
KR-102962552-B1 - METHOD AND APPARATUS OF CONTROLLING ACCOUNT LOCKOUT


Abstract

A method and apparatus for controlling account locking are disclosed. A method for controlling an account in response to an authentication attempt by an authentication client at an authentication server according to at least one of various embodiments of the present invention may include: receiving a password for authentication; generating a first hash value corresponding to the password when the IP address that transmitted the password is not blocked; obtaining a second hash value corresponding to the password from a database; and determining whether the login is successful based on whether the first hash value and the second hash value match, thereby controlling whether the account is locked.

Inventors

  • 차영욱
  • 정진호

Assignees

  • 국립경국대학교 산학협력단

Dates

Publication Date
2026-05-08
Application Date
2023-03-07

Claims (8)

  1. A method for controlling an account in response to an authentication attempt by an authentication client at an authentication server, the method comprising: receiving a password for authentication of the account; when a first IP address that transmitted the password is not blocked, generating a first hash value corresponding to the password; obtaining a second hash value corresponding to the password from a database; and determining whether the login is successful based on whether the first hash value and the second hash value match, thereby controlling whether the account is locked, wherein controlling whether the account is locked comprises: determining whether the first hash value and the second hash value match; when the first hash value and the second hash value do not match, determining that the login of the authentication client's account has failed, increasing the number of authentication failures, and blocking the first IP address when the number of authentication failures exceeds a preset threshold; and when the first hash value matches the second hash value corresponding to the password received through the first IP address, or when the first hash value matches the second hash value corresponding to a password received from a second IP address for authentication of the account, determining that the login for the account is successful, resetting the number of authentication failures, and either unblocking all IP addresses blocked for the account, including the first IP address, or providing information on a list of IP addresses that may be unblocked among all IP addresses previously blocked for the account so that the authentication client can selectively unblock them.
  2. The account control method of claim 1, further comprising determining whether the first IP address that transmitted the password is blocked.
  3. The account control method of claim 2, wherein, when the result of determining whether the first IP address is blocked indicates that it is blocked, the received password is ignored.
  4. (deleted)
  5. (deleted)
  6. (deleted)
  7. (deleted)
  8. An account control device comprising: a memory; and a processor that exchanges data with the memory, wherein the processor, when a password for account authentication is received from an authentication client and a first IP address of the authentication client that transmitted the password is not blocked, generates a first hash value corresponding to the password, obtains a second hash value corresponding to the password from a database, and determines whether the login is successful based on whether the first hash value and the second hash value match, thereby controlling whether the account is locked; wherein the processor determines whether the first hash value and the second hash value match; when the first hash value and the second hash value do not match, determines that the login of the authentication client's account has failed, increases the number of authentication failures, and blocks the first IP address when the number of authentication failures exceeds a preset threshold; and when the first hash value matches the second hash value corresponding to the password received through the first IP address, or when the first hash value matches the second hash value corresponding to a password received from a second IP address for authentication of the account, determines that the login for the account is successful, resets the number of authentication failures, and either unblocks all IP addresses blocked for the account, including the first IP address, or provides information on a list of IP addresses that may be unblocked among all IP addresses previously blocked for the account so that the authentication client can selectively unblock them.
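A constructed Python model of the control flow in claims 1, 3 and 8, added here as an illustration and not taken from the patent or its assignee. The hash function (PBKDF2-HMAC-SHA256 with a per-user salt), the threshold value, the in-memory tables and the status strings are assumptions; the claims only say "hash value" and "database". The failure counter is kept per account and reset only on a successful login, as the claims describe, while blocking applies to the sending IP address rather than the account.

```python
import hashlib
import hmac
import os


class AccountLockController:
    """Per-account failure counter that blocks the offending IP, never the account."""

    def __init__(self, threshold=3, selective_unblock=False):
        self.threshold = threshold                  # "preset threshold" of claim 1
        self.selective_unblock = selective_unblock  # second variant of the success branch
        self.db = {}        # user -> (salt, second hash value held in the database)
        self.failures = {}  # user -> number of authentication failures
        self.blocked = {}   # user -> set of IP addresses blocked for that account

    @staticmethod
    def _hash(password, salt):
        # Assumed choice of hash: the claims do not name a function.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user, password):
        salt = os.urandom(16)
        self.db[user] = (salt, self._hash(password, salt))

    def authenticate(self, user, password, ip):
        blocked = self.blocked.setdefault(user, set())
        if ip in blocked:
            return "ignored"        # claim 3: a password from a blocked IP is ignored
        if user not in self.db:
            return "failure"
        salt, second = self.db[user]
        first = self._hash(password, salt)          # first hash value (claim 1)
        if hmac.compare_digest(first, second):      # constant-time comparison
            self.failures[user] = 0                 # reset the failure count
            if not self.selective_unblock:
                blocked.clear()                     # unblock every IP for this account
            return "success"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] > self.threshold:
            blocked.add(ip)                         # block the IP; the account stays usable
            return "blocked"
        return "failure"

    def unblockable(self, user):
        """IPs the client may selectively unblock after a successful login."""
        return sorted(self.blocked.get(user, set()))

    def unblock(self, user, ip):
        self.blocked.get(user, set()).discard(ip)
```

Because the legitimate user can still log in from a second IP and thereby release the blocked ones, an attacker repeating wrong passwords from one address cannot lock the account itself.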

Description

Method and apparatus of controlling account lockout

The present invention relates to account lock control, and more specifically to a method and apparatus for controlling account locking following intentional consecutive authentication failures.

In Korea, authentication for important websites and personal financial activities is performed using joint certificates, one-time password generators, and biometric authentication. For instance, depending on the issuer's policy, the security of authentication is ensured by locking or revoking the account if password or biometric authentication fails multiple times. Various websites around the world also use such authentication methods. However, malicious attackers exploit a loophole in these conventional methods: by intentionally inducing authentication failures they cause users' accounts to be locked or revoked. In this regard, the National Institute of Standards and Technology (NIST) Digital Identity Guidelines introduce methods to counter intentional authentication-failure attacks: CAPTCHA, prohibiting retries for 30 seconds to 1 hour, limiting authentication to the requesting IP address, and identifying the user by behavior such as location information or the timing pattern of requests. However, the conventional methods presented by NIST not only fail to fully prevent attacks based on consecutive authentication failures, but also suffer from the problem that authentication cannot be performed when the user cannot be properly identified, thereby degrading availability for the user.

FIG. 1 is a drawing illustrating an authentication system according to an embodiment of the present invention. FIG. 2 is a configuration block diagram of the authentication server of FIG. 1. FIG. 3 is a flowchart illustrating a method for controlling account locking in response to an authentication attempt by an authentication client at an authentication server according to an embodiment of the present invention. FIG. 4 is a drawing illustrating a function available for use in an account lock control method according to an embodiment of the present invention.

The advantages and features of the present invention and the methods for achieving them will become clear by referring to the embodiments described below in detail together with the accompanying drawings. However, the present invention is not limited to the embodiments disclosed below but may be implemented in various different forms. These embodiments are provided merely to ensure that the disclosure of the present invention is complete and to fully inform those skilled in the art of the scope of the present invention, and the present invention is defined only by the scope of the claims.

The terms used in this specification are for describing embodiments and are not intended to limit the invention. In this specification, the singular form includes the plural form unless specifically stated otherwise. The terms "comprises" and/or "comprising" as used in this specification do not exclude the presence or addition of one or more other components in addition to the components mentioned. Throughout the specification, the same reference numerals refer to the same components, and "and/or" includes each of the mentioned components and all combinations of one or more of them. Although terms such as "first," "second," etc., are used to describe various components, these components are not limited by these terms. These terms are used merely to distinguish one component from another. Accordingly, the first component mentioned below may be the second component within the technical scope of the invention.

Unless otherwise defined, all terms used herein (including technical and scientific terms) may be used in the meaning commonly understood by those skilled in the art to which the present invention pertains. Additionally, terms defined in commonly used dictionaries are not to be interpreted ideally or excessively unless explicitly and specifically defined otherwise.

In the present specification, a method and apparatus for controlling account locking according to the present invention are disclosed. They include a new authentication method that is secure because it blocks intentional consecutive authentication failures by an attacker, and that enhances user convenience by controlling account locking so that the user's account is neither locked out nor revoked, while securely protecting passwords from password cracking.

In this specification, the account lock control device according to the present invention may include any of various devices capable of performing computational processing and providing results to a client. For example, the device according to the present invention may include at least one computer or computing device, server device, terminal, etc., or may take any one of these forms. Here, the computer may include, for example, a notebook, desktop, laptop,