Secure authentication systems and methods

US 9,306,938 B2
Filed: 02/25/2014
Issued: 04/05/2016
Est. Priority Date: 04/25/2002
Status: Active Grant

First Claim

Patent Images

1. A method for user authentication performed by a system comprising a processor and a non-transitory computer-readable storage medium storing instructions that, when executed by the processor, cause the system to perform the method, the method comprising:

receiving a login request from a user attempting to access a resource;

determining whether the user possesses a cookie indicating that the user has been previously authenticated;

if the user possesses the cookie;

receiving a username/password pair associated with the user,determining whether the username/password pair is valid, andselectively granting the user access to the resource if the username/password pair is valid; and

if the user does not possess the cookie;

receiving a username/password pair associated with the user,determining whether the username/password pair is valid, andrequesting one or more responses to a first Reverse Turing Test (RTT) regardless of whether the username/password pair is valid.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are provided for authentication by combining a Reverse Turing Test (RTT) with password-based user authentication protocols to provide improved resistance to brute force attacks. In accordance with one embodiment of the invention, a method is provided for user authentication, the method including receiving a username/password pair associated with a user; requesting one or more responses to a first Reverse Turing Test (RTT); and granting access to the user if a valid response to the first RTT is received and the username/password pair is valid.

15 Citations

View as Search Results

18 Claims

1. A method for user authentication performed by a system comprising a processor and a non-transitory computer-readable storage medium storing instructions that, when executed by the processor, cause the system to perform the method, the method comprising:
- receiving a login request from a user attempting to access a resource;
  
  determining whether the user possesses a cookie indicating that the user has been previously authenticated;
  
  if the user possesses the cookie;
  
  receiving a username/password pair associated with the user,determining whether the username/password pair is valid, andselectively granting the user access to the resource if the username/password pair is valid; and
  
  if the user does not possess the cookie;
  
  receiving a username/password pair associated with the user,determining whether the username/password pair is valid, andrequesting one or more responses to a first Reverse Turing Test (RTT) regardless of whether the username/password pair is valid.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising:
    - if the user does not possess the cookie;
      
      receiving one or more responses to the first RTT, andselectively granting the user access to the resource if the username/password pair is valid and the one or more responses to the first RTT are valid.
  - 3. The method of claim 1, wherein a time between performing the step of receiving a username/password pair and performing the step of requesting one or more responses to a first RTT is substantially the same regardless of whether the username/password pair is valid.
  - 4. The method of claim 1, wherein the first RTT comprises at least one of:
    - a deterministic function of the valid username/pas sword pair;
      
      a non-deterministic function of the valid username/pas sword pair; and
      
      a random function.
  - 5. The method of claim 1, further comprising preventing the user from accessing the resource for a predetermined period of time after receiving an invalid response to the first RTT.
  - 6. The method of claim 1, further comprising receiving one or more responses to the first RTT from the user, wherein the one or more responses to the first RTT are provided by the user using a touch screen.
  - 7. The method of claim 1, further comprising increasing the difficulty of the first RTT based on the number of received invalid username/password pairs.
  - 8. The method of claim 1, wherein determining whether the user possesses the cookie comprises retrieving the cookie from a server.
  - 9. The method of claim 1, wherein determining whether the user possesses the cookie comprises determining whether the cookie is stored on a device associated with the user.

10. A method for authenticating a user for access to a resource performed by a system comprising a processor and a non-transitory computer-readable storage medium storing instructions that, when executed by the processor, cause the system to perform the method, the method comprising:
- obtaining personal information associated with a user attempting to access the resource;
  
  determining whether the personal information is valid;
  
  requesting one or more responses to a first Reverse Turing Test (RTT), regardless of whether the personal information is valid; and
  
  selectively granting the user access to the resource only if the personal information is valid and one or more responses to the first RTT are valid.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The method of claim 10, wherein the personal information is entered manually by the user.
  - 12. The method of claim 10, wherein the personal information is obtained from a cookie associated with the user.
  - 13. The method of claim 10, wherein the first RTT comprises at least one of:
    - a deterministic function of the personal information;
      
      a non-deterministic function of the personal information; and
      
      a random function.
  - 14. The method of claim 10, wherein the system comprises at least one of:
    - an Internet-enabled personal digital assistant (PDA);
      
      a cellular telephone;
      
      a personal computer;
      
      a server-side computer;
      
      a web-browser;
      
      a client-side computer; and
      
      a television set-top box.
  - 15. The method of claim 10, wherein the method further comprises notifying the user if the user gives an invalid response to the first RTT.
  - 16. The method of claim 10, wherein the method further comprises preventing the user from accessing the resource for a predetermined period of time after receiving an invalid response to the first RTT.
  - 17. The method of claim 10, wherein the first RTT comprises an image on which the user is instructed to locate certain characters.
  - 18. The method of claim 17, wherein the user is instructed to locate the certain characters using a touch screen display.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intertrust Technologies Corporation (Fidelio Acquisition Co LLC)
Original Assignee
Intertrust Technologies Corporation (Fidelio Acquisition Co LLC)
Inventors
Pinkas, Binyamin, Sander, Tomas
Primary Examiner(s)
Kim, Tae
Assistant Examiner(s)
Gao, Shu Chun

Application Number

US14/189,152
Publication Number

US 20140196135A1
Time in Patent Office

770 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/34   involving the use of extern...

G06F 21/36   by graphic or iconic repres...

G06F 21/6218   to a system of files or obj...

H04L 63/0815   providing single-sign-on or...

H04L 63/083   using passwords cryptograph...

H04L 63/105   Multiple levels of security

H04L 63/12   Applying verification of th...

H04L 63/1458   Denial of Service

Secure authentication systems and methods

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

15 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Secure authentication systems and methods

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

15 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links