device access signal and the second device access signal, wherein the second set of network zones are updated based at least in part on monitoring the first device access signal and the second device access signal.

3. The method of claim 1, further comprising: storing, at a multi-tenant database of the multi-tenant system, a second set of data comprising the first network identifier, the first assurance score associated with the first network identifier, the second network identifier, the second assurance score associated with the second network identifier, or any combination thereof, the multi-tenant database comprising the first set of data associated with the one or more tenants of the multi-tenant system, wherein the first set of network zones are generated based at least in part on storing the second set of data within the multi-tenant database, wherein storing data in the multi-tenant database of the multi-tenant system comprises updating data within the multi-tenant database.

4. The method of claim 1, further comprising: transmitting, to a third user associated with a tenant of the multi-tenant system, an indication of the first set of network zones generated and a recommendation to establish the first set of network zones; and receiving, via a user input from the third user, an indication to establish the first set of network zones or an indication to refuse establishing the first set of network zones, the indication being based at least in part on the recommendation being transmitted to the third user.

5. The method of claim 1, wherein the first device access signal comprises data associated with the first device and the first user, and the second device access signal comprises data associated with the second device and the second user, and monitoring the first device access signal and the second device access signal comprises: monitoring, via the machine learning model, the data of a respective device access signal to obtain a respective assurance score for a respective network identifier associated the respective device access signal.

6. The method of claim 1, wherein the first device access signal, the second device access signal, or both are associated with a phishing-resistant platform, data that is associated with a respective tenant of the multi-tenant system, a network identifier that is associated with the respective tenant, a respective device that is managed by the respective tenant, or any combination thereof.

7. The method of claim 1, wherein a respective network identifier of a respective device access signal comprises an internet protocol address, a geographical location, or both.

8. The method of claim 1, wherein a respective network zone of the first set of network zones provides one or more users access or restricts one or more users access to a network associated with a tenant, one or more applications associated with the tenant, or a combination thereof while the one or more users are within the respective network zone.

9. The method of claim 1, wherein the first device access signal indicates a first set of data associated with the first device and the first user and the second device access signal indicates a second set of data associated with the second device and the second user.

10. An apparatus for network zone management, comprising: one or more memories storing processor-executable code; and one or more processors coupled with the one or more memories and individually or collectively operable to execute the code to cause the apparatus to: receive, from a first device associated with a first user, a first device access signal associated with a first network identifier that corresponds to the first device; receive, from a second device associated with a second user, a second device access signal associated with a second network identifier that corresponds to the second device; monitor, via a machine learning model, the first device access signal and the second device access signal to obtain a first assurance score for the first network identifier associated with the first device access signal and to obtain a second assurance score for the second network identifier associated with the second device access signal, wherein the first assurance score and the second assurance score are obtained based at least in part on a first set of data that is associated with one or more tenants of a multi-tenant system; and generate, for a first tenant of the multi-tenant system via the machine learning model, a first set of network zones comprising the first network identifier and the second network identifier based at least in part on the first assurance score associated with the first network identifier and the second assurance score associated with the second network identifier each satisfying a first threshold.

11. The apparatus of claim 10, wherein the one or more processors are individually or collectively further operable to execute the code to cause the apparatus to: receive, via one or more user inputs, an indication of a second set of network zones prior to receiving the first device access signal and the second device access signal, wherein the second set of network zones are updated based at least in part on monitoring the first device access signal and the second device access signal.

12. The apparatus of claim 10, wherein the one or more processors are individually or collectively further operable to execute the code to cause the apparatus to: store, at a multi-tenant database of the multi-tenant system, a second set of data comprising the first network identifier, the first assurance score associated with the first network identifier, the second network identifier, the second assurance score associated with the second network identifier, or any combination thereof, the multi-tenant database comprising the first set of data associated with the one or more tenants of the multi-tenant system, wherein the first set of network zones are generated based at least in part on storing the second set of data within the multi-tenant database, wherein storing data in the multi-tenant database of
for managing network security; network security policies in general (filtering policies H04L63/0227) · CPC title