Account hijacking counter-measures
First Claim
1. A method for authenticating a user prior to providing access to a user's account, the user's account being accessible via a sign-in page upon verifying a user's credentials, comprising:
determining that a device is accessing the sign-in page;
obtaining an identifier associated with the device accessing the sign-in page;
determining that the identifier associated with the device accessing the sign-in page is not associated with a trusted device;
identifying personal information data of at least one person other than the user contained in the user's account, wherein the personal information data of the at least one person other than the user contained in the user's account includes at least one of the following:
a sender email address for at least one person other than the user as a sender, a recipient email address for at least one person other than the user as a recipient, contact information for at least one person other than the user stored in an address book, and a calendar invitee associated with a calendar event;
upon verifying the user's credentials, generating at least one security question based on the personal information data of the at least one person other than the user randomly selected from the user's account, wherein the step of generating at least one security question comprises the steps of:
accessing the address book;
selecting at least one contact name for at least one person other than the user from the address book;
generating at least one fictitious contact name;
presenting the at least one contact name for at least one person other than the user selected from the address book and the at least one fictitious contact name to the user via an interface; and
requesting the user to select only the at least one contact name for at least one person other than the user selected from the address book; and
providing the at least one security question to the user via a user interface, wherein the user is required to correctly answer the at least one security question in order to access the user's account.
Abstract
A method for providing an additional layer of authentication prior to accessing a user's account even though the user's credentials have previously been verified. User accounts are often accessed via a sign-in page that verifies the user's credentials. Upon detecting a device accessing the sign-in page, an identifier associated with the device is obtained. One such type of identifier is the IP address assigned to the device. Based on the identifier, it is determined whether the device is trusted or not. Even though the user's credentials are verified via the sign-in page, if the device is not trusted, a second authentication page is presented to the user prior to proceeding to the account. The second authentication page presents at least one security question. The security question is based on information contained in the user's account (e.g., contact information, event information, electronic messages, etc.). The user is required to correctly answer the security question in order to access the account.
11 Claims
1. (Independent claim; text as given above under First Claim.) Dependent claims: 2, 3, 4, 5, 6, 7, 8.
9. A method for authenticating a user prior to providing access to a user's account, the user's account being accessible via a sign-in page upon verifying a user's credentials, comprising:
determining that a device is accessing the sign-in page;
obtaining an identifier associated with the device accessing the sign-in page;
determining that the identifier associated with the device accessing the sign-in page is not associated with a trusted device;
identifying personal information data of at least one person other than the user contained in the user's account, wherein the personal information data of the at least one person other than the user contained in the user's account includes at least one of the following:
a sender email address for at least one person other than the user as a sender, a recipient email address for at least one person other than the user as a recipient, contact information for at least one person other than the user stored in an address book, and a calendar invitee associated with a calendar event;
upon verifying the user's credentials, generating at least one security question based on the personal information data of the at least one person other than the user randomly selected from the user's account, wherein the step of generating at least one security question comprises the steps of:
accessing electronic messages received by the user, wherein each electronic message received by the user includes a header containing a sender name of at least one person other than the user and a subject line;
selecting at least one electronic message received by the user;
obtaining the subject line from the header of each of the at least one selected electronic messages;
generating at least one fictitious subject line;
presenting the subject line obtained from the header of each of the selected electronic messages and the subject line from each one of the at least one fictitious subject lines to the user; and
requesting the user to select only the subject lines from electronic messages actually received by the user; and
providing the at least one security question to the user via a user interface, wherein the user is required to correctly answer the at least one security question in order to access the user's account.
Dependent claims: 10, 11.