+

US20160285851A1 - Systems and methods for authenticating a user and device - Google Patents

Systems and methods for authenticating a user and device Download PDF

Info

Publication number
US20160285851A1
US20160285851A1 US15/178,963 US201615178963A US2016285851A1 US 20160285851 A1 US20160285851 A1 US 20160285851A1 US 201615178963 A US201615178963 A US 201615178963A US 2016285851 A1 US2016285851 A1 US 2016285851A1
Authority
US
United States
Prior art keywords
information received
computing device
authentication information
user
user account
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US15/178,963
Inventor
Bjorn Markus Jakobsson
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
PayPal Inc
Original Assignee
PayPal Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by PayPal Inc filed Critical PayPal Inc
Priority to US15/178,963 priority Critical patent/US20160285851A1/en
Publication of US20160285851A1 publication Critical patent/US20160285851A1/en
Assigned to EBAY INC. reassignment EBAY INC. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: JAKOBSSON, BJORN MARKUS
Assigned to PAYPAL, INC. reassignment PAYPAL, INC. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: EBAY INC.
Abandoned legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/33User authentication using certificates
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/316User authentication by observing the pattern of computer usage, e.g. typical user behaviour
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/40Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/401Transaction verification
    • G06Q20/4014Identity check for transactions
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/40Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/401Transaction verification
    • G06Q20/4016Transaction verification involving fraud or risk level assessment in transaction processing
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083Network architectures or network communication protocols for network security for authentication of entities using passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0853Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0861Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/105Multiple levels of security
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/082Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying multi-factor authentication

Definitions

  • Embodiments disclosed herein are related to systems and methods for authenticating a user and device with information in addition to a username and password.
  • embodiments disclosed herein are related to a system and method for authenticating a user and a device with low-quality or low-entropy information supplied in addition to a username and password.
  • attackers may know a user's login or password, but not both.
  • an attacker may try a brute force attack by entering common passwords with a known username, or common or user-identifiable (i.e., jdoel) usernames with known or common passwords.
  • Passwords with few characters such as a common four-character personal identification number (PIN)
  • PIN personal identification number
  • One method to stop brute force attacks is to limit the rate at which an attacker can make password guesses, such that the account is disabled after a certain number of incorrect guesses.
  • this method disables the account associated with a particular username, and cannot prevent attacks that enter a common password with many different usernames, which is referred to as a “vertical attack”. For example, in many cases a PIN number of 2580 is very common because it is simply the center row of numbers on a keypad. An attacker having a list of usernames can try that PIN number (or other common PIN numbers) on each of the usernames, and may have some moderate level of success.
  • an authentication device includes a network interface component coupled to a network and configured to receive at least one data packet having authentication information, the authentication information including at least a username of a user and user credentials.
  • the device also includes a memory coupled to the network interface component and configured to store the received authentication information, one or more instructions for authenticating the user based on the received authentication information, and account information of the user.
  • the device further includes one or more processors configured to, analyze the received information, calculate a score based on the received information, determine a threshold, compare the calculated score with the determined threshold, authenticate the user and a device from which the data packet is received if the calculated score is greater than or equal to the determined threshold, and request low-quality information if the calculated score is less than the determined threshold.
  • a method for authenticating a user request for authentication includes receiving, by an authentication device coupled to a network, the user request for authentication, computing, by the authentication device, a score based on information included in the user request, and determining, by the authentication device, a threshold.
  • the method further includes determining, by the authentication device, if the computed score is greater than or equal to the determined threshold, and authenticating, by the authentication device, a user making the user request and a user device on which the user request was made if the computed score is greater than or equal to the determined threshold, and requesting, by the authentication device, low-quality information if the computed score is not greater than or equal to the determined threshold.
  • a non-transitory computer-readable medium having instructions for execution by one or more processors that, when executed, cause the one or more processors to perform a method for authenticating a request for authenticating a user and a device received over a network by a network interface component coupled to the one or more processors.
  • the method includes receiving the user request for authentication, computing a score based on information included in the user request, and determining a threshold.
  • the method further includes determining if the computed score is greater than or equal to the determined threshold, authenticating the user and the device if the computed score is greater than or equal to the determined threshold and requesting low-quality information if the computed score is not greater than or equal to the determined threshold.
  • FIG. 1 is a block diagram of a networked system, consistent with some embodiments.
  • FIG. 2 is a diagram illustrating a computing system, consistent with some embodiments.
  • FIG. 3 is a figure illustrating a login screen, consistent with some embodiments.
  • FIG. 4 is a flowchart illustrating a method for authenticating a user or device, consistent with some embodiments.
  • FIG. 1 is a block diagram of a networked system 100 , consistent with some embodiments.
  • System 100 includes a client mobile device 102 , a client computing device 104 , and a payment service provider server 106 in communication over a network 108 .
  • Payment service provider server 106 may be maintained by a payment provider, such as PayPal, Inc. of San Jose, Calif. Server 106 may be maintained by other service providers in different embodiments.
  • Payment service provider may be more generally a web site, an online content manager, a service provider, such as a bank, or other entity who provides content to a user requiring user authentication or login.
  • Network 108 may be implemented as a single network or a combination of multiple networks.
  • network 108 may include the Internet and/or one or more intranets, landline networks, wireless networks, and/or other appropriate types of communication networks.
  • the network may comprise a wireless telecommunications network (e.g., cellular phone network) adapted to communicate with other communication networks, such as the Internet, as well as various cellular phone carriers, such as carrier 110 having a subscriber database 111 .
  • a wireless telecommunications network e.g., cellular phone network
  • Client mobile device 102 may be implemented using any appropriate combination of hardware and/or software configured for wired and/or wireless communication over network 108 .
  • client mobile device 102 may be implemented as a wireless telephone (e.g., smart phone), tablet, personal digital assistant (PDA), notebook computer, and/or various other generally known types of wired and/or wireless mobile computing devices.
  • client mobile device 102 may include any appropriate combination of hardware and/or software having one or more processors and capable of reading instructions stored on a non-transitory machine-readable medium for execution by the one or more processors.
  • client mobile device 102 includes a machine-readable medium, such as a memory (not shown) that includes instructions for execution by one or more processors (not shown) for causing client mobile device 102 to perform specific tasks.
  • a machine-readable medium such as a memory (not shown) that includes instructions for execution by one or more processors (not shown) for causing client mobile device 102 to perform specific tasks.
  • such instructions may include displaying content, such as a web page or a user interface using a browser 112 .
  • content may be content displayed by particular applications or “apps” 114 stored in a memory of client mobile device 102 and executed by one or more processors executing in client mobile device 102 .
  • machine-readable media includes, for example, floppy disk, flexible disk, hard disk, magnetic tape, any other magnetic medium, CD-ROM, any other optical medium, punch cards, paper tape, any other physical medium with patterns of holes, RAM, PROM, EPROM, FLASH-EPROM, any other memory chip or cartridge, and/or any other medium from which one or more processors or computer is adapted to read.
  • client mobile device 102 may be a mobile device such as a smartphone such as an iPhoneTM or other mobile device running the iOSTM operating system, the AndroidTM operating system, a BlackBerryTM operating system, Windows® Phone operating system, or webOSTM.
  • Client mobile device 102 may also be a tablet computer, such as an iPadTM or other tablet computer running one of the aforementioned operating systems. It should be appreciated that, in various embodiments, client mobile device 102 may be referred to as a user device or a customer/client device without departing from the scope of the present disclosure.
  • browser 112 may be a mobile browser app, which may be used to provide a user interface to permit a user 116 to browse information available over network 108 .
  • browser application 112 may be implemented as a web browser to view information available over network 108 .
  • Browser application 112 may include a software program, such as a graphical user interface (GUI), executable by one or more processors that is configured to interface and communicate with the payment service provider server 106 or other servers managed by content providers or merchants via network 108 .
  • GUI graphical user interface
  • user 116 is able to access websites to find and purchase items, as well as access user account information or web content.
  • User 116 through client mobile device 102 , may also communicate with payment service provider server 106 to create an account, authenticate and/or log in to the account, and make a payment to a merchant or another individual connected to network 108 .
  • Client mobile device 102 may include other applications 114 as may be desired in one or more embodiments to provide additional features available to user 116 , including accessing a user account with payment provider server 106 .
  • applications 114 may include interfaces and communication protocols that allow the user to receive and transmit information through payment service provider server 106 and other online sites.
  • Applications 114 may also include security applications for implementing client-side security features, programmatic client applications for interfacing with appropriate application programming interfaces (APIs) over network 108 or various other types of generally known programs and/or applications.
  • Applications 114 may include mobile apps downloaded and resident on client mobile device 102 that enables user 116 to access content through the apps.
  • Client computing device 104 which can be similar to client mobile device 102 , may be a separate device, such as a PC or laptop or netbook, or may be omitted if the user will be using only client mobile device 102 . Both user devices may be used to access content with the payment service provider server 106 or other content provider.
  • Client computing device 104 may include a browser application 118 and other applications 120 , similar to browser application 112 and applications 114 in client mobile device 102 .
  • Browser application 118 and applications 120 enable user 116 to access a payment provider web site and communicate with payment service provider server 106 , as well as other online sites.
  • Payment service provider server 106 may be maintained by an online payment provider, which may provide processing for online financial and information transactions on behalf of user 116 .
  • Payment service provider server 106 may include at least one authentication application 122 , which may be adapted to interact with client mobile device 102 and/or client computing device 104 over network 108 to authenticate requests to access accounts and purchase items, products and/or services by user 116 .
  • Payment service provider server 106 may be configured to maintain a plurality of user accounts in an account database 124 , each of which may include or be separate from an account information 126 associated with individual users, including user 116 .
  • account information 126 may include identity information of user 116 , such as one or more full names, business names, street addresses, email addresses and phone numbers, website addresses, or other types of financial information, which may be used to facilitate online transactions for user 116 , as well as user credentials such as user passwords and/or PINs. Further account information 126 may further include additional low-quality or low-entropy information about user 116 and client mobile device 102 and/or client computing device 104 that is collected by payment service provider server 106 when user 116 is authenticated by authentication app 122 .
  • Such low-quality or low-entropy information includes a location of user 116 when authenticated, an internet protocol (IP) address of client mobile device 102 or client computing device 104 , carrier 110 that client mobile device 102 uses, a user agent or device identification (device ID) of client mobile device 102 or client computing device 104 , and behavioral characteristics of user 116 as user interacts with client mobile device 102 and/or client computing device 104 .
  • authentication application 122 may be configured to interact with a user 116 to authenticate the user through user credentials such as a password or PIN and automatically store the PIN and/or password and/or additional low-quality or low-entropy information about user 116 and client mobile device 102 and/or client computing device 104 .
  • system 100 may also include satellite 128 which may be in communication with any or all of client mobile device 102 , client computing device 104 , payment service provider server 106 , and carrier 110 .
  • satellite 128 may be a global positioning system (GPS) satellite in communication with client mobile device 102 for determining a location of client mobile device 102 .
  • GPS global positioning system
  • FIG. 2 is a diagram illustrating computing system 200 , which may correspond to any of client mobile device 102 , client computing device 104 , or payment service provider server 106 , consistent with some embodiments.
  • Computing system 200 may be a mobile device such as a smartphone such as an iPhoneTM or other mobile device running the iOSTM operating system, the AndroidTM operating system, a BlackBerryTM operating system, or webOSTM, as would be consistent with client mobile device 102 .
  • Computing system 200 may also be a tablet computer such as the iPadTM or other similar device running the aforementioned operating systems.
  • Computing system 200 may also be personal computer, laptop computer, netbook, or tablet computer as would be consistent with client computing device 104 .
  • computing system 200 may also be a server or one server amongst a plurality of servers, as would be consistent with payment service provider server 106 .
  • computing system 200 includes a network interface component (NIC) 202 configured for communication with a network such as network 108 shown in FIG. 1 .
  • NIC 202 includes a wireless communication component, such as a wireless broadband component, a wireless satellite component, or various other types of wireless communication components including radio frequency (RF), microwave frequency (MWF), and/or infrared (IR) components configured for communication with network 108 .
  • RF radio frequency
  • MMF microwave frequency
  • IR infrared
  • NIC 202 may be configured to interface with a coaxial cable, a fiber optic cable, a digital subscriber line (DSL) modem, a public switched telephone network (PSTN) modem, an Ethernet device, and/or various other types of wired and/or wireless network communication devices adapted for communication with network 108 .
  • DSL digital subscriber line
  • PSTN public switched telephone network
  • computing system 200 includes a system bus 204 for interconnecting various components within computing system 200 and communication information between the various components.
  • Such components include a processing component 206 , which may be one or more processors, micro-controllers, or digital signal processors (DSP), a system memory component 208 , which may correspond to random access memory (RAM), an internal memory component 210 , which may correspond to read-only memory (ROM), and a external or static memory 212 , which may correspond to optical, magnetic, or solid-state memories.
  • processing component 206 may be one or more processors, micro-controllers, or digital signal processors (DSP)
  • system memory component 208 which may correspond to random access memory (RAM)
  • RAM random access memory
  • ROM read-only memory
  • external or static memory 212 which may correspond to optical, magnetic, or solid-state memories.
  • computing system 200 further includes a display component 214 for displaying information to a user 116 of computing system 200 .
  • Display component 214 may be an liquid crystal display (LCD) screen, an organic light emitting diode (OLED) screen (including active matrix AMOLED screens), an LED screen, a plasma display, or a cathode ray tube (CRT) display.
  • Computing system 200 may also include an input component 216 , allowing for a user 116 of computing system 200 to input information to computing system 200 . Such information could include payment information such as an amount required to complete a transaction, account information, authentication information, or identification information.
  • An input component 216 may include, for example, a keyboard or key pad, whether physical or virtual.
  • Computing system 200 may further include a navigation control component 218 , configured to allow a user to navigate along display component 214 .
  • navigation control component 218 may be a mouse, a trackball, or other such device. Moreover, if device 200 includes a touch screen, display component 214 , input component 216 , and navigation control 218 may be a single integrated component, such as a capacitive sensor-based touch screen.
  • computing system 200 may include a location component 220 for determining a location of computing system 220 .
  • location component 220 may correspond to a GPS transceiver that is in communication with satellite 128 .
  • location component 220 may be configured to determine a location of computing system by using an internet protocol (IP) address lookup, or by triangulating a position based on nearby mobile communications towers.
  • IP internet protocol
  • Location component 220 may be further configured to store a user-defined location in any of system memory 208 , internal memory 210 , and/or external memory 212 that can be transmitted to a third party for the purpose of identifying a location of computing system 200 .
  • Computing system 200 may perform specific operations by processing component 206 executing one or more sequences of instructions contained in system memory component 208 , internal memory component 210 , and/or external or static memory 212 .
  • processing component 206 executing one or more sequences of instructions contained in system memory component 208 , internal memory component 210 , and/or external or static memory 212 .
  • hard-wired circuitry may be used in place of or in combination with software instructions to implement the present disclosure.
  • Non-volatile media include optical or magnetic disks
  • volatile media includes dynamic memory
  • transmission media includes coaxial cables, copper wire, and fiber optics, including wires that comprise system bus 204 .
  • transmission media may take the form of acoustic or light waves, such as those generated during radio wave and infrared data communications.
  • Computer readable media include, for example, floppy disk, flexible disk, hard disk, magnetic tape, any other magnetic medium, CD-ROM, any other optical medium, punch cards, paper tape, any other physical medium with patterns of holes, RAM, PROM, EPROM, FLASH-EPROM, any other memory chip or cartridge, carrier wave, or any other medium from which a computer is adapted to read.
  • execution of instruction sequences to practice the present disclosure may be performed by computing system 200 .
  • a plurality of computing systems 200 coupled by a communication link 222 to network 108 may perform instruction sequences to practice the present disclosure in coordination with one another.
  • Computing system 200 may transmit and receive messages, data and one or more data packets, information and instructions, including one or more programs (i.e., application code) through communication link 222 and network interface component 202 .
  • Communication link 222 may be wireless through a wireless data protocol such as Wi-FiTM, 3G, 4G, HDSPA, LTE, RF, NFC, or through a wired connection.
  • Network interface component 202 may include an antenna, either separate or integrated, to enable transmission and reception via communication link 222 .
  • Received program code may be executed by processing component 206 as received and/or stored in memory 208 , 210 , or 212 .
  • FIG. 3 is a figure illustrating a login screen, consistent with some embodiments.
  • device 300 has a display 302 that may be configured to display a login screen 304 , consistent with some embodiments.
  • Device 300 may correspond to client mobile device 102 , but also may correspond to client computing device 104 .
  • device 300 may also correspond to computing system 200 shown in FIG. 2 .
  • Login screen 304 may request a user name 306 and credentials such as a personal identification number (PIN) 308 .
  • PIN 308 may be an N-digit number that is known by the user and is associated with the user's account.
  • PIN 308 may be a PIN generated based on a password, as described in U.S. patent application Ser. No. 13/281,273, filed on Oct. 25, 2011, which is assigned to the same entity as this application and is incorporated by reference herein in its entirety.
  • login screen 304 may request an alphanumeric password.
  • username 306 may be remembered by device 300 and may be automatically filled upon accessing login screen 304 .
  • Login screen 304 may require additional information, consistent with some embodiments.
  • Login screen 304 may be a login screen provided by a payment service provider such as PayPal, Inc. of San Jose, Calif.
  • Login screen 310 may further include a “submit” button 310 which, when selected, posts username 306 and PIN 308 to network 108 .
  • submit button 310 may be selected by touch the displayed submit button 310 on a touch screen device, such as client mobile device 102 .
  • submit button 310 may be activated by navigating to button 310 with navigation control 218 , such as a trackball, mouse, or cursor-moving device and then pressing a physical button on client mobile device 102 or client computing device 104 .
  • additional information may be posted to network 108 by selecting submit button 310 .
  • the additional information may include high-quality information such as a cookie, or a local object such as a FlashObject.
  • the additional information may also include low-quality or low-entropy information such as an IP address of device 300 , a device identification (ID) of device 300 , or a location of device 300 .
  • the posted username 306 , PIN 308 , and additional information may collectively be considered as at least one data packet 312 that is posted to network 108 .
  • at least one data packet 312 may be posted to network using secure sockets layer (SSL) transmission.
  • SSL secure sockets layer
  • At least one data packet 312 may be posted to network 108 to log in to payment service provider server 106 or to otherwise provide authentication credentials to payment service provider server 106 in order to make a payment, receive a payment, or otherwise authorize a transaction or other action to be made in accordance with user's 116 account with the payment service provider. Further, at least one data packet 312 may be a single data packet including username 306 , PIN 308 , and additional information, or may be multiple data packets including this and other information.
  • payment service provider server 106 requires the additional information in order to authenticate user 116 and device 300 , as the additional information provides an additional layer of security, which may be nothing more than a deterrent, over a simple username and PIN authentication.
  • PIN 308 is simply an arrangement of 4 numbers chosen by user 116 or assigned by payment service provider server 106
  • an attacker may be able to try the same PIN with many different usernames in the hope that one will work, in a so-called “vertical attack” as described above.
  • an attacker that has obtained a username and password of user 116 may try to authenticate user's 116 account with the payment service provider from the attacker's device.
  • This required additional information may be the cookie and/or local object stored on device 300 , discussed above. Consistent with some embodiments, the cookie and/or local object may be stored in a memory of device 300 upon an initial successful authentication with payment service provider server 106 . The cookie and/or local object will provide evidence to payment service provider server 106 that user 116 and device 300 have been previously authenticated and, in most cases, performing a permitted authentication with payment service provider server 106 . Consistent with some embodiments, the cookie and/or local object may have an associated time stamp that payment service provider server 106 checks so that the cookie and/or local object are periodically refreshed/replaced.
  • User 116 may wish to authenticate to payment service provider server 106 via multiple devices 300 , such as both a client mobile device 102 and client computing device 104 .
  • user 116 may purchase a new device or wish to authenticate to payment service provider server from a friend's or relative's device.
  • the devices will not have the cookie and/or local object stored therein, making it difficult for user 116 to authenticate to payment service provider server 106 .
  • a user may be able to provide low-quality or low-entropy information in lieu of the cookie and/or local object in order to authenticate with payment service provider server 106 , as described in FIG. 4 , below.
  • FIG. 4 is a flowchart illustrating a method for authenticating a user or device, consistent with some embodiments.
  • the method shown in FIG. 4 will be described with reference to FIGS. 1-3 .
  • the method shown in FIG. 4 may be implemented by authentication application 122 running on payment service provider server 106 .
  • the method shown in FIG. 4 may correspond to computer-readable instructions stored in a memory of payment service provider server 106 that, when executed by one or more processors of payment service provider server 106 causes the one or more processors to perform the method.
  • the method begins by receiving a request for authentication ( 402 ).
  • the request for authentication may be transmitted by a device such as client mobile device 102 or client computing device 104 , each of which may correspond to computing system 200 or device 300 .
  • the request for authentication may be transmitted to network 108 and received by payment service provider server 106 .
  • the request for authentication may correspond to at least one data packet 312 sent by device 300 that includes user and device information that may include at least a username 306 and user credentials such as a PIN 308 as well as additional information.
  • the received user and device information is then analyzed ( 404 ).
  • payment service provider server 106 performs the information analysis.
  • additional processing devices coupled to payment service provider server 106 may perform the information analysis.
  • the analysis of the received user and device information may include reviewing the type of information received, filtering out redundant or unnecessary information, or analyzing the received user and device information to determine the presence or absence of a particular kind of information.
  • the analysis of the user device and information may include determining if the received username 306 and user credentials match a username 306 and user credentials for a particular account in account information 126 of payment service provider server 106 .
  • the method shown in FIG. 4 may terminate when username 306 and user credentials do not match with the username 306 and credentials in account information 126 of payment service provider server 106 .
  • a score is computed based on the received user and device information ( 406 ). Consistent with some embodiments, the score is computed by payment service provider server 106 but, in some other embodiments, the score may be computed by additional processing devices coupled to payment service provider server 106 (not shown). The score may be computed by assigning a weight or number to the additional information received in at least one data packet 312 . For example, if at least one data packet 312 includes a cookie indicating that user 116 and device 300 have previously been authenticated by payment service provider server 106 , the cookie may be assigned a relatively high score. Similarly, if at least one data packet 312 includes a local object such as a FlashObject previously assigned by payment service provider server 106 upon a successful authentication, the local object may also be assigned a relatively high score.
  • a threshold is determined ( 408 ). Consistent with some embodiments, the threshold is dependent on user 116 . For example, if user 116 has interacted with the payment service provider that maintains server 106 in the past, these past interactions, stored in account information 126 , may be consulted in order to determine the threshold. If user 116 has previously had fraudulent activity on their account, the threshold may be higher than that for a user having no fraudulent activity. Other factors that may be used in order to determine the user-dependent threshold include credit scores, current location of user in comparison to known home location or previous location, recent successful or failed interactions with the payment service provider, and complaints lodged against user 116 with the payment service provider.
  • the factors that may be used to determine the user-dependent threshold may also include contextual-based factors that factor in the context in which user 116 is currently attempting to authenticate with payment service provider server 106 . For example, if user 116 is attempting to authenticate with payment service provider server 106 in order to send a payment to an individual with whom user 116 has previously performed a transaction with, the user-dependent threshold may be lower than it would be if the authentication is to send a payment to an individual with whom user 116 has not previously performed a transaction with.
  • additional factors that may be considered in determining the user-dependent threshold include the trustworthiness of the payer and payer, and the user history, stored in account information 126 , of both payer and payee.
  • account information may include volume of transactions, complaints, how long the payer or payee has been active.
  • the computed score is compared with the determined threshold ( 410 ). If the computed score is determined to be less than the threshold, payment service provider server 106 may request additional low-quality or low-entropy information ( 412 ). Consistent with some embodiments, the request for low-quality information requires, in response, the user to enter low-quality information, or the user to perform additional authentication, or the user to perform a specified action, or the user to execute a specific program on the device such as a anti-virus or anti-malware application, or a response from a third party, or a scan of a device performed by a third party or payment service provider server 106 .
  • Low-quality or low-entropy information includes information that when taken alone would be insecure authentication information but, when taken in combination with more high-quality or high-entropy authentication information, can add security to an authentication request. At the very least, the additional low-quality or low-entropy information requested by payment service provider server may act as a deterrent to would be attackers.
  • the low-quality or low-entropy information may include information that is provided by user 116 , client mobile device 102 or client computing device 104 , from payment service provider 106 , or from carrier 110 .
  • low-quality or low-entropy information that may be provided by user 116 include a time-stamped photo of user 116 taken by, for example, client mobile device 102 .
  • Low-quality or low-entropy information that may be provided by client mobile device 102 may further include an internet protocol (IP) address, a user agent or device identification (device ID), the service provider (e.g., carrier 110 ) that client mobile device 102 is currently operating on, a current location determined by location component 220 , biometric information of user 116 , a short password or recovery PIN entered by user 116 , or behavioral characteristics of user 116 .
  • Behavioral characteristics may include information related to how user 116 interacts with client mobile device 102 , such as how user 116 accesses data from client mobile device 102 , how user 116 swipes the screen of client mobile device 102 , or accelerometer data captured by client mobile device 102 .
  • Low-quality or low-entropy information that may be provided by carrier 110 may include an International Mobile Equipment Identity (IMEI) number of client mobile device 102 , an International Mobile Subscriber Identity (IMSI) number associated with client mobile device 102 , a Mobile Equipment Identifier (MEID) number associated with client mobile device 102 , the IP address of client mobile device 102 , a location of client mobile device 102 , or personal information stored in subscribe database 126 of user 116 .
  • IMEI International Mobile Equipment Identity
  • IMSI International Mobile Subscriber Identity
  • MEID Mobile Equipment Identifier
  • Low-quality or low-entropy information that may be provided by, or in this case retrieved by, payment service provider server 106 includes information concerning user 116 that may be stored in account information 126 and, in some embodiments, may be compared with low-quality or low-entropy information provided from client mobile device 102 (or client computing device 104 ) or carrier 110 to determine if the provided low-quality or low-entropy information is indicative of information that would be provided by user 116 .
  • payment service provider server 106 may retrieve an e-mail address associated with user 116 stored in account information 126 and send an e-mail to the listed e-mail address containing a hyperlink for user 116 to follow to enter additional low-quality or low-entropy information or that will allow payment service provider server 106 to automatically collect low-quality or low-entropy information about user 116 and device 300 .
  • the additional low-quality or low-entropy information that is collected by payment service provider server 106 may be stored in account information 126 for future use.
  • the score will again be computed based on the additional information ( 406 ), the threshold will be determined ( 408 ), and the computed score will be compared against the determined threshold ( 410 ). If the computed score is greater than or equal to the threshold, user 116 and device 300 is authenticated ( 414 ). Authentication of user 116 and device 300 may include the transmission of a cookie or a local object such as a FlashObject from payment service provider server 306 to device 300 (which may correspond to client mobile device 102 or client computing device 104 ).
  • the presence of a cookie or local object in data packet 312 may provide a sufficient score to authenticate user 116 and device 300 so that they do not need to provide additional low-quality or low-entropy information when attempting a successive authentication.
  • a computed score is not greater than or equal to a determined threshold ( 410 ) even after receiving additional low-quality or low-entropy information
  • user 116 and device 300 may be authenticated but flagged as having limited authentication.
  • having limited authentication may allow only certain actions to be performed when interacting with payment service provider server 106 .
  • various embodiments provided by the present disclosure may be implemented using hardware, software, or combinations of hardware and software.
  • the various hardware components and/or software components set forth herein may be combined into composite components comprising software, hardware, and/or both without departing from the spirit of the present disclosure.
  • the various hardware components and/or software components set forth herein may be separated into sub-components comprising software, hardware, or both without departing from the scope of the present disclosure.
  • software components may be implemented as hardware components and vice versa.
  • Software in accordance with the present disclosure, such as program code and/or data, may be stored on one or more computer readable mediums. It is also contemplated that software identified herein may be implemented using one or more general purpose or specific purpose computers and/or computer systems, networked and/or otherwise. Where applicable, the ordering of various steps described herein may be changed, combined into composite steps, and/or separated into sub-steps to provide features described herein.
  • embodiments as described herein may provide systems and methods for authenticating a user by determining if the request includes sufficient information to meet or surpass a user-based threshold and, if the request does not include sufficient information, requesting additional low-quality or low-entropy information from the user until the user-based threshold is met.
  • Such systems and methods may provide an additional security for users by providing a deterrent to would-be attackers using brute-force attacks.
  • the examples provided above are exemplary only and are not intended to be limiting.
  • One skilled in the art may readily devise other systems consistent with the disclosed embodiments which are intended to be within the scope of this disclosure. As such, the application is limited only by the following claims.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Accounting & Taxation (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Strategic Management (AREA)
  • Finance (AREA)
  • General Business, Economics & Management (AREA)
  • Software Systems (AREA)
  • General Health & Medical Sciences (AREA)
  • Health & Medical Sciences (AREA)
  • Power Engineering (AREA)
  • Social Psychology (AREA)
  • Biomedical Technology (AREA)
  • Information Transfer Between Computers (AREA)
  • Telephonic Communication Services (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)

Abstract

Systems and methods for authenticating a user request for authentication are provided. An authentication device that may be part of such a system includes a network interface component coupled to a network and configured to receive at least one data packet having authentication information including at least a username of a user and user credentials. The device also includes a memory coupled to the network interface component and configured to store the received authentication information, one or more instructions for authenticating the user, and account information of the user. The device further includes one or more processors configured to analyze the received information, calculate a score based on the received information, determine a threshold, compare the calculated score with the determined threshold, and authenticate the user and a device from which the data packet is received if the calculated score is greater than or equal to the determined threshold.

Description

    CROSS REFERENCE TO RELATED APPLICATIONS
  • The present application is a continuation of U.S. patent application Ser. No. 14/597,172, filed on Jan. 14, 2015, which is a continuation of U.S. patent application Ser. No. 13/523,425, filed on Jun. 14, 2012, the disclosures of which are hereby incorporated by reference in its entirety.
    • BACKGROUND
  • 1. Technical Field
  • Embodiments disclosed herein are related to systems and methods for authenticating a user and device with information in addition to a username and password. In particular, embodiments disclosed herein are related to a system and method for authenticating a user and a device with low-quality or low-entropy information supplied in addition to a username and password.
  • 2. Related Art
  • As people use the internet for more and more reasons, scammers and so-called “black-hat” hackers increasingly look to the internet as a new frontier of illicit opportunity. People who use the internet to conduct financial transactions, such as making purchases and banking, can be attacked by the scammers and hackers, and attackers can gain access to the online financial accounts of these people. The attackers can use this access for their financial gain, which can hurt the financial standing and credit rating of the people. Moreover, access to one account of a person may result in access to additional accounts because of the exploitable personal information viewable in the accessed account.
  • In some cases, attackers may know a user's login or password, but not both. As a result, an attacker may try a brute force attack by entering common passwords with a known username, or common or user-identifiable (i.e., jdoel) usernames with known or common passwords. Passwords with few characters, such as a common four-character personal identification number (PIN), may be particularly vulnerable to brute force attacks because there are few permutations, and many common PINs are used by users for their convenience. One method to stop brute force attacks is to limit the rate at which an attacker can make password guesses, such that the account is disabled after a certain number of incorrect guesses. However, this method disables the account associated with a particular username, and cannot prevent attacks that enter a common password with many different usernames, which is referred to as a “vertical attack”. For example, in many cases a PIN number of 2580 is very common because it is simply the center row of numbers on a keypad. An attacker having a list of usernames can try that PIN number (or other common PIN numbers) on each of the usernames, and may have some moderate level of success.
  • The variety and portability of internet-capable devices have resulted in not only users being capable of performing internet communications and transactions more frequently, but also in the opportunity for attackers to attempt attacks on unsuspecting users. The lucrative potential that these attacks present the attackers encourages attackers to try and stay one or more steps ahead of the security. When a countermeasure or other security provision is put into place to stop or otherwise limit the effect of an attack, the attackers develop ways to overcome the countermeasure, or find additional ways to exploit the operating system, browser or other executable software to launch another, possibly more effective attack.
  • Accordingly, there is a need for a system and method for authenticating a user using low-quality or low-entropy information supplied in addition to a username and password.
    • SUMMARY
  • Consistent with some embodiments, there is provided an authentication device. The device includes a network interface component coupled to a network and configured to receive at least one data packet having authentication information, the authentication information including at least a username of a user and user credentials. The device also includes a memory coupled to the network interface component and configured to store the received authentication information, one or more instructions for authenticating the user based on the received authentication information, and account information of the user. The device further includes one or more processors configured to, analyze the received information, calculate a score based on the received information, determine a threshold, compare the calculated score with the determined threshold, authenticate the user and a device from which the data packet is received if the calculated score is greater than or equal to the determined threshold, and request low-quality information if the calculated score is less than the determined threshold.
  • Consistent with some embodiments, there is also provided a method for authenticating a user request for authentication. The method includes receiving, by an authentication device coupled to a network, the user request for authentication, computing, by the authentication device, a score based on information included in the user request, and determining, by the authentication device, a threshold. The method further includes determining, by the authentication device, if the computed score is greater than or equal to the determined threshold, and authenticating, by the authentication device, a user making the user request and a user device on which the user request was made if the computed score is greater than or equal to the determined threshold, and requesting, by the authentication device, low-quality information if the computed score is not greater than or equal to the determined threshold.
  • Consistent with some embodiments, there is further provided a non-transitory computer-readable medium having instructions for execution by one or more processors that, when executed, cause the one or more processors to perform a method for authenticating a request for authenticating a user and a device received over a network by a network interface component coupled to the one or more processors. The method includes receiving the user request for authentication, computing a score based on information included in the user request, and determining a threshold. The method further includes determining if the computed score is greater than or equal to the determined threshold, authenticating the user and the device if the computed score is greater than or equal to the determined threshold and requesting low-quality information if the computed score is not greater than or equal to the determined threshold.
  • These and other embodiments will be described in further detail below with respect to the following figures.
    • BRIEF DESCRIPTION OF THE FIGURES
  • FIG. 1 is a block diagram of a networked system, consistent with some embodiments.
  • FIG. 2 is a diagram illustrating a computing system, consistent with some embodiments.
  • FIG. 3 is a figure illustrating a login screen, consistent with some embodiments.
  • FIG. 4 is a flowchart illustrating a method for authenticating a user or device, consistent with some embodiments.
    •
  • In the drawings, elements having the same designation have the same or similar functions.
    • DETAILED DESCRIPTION
  • In the following description specific details are set forth describing certain embodiments. It will be apparent, however, to one skilled in the art that the disclosed embodiments may be practiced without some or all of these specific details. The specific embodiments presented are meant to be illustrative, but not limiting. One skilled in the art may realize other material that, although not specifically described herein, is within the scope and spirit of this disclosure.
  • FIG. 1 is a block diagram of a networked system 100, consistent with some embodiments. System 100 includes a client mobile device 102, a client computing device 104, and a payment service provider server 106 in communication over a network 108. Payment service provider server 106 may be maintained by a payment provider, such as PayPal, Inc. of San Jose, Calif. Server 106 may be maintained by other service providers in different embodiments. Payment service provider may be more generally a web site, an online content manager, a service provider, such as a bank, or other entity who provides content to a user requiring user authentication or login.
  • Network 108, in one embodiment, may be implemented as a single network or a combination of multiple networks. For example, in various embodiments, network 108 may include the Internet and/or one or more intranets, landline networks, wireless networks, and/or other appropriate types of communication networks. In another example, the network may comprise a wireless telecommunications network (e.g., cellular phone network) adapted to communicate with other communication networks, such as the Internet, as well as various cellular phone carriers, such as carrier 110 having a subscriber database 111.
  • Client mobile device 102, in one embodiment, may be implemented using any appropriate combination of hardware and/or software configured for wired and/or wireless communication over network 108. For example, client mobile device 102 may be implemented as a wireless telephone (e.g., smart phone), tablet, personal digital assistant (PDA), notebook computer, and/or various other generally known types of wired and/or wireless mobile computing devices. Consistent with some embodiments, client mobile device 102 may include any appropriate combination of hardware and/or software having one or more processors and capable of reading instructions stored on a non-transitory machine-readable medium for execution by the one or more processors. Consistent with some embodiments, client mobile device 102 includes a machine-readable medium, such as a memory (not shown) that includes instructions for execution by one or more processors (not shown) for causing client mobile device 102 to perform specific tasks. For example, such instructions may include displaying content, such as a web page or a user interface using a browser 112. Further, content may be content displayed by particular applications or “apps” 114 stored in a memory of client mobile device 102 and executed by one or more processors executing in client mobile device 102. Some common forms of machine-readable media includes, for example, floppy disk, flexible disk, hard disk, magnetic tape, any other magnetic medium, CD-ROM, any other optical medium, punch cards, paper tape, any other physical medium with patterns of holes, RAM, PROM, EPROM, FLASH-EPROM, any other memory chip or cartridge, and/or any other medium from which one or more processors or computer is adapted to read.
  • As discussed above, client mobile device 102 may be a mobile device such as a smartphone such as an iPhone™ or other mobile device running the iOS™ operating system, the Android™ operating system, a BlackBerry™ operating system, Windows® Phone operating system, or webOS™. Client mobile device 102 may also be a tablet computer, such as an iPad™ or other tablet computer running one of the aforementioned operating systems. It should be appreciated that, in various embodiments, client mobile device 102 may be referred to as a user device or a customer/client device without departing from the scope of the present disclosure.
  • Consistent with some embodiments, browser 112 may be a mobile browser app, which may be used to provide a user interface to permit a user 116 to browse information available over network 108. For example, browser application 112 may be implemented as a web browser to view information available over network 108. Browser application 112 may include a software program, such as a graphical user interface (GUI), executable by one or more processors that is configured to interface and communicate with the payment service provider server 106 or other servers managed by content providers or merchants via network 108. For example, user 116 is able to access websites to find and purchase items, as well as access user account information or web content. User 116, through client mobile device 102, may also communicate with payment service provider server 106 to create an account, authenticate and/or log in to the account, and make a payment to a merchant or another individual connected to network 108.
  • Client mobile device 102, in one embodiment, may include other applications 114 as may be desired in one or more embodiments to provide additional features available to user 116, including accessing a user account with payment provider server 106. For example, applications 114 may include interfaces and communication protocols that allow the user to receive and transmit information through payment service provider server 106 and other online sites. Applications 114 may also include security applications for implementing client-side security features, programmatic client applications for interfacing with appropriate application programming interfaces (APIs) over network 108 or various other types of generally known programs and/or applications. Applications 114 may include mobile apps downloaded and resident on client mobile device 102 that enables user 116 to access content through the apps.
  • Client computing device 104, which can be similar to client mobile device 102, may be a separate device, such as a PC or laptop or netbook, or may be omitted if the user will be using only client mobile device 102. Both user devices may be used to access content with the payment service provider server 106 or other content provider. Client computing device 104, in one embodiment, may include a browser application 118 and other applications 120, similar to browser application 112 and applications 114 in client mobile device 102. Browser application 118 and applications 120 enable user 116 to access a payment provider web site and communicate with payment service provider server 106, as well as other online sites.
  • Payment service provider server 106 according to some embodiments, may be maintained by an online payment provider, which may provide processing for online financial and information transactions on behalf of user 116. Payment service provider server 106 may include at least one authentication application 122, which may be adapted to interact with client mobile device 102 and/or client computing device 104 over network 108 to authenticate requests to access accounts and purchase items, products and/or services by user 116. Payment service provider server 106 may be configured to maintain a plurality of user accounts in an account database 124, each of which may include or be separate from an account information 126 associated with individual users, including user 116. For example, account information 126 may include identity information of user 116, such as one or more full names, business names, street addresses, email addresses and phone numbers, website addresses, or other types of financial information, which may be used to facilitate online transactions for user 116, as well as user credentials such as user passwords and/or PINs. Further account information 126 may further include additional low-quality or low-entropy information about user 116 and client mobile device 102 and/or client computing device 104 that is collected by payment service provider server 106 when user 116 is authenticated by authentication app 122. Such low-quality or low-entropy information includes a location of user 116 when authenticated, an internet protocol (IP) address of client mobile device 102 or client computing device 104, carrier 110 that client mobile device 102 uses, a user agent or device identification (device ID) of client mobile device 102 or client computing device 104, and behavioral characteristics of user 116 as user interacts with client mobile device 102 and/or client computing device 104. As such, authentication application 122 may be configured to interact with a user 116 to authenticate the user through user credentials such as a password or PIN and automatically store the PIN and/or password and/or additional low-quality or low-entropy information about user 116 and client mobile device 102 and/or client computing device 104.
  • As shown in FIG. 1, system 100 may also include satellite 128 which may be in communication with any or all of client mobile device 102, client computing device 104, payment service provider server 106, and carrier 110. Consistent with some embodiments, satellite 128 may be a global positioning system (GPS) satellite in communication with client mobile device 102 for determining a location of client mobile device 102.
  • FIG. 2 is a diagram illustrating computing system 200, which may correspond to any of client mobile device 102, client computing device 104, or payment service provider server 106, consistent with some embodiments. Computing system 200 may be a mobile device such as a smartphone such as an iPhone™ or other mobile device running the iOS™ operating system, the Android™ operating system, a BlackBerry™ operating system, or webOS™, as would be consistent with client mobile device 102. Computing system 200 may also be a tablet computer such as the iPad™ or other similar device running the aforementioned operating systems. Computing system 200 may also be personal computer, laptop computer, netbook, or tablet computer as would be consistent with client computing device 104. Further, computing system 200 may also be a server or one server amongst a plurality of servers, as would be consistent with payment service provider server 106. As shown in FIG. 2, computing system 200 includes a network interface component (NIC) 202 configured for communication with a network such as network 108 shown in FIG. 1. Consistent with some embodiments, NIC 202 includes a wireless communication component, such as a wireless broadband component, a wireless satellite component, or various other types of wireless communication components including radio frequency (RF), microwave frequency (MWF), and/or infrared (IR) components configured for communication with network 108. Consistent with other embodiments, NIC 202 may be configured to interface with a coaxial cable, a fiber optic cable, a digital subscriber line (DSL) modem, a public switched telephone network (PSTN) modem, an Ethernet device, and/or various other types of wired and/or wireless network communication devices adapted for communication with network 108.
  • Consistent with some embodiments, computing system 200 includes a system bus 204 for interconnecting various components within computing system 200 and communication information between the various components. Such components include a processing component 206, which may be one or more processors, micro-controllers, or digital signal processors (DSP), a system memory component 208, which may correspond to random access memory (RAM), an internal memory component 210, which may correspond to read-only memory (ROM), and a external or static memory 212, which may correspond to optical, magnetic, or solid-state memories. Consistent with some embodiments, computing system 200 further includes a display component 214 for displaying information to a user 116 of computing system 200. Display component 214 may be an liquid crystal display (LCD) screen, an organic light emitting diode (OLED) screen (including active matrix AMOLED screens), an LED screen, a plasma display, or a cathode ray tube (CRT) display. Computing system 200 may also include an input component 216, allowing for a user 116 of computing system 200 to input information to computing system 200. Such information could include payment information such as an amount required to complete a transaction, account information, authentication information, or identification information. An input component 216 may include, for example, a keyboard or key pad, whether physical or virtual. Computing system 200 may further include a navigation control component 218, configured to allow a user to navigate along display component 214. Consistent with some embodiments, navigation control component 218 may be a mouse, a trackball, or other such device. Moreover, if device 200 includes a touch screen, display component 214, input component 216, and navigation control 218 may be a single integrated component, such as a capacitive sensor-based touch screen.
  • Consistent with some embodiments, computing system 200 may include a location component 220 for determining a location of computing system 220. In some embodiments, location component 220 may correspond to a GPS transceiver that is in communication with satellite 128. In other embodiments, location component 220 may be configured to determine a location of computing system by using an internet protocol (IP) address lookup, or by triangulating a position based on nearby mobile communications towers. Location component 220 may be further configured to store a user-defined location in any of system memory 208, internal memory 210, and/or external memory 212 that can be transmitted to a third party for the purpose of identifying a location of computing system 200.
  • Computing system 200 may perform specific operations by processing component 206 executing one or more sequences of instructions contained in system memory component 208, internal memory component 210, and/or external or static memory 212. In other embodiments, hard-wired circuitry may be used in place of or in combination with software instructions to implement the present disclosure.
  • Logic may be encoded in a computer readable medium, which may refer to any medium that participates in providing instructions to processing component 206 for execution. Such a medium may take many forms, including but not limited to, non-volatile media, volatile media, and transmission media. The medium may correspond to any of system memory 208, internal memory 210 and/or external or static memory 212. Consistent with some embodiments, the computer readable medium is non-transitory. In various implementations, non-volatile media include optical or magnetic disks, volatile media includes dynamic memory, and transmission media includes coaxial cables, copper wire, and fiber optics, including wires that comprise system bus 204. According to some embodiments, transmission media may take the form of acoustic or light waves, such as those generated during radio wave and infrared data communications.
  • Some common forms of computer readable media include, for example, floppy disk, flexible disk, hard disk, magnetic tape, any other magnetic medium, CD-ROM, any other optical medium, punch cards, paper tape, any other physical medium with patterns of holes, RAM, PROM, EPROM, FLASH-EPROM, any other memory chip or cartridge, carrier wave, or any other medium from which a computer is adapted to read.
  • In various embodiments of the present disclosure, execution of instruction sequences to practice the present disclosure may be performed by computing system 200. In various other embodiments of the present disclosure, a plurality of computing systems 200 coupled by a communication link 222 to network 108 (e.g., such as a LAN, WLAN, PTSN, and/or various other wired or wireless networks, including telecommunications, mobile, and cellular phone networks) may perform instruction sequences to practice the present disclosure in coordination with one another.
  • Computing system 200 may transmit and receive messages, data and one or more data packets, information and instructions, including one or more programs (i.e., application code) through communication link 222 and network interface component 202. Communication link 222 may be wireless through a wireless data protocol such as Wi-Fi™, 3G, 4G, HDSPA, LTE, RF, NFC, or through a wired connection. Network interface component 202 may include an antenna, either separate or integrated, to enable transmission and reception via communication link 222. Received program code may be executed by processing component 206 as received and/or stored in memory 208, 210, or 212.
  • FIG. 3 is a figure illustrating a login screen, consistent with some embodiments. As shown in FIG. 3, device 300 has a display 302 that may be configured to display a login screen 304, consistent with some embodiments. Device 300 may correspond to client mobile device 102, but also may correspond to client computing device 104. Moreover, device 300 may also correspond to computing system 200 shown in FIG. 2. Login screen 304 may request a user name 306 and credentials such as a personal identification number (PIN) 308. Consistent with some embodiments, PIN 308 may be an N-digit number that is known by the user and is associated with the user's account. In some embodiments, PIN 308 may be a PIN generated based on a password, as described in U.S. patent application Ser. No. 13/281,273, filed on Oct. 25, 2011, which is assigned to the same entity as this application and is incorporated by reference herein in its entirety. Alternatively, login screen 304 may request an alphanumeric password. Consistent with some embodiments, username 306 may be remembered by device 300 and may be automatically filled upon accessing login screen 304.
  • Login screen 304 may require additional information, consistent with some embodiments. Login screen 304 may be a login screen provided by a payment service provider such as PayPal, Inc. of San Jose, Calif. Login screen 310 may further include a “submit” button 310 which, when selected, posts username 306 and PIN 308 to network 108. According to some embodiments, submit button 310 may be selected by touch the displayed submit button 310 on a touch screen device, such as client mobile device 102. In other embodiments, submit button 310 may be activated by navigating to button 310 with navigation control 218, such as a trackball, mouse, or cursor-moving device and then pressing a physical button on client mobile device 102 or client computing device 104.
  • Consistent with some embodiments, additional information may be posted to network 108 by selecting submit button 310. For example, the additional information may include high-quality information such as a cookie, or a local object such as a FlashObject. The additional information may also include low-quality or low-entropy information such as an IP address of device 300, a device identification (ID) of device 300, or a location of device 300. The posted username 306, PIN 308, and additional information may collectively be considered as at least one data packet 312 that is posted to network 108. Consistent with some embodiments, at least one data packet 312 may be posted to network using secure sockets layer (SSL) transmission. According to some embodiments, at least one data packet 312 may be posted to network 108 to log in to payment service provider server 106 or to otherwise provide authentication credentials to payment service provider server 106 in order to make a payment, receive a payment, or otherwise authorize a transaction or other action to be made in accordance with user's 116 account with the payment service provider. Further, at least one data packet 312 may be a single data packet including username 306, PIN 308, and additional information, or may be multiple data packets including this and other information.
  • Consistent with some embodiments, payment service provider server 106 requires the additional information in order to authenticate user 116 and device 300, as the additional information provides an additional layer of security, which may be nothing more than a deterrent, over a simple username and PIN authentication. For example, if PIN 308 is simply an arrangement of 4 numbers chosen by user 116 or assigned by payment service provider server 106, an attacker may be able to try the same PIN with many different usernames in the hope that one will work, in a so-called “vertical attack” as described above. Alternatively, an attacker that has obtained a username and password of user 116 may try to authenticate user's 116 account with the payment service provider from the attacker's device. Requiring additional information about user 116 and/or device 300 can limit and/or deter both of these types of attacks. This required additional information may be the cookie and/or local object stored on device 300, discussed above. Consistent with some embodiments, the cookie and/or local object may be stored in a memory of device 300 upon an initial successful authentication with payment service provider server 106. The cookie and/or local object will provide evidence to payment service provider server 106 that user 116 and device 300 have been previously authenticated and, in most cases, performing a permitted authentication with payment service provider server 106. Consistent with some embodiments, the cookie and/or local object may have an associated time stamp that payment service provider server 106 checks so that the cookie and/or local object are periodically refreshed/replaced.
  • User 116, however, may wish to authenticate to payment service provider server 106 via multiple devices 300, such as both a client mobile device 102 and client computing device 104. Alternatively, user 116 may purchase a new device or wish to authenticate to payment service provider server from a friend's or relative's device. In each of these instances, the devices will not have the cookie and/or local object stored therein, making it difficult for user 116 to authenticate to payment service provider server 106. In such cases, a user may be able to provide low-quality or low-entropy information in lieu of the cookie and/or local object in order to authenticate with payment service provider server 106, as described in FIG. 4, below.
  • FIG. 4 is a flowchart illustrating a method for authenticating a user or device, consistent with some embodiments. For the purpose of illustration, the method shown in FIG. 4 will be described with reference to FIGS. 1-3. The method shown in FIG. 4 may be implemented by authentication application 122 running on payment service provider server 106. In particular, the method shown in FIG. 4, may correspond to computer-readable instructions stored in a memory of payment service provider server 106 that, when executed by one or more processors of payment service provider server 106 causes the one or more processors to perform the method. In general, however, the method shown in FIG. 4 may be performed on any device capable of authenticating a user request for authentication, generally referred to as an authentication device, that includes the hardware and computer-readable instructions for performing the method shown in FIG. 4. As shown in FIG. 4, the method begins by receiving a request for authentication (402). Consistent with some embodiments, the request for authentication may be transmitted by a device such as client mobile device 102 or client computing device 104, each of which may correspond to computing system 200 or device 300. The request for authentication may be transmitted to network 108 and received by payment service provider server 106. Consistent with some embodiments, the request for authentication may correspond to at least one data packet 312 sent by device 300 that includes user and device information that may include at least a username 306 and user credentials such as a PIN 308 as well as additional information. The received user and device information is then analyzed (404). In some embodiments, payment service provider server 106 performs the information analysis. In other embodiments, additional processing devices coupled to payment service provider server 106 (not shown) may perform the information analysis. The analysis of the received user and device information may include reviewing the type of information received, filtering out redundant or unnecessary information, or analyzing the received user and device information to determine the presence or absence of a particular kind of information. In some embodiments, the analysis of the user device and information may include determining if the received username 306 and user credentials match a username 306 and user credentials for a particular account in account information 126 of payment service provider server 106. In such embodiments, the method shown in FIG. 4 may terminate when username 306 and user credentials do not match with the username 306 and credentials in account information 126 of payment service provider server 106.
  • After analyzing the received user and device information, a score is computed based on the received user and device information (406). Consistent with some embodiments, the score is computed by payment service provider server 106 but, in some other embodiments, the score may be computed by additional processing devices coupled to payment service provider server 106 (not shown). The score may be computed by assigning a weight or number to the additional information received in at least one data packet 312. For example, if at least one data packet 312 includes a cookie indicating that user 116 and device 300 have previously been authenticated by payment service provider server 106, the cookie may be assigned a relatively high score. Similarly, if at least one data packet 312 includes a local object such as a FlashObject previously assigned by payment service provider server 106 upon a successful authentication, the local object may also be assigned a relatively high score.
  • After the score has been computed, a threshold is determined (408). Consistent with some embodiments, the threshold is dependent on user 116. For example, if user 116 has interacted with the payment service provider that maintains server 106 in the past, these past interactions, stored in account information 126, may be consulted in order to determine the threshold. If user 116 has previously had fraudulent activity on their account, the threshold may be higher than that for a user having no fraudulent activity. Other factors that may be used in order to determine the user-dependent threshold include credit scores, current location of user in comparison to known home location or previous location, recent successful or failed interactions with the payment service provider, and complaints lodged against user 116 with the payment service provider. The factors that may be used to determine the user-dependent threshold may also include contextual-based factors that factor in the context in which user 116 is currently attempting to authenticate with payment service provider server 106. For example, if user 116 is attempting to authenticate with payment service provider server 106 in order to send a payment to an individual with whom user 116 has previously performed a transaction with, the user-dependent threshold may be lower than it would be if the authentication is to send a payment to an individual with whom user 116 has not previously performed a transaction with. For authorization requests for performing a transaction between a payer and a payee using payment service provider server 106, additional factors that may be considered in determining the user-dependent threshold include the trustworthiness of the payer and payer, and the user history, stored in account information 126, of both payer and payee. Such account information may include volume of transactions, complaints, how long the payer or payee has been active.
  • After the threshold is determined, the computed score is compared with the determined threshold (410). If the computed score is determined to be less than the threshold, payment service provider server 106 may request additional low-quality or low-entropy information (412). Consistent with some embodiments, the request for low-quality information requires, in response, the user to enter low-quality information, or the user to perform additional authentication, or the user to perform a specified action, or the user to execute a specific program on the device such as a anti-virus or anti-malware application, or a response from a third party, or a scan of a device performed by a third party or payment service provider server 106. Low-quality or low-entropy information includes information that when taken alone would be insecure authentication information but, when taken in combination with more high-quality or high-entropy authentication information, can add security to an authentication request. At the very least, the additional low-quality or low-entropy information requested by payment service provider server may act as a deterrent to would be attackers. The low-quality or low-entropy information may include information that is provided by user 116, client mobile device 102 or client computing device 104, from payment service provider 106, or from carrier 110. For example, low-quality or low-entropy information that may be provided by user 116 include a time-stamped photo of user 116 taken by, for example, client mobile device 102. Low-quality or low-entropy information that may be provided by client mobile device 102 (or client computing device 104) may further include an internet protocol (IP) address, a user agent or device identification (device ID), the service provider (e.g., carrier 110) that client mobile device 102 is currently operating on, a current location determined by location component 220, biometric information of user 116, a short password or recovery PIN entered by user 116, or behavioral characteristics of user 116. Behavioral characteristics may include information related to how user 116 interacts with client mobile device 102, such as how user 116 accesses data from client mobile device 102, how user 116 swipes the screen of client mobile device 102, or accelerometer data captured by client mobile device 102. Low-quality or low-entropy information that may be provided by carrier 110 may include an International Mobile Equipment Identity (IMEI) number of client mobile device 102, an International Mobile Subscriber Identity (IMSI) number associated with client mobile device 102, a Mobile Equipment Identifier (MEID) number associated with client mobile device 102, the IP address of client mobile device 102, a location of client mobile device 102, or personal information stored in subscribe database 126 of user 116. Low-quality or low-entropy information that may be provided by, or in this case retrieved by, payment service provider server 106 includes information concerning user 116 that may be stored in account information 126 and, in some embodiments, may be compared with low-quality or low-entropy information provided from client mobile device 102 (or client computing device 104) or carrier 110 to determine if the provided low-quality or low-entropy information is indicative of information that would be provided by user 116. For example, in one embodiment, payment service provider server 106 may retrieve an e-mail address associated with user 116 stored in account information 126 and send an e-mail to the listed e-mail address containing a hyperlink for user 116 to follow to enter additional low-quality or low-entropy information or that will allow payment service provider server 106 to automatically collect low-quality or low-entropy information about user 116 and device 300. The additional low-quality or low-entropy information that is collected by payment service provider server 106 may be stored in account information 126 for future use.
  • After receiving the additional low-quality or low-entropy information, the score will again be computed based on the additional information (406), the threshold will be determined (408), and the computed score will be compared against the determined threshold (410). If the computed score is greater than or equal to the threshold, user 116 and device 300 is authenticated (414). Authentication of user 116 and device 300 may include the transmission of a cookie or a local object such as a FlashObject from payment service provider server 306 to device 300 (which may correspond to client mobile device 102 or client computing device 104). Consistent with some embodiments, the presence of a cookie or local object in data packet 312 may provide a sufficient score to authenticate user 116 and device 300 so that they do not need to provide additional low-quality or low-entropy information when attempting a successive authentication.
  • According to some embodiments, if a computed score is not greater than or equal to a determined threshold (410) even after receiving additional low-quality or low-entropy information, user 116 and device 300 may be authenticated but flagged as having limited authentication. In such embodiments, having limited authentication may allow only certain actions to be performed when interacting with payment service provider server 106.
  • Where applicable, various embodiments provided by the present disclosure may be implemented using hardware, software, or combinations of hardware and software. Also, where applicable, the various hardware components and/or software components set forth herein may be combined into composite components comprising software, hardware, and/or both without departing from the spirit of the present disclosure. Where applicable, the various hardware components and/or software components set forth herein may be separated into sub-components comprising software, hardware, or both without departing from the scope of the present disclosure. In addition, where applicable, it is contemplated that software components may be implemented as hardware components and vice versa.
  • Software, in accordance with the present disclosure, such as program code and/or data, may be stored on one or more computer readable mediums. It is also contemplated that software identified herein may be implemented using one or more general purpose or specific purpose computers and/or computer systems, networked and/or otherwise. Where applicable, the ordering of various steps described herein may be changed, combined into composite steps, and/or separated into sub-steps to provide features described herein.
  • Consequently, embodiments as described herein may provide systems and methods for authenticating a user by determining if the request includes sufficient information to meet or surpass a user-based threshold and, if the request does not include sufficient information, requesting additional low-quality or low-entropy information from the user until the user-based threshold is met. Such systems and methods may provide an additional security for users by providing a deterrent to would-be attackers using brute-force attacks. The examples provided above are exemplary only and are not intended to be limiting. One skilled in the art may readily devise other systems consistent with the disclosed embodiments which are intended to be within the scope of this disclosure. As such, the application is limited only by the following claims.

Claims (20)

What is claimed is:
1. A system comprising:
a non-transitory memory; and
one or more hardware processors coupled to the non-transitory memory and configured to read instructions from the non-transitory memory to cause the system to perform operations comprising:
determining first authentication information received by a computing device,
wherein the first authentication information is associated with a user account;
determining additional information is required to provide the computing device with access to the user account based at least on the first authentication information received, wherein the system is configured to provide the computing device with the access to the user account based at least on the first authentication information received;
receiving second authentication information by the computing device based on the additional information required to provide the computing device with the access to the user account;
comparing the additional information required with the second authentication information received; and
providing the computing device with access to the user account based at least on the comparison of the additional information required with the second authentication information received.
2. The system of claim 1, wherein:
the first authentication information received comprises biometric information received by the computing device at a first time;
the additional information required is determined based at least on the biometric information received at the first time; and
the system is configured to provide the computing device with the access to the user account based at least on the biometric information received at a second time different than the first time.
3. The system of claim 1, wherein:
the first authentication information received comprises biometric information received by the computing device on one or more prior occasions; and
the additional information required is determined based at least on a number of the one or more prior occasions.
4. The system of claim 1, wherein the operations further comprise providing the computing device with a uniform resource locator (URL) associated with a web page configured to receive the additional information.
5. The system of claim 4, wherein the second authentication information received comprises a cookie and/or a flash object associated with the web page.
6. The system of claim 1, wherein the second authentication information received comprises a device identification of the computing device.
7. The system of claim 1, wherein the second authentication information received comprises a PIN or password.
8. A method comprising:
determining first authentication information received by a computing device, wherein the first authentication information is associated with a user account;
determining additional information is required to provide the computing device with access to the user account based at least on the first authentication information received;
providing the computing device with the access to the user account based at least on the first authentication information received;
receiving second authentication information by the computing device based on the additional information required to provide the computing device with the access to the user account;
comparing the additional information required with the second authentication information received; and
providing the computing device with access to the user account based at least on the comparison of the additional information required with the second authentication information received.
9. The method of claim 8, wherein:
the first authentication information received comprises biometric information received by the computing device at a first time;
the additional information required is determined based at least on the biometric information received at the first time; and
the method further comprises providing the computing device with the access to the user account based at least on the biometric information received at a second time different than the first time.
10. The method of claim 8, wherein:
the first authentication information received comprises biometric information received by the computing device on one or more prior occasions; and
the additional information required is determined based at least on a number of the one or more prior occasions.
11. The method of claim 8, further comprising providing the computing device with a uniform resource locator (URL) associated with a web page configured to receive the additional information.
12. The method of claim 11, wherein the second authentication information received comprises a cookie and/or a flash object associated with the web page.
13. The method of claim 8, wherein the second authentication information received comprises a device identification of the computing device.
14. The method of claim 8, wherein the second authentication information received comprises a PIN or password.
15. A non-transitory machine-readable medium having stored thereon machine-readable instructions executable to cause a machine to perform operations comprising:
determining first authentication information received by a computing device, wherein the first authentication information is associated with a user account;
determining additional information is required to provide the computing device with access to the user account based at least on the first authentication information received, wherein the machine is configured to provide the computing device with the access to the user account based at least on the first authentication information received;
receiving second authentication information by the computing device based on the additional information required to provide the computing device with the access to the user account;
comparing the additional information required with the second authentication information received; and
providing the computing device with access to the user account based at least on the comparison of the additional information required with the second authentication information received.
16. The non-transitory machine-readable medium of claim 15, wherein:
the first authentication information received comprises biometric information received by the computing device at a first time;
the additional information required is determined based at least on the biometric information received at the first time; and
the machine is configured to provide the computing device with the access to the user account based at least on the biometric information received at a second time different than the first time.
17. The non-transitory machine-readable medium of claim 15, wherein:
the first authentication information received comprises biometric information received by the computing device on one or more prior occasions; and
the additional information required is determined based at least on a number of the one or more prior occasions.
18. The non-transitory machine-readable medium of claim 15, wherein the operations further comprise providing the computing device with a uniform resource locator (URL) associated with a web page configured to receive the additional information.
19. The non-transitory machine-readable medium of claim 18, wherein the second authentication information received comprises a cookie and/or a flash object associated with the web page.
20. The non-transitory machine-readable medium of claim 15, wherein the second authentication information received comprises a device identification of the computing device.
US15/178,963 2012-06-14 2016-06-10 Systems and methods for authenticating a user and device Abandoned US20160285851A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US15/178,963 US20160285851A1 (en) 2012-06-14 2016-06-10 Systems and methods for authenticating a user and device

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US13/523,425 US8973102B2 (en) 2012-06-14 2012-06-14 Systems and methods for authenticating a user and device
US14/597,172 US9396317B2 (en) 2012-06-14 2015-01-14 Systems and methods for authenticating a user and device
US15/178,963 US20160285851A1 (en) 2012-06-14 2016-06-10 Systems and methods for authenticating a user and device

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US14/597,172 Continuation US9396317B2 (en) 2012-06-14 2015-01-14 Systems and methods for authenticating a user and device

Publications (1)

Publication Number Publication Date
US20160285851A1 true US20160285851A1 (en) 2016-09-29

Family

ID=49757243

Family Applications (3)

Application Number Title Priority Date Filing Date
US13/523,425 Active 2032-06-18 US8973102B2 (en) 2012-06-14 2012-06-14 Systems and methods for authenticating a user and device
US14/597,172 Active US9396317B2 (en) 2012-06-14 2015-01-14 Systems and methods for authenticating a user and device
US15/178,963 Abandoned US20160285851A1 (en) 2012-06-14 2016-06-10 Systems and methods for authenticating a user and device

Family Applications Before (2)

Application Number Title Priority Date Filing Date
US13/523,425 Active 2032-06-18 US8973102B2 (en) 2012-06-14 2012-06-14 Systems and methods for authenticating a user and device
US14/597,172 Active US9396317B2 (en) 2012-06-14 2015-01-14 Systems and methods for authenticating a user and device

Country Status (1)

Country Link
US (3) US8973102B2 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109587143A (en) * 2018-12-10 2019-04-05 北京芯盾时代科技有限公司 Secondary authentication method and system based on main road

Families Citing this family (88)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9501882B2 (en) 2010-11-23 2016-11-22 Morphotrust Usa, Llc System and method to streamline identity verification at airports and beyond
US8817984B2 (en) 2011-02-03 2014-08-26 mSignia, Inc. Cryptographic security functions based on anticipated changes in dynamic minutiae
US11063920B2 (en) 2011-02-03 2021-07-13 mSignia, Inc. Cryptographic security functions based on anticipated changes in dynamic minutiae
US20140165173A1 (en) * 2011-07-27 2014-06-12 Telefonaktiebolaget L M Ericsson (Publ) Mediation Server, Control Method Therefor, Subscription Information Managing Apparatus, Control Method Therefor, Subscription Management Server, and Control Method Therefor
US20140089195A1 (en) * 2012-09-25 2014-03-27 Laura Ward Person to person photo payments
US9774446B1 (en) * 2012-12-31 2017-09-26 EMC IP Holding Company LLC Managing use of security keys
US10217108B1 (en) 2013-03-29 2019-02-26 Wells Fargo Bank, N.A. Systems and methods for assisted transactions using an information wallet
US10055732B1 (en) 2013-03-29 2018-08-21 Wells Fargo Bank, N.A. User and entity authentication through an information storage and communication system
US10387928B1 (en) 2013-03-29 2019-08-20 Wells Fargo Bank, N.A. Systems and methods for transferring a gift using an information storage and communication system
US10037561B1 (en) 2013-03-29 2018-07-31 Wells Fargo Bank, N.A. Systems and methods for managing lists using an information storage and communication system
US10530646B1 (en) 2013-03-29 2020-01-07 Wells Fargo Bank, N.A. Systems and methods for providing user preferences for a connected device
MY175911A (en) * 2013-06-20 2020-07-15 Entrust Datacard Denmark As Method and system protecting against identity theft or replication abuse
US9407620B2 (en) * 2013-08-23 2016-08-02 Morphotrust Usa, Llc System and method for identity management
US9536065B2 (en) 2013-08-23 2017-01-03 Morphotrust Usa, Llc System and method for identity management
EP3036675B1 (en) * 2013-08-23 2021-03-10 IDEMIA Identity & Security USA LLC Method for identity management
US10282802B2 (en) 2013-08-27 2019-05-07 Morphotrust Usa, Llc Digital identification document
US10320778B2 (en) 2013-08-27 2019-06-11 Morphotrust Usa, Llc Digital identification document
US9497349B2 (en) 2013-08-28 2016-11-15 Morphotrust Usa, Llc Dynamic digital watermark
US10249015B2 (en) 2013-08-28 2019-04-02 Morphotrust Usa, Llc System and method for digitally watermarking digital facial portraits
US9426328B2 (en) 2013-08-28 2016-08-23 Morphotrust Usa, Llc Dynamic digital watermark
US9305149B2 (en) 2014-02-07 2016-04-05 Bank Of America Corporation Sorting mobile banking functions into authentication buckets
US9286450B2 (en) 2014-02-07 2016-03-15 Bank Of America Corporation Self-selected user access based on specific authentication types
US9317673B2 (en) * 2014-02-07 2016-04-19 Bank Of America Corporation Providing authentication using previously-validated authentication credentials
US9223951B2 (en) 2014-02-07 2015-12-29 Bank Of America Corporation User authentication based on other applications
US9390242B2 (en) 2014-02-07 2016-07-12 Bank Of America Corporation Determining user authentication requirements based on the current location of the user being within a predetermined area requiring altered authentication requirements
US9213974B2 (en) 2014-02-07 2015-12-15 Bank Of America Corporation Remote revocation of application access based on non-co-location of a transaction vehicle and a mobile device
US9313190B2 (en) 2014-02-07 2016-04-12 Bank Of America Corporation Shutting down access to all user accounts
US9208301B2 (en) 2014-02-07 2015-12-08 Bank Of America Corporation Determining user authentication requirements based on the current location of the user in comparison to the users's normal boundary of location
US9965606B2 (en) 2014-02-07 2018-05-08 Bank Of America Corporation Determining user authentication based on user/device interaction
US9331994B2 (en) 2014-02-07 2016-05-03 Bank Of America Corporation User authentication based on historical transaction data
US9647999B2 (en) 2014-02-07 2017-05-09 Bank Of America Corporation Authentication level of function bucket based on circumstances
US9317674B2 (en) 2014-02-07 2016-04-19 Bank Of America Corporation User authentication based on fob/indicia scan
US10129251B1 (en) 2014-02-11 2018-11-13 Morphotrust Usa, Llc System and method for verifying liveliness
AU2015219267A1 (en) 2014-02-18 2016-09-22 Secureauth Corporation Fingerprint based authentication for single sign on
US9600817B2 (en) 2014-03-04 2017-03-21 Bank Of America Corporation Foreign exchange token
US9600844B2 (en) 2014-03-04 2017-03-21 Bank Of America Corporation Foreign cross-issued token
US9424572B2 (en) 2014-03-04 2016-08-23 Bank Of America Corporation Online banking digital wallet management
US9721248B2 (en) 2014-03-04 2017-08-01 Bank Of America Corporation ATM token cash withdrawal
US9830597B2 (en) 2014-03-04 2017-11-28 Bank Of America Corporation Formation and funding of a shared token
US9721268B2 (en) 2014-03-04 2017-08-01 Bank Of America Corporation Providing offers associated with payment credentials authenticated in a specific digital wallet
US9858405B2 (en) 2014-06-16 2018-01-02 Paypal, Inc. Systems and methods for authenticating a user based on a computing device
US20160048831A1 (en) * 2014-08-14 2016-02-18 Uber Technologies, Inc. Verifying user accounts based on information received in a predetermined manner
US9836510B2 (en) * 2014-12-22 2017-12-05 Early Warning Services, Llc Identity confidence scoring system and method
US9576120B2 (en) * 2014-12-29 2017-02-21 Paypal, Inc. Authenticating activities of accounts
US20160196558A1 (en) * 2015-01-05 2016-07-07 Ebay Inc. Risk assessment based on connected wearable devices
EP3248360B1 (en) 2015-01-19 2020-05-06 Inauth, Inc. Systems and methods for trusted path secure communication
US20160337353A1 (en) * 2015-05-11 2016-11-17 Interactive Intelligence Group, Inc. System and method for multi-factor authentication
US9866543B2 (en) * 2015-06-03 2018-01-09 Paypal, Inc. Authentication through multiple pathways based on device capabilities and user requests
US9736169B2 (en) 2015-07-02 2017-08-15 International Business Machines Corporation Managing user authentication in association with application access
US9477825B1 (en) * 2015-07-10 2016-10-25 Trusted Mobile, Llc System for transparent authentication across installed applications
US9774587B2 (en) 2015-09-14 2017-09-26 Yodlee, Inc. Mobile application based account aggregation
US10021565B2 (en) 2015-10-30 2018-07-10 Bank Of America Corporation Integrated full and partial shutdown application programming interface
US9820148B2 (en) 2015-10-30 2017-11-14 Bank Of America Corporation Permanently affixed un-decryptable identifier associated with mobile device
US9729536B2 (en) 2015-10-30 2017-08-08 Bank Of America Corporation Tiered identification federated authentication network system
US9641539B1 (en) 2015-10-30 2017-05-02 Bank Of America Corporation Passive based security escalation to shut off of application based on rules event triggering
WO2017091672A1 (en) 2015-11-25 2017-06-01 InAuth, Inc. Systems and methods for cross-channel device binding
US10334062B2 (en) 2016-02-25 2019-06-25 InAuth, Inc. Systems and methods for recognizing a device
US9503452B1 (en) 2016-04-07 2016-11-22 Automiti Llc System and method for identity recognition and affiliation of a user in a service transaction
US10460367B2 (en) 2016-04-29 2019-10-29 Bank Of America Corporation System for user authentication based on linking a randomly generated number to the user and a physical item
US20170316415A1 (en) * 2016-04-29 2017-11-02 Mastercard International Incorporated Systems and methods for extracting browser-obtained device information for authenticating user devices
US10268635B2 (en) 2016-06-17 2019-04-23 Bank Of America Corporation System for data rotation through tokenization
US10924479B2 (en) * 2016-07-20 2021-02-16 Aetna Inc. System and methods to establish user profile using multiple channels
US10891617B2 (en) * 2016-09-30 2021-01-12 Mastercard International Incorporated Systems and methods for biometric identity authentication
US11403563B2 (en) 2016-10-19 2022-08-02 Accertify, Inc. Systems and methods for facilitating recognition of a device and/or an instance of an app invoked on a device
US11093852B2 (en) 2016-10-19 2021-08-17 Accertify, Inc. Systems and methods for recognizing a device and/or an instance of an app invoked on a device
US11074325B1 (en) * 2016-11-09 2021-07-27 Wells Fargo Bank, N.A. Systems and methods for dynamic bio-behavioral authentication
US10320800B2 (en) * 2017-03-13 2019-06-11 International Business Machines Corporation Fraud detection mechanism
US10885165B2 (en) * 2017-05-17 2021-01-05 Forescout Technologies, Inc. Account monitoring
US10554649B1 (en) * 2017-05-22 2020-02-04 State Farm Mutual Automobile Insurance Company Systems and methods for blockchain validation of user identity and authority
US10524165B2 (en) 2017-06-22 2019-12-31 Bank Of America Corporation Dynamic utilization of alternative resources based on token association
US10511692B2 (en) 2017-06-22 2019-12-17 Bank Of America Corporation Data transmission to a networked resource based on contextual information
US10313480B2 (en) 2017-06-22 2019-06-04 Bank Of America Corporation Data transmission between networked resources
US20230106418A1 (en) * 2017-07-21 2023-04-06 Wells Fargo Bank, N.A. Systems and methods for facilitating financial transactions
US11182394B2 (en) 2017-10-30 2021-11-23 Bank Of America Corporation Performing database file management using statistics maintenance and column similarity
US10559211B2 (en) 2017-11-27 2020-02-11 Uber Technologies, Inc. Real-time service provider progress monitoring
US10942959B1 (en) 2018-02-06 2021-03-09 Wells Fargo Bank, N.A. Authenticated form completion using data from a networked data repository
US11343260B2 (en) * 2018-03-01 2022-05-24 Google Llc Gradual credential disablement
US10915354B2 (en) * 2018-07-20 2021-02-09 BillGO, Inc. Transaction scheduling for a user data cache by assessing update criteria
US20200043005A1 (en) * 2018-08-03 2020-02-06 IBS Software Services FZ-LLC System and a method for detecting fraudulent activity of a user
US10733473B2 (en) 2018-09-20 2020-08-04 Uber Technologies Inc. Object verification for a network-based service
US10999299B2 (en) * 2018-10-09 2021-05-04 Uber Technologies, Inc. Location-spoofing detection system for a network service
US11823198B1 (en) 2019-02-18 2023-11-21 Wells Fargo Bank, N.A. Contextually escalated authentication by system directed customization of user supplied image
US11509642B2 (en) * 2019-08-21 2022-11-22 Truist Bank Location-based mobile device authentication
US11528267B2 (en) * 2019-12-06 2022-12-13 Bank Of America Corporation System for automated image authentication and external database verification
US11870801B2 (en) * 2021-01-27 2024-01-09 Paypal, Inc. Protecting computer system end-points using activators
CN113849779B (en) * 2021-08-02 2024-09-06 统信软件技术有限公司 Authorization method for client application, computing device and storage medium
US20230275889A1 (en) * 2022-02-25 2023-08-31 Capital One Services, Llc Authentication using brain-machine interfaces
US11695772B1 (en) * 2022-05-03 2023-07-04 Capital One Services, Llc System and method for enabling multiple auxiliary use of an access token of a user by another entity to facilitate an action of the user

Citations (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040083394A1 (en) * 2002-02-22 2004-04-29 Gavin Brebner Dynamic user authentication
US20040103310A1 (en) * 2002-11-27 2004-05-27 Sobel William E. Enforcement of compliance with network security policies
US20050097320A1 (en) * 2003-09-12 2005-05-05 Lior Golan System and method for risk based authentication
US20070180505A1 (en) * 2006-02-01 2007-08-02 Xerox Corporation Dynamic collation of domain for user authentication on existing devices
US20070240230A1 (en) * 2006-04-10 2007-10-11 O'connell Brian M User-browser interaction analysis authentication system
US20110179271A1 (en) * 1999-09-20 2011-07-21 Security First Corporation Secure data parser method and system
US20110209200A2 (en) * 2009-08-05 2011-08-25 Daon Holdings Limited Methods and systems for authenticating users
US20120185916A1 (en) * 2011-01-14 2012-07-19 Chae Seung-Chul Apparatus and method for statisical user authentication using incremental user behavior
US20130036458A1 (en) * 2011-08-05 2013-02-07 Safefaces LLC Methods and systems for identity verification
US20130125211A1 (en) * 2011-11-16 2013-05-16 Hartford Fire Insurance Company System and method for providing dynamic insurance portal transaction authentication and authorization
US20130198832A1 (en) * 2012-01-31 2013-08-01 Dell Products L.P. Multilevel passcode authentication
US20130239206A1 (en) * 2012-03-09 2013-09-12 Dell Products L.P. Authentication using physical interaction characteristics
US8739278B2 (en) * 2006-04-28 2014-05-27 Oracle International Corporation Techniques for fraud monitoring and detection using application fingerprinting
US8793776B1 (en) * 2011-09-12 2014-07-29 Google Inc. Location as a second factor for authentication

Family Cites Families (64)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6609198B1 (en) * 1999-08-05 2003-08-19 Sun Microsystems, Inc. Log-on service providing credential level change without loss of session continuity
US7260724B1 (en) * 1999-09-20 2007-08-21 Security First Corporation Context sensitive dynamic authentication in a cryptographic system
US7086085B1 (en) * 2000-04-11 2006-08-01 Bruce E Brown Variable trust levels for authentication
US7039951B1 (en) * 2000-06-06 2006-05-02 International Business Machines Corporation System and method for confidence based incremental access authentication
US20040107360A1 (en) * 2002-12-02 2004-06-03 Zone Labs, Inc. System and Methodology for Policy Enforcement
US7562222B2 (en) * 2002-05-10 2009-07-14 Rsa Security Inc. System and method for authenticating entities to users
EP1527550A4 (en) * 2002-07-25 2008-10-01 Bio Key Int Inc Trusted biometric device
US20040103317A1 (en) * 2002-11-22 2004-05-27 Burns William D. Method and apparatus for protecting secure credentials on an untrusted computer platform
US7853250B2 (en) * 2003-04-03 2010-12-14 Network Security Technologies, Inc. Wireless intrusion detection system and method
US7437763B2 (en) * 2003-06-05 2008-10-14 Microsoft Corporation In-context security advisor in a computing environment
US20050039057A1 (en) * 2003-07-24 2005-02-17 Amit Bagga Method and apparatus for authenticating a user using query directed passwords
US7373669B2 (en) 2003-08-13 2008-05-13 The 41St Parameter, Inc. Method and system for determining presence of probable error or fraud in a data set by linking common data values or elements
GB0322876D0 (en) * 2003-09-30 2003-10-29 British Telecomm Method and system for authenticating a user
US8065227B1 (en) * 2003-12-31 2011-11-22 Bank Of America Corporation Method and system for producing custom behavior scores for use in credit decisioning
US20050177724A1 (en) * 2004-01-16 2005-08-11 Valiuddin Ali Authentication system and method
US10999298B2 (en) 2004-03-02 2021-05-04 The 41St Parameter, Inc. Method and system for identifying users and detecting fraud by use of the internet
US7539862B2 (en) * 2004-04-08 2009-05-26 Ipass Inc. Method and system for verifying and updating the configuration of an access device during authentication
WO2005107137A2 (en) * 2004-04-23 2005-11-10 Passmark Security, Inc. Method and apparatus for authenticating users using two or more factors
US8528078B2 (en) * 2004-07-15 2013-09-03 Anakam, Inc. System and method for blocking unauthorized network log in using stolen password
US8533791B2 (en) * 2004-07-15 2013-09-10 Anakam, Inc. System and method for second factor authentication services
US20080010678A1 (en) * 2004-09-17 2008-01-10 Jeff Burdette Authentication Proxy
US8024488B2 (en) * 2005-03-02 2011-09-20 Cisco Technology, Inc. Methods and apparatus to validate configuration of computerized devices
EP1708527A1 (en) * 2005-03-31 2006-10-04 BRITISH TELECOMMUNICATIONS public limited company Location based authentication
WO2007008860A2 (en) * 2005-07-11 2007-01-18 Conrad Sheehan Secure electronic transactions between a mobile device and other mobile, fixed or virtual devices
US8661262B2 (en) * 2005-08-18 2014-02-25 Nec Corporation User authentication system, terminal used in the same, authentication verification device, and program
US20070055752A1 (en) * 2005-09-08 2007-03-08 Fiberlink Dynamic network connection based on compliance
US20070130473A1 (en) * 2005-12-02 2007-06-07 Mazotas James S System and method for access control
US20070136792A1 (en) * 2005-12-05 2007-06-14 Ting David M Accelerating biometric login procedures
US7545961B2 (en) * 2005-12-22 2009-06-09 Daon Holdings Limited Biometric authentication system
WO2007089503A2 (en) * 2006-01-26 2007-08-09 Imprivata, Inc. Systems and methods for multi-factor authentication
US8151327B2 (en) 2006-03-31 2012-04-03 The 41St Parameter, Inc. Systems and methods for detection of session tampering and fraud prevention
US8788419B2 (en) * 2006-12-30 2014-07-22 First Data Corporation Method and system for mitigating risk of fraud in internet banking
US7766223B1 (en) * 2007-11-08 2010-08-03 Mello Steven M Method and system for mobile services
US7930264B2 (en) * 2007-12-06 2011-04-19 First Data Corporation Multi-module authentication platform
US8635662B2 (en) * 2008-01-31 2014-01-21 Intuit Inc. Dynamic trust model for authenticating a user
US8024775B2 (en) * 2008-02-20 2011-09-20 Microsoft Corporation Sketch-based password authentication
US20090327131A1 (en) * 2008-04-29 2009-12-31 American Express Travel Related Services Company, Inc. Dynamic account authentication using a mobile device
US8312540B1 (en) * 2008-06-13 2012-11-13 Juniper Networks, Inc. System for slowing password attacks
KR20100004570A (en) * 2008-07-04 2010-01-13 삼성전자주식회사 User authentication device and method thereof
US8438382B2 (en) * 2008-08-06 2013-05-07 Symantec Corporation Credential management system and method
CA2734975C (en) * 2008-08-26 2017-06-20 Adaptive Payments, Inc. System and method of secure payment transactions
JP5325974B2 (en) * 2008-10-10 2013-10-23 テレフオンアクチーボラゲット エル エム エリクソン(パブル) Gateway device, authentication server, control method thereof, and computer program
US8941466B2 (en) * 2009-01-05 2015-01-27 Polytechnic Institute Of New York University User authentication for devices with touch sensitive elements, such as touch sensitive display screens
US8590021B2 (en) * 2009-01-23 2013-11-19 Microsoft Corporation Passive security enforcement
WO2010094331A1 (en) * 2009-02-19 2010-08-26 Nokia Siemens Networks Oy Authentication to an identity provider
US8312157B2 (en) * 2009-07-16 2012-11-13 Palo Alto Research Center Incorporated Implicit authentication
US8437742B2 (en) * 2009-10-16 2013-05-07 At&T Intellectual Property I, L.P. Systems and methods for providing location-based application authentication using a location token service
TWI514896B (en) * 2010-02-09 2015-12-21 Interdigital Patent Holdings Method and apparatus for trusted federated identity
US8756650B2 (en) * 2010-03-15 2014-06-17 Broadcom Corporation Dynamic authentication of a user
NL1037813C2 (en) * 2010-03-18 2011-09-20 Stichting Bioxs System and method for checking the authenticity of the identity of a person logging into a computer network.
US8880425B2 (en) * 2010-04-07 2014-11-04 The Western Union Company Mobile agent point-of-sale (POS)
US20110314558A1 (en) * 2010-06-16 2011-12-22 Fujitsu Limited Method and apparatus for context-aware authentication
US20110314549A1 (en) * 2010-06-16 2011-12-22 Fujitsu Limited Method and apparatus for periodic context-aware authentication
US8474017B2 (en) * 2010-07-23 2013-06-25 Verizon Patent And Licensing Inc. Identity management and single sign-on in a heterogeneous composite service scenario
US9800716B2 (en) * 2010-09-21 2017-10-24 Cellepathy Inc. Restricting mobile device usage
US8910246B2 (en) * 2010-11-18 2014-12-09 The Boeing Company Contextual-based virtual data boundaries
US20120137340A1 (en) * 2010-11-29 2012-05-31 Palo Alto Research Center Incorporated Implicit authentication
US9075979B1 (en) * 2011-08-11 2015-07-07 Google Inc. Authentication based on proximity to mobile device
US8800056B2 (en) * 2011-08-12 2014-08-05 Palo Alto Research Center Incorporated Guided implicit authentication
US8661144B2 (en) * 2011-08-15 2014-02-25 Verizon Patent And Licensing Inc. Method and system for automated user authentication for a priority communication session
US8863258B2 (en) * 2011-08-24 2014-10-14 International Business Machines Corporation Security for future log-on location
US8832798B2 (en) * 2011-09-08 2014-09-09 International Business Machines Corporation Transaction authentication management including authentication confidence testing
US8595808B2 (en) * 2011-12-16 2013-11-26 Daon Holdings Limited Methods and systems for increasing the security of network-based transactions
US20130185552A1 (en) * 2012-01-13 2013-07-18 Research In Motion Limited Device Verification for Dynamic Re-Certificating

Patent Citations (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110179271A1 (en) * 1999-09-20 2011-07-21 Security First Corporation Secure data parser method and system
US20040083394A1 (en) * 2002-02-22 2004-04-29 Gavin Brebner Dynamic user authentication
US20040103310A1 (en) * 2002-11-27 2004-05-27 Sobel William E. Enforcement of compliance with network security policies
US20050097320A1 (en) * 2003-09-12 2005-05-05 Lior Golan System and method for risk based authentication
US20070180505A1 (en) * 2006-02-01 2007-08-02 Xerox Corporation Dynamic collation of domain for user authentication on existing devices
US20070240230A1 (en) * 2006-04-10 2007-10-11 O'connell Brian M User-browser interaction analysis authentication system
US8739278B2 (en) * 2006-04-28 2014-05-27 Oracle International Corporation Techniques for fraud monitoring and detection using application fingerprinting
US20110209200A2 (en) * 2009-08-05 2011-08-25 Daon Holdings Limited Methods and systems for authenticating users
US20120185916A1 (en) * 2011-01-14 2012-07-19 Chae Seung-Chul Apparatus and method for statisical user authentication using incremental user behavior
US20130036458A1 (en) * 2011-08-05 2013-02-07 Safefaces LLC Methods and systems for identity verification
US8793776B1 (en) * 2011-09-12 2014-07-29 Google Inc. Location as a second factor for authentication
US20130125211A1 (en) * 2011-11-16 2013-05-16 Hartford Fire Insurance Company System and method for providing dynamic insurance portal transaction authentication and authorization
US20130198832A1 (en) * 2012-01-31 2013-08-01 Dell Products L.P. Multilevel passcode authentication
US20130239206A1 (en) * 2012-03-09 2013-09-12 Dell Products L.P. Authentication using physical interaction characteristics

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109587143A (en) * 2018-12-10 2019-04-05 北京芯盾时代科技有限公司 Secondary authentication method and system based on main road

Also Published As

Publication number Publication date
US9396317B2 (en) 2016-07-19
US20130340052A1 (en) 2013-12-19
US8973102B2 (en) 2015-03-03
US20150128241A1 (en) 2015-05-07

Similar Documents

Publication Publication Date Title
US9396317B2 (en) Systems and methods for authenticating a user and device
US11159501B2 (en) Device identification scoring
US10791126B2 (en) System and methods for protecting users from malicious content
EP3044987B1 (en) Method and system for verifying an account operation
JP5719871B2 (en) Method and apparatus for preventing phishing attacks
US10666656B2 (en) Systems and methods for protecting users from malicious content
US10367799B2 (en) Systems and methods for determining an authentication attempt threshold
US11563740B2 (en) Methods and systems for blocking malware attacks
US10013545B2 (en) Systems and methods for creating a user credential and authentication using the created user credential
US20230086281A1 (en) Computing system defenses to rotating ip addresses during computing attacks
US20140130126A1 (en) Systems and methods for automatically identifying and removing weak stimuli used in stimulus-based authentication
US20240388580A1 (en) Method and System for Detecting Two-Factor Authentication
Varshney et al. Push notification based login using BLE devices
Russell Bypassing multi-factor authentication
US20160366172A1 (en) Prevention of cross site request forgery attacks
US20140215592A1 (en) Method, apparatus and system for user authentication
US11870801B2 (en) Protecting computer system end-points using activators
Tolbert et al. Exploring Phone-Based Authentication Vulnerabilities in Single Sign-On Systems
US9516004B2 (en) Detecting horizontal attacks
KR20150104667A (en) Authentication method

Legal Events

Date Code Title Description
AS Assignment

Owner name: EBAY INC., CALIFORNIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:JAKOBSSON, BJORN MARKUS;REEL/FRAME:039913/0110

Effective date: 20120613

AS Assignment

Owner name: PAYPAL, INC., CALIFORNIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:EBAY INC.;REEL/FRAME:039926/0038

Effective date: 20150717

STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION

点击 这是indexloc提供的php浏览器服务,不要输入任何密码和下载