System and method for using a separate device to facilitate authentication

Abstract

A system that incorporates the subject disclosure may perform, for example, operations including receiving a request from a first device to access information content of a second device. The process further includes determining that the first device is authorized to access the information content according to authorization credentials, and determining a token associated with the request in response to determining that the first device is authorized to access the information content. The token is forwarded to the first device, and it is confirmed that the token was received at the first device. Access to the information content of the second device is authorized in response to confirming that the token was received at the first device. Other embodiments are disclosed.

Description

PRIOR APPLICATIONS[0001]The present application claims the benefit of priority to U.S. Provisional Application No. 61 / 729,598, filed on Nov. 25, 2012, entitled “System and Method for Using Smartphones and Other Mobile Devices to Improve User Experience and Security for Remote Logins,” the entire contents of which are incorporated herein by reference in their entirety.RELATED APPLICATIONS[0002]The present disclosure is related to U.S. Provisional Patent Application No. 61 / 671,673, entitled “Secure Control Logic for Computing Environments,” filed Jul. 13, 2012; U.S. Provisional Patent Application No. 61 / 671,676, entitled “Audit of Remote Computing Environments,” filed Jul. 13, 2012; U.S. Provisional Patent Application No. 61 / 701,714 filed Sep. 16, 2012 entitled “System and Method for Obtaining Keys to Access Protected Information”; U.S. patent application Ser. No. 13 / 410,287 Entitled “Controlling User Access to Electronic Resources Without Password,” filed Mar. 1, 2012, which claims t...

AI Technical Summary

Benefits of technology

The patent text describes a system and method for improving user experience and security for remote logins by using a separate device to facilitate authentication. The system uses encryption keys to decrypt authentication information and access sensitive data, which can be stored on an encrypted file system. The technical effects of this system include improved security, ease of use, and protection of user information.

Problems solved by technology

An ID and password can be stolen or otherwise compromised by sophisticated adversaries utilizing techniques such password sniffing, secretly photographing a login session, using various methods of social engineering to obtain the ID and the password.

Currently technology is also vulnerable to rogue employees who voluntarily provide a password and ID to adversaries.

To the extent that such a password or encryption key is stored on a device, it would be subject to discovery by an adversary if the device were stolen.

The passwords are typically long and complicated.

A challenge is that a user has difficulty remembering the IDs and passwords, and typically maintains lists of these IDs and passwords elsewhere, such as in a “secret” notebook, which the user employs when a login is required.

The IDs and passwords are changed periodically by the site administrator, further compounding the difficulty for the user in maintaining complex IDs and passwords, even when maintained in a secret notebook.

As the number of required IDs and passwords grows, the task of maintaining the secret notebook becomes more difficult for the user.

Furthermore, the user must suffer the inconvenience of period lockout from his or her account and the risk that an adversary will discover the secret ID and password and steal valuable information.

When the file system is no longer needed, the key generated by the software agent chain can be destroyed preventing access to the file system's unencrypted data.

These credentials can be difficult to detect, or “sniff” and would not be visible to an adversary watching the screen.

Thus the user cannot allow unauthorized access to data encrypted by the key.

Again the user will not be able to allow unauthorized access to data encrypted by the application.

Such indications might indicate unauthorized activity such as the presence of a debugger or an attempt to execute the software in an unauthorized environment or an attempt to execute individual software agents when the entire network of software agents is not running.

Such an approach complicates attempts at reverse engineering and / or unauthorized attempts to access features of the system, such as sensitive information.

Sensitive technologies, sometimes referred to as sensitive or critical technologies, e.g., depending upon a particular mission or application, can be made very difficult to obtain by encryption with appropriate algorithms and keys.

If a system safety state changes from safe to unsafe as defined by the embedded policy, any unencrypted, e.g., “clear text” instances of the sensitive technology are deleted and / or otherwise destroyed.

In some embodiments, this penalty can be covertly imposed, so that an adversary attempting to reverse engineer the system does not immediately realize that the task of obtaining a correct key has been rendered impossible.

If the change in system state is discovered before an adversary has been able to copy the entire system to a virtualized environment, the penalty can be imposed on cryptographic material that is stored in a non-volatile medium on the system hardware.

If the adversary has successfully copied the system to another medium, the penalty can be imposed within the copied artifacts.

Images