Title of invention: Knowledge-based authentication for restricting access to mobile devices
Abstract: An improved technique involves authenticating a user requesting access to a particular mobile device using knowledge-based authentication (KBA) questions generated from data taken from a group of mobile devices to which the particular mobile device belongs. Along these lines, consider a corporation that has a group of mobile devices distributed to its employees. The mobile devices provide data to an enterprise KBA (eKBA) server regarding events on each of the mobile devices. Because an owner of a mobile device belongs to a group of employees, the owner is able to answer questions regarding fellow employees. On the other hand, a malicious user that illegitimately gains access to the owner's mobile device will not be able to answer such questions, even if the malicious user knows details about the owner.
Publication number: US9078129(B1) Publication date: 2015.07.07
Application number: US201213625418 Filing date: 2012.09.24
Applicant: EMC Corporation Inventors: Dotan Yedidya;Levin Ayelet;Avni Ayelet;Kronrod Boris
Classification: G06F17/30;H04W12/06;H04L9/32 Main classification: G06F17/30
Agency: BainwoodHuang Agent: BainwoodHuang
Principal claim: 1. A method of authenticating a user operating a particular mobile device, the method comprising: receiving facts from a group of mobile devices, the group of mobile devices including the particular mobile device, the facts describing events involving the user; generating, at a knowledge-based authentication (KBA) server, a set of KBA questions from the facts; receiving a request from the user to access protected resources stored locally in the particular mobile device while the user operates the particular mobile device; in response to receiving the request, presenting at least one question of the set of KBA questions to the user, the at least one question challenging the user's knowledge of an event described by the facts; obtaining at least one answer from the user to the at least one question, the at least one answer signifying the user's knowledge of the event described by the facts; and generating an authentication result from the at least one answer, the user being granted or denied access to the protected resources stored locally in the particular mobile device based on the authentication result; wherein the events involving the user include a scheduling of a meeting between the user and a coworker; wherein presenting the at least one question of the set of KBA questions to the user includes sending the user a question concerning an actual time at which the meeting was scheduled; wherein obtaining the at least one answer from the user to the at least one question includes receiving a selected time at which the user may have scheduled the meeting; and wherein generating the authentication result includes comparing the selected time to the actual time; wherein presenting the at least one question of the set of KBA questions to the user further includes sending the user another question concerning an actual identity of the coworker; wherein obtaining the at least one answer from the user to the at least one question further includes receiving a selected identity of the coworker; and wherein generating the authentication result further includes comparing the selected identity to the actual identity.
Address: Hopkinton MA US