ACCESS CONTROL BY TESTING FOR SHARED KNOWLEDGE
Abstract
Access to resource(s) intended to be shared with specific groups of individuals is controlled using concise tests of shared knowledge instead of (or in addition to) accounts and access control lists. Users can readily learn the concept and choose questions that will control the access by the desired group with little effort. Such questions can be relatively secure against guesses by those not intended to have access, particularly if the number of allowed guesses is relatively limited. Users can generally predict the security of their questions, but sometimes underestimate the ability of attackers to use Web searching or enumeration to discover answers. In such cases, the system can automatically discover weak questions and then suggest alternatives. By lowering the threshold to access control, shared knowledge tests can enable more types of information to acquire collaborative value on the Internet and on other types of networks.
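The following sketch is an added example, not code from the patent: it shows a shared knowledge gate that accepts an inexactly matching answer (as recited in claim 1) while limiting the number of guesses (as the abstract recommends). The matching procedure (text normalization plus edit distance with a length-scaled typo budget), the three-guess limit, the per-visitor identifier and the sample question are all assumptions made for illustration.

```python
import re
import unicodedata

MAX_GUESSES = 3  # assumption: the abstract only says guesses are "relatively limited"

def normalize(text):
    """Fold case, accents, punctuation and extra whitespace before comparing."""
    text = unicodedata.normalize("NFKD", text)
    text = "".join(c for c in text if not unicodedata.combining(c))
    text = re.sub(r"[^a-z0-9 ]+", " ", text.lower())
    return " ".join(text.split())

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def inexact_match(proposed, acceptable):
    """True if the proposed answer is within the typo budget of any acceptable answer."""
    p = normalize(proposed)
    if not p:
        return False
    for answer in acceptable:
        a = normalize(answer)
        # Short answers get no typo budget, so fuzziness does not widen
        # an already small guessing space.
        budget = 0 if len(a) < 5 else 1 if len(a) < 10 else 2
        if edit_distance(p, a) <= budget:
            return True
    return False

class SharedKnowledgeGate:
    """One question guarding one resource, with a per-visitor guess limit."""
    def __init__(self, question, acceptable_answers, max_guesses=MAX_GUESSES):
        self.question = question
        self.acceptable = list(acceptable_answers)
        self.max_guesses = max_guesses
        self.failures = {}  # visitor id (hypothetical) -> failed guesses so far

    def attempt(self, visitor, proposed):
        if self.failures.get(visitor, 0) >= self.max_guesses:
            return "locked"  # refused even if the answer is now correct
        if inexact_match(proposed, self.acceptable):
            return "granted"
        self.failures[visitor] = self.failures.get(visitor, 0) + 1
        return "denied"

def demo():
    # Constructed sample question and answers, for illustration only.
    gate = SharedKnowledgeGate("Which mountain did we climb in 2005?",
                               ["Mount Rainier", "Mt Rainier"])
    return [gate.attempt("friend", "mt. ranier"),
            *[gate.attempt("stranger", g) for g in ("Hood", "Baker", "Adams", "Mount Rainier")]]
```

The typo budget and the guess limit trade against each other: every extra edit tolerated enlarges the set of strings that unlock the resource, so the looser the match, the lower the guess limit should be.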
41 Claims
1. A method for using a computing device to control access to a resource, wherein the access includes one or more of perceiving, modifying, creating, adding to, or deleting the resource, comprising the steps of:
(a) enabling a user desiring to provide access to the resource by a specific group of one or more persons who can interact with the computing device, to specify a shared knowledge question and to indicate one or more acceptable answers to the shared knowledge question, wherein the user creates the shared knowledge question so that only the specific group of one or more persons are likely to know an acceptable answer to the shared knowledge question;
(b) enabling a person desiring to access the resource to be presented with the shared knowledge question and to respond by entering a proposed answer to the shared knowledge question;
(c) using the computing device to automatically employ an inexact matching procedure to determine if the proposed answer at least inexactly matches any of the one or more acceptable answers sufficiently to enable the person to access the resource; and
  (i) if so, enabling the person to access the resource;
  else, (ii) if not, denying the person access to the resource.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20

21. A memory medium storing machine readable and executable instructions for use in controlling access to a resource, by carrying out a plurality of functions when the machine readable and executable instructions are executed on a computing device, wherein the access includes one or more of perceiving, modifying, creating, adding to, or deleting the resource, the plurality of functions including:
(a) enabling a user desiring to provide access to the resource by a specific group of one or more persons, to specify a shared knowledge question and to indicate one or more acceptable answers to the shared knowledge question, wherein the user creates the shared knowledge question so that only the specific group of one or more persons are likely to know an acceptable answer to the shared knowledge question;
(b) enabling a person desiring to access the resource to be presented with the shared knowledge question and to respond by entering a proposed answer to the shared knowledge question;
(c) automatically employing an inexact matching procedure to determine if the proposed answer at least inexactly matches any of the one or more acceptable answers sufficiently to enable the person access to the resource; and
  (i) if so, enabling the person access to the resource;
  else, (ii) if not, denying the person access to the resource.

22. A method for using a computing device for controlling access to resources, wherein the access includes one or more of perceiving, modifying, creating, adding to, or deleting the resource, and in connection therewith, determining a degree of relation between parties accessing the resources, comprising the steps of:
(a) specifying shared knowledge questions and specifying one or more acceptable answers to each shared knowledge question, where each shared knowledge question is associated with a resource and is selected so that a group of one or more parties who are intended to be able to access the resource are likely to have knowledge of an acceptable answer to the shared knowledge question;
(b) enabling parties to enter proposed answers to shared knowledge questions that are each associated with specific resources;
(c) using the computing device for determining if the proposed answers that are entered by the parties are acceptable answers, and if so, granting access to the resources with which the shared knowledge questions answered by the parties are associated; and
(d) determining a degree of relation function between the user and a specific party who has attempted to access one or more resources by entering a proposed answer to each of one or more shared knowledge questions of the user, where the degree of relation function is at least in part based upon a number of successful attempts by a party to access the one or more resources of the user, by correctly answering the one or more shared knowledge questions.
Dependent claims: 23, 24, 25, 26, 27, 28, 29

30. A method for using a computing device for controlling access to resources over a network, wherein the access includes one or more of perceiving, modifying, creating, adding to, or deleting a resource, comprising the steps of:
(a) enabling one or more shared knowledge questions to be specified and specifying one or more acceptable answers to each shared knowledge question, where each shared knowledge question is associated with a first resource and is selected so that a specific group of one or more parties who are intended to be able to access the first resource are likely to have knowledge of an acceptable answer to the one or more shared knowledge questions;
(b) using the computing device for enabling a party attempting to access a second resource that is controlled by a different entity than that controlling the first resource to enter a proposed answer to one or more of the shared knowledge questions that are associated with the first resource, thereby reusing the one or more shared knowledge questions to control access to the second resource;
(c) using the computing device for determining if the one or more proposed answers that are entered by the party attempting to access the second resource are acceptable; and
  (i) if so, granting the party access to the second resource;
  else, (ii) if not, denying the party access to the second resource.
Dependent claims: 31, 32, 33, 34, 35

36. A method for using a computing device for controlling access to a plurality of resources, wherein the access includes one or more of perceiving, modifying, creating, adding to, or deleting a resource, comprising the steps of:
(a) enabling a plurality of different shared knowledge questions to be specified, wherein specific subsets of the plurality of shared knowledge questions are associated with specific subsets of the plurality of resources and are selected to enable specific groups of one or more parties to access specific resources with which the specific subsets of shared knowledge questions are associated;
(b) using the computing device for storing one or more acceptable answers to each of the plurality of shared knowledge questions that were specified;
(c) presenting a subset of the plurality of shared knowledge questions to a person communicating with the computing device, wherein an existence of the resources with which one or more subsets of the plurality of shared knowledge questions are associated, is hidden from the person;
(d) enabling the person to enter a proposed answer to any of the plurality of shared knowledge questions presented to the person;
(e) using the computing device for determining whether each proposed answer entered by the person is an acceptable answer to the shared knowledge questions for which the proposed answer was entered; and
  (i) enabling the person access to the resource associated with any of the plurality of shared knowledge questions that the person successfully correctly answered, so that after being granted access, the existence of each resource to which the person has been granted access then becomes evident to the person;
  else, (ii) denying the person access to the resources associated with any shared knowledge questions that the person failed to successfully correctly answer, so that the resources remain hidden from the person.

37. A method for using a computing device to assist in controlling access to a resource, wherein the access includes one or more of perceiving, modifying, creating, adding to, or deleting the resource, comprising the steps of:
(a) using the computing device to suggest a shared knowledge question that will be used to control access to the resource;
(b) enabling one or more acceptable answers to the shared knowledge question to be specified; and
(c) presenting the shared knowledge question to a person desiring to access the resource, to control access to the resource based upon the answer provided by the person to the shared knowledge question.

38. A system for controlling access to a resource, wherein the access includes one or more of perceiving, modifying, creating, adding to, or deleting a resource, comprising:
(a) a memory in which information related to the resource or for accessing it, and machine executable instructions are stored;
(b) an interface for enabling bi-directional communication with a computing device used by a party attempting to access the resource; and
(c) a processor that is coupled to the memory and to the interface, the processor executing the machine executable instructions stored in the memory to carry out a plurality of functions, including;
  (i) facilitating a user specifying a shared knowledge question with which one or more acceptable answers are associated, the shared knowledge question being specified so that only a specific group of one or more persons is likely to know an acceptable answer to the shared knowledge question;
  (ii) presenting the shared knowledge question to a person desiring to access the resource;
  (iii) accepting entry of a proposed answer to the shared knowledge question by the person;
  (iv) employing an inexact matching procedure to determine if the proposed answer at least inexactly matches any of the one or more acceptable answers sufficiently to enable the person access to the resource; and
    (A) if so, enabling the person access to the resource via the interface;
    else (B) if not, denying the person access to the resource.

39. A system for controlling access to resources, wherein the access includes one or more of perceiving, modifying, creating, adding to, or deleting a resource, and in connection therewith, determining a degree of relationship between parties accessing the resources, comprising:
(a) a memory in which information related to the resources or information for accessing the resources, and machine executable instructions are stored;
(b) an interface for enabling bi-directional communication with computing devices used by parties to attempt to access the resources; and
(c) a processor in communication with the memory and with the interface, the processor executing the machine executable instructions to carry out a plurality of functions, including;
  (i) facilitating specification of shared knowledge questions, and association of one or more acceptable answers to each shared knowledge question, where each shared knowledge question is also associated with a resource and is specified so that a specific group of one or more parties who are intended to be able to access the resources are likely to have knowledge of acceptable answers to the shared knowledge question;
  (ii) presenting shared knowledge questions to parties desiring to access specific resources;
  (iii) accepting entry of proposed answers to shared knowledge questions that are associated with specific resources;
  (iv) determining if the proposed answers that are entered by the parties are acceptable answers, and if so, granting access to the resources with which the shared knowledge questions answered by the parties are associated; and
  (v) determining a degree of relation function between a user and a specific party who has attempted to access one or more resources of the user by entering a proposed answer to each of one or more shared knowledge questions, where the degree of relation function is at least in part based upon a number of successful attempts by the specific party to access the one or more resources by correctly answering the one or more shared knowledge questions.

40. A system for reusing shared knowledge questions originally created for controlling access to a first resource to be used for controlling access to a second resource, wherein the access includes one or more of perceiving, modifying, creating, adding to, or deleting a resource, comprising:
(a) a memory in which information related to the second resource or for accessing it, and machine executable instructions are stored;
(b) an interface for enabling bi-directional communication with computing devices used by parties to attempt to access the second resource; and
(c) a processor that is coupled to the memory and to the interface, the processor executing the machine executable instructions stored in the memory to carry out a plurality of functions, including;
  (i) using the interface to access data at a different site, where the data at the different site were produced as a result of a first user specifying one or more shared knowledge questions that are each associated with one or more acceptable answers, wherein each shared knowledge question is associated with a first resource and is selected so that specific groups of one or more of the parties who are intended to be able to access the first resource are likely to have knowledge of an acceptable answer to the one or more shared knowledge questions;
  (ii) enabling a party attempting to access the second resource to enter a proposed answer to each of the one or more shared knowledge questions that are associated with the first resource, thereby reusing the one or more shared knowledge questions to control access to the second resource;
  (iii) determining if the one or more proposed answers that are entered by the party attempting to access the second resource are acceptable; and
    (A) if so, granting the party access to the second resource;
    else, (B) if not, denying the party access to the second resource.

41. A system for controlling access to a plurality of resources, wherein the access includes one or more of perceiving, modifying, creating, adding to, or deleting a resource, comprising:
(a) a memory in which information related to the plurality of resources or information for accessing the plurality of resources, and machine executable instructions are stored;
(b) an interface for enabling bi-directional communication with computing devices used by parties to attempt to access the plurality of resources; and
(c) a processor in communication with the memory and with the interface, the processor executing the machine executable instructions to carry out a plurality of functions, including;
  (i) facilitating specification of a plurality of different shared knowledge questions, wherein specific subsets of the shared knowledge questions are associated with specific subsets of the plurality of resources and are selected to enable specific groups of one or more parties to access the resources with which subsets of the shared knowledge questions are associated, wherein each shared knowledge question is associated with one or more acceptable answers;
  (ii) presenting a subset of the plurality of shared knowledge questions to a person communicating with the processor through the interface, wherein an existence of the specific resource with which subset of the plurality of shared knowledge questions is associated, is hidden from the person;
  (iii) accepting entry by the person of a proposed answer to any of the plurality of shared knowledge questions that have been presented to the person;
  (iv) determining whether each proposed answer entered by the person is an acceptable answer to the shared knowledge questions for which the proposed answer was entered; and
    (A) enabling the person access to the resource associated with each of the plurality of shared knowledge questions that the person successfully answered, so that after being granted access, the existence of each resource to which the person has been granted access becomes evident to the person;
    else, (B) denying the person access to the resource associated with any shared knowledge questions that the person failed to successfully answer, so that the resource remains hidden from the person.

Specification