Safe auto-login links in notification emails
Abstract
A web application user is authenticated directly upon selecting a link in a notification email. In this approach, the user's web browser stores a first data string provided by the web application (e.g., in a cookie) during a prior session. The first data string encodes first data about the user that can be verified by the application. Later, the user receives the notification email that includes the link. The link encodes a second data string from which second data about the user can be verified by the application. When the end user selects the link, an authentication request is transmitted to the application. The authentication request includes both the first and second data strings. If both the first data and the second data (as obtained from their respective data strings) can be verified, the user is authenticated without having to perform any additional steps (e.g., manual entry of credentials).
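The flow in the abstract, sketched as an added example that is not code from the patent: the cookie carries one share of a per-user secret plus a tag over it, the emailed link carries the other share, and login succeeds only when both arrive together. Assumptions: a 2-of-2 XOR split serves as the secret sharing scheme, HMAC-SHA256 stands in for the digital signature, the server keeps share 2 and a hash of the secret in `RECORDS`, links are single-use, and all function names are hypothetical.

```python
import base64, hashlib, hmac, secrets

SERVER_KEY = secrets.token_bytes(32)  # assumption: key known only to the application
RECORDS = {}                          # assumption: user_id -> (share2, SHA-256 of secret)

def _enc(b):
    return base64.urlsafe_b64encode(b).decode().rstrip("=")

def _dec(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _tag(user_id, share):
    # HMAC stands in for the claim's digital signature (stdlib has no asymmetric signing)
    return hmac.new(SERVER_KEY, user_id.encode() + b"|" + share, hashlib.sha256).digest()

def set_cookie(user_id):
    """Prior session: return the first data string (share 1 plus its tag)."""
    secret, share1 = secrets.token_bytes(32), secrets.token_bytes(32)
    RECORDS[user_id] = (_xor(secret, share1), hashlib.sha256(secret).digest())
    return ".".join([user_id, _enc(share1), _enc(_tag(user_id, share1))])

def make_link(user_id):
    """Notification time: return the second data string (share 2) for the URL."""
    return _enc(RECORDS[user_id][0])

def authenticate(cookie, link_token):
    """Return the user id if both strings verify, else None."""
    try:
        user_id, s1, sig = cookie.rsplit(".", 2)
        share1, tag, share2 = _dec(s1), _dec(sig), _dec(link_token)
    except ValueError:
        return None
    if not hmac.compare_digest(tag, _tag(user_id, share1)):
        return None                       # first data: signature check failed
    record = RECORDS.get(user_id)
    if record is None or len(share1) != 32 or len(share2) != 32:
        return None
    secret = _xor(share1, share2)         # recombine the two shares
    if not hmac.compare_digest(hashlib.sha256(secret).digest(), record[1]):
        return None                       # shares do not reconstruct this user's secret
    del RECORDS[user_id]                  # assumption: each link is single-use
    return user_id
```

A forwarded or intercepted email yields only share 2, which fails without the matching cookie from the recipient's own browser.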
20 Claims
1. A method to authenticate a user of an application executing on a computing machine from a notification message that includes a resource locator, comprising:
- providing a first data string from which first data about the user can be obtained and verified by the application, the first data string including the first data and its digital signature;
- providing the notification message that includes the resource locator, the resource locator including a second data string from which second data about the user can be obtained and verified by the application, wherein the first data and the second data are each shares of a secret defined by a secret sharing scheme;
- receiving, as an authentication request and as a result of the user having selected the resource locator in the notification message, the first data string and the second data string; and
- determining, without additional user input, whether the first data and the second data can be verified, wherein a determination regarding the first data includes verifying the digital signature;
- when the first data and the second data are verified, authenticating the user to the application executing on the computing machine.
Dependent claims: 2, 3, 4, 5, 6, 7
8. Apparatus, comprising:
- a processor;
- a data store;
- non-transitory computer memory holding computer program instructions executed by the processor to authenticate a user of an application executing on a computing machine from a notification message that includes a resource locator by:
- providing a first data string from which first data about the user can be obtained and verified by the application, the first data string including the first data and its digital signature;
- providing the notification message that includes the resource locator, the resource locator including a second data string from which second data about the user can be obtained and verified by the application, wherein the first data and the second data are each shares of a secret defined by a secret sharing scheme;
- receiving, as an authentication request and as a result of the user having selected the resource locator in the notification message, the first data string and the second data string; and
- determining, without additional user input, whether the first data and the second data can be verified, wherein a determination regarding the first data includes verifying the digital signature;
- when the first data and the second data are verified, authenticating the user to the application executing on the computing machine.
Dependent claims: 9, 10, 11, 12, 13, 14
15. A computer program product in a non-transitory computer readable storage medium for use in a data processing system, the computer program product holding computer program instructions which, when executed by the data processing system, perform a method to authenticate a user of an application executing on a computing machine from a notification message that includes a resource locator, the method comprising:
- providing a first data string from which first data about the user can be obtained and verified by the application, the first data string including the first data and its digital signature;
- providing the notification message that includes the resource locator, the resource locator including a second data string from which second data about the user can be obtained and verified by the application, wherein the first data and the second data are each shares of a secret defined by a secret sharing scheme;
- receiving, as an authentication request and as a result of the user having selected the resource locator in the notification message, the first data string and the second data string; and
- determining, without additional user input, whether the first data and the second data can be verified, wherein a determination regarding the first data includes verifying the digital signature;
- when the first data and the second data are verified, authenticating the user to the application executing on the computing machine.
Dependent claims: 16, 17, 18, 19, 20
Specification