Protecting against malicious discovery of account existence

US 10,630,676 B2
Filed: 11/24/2017
Issued: 04/21/2020
Est. Priority Date: 11/24/2017
Status: Active Grant

First Claim

Patent Images

1. A computing device comprising:

a memory connected to at least one processor, the at least one processor configured to provide a sign-in service that;

dynamically calculates a risk value based on a combination of factors associated with a username including a frequency of valid requests for a domain portion of the username from a requestor'"'"'s IP address within a particular time period, and, a quantity of valid requests for the domain portion of the username in UPN format from the requestor'"'"'s IP address within the particular time period;

in response to determining that the risk value associated with the username in UPN format is exceeded by a threshold value, displays an unambiguous message regarding existence/non-existence of the username, wherein the threshold value is specified based on a particular user, a type of user, a size of an enterprise, sensitivity of information, the domain portion, characteristics of a type of the domain portion, or sensitivity of information the domain portion holds;

in response to determining that the risk value associated with the username in UPN format exceeds the threshold value, displays an ambiguous message regarding existence/non-existence of the username; and

always allows access to an application utilizing the sign-in service when a valid username and authenticating credential pair is received by the sign-in service, wherein user level discovery is performed when the risk value is less than the threshold value and wherein domain level discovery is performed when the threshold value is greater than or equal to the risk value.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A sign-in system can be protected against enumeration attacks while providing an improved sign-in experience for legitimate users by disclosing whether or not an account exists. An account within a specified domain can be identified by an account identifier such as a username. Before a threshold throttling value is reached, account existence/non-existence information can be provided in response to an access request. In response to reaching or exceeding a specified threshold throttling value, account existence/non-existence information can cease to be provided. Entering a valid account identifier/authenticating credential credentials pair provides access to the computer system regardless of whether or not the threshold was reached or exceeded or not reached.

Citations

16 Claims

1. A computing device comprising:
- a memory connected to at least one processor, the at least one processor configured to provide a sign-in service that;
  
  dynamically calculates a risk value based on a combination of factors associated with a username including a frequency of valid requests for a domain portion of the username from a requestor'"'"'s IP address within a particular time period, and, a quantity of valid requests for the domain portion of the username in UPN format from the requestor'"'"'s IP address within the particular time period;
  
  in response to determining that the risk value associated with the username in UPN format is exceeded by a threshold value, displays an unambiguous message regarding existence/non-existence of the username, wherein the threshold value is specified based on a particular user, a type of user, a size of an enterprise, sensitivity of information, the domain portion, characteristics of a type of the domain portion, or sensitivity of information the domain portion holds;
  
  in response to determining that the risk value associated with the username in UPN format exceeds the threshold value, displays an ambiguous message regarding existence/non-existence of the username; and
  
  always allows access to an application utilizing the sign-in service when a valid username and authenticating credential pair is received by the sign-in service, wherein user level discovery is performed when the risk value is less than the threshold value and wherein domain level discovery is performed when the threshold value is greater than or equal to the risk value.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The computing device of claim 1, wherein the combination of factors associated with the username further comprises at least one of:
    - frequency of access requests for the username;
      
      quantity of access requests for the username;
      
      frequency of access requests for the domain portion of the username;
      
      quantity of access requests for the domain portion of the username;
      
      frequency of valid requests for the username;
      
      quantity of valid requests for the username;
      
      frequency of valid requests from the requestor'"'"'s IP address for the username;
      
      orquantity of valid requests from the requestor'"'"'s IP address for the username.
  - 3. The computing device of claim 1, wherein the sign-in service supports federated user accounts for which a third party identity provider performs credentials validation.
  - 4. The computing device of claim 3, wherein an access request is redirected to a location under control of an enterprise for the credentials validation.
  - 5. The computing device of claim 4, wherein in response to determining that the threshold value exceeds the risk value, an unambiguous message regarding non-existence of a username is displayed in response to receiving an invalid username.
  - 6. The computing device of claim 1, wherein the sign-in service is authoritative for validating credentials of users.

7. A method of providing an enhanced sign-in service that protects against enumeration attacks, the method comprising:
- dynamically calculating a risk value based on a combination of factors associated with a username including a frequency of valid requests for a domain portion of the username from a requestor'"'"'s IP address within a particular time period, and, a quantity of valid requests for the domain portion of the username in UPN format from the requestor'"'"'s IP address within the particular time period;
  
  in response to determining, by a processor of a computing device, the risk value associated with the username in UPN format is exceeded by a threshold value, displaying an unambiguous message regarding existence/non-existence of the username, wherein the threshold value is specified based on a particular user, a type of user, a size of an enterprise, sensitivity of information, the domain portion, characteristics of a type of the domain portion, or sensitivity of information the domain portion holds;
  
  in response to determining that the risk value exceeds the threshold value, displaying an ambiguous message regarding existence/non-existence of the username; and
  
  always allowing access to an application utilizing the sign-in service when a valid username and authenticating credential pair is received by the sign-in service, wherein user level discovery is performed when the risk value is less than the threshold value and wherein domain level discovery is performed when the threshold value is greater than or equal to the risk value.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The method of claim 7, wherein a user of the sign-in service is a consumer.
  - 9. The method of claim 7, wherein a user of the sign-in service is an enterprise.
  - 10. The method of claim 7, wherein domain level discovery results in providing ambiguous messages regarding validity/invalidity of credentials in the domain.
  - 11. The method of claim 7, wherein user level discovery results in providing unambiguous messages regarding existence/non-existence of usernames in the domain.
  - 12. The method of claim 7, further comprising:
    - in response to determining that the risk value is less than the threshold value, switching from domain level processing to user level processing.

13. A sign-in system protected from enumeration attacks, the sign-in system comprising:
- a memory connected to at least one processor, the at least one processor configured to;
  
  determine a threshold value for providing an enhanced sign-in experience from a sign-in service;
  
  dynamically calculate a risk value based on a combination of factors associated with a username including a frequency of valid requests for a domain portion of the username from a requestor'"'"'s IP address within a particular time period, and, a quantity of valid requests for the domain portion of the username in UPN format from the requestor'"'"'s IP address within the particular time period;
  
  in response to determining that the risk value associated with the username in UPN format is exceeded by the threshold value, display an unambiguous message regarding existence/non-existence of the username, wherein the threshold value is specified based on a particular user, a type of user, a size of an enterprise, sensitivity of information, the domain portion, characteristics of a type of the domain portion, or sensitivity of information the domain portion holds;
  
  in response to determining that the risk value exceeds the threshold value, display an ambiguous message regarding existence/non-existence of the username; and
  
  always allow access to an application utilizing the sign-in service when a valid username and authenticating credential pair is received by the sign-in service, wherein user level discovery is performed when the risk value is less than the threshold value and wherein domain level discovery is performed when the threshold value is greater than or equal to the risk value.
- View Dependent Claims (14, 15, 16)
- - 14. The sign-in system of claim 13, wherein the combination of factors associated with the username further comprises at least one of:
    - frequency of access requests for the username;
      
      quantity of access requests for the username;
      
      frequency of access requests for the domain portion of the username;
      
      quantity of access requests for the domain portion of the username;
      
      frequency of valid requests for the username;
      
      quantity of valid requests for the username;
      
      frequency of valid requests from the requestor'"'"'s IP address for the username;
      
      orquantity of valid requests from the requestor'"'"'s IP address for the username.
  - 15. The sign-in system of claim 13, wherein the sign-in service supports federated user accounts for which a third party identity provider performs credentials validation.
  - 16. The sign-in system of claim 13, wherein the sign-in service is authoritative for validating credentials of users.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Gordon, Ariel, Larson, Timothy Colin
Primary Examiner(s)
Zarrineh, Shahriar

Application Number

US15/822,065
Publication Number

US 20190166112A1
Time in Patent Office

879 Days
Field of Search

726 6
US Class Current
CPC Class Codes

G06F 21/31   User authentication

G06F 21/554   involving event detection a...

H04L 63/083   using passwords cryptograph...

H04L 63/102   Entity profiles

H04L 63/1441   Countermeasures against mal...

Protecting against malicious discovery of account existence

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Protecting against malicious discovery of account existence

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links