Aspects of the disclosure relate generally to assisting users in authenticating to services.
For most computer users, managing multiple sets of authentication credentials is difficult. Some users use applications that may assist with storing their separate sets of authentication credentials. An issue created by the use of credentials management applications is that users, who use those credentials management applications, may more easily lock themselves out of their accounts based on the simplicity of repeatedly requesting the credentials management applications to resend their credentials to the service providers, regardless of whether those service providers are able to grant authentication requests.
Aspects described herein may address these and other problems, and generally improve how users authenticate to services using their credentials (e.g., username, password, or other credentials). The following presents a simplified summary of various aspects described herein. This summary is not an extensive overview, and is not intended to identify key or critical elements or to delineate the scope of the claims. The following summary merely presents some concepts in a simplified form as an introductory prelude to the more detailed description provided below.
Aspects described herein may allow for a credentials manager to assist multiple users authenticate to each of the users' separate accounts from various services while notifying them when a given service is not accepting credentials. This may have the effect of improving users' experiences with authenticating to the services as well as improving the consistency by which users authenticate to those services, thus reducing or eliminating user time consumed in making repeated ineffective requests as well as reducing the number of authentication attempts using incorrect user credentials. According to some aspects, these and other benefits may be achieved by a credentials manager storing results of previous authentication attempts, storing known authentication credentials for test accounts for the services that are not associated with a specific user, and determining, based on one or more of results of the previous authentication attempts or on a result of a new authentication attempt using the test account's credentials, whether the service is currently granting access to accounts. In implementation, the ability to assist users authenticate to services may be effected by using a credentials manager that, using software on a user's device to determine when a user interface is displayed on a user's device with regards to entering user specific information (e.g., payment information), separately obtains the authentication information for the user, authenticates to the service (e.g., a credit institution) using the user's credentials, obtains information, and populates the user interface with the information from the service. Where the service fails to authenticate the user based on the supplied credentials, the credentials manager determines an authentication capability of the service and, if the service is not authenticating users, reports the status to the user, thereby permitting the user to select another service while not further attempting to authenticate to the identified service.
According to some aspects, these and other benefits may be achieved by using a computer-implemented method that may comprise causing, by a credentials management system, display of a list of selectable services; receiving, from a user, a selection of a service from the list of selectable services; retrieving, from a storage associated with the credentials management system, user credentials corresponding to a user account associated with the selected service; sending, to a remote computer system associated with the selected service, a request to authenticate to the user account using the user credentials; determining a failure to authenticate, based on the request to authenticate using the user credentials, with the user account of the selected service; determining an authentication capability of the remote computer system to authenticate at least one other account associated with the selected service. The method may further comprise removing, based on determining that the remote computer system is not able to authenticate the at least one other account, the selected service from the list of selectable services to generate a modified list of selectable services.
A system of one or more computers may be configured to perform particular operations or actions by virtue of having software, firmware, hardware, or a combination of them installed on the system that in operation causes or cause the system to perform the actions. One or more computer programs may be configured to perform particular operations or actions by virtue of including instructions that, when executed by data processing apparatus, cause the apparatus to perform the actions. As such, corresponding apparatus, systems, and computer-readable media are also within the scope of the disclosure.
These features, along with many others, are discussed in greater detail below.
The present disclosure is illustrated by way of example and not limited in the accompanying figures in which like reference numerals indicate similar elements and in which:
In the following description of the various embodiments, reference is made to the accompanying drawings, which form a part hereof, and in which is shown by way of illustration various embodiments in which aspects of the disclosure may be practiced. It is to be understood that other embodiments may be utilized and structural and functional modifications may be made without departing from the scope of the present disclosure. Aspects of the disclosure are capable of other embodiments and of being practiced or being carried out in various ways. Also, it is to be understood that the phraseology and terminology used herein are for the purpose of description and should not be regarded as limiting. Rather, the phrases and terms used herein are to be given their broadest interpretation and meaning. The use of “including” and “comprising” and variations thereof is meant to encompass the items listed thereafter and equivalents thereof as well as additional items and equivalents thereof.
By way of introduction, aspects discussed herein may relate to methods and techniques for improving user authentication to a service by checking whether the service is capable of authenticating users to user accounts. As discussed further herein, this combination of features may allow for improved interactions between a user and a computing device and reduced network traffic for redundant authentication requests where no authentication capability exists. One or more aspects of this description comprise a credentials manager configured to store a user's authentication credentials for various accounts associated with service providers. Further, the credentials manager may keep a log when other users have attempted to authenticate to the same service and may store known credentials for accessing test accounts associated with the service providers. Using the known credentials may be relevant in situations where the credentials manager needs to verify that that a given service is accepting authentications where the log of recent authorization attempts by other users is either incomplete or older than a threshold (e.g., a few minutes or hours) to reliably indicate that a specific service is currently accepting or not accepting authentications.
For example, one or more aspects attempt to address situations including the following failed login attempts by a user. Some months ago, the user may have willingly permitted a friend to login to that user's account with a specific service (e.g., a movie streaming service) by providing that friend with the user's password to the service. While that friend was watching a movie provided by the service (or otherwise accessing the specific service), the specific service prompted for an updated password. To keep watching the movie, the friend updated the password but failed to alert the user that the user's password has changed. Later, the user attempted to access the service using the old password and the authentication attempt failed. The user, believing the old password was still valid and that the issue must have been a temporary issue with the service, continued to attempt to authenticate to the service, only to be locked out of the account after a given number of attempts. Eventually, the user needed to call the service's assistance line and request the account be unlocked and a new password set.
Using the credentials manager as described herein, the credentials manager may have been able to prevent the user's account from being locked by attempting to verify whether the service is, in fact, currently authenticating users to the service. The verification may be independent of a path between any entity and the service or the verification may comprise comparing paths between the entity attempting to authenticate and one or more authentication servers of the service. The verification may comprise checking a log of other attempted authentications to that service and/or independently attempting to authenticate to that service using credentials known by the credentials manager to be current for accessing a test account of the service. The credentials manager may check for actual authentications, not only the ability to submit authorization credentials. At times, even though a service may provide a user interface by which a user may input and submit authentication credentials, that service may be not actually be able at that time to permit authentication to the user's account. The result is that the user is not authenticated to the service and the user's login attempt and subsequent login attempts may be interpreted by the service as someone other than the user attempting to login to the user's account by guessing the user's password. The credentials manager may reduce or eliminate situations where the users are locked out of their accounts based on multiple failed login attempts. Before discussing these concepts in greater detail, however, several examples of a computing device that may be used in implementing and/or otherwise providing various aspects of the disclosure will first be discussed with respect to
The computing device 101 may, in some embodiments, operate in a standalone environment. In others, the computing device 101 may operate in a networked environment. As shown in
As seen in
Devices 105, 107, 109 may have similar or different architecture as described with respect to the computing device 101. Those of skill in the art will appreciate that the functionality of the computing device 101 (or device 105, 107, 109) as described herein may be spread across multiple data processing devices, for example, to distribute processing load across multiple computers, to segregate transactions based on geographic location, user access level, quality of service (QoS), etc. For example, devices 101, 105, 107, 109, and others may operate in concert to provide parallel computing features in support of the operation of control logic 125 and/or software 127.
One or more aspects discussed herein may be embodied in computer-usable or readable data and/or computer-executable instructions, such as in one or more program modules, executed by one or more computers or other devices as described herein. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types when executed by a processor in a computer or other device. The modules may be written in a source code programming language that is subsequently compiled for execution, or may be written in a scripting language such as (but not limited to) Python or JavaScript. The computer executable instructions may be stored on a computer readable medium such as a hard disk, optical disk, removable storage media, solid-state memory, RAM, etc. As will be appreciated by one of skill in the art, the functionality of the program modules may be combined or distributed as desired in various embodiments. In addition, the functionality may be embodied in whole or in part in firmware or hardware equivalents such as integrated circuits, field programmable gate arrays (FPGA), and the like. Particular data structures may be used to more effectively implement one or more aspects discussed herein, and such data structures are contemplated within the scope of computer executable instructions and computer-usable data described herein. Various aspects discussed herein may be embodied as a method, a computing device, a data processing system, or a computer program product. Having discussed several examples of computing devices which may be used to implement some aspects as discussed further below, discussion will now turn to a method for verifying an authentication capability for a service.
The client device 201 may include a web browser 202 and a browser extension 203. Additionally or alternatively, the client device 201 may include an application 204 providing access to a service, for example, a merchant, employer, or service provider. The access may be via the Internet (for instance, over the World Wide Web, over an API, or other known network or combinations thereof). An application plug-in 205 is configured to work with the application 204 and provides features to the user in addition to the features of the application 204. Additionally or alternatively, the client device 201 may include a separate application 206 that interacts with one or more of the web browser 202 and/or the application 204. For instance, the browser extension 203, the application plug-in 205, and/or the separate application 206 may monitor what is displayed on a display screen of the client device 201 (e.g., displayed by the web browser 202 and/or the application 204) and, based on what is displayed, provide the user with one or more options and/or one or more services.
Client device 201 may comprise a device that supports web browsing. For example, client device 201 may include a computer (e.g., a desktop computer, a laptop computer, a tablet computer, a handheld computer, and/or the like), a mobile phone (e.g., a smart phone and/or the like), a television (e.g., a smart television), an interactive display screen, and/or a similar type of device. Client device 201 may host the web browser 202 and/or the browser extension 203 installed on and/or executing on the client device 201.
The web browser 202 may be used to access information on the World Wide Web, such as web pages, images, videos, and/or other web resources. The web browser 202 may access such web resources using a uniform resource identifier (URI), such as a uniform resource locator (URL), a uniform resource name (URN), and/or the like. Web browser 202 may enable the client device 201 to retrieve and present, for display, content of a web page.
The browser extension 203 may include an application, executing on the client device 201, capable of extending or enhancing functionality of the web browser 202. For example, the browser extension 203 may be a plug-in application for the web browser 202. The browser extension 203 may be capable of executing one or more scripts (e.g., code, which may be written in a scripting language, such as JavaScript and/or C++ or the like) to perform an operation in association with the web browser 202.
The web server 209 may include a device capable of serving web content (e.g., web documents, HTML, documents, web resources, images, style sheets, scripts, text, and/or the like). For example, the web server 209 may include a server and/or computing resources of a server, which may be included in a data center, a cloud computing environment, and/or the like. The web server 209 may process incoming network requests (e.g., from client device 201) using HTTP and/or another protocol. The web server 209 may store, process, and/or deliver web pages to the client device 201. In some implementations, communication between the web server 209 and the client device 201 may take place using HTTP.
The extension server 210 includes a device capable of communicating with client device 201 to support operations of browser extension 203. For example, extension server 210 may store and/or process information for use by browser extension 203. As an example, extension server 210 may store a list of domains applicable to a script to be executed by browser extension 203. In some implementations, client device 201 may obtain the list (e.g., periodically, based on a trigger, and/or the like), and may store a cached list locally on client device 201 for use by browser extension 203.
The network 207 may include one or more wired and/or wireless networks. For example, network 207 may include a cellular network (e.g., a long-term evolution (LTE) network, a code division multiple access (CDMA) network, a 3G network, a 4G network, a 5G network, another type of next generation network, etc.), a public land mobile network (PLMN), a local area network (LAN), a wide area network (WAN), a metropolitan area network (MAN), a telephone network (e.g., the Public Switched Telephone Network (PSTN)), a private network, an ad hoc network, an intranet, the Internet, a fiber optic-based network, a cloud computing network, or the like, and/or a combination of these or other types of networks.
The number and arrangement of devices and networks shown in
In addition to the user authentication credentials for users' accounts, the table or tables 215 may further comprise known credentials for one or more test accounts of the credential manager 211 associated with the services. The known credentials may be maintained by the credentials manager 211 for test accounts with the services. The test accounts may be used by the credentials manager 211 to check whether a service (e.g., provided by service provider server 208) is accepting authentications. If the credential manager 211 attempts to login to one or more test accounts associated with of the credential manager 211's test accounts and the login attempt is not successful, the credential manager 211 may determine that the service is not accepting authentications at a current time. Because the known credentials are known to be correct for a service (either as managed by the credentials manager 211 or some other entity or even the service itself), the failure of the credential manager 211 to login using correct credentials must mean that the service is unavailable. The table or tables 215 may be one table or sets of tables partitioned for instance, by each service, the user, the username or password or other factor or combination of factors.
Table or tables 216 in storage 214 may comprise a log of when users' accounts or test accounts were attempted to be authenticated with for the various services along with timestamps and authentication results. The table or tables 216 may be one table or sets of tables partitioned for instance, by each service, time, result or other factor or combination of factors. The table or tables 216 may comprise all login attempts for the accounts (user and test accounts) or comprise one or more of only successful logins, only unsuccessful logins, only attempted logins over an interval (e.g., over the past hour, past 24 hours, past week, etc.), or a combination thereof. The table or tables 216 may be used to determine when and how many login attempts were successful (or not successful) for a specific service. The credentials manager 211 may, based on recent results from the table or tables 216, be able to identify that a specific service is or is not currently capable of accepting authentication requests. If the table or tables 216 do not have recent information for a specific service, the credentials manager may obtain known authentication credentials from table or tables 215 for a test account associated with that service and attempt to authenticate to that test account. The result of that authentication attempt may be subsequently stored in table 216. The table or tables 216 may comprise the results regardless of a path between the credentials manager 211 and authentication servers associated with a specific service (e.g., the service provider server 208). Alternatively, for some or all of the stored results in the table or tables 216, the path for that specific authentication attempt may be stored. For instance, if all authentication attempts are made by the credentials manager 211 using the same IP path to the network 207 and/or through the network 207 to a given service, the paths may be identical and not stored. Alternatively or additionally, the path may be stored to at least provide an indication of how far along a given path each authentication request progressed until a network connection to an authentication server of the service was no longer available. This storing of partial path information may permit a determination, by the credentials manager 211, that the authentication request never reached the authentication server of the service. Additionally or alternatively, the path information may be stored and useful where the client device 201 itself makes the authentication request to the service. In this example, after the user selects specific service, the credentials manager 211 may provide the authentication information from the table or tables 215 for that user for that service to the client device 201 for the client device 201 to attempt to authenticate to the selected service. In this example, the result of the authentication attempt may be forwarded by the client device 201 to the credentials manager 211 for storing that result in table or tables 216 with the path between the client device 201 and the service (e.g., the authentication server of the service). In some situations, the client device may not be able to determine the path or the client device may not forward the path to the credentials manager. This may result in the table or tables 216 including path information for only some of the authentication attempts.
When the browser extension 303 observes, through monitoring web browser 302, the display of the payment information user interface 306, the browser extension 303 displays a user interface 307 that prompts the user to select a service relating to the payment information user interface 306. For example, service A may relate to a first credit card issuer providing a first credit card (e.g., using the MasterCard/Visa clearinghouse), service B may relate to a second credit card issuer providing a second credit card using a different clearinghouse, and service C may relate to a debit card provided by a financial institution. These services are merely examples and others may be used as well or in place of any of these identified services.
Once the user selects one of the services in user interface 307, the browser extension 303 provides that selection to credentials manager server 304. The credentials manager server 304 obtains user credentials (e.g., from storage 214) relating to the user to access a specific account of the user provided by the selected service. For purposes herein, the user credentials are also referred to as authentication information for the user account. The authentication information 308 is sent from the credentials manager server to a system handling authentication requests for that particular service. In
If the authentication information 308 properly authenticates the user to the user's account on the selected service, requested information 310 from the selected service is provided to the user interface 306 (e.g., from the selected service to the credentials manager server 304, to the browser extension 303, and then to the web browser 302, for subsequent processing by the merchant's website). Where user interface 306 was to receive payment information, the requested information 310 may comprise payment information to complete the transaction with the merchant. The requested information 310 may comprise a static credit card number, expiration date, and credit card verification value or may provide, for instance, single-use payment information, generated by the selected service or third-party (e.g., the Mastercard clearinghouse) based on instruction from the selected service.
In some situations, the user's credentials may be rejected by the selected service, either directly (as a message that the user's password is incorrect and/or a user's account does not exist for that service) or indirectly (as the service not responding to the authentication request within a given period of time—e.g., the request having timed out). In certain of those instances, the user's credentials may, in fact, be incorrect as the user may have unknowingly changed the password and that information was not subsequently pushed to the credentials manager server 304. In other instances, the user's credentials may, in fact, be correct but the communication links between the user's device and the respective authentication server for the selected service may be unavailable.
In some instances, authentication servers for services may provide an operable user interface or API, permitting users' credentials to be received (and increment a count of authorization requests based on the receipts of the credentials) while being unavailable to authenticate the users with valid credentials. Users with valid credentials may continue to attempt to authenticate to those servers and continue to receive rejections. Those rejections may accumulate and the users be locked out of their own accounts, not for having incorrect credentials, but for repeatedly trying to use a service having authentication servers that are unable to properly authenticate them to the service.
One or more aspects relate to determining whether those communication links are, in fact, unavailable before modifying the list of selectable services or prompting the user to change his password.
In step 405, the system determines whether the authentication request has failed. If the authentication was successful, the system continues with the authenticated service as shown in step 406. The use of the authenticated service in step 406 may comprise the authenticated service providing the payment information 310 for population in the payment information user interface 306. If there was an authentication failure in step 405, the system sends, in step 407, a request to authenticate to the selected service using other credentials. If it is determined in step 408 that the authentication using the other credentials has also failed, the selected service may be removed from the list of selectable services in step 409 and a modified list of selectable services is displayed to the user in step 410, to await the user selection of one of those services in step 402. Further, if available, the determination in step 405 may comprise reading returned information regarding the rejection of the request to authenticate including, but not limited to, information in the header of the rejection message from the authentication server. That information may be used to skip one or more steps as that information may provide a reason why the authentication failed.
If the authentication using the other credentials was determined in step 408 to not have failed (e.g., to have been successful), then in step 411 the system alerts the user that the user's credentials are invalid. In step 412, the user may be provided with an option to update the user credentials or select another service from the list of services. If the user updates the user credentials, the browser extension 303 may prompt and/or monitor the user's interaction with the selected service and record the new credentials for the user account associated with that service. Next, those updated credentials may be used in step 404. If the user selects another service, the selection may be received in step 402 and credentials for that other service retrieved (in step 403) and then sent (in step 404) to that newly selected service for authentication.
In step 503, the system determines the relevance of other recent results. The determination may comprise step 504 in which the time between the user's failed login attempt and other users' login attempts are compared to each other. The comparisons may be relative to the time (comparisons 504) of the user's failed login attempt (if other users are successfully logging into the same selected service, the authentication server for that service must be available) and/or based on a threshold or ratio (if 50% or more users are able to authenticate), then the authentication server for that service may be determined in step 506 to be generally available. If most recent login attempts resulted in failures and only older login attempts were successful, then in step 506 then the service may be determined to be generally unavailable.
The comparisons may also be relative to the path between the devices requesting login and the authentication server for the service (e.g., step 505). If, for instance, the successful authentications for the selected service followed a generally similar IP path from the requesting devices (e.g., same cell phone network or same geographic vicinity) to the authenticating server, then the service may be determined in step 509 to be generally available. If the successful authentications for the selected service had distinctly different pathways (e.g., all from a different cell phone network or all from a different region of the country or world), then the service may be determined in step 509 to be generally unavailable.
If the recent login attempts have been of other users and if those attempts were not generally successful (e.g., more than 50% success rate), then the system may attempt to log into the selected service using known credentials of the test account (step 507). If the recent login attempts had a distinct pathway, not in common with that of the current user, then the system may attempt to log into the selected service using known credentials and a pathway similar to that used by the user (step 510).
With respect to the pathway analysis, the pathways may be dependent on whether the client device 301 is sending the login request directly to the selected service's authentication server or via the credentials manager server 304. Where sent directly, the credentials manager server 304 may have previously forwarded the retrieve users credentials for the user of the selected service to the user's account.
If the credentials manager 211 determines that others have successfully authenticated to the server (e.g., based on a relevant time in step 506 or based on a relevant pathway 509 or both), then the credentials manager 211 may determine that the failure to authenticate is based on incorrect authentication credentials. The user maybe alerted in step 508 that the authentication attempt failed and that the user's credentials are incorrect. Additionally or alternatively, the user may be presented with a password reset user interface to permit the user to reset the user's password. The password reset user interface may be generated by the service itself, by the credentials manager 211, and/or the browser extension 303 as a user interface provided by browser 302 or as an overlay by browser extension 303. Once the user resets the password for that service, the new password may be captured by the browser extension 303 and forwarded to credentials manager 211 for storage in the authentication credentials table or tables 215.
In step 703, the result of the authentication attempt (either of steps 701 or 702 or both 701 and 702) is received (step 704). In step 705, the result of the authentication attempt is stored with the time of the authentication attempt. Additionally or alternatively, in step 706, the result of the authentication attempt is stored with the pathway of the authentication attempt. Additionally or alternatively, in step 707, the result of the authentication attempt is stored with both the time and the pathway of the authentication attempt. In each of steps 705, 706, and 707, the results may be stored in table 215 of storage 214 of the credentials manager 211.
Thus, a computer-implemented method may comprise causing, by a credentials management system, display of a list of selectable services; receiving, from a user, a selection of a service from the list of selectable services; retrieving, from a storage associated with the credentials management system, user credentials corresponding to a user account associated with the selected service; sending, to a remote computer system associated with the selected service, a request to authenticate to the user account using the user credentials; determining a failure to authenticate, based on the request to authenticate using the user credentials, with the user account of the selected service; determining an authentication capability of the remote computer system to authenticate at least one other account associated with the selected service. The method may further comprise removing, based on determining that the remote computer system is not able to authenticate the at least one other account, the selected service from the list of selectable services to generate a modified list of selectable services.
Further, the method may comprise receiving a request to authenticate a user device of the user to the selected service. The method's determining the authentication capability of the remote computer system may comprise retrieving, from a remote storage, a list of recent login attempts to authenticate to other user accounts of the selected service, wherein the recent login attempts were based on other user credentials; and determining attempted authentication results associated with the list of recent login attempts. The attempted authentication results may comprise one or more of a recent successful login, a recent unsuccessful login, or a ratio between recent successful logins and recent unsuccessful logins. The attempted authentication results may comprise times at which the recent login attempts were initiated.
The authentication capability of the remote computer system may comprise obtaining known credentials for a test account of the selected service; sending, to the remote computer system associated with the selected service, a request to authenticate to the test account using the known credentials; and receiving information identifying whether authenticating, using the known credentials, was successful. The method may further comprise storing, in a list of recent login attempts, the received information that authenticating using the known credentials was successful. The method may further comprise determining a user connection pathway associated with the sending the request to authenticate to the user account using the user credentials; determining a test connection pathway associated with the sending the request to authenticate, using the known credentials, to the test account; comparing the user connection pathway and the test connection pathway; and determining, based on the comparison of the user connection pathway and the test connection pathway, whether to inform the user of a result of authenticating using the known credentials. The method may further comprise causing, based on the determination of the authentication capability, display of a credentials update user interface; receiving, based on interaction with the credentials update user interface, updated user credentials; and storing, for the user account of the selected service, the received updated user credentials. The causing display of the credentials update user interface may be based on monitoring for display of a first user interface of the selected service, wherein the first user interface is configured to receiving updated user credentials. The causing display of the credentials update user interface may comprise causing display of a credentials management user interface configured to receive the updated user credentials. The method may further comprise causing population, based on the received updated user credentials, the first user interface of the selected service with the received updated user credentials.
The method may further comprise monitoring, via a first application executing on a user device, user interactions with a second application of the user device; identifying, in the second application as displayed to the user, a user interface for authenticating to a card issuer; generating, for display on the user device, a selection user interface including the list of selectable services; and causing display of the selection user interface, wherein receiving the selection of the service may include receiving, from the user device, the selection of the service from the displayed list of selectable services. The method may further comprise determining, for the selected service, whether one or more subsequent authentication attempts will lock the user account of the selected service, generating an alert that one or more subsequent authentication attempts will lock the user account of the selected service; and causing display of the alert. The method may comprise determining, based on the determining the failure to authenticate to the user account of the selected service, content in an application programing interface response, and wherein application programing interface response was received after the sending of the user credentials. The method may further comprise reading content of a failure message from the service; determining the read content identifies the user credentials comprise an incorrect password; and determining a time elapsed since a successful login to a second user account of a second user.
The method may further comprise retrieving an elapsed time threshold; determining a time elapsed between since a successful login to a second user account of a second user and a current time; determining whether the time elapsed satisfies the elapsed time threshold; obtaining, based on the determination that the elapsed time threshold has been satisfied, known credentials for a test account of the selected service; sending, to the remote computer system associated with the selected service, the known credentials; and receiving information identifying whether authenticating, to the test account of the selected service using the known credentials, was successful.
An apparatus may comprise one or more processors; and memory storing instructions that, when executed by the one or more processors, cause the apparatus to display of a list of selectable services; receive, from a user, a selection of a service from the list of selectable services; retrieve, from a credentials management system, user credentials corresponding to a user account, of the user, associated with the selected service; send, to a remote computer system associated with the selected service, a request to authenticate to the user account using the user credentials; determine a failure to authenticate, based on the request to authenticate using the user credentials, with the user account of the selected service; determine an authentication capability of the remote computer system to authenticate at least one other account associated with the selected service; remove, based on determining that the remote computer system is not able to authenticate the at least one other account, the selected service from the list of selectable services to generate a modified list of selectable services; and cause display of the list of the modified list of selectable services.
The apparatus may include additional instructions that cause the apparatus to retrieve, from a remote storage, a list of recent login attempts to authenticate to other user accounts of the selected service, wherein the recent login attempts were based on other user credentials; and determine attempted authentication results associated with the list of recent login attempts. Additional instructions may cause the apparatus to obtain known credentials for test account of the selected service; send, to the remote computer system associated with the selected service, the known credentials; and receive information identifying whether authenticating, using the known credentials, was successful. Additional instructions may cause the apparatus to store, in a list of recent login attempts, the received information that authenticating using the known credentials was successful.
One more non-transitory media storing instructions that, when executed by one or more processors, may cause the one or more processors to perform steps comprising monitoring, via a credentials management application executing on a user device, user interactions with one or more other applications executing on the user device; identifying, from the one or more other applications and as displayed to the user, a user interface for authenticating to a card issuer; generating, via the credentials management application and for display on the user device, a selection user interface including a list of selectable services; and causing display of the selection user interface; and receiving, from the user device, the selection of a service from the displayed selection user interface. The instructions may further cause retrieving, from a remote storage associated with the credentials management application, user credentials corresponding to a user account associated with the selected service; sending, to a remote computer system associated with the selected service, a request to authenticate to the user account using the user credentials; determining a failure to authenticate, based on the request to authenticate using the user credentials, with the user account of the selected service; determining an authentication capability of the remote computer system to authenticate at least one other account associated with the selected service; and removing, based on determining that the remote computer system is not able to authenticate the at least one other account, the selected service from the list of selectable services to generate a modified list of selectable services.
Although the subject matter has been described in language specific to structural features and/or methodological acts, it is to be understood that the subject matter defined in the appended claims is not necessarily limited to the specific features or acts described above. Rather, the specific features and acts described above are disclosed as example forms of implementing the claims.