US20210073373A1 - Automating password change management - Google Patents


Info

Publication number
US20210073373A1
Authority
US
United States
Prior art keywords
password
user
password reset
sites
data mining
Prior art date
Legal status
Abandoned
Application number
US17/029,008
Inventor
Joseph Siegrist
Current Assignee
Lastpass Us Lp
GoTo Technologies USA Inc
Original Assignee
LogMeIn Inc
Priority date
Filing date
Publication date
Application filed by LogMeIn Inc
Priority to US17/029,008
Publication of US20210073373A1
Assigned to BARCLAYS BANK PLC reassignment BARCLAYS BANK PLC FIRST LIEN PATENT SECURITY AGREEMENT Assignors: LASTPASS US LP
Assigned to LOGMEIN, INC. reassignment LOGMEIN, INC. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: SIEGRIST, JOSEPH
Assigned to LASTPASS US LP reassignment LASTPASS US LP ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: LOGMEIN USA, INC.
Assigned to LOGMEIN USA, INC. reassignment LOGMEIN USA, INC. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: LOGMEIN, INC.
Assigned to BARCLAYS BANK PLC, AS COLLATERAL AGENT reassignment BARCLAYS BANK PLC, AS COLLATERAL AGENT SECURITY INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: GOTO COMMUNICATIONS, INC., GOTO GROUP, INC.,, LASTPASS US LP
Assigned to U.S. BANK TRUST COMPANY, NATIONAL ASSOCIATION, AS THE NOTES COLLATERAL AGENT reassignment U.S. BANK TRUST COMPANY, NATIONAL ASSOCIATION, AS THE NOTES COLLATERAL AGENT SECURITY INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: GOTO COMMUNICATIONS, INC.,, GOTO GROUP, INC., A, LASTPASS US LP,
Assigned to U.S. BANK TRUST COMPANY, NATIONAL ASSOCIATION, AS THE NOTES COLLATERAL AGENT reassignment U.S. BANK TRUST COMPANY, NATIONAL ASSOCIATION, AS THE NOTES COLLATERAL AGENT SECURITY INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: GOTO COMMUNICATIONS, INC., GOTO GROUP, INC., LASTPASS US LP
Assigned to LASTPASS US LP reassignment LASTPASS US LP TERMINATION AND RELEASE OF SECURITY INTEREST IN PATENTS (REEL/FRAME 058708/0615) Assignors: BARCLAYS BANK PLC, AS COLLATERAL AGENT

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/45 Structures or tools for the administration of authentication
    • G06F21/46 Structures or tools for the administration of authentication by designing passwords or checking the strength of passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/0846 Network architectures or network communication protocols for network security for authentication of entities using passwords using time-dependent-passwords, e.g. periodically changing passwords
    • H04W12/0608
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H04W12/068 Authentication using credential vaults, e.g. password manager applications or one time password [OTP] applications
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/604 Tools and structures for managing or administering access control systems
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2131 Lost password, e.g. recovery of lost or forgotten passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/062 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying encryption of the keys
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/062 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party

Definitions

  • This disclosure relates generally to security technologies, products and services.
  • Password management is a well-developed art.
  • Password management products and services (such as LastPass®) provide Internet users with a single sign-on and access management service by which users can secure their passwords and simplify their online life.
  • an end user downloads LastPass and installs a local client on the user's computer or mobile device.
  • the LastPass client runs a browser plug-in (or other add-on).
  • the user then creates an account with the service, typically by providing the user's email address and selecting a strong master password.
  • the user signs in to the browser extension (or app), and then starts saving and auto-filling passwords for websites and web applications that the user commonly visits.
  • the LastPass service provides a vault where the user can add, view, manage and delete items saved to the service.
  • the user's passwords are stored in the vault as an encrypted blob at the server, and thus the service provider has zero knowledge of the user's actual passwords.
  • the password vault (the encrypted blob) is retrieved to the client and decrypted with the user's master password.
  • a password management service provides automated password management.
  • a method for automating password changes begins in response to a determination that automated password changes are authorized.
  • a data mining session is initiated.
  • a set of third party applications or sites are identified.
  • a password reset flow to one or more of the third party applications or sites is initiated by the service.
  • a determination is made whether a password reset confirmation link has been received by the service.
  • the service uses the password reset confirmation link to perform an automated password reset and thereby obtain a new user password for the application or site.
  • the set of third party applications or sites are identified from one of: a user e-mail in-box, a browser history, and a list of common or popular third party applications or sites.
  • the technique for automating password changes may be carried out directly by the service, or in association with the user. In the latter case, the password reset itself may be initiated from a user browser plug-in or add-in such that the new user passwords are then collected at the plug-in/add-in.
  • One application of the above-described technique provides a low-touch method of enabling a user to be on-boarded to the password management service.
  • This technique is sometimes referred to herein as “1-minute” user signup because very little effort is required of a new user beyond downloading the client and creating an account with the service.
  • FIG. 1 depicts the user signup technique of this disclosure.
  • a client 100 having a web browser (or the like), one or more email providers 102 , a service provider having an easy on-boarding application programming interface (API) 104 , and a provider site 106 (sometimes referred to herein as a third party “app” or “resource”).
  • the client typically is a laptop or desktop running a web browser, or a comparable mobile device (e.g., iPhone) enabled with a mobile app.
  • An email provider is an entity such as Google Gmail, Yahoo, Office365, or any other IMAP-compliant server.
  • the on-boarding API 104 is a service provider-based functionality that, as will be described, automatically searches the user's e-mail in-box (at a particular email provider 102 ) for known accounts and password reset URLs.
  • the service provider site 106 provides password management services.
  • a representative (but non-limiting) service provider is LastPass, which stores the user's password management vault encrypted.
  • at step (1), the end user authorizes himself or herself at the email provider and, in return, receives a token with which the API is able to read the user's in-box at the email provider. This operation is repeated for each of the other email providers.
  • the client (e.g., the LastPass client browser plug-in)
  • the client starts a session at the service provider API by sending the API one of the received token(s).
  • the API responds by queueing a message to a web job, which then starts scanning the user's in-box (at the particular email provider associated with the token) for known accounts. These are the user's accounts that require user credentials for access. Typically, the user will have a large number of accounts, presumably many of which are accessed with different passwords. LastPass provides the user a way to organize those passwords into the password management vault, but as noted, that on-boarding process is time-consuming, especially for mobile-first users.
  • the email scanning of the e-mail account is run as a background task, as it may take some time depending on the size of the user's in-box.
  • the API returns a session ID to the client plug-in, and that session ID is then used by the client to check on the status of the scanning operation.
  • the client begins polling the API for the scanning status.
  • the API returns to the client a list of the accounts that have been found by the scanning process. Accounts preferably are returned to the client plug-in as they are discovered, although this is not required (they may be provided in batch at the end of the scan).
  • this list of accounts is displayed to the user and, in response, he or she can select those items that he or she would like to reset and thus save to the user's password management vault that is protected by the user's master password.
  • a password reset request script is then executed, one-by-one, for each of the selections made by the user. (As an alternative, the password reset request script may be executed for all returned accounts unless the user opts-out with respect to one of his or her accounts).
  • the client plug-in sends requests to the API to check whether reset URLs (confirmation links) have arrived in the user's email in-box at the email service provider (for each of the selected accounts).
  • the client plug-in is able to do so because the API-email service provider session (represented by the token) is still open. If a confirmation link has been received in the user's in-box, the API retrieves it and passes it to the plug-in. The routine continues at step (8) with the client plug-in following the confirmation link and executing the password reset script for the particular third party application or site. At step (9), the newly-generated password (for that application or site) is then saved to the password management vault 108. As noted above, this vault is later saved as an encrypted blob at the service provider; it can only be decrypted locally by the user entering his or her master password.
  • the service provider API closes the session.
  • the API revokes the token and clears it from its cache to complete the process. Once the token is cleared, it cannot be reused, thereby providing the user an assurance that the service provider cannot access the user's in-box for any other purpose.
  • the service provider API establishes a secure session to an email service provider of the user (or each of them).
  • the API scans the user's in-box at the email service provider and mines the browser history, searching for accounts (or, more generally, prior activities of the user) that the user has accessed previously. These are typically accounts with which the user has an existing credential and that are candidates for an automated password reset flow. As the API identifies the candidates, they are identified to the user. The user then selects which of the identified accounts are to be subjected to the password reset flow. After the user makes this selection, his or her involvement is complete.
  • an automated password reset flow is initiated.
  • the password reset flow includes delivery of a password reset confirmation link (e.g., “forgotten password? Click here”) being sent to the user's email in-box.
  • the service provider provides the link (from the confirmation) to the client browser plug-in (or add-on), which then initiates the reset from the browser (or other add-on).
  • the resulting password is then saved in the user's vault. The same functionality is carried out concurrently for the other accounts and, as a result, the vault is populated.
  • the password management service may provide the automated user password changes (for which it is responsible) without direct interaction with the user.
  • the password management service may initiate the data mining session(s) (e.g., to the user's email providers) to collect the information identifying accounts of the user associated with third party applications or sites.
  • the approach herein may also be used by the password management service to obtain for the user passwords for one or more third party applications or sites for which the user does not then have an existing account.
  • an end user need not be involved in the process flow, e.g., by providing the password reset flow authorization with respect to a particular third party application or site. Rather, the end user can merely provide a general authorization to the password management service to perform the automatic user password changes.
  • a password “change” as provided for herein typically involves change of an existing user password to a new user password, but this is not a limitation.
  • a password “change” may also refer to the instantiation of a user password in the first instance, e.g., with respect to a third party application or site that the user does not then have a password.
  • a password “change” may also refer to the creation of a user password at a time following expiration of a prior password.
  • the password management service is provided by a cloud service provider, such as LogMeIn LastPass.
  • the cloud service provider provides the password management described herein as a cloud service, together with the browser plug-in (which, for example, the user may obtain by way of a download).
  • a user registers with the service to obtain the described automated password change management service, and the service typically provides the user with various service configuration options (e.g., how often to change passwords, the source(s) of the data mining, and so forth).
  • the technique herein may even be used as a generic login mechanism, wherein a user uses the password reset flow every time to login.
  • the approach herein may be used to essentially automate that flow.
  • every time the user goes to login a password reset is done, the email collected, and a new random password is used to log the user in.
  • storage of the changed password is then unnecessary, and thus this approach may have value to such users, as the system would never store their passwords.
  • the cloud service is a technology platform that may comprise co-located hardware and software resources, or resources that are physically, logically, virtually and/or geographically distinct.
  • Communication networks used to communicate to and from the platform services may be packet-based, non-packet based, and secure or non-secure, or some combination thereof.
  • the cloud service comprises a set of one or more computing-related entities (systems, machines, processes, programs, libraries, functions, or the like) that together facilitate or provide the described functionality described above.
  • a representative machine on which the software executes comprises commodity hardware, an operating system, an application runtime environment, and a set of applications or processes and associated data, that provide the functionality of a given system or subsystem.
  • the functionality may be implemented in a standalone machine, or across a distributed set of machines.
  • Representative client entities include laptops, desktops, workstations, other mobile devices or machines associated with such other mobile devices, and the like.
  • the service provider is a password management service such as LastPass® that has been augmented with the functions described.
  • the computing entity on which the browser and its associated browser plug-in run may be any network-accessible computing entity that is other than the mobile device that runs the authenticator app itself.
  • Representative entities include laptops, desktops, workstations, other mobile devices or machines associated with such other mobile devices, and the like.
  • This apparatus may be specially constructed for the required purposes, or it may comprise a general-purpose computer selectively activated or reconfigured by a computer program stored in the computer.
  • a computer program may be stored in a computer readable storage medium, such as, but not limited to, any type of disk including an optical disk, a CD-ROM, and a magnetic-optical disk, a read-only memory (ROM), a random access memory (RAM), a magnetic or optical card, or any type of media suitable for storing electronic instructions, each coupled to a computer system bus.
  • the techniques herein provide for improvements to technology or technical field, namely, cloud-based access control, as well as improvements to various technologies such as password management mechanisms, all as described.

Abstract

A password management service provides automated password management. In one embodiment, a method for automating password changes begins in response to a determination that automated password changes are authorized. In response, a data mining session is initiated. Within the data mining session, a set of third party applications or sites are identified. Then, and responsive to receipt of a password reset flow authorization, a password reset flow to one or more of the third party applications or sites is initiated by the service. Thereafter, and still within the data mining session, and for each of the one or more third party applications or sites, a determination is made whether a password reset confirmation link has been received by the service. In response to a determination that a password reset confirmation link has been received for a given third party application or site, the service uses the password reset confirmation link to perform an automated password reset and thereby obtain a new user password for the application or site.

Description

  • BACKGROUND
  • Technical Field
  • This disclosure relates generally to security technologies, products and services.
  • Background of the Related Art
  • Password management is a well-developed art. Password management products and services (such as LastPass®) provide Internet users with a single sign-on and access management service by which users can secure their passwords and simplify their online life. To use the service, an end user downloads LastPass and installs a local client on the user's computer or mobile device. Typically, the LastPass client runs a browser plug-in (or other add-on). The user then creates an account with the service, typically by providing the user's email address and selecting a strong master password. The user then signs in to the browser extension (or app), and then starts saving and auto-filling passwords for websites and web applications that the user commonly visits. The LastPass service provides a vault where the user can add, view, manage and delete items saved to the service. The user's passwords are stored in the vault as an encrypted blob at the server, and thus the service provider has zero knowledge of the user's actual passwords. The password vault (the encrypted blob) is retrieved to the client and decrypted with the user's master password.
  • While the service provides significant advantages, on-boarding new users sometimes is time-consuming, especially for mobile-first users that do not want to have to repeatedly enter information required to save the user's passwords. The on-boarding difficulties are exacerbated when the user has a large number of accounts.
  • BRIEF SUMMARY
  • A password management service provides automated password management. In one embodiment, a method for automating password changes begins in response to a determination that automated password changes are authorized. In response, a data mining session is initiated. Within the data mining session, a set of third party applications or sites are identified. Then, and responsive to receipt of a password reset flow authorization, a password reset flow to one or more of the third party applications or sites is initiated by the service. Thereafter, and still within the data mining session, and for each of the one or more third party applications or sites, a determination is made whether a password reset confirmation link has been received by the service. In response to a determination that a password reset confirmation link has been received for a given third party application or site, the service uses the password reset confirmation link to perform an automated password reset and thereby obtain a new user password for the application or site. Typically, the set of third party applications or sites are identified from one of: a user e-mail in-box, a browser history, and a list of common or popular third party applications or sites. The technique for automating password changes may be carried out directly by the service, or in association with the user. In the latter case, the password reset itself may be initiated from a user browser plug-in or add-in such that the new user passwords are then collected at the plug-in/add-in.
  • One application of the above-described technique provides a low-touch method of enabling a user to be on-boarded to the password management service. This technique is sometimes referred to herein as “1-minute” user signup because very little effort is required of a new user beyond downloading the client and creating an account with the service.
  • The foregoing has outlined some of the more pertinent features of the subject disclosure. These features should be construed to be merely illustrative. Many other beneficial results can be attained by applying the disclosed subject matter in a different manner or by modifying the subject matter as will be described.
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • For a more complete understanding of the disclosed subject matter and the advantages thereof, reference is now made to the following descriptions taken in conjunction with the accompanying drawings, in which:
  • FIG. 1 depicts the user signup technique of this disclosure.
  • DETAILED DESCRIPTION OF AN ILLUSTRATIVE EMBODIMENT
  • Typically, and in one use case as seen in the FIGURE, there are four (4) participants, namely, a client 100 having a web browser (or the like), one or more email providers 102, a service provider having an easy on-boarding application programming interface (API) 104, and a provider site 106 (sometimes referred to herein as a third party “app” or “resource”). The client typically is a laptop or desktop running a web browser, or a comparable mobile device (e.g., iPhone) enabled with a mobile app. An email provider is an entity such as Google Gmail, Yahoo, Office365, or any other IMAP-compliant server. The on-boarding API 104 is a service provider-based functionality that, as will be described, automatically searches the user's e-mail in-box (at a particular email provider 102) for known accounts and password reset URLs. The service provider site 106 provides password management services. A representative (but non-limiting) service provider is LastPass, which stores the user's password management vault encrypted.
  • The following provides a detailed explanation of a preferred flow for the 1-minute signup service of this disclosure. At step (1), the end user authorizes himself or herself at the email provider and, in return, receives a token with which the API is able to read the user's in-box at the email provider. This operation is repeated for each of the other email providers. (Different email providers may have different authentication requirements; thus, for example, in the Gmail case the user can authorize himself/herself by a simple OAuth flow, whereas with IMAP-based email the user has to pass credentials to each IMAP server). At step (2), the client (e.g., the LastPass client browser plug-in) starts a session at the service provider API by sending the API one of the received token(s). For each such token, the API responds by queueing a message to a web job, which then starts scanning the user's in-box (at the particular email provider associated with the token) for known accounts. These are the user's accounts that require user credentials for access. Typically, the user will have a large number of accounts, presumably many of which are accessed with different passwords. LastPass provides the user a way to organize those passwords into the password management vault, but as noted, that on-boarding process is time-consuming, especially for mobile-first users.
  • Preferably, the email scanning of the e-mail account is run as a background task, as it may take some time depending on the size of the user's in-box. To this end, the API returns a session ID to the client plug-in, and that session ID is then used by the client to check on the status of the scanning operation. Thus, for example, at step (3), the client begins polling the API for the scanning status. At the end of the scanning process, and at step (4), the API returns to the client a list of the accounts that have been found by the scanning process. Accounts preferably are returned to the client plug-in as they are discovered, although this is not required (they may be provided in batch at the end of the scan). At step (5), this list of accounts is displayed to the user and, in response, he or she can select those items that he or she would like to reset and thus save to the user's password management vault that is protected by the user's master password. At step (6), a password reset request script is then executed, one-by-one, for each of the selections made by the user. (As an alternative, the password reset request script may be executed for all returned accounts unless the user opts-out with respect to one of his or her accounts). At step (7), the client plug-in sends requests to the API to check whether reset URLs (confirmation links) have arrived in the user's email in-box at the email service provider (for each of the selected accounts). The client plug-in is able to do so because the API-email service provider session (represented by the token) is still open. If a confirmation link has been received in the user's in-box, the API retrieves it and passes it to the plug-in. The routine continues at step (8) with the client plug-in follows the confirmation link and executes the password reset script for the particular third party application or site. 
At step (9), the newly-generated password (for that application or site) is then saved to the password management vault 108. As noted above, this vault is later saved as an encrypted blob at the service provider; it can only be decrypted locally by the user entering his or her master password. At step (10), and after all the password reset(s) have been executed, the service provider API closes the session. At step (11), the API revokes the token and clears it from its cache to complete the process. Once the token has been revoked and cleared, it cannot be reused, thereby providing the user an assurance that the service provider cannot access the user's in-box for any other purpose.
  • Thus, according to the technique, and with the user's permission, the service provider API establishes a secure session to an email service provider of the user (or to each of them). The API scans the user's in-box at the email service provider and mines the browser history, searching for accounts (or, more generally, prior activities of the user) that the user has accessed previously. These are typically accounts with which the user has an existing credential and that are candidates for an automated password reset flow. As the API identifies the candidates, they are presented to the user. The user then selects which of the identified accounts are to be subjected to the password reset flow. After the user makes this selection, his or her involvement is complete. In response to receipt by the service provider API of a password reset flow authorization from the user (the user having made a selection in the plug-in or add-on), an automated password reset flow is initiated. The password reset flow includes delivery of a password reset confirmation link (e.g., “forgotten password? Click here”) to the user's email in-box. Because the service provider session (as represented by the token) is still on-going and open, the service provider API sees that the password reset confirmation link has arrived. The service provider provides the link (from the confirmation) to the client browser plug-in (or add-on), which then initiates the reset from the browser (or other add-on). The resulting password is then saved in the user's vault. The same functionality is carried out concurrently for the other accounts and, as a result, the vault is populated.
  • The above-described scenario is merely representative of one use case. The basic technique may be generalized in many respects, as is now described.
  • There is no requirement that the technique be implemented by the password management service interacting directly with the end user's browser plug-in or add-on, although that will be a typical implementation. Rather, in the more general case, the password management service may provide the automated user password changes (for which it is responsible) without direct interaction with the user. Thus, for example, provided the automated password changes are authorized (e.g., by the user in advance, or by some other authorization), the password management service may initiate the data mining session(s) (e.g., to the user's email providers) to collect the information identifying accounts of the user associated with third party applications or sites. More generally, it is not even required that the data mining session search for accounts of the user that exist presently; indeed, the approach herein may also be used by the password management service to obtain for the user passwords for one or more third party applications or sites for which the user does not then have an existing account. Further, an end user need not be involved in the process flow, e.g., by providing the password reset flow authorization with respect to a particular third party application or site. Rather, the end user can merely provide a general authorization to the password management service to perform the automatic user password changes. This general authorization may be provided to the management service when the user registers for the service, thereafter upon the user's specified request, or in response to a user authorization following some particular event or occurrence (e.g., receipt of a notification that the third party application or site has been subjected to a potential compromise). Thus, according to a more generalized scheme of this disclosure, a password management service provides automated password management. 
In one embodiment, a method for automating password changes begins in response to a determination that automated password changes are authorized. In response, a data mining session is initiated. Within the data mining session, a set of third party applications or sites are identified. Then, and responsive to receipt of a password reset flow authorization, a password reset flow to one or more of the third party applications or sites is initiated by the service. Thereafter, and still within the data mining session, and for each of the one or more third party applications or sites, a determination is made whether a password reset confirmation link has been received by the service. In response to a determination that a password reset confirmation link has been received for a given third party application or site, the service uses the password reset confirmation link to perform an automated password reset and thereby obtain a new user password for the application or site. Typically, the set of third party applications or sites are identified from one of: a user e-mail in-box, a browser history, and a list of common or popular third party applications or sites. The technique for automating password changes may be carried out directly by the service, or in association with the user. In the latter case, the password reset itself may be initiated from a user browser plug-in or add-in such that the new user passwords are then collected at the plug-in/add-in.
  • A password “change” as provided for herein typically involves change of an existing user password to a new user password, but this is not a limitation. A password “change” may also refer to the instantiation of a user password in the first instance, e.g., for a third party application or site for which the user does not then have a password. A password “change” may also refer to the creation of a user password at a time following expiration of a prior password. Typically, the password management service is provided by a cloud service provider, such as LogMeIn LastPass. The cloud service provider provides the password management described herein as a cloud service, together with the browser plug-in (which, for example, the user may obtain by way of a download). A user registers with the service to obtain the described automated password change management service, and the service typically provides the user with various service configuration options (e.g., how often to change passwords, the source(s) of the data mining, and so forth).
  • As another use case, the technique herein may even be used as a generic login mechanism, wherein a user goes through the password reset flow every time he or she logs in. In particular, there are users who (for various reasons) go through the password reset flow on every login, and the approach herein may be used to automate that flow. Thus, every time the user goes to log in, a password reset is requested, the confirmation email is collected, and a new random password is used to log the user in. In this variant, storage of the changed password is unnecessary, and thus this approach may have value to such users, as the system would never store their passwords.
  • Generalizing, the cloud service is a technology platform that may comprise co-located hardware and software resources, or resources that are physically, logically, virtually and/or geographically distinct. Communication networks used to communicate to and from the platform services may be packet-based, non-packet based, and secure or non-secure, or some combination thereof.
  • More generally, the cloud service comprises a set of one or more computing-related entities (systems, machines, processes, programs, libraries, functions, or the like) that together facilitate or provide the functionality described above. In a typical implementation, a representative machine on which the software executes comprises commodity hardware, an operating system, an application runtime environment, and a set of applications or processes and associated data, that provide the functionality of a given system or subsystem. As described, the functionality may be implemented in a standalone machine, or across a distributed set of machines.
  • Other Enabling Technologies
  • Representative client entities include laptops, desktops, workstations, other mobile devices or machines associated with such other mobile devices, and the like. The service provider is a password management service such as LastPass® that has been augmented with the functions described.
  • The computing entity on which the browser and its associated browser plug-in run may be any network-accessible computing entity. Representative entities include laptops, desktops, workstations, mobile devices or machines associated with such mobile devices, and the like.
  • While the above describes a particular order of operations performed by certain embodiments of the invention, it should be understood that such order is exemplary, as alternative embodiments may perform the operations in a different order, combine certain operations, overlap certain operations, or the like. References in the specification to a given embodiment indicate that the embodiment described may include a particular feature, structure, or characteristic, but every embodiment may not necessarily include the particular feature, structure, or characteristic.
  • While the disclosed subject matter has been described in the context of a method or process, the subject disclosure also relates to apparatus for performing the operations herein. This apparatus may be specially constructed for the required purposes, or it may comprise a general-purpose computer selectively activated or reconfigured by a computer program stored in the computer. Such a computer program may be stored in a computer readable storage medium, such as, but not limited to, any type of disk including an optical disk, a CD-ROM, and a magneto-optical disk, a read-only memory (ROM), a random access memory (RAM), a magnetic or optical card, or any type of media suitable for storing electronic instructions, each coupled to a computer system bus.
  • While given components of the system have been described separately, one of ordinary skill will appreciate that some of the functions may be combined or shared in given instructions, program sequences, code portions, and the like.
  • The described commercial products, systems and services are provided for illustrative purposes only and are not intended to limit the scope of this disclosure.
  • The techniques herein provide for improvements to technology or technical field, namely, cloud-based access control, as well as improvements to various technologies such as password management mechanisms, all as described.

Claims (22)

Having described my invention, what I claim is as follows:
1. A method to automate password changes in a password management service, comprising:
responsive to a determination that automated password changes are authorized, initiating a data mining session;
within the data mining session, identifying a set of third party applications or sites;
responsive to receipt of a password reset flow authorization, automatically initiating a password reset flow to one or more of the third party applications or sites;
within the data mining session, and for each of the one or more third party applications or sites, determining whether a password reset confirmation link has been received; and
responsive to a determination that a password reset confirmation link has been received for a given third party application or site, using the password reset confirmation link to perform an automated password reset and thereby obtain a new user password.
2. The method as described in claim 1 wherein the set of third party applications or sites are identified from one of: a user e-mail in-box, a browser history, and a list of common or popular third party applications or sites.
3. The method as described in claim 1 wherein a data mining session is initiated with at least one email provider associated with the user.
4. The method as described in claim 1 wherein the password reset confirmation link is provided to a browser plug-in or add-on to facilitate the automated password reset from the browser plug-in or add-on.
5. The method as described in claim 1 further including storing the new user passwords in a password management vault associated with the user.
6. The method as described in claim 1 further including:
exposing at least one third party application or site to a user as a potential candidate for password reset; and
receiving the password reset flow authorization from the user.
7. The method as described in claim 6 further including closing the data mining session upon completion of the automated password reset for each of the third party applications or sites for which the user has provided a password reset flow authorization.
8. The method as described in claim 6 wherein the third party application or site is exposed to the user as it is discovered during the data mining session.
9. The method as described in claim 5 further including storing the password management vault as an encrypted blob at the password management service.
10. The method as described in claim 1 wherein the user is a mobile device user.
11. Apparatus, comprising:
a hardware processor;
computer memory holding computer program instructions to provide automated password management, the computer program instructions operative:
in response to a determination that automated password changes are authorized, to initiate a data mining session;
within the data mining session, to identify a set of third party applications or sites;
in response to receipt of a password reset flow authorization, to initiate a password reset flow to one or more of the third party applications or sites;
within the data mining session, and for each of the one or more third party applications or sites, to determine whether a password reset confirmation link has been received; and
in response to a determination that a password reset confirmation link has been received for a given third party application or site, to obtain a new user password for the application or site using the password reset confirmation link to perform an automated password reset.
12. The apparatus as described in claim 11 wherein the set of third party applications or sites are identified from one of: a user e-mail in-box, a browser history, and a list of common or popular third party applications or sites.
13. The apparatus as described in claim 11 wherein a data mining session is initiated with at least one email provider associated with the user.
14. The apparatus as described in claim 11 wherein the computer program instructions are further operative to provide the password reset confirmation link to a browser plug-in or add-on to facilitate the automated password reset from the browser plug-in or add-on.
15. The apparatus as described in claim 11 wherein the computer program instructions are further operative to store the new user passwords in a password management vault associated with the user.
16. The apparatus as described in claim 11 wherein the computer program instructions are further operative to:
expose at least one third party application or site to a user as a potential candidate for password reset; and
receive the password reset flow authorization from the user.
17. The apparatus as described in claim 16 wherein the computer program instructions are further operative to close the data mining session upon completion of the automated password reset for each of the third party applications or sites for which the user has provided a password reset flow authorization.
18. The apparatus as described in claim 16 wherein the third party application or site is exposed to the user as it is discovered during the data mining session.
19. The apparatus as described in claim 15 wherein the computer program instructions are operative to store the password management vault as an encrypted blob.
20. Software-as-a-service system for password change management, comprising:
a network-accessible cloud service having a data repository; and
a browser plug-in or add-in configured to be executed in an end user computing system distinct from the network-accessible cloud service;
the network-accessible cloud service operative in response to a determination that automated password changes are authorized:
to initiate a data mining session;
within the data mining session, to identify a set of third party applications or sites;
in response to receipt of a password reset flow authorization, to initiate a password reset flow to one or more of the third party applications or sites;
within the data mining session, and for each of the one or more third party applications or sites, to determine whether a password reset confirmation link has been received; and
in response to a determination that a password reset confirmation link has been received for a given third party application or site, to provide the password reset confirmation link to the browser plug-in or add-in.
21. The system as described in claim 20 wherein the browser plug-in or add-in uses the password reset confirmation link to obtain a new user password for the application or site.
22. The system as described in claim 20 wherein the data repository stores passwords of a user, the passwords being stored as an encrypted blob.

Priority Applications (1)

Application Number Priority Date Filing Date Title
US17/029,008 US20210073373A1 (en) 2016-06-30 2020-09-22 Automating password change management

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US201662356948P 2016-06-30 2016-06-30
US15/637,391 US10783238B2 (en) 2016-06-30 2017-06-29 Automating password change management
US17/029,008 US20210073373A1 (en) 2016-06-30 2020-09-22 Automating password change management

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US15/637,391 Continuation US10783238B2 (en) 2016-06-30 2017-06-29 Automating password change management

Publications (1)

Publication Number Publication Date
US20210073373A1 true US20210073373A1 (en) 2021-03-11

Family

ID=60807428

Family Applications (2)

Application Number Title Priority Date Filing Date
US15/637,391 Active 2037-09-30 US10783238B2 (en) 2016-06-30 2017-06-29 Automating password change management
US17/029,008 Abandoned US20210073373A1 (en) 2016-06-30 2020-09-22 Automating password change management

Family Applications Before (1)

Application Number Title Priority Date Filing Date
US15/637,391 Active 2037-09-30 US10783238B2 (en) 2016-06-30 2017-06-29 Automating password change management

Country Status (1)

Country Link
US (2) US10783238B2 (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10614208B1 (en) 2019-02-21 2020-04-07 Capital One Services, Llc Management of login information affected by a data breach
US11030299B1 (en) * 2020-01-27 2021-06-08 Capital One Services, Llc Systems and methods for password managers
CN111984964B (en) * 2020-08-20 2024-02-02 成都安恒信息技术有限公司 Selenium-based web application decryption method

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9195834B1 (en) * 2007-03-19 2015-11-24 Ravenwhite Inc. Cloud authentication

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8078881B1 (en) * 2004-11-12 2011-12-13 Liu Gary G Password resetting method
US9424552B2 (en) * 2012-08-06 2016-08-23 International Business Machines Corporation Managing website registrations
US10230736B2 (en) * 2015-01-21 2019-03-12 Onion ID Inc. Invisible password reset protocol
US9824208B2 (en) * 2015-07-06 2017-11-21 Unisys Corporation Cloud-based active password manager

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9195834B1 (en) * 2007-03-19 2015-11-24 Ravenwhite Inc. Cloud authentication

Also Published As

Publication number Publication date
US20180004935A1 (en) 2018-01-04
US10783238B2 (en) 2020-09-22

Similar Documents

Publication Publication Date Title
US10075429B2 (en) Policy-based compliance management and remediation of devices in an enterprise system
US10666643B2 (en) End user initiated access server authenticity check
US10643149B2 (en) Whitelist construction
US11962593B2 (en) Identity management connecting principal identities to alias identities having authorization scopes
US9882885B2 (en) Systems and methods for login and authorization
US20210073373A1 (en) Automating password change management
US8544072B1 (en) Single sign-on service
US10587697B2 (en) Application-specific session authentication
US20210081524A1 (en) Systems and methods of establishing secure passwords using real-time dynamic feedback.
US11762979B2 (en) Management of login information affected by a data breach
WO2018035002A1 (en) Protection feature for data stored at storage service
US20170357799A1 (en) Tracking and managing multiple time-based one-time password (TOTP) accounts
US9165207B2 (en) Screenshot orientation detection
US20210168140A1 (en) System and Method for Automatically Registering a Verified Identity in an On-Line Environment
US20190372959A1 (en) Techniques for authentication using push notifications
EP3827362A1 (en) Web browser incorporating social and community features
WO2023272419A1 (en) Virtual machine provisioning and directory service management
US11343242B2 (en) Dynamic connection across systems in real-time
US20150007292A1 (en) User authentication utilizing patterns
US20240146737A1 (en) Authentication service for automated distribution and revocation of shared credentials
CN115834252A (en) Service access method and system

Legal Events

Date Code Title Description
STPP Information on status: patent application and granting procedure in general. Free format text: APPLICATION DISPATCHED FROM PREEXAM, NOT YET DOCKETED
STPP Information on status: patent application and granting procedure in general. Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION
AS Assignment. Owner name: BARCLAYS BANK PLC, NEW YORK. Free format text: FIRST LIEN PATENT SECURITY AGREEMENT;ASSIGNOR:LASTPASS US LP;REEL/FRAME:058708/0615. Effective date: 20211231
AS Assignment. Owner name: LOGMEIN, INC., MASSACHUSETTS. Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:SIEGRIST, JOSEPH;REEL/FRAME:058787/0356. Effective date: 20170629
AS Assignment. Owner name: LASTPASS US LP, MASSACHUSETTS. Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:LOGMEIN USA, INC.;REEL/FRAME:058848/0235. Effective date: 20220201
AS Assignment. Owner name: LOGMEIN USA, INC., MASSACHUSETTS. Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:LOGMEIN, INC.;REEL/FRAME:058847/0907. Effective date: 20220201
STPP Information on status: patent application and granting procedure in general. Free format text: NON FINAL ACTION MAILED
STPP Information on status: patent application and granting procedure in general. Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER
STPP Information on status: patent application and granting procedure in general. Free format text: FINAL REJECTION MAILED
STPP Information on status: patent application and granting procedure in general. Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION
STPP Information on status: patent application and granting procedure in general. Free format text: NON FINAL ACTION MAILED
AS Assignment. Owner name: BARCLAYS BANK PLC, AS COLLATERAL AGENT, UNITED KINGDOM. Free format text: SECURITY INTEREST;ASSIGNORS:GOTO GROUP, INC.,;GOTO COMMUNICATIONS, INC.;LASTPASS US LP;REEL/FRAME:066508/0443. Effective date: 20240205
AS Assignment. Owner name: U.S. BANK TRUST COMPANY, NATIONAL ASSOCIATION, AS THE NOTES COLLATERAL AGENT, MINNESOTA. Free format text: SECURITY INTEREST;ASSIGNORS:GOTO COMMUNICATIONS, INC.,;GOTO GROUP, INC., A;LASTPASS US LP,;REEL/FRAME:066614/0402. Effective date: 20240205
AS Assignment. Owner name: U.S. BANK TRUST COMPANY, NATIONAL ASSOCIATION, AS THE NOTES COLLATERAL AGENT, MINNESOTA. Free format text: SECURITY INTEREST;ASSIGNORS:GOTO COMMUNICATIONS, INC.;GOTO GROUP, INC.;LASTPASS US LP;REEL/FRAME:066614/0355. Effective date: 20240205
STCB Information on status: application discontinuation. Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION
AS Assignment. Owner name: LASTPASS US LP, MASSACHUSETTS. Free format text: TERMINATION AND RELEASE OF SECURITY INTEREST IN PATENTS (REEL/FRAME 058708/0615);ASSIGNOR:BARCLAYS BANK PLC, AS COLLATERAL AGENT;REEL/FRAME:066800/0140. Effective date: 20240313