-
Publication No.: US10033731B2
Publication Date: 2018-07-24
Application No.: US15664399
Filing Date: 2017-07-31
Applicant: Microsoft Technology Licensing, LLC
Inventor: David Steeves , Luke Abrams , Hersh Dangayach , Eric Fleischman , Prabu Raju , Krishna Vitaldevara , Niyantha Shekar , Payoj Baral , Meenakshi Ramaswamy , Winfred Wong , Yordan Rouskov , Ramesh Manne
Abstract: In one embodiment, a user authentication server may use geo-location tracking to determine whether to present an enhanced identity challenge. A communication interface 180 may receive a user login attempt by a user and a current location of the user login attempt. A data storage 150 may store a user location profile of the user. A processor 120 may execute a comparison of the current location to the user location profile. The communication interface 180 may present the user with an enhanced identity challenge before allowing user access based on the comparison.
-
Publication No.: US20170331811A1
Publication Date: 2017-11-16
Application No.: US15664399
Filing Date: 2017-07-31
Applicant: Microsoft Technology Licensing, LLC
Inventor: David Steeves , Luke Abrams , Hersh Dangayach , Eric Fleischman , Prabu Raju , Krishna Vitaldevara , Niyantha Shekar , Payoj Baral , Meenakshi Ramaswamy , Winfred Wong , Yordan Rouskov , Ramesh Manne
CPC classification number: H04L63/083 , G06F21/31 , G06F21/316 , G06F2221/2111 , H04L61/609 , H04L63/08 , H04L67/22 , H04L67/306 , H04W4/029
Abstract: In one embodiment, a user authentication server may use geo-location tracking to determine whether to present an enhanced identity challenge. A communication interface 180 may receive a user login attempt by a user and a current location of the user login attempt. A data storage 150 may store a user location profile of the user. A processor 120 may execute a comparison of the current location to the user location profile. The communication interface 180 may present the user with an enhanced identity challenge before allowing user access based on the comparison.
-
Publication No.: US20170295166A1
Publication Date: 2017-10-12
Application No.: US15634899
Filing Date: 2017-06-27
Applicant: MICROSOFT TECHNOLOGY LICENSING, LLC
Inventor: Wei-Qiang Guo , Lynn Ayres , Rui Chen , Sarah Faulkner , Yordan Rouskov
CPC classification number: H04L63/0815 , G06F17/30864 , G06F21/41 , G06F21/606 , G06F21/6209 , H04L9/3234 , H04L63/08 , H04L63/0853 , H04L63/101
Abstract: A federated realm discovery system within a federation determines a “home” realm associated with a portion of the user's credentials before the user's secret information (such as a password) is passed to a non-home realm. A login user interface accepts a user identifier and, based on the user identifier, can use various methods to identify an account authority service within the federation that can authenticate the user. In one method, a realm list of the user device can be used to direct the login to the appropriate home realm of the user. In another method, an account authority service in a non-home realm can look up the user's home realm and provide realm information directing the user device to login at the home realm.
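The realm discovery flow in this abstract, as an added example that is not part of the patent or of any Microsoft code: both methods are shown, a realm list cached on the device and a lookup at a non-home account authority, and the simulated login records which authority ever receives the password so the property the abstract claims (no secret reaches a non-home realm) can be checked. The federation directory, realm names and authority URLs are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed federation directory: realm (the domain part of the user id) -> account
# authority URL. Every realm and URL here is hypothetical.
FEDERATION = {
    "contoso.example": "https://login.contoso.example/auth",
    "fabrikam.example": "https://sts.fabrikam.example/auth",
}


@dataclass(frozen=True)
class RealmInfo:
    realm: str
    authority: str
    source: str  # "device-realm-list" or "non-home-lookup"


def realm_of(user_id: str) -> str:
    """The portion of the credentials that identifies the realm: no secret is involved."""
    parts = user_id.split("@")
    if len(parts) != 2 or not parts[0] or not parts[1]:
        raise ValueError("user id must have the form name@realm")
    return parts[1].lower()


def non_home_lookup(realm: str) -> Optional[str]:
    """What an account authority in a non-home realm does: look up the user's home realm
    and return realm information that redirects the device there (method 2)."""
    return FEDERATION.get(realm)


def discover_home_realm(user_id, device_realm_list, lookup=non_home_lookup) -> RealmInfo:
    realm = realm_of(user_id)
    if realm in device_realm_list:  # method 1: realm list already on the device
        return RealmInfo(realm, device_realm_list[realm], "device-realm-list")
    authority = lookup(realm)  # method 2: ask a non-home authority for the home realm
    if authority is None:
        raise LookupError(f"no account authority known for realm {realm}")
    return RealmInfo(realm, authority, "non-home-lookup")


class LoginUI:
    """Simulated login user interface. `sent` records every (authority, password) pair the
    device released, so a test can confirm that only home-realm authorities appear."""

    def __init__(self, device_realm_list):
        self.device_realm_list = dict(device_realm_list)
        self.sent = []

    def login(self, user_id: str, password: str) -> RealmInfo:
        # Discovery happens on the user identifier alone, before the password leaves the device.
        info = discover_home_realm(user_id, self.device_realm_list)
        self.device_realm_list[info.realm] = info.authority  # cache for the next login
        self.sent.append((info.authority, password))  # only the home realm ever sees it
        return info
```

The second login for a realm found through the non-home lookup is served from the device realm list, which is why the device list is updated after every successful discovery; a realm that no authority in the federation knows fails before any credential is transmitted.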
-
Publication No.: US20170195121A1
Publication Date: 2017-07-06
Application No.: US14986388
Filing Date: 2015-12-31
Applicant: Microsoft Technology Licensing, LLC.
Inventor: Adrian Frei , Tarek B. Kamel , Guruprasad B. Aphale , Sankara Narayanan Venkataraman , Xiaohong Su , Yordan Rouskov , Vijay G. Bharadwaj
CPC classification number: H04L9/3213 , H04L9/0825 , H04L9/0841 , H04L9/0869 , H04L9/3242 , H04L63/0428 , H04L63/0435 , H04L63/0807 , H04L2463/061
Abstract: Binding a security token to a client token binder, such as a trusted platform module, is provided. A bound security token can only be used on the client on which it was obtained. A secret binding key (kbind) is established between the client and an STS. The client derives a key (kmac) from kbind, signs a security token request with kmac, and instructs the STS to bind the requested security token to kbind. The STS validates the request by deriving kmac from kbind and a client-provided nonce, computing a MAC over the message, and comparing it with the MAC the client sent. If the request is validated, the STS generates a response comprising the requested security token, derives two keys from kbind, one to sign the response and one to encrypt the response, and sends the response to the client. Only a device comprising kbind is enabled to use the bound security token, providing increased security.
-
Publication No.: US20170085553A1
Publication Date: 2017-03-23
Application No.: US15365726
Filing Date: 2016-11-30
Applicant: Microsoft Technology Licensing, LLC
Inventor: Ariel Gordon , Samuel Devasahayam , Lu Zhao , Yordan Rouskov , Parmeshwar Miguel Sequeira Arewar , Venkatesh Gopalakrishnan , Sarat Chandra Subramaniam , Titus Constantin Miron
IPC: H04L29/06
CPC classification number: H04L63/083 , H04L63/08 , H04L63/102 , H04L63/1416 , H04L67/02 , H04L67/14 , H04L69/28
Abstract: Embodiments are directed to revoking user sessions using signaling. In one scenario, an identity platform operating on a computer system receives an indication that a user's login account has been compromised, where the user's login account has an associated login session and a corresponding session artifact that is valid for a specified amount of time. The identity platform generates a signal indicating that the login session is no longer trusted and that the user is to be redirected to the identity platform to re-authenticate and renew the session artifact, and provides the generated signal to various relying parties, including at least one relying party that is hosting the login session for the user.
-
Publication No.: US10965667B2
Publication Date: 2021-03-30
Application No.: US16708270
Filing Date: 2019-12-09
Applicant: Microsoft Technology Licensing, LLC
Inventor: David Steeves , Luke Abrams , Hersh Dangayach , Eric Fleischman , Prabu Raju , Krishna Vitaldevara , Niyantha Shekar , Payoj Baral , Meenakshi Ramaswamy , Winfred Wong , Yordan Rouskov , Ramesh Manne
Abstract: In one embodiment, a user authentication server may use geo-location tracking to determine whether to present an enhanced identity challenge. A communication interface 180 may receive a user login attempt by a user and a current location of the user login attempt. A data storage 150 may store a user location profile of the user. A processor 120 may execute a comparison of the current location to the user location profile. The communication interface 180 may present the user with an enhanced identity challenge before allowing user access based on the comparison.
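The comparison this abstract describes (current login location against a stored user location profile, with an enhanced challenge when they disagree), as an added example that is not part of the patent or of any Microsoft code. It goes slightly beyond the abstract by applying two tests a practitioner would combine: distance from any previously seen location, and an impossible-travel check against the most recent successful login. The radius and speed thresholds, the coordinates and the profile update policy are assumptions chosen for the example.

```python
import math
from dataclasses import dataclass, field
from typing import Optional

EARTH_RADIUS_KM = 6371.0


@dataclass
class LoginAttempt:
    user: str
    lat: float
    lon: float
    ts: float  # seconds since the epoch


@dataclass
class LocationProfile:
    """The user location profile: locations of prior successful logins plus the latest one."""
    known: list = field(default_factory=list)  # [(lat, lon), ...]
    last: Optional[LoginAttempt] = None


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two WGS84 points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def needs_enhanced_challenge(profile, attempt, radius_km=100.0, max_speed_kmh=900.0):
    """Compare the current location with the profile. Returns (challenge?, reason).

    Thresholds are assumptions: 100 km counts as "the same place", and anything faster
    than roughly airliner speed since the last login is treated as impossible travel."""
    if profile.last is not None:
        dist = haversine_km(profile.last.lat, profile.last.lon, attempt.lat, attempt.lon)
        hours = (attempt.ts - profile.last.ts) / 3600.0
        if dist > radius_km and (hours <= 0 or dist / hours > max_speed_kmh):
            return True, "impossible travel"
    if not any(haversine_km(la, lo, attempt.lat, attempt.lon) <= radius_km
               for la, lo in profile.known):
        return True, "unfamiliar location"
    return False, "familiar location"


def record_success(profile, attempt):
    """Update the profile once the user has logged in (with or without the challenge).
    A new point is stored only if it is not essentially a duplicate of a known one."""
    if not any(haversine_km(la, lo, attempt.lat, attempt.lon) <= 1.0 for la, lo in profile.known):
        profile.known.append((attempt.lat, attempt.lon))
    profile.last = attempt
```

A brand-new user has an empty profile and is therefore challenged on first login; a login from a known city is not; a login from an unknown city is challenged either because it is unfamiliar or, when it comes too soon after the previous login to have been reached physically, because of impossible travel. Geo-IP is coarse, so the radius should be wide enough to absorb ordinary ISP relocation rather than treating every new IP as a new place.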
-
Publication No.: US10142107B2
Publication Date: 2018-11-27
Application No.: US14986388
Filing Date: 2015-12-31
Applicant: Microsoft Technology Licensing, LLC.
Inventor: Adrian Frei , Tarek B. Kamel , Guruprasad B. Aphale , Sankara Narayanan Venkataraman , Xiaohong Su , Yordan Rouskov , Vijay G. Bharadwaj
Abstract: Binding a security token to a client token binder, such as a trusted platform module, is provided. A bound security token can only be used on the client on which it was obtained. A secret binding key (kbind) is established between the client and an STS. The client derives a key (kmac) from kbind, signs a security token request with kmac, and instructs the STS to bind the requested security token to kbind. The STS validates the request by deriving kmac from kbind and a client-provided nonce, computing a MAC over the message, and comparing it with the MAC the client sent. If the request is validated, the STS generates a response comprising the requested security token, derives two keys from kbind, one to sign the response and one to encrypt the response, and sends the response to the client. Only a device comprising kbind is enabled to use the bound security token, providing increased security.
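The token-binding exchange described in this abstract and in the earlier US20170195121A1 entry, as an added example that is not part of the patent or of any Microsoft code. Both sides are shown: the client derives kmac from kbind and a nonce and MACs the request; the STS re-derives kmac, verifies the MAC in constant time, issues a token whose confirmation claim names the binder, and derives separate signing and encryption keys from kbind for the response. A relying party then demands proof of possession, so a copy of the token on a device without kbind is useless. Assumptions: kbind is assumed to have been established out of band (the TPM-backed exchange is not modelled), the key-derivation labels, the JSON message layout, the `cnf`/`kid` claim names and the relying party's access to the STS binder registry are all choices made for this example, and the response cipher is a stdlib-only HMAC counter-mode keystream used for demonstration where a real system would use an AEAD.

```python
import hashlib
import hmac
import json
import secrets

HASH = hashlib.sha256


def canonical(obj) -> bytes:
    """Deterministic JSON encoding so both sides MAC the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def hkdf_expand(prk: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF-Expand with HMAC-SHA256; prk is kbind, treated as already extracted."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def derive(kbind: bytes, label: bytes, nonce: bytes = b"") -> bytes:
    """All per-message keys (kmac, response signing key, response encryption key, proof-of-
    possession key) are derived from kbind with a distinct label and the request nonce."""
    return hkdf_expand(kbind, label + b"|" + nonce)


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Demonstration-only cipher: HMAC-SHA256 in counter mode as a keystream (XOR is its own
    inverse). Chosen to keep the example stdlib-only; production code should use an AEAD."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), HASH).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class STS:
    def __init__(self):
        self.binders = {}  # key_id -> kbind, established out of band (assumption)

    def register(self, key_id: str, kbind: bytes):
        self.binders[key_id] = kbind

    def issue(self, request: dict, mac: bytes):
        kbind = self.binders.get(request["bind_to"])
        if kbind is None:
            raise ValueError("unknown token binder")
        nonce = bytes.fromhex(request["nonce"])
        kmac = derive(kbind, b"mac", nonce)  # re-derive kmac from kbind and the client nonce
        expected = hmac.new(kmac, canonical(request), HASH).digest()
        if not hmac.compare_digest(expected, mac):
            raise ValueError("request MAC mismatch")
        token = {"sub": request["sub"], "scope": request["scope"],
                 "cnf": {"kid": request["bind_to"]}}  # token is bound to this binder
        ksig = derive(kbind, b"resp-sig", nonce)  # one key to sign the response ...
        kenc = derive(kbind, b"resp-enc", nonce)  # ... and one to encrypt it
        ciphertext = keystream_xor(kenc, nonce, canonical(token))
        return ciphertext, hmac.new(ksig, ciphertext, HASH).digest()


class Client:
    def __init__(self, key_id: str, kbind: bytes):
        self.key_id, self.kbind = key_id, kbind

    def request_token(self, sub: str, scope: str):
        nonce = secrets.token_bytes(16)
        request = {"sub": sub, "scope": scope, "bind_to": self.key_id, "nonce": nonce.hex()}
        kmac = derive(self.kbind, b"mac", nonce)
        return request, hmac.new(kmac, canonical(request), HASH).digest()

    def open_response(self, request: dict, ciphertext: bytes, signature: bytes) -> dict:
        nonce = bytes.fromhex(request["nonce"])
        ksig = derive(self.kbind, b"resp-sig", nonce)
        if not hmac.compare_digest(hmac.new(ksig, ciphertext, HASH).digest(), signature):
            raise ValueError("response signature mismatch")
        return json.loads(keystream_xor(derive(self.kbind, b"resp-enc", nonce), nonce, ciphertext))

    def prove_possession(self, token: dict, challenge: bytes) -> bytes:
        return hmac.new(derive(self.kbind, b"pop", challenge), canonical(token), HASH).digest()


class RelyingParty:
    """Accepts a bound token only with a fresh proof that the presenter holds kbind.
    Looking kbind up in the STS registry directly is a simplification for the example."""

    def __init__(self, sts: STS):
        self.sts = sts

    def accept(self, token: dict, challenge: bytes, proof: bytes) -> bool:
        kbind = self.sts.binders[token["cnf"]["kid"]]
        expected = hmac.new(derive(kbind, b"pop", challenge), canonical(token), HASH).digest()
        return hmac.compare_digest(expected, proof)


def demo() -> dict:
    sts, kbind = STS(), secrets.token_bytes(32)
    sts.register("tpm-key-1", kbind)
    device = Client("tpm-key-1", kbind)
    request, mac = device.request_token("alice", "mail.read")
    token = device.open_response(request, *sts.issue(request, mac))
    rp, challenge = RelyingParty(sts), secrets.token_bytes(16)
    thief = Client("tpm-key-1", secrets.token_bytes(32))  # has the token bytes, not kbind
    return {"issued": token["cnf"]["kid"] == "tpm-key-1",
            "device_accepted": rp.accept(token, challenge, device.prove_possession(token, challenge)),
            "thief_rejected": not rp.accept(token, challenge, thief.prove_possession(token, challenge))}
```

Three things the abstract leaves implicit are visible here: every derived key mixes in the nonce, so a replayed request cannot reuse an old kmac; the response is both encrypted and signed under different keys, so the client detects a tampered response before decrypting it; and the token itself carries no secret, so it can be logged or cached, while only the device holding kbind can answer a relying party's challenge.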
-
Publication No.: US20180139200A1
Publication Date: 2018-05-17
Application No.: US15825523
Filing Date: 2017-11-29
Applicant: Microsoft Technology Licensing, LLC
Inventor: Ariel Gordon , Samuel Devasahayam , Lu Zhao , Yordan Rouskov , Parmeshwar Miguel Sequeira Arewar , Venkatesh Gopalakrishnan , Sarat Chandra Subramaniam , Titus Constantin Miron
IPC: H04L29/06
CPC classification number: H04L63/083 , H04L63/08 , H04L63/102 , H04L63/1416 , H04L67/02 , H04L67/14 , H04L69/28
Abstract: Embodiments are directed to revoking user sessions using signaling. In one scenario, an identity platform operating on a computer system receives an indication that a user's login account has been compromised, where the user's login account has an associated login session and a corresponding session artifact that is valid for a specified amount of time. The identity platform generates a signal indicating that the login session is no longer trusted and that the user is to be redirected to the identity platform to re-authenticate and renew the session artifact, and provides the generated signal to various relying parties, including at least one relying party that is hosting the login session for the user.
-
Publication No.: US20170054712A1
Publication Date: 2017-02-23
Application No.: US15219994
Filing Date: 2016-07-26
Applicant: MICROSOFT TECHNOLOGY LICENSING, LLC
Inventor: Allan Edwin Wetter , Adrian Frei , Peter M. Tsang , Yordan Rouskov
IPC: H04L29/06
CPC classification number: H04L63/0853 , G06F21/335 , G06F21/41 , G06F2221/2115 , H04L63/0807 , H04L63/083 , H04L63/0861
Abstract: One or more techniques and/or systems are provided for obtaining access to a cloud service. In particular, a user may log into a client device using an operating system (OS) cloud login ID. The user may access cloud services (e.g., a music streaming service, a data storage service, etc.) through applications executing on the client device using merely the OS cloud login ID without providing additional login credentials specific to the cloud services. A client side application may request a token to access a cloud service. The token may be generated by an identity provider based upon the identity provider verifying an application ID identifying the application, a cloud service ID identifying the cloud service and/or OS cloud credentials. In this way, the application may present the token to a cloud service provider for verification to gain access to the cloud service hosted by the cloud service provider.
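The token issuance this abstract describes (identity provider verifies the application ID, the cloud service ID and the OS cloud credentials, then the application presents the token to the cloud service provider), as an added example that is not part of the patent or of any Microsoft code. The accounts, application registrations, service names, signing key and claim names (`azp`, `aud`) are constructed for the example; the point it adds is that the token is audience-restricted, so a token minted for one cloud service is rejected by another.

```python
import hashlib
import hmac
import json

IDP_KEY = b"constructed-identity-provider-key"  # constructed secret for the example
# OS cloud login id -> OS cloud credential the identity provider verifies (constructed)
OS_CLOUD_ACCOUNTS = {"alice@live.example": "constructed-os-cloud-secret"}
# application ID -> cloud services that application is registered to call (constructed)
REGISTERED_APPS = {"music-app": {"music-stream"}, "backup-app": {"cloud-storage"}}
CLOUD_SERVICES = {"music-stream", "cloud-storage"}


def _canonical(claims: dict) -> bytes:
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def _sign(claims: dict) -> str:
    return hmac.new(IDP_KEY, _canonical(claims), hashlib.sha256).hexdigest()


def issue_token(os_login_id, os_credential, app_id, service_id, now, ttl=3600) -> dict:
    """Identity provider: verify the OS cloud credentials, the application ID and the cloud
    service ID, then mint a token usable only by that application at that one service."""
    expected = OS_CLOUD_ACCOUNTS.get(os_login_id)
    if expected is None or not hmac.compare_digest(expected.encode(), os_credential.encode()):
        raise PermissionError("OS cloud credentials rejected")
    if service_id not in CLOUD_SERVICES:
        raise PermissionError("unknown cloud service")
    if service_id not in REGISTERED_APPS.get(app_id, set()):
        raise PermissionError(f"application {app_id} is not registered for {service_id}")
    claims = {"sub": os_login_id, "azp": app_id, "aud": service_id, "iat": now, "exp": now + ttl}
    return {"claims": claims, "sig": _sign(claims)}


def verify_token(token: dict, my_service_id: str, now) -> tuple:
    """Cloud service provider: accept only tokens the identity provider signed for this
    service and that are within their validity window. Returns (accepted?, reason)."""
    claims = token["claims"]
    if not hmac.compare_digest(_sign(claims), token["sig"]):
        return False, "bad signature"
    if claims["aud"] != my_service_id:
        return False, "audience mismatch"
    if not claims["iat"] <= now < claims["exp"]:
        return False, "expired"
    return True, "ok"
```

The user never types a service-specific password: the OS cloud credential is verified once by the identity provider, and the application-to-service authorisation lives in the registration table rather than in anything the user supplies.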
-
Publication No.: US09537851B2
Publication Date: 2017-01-03
Application No.: US14452726
Filing Date: 2014-08-06
Applicant: Microsoft Technology Licensing, LLC
Inventor: Ariel Gordon , Samuel Devasahayam , Lu Zhao , Yordan Rouskov , Parmeshwar Arewar , Venkatesh Gopalakrishnan , Sarat Chandra Subramaniam , Titus Constantin Miron
CPC classification number: H04L63/083 , H04L63/08 , H04L63/102 , H04L63/1416 , H04L67/02 , H04L67/14 , H04L69/28
Abstract: Embodiments are directed to revoking user sessions using signaling. In one scenario, an identity platform operating on a computer system receives an indication that a user's login account has been compromised, where the user's login account has an associated login session and a corresponding session artifact that is valid for a specified amount of time. The identity platform generates a signal indicating that the login session is no longer trusted and that the user is to be redirected to the identity platform to re-authenticate and renew the session artifact, and provides the generated signal to various relying parties, including at least one relying party that is hosting the login session for the user.
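The revocation signaling described in this abstract and in the two earlier entries for the same family (US20170085553A1 and US20180139200A1), as an added example that is not part of the patent or of any Microsoft code. It shows the problem the signal solves: a session artifact is valid for a fixed time, so without the signal a relying party would keep honouring it after the account is known to be compromised. The identity platform pushes a "not trusted before" time per user to every relying party; each relying party compares it with the artifact's issue time and redirects for re-authentication when the artifact predates it. The artifact format, the HMAC signing key and the signal shape are assumptions made for the example.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

IDP_KEY = b"constructed-idp-signing-key"  # constructed secret for the example


@dataclass(frozen=True)
class SessionArtifact:
    """What the relying party holds for a login session: subject, issue and expiry times,
    and the identity platform's signature over them."""
    sub: str
    iat: int
    exp: int
    sig: str


def _sign(sub: str, iat: int, exp: int) -> str:
    msg = json.dumps({"sub": sub, "iat": iat, "exp": exp}, sort_keys=True).encode()
    return hmac.new(IDP_KEY, msg, hashlib.sha256).hexdigest()


class RelyingParty:
    def __init__(self, name: str):
        self.name = name
        self.not_before = {}  # sub -> earliest artifact issue time still trusted

    def receive_signal(self, signal: dict):
        """Signal from the identity platform: sessions of `sub` issued before `not_before`
        are no longer trusted. Only ever moves forward, so a stale signal cannot un-revoke."""
        sub, nb = signal["sub"], signal["not_before"]
        self.not_before[sub] = max(self.not_before.get(sub, 0), nb)

    def handle_request(self, artifact: SessionArtifact, now: int) -> str:
        """Returns "ok", "reject" (forged artifact) or "redirect-reauth" (send the user back to
        the identity platform to re-authenticate and obtain a fresh artifact)."""
        if not hmac.compare_digest(_sign(artifact.sub, artifact.iat, artifact.exp), artifact.sig):
            return "reject"
        if now >= artifact.exp:
            return "redirect-reauth"
        if artifact.iat < self.not_before.get(artifact.sub, 0):
            return "redirect-reauth"  # revoked by signal although not yet expired
        return "ok"


class IdentityPlatform:
    def __init__(self, relying_parties, ttl: int = 8 * 3600):
        self.rps = list(relying_parties)
        self.ttl = ttl

    def authenticate(self, sub: str, now: int) -> SessionArtifact:
        return SessionArtifact(sub, now, now + self.ttl, _sign(sub, now, now + self.ttl))

    def on_compromise(self, sub: str, now: int) -> dict:
        """Indication that the account is compromised: generate the signal and push it to all
        relying parties, including whichever one is hosting the user's session."""
        signal = {"sub": sub, "not_before": now}
        for rp in self.rps:
            rp.receive_signal(signal)
        return signal
```

Because the check is on the artifact's issue time rather than on a per-session blacklist, a relying party needs one integer per user, every pre-compromise session of that user is revoked at once, and the artifact minted when the user re-authenticates (issued at or after the signal time) is accepted without any further exchange.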