Title Safe auto-login links in notification emails
Abstract A web application user is authenticated directly upon selecting a link in a notification email. In this approach, the user's web browser stores a first data string provided by the web application (e.g., in a cookie) during a prior session. The first data string encodes first data about the user that can be verified by the application. Later, the user receives a notification email that includes the link. The link encodes a second data string from which second data about the user can be verified by the application. When the user selects the link, an authentication request is transmitted to the application. The authentication request includes both the first and second data strings. If both the first data and the second data (as obtained from their respective data strings) can be verified, the user is authenticated without having to perform any additional steps (e.g., manual entry of credentials). Because each string on its own is insufficient, neither a leaked email nor a stolen cookie alone yields a login.
Publication number US9298896(B2) Publication date 2016.03.29
Application number US201313732822 Filing date 2013.01.02
Applicant International Business Machines Corporation Inventors Pieczul Olgierd S.;McGloin Mark A.;Zurko Mary E.
Classification G06F21/31;H04L29/06;H04L29/08 Main classification G06F21/31
Agency  Attorneys LaBaw Jeffrey S.;Judson David H.
Main claim 1. A method to authenticate a user of an application executing on a computing machine from a notification message that includes a resource locator, comprising: providing a first data string from which first data about the user can be obtained and verified by the application, the first data string including the first data and its digital signature; providing the notification message that includes the resource locator, the resource locator including a second data string from which second data about the user can be obtained and verified by the application, wherein the first data and the second data are each shares of a secret defined by a secret sharing scheme; receiving, as an authentication request and as a result of the user having selected the resource locator in the notification message, the first data string and the second data string; and determining, without additional user input, whether the first data and the second data can be verified, wherein a determination regarding the first data includes verifying the digital signature; and, when the first data and the second data are verified, authenticating the user to the application executing on the computing machine.
Address Armonk NY US
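The flow described in the abstract and claim 1, as an added example that is not code from the patent or from IBM. It assumes a 2-of-2 XOR secret-sharing scheme (any scheme satisfying the claim would do; Shamir's would allow more shares), a hypothetical server class `AutoLoginService`, and an HMAC-SHA256 tag with a server-held key as a stand-in for the claim's digital signature (swap in Ed25519 or similar for a true signature; stdlib-only code is used here so it runs offline). The server keeps only a hash of the reconstructed secret plus the second share, so a database leak on its own does not yield a login either. Link expiry and one-shot consumption are additions a practitioner would want; the claim does not require them.

```python
"""Auto-login links from two secret shares: one in a signed cookie issued during an
earlier session, one in the link of a later notification email. Added example, not
the patent's or IBM's code; names, TTL and the HMAC stand-in are assumptions."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional
from urllib.parse import parse_qs, urlparse


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def link_token(url: str) -> str:
    """Extract the second data string from the notification link's query."""
    return parse_qs(urlparse(url).query)["t"][0]


class AutoLoginService:
    """Hypothetical server side; only the flow is from the patent."""

    SHARE_LEN = 32
    LINK_TTL = 24 * 3600  # assumption: a link is valid for one day

    def __init__(self, mac_key: bytes, now=time.time):
        self._mac_key = mac_key
        self._now = now
        # user -> second share, sha256(secret), expiry; nothing here reveals the secret
        self._pending: Dict[str, dict] = {}

    def _tag(self, data: bytes) -> bytes:
        # Stand-in for the claim's digital signature: HMAC-SHA256 under a server key.
        return hmac.new(self._mac_key, data, hashlib.sha256).digest()

    # Prior session: split a fresh secret, hand share 1 to the browser in a cookie.
    def issue_cookie_string(self, user: str) -> str:
        secret = secrets.token_bytes(self.SHARE_LEN)
        share1 = secrets.token_bytes(self.SHARE_LEN)
        share2 = bytes(a ^ b for a, b in zip(secret, share1))  # 2-of-2 XOR sharing
        self._pending[user] = {
            "share2": share2,
            "verifier": hashlib.sha256(secret).digest(),
            "expires": self._now() + self.LINK_TTL,
        }
        first_data = json.dumps({"user": user, "share": _b64e(share1)}).encode()
        return _b64e(first_data) + "." + _b64e(self._tag(first_data))

    # Later: embed share 2 in the link placed in the notification email.
    def notification_link(self, user: str) -> str:
        second_data = json.dumps(
            {"user": user, "share": _b64e(self._pending[user]["share2"])}
        ).encode()
        return "https://app.example/login?t=" + _b64e(second_data)  # hypothetical host

    # Authentication request: cookie string plus the token from the selected link.
    def authenticate(self, cookie_string: str, token: str) -> Optional[str]:
        try:
            body_b64, tag_b64 = cookie_string.split(".", 1)
            first_data = _b64d(body_b64)
            if not hmac.compare_digest(self._tag(first_data), _b64d(tag_b64)):
                return None  # first data fails signature verification
            first, second = json.loads(first_data), json.loads(_b64d(token))
            user = first["user"]
            if second["user"] != user:
                return None  # shares belong to different users
            share1, share2 = _b64d(first["share"]), _b64d(second["share"])
        except (ValueError, KeyError, TypeError):
            return None
        entry = self._pending.get(user)
        if entry is None or len(share1) != len(share2) or self._now() > entry["expires"]:
            return None
        secret = bytes(a ^ b for a, b in zip(share1, share2))  # recombine the shares
        if not hmac.compare_digest(hashlib.sha256(secret).digest(), entry["verifier"]):
            return None
        del self._pending[user]  # one-shot: the link cannot be replayed
        return user


if __name__ == "__main__":
    svc = AutoLoginService(secrets.token_bytes(32))
    cookie = svc.issue_cookie_string("alice")
    token = link_token(svc.notification_link("alice"))
    print("link alone:", svc.authenticate("", token))
    print("cookie and link:", svc.authenticate(cookie, token))
```

The two checks the claim requires map to the tag comparison on the cookie body (signature on the first data) and the hash comparison on the recombined secret (verification of both shares together). A link without the cookie, a cookie without the link, a cookie whose tag was altered, and a link issued to a different user all fail before the secret is reconstructed.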