Protection from data security threats
First Claim

1. A computer-implemented method for authentication, comprising:
under the control of one or more computer systems configured with executable instructions, obtaining an electronic claim of access to a password, the claim comprising:
a first component comprising first information based at least in part on an electronic signature, the electronic signature based at least in part on a first key and a time-dependent value, the first key derived based at least in part on the password; and
a second component comprising second information based at least in part on a second key, the second key being at least:
different from the first key;
derived based at least in part on a derivation function utilizing the password and a second salt value as inputs, where the second salt value is stored by a computing resource service provider; and
the second key being unavailable to the one or more computer systems until at least obtaining the electronic claim of access to the password;
computing, based at least in part on the first key, a first reference component;
computing, based at least in part on the second key from the electronic claim, a second reference component; and
enabling access to at least one computing resource as a result of both the first reference component matching the first component and the second component matching the second reference component.
1 Assignment
0 Petitions
Abstract
A credential, such as a password, for an entity is used to generate multiple keys. The generated keys are distributed to credential verification systems to enable the credential verification systems to perform authentication operations. The keys are generated such that access to a generated key allows for authentication with a proper subset of the credential verification systems. Thus, unauthorized access to information used by one authentication system does not, by itself, allow for successful authentication with other authentication systems.
216 Citations
30 Claims
1. A computer-implemented method for authentication (independent claim 1, reproduced in full under First Claim above).
Dependent claims: 2, 3, 4, 5, 6.
7. A computer-implemented method for authentication, comprising:
under the control of one or more computer systems configured with executable instructions, obtaining information from a computing device attempting authentication;
determining whether the obtained information is valid based at least in part on:
first information accessed from data storage accessible to the one or more computer systems and based at least in part on a first key, the first key based at least in part on a derivation function including a first salt value and a password, where the password is provided by the computing device attempting authentication; and
second information based at least in part on at least a second key different from the first key and a second salt value, where the second salt value is stored in the data storage accessible to the one or more computer systems, and the second key is unavailable to the one or more computer systems until at least obtaining the information from the computing device attempting authentication;
wherein neither the first information nor the second information is alone sufficient for authentication; and
taking one or more actions that are dependent on a determination that the obtained information is valid.
Dependent claims: 8, 9, 10, 11, 12, 13, 14, 15, 16.
17. A computer system, comprising:
one or more processors; and
memory including instructions that, when executed by the one or more processors, cause the computer system to at least:
obtain information from computing devices attempting authentication;
for each party of a plurality of parties, access information specific to the party from a data store to determine whether the party is authentic, where determining whether the party is authentic requires at least that:
first reference information, computed based at least in part on an electronic signature, the electronic signature based at least in part on a first key and a time-dependent value, the first key computed based at least in part on a first result of a derivation function utilizing a password and a first salt value, matches the obtained information; and
second reference information, different from the first reference information and computed based at least in part on a second result of the derivation function utilizing the password and a second salt value, where the second salt value is stored in the data store, matches the information specific to the party, maintained by a computing resource service provider, and the second reference information is unavailable until obtained from the party; and
take one or more actions that are dependent on a determination that the party is authentic.
Dependent claims: 18, 19, 20, 21, 22.
23. A non-transitory computer-readable storage medium having stored thereon instructions that, when executed by one or more processors of a computer system, cause the computer system to at least:
in connection with an electronic request involving access to one or more computing resources, generate a secret information claim comprising at least:
a first component based at least in part on a cryptographic operation involving a first key, the first key determined based at least in part on a result of providing secret information and a first salt value as inputs to a derivation function, and information about the electronic request; and
an encoding of a second key that is different from the first key, the second key being derived based at least in part on secret information and a second salt value, the second key being unavailable to an authentication computer system until receiving the secret information claim; and
transmit the generated secret information claim to the authentication computer system to obtain access to the one or more computing resources for which successful authentication is required.
Dependent claims: 24, 25, 26, 27, 28, 29, 30.
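As an added illustration (not code from the patent or its assignee), the following Python models the scheme the abstract and independent claims describe: two keys derived from one password under different salts, the first used to sign a time-dependent value, the second sent with the claim and checked against a one-way value the verifier stores, so that what one verifier holds does not authenticate anyone to another verifier. The choice of PBKDF2 as the derivation function, the 30-second window, the verifier record layout and the SHA-256 check value are this example's assumptions.

```python
import hashlib
import hmac
import os
# Constructed model of the two-key scheme in the abstract and claims; the
# derivation function (PBKDF2), the 30-second time window, and storing a
# SHA-256 check value for the second key on the verifier are assumptions.

def kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def time_window(ts: int, width: int = 30) -> bytes:
    # Time-dependent value signed under the first key; bounds replay to one window.
    return str(ts // width).encode()

def enroll(password: str) -> dict:
    # Verifier record: first key k1 (to recompute the signature), both salts, and a
    # one-way check value for k2. k2 itself is not kept until a claim carries it in.
    salt1, salt2 = os.urandom(16), os.urandom(16)
    k1, k2 = kdf(password, salt1), kdf(password, salt2)
    check2 = hashlib.sha256(salt2 + k2).digest()
    return {"salt1": salt1, "salt2": salt2, "k1": k1, "check2": check2}

def make_claim(password: str, salt1: bytes, salt2: bytes, ts: int) -> dict:
    # Client: re-derive both keys from the password and the (non-secret) salts;
    # the claim carries a signature under k1 plus an encoding of k2.
    k1, k2 = kdf(password, salt1), kdf(password, salt2)
    sig = hmac.new(k1, time_window(ts), "sha256").digest()
    return {"sig": sig, "k2": k2}

def verify(record: dict, claim: dict, ts: int) -> bool:
    # Both reference components must match; neither alone is sufficient.
    ref1 = hmac.new(record["k1"], time_window(ts), "sha256").digest()
    ref2 = hashlib.sha256(record["salt2"] + claim["k2"]).digest()
    ok1 = hmac.compare_digest(ref1, claim["sig"])
    ok2 = hmac.compare_digest(ref2, record["check2"])
    return ok1 and ok2

def demo() -> dict:
    # Two independent verifiers enroll the same password under their own salts.
    pw, ts = "correct horse battery staple", 1_700_000_000
    a, b = enroll(pw), enroll(pw)
    claim_a = make_claim(pw, a["salt1"], a["salt2"], ts)
    return {
        "valid": verify(a, claim_a, ts),
        "wrong_password": verify(a, make_claim("wrong", a["salt1"], a["salt2"], ts), ts),
        "replayed_later": verify(a, claim_a, ts + 60),
        # A claim built for A fails at B: B's keys come from different salts, so
        # what A stores (or leaks) does not authenticate anyone to B.
        "cross_verifier": verify(b, claim_a, ts),
    }
```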