Passive security enforcement
First Claim
1. A method for passive authentication by a computing system, the method comprising:
receiving, by the computing system, multiple attributes of a first user, the attributes comprising a first subset of attributes comprising one or more attributes and a second subset of attributes comprising one or more attributes;
determining, by the computing system, from a set of types, corresponding types for each attribute of the first subset of attributes, wherein each of the types in the set of types has a corresponding weight;
comparing, by the computing system, based on the determined types for each attribute of the first subset of attributes, each attribute of the first subset of attributes to one or more previously stored attributes with a corresponding type, thereby selecting a first applicable attribute;
passively authenticating, by the computing system, the first user at a first confidence level, the first confidence level based on the weights for the types corresponding to the first applicable attribute;
determining, from the set of types, corresponding types for each attribute of the second subset of attributes;
comparing, based on the determined types for each attribute of the second subset of attributes, each attribute of the second subset of attributes to one or more of the previously stored attributes with a corresponding type, thereby selecting a second applicable attribute; and
updating, by the computing system, the first confidence level to a second confidence level, the second confidence level based on the weights for the types corresponding to the second applicable attribute;
wherein each attribute of the first subset of attributes and of the second subset of attributes comprises at least one of an event associated with the first user and a physical characteristic of the first user; and
wherein each previously stored attribute comprises a previously stored user event, a previously stored user physical characteristic, or one or more previously determined acceptable values for the type corresponding to that stored attribute.
Abstract
Technology is described for enabling passive enforcement of security at computing systems. A component of a computing system can passively authenticate or authorize a user based on observations of the user's interactions with the computing system. The technology may increase or decrease an authentication or authorization level based on the observations. The level indicates what level of access the user should be granted. When the user or a component of the computing device initiates a request, an application or service can determine whether the level is sufficient to satisfy the request. If the level is insufficient, the application or service can prompt the user for credentials so that the user is actively authenticated. The technology may also enable computing systems to “trust” each other's authentication so that two proximate devices can share authentication levels.
20 Claims
if the second confidence level is not above the security level associated with the action identified in the request, the application causes a component to prompt the user for authentication credentials so that the user can be actively authenticated.
14. A computer-readable storage device storing computer-executable instructions that, when executed by a computing device, cause the computing device to perform operations for passively authenticating a user, the operations comprising:
receiving multiple attributes of a first user, the attributes comprising a first subset of attributes comprising one or more attributes and a second subset of attributes comprising one or more attributes;
determining, from a set of types, corresponding types for each attribute of the first subset of attributes, wherein each of the types in the set of types has a corresponding weight;
comparing, based on the determined types for each attribute of the first subset of attributes, each attribute of the first subset of attributes of the first user to one or more previously stored attributes with a corresponding type, thereby selecting a first applicable attribute;
passively authenticating the first user at a first confidence level, the first confidence level based on the weights for the types corresponding to the first applicable attribute;
determining, from the set of types, corresponding types for each attribute of the second subset of attributes;
comparing, based on the determined types for each attribute of the second subset of attributes, each attribute of the second subset of attributes of the first user to one or more of the previously stored attributes with a corresponding type, thereby selecting a second applicable attribute; and
updating the first confidence level to a second confidence level, the second confidence level based on the weights for the types corresponding to the second applicable attribute;
wherein each attribute of the first subset of attributes and of the second subset of attributes comprises at least one of an event associated with the first user and a physical characteristic of the first user; and
wherein each previously stored attribute comprises a previously stored user event, a previously stored user physical characteristic, or one or more previously determined acceptable values for the type corresponding to that stored attribute.
17. The computer-readable storage device of claim 14 wherein the operations further comprise:
determining that the second confidence level is lower than a specified threshold; and
in response to determining that the second confidence level is lower than the specified threshold, preventing the first user from accessing one or more functions of a computing device that were available to the first user when the user was authenticated at the first confidence level.
18. A device for passively authenticating a user, the device comprising:
a processor and memory;
an input configured to receive multiple attributes of a first user, the attributes comprising a first subset of attributes comprising one or more attributes and a second subset of attributes comprising one or more attributes;
an attribute analyzer configured to determine, from a set of types, corresponding types for each attribute of the first subset of attributes, wherein each of the types in the set of types has a corresponding weight;
an attribute comparator configured to compare, based on the determined types for each attribute of the first subset of attributes, each attribute of the first subset of attributes to one or more previously stored attributes with a corresponding type, to thereby select a first applicable attribute; and
an authentication module configured to passively authenticate the first user at a first confidence level, the first confidence level based on the weights for the types corresponding to the first applicable attribute, wherein the authentication module is stored in the memory;
wherein the attribute analyzer is further configured to determine, from the set of types, corresponding types for each attribute of the second subset of attributes,
wherein the attribute comparator is further configured to compare, based on the determined types for each attribute of the second subset of attributes, each attribute of the second subset of attributes of the first user to one or more of the previously stored attributes with a corresponding type, to thereby select a second applicable attribute,
wherein the authentication module is further configured to update the first confidence level to a second confidence level, the second confidence level based on the weights for the types corresponding to the second applicable attribute,
wherein each attribute of the first subset of attributes and of the second subset of attributes comprises at least one of an event associated with the first user and a physical characteristic of the first user, and
wherein each previously stored attribute comprises a previously stored user event, a previously stored user physical characteristic, or one or more previously determined acceptable values for the type corresponding to that stored attribute.
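The scoring loop that the abstract and independent claims 1, 14 and 18 describe, together with the step-up check in the dependent-claim fragment above and the revocation recited in claim 17, as an added example in Python. It is not the patent's or its assignee's code: the attribute types, their weights, the action security levels, the stored profile and the observed values are all assumptions made here so that it runs offline, and the increase/decrease arithmetic and the rule for sharing a level between proximate devices are likewise assumed, since the page only says that the level is based on the type weights and may rise or fall.

```python
"""Passive-authentication confidence scoring in the shape the claims describe.

Added worked example, not code from the patent. The attribute types, weights,
action security levels, stored profile and observed values are all assumptions
made here so the example runs offline.
"""
from dataclasses import dataclass
from typing import Any

# Claim 1: every type in the set of types has a weight. Weights are assumed and
# chosen as exact binary fractions so the sums below are exact.
TYPE_WEIGHTS = {
    "face_match_score": 0.5,     # physical characteristic
    "typing_cadence_ms": 0.25,   # physical characteristic (behavioural)
    "unlock_location": 0.125,    # event: where the device was unlocked
    "app_launch": 0.125,         # event: which application was opened
}

# Abstract: each request is checked against the level it needs. Assumed values.
ACTION_SECURITY_LEVEL = {"view_calendar": 0.1, "read_mail": 0.4, "send_payment": 0.8}


@dataclass(frozen=True)
class Attribute:
    type: str
    value: Any  # observed value; for a stored attribute a previous value,
                # a set of acceptable values, or an inclusive (low, high) range


# Previously stored attributes for the user (constructed sample profile).
STORED_PROFILE = [
    Attribute("typing_cadence_ms", (140, 220)),
    Attribute("face_match_score", (0.85, 1.0)),
    Attribute("unlock_location", {"home", "office"}),
    Attribute("app_launch", {"mail", "calendar"}),
]


def matches(observed: Attribute, stored: Attribute) -> bool:
    """Compare an observed attribute with a stored attribute of the same type."""
    if observed.type != stored.type:
        return False
    ref = stored.value
    if isinstance(ref, tuple) and len(ref) == 2:
        return ref[0] <= observed.value <= ref[1]
    if isinstance(ref, (set, frozenset)):
        return observed.value in ref
    return observed.value == ref


@dataclass
class PassiveAuthenticator:
    stored: list
    confidence: float = 0.0

    def observe(self, attributes: list) -> float:
        """Process one subset of attributes (claim 1's first or second subset)
        and return the new confidence level. Each attribute is typed, compared
        with stored attributes of that type, and a matching one becomes an
        applicable attribute whose type weight raises the level. A compared
        attribute that matches nothing lowers it by the same weight: the
        abstract says the level may decrease, but this arithmetic is assumed."""
        delta = 0.0
        for attr in attributes:
            weight = TYPE_WEIGHTS.get(attr.type)
            candidates = [s for s in self.stored if s.type == attr.type]
            if weight is None or not candidates:
                continue  # not a known type, or nothing stored to compare with
            delta += weight if any(matches(attr, s) for s in candidates) else -weight
        self.confidence = max(0.0, min(1.0, self.confidence + delta))
        return self.confidence

    def decide(self, action: str) -> str:
        """'allow' when the level is above the action's security level; otherwise
        'prompt_credentials', i.e. fall back to active authentication."""
        return "allow" if self.confidence > ACTION_SECURITY_LEVEL[action] else "prompt_credentials"

    def available_actions(self) -> set:
        """Actions the current level grants (claim 17 withdraws those a lower level no longer covers)."""
        return {a for a, lvl in ACTION_SECURITY_LEVEL.items() if self.confidence > lvl}

    def trust(self, other: "PassiveAuthenticator") -> float:
        """Abstract: proximate devices can share levels. Adopting the higher of
        the two is an assumption; the page does not say how they combine."""
        self.confidence = max(self.confidence, other.confidence)
        return self.confidence


def demo() -> dict:
    """Walk a constructed session through both claim steps and a later drop."""
    auth = PassiveAuthenticator(stored=STORED_PROFILE)
    out = {}
    out["first_level"] = auth.observe([
        Attribute("typing_cadence_ms", 180),
        Attribute("unlock_location", "home"),
        Attribute("mouse_speed", 3.2),         # type not in the set: ignored
    ])                                          # 0.25 + 0.125
    out["read_mail_at_first"] = auth.decide("read_mail")       # 0.375 is not above 0.4
    out["second_level"] = auth.observe([Attribute("face_match_score", 0.93)])  # + 0.5
    out["payment_at_second"] = auth.decide("send_payment")
    before_drop = auth.available_actions()
    out["level_after_drop"] = auth.observe([
        Attribute("typing_cadence_ms", 320),   # outside the stored range
        Attribute("unlock_location", "airport"),
    ])
    out["payment_after_drop"] = auth.decide("send_payment")
    out["revoked"] = sorted(before_drop - auth.available_actions())
    tablet = PassiveAuthenticator(stored=STORED_PROFILE)
    out["tablet_shared_level"] = tablet.trust(auth)
    return out


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

Running the block prints the trace: the first subset (typing cadence and unlock location both matching the stored profile) passively authenticates at 0.375, which is not above the 0.4 that reading mail needs, so that request falls back to a credential prompt; the face match in the second subset lifts the level to 0.875 and a payment is allowed; two later mismatches bring it down to 0.5, and the payment function that was available at the higher level is withdrawn, which is the behaviour claim 17 recites.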
Specification