1. The Field of the Invention
The present invention relates to network security. More specifically, the present invention relates to systems, methods, and computer program products for granting and dynamically modifying access to network resources where access may correspond to the trustworthiness of authentication methods and devices associated with a user session.
2. Background and Relevant Art
Today it is very difficult, if not impossible, for network administrators to give mobile users appropriate access to network resources. Conventional methods for granting access to network resources are, for the most part, binary: either a user is “logged on” and may access network resources, or the user is “logged off” and cannot. This binary approach is followed even though different devices and different authentication methods provide different levels of trustworthiness.
For example, a user who enters a dual tone multi-frequency (“DTMF”) personal identification number (“PIN”) from a pay phone may be granted the same access to network resources as a user who enters a password at a computer directly coupled to a corporate intranet. Entering a password from a computer directly coupled to a corporate intranet may be considered more secure than entering a DTMF PIN from a pay phone, yet both authentication methods may result in the same access to network resources. Binary approaches are especially problematic for mobile user sessions because of the wide variety of devices, and corresponding authentication methods, used in a mobile environment.
In some cases, network managers may implement secondary domains, secondary user accounts, and various other means in an attempt to give appropriate access to mobile users. For example, a user may have a local user account and a mobile user account. The local user account may be configured to operate only on trusted computing devices, which allows different access rights to be assigned to users depending on their location; thus a local user account may be given more access to network resources than a mobile user account. However, this is still a binary approach, since every conventional access method grants the mobile user account the same access to network resources. For example, a mobile user who calls from a pay phone and logs on using a DTMF PIN and a mobile user who calls from a secure mobile phone and speaks a complex challenge-response password may both receive the same access to network resources. In other words, when a mobile user account is granted access to network resources, no consideration is given to the trustworthiness of the authentication methods or devices involved. Furthermore, this method requires additional effort to establish and maintain the mobile user account.
Another approach is to designate certain mobile access methods as trustworthy. For example, a network may be configured to allow mobile access from a secure caller line ID or for users who are voiceprinted. However, this approach also results in binary access to network resources and does not consider the trustworthiness of the methods or devices associated with the mobile user session. For example, a mobile user voiceprinted from a public telephone and a mobile user voiceprinted from a secure mobile phone may receive the same access, while a mobile user requesting access via any non-trusted access method is denied access to network resources entirely. This approach is often ineffective due to environmental factors as well. For example, a user may roam out of their local calling area so that the secure nature of the mobile phone cannot be verified, or a user may have a cold and be unable to use voiceprint. In these cases, the trustworthiness of the methods and devices requesting access may still be relatively high, but access to network resources is denied.
Considering the trustworthiness of the devices associated with a user session is especially important when some access methods are predetermined to be secure. During a request for access to network resources, a mobile user may present a user ID and a password; in some cases, DTMF tones may facilitate entry of these credentials. Conventional authentication methods may grant the same access to network resources whether these credentials are entered from a public pay phone or from a secure mobile phone. This may not be appropriate, since a secure mobile phone may be considered more trustworthy than a public pay phone.
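As an illustration of the difference between the binary approaches described above and an access decision that weighs the trustworthiness of both the authentication method and the device, the following Python model is added here; it is not code from the application or from any embodiment it describes. The trust scores, the resource thresholds, the averaging rule, the "unverified device" fallback and the set of predetermined trusted methods are assumptions chosen for the example.

```python
"""Trust-weighted access decisions for a user session.

Added illustration for the background above.  It is not code from the patent
application or from any embodiment it describes; the trust scores, resource
thresholds, averaging rule and fallback values below are assumptions chosen
for this example.
"""
from dataclasses import dataclass, replace
from typing import Dict, FrozenSet

# Assumed trust of the authentication methods mentioned in the text (0..1).
AUTH_METHOD_TRUST: Dict[str, float] = {
    "dtmf_pin": 0.3,                    # PIN keyed in as DTMF tones
    "password": 0.5,                    # conventional typed password
    "spoken_challenge_response": 0.7,   # complex spoken challenge/response
    "voiceprint": 0.8,
}

# Assumed trust of the device classes mentioned in the text (0..1).
DEVICE_TRUST: Dict[str, float] = {
    "pay_phone": 0.2,
    "secure_mobile_phone": 0.7,
    "intranet_computer": 0.9,
}
# Assumed trust for a device whose secure nature cannot be verified
# (e.g. the user has roamed out of the local calling area).
UNVERIFIED_DEVICE_TRUST = 0.3

# Assumed minimum session trust each resource requires.
RESOURCE_THRESHOLDS: Dict[str, float] = {
    "bulletin_board": 0.0,
    "email": 0.3,
    "payroll": 0.6,
}

# Access methods that the "trusted methods only" approach accepts (assumed).
PREDETERMINED_TRUSTED_METHODS = frozenset({"voiceprint"})


@dataclass(frozen=True)
class Session:
    user: str
    auth_method: str
    device: str
    device_verified: bool = True     # False when the device's security cannot be checked
    secure_caller_id: bool = False   # True when the call came from a trusted caller line ID


def session_trust(s: Session) -> float:
    """Combine method and device trust into one score (plain average, an assumed rule)."""
    auth = AUTH_METHOD_TRUST[s.auth_method]
    device = DEVICE_TRUST[s.device] if s.device_verified else UNVERIFIED_DEVICE_TRUST
    return round((auth + device) / 2, 3)


def binary_access(s: Session) -> FrozenSet[str]:
    """Conventional 'logged on / logged off': any successful logon grants everything."""
    return frozenset(RESOURCE_THRESHOLDS)


def trusted_methods_access(s: Session) -> FrozenSet[str]:
    """Conventional 'trusted methods only': all or nothing, ignoring the device."""
    if s.secure_caller_id or s.auth_method in PREDETERMINED_TRUSTED_METHODS:
        return frozenset(RESOURCE_THRESHOLDS)
    return frozenset()


def graded_access(s: Session) -> FrozenSet[str]:
    """Trust-weighted access: a resource is granted when the session meets its threshold."""
    trust = session_trust(s)
    return frozenset(r for r, need in RESOURCE_THRESHOLDS.items() if trust >= need)


def step_up(s: Session, new_method: str) -> Session:
    """Re-authenticate within the same session; access is re-derived rather than re-logged-on."""
    if new_method not in AUTH_METHOD_TRUST:
        raise ValueError(f"unknown authentication method: {new_method}")
    return replace(s, auth_method=new_method)


if __name__ == "__main__":
    scenarios = {
        "DTMF PIN from a pay phone": Session("alice", "dtmf_pin", "pay_phone"),
        "spoken challenge/response, secure phone":
            Session("alice", "spoken_challenge_response", "secure_mobile_phone"),
        "password, secure phone, roaming (device unverified)":
            Session("alice", "password", "secure_mobile_phone", device_verified=False),
        "voiceprint from a pay phone": Session("alice", "voiceprint", "pay_phone"),
        "password at intranet computer": Session("alice", "password", "intranet_computer"),
    }
    for label, s in scenarios.items():
        print(f"{label:52} trust={session_trust(s):.2f} binary={sorted(binary_access(s))} "
              f"trusted-only={sorted(trusted_methods_access(s))} graded={sorted(graded_access(s))}")
    # A user who normally voiceprints has a cold and falls back to a DTMF PIN mid-session.
    cold = step_up(Session("alice", "voiceprint", "secure_mobile_phone"), "dtmf_pin")
    print("voiceprint user with a cold, DTMF PIN fallback:", sorted(graded_access(cold)))
```

Running the script shows the three policies side by side: the binary policy gives the pay-phone DTMF session everything, the trusted-methods policy denies the spoken challenge-response session and the roaming session entirely, and the graded policy grants each session only the resources its combined trust supports, and recomputes that set when the user re-authenticates within the session.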
Therefore, what is desired are systems, methods, and computer program products for granting or dynamically modifying access to network resources in a manner that relates the access granted to the trustworthiness of the authentication methods and devices associated with a user session.