Knowledge-based authentication for restricting access to mobile devices

US 9,131,374 B1
Filed: 03/30/2012
Issued: 09/08/2015
Est. Priority Date: 02/24/2012
Status: Active Grant

First Claim

Patent Images

1. In a mobile apparatus, a method of restricting access to resources stored in a storage device of the mobile apparatus, comprising:

generating, by a processor of the mobile apparatus, a set of knowledge-based authentication (KBA) questions based on data stored in the storage device of the mobile apparatus;

receiving, by the processor via an input device of the mobile apparatus, a request for a user to be granted access to the resources stored in the storage device of the mobile apparatus;

in response to receiving the request, presenting, by the processor via an output device of the mobile apparatus, questions of the set of KBA questions to the user;

obtaining, by the processor via the input device, answers from the user to the questions; and

performing, by the processor, a KBA operation configured to produce an authentication result from the answers, the user being granted or denied access to the resources based on the authentication result;

wherein generating the set of KBA questions includes, for each of the set of KBA questions, store a timestamp corresponding to the time at which that KBA question was generated;

wherein presenting the questions of the set of KBA questions to the user includes selecting the questions according to differences between the time at which the request was received and the timestamps corresponding to the times at which the KBA questions of the set of KBA questions were generated; and

wherein a fixed number of questions is selected.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An improved technique employs knowledge-based authentication (KBA) based on data stored in a mobile apparatus. The mobile apparatus collects data from sources including email data, web browsing data, accessed YouTube video data, and GPS location data recently stored in the mobile apparatus. From such data, the mobile apparatus builds questions and stores the questions on a database on the phone. Upon receiving a request to access a resource stored in the mobile apparatus from a user, the mobile apparatus selects questions at random and ranks them according to a policy accessible to the mobile apparatus. The mobile apparatus presents the highest-ranked questions to the user. The mobile apparatus grants or rejects access to the resource based on an authentication result that the mobile apparatus generates from answers to the questions submitted by the user.

29 Citations

View as Search Results

23 Claims

1. In a mobile apparatus, a method of restricting access to resources stored in a storage device of the mobile apparatus, comprising:
- generating, by a processor of the mobile apparatus, a set of knowledge-based authentication (KBA) questions based on data stored in the storage device of the mobile apparatus;
  
  receiving, by the processor via an input device of the mobile apparatus, a request for a user to be granted access to the resources stored in the storage device of the mobile apparatus;
  
  in response to receiving the request, presenting, by the processor via an output device of the mobile apparatus, questions of the set of KBA questions to the user;
  
  obtaining, by the processor via the input device, answers from the user to the questions; and
  
  performing, by the processor, a KBA operation configured to produce an authentication result from the answers, the user being granted or denied access to the resources based on the authentication result;
  
  wherein generating the set of KBA questions includes, for each of the set of KBA questions, store a timestamp corresponding to the time at which that KBA question was generated;
  
  wherein presenting the questions of the set of KBA questions to the user includes selecting the questions according to differences between the time at which the request was received and the timestamps corresponding to the times at which the KBA questions of the set of KBA questions were generated; and
  
  wherein a fixed number of questions is selected.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method according to claim 1,wherein the set of KBA questions is stored in the storage device of the mobile apparatus;
    - wherein each KBA question of the set of KBA questions includes a value of a Time-To-Live (TTL) parameter;
      
      wherein the method further comprises;
      
      removing a KBA question from the storage device when a value of the time elapsed since the KBA question was generated exceeds the value of the TTL parameter of the KBA question.
  - 3. The method according to claim 2,wherein presenting the questions of the set of KBA questions to the user includes:
    - storing, in a location in memory of the mobile apparatus, selected questions of the KBA apparatus, the selected questions being selected from the set of KBA questions according to a policy accessible to the mobile apparatus; and
      
      sending the selected questions to the user.
  - 4. The method according to claim 3,wherein the policy includes rules configured to control i) permissions regarding categories of KBA questions allowed to be sent to the user, and ii) a level of difficulty associated with the KBA questions sent to the user, the rules being generated by the processor of the mobile apparatus, andwherein presenting the questions of the set of KBA questions to the user further includes:
    - applying the policy to the set of KBA questions to produce the selected questions.
  - 5. The method according to claim 4,wherein the policy further includes additional rules configured to control permissions regarding additional categories of KBA questions allowed to be sent to the user, the additional rules being generated by an electronic computing system remote from the mobile apparatus, andwherein presenting the questions of the set of KBA questions to the user further includes:
    - receiving information associated with the additional rules via a network interface of the mobile apparatus.
  - 6. The method according to claim 3,wherein the mobile apparatus further includes a trigger configured to create events in the mobile apparatus,wherein the data stored in the storage device of the mobile apparatus includes event data produced upon an occurrence of an event created by the trigger, andwhere the method further comprises:
    - collecting event data upon the occurrence of the event.
  - 7. The method according to claim 6,wherein the trigger includes a global positioning system (GPS) device,wherein the event is location data derived from the GPS device corresponding to a particular location, andwherein collecting the event data upon the occurrence of the event includes:
    - receiving, as the event data, mobile apparatus location data derived from the GPS device.
  - 8. The method according to claim 7,wherein the trigger further includes a gyroscopic device,wherein the event is a speed associated with motion of the mobile apparatus detected by the gyroscope exceeding a threshold speed, andwherein collecting the event data upon the occurrence of the event further includes:
    - receiving, as the event data, mobile apparatus path data derived from the GPS device and the gyroscopic device.
  - 9. The method according to claim 6,wherein the trigger includes a web browser,wherein the event is the web browser accessing a particular website, andwherein collecting the event data upon the occurrence of the event includes:
    - receiving, as the event data, facts derived from the particular website.
  - 10. The method according to claim 3, further comprising:
    - performing a feedback operation on the answers to the selected questions, output of the feedback operation forming input data on which the policy is based.
  - 11. The method according to claim 1, further comprising,for each of the set of KBA questions, storing a ranking value in the storage device of the mobile apparatus corresponding to that KBA question, the ranking value corresponding to a KBA question indicating a likelihood that (i) the user is an authorized user of the mobile device given that the user provided a correct answer to the KBA question and (ii) the user is not an authorized user of the mobile device given that the user provided an incorrect answer to the KBA question;
    - andwherein presenting the questions of the set of KBA questions to the user includes selecting the fixed number of KBA questions of the set of KBA questions for presentation to the user, the ranking values corresponding to the fixed number of KBA questions being greater than or equal to the ranking values corresponding to other KBA questions of the set of KBA questions.
  - 12. The method according to claim 11, wherein the data stored in the storage device of the mobile apparatus includes public data and private data, the public data representing information that may be exposed to the user prior to granting the user access to the resources, the private data representing information that is not to be exposed to the user prior to granting the user access to the resources, andwherein storing the ranking value in the storage device of the mobile apparatus corresponding to each of the set of KBA questions includes:
    - storing a first ranking value corresponding to a KBA question of the set of KBA questions that was generated based on public data only, andstoring a second ranking value corresponding to a KBA question of the set of KBA questions that was generated based on private data, the second ranking value being less than the first ranking value.

13. A mobile apparatus, comprising:
- a storage device;
  
  an input device;
  
  an output device;
  
  memory; and
  
  a controller including controlling circuitry coupled to the memory, the controlling circuitry being constructed and arranged to;
  
  generate a set of knowledge-based authentication (KBA) questions based on data stored in the storage device of the mobile apparatus;
  
  receive, via the input device, a request for a user to be granted access to the resources stored in the storage device of the mobile apparatus;
  
  in response to receiving the request, present, via the output device, questions of the set of KBA questions to the user;
  
  obtain, via the input device, answers from the user to the questions; and
  
  perform a KBA operation configured to produce an authentication result from the answers, the user being granted or denied access to the resources based on the authentication result;
  
  wherein the controlling circuitry constructed and arranged to generate the set of KBA questions is further constructed and arranged to, for each of the set of KBA questions, store a timestamp corresponding to the time at which that KBA question was generated;
  
  wherein the controlling circuitry constructed and arranged to present the questions of the set of KBA questions to the user is further constructed and arranged to select the questions according to differences between the time at which the request was received and the timestamps corresponding to the times at which the KBA questions of the set of KBA questions were generated; and
  
  wherein a fixed number of questions is selected.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21)
- - 14. The mobile apparatus according to claim 13,wherein the set of KBA questions is stored in the storage device of the mobile apparatus;
    - wherein each KBA question of the set of KBA questions includes a value of a Time-To-Live (TTL) parameter;
      
      wherein the controlling circuitry is further constructed and arranged to;
      
      remove a KBA question from the storage device when a value of the time elapsed since the KBA question was generated exceeds the value of the TTL parameter of the KBA question.
  - 15. The mobile apparatus according to claim 14,wherein the controlling circuitry constructed and arranged to present the questions of the set of KBA questions to the user is further constructed and arranged to:
    - store, in a location in memory of the mobile apparatus, selected questions of the KBA apparatus, the selected questions being selected from the set of KBA questions according to a policy accessible to the mobile apparatus; and
      
      send the selected questions to the user.
  - 16. The mobile apparatus according to claim 15,wherein the policy includes rules configured to control i) permissions regarding categories of KBA questions allowed to be sent to the user, and ii) a level of difficulty associated with the KBA questions sent to the user, the rules being generated by the processor of the mobile apparatus, andwherein the controlling circuitry constructed and arranged to present the questions of the set of KBA questions to the user is further constructed and arranged to:
    - apply the policy to the set of KBA questions to produce the selected questions.
  - 17. The mobile apparatus according to claim 16,wherein the mobile apparatus further comprises:
    - a network interface,wherein the policy further includes additional rules configured to control permissions regarding additional categories of KBA questions allowed to be sent to the user, the additional rules being generated by an electronic computing system remote from the mobile apparatus, andwherein the controlling circuitry constructed and arranged to present the questions of the set of KBA questions to the user is further constructed and arranged to;
      
      receive information associated with the additional rules.
  - 18. The mobile apparatus according to claim 15,wherein the mobile apparatus further includes a trigger configured to create events in the mobile apparatus,wherein the data stored in the storage device of the mobile apparatus includes event data produced upon an occurrence of an event created by the trigger, andwhere the controlling circuitry is further constructed and arranged to:
    - collect event data upon the occurrence of the event.
  - 19. The mobile apparatus according to claim 18,wherein the trigger includes a global positioning system (GPS) device,wherein the event is location data derived from the GPS device corresponding to a particular location, andwherein the controlling circuitry constructed and arranged to collect the event data upon the occurrence of the event is further constructed and arranged to:
    - receive, as the event data, mobile apparatus location data derived from the GPS device.
  - 20. The mobile apparatus according to claim 19,wherein the trigger further includes a gyroscopic device,wherein the event is a speed associated with motion of the mobile apparatus detected by the gyroscope exceeding a threshold speed, andwherein the controlling circuitry constructed and arranged to collect the event data upon the occurrence of the event is further constructed and arranged to:
    - receive, as the event data, mobile apparatus path data derived from the GPS device and the gyroscopic device.
  - 21. The mobile apparatus according to claim 18,wherein the trigger includes a web browser,wherein the event is the web browser accessing a particular website, andwherein the controlling circuitry constructed and arranged to collect the event data upon the occurrence of the event is further constructed and arranged to:
    - receive, as the event data, facts derived from the particular website.

22. In a mobile apparatus, a computer program product having a non-transitory, computer-readable storage medium which stores code to restrict access to resources stored in a storage device of the mobile apparatus, the code including instructions to:
- generate a set of knowledge-based authentication (KBA) questions based on data stored in the storage device of the mobile apparatus;
  
  receive, via an input device of the mobile apparatus, a request for a user to be granted access to the resources stored in the storage device of the mobile apparatus;
  
  in response to receiving the request, present, via an output device of the mobile apparatus, questions of the set of KBA questions to the user;
  
  obtain, via the input device, answers from the user to the questions; and
  
  perform a KBA operation configured to produce an authentication result from the answers, the user being granted or denied access to the resources based on the authentication result;
  
  wherein generating the set of KBA questions includes, for each of the set of KBA questions, store a timestamp corresponding to the time at which that KBA question was generated; and
  
  wherein presenting the questions of the set of KBA questions to the user includes selecting the questions according to differences between the time at which the request was received and the timestamps corresponding to the times at which the KBA questions of the set of KBA questions were generated; and
  
  wherein a fixed number of questions is selected.

23. In a mobile apparatus, a method of restricting access to a resource stored in a storage device of the mobile apparatus, comprising:
- generating, by a processor of the mobile apparatus, a set of knowledge-based authentication (KBA) questions based on data stored in the storage device of the mobile apparatus;
  
  receiving, by the processor, a request for a user to be granted access to the resource;
  
  in response to receiving the request, presenting, by the processor, a question of the set of KBA questions to the user;
  
  obtaining, by the processor, an answer from the user to the question; and
  
  performing, by the processor, a KBA operation configured to produce an authentication result from the answer, the authentication result indicating whether the user is an authorized user of the mobile device;
  
  wherein generating the set of KBA questions includes storing a timestamp corresponding to a time at which a KBA question of the set of KBA questions was generated; and
  
  wherein presenting the question to the user includes selecting the KBA question according to a difference between (i) a time at which the request was received and (ii) the time at which the KBA question was generated;
  
  wherein a single question is selected.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
EMC Corporation (Dell Technologies Inc.)
Inventors
Avni, Ayelet, Levin, Ayelet, Knauss, Bryan, Dotan, Yedidya
Primary Examiner(s)
Traore, Fatoumata
Assistant Examiner(s)
LE, KHOI V

Application Number

US13/434,991
Time in Patent Office

1,257 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 2209/80   Wireless network architectu...

H04L 9/3271   using challenge-response

H04L 9/3297   involving time stamps, e.g....

H04W 12/06   Authentication

H04W 12/08   Access security

H04W 12/30   Security of mobile devices;...

H04W 12/37   Managing security policies ...

H04W 12/63   Location-dependent; Proximi...

H04W 88/02   Terminal devices

Knowledge-based authentication for restricting access to mobile devices

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

29 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Knowledge-based authentication for restricting access to mobile devices

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

29 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links