Using trusted devices to augment location-based account protection

US 9,449,156 B2
Filed: 10/01/2012
Issued: 09/20/2016
Est. Priority Date: 10/01/2012
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented process performed by an authentication process for a service accessible over a computer network, comprising:

receiving information identifying a user, a first device from which the user is currently accessing the service, and a geographic location in which the first device is currently being used, into memory;

determining whether the geographic location of the first device is among a set of authorized locations, from which the user has previously accessed the service, and stored for the user for the service;

determining whether the first device has a relationship previously established with the service being accessed, the relationship being a kind of relationship in which the service communicates with a device that is known and trusted by the service;

in response to a determination that the first device has the relationship established with the service being accessed, adding the geographic location in which the first device is currently being used to the stored set of authorized locations for the user and allowing the first device to access the service from the geographic location in which the first device is currently being used;

receiving information identifying a user, a second device, different from the first device, and a geographic location in which the second device is currently being used, into memory; and

determining whether the geographic location of the second device is among the set of authorized locations stored for the user for the service being accessed as updated according to the geographic location of the first device; and

in response to a determination that the geographic location of the second device is among the set of authorized locations stored for the user as updated according to the geographic location of the first device, allowing access to the service through the second device.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An authentication process receives information identifying a user, a device used by the user and a location in which the device is being used. That authentication process determines whether the location is among a set of familiar locations stored about the user for a service being accessed. If the location is not among the set of familiar locations, then the user is not authenticated. A desirable user experience can be obtained by using information about any existing relationship, such as a synchronization relationship, between the device and the service established at a prior familiar location. Instead of challenging a user whose device is in an unfamiliar location, the authentication process determines whether the device has a relationship established with the service. If the device has a relationship established with the service, then the set of familiar locations is updated to include the location in which the device is being used.

Citations

17 Claims

1. A computer-implemented process performed by an authentication process for a service accessible over a computer network, comprising:
- receiving information identifying a user, a first device from which the user is currently accessing the service, and a geographic location in which the first device is currently being used, into memory;
  
  determining whether the geographic location of the first device is among a set of authorized locations, from which the user has previously accessed the service, and stored for the user for the service;
  
  determining whether the first device has a relationship previously established with the service being accessed, the relationship being a kind of relationship in which the service communicates with a device that is known and trusted by the service;
  
  in response to a determination that the first device has the relationship established with the service being accessed, adding the geographic location in which the first device is currently being used to the stored set of authorized locations for the user and allowing the first device to access the service from the geographic location in which the first device is currently being used;
  
  receiving information identifying a user, a second device, different from the first device, and a geographic location in which the second device is currently being used, into memory; and
  
  determining whether the geographic location of the second device is among the set of authorized locations stored for the user for the service being accessed as updated according to the geographic location of the first device; and
  
  in response to a determination that the geographic location of the second device is among the set of authorized locations stored for the user as updated according to the geographic location of the first device, allowing access to the service through the second device.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The computer-implemented process of claim 1, further comprising:
    - in response to a determination that the first device does not have the relationship established with the service being accessed, and a determination that the geographic location of the first device is not among the set of authorized locations stored for the user, signaling a security event.
  - 3. The computer-implemented process of claim 1, further comprising:
    - in response to a determination that the geographic location of the second device is not among the set of authorized locations stored for the user as updated according to the geographic location of the first device, not allowing the second device to access the service from the geographic location.
  - 4. The computer-implemented process of claim 3, further comprising:
    - in response to a determination that the geographic location of the second device is not among the set of authorized locations stored for the user as updated according to the geographic location of the first device, prompting the user of the second device for additional information to authenticate the user.
  - 5. The computer-implemented process of claim 1, further comprising:
    - receiving a request from the second device to establish the relationship with the service being accessed; and
      
      determining whether the geographic location of the second device is among the set of authorized locations stored for the user for the service being accessed; and
      
      signaling a security event in response to determinations that the second device is unsuccessful in establishing the relationship with the service from the geographic location and that the geographic location of the second device is not among the set of authorized locations stored for the user for the service.
  - 6. The computer-implemented process of claim 1, further comprising:
    - receiving a request from the second device to establish the relationship with the service being accessed; and
      
      determining whether the geographic location of the second device is among the set of authorized locations stored for the user for the service being accessed; and
      
      in response to determinations that the second device is successful in establishing the relationship with the service from the geographic location and that the geographic location is not among the set of authorized locations, adding the geographic location in which the second device is currently being used to the set of authorized locations for the user.

7. An article of manufacture comprising:
- a computer storage medium including at least one of a memory and a storage device;
  
  computer program instructions stored on the computer storage medium which, when processed by a processing device, instruct the processing device to perform an authentication process for a service accessible over a computer network, comprising;
  
  receiving information identifying a user, a first device from which the user is currently accessing the service, and a geographic location in which the first device is currently being used, into memory;
  
  determining whether the geographic location of the first device is among a set of authorized locations, from which the user has previously accessed the service, and stored for the user for the service;
  
  determining whether the first device has a relationship previously established with the service being accessed, the relationship being a kind of relationship in which the service communicates with a device that is known and trusted by the service;
  
  in response to a determination that the first device has the relationship established with the service being accessed, adding the geographic location in which the first device is currently being used to the set of authorized locations for the user and allowing the first device to access the service from the geographic location in which the first device is currently being used;
  
  receiving information identifying a user, a second device, different from the first device, and a geographic location in which the second device is currently being used, into memory; and
  
  determining whether the geographic location of the second device is among the set of authorized locations stored for the user for the service being accessed as updated according to the geographic location of the first device; and
  
  in response to a determination that the geographic location of the second device is among the set of authorized locations stored for the user as updated according to the geographic location of the first device, allowing access to the service through the second device.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The article of manufacture of claim 7, wherein the process further comprises:
    - in response to a determination that the first device does not have the relationship established with the service being accessed, and a determination that the geographic location of the first device is not among the set of authorized locations stored for the user, signaling a security event.
  - 9. The article of manufacture of claim 7, wherein the process further comprises:
    - in response to a determination that the geographic location of the second device is not among the set of authorized locations stored for the user, not allowing the second device to access the service from the geographic location.
  - 10. The article of manufacture of claim 9, wherein the process further comprises:
    - in response to a determination that the geographic location of the second device is not among the set of authorized locations stored for the user, prompting the user of the second device for additional information to authenticate the user.
  - 11. The article of manufacture of claim 7, wherein the process further comprises:
    - receiving a request from the second device to establish the relationship with the service being accessed; and
      
      determining whether the geographic location of the second device is among the set of authorized locations stored for the user for the service being accessed; and
      
      signaling a security event in response to determinations that the second device is unsuccessful in establishing the relationship with the service from the geographic location and that the geographic location of the second device is not among the set of authorized locations stored for the user for the service.
  - 12. The article of manufacture of claim 7, wherein the process further comprises:
    - receiving a request from the second device to establish the relationship with the service being accessed; and
      
      determining whether the geographic location of the second device is among the set of authorized locations stored for the user for the service being accessed; and
      
      in response to determinations that the second device is successful in establishing the relationship with the service from the geographic location and that the geographic location is not among the set of authorized locations, adding the geographic location in which the second device is currently being used to the set of authorized locations for the user.

13. A computing machine comprising:
- an authentication process, executed on the computing machine, for a service accessible over a computer network, having inputs for receiving information identifying a user, a first device from which the user is currently accessing the service and a geographic location in which the first device is currently being used, into memory;
  
  storage in which data is stored about users for the service including data describing, for each user, a set of authorized locations from which the user has previously accessed the service;
  
  storage in which data is stored describing relationships between devices and the service, the data associating devices with user accounts with the service for a relationship in which the service communicates with a device that is known and trusted by the service;
  
  the authentication process determining whether the first device has the relationship previously established with the service being accessed;
  
  in response to a determination that the first device has the relationship previously established with the service being accessed, the authentication process adding the geographic location in which the first device is currently being used to the set of authorized locations for the user and allowing the first device to access the service from the geographic location in which the first device is currently being used;
  
  the authentication process further comprising an input configured to receive information identifying a user, a second device, different from the first device, and a geographic location in which the second device is currently being used, into memory;
  
  the authentication process configured to determine whether the geographic location of the second device is among the set of authorized locations stored for the user for the service being accessed as updated according to the geographic location of the first device, and, in response to a determination that the geographic location of the second device is among the set of authorized locations stored for the user as updated according to the geographic location of the first device, to allow access to the service through the second device.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The computing machine of claim 13, wherein the authentication process determines whether the first device is accessing the service from a geographic location in the set of authorized locations.
  - 15. The computing machine of claim 13, wherein the authentication process signals a security event if the first device is unsuccessful in establishing the relationship with the service from the geographic location of the first device.
  - 16. The computing machine of claim 13, wherein the authentication process prompts the user for additional information if the geographic location of the first device is not in the set of authorized locations.
  - 17. The computing machine of claim 13, wherein the authentication process is further configured to:
    - receive a request from the second device to establish the relationship with the service being accessed;
      
      determine whether the geographic location of the second device is among the set of authorized locations stored for the user for the service being accessed; and
      
      in response to determinations that the second device is successful in establishing the relationship with the service from the geographic location and that the geographic location is not among the set of authorized locations, add the geographic location in which the second device is currently being used to the set of authorized locations for the user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Kafka, Steven, Craddock, Richard, Tewari, Ashutosh, Vitaldevara, Krish
Primary Examiner(s)
Zecher, Dede
Assistant Examiner(s)
LAKHIA, VIRAL S

Application Number

US13/632,170
Publication Number

US 20140096189A1
Time in Patent Office

1,450 Days
Field of Search

726/1, 726/4, 726/7, 726/28, 726/3, 455/418, 455/411, 709/224, 709/225, 370/310, 370/338
US Class Current

1/1
CPC Class Codes

G06F 21/31 User authentication

G06F 2221/2111 Location-sensitive, e.g. ge...

Using trusted devices to augment location-based account protection

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Using trusted devices to augment location-based account protection

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links