Social authentication for account recovery

US 8,856,879 B2
Filed: 05/14/2009
Issued: 10/07/2014
Est. Priority Date: 05/14/2009
Status: Active Grant

First Claim

Patent Images

1. One or more computer-readable storage devices storing computer-executable instructions that, when executed, configure one or more devices associated with a service to perform operations comprising:

receiving, by the one or more devices associated with the service, a request from at least one trustee of a plurality of trustees for a respective account recovery code, the respective account recovery code for use by an account holder in conjunction with other account recovery codes sent to other trustees of the plurality of trustees during an account recovery process to recover access to an account of the account holder with the service, the plurality of trustees being designated by the account holder as trustees for the account recovery process, the account having initial access information for accessing the account and the account recovery process not recovering the initial access information;

transmitting a query to the at least one trustee, the query related to a manner in which the account holder requested the at least one trustee obtain the respective account recovery code;

receiving a response to the query from the at least one trustee;

sending, by the one or more devices associated with the service, a warning message to the at least one trustee to enhance security based at least in part on at least one answer provided in response to the query, wherein the warning message is configured to provide the at least one trustee with information to assist at least in part in determining whether or not to proceed with the acquisition of the respective account recovery code.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A backup account recovery authentication of last resort using social authentication is described. The account holder requests trustees who have been previously identified to obtain an account recovery code. The account recovery system sends a communication to the trustee for information to verify the trustee as one of the previously identified trustees. The account recovery system then may transmit a link and code with instructions for the trustee to return the link. The account recovery system then transmits a situational query to the trustee to provide additional security. Finally, if all the communications have been completed for the required level of security, the account recovery code is transmitted to the trustee. The trustee sends the account recovery code to the account holder for access to an account.

175 Citations

28 Claims

1. One or more computer-readable storage devices storing computer-executable instructions that, when executed, configure one or more devices associated with a service to perform operations comprising:
- receiving, by the one or more devices associated with the service, a request from at least one trustee of a plurality of trustees for a respective account recovery code, the respective account recovery code for use by an account holder in conjunction with other account recovery codes sent to other trustees of the plurality of trustees during an account recovery process to recover access to an account of the account holder with the service, the plurality of trustees being designated by the account holder as trustees for the account recovery process, the account having initial access information for accessing the account and the account recovery process not recovering the initial access information;
  
  transmitting a query to the at least one trustee, the query related to a manner in which the account holder requested the at least one trustee obtain the respective account recovery code;
  
  receiving a response to the query from the at least one trustee;
  
  sending, by the one or more devices associated with the service, a warning message to the at least one trustee to enhance security based at least in part on at least one answer provided in response to the query, wherein the warning message is configured to provide the at least one trustee with information to assist at least in part in determining whether or not to proceed with the acquisition of the respective account recovery code.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The one or more computer-readable storage devices of claim 1, wherein if the account holder discovers an unauthorized attempt to obtain a first account recovery code before all of the account recovery codes have been received, the account holder aborts the acquisition of the remaining account recovery codes.
  - 3. The one or more computer-readable storage devices of claim 1, wherein if the at least trustee decides to proceed with the acquisition of the respective account recovery codes after receiving the warning message, the at least one trustee electronically signs the warning message and transmits the signed warning message providing authorization to proceed.
  - 4. The one or more computer-readable storage devices of claim 1, wherein if the at least one trustee decides not to proceed with the acquisition of the respective account recovery code after receiving the warning message, the at least one trustee aborts the acquisition of the respective account recovery code.
  - 5. The one or more computer-readable storage devices of claim 1, the acts further comprising:
    - transmitting, by the one or more devices associated with the service, the respective account recovery code to each of the at least two trustees, the respective account recovery codes being distinct from one another;
      
      receiving, from the account holder over a network, at least two of the distinct account recovery codes, andverifying, by the one or more devices associated with the service, the account holder at least in part in response to the receiving of the at least two of the distinct account recovery codes from the account holder.
  - 6. The one or more computer-readable storage devices of claim 1, the operations further comprising:
    - prior to transmitting the query,transmitting a verification form to the at least one trustee for authentication;
      
      receiving the verification form from the at least one trustee after the verification form is completed by the at least one trustee;
      
      transmitting a code to authenticate the at least one trustee to a pre-identified contact destination;
      
      receiving the code from the at least one trustee to authenticate the at least one trustee.
  - 7. The one or more computer-readable storage devices of claim 6, wherein receiving a code to authenticate the at least one of the trustees further comprises checking the code against a database record created to track the at least one of the trustees.
  - 8. The one or more computer-readable storage devices of claim 6, wherein the pre-identified contact destination includes one of the following:
    - telephone;
      
      e-mail;
      
      ortext message.
  - 9. The one or more computer-readable storage devices of claim 6, the operations further comprising:
    - subsequent to sending the warning, determining a probability that the at least one trustee is operating on behalf of the account holder; and
      
      using a processor of the one or more devices associated with the service executing processor-executable instructions to determine whether to send the respective account recovery code to the trustee based at least in part on the determined probability.

10. A method, comprising:
- under control of one or more processors of one or more devices associated with a first entity specifically configured with executable instructions,receiving, from an account holder of an account with the first entity, identification of a plurality of second entities as trustees for an account recovery process, the account having initial access information for accessing the account, the account recovery process for recovering access to the account;
  
  subsequent to the initiation of the account recovery process, transmitting, by the one or more devices associated with the first entity, a respective account recovery code to at least two of the plurality of second entities identified as trustees for the account, the respective account recovery codes being distinct from one another;
  
  receiving, from the account holder over a network, at least a predefined number of distinct account recovery codes of the account recovery codes, andverifying, by the one or more devices associated with the first entity, the account holder at least in part in response to the receiving of at least the predefined number of distinct account recovery codes of the account recovery codes from the account holder, the predefined number of the distinct account recovery codes being at least two, the account recovery process not recovering the initial access information.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The method of claim 10, wherein verifying the account holder based at least in part on receipt of at least the predefined number of the distinct account recovery codes from the account holder comprises receiving at least three of the distinct account recovery codes from the account holder, each of the at least three account recovery codes having been transmitted to a respective one of at least three separate trustees for the account.
  - 12. The method of claim 10, wherein receiving, from the account holder of the account, identification of the plurality of second entities as trustees for the account recovery process comprises receiving identification of at least three second entities as trustees for the account recovery process.
  - 13. The method of claim 10, further comprising transmitting a notification with the account recovery codes that the trustees are to deliver the account recovery codes to the account holder by using one or more specified communication mediums, the one or more specified communication mediums including at least a telephone call.
  - 14. The method of claim 10, further comprising transmitting a notification with the account recovery codes that the trustees are not to deliver the account recovery codes to the account holder by using one or more specified communication mediums, the one or more specified communication mediums including at least electronic mail.
  - 15. The method of claim 10, further comprising,during the account recovery process, receiving a request from each of at least two of the plurality of second entities identified as a trustee for the account for a respective account recovery code;
    - andfor each trustee requesting an account recovery code;
      
      transmitting a verification form to the trustee for authentication;
      
      receiving the verification form from the trustee after the verification form is completed by the trustee;
      
      identifying the trustee by comparing the verification form as completed by the trustee with information stored in a database;
      
      transmitting a code to authenticate the trustee to a pre-identified contact destination;
      
      receiving the code from the trustee to authenticate the trustee;
      
      transmitting a query to the trustee;
      
      receiving a response to the query from the trustee; and
      
      transmitting the respective account recovery code to the trustee for delivery to the account holder.
  - 16. The method of claim 10, wherein the respective account recovery codes are generated by the one or more devices associated with the first entity.
  - 17. The method of claim 10, wherein the receiving, from the account holder over the network, at least the predefined number of distinct account recovery codes of the account recovery codes comprises:
    - providing a user interface by which to receive at least the predefined number of distinct account recovery codes; and
      
      receiving, over the network, the distinct account recovery codes received by the user interface.

18. One or more computer-readable storage devices storing computer-executable instructions that, when executed, configure a computer to perform acts comprising:
- receiving, from an account holder of an account with a remote service, identification of a plurality of entities as trustees for an account recovery process, the account having initial access information for accessing the account, the account recovery process for recovering access to the account with the remote service;
  
  subsequent to the initiation of the account recovery process, transmitting, by one or more devices associated with the remote service, a respective account recovery code to each of at least two of the plurality of entities identified as trustees for the account, the respective account recovery codes being distinct from one another;
  
  receiving, by the one or more devices associated with the remote service, at least a predefined number of distinct account recovery codes from the account holder over a network, andverifying, by the one or more devices associated with the remote service, the account holder at least in part in response to the receiving of at least the predefined number of distinct account recovery codes of the account recovery codes from the account holder, the predefined number of the distinct account recovery codes being at least two;
  
  based at least in part on the verifying the account holder, providing account recovery information to the account holder, the account recovery process not recovering the initial access information and the account recovery information being different from the initial access information.
- View Dependent Claims (19, 20, 21)
- - 19. The one or more computer-readable storage devices of claim 18, wherein the respective account recovery codes are generated by one or more devices associated with the entity.
  - 20. The one or more computer-readable storage devices of claim 18, wherein the receiving at least the predefined number of distinct account recovery codes of the account recovery codes comprises:
    - providing a user interface by which to receive at least the predefined number of distinct account recovery codes; and
      
      receiving, by the one or more devices associated with the remote service over the network, the distinct account recovery codes received by the user interface.
  - 21. The one or more computer-readable storage devices of claim 18, wherein the remote service comprises an online service.

22. A method comprising:
- under control of one or more processors of one or more devices associated with a service specifically configured with executable instructions,receiving, by the one or more devices associated with the service, a request from at least one trustee of a plurality of trustees for a respective account recovery code, the respective account recovery code for use by an account holder in conjunction with other account recovery codes sent to other trustees of the plurality of trustees during an account recovery process to recover access to an account of the account holder with the service, the plurality of trustees being designated by the account holder as trustees for the account recovery process, the account having initial access information for accessing the account and the account recovery process not recovering the initial access information;
  
  transmitting a query to the at least one trustee, the query related to a manner in which the account holder requested the at least one trustee obtain the respective account recovery code;
  
  receiving a response to the query from the at least one trustee; and
  
  sending, by the one or more devices associated with the service, a warning message to the at least one trustee to enhance security based at least in part on at least one answer provided in the response to the query, wherein the warning message is configured to provide the at least one trustee with information to assist at least in part in determining whether or not to proceed with the acquisition of the respective account recovery code.
- View Dependent Claims (23, 24, 25, 26, 27, 28)
- - 23. The method of claim 22, the acts further comprising:
    - prior to transmitting the query,transmitting a verification form to the at least one trustee for authentication;
      
      receiving the verification form from the at least one trustee after the verification form is completed by the at least one trustee;
      
      transmitting a code to authenticate the at least one trustee to a pre-identified contact destination;
      
      receiving the code from the at least one trustee to authenticate the at least one trustee.
  - 24. The method of claim 23, the acts further comprising:
    - subsequent to sending the warning, determining a probability that the at least one trustee is operating on behalf of the account holder; and
      
      using a processor of the one or more devices associated with the service executing processor-executable instructions to determine whether to send the respective account recovery code to the trustee based at least in part on the determined probability.
  - 25. The method of claim 22, wherein if the account holder discovers an unauthorized attempt to obtain a first account recovery code before all of the account recovery codes have been received, the account holder aborts the acquisition of the remaining account recovery codes.
  - 26. The method of claim 22, wherein if the at least trustee decides to proceed with the acquisition of the respective account recovery code after receiving the warning message, the at least one trustee electronically signs the warning message and transmits the signed warning message providing authorization to proceed.
  - 27. The method of claim 22, wherein if the at least one trustee decides not to proceed with the acquisition of the respective account recovery code after receiving the warning message, the at least one trustee aborts the acquisition of the respective account recovery code.
  - 28. The method of claim 23, wherein receiving a code to authenticate the at least one of the trustees further comprises checking the code against a database record created to track the at least one of the trustees.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Schechter, Stuart, Reeder, Robert Wilson
Primary Examiner(s)
VOSTAL, ONDREJ C

Application Number

US12/466,246
Publication Number

US 20100293600A1
Time in Patent Office

1,972 Days
Field of Search

726/4, 726/26, 726/27, 709/229, 709/230
US Class Current

726/4
CPC Class Codes

G06F 16/00   Information retrieval; Data...

G06F 21/31   User authentication

G06F 21/41   where a single sign-on prov...

G06F 2221/2131   Lost password, e.g. recover...

G06Q 10/00   Administration; Management

G06Q 50/265   Personal security, identity...

H04L 15/06   with a restricted number of...

H04L 51/18   Commands or executable codes

H04L 63/08   for authentication of entit...

H04L 63/083   using passwords cryptograph...

H04L 63/10   for controlling access to d...

H04L 9/321   involving a third party or ...

H04L 9/3226   using a predetermined code,...

H04L 9/40   Network security protocols

H04M 1/665   by checking the validity of...

H04M 1/673   the user being required to ...

H04M 1/675   the user being required to ...

H04M 1/727   Identification code transfe...

H04M 2215/0156   Secure and trusted billing,...

H04M 3/382   using authorisation codes o...

H04N 5/9208 : involving the use of subcodes

H04W 12/06 : Authentication

View All

Social authentication for account recovery

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

175 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Social authentication for account recovery

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

175 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links