(12) Patent Application Publication (10) Pub. No.: US 2006/0020816 A1
Campbell
(43) Pub. Date: Jan. 26, 2006
`(54) METHOD AND SYSTEM FOR MANAGING
`AUTHENTICATION ATTEMPTS
`
(76) Inventor: John Robertson Campbell, Ottawa (CA)
Correspondence Address:
TORYS LLP
79 WELLINGTON ST. WEST
SUITE 3000
TORONTO, ON M5K 1N2 (CA)
`
(21) Appl. No.: 11/172,899
(22) Filed: Jul. 5, 2005
`
Related U.S. Application Data

(60) Provisional application No. 60/585,845, filed on Jul. 8, 2004.
`
Publication Classification

(51) Int. Cl. H04L 9/00 (2006.01)
(52) U.S. Cl. ............................................................ 713/182

(57) ABSTRACT
The present invention provides, in certain embodiments, identification and management of authentication attempts by having a real time communication channel with the end user that is separate from the channel being used for authentication. An example is where Internet users are a) identified by their cell phone numbers and may b) access the internet from many different physical locations. Aspects of the invention allow authentication issue detection to be extended, utilizing the separate communication channel to communicate directly with the user. This can allow the authenticating authority to take proactive action on a more automatic basis, with the ability to distinguish fraud or abuse attempts from user problems aided by the separate communication channel.
`
`60
`
`Cell
`Phone
`
`55
`
`Cell
`Network
`
`1 5
`
`lntemet
`.
`Device
`
`20
`
`-'-—"'-—-> lntemet
`
`30
`
`35
`
`v 25
`
`.
`.
`Application
`
`Authentication
`<—-—
`Server
`
`Location
`Database
`
`Event
`Database
`
`40
`
`User
`Database
`
`TWILIO, INC. EX. 1004
`Page 1
`
`
`
Figure 1 (Sheet 1 of 3): system block diagram. Elements shown: Cell Phone 60; Cell Network 55; Internet Device 15; Internet 20; Authentication Server 25; Application 30; System 35; User Database 40; Location Database; Event Database.
`
`
`
Figure 2 (Sheet 2 of 3): flow chart. Authentication attempt at access location (105); authentication request sent to Server (110); "User on Block List?" (yes: Authentication Reject); "User ID and password OK?" (yes: "Location and interval OK?", which leads to Authentication Accept (130) if yes and to FIG. 3 if no; no: Authentication Reject, then "More than "n" attempts in "x" time?", yes: put User ID on block list (145) and send message to cellular phone (150)).
`
`
`
Figure 3 (Sheet 3 of 3): flow chart. "More than "m" attempts in "y" time?" (no: send current PW to cellular phone; yes: Authentication Reject (310), change PW (315), send message to cellular phone (320)).
`
`
`
`
`METHOD AND SYSTEM FOR MANAGING
`AUTHENTICATION ATTEMPTS
`
`[0010] FIG. 3 is a How chart of a method for managing
`attempted illegitimate authentication attempts in accordance
`With another embodiment of the invention.
`
`PRIORITY CLAIM
`
`[0001] The present application claims priority from US.
`Provisional Patent Application No. 60/585,845, ?led Jul. 8,
`2004, the contents of Which are incorporated herein by
`reference.
`
`FIELD OF THE INVENTION
`
`[0002] The present invention relates generally to computer
`authentication and more particularly relates to a method and
`system for managing authentication attempts.
`
`BACKGROUND OF THE INVENTION
`
`[0003] Authentication of users and the like in computing
`environments is an important aspect of providing secure
`computing environments. Such authentication should be
`rigid enough to provide reasonable assurance that only
`authoriZed users can access the computing environment, and
`yet should not be so onerous that the user ?nds it impractical
`to actually gain access to the computing environment.
`
`SUMMARY OF THE INVENTION
`
`[0004] Aspects of the present of this invention take effec
`tive action to manage invalid authentication attempts
`through pattern analysis and the use of a separate commu
`nication channel to communicate With Users in real time.
`Such invalid authentication attempts could include fraudu
`lent or abusive situations as Well as a lack of User knoWl
`edge.
`[0005] The identi?cation and management of authentica
`tion attempts can be improved in a unique Way by having a
`real time communication channel With the end user that is
`separate from the channel being used for authentication. An
`eXample of this is Where Internet users are a) identi?ed by
`their cell phone numbers and may b) access the internet from
`many different physical locations. Aspects of the invention
`alloW for authentication issue detection to be extended With
`superior action compared to prior art, utiliZing the separate
`communication channel to communicate directly With the
`user. This can alloW the authenticating authority to take
`more proactive action on a more automatic basis With the
`ability to distinguish fraud or abuse attempts from user
`problems aided by the separate communication channel.
`[0006] Aspects of the invention involve managing access
`to the internet, or a netWork. Another aspects involve
`managing access to an application, such as an internet
`connected Web application.
`
`BRIEF DESCRIPTION OF THE DRAWINGS
`
`[0007] Embodiments of the present invention Will noW be
`described by Way of eXample only With reference to the
`attached ?gures herein.
`
`[0008] FIG. 1 is a system block diagram of a system for
`managing attempted illegitimate authentication attempts in
`accordance With another embodiment of the invention;
`
`[0009] FIG. 2 is a How chart of a method for managing
`attempted illegitimate authentication attempts in accordance
`With another embodiment of the invention; and,
`
`DETAILED DESCRIPTION OF THE
`INVENTION
`
`[0011] Referring to FIG. 1, the system for managing
`authentication attempts is generally located at 35. The
`System 35 includes an authentication application or Authen
`tication Server 25, Which, for eXample, could be imple
`mented With a RADIUS server. The System also includes a
`User Database 40, Which could be many different standards
`and products. The System also includes an Event Database
`45 Which is used to store information about authentication
`events such as User ID, location of authentication attempt,
`time of attempt, if passWord matched User ID. The Location
`Database 50 stores information about the geographic coor
`dinates of access locations and the type of access location
`(eg airport). The System also contains an Application 30
`Which can interface With the databases, the Authentication
`Server and the Cellular NetWork 55. The System may be
`contained in any kind of computer that has suitable process
`ing poWer, RAM, Disc capacity and communications ports.
`The computer may run any OS that is compatible With the
`applications 25, 30, 40, 45, 50.
`[0012] Users requiring authentication are equipped With
`internet devices such as a computer, a notebook computer, a
`PDA or a WLAN enabled cell phone 15. Such devices
`support internet communication protocols.
`
`[0013] These devices are attempting to access the internet
`from various locations. The access could be via Wireless or
`Wired netWork. The internet equipment 20 at the location is
`able to block access to the internet until the device 15 has
`been authenticated. The Internet equipment communicates
`With the Authentication Server 25 to pass information about
`the User to the Authentication Server 25. The Internet
`equipment Will not permit the Device to access the netWork
`until it has been advised to do so by the Authentication
`Server. This often takes the form of an “authentication
`accept” message.
`[0014] The Authentication Server interfaces to the User
`Database 40 to compare the User ID and passWord offered
`by the Internet Device 15 With that stored in the User
`Database 40. The Authentication Server passes information
`about the authentication attempt to the Application and
`receives a message back from the application indicating if
`Authentication can proceed. If the authentication may pro
`ceed, the Authentication Server Will communicate With the
`Internet equipment to inform the equipment that access may
`be permitted. This often takes the form of an “authentication
`accept” message.
`[0015] The Application 30 receives information about
`authentication attempts, referred hereafter as “events”, from
`the Authentication Server 25.
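Paragraphs [0013] and [0014] describe the exchange between the Internet equipment (20) and the Authentication Server (25) only as "authentication accept" and "reject" messages. The following is an added worked example, not code from the application, that shows that exchange as RFC 2865 RADIUS packets in Python: the equipment builds an Access-Request carrying a PAP User-Password hidden under the shared secret, the server unhides and verifies the password, consults a hook standing in for the Application 30 verdict of [0014], and answers with an Access-Accept or Access-Reject whose Response Authenticator the equipment then checks. The shared secret, user database, NAS address and the `application_allows` hook are assumptions made for illustration; UDP transport, retransmission and the Message-Authenticator attribute of RFC 2869 are left out.

```python
import hashlib
import hmac
import os
import struct

# RFC 2865 packet codes and the attribute types this example uses
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
HEADER = struct.Struct("!BBH16s")   # Code, Identifier, Length, Authenticator

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each with MD5(secret || previous block)."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += prev
    return out

def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password: the server recovers the PAP password it has to verify."""
    if len(hidden) % 16 or not 0 < len(hidden) <= 128:
        raise ValueError("malformed User-Password attribute")
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(prev, b))
    return out.rstrip(b"\x00")   # strips the padding (a password ending in NUL is not supported)

def build_packet(code: int, ident: int, authenticator: bytes, attrs: list) -> bytes:
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return HEADER.pack(code, ident, HEADER.size + len(body), authenticator) + body

def parse_packet(pkt: bytes) -> tuple:
    """Returns (code, identifier, authenticator, [(type, value), ...]); rejects bad lengths."""
    if len(pkt) < HEADER.size:
        raise ValueError("short packet")
    code, ident, length, auth = HEADER.unpack(pkt[:HEADER.size])
    if length != len(pkt):
        raise ValueError("Length field does not match the packet")
    attrs, i = [], HEADER.size
    while i < len(pkt):
        if i + 2 > len(pkt) or pkt[i + 1] < 2 or i + pkt[i + 1] > len(pkt):
            raise ValueError("malformed attribute")
        attrs.append((pkt[i], pkt[i + 2:i + pkt[i + 1]]))
        i += pkt[i + 1]
    return code, ident, auth, attrs

def nas_access_request(ident: int, user: bytes, password: bytes, secret: bytes,
                       nas_ip: bytes = bytes([10, 0, 0, 1])) -> tuple:
    """Internet equipment (20) side: build the Access-Request, keep its Request Authenticator."""
    ra = os.urandom(16)
    attrs = [(USER_NAME, user), (USER_PASSWORD, hide_password(password, secret, ra)),
             (NAS_IP_ADDRESS, nas_ip)]
    return build_packet(ACCESS_REQUEST, ident, ra, attrs), ra

def server_handle(pkt: bytes, secret: bytes, user_db: dict, application_allows) -> bytes:
    """Authentication Server (25) side: check the password, ask the Application, answer."""
    code, ident, ra, attrs = parse_packet(pkt)
    if code != ACCESS_REQUEST:
        raise ValueError("expected an Access-Request")
    a = dict(attrs)
    user = a.get(USER_NAME, b"")
    offered = unhide_password(a.get(USER_PASSWORD, b"\x00" * 16), secret, ra)
    ok = hmac.compare_digest(user_db.get(user, b"\x00"), offered) and application_allows(user)
    resp_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    # Response Authenticator = MD5(Code || ID || Length || RequestAuth || Attributes || Secret)
    resp_auth = hashlib.md5(struct.pack("!BBH", resp_code, ident, HEADER.size) + ra + secret).digest()
    return build_packet(resp_code, ident, resp_auth, [])

def nas_check_response(resp: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Internet equipment side: accept only a reply bound to our request by the secret."""
    code, ident, auth, _ = parse_packet(resp)
    expected = hashlib.md5(struct.pack("!BBH", code, ident, len(resp)) + request_auth
                           + resp[HEADER.size:] + secret).digest()
    if not hmac.compare_digest(auth, expected):
        raise ValueError("bad Response Authenticator: forged, or not for this request")
    return code == ACCESS_ACCEPT

def demo(user: bytes = b"6135550100", password: bytes = b"correct horse",
         allowed: bool = True) -> bool:
    """One exchange over constructed data; `allowed` stands in for the Application's verdict."""
    secret, user_db = b"constructed-shared-secret", {b"6135550100": b"correct horse"}
    req, ra = nas_access_request(7, user, password, secret)
    resp = server_handle(req, secret, user_db, lambda uid: allowed)
    return nas_check_response(resp, ra, secret)
```

The Response Authenticator is what stops an on-path party from turning a reject into an accept, but both it and the password hiding rest on MD5 keyed with the shared secret, so the strength of that secret and the confidentiality of the path between the equipment and the server carry the security of the exchange.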
`
`[0016] The Application 30 may:
`
`[0017] a) Record the event in Even Database (45).
`
`[0018] b) Retrieve and analyse information about
`events When a neW event occurs. The Application
`searches the database and compares the event to crite
`ria. The criteria may include:
`
`
`[0019] 1) Authentication attempt When the same User
`ID has been used to successfully authenticate an
`internet access, and said internet access is still active.
`[0020] 2) Authentication attempt When an attempt
`using the same User ID occurred from a different
`location, and the time betWeen the attempts Would
`not alloW a legitimate Internet user to travel from the
`?rst location to the second. When locations are
`established, the geographic coordinates (such as
`UMT coordinates) must be determined. The geo
`graphic coordinates are stored in the Location data
`base (50). When an authentication attempt occurs,
`the Application Will search the Location database to
`determine the geographic location of the current
`attempt and the geographic location of the most
`recent successful attempt. The time of most recent
`successful attempt Will be obtained by searching the
`Event database. Other preferred embodiments may
`not include location information and the Location
`database (50).
`[0021] 3) Multiple authentication attempts using a
`cellular number (irrespective of location of attempts)
`Within a time period, Where the number of attempts
`and the duration of the time period indicate atypical
`use.
`
`[0022] 4) Multiple authentication attempts from a
`given location (irrespective of cellular number)
`Within a time period, Where the number of attempts
`and the duration of the time period indicate atypical
`use.
`
`[0023] The Application 30 may make use of a separate
`communications channel, in this case a cellular netWork 55,
`to communicate With a legitimate user via a device they
`possess, in this case a cellular phone 60.
`
`[0024] The Application 30 may perform one or more of
`the folloWing actions depending upon criteria that may be
`established in the Application.
`[0025] 1) Automatic action to change the passWord and
`inform the legitimate user of the neW passWord. The Appli
`cation 30 Would generate a neW passWord and then a) store
`the neW passWord in the User Database 40 and b) send the
`neW passWord to the cellular phone via the Cellular Network
`55 using SMS or IVR methods, along With a message
`explaining the reason a neW passWord is being sent.
`
`[0026] 2) Automatic action to suspend the account and
`distribution of passWords. The Application 30 Would place
`the User ID on a Block List in the User database. The Block
`List Would over-ride other Authentication server functions to
`authenticate, create a neW account, or create and distribute
`neW passWord to the cellular phone 60.
`
`[0027] 3) In the case of 2) above, or otherWise, automatic
`action to contact the Internet user via their cellular phone
`and request them to take/not take action, including request
`ing them to initiate contact With the service provider. Such
`contact could be via the Cellular Network 55 using SMS or
`IVR methods to the legitimate User’s cellular phone 60.
`
`[0028] 4) Noti?cation to personnel so that they may
`initiate manual action to contact the Internet user via a
`phone call or SMS message to their cellular number. If
`contact cannot be made betWeen personnel and the
`
`User, and a suitable explanation given by the User, then
`the account may be suspended or laW enforcement
`agency contacted. If there is a suitable explanation,
`assistance may be offered to the legitimate user.
`
`[0029] Some or all of the functions of the Application may
`be distributed and be associated With the Authentication
`Server or other applications such as a Web server not
`necessarily part of this system.
`[0030] The Event database functions maybe provided in a
`separate database or combined With other databases that may
`be part of a system.
`[0031] The Location database functions maybe provided
`in a separate database or combined With other databases that
`may be part of a system.
`
`[0032] The implementation of the invention could have a
`logical flow as depicted in FIG. 2 and FIG. 3. This is an
`example of hoW a system could function, and others are
`possible, considering other factors and combinations of
`these factors in the decisions.
`
`[0033] The method starts With an attempt to access the
`internet at a location (105). Equipment at the location Will
`capture the request and forWard it to a centraliZed Server
`(110) making use of an authentication protocol such as
`RADIUS, referred to hereafter as “the authentication pro
`tocol”.
`
`[0034] The Server Will verify if the User ID is on a Block
`List (112). If the User ID is on the Block list then the Server
`Will proceed With authentication reject using the authenti
`cation protocol.
`[0035] The Server Will verify if the User ID and passWord
`constitute a valid authentication attempt (115). If it does, the
`server Will then retrieve the geographic coordinates of the
`current authentication attempt and then retrieve the geo
`graphic coordinates and time of the most recent previous
`valid authentication attempt and calculate the physical dis
`tance betWeen the current and most recent previous authen
`tications as Well as the time interval betWeen the current and
`most recent previous authentications. The Server Will then
`apply rules (120) With determine if the implied velocity is
`reasonable. The rules may include factors such as the
`distance (such as short vs. long) and type of location (such
`as airport).
`
`[0036] If the Server determines that the implied velocity is
`acceptable (120) then the Server Will proceed With authen
`tication accept (130) using the authentication protocol,
`alloWing the User to gain access to the internet.
`
`[0037] If the Server determines that the implied velocity is
`unacceptable (120) then the Server Will then proceed With
`authentication reject using the authentication protocol pre
`venting internet access associated With this attempt (310).
`The Server Will then create and a neW random passWord for
`the User and store this neW passWord in the User database,
`replacing the current passWord (315).
`
`[0038] The Server Will then send a message to the valid
`User (320) by Way of an SMS message the User’s cellular
`phone. The cellular phone number may be determined either
`by searching the User database or, if the service is so
`designed, the User ID may be the cellular number of the
`User. Thus the User ID Would be the required cellular
`
`TWILIO, INC. EX. 1004
`Page 6
`
`
`
`US 2006/0020816 A1
`
`Jan. 26, 2006
`
`number. This above approach may be used in any of the
`following instances Where the cellular number of the User is
`required.
`[0039] The SMS message sent in step (320) Would indi
`cate that the password has been changed and the reason. An
`example message could read “Your passWord has been
`changed to XXXXXXX due to a risk that your old passWord
`has been compromised”. Thus the valid user is automatically
`equipped With and informed of a change in passWord.
`[0040] Going back to step (115), if the Server determines
`that the User ID and passWord do not constitute a valid pair,
`the Server Will proceed With authentication reject using the
`authentication protocol preventing internet access associated
`With this attempt (135).
`[0041] The Server Will then search a database of recent
`authentication attempts (successful and unsuccessful) and
`determine (140), as an example, if more than 10 attempts
`have been made to authenticate in the past 1 hour. This
`Would have the generic form of more than “n” attempts
`Within “x” time interval. If the threshold had been exceeded,
`then the system Would put the User ID on a Block list (145).
`The Server Will then send a message to the valid User (150)
`by Way of an SMS message the User’s cellular phone. The
`SMS message Would indicate that the User account has been
`suspended and request the User to contact the authentication
`authority. The authentication authority could be a service
`provider or company that is granting access to, in this case,
`the internet. An example SMS message could read “Your
`account has been suspended due to a risk that your passWord
`has been compromised. Please contact 800-555-5555 for
`further information”. Thus the valid user is informed of the
`issue and can contact the authentication authority.
`
`[0042] Returning to step 140, if the threshold had not been
`exceeded, then the Server Would determine (305), as an
`example, if more than 5 attempts have been made to
`authenticate in the past 1 hour. This Would have the generic
`form of more than “n” attempts Within “x” time interval, but
`Would have a loWer threshold than in step 140. If the
`threshold had been exceeded, then the system Would pro
`ceed as described above in step 315 and 320.
`
`[0043] If at step 305, the threshold had not been exceeded,
`then the Server Would retrieve the current passWord from the
`User database and send the current passWord to valid User
`(325) by Way of an SMS message the User’s cellular phone.
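The event criteria of [0019]-[0022], the automatic actions of [0025]-[0027] and the step-by-step flow of [0033]-[0043] describe one decision procedure. The following is an added worked example of that procedure in Python, written for this page rather than taken from the application. Everything the page does not state is an assumption: the haversine great-circle distance, the velocity limits (150 km/h between ordinary sites, 900 km/h when either site is an airport, and nothing under 50 km counted as travel), the per-site threshold of 50 attempts, the ten-character random password, and the site coordinates and subscriber data, which are constructed; `outbox` stands in for the SMS gateway on the Cellular Network (55).

```python
import math, secrets, string
from dataclasses import dataclass, field

@dataclass
class Location:                   # row of the Location Database (50)
    lat: float
    lon: float
    kind: str = "office"          # type of access location, e.g. "airport"

@dataclass
class Event:                      # row of the Event Database (45)
    user_id: str
    site: str
    time: float                   # seconds since epoch
    valid: bool                   # did the offered password match the User Database?

@dataclass
class Policy:                     # assumed values; the page itself gives only n=10, m=5 and 1 hour
    window: float = 3600.0        # the "x"/"y" interval
    block_n: int = 10             # step 140: more than n attempts -> Block List
    reset_m: int = 5              # step 305: more than m attempts -> new password
    site_n: int = 50              # criterion 4: attempts from one site
    ground_kmh: float = 150.0     # implied velocity allowed between non-airport sites
    air_kmh: float = 900.0        # allowed when either site is an airport
    near_km: float = 50.0         # hops shorter than this are never "travel"

def haversine_km(a: Location, b: Location) -> float:
    """Great-circle distance between two sites, in km."""
    p1, p2, dl = math.radians(a.lat), math.radians(b.lat), math.radians(b.lon - a.lon)
    h = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))

@dataclass
class Engine:
    users: dict                   # User Database (40): User ID (the cell number) -> password
    sites: dict                   # Location Database (50): site name -> Location
    policy: Policy = field(default_factory=Policy)
    events: list = field(default_factory=list)
    block_list: set = field(default_factory=set)
    active: dict = field(default_factory=dict)   # User ID -> site of a live session
    outbox: list = field(default_factory=list)   # stand-in for the Cellular Network (55)

    def send_sms(self, user_id: str, text: str) -> None:
        self.outbox.append((user_id, text))      # the User ID is the cell number ([0038])

    def _count(self, now: float, **match) -> int:
        return sum(1 for e in self.events if now - e.time <= self.policy.window
                   and all(getattr(e, k) == v for k, v in match.items()))

    def impossible_travel(self, user_id: str, site: str, now: float) -> bool:
        """Criterion 2 / step 120: implied velocity since the most recent valid attempt."""
        prev = next((e for e in reversed(self.events)
                     if e.user_id == user_id and e.valid and e.time < now), None)
        if prev is None or prev.site == site:
            return False
        here, there = self.sites[site], self.sites[prev.site]
        km = haversine_km(here, there)
        limit = self.policy.air_kmh if "airport" in (here.kind, there.kind) else self.policy.ground_kmh
        return km >= self.policy.near_km and km / (max(now - prev.time, 1.0) / 3600.0) > limit

    def criteria(self, user_id: str, site: str, now: float) -> list:
        """The four analysis criteria of [0019]-[0022], returned as flag names."""
        checks = [("session-still-active", user_id in self.active),
                  ("impossible-travel", self.impossible_travel(user_id, site, now)),
                  ("user-rate", self._count(now, user_id=user_id) > self.policy.block_n),
                  ("site-rate", self._count(now, site=site) > self.policy.site_n)]
        return [name for name, hit in checks if hit]

    def rotate_password(self, user_id: str) -> str:
        """Steps 315 and 320: store a fresh random password and tell the legitimate user."""
        new = "".join(secrets.choice(string.ascii_letters + string.digits) for _ in range(10))
        self.users[user_id] = new
        self.send_sms(user_id, f"Your password has been changed to {new} due to a risk "
                               "that your old password has been compromised")
        return new

    def authenticate(self, user_id: str, password: str, site: str, now: float) -> str:
        """FIG. 2 / FIG. 3 flow; returns the verdict passed back over the authentication protocol."""
        valid = user_id in self.users and secrets.compare_digest(self.users[user_id], password)
        self.events.append(Event(user_id, site, now, valid))            # [0017] a): record the event
        if user_id in self.block_list:                                   # step 112
            return "reject"
        if valid:                                                        # step 115
            if self.impossible_travel(user_id, site, now):               # step 120
                self.rotate_password(user_id)                            # steps 310, 315, 320
                return "reject"
            self.active[user_id] = site                                  # step 130
            return "accept"
        attempts = self._count(now, user_id=user_id)                     # step 140, all attempts
        if attempts > self.policy.block_n:
            self.block_list.add(user_id)                                 # step 145
            self.send_sms(user_id, "Your account has been suspended due to a risk that your "
                                   "password has been compromised. Please contact 800-555-5555 "
                                   "for further information")             # step 150
        elif attempts > self.policy.reset_m:
            self.rotate_password(user_id)                                # steps 305, 315, 320
        elif user_id in self.users:                                      # step 325
            self.send_sms(user_id, f"Your current password is {self.users[user_id]}")
        return "reject"                                                  # step 135

# Constructed sample data: three access sites (approximate coordinates).
SITES = {"ottawa": Location(45.42, -75.70),
         "toronto": Location(43.65, -79.38, "airport"),
         "vancouver": Location(49.28, -123.12, "airport")}
```

Two properties follow directly from the flow as the page states it and are kept in the example. Step 325 sends the current password in clear text after any failed attempt below the lower threshold, so the User Database must hold recoverable passwords (the example stores them in plain text for that reason; a hashed store cannot serve step 325). Steps 320 and 325 also deliver passwords over the cellular channel, which makes possession of the phone number the deciding factor for the account; a deployment would want to weigh both against the convenience the page describes.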
`
`[0044] The above-described embodiments of the invention
`are intended to be examples of the present invention and
`alterations and modi?cations may be effected thereto, by
`those of skill in the art, Without departing from the scope of
`the invention Which is de?ned solely by the claims appended
`hereto.
`
1) A computer-based system for managing illegitimate authentication attempts comprising:

a first application for receiving an authentication attempt from a device connected to said system, said attempt having been entered into said device by a user, said user being one of a legitimate user and an illegitimate user;

a second application for capturing and recording said authentication attempt;

a third application for performing an analysis of said authentication attempt and for performing a determination of whether said authentication attempt is potentially from said illegitimate user;

a fourth application for modifying an authentication system database based on results from said third application; and

a communication channel to another device associated with said legitimate user and operable to send messages based on results from said third application to said another device for presentation to said legitimate user.
2) The system according to claim 1 wherein said first application is based on RADIUS protocols.

3) The system according to claim 1 wherein an authentication attempt includes a User ID that is based on a non-internet communications system.

4) The system according to claim 3 where the non-internet communications system is a cellular phone, and wherein said User ID is a cellular phone number.

5) The system according to claim 3 where the non-internet communications system is a pager and wherein the User ID is a pager number.

6) The system according to claim 3 wherein the User ID contains the non-internet communications address for the user.

7) The system according to claim 3 wherein the User ID is cross-referenced to the non-internet communications address for the User.

8) The system according to claim 1 where said applications are embedded in one or more centralized servers.

9) The system according to claim 1 where said applications are embedded in a self-contained authentication device.

10) The system according to claim 4 where said messages are by SMS (Short Message Service).

11) The system according to claim 4 where said messages are by voice.

12) The system according to claim 10 where the SMS is generated by a sixth application.

13) The system according to claim 10 where the SMS is generated by a human.

14) The system according to claim 11 where said voice is generated by an interactive voice response application.

15) The system according to claim 11 where the voice is generated by a human.

16) The system according to claim 1 where the analysis identifies said authentication attempt as having a valid User ID and password while a previously authenticated session is still active, and the determination concludes that said authentication attempt was potentially from an illegitimate user.

17) The system according to claim 1 where the analysis identifies an authentication attempt with a valid User ID and password while a previously authenticated session is still active.

18) The system according to claim 1 wherein the third application includes permitted geographic coordinates for the locations where said user may authenticate and wherein the analysis identifies actual geographic coordinates of said authentication attempt; and wherein said determination concludes that said authentication attempt was potentially from an illegitimate user if said actual geographic coordinates are outside said permitted geographic coordinates.
19) The system according to claim 1 where the analysis identifies actual geographic coordinates of said authentication attempt and said third application is operable to determine a distance travelled and an elapsed time between said actual geographic coordinates and a previous set of geographic coordinates and a previously successful authentication; and wherein said determination concludes that authentication is potentially from an illegitimate user if at least one of said distance and said elapsed time exceeds a predefined threshold.
20) The system according to claim 1 where the analysis includes determining a number of previous authentication attempts using a particular User ID prior to said authentication attempt within a time period, and the determination concludes said authentication attempt is potentially from an illegitimate user if said time period does not fall within a predefined range.

21) The system according to claim 1 where the analysis includes determining the number of authentication attempts from a particular location within a time period.

22) The system according to claim 3 further comprising a fifth application wherein a password associated with said User ID can be modified and said User notified.

23) The system according to claim 1 wherein any future authentication attempts associated with said user are flagged as illegitimate in said database if said authentication attempt is from a potentially illegitimate user.

24) The system according to claim 1 where the Authentication Server may proceed with authentication if the Application has not responded within a defined time and the User ID and password are valid.

25) The system according to claim 1 wherein the authentication system is based on other internet protocols, such as DIAMETER.
`