| CPC H04L 63/1483 (2013.01) [G06F 11/00 (2013.01); G06F 21/40 (2013.01); G06F 21/43 (2013.01); G06F 21/44 (2013.01); G06F 21/45 (2013.01); G06F 21/554 (2013.01); G06F 21/566 (2013.01); G06F 21/57 (2013.01); G06F 21/64 (2013.01); H04L 9/3213 (2013.01); H04L 41/0631 (2013.01); H04L 41/142 (2013.01); H04L 43/10 (2013.01); H04L 51/212 (2022.05); H04L 63/02 (2013.01); H04L 63/0209 (2013.01); H04L 63/0227 (2013.01); H04L 63/0236 (2013.01); H04L 63/0254 (2013.01); H04L 63/0428 (2013.01); H04L 63/08 (2013.01); H04L 63/0807 (2013.01); H04L 63/10 (2013.01); H04L 63/14 (2013.01); H04L 63/1408 (2013.01); H04L 63/1416 (2013.01); H04L 63/1425 (2013.01); H04L 63/1441 (2013.01); H04L 63/1466 (2013.01); H04L 63/1491 (2013.01); H04L 63/164 (2013.01); H04L 63/20 (2013.01); H04L 67/104 (2013.01)] | 20 Claims |

1. A computer program product comprising a non-transitory computer-readable medium embodying computer-executable code that, when executing on an authentication service accessible through a data network, causes the authentication service to perform steps comprising:
receiving a heartbeat from an endpoint through a data network, wherein the heartbeat indicates compliance of the endpoint with a security policy for an enterprise network associated with the endpoint, and wherein the heartbeat is cryptographically secured by the endpoint to permit verification of a source of the heartbeat with reference to a trusted third party;
receiving a request from the endpoint for an authentication token suitable for authenticating a user of the endpoint to a secure service accessible by the endpoint through the data network;
requesting a verification of the compliance of the endpoint with the security policy by verifying the heartbeat from the endpoint with reference to the trusted third party;
in response to receiving the request from the endpoint, and in response to using the compliance of the endpoint with the security policy as a security factor by verifying the heartbeat with reference to the trusted third party, providing the authentication token requested by the endpoint for authenticating to a remote service by performing steps comprising:
generating the authentication token requested by the endpoint;
generating verification information for use by an access control system in verifying the authentication token;
transmitting the verification information for verifying the authentication token to the access control system for accessing the secure service; and
returning the authentication token to the endpoint, wherein the authentication token is one of a plurality of authentication factors used in authenticating the user of the endpoint to the secure service with a multi-factor authentication system based at least in part on compliance of the endpoint with the security policy; and
in response to receiving the request from the endpoint, and in response to the endpoint not being in compliance with the security policy, not providing the authentication token to the remote service.
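The flow in claim 1, modelled as a small simulation (example code added for this page; it is not from the patent or any product). It assumes the heartbeat is secured with an HMAC key held by the trusted third party, that the verification information sent to the access control system is a hash of the token, and constructed identifiers such as "laptop-42"; the claim itself fixes none of these details.

```python
import hashlib
import hmac
import json
import secrets

class TrustedThirdParty:
    """Holds each enrolled endpoint's heartbeat key; only it can verify a heartbeat MAC."""
    def __init__(self):
        self._keys = {}
    def enroll(self, endpoint_id):
        self._keys[endpoint_id] = secrets.token_bytes(32)
        return self._keys[endpoint_id]
    def verify_heartbeat(self, endpoint_id, payload, mac):
        key = self._keys.get(endpoint_id)
        return key is not None and hmac.compare_digest(hmac.new(key, payload, "sha256").digest(), mac)

class AccessControlSystem:
    """Fronts the secure service; accepts only tokens whose verification info was registered."""
    def __init__(self):
        self._registered = set()
    def register(self, token_hash):
        self._registered.add(token_hash)
    def accepts(self, token):
        return hashlib.sha256(token.encode()).hexdigest() in self._registered

class AuthenticationService:
    def __init__(self, ttp, acs):
        self._ttp, self._acs, self._heartbeats = ttp, acs, {}
    def receive_heartbeat(self, endpoint_id, payload, mac):
        self._heartbeats[endpoint_id] = (payload, mac)  # keep the latest heartbeat per endpoint
    def request_token(self, endpoint_id):
        """Issue a token only if the latest heartbeat verifies and reports compliance."""
        payload, mac = self._heartbeats.get(endpoint_id, (None, None))
        if payload is None or not self._ttp.verify_heartbeat(endpoint_id, payload, mac):
            return None  # source of the heartbeat cannot be verified: no token
        if not json.loads(payload).get("compliant", False):
            return None  # endpoint out of policy: no token
        token = secrets.token_urlsafe(32)
        self._acs.register(hashlib.sha256(token.encode()).hexdigest())  # verification info first
        return token

def run_flow(compliant, forged=False):  # constructed scenario: (token or None, accepted by ACS?)
    ttp, acs = TrustedThirdParty(), AccessControlSystem()
    auth = AuthenticationService(ttp, acs)
    enrolled = ttp.enroll("laptop-42")
    key = secrets.token_bytes(32) if forged else enrolled  # forged: key the trusted party never issued
    payload = json.dumps({"endpoint": "laptop-42", "compliant": compliant}).encode()
    auth.receive_heartbeat("laptop-42", payload, hmac.new(key, payload, "sha256").digest())
    token = auth.request_token("laptop-42")
    return token, token is not None and acs.accepts(token)
```

The three paths a deployment should test are covered by `run_flow(True)`, `run_flow(False)` and `run_flow(True, forged=True)`: only a verifiably sourced, compliant heartbeat yields a token the access control system will honour.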