Efficiently throttling user authentication

US 9,098,689 B2
Filed: 11/12/2014
Issued: 08/04/2015
Est. Priority Date: 02/01/2012
Status: Active Grant

First Claim

Patent Images

1. At a computer system including at least one processor, a computer-implemented method for efficiently authenticating users while preventing enumeration attacks, the method comprising:

an act of receiving one or more login credentials at a specified time;

an act of dynamically generating a variable delay for the login attempt based on the time the login credentials were received, the length of the variable delay being variable and dynamically generated to ensure that login access responses are sent after the same amount of time has elapsed since the login credentials were received regardless of which login access determination is made, the generated delay accounting for the amount of time taken by the processor to make at least one login access determination, the generated delay ensuring that each response message is returned at substantially the same elapsed time since the login credentials were received; and

upon application of the dynamically generated variable delay, an act of returning the same response message regardless of which login access determination is made, the response message indicating that the login credentials are invalid.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In an embodiment, an administrative computer system receives user login credentials from a user and makes at least one of the following determinations: that the user identifier does not match any existing user account, that the user identifier matches at least one existing user account, but that the user'"'"'s account is in a locked state, or that the user identifier matches at least one existing user account, but the user'"'"'s password does not match the user identifier. The administrative computer system then returns to the user the same response message regardless of which determination is made. The response indicates that the user'"'"'s login credentials are invalid. The response also prevents the user from determining which of the credentials was invalid, as the response message is the same for each determination and is sent to the user after a measured response time that is the same for each determination.

17 Citations

View as Search Results

20 Claims

1. At a computer system including at least one processor, a computer-implemented method for efficiently authenticating users while preventing enumeration attacks, the method comprising:
- an act of receiving one or more login credentials at a specified time;
  
  an act of dynamically generating a variable delay for the login attempt based on the time the login credentials were received, the length of the variable delay being variable and dynamically generated to ensure that login access responses are sent after the same amount of time has elapsed since the login credentials were received regardless of which login access determination is made, the generated delay accounting for the amount of time taken by the processor to make at least one login access determination, the generated delay ensuring that each response message is returned at substantially the same elapsed time since the login credentials were received; and
  
  upon application of the dynamically generated variable delay, an act of returning the same response message regardless of which login access determination is made, the response message indicating that the login credentials are invalid.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the response messages are stored without storing state information for non-existing accounts.
  - 3. The method of claim 1, further comprising tracking the number of failed login attempts for each user.
  - 4. The method of claim 3, further comprising:
    - an act of determining that the number of failed login attempts is greater than a predefined maximum number; and
      
      an act of placing the user'"'"'s account in a locked state for a specified amount of time, wherein the user is prevented from logging in while the user'"'"'s account is in the locked state.
  - 5. The method of claim 3, further comprising:
    - an act of determining that the number of failed login attempts is not greater than a predefined maximum number; and
      
      an act of incrementing a failed login attempt counter associated with the user by one, wherein the user is not informed of the incremented counter and wherein the user'"'"'s account is locked upon the failed login attempt counter reaching a predefined maximum value.
  - 6. The method of claim 1, further comprising:
    - an act of the processor making at least one of the following determinations;
      
      determining that a user identifier that is part of the login credentials does not match any existing user account;
      
      determining that the user identifier matches at least one existing user account, but the user'"'"'s account is in a locked state; and
      
      determining that the user identifier matches at least one existing user account, but that a password that is part of the login credentials does not match the user identifier.
  - 7. The method of claim 1, wherein the response message prevents a determination of which of the credentials was invalid, as the response message is the same for each login access determination and is sent after a measured response time that is the same for each determination.

8. A computer program product for implementing a method for providing login error messages while preventing enumeration attacks, the computer program product comprising one or more computer-readable storage media having stored thereon computer-executable instructions that, when executed by one or more processors of a computing system, cause the computing system to perform the method, the method comprising:
- an act of sending login credentials to an authentication server at a specified time; and
  
  an act of receiving a response message from the authentication server indicating that the login credentials are invalid, the authentication server having dynamically generated a variable delay for the login attempt based on the time the login credentials were received at the authentication server, the length of the variable delay being variable and dynamically generated to ensure that login access responses are sent after the same amount of time has elapsed since the login credentials were received regardless of which determination is made, the generated delay accounting for the amount of time taken by the authentication server to make at least one login access determination, the generated delay ensuring that each response message is returned at substantially the same elapsed time since the login credentials were received.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16)
- - 9. The computer program product of claim 8, wherein a cookie is created on the client computer system to track one or more portions of information associated with the user'"'"'s login attempts.
  - 10. The computer program product of claim 9, wherein at least one of the portions of information associated with the user'"'"'s login attempts comprises a failed login attempt counter.
  - 11. The computer program product of claim 10, further comprising:
    - an act of accessing the cookie on the client computer system to determine whether the number of failed login attempts is greater than a predefined maximum number; and
      
      upon determining that the number of failed login attempts is not greater than a predefined maximum number, an act of incrementing the failed login attempt counter by one.
  - 12. The computer program product of claim 11, wherein the processing of the cookie on the client computer system prevents the user from gaining knowledge that the account has been locked out by looking at the cookie in the response message.
  - 13. The computer program product of claim 10, further comprising:
    - an act of accessing the cookie on the client computer system to determine whether the number of failed login attempts is greater than a predefined maximum number; and
      
      upon determining that the number of failed login attempts is greater than a predefined maximum number, an act of displaying a message to the user indicating that the user'"'"'s account has been locked out.
  - 14. The computer program product of claim 8, wherein a failed login attempt counter is stored in hypertext markup language (HTML) local storage on the client computer system.
  - 15. The computer program product of claim 14, further comprising:
    - an act of accessing the failed login attempt counter in the HTML local storage to determine whether the number of failed login attempts is greater than a predefined maximum number; and
      
      upon determining that the number of failed login attempts is not greater than a predefined maximum number, an act of incrementing the failed login attempt counter in the HTML local storage by one.
  - 16. The computer program product of claim 14, further comprising:
    - an act of accessing the failed login attempt counter in the HTML local storage to determine whether the number of failed login attempts is greater than a predefined maximum number; and
      
      upon determining that the number of failed login attempts is greater than a predefined maximum number, an act of displaying a message to the user indicating that the user'"'"'s account has been locked out.

17. A computer system comprising the following:
- one or more processors;
  
  one or more computer-readable storage media having stored thereon computer-executable instructions that, when executed by the one or more processors, causes the computing system to efficiently authenticate users while preventing enumeration attacks, the computing system caused to;
  
  receive one or more login credentials at a specified time;
  
  dynamically generate a variable delay for the login attempt based on the time the login credentials were received, the length of the variable delay being variable and dynamically generated to ensure that login access responses are sent after the same amount of time has elapsed since the login credentials were received regardless of which login access determination is made, the generated delay accounting for the amount of time taken by the processor to make at least one login access determination, the generated delay ensuring that each response message is returned at substantially the same elapsed time since the login credentials were received; and
  
  in response to application of the dynamically generated variable delay, return the same response message regardless of which login access determination is made, the response message indicating that the login credentials are invalid.
- View Dependent Claims (18, 19, 20)
- - 18. The computer system of claim 17, further being caused to:
    - track the number of failed login attempts for each user;
      
      determine that the number of failed login attempts is greater than a predefined maximum number; and
      
      place the user'"'"'s account in a locked state for a specified amount of time, wherein the user is prevented from logging in while the user'"'"'s account is in the locked state.
  - 19. The computer system of claim 17, further comprising:
    - track the number of failed login attempts for each user;
      
      determine that the number of failed login attempts is not greater than a predefined maximum number; and
      
      increment a failed login attempt counter associated with the user by one.
  - 20. The computer system of claim 17, further comprising:
    - make at least one of the following determinations;
      
      determine that a user identifier that is part of the login credentials does not match any existing user account;
      
      determine that the user identifier matches at least one existing user account, but the user'"'"'s account is in a locked state; and
      
      determine that the user identifier matches at least one existing user account, but that a password that is part of the login credentials does not match the user identifier.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Gordon, Ariel, Lundeen, Richard Allen
Primary Examiner(s)
Najjar, Saleh
Assistant Examiner(s)
Plotkin, Jason

Application Number

US14/539,004
Publication Number

US 20150058959A1
Time in Patent Office

265 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 21/31   User authentication

G06F 21/45   Structures or tools for the...

G06F 21/56   Computer malware detection ...

G06F 2221/2135   Metering

H04L 63/08   for authentication of entit...

H04L 63/083   using passwords cryptograph...

H04L 63/10   for controlling access to d...

H04L 63/1425   Traffic logging, e.g. anoma...

H04W 12/06   Authentication

H04W 12/082   using revocation of authori...

Efficiently throttling user authentication

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

17 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Efficiently throttling user authentication

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

17 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links