Microsoft · Filed Feb 19, 2026 · Published Jul 2, 2026 · verified — real USPTO data

Microsoft Patent Would Use Cryptographic Identity Checks to Gate File Access

Imagine a file that can only be opened if you are who you say you are, in the right place, at the right time, and a third-party server agrees with all three. That's the system Microsoft just filed a patent for.

Microsoft Patent: Location-Aware Encrypted Access Control — figure from US 2026/0189370 A1
Figure from the official USPTO publication.
Publication number US 2026/0189370 A1
Applicant Microsoft Technology Licensing, LLC
Filing date Feb 19, 2026
Publication date Jul 2, 2026
Inventors Ramarathnam VENKATESAN, Nishanth CHANDRAN, Ganesh ANANTHANARAYANAN, Panagiotis ANTONOPOULOS, Srinath T.V. SETTY, Daniel John CARROLL JR., Kiran MUTHABATULLA, Yuanchao SHU, Sanjeev MEHROTRA
CPC classification 713/171
Grant likelihood Medium
Examiner CENTRAL, DOCKET (Art Unit OPAP)
Status Docketed New Case - Ready for Examination (Mar 25, 2026)
Parent application is a Continuation of 18045335 (filed 2022-10-10)
Document 20 claims

What Microsoft's location-gated file access actually does

Think about a sensitive document your company stores in the cloud. Today, access usually comes down to a password or a login code texted to your phone. Microsoft's patent describes something more layered: a file that stays encrypted until a dedicated server checks several things about you at once, things like your job role, your device, and where you are physically located.

The clever part is that neither side holds the complete key. You have one piece stored on your device, and the server holds another piece that it only hands over after verifying you meet the requirements. Only when both pieces are combined does the file actually unlock. If something is wrong, say you're logging in from an unexpected country, the server's piece never arrives and the file stays locked.

This approach means even if someone steals your device or your credentials, they still can't open the file without also satisfying whatever real-time conditions the policy demands. The verification happens through cryptographic proofs, meaning you can prove you have the right attributes without revealing the underlying details.

How the LAP server splits and reassembles the decryption key

The system centers on a Location Attribute Policy (LAP) server, a dedicated service that sits between you and any encrypted resource you want to open.

When you request access, the server consults a resource policy attached to that file. That policy lists two kinds of requirements:

  • Static attributes: fixed facts about you, like your employee role or security clearance, that don't change moment to moment.
  • Dynamic attributes: real-time conditions, like your current GPS coordinates or the time of day, that the server checks fresh each time.

To prove you meet the static requirements, your device sends a cryptographic proof (a mathematical demonstration that lets you confirm a fact without exposing the raw data behind it). The server checks that proof against a trusted ledger (a tamper-resistant record, similar in concept to a blockchain, that anchors the validity of the proof).

If the static proof checks out, the server supplies its own secret corresponding to the dynamic attribute. Your device then feeds both secrets, its stored one and the server's freshly issued one, into a decryption algorithm that combines them into the final key. Neither secret alone is enough; the file only opens when both halves arrive and the math works out.

What this means for enterprise data security and compliance

For enterprise IT and compliance teams, this is a meaningful step beyond traditional role-based access controls. Right now, most systems grant access once and trust the session to stay valid. Microsoft's design keeps checking conditions dynamically, so a valid login from London doesn't help an attacker who's actually in a data center in another country.

The split-key design also reduces the blast radius of a breach. If the LAP server is compromised, attackers still can't decrypt files without the secrets stored on each user's device. If a device is stolen, files still require the server's dynamic-condition approval. You get two independent failure points instead of one, which matters a lot for industries like finance, healthcare, and government contracting where data residency and access auditing are tightly regulated.

Editorial take

This is a genuinely thoughtful approach to a real problem: static access credentials that grant permanent access are a huge liability once compromised. The split-key, condition-aware design addresses that directly, and the use of a trusted ledger for proof verification adds an auditable trail that compliance-heavy industries will appreciate. Whether Microsoft ships this as a standalone Azure feature or folds it into something like Entra ID, it's the kind of infrastructure work that actually changes security posture.

Which company should we read for you?

We track 17 companies here. Pro is the same weekly breakdown for any company you choose, delivered privately. Type a name and we'll scope it and send you a quote.

Get one Big Tech patent every Sunday

Plain English, intelligent commentary, no hype. Free.

Source. Full patent text and figures from the official USPTO publication PDF.

Editorial commentary on a publicly published patent application. Not legal advice.