USABLE SECURITY OF ONLINE PASSWORD MANAGEMENT WITH SENSOR-BASED AUTHENTICATION

US 20120297190A1
Filed: 05/19/2011
Published: 11/22/2012
Est. Priority Date: 05/19/2011
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented security system, comprising:

a security management component of a device that processes a request for access to a secure destination, generates biometric data of a user of the device in response to the request, and encrypts the biometric data as encrypted credentials;

a cloud framework that performs authentication of the encrypted credentials received from the device, and sends authenticated encrypted credentials to the device;

a decryption component of the device 104 decrypts the authenticated encrypted credentials to provide access information to access the secure destination; and

a processor that executes computer-executable instructions associated with at least one of the security management component, cloud framework, or decryption component.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A multi-party security protocol that incorporates biometric-based authentication and withstands attacks against any single party (e.g., mobile phone, cloud, or the user). The protocol involves the function split between mobile and cloud and the mechanisms to chain-hold the secrets. A key generation mechanisms binds secrets to a specific device or URL (uniform resource locator) by adding salt to a master credential. An inline CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) handling mechanism uses the same sensor modality as the authentication process, which not only improves the usability, but also facilitates the authentication process. This architecture further enhances existing overall system security (e.g., handling untrusted or compromised cloud service, phone being lost, impersonation, etc.) and also improves the usability by automatically handling the CAPTCHA.

Citations

20 Claims

1. A computer-implemented security system, comprising:
- a security management component of a device that processes a request for access to a secure destination, generates biometric data of a user of the device in response to the request, and encrypts the biometric data as encrypted credentials;
  
  a cloud framework that performs authentication of the encrypted credentials received from the device, and sends authenticated encrypted credentials to the device;
  
  a decryption component of the device 104 decrypts the authenticated encrypted credentials to provide access information to access the secure destination; and
  
  a processor that executes computer-executable instructions associated with at least one of the security management component, cloud framework, or decryption component.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system of claim 1, wherein the biometric data is stored only on the cloud framework, the encrypted credentials are stored only on the cloud framework, and a decryption key for decrypting the authenticated encrypted credentials is stored only on the device.
  - 3. The system of claim 1, wherein the request is received in response to access to a secure webpage, and the access information includes a username and a password that are automatically input to access the secure destination.
  - 4. The system of claim 1, wherein the encrypted credentials are encrypted using a key created based on a master credential and domain information of the secure destination, the key correlated to the device.
  - 5. The system of claim 1, wherein the cloud framework includes an inline CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) handling component that concurrently presents a random challenge and the CAPTCHA to the user.
  - 6. The system of claim 5, wherein response to both the random challenge and the CAPTCHA is via a single sensor type.
  - 7. The system of claim 1, wherein the cloud framework includes a credential database that stores credentials, a model database of biometric models, and a layout database that stores parsed webpage login element information.
  - 8. The system of claim 1, wherein the device includes a browser plug-in that intercepts a login process to the secure destination, analyzes webpage content to obtain a code input field, renders an authentication interface, and performs automatic form filling.
  - 9. The system of claim 1, further comprising a sensor component that includes local sensors which sense user biometrics related to at least one of face, voice, iris, or vein, and output sensor data as the biometric data.
  - 10. The system of claim 9, wherein the sensor component performs recognition of a user interaction, and the security management component prompts further user input related to a type of the user interaction.

11. A computer-implemented security method, comprising acts of:
- requesting biometric data of a user via a mobile device in response to accessing a secure website;
  
  sensing the biometric data via sensors of the mobile device;
  
  encrypting the biometric data as credentials at the mobile device;
  
  authenticating the credentials at a cloud service to create authenticated credentials;
  
  sending the authenticated credentials from the cloud service to the mobile device;
  
  decrypting the authenticated credentials at the mobile device;
  
  processing access to the secure website using the decrypted authenticated credentials; and
  
  utilizing a processor that executes instructions stored in memory to perform at least one of the acts of requesting, sensing, encrypting, authenticating, sending, decrypting, or processing.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The method of claim 11, further comprising generating an encryption and decryption key in the mobile device based on a master credential and a domain name of the secure website.
  - 13. The method of claim 11, further comprising generating a registration and unregistration key at the cloud service based on a master credential and mobile device identifier.
  - 14. The method of claim 11, further comprising processing a CAPTCHA input and a random challenge as part of the authenticating the credentials using one modality of sensor input.
  - 15. The method of claim 11, further comprising presenting a user interface in response to the request and, processing CAPTCHA and random challenges to create a secure login page to the secure website.
  - 16. The method of claim 11, further comprising storing the biometric data only on a cloud framework, storing the encrypted credentials only on the cloud framework, and storing an encryption/decryption key only on the mobile device.

17. A computer-implemented security method, comprising acts of:
- initiating access to a secure website via a device;
  
  collecting biometric data of a user via sensors of the device;
  
  encrypting the biometric data as credentials at the device using a key;
  
  sending the credentials to a cloud framework;
  
  presenting an authentication user interface in response to the access;
  
  initiating authentication of the credentials at the cloud framework;
  
  presenting a random challenge and CAPTCHA via the user interface;
  
  processing the challenge and CAPTCHA to create authenticated credentials;
  
  sending the authenticated credentials from the cloud framework to the device;
  
  decrypting the authenticated credentials at the device; and
  
  processing access to the secure website using the decrypted authenticated credentials.
- View Dependent Claims (18, 19, 20)
- - 18. The method of claim 17, further comprising generating the key based on a user identifier, a passcode, and domain name of the secure website.
  - 19. The method of claim 17, further comprising checking co-presence of the cloud framework and the device based on content encryption.
  - 20. The method of claim 17, further comprising registering the device for secure biometric authentication processing using a register key generated from a device identifier of the device and a master credential.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Yang, Fan, Zhou, Lidong, Shen, Guobin

Granted Patent

US 9,141,779 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/168
CPC Class Codes

G06F 21/32   using biometric data, e.g. ...

H04L 2209/805   Lightweight hardware, e.g. ...

H04L 2463/082   applying multi-factor authe...

H04L 63/0815   providing single-sign-on or...

H04L 63/0861   using biometrical features,...

H04L 9/0866   involving user or device id...

H04L 9/32   including means for verifyi...

H04L 9/3231   Biological data, e.g. finge...

H04L 9/3271   using challenge-response

USABLE SECURITY OF ONLINE PASSWORD MANAGEMENT WITH SENSOR-BASED AUTHENTICATION

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

USABLE SECURITY OF ONLINE PASSWORD MANAGEMENT WITH SENSOR-BASED AUTHENTICATION

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links