Techniques for user authentication

US 9,178,866 B2
Filed: 12/01/2014
Issued: 11/03/2015
Est. Priority Date: 12/30/2011
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

receiving, by a configured computing system, an authentication request to access a network resource on behalf of an indicated user;

determining, by the configured computing system, whether an attribute associated with the authentication request matches stored information previously associated with the indicated user;

generating, by the configured computing system and based at least in part on the determining, an authorization code that is based on a defined security credential for the indicated user, wherein the generating includes determining to use a higher level of strength for the generated authorization code if the attribute does not match the stored information and otherwise to use a lower level of strength for the generated authorization code by selecting a subset of the security credential that is less than all of the security credential to use as the generated authorization code;

providing, by the configured computing system, instructions to the indicated user regarding supplying the generated authorization code to obtain access to the network resource;

receiving, by the configured computing system, the generated authorization code from the indicated user in response to the provided instructions; and

authorizing the access to the network resource based at least in part on the received generated authorization code.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for user authentication are disclosed. In some situations, the techniques include receiving, from a client device, an authentication request to access a network resource, the request including a user identifier, obtaining a security credential associated with the user identifier contained in the received request, generating an authorization code based on the obtained security credential, providing to the client device instructions to obtain first information corresponding to the generated authorization code, receiving, from the client device, the first information provided in response to the provided instructions, and, when the first information received from the client device corresponds to at least a portion of the generated authorization code, authorizing the client device to access the network resource.

Citations

22 Claims

1. A computer-implemented method comprising:
- receiving, by a configured computing system, an authentication request to access a network resource on behalf of an indicated user;
  
  determining, by the configured computing system, whether an attribute associated with the authentication request matches stored information previously associated with the indicated user;
  
  generating, by the configured computing system and based at least in part on the determining, an authorization code that is based on a defined security credential for the indicated user, wherein the generating includes determining to use a higher level of strength for the generated authorization code if the attribute does not match the stored information and otherwise to use a lower level of strength for the generated authorization code by selecting a subset of the security credential that is less than all of the security credential to use as the generated authorization code;
  
  providing, by the configured computing system, instructions to the indicated user regarding supplying the generated authorization code to obtain access to the network resource;
  
  receiving, by the configured computing system, the generated authorization code from the indicated user in response to the provided instructions; and
  
  authorizing the access to the network resource based at least in part on the received generated authorization code.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The computer-implemented method of claim 1 wherein the attribute is a network being used by a client device of the indicated user, and wherein the determining is whether the network is an internal network associated with the configured computing system.
  - 3. The computer-implemented method of claim 1 wherein the attribute is a geographical location of the indicated user, and wherein the determining is whether the geographical location is within a defined geographical area previously associated with the indicated user.
  - 4. The computer-implemented method of claim 1 wherein the attribute is information about a client device being used by the indicated user, wherein the stored information previously associated with the indicated user is a user profile from previous registration activities of the indicated user, and wherein the determining is whether the information about the client device matches device information included in the user profile.
  - 5. The computer-implemented method of claim 1 wherein the stored information previously associated with the indicated user includes information about one or more client devices previously used by the indicated user to access the network resource, wherein the attribute is information about a current client device of the indicated user, and wherein the determining includes determining whether the current client device matches one of the previously used one or more client devices.
  - 6. The computer-implemented method of claim 1 wherein the stored information previously associated with the indicated user includes information about one or more time of day periods during which the indicated user previously accessed the network resource, wherein the attribute is a current time of day, and wherein the determining includes determining whether the current time of day matches one of the one or more time of day periods.
  - 7. The computer-implemented method of claim 1 wherein the stored information previously associated with the indicated user includes a user profile that has information previously supplied by the indicated user.
  - 8. The computer-implemented method of claim 1 wherein the determining includes determining that the attribute does match the stored information, and wherein the generating of the authorization code includes selecting the generated authorization code to be the subset of the security credential.
  - 9. The computer-implemented method of claim 8 wherein the security credential includes a plurality of characters, and wherein the selected generated authorized code includes one or more characters of the plurality and excludes at least one character of the plurality.
  - 10. The computer-implemented method of claim 8 wherein the security credential includes a plurality of numerical digits, and wherein the selected generated authorized code includes one or more numerical digits of the plurality and excludes at least one numerical digit of the plurality.
  - 11. The computer-implemented method of claim 8 wherein the security credential includes a plurality of words, wherein the selected generated authorized code is selected to be at a weak strength that includes one or more words of the plurality and excludes at least one word of the plurality, and wherein the authorizing of the access includes providing the indicated user with the access to the network resource.
  - 12. The computer-implemented method of claim 8 wherein the providing of the instructions includes providing information to enable the indicated user to identify a portion of the security credential that is selected to be the subset.
  - 13. The computer-implemented method of claim 8 wherein the receiving of the generated authorization code from the indicated user includes receiving the subset of the security credential but not receiving all of the security credential.
  - 14. The computer-implemented method of claim 1 wherein the determining includes determining that the attribute does not match the stored information, and wherein the generating of the authorization code includes the using the higher level of strength by selecting the generated authorization code to include some or all of the security credential.
  - 15. The computer-implemented method of claim 14 wherein the selecting of the generated authorization code to include some or all of the security credential includes selecting the generated authorization code to be at a strong strength level that includes all of the security credential.
  - 16. The computer-implemented method of claim 14 wherein the security credential is defined for the user before the receiving of the authentication request, wherein the selecting of the generated authorization code to include some or all of the security credential includes selecting, to be the generated authorization code, a second subset of the security credential that is a different length than the subset of the security credential for the lower level of strength.
  - 17. The computer-implemented method of claim 1 further comprising determining, by the configured computing system, whether the authentication request is part of a specified type of task, and wherein the generating of the authorization code further includes determining whether to use the higher level of strength or the lower level of strength based in part on whether the authentication request is determined to be part of the specified type of task.
  - 18. The computer-implemented method of claim 1 wherein the stored information is part of a stored user profile for the indicated user, wherein the method further comprising determining, by the configured computing system, a quantity of multiple attributes associated with the authentication request to match to the stored user profile, and wherein the generating of the authorization code further includes determining whether to use the higher level of strength or the lower level of strength based in part on whether the determined quantity of multiple attributes associated with the authentication request are determined to match the stored user profile.

19. A computer system comprising:
- at least one processor; and
  
  at least one memory having computer-executable instructions that, when executed on the at least one processor, cause the at least one processor to;
  
  receive, from a client device of a user, an authentication request to access a network resource on behalf of the user;
  
  determine that an attribute associated with the authentication request matches information associated with the user;
  
  generate, based at least in part on the determining, an authorization code for the user using a security credential, wherein the generating includes selecting one of multiple levels of strength to use for the generated authorization code based on the attribute being determined to match the information and further includes selecting, based on the selected one level of strength, a subset of the security credential that is less than all of the security credential to use for the generated authorization code;
  
  provide, to the client device, instructions regarding the user supplying the generated authorization code;
  
  receive, from the client device, the generated authorization code; and
  
  authorize the access to the network resource based at least in part on the received generated authorization code.
- View Dependent Claims (20)
- - 20. The computer system of claim 19 wherein the selected one level of strength is weaker than a second strength level of the multiple levels of strength that applies if the attribute associated with the authentication request does not match the information associated with the user, and wherein the computer-executable instructions further cause the at least one processor to:
    - receive, from a second client device of a second user, a second authentication request to access the network resource on behalf of the second user;
      
      determine that a second attribute associated with the second authentication request does not match information previously associated with the second user;
      
      generate, based at least in part on the determining, a second authorization code using a second security credential that is defined for the second user before the receiving of the second authentication request, wherein the generating includes selecting the second strength level to use for the generated second authorization code based on the second attribute being determined to not match the information previously associated with the second user and further includes selecting, based on the selected second strength level, to use all of the second security credential for the generated second authorization code;
      
      provide, to the second client device, instructions regarding the second user supplying the generated second authorization code;
      
      receive, from the second client device, the generated second authorization code; and
      
      authorize and provide the access to the network resource for the second user based at least in part on the received generated second authorization code.

21. A non-transitory computer-readable medium having computer-executable instructions stored thereon that, when executed by a computer, configure the computer to:
- determine, by the configured computer and for a request for a user to access a network resource, that an attribute associated with the request matches information associated with the user;
  
  generate, by the configured computer and based at least in part on the determining, an authorization code for the user using a security credential, wherein the generating includes selecting one of multiple levels of strength to use for the generated authorization code based on the attribute being determined to match the information and further includes selecting, based on the selected one level of strength, a subset of the security credential that is less than all of the security credential to use for the generated authorization code;
  
  provide, by the configured computer, instructions to the user regarding supplying the generated authorization code;
  
  receive, by the configured computer, the generated authorization code from the user; and
  
  authorize the access to the network resource based at least in part on the received generated authorization code.
- View Dependent Claims (22)
- - 22. The non-transitory computer-readable medium of claim 21 wherein the selected one level of strength is lower than a second strength level of the multiple levels of strength that applies if the attribute associated with the request does not match the information associated with the user, and wherein the computer-executable instructions further configure the computer to:
    - receive a second request for a second user to access a second network resource;
      
      determine, by the configured computer, that a second attribute associated with the second request does not match information previously associated with the second user;
      
      generate, by the configured computer and based at least in part on the determining, a second authorization code using a second security credential that is defined for the second user before the receiving of the second request, wherein the generating includes selecting the second strength level to use for the generated second authorization code based on the second attribute being determined to not match the information previously associated with the second user and further includes selecting, based on the selected second strength level, to use all of the second security credential for the generated second authorization code;
      
      provide, by the configured computer to a client device of the second user, instructions to the second user regarding supplying the generated second authorization code;
      
      receive, by the configured computer, the generated second authorization code from the client device of the second user; and
      
      authorize and provide, by the configured computer, the access to the second network resource for the second user based at least in part on the received generated second authorization code.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Brezinski, Dominique I., Kirzhner, Benjamin S., Buneci, Emilia S., O'Reilly, Martin M., Durgin, Cyrus J., LaRue, Lane R.
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Tran, Tongoc

Application Number

US14/557,222
Publication Number

US 20150089616A1
Time in Patent Office

337 Days
Field of Search

726/2, 726/5, 726/7, 713/168, 713/183, 713/184
US Class Current

1/1
CPC Class Codes

G06F 21/31   User authentication

G06F 21/32   using biometric data, e.g. ...

G06F 21/42   using separate channels for...

G06F 2221/2103   Challenge-response

G07C 9/38   with central registration

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

Techniques for user authentication

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Techniques for user authentication

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links