US010367797B2 (12 ) United States Patent ( 10 ) Patent No. : US 10 , 367, 797 B2 Keromytis et al. ( 45 ) Date of Patent: Jul. 30 , 2019 (54 ) METHODS , SYSTEMS, AND MEDIA FOR (51 ) Int. CI. AUTHENTICATING USERS USING H04L 29 /06 ( 2006 .01 ) H04L 9 /32 ( 2006 .01 ) MULTIPLE SERVICES (52 ) U . S . CI. (71 ) Applicants :Angelos D . Keromytis , Annandale , VA CPC ...... H04L 63 /08 ( 2013 . 01 ) ; H04L 9 / 321 (US ); Elias Athanasopoulos, New (2013 . 01 ) ; H04L 9 / 3247 (2013 . 01 ) ; York , NY (US ) ; Georgios Kontaxis, (Continued ) New York , NY (US ) ; Georgios (58 ) Field of Classification Search CPC .. .. . HO4L 63/ 08 ; H04L 9 /321 ; H04L 63/ 0807 ; Portokalidis , New York , NY (US ) H04L 63 /0823 ; HO4L 9 /3247 ; HO4L ( 72 ) Inventors : Angelos D . Keromytis , Annandale , VA 9/ 3271 (US ); Elias Athanasopoulos, New See application file for complete search history. York , NY (US ) ; Georgios Kontaxis, New York , NY (US ); Georgios (56 ) References Cited Portokalidis , New York , NY (US ) U . S. PATENT DOCUMENTS 6 ,609 ,198 B1 * 8 / 2003 Wood ...... G06F 21/ 31 ( 73 ) Assignee : The Trustees of Columbia University 713 / 155 in the City of New York , New York , 7 ,296 ,290 B2 * 11/ 2007 Barriga ...... GO6F 21 /33 NY (US ) 726 / 8 ( * ) Notice : Subject to any disclaimer , the term of this (Continued ) patent is extended or adjusted under 35 U . S . C . 154 (b ) by 0 days. OTHER PUBLICATIONS Adida , B . , " BeamAuth : Two - Factor Web Authentication with a ( 21 ) Appl. No. : 15 /032 , 940 Bookmark” , In Proceedings of the 18th ACM Conference on Computer and Communications Security, Chicago , IL , US, Oct. (22 ) PCT Filed : Aug. 7 , 2014 17 - 21, 2011 , pp . 1 - 10 . ( 86 ) PCT No. : PCT/ US2014 / 050205 (Continued ) $ 371 ( c ) ( 1 ) , Primary Examiner — Oleg Korsak ( 2 ) Date : Apr. 28 , 2016 Assistant Examiner — Devin E Almeida (74 ) Attorney , Agent, or Firm — Byrne Poh LLP (87 ) PCT Pub . No. : WO2015 / 047555 PCT Pub. Date : Apr. 2 , 2015 (57 ) ABSTRACT Methods, systems, and media for automatically authenticat (65 ) Prior Publication Data ing a user account using multiple services are provided. In accordance with some embodiments of the disclosed subject US 2016 /0255067 A1 Sep . 1 , 2016 matter , methods for authenticating a user using multiple services are provided , the methods comprising: receiving , from a client device , first credentials for a target service Related U . S . Application Data account; authenticating the target service account based on (60 ) Provisional application No . 61/ 896 , 481, filed on Oct. the first credentials ; issuing a redirecting request that directs 28 , 2013 . ( Continued )

300 Target Service Client Device Vouching Service ( s ) 108 A Request to Authenticate a Target Service Account 310 305 A Redirection Request. 315 320 A Voaching Request

A Request for Authentication 340 335 Authentication Credentials for a Vouching Service Account Associated with the Vouching Servicedeter m inate 350 A Redirection Request 360 355 370 prosessenen A Vouching Response me nse 365 An Authentication Response 375 380 US 10 ,367 ,797 B2 Page 2 the client device to at least one vouching service in response Bowen et al ., “ A System for Generating and Injecting Indistinguish to authenticating the target service account; receiving a able Network Decoys” , In Journal of Computer Security , Mar. 2012 , pp . 1 - 20 . vouching response indicating that the client device has Bowen et al. , “ Tamper Resistant Injection of Believable Decoys in authenticated a vouching service account with the at least VM -based Hosts for Crimeware Detection ” , In Proceedings of the one vouching service, wherein the vouching response 13th International Conference on Recent Advances in Intrusion includes a vouching token ; and providing the client device Detection , Ottawa, ON , CA , Sep . 2010 , pp . 1 -21 . with access to the target service account in response to Burr et al. , “ Electronic Authentication Guideline ” , In US Depart determining that the vouching service account is associated ment of Commerce , Technology Administration , National Insitute with the target service account. of Standards and Technology , Aug . 2013 , pp . 1 - 10 . Camenisch et al ., “ Practical Yet Universally Composable Two 24 Claims, 9 Drawing Sheets Server Password Authenticated Secret Sharing ” , In Proceedings of the 2012 ACM Conference on Computer and Communication Security , Raleigh , NC , US , Oct . 2012 , pp . 1 - 27 . Cheswick W ., “ Rethinking Passwords ” , In Communications of the (52 ) U .S . CI. ACM , Feb . 2013 , pp . 1- 113 . Clair et al. , “ Password Exhaustion : Predicting the End of Password CPC ...... H04L 9 /3271 (2013 .01 ) ; H04L 63 / 0807 Usefulness ” , In Proceedings of the 2nd International Conference on (2013 .01 ) ; H04L 63 / 0823 (2013 .01 ) Information Systems Security , Kolkota , IN , Dec . 2006 , pp . 1 - 18 . CloudCracker, “ Online Hash Cracker” , available at: https: / /web . (56 ) References Cited archive .org / web /20160319080738 /https : // www . cloudcracker. com / , last accessed Oct. 20 , 2016 , pp . 1 -2 . U .S . PATENT DOCUMENTS Crescenzo et al ., “ Perfectly Secure Password Protocols in the 2003 /0145224 A1* 7 /2003 Bailey ...... H04L 63 / 083 Bounded Retrieval Model ” , In Theory ofCryptography Conference , 726 / 5 New York , NY , US, Mar. 4 - 7 , 2006 , pp . 1 -20 . 2003/ 0149781 Al* 8 / 2003 Yared ...... G06F 21/ 41 Dey et al ., “ Enhancing Privacy in Federated Login ” , In Hot Topics 709 / 229 in Privacy Enhancing Technologies , Berlin , DE , Jul. 21 - 23, 2010 , 2003/ 0217288 A1* 11/ 2003 Guo ...... G06F 21 /33 726 / 10 pp . 1 -13 . 2005/ 0289341 A1 * 12 / 2005 Ritola ...... H04L 63/ 0815 Dhamija et al. , “ Deja Vu : A User Study Using Images for Authen 713 / 168 tication ” , In Proceedings of the 9th USENIX Security Symposium , 2008/ 0021997 A1* 1/ 2008 Hinton ...... H04L 63 /0815 Berkeley , CA , US, Aug. 2000 , pp . 1 - 14 . 709 /225 Dhamija et al ., “ The Battle Against Phishing : Dynamic Security 2008 / 0221997 AL 9 / 2008 Wolfe Skins” , In Proceedings of the Symposioum on Usable Privacy and 2010 /0125906 A1* 5 / 2010 Golle ...... G06F 21/ 31 Security , New York , NY , US , Jul. 2005 , pp . 77 - 88 . 726 / 18 Dierks, T ., “ TLS 1 . 2 ” , available at: https: // tools . ietf. org / html/ 2013 /0086670 A1 * 4 / 2013 Vangpat ...... H04L 9/ 3213 rfc5246 , last updated : Aug . 2008 , pp . 1 - 105 . 726 / 8 Fielding et al. , “ HTTP /1 .1 " , available at https: / / tools .ietf . org / html / 2013 /0298215 A1* 11/ 2013 Kuznetsov ...... H04L 9 / 3263 rfc2616 , last accessed Oct . 17 , 2016 , pp . 1 - 177 . 726 / 8 Florencio et al. , “ A Large -Scale Study of the Web Password Habit ” , 2014 /0282940 A1* 9/ 2014 Williams ...... H04L 63/ 0815 In Proceedings of the International Conference on World Wide Web , 726 / 6 Banff , AB , CA , May 2007 , pp . 1 - 9 . 2014 /0351910 Al * 11/ 2014 Tenenboym ...... H04L 63 /0823 Gaw et al. , “ Password Management Strategies for Online Accounts ” , 726 / 7 In Proceedings of the Symposium on Usable Privacy and Security , New York , NY , Jul. 2006 , pp . 44 - 55 . OTHER PUBLICATIONS Goodin , D . ,“ Twitter Detects and Shuts Down Password Data Hack in Progress” , available at : http : // arstechnica . com /security / 2013 /02 / Bagherzandi et al. , “ Password -Protected Secret Sharing” , In Pro twitter- detects - and - shuts -down -password -data -hack - in -progress / , last ceedings of the 18th ACM Conference on Computer and Commu updated : Feb . 1 , 2013 , pp . 1 - 4 . nications Security , Chicago , IL , US, Oct . 17 - 21, 2011, pp . 1 - 11. Grosse , E ., “ Gmail Account Security in Iran ” , available at: https: / / Barrett, M ., “ PayPal Leads Industry Efforts to Move Beyond security. googleblog .com / 2011/ 09 /gmail - account- security - in - iran . Passwords ” , available at https : / /www .paypal .com / stories / us/ paypal html, last updated Sep . 8 , 2011 , pp . 1 - 3 . leads- industry -effort - to -move -beyond -passwords , last accessed Oct . Hale , C ., “ How to Safely Store a Password ” , available at : https :/ / 17 , 2016 , pp . 1 - 2 . codahale .com /how - to -safely - store - a - password /, last updated Jan . 31, Berners - Lee et al. , “Uniform Resource Identifiers (URI ): Generic 2010 , pp . 1 -4 . Syntax ” , Available at : http :/ / www .ietf .org / rfc / rfc2396 . txt , Last Updated Hardt D ., “ The OAuth 2 . 0 Authorization Framework ” , available at: Aug. 2008 , pp . 1 - 35 . https: / / tools . ietf. org /html /rfc6749 , last updated Oct. 2012 , pp . 1 -77 . Biddle el al. , “ Learning From the First Twelve Years ” , In ACM Honan , M ., “ How Apple and Amazon Security Flaws Let to My Computing Surveys , Sep . 2012 , pp . 1 -25 . Epic Hacking " , available at: https: / / www .wired .com /2012 / 08 /apple Blashki et al. , “ Game Geek 's Goss : Linguistic Creativity in Young amazon -mat - honan -hacking , last updated Aug . 6 , 2012 , pp . 1 - 13 . Males Within an Online Forum ” , In Australian Journal of Emerging Huang et al ., “ Parallel Browsing Behavior on the Web ” , In Pro Technologies and Societies, Nov . 2005 , pp . 1 - 10 . ceedings of the 21st ACM Conference on Hypertext and Hyperme Bojinov et al ., “ Kamouflage: Loss -Resistant Password Manage dia , Toronto , ON , CA , Jun . 2010 , pp . 13 - 18 . ment” , In Proceedings of the 15th European Symposium on Research International Search Report and Written Opinion in International in Computer Security , Athens, GR , Sep . 2010 , pp . 1 - 18 . Patent Application No. PCT/ US2014 /050205 , filed Jul. 8 , 2014 . Bonneau et al ., “ The Quest to Replace Passwords: A Framework for Juels et al ., “Making Password - Cracking Detectable ” , In Proceed Comparative Evaluation of Web Authentication Schemes ” , In Pro ings of the 2013 ACM SIGSAC Conference on Computer & ceedings of the 33rd IEEE Symposium on Security and Privacy , San Communications Security , Berlin , DE , Nov . 2013 , pp . 145 - 160 . Francisco , CA , US , Mar. 2012 , pp . 1- 15 . Kelley et al. , " Guess Again (and Again and Again ) Measuring Bonneau , J ., “ Statistical Metrics for Individual Password Strength ” , Password Strength by Simulating Password -Cracking Algorithms” , In Proceedings of the 20th International Conference on Security In Proccedings of the 33rd IEEE Symposium on Security and Protocols, Washington D .C ., US, Apr. 12 - 13 , 2012 , pp . 1 - 11. Privacy, San Francisco , CA , US, May 2012, pp . 523 - 537. US 10 , 367, 797 B2 Page 3

References Cited Schwartz , M . , “ Sony Hacked Again , 1 Million Paswords Exposed ” , ( 56 ) available at : http : / /www .darkreading .com /attacks -and -breaches / sony OTHER PUBLICATIONS hacked - again - 1 -million - passwords - exposed / d / d - id / 1098113 ? , last updated Jun . 3 , 2011, pp . 1 - 2 . Liebowitz M . , “ Hacker Posts 6 . 4 Million LinkedIn Passwords” , Shamir, A . , “ How to Share a Secret” , In Communications of the ACM , vol. 22 issue 11, Nov. 1979, pp . 612 -613 . available at: https: / / web .archive . org / web /20131215145617 /http :/ / Shay et al. , “ Encountering Stronger Password Requirements : User www .technewsdaily . com / 7839 - linked -passwords - hack .html , last updated Attitudes and Behavior ” , In Proceedings of the Symposium on Jun . 6 , 2012 , pp . 1 - 3 . Usable Privacy and Security , Redmond , WA , US, Jul . 2010 , pp . Manning et al. , “ Foundations of Statistical Natural Language Pro 1 - 20 . cessing” , MIT Press , May 1999 , pp . 1 -704 . Sun et al. , “ A Billion Keys, But Few Locks : The Crisis of Web McIntyre, S ., “ E -mail Discussion at Debian about the wiki. debian . Single Sign -on ” , In Proceedings of the New Security Paradigms org Security Breach ” , available at https: / /web .archive .org /web / Workshop , Concord , MA, US, Sep . 21 - 23 , 2010 , pp . 61 -72 . 20160806022021 /https : // lwn .net / Articles/ 531727 , last updated Jan . The Security Ledger , “ New 25 GPU Monster Devours Passwords in 7, 2013 , pp . 1- 2 . Seconds” , available at https: // securityledger . com /2012 / 12 /new - 25 gpu -monster - devours -passwords - in -seconds / , last updated : Dec . 14 , McMillan , “Google Declares War on the Password ” , available at: 2012 , pp . 1 - 12 . https: / /www .wired .com / 2013 / 01/ google -password / , last updated Jan . Wang et al ., “ SigningMe onto Your Accounts through Facebook and 16 , 2013, pp . 1 -6 . Google : a Traffic -Guided Security Study of Commercially Deployed Miculan et al. , “ Formal Analysis of Facebook Connect Single Single - Sign -On Web Services” , In Proceedings of the 33rd IEEE Sign - On Authentication Protocol, ” In Proceedings of the 37th Symposium on Security and Privacy , San Francisco , CA , US, May International Conference on Current Trends in Theory and Practice 2012 , pp . 1- 15 . of Computer Science , Nový Smokovec , SK , Jan . 2011, pp . 1 - 19 . Weir et al. , “ Password Cracking Using Probabilistic Context- Free Needham S ., “ The Domino Effect of the Password Leak at Gawker” , Grammars” , In Procceedings of the 30th IEEE Symposium on available at : http : // the - domino -effect - password -leak - gawker - 10566853 . Security and Privacy, Oakland , CA , US , May 2009 , pp . 391 - 405 . Williams, O . , “ IEEE Data Breach : 100K Passwords Leak in Plain html, last updated Dec. 2 , 2011, pp . 1- 3 . Text” , available at : https: / /www .neowin .net / news/ ieee -data -breach Percival, C ., " Stronger Key Derivation via Sequential Memory 100k -passwords -leak - in -plain - text, last updated Sep . 26 , 2012 , pp . Hard Functions " , In the Proceedings of the BSD Conference , 1 - 4 . Ottawa, ON , CA , May 6 - 7 , 2009 , pp . 1 - 16 . Wimberly et al. , “ Using Fingerprint Authentication to Reduce Perez , S . , “ 117 Million Linkedin Emails and Passwords from a 2012 System Security : An Empirical Study ” , In Proceedings of the 32nd Hack Just Got Posted Online " , available at : https: / / techcrunch . com / IEEE Symposium on Security and Privacy, Oakland , CA , US , May 2016 /05 / 18 / 117- million - linkedin -emails - and -passwords - from -a -2012 22 - 25 , 2011 , pp . 32 - 46 . hack - just - got- posted -online / , last updated : May 18 , 2016 , pp . 1 - 6 . Wu et al ., “ Do Security Toolbars Actually Prevent Phishing Plain Text Offenders , “ Directory of Web Sites Storing Passwords in Attacks ? ” , In Proceedings of the SIGCHI Conference on Human Plain Text” , available at http :/ / plaintextoffenders . com /, last accessed Factors in Computing Systems, Montreal, QC , CN , Apr . 22 -27 , Oct . 17 , 2016 , pp . 1 -8 . 2006 , pp . 1 - 10 . Provos et al . , “ A Future - Adaptable Password Scheme” , In Proceed Zhang et al. , “ The Security of Modern Password Expiration : An ings of the USENIX Annual Techinical Conference, Monterey, CA , Algorithmic Framework and Empirical Analysis” , In Proceedings of US, Jun . 6 - 11, 1999, pp . 1 - 13 . the 17th ACM Conference on Computer and Communications Recordon et al. , “ Openid 2 . 0 : A Platform for User - Centric Indentity Security, Chicago , IL , US , Oct . 4 - 8 , 2010 , pp . 1 - 11 . Management ” , In Proceedings of the ACM Workshop on Digital Benevenuto et al. , “ Characterizing User Behavior in Online Social Indentity Management , Nov. 2006 , pp . 11 - 15 . Networks” , In the Proceedings of the 9th ACM SIGCOMM con Ross et al. , " Stronger Password Authentication Using Browser ference on Internet Measurement, Chicago IL , US , Nov . 4 -6 , 2009 , Extensions” , In Proceedings of the 14th USENIX Security Sympo pp . 1 - 14 . sium , Baltimore , MD , US, Aug. 2005 , pp . 1 - 15 . Berners -Lee , T ., “ Uniform Resource Identifiers ( URI): Generic Schechter et al . , “ It ' s No Secret . Measuring the Security and Syntax ” , The Internet Engineering Task Force Network Working Reliability of Authentication via ' Secret ' Questions ” , In Proceed Group , Aug. 1998 , pp . 1 - 35 . ings of the 30th IEEE Symposium on Security and Privacy , Wash ington D . C ., US , May 2009 , pp . 1 - 16 . * cited by examiner U . S . Patent Jul. 30 , 2019 Sheet 1 of 9 US 10 , 367 ,797 B2

VIC

+

. Es ????????????????????????????+

.

.

.

.

. * 104 Amma

. www atI

100 ???????????????????????????????????????????????????????????????????? FIG.1 wy COMMUNICATION NETWORK COMPUTINGDEVICE

TARGETSERVICE ???????

COMPUTINGDEVICE PEPE ???????????????????????????????????? U . S . Patent Jul . 30 , 2019 Sheet 2 of 9 US 10 .367 , 797 B2

: : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : LITAL P LA LATIALITAL LA LA ALL ALL ALL LA LIHK / IMAKI LIHK

Airit 24 Communication 917

Air? 24 Memoryand/or FIG.2 ”“ Storage Display/Audio Drivers Display/Audio Output

rrr 807 22 Hardware Processor 206|it InputDevice Controller InputDevice(s)

Auth Huntu Lululus. ht the Linut the nurs huuuuuuuuuuuuuuuuuuuuuuuuuuuun U . S . Patent Jul. 30 , 2019 Sheet 3 of 9 US 10 , 367, 797 B2

VouchingService(s) NO

CH

7. AuthenticationCredentialsforaVouchingServiceAccount AVouchingRequest ARequestforAuthentication AssociatedwiththeVouchingService ARedirectionRequest

300 4305 320 FIG.3 ClientDevice 345 360

ARequesttoAuthenticateaTargetServiceAccount ARedirectionRequest AVouchingResponse AnAuthenticationResponse

TargetService U . S . Patent Jul. 30 , 2019 Sheet 4 of 9 US 10 , 367, 797 B2

VouchingService(6)

voor vooroorden WWW

ARequesttoRegisteraUserAccountor AuthenticatoaUserAccount . AVouchingRequest . ARequestforAuthenticationCredentials ARedirectionRequest .

465 FIG.4 . ???????????? ???????????????? FR 13 G OSSINGGASSE 400 ClientDevice 445 MADAWS-SALLESSUR

A

W

D

. ARequesttoAssociateaUserAccountwithVouchingService ÀRedirectionRequest www AContirationMessage SZALAGASACALAdd

TargetService * * * 470 U . S . Patent Jul. 30 , 2019 Sheet 5 of 9 US 10 , 367 ,797 B2

500

RECEIVE ONE OR MORE AUTHENTICATION CREDENTIALS FOR A USER ACCOUNT

VALIDATE THE RECEIVED AUTHENTICATION CREDENTIALS

GENERATE ONE OR MORE DECOY CREDENTIALS FOR THE USER ACCOUNT

WASSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS

WEDNODULINNAAAAAAAAA

OR USER ACCOUNT

GENERATE AN ALIAS FOR THE USER ACCOUNT

IDENTIFY A VOUCHING SERVICE TO BE ASSOCIATED WITH THE USER ACCOUNT

TRANSMIT A VOUCHING REQUEST TO THE IDENTIFIED VOUCHING SERVICE DISABILISASIDICOL A ANUSIA

RECEIVE A VOUCHING RESPONSE

AUTHENTICATED ? 11. M

11 1 TRANSMIT A RESPONSE WITH THE USER ACCOUNT

FIG . 5 U . S . Patent Jul. 30 , 2019 Sheet 6 of 9 US 10 , 367, 797 B2

111111111111WN1 U NNNNNN NNNNNNNNNNNNNNNNNNN 11111111111 RECEIVE ONE OR MORE AUTHENTICATION CREDENTIALS FOR A TARGET SERVICE ACCOUNT

DENTIFY ONE OR MORE VOUCHING SERVICES

TRANSMIT AT LEAST ONE VOUCHING REQUEST TO THE VOUCHING SERVICE ( S )

RECEIVE ONE OR MORE VOUCHING RESPONSES FROM THE VOUCHING

HAS THE USER YES AUTHENTICATED A VOUCHING VOUCHING SERVICE (S )Srpen

AN INDICATION SERVICE ACCOUNT( S ) THAT THE TARGET SERVICE ASSOCIATED WITH THE TARGET ACCOUNT HAS BEEN SERVICE ACCOUNT COMPROMISED ?

TRANSMIT AN AUTHENTICATION GENERATE A WARNING TRANSMIT A RESPONSE MESSAGE RESPONSE MESSAGE

FIG . 6 U . S . Patent Jul. 30 , 2019 Sheet 7 of 9 US 10 , 367, 797 B2

RESPONSEINCLUDINGA $31 TRANSMITAVOUCHING WARNINGMESSAGE

HASTHEFIRST USERACCOUNTBEEN COMPROMISED? 0€L re-r 0000 -0000 -0SDAASUSSALACSASSSSSSSSSSSSSSSSSS CCCCCCCCCCCCCCCCCCCCCCCCCCCCCC w INDICATINGTHATTHEUSERHASNOT www TRANSMITAVOUCHINGRESPONSE - BEENAUTHENTICATED FIG.7 OOL - BIBSONIHONOAVHO:SIVIIN300100NOLLYOUNGHINYBA3OJN RECEIVEAVOUCHINGREQUESTTOAUTHENTICATEUSERASSOCIATED 22-12 INNODOV WITHATARGETSERVICEACCOUNT 20 TRANSMITAREQUESTFORAUTHENTICATIONCREDENTIALS 14NNNNN CCCCCCCCCCCCCCCCCCC

NNNNNNN -ALLSLLASCrossALOSASSASALLAVASSASALALARASPASOLAPSDeCCarDescrarcoseccare INDICATINGTHATTHEUSERHAS 1LIPITOLULIITTIILIPILIPILITYILLARRILLIPIIIIIIIIIIIIIIIIIIIIIIIIIIIIII TRANSMITAVOUCHINGRESPONSE BEENAUTHENTICATED U . S . Patent Jul. 30 , 2019 Sheet 8 of 9 US 10 , 367, 797 B2

820 830 850

1

AL YE

11.

W Si.Ule TARGETSERVICES,nonce-NONCEsignaturesignedfields"actionalias SCIVICC.action,

1 WN

1 nonce=NONCE,signaturesignedfields"actionaliasservice] action="commit,service-VOUCHINGSERVICEValiasFOREIGNALIAS 1 FIG,8 (action="vouch,service-TARGETSERVICESnonceNONCEsignature A W henticat 832[action="verify”,alias-FOREIGNALIASserviceVOUCHINGSERVICEV C (action=“REGISTER_ALIAS”,aliasFOREIGNservice-

pro

password.VouchingService signedfields-action,servicenonce"] r. N (username,passwordvouchingservice) 2014 23

1 me, schema:/TARGETSERVICESregistration service,nonce') schema:/TARGET_SERVICESregistration ROE schema:/TARGETSERVICESauthentication M

pole ma: for 852 862 U . S . Patent Jul. 30 , 2019 Sheet 9 of 9 US 10 , 367, 797 B2

920

1fieldsaction%2Cservice2Cnonce

1

Frrr.

1 ignatures, FIG.9 login?action=vouch&serviceexample.comnoncesiganaturesfields%2Cservice2Cnonce

+-75

1

1

16 (AuthenticationResponsefromexample.com] (AuthenticationRequesttoexample.comV)] lesttoexan11 20

. 3 Location:httpswww.exampleorg HTTP1./loginPOST 7 Host:www.examplecom GET/loginHTTP1. Host:www.exampleorg? 1 HTTP/1.303Seeother actionVouch&servicere US 10 , 367 ,797 B2 METHODS , SYSTEMS, AND MEDIA FOR device has authenticated a vouching service account with the AUTHENTICATING USERS USING at least one vouching service , wherein the vouching MULTIPLE SERVICES response includes a vouching token ; determining , using a hardware processor , whether the vouching service account is CROSS -REFERENCE TO RELATED associated with the target service account based on the APPLICATION vouching token ; and providing the client device with access to the target service account in response to determining that This application claims the benefit of U . S . Provisional the vouching service account is associated with the target Patent Application No . 61 /896 ,481 , filed Oct. 28 , 2013 , service account. which is hereby incorporated by reference herein in its 10 In accordance with some embodiments of the disclosed entirety . subject matter , systems for authenticating a user using This invention was made with government support under multiple services , the systems comprising: at least one grant FA8650 - 11 - C -7190 awarded by the Air Force Materiel hardware processor that is configured to : receive , from a Command Legal Office . The government has certain rights client device , first credentials for a target service account ; in the invention . 15 authenticate the target service account based on the first credentials ; issue a redirecting request that directs the client TECHNICAL FIELD device to at least one vouching service in response to authenticating the target service account; receive a vouching The disclosed subject matter relates to methods, systems, response indicating that the client device has authenticated and media for authenticating a user using multiple services . 20 a vouching service account with the at least one vouching service , wherein the vouching response includes a vouching BACKGROUND token ; determine whether the vouching service account is associated with the target service account based on the Password -based authentication is a common form of vouching token ; and provide the client device with access to access control in Web services. For example , a Web service 25 the target service account in response to determining that the implementing a conventional password -based authentica - vouching service account is associated with the target ser tion scheme may require a user to provide a user name and vice account. password when the user registers a user account with the In accordance with some embodiments of the disclosed Web service . The Web site can then generate a hash value subject matter, non -transitory media containing computer based on the password ( e . g . , using a one -way hash function ) 30 executable instructions that, when executed by a processor, and can store the user name, the hash value , etc . in asso cause the processor to perform a method for authenticating ciation with the user account. In response to receiving a user a user using multiple services are provided . In some embodi request to access the user account, the Web service may m ents , the method comprising: receiving , from a client require the user to provide the user name and password to device , first credentials for a target service account; authen access the user account . 35 ticating the target service account based on the first creden However , conventional password - based authentication tials ; issuing a redirecting request that directs the client schemes may not provide a user with adequate protection device to at least one vouching service in response to For example , even if users choose long and complex pass authenticating the target service account ; receiving a vouch words , an attacker can still compromise user accounts pro - ing response indicating that the client device has authenti tected by passwords using a brute - force approach , a pre - 40 cated a vouching service account with the at least one constructed dictionary of potential passwords, etc . As vouching service , wherein the vouching response includes a another example , authentication schemes using one - way vouching token ; determining whether the vouching service hash functions can be countered by the evolution of hard - account is associated with the target service account based ware which enables powerful password -cracking platforms. on the vouching token ; and providing the client device with As yet another example , since users frequently reuse pass - 45 access to the target service account in response to determin words for different services , an attacker that compromises a ing that the vouching service account is associated with the user password in one service ( e .g . , by breaking into the target service account. service and cracking all user passwords stored on the service ) can use the user password to impersonate the user BRIEF DESCRIPTION OF THE DRAWINGS into a second service . 50 Therefore , new mechanisms for authenticating a user are Various objects , features , and advantages of the disclosed desirable . subject matter can be more fully appreciated with reference to the following detailed description of the disclosed subject SUMMARY matter when considered in connection with the following 55 drawings, in which like reference numerals identify like In accordance with some embodiments of the disclosed elements . subject matter, methods , systems, and media for authenti - FIG . 1 shows a generalized block diagram of an example cating a user using multiple services are provided . of a system for authenticating a user using multiple services In accordance with some embodiments of the disclosed in accordance with some embodiments of the disclosed subject matter, methods for authenticating a user using 60 subject matter. multiple services are provided , the methods comprising : FIG . 2 shows an example of hardware that can be used in receiving , from a client device , first credentials for a target a client device , a target service , and/ or a vouching service in service account; authenticating the target service account accordance with some embodiments of the disclosed subject based on the first credentials ; issuing a redirecting request matter. that directs the client device to at least one vouching service 65 FIG . 3 shows an example of a process for authenticating in response to authenticating the target service account; a user using multiple services in accordance with some receiving a vouching response indicating that the client embodiments of the disclosed subject matter . US 10 , 367, 797 B2 FIG . 4 shows an example of a process for associating a user account on the target service (e . g ., a target service user account on a target service with a user account on a account ) . In some embodiments , upon authenticating the vouching service in accordance with some embodiments of target service account, the target service can issue a redi the disclosed subject matter. rection request to direct the client device to one or more FIG . 5 shows an example of a process for associating a 5 vouching services ( e . g ., a credit card service , a banking vouching service with a user account in accordance with service , an electronic commerce service , an email service , a some embodiments of the disclosed subject matter. social networking service , a messaging service , a Web page FIG . 6 shows an example of a process for authenticating service , a video streaming service, and / or any other suitable a user using a vouching service in accordance with some service ) . In some embodiments , the redirection request can embodiments of the disclosed subject matter. 10 include one or more parameters that can direct the client FIG . 7 shows an example of a process for vouching for a device to the vouching service ( s) ( e. g ., such as an HTTP 3XX user in accordance with some embodiments of the disclosed code ) . In some embodiments , the redirection request can subject matter . include one or more parameters instructing the vouching FIG . 8 shows an example of a set ofmessage schemas that service ( s ) to authenticate the client device . can be used to authenticate a user using multiple services in 15 In some embodiments, upon receiving the redirection accordance with some embodiments of the disclosed subject request , the client device can transmit one or more vouching matter . requests to the vouching service( s ). In some embodiments , FIG . 9 shows an example of a list of messages that can be the vouching request( s ) can include the parameter ( s ) used to authenticate a user using multiple services in accor - instructing the vouching service ( s ) to authenticate the client dance with some embodiments of the disclosed subject 20 device . matter. In some embodiments , in response to receiving a vouch ing request , a vouching service can require the client device DETAILED DESCRIPTION to provide authentication credentials for a user account on the vouching service ( e . g . , a vouching service account ) . In In accordance with various embodiments , as described in 25 some embodiments , in response to receiving the authenti more detail below , mechanisms, which can include systems, cation credentials for the vouching service account and / or methods , and computer -readable media , for authenticating a authenticating the vouching service account, the vouching user using multiple services are provided . service can transmit a vouching response to the target In some embodiments , the mechanisms disclosed herein service . In some embodiments , the redirection request can can be implemented using a target service , a client device , 30 include information indicating that the vouching service has and one or more vouching services. In some embodiments , authenticated the vouching service account for the client a vouching service can be and/ or include any suitable device , a vouching token (e . g. , an alias associated with the service , such as a dedicated vouching service that provides vouching service account) , a persistent token ( e . g ., an HTTP vouching services, a credit card service, a banking service , cookie ), and / or any other suitable information . In some an electronic commerce service , an email service , a social 35 embodiments , the vouching response can be transmitted to networking service , a messaging service , a Web page ser - the target service using one or more suitable redirection vice , a video streaming service , and /or any other suitable requests that can direct a client device to the vouching service . service and / or to relay the vouching response to the vouch In some embodiments , a user account on a target service ing service . In some embodiments, the vouching service can ( e . g . , a target service account ) can be associated with one or 40 transmit one or more cookies ( e . g . , HTTP cookies ) to the more vouching services and /or user accounts on the vouch - client device upon authenticating the vouching service ing services for authentication . For example , a target service account . In some embodiments , subsequent authentication account of a user can be associated with one or more requests from the client device can be bypassed in response services that are frequently used by the user associated with to detecting the cookie ( s ) . In some embodiments , in the target service account, such as a social networking 45 response to receiving information about a user action ( e . g . , service , a messaging service , a credit card service, a banking information about items that the user wants to purchase from service , and / or any other suitable service that is frequently the target service or any other suitable service ) from the used by the user. target service and / or the client device , the vouching service In some embodiments , a target service account can be can transmit a message indicating that the user has been associated with multiple vouching services and / or user 50 authenticated based on the cookie ( s ) to the target service . accounts on the vouching services ( e. g ., vouching service Alternatively , the vouching service can initiate a re -authen accounts ) for authentication . In such embodiments , a user tication process and can authenticate the user and /or the associated with the target service account can be granted vouching service account associated with the user as access to the target service account upon successfully described above . authenticating the associated vouching service accounts 55 In some embodiments , in response to receiving the vouch with the vouching services ( e . g . , by authenticating all of the ing response , the target service can determine whether the vouching service accounts associated with the target service vouching service account is associated with the target ser account, a threshold number of vouching service accounts vice account. For example , the target service can determine associated with the target service account, a predetermined that the vouching service account is associated with the percentage of vouching service accounts associated with the 60 target service account in response to determining that the target service account, and / or any other suitable number of vouching token ( e . g . , the alias associated with the vouching vouching service accounts ) . service account) matches a token associated with the target In some embodiments , in response to receiving a request service account ( e . g . , an alias that is stored in association to access the target service ( e . g . , a request for a Web page with the target service account ) . and / or any other suitable Web content hosted by the target 65 In some embodiments in which the target service account service ) from the client device , the target service can request is associated with multiple vouching service accounts and / or the client device to provide authentication credentials for a vouching services, each of the associated vouching services US 10 ,367 ,797 B2 can require the client device to provide authentication cre answers to the security questions, the mechanisms can grant dentials for a vouching service account in response to the user access to the user account. receiving a vouching request . In some embodiments , each of Turning to FIG . 1 , a generalized block diagram of an the vouching services can transmit a vouching response example 100 of a system for authenticating a user account in upon authenticating a vouching service account . In some 5 accordance with some embodiments of the disclosed subject embodiments , upon receiving multiple vouching responses matter is shown . As illustrated , system 100 can include a from the vouching services , the target service can determine target service 102 , one or more vouching services 104 , a whether each of the vouching service accounts is associated communication network 106 , one or more client devices 108 , communication links 110 , 112 , and 114 , and 116 , and / or with the target service account as described above . 10 any other suitable components . In some embodiments , the target service can provide the Target service 102 can include any suitable device that client device with access to the target service in response to can associate a user account with one or more vouching determining that a predetermined number of vouching ser services, authenticate a user account using one or more vice accounts are associated with the target service account vouching services, generate , transmit , receive, and /or pro ( e . g . , all of the vouching service accounts that are associated 15 cess redirection requests , and /or perform any other suitable with the target service, a threshold number of vouching functions, such as a hardware processor, a computer , a data service accounts that are associated with the target service , processing device , or a combination of such devices . a predetermined percentage of vouching service accounts Vouching service ( s ) 104 can include any suitable device that are associated with the target service , and /or any other that can receive and/ or process a vouching request, authen suitable number of vouching service accounts ) . For 20 ticate a user account based on the vouching request, generate example , the target service can transmit the Web content a vouching response responsive to the vouching request , requested by the client device . As another example , the generate , transmit , receive, and / or process redirection target service can transmit an authentication token to the requests , and / or perform any other suitable functions, such client device to provide the client device with access to the as a hardware processor, a computer , a data processing requested Web content and / or the target service account . In 25 device , or a combination of such devices . some embodiments , the authentication token can be a per - In some embodiments , each of target service 102 and sistent authentication token ( e . g . , an HTTP cookie ) that can vouching service ( s ) 104 can provide any suitable service , be used in multiple communication sessions . In some such as a vouching service , an email service , a messaging embodiments , the authentication of subsequent HTTP service , a social networking service , a video streaming requests from the client device can be bypassed in response 30 service , a Web page service , a credit card service , a banking to detecting the persistent authentication token . In some service , an electronic commerce service , and /or any other embodiments , the mechanisms can generate a set of decoy suitable service . credentials and can associate the decoy credentials with the Client device ( s ) 108 can include any suitable device that target service account. In some implementations, the decoy can receive user inputs , generate , transmit, receive , and /or credentials can be indistinguishable from the actual creden - 35 process redirection requests , and / or perform any other suit tials . In some embodiments , the decoy credentials can be able functions , such as a mobile phone , a tablet computer , a considered legitimate credentials by the target service to wearable computer, a laptop computer, a desktop computer, protect the actual authentication credentials associated with a personal data assistant (PDA ) , a portable email device , the target service account. For example , in response to and /or any other suitable device . receiving a decoy credential associated with the target 40 In some embodiments , each of target service 102 , vouch service account, the target service can authenticate the target i ng service ( s ) 104 , and client device ( s ) 108 can be imple service account based on the received decoy credential . In mented as a stand - alone device or integrated with other such an example , the vouching service would not authenti - components of system 100 . cate the vouching service account associated with the target In some embodiments , each of target service 102 , vouch service account in response to receiving the decoy creden - 45 ing service ( s ) 104 , and client device ( s ) 108 can implement tial . any suitable communication protocol, such as the Hypertext These mechanisms can perform a variety of functions. For Transfer Protocol, the Session Initiation Protocol, and /or any example , the mechanisms can implement a warning system other suitable communication protocol. In some embodi that can issue a warning to a service upon detecting that the ments , each of target service 102 , vouching service ( s ) 104 , service has been compromised . In a more particular 50 and client device( s ) 108 can implement a communication example , the vouching service can transmit a message to the protocol that can support endpoint redirections . In some target service indicating that the target service account has embodiments , each of target service 102 , vouching been compromised in response to detecting multiple unsuc service ( s ) 104 , and client device ( s ) 108 can implement a cessful authentication attempts in association with the communication protocol that utilizes a cryptographic pro vouching service account. 55 tocol, such as Security Sockets Layer (SSL ), Transport As another example , the mechanisms can provide access Layer Security ( TLS ) , and / or any other suitable crypto control when a user requests to reset a password with a graphic protocol . service . In a more particular example , in response to receiv In some embodiments , each of target service 102 , vouch ing a user request to reset a password for a user account, the ing service ( s ) 104 , and client device ( s ) 108 can transmit mechanisms can request that the user be authenticated by 60 and / or receive a message including one or more parameters one or more vouching services . Upon receiving a vouching that can be used to verify the authenticity of a sender device response from the vouching service ( s ) indicating that the that generates and / or transmits the message . For example , user has been authenticated by the vouching service ( s ), the the message can include a parameter ( e. g ., such as a param mechanisms can prompt the user to answer one or more eter " service ” as illustrated in message schemas 820 , 830 , security questions ( e . g . , the name of the user ' s pet ) that were 65 850 , and 860 of FIG . 8 ) that can be used to identify a domain selected by the user when the user account was registered . name , a uniform resource identifier (URI ) , an alias , and / or In some embodiments , in response to receiving correct any other suitable information relating to a sender device US 10 , 367 , 797 B2 ( e . g . , a target service, a vouching service , and / or any other and / or any other suitable communication network , or any suitable service that can send a message ) . combination of any of such networks . As another example , the message can include a crypto - In some embodiments , target service 102 , vouching ser graphic signature generated by the sender device . In some vice (s ) 104 , and client device ( s ) 108 can be connected to embodiments , the cryptographic signature can be generated 5 communication network 106 through communication links using any suitable cryptographic scheme . For example the 112 , 114 , and 116 , respectively . In some embodiments , target cryptographic signature can be generated using RSA key service 102 can be connected to vouching service ( s ) 108 pairs and /or the SHA - 1 digest algorithm . In some embodi through communication link 110 . In some embodiments , ments , the cryptographic signature can be generated based communication links 110 , 112 , 114 , and 116 can be any on any suitable parameter or parameters . For example , the suitable communication links, such as network links, dial- up cryptographic signature can be generated by signing one or links, wireless links, hard -wired links, any other suitable more parameters included in themessage using a private key communication links, or a combination of such links . of the sender device . In some embodiments , the message can Each of target service 102 , vouching service ( s ) 104 , and include a parameter ( e . g . , a parameter " signed _ fields ” of client device ( s ) 108 can include and / or be any of a general message schemas 820 , 830 , 850 , and 860 of FIG . 8 ) that can purpose device such as a computer or a special purpose identify the parameters based on which cryptographic sig device such as a client , a server , and / or any other suitable nature is generated and /or the order in which the parameters device . Any such general purpose computer or special have been signed . purpose computer can include any suitable hardware . For As yet another example , the message can include a nonce , 20 example , as illustrated in example hardware 200 of FIG . 2 , such as a timestamp, a counter, a random number , a hash such hardware can include a hardware processor 202 , value , and / or any other suitable value . In some embodi- memory and / or storage 204 , an input device controller 206 , ments, a nonce can be generated for a particular message an input device 208 , display /audio drivers 210 , display and and/ or a particular device that generates and /or transmits the audio output circuitry 212 , communication interface ( s ) 214 , message . In some embodiments, the nonce can expire upon 25 an antenna 216 , and a bus 218 . the termination of a user session . In some embodiments , the Hardware processor 202 can include any suitable hard nonce can be used to generate a cryptographic signature . ware processor, such as a microprocessor, a micro - control In some embodiments , upon receiving the message , a ler, digital signal processor, dedicated logic , and / or any other receiver device ( e . g . , a target service , a vouching service , a suitable circuitry for controlling the functioning of a general client device , and / or any other suitable device that can 30 purpose computer or special purpose computer in some receive themessage ) can identify the sender device based on embodiments . the message (e .g ., by parsing the message and extracting the Memory and /or storage 204 can be any suitable memory parameter “ service ” ) . The receiver device can then retrieve and /or storage for storing programs, data , media content, a public key certification associated with the sender device and / or any other suitable content in some embodiments . For ( e . g . , an X . 509 certificate ) and validate the retrieved certifi - 35 example , memory and / or storage 204 can include random cate . Additionally or alternatively , the receiver device can access memory , read only memory , flash memory , hard disk verify the cryptographic signature generated by the sender storage , optical media , and/ or any other suitable storage device in some embodiments . For example , the receiver device . device can identify the parameters based on which the Input device controller 206 can be any suitable circuitry cryptographic signature was generated ( e . g . , by parsing the 40 for controlling and receiving input from one or more input " signed _ fields” parameter ) and can then verify the crypto - devices 208 in some embodiments . For example , input graphic signature based on the identified parameters and a device controller 206 can be circuitry for receiving input public key associated with the sender device . In some from a touch screen , from one or more buttons, from a voice embodiments , upon successfully verifying the cryptographic recognition circuit , from a microphone, from a camera , from signature , the receiver device can use the parameters asso - 45 an optical sensor, from an accelerometer, from a temperature ciated with the cryptographic signature in the current user sensor, from a near field sensor, and/ or any other suitable session . circuitry for receiving user input. In some embodiments , target service 102 and vouching Display /audio drivers 210 can be any suitable circuitry for service ( s ) 104 can exchange Web addresses ( e . g . , endpoints ) controlling and driving output to one or more display and associated with target service 102 and vouching service ( s ) 50 audio output circuitries 212 in some embodiments . For 104 in a suitable manner. For example , the Web addresses example , display / audio drivers 210 can be circuitry for can be exchanged offline upon prior agreement. As another driving an LCD display, a speaker, an LED , and / or any other example , the Web addresses can be retrieved automatically display / audio device . from an XML file that is hosted under the domain of each Communication interface ( s ) 214 can be any suitable cir service and can be transmitted via a communication protocol 55 cuitry for interfacing with one or more communication utilizing a cryptographic protocol (e . g ., the SSL ) . In such an networks , such as communication network 106 in some example , a vouching service can be identified in response to embodiments . For example , interface (s ) 214 can include receiving a user input of a domain name of the vouching network interface card circuitry , wireless communication service . circuitry , and /or any other suitable circuitry for interfacing Communication network 106 can be any suitable com - 60 with one or more communication networks . puter network such as the Internet, an intranet , a wide - area Antenna 216 can be any suitable one or more antennas for network (“ WAN ” ) , a local area network (“ LAN ” ) , a wireless wirelessly communicating with a communication network in network , a digital subscriber line (“ DSL ” ) network , a frame some embodiments . In some embodiments, antenna 216 can relay network , an asynchronous transfer mode (“ ATM ” ) be omitted when not needed . network , a virtual private network (“ VPN ” ) , a satellite 65 Bus 218 can be any suitable mechanism for communi network , a mobile phone network , a mobile data network , a cating between two or more of components 202 , 204 , 206 , cable network , a telephone network , a fiber optic network , 210 , and 214 in some embodiments . US 10 , 367 ,797 B2 10 Any other suitable components can be included in hard tication credentials are valid in response to determining that ware 200 in accordance with some embodiments . the received authentication credentials match the stored In some embodiments , any suitable computer readable authentication credentials . media can be used for storing instructions for performing the In some embodiments, the target service can transmit a processes described herein . For example , in some embodi- 5 redirection request to the client device at 315 . In some ments , computer readable media can be transitory or non - embodiments , the redirection request can include any suit transitory . For example , non - transitory computer readable able information . For example , the redirection request can media can include media such as magnetic media (such as include one or more instructions that can direct the client hard disks , floppy disks , and / or any other suitable media ), device to one or more vouching services ( e . g . , the vouching optical media ( such as compact discs , digital video discs , 10 service identified in the authentication request received at Blu - ray discs , and /or any other suitable optical media ) , 310 ) . In a more particular example , the redirection request semiconductor media ( such as flash memory , electrically can include an HTTP 3xx status code , such as an HTTP 303 programmable read only memory (EPROM ) , electrically “ see other ” status code . In another more particular example , erasable programmable read only memory (EEPROM ) , and the redirection request can include one or more URIS, or any other suitable semiconductor media ) , any suitable 15 domain names , and / or any other suitable information relat media that is not fleeting or devoid of any semblance of ing to the vouching service ( s ) and / or a suitable endpoint of permanence during transmission , and /or any suitable tan - the vouching service ( s ). gible media . As another example , transitory computer read - As another example, the redirection request can include able media can include signals on networks, in wires, one or more parameters that can instruct the vouching conductors , optical fibers , circuits , any suitable media that is 20 service ( s ) to authenticate the client device . In a more par fleeting and devoid of any semblance of permanence during ticular example , a parameter " action " 822 of FIG . 8 and /or transmission , and / or any suitable intangible media . a parameter " action " 922 of FIG . 9 can be set to “ vouch ” to Turning to FIG . 3, an example 300 of a process for instruct the vouching service to authenticate the client authenticating a user using multiple services in accordance device in some embodiments . with some embodiments of the disclosed subject matter is 25 As yet another example , the redirection request can shown . In some embodiments , process 300 can be imple - include a cryptographic signature generated by the target mented using a target service , a client device , and one or service and / or one or more parameters that can be used to more vouching services , each of which can include a hard - verify the cryptographic signature . In a more particular ware processor. For example , as shown in FIG . 3 , process example , the redirection request can include a parameter that 300 can be implemented using a target service 102 of FIG . 30 can identify the target service, such as a domain name, a 1 , one or more vouching services 104 of FIG . 1 , and / or a URI, and / or any other suitable parameter that can identify client device 108 of FIG . 1. In some implementations, one the target service . In another more particular example , the or more portions of process 300 can be implemented utiliz - redirection request can include one or more parameters ing code embedded in one or more Web pages ( e . g ., such as based on which cryptographic signature was generated . In Web pages provided by a target service , a vouching service , 35 yet another more particular example , the redirection request and / or any other suitable service ) . can include information that identifies the parameters that As illustrated , process 300 can begin by a client device were used to generate the cryptographic signature and /or the transmitting an authentication request to a target service at order in which the parameter ( s ) were signed . 305 . In some embodiments , the authentication request can In some embodiments , the redirection request can be include any suitable information . For example , the authen - 40 transmitted in any suitable manner. For example , the redi tication request can include one or more authentication rection request can be transmitted using a message that is credentials for a user account on the target service ( e . g ., a generated based on a message schema 820 as shown in FIG . target service account ) . In a more particular example , the 8 . As another example , the redirection request can be authentication credentials can include a user name, a pass transmitted using a message 920 as illustrated in FIG . 9 in word , and / or any other suitable authentication credential for 45 some embodiments . the target service account. In some embodiments , in response to receiving the redi As another example , the authentication request can rection request at 320 , the client device can transmit a include any suitable information relating to a vouching vouching request to the vouching service ( s ) at 325 . In some service that can authenticate the client device . In a more embodiments , the vouching request can include any suitable particular example , the request can include a domain name 50 information . For example , the vouching request can include associated with the vouching service , a URI associated with any suitable information contained in the received redirec the vouching service, and / or any other suitable information tion request , such as the parameter ( s ) that instruct the relating to the vouching service. vouching service ( s ) to authenticate the client device , the In some embodiments , the authentication request can be cryptographic signature generated by the target service , the generated and/ or transmitted in any suitable manner. For 55 parameter ( s ) that can be used to verify the cryptographic example , the authentication request can be transmitted using signature , and / or any other suitable information . In some a message generated based on a message schema 810 as embodiments , a message 930 as shown in FIG . 9 can be used shown in FIG . 8 . As another example , the authentication to transmit a vouching request. request can be transmitted using a message 910 as illustrated In some embodiments , in response to receiving the vouch in FIG . 9 in some embodiments . 60 ing request at 330 , the vouching service ( s ) can verify the In some embodiments , upon receiving the authentication authenticity of the vouching request. For example , the request at 310 , the target service can validate the authenti- vouching service ( s ) can verify the cryptographic signature cation credentials for the target service account. For generated by the target service . As another example , the example , the target service can compare the received authen - vouching service ( s ) can validate a public -key certificate tication credentials with authentication credentials that are 65 associated with the target service . stored in association with the target service account. The In some embodiments , at 335 , the vouching service ( s ) can target service can then determine that the received authen - transmit a request for authentication credentials to the client US 10 ,367 ,797 B2 11 12 device . In some embodiments , in response to receiving the the vouching service . In another more particular example , request at 340 , the client device can obtain one or more the redirection request can include one or more parameters authentication credentials for a user account on the vouching based on which cryptographic signature was generated . In service ( e . g ., a vouching service account) . In some embodi yet another example , the redirection request can include ments , these authentication credentials can include a user 5 information that can identify the parameter ( s ) that were used name, a password , and/ or any other suitable authentication to generate the cryptographic signature and / or the order in credential for the vouching service account. In some which the parameter ( s ) were signed . embodiments , these authentication credentials can be In some embodiments , the redirection request can be obtained in any suitable manner. For example , the authen - transmitted in any suitable manner . For example , the redi tication credentials can be obtained by prompting a user to 10 rection request can be transmitted using a message that is provide the authentication credentials using an HTML form , generated based on a message schema 830 as shown in FIG . a dialog box , and / or any other suitable mechanism . As another example , the client device can retrieve an authen - In some embodiments , upon receiving the redirection tication token , a password , a user name, and /or any other request at 360 , the client device can transmit a vouching suitable authentication credential that have been stored using 15 response to the target service at 365 . In some embodiments , a browser cookie and /or any other suitable mechanism . the vouching response can include any suitable information . At 345 , the client device can transmit the authentication For example , the vouching response can include any suitable credentials for the vouching service account to the vouching information contained in the redirection request , such as the service . In some embodiments , in response to receiving the parameter ( s ) indicating that the client device has been authentication credentials at 350 , the vouching service can 20 authenticated by the vouching service , the vouching token , authenticate the vouching service account. The vouching the cryptographic signature generated by the vouching ser service account can be authenticated in any suitable manner. vice , the parameter ( s ) that can be used to verify the cryp For example , the vouching service can authenticate the tographic signature , and/ or any other suitable information . received authentication credentials by comparing the In some embodiments, in response to receiving the vouch received authentication credentials with authentication cre - 25 ing response at 370 , the target service can verify the infor dentials that are stored in association with the vouching mation contained in the vouching response . The information service account and can determine whether the received can be verified in any suitable manner. For example , the authentication credentials match the stored authentication target service can verify the vouching token contained in the credentials. Additionally or alternatively, the vouching ser vouching response . In a more particular example, the target vice account can be authenticated using another vouching 30 service can compare the vouching token ( e . g . , including the service that can authenticate the client device . anonymous alias associated with the vouching service In some embodiments , in response to authenticating the account) with a token associated with the target service vouching service account, the vouching service ( s ) can trans - account ( e . g ., an anonymous alias associated with the target mit a redirection request at 355 . In some embodiments, the service account ) . The target service can then verify the redirection request can include any suitable information . For 35 vouching token in response to determining that the vouching example , the redirection request can include one or more token matches the token associated with the target service instructions that can direct the client device to the target account. device . In a more particular example , the redirection request As another example , the target service can verify the can include an HTTP 3xx status code, such as an HTTP 303 cryptographic signature generated by the vouching “ see other ” status code. In another more particular example , 40 service( s ) . Additionally or alternatively, the target service the redirection request can include one or more URIS, can retrieve a public -key certificate associated with the domain names, and / or any other suitable information that vouching service ( e. g . , an X .509 certificate ) based on the can identify the target service and / or a suitable endpoint of information associated with the target service and can then the target service . validate the public -key certificate . As another example , the redirection request can include 45 In some embodiments , upon verifying the information one or more parameters indicating that the client device has contained in the vouching response , the target service can been authenticated by the vouching service . In a more transmit an authentication response at 375 . In some embodi particular example, a parameter " action ” 832 as shown in ments , the authentication response can include any suitable FIG . 8 can be set to " verify ” to indicate that a user account information that can provide the client device with access to on the vouching service ( e . g . , the vouching service account ) 50 the target service account. For example , the authentication has been authenticated for the client device . response can include any suitable Web content ( e . g . , a Web As yet another example , the redirection request can page ) hosted by the target service . As another example , the include a vouching token . In a more particular example , the authentication response can include an authentication token vouching token can include an alias associated with the that can be used to access the target service. In some vouching service account. In some embodiments, the alias 55 embodiments , the authentication token can be a persistent can include any suitable combination of letters , number, authentication token that can be used in multiple commu characters , and /or any other suitable component . In some nication sessions, such as an HTTP cookie . In some embodi embodiments , the alias can be associated with the vouching ments , subsequent authentication of the client device asso service account using process 400 of FIG . 4 , process 500 of ciated with the target service account can be bypassed in FIG . 5 , and /or in any other suitable manner. 60 response to detecting the persistent authentication token . As still another example , the redirection request can While the disclosed subject matter generally relates to include a cryptographic signature generated by the vouching authenticating a target service account on a target service service and/ or one or more parameters that can be used to using a vouching service account on a vouching service , this verify the cryptographic signature . In a more particular is merely illustrative . For example , the target service example , the redirection request can include a parameter that 65 account can be authenticated using multiple vouching ser can identify the vouching service , such as a domain name, vices and / or multiple vouching service accounts on one or a URI, and /or any other suitable parameter that can identify more vouching services. In such an example , the client US 10 ,367 ,797 B2 13 14 device can be granted access to the target service account domain names, and /or any other suitable information that upon successfully authenticating a predetermined number of can identify the vouching service and / or a suitable endpoint vouching service accounts ( e . g . , all of the vouching service of the vouching service . accounts associated with the target service account, a thresh - As another example , the redirection request can include old number of vouching service accounts associated with the 5 an alias that is generated for the target service account. In target service account, a predetermined percentage of some embodiments , the alias can include any suitable com vouching service accounts associated with the target service bination of letters , numbers , characters , and / or any other account, and /or any other suitable number of vouching suitable component. service accounts ) . As yet another example , the redirection request can Turning to FIG . 4 , a flow chart of an example 400 of a " include one or more parameters that can instruct the vouch process for associating a target service account on a target i ng service to authenticate the client device . In a more service with a vouching service account on a vouching particular example , as illustrated in FIG . 8 , a redirection service in accordance with some embodiments of the dis - request can be generated based on a message schema 850 closed subject matter is shown . In some embodiments , and can include a parameter " action " 852 that can instruct process 400 can be implemented using a target service , a the vouching service to authenticate an existing account client device, and a vouching service, each of which can and /or to register a new account for the client device. include a hardware processor. For example , as shown in In some embodiments , upon receiving the redirection FIG . 4 , process 400 can be implemented using a target request at 420 , the client device can transmit a vouching service 102 of FIG . 1 , a vouching service 104 of FIG . 1 , 20 request to the vouching service at 425 . In some embodi and / or a client device 108 of FIG . 1 . In some implementa ments , the vouching request can include any suitable infor tions , one or more portions of process 400 can be imple mation . For example , the vouching request can include any mented utilizing code embedded in one or more Web pages suitable information contained in the redirection request, ( e . g . , such as Web pages provided by a target service , a such as the alias, the parameter( s ) that can instruct the vouching service , and /or any other suitable service ) . 25 vouching service to authenticate the client device and /or to As illustrated , process 400 can begin by a client device register the alias, and / or any other suitable information . transmitting a request to associate a vouching service with a In some embodiments , upon receiving the vouching target service account at 405 . In some embodiments , the request at 435 , the vouching service can transmit a request request can include any suitable information . For example , for authentication credentials to the client device . In some the request can include one or more authentication creden -* 330 embodiments , in response to receiving the vouching request tials for the target service account. In a more particular at 440 , the client device can obtain one or more authenti cation credentials for a vouching service account on the example , the authentication credentials can include a user vouching service . In some embodiments, these authentica name, a password , and /or any other suitable authentication tion credentials can include a user name, a password , and /or credential. As another example , the request can include any 35 any other suitable authentication credential. In some suitable information relating to the vouching service. In a embodiment, these authentication credentials can be more particular example , the request can include a URI obtained in any suitable manner . For example , the authen associated with the vouching service, a domain name of the tication credentials can be obtained in response to receiving vouching service , and /or any other suitable information one or more suitable user inputs of the authentication relating to the vouching service. 40 credentials . As another example , the client device can In some embodiments , the request can be transmitted in retrieve the authentication credentials for the vouching ser any suitable manner. For example , the request can be vice account that have been stored by the client device ( e. g. , transmitted using a message that is generated based on a using one or more browser cookies that can store user message schema 840 of FIG . 8 . names , passwords, authentication tokens and /or any other In some embodiments , upon receiving the request at 410 , 45 suitable authentication credentials ) . a target service can authenticate the target service account. At 445 , the client device can transmit the authentication The target service account can be authenticated in any credentials for the vouching service account to the vouching suitable manner. For example , the target service account can service . In some embodiments , at 450 , the vouching service be authenticated by comparing the received authentication can authenticate the vouching service account based on the credentials and a set of authentication credentials stored in 50 received authentication credentials . For example , the vouch association with the user account. As another example , the ing service can create a new user account and associate the user account can be authenticated using one or more vouch received authentication credentials with the created user ing services that have been previously associated with the account. As another example , the vouching service can user account ( e . g . , using process 300 of FIG . 3 ) . As yet authenticate the vouching service account by comparing the another example , the target service can authenticate the user 55 received authentication credentials with authentication cre account by creating a new user account and associating the dentials that are stored in association with the vouching received authentication credentials with the new user service account and can determine whether the received account. authentication credentials match the stored authentication At 415 , the target service can transmit a redirection credentials . Additionally or alternatively , the vouching ser request to the client device . In some embodiments , the 60 vice can authenticate the vouching service account using redirection request can include any suitable information . For multiple services in some embodiments ( e . g ., using process example , the redirection request can include one or more 300 of FIG . 3 and /or process 600 of FIG . 6 ). instructions that can direct the client device to the vouching I n some embodiments , upon authenticating the existing device . In a more particular example , the redirection request account and / or creating the new user account, the vouching can include an HTTP 3xx status code , such as an HTTP 303 65 service can associate the target service account with the “ see other” status code. In another more particular example , vouching service account ( e . g ., by storing the alias in the redirection request can include one or more URIS , association with the vouching service account) . US 10 , 367, 797 B2 15 16 At 455 , the vouching service can transmit a redirection As illustrated , process 500 can begin by receiving one or request to the client device . In some embodiments , the more authentication credentials for a user account at 505 . In redirection request can include any suitable information . For some embodiments , the authentication credentials can example, the redirection request can include an instruction include a user name, a password , and /or any other suitable that can direct the client device to the target service . In a 5 authentication credential. more particular example , the redirection request can include At 510 , process 500 can validate the received authenti an HTTP 3xx status code , such as an HTTP 303 " see other” cation credentials . The authentication credentials can be validated in any suitable manner. For example , process 500 status code . In another more particular example , the redi can validate the authentication credentials by comparing the rection request can include one or more URIs , domain 10 authentication credentials with authentication credentials names , and / or any other suitable information that can iden that are stored in association with an existing user account tify the vouching service and / or a suitable endpoint of the and determining that the received authentication credentials target service . As another example, the redirection request match the stored authentication credentials . As another can include information indicating that the client device has example , process 500 can validate the authentication cre successfully authenticated a user account with the vouching1118 15 dentialsdentials usingus one or more vouching services. In a more service (e . g ., a parameter “ action ” 862 of FIG . 8 ) . Addition particular example , process 300 of FIG . 3 can be used to ally or alternatively, the redirection request can including validate the authentication credentials in some embodi information indicating that the target service account has ments . As yet another example , process 500 can validate the been associated with the vouching service account. As yet received authentication credentials by creating a new user another example , the redirection can include a vouching 20 account and associating the received authentication creden token . In a more particular example , the vouching token can tials with the created user account . include the alias that was generated for the target service At 515 , process 500 can generate one or more decoy account. credentials for the user account. The decoy credentials can In some embodiments, the redirection request can be be generated in any suitable manner . For example , the decoy transmitted in any suitable manner. For example , the redi- 25 credentials can be generated using any suitable pseudoran rection request can be transmitted using a message that is dom function and / or random function . generated based on a message schema 860 as illustrated in As another example , process 500 can identify one or more FIG . 8 . portions of the received authentication credential( s ) ( e . g ., by In some embodiments, upon receiving the redirection grammatically decomposing the received authentication cre request , the client device can transmit a confirmation mes - 30 dential ( s ) using any suitable natural language processing sage to the target service at 465 . In some embodiments , the technique ) . Process 500 can then generate one or more confirmation message can include any suitable information . decoy credentials by transforming the identified portions in For example , the confirmation message can include the a suitable manner . In a more particular example , one or more vouching token , the information indicating that the client of the identified portions can be transformed into similar device has successfully authenticated a user account with the 35 portions of a decoy credential by replacing letters of the vouching service , and /or any other suitable information identified portions with characters and / or symbols ( e . g ., by contained in the redirection request received at 460 . replacing " leetspeak ” with “ ! 337 $ p34k ” ) . In another more In some embodiments, in response to receiving the con particular example , one or more of the identified portions firmation message at 470 , the target service can associate the can be transformed by producing random permutations that vouching service with the target service account . For 40 are grammatically similar to the identified components . example , the target service can associate the vouching token More particularly , for example , a decoy credential including with the target service account ( e . g ., by binding the alias to the phrase of “ she plays carefully ” and / or the phrase of “ she the target service account ) . In some embodiments , the target speaks loudly ” can be generated for an authentication cre service can store any suitable information relating to the dential that includes a portion comprising a pronoun , a verb , vouching service in association with the target service 45 and an adverb ( e . g ., an authentication credential including account. In some embodiments, in response to receiving a the phrase of “ she runs fast” ) . subsequent request to authenticate the target service As yet another example , process 500 can designate one or account, the target service can identify the vouching service more suitable portions of an authentication credential asso based on the stored information and can authenticate the ciated with the user account as a random string and can target service account by issuing a vouching request to the 50 identify one or more statistical properties of the designated vouching service ( e . g . , using process 300 of FIG . 3 ) . random string . Process 500 can then generate one or more While the disclosed subject matter generally relates to decoy credentials for the user account by producing one or associating a target service account on a target service with more random strings having the identified statistical prop a vouching service account on a vouching service , this is erties. In a more particular example , a decoy credential merely illustrative. For example , the target service account 55 containing a digit , a lowercase letter, and an uppercase letter can be associated with multiple vouching services and / or ( e . g ., “ OxB , ” “ 50M , " and or any other suitable decoy cre multiple user accounts on one or more vouching services. In dential) can be generated for an authentication credential such an example, an alias can be generated for each user including the same statistic properties ( e . g . , an authentica account on a vouching service and can be associated with the tion credential of “ rX ” ) . target service account by the target service . 60 At 520 , process 500 can associate the generated decoy Turning to FIG . 5 , a flow chart of an example 500 of a credentials with the user account. In some embodiments, this process for associating a vouching service with a user association can be made in any suitable manner . For account on a target service in accordance with some embodi - example , the decoy credentials can be stored in association ments of the disclosed subject matter is shown . In some with other authentication credentials of the user account. In embodiments , process 500 can be implemented using one or 65 a more particular example , process 500 can generate a hash more hardware processors, such as a hardware processor of for each of the decoy credentials and one or more of the a target service 102 of FIG . 1 . authentication credentials received at 505 ( e . g ., using any US 10 , 367 , 797 B2 17 18 suitable hash function ) . Process 500 can then generate a with the user account in response to determining that the password vector by encapsulating the hashes and can store user has failed to authenticate a user account with the the password vector in association with the user account . Vouching service . At 525 , process 500 can generate an alias for the user Alternatively , at 555 , process 500 can associate the account. In some embodiments , the alias can include any 5 vouching service with the user account in response to suitable combination of letters, number, characters , and / or determining that the user has been authenticated by the any other suitable component that can be used to uniquely vouching service . In some embodiments , this association identify the user account. In some embodiments , the alias can be made in any suitable manner . For example , process can be generated using a suitable random function , pseudo - 500 can associate the vouching token with the user account . random function , and / or any other suitable mechanism . 10 In a more particular example , process 500 can store the alias At 530 , process 500 can identify a vouching service to be included in the vouching token in association with the user associated with the user account. The vouching service can account and can bind the alias to the user account . In some be identified in any suitable manner. For example , process embodiments , process 500 can store a domain name of the 500 can cause a list of vouching services to be presented to vouching service , a URI associated with the vouching ser the user and can then identify a vouching service in response 15 vice , and /or any suitable information relating to the vouch to receiving a user selection of the vouching service . As ing service in association with the user account . another example , process 500 can identify a vouching ser - While the disclosed subject matter generally relates to vice in response to receiving a user input of a domain name , associating a vouching service with a user account on a a URI, and / or any other suitable information that can be used target service , this is merely illustrative. For example, mul to identify the vouching service . 20 tiple vouching services and/ or vouching service accounts At 535 , process 500 can transmit a vouching request to the can be associated with a target service account and / or a user . identified vouching service . In some embodiments , the In such an example , each of the vouching services and/ or vouching request can include any suitable information . For Vouching service accounts can be associated with the target example , the vouching request can include the alias gener - service account and /or user using one or more suitable ated for the user account. For example , the vouching request 25 portions of process 500 of FIG . 5 in some embodiments . can include information that can instruct the vouching Turning to FIG . 6 , a flow chart of an example 600 of a service to authenticate the user . In a more particular process for authenticating a user account using one or more example , the vouching request can include one or more vouching services in accordance with some embodiments of parameters that can instruct the vouching service to authen the disclosed subject matter is shown . In some embodi ticate an existing account and / or to register a new account 30 ments , one or more portions of process 600 can be imple for the user ( e . g ., a parameter “ action ” 852 of FIG . 8 ) for the mented using one or more hardware processors , such as a user . Additionally or alternatively , the parameter( s ) can hardware processor of a target service 102 of FIG . 1 . instruct the vouching service to associate the alias with the As illustrated , process 600 can begin by receiving one or authenticated existing account and /or the new account in more authentication credentials for a target service account some embodiments . 35 at 605 . In some embodiments , the authentication credentials In some embodiments , the vouching request can be trans- can include a password , a user name, and /or any other mitted in any suitable manner. For example , the vouching suitable credential associated with the target service request can be transmitted through a client device using one account. or more redirection requests . In a more particular example , At 610 , process 600 can determine whether the received a message 920 as illustrated in FIG . 9 can be used to direct 40 authentication credentials are valid . This determination can a client device to the vouching service and / or to relay the be made in any suitable manner . For example , process 600 vouching request to the vouching service. As another can compare the received authentication credentials with example , the vouching request can be transmitted to the authentication credentials stored in associated with the target identified vouching service using one or more suitable service account. Process 600 can then determine that the messages ( e. g ., one or more HTTP messages ). 45 received credentials are valid in response to determining that At 540 , process 500 can receive a vouching response from the received authentication credentials match the stored the vouching service . In some embodiments , the vouching authentication credentials . In some embodiments , the stored response can include any suitable information . For example , authentication credentials can include one or more authen the vouching response can include information indicating tication credentials provided by a user upon establishing the whether the user has been successfully authenticated by the 50 target service account , one or more decoy credentials asso vouching service . In a more particular example , the vouch - ciated with the target service account ( e .g ., such as one or ing response can include a parameter ( e . g . , a parameter more decoy credentials described in connection with steps " action " 862 of FIG . 8 ) indicating that the user has been 505 -510 of FIG . 5 ), and /or any other suitable authentication successfully authenticated by the vouching service . As credential that can be considered a valid authentication another example , the vouching response can include a 55 credential. vouching token . In a more particular example , the vouching In some embodiments , in response to determining that token can include the alias generated at 525 . As yet another one or more of the received credentials are invalid , process example , the vouching response can include information 600 can transmit a response message indicating that autho indicating that the user account has been compromised ( e . g ., rization has been refused for the received authentication an indication that the user has failed to authenticate a user 60 credentials at 655 . account with the vouching service for a threshold number of Alternatively process 600 can identify one or more vouch times) ing services at 615 . The vouching service ( s ) can be identi At 545 , process 500 can determine whether the user has fied in any suitable manner . For example , the vouching been successfully authenticated by the vouching service service ( s ) can be identified in response to receiving a user based on the received vouching response . In some embodi- 65 input of one or more domain names , URIs , and / or any other ments , at 550 , process 500 can transmit a response message suitable information that can identify the vouching indicating that the vouching service will not be associated service ( s ). As another example , process 600 can present a US 10 , 367 ,797 B2 20 list of vouching services and can identify the vouching service accounts with the vouching service ( s ) , process 600 service ( s ) in response to receiving a user selection of one or can determine whether each of the vouching service more vouching services from the list . In some embodiments, accounts is associated with the target service account at 635 . the list of vouching services can include one or more In some embodiments , this determination can be made in vouching services that have been associated with the user 5 any suitable manner. For example , process 600 can extract account ( e . g ., using process 400 of FIG . 4 and / or process a vouching token from a vouching response corresponding 500 of FIG . 5 ). Alternatively or additionally , the list of to a given vouching service account ( e . g ., by parsing the vouching services can include any suitable service that can vouching response and / or processing the vouching response authenticate the user, such as a social networking service , an email service , a messaging service , a credit card service , a 10 in any other suitable manner ) and can compare the vouching banking service , an electronic commerce service , and /or any token with a token associated with the target service account other suitable service . In some embodiments , the list of ( e . g . , such as a token including an alias that is associated vouching services can include one or more services that are with the target service account using process 400 of FIG . 4 , frequently used by the user. process 500 of FIG . 5 , and /or any other suitable mecha At 620, process 600 can transmit one or more vouchinguching 15 nismNisi ). Process 600 can then determine that the vouching requests to the identified vouching service ( s ). In some service account is associated with the target service account embodiments , the vouching request ( s ) can include any suit in response to determining that the vouching token matches able information . For example , the vouching request ( s ) can the token associated with the target service account. include any suitable information that can instruct the vouch - In some embodiments , in response to determining that the ing service ( s ) to authenticate the user . As another example , 20 vouching service account( s ) are associated with the target the vouching request( s ) can include a cryptographic signa- service account, process 600 can transmit an authentication ture generated by a service that generates and / or transmits response at 640 . In some embodiments , the authentication the vouching request( S ) . As yet another example , the vouch response can include any suitable information that can ing request( s ) can include one or more suitable parameters provide the user with access to the target service account . that can be used to verify the cryptographic signature . 25 For example , the authentication response can include any In some embodiments , the vouching request can be trans - suitable Web content ( e . g . , a Web page ) associated with the mitted in any suitable manner . For example , the vouching target service account. As another example, the authentica request ( s ) can be transmitted through a client device using tion response can include an authentication token that can be one or more suitable redirection requests. In a more particu used to access the target service account . In some embodi lar example , as described above in connection with FIG . 3 30 ments , the authentication token can be a persistent authen ( e . g ., steps 315 - 335 ) , a redirection request can be issued to tication token that can be used in multiple communication direct the client device to a vouching service and to relay a sessions , such as an HTTP cookie . vouching request to the vouching service . In some embodi- In some embodiments , in response to determining that the ments, a message 920 as illustrated in FIG . 9 can be used to user has failed to authenticate a user account with the transmit the vouching request ( s ) . As another example , pro - 35 vouching service ( s ) ( e . g . , “ NO ” at 630 ) and/ or that the cess 600 can transmit the vouching request to the vouching second user is not associated with the target service account service ( s ) using one or more suitable messages , such as one ( e . g . , “ NO ” at 635 ) , process 600 can determine whether the or more HTTP messages . target service account has been compromised at 645 . This At 625 , process 600 can receive one or more vouching determination can be made in any suitable manner . For response ( s ) from the vouching service ( s ) . In some embodi - 40 example , process 600 can determine that the target service ments , a vouching response can be received from each the account has been compromised in response to detecting the vouching services . In some embodiments , a vouching information in the vouching response indicating that the user response can include any suitable information . For example , has failed to authenticate a user account with the vouching the vouching response can include information indicating service for a threshold number of time. As another example , that whether the user has successfully authenticated a user 45 process 600 can determine that the target service account has account with a vouching service . In a more particular been compromised in response to detecting a predetermined example , the vouching response can include one or more number of unsuccessful authentication attempts in associa parameters (e .g . , a parameter “ action ” 832 of FIG . 8 ) indi tion with the target service account with one or more cating that the user has successfully authenticated a vouch - vouching services ( e . g . , one or more services implementing ing service account with a vouching service . As another 50 process 700 of FIG . 7 , and /or any other suitable vouching example , the vouching response can include a vouching service ). As yet another example , process 600 can determine token . In some embodiments , the vouching token can that the target service account has been compromised in include an alias associated with a vouching service account. response to detecting unsuccessful authentication attempts As yet another example , the vouching response can include in association with a predetermined number of vouching information indicating that the target service account has 55 services ( e . g . " one" or any other suitable number ) . been compromised ( e . g ., by indicating that the user has In some embodiments , in response to determining that the failed to authenticate a vouching service account with the target service account has been compromised , process 600 vouching service for a threshold number of times ) . can generate a warning message indicating such determina At 630 , process 600 can determine whether the user has tion at 650 . Alternatively , at 655 , process 600 can transmit successfully authenticated a vouching service account with 60 a response message indicating that authorization has been the vouching service ( s ). For example , process 600 can parse refused for the authentication credentials received at 605 . the vouching response (s ) and can make this determination Turning to FIG . 7 , a flow chart of an example 700 of a based on the information indicating thatwhether the user has process for vouching for a user in accordance with some successfully authenticated a vouching service account with embodiments of the disclosed subject matter is shown . In the vouching service (s ). 65 some embodiments , process 700 can be implemented using In some embodiments , in response to determining that the one or more hardware processors, such as a hardware user has successfully authenticated one or more vouching processor of a vouching service 104 of FIG . 1 . US 10 , 367, 797 B2 21 22 As illustrated , process 700 can begin by receiving a In some embodiments , in response to determining that the vouching request to authenticate a user associated with a received authentication credentials are valid at 720 , process target service account at 705 . In some embodiments, the 700 can transmit a vouching response indicating that the vouching request can include any suitable information . For vouching service account has been authenticated at 740 . In example , the vouching request can include one or more 5 some embodiments , the vouching response can include any parameters that can instruct process 700 to authenticate the suitable information . For example , the vouching response user . As another example , the vouching request can include can include a vouching token . In some embodiments , the information that can identify a service that initiated the vouching token can include an alias associated with the request. In a more particular example , such information can vouching service account. As another example , the vouching include a domain name of the service , a URI associated with 10 response can include information indicating that the vouch the service , and /or any other suitable relating to the service . ing service account has been authenticated for the user ( e . g . , As yet another example , the request can include a crypto such as a parameter " action ” 832 or a parameter " action " graphic signature generated by a service that initiated the 862 of FIG . 8 ) . As yet another example , the vouching request and /or any other suitable parameters that can be used response can include one or more cookies ( e . g ., HTTP to verify the cryptographic signature . 15 cookies) . In some embodiments , subsequent authentication At 710 , process 700 can transmit a request for authenti - requests for the vouching service account can be bypassed in cation credentials. In some embodiments , the request for response to detecting the cookie ( s ). In some embodiments , authentication credentials can be generated and / or transmit in response to receiving information about a user action ted using any suitable communication protocol, such as the ( e . g ., information about items that the user wants to purchase Hypertext Transfer Protocol Secure (HTTPS ) and / or any 20 from the target service or any other suitable service ) from a other suitable communication protocol that utilizes a cryp - target service and / or any other suitable service and /or tographic protocol, such as Security Sockets Layer (SSL ) , device , a vouching service can transmit a message indicating Transport Layer Security ( TLS ) , and / or any other suitable that the user has been authenticated based on the cookie ( s ) . cryptographic protocol. Alternatively , the vouching service can initiate a re - authen At 715 , process 700 can receive authentication credentials 25 tication process and can authenticate the user and/ or the for a vouching service account. In some embodiments, the vouching service account associated with the user ( e . g . , authentication credentials can include a user name, a pass - using process 700 of FIG . 7 ). word , and / or any other suitable authentication credential. In While the disclosed subject matter generally relates to some embodiments , the authentication credentials can be authenticating a target service account on a target service received in any suitable manner. For example , the authen - 30 using a vouching service account on a vouching service , this tication credentials can be received via one or more suitable is merely illustrative . For example , the target service messages , such as one or more HTTPS messages . account can be authenticated using multiple vouching ser At 720 , process 700 can determine whether the received vices and /or multiple vouching service accounts . In such an authentication credentials are valid . This determination can example , the client device can be granted access to the target be made in any suitable manner. For example , process 700 35 service account upon successfully authenticating a prede can determine that the received authentication credentials termined number of vouching service accounts ( e . g . , all of are valid in response to determining that the received the vouching service accounts associated with the target authentication credentials match a set of authentication service account, a threshold number of vouching service credentials stored in association with the vouching service accounts associated with the target service account, a pre account. 40 determined percentage of vouching service accounts asso As another example, process 700 can authenticate the ciated with the target service account, and /or any other vouching service account using one or more vouching suitable number of vouching service accounts ) . In some services that have been associated with the vouching service embodiments , each of the vouching service accounts can be account ( e . g . , using process 300 of FIG . 3 and / or process authenticated using one ormore suitable portions of process 600 of FIG . 6 ) and can then determine that the received 45 700 of FIG . 7 . authentication credentials are valid in response to success . It should be noted that the above steps of the flow fully authenticating the vouching service account. diagrams of FIGS . 3 - 7 can be executed or performed in any In some embodiments , in response to determining that order or sequence not limited to the order and sequence one or more of the received authentication credentials are shown and described in the figures . Also , someof the above invalid , process 700 can determine whether the target ser - 50 steps of the flow diagrams of FIGS . 3 - 7 can be executed or vice account has been compromised at 725 . This determi- performed substantially simultaneously where appropriate nation can be made in any suitable manner . For example , or in parallel to reduce latency and processing times . Fur process 700 can determine that the target service account has thermore , it should be noted that FIGS . 3 - 7 are provided as been compromised in response to detecting a threshold examples only . At least some of the steps shown in these number of unsuccessful authentication attempts associated 55 figures may be performed in a different order than repre with the vouching service account during a particular time sented , performed concurrently , or altogether omitted . period . As another example , process 700 can determine that The provision of the examples described herein ( as well the target service account has been compromised in response as clauses phrased as such as, " " e . g ., ” “ including , ” and the to detecting a threshold number of repeated unsuccessful like ) should not be interpreted as limiting the claimed authentication attempts associated with the vouching service 60 subject matter to the specific examples ; rather , the examples account. are intended to illustrate only some of many possible In some embodiments , in response to determining that the aspects . target service account has been compromised , process 700 Accordingly , methods, systems, and media for authenti can transmit a vouching response indicating such determi- cating a user using multiple services are provided . nation at 730 . Alternatively , process 700 can transmit a 65 Although the disclosed subject matter has been described vouching response indicating that the user has failed to and illustrated in the foregoing illustrative embodiments , it authenticate the vouching service account at 735 . is understood that the present disclosure has been made only US 10 , 367 , 797 B2 23 24 by way of example , and that numerous changes in the details 6 . The method of claim 1 , further comprising : of implementation of the disclosed subject matter can be generating a plurality of decoy credentials based on the made without departing from the spirit and scope of the first user - entered credentials ; and disclosed subject matter, which is limited only by the claims associating the plurality of decoy credentials with the that follow . Features of the disclosed embodiments can be 5 target service account. combined and rearranged in various ways . 7 . The method of claim 6 , further comprising authenti cating the target service account in response to receiving at What is claimed is : least one of the plurality of decoy credentials . 1 . A method for authenticating a user using multiple 10 8 . The method of claim 1 , further comprising determining services, the method comprising : that the target service account has been compromised in receiving , from a client device , first user- entered creden response to detecting a threshold number of unsuccessful tials for a target service account ; authentication attempts in association with the vouching authenticating the target service account based on the first service account. user -entered credentials ; is 9 . A system for authenticating a user using multiple issuing a redirecting request that directs the client device services, the system comprising : to at least one vouching service in response to authen - at least one hardware processor that is configured to : ticating the target service account; receive , from a client device , first user - entered credentials receiving a vouching response indicating that the client for a target service account; device has authenticated a vouching service account 20 authenticate the target service account based on the first with the at least one vouching service by providing user- entered credentials ; second user - entered credentials to the vouching ser issue a redirecting request that directs the client device to vice , wherein the vouching response includes a vouch at least one vouching service in response to authenti ing token , and wherein the second user -entered creden cating the target service account ; tials are different from the first user - entered credentials ; 25 receive a vouching response indicating that the client determining , using a hardware processor, whether the device has authenticated a vouching service account vouching service account is associated with the target with the at least one vouching service by providing service account based on the vouching token ; and second user - entered credentials to the vouching ser providing the client device with access to the target vice , wherein the vouching response includes a vouch service account in response to ( 1 ) authenticating the 30 i ng token , and wherein the second user - entered creden target service account based on the first user- entered tials are different from the first user - entered credentials ; credentials , ( 2 ) receiving the vouching response indi determine whether the vouching service account is asso cating that the client device has authenticated the ciated with the target service account based on the vouching service account with the at least one vouching vouching token ; and service , and ( 3 ) determining that the vouching service 35 provide the client device with access to the target service account is associated with the target service account. account in response to ( 1 ) authenticating the target 2 . The method of claim 1 , further comprising : service account based on the first user - entered creden identifying a plurality of vouching services associated tials, ( 2 ) receiving the vouching response indicating with the target service account ; that the client device has authenticated the vouching transmitting a plurality of vouching requests to the plu - 40 service account with the at least one vouching service , rality of vouching services; and (3 ) determining that the vouching service account receiving a plurality of vouching responses from at least is associated with the target service account. a set of the plurality of vouching services; 10 . The system of claim 9 , wherein the hardware proces extracting a plurality of vouching tokens from the plural- sor is further configured to : ity of vouching responses ; and authenticating the target 45 identify a plurality of vouching services associated with user account based on the plurality of vouching tokens. the target service account; 3. The method of claim 1 , further comprising: transmit a plurality of vouching requests to the plurality of comparing a first alias associated with the target service vouching services ; account with a second alias associated with the vouch receive a plurality of vouching responses from at least a ing service account; and 50 set of the plurality of vouching services; determining that the vouching service account is associ extract a plurality of vouching tokens from the plurality of ated with the target service account in response to vouching responses ; and determining that the first alias matches the second alias, authenticate the target user account based on the plurality wherein the vouching token includes the second alias . of vouching tokens . 4 . The method of claim 3 , further comprising : 55 11 . The system of claim 9 , wherein the hardware proces receiving a request to associate the target service account sor is further configured to : with the vouching service ; compare a first alias associated with the target service transmitting , to the vouching service , a vouching response account with a second alias associated with the vouch including the first alias; ing service account; and receiving a vouching response indicating that the vouch - 60 determine that the vouching service account is associated ing service account has been authenticated ; and with the target service account in response to deter associating the first alias with the target service account in mining that the first alias matches the second alias , response to receiving the vouching response. wherein the vouching token includes the second alias. 5 . The method of claim 1 , further comprising transmitting 12 . The system of claim 11 , wherein the hardware pro a persistent token to the client device in response to deter- 65 cessor is further configured to : mining that the vouching service account is associated with receive a request to associate the target service account the target service account. with the vouching service ; US 10 , 367 ,797 B2 25 26 transmit , to the vouching service , a vouching response 18 . The non - transitory computer- readable medium of including the first alias ; claim 17 , wherein the method further comprises : receive a vouching response indicating that the vouching identifying a plurality of vouching services associated service account has been authenticated ; and with the target service account ; associate the first alias with the target service account in 5 transmitting a plurality of vouching requests to the plu response to receiving the vouching response. rality of vouching services; 13 . The system of claim 9 , wherein the hardware proces receiving a plurality of vouching responses from at least sor is further configured to transmit a persistent token to the client device in response to determining that the vouching a set of the plurality of vouching services; service account is associated with the target service account . 10 extracting a plurality of vouching tokens from the plural 14 . The system of claim 9 , wherein the hardware proces ity of vouching responses ; and sor is further configured to : authenticating the target user account based on the plu generate a plurality of decoy credentials based on the first rality of vouching tokens. user - entered credentials ; and 19 . The non - transitory computer - readable medium of associate the plurality of decoy credentials with the targetget 15 claimClaim 17 , wherein the method further comprises : service account. comparing a first alias associated with the target service 15 . The system of claim 14 , wherein the hardware pro account with a second alias associated with the vouch cessor is further configured to authenticate the target service ing service account ; and account in response to receiving at least one of the plurality determining that the vouching service account is associ of decoy credentials . 20 ated with the target service account in response to 16 . The system of claim 9 , wherein the hardware proces determining that the first alias matches the second alias, sor is further configured to determine that the target service wherein the vouching token includes the second alias . account has been compromised in response to detecting a 20 . The non - transitory computer -readable medium of threshold number of unsuccessful authentication attempts in claim 19 , wherein the method further comprises : association with the vouching service account. 25 receiving a request to associate the target service account 17 . A non - transitory computer- readable medium contain with the vouching service ; ing computer -executable instructions that , when executed by transmitting , to the vouching service, a vouching response a processor, cause the processor to perform a method for including the first alias; authenticating a user using multiple services , the method receiving a vouching response indicating that the vouch comprising : 30 receiving, from a client device , first user- entered creden ing service account has been authenticated ; and tials for a target service account; associating the first alias with the target service account in authenticating the target service account based on the first response to receiving the vouching response. user -entered credentials ; 21 . The non - transitory computer- readable medium of issuing a redirecting request that directs the client device z35 claimChain 17 , wherein the method further comprises transmitting to at least one vouching service in response to authenthen - aa persistent token to the client device in response to deter ticating the target service account ; mining that the vouching service account is associated with receiving a vouching response indicating that the client the target service account. device has authenticated a vouching service account 22 . The non - transitory computer- readable medium of with the at least one vouching service by providing 40 claim 17 , wherein the method further comprises : second user - entered credentials to the vouching ser generating a plurality of decoy credentials based on the vice , wherein the vouching response includes a vouch first user- entered credentials ; and ing token , and wherein the second user- entered creden associating the plurality of decoy credentials with the tials are different from the first user- entered credentials ; target service account. determining whether the vouching service account is 45 23 . The non - transitory computer -readable medium of associated with the target service account based on the claim 22 , wherein the method further comprises authenti vouching token ; and cating the target service account in response to receiving at providing the client device with access to the target least one of the plurality of decoy credentials . service account in response to ( 1 ) authenticating the 24 . The non - transitory computer -readable medium of target service account based on the first user- entered 50 claim 17, wherein the method further comprises determining credentials , ( 2 ) receiving the vouching response indi that the target service account has been compromised in cating that the client device has authenticated the response to detecting a threshold number of unsuccessful vouching service account with the at least one vouching authentication attempts in association with the vouching service , and ( 3 ) determining that the vouching service service account. account is associated with the target service account.