WO2016122441A1 - Authentification d'un utilisateur - Google Patents

Authentification d'un utilisateur Download PDF

Info

Publication number
WO2016122441A1
WO2016122441A1 PCT/US2015/012895 US2015012895W WO2016122441A1 WO 2016122441 A1 WO2016122441 A1 WO 2016122441A1 US 2015012895 W US2015012895 W US 2015012895W WO 2016122441 A1 WO2016122441 A1 WO 2016122441A1
Authority
WO
WIPO (PCT)
Prior art keywords
user
questions
data
risk level
answers
Prior art date
Application number
PCT/US2015/012895
Other languages
English (en)
Inventor
Jian John WEI
Satwant Kaur
Original Assignee
Hewlett Packard Enterprise Development Lp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hewlett Packard Enterprise Development Lp filed Critical Hewlett Packard Enterprise Development Lp
Priority to PCT/US2015/012895 priority Critical patent/WO2016122441A1/fr
Publication of WO2016122441A1 publication Critical patent/WO2016122441A1/fr

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/40User authentication by quorum, i.e. whereby two or more security principals are required
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083Network architectures or network communication protocols for network security for authentication of entities using passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/082Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying multi-factor authentication

Definitions

  • Passwords are often used to authenticate a user prior to allowing the user access to a system, such as a computer network, a bank account, an email account, etc.
  • a system such as a computer network, a bank account, an email account, etc.
  • passwords to comply with increasingly complex password schemas, such as requiring a password to be at least eight characters long, using a combination of upper and lower case letters, avoiding words used in past passwords or common expressions, and including special characters.
  • These password schemas degrade the ability of users to remember truly unique passwords in large numbers.
  • Figure 1 is a block diagram illustrating one example of a system.
  • Figure 2 is a sequence diagram illustrating one example of the operation of the system of Figure 1 .
  • FIG. 3 is a block diagram illustrating one example of a processing system for implementing an authentication system.
  • Figure 4 is a flow diagram illustrating one example of a method for authenticating a user.
  • the authentication mechanism can improve the end user experience and confidence in the authentication mechanism without users having to remember increasingly complex and different passwords.
  • the authentication mechanism authenticates a user based on correlating user responses to a set of questions randomly generated based on dynamic information.
  • the dynamic information is naturally generated by the user in their daily interactions and stored as user data records.
  • the dynamic information can be broadly grouped into three categories including:
  • the disclosed authentication mechanism is natural, constantly changing, and self-healing.
  • FIG. 1 is a block diagram illustrating one example of a system 100.
  • System 100 includes a user 102, an authentication system 108, information sources 136I-136N, where "N" is any suitable number of information sources, and customer identity and event sources 140.
  • Authentication system 108 includes a natural chat interface 1 10, a risk engine 1 12, an automated chat agent 120, a randomizer 124, a repository 128, and a connector framework 132.
  • User 102 is communicatively coupled to natural chat interface 1 10 through a communication path 104 (e.g., a computer network, a cellular telephone network, the Internet) and to customer identity and event sources 140 through a link 106 (e.g., interactions).
  • a communication path 104 e.g., a computer network, a cellular telephone network, the Internet
  • customer identity and event sources 140 e.g., interactions
  • link 106 e.g., interactions
  • Risk engine 1 12 is commutatively coupled to automated chat agent 120 through a communication path 1 18.
  • Automated chat agent 120 is communicatively coupled to randomizer 124 through a communication path 122 and to repository 128 through a communication path 126.
  • Repository 128 is communicatively coupled to connector framework 132 through a communication path 130.
  • Connector framework 132 is communicatively coupled to information sources 136I-136N through communication paths 134i-134 N , respectively.
  • Information sources 136i-136 N are communicatively coupled to customer identity and event sources 140 through links 138I-138N (e.g., interactions with user 102), respectively.
  • information sources 136I-136N include a web service 136i , an email system 136 2 , an Open Database Connectivity (ODBC) and/or Java Database Connectivity (JDBC) system 136 3 , Extensible Markup Language (XML) and/or Comma-Separated Values (CSV) data sources 136 4 , a social media Application Programming Interface (API) 136 5 , and other suitable data sources such as indicated at 136N. While specific examples of information sources are illustrated in Figure 1 , any other suitable information sources may be used, such as building access systems, climate control systems, etc.
  • Natural chat interface 1 10 provides a user interface for interacting with user 102 via a user device (e.g., computer, smart phone, tablet), such as through a browser installed on the user device.
  • a user device e.g., computer, smart phone, tablet
  • natural chat interface 1 10 captures user profile data from the user device, such as the operating system (OS) of the user device, the browser being used by the user, the geo-location of the user device, and/or the user device type.
  • the user profile data is included in the authentication request.
  • Natural chat interface 1 10 sends the user profile data to risk engine 1 12 for evaluation and ultimately presents to the user a set of questions generated by automated chat agent 120 based on the evaluated risk.
  • Natural chat interface 1 10 captures the user's answers to the questions for evaluation by automated chat agent 120.
  • Risk engine 1 12 compares the user profile data received from the user device to historical user profile data previously captured by authentication system 108 during previous requests for access and determines a risk level. For example, for a user that usually accesses the system from Michigan, using an HP Slate 7 Extreme, on Android 4.4.2., if the user conforms to this pattern, risk engine 1 12 would deem the access request to be low risk. In this case, low risk will lead to automated chat agent 120 generating a smaller number of questions covering events over a more recent span of time.
  • risk engine 1 12 would deem the access request as high risk based on the degree of deviation to the usual pattern. In this case, high risk will lead to automated chat agent 120 generating a larger number of questions covering events over a greater span of time.
  • the total deviation of the user profile data from the historical user profile data may be calculated by summing the Relative Standard Deviation (RSD) for each risk factor (e.g., OS, browser, geo-location, device type).
  • RSD Relative Standard Deviation
  • the risk threshold may then be grouped for example into the following risk categories:
  • the threshold in sigma for each risk category may be configured based on a configuration file, table, or other suitable method.
  • risk engine 1 12 determines the number and difficultly of the questions to be asked.
  • a configurable mapping based on the sigma value of the user access request dictates the number of questions to ask, how far to go back in time with events, the mix of question types, and the threshold of correct answers for authentication.
  • a low sigma value signifies that the user access request is similar to past user access requests in terms of OS, browser, geo-location, and device type.
  • a sample configuration based on the sigma value is illustrated in the following table:
  • risk engine 1 12 determines the sigma value
  • risk engine 1 12 uses the configuration table to set the question count, question time span, question mix, and threshold of correct answers based on the sigma value.
  • Risk engine 1 12 sends the question count, question time span, question mix, and threshold of correct answers to automated chat agent 120.
  • Automated chat agent 120 generates a number of questions as indicated by the question count, question time span, and question mix from risk engine 1 12. Automated chat agent 120 generates questions and evaluates the match between the answers and the corresponding event information. The degree of match between the answers and the corresponding event information may be configured to result in authorization of access to the system, more questions being presented to the user before access to the system is granted, or blocking of access to the system.
  • Automated chat agent 120 may generate questions based on information about what the user has, what the user knows, and what the user is. These three general categories are further divided by event types, such as by the source of the information (e.g., each information source 136I-136N provides a different event type). Example information for each category is as follows:
  • Serial number of the company issued device e.g. laptop
  • Model of cell phone that was last used to access company network e.g. HTC One
  • automated chat agent 120 implements two loops, a first loop by event type and a second loop by question count.
  • randomizer 124 For each pass through the first loop, randomizer 124 generates a number between 0 and 1 , which is multiplied by the question mix count. The resulting number is rounded up and used as an index to randomly select an event type.
  • randomizer 124 For the second loop, which is a sub-loop of the first loop, randomizer 124 generates a number between 0 and 1 , which is multiplied by the question count. The resulting number is rounded up and used as an index to randomly select a particular event from the event type randomly selected in the first loop.
  • a question is generated for presentation to the user with the particular event data providing the correct answer to the question for comparison to the user's answer to the question.
  • Randomizer 124 generates random numbers to be used to randomly select past event information as the basis for questions to be generated by automated chat agent 120. Therefore, even if a hacker gains access to some confidential information of the user, the hacker will still be unable to gain guaranteed access to the system since the hacker will not know which event information will be selected for each access request.
  • Repository 128 is a knowledge base where the event information data of the users is stored. The data stored in repository 128 is normalized, indexed, and classified by type for selection by automated chat agent 120. In one example, repository 128 is implemented by a Storage Area Network (SAN) or other suitable data storage system.
  • SAN Storage Area Network
  • Connector framework 132 enables information from customer identity and event sources 140 to flow into repository 128 through information sources 136i-136N- The data may flow into repository 128 synchronously and/or asynchronously. Connector framework 132 receives, normalizes, and indexes the data for storage in repository 128. As a user interacts with information sources 136i-136 N , repository 128 is updated with new user records such that repository 128 provides a dynamic knowledge base.
  • FIG. 2 is a sequence diagram illustrating one example of the operation 200 of authentication system 100 of Figure 1 .
  • the operation of system 100 involves user 102, natural chat interface 1 10, risk engine 1 12, randomizer 124, repository 128, and automated chat agent 120.
  • user 102 logs on (i.e., requests access) to natural chat interface 1 10 as indicated by LOGON() at 202.
  • Natural chat interface 1 10 initiates a user device dump to capture user profile data such as the OS, geo-location, device type, and browser information as indicated by DEVICE_DUMP() at 204.
  • Natural chat interface 1 10 sends the user profile data to risk engine 1 12 for analysis as indicated by
  • Risk engine 1 12 determines a risk profile based on a comparison of the user profile data to the historical user profile data and informs automated chat agent 120 on the number of questions and degree of difficulty of the questions to generate as indicated by START_CHAT() at 208.
  • Automated chat agent 120 calls upon randomizer 124 to generate a random number as indicated by GET_RNDM#() at 210. Based on the random number, automated chat agent 120 randomly selects a set of event information from repository 128 as indicated by RTRVJ N FO(RN DM_#) at 212. Automated chat agent 120 selects a particular event from the event information as indicated by GET_INFO_TYPE() at 214 and generates a question as indicated by
  • Automated chat agent 120 sends the generated questions to natural chat interface 1 10 as indicated by ASK_QUESTION() at 218.
  • Natural chat interface 1 10 presents the questions to user 102, who reads the questions as indicated by RD_QUESTION() at 220. User 102 provides answers to the questions that are captured by natural chat interface 120 as indicated by CPTR_ANSWER() at 222. Natural chat interface 1 10 passes the answers to automated chat agent 120 for evaluation as indicated by
  • Automated chat agent 120 evaluates the match between the user's answers and the underlying event information to grant authorization as indicated by AUTHORIZE() as 226, to ask additional questions prior to granting access to the system, or to block access to the system.
  • FIG 3 is a block diagram illustrating one example of a processing system 300 for implementing an authentication system.
  • processing system 300 is used to implement system 100 previously described and illustrated with reference to Figure 1 .
  • Processing system 300 includes a processor 302, a memory 306, input devices 320, and output devices 322.
  • Processor 302, memory 306, input devices 320, and output devices 322 are communicatively coupled to each other through a communication path 304 (e.g., a bus).
  • a communication path 304 e.g., a bus
  • Processor 302 includes a Central Processing Unit (CPU) or another suitable processor.
  • memory 306 stores machine readable instructions executed by processor 302 for operating processing system 300.
  • Memory 306 includes any suitable combination of volatile and/or non-volatile memory, such as combinations of Random Access Memory (RAM), Read-Only Memory (ROM), flash memory, and/or other suitable memory.
  • Memory 306 stores repository 314 for use by processing system 300. Memory 306 also stores instructions to be executed by processor 302 including instructions for a natural chat interface 308, a risk engine 310, a randomizer 312, an automated chat agent 316, and a connector framework 318.
  • Processor 302 executes instructions of natural chat interface 308 to implement natural chat interface 1 10 previously described and illustrated with reference to Figures 1 and 2.
  • Processor 302 executes instructions of risk engine 310 to implement risk engine 1 12 previously described and illustrated with reference to Figures 1 and 2.
  • Processor 302 executes instructions of randomizer 312 to implement randomizer 124 previously described and illustrated with reference to Figures 1 and 2.
  • Processor 302 executes instructions of automated chat agent 316 to implement automated chat agent 120 previously described and illustrated with reference to Figures 1 and 2.
  • Processor 302 executes instructions of connector framework 318 to implement connector framework 132 previously described and illustrated with reference to Figure 1 .
  • Input devices 320 may include a keyboard, mouse, data ports, network adapters, and/or other suitable devices for inputting information into processing system 300. Input devices 320 may also be used to receive the data to be stored in repository 314 and to receive data from a user such as the user profile data and the user's answers to questions. Output devices 322 may include a monitor, speakers, data ports, network adapters, and/or other suitable devices for outputting information from processing system 300. In one example, output devices 316 are used to provide data to a user, such as the questions
  • FIG. 4 is a flow diagram illustrating one example of a method 400 for authenticating a user.
  • an authentication request is received from a user from a user device.
  • device data about the user device is retrieved.
  • Retrieving the device data may include retrieving a geolocation, a device type, and an operating system version of the user device.
  • a risk level of the user is determined based on the device data.
  • user records are randomly selected from a repository based on the risk level.
  • one or more questions are generated based on the selected user records. In one example, a greater number of questions are generated in response to a higher risk level and a lesser number of questions are generated in response to a lower risk level.
  • the user is asked the one or more questions.
  • answers to the one or more questions are received from the user.
  • the received answers are evaluated to determine a degree of match to the correct answer to each of the one or more questions.
  • the user is authenticated in response to receiving a correct answer to each of the one or more questions.
  • the user is authenticated in response to the degree of match for each of the one or more questions exceeding a threshold value.
  • the method may also include collecting user data from a plurality of different sources of different types, normalizing the collected user data, and storing the normalized user data in the repository.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

L'invention concerne, selon un exemple, un système d'authentification d'utilisateur qui reçoit une demande d'authentification en provenance d'un utilisateur. La demande d'authentification comprend des données de dispositif utilisateur. Le système détermine un niveau de risque de l'utilisateur sur la base des données de dispositif utilisateur et génère une ou plusieurs question(s) sur la base du niveau de risque et d'enregistrements de données aléatoirement sélectionnés de l'utilisateur. Le système présente la ou les question(s) à l'utilisateur et reçoit des réponses de l'utilisateur à la ou aux question(s). Le système authentifie l'utilisateur en réponse à la réception d'une réponse correcte à chacune de la ou des question(s).
PCT/US2015/012895 2015-01-26 2015-01-26 Authentification d'un utilisateur WO2016122441A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/US2015/012895 WO2016122441A1 (fr) 2015-01-26 2015-01-26 Authentification d'un utilisateur

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/US2015/012895 WO2016122441A1 (fr) 2015-01-26 2015-01-26 Authentification d'un utilisateur

Publications (1)

Publication Number Publication Date
WO2016122441A1 true WO2016122441A1 (fr) 2016-08-04

Family

ID=56543873

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2015/012895 WO2016122441A1 (fr) 2015-01-26 2015-01-26 Authentification d'un utilisateur

Country Status (1)

Country Link
WO (1) WO2016122441A1 (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018040942A1 (fr) * 2016-08-31 2018-03-08 阿里巴巴集团控股有限公司 Procédé et dispositif de vérification

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080086759A1 (en) * 2006-10-10 2008-04-10 Colson Christen J Verification and authentication systems and methods
EP2369523A1 (fr) * 2010-03-22 2011-09-28 Daon Holdings Limited Procédés et systèmes d'authentification d'utilisateurs
US20140189835A1 (en) * 2012-12-28 2014-07-03 Pitney Bowes Inc. Systems and methods for efficient authentication of users
US20140282977A1 (en) * 2013-03-15 2014-09-18 Socure Inc. Risk assessment using social networking data
US8856894B1 (en) * 2012-11-28 2014-10-07 Consumerinfo.Com, Inc. Always on authentication

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080086759A1 (en) * 2006-10-10 2008-04-10 Colson Christen J Verification and authentication systems and methods
EP2369523A1 (fr) * 2010-03-22 2011-09-28 Daon Holdings Limited Procédés et systèmes d'authentification d'utilisateurs
US8856894B1 (en) * 2012-11-28 2014-10-07 Consumerinfo.Com, Inc. Always on authentication
US20140189835A1 (en) * 2012-12-28 2014-07-03 Pitney Bowes Inc. Systems and methods for efficient authentication of users
US20140282977A1 (en) * 2013-03-15 2014-09-18 Socure Inc. Risk assessment using social networking data

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018040942A1 (fr) * 2016-08-31 2018-03-08 阿里巴巴集团控股有限公司 Procédé et dispositif de vérification
US11301556B2 (en) 2016-08-31 2022-04-12 Advanced New Technologies Co., Ltd. Verification method and device

Similar Documents

Publication Publication Date Title
US11138300B2 (en) Multi-factor profile and security fingerprint analysis
US11847199B2 (en) Remote usage of locally stored biometric authentication data
EP3120282B1 (fr) Authentification d'utilisateur
US20210294890A1 (en) Methods, mediums, and systems for establishing and using security questions
US20210084052A1 (en) Identity verification and login methods, apparatuses, and computer devices
US20160371438A1 (en) System and method for biometric-based authentication of a user for a secure event carried out via a portable electronic device
CA2681810C (fr) Methodes et systemes d'authentification d'utilisateurs
US10673851B2 (en) Method and device for verifying a trusted terminal
US20170093851A1 (en) Biometric authentication system
US20100169219A1 (en) Pluggable health-related data user experience
US10679211B1 (en) Intelligent authentication
CN113542288A (zh) 业务授权方法、装置、设备及系统
US20140053251A1 (en) User account recovery
CN109034816A (zh) 用户信息验证方法、装置、计算机设备及存储介质
Bakar et al. Adaptive authentication based on analysis of user behavior
US8856954B1 (en) Authenticating using organization based information
US10939291B1 (en) Systems and methods for photo recognition-based identity authentication
US10861017B2 (en) Biometric index linking and processing
KR101763275B1 (ko) Cb 정보를 이용한 본인 인증 방법, 그 시스템 및 그 프로그램을 기록한 컴퓨터 판독 가능한 기록매체
Karegar et al. Fingerprint recognition on mobile devices: widely deployed, rarely understood
WO2014043360A1 (fr) Analyse de profil et d'empreinte digitale de sécurité à facteurs multiples
CN104601532B (zh) 一种登录账户的方法及装置
CN108717635B (zh) 基于多生物特征鉴权或标识的方法及系统
WO2016122441A1 (fr) Authentification d'un utilisateur
JP6279643B2 (ja) ログイン管理システム、ログイン管理方法及びログイン管理プログラム

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15880345

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 15880345

Country of ref document: EP

Kind code of ref document: A1