EFFICIENTLY THROTTLING USER AUTHENTICATION
Abstract
In an embodiment, an administrative computer system receives user login credentials from a user and makes at least one of the following determinations: that the user identifier does not match any existing user account, that the user identifier matches at least one existing user account, but that the user's account is in a locked state, or that the user identifier matches at least one existing user account, but the user's password does not match the user identifier. The administrative computer system then returns to the user the same response message regardless of which determination is made. The response indicates that the user's login credentials are invalid. The response also prevents the user from determining which of the credentials was invalid, as the response message is the same for each determination and is sent to the user after a measured response time that is the same for each determination.
20 Claims
1. At an authentication server computer system including at least one processor and a memory, in a computer networking environment including a plurality of computing systems, a computer-implemented method for efficiently authenticating users while preventing enumeration attacks, the method comprising:

    an act of receiving user login credentials from a user, the user login credentials including a user identifier and a password;

    an act of making at least one of the following determinations:

        determining that the user identifier does not match any existing user account;

        determining that the user identifier matches at least one existing user account, but the user's account is in a locked state; and

        determining that the user identifier matches at least one existing user account, but the user's password does not match the user identifier; and

    an act of returning to the user the same response message regardless of which determination is made, the response message indicating that the user's login credentials are invalid, wherein the response message prevents the user from determining which of the credentials was invalid, as the response message is the same for each determination and is sent to the user after a measured response time that is the same for each determination.

Dependent claims (not reproduced here): 2, 3, 4, 5, 6, 7.
8. At a client computer system including at least one processor and a memory, in a computer networking environment including a plurality of computing systems, a computer-implemented method for providing login error messages while preventing enumeration attacks, the method comprising:

    an act of sending user login credentials from a user to an authentication server, the user login credentials including a user identifier and a password, the authentication server making at least one of the following determinations:

        determining that the user identifier does not match any existing user account;

        determining that the user identifier matches at least one existing user account, but the user's account is in a locked state; and

        determining that the user identifier matches at least one existing user account, but the user's password does not match the user identifier; and

    an act of receiving a response message from the authentication server indicating that the user's credentials are invalid, wherein the response message prevents the user from determining which of the credentials was invalid, as the response message is the same for each determination and is received by the user after a measured response time that is the same for each determination.

Dependent claims (not reproduced here): 9, 10, 11, 12, 13, 14, 15, 16.
17. A computer system comprising the following:

    one or more processors;

    system memory;

    one or more computer-readable storage media having stored thereon computer-executable instructions that, when executed by the one or more processors, cause the computing system to perform a method for efficiently authenticating users while preventing enumeration attacks, the method comprising the following:

        an act of receiving user login credentials from a user, the user login credentials including a user identifier and a password;

        an act of making at least one of the following determinations:

            determining that the user identifier does not match any existing user account;

            determining that the user identifier matches at least one existing user account, but the user's account is in a locked state; and

            determining that the user identifier matches at least one existing user account, but the user's password does not match the user identifier; and

        an act of returning to the user the same response message regardless of which determination is made, the response indicating that the user's login credentials are invalid, wherein the response message prevents the user from determining which of the credentials was invalid, as the response message is the same for each determination and is sent to the user after a measured response time that is the same for each determination.

Dependent claims (not reproduced here): 18, 19.
20. The computer system of claim 18, wherein a dynamically generated, variable delay is applied to each login attempt to ensure that each response is sent after the same amount of time has elapsed since the user's login credentials were received.
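The claims above describe two things an authentication server must do to deny an attacker a username-enumeration oracle: return one identical failure message for "no such user", "account locked" and "wrong password", and send every response after the same measured time since the credentials were received (claim 20's dynamically sized delay). The following Python handler is an added example written for this page; it is not code from the patent or its assignee. The names `authenticate`, `Account`, `AuthResult`, `GENERIC_FAILURE`, the PBKDF2 parameters, the 0.5-second default floor and the sample accounts are all assumptions of the example, and the real outcome is kept in an `audit_reason` field that is meant for server-side logs only.

```python
"""Uniform-response login handler with a padded, per-attempt response time.

Added example (not the patent's own code). Demonstrates: one generic
failure message for unknown user / locked account / wrong password,
constant password-hash work regardless of outcome, and a variable delay
that pads every response to the same minimum elapsed time.
"""
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass
from typing import Dict

GENERIC_FAILURE = "Invalid username or password."   # assumed wording


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    locked: bool = False


def _derive(password: str, salt: bytes) -> bytes:
    # Iteration count chosen for the demo; tune for production hardware.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_account(password: str, locked: bool = False) -> Account:
    salt = os.urandom(16)
    return Account(salt=salt, pw_hash=_derive(password, salt), locked=locked)


# Dummy account used when the user id is unknown, so the server still
# performs one password derivation (same CPU work) instead of returning early.
_DUMMY = make_account(secrets.token_hex(16))


@dataclass
class AuthResult:
    ok: bool
    message: str        # the only text sent back to the client
    audit_reason: str   # server-side log only; never returned to the client
    elapsed: float      # seconds from receipt of credentials to response


def authenticate(store: Dict[str, Account], user_id: str, password: str,
                 min_response_seconds: float = 0.5) -> AuthResult:
    received = time.monotonic()          # "time credentials were received"

    account = store.get(user_id)
    check_against = account if account is not None else _DUMMY
    # Always derive and compare in constant time, even for unknown or locked
    # accounts, so the amount of work does not vary with the determination.
    candidate = _derive(password, check_against.salt)
    pw_ok = hmac.compare_digest(candidate, check_against.pw_hash)

    if account is None:
        ok, reason = False, "unknown_user"
    elif account.locked:
        ok, reason = False, "account_locked"
    elif not pw_ok:
        ok, reason = False, "bad_password"
    else:
        ok, reason = True, "success"

    # Dynamically generated, variable delay: pad to the fixed floor measured
    # from receipt. If the real work overran the floor the pad is zero and the
    # timing channel is not hidden, so set the floor well above worst-case work.
    elapsed = time.monotonic() - received
    time.sleep(max(0.0, min_response_seconds - elapsed))
    elapsed = time.monotonic() - received

    message = "Login successful." if ok else GENERIC_FAILURE
    return AuthResult(ok=ok, message=message, audit_reason=reason, elapsed=elapsed)


def demo_store() -> Dict[str, Account]:
    # Constructed sample accounts for the demo.
    return {
        "alice": make_account("correct horse battery staple"),
        "mallory": make_account("hunter2", locked=True),
    }


if __name__ == "__main__":
    store = demo_store()
    attempts = [("nobody", "x"), ("mallory", "hunter2"),
                ("alice", "wrong"), ("alice", "correct horse battery staple")]
    for uid, pw in attempts:
        r = authenticate(store, uid, pw, min_response_seconds=0.2)
        print(f"{uid:8} client sees {r.message!r:34} "
              f"audit={r.audit_reason:15} {r.elapsed:.3f}s")
```

Two practical checks follow from the code. First, the floor only works if it exceeds the slowest legitimate path; measure the hash derivation under load and set `min_response_seconds` above it, because a zero pad silently reinstates the timing difference. Second, the uniform message removes the message and timing oracle but is not itself a throttle: an attacker can still submit credentials at full speed, so rate limiting and lockout policy still belong in front of this handler, with the lockout itself hidden behind the same generic response as shown.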
Specification