Abstract:
An improved technique involves generating KBA questions based on facts from fact sources pointed to by an activity log. A KBA system obtains an activity log from a computer of a user in an organization. For example, the computer records the user's web browsing history. The KBA system then considers each entry in the activity log as a source of facts for deriving KBA questions. In the case of a web browsing history, the KBA system generates facts from web pages that the user visited. The KBA system then derives new KBA questions from the facts so derived.
Abstract:
Improved techniques are directed to a method performed by a computing device of authenticating a mobile client device to a resource using location services. The method includes (a) receiving authentication requests from the mobile client device, the authentication requests each including a location freshness value indicating a respective amount of time that has passed since the mobile client device last determined its location, (b) testing the location freshness value received in each authentication request against a location freshness policy to generate a location freshness result indicating whether the location freshness value complies with the location freshness policy, (c) generating an authentication response for each authentication request based at least in part on the location freshness result for that authentication request, and (d) directing the authentication response to be sent to the resource. A computerized apparatus and a computer program product for performing methods similar to that described above are also provided.
Abstract:
A method performed by a client access device includes (1) receiving, at the client access device, a signal from a client authorizing device, the signal including an environmental detection instruction, the environmental detection instruction instructing the client access device to detect an aspect of a local environment, (2) detecting, at the client access device, the aspect of the environment indicated by the environmental detection instruction to yield a first environmental detection result, (3) sending the first environmental detection result from the client access device to a remote server, and (4) in response to sending the environmental detection result to the remote server, receiving a proximity signal from the remote server indicating whether or not proximity between the client access device and the client authorizing device has been established by comparing the first environmental detection result to a second environmental detection result sent from the client authorizing device to the server.
Abstract:
A technique authenticates a user. The technique involves receiving, by processing circuitry, a handwritten code. The technique further involves performing, by the processing circuitry, a set of assessment operations which includes (i) a handwriting evaluation to analyze a set of biometric handwriting aspects of the handwritten code and (ii) a code evaluation to analyze code accuracy of the handwritten code. The technique further involves providing, by the processing circuitry, an authentication result based on the set of assessment operations. Such a technique strengthens security by including a “who you are” factor (i.e., handwriting biometrics uniquely identify the genuine user).
Abstract:
A technique controls access to a protected resource residing on a protected resource server. The technique involves conveying, in response to a user request to access the protected resource residing on the protected resource server, a challenge from a resource accessing device to an access control device. The technique further involves transmitting an answer to the challenge from the access control device to the resource accessing device. The technique further involves completing an authentication operation based on the answer to the challenge. The resource accessing device obtains electronic access to the protected resource residing on the protected resource server when the authentication operation results in successful authentication. The resource accessing device does not obtain electronic access to the protected resource residing on the protected resource server when the authentication operation results in unsuccessful authentication.
Abstract:
A technique performs authentication. The technique involves performing, by processing circuitry, a set of authentication operations in response to a set of authentication requests, and updating a set of velocity metrics which identifies authentication performance for a set of authentication request sources that originated the set of authentication requests. The technique further involves, after updating the set of velocity metrics, receiving, by the processing circuitry, an authentication request from an authentication request source. The technique further involves providing, by the processing circuitry, an authentication result in response to the authentication request from the authentication request source. The authentication result (i) is based on the set of velocity metrics and (ii) indicates whether the authentication request is considered to be legitimate. Such a technique can detect malicious activity even if a person tries to authenticate just a few times to several accounts in a “touch the fence” style of attack.
Abstract:
Improved techniques involve selecting a set of authentication factors from among multiple factors based on a current situation and information about how well the multiple authentication factors have worked in similar situations in the past. Along these lines, when an authentication system performs an authentication operation on a requesting party, the authentication system first assesses a situational environment. Based on the assessment of the situational environment, the authentication system decides that it is necessary to re-authenticate the requesting party. In some arrangements, the authentication system may determine which set of factors has the highest likelihood of successfully verifying the user's identity when compared with other authentication factors. The authentication system then carries out an authentication operation on the selected set of factors and bases a successful authentication result on whether the selected set of factors can be verified.
Abstract:
An improved technique involves adjusting the operation of a KBA system based on facts that may contain information known to an adversary. Along these lines, the KBA system may receive an alert concerning an adversary that may know the answers to some of the KBA questions used by the KBA system in authenticating users. In response to the alert, the KBA system may alter its operations in order to account for the adversary. Subsequently, when a user requests authentication, the KBA system selects KBA questions based on the adjustments made to the KBA system in order to avoid presenting the adversary with KBA questions derived from facts (s)he knows.
Abstract:
Methods, apparatus and articles of manufacture for using a token code to control access to data and applications in a mobile platform are provided herein. A method includes processing authentication information via a cryptographic operation to generate an output, partitioning the output into (i) a component that identifies the authentication information and (ii) an encryption key component, encrypting an item of cryptographic information via the encryption key component, and storing the component that identifies the authentication information and the encrypted item of cryptographic information.
Abstract:
A technique is directed to operating an authentication system. The technique involves receiving an enrollment request to enroll a user in a new authentication procedure in place of an earlier-established authentication procedure. The earlier-established authentication procedure is operative to authenticate the user at a first security level within a range of security levels. The new authentication procedure is operative to authenticate the user at a second security level within the range of security levels, the first security level being at least as high as the second security level within the range of security levels. The technique further involves, in response to the enrollment request, initiating the earlier-established authentication procedure to authenticate the user. The technique further involves, in response to completion of the earlier-established authentication procedure, performing an authentication enrollment operation associated with the new authentication procedure.