Safe auto-login links in notification emails

US 9,298,896 B2
Filed: 01/02/2013
Issued: 03/29/2016
Est. Priority Date: 01/02/2013
Status: Active Grant

First Claim

Patent Images

1. A method to authenticate a user of an application executing on a computing machine from a notification message that includes a resource locator, comprising:

providing a first data string from which first data about the user can be obtained and verified by the application, the first data string including the first data and its digital signature;

providing the notification message that includes the resource locator, the resource locator including a second data string from which second data about the user can be obtained and verified by the application, wherein the first data and the second data are each shares of a secret defined by a secret sharing scheme;

receiving, as an authentication request and as a result of the user having selected the resource locator in the notification message, the first data string and the second data string; and

determining, without additional user input, whether the first data and the second data can be verified, wherein a determination regarding the first data includes verifying the digital signature;

when the first data and the second data are verified, authenticating the user to the application executing on the computing machine.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A web application user is authenticated directly upon selecting a link in a notification email. In this approach, the user'"'"'s web browser stores a first data string provided by the web application (e.g., in a cookie) during a prior session. The first data string encodes first data about the user that can be verified by the application. Later, the user receives the notification email that includes the link. The link encodes a second data string from which second data about the user can be verified by the application. When the end user selects the link, an authentication request is transmitted to the application. The authentication request includes both the first and second data strings. If both the first data and the second data (as obtained from their respective data strings) can be verified, the user is authenticated without having to perform any additional steps (e.g., manual entry of credentials).

23 Citations

View as Search Results

20 Claims

1. A method to authenticate a user of an application executing on a computing machine from a notification message that includes a resource locator, comprising:
- providing a first data string from which first data about the user can be obtained and verified by the application, the first data string including the first data and its digital signature;
  
  providing the notification message that includes the resource locator, the resource locator including a second data string from which second data about the user can be obtained and verified by the application, wherein the first data and the second data are each shares of a secret defined by a secret sharing scheme;
  
  receiving, as an authentication request and as a result of the user having selected the resource locator in the notification message, the first data string and the second data string; and
  
  determining, without additional user input, whether the first data and the second data can be verified, wherein a determination regarding the first data includes verifying the digital signature;
  
  when the first data and the second data are verified, authenticating the user to the application executing on the computing machine.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method as described in claim 1 wherein the first data string includes an HTTP cookie and is provided to a user agent associated with the user at a first time.
  - 3. The method as described in claim 2 wherein the notification message is an email that is provided to the user at a second time.
  - 4. The method as described in claim 1 further including:
    - providing a login page to request a user credential when either the first data or the second data cannot be verified.
  - 5. The method as described in claim 1 wherein the secret defined by the secret sharing scheme also includes third data held by the application.
  - 6. The method as described in claim 1 wherein the first data string is encrypted with a public key of a public key cryptosystem that includes a private key held by the application, wherein the determination regarding the first data also includes applying the private key.
  - 7. The method as described in claim 1 wherein at least one of the respective first and second data have an expiry time associated therewith.

8. Apparatus, comprising:
- a processor;
  
  a data store;
  
  non-transitory computer memory holding computer program instructions executed by the processor to authenticate a user of an application executing on a computing machine from a notification message that includes a resource locator by;
  
  providing a first data string from which first data about the user can be obtained and verified by the application, the first data string including the first data and its digital signature;
  
  providing the notification message that includes the resource locator, the resource locator including a second data string from which second data about the user can be obtained and verified by the application, wherein the first data and the second data are each shares of a secret defined by a secret sharing scheme;
  
  receiving, as an authentication request and as a result of the user having selected the resource locator in the notification message, the first data string and the second data string; and
  
  determining, without additional user input, whether the first data and the second data can be verified, wherein a determination regarding the first data includes verifying the digital signature;
  
  when the first data and the second data are verified, authenticating the user to the application executing on the computing machine.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The apparatus as described in claim 8 wherein the first data string includes an HTTP cookie and is provided to a user agent associated with the user at a first time.
  - 10. The apparatus as described in claim 9 wherein the notification message is an email that is provided to the user at a second time.
  - 11. The apparatus as described in claim 8 wherein the method further includes:
    - providing a login page to request a user credential when either the first data or the second data cannot be verified.
  - 12. The apparatus as described in claim 8 wherein the secret defined by the secret sharing scheme also includes third data held by the application.
  - 13. The apparatus as described in claim 8 wherein the first data string is encrypted with a public key of a public key cryptosystem that includes a private key held by the application, wherein the determination regarding the first data also includes applying the private key.
  - 14. The apparatus as described in claim 8 wherein at least one of the respective first and second data have an expiry time associated therewith.

15. A computer program product in a non-transitory computer readable storage medium for use in a data processing system, the computer program product holding computer program instructions which, when executed by the data processing system, perform a method to authenticate a user of an application executing on a computing machine from a notification message that includes a resource locator, the method comprising:
- providing a first data string from which first data about the user can be obtained and verified by the application, the first data string including the first data and its digital signature;
  
  providing the notification message that includes the resource locator, the resource locator including a second data string from which second data about the user can be obtained and verified by the application, wherein the first data and the second data are each shares of a secret defined by a secret sharing scheme;
  
  receiving, as an authentication request and as a result of the user having selected the resource locator in the notification message, the first data string and the second data string; and
  
  determining, without additional user input, whether the first data and the second data can be verified, wherein a determination regarding the first data includes verifying the digital signature;
  
  when the first data and the second data are verified, authenticating the user to the application executing on the computing machine.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computer program product as described in claim 15 wherein the first data string includes an HTTP cookie and is provided to a user agent associated with the user at a first time.
  - 17. The computer program product as described in claim 16 wherein the notification message is an email that is provided to the user at a second time.
  - 18. The computer program product as described in claim 15 wherein the method further includes:
    - providing a login page to request a user credential when either the first data or the second data cannot be verified.
  - 19. The computer program product as described in claim 15 wherein the secret defined by the secret sharing scheme also includes third data held by the application.
  - 20. The computer program product as described in claim 15 wherein the first data string is encrypted with a public key of a public key cryptosystem that includes a private key held by the application, wherein the determination regarding the first data also includes applying the private key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
HCL Technologies Limited
Original Assignee
International Business Machines Corporation
Inventors
Pieczul, Olgierd S., McGloin, Mark A., Zurko, Mary E.
Primary Examiner(s)
Schwartz, Darren B

Application Number

US13/732,822
Publication Number

US 20140189820A1
Time in Patent Office

1,182 Days
Field of Search

726 5- 9
US Class Current

1/1
CPC Class Codes

G06F 21/31   User authentication

H04L 63/08   for authentication of entit...

H04L 63/168   above the transport layer

H04L 67/02   based on web technology, e....

Safe auto-login links in notification emails

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

23 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Safe auto-login links in notification emails

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

23 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links