Improved Method for Resetting Online Credentials
Original Publication Date: 2009-Dec-03
Included in the Prior Art Database: 2009-Dec-03
Disclosed is an improved method for resetting online credentials. A more secure solution for resetting credentials is achieved through autonomic analysis of mined data and connections in the social Web, and by employing efficacy policies.
The main problem being addressed by this invention deals with the ways in which online credentials (e.g., user IDs and passwords) are typically reset. It is extremely common for a user to need credentials when online. For example, user IDs and passwords are required to access email, bank accounts, social networks, retail stores, etc. Because from time to time a user might forget their credentials, websites provide a way to reset the user's credentials. Most password reset schemes ask the user one or more "security" questions that presumably only the user knows the answers to. For example, "What is your mother's maiden name?", or "What is the name of your favorite pet?". If the user answers these questions correctly, then their credentials can be reset. This is a useful feature if the user really did forget their password. However, hackers are exploiting this capability. Because so much information is shared on the Internet today, a hacker can come up with the answers to some of these common questions with very little work.
There has been a lot of discussion on the issue, mostly dealing with how to tighten the security questions so that a user's answers are more personal/secure than any "public" information a hacker could find on the web. However, with the proliferation of information on social networks and personal blogs, the definition of "public" is no longer the same. Information that a user offers themselves or that someone else unwittingly offers about them could potentially be dangerous in the wrong hands. Proposed solutions to this problem include:
A. Allow the user to define their own security questions. By doing so, the user can make them as secure/obscure as they wish.
B. The Blue Moon Authentication System is an approach that strengthens the current challenge schemes by asking the user several questions about their interests. The thought behind this approach is that a user will not typically reveal all of their interests publicly. Combined with the use of several varied questions, they propose that this scheme will provide a better chance that it is the real user who is authenticating.
C. The vouching/buddy system is an approach that leverages defined relationships so that another human ("helper") can be contacted when the user's credentials need to be reset. The thought is that this other human can verify that the user truly wants to reset their credentials. The helper can obtain a token or other temporary credential from the server which he/she can pass on to the user.
D. Voice recognition password reset. The idea is that a user first records his voice so that the voice response system knows what he sounds like. Then the user has to answer random questions, and the system determines if it's really that user based on his prerecorded voice.
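The vouching/buddy scheme in point C is the one whose server-side mechanics are easiest to make concrete. The following is an added illustration, not code from this disclosure or from any of the cited systems: a minimal server that issues a helper-obtained reset token bound to one user, single-use and time-limited, and that stores only a hash of the outstanding token so a leaked table does not hand out live tokens. The class name, method names, the 15-minute default lifetime and the PBKDF2 password storage are all assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import time


class VouchedResetServer:
    """Server side of a helper ("buddy") credential reset.

    Constructed example: names, data model and policy values (single-use
    token, 15-minute lifetime) are assumptions, not the disclosure's design.
    """

    def __init__(self, ttl_seconds=900, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock          # injectable for deterministic testing
        self._helpers = {}           # user_id -> set of helper ids agreed in advance
        self._pending = {}           # sha256(token) -> (user_id, helper_id, expires_at)
        self._passwords = {}         # user_id -> salt || pbkdf2 digest

    @staticmethod
    def _digest(token):
        # Only the hash of an outstanding token is kept server-side.
        return hashlib.sha256(token.encode()).hexdigest()

    @staticmethod
    def _hash_password(password):
        salt = secrets.token_bytes(16)
        return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register_helper(self, user_id, helper_id):
        """Record a relationship the user defined ahead of time."""
        self._helpers.setdefault(user_id, set()).add(helper_id)

    def issue_token(self, user_id, helper_id):
        """Called on the helper's behalf once the helper has authenticated.

        Returns the token the helper passes to the user out of band.
        """
        if helper_id not in self._helpers.get(user_id, set()):
            raise PermissionError("helper is not a registered contact for this user")
        token = secrets.token_urlsafe(24)
        expires_at = self._clock() + self._ttl
        self._pending[self._digest(token)] = (user_id, helper_id, expires_at)
        return token

    def redeem(self, user_id, token, new_password):
        """Consume the token and set a new password; False on any mismatch."""
        record = self._pending.pop(self._digest(token), None)   # single use
        if record is None:
            return False
        bound_user, _helper, expires_at = record
        if bound_user != user_id or self._clock() > expires_at:
            return False
        self._passwords[user_id] = self._hash_password(new_password)
        return True

    def verify_password(self, user_id, password):
        stored = self._passwords.get(user_id)
        if stored is None:
            return False
        salt, digest = stored[:16], stored[16:]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    server = VouchedResetServer()
    server.register_helper("alice", "bob")
    token = server.issue_token("alice", "bob")      # bob hands this to alice
    print("reset ok:", server.redeem("alice", token, "correct horse battery"))
    print("replay ok:", server.redeem("alice", token, "again"))  # False: single use
```

The token is bound to the user it was issued for and is consumed on the first redemption attempt, successful or not, so a token that reaches the wrong person cannot be retried against other accounts; the expiry bounds how long a helper-issued token stays useful if it is never delivered.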
However, we feel that current solutions are still lacking.
Point A above is:
More work for the user. Users tend to be lazy...