PASSIVE SECURITY ENFORCEMENT
2 Assignments
0 Petitions
Accused Products
Abstract
Technology is described for enabling passive enforcement of security at computing systems. A component of a computing system can passively authenticate or authorize a user based on observations of the user'"'"'s interactions with the computing system. The technology may increase or decrease an authentication or authorization level based on the observations. The level can indicate what level of access the user should be granted. When the user or a component of the computing device initiates a request, an application or service can determine whether the level is sufficient to satisfy the request. If the level is insufficient, the application or service can prompt the user for credentials so that the user is actively authenticated. The technology may enable computing systems to “trust” authentication so that two proximate devices can share authentication levels.
-
Citations
40 Claims
-
1-20. -20. (canceled)
-
21. A method for passive authentication by a computing system, the method comprising:
-
receiving, by the computing system, a first subset of attributes comprising one or more attributes; determining by the computing system, from a set of types, a corresponding first type for each attribute of the first subset of attributes; passively authenticating, by the computing system, a user at a first authentication level by comparing each attribute of the first subset of attributes to one or more first previously stored attributes each having an assigned first type matching the corresponding first type determined for each attribute of the first subset of attributes; receiving, by the computing system, a second subset of attributes comprising at least one attribute; determining, from the set of types, corresponding second types for each attribute of the second subset of attributes; and passively updating, by the computing system, the first authentication level to a second authentication level by comparing each attribute of the second subset of attributes to one or more second previously stored attributes each having an assigned second type matching the corresponding second type determined for each attribute of the second subset of attributes; wherein each attribute of the first subset of attributes and of the second subset of attributes is an event indicative of the user or is a physical characteristic of the user; and wherein each previously stored attribute comprises a previously stored event, a previously stored physical characteristic, or one or more previously determined acceptable values for the type corresponding to that stored attribute for one or more users. - View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30)
if the second authentication level is not above the security level associated with the action identified in the request, the application causes a prompt to be provided to the user for authentication credentials so that the user can be actively authenticated.
-
-
31. A computer-readable medium storing instructions that, when executed by a computing system, cause the computing system to perform operations for passive authentication, the operations comprising:
-
receiving, by the computing system, a first subset of attributes comprising one or more attributes; determining by the computing system, from a set of types, a corresponding first type for each attribute of the first subset of attributes; passively authenticating, by the computing system, a user at a first authentication level by comparing each attribute of the first subset of attributes to one or more first previously stored attributes each having an assigned first type matching the corresponding first type determined for each attribute of the first subset of attributes; receiving, by the computing system, a second subset of attributes comprising at least one attribute; determining, from the set of types, corresponding second types for each attribute of the second subset of attributes; and passively updating, by the computing system, the first authentication level to a second authentication level by comparing each attribute of the second subset of attributes to one or more second previously stored attributes each having an assigned second type matching the corresponding second type determined for each attribute of the second subset of attributes; wherein each attribute of the first subset of attributes and of the second subset of attributes is an event indicative of the user or is a physical characteristic of the user; and wherein each previously stored attribute comprises a previously stored event, a previously stored physical characteristic, or one or more previously determined acceptable values for the type corresponding to that stored attribute for one or more users. - View Dependent Claims (32, 33, 34, 35, 36)
if the second authentication level is not above the security level associated with the action identified in the request, the application causes a prompt to be provided to the user for authentication credentials so that the user can be actively authenticated.
-
-
33. The computer-readable medium of claim 31, wherein the at least one of the determined types for the second subset of attributes includes a type for a signal from a proximate computing device that has authenticated the user, and wherein the updating comprises increasing the authentication level upon receiving the signal from the proximate computing device that has authenticated the user.
-
34. The computer-readable medium of claim 31, wherein the operations further comprise:
-
receiving a first command to enable passive authentication for one or more functions or to enable passive authentication at one or more defined times; and receiving a second command to disable passive authentication for the one or more functions or to disable passive authentication at the one or more defined times.
-
-
35. The computer-readable medium of claim 31, wherein the at least one of the determined types for the first subset of attributes or for the second subset of attributes comprises at least one of:
-
a location that is identifiable by the computing device; a captured image; an identifier of a data communications network; a telephone call; a temperature; a motion;
ora pressure.
-
-
36. The computer-readable medium of claim 31, wherein the operations further comprise:
-
determining that the second authentication level is lower than a specified threshold; and in response to determining that the second authentication level is lower than the specified threshold, preventing the user from accessing one or more functions of the computing device that were available to the user when the user was authenticated at the first authentication level.
-
-
37. A computing system configured to passively authenticate a user, the computing system comprising:
-
one or more processors; a memory; an input component configured to receive at least two subsets of attributes, each comprising at least one attribute; and an authorization component configured to; passively authenticate the user at a first authentication level based on the attributes in a first of the at least two subsets of attributes; and passively update the first authentication level to a second authentication level by comparing each attribute of a second subset of attributes of the at least two subsets of attributes to one or more previously stored attributes, each compared previously stored attribute having an assigned second type matching a corresponding second type determined for each attribute of the second subset of attributes; wherein each attribute of the second subset of attributes is an event indicative of the user or is a physical characteristic of the user, and wherein each previously stored attribute comprises a previously stored event, a previously stored physical characteristic, or one or more previously determined acceptable values for the type corresponding to that stored attribute for one or more users. - View Dependent Claims (38, 39, 40)
-
Specification