Efficiently throttling user authentication
First Claim
1. At a computer system including at least one processor, a computer-implemented method for efficiently authenticating users while preventing enumeration attacks, the method comprising:
an act of receiving one or more login credentials at a specified time;
an act of dynamically generating a variable delay for the login attempt based on the time the login credentials were received, the length of the variable delay being variable and dynamically generated to ensure that login access responses are sent after the same amount of time has elapsed since the login credentials were received regardless of which login access determination is made, the generated delay accounting for the amount of time taken by the processor to make at least one login access determination, the generated delay ensuring that each response message is returned at substantially the same elapsed time since the login credentials were received; and
upon application of the dynamically generated variable delay, an act of returning the same response message regardless of which login access determination is made, the response message indicating that the login credentials are invalid.
2 Assignments
0 Petitions
Abstract
In an embodiment, an administrative computer system receives user login credentials from a user and makes at least one of the following determinations: that the user identifier does not match any existing user account, that the user identifier matches at least one existing user account, but that the user's account is in a locked state, or that the user identifier matches at least one existing user account, but the user's password does not match the user identifier. The administrative computer system then returns to the user the same response message regardless of which determination is made. The response indicates that the user's login credentials are invalid. The response also prevents the user from determining which of the credentials was invalid, as the response message is the same for each determination and is sent to the user after a measured response time that is the same for each determination.
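The following is an added example, not code from the patent or its assignee, showing one way to implement the mechanism the abstract describes: the three failure determinations (unknown user, locked account, wrong password) all yield one identical response message, and each response is returned at the same elapsed time since the credentials were received, using a delay computed from the time the determination itself consumed. The user store, salt, passwords, target response time and PBKDF2 iteration count are constructed values for the demonstration.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass

# Added example, not the patent's own code. Assumed parameters: a fixed target
# response time and a small PBKDF2 iteration count so the example runs quickly.
TARGET_RESPONSE_SECONDS = 0.20
INVALID_RESPONSE = "The login credentials are invalid."
PBKDF2_ITERATIONS = 10_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


# Constructed user store: username -> (salt, password hash, account locked?)
_SALT = b"constructed-static-salt-for-demo"
USERS = {
    "alice": (_SALT, _hash_password("correct horse", _SALT), False),
    "bob":   (_SALT, _hash_password("battery staple", _SALT), True),
}
# Compared against when the user does not exist, so the determination step does
# roughly the same work on every path even before the delay is applied.
_DUMMY_HASH = _hash_password("dummy", _SALT)


def determine(username: str, password: str) -> str:
    """Classify the attempt: 'no_such_user', 'locked', 'bad_password' or 'ok'."""
    record = USERS.get(username)
    if record is None:
        hmac.compare_digest(_hash_password(password, _SALT), _DUMMY_HASH)
        return "no_such_user"
    salt, digest, locked = record
    password_ok = hmac.compare_digest(_hash_password(password, salt), digest)
    if not password_ok:
        return "bad_password"
    if locked:
        return "locked"
    return "ok"


@dataclass
class LoginResponse:
    success: bool
    message: str
    elapsed: float  # seconds between receipt of the credentials and the response


def authenticate(username: str, password: str) -> LoginResponse:
    received_at = time.monotonic()  # the "specified time" at which credentials arrive
    determination = determine(username, password)
    # Dynamically generated variable delay: whatever remains of the target after
    # the time the determination consumed. If a determination ever takes longer
    # than the target, the delay is zero and the fixed-time property is lost, so
    # the target must sit above the worst-case determination cost.
    spent = time.monotonic() - received_at
    time.sleep(max(0.0, TARGET_RESPONSE_SECONDS - spent))
    elapsed = time.monotonic() - received_at
    if determination == "ok":
        return LoginResponse(True, "Login successful.", elapsed)
    # Same message for every failure determination.
    return LoginResponse(False, INVALID_RESPONSE, elapsed)


def failure_timing_spread() -> float:
    """Largest difference in elapsed time across the three failure determinations."""
    attempts = [("mallory", "x"), ("bob", "battery staple"), ("alice", "wrong")]
    times = [authenticate(u, p).elapsed for u, p in attempts]
    return max(times) - min(times)


if __name__ == "__main__":
    cases = [("mallory", "x"), ("bob", "battery staple"),
             ("alice", "wrong"), ("alice", "correct horse")]
    for user, pw in cases:
        r = authenticate(user, pw)
        print(f"{user:8} success={str(r.success):5} elapsed={r.elapsed:.3f}s  {r.message}")
    print(f"spread across failure paths: {failure_timing_spread() * 1000:.1f} ms")
```

Two points in the design are worth noting. First, the password hash is computed on every path, including the unknown-user path, so the determination cost is similar before the delay is applied; the delay then absorbs the remaining variation. Second, the delay is computed from the receipt timestamp rather than being a fixed sleep, which is what makes the response time independent of which determination was made.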
17 Citations
20 Claims
1. (Independent claim; text set out in full above under First Claim. Dependent claims: 2, 3, 4, 5, 6, 7.)

8. A computer program product for implementing a method for providing login error messages while preventing enumeration attacks, the computer program product comprising one or more computer-readable storage media having stored thereon computer-executable instructions that, when executed by one or more processors of a computing system, cause the computing system to perform the method, the method comprising:
an act of sending login credentials to an authentication server at a specified time; and
an act of receiving a response message from the authentication server indicating that the login credentials are invalid, the authentication server having dynamically generated a variable delay for the login attempt based on the time the login credentials were received at the authentication server, the length of the variable delay being variable and dynamically generated to ensure that login access responses are sent after the same amount of time has elapsed since the login credentials were received regardless of which determination is made, the generated delay accounting for the amount of time taken by the authentication server to make at least one login access determination, the generated delay ensuring that each response message is returned at substantially the same elapsed time since the login credentials were received.
(Dependent claims: 9, 10, 11, 12, 13, 14, 15, 16.)

17. A computer system comprising the following:
one or more processors;
one or more computer-readable storage media having stored thereon computer-executable instructions that, when executed by the one or more processors, cause the computing system to efficiently authenticate users while preventing enumeration attacks, the computing system caused to:
receive one or more login credentials at a specified time;
dynamically generate a variable delay for the login attempt based on the time the login credentials were received, the length of the variable delay being variable and dynamically generated to ensure that login access responses are sent after the same amount of time has elapsed since the login credentials were received regardless of which login access determination is made, the generated delay accounting for the amount of time taken by the processor to make at least one login access determination, the generated delay ensuring that each response message is returned at substantially the same elapsed time since the login credentials were received; and
in response to application of the dynamically generated variable delay, return the same response message regardless of which login access determination is made, the response message indicating that the login credentials are invalid.
(Dependent claims: 18, 19, 20.)
Specification