ACCOUNT HIJACKING COUNTER-MEASURES
First Claim
1. A method for authenticating a user prior to providing access to the user's account, the user's account being accessible via a sign-in page upon verifying the user's credentials, comprising:
- determining that a device is accessing the sign-in page;
- obtaining an identifier associated with the device accessing the sign-in page;
- determining that the identifier associated with the device accessing the sign-in page is not associated with a trusted device;
- identifying data contained in the user's account;
- upon verifying the user's credentials, generating at least one security question based on the data randomly selected from the user's account; and
- providing the at least one security question to the user via a user interface, wherein the user is required to correctly answer the at least one security question in order to access the user's account.
Abstract
A method for providing an additional layer of authentication prior to accessing a user's account even though the user's credentials have previously been verified. User accounts are often accessed via a sign-in page that verifies the user's credentials. Upon detecting a device accessing the sign-in page, an identifier associated with the device is obtained. One such type of identifier is the IP address assigned to the device. Based on the identifier, it is determined whether the device is trusted or not. Even though the user's credentials are verified via the sign-in page, if the device is not trusted, a second authentication page is presented to the user prior to proceeding to the account. The second authentication page presents at least one security question. The security question is based on information contained in the user's account (e.g., contact information, event information, electronic messages, etc.). The user is required to correctly answer the security question in order to access the account.
20 Claims
12. A method for authenticating a user prior to proceeding to a landing page that has access to an account storing the user's data, comprising:
- obtaining an identifier associated with a device accessing a sign-in page, the sign-in page requires entry of credentials associated with the user before proceeding to the landing page;
- designating the device as not trusted based on the identifier associated with the device accessing the sign-in page;
- identifying categories of user data stored in the account;
- selecting a first category of user data stored in the account;
- generating a first security question using user data from the first category of data;
- selecting a second category of user data stored in the account;
- generating a second security question using user data from the second category of data; and
- after successful authentication of the user by verifying the credentials entered in the sign-in page, providing the first and second security questions to the user via a user interface, wherein the user is required to correctly answer the first and second security questions in order to proceed to the landing page.
17. A method for providing account hijacking countermeasures in an online communications service environment, comprising:
- providing a sign-in page requiring verification of a user's credentials prior to proceeding to the user's account, wherein the user's credentials include a unique user identification and a password;
- determining that a device accessing the sign-in page is not a trusted device;
- after the user's credentials have been verified via the sign-in page, providing an authentication page containing at least two security questions, wherein each security question is based on information obtained from the user's account; and
- proceeding to the user's account if each of the at least two security questions provided in the authentication page are answered correctly.
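The flow described in the abstract and in claim 12, as an added Python sketch that is not code from the patent: credentials are verified first, a device whose IP address is not on a trusted list gets two questions drawn from two randomly selected categories of account data, and every answer must match. The account records, the trusted network, the question wording and all function names are assumptions made for this example.

```python
import hmac
import ipaddress
import random

ACCOUNT = {  # constructed sample data; categories follow the abstract's examples
    "contacts": [{"name": "Dana Reyes", "email": "dana@example.test"}],
    "events": [{"title": "Dentist", "date": "2024-03-14"}],
    "messages": [{"subject": "Lease renewal", "sender": "landlord@example.test"}],
}
TRUSTED_NETWORKS = ["203.0.113.0/24"]  # assumed allow-list of device identifiers

TEMPLATES = {  # category -> (question builder, answer builder); hypothetical wording
    "contacts": (lambda r: f"E-mail address of your contact {r['name']}?", lambda r: r["email"]),
    "events": (lambda r: f"Date of your calendar event '{r['title']}'?", lambda r: r["date"]),
    "messages": (lambda r: f"Who sent you the message '{r['subject']}'?", lambda r: r["sender"]),
}

def is_trusted(ip, networks=TRUSTED_NETWORKS):
    """True when the device identifier (here its IP address) is on the allow-list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in networks)

def generate_questions(account, count=2):
    """One question from each of `count` randomly selected non-empty categories."""
    rng = random.SystemRandom()  # OS CSPRNG, so the selection is not predictable
    usable = [c for c in TEMPLATES if account.get(c)]
    chosen = rng.sample(usable, count) if len(usable) >= count else []
    questions = []
    for cat in chosen:
        ask, expect = TEMPLATES[cat]
        record = rng.choice(account[cat])
        questions.append({"prompt": ask(record), "answer": expect(record)})
    return questions

def _norm(text):
    return " ".join(str(text).casefold().split()).encode()

def sign_in(credentials_ok, ip, account, answer_fn):
    """answer_fn(prompt) stands in for the user interface that collects answers."""
    if not credentials_ok:
        return "denied"
    if is_trusted(ip):
        return "granted"
    questions = generate_questions(account)
    if not questions:
        return "denied"  # fail closed: all() over no questions would be True
    ok = all(hmac.compare_digest(_norm(answer_fn(q["prompt"])), _norm(q["answer"]))
             for q in questions)
    return "granted" if ok else "denied"
```

An account holding fewer than two usable categories yields no questions, and the sketch denies access in that case rather than treating an empty challenge as passed.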
Specification