
A computer implemented method to improve security in authentication/authorization systems and computer programs products thereof

A technology of authentication/authorization systems and computer programs, applied in the field of computer program products and authentication/authorization systems, that addresses the increasing complexity of many security techniques, solutions that are too expensive to afford, and the way specific resources are accessed.

Inactive Publication Date: 2016-06-02
TELEFONICA DIGITAL ESPANA

AI Technical Summary

Benefits of technology

The present invention provides a system for managing accounts with different servers using different criteria, and allows users to be alerted to identity theft attempts or to false impersonation of the user in operation execution requests. The invention also allows users to plan a locking / unlocking policy, delegate control of their accounts to other users, and set schedules to automate the management of accounts. It does not propose any new authentication / authorization scheme, but aims to reduce the risk taken with the choice of any authentication / authorization mechanism by minimizing the exposure time. The invention also makes it possible to reduce the exposure of particular actions that can be taken after the login process has been completed, and to establish a channel for sending critical information that assures the integrity of the execution of those actions.

Problems solved by technology

The increasing complexity of applications has led to the adoption of many increasingly sophisticated security techniques.
However, there are threats which cannot yet be thwarted by adopting any of the existing authentication / authorization schemes, or for which adoption is too expensive to afford.
These threats directly affect the way the access to specific resources is performed.
For this reason, sometimes it will be difficult to provide a general authorization scheme.
If they exist, the threats should come from deficient use of these SDKs.
On the other hand, the attacker may compromise or otherwise exploit authentication tokens and may intercept all input or output communications from the device (Man-in-the-device (MitD) attacks or Man-in-the-Browser (MitB) attacks).
The attacker can do this by infecting the system with malware.
Although there are alternatives to proactively protect systems from this threat, there is no adequate solution to mitigate the effects of the attack once the device from which the resource access is requested is compromised.
Although there are some tools that aid in this task [3], [6], deployments at level 4 are difficult to evaluate correctly.
In terms of usability, the use of tamper-resistant hardware tokens works against the adoption of these solutions by users, and it has been shown that this situation leads to misuse of the credential systems.
These tokens are expensive.
Furthermore, in terms of authorization, the authors of [7] explain that, aside from some security issues of each SDK, developers who choose to integrate with one of them make assumptions that can lead to security problems.
This is because SDKs are often not well documented, and security exploits nearly always stem from attackers who find ways to violate the assumptions that system implementers relied upon.
Along with these difficulties, other problems must be considered to understand the constant increase in fraud arising from the theft of digital identities.
For instance, it is not possible to measure a homogeneous security level in all users' digital accounts.
Apart from the problems derived from adopting authorization solutions, the most widespread authentication solution, the use of personal digital certificates, also has many problems that have usually led to very poor adoption in most systems, especially when they have to provide services to a large number of clients.
For instance, on the user side some of these problems are:
Valid digital certificate possession.
And, in addition, this certificate may not be used in processes related to authentication.
These certificates can be stored in the computer, but this solution limits their use to a single machine.
In this case, the limitation to a single computer is overcome, extending use to all those computers that have a compatible smartcard reader.
Latency.
The processes associated with the implementations of the authentication mechanisms always add overhead to the time needed to authenticate a user.
Secure environment to execute cryptographic procedures over these digital certificates.
On the service provider side, the problems grow with the cost of maintaining a Public Key Infrastructure (PKI), which always adds complexity to the system functionality.


Embodiment Construction

[0038] To achieve the above, the invention provides in a first aspect a computer implemented method to improve security in authentication / authorization systems, which comprises: receiving, by a first server, from a user having a computing device, a request to be logged into a service of said first server; and authenticating, by said first server, credentials information of said user in order to authorize said service request.

[0039] In a characteristic manner, and contrary to the known proposals, the computer implemented method of the first aspect further comprises the use of a second server, in connection with said user computing device that has installed therein a dedicated program, for receiving from the first server a first request about a status associated to said user in order to assist the first server in authorizing or rejecting the requested service logging, and in case said requested service logging being authorized, and a request is done by the user to perform an operation in th...
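The login step of [0038] and [0039] can be sketched as follows. This is an added illustration, not code from the patent: the class and method names are hypothetical, the default "unlocked" state and the daily unlock window are assumptions modelled on the locking policy and schedules mentioned under "Benefits of technology", and only the login check is covered because the text of [0039] is cut off.

```python
import hashlib
import hmac
import os

# Hypothetical names throughout; default "unlocked" and the daily window are assumptions.
class StatusServer:
    """Second server: stores the lock state the user sets from the dedicated program."""
    def __init__(self):
        self._manual = {}    # (user, service) -> True when locked by the user
        self._windows = {}   # (user, service) -> (start, end) daily unlock window
        self.alerts = []     # messages that would be pushed to the user's device

    def set_lock(self, user, service, locked):
        self._manual[(user, service)] = locked

    def set_unlock_window(self, user, service, start, end):
        self._windows[(user, service)] = (start, end)

    def status(self, user, service, now):
        key = (user, service)
        locked = self._manual.get(key, False)
        window = self._windows.get(key)
        if window and not (window[0] <= now.time() < window[1]):
            locked = True    # outside the scheduled window the account stays locked
        if locked:
            # The first server only asks after valid credentials were presented.
            self.alerts.append(f"{now.isoformat()} login to {service} blocked for {user}")
        return "locked" if locked else "unlocked"


class ServiceServer:
    """First server: authenticates credentials, then consults the second server."""
    def __init__(self, name, status_server):
        self.name, self.status_server, self._creds = name, status_server, {}

    def register(self, user, password):
        salt = os.urandom(16)
        self._creds[user] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))

    def login(self, user, password, now):
        """Return (authorized, reason); reason is for the server log, not the client."""
        salt, stored = self._creds.get(user, (b"", b""))
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(candidate, stored):
            return (False, "credentials")
        if self.status_server.status(user, self.name, now) == "locked":
            return (False, "locked")
        return (True, "ok")
```

`login` takes the current time as a `datetime` so the schedule can be exercised deterministically; a blocked login that presented valid credentials is the event that produces an alert for the user.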


Abstract

A computer implemented method and computer program products to improve security in authentication / authorization systems. The computer implemented method comprises controlling the access to different resources and actions defined for a user by a first server, reducing the exposure time during which such operations are available, establishing a dual channel verification through the use of a second server, and defining a secure channel for certificate exchange for authentication. The computer programs implement the method.

Description

FIELD OF THE ART

[0001] The present invention is directed, in general, to authentication and authorization systems. In particular, the invention relates to a computer implemented method and computer program products to improve security in authentication / authorization systems in which the access to different resources and actions defined for a given user are controlled.

BACKGROUND OF THE INVENTION

[0002] In recent years, the web fraud detection market has grown considerably, so innovation in authentication and authorization processes has become of great importance.

[0003] The increasing complexity of applications has led to the adoption of many increasingly sophisticated security techniques. One of the classifications that can be proposed for the study of these security techniques distinguishes between authentication solutions and authorization solutions. The authentication techniques are designed to verify that a person is who they claim to be. In order to add more reliability in ve...


Application Information

Patent Type & Authority: Applications (United States)
IPC(8): H04L29/06
CPC: H04L63/0838, H04L63/0428, H04L63/10, H04L63/0861
Inventors: ALONSO CEBRIAN, JOSE MARIA; BARROSO BERRUETA, DAVID; PALAZON ROMERO, JOSE MARIA; GUZMAN SACRISTAN, ANTONIO
Owner: TELEFONICA DIGITAL ESPANA