Protecting against malicious discovery of account existence
Abstract
A sign-in system can be protected against enumeration attacks while providing an improved sign-in experience for legitimate users by disclosing whether or not an account exists. An account within a specified domain can be identified by an account identifier such as a username. Before a threshold throttling value is reached, account existence/non-existence information can be provided in response to an access request. In response to reaching or exceeding a specified threshold throttling value, account existence/non-existence information can cease to be provided. Entering a valid account identifier/authenticating credential pair provides access to the computer system regardless of whether or not the threshold was reached or exceeded.
16 Claims
1. A computing device comprising:
a memory connected to at least one processor, the at least one processor configured to provide a sign-in service that:
dynamically calculates a risk value based on a combination of factors associated with a username including a frequency of valid requests for a domain portion of the username from a requestor's IP address within a particular time period, and, a quantity of valid requests for the domain portion of the username in UPN format from the requestor's IP address within the particular time period;
in response to determining that the risk value associated with the username in UPN format is exceeded by a threshold value, displays an unambiguous message regarding existence/non-existence of the username, wherein the threshold value is specified based on a particular user, a type of user, a size of an enterprise, sensitivity of information, the domain portion, characteristics of a type of the domain portion, or sensitivity of information the domain portion holds;
in response to determining that the risk value associated with the username in UPN format exceeds the threshold value, displays an ambiguous message regarding existence/non-existence of the username; and
always allows access to an application utilizing the sign-in service when a valid username and authenticating credential pair is received by the sign-in service, wherein user level discovery is performed when the risk value is less than the threshold value and wherein domain level discovery is performed when the threshold value is greater than or equal to the risk value.
Dependent claims: 2, 3, 4, 5, 6.
7. A method of providing an enhanced sign-in service that protects against enumeration attacks, the method comprising:
dynamically calculating a risk value based on a combination of factors associated with a username including a frequency of valid requests for a domain portion of the username from a requestor's IP address within a particular time period, and, a quantity of valid requests for the domain portion of the username in UPN format from the requestor's IP address within the particular time period;
in response to determining, by a processor of a computing device, the risk value associated with the username in UPN format is exceeded by a threshold value, displaying an unambiguous message regarding existence/non-existence of the username, wherein the threshold value is specified based on a particular user, a type of user, a size of an enterprise, sensitivity of information, the domain portion, characteristics of a type of the domain portion, or sensitivity of information the domain portion holds;
in response to determining that the risk value exceeds the threshold value, displaying an ambiguous message regarding existence/non-existence of the username; and
always allowing access to an application utilizing the sign-in service when a valid username and authenticating credential pair is received by the sign-in service, wherein user level discovery is performed when the risk value is less than the threshold value and wherein domain level discovery is performed when the threshold value is greater than or equal to the risk value.
Dependent claims: 8, 9, 10, 11, 12.
13. A sign-in system protected from enumeration attacks, the sign-in system comprising:
a memory connected to at least one processor, the at least one processor configured to:
determine a threshold value for providing an enhanced sign-in experience from a sign-in service;
dynamically calculate a risk value based on a combination of factors associated with a username including a frequency of valid requests for a domain portion of the username from a requestor's IP address within a particular time period, and, a quantity of valid requests for the domain portion of the username in UPN format from the requestor's IP address within the particular time period;
in response to determining that the risk value associated with the username in UPN format is exceeded by the threshold value, display an unambiguous message regarding existence/non-existence of the username, wherein the threshold value is specified based on a particular user, a type of user, a size of an enterprise, sensitivity of information, the domain portion, characteristics of a type of the domain portion, or sensitivity of information the domain portion holds;
in response to determining that the risk value exceeds the threshold value, display an ambiguous message regarding existence/non-existence of the username; and
always allow access to an application utilizing the sign-in service when a valid username and authenticating credential pair is received by the sign-in service, wherein user level discovery is performed when the risk value is less than the threshold value and wherein domain level discovery is performed when the threshold value is greater than or equal to the risk value.
Dependent claims: 14, 15, 16.
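The mechanism the abstract and the independent claims describe, as an added illustration that is not the patent's own code: requests are bucketed per (requestor IP, domain portion of the UPN) inside a time window, a risk value is combined from their quantity and frequency, the sign-in message is unambiguous about account existence while the risk stays below the threshold and ambiguous once the threshold is reached or exceeded (the abstract's rule), and a valid credential pair is always accepted. The threshold, window, risk weighting, account directory and IP addresses are constructed assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Constructed stand-in for the account directory (UPN -> password); example data only.
ACCOUNTS = {"alice@corp.example": "correct-horse", "bob@corp.example": "hunter2"}


@dataclass
class SignInService:
    threshold: float = 5.0   # assumed throttle; the claims let it vary by domain, user type, sensitivity
    window: float = 60.0     # assumed "particular time period", in seconds
    accounts: dict = field(default_factory=lambda: dict(ACCOUNTS))
    # (requestor IP, domain portion of the UPN) -> timestamps of requests in that bucket
    _seen: dict = field(default_factory=lambda: defaultdict(deque))

    def risk(self, ip: str, domain: str, now: float) -> float:
        """Combine the two claimed factors for this IP/domain bucket: the quantity of requests
        inside the window and their frequency (requests per second). The weighting is assumed."""
        q = self._seen[(ip, domain)]
        while q and now - q[0] > self.window:   # drop requests that fell out of the window
            q.popleft()
        quantity = len(q)
        frequency = quantity / self.window
        return quantity * (1.0 + frequency)

    def sign_in(self, upn: str, password: str, ip: str, now: float) -> dict:
        """Return whether access is granted and the message shown for this attempt."""
        _user, _, domain = upn.rpartition("@")   # domain portion ("" if the name is not a UPN)
        self._seen[(ip, domain)].append(now)     # every request for the domain counts toward risk
        risk = self.risk(ip, domain, now)
        # A valid username/credential pair is always accepted, whatever the throttle state.
        if upn in self.accounts and self.accounts[upn] == password:
            return {"access": True, "message": "signed in", "risk": risk}
        if risk < self.threshold:
            # User-level discovery: the message is unambiguous about whether the account exists.
            message = "wrong password" if upn in self.accounts else "no such account"
        else:
            # Threshold reached: only domain-level discovery, so the message stays ambiguous.
            message = "username or password is incorrect"
        return {"access": False, "message": message, "risk": risk}


if __name__ == "__main__":
    svc = SignInService()
    for t in range(6):   # six guesses for one domain from one address within a minute
        print(svc.sign_in(f"user{t}@corp.example", "x", "198.51.100.7", float(t))["message"])
```

Running the script shows the first four guesses answered with "no such account" and the fifth and sixth with the ambiguous message, since the risk reaches the threshold at five requests in the window.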