Evidence-based dynamic scoring to limit guesses in knowledge-based authentication

US 9,124,431 B2
Filed: 05/14/2009
Issued: 09/01/2015
Est. Priority Date: 05/14/2009
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

memoryone or more processors;

one or more modules stored in the memory and executable by the one or more processors to perform operations comprising;

receiving an input from a user in response to a personal question, the input being different than a stored answer of the personal question;

determining, by a computing device including one or more processors, whether the input is a lexicon or semantically similar to a previous input by the user;

assigning a score to the input based on a comparison between the input and previously stored inputs from other users in response to questions related to the personal question;

reducing the score if the input is determined to be the lexicon or semantically similar to the previous input;

summing the score with previous scores of the session to create a total score for the session; and

transmitting another request for a correct input in response to a determination that the total score for the session satisfies a threshold, wherein a number of times that the user is allowed to attempt a correct input to the personal question is dynamically adjusted based at least in part on the total score for the session.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques to provide evidence-based dynamic scoring to limit guesses in knowledge based authentication are disclosed herein. In some aspects, an authenticator may receive an input from a user in response to a presentation of a personal question that enables user access to a restricted resource. The authenticator may determine that the input is not equivalent to a stored value, and thus is an incorrect input. The authenticator may then determine whether the input is similar to a previous input received from the user. A score may be assigned to the input. When the input is determined to be similar to the previous input, the score may be reduced. Another request for an input may be transmitted by the authenticator when a sum of the score and any previous scores of the session is less than a threshold.

178 Citations

20 Claims

1. A system comprising:
- memoryone or more processors;
  
  one or more modules stored in the memory and executable by the one or more processors to perform operations comprising;
  
  receiving an input from a user in response to a personal question, the input being different than a stored answer of the personal question;
  
  determining, by a computing device including one or more processors, whether the input is a lexicon or semantically similar to a previous input by the user;
  
  assigning a score to the input based on a comparison between the input and previously stored inputs from other users in response to questions related to the personal question;
  
  reducing the score if the input is determined to be the lexicon or semantically similar to the previous input;
  
  summing the score with previous scores of the session to create a total score for the session; and
  
  transmitting another request for a correct input in response to a determination that the total score for the session satisfies a threshold, wherein a number of times that the user is allowed to attempt a correct input to the personal question is dynamically adjusted based at least in part on the total score for the session.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The system as recited in claim 1, wherein the determining whether the input is the lexicon includes:
    - calculating an edit distance between the input and the previous input;
      
      comparing the edit distance to an edit distance threshold; and
      
      designating the input as the lexicon if the edit distance satisfies the edit distance threshold.
  - 3. The system as recited in claim 1, wherein determining whether the input is semantically similar includes:
    - searching a semantic database using the input to generate a search output;
      
      determining whether the previous input is included in the search output; and
      
      designating the input as semantically similar to the previous input if the previous input is included in the search output.
  - 4. The system as recited in claim 1, wherein the determining whether the input is the lexicon or semantically similar to the previous input also includes determining whether the input is the lexicon or semantically similar to the stored answer, and reducing the score if the input is determined to be the lexicon or semantically similar to the stored answer.
  - 5. The system as recited in claim 1, wherein the score is assigned to the session in part based on a popularity of the input.
  - 6. The system as recited in claim 1, wherein the input is a user login password.

7. One or more storage devices storing computer-executable instructions that, when executed on one or more processors, causes the one or more processors to perform acts comprising:
- receiving an input from a user during a session in response to an authentication question;
  
  comparing the input to a stored answer of the authentication question;
  
  assigning, based on the comparing, a score to the input;
  
  determining whether the input is at least one of a lexicon match or a semantic match with a previous input by the user;
  
  reducing the score if the input is determined to be at least one of the lexicon match or the semantic match;
  
  after reducing the score, summing the score with one or more previous scores to create a total score for the session; and
  
  transmitting an additional request for an additional input to a user device in response to a determination that the total score for the session satisfies a threshold value, wherein a number of times that the user is allowed to attempt a correct input to the authentication question is dynamically adjusted based at least in part on the total score for the session.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14)
- - 8. The one or more storage devices as recited in claim 7, wherein the assigning the score to the input comprises assigning the score based on a popularity of the input as compared to a distribution of inputs received from other users in response to questions associated with the authentication question.
  - 9. The one or more storage devices as recited in claim 7, wherein the score includes a previous input score associated with the previous input and a received input score associated with the input, and wherein the reducing the score includes reducing the score of a lower of the previous input score and the received input score.
  - 10. The one or more storage devices as recited in claim 7, wherein the determining whether the input is the lexicon match includes:
    - calculating an edit distance;
      
      comparing the edit distance to a threshold; and
      
      designating the input as the lexicon match if the edit distance satisfies the threshold.
  - 11. The one or more storage devices as recited in claim 10, wherein the reducing the score is based on the edit distance.
  - 12. The one or more storage devices as recited in claim 7, wherein the determining whether the input is the semantic match includes:
    - searching a semantic database using the input to generate a search output;
      
      determining whether the previous input is included in the search output; and
      
      designating the received input as the semantic match to the previous input if the previous input is included in the search output.
  - 13. The one or more storage devices as recited in claim 12, wherein the semantic database includes at least one of a thesaurus, a geographical database, or a user input database.
  - 14. The one or more storage devices as recited in claim 7, wherein the previous input is restricted to a previous login attempt.

15. A method comprising:
- receiving, by one or more servers, a new answer to a personal question;
  
  analyzing, using the one or more servers, received answers to the personal question to create an answer distribution of received answers;
  
  dynamically updating, using the one or more servers, a question list by removing the personal question from the question list in response to determining that the answer distribution of the received answers is less than a predetermined value.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The method as recited in claim 15, further comprising:
    - comparing, using the one or more servers, the new answer to the answer distribution of received answers;
      
      designating, using the one or more servers, the new answer as a popular answer in response to determining that an occurrence of the new answer in the answer distribution satisfies a popularity threshold;
      
      rejecting, using the one or more servers, the new answer; and
      
      transmitting, using the one or more servers, a request for another new answer.
  - 17. The method as recited in claim 16, wherein the request for the another new answer includes a request for a more specific answer than the new answer.
  - 18. The method as recited in claim 15, wherein the answer distribution of received answers includes answers used to establish the new answer to the personal question.
  - 19. The method as recited in claim 15, further comprising discontinuing use of the personal question if the new answer is designated as a popular answer.
  - 20. The method as recited in claim 19, wherein discontinuing use of the personal question includes removing the personal question from a list of selectable personal questions.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Schechter, Stuart, Rouskov, Yordan I., Herley, Cormac E., Kaufman, Charles William
Primary Examiner(s)
Vostal, O. C.

Application Number

US12/466,257
Publication Number

US 20100293608A1
Time in Patent Office

2,301 Days
Field of Search

726/5
US Class Current

1/1
CPC Class Codes

G06F 21/31   User authentication

G06F 40/247   Thesauruses; Synonyms

G06F 40/30   Semantic analysis

H04L 45/028   Dynamic adaptation of the u...

H04L 9/3218   using proof of knowledge, e...

H04L 9/3226   using a predetermined code,...

Evidence-based dynamic scoring to limit guesses in knowledge-based authentication

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

178 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Evidence-based dynamic scoring to limit guesses in knowledge-based authentication

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

178 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others