Abstract: Existing conventional approaches fail to use context details sufficiently and completely to provide secure authentication to protect sensitive resources and restrict access based on the user's assurance level. The present disclosure provides a method and system which extracts contextual parameters of the user device and compares the contextual parameters with the user's historical contextual parameters. A first percentage score is assigned based on whether the acquired contextual parameters match the historical contextual parameters. A second percentage score is assigned based on the device type and network type of the user device. Any change in the user's selection of secondary authentication for accessing the application is validated, and a third percentage score is assigned if the selection has changed. An assurance level specific to the user is calculated based on the first percentage score, the second percentage score and the third percentage score. Based on the calculated assurance level, one or more privileges for accessing the application are provided to the user. [To be published with FIG. #3]
FORM 2
THE PATENTS ACT, 1970
(39 of 1970)
&
THE PATENT RULES, 2003
COMPLETE SPECIFICATION (See Section 10 and Rule 13)
Title of invention:
METHOD AND SYSTEM FOR SECURED ACCESSING OF RESOURCES BASED ON USER’S ASSURANCE LEVEL
Applicant
Tata Consultancy Services Limited A company Incorporated in India under the Companies Act, 1956
Having address:
Nirmal Building, 9th floor,
Nariman point, Mumbai 400021,
Maharashtra, India
Preamble to the description
The following specification particularly describes the invention and the manner in which it is to be performed.
TECHNICAL FIELD
[001] The disclosure herein generally relates to the field of cyber security and, more particularly, to a method and system for secured accessing of resources based on user's assurance level.
BACKGROUND
[002] Enterprise systems use security controls to protect their resources from attackers. Authentication is the process of verifying the legitimacy of an entity. Enterprise systems use a single-factor or multi-factor authentication mechanism to verify the user identity. The inherent vulnerabilities in the authentication methods or in the deployment of authentication methods allow attackers to compromise a user’s identity and subsequently gain access to sensitive resources. Attackers employ various methods such as stealing passwords, guessing passwords, and phishing to compromise a user’s identity. Once the identity is compromised, the attacker can gain access to sensitive resources and can compromise the system.
[003] Some of the conventional approaches consider the use of user context details to enhance the security and usability of the authentication mechanism and to identify the user’s preferred secondary authentication method. However, conventional approaches fail to use context details sufficiently and completely to provide secure authentication to protect sensitive resources and restrict access based on the user’s assurance level.
SUMMARY
[004] Embodiments of the present disclosure present technological improvements as solutions to one or more of the above-mentioned technical problems recognized by the inventors in conventional systems. For example, in one embodiment, a method for secured accessing of resources based on user's assurance level is provided. The method includes receiving by one or more hardware processors of a server machine, an access request from a user for accessing an application via a user device, wherein a primary authentication is performed using a plurality of credentials provided by the user while accessing the application; extracting by the one or more hardware processors of the server machine, a plurality of contextual parameters from the user device used for generating the access request using a pattern matching technique; validating by the one or more hardware processors of the server machine, the plurality of contextual parameters based on a comparison between the plurality of contextual parameters and the plurality of historical contextual parameters pertaining to the user; assigning by the one or more hardware processors of the server machine, a first percentage score to the user based on the comparison between the plurality of contextual parameters and the plurality of historical contextual parameters pertaining to the user as per the pattern matching technique; assigning by the one or more hardware processors of the server machine, a second percentage score to the user based on at least one of a device type and a network type, wherein the device type and the network type are associated with the user device; validating by the one or more hardware processors of the server machine, a change in selecting a secondary authentication by the user for accessing the application via the user device; assigning by the one or more hardware processors of the server machine, a third percentage score to the user based on the change in selecting the secondary authentication; calculating by the one or more hardware processors of the server machine an assurance level specific to the user, based on the first percentage score, the second percentage score and the third percentage score; and providing by the one or more hardware processors of the server machine, one or more privileges to the user for accessing the application via the user device, based on the calculated assurance level.
[005] In another aspect, there is provided a system for secured accessing of resources based on user's assurance level. The system comprises: a memory storing instructions; one or more communication interfaces; and one or more hardware processors coupled to the memory via the one or more communication interfaces, wherein the one or more hardware processors are configured by the instructions to: receive an access request from a user for accessing an application via a user device, wherein a primary authentication is performed using a plurality of credentials provided by the user while accessing the application. The one or more hardware processors are further configured by the instructions to perform: extracting a plurality of contextual parameters from the user device used for generating the access request using a pattern matching technique; validating the plurality of contextual parameters based on a comparison between the plurality of contextual parameters and the plurality of historical contextual parameters pertaining to the user; assigning a first percentage score to the user based on the comparison between the plurality of contextual parameters and the plurality of historical contextual parameters pertaining to the user as per the pattern matching technique; assigning a second percentage score to the user based on at least one of a device type and a network type, wherein the device type and the network type are associated with the user device; validating a change in selecting a secondary authentication by the user for accessing the application via the user device; assigning a third percentage score to the user based on the change in selecting the secondary authentication; calculating an assurance level specific to the user, based on the first percentage score, the second percentage score and the third percentage score; and providing one or more privileges to the user for accessing the application via the user device, based on the calculated assurance level.
[006] In yet another aspect, there are provided one or more non-transitory machine-readable information storage mediums comprising one or more instructions which when executed by one or more hardware processors cause receiving an access request from a user for accessing an application via a user device, wherein a primary authentication is performed using a plurality of credentials provided by the user while accessing the application; extracting a plurality of contextual parameters from the user device used for generating the access request using a pattern matching technique; validating the plurality of contextual parameters based on a comparison between the plurality of contextual parameters and the plurality of historical contextual parameters pertaining to the user; assigning a first percentage score to the user based on the comparison between the plurality of contextual parameters and the plurality of historical contextual parameters pertaining to the user as per the pattern matching technique; assigning a second percentage score to the user based on at least one of a device type and a network type, wherein the device type and the network type are associated with the user device; validating a change in selecting a secondary authentication by the user for accessing the application via the user device; assigning a third percentage score to the user based on the change in selecting the secondary authentication; calculating an assurance level specific to the user, based on the first percentage score, the second percentage score and the third percentage score; and providing one or more privileges to the user for accessing the application via the user device, based on the calculated assurance level.
[007] It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the invention, as claimed.
BRIEF DESCRIPTION OF THE DRAWINGS
[008] The accompanying drawings, which are incorporated in and constitute a part of this disclosure, illustrate exemplary embodiments and, together with the description, serve to explain the disclosed principles:
[009] FIG. 1 is an overall architecture of a system for secured accessing of resources based on user's assurance level, in accordance with some embodiments of the present disclosure.
[010] FIG. 2 is a functional block diagram of the server (FIG. 1) of the system for secured accessing of resources based on user's assurance level, in accordance with some embodiments of the present disclosure.
[011] FIG. 3 illustrates a functional architecture of the server machine of the system of FIG. 1, for secured accessing of resources based on user's assurance level, in accordance with some embodiments of the present disclosure.
[012] FIGS. 4A and 4B are an exemplary flow diagram illustrating a processor implemented method for secured accessing of resources based on user's assurance level implemented by the system of FIG. 1 according to some embodiments of the present disclosure.
DETAILED DESCRIPTION OF EMBODIMENTS
[013] Exemplary embodiments are described with reference to the accompanying drawings. In the figures, the left-most digit(s) of a reference number identifies the figure in which the reference number first appears. Wherever convenient, the same reference numbers are used throughout the drawings to refer to the same or like parts. While examples and features of disclosed principles are described herein, modifications, adaptations, and other implementations are possible without departing from the scope of the disclosed embodiments.
[014] To overcome the challenges of the conventional approaches, embodiments herein provide a method and system for secured accessing of resources based on user's assurance level. The present disclosure performs a primary authentication of a user accessing an application through a user device. The present disclosure provides a method which extracts contextual parameters of the user device and compares the extracted contextual parameters with the user's historical contextual parameters. A first percentage score is assigned based on the result of the comparison as per the pattern matching technique, with a penalty if the contextual parameters are anomalous. Further, a second percentage score is assigned based on the device type and the network type of the user device. Furthermore, a secondary authentication is performed for accessing the application using the user device, and any change in the user's selection of the secondary authentication is validated. A third percentage score is assigned based on the change in selecting the secondary authentication. Finally, an assurance level specific to the user is calculated based on the first percentage score, the second percentage score and the third percentage score, and the privileges granted to the user for accessing the application follow from that assurance level.
[015] Referring now to the drawings, and more particularly to FIG. 1 through FIG. 4B, where similar reference characters denote corresponding features consistently throughout the figures, there are shown preferred embodiments, and these embodiments are described in the context of the following exemplary system and/or method.
[016] FIG. 1 is an overall architecture of a system for secured accessing of resources based on user's assurance level, in accordance with some embodiments of the present disclosure. The architecture 100 includes a user device 102, and a server machine 104. The user device 102 (for example, any computing device like desktop, laptop and the like) and the server machine 104 are connected via a network connection 104A. In an embodiment, the network connection 104A is either a wired communication network or a wireless communication network.
[017] FIG. 2 is a functional block diagram 200 of the server machine 104 of FIG. 1 for secured accessing of resources based on user's assurance level, in accordance with some embodiments of the present disclosure. The system 200 includes or is otherwise in communication with hardware processors 202, at least one memory such as a memory 204, and an I/O interface 212. The hardware processors 202, memory 204, and the Input/Output (I/O) interface 212 may be coupled by a system bus such as a system bus 208 or a similar mechanism. In an embodiment, the hardware processors 202 can be one or more hardware processors.
[018] The I/O interface 212 may include a variety of software and hardware interfaces, for example, a web interface, a graphical user interface, and interfaces for peripheral device(s), such as a keyboard, a mouse, an external memory, a printer and the like. Further, the I/O interface 212 may enable the system 200 to communicate with other devices, such as web servers, and external databases.
[019] The I/O interface 212 can facilitate multiple communications within a wide variety of networks and protocol types, including wired networks, for example, local area network (LAN), cable, etc., and wireless networks, such as Wireless LAN (WLAN), cellular, or satellite. For this purpose, the I/O interface 212 may include one or more ports for connecting several computing systems or devices with one another or to another server computer.
[020] The one or more hardware processors 202 may be implemented as one or more microprocessors, microcomputers, microcontrollers, digital signal processors, central processing units, node machines, logic circuitries, and/or any devices that manipulate signals based on operational instructions. Among other capabilities, the one or more hardware processors 202 is configured to fetch and execute computer-readable instructions stored in memory 204.
[021] The memory 204 may include any computer-readable medium known in the art including, for example, volatile memory, such as static random-access memory (SRAM) and dynamic random-access memory (DRAM), and/or non-volatile memory, such as read only memory (ROM), erasable programmable ROM, flash memories, hard disks, optical disks, and magnetic tapes. In an embodiment, the memory 204 includes a plurality of modules 206. The memory 204 also includes a data repository (or repository) 210 for storing data processed, received, and generated by the plurality of modules 206.
[022] The plurality of modules 206 include programs or coded instructions that supplement applications or functions performed by the system 200 for secured accessing of resources based on user's assurance level. The plurality of modules 206, amongst other things, can include routines, programs, objects, components, and data structures, which perform particular tasks or implement particular abstract data types. The plurality of modules 206 may also be used as signal processor(s), node machine(s), logic circuitries, and/or any other device or component that manipulates signals based on operational instructions. Further, the plurality of modules 206 can be used by hardware, by computer-readable instructions executed by the one or more hardware processors 202, or by a combination thereof. The plurality of modules 206 can include various sub-modules (not shown). In an embodiment, the modules 206 include a contextual parameters extraction module 302 (shown in FIG. 3), a contextual parameters validation module 304 (shown in FIG. 3), a first percentage score assignment module 306 (shown in FIG. 3), a device type and network type identification module 308 (shown in FIG. 3), a second percentage score assignment module 310 (shown in FIG. 3), a secondary authentication validation module 312 (shown in FIG. 3), a third percentage score assignment module 314 (shown in FIG. 3) and an assurance level calculation module 316 (shown in FIG. 3). It is to be understood by a person having ordinary skill in the art or person skilled in the art that the method and system of the present disclosure may employ one or more score assignment modules (e.g., either a single percentage score assignment module, or multiple percentage score assignment modules) that compute/estimate and/or assign the first percentage score, the second percentage score, and the third percentage score, respectively, and such an implementation of the percentage score assignment shall not be construed as limiting the scope of the present disclosure. In an embodiment, FIG. 3 illustrates a functional architecture of the server machine 104 of the system 100 of FIG. 1, for secured accessing of resources based on user's assurance level, in accordance with some embodiments of the present disclosure.
[023] The data repository (or repository) 210 may include a plurality of abstracted pieces of code for refinement and data that is processed, received, or generated as a result of the execution of the plurality of modules in the module(s) 206.
[024] Although the data repository 210 is shown internal to the system 200, it will be noted that, in alternate embodiments, the data repository 210 can also be implemented external to the system 200, where the data repository 210 may be stored within a database (repository 210) communicatively coupled to the system 200. The data contained within such an external database may be periodically updated. For example, new data may be added into the database (not shown in FIG. 2) and/or existing data may be modified and/or non-useful data may be deleted from the database. In one example, the data may be stored in an external system, such as a Lightweight Directory Access Protocol (LDAP) directory and a Relational Database Management System (RDBMS).
[025] FIGS. 4A and 4B are an exemplary flow diagram illustrating a method 400 for secured accessing of resources based on user's assurance level implemented by the system of FIG. 1 according to some embodiments of the present disclosure. In an embodiment, the system 200 includes one or more data storage devices or the memory 204 operatively coupled to the one or more hardware processor(s) 202 and is configured to store instructions for execution of steps of the method 400 by the one or more hardware processors 202. The steps of method 400 of the present disclosure will now be explained with reference to the components or blocks of the system 200 as depicted in FIG. 2 and the steps of the flow diagram as depicted in FIGS. 4A and 4B. The method 400 may be described in the general context of computer executable instructions. Generally, computer executable instructions can include routines, programs, objects, components, data structures, procedures, modules, functions, etc., that perform particular functions or implement particular abstract data types. The method 400 may also be practiced in a distributed computing environment where functions are performed by remote processing devices that are linked through a communication network. The order in which the method 400 is described is not intended to be construed as a limitation, and any number of the described method blocks can be combined in any order to implement the method 400, or an alternative method. Furthermore, the method 400 can be implemented in any suitable hardware, software, firmware, or combination thereof.
[026] At step 402 of the method 400, the one or more hardware processors 202 of the server machine 104 are configured by the programmed instructions to receive an access request from a user for accessing an application via a user device. A primary authentication is performed using a plurality of credentials provided by the user while accessing the application. The plurality of credentials includes a username and a password. In an embodiment of the present disclosure, the user needs to provide the username and the password for performing the primary authentication for accessing the application using the user device.
[027] At step 404 of the method 400, the contextual parameters extraction module 302 executed by the one or more hardware processors 202 of the server machine 104 is configured by the programmed instructions to extract a plurality of contextual parameters from the user device used for generating the access request using a pattern matching technique. The system 100 captures the plurality of contextual parameters specific to the user. For example, the plurality of contextual parameters includes a device ID (Identification), a device type, an Internet Protocol (IP) address, location details, browser details, timing details and Operating System (OS) version. The device ID indicates an identification number for each user device. The device type includes mobile device, laptop, and the like; the mobile device is represented with the number '1', the laptop with '2', and so on. The location details include latitude and longitude. The browser details include the browser type; for example, based on the starting character of the browser name, the browsers are numbered accordingly, such as Chrome®→1, Firefox®→2 and Explorer®→3. The timing details are represented as time slots; for example, the time slot between 9 AM and 6 PM is considered slot 1 and the time slot between 6 PM and 9 AM is considered slot 2. Similarly, the Operating System (OS) details are represented as '1' for Windows®, '2' for Linux®, '3' for Mac® and the like.
[028] At step 406 of the method 400, the contextual parameters validation module 304 executed by the one or more hardware processors 202 of the server machine 104 is configured by the programmed instructions to validate the plurality of contextual parameters based on a comparison between the plurality of contextual parameters and the plurality of historical contextual parameters pertaining to the user. In an embodiment of the present disclosure, after successful primary authentication, the received plurality of context parameters are validated with the user’s past context parameters to check whether the authenticating user is legitimate or not.
[029] At step 408 of the method 400, the first percentage score assignment module 306 executed by the one or more hardware processors 202 of the server machine 104 is configured by the programmed instructions to assign a first percentage score to the user based on the comparison between the plurality of contextual parameters and the plurality of historical contextual parameters pertaining to the user as per the pattern matching technique. In an embodiment of the present disclosure, if the received plurality of context parameters does not match with the user’s past context parameters, the user is identified as illegitimate user, and the first percentage score is assigned to the user. The first percentage score can include positive and negative percentage scores.
For example: If the user's current context parameters, including the time of login, one or more location details, one or more device details, the operating system or the browser type, do not match the user's past context parameters, a first percentage score of -25% is assigned to the user.
[030] In an alternate embodiment of the present disclosure, if the received plurality of context parameters matches with the user’s past context parameters, the user is identified as a legitimate user, and the first percentage score is assigned to the user.
For example: If the user's current context parameters, including the time of login, one or more location details, one or more device details, the operating system or the browser type, match the user's past context parameters, a first percentage score of 0% is assigned to the user. In an embodiment of the present disclosure the terms "user" and "legitimate user" are used interchangeably. Further, in an embodiment of the present disclosure the terms "attacker" and "illegitimate user" are used interchangeably.
[031] In an embodiment of the present disclosure, the device type and network type identification module 308 is configured to check whether the device type used by the user is a personal device or an enterprise-provided device. Further, the device type and network type identification module 308 is configured to check whether the network type used by the user is an enterprise-connected network or a personal/public Wi-Fi network, as explained in the later sections. For example, if the device type is personal and/or the network type is personal/public Wi-Fi, a percentage score of -25% is assigned to the user.
[032] At step 410 of the method 400, the second percentage score assignment module 310 executed by the one or more hardware processors 202 of the server machine 104 is configured by the programmed instructions to assign a second percentage score to the user based on at least one of a device type and a network type, wherein the device type and the network type are associated with the user device. The user is validated using the user device details, including the device type and the network type used by the user. The device type can be an enterprise-allocated device or a personal device. The network type can be a public network or an enterprise network. Based on the device type and the network type of the user device, the second percentage score is assigned to the user. For example: The user may use an enterprise-allocated device or a personal device, and a public Wi-Fi network or an enterprise network, to access the application. If the user uses a personal device or a public network such as public Wi-Fi to access the application, a second percentage score of -25% is assigned to the user. If the user uses the enterprise-allocated device and the enterprise network to access the application, a second percentage score of 0% is assigned to the user.
[033] At step 412 of the method 400, the secondary authentication validation module 312 executed by the one or more hardware processors 202 of the server machine 104 is configured by the programmed instructions to validate a change in selecting a secondary authentication by the user for accessing the application via the user device.
For example, some of the applications allow the user to select the secondary factor authentication. In this scenario, the system 100 checks if there is any change in the selection of secondary factor authentication as per the past selection of secondary factor authentication by the user.
[034] At step 414 of the method 400, the third percentage score assignment module 314 executed by the one or more hardware processors 202 of the server machine 104 is configured by the programmed instructions to assign a third percentage score based on the change in selecting the secondary authentication.
[035] In an embodiment of the present disclosure, after successful primary authentication, the user may select any of the secondary authentication factors. The secondary authentication factor is the second factor of a multi-factor authentication. The secondary authentication includes a one-time password, one or more secret questions, a fingerprint or another biometric. The system 100 checks whether the selected secondary authentication factor differs from the user's past selections of secondary authentication factor, or whether the user has selected an easy secondary authentication type that an attacker or illegitimate user could satisfy, for example by answering the questions of the selected factor. For example, if a secondary authentication factor requests additional information related to the legitimate user, the illegitimate user can easily respond to that request using the social media information available about the legitimate user. If there is a change in the selection of secondary authentication factor, the system 100 assigns a third percentage score of -25% to the user. If there is no change in the selection of secondary authentication factor, the system 100 assigns a third percentage score of 0% to the user.
For example: An attacker or the illegitimate user selects secret questions for secondary factor authentication, but in general, the user selects a one-time password for secondary factor authentication every time. As there is a change in the selection of secondary factor authentication selected by the user, the third percentage score of -25% is assigned to the user.
[036] At step 416 of the method 400, the assurance level calculation module 316 executed by the one or more hardware processors 202 of the server machine 104 is configured by the programmed instructions to calculate an assurance level specific to the user, based on the first percentage score, the second percentage score and the third percentage score. After the successful primary authentication and secondary authentication, the user's assurance level is calculated using the first percentage score, the second percentage score and the third percentage score. The first percentage score, the second percentage score and the third percentage score are assigned based on a plurality of values mentioned in a configuration file, from which the system reads the percentage scores. For example, the first configuration value may be -25% (mismatch) or 0% (match), the second configuration value -25% or 0%, the third configuration value -25% or 0%, and the like. Further, when the user accesses a resource, the user's assurance level together with the resource-applicable policies is used to evaluate the resource access. The resource-applicable policies include one or more document access policies, one or more module access policies and the like. Based on the calculated assurance level and the resource-applicable policies, the user is provided one or more privileges to access the application.
User Assurance level = 100% + (first percentage score + second percentage score + third percentage score), where each percentage score is either 0% or a negative penalty (for example -25%), so that the assurance level is reduced by the sum of the penalties incurred.
[037] At step 418 of the method 400, the one or more hardware processors 202 of the server machine 104 is configured by the programmed instructions to provide one or more privileges to the user for accessing the application via the user device, based on the calculated assurance level.
[038] In general, if an illegitimate user compromises a legitimate user's identity, then the illegitimate user gains access to all the resources of the compromised user. In an embodiment of the present disclosure, the system 100 calculates the assurance level for every authenticated user. According to the present disclosure, if the illegitimate user's context details (parameters), device type and network type do not match the legitimate user's context details (parameters), device type and network type, an exceptionally low assurance level is calculated and assigned to the illegitimate user. Further, the calculated assurance level of the illegitimate user restricts access to some of the critical resources and reduces the one or more privileges on some of the confidential resources.
For example: The user (illegitimate or legitimate) is assigned the first percentage score of -25% for no match in context parameters and the second percentage score of -25% for use of the personal device instead of enterprise assigned device. So, the calculated assurance level for the user is 100%-(25%+25%) = 50%.
[039] As explained in the above example, the illegitimate user’s assurance level is below 50% and the illegitimate user gets access to some of the user’s accessible resources with minimal privileges that were previously accessed by the legitimate user. In some cases, the illegitimate user may get the assurance level 75% and get access to the confidential resources with minimal privileges.
For example: If the illegitimate user attempts to view and download the project document, the system allows the illegitimate user to view it but denies downloading the project document due to the low assurance level. In contrast, the legitimate user has view, edit, and download privileges on project documents.
[040] In an embodiment of the present disclosure, if the illegitimate user gets a low assurance level (for example: 25%), the system 100 provides access to some of the user’s accessible resources that were previously accessed by the user.
For example: If the illegitimate user attempts to access the pay slips, the system denies access due to a low assurance level.
[041] In some cases, legitimate users can access the application from a new or different context, and this affects access to some of the user’s accessible resources based on the calculated user’s assurance level. Herein, the new or different context details include accessing the application from a different location using a different device. The legitimate user can raise the assurance level by answering the questions requested by the system. The system generates questions from resources previously accessed by the user. The system generates two or three questions for the user to answer and, based on the answers, the user’s assurance level is increased. The user then receives the eligible access privileges that were withheld due to the low assurance level.
For example: On which date did you access last month’s pay slip? Or, did you access last month’s pay slip using the enterprise or office network?
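The calculation in paragraphs [036] to [041] (steps 408 to 418: the three percentage scores, the assurance level, and the policy-based privilege decision) as an added worked example in Python. This is not code from the specification or from the applicant; the configuration values reuse the -25% figure the description gives, while the contextual parameter names, the /24 prefix match used as the "pattern matching technique" for the IP address, the policy thresholds, and all sample contexts are constructed assumptions for this example.

```python
"""Worked example (added, not the applicant's code) of the assurance-level
calculation: assurance = 100% - (first + second + third percentage score)."""
from dataclasses import dataclass

# Constructed configuration values; the description names -25% as an example
# for each of the three configuration values.
CONFIG = {
    "context_mismatch": 25,        # first percentage score (step 408)
    "device_or_network": 25,       # second percentage score (step 410)
    "secondary_auth_changed": 25,  # third percentage score (step 414)
}

# Constructed resource-applicable policies: minimum assurance level (in %)
# needed for each privilege. Thresholds are assumptions chosen so that a 50%
# user can only view a project document and a 25% user is denied pay slips.
POLICIES = {
    "project_document": {"view": 50, "edit": 75, "download": 75},
    "pay_slip": {"view": 50, "download": 75},
}

# Contextual parameters compared against history (claim 2 lists these).
CONTEXT_KEYS = ("device_id", "device_type", "ip", "location",
                "browser", "timing", "os_version")


@dataclass(frozen=True)
class Context:
    device_id: str
    device_type: str   # "enterprise" or "personal"
    network_type: str  # "enterprise" or "public"
    ip: str
    location: str
    browser: str
    timing: str        # e.g. "business_hours"
    os_version: str


def _matches(key, value, history):
    """Assumed pattern match for one parameter: an IP matches on its /24
    prefix; every other parameter must have been seen before as-is."""
    seen = {getattr(h, key) for h in history}
    if key == "ip":
        return value.rsplit(".", 1)[0] in {s.rsplit(".", 1)[0] for s in seen}
    return value in seen


def first_score(current, history, config=CONFIG):
    """Step 408: penalty if any contextual parameter fails to match history."""
    mismatched = [k for k in CONTEXT_KEYS
                  if not _matches(k, getattr(current, k), history)]
    return config["context_mismatch"] if mismatched else 0


def second_score(current, config=CONFIG):
    """Step 410: penalty for a personal device or a public network."""
    risky = current.device_type == "personal" or current.network_type == "public"
    return config["device_or_network"] if risky else 0


def third_score(selected_secondary, usual_secondary, config=CONFIG):
    """Step 414: penalty when the user changed the secondary authentication."""
    return config["secondary_auth_changed"] if selected_secondary != usual_secondary else 0


def assurance_level(first, second, third):
    """Step 416: 100% minus the three scores, floored at 0%."""
    return max(0, 100 - (first + second + third))


def privileges(level, resource, policies=POLICIES):
    """Step 418: privileges whose policy threshold the assurance level meets."""
    return {p for p, need in policies.get(resource, {}).items() if level >= need}


def evaluate(current, history, selected_secondary, usual_secondary):
    """Run steps 408-416 for one access request and return the scores."""
    s1 = first_score(current, history)
    s2 = second_score(current)
    s3 = third_score(selected_secondary, usual_secondary)
    return {"first": s1, "second": s2, "third": s3,
            "assurance": assurance_level(s1, s2, s3)}


# Constructed sample data: the user's usual enterprise laptop and a session
# from an unknown personal phone on the same office network.
HISTORY = [Context("LAPTOP-0001", "enterprise", "enterprise", "10.20.30.41",
                   "Mumbai", "Chrome 120", "business_hours", "Win11-22H2")]
USUAL = Context("LAPTOP-0001", "enterprise", "enterprise", "10.20.30.57",
                "Mumbai", "Chrome 120", "business_hours", "Win11-22H2")
UNKNOWN = Context("PHONE-9f2a", "personal", "enterprise", "10.20.30.99",
                  "Mumbai", "Chrome 120", "business_hours", "Android-14")

if __name__ == "__main__":
    for label, ctx, chosen in (("usual", USUAL, "otp"),
                               ("unknown device", UNKNOWN, "otp"),
                               ("unknown device + new 2FA", UNKNOWN, "secret_questions")):
        r = evaluate(ctx, HISTORY, chosen, usual_secondary="otp")
        print(label, r, privileges(r["assurance"], "project_document"),
              privileges(r["assurance"], "pay_slip"))
```

With these values the usual context yields 100% and full view/edit/download on the project document; the unknown personal device yields the 50% of the description's example and view only; changing the secondary factor as well drops the level to 25%, at which the pay slip policy grants nothing. The knowledge-question step-up of paragraph [041] is a separate step and is not modelled here.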
[042] The written description describes the subject matter herein to enable any person skilled in the art to make and use the embodiments. The scope of the subject matter embodiments is defined by the claims and may include other modifications that occur to those skilled in the art. Such other modifications are intended to be within the scope of the claims if they have similar elements that do not differ from the literal language of the claims or if they include equivalent elements with insubstantial differences from the literal language of the claims.
[043] The present disclosure calculates the user assurance level based on the user context parameters during the primary and the secondary authentication. Further, the present disclosure protects the user resources when the attackers (illegitimate users) access the application with the stolen credentials. Further, when the attackers access the application, the assurance level will be low, and the access to some of the user’s critical resources is denied and access privileges on some of the confidential resources are also reduced.
[044] It is to be understood that the scope of the protection is extended to such a program and in addition to a computer-readable means having a message therein; such computer-readable storage means contain program-code means for implementation of one or more steps of the method, when the program runs on a server or mobile device or any suitable programmable device. The hardware device can be any kind of device which can be programmed including e.g., any kind of computer like a server or a personal computer, or the like, or any combination thereof. The device may also include means which could be e.g., hardware means like e.g., an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA), or a combination of hardware and software means, e.g., an ASIC and an FPGA, or at least one microprocessor and at least one memory with software processing components located therein. Thus, the means can include both hardware means and software means. The method embodiments described herein could be implemented in hardware and software. The device may also include software means. Alternatively, the embodiments may be implemented on different hardware devices, e.g., using a plurality of CPUs.
[045] The embodiments herein can comprise hardware and software elements. The embodiments that are implemented in software include but are not limited to, firmware, resident software, microcode, etc. The functions performed by various components described herein may be implemented in other components or combinations of other components. For the purposes of this description, a computer-usable or computer readable medium can be any apparatus that can comprise, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device.
[046] The illustrated steps are set out to explain the exemplary embodiments shown, and it should be anticipated that ongoing technological development will change the manner in which particular functions are performed. These examples are presented herein for purposes of illustration, and not limitation. Further, the boundaries of the functional building blocks have been arbitrarily defined herein for the convenience of the description. Alternative boundaries can be defined so long as the specified functions and relationships thereof are appropriately performed. Alternatives (including equivalents, extensions, variations, deviations, etc., of those described herein) will be apparent to persons skilled in the relevant art(s) based on the teachings contained herein. Such alternatives fall within the scope of the disclosed embodiments. Also, the words “comprising,” “having,” “containing,” and “including,” and other similar forms are intended to be equivalent in meaning and be open ended in that an item or items following any one of these words is not meant to be an exhaustive listing of such item or items, or meant to be limited to only the listed item or items. It must also be noted that as used herein and in the appended claims, the singular forms “a,” “an,” and “the” include plural references unless the context clearly dictates otherwise.
[047] Furthermore, one or more computer-readable storage media may be utilized in implementing embodiments consistent with the present disclosure. A computer-readable storage medium refers to any type of physical memory on which information or data readable by a processor may be stored. Thus, a computer-readable storage medium may store instructions for execution by one or more processors, including instructions for causing the processor(s) to perform steps or stages consistent with the embodiments described herein. The term “computer-readable medium” should be understood to include tangible items and exclude carrier waves and transient signals, i.e., be non-transitory. Examples include random access memory (RAM), read-only memory (ROM), volatile memory, nonvolatile memory, hard drives, CD ROMs, DVDs, flash drives, disks, and any other known physical storage media.
[048] It is intended that the disclosure and examples be considered as exemplary only, with a true scope of disclosed embodiments being indicated by the following claims.
We Claim:
1. A processor implemented method (400), the method comprising:
receiving (402), by one or more hardware processors of a server machine, an access request from a user for accessing an application via a user device, wherein a primary authentication is performed using a plurality of credentials provided by the user while accessing the application;
extracting (404), by the one or more hardware processors of the server machine, a plurality of contextual parameters from the user device used for generating the access request using a pattern matching technique;
validating (406), by the one or more hardware processors of the server machine, the plurality of contextual parameters based on a comparison between the plurality of contextual parameters and the plurality of historical contextual parameters pertaining to the user;
assigning (408), by the one or more hardware processors of the server machine, a first percentage score to the user based on the comparison between the plurality of contextual parameters and the plurality of historical contextual parameters pertaining to the user as per the pattern matching technique;
assigning (410), by the one or more hardware processors of the server machine, a second percentage score to the user based on at least one of a device type and a network type, wherein the device type and the network type are associated with the user device;
validating (412), by the one or more hardware processors of the server machine, a change in selecting a secondary authentication by the user for accessing the application via the user device;
assigning (414), by the one or more hardware processors of the server machine, a third percentage score to the user based on the change in selecting the secondary authentication;
calculating (416), by the one or more hardware processors of the server machine, an assurance level specific to the user, based on the first percentage score, the second percentage score and the third percentage score; and
providing (418), by the one or more hardware processors of the server machine, one or more privileges to the user for accessing the application via the user device, based on the calculated assurance level.
2. The processor implemented method as claimed in claim 1, wherein the plurality of contextual parameters comprises a device ID, a device type, an Internet Protocol (IP) address, location details, browser details, timing details and Operating System (OS) version.
3. The processor implemented method as claimed in claim 1, wherein the first percentage score, the second percentage score and the third percentage score are assigned based on a plurality of values mentioned in a configuration file.
4. The processor implemented method as claimed in claim 1, wherein the device type includes at least one of an enterprise device and a personal device.
5. The processor implemented method as claimed in claim 1, wherein the network type includes at least one of a public network and an enterprise network.
6. The processor implemented method as claimed in claim 1, wherein the secondary authentication includes a one-time password, one or more secret questions, a fingerprint and a biometric.
7. The processor implemented method as claimed in claim 1, wherein the step of calculating an assurance level specific to the user comprises evaluating the access request to the application by the user based on a plurality of applicable policies.
8. A system (100), comprising:
a user device (102) connected to a server machine (104), wherein the server machine (104) comprises at least one memory (204) storing programmed instructions; one or more Input /Output (I/O) interfaces (212); and one or more hardware processors (202) operatively coupled to the at least one memory (204), wherein the one or more hardware processors (202) are configured by the programmed instructions to:
receive an access request from a user for accessing an application via a user device, wherein a primary authentication is performed using a plurality of credentials provided by the user while accessing the application;
extract a plurality of contextual parameters from the user device used for generating the access request using a pattern matching technique;
validate the plurality of contextual parameters based on a comparison between the plurality of contextual parameters and the plurality of historical contextual parameters pertaining to the user;
assign a first percentage score to the user based on the comparison between the plurality of contextual parameters and the plurality of historical contextual parameters pertaining to the user as per the pattern matching technique;
assign a second percentage score to the user based on at least one of a device type and a network type, wherein the device type and the network type are associated with the user device;
validate a change in selecting a secondary authentication by the user for accessing the application via the user device;
assign a third percentage score to the user based on the change in selecting the secondary authentication;
calculate an assurance level specific to the user, based on the first percentage score, the second percentage score and the third percentage score; and
provide one or more privileges to the user for accessing the application via the user device, based on the calculated assurance level.
9. The system as claimed in claim 8, wherein the plurality of contextual parameters comprises a device ID, a device type, an Internet Protocol (IP) address, location details, browser details, timing details and Operating System (OS) version.
10. The system as claimed in claim 8, wherein the first percentage score, the second percentage score and the third percentage score are assigned based on a plurality of values mentioned in a configuration file.
11. The system as claimed in claim 8, wherein the device type includes at least one of an enterprise device and a personal device.
12. The system as claimed in claim 8, wherein the network type includes at least one of a public network and an enterprise network.
13. The system as claimed in claim 8, wherein the secondary authentication includes a one-time password, one or more secret questions, a fingerprint and a biometric.
14. The system as claimed in claim 8, wherein the step of calculating an assurance level specific to the user comprises evaluating the access request to the application by the user based on a plurality of applicable policies.
| # | Name | Date |
|---|---|---|
| 1 | 202321086607-STATEMENT OF UNDERTAKING (FORM 3) [18-12-2023(online)].pdf | 2023-12-18 |
| 2 | 202321086607-REQUEST FOR EXAMINATION (FORM-18) [18-12-2023(online)].pdf | 2023-12-18 |
| 3 | 202321086607-FORM 18 [18-12-2023(online)].pdf | 2023-12-18 |
| 4 | 202321086607-FORM 1 [18-12-2023(online)].pdf | 2023-12-18 |
| 5 | 202321086607-FIGURE OF ABSTRACT [18-12-2023(online)].pdf | 2023-12-18 |
| 6 | 202321086607-DRAWINGS [18-12-2023(online)].pdf | 2023-12-18 |
| 7 | 202321086607-DECLARATION OF INVENTORSHIP (FORM 5) [18-12-2023(online)].pdf | 2023-12-18 |
| 8 | 202321086607-COMPLETE SPECIFICATION [18-12-2023(online)].pdf | 2023-12-18 |
| 9 | 202321086607-FORM-26 [22-01-2024(online)].pdf | 2024-01-22 |
| 10 | 202321086607-Proof of Right [06-06-2024(online)].pdf | 2024-06-06 |
| 11 | 202321086607-FORM-26 [14-11-2025(online)].pdf | 2025-11-14 |