Our growing intellectual property portfolio currently comprises several patent applications and the following issued patents:
US patent 7,975,292 provides a solution to the problem of securely resetting a user’s password without resorting to security questions that compromise the user’s privacy. A temporary password is sent to the user over a potentially insecure channel such as unencrypted email. The temporary password allows the user to set a permanent password, but a security hold prevents further access to the user’s account. An administrator lifts the security hold upon a request made by the user in person, by phone, or through some other channel that allows the administrator to verify the user’s identity.
US patent 8,046,827 describes a method of protecting a password against online guessing attacks by keeping two counters of password match failures: a first count of consecutive failures, and a second count of total, not necessarily consecutive, failures. When the first counter reaches a low limit, the account is locked. But a careful attacker may be able to make an unlimited number of guesses by timing them so that intervening successful matches by the legitimate user always reset the first counter before the limit is reached. The attack is thwarted by asking the user to reset the password when the second counter reaches a higher threshold.
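An added illustration of the two-counter scheme (not the patent holder's own code): the lock limit of 5 consecutive failures, the reset threshold of 20 total failures, the PBKDF2 hashing and the interleaving pattern in the constructed scenario are all assumptions of this example, not values from the patent.

```python
import hashlib
import hmac
import os

CONSECUTIVE_LOCK_LIMIT = 5   # assumed low limit: lock after this many consecutive failures
TOTAL_RESET_THRESHOLD = 20   # assumed higher threshold: force an out-of-band password reset

class Account:
    def __init__(self, password: str):
        self.set_password(password)

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 10_000)  # low count for speed

    def set_password(self, password: str) -> None:
        """New credential (initial or after an out-of-band reset); both counters cleared."""
        self.salt = os.urandom(16)
        self.digest = self._hash(password)
        self.consecutive_failures = self.total_failures = 0
        self.locked = self.reset_required = False

    def authenticate(self, password: str) -> str:
        """Return 'ok', 'fail', 'locked' or 'reset_required'."""
        if self.locked:
            return "locked"
        if self.reset_required:
            return "reset_required"
        if hmac.compare_digest(self._hash(password), self.digest):
            self.consecutive_failures = 0   # a match resets only the consecutive count
            return "ok"
        self.consecutive_failures += 1
        self.total_failures += 1            # never reset by a successful match
        if self.consecutive_failures >= CONSECUTIVE_LOCK_LIMIT:
            self.locked = True
            return "locked"
        if self.total_failures >= TOTAL_RESET_THRESHOLD:
            self.reset_required = True
            return "reset_required"
        return "fail"

def interleaved_failures(account: Account, correct: str, guesses) -> str:
    """Constructed scenario: wrong guesses interleaved with the legitimate user's own
    logins, which reset the consecutive count just before it reaches the lock limit."""
    for i, guess in enumerate(guesses):
        result = account.authenticate(guess)
        if result != "fail":
            return result
        if (i + 1) % (CONSECUTIVE_LOCK_LIMIT - 1) == 0:
            account.authenticate(correct)   # legitimate user logs in between failures
    return "fail"
```

In the interleaved scenario the first counter never reaches the lock limit, but the second counter still reaches the reset threshold and the account reports `reset_required`.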
Many Web applications have a file-sharing feature that allows Web users to share files by uploading them to, and downloading them from, a Web-accessible file repository. Shared files may include HTML files and other files containing scripts that are executed by the browser in the security context of the application user who downloads the file. This opens the door to a range of cross-user attacks, including cross-site scripting (XSS) attacks by a user of one application instance against a different instance of the same application. The usual defenses against XSS are not available, because shared files cannot be sanitized. US patent 8,341,200 provides a countermeasure against such attacks that leverages the Web’s same-origin policy by serving a shared file using a hostname specific to the collection of shared files of a particular application instance.
Real-time search results change frequently because new results appear and because existing results may go up in rank, displacing other results. Such changes may cause the user to get confused and miss results. For example, the user is likely to miss a result that goes up in rank from position 11, belonging to the second page of results, to position 10, belonging to the first page, as the user navigates from page 1 to page 2. To help the user keep track of changes in the result set, US patent 8,452,749 provides a method of browsing search results where results that have not been seen yet by the user are highlighted in each page of results, and buttons of pages containing such results are highlighted in the page menu.