Passive security enforcement

US 9,641,502 B2
Filed: 09/25/2014
Issued: 05/02/2017
Est. Priority Date: 01/23/2009
Status: Active Grant

First Claim

Patent Images

1. A method for passive authentication by a computing system, the method comprising:

receiving, by the computing system, a first subset of attributes comprising one or more attributes;

determining by the computing system, from a set of types, a corresponding first type for each attribute of the first subset of attributes;

passively authenticating, by the computing system, a user at a first authentication level by comparing each attribute of the first subset of attributes to one or more first previously stored attributes each having an assigned first type matching the corresponding first type determined for each attribute of the first subset of attributes;

receiving, by the computing system, a second subset of attributes comprising at least one attribute;

determining, from the set of types, corresponding second types for each attribute of the second subset of attributes; and

passively updating, by the computing system, the first authentication level to a second authentication level by comparing each attribute of the second subset of attributes to one or more second previously stored attributes each having an assigned second type matching the corresponding second type determined for each attribute of the second subset of attributes;

wherein each attribute of the first subset of attributes and of the second subset of attributes is an event indicative of the user or is a physical characteristic of the user; and

wherein each previously stored attribute comprises a previously stored event, a previously stored physical characteristic, or one or more previously determined acceptable values for the type corresponding to the stored attribute for one or more users.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Technology is described for enabling passive enforcement of security at computing systems. A component of a computing system can passively authenticate or authorize a user based on observations of the user'"'"'s interactions with the computing system. The technology may increase or decrease an authentication or authorization level based on the observations. The level can indicate what level of access the user should be granted. When the user or a component of the computing device initiates a request, an application or service can determine whether the level is sufficient to satisfy the request. If the level is insufficient, the application or service can prompt the user for credentials so that the user is actively authenticated. The technology may enable computing systems to “trust” authentication so that two proximate devices can share authentication levels.

Citations

20 Claims

1. A method for passive authentication by a computing system, the method comprising:
- receiving, by the computing system, a first subset of attributes comprising one or more attributes;
  
  determining by the computing system, from a set of types, a corresponding first type for each attribute of the first subset of attributes;
  
  passively authenticating, by the computing system, a user at a first authentication level by comparing each attribute of the first subset of attributes to one or more first previously stored attributes each having an assigned first type matching the corresponding first type determined for each attribute of the first subset of attributes;
  
  receiving, by the computing system, a second subset of attributes comprising at least one attribute;
  
  determining, from the set of types, corresponding second types for each attribute of the second subset of attributes; and
  
  passively updating, by the computing system, the first authentication level to a second authentication level by comparing each attribute of the second subset of attributes to one or more second previously stored attributes each having an assigned second type matching the corresponding second type determined for each attribute of the second subset of attributes;
  
  wherein each attribute of the first subset of attributes and of the second subset of attributes is an event indicative of the user or is a physical characteristic of the user; and
  
  wherein each previously stored attribute comprises a previously stored event, a previously stored physical characteristic, or one or more previously determined acceptable values for the type corresponding to the stored attribute for one or more users.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein various functions of the computing system are associated with a corresponding minimum authentication level required to perform the function.
  - 3. The method of claim 1, wherein the at least one of the determined types for the second subset of attributes includes a type for a signal from a proximate computing device that has authenticated the user, and wherein the updating comprises increasing the authentication level upon receiving the signal from the proximate computing device that has authenticated the user.
  - 4. The method of claim 1 further comprising:
    - receiving a first command to enable passive authentication to access one or more functions or to enable passive authentication at one or more defined times; and
      
      receiving a second command to disable passive authentication to access the one or more functions or to disable passive authentication at the one or more defined times.
  - 5. The method of claim 1, wherein the at least one of the determined types for the first subset of attributes or for the second subset of attributes comprises at least one of:
    - a location that is identifiable by the computing device;
      
      a captured image;
      
      an identifier of a data communications network;
      
      a telephone call;
      
      a temperature;
      
      a motion;
      
      ora pressure.
  - 6. The method of claim 1 further comprising:
    - determining that the second authentication level is lower than a specified threshold; and
      
      in response to determining that the second authentication level is lower than the specified threshold, preventing the user from accessing one or more functions of the computing device that were available to the user when the user was authenticated at the first authentication level.
  - 7. The method of claim 1, wherein the first authentication level and second authentication level are indications of the likelihood that the authentication is correct.
  - 8. The method of claim 1, wherein:
    - the at least one of the determined types for the first subset of attributes or for the second subset of attributes comprises a co-presence or absence of another device; and
      
      the previously stored attribute to which the co-presence or absence of another device is compared comprises one of the previously determined acceptable values which is equivalent to true or false.
  - 9. The method of claim 1, wherein the at least one of the determined types for the first subset of attributes or for the second subset of attributes comprises a facial pattern.
  - 10. The method of claim 1 further comprising receiving, after the updating, a request from the user, the request comprising an identification of an action to be performed by an application, wherein,when the second authentication level is above a security level associated with the action identified in the request, the application performs the identified action;
    - andwhen the second authentication level is not above the security level associated with the action identified in the request, the application causes a prompt to be provided to the user for authentication credentials so that the user can be actively authenticated.

11. A computer-readable storage device having computer-executable instructions stored thereon that, when executed by a computing system, cause the computing system to perform operations for passive authentication, the operations comprising:
- receiving, by the computing system, a first subset of attributes comprising one or more attributes;
  
  determining by the computing system, from a set of types, a corresponding first type for each attribute of the first subset of attributes;
  
  passively authenticating, by the computing system, a user at a first authentication level by comparing each attribute of the first subset of attributes to one or more first previously stored attributes each having an assigned first type matching the corresponding first type determined for each attribute of the first subset of attributes;
  
  receiving, by the computing system, a second subset of attributes comprising at least one attribute;
  
  determining, from the set of types, corresponding second types for each attribute of the second subset of attributes; and
  
  passively updating, by the computing system, the first authentication level to a second authentication level by comparing each attribute of the second subset of attributes to one or more second previously stored attributes each having an assigned second type matching the corresponding second type determined for each attribute of the second subset of attributes;
  
  wherein each attribute of the first subset of attributes and of the second subset of attributes is an event indicative of the user or is a physical characteristic of the user; and
  
  wherein each previously stored attribute comprises a previously stored event, a previously stored physical characteristic, or one or more previously determined acceptable values for the type corresponding to the stored attribute for one or more users.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The computer-readable storage device of claim 11, wherein the operations further comprise receiving, after the updating, a request from the user, the request comprising an identification of an action to be performed by an application, wherein,when the second authentication level is above a security level associated with the action identified in the request, the application performs the identified action;
    - andwhen the second authentication level is not above the security level associated with the action identified in the request, the application causes a prompt to be provided to the user for authentication credentials so that the user can be actively authenticated.
  - 13. The computer-readable storage device of claim 11, wherein the at least one of the determined types for the second subset of attributes includes a type for a signal from a proximate computing device that has authenticated the user, and wherein the updating comprises increasing the authentication level upon receiving the signal from the proximate computing device that has authenticated the user.
  - 14. The computer-readable storage device of claim 11, wherein the operations further comprise:
    - receiving a first command to enable passive authentication for one or more functions or to enable passive authentication at one or more defined times; and
      
      receiving a second command to disable passive authentication for the one or more functions or to disable passive authentication at the one or more defined times.
  - 15. The computer-readable storage device of claim 11, wherein the at least one of the determined types for the first subset of attributes or for the second subset of attributes comprises at least one of:
    - a location that is identifiable by the computing device;
      
      a captured image;
      
      an identifier of a data communications network;
      
      a telephone call;
      
      a temperature;
      
      a motion;
      
      ora pressure.
  - 16. The computer-readable storage device of claim 11, wherein the operations further comprise:
    - determining that the second authentication level is lower than a specified threshold; and
      
      in response to determining that the second authentication level is lower than the specified threshold, preventing the user from accessing one or more functions of the computing device that were available to the user when the user was authenticated at the first authentication level.

17. A computing system configured to passively authenticate a user, the computing system comprising:
- one or more processors;
  
  a memory storing;
  
  an input component configured to receive at least two subsets of attributes including a first subset and a second subset, each comprising at least one attribute; and
  
  an authorization component configured to;
  
  determine, from a set of types, a corresponding first type for each attribute of the first subset of attributes;
  
  passively authenticate the user at a first authentication level based on the attributes in the first subset of attributes by comparing each attribute of the first subset of attributes to one or more first previously stored attributes each having an assigned first type matching the corresponding first type determined for each attribute of the first subset of attributes;
  
  determining, from the set of types, corresponding second types for each attribute of the second subset of attributes; and
  
  passively update the first authentication level to a second authentication level by comparing each attribute of the second subset of attributes to one or more previously stored attributes, each compared previously stored attribute having an assigned second type matching the corresponding second type determined for each attribute of the second subset of attributes;
  
  wherein each attribute of the first subset of attributes and each attribute of the second subset of attributes is an event indicative of the user or is a physical characteristic of the user, and wherein each previously stored attribute comprises a previously stored event, a previously stored physical characteristic, or one or more previously determined acceptable values for the type corresponding to the stored attribute for one or more users.
- View Dependent Claims (18, 19, 20)
- - 18. The system of claim 17, wherein:
    - the at least one of the determined types for the second subset of attributes comprises a co-presence or absence of another device; and
      
      wherein the previously stored attribute to which the co-presence or absence of another device is compared comprises one of the previously determined acceptable values which is equivalent to true or false.
  - 19. The system of claim 17, wherein the at least one of the determined types for the second subset of attributes comprises a facial pattern.
  - 20. The system of claim 17, wherein various functions of the computing system are associated with a corresponding minimum authentication level required to perform the function.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Steeves, David J., Cameron, Kim, Carpenter, Todd L., Foster, David, Miller, Quentin S.
Primary Examiner(s)
ABYANEH, ALI S

Application Number

US14/497,122
Publication Number

US 20150281200A1
Time in Patent Office

950 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/316   by observing the pattern of...

G06F 21/32   using biometric data, e.g. ...

H04L 2463/082   applying multi-factor authe...

H04L 63/0492   by using a location-limited...

H04L 63/08   for authentication of entit...

H04L 63/0861   using biometrical features,...

H04L 67/10   in which an application is ...

H04W 12/06   Authentication

H04W 12/065   Continuous authentication

H04W 12/40   Security arrangements using...

Passive security enforcement

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Passive security enforcement

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links