Patent Application
20090217368
This invention pertains to user account management, and more particularly to using information cards for account reset and supplemental authorization.
When a user interacts with sites on the Internet (hereafter referred to as “service providers” or “relying parties”), the service provider often expects to know something about the user that is requesting the services of the provider. The typical approach for a service provider is to require the user to log into or authenticate to the service provider's computer system. But this approach, while satisfactory for the service provider, is less than ideal for the user. First, the user must remember a username and password for each service provider who expects such information. Given that different computer systems impose different requirements, and the possibility that another user might have chosen the same username, the user might be unable to use the same username/password combination on each such computer system. (There is also the related problem that if the user uses the same username/password combination on multiple computer systems, someone who hacks one such computer system would be able to access other such computer systems.) It is estimated that an average user has over 100 accounts on the Internet. For users, this is becoming an increasingly frustrating problem to deal with. Passwords and account names are too hard to remember. Second, the user has no control over how the service provider uses the information it stores. If the service provider uses the stored information in a way the user does not want, the user has relatively little ability to prevent such abuse, and essentially no recourse after the fact.
In the past year or two, the networking industry has developed the concept of information cards to tackle these problems. Information cards are a very familiar metaphor for users and the idea is gaining rapid momentum. Information cards allow users to manage their identity information and control how it is released. This gives users greater convenience in organizing their multiple personae, their preferences, and their relationships with vendors and identity providers. Interactions with on-line vendors are greatly simplified.
There are currently two kinds of information cards: 1) personal cards—or self-issued cards—and 2) managed cards—or cards that are issued by an identity provider. A personal card contains self-asserted identity information—the person issues the card and is the authority for the identity information it contains. The managed card is usually issued by an identity provider. The identity provider provides the identity information and asserts its validity.
When a user wants to release identity information to a relying party (for example, a web site that the user is interacting with), a tool known as a card selector assists the user in selecting an appropriate information card. When a managed card is selected, the card selector communicates with the identity provider to obtain a security token that contains the needed information. This interaction between the card selector and the identity provider is usually secure. The identity provider typically requests the user to authenticate himself or herself (for example, using a username/password, X.509 certificate, etc.) before it will return a security token. The security token can then be provided to the relying party.
Regardless of whether information cards are used or not, identity information requested by relying parties is typically associated with a specific account at the relying party, and often includes a username and a password. On occasion it becomes necessary for identity information associated with an account to be changed. This can occur because, for example, the user has forgotten the username or password associated with the account. To accommodate these situations, relying parties generally provide some means of account reset.
Also, on occasion, relying parties may wish to perform a supplemental authorization when a user logs into an account. This supplemental authorization can be used as part of a random check security scheme or in response to a policy, for example, a policy stating that supplemental authorization is required after a specified duration of inactivity on the account.
There are many common schemes used for account reset and supplemental authorization, but they often include asking the user a challenge question and then validating the user's response against an answer that was previously provided. The questions are usually designed so that a user can determine the appropriate response without specifically remembering what answer was given previously. Common questions include “What is your mother's maiden name?” and “What was your first pet's name?”.
Another common scheme is email-based password reset. Using this scheme, a user requests an account reset and the relying party emails the user their existing identity information, new identity information, or a credential that can be used to regain access to the account in order to change the identity information. The user can then use the information in the email to reset the account and/or regain access to the account.
Each of these account reset and supplemental authorization schemes is vulnerable, at least to some degree, to being spoofed. An attacker wishing to gain access to a user's account can simply use the account reset method to change the identity information and thereby gain access. Various sources of publicly available information, or even shoulder-surfing, can be used to aid the attacker in gaining access. If the attacker has access to the user's email account, any email-based account reset schemes are now available for the attacker to use to gain access. Consequently, conventional account reset and supplemental authorization schemes do not provide adequate security for user accounts.
Further, conventional account reset and supplemental authorization schemes are particularly susceptible to social engineering type attacks. These types of attacks are generally characterized by the fact that the attacker uses one piece of information about the victim to generate other information to aid in the attack. In an example of a social engineering attack, an attacker may know that a victim has an account at the Bank of Noplace. The attacker can then contact the victim, asserting to be from the Bank of Noplace, and convince the victim to provide account numbers and security information for the accounts. The attacker then has all of the information necessary to steal money from the accounts. This is a very rudimentary example of a social engineering attack: social engineering attacks are generally more sophisticated. However, the common characteristic with these types of attacks is that a small amount of information about the victim is used to generate enough information to attack the victim's secure accounts. Conventional account reset and supplemental authorization schemes are susceptible to this type of attack because if the attacker knows the name of the victim, the victim's mother's maiden name is not that difficult to find out from publicly available records. The same is true of other common challenge questions used in these schemes.
A need remains for a way to address these and other problems associated with the prior art.
Embodiments of the invention have to do with performing account reset and supplemental authorization using information cards. Challenge claims can be provided to relying parties at account setup, during authorizations, or at other times. The relying parties can store the challenge claims and subsequently use the challenge claims for account reset and supplemental authorization. Challenge claims can also provide relying parties with a list of supported challenge methods.
The foregoing and other features, objects, and advantages of the invention will become more readily apparent from the following detailed description, which proceeds with reference to the accompanying drawings.
Embodiments of the invention utilize information cards to perform secure account reset and/or supplemental authorization. Consequently, before explaining the invention, it is important to understand the operation of an information card system. Such a system will be explained with respect to
In
Relying party 130 is a machine managed by a party that relies in some way on the identity of the user of client 105. The operator of relying party 130 can be any type of relying party. For example, the operator of relying party 130 can be a merchant running a business on a website. Alternatively, the operator of relying party 130 can be an entity that offers assistance on some matter to registered parties. Relying party 130 is so named because it relies on establishing some identifying information about the user.
Identity provider 135, on the other hand, is managed by a party responsible for providing identity information (or other such information) about the user for consumption by the relying party 130. Depending on the type of information identity provider 135 stores for a user, a single user might store identifying information with a number of different identity providers 135, any of which might be able to satisfy the request of the relying party 130. For example, identity provider 135 might be a governmental agency, responsible for storing information generated by the government, such as a driver's license number or a social security number. Alternatively, identity provider 135 might be a third party that is in the business of managing identity information on behalf of users.
The conventional methodology of releasing identity information can be found in a number of sources. One such source is Microsoft Corporation, which has published a document entitled Introducing Windows CardSpace, which can be found on the World Wide Web at http://msdn2.microsoft.com/en-us/library/aa480189.aspx and is hereby incorporated by reference. To summarize the operation of Windows CardSpace, when a user wants to access some data from relying party 130, client 105 requests the security policy of relying party 130, as shown in communication 140, which is returned in communication 145 as security policy 150. Security policy 150 is a summary of the information relying party 130 needs, how the information should be formatted, and so on.
Once client 105 has security policy 150, client 105 can identify which information cards will satisfy security policy 150. Different security policies might result in different information cards being usable. For example, if relying party 130 simply needs a username and password combination, the information cards that will satisfy this security policy will be different from the information cards that satisfy a security policy requesting the user's full name, mailing address, and social security number. The user can then select an information card that satisfies security policy 150.
A card selector (described below with respect to
Once the user has selected an acceptable information card, client 105 uses the selected information card to transmit a request for a security token from identity provider 135, as shown in communication 155. This request can identify the data to be included in the security token, the credential that identifies the user, and other data the identity provider needs to generate the security token. Identity provider 135 returns security token 160, as shown in communication 165. Security token 160 includes a number of claims, or pieces of information, that include the data the user wants to release to the relying party. Security token 160 is usually encrypted in some manner, and perhaps signed and/or time-stamped by identity provider 135, so that relying party 130 can be certain that the security token originated with identity provider 135 (as opposed to being spoofed by someone intent on defrauding relying party 130). Client 105 then forwards security token 160 to relying party 130, as shown in communication 170.
In addition, the selected information card can be a self-issued information card (also called a personal card): that is, an information card issued not by an identity provider, but by client 105 itself. In that case, identity provider 135 effectively becomes part of client 105.
Often, the identity provider 135 takes the form of a web server, but this does not have to be the case. As an example, the identity provider 135 could be a Security Token Service (STS) that resides on the client 105, resides on the network, or even resides on a flash drive.
For the purposes of this example, the relying party 130 can use the secret challenge question method of account reset. Relying party 130 supplies the question and requests an answer from the client 105, as shown in communication 355. The question can be, for example “What is your mother's maiden name?”. Assuming the user is able to remember the answer that was previously given in response to this question; the user provides a response as shown in communication 360. Note that the answer previously supplied by the user was not necessarily the correct answer to the question, and so the user must remember whether they previously supplied the correct answer to the question or, if not, what answer the user did supply. In other words, the user might have previously supplied the answer “Smith”, which is the actual maiden name of the user's mother, or the user might have supplied “2*toil”, which is not the user's mother's actual maiden name. The latter situation can arise when a user, recognizing the security flaw inherent in supplying publicly available information, chooses to supply a false answer instead. If the answer supplied by the user matches the previously supplied answer, the user will be given access to the desired information on relying party 130. Also, relying party 130 can supply the user with the old identity information or require the user to provide new identity information as part of the account reset process.
In this example, the relying party is using a challenge question scheme for account reset. However, there are many other common schemes, and many variations of the challenge question scheme, used for account reset and supplemental authorization. For example, the challenge question scheme in its most basic form simply asks a user to supply an answer to a preset question and the user has the option of either supplying the correct answer or supplying some other answer that the user will be able to recall at a later time, if called upon to do so. More advanced challenge question schemes allow a user to pick from a list of multiple questions or even allow a user to enter their own question. However, even the advanced forms of the challenge question scheme also have problems: the questions can often be answered with information that is available to the general public (e.g., mother's maiden name) or to acquaintances of the user (e.g., first pet's name) or information that can be obtained by shoulder-surfing (i.e. standing behind the user and watching the information entered on the display). Even if the answer is not readily ascertainable, this type of scheme reduces the problem of attacking the account from one of having to guess a username and/or password (which each could be any possible combination of letters, numbers, and special characters) to one of guessing a question response (which is likely to be drawn from a much smaller set including only names or dictionary words). Therefore, the challenge question scheme reduces the security of the account.
Other common techniques are based on email. In a basic email scheme, upon request, a user is sent their username or password through email so that the user can regain access to their account. In some cases, a temporary password can be sent to the user and the user may have to provide new identity information upon using the temporary password. There are many other possible variations of the email scheme and these will not be discussed further here. The important thing to note is that email accounts are also subject to attack (often by simply obtaining a username and password). If the attacker can guess the target user's email account login and password, the attacker can force a reset of the account and define the new password. Not only is the user denied access to his or her account, but the attacker is able gain access to the account. The email technique of account reset/supplemental authorization is potentially no more secure than an individual user's email account.
According to embodiments of the invention, new claim identifiers can be used by relying parties and identity providers to exchange challenge questions, challenge responses, challenge methods, and/or expected challenge response proof. The claims can be used in tuples and different claim tuples can have different security properties. Also, a single claim can include tuples. As used here, tuples refer to claims or claim elements that form a set. For example, a simple challenge answer claim and a simple challenge question claim together form a tuple. As a further example, a challenge claim can include a tuple comprising a claim element (such as a challenge method) and associated metadata (such as seed data). Not all claims are necessarily used or supported by all relying parties. Each of the individual relying parties can decide which claims it would like to support and use.
New claim identifiers for a simple challenge question scheme could take the form:
The new claim identifiers can also be used with personal cards. As long as the card selector supports the new claim identifiers, a user can establish challenge questions and answers associated with the personal card through the card selector. These challenge questions and answers can then be provided to relying parties during authentication, similar to the case for managed cards described above.
Using these claim identifiers would be most like current implementations of challenge question schemes, in that the relying party stores the question and answer and the response is compared to the stored answer. It should be noted that the answer is also stored at the identity provider. The identity provider can store static strings and provide them to the relying party to be stored statically. In this case, if the user changes the answer at the identity provider, the new answer might not be updated at the relying party until the next time the claims are provided to the relying party, typically at authentication.
Once client 105 has security policy 450, the card selector can identify which information cards will satisfy security policy 450 and present them to the user. The user can then select an information card that satisfies security policy 450. Once the user has selected an acceptable information card, client 105 transmits a request for a security token to identity provider 135, as shown in communication 455. This request can identify that the challenge question and answer are to be included in the security token. Identity provider 135 returns security token 460, as shown in communication 465. Security token 460 includes claims containing the challenge question and the answer to the challenge question. Client 105 then forwards security token 460 to relying party 130, as shown in communication 470. Relying party 130 can then store the challenge question and answer. Relying party 130 can also store an identifier for the identity provider 135 that provided the security token. If the relying party 130 subsequently needs to issue the challenge question, for supplemental authorization or account reset, the relying party 130 has all of the information it needs to provide the challenge question, gather a response, and validate the response against the stored answer. Note that in this example, the user does not need to remember the answer to the challenge question because, when faced with the challenge question, the user can simply obtain the answer from the identity provider 135. Therefore, using these claim identifiers, the user's memory is not relied upon to secure the account. The challenge question and answer claims can be used in tuples. Also, a user might have to respond to more than one challenge from the relying party. In this case, a user can be authorized by correctly responding to only a subset of the total challenges posed.
As described above, the user can obtain the challenge answer from the identity provider in response to a challenge question from the relying party. The challenge question can be presented to the user from the relying party as a form for the user to fill in or as a request for a security token. In the case of a form, the user can request the challenge answer from the identity provider and then either type the answer into the form or copy/paste the answer into the form. In the case of a security token request, the relying party can keep track of which identity provider issued the challenge question and answer and require that the security token come from the same identity provider.
A person of ordinary skill in the art will appreciate that using these claim identifiers, the challenge questions and answers do not need to be natural language words or phrases; they can be any random string of characters. In this case, the challenge to the user might be unintelligible by the user, but the user can simply present the same challenge to the identity provider and the identity provider can then provide the user with the proper response. Note that responding to the challenge can be done automatically by the card selector without requiring interaction by the user. This approach is much more secure than conventional methods because it does not necessarily rely upon natural language questions and responses.
New claim identifiers for a generated-challenge-answer scheme could take the form:
Once client 105 has security policy 550, the card selector can identify which information cards will satisfy security policy 550 and present them to the user. The user can then select an information card that satisfies security policy 550. Once the user has selected an acceptable information card, client 105 transmits a request for a security token from identity provider 135, as shown in communication 555. This request can identify that the generated-challenge answer is to be included in the security token. Identity provider 135 returns security token 560, as shown in communication 565. Security token 560 includes a claim containing the generated-challenge answer. Client 105 then forwards security token 560 to relying party 130, as shown in communication 570. Relying party 130 can then store the generated-challenge answer. Relying party 130 can also store an identifier for the identity provider 135 that provided the security token. The claim containing the generated-challenge answer can also comprise a tuple such that several generated-challenge answers are provided to the relying party.
Note that in this embodiment, the user did not have to remember the answers to any challenge questions because the secret is shared between the relying party and the identity provider rather than between the user and the relying party. Further, the generated-challenge answer(s) can be arbitrary strings of characters so that the user's account can be more secure relative to conventional methods.
A new claim identifier for a challenge method scheme could take the form:
When it becomes necessary to do an account reset or supplemental validation, the relying party can choose one or more of the methods from the list and notify the identity provider, through the client, which method(s) are supported. As an example, the challenge method could take the form of an inquiry into information that is stored at both the relying party and the identity provider. The inquiry could be “What are the dates and times of your most recent five visits to this relying party?”. This information would generally be stored by the relying party and the identity provider would also have this information, provided an information card issued from the identity provider was used to authenticate the most recent five visits. In response to this challenge, the identity provider could provide the requested information and the relying party could use the provided information to validate the user. The relying party can validate the response against a stored answer, or the relying party can generate an answer (perhaps querying a database of user visit information) in order to validate the response. In this embodiment, the information provided is not necessarily secret, but it is also information that is not publicly known or readily ascertainable by parties other than the relying party and the identity provider. Consequently, this scheme is more secure than conventional methods. This is just one example of many possible challenge methods that could be used with this claim.
Further, using this claim, the challenge process can involve obtaining challenge responses from multiple identity providers. Under this approach, the likelihood of collusion between a relying party and any one identity provider can be reduced. The identity provider(s) used for the challenge process can also be a different identity provider than the one used to authenticate the client to the relying party. For example, when an account is created on a relying party, part of the account creation process can include entering an identifier for an identity provider, or identity providers, that will be used for account reset and supplemental authorizations.
A zero knowledge proof scheme can be implemented using the challenge method claim in which seeds are exchanged as claims. In this case, the seeds would not be the actual data requested by the relying party, but instead would be proof that the identity provider has the data. Such a zero knowledge proof method can include several interactions between the relying party and the client (which would interact with the identity provider) to establish the proof.
As an example of a zero-knowledge proof using information cards, an identity provider can provide a relying party, through the client, with a large graph, G, as seed data in a challenge method claim. The challenge method claim can include an identifier called “Hamiltonian” and this identifier may be known generally by relying parties and identity providers as referring to this type of zero-knowledge proof. Before providing G to the relying party, the identity provider calculates G and a Hamiltonian cycle for G that is not known to the relying party. The identity provider can also calculate G such that it is specific to the relying party. The relying party stores G for future use. It should be noted that G is not necessarily included in the challenge method claim. The relying party may request G from the identity provider, through the client, after receiving the challenge method claim including the Hamiltonian identifier and in response the identity provider can provide G to the relying party, through the client.
At some point, the relying party determines that it is time for an account reset or supplemental authorization. This begins a round of interaction cycles between the client and the relying party. The relying party provides a challenge to the client. The challenge can include an identifier for the identity provider that provided G to the relying party. A user selects an appropriate managed card and the card selector sends a request for a security token to the appropriate identity provider. The identity provider calculates H, which is an isomorphic graph to G. The identity provider returns H to the relying party, via the card selector. Next, the relying party randomly chooses one of two questions to ask the identity provider, through the client: prove the isomorphism between H and G; or provide a Hamiltonian cycle in H. Using known mathematical principles, the relying party can verify that the response to either of these questions is correct using only H and G. The relying party presents the selected question to the identity provider, through the card selector, and the calculated response is provided in a security token. The relying party then validates the response.
This cycle can be repeated any number of times until the relying party is convinced of the identity of the user and accepts the account reset or supplemental authorization. The number of times that the cycle will be repeated can be specified by the identity provider as part of the seed data provided with the challenge method claim. Alternatively, the number of cycles may be specified by the relying party. However, it should be noted that the relying party never learns the Hamiltonian cycle for G, which is what makes this a zero-knowledge proof.
This is just an example of a zero-knowledge proof that can be used with information cards and a person of ordinary skill in the art will recognize that other types of zero-knowledge proofs are possible. Although described above as a zero-knowledge proof between an identity provider and a relying party, zero-knowledge proofs can also be implemented between the relying party and the client in which the card selector issues the appropriate security tokens, rather than an identity provider. In other words, zero-knowledge proofs can be implemented using personal cards as well as managed cards.
Once the challenge methods are selected, the relying party presents a challenge to a client at block 1120. The challenge issued by the relying party can consist of a single challenge method or it can consist of multiple challenge methods. In other words, the relying party can seek a single claim (or set of claims) in response to a single challenge or the relying party can seek multiple claims (or sets of claims) in response to multiple challenges. At block 1125, the user at the client chooses an appropriate information card and the client sends a request for a security token to the corresponding identity provider. The identity provider generates or retrieves the necessary information for the claim(s) and generates the security token at block 1130. Depending on the challenge method(s) used, the identity provider can have the requested information for the claim(s) stored or it can generate the requested information in order to generate the security token. Also, the identity provider can obtain the requested information from another identity provider. At block 1135, the security token is transmitted to the client, which forwards the security token to the relying party.
At block 1140, the relying party validates the claim(s) in the security token against information known to the relying party. The relying party can validate the claim(s) against information that is already stored at the relying party or the relying party can generate the information before it can be validated. At block 1145, the relying party determines if the challenge process is complete. If the relying party determines that the challenge process is not complete, the process returns to block 1120 to issue the next challenge. When the relying party uses more than one challenge method, the relying party can validate the user even if the identity provider is not able to provide proper responses for every challenge method. For example, the user can be validated (i.e. the account reset is accepted or the supplemental authorization is approved) if n correct responses are provided out of m challenge methods. The values of n and m can be determined by the relying party or by the user during account setup, for example.
Generating the challenge claim can include generating more than one challenge claim and the challenge claim(s) can include a simple challenge answer, a simple challenge question, a generated-challenge answer, a challenge method, and/or challenge method seeds. Generating the challenge claim can also include generating a challenge claim that is specific to a particular relying party. Also, the challenge claim can include a random string of characters. In this case, a random string of characters includes any string of characters or symbols that may or may not form a construct found in a natural language. The challenge claim can be stored at the identity provider at block 1230. The identity provider might not store the challenge claim in the case that it already has the challenge claim stored or in the case that responding to a subsequent challenge will not require retrieval of a stored claim (i.e. the challenge claim can be re-generated by the identity provider as needed). Then, the identity provider sends the requested managed card to the card selector.
At block 1235, the identity provider receives a request for a security token from a card selector. The request can include a challenge claim request identifier. The identity provider retrieves a challenge claim responsive to the request for the security token at block 1240. Retrieving the challenge claim can include retrieving the challenge claim from a storage and it can include generating the challenge claim. Retrieving the stored challenge claim can also include generating challenge method seed data. Also, retrieving the stored challenge claim can include retrieving stored challenge method seed data. At block 1245, the identity provider generates a security token including the challenge claim. The security token can also include challenge method seed data. The security token is then sent to the card selector at block 1250.
According to some embodiments of the invention, a user can request a challenge claim directly from an identity provider. For example, a relying party may prompt the user for a response to a challenge question and the answer to the challenge question can be stored at the identity provider. Therefore, the user can request the challenge claim from the identity provider and then provide the response to the relying party by, for example, pasting the response into a field in a form provided by the relying party.
Although in the above-described procedures the challenge answers and/or methods are stored by the relying party as part of an authentication process, the challenge answers and/or methods could be obtained and stored at any other time including: during initial account setup on the relying party; during a subsequent account update; or upon request from either the user or the relying party. Also, a person of ordinary skill in the art will recognize that the procedures described above can be combined so that multiple claims are used by the relying party. For example, the relying party can obtain and store claims for a simple challenge question and answer and a claim for challenge methods. Further, the claim for challenge methods can include simple challenge question/answer as one of the supported challenge methods. Any other combination of the new claim identifiers is possible.
As described above, information cards can be used to implement account reset and supplemental authorization between users and relying parties. New claim identifiers are used to allow claims to be provided by an identity provider in response to challenges from a relying party. Using these new claim identifiers, the user is not required to remember the answers that were previously given to the challenge questions and the security of the system is not reliant upon publicly available information. Consequently, using information cards for user challenges increases the security of user accounts.
Having described and illustrated the principles of the invention with reference to illustrated embodiments, it will be recognized that the illustrated embodiments can be modified in arrangement and detail without departing from such principles, and can be combined in any desired manner. And although the foregoing discussion has focused on particular embodiments, other configurations are contemplated. In particular, even though expressions such as “according to an embodiment of the invention” or the like are used herein, these phrases are meant to generally reference embodiment possibilities, and are not intended to limit the invention to particular embodiment configurations. As used herein, these terms can reference the same or different embodiments that are combinable into other embodiments.
Consequently, in view of the wide variety of permutations to the embodiments described herein, this detailed description and accompanying material is intended to be illustrative only, and should not be taken as limiting the scope of the invention. What is claimed as the invention, therefore, is all such modifications as can come within the scope and spirit of the following claims and equivalents thereto.
This application is related to U.S. application Ser. Nos. 11/843,572; 11/843,638; 11/843,640; 11/843,608 and 11/843,591, all of which were filed Aug. 22, 2007 and claimed the benefit of U.S. application Ser. Nos. 60/895,312; 60/895,316; 60/895,325, all of which were filed Mar. 16, 2007; and is related to U.S. application Ser. No. 12/019,104, filed Jan. 24, 2008, which claimed the benefit of U.S. application Ser. No. 60/973,679 filed Sep. 19, 2007. All of the foregoing applications are herein incorporated by reference.
