Anyone with a suitable Internet appliance, such as a personal computer with a standard Internet connection, may access (or go on-line) and navigate web pages stored on Internet-connected servers for the purpose of obtaining information and initiating transactions with hosts of such servers and pages. Companies offer various subscription services accessible via the Internet. For example, it is common for people to bank, trade stocks, shop, etc., from the comfort of their own homes via Internet access. Typically, a user, through subscription, has access to personalized and secure web pages for such functions. By typing in a user name and a password or other personal identification code, a user may obtain information, initiate transactions, buy stock, and accomplish a myriad of other tasks.
Unfortunately, one problem that is encountered by an individual who has several or many such subscriptions to Internet-brokered services is that there are invariably many passwords and/or log-in codes to be used and it is not advisable to utilize the same password or code for every service as this poses an increased security risk. Furthermore, using different login identifiers and passwords for each on-line account presents numerous problems; not the least of which is remembering each login identifier and password. This secure access problem also manifests itself in an enterprise context. For example, employees must regularly access system servers. However, despite the security risks, passwords and/or other credential information are not regularly modified because such regular changes are often overly burdensome.
Overall, the examples herein of some prior or related systems and their associated limitations are intended to be illustrative and not exclusive. Upon reading the following, other limitations of existing or prior systems will become apparent to those of skill in the art.
Overview
Provided herein are systems, methods, and software that facilitate secure credential-free access to resources. In some embodiments, a cloud-based credential management apparatus is disclosed having one or more computer readable storage media with program instructions stored thereon, which when executed by one or more processors, direct the one or more processors to perform various functions. In some embodiments, the functions include processing a protected resource access request initiated by a resource access system to identify a user and a protected resource that the user is attempting to access. The functions further include identifying a predetermined authentication policy associated with the protected resource, generating a request for authentication information based on the authentication policy associated with the protected resource, and sending the request for authentication information for delivery to a mobile device associated with the user. The functions further include processing a response to the authentication request sent by the mobile device to determine that the authentication policy is satisfied and, in response to determining that the policy is satisfied, generating a response to the protected resource access request including login credentials to access the protected resource.
In some embodiments, a computer-readable storage medium having a browser extension for operating with a web browser on an electronic computing device is disclosed. The browser extension includes program instructions, which when executed by one or more processors of the electronic computing device, cause the electronic computing device to perform various functions. The functions can include detecting an attempt initiated by a user of the electronic device to access a resource, determining that the resource is a protected resource, and responsive to determining that the resource is a protected resource, generating a protected resource access request, the protected resource access request identifying the user and the protected resource that the user is attempting to access. The functions can further include receiving login credentials for accessing the resource, and populating a login form for the resource with the received login credentials without storing the login credentials.
In some embodiments, a method of operating a credential management system to provide a user with secure access to a resource without user-provided credentials is provided. The method includes receiving a protected resource access request initiated by a resource access system to identify a user and a protected resource that the user is attempting to access, identifying a predetermined authentication policy associated with the protected resource, and generating a request for authentication information for delivery to a mobile device associated with the user. In this example, the requested authentication information is determined based on the authentication policy associated with the protected resource. The method can further include receiving a response to the authentication request sent by the mobile device, determining if the authentication policy is satisfied, wherein the authentication policy comprises a progressive multi-factor authentication, and if the authentication policy is satisfied, generating a response to the protected resource access request including login credentials to access the protected resource.
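The three embodiments above describe one end-to-end flow: the browser extension detects a protected resource and raises an access request, the credential management system looks up the resource's authentication policy and challenges the user's mobile device, and only once every factor in the policy is satisfied are login credentials returned and filled into the form without being stored. The following added example models that flow in Python; it is not code from the disclosure. The policy table, vault contents, device key, PIN, and the class and message names (CredentialManager, MobileDevice, BrowserExtension, the "challenge"/"granted"/"denied" statuses) are all constructed for illustration, and the HMAC-over-nonce device proof is one assumed way to realise a possession factor.

```python
"""Toy model of credential-free access with progressive multi-factor authentication.

Constructed sample data and protocol shapes; not the disclosure's own format.
"""
import hashlib
import hmac
import secrets

# Authentication policy per protected resource: an ordered list of factors.
# A resource absent from this table is treated as unprotected.
POLICIES = {
    "https://bank.example/login": ["device_possession", "pin"],  # progressive: two steps
    "https://intranet.example/wiki": ["device_possession"],       # single step
}

# Credentials held server-side; the browser extension never sees them until granted.
VAULT = {
    ("alice", "https://bank.example/login"): {"username": "alice", "password": "constructed-pw-1"},
    ("alice", "https://intranet.example/wiki"): {"username": "alice", "password": "constructed-pw-2"},
}
DEVICE_KEYS = {"alice": b"constructed-device-key-alice"}  # secret enrolled on the mobile device
USER_PINS = {"alice": "4821"}                              # constructed knowledge factor


class CredentialManager:
    """Cloud-side apparatus: evaluates the policy one factor at a time."""

    def __init__(self):
        self.sessions = {}  # session id -> pending state

    def handle_access_request(self, req):
        user, resource = req["user"], req["resource"]
        if resource not in POLICIES or (user, resource) not in VAULT:
            return {"status": "denied"}
        sid = secrets.token_hex(8)
        self.sessions[sid] = {"user": user, "resource": resource, "remaining": list(POLICIES[resource])}
        return self._next_challenge(sid)

    def _next_challenge(self, sid):
        state = self.sessions[sid]
        state["nonce"] = secrets.token_hex(16)  # fresh nonce per step, defeats replay of a proof
        return {"status": "challenge", "session": sid, "factor": state["remaining"][0], "nonce": state["nonce"]}

    def handle_auth_response(self, resp):
        state = self.sessions.get(resp.get("session"))
        if state is None:
            return {"status": "denied"}
        factor = state["remaining"][0]
        if factor == "device_possession":
            expected = hmac.new(DEVICE_KEYS[state["user"]], state["nonce"].encode(), hashlib.sha256).hexdigest()
            ok = hmac.compare_digest(expected, resp.get("proof", ""))
        elif factor == "pin":
            ok = hmac.compare_digest(USER_PINS[state["user"]], resp.get("pin", ""))
        else:
            ok = False
        if not ok:
            del self.sessions[resp["session"]]  # a failed step aborts the whole session
            return {"status": "denied"}
        state["remaining"].pop(0)
        if state["remaining"]:
            return self._next_challenge(resp["session"])  # policy not yet satisfied: escalate
        del self.sessions[resp["session"]]
        return {"status": "granted", "credentials": dict(VAULT[(state["user"], state["resource"])])}


class MobileDevice:
    """The user's enrolled phone: answers whichever factor the server asks for."""

    def __init__(self, key, pin):
        self.key, self.pin = key, pin

    def answer(self, challenge):
        reply = {"session": challenge["session"]}
        if challenge["factor"] == "device_possession":
            reply["proof"] = hmac.new(self.key, challenge["nonce"].encode(), hashlib.sha256).hexdigest()
        elif challenge["factor"] == "pin":
            reply["pin"] = self.pin
        return reply


class BrowserExtension:
    """Resource access system: detects protected resources and fills the form."""

    def __init__(self, user, server):
        self.user, self.server = user, server

    def navigate(self, url, device):
        if url not in POLICIES:
            return None  # not a protected resource; ordinary navigation, no request raised
        reply = self.server.handle_access_request({"user": self.user, "resource": url})
        while reply["status"] == "challenge":
            reply = self.server.handle_auth_response(device.answer(reply))
        if reply["status"] != "granted":
            return {"status": "denied"}
        creds = reply["credentials"]
        # Populate the login form fields and hand them back; nothing is retained on self.
        return {"username": creds["username"], "password": creds["password"]}
```

Running `BrowserExtension("alice", CredentialManager()).navigate("https://bank.example/login", MobileDevice(DEVICE_KEYS["alice"], "4821"))` walks both factors and returns the filled form; a wrong device key or wrong PIN aborts at that step and yields a denial, and the server keeps no session state after either outcome.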
This Overview is provided to introduce a selection of concepts in a simplified form that are further described below in the Technical Disclosure. It may be understood that this Overview is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used to limit the scope of the claimed subject matter.