Knowledge-based authentication based on tracked credential usage
First Claim
1. A method comprising:
tracking credential usage of an end-user on one or more end-user devices by a cloud-based authentication service executing by a server computing system;
receiving, at the cloud-based authentication service over a first connection between the server computing system and a relying party website, a credential request for credentials associated with the end-user for the relying party website, wherein the end-user no longer has authentication credentials for access to the relying party website;
issuing, by the cloud-based authentication service over a second connection between the server computing system and a first end-user device of the one or more end-user devices, a dynamic knowledge-based (KB) challenge to the end-user on the first end-user device, wherein the dynamic KB challenge is based on the tracked credential usage of the end user, wherein at least a portion of the dynamic KB challenge comprises information from the credential usage that is not site-centric to the relying party website;
receiving, at the cloud-based authentication service over the second connection, a response to the dynamic KB challenge from the end-user; and
sending temporary credentials over the first connection to the relying party website for the end-user when the response is validated.
Abstract
A method and apparatus for knowledge-based authentication by a cloud-based authentication service are described. A cloud-based authentication service is to track credential usage of an end-user at the cloud-based authentication service. The authentication service receives a credential request for credentials associated with the end-user from a relying party website. The end-user no longer has authentication credentials for access to the relying party website. The authentication service issues a dynamic knowledge-based (KB) challenge to the end-user, the dynamic KB challenge being based on at least some of the tracked credential usage of the end-user. The authentication service receives a response to the dynamic KB challenge from the end-user and sends temporary credentials to the relying party for the end-user when the response is validated.
Claims (20)

1. A method comprising:
tracking credential usage of an end-user on one or more end-user devices by a cloud-based authentication service executing by a server computing system;
receiving, at the cloud-based authentication service over a first connection between the server computing system and a relying party website, a credential request for credentials associated with the end-user for the relying party website, wherein the end-user no longer has authentication credentials for access to the relying party website;
issuing, by the cloud-based authentication service over a second connection between the server computing system and a first end-user device of the one or more end-user devices, a dynamic knowledge-based (KB) challenge to the end-user on the first end-user device, wherein the dynamic KB challenge is based on the tracked credential usage of the end user, wherein at least a portion of the dynamic KB challenge comprises information from the credential usage that is not site-centric to the relying party website;
receiving, at the cloud-based authentication service over the second connection, a response to the dynamic KB challenge from the end-user; and
sending temporary credentials over the first connection to the relying party website for the end-user when the response is validated.
(Dependent claims 2, 3, 4, 5, 6, 7, 8, 9, 10.)

11. A computing system comprising:
a memory; and
a processor coupled with the memory to execute a cloud-based authentication service to:
track credential usage of an end-user on one or more end-user devices by a cloud-based authentication service executing by a server computing system;
receive, at the cloud-based authentication service over a first connection between the server computing system and a relying party website, a credential request for credentials associated with the end-user for the relying party website, wherein the end-user no longer has authentication credentials for access to the relying party website;
issue, by the cloud-based authentication service over a second connection between the server computing system and a first end-user device of the one or more end-user devices, a dynamic knowledge-based (KB) challenge to the end-user on the first end-user device, wherein the dynamic KB challenge is based on the tracked credential usage of the end user, wherein at least a portion of the dynamic KB challenge comprises information from the credential usage that is not site-centric to the relying party website;
receive, at the cloud-based authentication service over the second connection, a response to the dynamic KB challenge from the end-user; and
send temporary credentials over the first connection to the relying party website for the end-user when the response is validated.
(Dependent claims 12, 13, 14, 15.)

16. A non-transitory computer readable storage medium including instructions that, when executed by a processor, cause the processor to perform operations comprising:
tracking credential usage of an end-user on one or more end-user devices by a cloud-based authentication service executing by a server computing system;
receiving, at the cloud-based authentication service over a first connection between the server computing system and a relying party website, a credential request for credentials associated with the end-user for the relying party website, wherein the end-user no longer has authentication credentials for access to the relying party website;
issuing, by the cloud-based authentication service over a second connection between the server computing system and a first end-user device of the one or more end-user devices, a dynamic knowledge-based (KB) challenge to the end-user on the first end-user device, wherein the dynamic KB challenge is based on the tracked credential usage of the end user, wherein at least a portion of the dynamic KB challenge comprises information from the credential usage that is not site-centric to the relying party website;
receiving, at the cloud-based authentication service over the second connection, a response to the dynamic KB challenge from the end-user; and
sending temporary credentials over the first connection to the relying party website for the end-user when the response is validated.
(Dependent claims 17, 18, 19, 20.)
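The following is an added toy model of the flow the independent claims describe; it is illustrative code written for this page, not code from the patent or its assignee. It models the three parties in the claims: tracked credential usage feeding the service, a credential request arriving from a relying party (the "first connection"), and a dynamic KB challenge issued to and answered from one end-user device (the "second connection"), after which temporary credentials go back to the relying party. The challenge is built only from usage that is not site-centric to the requesting relying party, as claim 1 requires. Everything else is an assumption: the class and function names, the multiple-choice question format, the constructed decoy sites, the time-to-live values, and the extra hardening (challenges are single-use, bound to the device they were issued to, and expire; temporary credentials are bound to one relying party and expire) that the claims do not spell out.

```python
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class UsageEvent:
    """One tracked credential use: which user signed in to which site from which device."""
    user: str
    device: str
    site: str
    ts: float


@dataclass
class Challenge:
    """A dynamic KB challenge issued to one end-user device (the 'second connection')."""
    challenge_id: str
    user: str
    device: str
    relying_party: str
    question: str
    options: list
    expected: str      # correct answer, kept server-side and never sent to the device
    expires_at: float


@dataclass
class TemporaryCredential:
    """What the service hands to the relying party over the 'first connection'."""
    user: str
    relying_party: str
    token: str
    expires_at: float


# Constructed decoy sites (assumption) so the challenge is not a one-option quiz.
DECOY_SITES = ("news.example", "travel.example", "games.example")


class CloudAuthService:
    """Hypothetical cloud-based authentication service implementing the claimed flow."""

    def __init__(self, challenge_ttl=120.0, cred_ttl=300.0):
        self._usage = []        # tracked UsageEvent records
        self._pending = {}      # challenge_id -> Challenge awaiting a response
        self._issued = {}       # token -> TemporaryCredential
        self._challenge_ttl = challenge_ttl
        self._cred_ttl = cred_ttl

    def track_usage(self, user, device, site, ts):
        """Record that `user` used credentials for `site` from `device` at time `ts`."""
        self._usage.append(UsageEvent(user, device, site, ts))

    def request_credentials(self, relying_party, user, device, now):
        """Relying party asks for credentials of a user who no longer holds any for it.
        The challenge is built only from usage that is NOT site-centric to that relying party."""
        history = [e for e in self._usage if e.user == user and e.site != relying_party]
        if not history:
            raise LookupError("no usage outside the relying party to build a challenge from")
        latest = max(history, key=lambda e: e.ts)
        known = {e.site for e in history}
        options = sorted((known | set(DECOY_SITES)) - {relying_party})
        ch = Challenge(
            challenge_id=secrets.token_urlsafe(16), user=user, device=device,
            relying_party=relying_party,
            question="Which of these sites did you most recently sign in to?",
            options=options, expected=latest.site,
            expires_at=now + self._challenge_ttl,
        )
        self._pending[ch.challenge_id] = ch
        return ch

    def respond(self, challenge_id, device, answer, now):
        """Validate the end-user's response; on success issue temporary credentials for
        the relying party. Challenges are single-use, device-bound and time-limited."""
        ch = self._pending.pop(challenge_id, None)   # pop first: one attempt per challenge
        if ch is None or now > ch.expires_at or device != ch.device:
            return None
        if answer != ch.expected:                    # multiple choice: plain equality suffices
            return None
        cred = TemporaryCredential(ch.user, ch.relying_party,
                                   secrets.token_urlsafe(32), now + self._cred_ttl)
        self._issued[cred.token] = cred
        return cred

    def verify_temporary_credential(self, token, relying_party, now):
        """Relying-party check of a received token: bound to that party, and expiring."""
        cred = self._issued.get(token)
        return (cred is not None and cred.relying_party == relying_party
                and now <= cred.expires_at)
```

Two design points worth noting. Popping the challenge before checking the answer means a wrong, late or wrong-device response burns the challenge rather than leaving it open for retries, so the KB question cannot be brute-forced by repeated guesses. Excluding the relying party's own site from both the answer and the option list keeps the challenge "not site-centric" in the claim's sense: someone who only knows the user's history with that one site learns nothing useful from it.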
Specification