PASSIVE SECURITY ENFORCEMENT

US 20140223522A1
Filed: 11/22/2013
Published: 08/07/2014
Est. Priority Date: 01/23/2009
Status: Active Grant

First Claim

Patent Images

1. A method for passive authentication, the method comprising:

receiving one or more first attributes of a first user;

determining, from a set of types, corresponding types for each of the first attributes, wherein each of the types in the set of types has a corresponding weight;

comparing, based on the determined types for each of the first attributes, each of the first attributes of the first user to one or more previously stored attributes with a corresponding type, thereby selecting first applicable attributes;

passively authenticating the first user at a first confidence level, the first confidence level based on the weights for the types corresponding to each first applicable attribute;

after passively authenticating the first user at the first confidence level, receiving one or more second attributes of the first user;

determining, from the set of types, corresponding types for each of the second attributes;

comparing, based on the determined types for each of the second attributes, each of the second attributes of the first user to one or more of the previously stored attributes with a corresponding type, thereby selecting second applicable attributes; and

updating the first confidence level to a second confidence level, the second confidence level based on the weights for the types corresponding to each second applicable attribute, wherein each attribute of the first attributes and of the second attributes comprise at least one of an event associated with the first user and a physical characteristic of the first user;

wherein each previously stored attribute comprises a previously stored event associated with a second user, a previously stored physical characteristic of the second user, or one or more previously determined acceptable values for the type corresponding to that stored attribute.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Technology is described for enabling passive enforcement of security at computing systems. A component of a computing system can passively authenticate or authorize a user based on observations of the user'"'"'s interactions with the computing system. The technology may increase or decrease an authentication or authorization level based on the observations. The level can indicate what level of access the user should be granted. When the user or a component of the computing device initiates a request, an application or service can determine whether the level is sufficient to satisfy the request. If the level is insufficient, the application or service can prompt the user for credentials so that the user is actively authenticated. The technology may enable computing systems to “trust” authentication so that two proximate devices can share authentication levels.

16 Citations

View as Search Results

20 Claims

1. A method for passive authentication, the method comprising:
- receiving one or more first attributes of a first user;
  
  determining, from a set of types, corresponding types for each of the first attributes, wherein each of the types in the set of types has a corresponding weight;
  
  comparing, based on the determined types for each of the first attributes, each of the first attributes of the first user to one or more previously stored attributes with a corresponding type, thereby selecting first applicable attributes;
  
  passively authenticating the first user at a first confidence level, the first confidence level based on the weights for the types corresponding to each first applicable attribute;
  
  after passively authenticating the first user at the first confidence level, receiving one or more second attributes of the first user;
  
  determining, from the set of types, corresponding types for each of the second attributes;
  
  comparing, based on the determined types for each of the second attributes, each of the second attributes of the first user to one or more of the previously stored attributes with a corresponding type, thereby selecting second applicable attributes; and
  
  updating the first confidence level to a second confidence level, the second confidence level based on the weights for the types corresponding to each second applicable attribute, wherein each attribute of the first attributes and of the second attributes comprise at least one of an event associated with the first user and a physical characteristic of the first user;
  
  wherein each previously stored attribute comprises a previously stored event associated with a second user, a previously stored physical characteristic of the second user, or one or more previously determined acceptable values for the type corresponding to that stored attribute.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1 wherein the at least one of the determined types for the first attributes or for the second attributes comprises a location that is identifiable by the computing device.
  - 3. The method of claim 2 wherein the at least one of the determined types for the first attributes or for the second attributes comprises a captured image of surroundings and a name of a data communications network.
  - 4. The method of claim 1 wherein the second confidence level is lower than first confidence level.
  - 5. The method of claim 4 further comprising:
    - determining that the second confidence level is lower than a specified threshold; and
      
      in response to determining that the second confidence level is lower than a specified threshold, preventing the first user from accessing one or more functions of a computing device that were available to the first user when the user was authenticated at the first confidence level.
  - 6. The method of claim 1 wherein the at least one of the determined types for the first attributes or for the second attributes comprises making a telephone call.
  - 7. The method of claim 1 wherein the first confidence level and second confidence level are indications of the likelihood that the authentication is correct.
  - 8. The method of claim 1 wherein the at least one of the determined types for the first attributes or for the second attributes comprises a temperature.
  - 9. The method of claim 1 wherein the at least one of the determined types for the first attributes or for the second attributes comprises a motion.
  - 10. The method of claim 1 wherein the at least one of the determined types for the first attributes or for the second attributes comprises a pressure.
  - 11. The method of claim 1 wherein the at least one of the determined types for the first attributes or for the second attributes comprises a co-presence or absence of another device and wherein the stored attribute to which the co-presence or absence of another device is compared comprise one of the previously determined acceptable values equivalent to true and false.
  - 12. The method of claim 1 wherein the at least one of the determined types for the first attributes or for the second attributes comprises a facial pattern.
  - 13. The method of claim 1 further comprising receiving a request from the first user, the request comprising an identification of action to be performed by an application, wherein,if the second confidence level is above a security level associated with the action identified in the request, the application satisfies the request;
    - andif the security level associated with the action identified in in the request is not above the security level associated with the action in the request, the application causes a component to prompt the user for authentication credentials so that the user can be actively authenticated.

14. A computer-readable storage device storing computer-executable instructions compared, when executed by a computing device, cause the computing device to perform operations for passively authenticating a user, the operations comprising:
- receiving one or more first attributes of a first user;
  
  determining, from a set of types, corresponding types for each of the first attributes, wherein each of the types in the set of types has a corresponding weight;
  
  comparing, based on the determined types for each of the first attributes, each of the first attributes of the first user to one or more previously stored attributes with a corresponding type, thereby selecting first applicable attributes;
  
  passively authenticating the first user at a first confidence level, the first confidence level based on the weights for the types corresponding to each first applicable attribute;
  
  after passively authenticating the first user at the first confidence level, receiving one or more second attributes of the first user;
  
  determining, from the set of types, corresponding types for each of the second attributes;
  
  comparing, based on the determined types for each of the second attributes, each of the second attributes of the first user to one or more of the previously stored attributes with a corresponding type, thereby selecting second applicable attributes; and
  
  updating the first confidence level to a second confidence level, the second confidence level based on the weights for the types corresponding to each second applicable attribute, wherein each attribute of the first attributes and of the second attributes comprise at least one of;
  
  an event associated with the first user and a physical characteristic of the first user;
  
  wherein each previously stored attribute comprises a previously stored event associated with a second user, a previously stored physical characteristic of the second user, or one or more previously determined acceptable values for the type corresponding to that stored attribute.
- View Dependent Claims (15, 16, 17)
- - 15. The computer-readable storage device of claim 14 wherein the at least one of the determined types for the first attributes or for the second attributes comprise a signal from a proximate computing device that has also authenticated the user, and wherein the updating comprises increasing the confidence level upon receiving a signal from a proximate computing device that has also authenticated the user.
  - 16. The computer-readable storage device of claim 14 wherein the operations further comprise receiving a request from the first user, the request comprising an identification of action to be performed by an application, wherein,if the second confidence level is above a security level associated with the action identified in the request, the application satisfies the request;
    - andif the security level associated with the action identified in in the request is not above the security level associated with the action in the request, the application causes a component to prompt the user for authentication credentials so that the user can be actively authenticated.
  - 17. The computer-readable storage device of claim 14 wherein the operations further comprise:
    - determining that the second confidence level is lower than a specified threshold; and
      
      in response to determining that the second confidence level is lower than a specified threshold, preventing the first user from accessing one or more functions of a computing device that were available to the first user when the user was authenticated at the first confidence level.

18. A device for passively authenticating a user, the device comprising:
- a processor and memory;
  
  an input configured to receive one or more first attributes of a first user;
  
  an attribute analyzer configured to determine, from a set of types, corresponding types for each of the first attributes, wherein each of the types in the set of types has a corresponding weight;
  
  an attribute comparator configured to compare, based on the determined types for each of the first attributes, each of the first attributes of the first user to one or more previously stored attributes with a corresponding type, to thereby select first applicable attributes; and
  
  an authentication module configured to passively authenticate the first user at a first confidence level, the first confidence level based on the weights for the types corresponding to each first applicable attribute;
  
  wherein the input is further configured to, after the passive authentication of the first user at the first confidence level, receive one or more second attributes of the first user,wherein the attribute analyzer is further configured to determine, from the set of types, corresponding types for each of the second attributes,wherein the attribute comparator is further configured to compare, based on the determined types for each of the second attributes, each of the second attributes of the first user to one or more of the previously stored attributes with a corresponding type, to thereby select second applicable attributes,wherein the authentication module is further configured to update the first confidence level to a second confidence level, the second confidence level based on the weights for the types corresponding to each second applicable attribute,wherein each attribute of the first attributes and of the second attributes comprise at least one of;
  
  an event associated with the first user and a physical characteristic of the first user, andwherein each previously stored attribute comprises a previously stored event associated with a second user, a previously stored physical characteristic of the second user, or one or more previously determined acceptable values for the type corresponding to that stored attribute.
- View Dependent Claims (19, 20)
- - 19. The device of claim 18 wherein the at least one of the determined types for the first attributes or for the second attributes comprises a facial pattern.
  - 20. The device of claim 18 further comprising an interface configured to receive a request from the first user, the request comprising an identification of action to be performed by an application, wherein, if the second confidence level is above a security level associated with the action identified in the request, the application satisfies the request;
    - andif the security level associated with the action identified in in the request is not above the security level associated with the action in the request, the application causes a component to prompt the user for authentication credentials so that the user can be actively authenticated.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Steeves, David J., Cameron, Kim, Carpenter, Bradley, Foster, David, Miller, Quentin S.

Granted Patent

US 8,898,758 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/5
CPC Class Codes

G06F 21/316   by observing the pattern of...

G06F 21/32   using biometric data, e.g. ...

H04L 2463/082   applying multi-factor authe...

H04L 63/0492   by using a location-limited...

H04L 63/08   for authentication of entit...

H04L 63/0861   using biometrical features,...

H04L 67/10   in which an application is ...

H04W 12/06   Authentication

H04W 12/065   Continuous authentication

H04W 12/40   Security arrangements using...

PASSIVE SECURITY ENFORCEMENT

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

16 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

PASSIVE SECURITY ENFORCEMENT

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

16 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links