US-12627663-B2 - Factor health assessment and selection for login at an identity provider
Abstract
Users of an identity provider system may be authorized to use a variety of different types of factors from a variety of different factor providers. The identity provider system monitors and analyzes the “health” of the different possible factors available to a user, e.g., their availability relative to error rate. Using the results of the analysis, the identity provider can assess which factors are the most appropriate for a given user seeking authentication and can improve the user experience for the user by emphasizing those most appropriate factors to the user.
Inventors
- Daniel Jeffrey Post
Assignees
- Okta, Inc.
Dates
- Publication Date
- 20260512
- Application Date
- 20240422
Claims (20)
- 1 . A computer-implemented method performed by a computing device associated with an identity provider system, the computer-implemented method comprising: receiving a request to authenticate an identity of a first user; identifying, from a plurality of authentication factors associated with the first user, a first authentication factor as a default authentication factor for the first user; selecting, based at least in part on a health of the first authentication factor being below a threshold degree of health and a health of a second authentication factor of the plurality of authentication factors being above the threshold degree of health, the second authentication factor as an updated default authentication factor for the first user, wherein the health of the first authentication factor is based at least in part on a quantity of successful identity verifications using the first authentication factor relative to a quantity of unsuccessful identity verifications using the first authentication factor; generating, based at least in part on a health of each authentication factor of the plurality of authentication factors, a ranked listing of the plurality of authentication factors, wherein the updated default authentication factor is indicated as a highest ranking authentication factor in the ranked listing of the plurality of authentication factors; and transmitting, to a second computing device, the ranked listing of the plurality of authentication factors.
- 2 . The computer-implemented method of claim 1 , wherein the ranked listing of the plurality of authentication factors is based at least in part on a history of usage by the first user of one or more authentication factors of the plurality of authentication factors, a user preference of the first user, an organizational preference of an organization associated with the first user, one or more rules, or a combination thereof.
- 3 . The computer-implemented method of claim 1 , further comprising: calculating, based at least in part on the health of each authentication factor of the plurality of authentication factors, a factor health score for each authentication factor of the plurality of authentication factors, wherein the ranked listing of the plurality of authentication factors is further based at least in part on the factor health score for each authentication factor of the plurality of authentication factors.
- 4 . The computer-implemented method of claim 1 , wherein the health of the first authentication factor is based at least in part on a quantity of errors encountered when using the first authentication factor to authenticate identities of one or more users.
- 5 . The computer-implemented method of claim 1 , wherein the health of the first authentication factor is based at least in part on metadata associated with at least one of the first user or the identity provider system.
- 6 . The computer-implemented method of claim 5 , wherein the metadata comprises at least one of: a version of an application of the identity provider system that is installed on a client device of the first user, a version of an operating system of the client device of the first user, an internet protocol (IP) address of the client device of the first user, or a geographical location of the client device of the first user.
- 7 . The computer-implemented method of claim 1 , wherein the plurality of authentication factors comprise one or more of: a biometric reading, a push notification, an email, a voice message, or a one-time password provided over short message service (SMS).
- 8 . The computer-implemented method of claim 1 , further comprising: identifying electronic services to which the first user has been granted access; identifying credentials of the first user for the identified electronic services; and signing the first user in to the identified electronic services using the credentials.
- 9 . The computer-implemented method of claim 1 , further comprising: omitting, based at least in part on the first authentication factor being below the threshold degree of health, the first authentication factor from inclusion in the ranked listing of the plurality of authentication factors.
- 10 . The computer-implemented method of claim 1 , wherein selecting the second authentication factor as the updated default authentication factor comprises replacing the default authentication factor with the updated default authentication factor.
- 11 . A computing device associated with an identity provider system, the computing device comprising: a processor; and memory storing instructions that, when executed by the processor, cause the computing device to: receive a request to authenticate an identity of a first user; identify, from a plurality of authentication factors associated with the first user, a first authentication factor as a default authentication factor for the first user; select, based at least in part on a health of the first authentication factor being below a threshold degree of health and a health of a second authentication factor of the plurality of authentication factors being above the threshold degree of health, the second authentication factor as an updated default authentication factor for the first user, wherein the health of the first authentication factor is based at least in part on a quantity of successful identity verifications using the first authentication factor relative to a quantity of unsuccessful identity verifications using the first authentication factor; generate, based at least in part on a health of each authentication factor of the plurality of authentication factors, a ranked listing of the plurality of authentication factors, wherein the updated default authentication factor is indicated as a highest ranking authentication factor in the ranked listing of the plurality of authentication factors; and transmit, to a second computing device, the ranked listing of the plurality of authentication factors.
- 12 . The computing device of claim 11 , wherein the ranked listing of the plurality of authentication factors is based at least in part on a history of usage by the first user of one or more authentication factors of the plurality of authentication factors, a user preference of the first user, an organizational preference of an organization associated with the first user, one or more rules, or a combination thereof.
- 13 . The computing device of claim 11 , wherein the instructions, when executed by the processor, further cause the computing device to: calculate, based at least in part on the health of each authentication factor of the plurality of authentication factors, a factor health score for each authentication factor of the plurality of authentication factors, wherein the ranked listing of the plurality of authentication factors is further based at least in part on the factor health score for each authentication factor of the plurality of authentication factors.
- 14 . The computing device of claim 11 , wherein the health of the first authentication factor is based at least in part on a quantity of errors encountered when using the first authentication factor to authenticate identities of one or more users.
- 15 . The computing device of claim 11 , wherein the health of the first authentication factor is based at least in part on metadata associated with at least one of the first user or the identity provider system, and wherein the metadata comprises at least one of: a version of an application of the identity provider system that is installed on a client device of the first user, a version of an operating system of the client device of the first user, an internet protocol (IP) address of the client device of the first user, or a geographical location of the client device of the first user.
- 16 . The computing device of claim 11 , wherein the instructions, when executed by the processor, further cause the computing device to: omit, based at least in part on the first authentication factor being below the threshold degree of health, the first authentication factor from inclusion in the ranked listing of the plurality of authentication factors.
- 17 . The computing device of claim 11 , wherein, to select the second authentication factor as the updated default authentication factor, the instructions, when executed by the processor, cause the computing device to: replace the default authentication factor with the updated default authentication factor.
- 18 . A non-transitory, computer-readable medium storing instructions that, when executed by a processor of a computing device associated with an identity provider system, perform actions comprising: receiving a request to authenticate an identity of a first user; identifying, from a plurality of authentication factors associated with the first user, a first authentication factor as a default authentication factor for the first user; selecting, based at least in part on a health of the first authentication factor being below a threshold degree of health and a health of a second authentication factor of the plurality of authentication factors being above the threshold degree of health, the second authentication factor as an updated default authentication factor for the first user, wherein the health of the first authentication factor is based at least in part on a quantity of successful identity verifications using the first authentication factor relative to a quantity of unsuccessful identity verifications using the first authentication factor; generating, based at least in part on a health of each authentication factor of the plurality of authentication factors, a ranked listing of the plurality of authentication factors, wherein the updated default authentication factor is indicated as a highest ranking authentication factor in the ranked listing of the plurality of authentication factors; and transmitting, to a second computing device, the ranked listing of the plurality of authentication factors.
- 19 . The non-transitory, computer-readable medium of claim 18 , wherein the ranked listing of the plurality of authentication factors is based at least in part on a history of usage by the first user of one or more authentication factors of the plurality of authentication factors, a user preference of the first user, an organizational preference of an organization associated with the first user, one or more rules, or a combination thereof.
- 20 . The non-transitory, computer-readable medium of claim 18 , wherein the instructions, when executed by the processor, further perform actions comprising: calculating, based at least in part on the health of each authentication factor of the plurality of authentication factors, a factor health score for each authentication factor of the plurality of authentication factors, wherein the ranked listing of the plurality of authentication factors is further based at least in part on the factor health score for each authentication factor of the plurality of authentication factors.
Description
CROSS-REFERENCES TO RELATED APPLICATIONS
This application is a continuation of U.S. patent application Ser. No. 18/310,444, filed May 1, 2023, and entitled “FACTOR HEALTH ASSESSMENT AND SELECTION FOR LOGIN AT AN IDENTITY PROVIDER,” which is a continuation of and claims priority to U.S. patent application Ser. No. 17/098,313, now U.S. Pat. No. 11,677,750, filed on Nov. 13, 2020, and entitled “FACTOR HEALTH ASSESSMENT AND SELECTION FOR LOGIN AT AN IDENTITY PROVIDER,” the content of each of which is incorporated herein by reference in its entirety.
FIELD OF ART
The present invention generally relates to the field of software systems, and more specifically, to facilitating user login for identity provider systems that authenticate user identities.
BACKGROUND
Identity provider (IdP) systems establish an identity of a user wishing to gain access to resources. For example, an electronic mail service typically requires users wishing to access an account on the service to authenticate their identities using one or more types of information (hereinafter referred to as “authentication factors”, or simply “factors”). Examples of various types of factors include credentials such as usernames and passwords, one-time passwords (OTPs), hardware tokens, biometrics, and the like. The different factors may be provided by different entities (hereinafter referred to as “factor providers”). The different types of factors may have different levels of availability. For example, one type of factor (such as an OTP) might be delivered by a third-party service over a computer network, either of which could be unavailable for certain periods of time, e.g., due to network problems, rate limiting, failure of hardware of the third-party service, or misconfiguration of the software used to interface with the third-party service, as just some examples.
If a particular type of factor is unavailable to an IdP system at the time that a user is attempting to use the IdP system to establish her identity, the user's attempt to authenticate will fail. This results in a poor user experience and frustration of the user with the IdP system, and (if frequent) may also violate any availability guarantees (e.g., a guarantee of 99.99% availability) promised by an IdP to its customers or other users. Although a particular user might have a number of different factor types available to her for use with the IdP system, she may not realize that the other factor types are options, resulting in additional work for I.T. staff who must respond to her requests for assistance. Even if she does realize that other factors are options, choosing the appropriate one requires additional knowledge and decision-making that tends to reduce her satisfaction with the IdP.
SUMMARY
An identity provider system analyzes the “health” of the various factor types and providers available to users, identifying which factors are likely to be presently available and which factors are currently frequently failing. The identity provider system leverages the data obtained from this analysis to provide particular users wishing to be authenticated by the identity provider with factor options. The factor options may be presented to the users in ranked order, according at least in part to their determined probabilities of availability.
The features and advantages described in the specification are not all inclusive and, in particular, many additional features and advantages will be apparent to one of ordinary skill in the art in view of the drawings, specification, and claims. Moreover, it should be noted that the language used in the specification has been principally selected for readability and instructional purposes, and may not have been selected to delineate or circumscribe the inventive subject matter.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 illustrates one embodiment of a computing environment in which an identity provider (IdP) system compensates for the possible unavailability of certain types of factors by tracking factor health and intelligently and transparently selecting factors appropriate for use with a particular user at a particular moment.
FIG. 2 illustrates steps performed by the identity provider system of FIG. 1 when assessing factor health and applying the resulting information during user authentication, according to some embodiments.
FIG. 3 is a high-level block diagram illustrating physical components of a computer used as part or all of the identity provider, client device of a user, or system providing third-party factors, according to one embodiment.
The figures depict embodiments of the present invention for purposes of illustration only. One skilled in the art will readily recognize from the following description that alternative embodiments of the structures and methods illustrated herein may be employed without departing from the principles of the invention described herein.
DETAILED DESCRIPTION
FIG. 1 illustrates one embodiment of a computing envi