EVIDENCE-BASED DYNAMIC SCORING TO LIMIT GUESSES IN KNOWLEDGE-BASED AUTHENTICATION

US 20100293608A1
Filed: 05/14/2009
Published: 11/18/2010
Est. Priority Date: 05/14/2009
Status: Active Grant

First Claim

Patent Images

1. A method of providing access to a restricted resource during a session upon receipt of an input that matches a stored answer, the method comprising:

receiving an input from a user in response to a personal question, the input being different than a stored answer of the personal question;

determining whether the input is a lexicon or semantically similar to a previous input by the user;

assigning a score to the session based on a popularity of the input;

reducing the score when the input is determined to be the lexicon or semantically similar to the previous input; and

transmitting another request for a correct input when a sum of the score and any previous scores of the session is less than a threshold.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques to provide evidence-based dynamic scoring to limit guesses in knowledge based authentication are disclosed herein. In some aspects, an authenticator may receive an input from a user in response to a presentation of a personal question that enables user access to a restricted resource. The authenticator may determine that the input is not equivalent to a stored value, and thus is an incorrect input. The authenticator may then determine whether the input is similar to a previous input received from the user. A score may be assigned to the input. When the input is determined to be similar to the previous input, the score may be reduced. Another request for an input may be transmitted by the authenticator when a sum of the score and any previous scores of the session is less than a threshold.

159 Citations

20 Claims

1. A method of providing access to a restricted resource during a session upon receipt of an input that matches a stored answer, the method comprising:
- receiving an input from a user in response to a personal question, the input being different than a stored answer of the personal question;
  
  determining whether the input is a lexicon or semantically similar to a previous input by the user;
  
  assigning a score to the session based on a popularity of the input;
  
  reducing the score when the input is determined to be the lexicon or semantically similar to the previous input; and
  
  transmitting another request for a correct input when a sum of the score and any previous scores of the session is less than a threshold.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method as recited in claim 1, wherein the determining whether the input is the lexicon includes:
    - calculating an edit distance between the received input and the previous input;
      
      comparing the edit distance to an edit distance threshold; and
      
      designating the received input as the lexicon when the edit distance is less than the edit distance threshold.
  - 3. The method as recited in claim 1, wherein determining whether the input is semantically similar includes:
    - searching a semantic database using the received input to generate a search output;
      
      determining whether the previous input is included in the search output; and
      
      designating the received input as semantically similar to the previous input when the previous input is included in the search output.
  - 4. The method as recited in claim 1, wherein the determining whether the input is a lexicon or semantically similar to the previous input also includes determining whether the input is the lexicon or semantically similar to the stored answer, and reducing the score when the input is determined to be the lexicon or semantically similar to the stored answer.
  - 5. The method as recited in claim 1, wherein the score is assigned in part based on the popularity of the received input.
  - 6. The method as recited in claim 1, wherein the input is a user login password.

7. One or more computer-readable media storing computer-executable instructions that, when executed on one or more processors, causes the one or more processors to perform acts comprising:
- receiving an input from a user in response to a knowledge based personal authentication question;
  
  comparing the input to a stored answer of the authentication question;
  
  assigning a score based on the input, the score summed with any previous scores to create a total score;
  
  determining whether the received input is at least one of a lexicon match or a semantic match with a previous input by the user;
  
  reducing the score when the received input is determined to be at least one of the lexicon match or the semantic match; and
  
  transmitting an additional request for an input to the user when the total score is less than a threshold value.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14)
- - 8. The method as recited in claim 7, wherein the score is based on the popularity of the input as compared to a distribution of inputs received from other users.
  - 9. The method as recited in claim 7, wherein the score includes a previous input score associated with the previous input and a received input score associated with the received input, and wherein the reducing the score includes reducing the score of a lower of the previous input score and the received input score.
  - 10. The method as recited in claim 7, wherein the determining of the lexicon match includes:
    - calculating an edit distance;
      
      comparing the edit distance to a threshold, anddesignating the input as the lexicon match when the edit distance is less than the threshold.
  - 11. The method as recited in claim 10, wherein the reducing the score is based on the edit distance.
  - 12. The method as recited in claim 7, wherein the determining of the semantic match includes:
    - searching a semantic database using the received input to generate a search output;
      
      determining whether the previous input is included in the search output; and
      
      designating the received input as the semantic match to the previous input when the previous input is included in the search output.
  - 13. The method as recited in claim 11, wherein the semantic database includes at least one of a thesaurus, a geographical database, or a user input database.
  - 14. The method as recited in claim 7, wherein the previous input is restricted to a previous login attempt.

15. A method of analyzing answers to personal questions, the method comprising:
- receiving a new answer to a personal question;
  
  analyzing a collection of received answers to the personal question to create a distribution of the received answers;
  
  comparing the new answer to the distribution of received answers; and
  
  designating the new answer as a popular answer when an occurrence of the new answer in the distribution of received answers exceeds a popularity threshold.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The method as recited in claim 15, further comprising:
    - rejecting the new answer; and
      
      transmitting a request for another new answer.
  - 17. The method as recited in claim 16, wherein the request for the another new answer includes a request for a more specific answer.
  - 18. The method as recited in claim 15, wherein the distribution of received answers includes answers used to establish the new answer to the personal question.
  - 19. The method as recited in claim 15, further comprising discontinuing use of the personal question when the new answer is designated as a popular answer.
  - 20. The method as recited in claim 19, wherein discontinuing use of the personal question includes removing the personal question from a list of selectable personal questions.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Kaufman, Charles William, Herley, Cormac E., Schechter, Stuart, Rouskov, Yordan I.

Granted Patent

US 9,124,431 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/8
CPC Class Codes

G06F 21/31   User authentication

G06F 40/247   Thesauruses; Synonyms

G06F 40/30   Semantic analysis

H04L 45/028   Dynamic adaptation of the u...

H04L 9/3218   using proof of knowledge, e...

H04L 9/3226   using a predetermined code,...

EVIDENCE-BASED DYNAMIC SCORING TO LIMIT GUESSES IN KNOWLEDGE-BASED AUTHENTICATION

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

159 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

EVIDENCE-BASED DYNAMIC SCORING TO LIMIT GUESSES IN KNOWLEDGE-BASED AUTHENTICATION

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

159 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links