US20190268323A1

Movatterモバイル変換

Info

Publication number: US20190268323A1
Application number: US16/405,792
Authority: US
Inventors: Arnold Neil Blinn
Original assignee: Go Daddy Operating Co LLC
Current assignee: Go Daddy Operating Co LLC
Priority date: 2017-05-31
Filing date: 2019-05-07
Publication date: 2019-08-29
Also published as: US10341322B1

Abstract

A domain name registrar may suggest and/or allow a user to select one or more domain names registered to the user for on demand multifactor authentication. The user may select one or more protected activities that trigger the enhanced security for the selected domain name(s). The user may also enter a plurality of authenticatees, contact information for the authenticatees and a minimum number of authenticatees required to approve the one or more protected activities. The user and/or authenticatees may also enter at least two authentication methods for each authenticatee and corresponding correct responses. The selected domain names are thus protected from the protected activities until approved by a minimum number of authenticatees using at least a first authentication method and a second authentication method selected from different groups of “what you know,” what you have” and “what you are” authentication methods.

Description

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. Application No. 15/610,455 entitled “ON DEMAND MULTIFACTOR AUTHENTICATION” and filed on May 31, 2017.

FIELD OF THE INVENTION

The present invention generally relates to methods of enhancing the security of Internet assets, such as domain names, websites and web services (such as email accounts), using on demand multifactor authentication.

SUMMARY OF THE INVENTION

In an example embodiment, a domain name registrar may receive from a client device operated by a user a selection of one or more domain names requiring a successful multifactor authentication prior to performing one or more protected activities. The domain name registrar may also automatically monitor one or more risk factors for the domain name and its associated website, comprising: 1) the value of the domain name, 2) the value of the website pointed to by the domain name, 3) the rate of Internet traffic for the domain name/website, 4) the type of use of the website, i.e., commercial or personal and/or 5) the risk of loss as determined by a quantity and/or an access of the website to financial records, health records and/or customer personal information. One or more of these risk factors may be used to recommend to the user that enhanced security should be used and an appropriate level of enhanced security for the user's domain name.

The one or more protected activities may be any desired activities that may be performed on an Internet asset. As non-limiting examples, the protected activities may be: 1) removing the one or more domain names from a current user account, 2) transferring the domain name to a different domain name registrar, 3) changing a domain name system (DNS) record for the one or more domain names, 4) editing the website pointed to by the one or more domain names and/or 5) changing access to an email account based on the first domain name. The one or more protected activities may be selected by the user or the domain name registrar may select or recommend one or more protected activities based on the one or more risk factors. More risk factors would indicate that more activities should be protected.

The domain name registrar may receive from the client device operated by the user, i.e., the owner of the asset, a selection of one or more authenticatees and contact information. Alternatively, or in addition, the domain name registrar may automatically determine one or more authenticatees and contact information by: 1) parsing the website to determine VPs, President, Officers, and/or board of directors of the legal entity associated with the website, 2) parsing the website to determine its associated legal entity and then parsing corporate filings and/or public records of the legal entity to determine VPs, President, Officers, and/or board of directors and/or 3) parsing the WHOIS database for one or more listed contacts. The user is preferably given the option to select and/or approve the authenticatees automatically discovered by the domain name registrar. The plurality of authenticatees are the people who have the authority to approve the one or more protected activities on the one or more domain names.

The domain name registrar may receive from the user via a client device a minimum number of authenticatees in the plurality of authenticatees that must be authenticated for a successful multifactor authentication. In some embodiments, the minimum number of authenticatees that must be authenticated for the successful multifactor authentication is less than the total number of authenticatees in the plurality of authenticatees. This allows protected activities to be performed on the one or more domain names even if one or more of the authenticatees are unable to perform an authentication, possibly due to unavailability, vacation or sickness. In other embodiments, the domain name registrar may determine or recommend a minimum number of authenticatees that must be authenticated for a successful multifactor authentication based on the previously determined risk factors for the domain name and/or associated website. In some embodiments, one or more authenticatees may be a factor owned by an individual. As non-limiting examples, a factor may be an email account or a text message service, such as a Short Message Service (SMS).

The domain name registrar may receive for each selected authenticatee two or more authentication methods. The authentication methods and correct responses may be entered by either the user or each authenticatee may enter their own authentication methods and correct responses. The two authentication methods for each selected authenticatee are preferably from different groups, where the groups are 1) what you know based authentication, 2) what you are based authentication and 3) what you have based authentication. If the authenticatees have been used in the past for the same or for different domain names, the domain name registrar may use the authenticatees' identity, the authenticatees' contact information, the authenticatees' authentication methods and/or the authenticatees' correct responses as suggestions to either the user or corresponding authenticatee to simplify the entry of this data by the user or by the authenticatees.

The domain name registrar may receive a contact method for each selected authenticatee in the plurality of authenticatees. The information collected from the user and/or the authenticatees may be stored in a database and the user and/or authenticatees may be notified using their corresponding contact methods, such as by text messages and/or email messages, when the one or more protected domain names and the one or more protected activities have enhanced security.

The domain name registrar may monitor requested activities looking for a protected activity being requested on a domain name with enhanced security, thereby providing enhanced security for the domain names in regard to the protected activities.

The domain name registrar may receive a command from a user for a protected activity on the domain name. The domain name registrar may read from the database the plurality of authenticatees, the contact method(s) for each authenticatee, the minimum number of authenticatees that must be authenticated for a successful multifactor authentication, two correct responses and two authentication methods for each authenticatee in the plurality of authenticatees. As previously mentioned, the two authentication methods preferably correspond to two different members selected from the group consisting of what you know based authentication, what you are based authentication and what you have based authentication.

The domain name registrar may transmit a request for each of the two different authentication methods to each authenticatee in the pluralities of authenticatees using the corresponding contact method for the authenticatee.

If the minimum number of authenticatees are not authenticated by receiving two correct responses from the authenticatee in an allowed time period, the protected activity is not performed on the domain name. On the other hand, upon receiving two correct responses, from different groups of authentication methods, within the allowed time period from at least the minimum number of authenticatees that must be authenticated for the successful multifactor authentication, the domain name registrar performs the protected activity on the domain name.

In another embodiment, the domain name registrar may receive a command from a user for a protected activity on the domain name. The domain name registrar may read from the database one or more authenticatees, the contact method(s) for each authenticatee, the minimum number of authenticatees that must be authenticated for a successful multifactor authentication, one, two or more correct responses and one, two or more authentication methods for each authenticatee in the plurality of authenticatees.

The domain name registrar may transmit a request for one or more authentication methods to the one or more authenticatees using the corresponding contact method for each authenticatee.

If the minimum number of authenticatees are not authenticated by receiving one, two or more correct responses from the authenticatee in an allowed time period, the protected activity is not performed on the domain name. On the other hand, upon receiving one, two or more correct responses within the allowed time period from at least the minimum number of authenticatees that must be authenticated for the successful multifactor authentication, the domain name registrar performs the protected activity on the domain name.

In some embodiments, the domain name registrar may receive a request for the user for enhanced security or the domain name registrar may determine that one or more domain names have a value and/or an Internet traffic above a predetermined threshold. The domain name registrar may recommend to the user that the domain name(s) having the high value and/or Internet traffic should receive enhanced protection, possibly through the use of multifactor authentication as described in any of the above embodiments. Upon receiving a request from the user, the domain name registrar may use any of the above described methods for enhancing the security of the domain name or a website pointed to by the domain name. In another embodiment, the value and/or Internet traffic of the domain name may be checked periodically, and as the value and/or traffic to the website increases (possibly exceeding a predetermined threshold), the domain name registrar may suggest additional protection appropriate for the increased value and/or website traffic of the domain name to the user.

The above features and advantages of the present invention will be better understood from the following detailed description taken in conjunction with the accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram of a system for protecting domain names and websites. The system comprises a computer network, such as the Internet, a domain name registrar running on one or more hardware servers and having customer accounts and one or more users and authenticatees in electronic communication with the domain name registrar via client devices and the computer network.

FIG. 2 is an illustration of a whole or a partial screenshot of an interface that may be displayed on a client device and viewed by a user. The interface may be, as non-limiting examples, either a webpage or an application screen. The interface may display a list of domain names registered to the user and be configured to allow the user, via the client device, to select one or more registered domain names for enhanced security. The interface may also be configured to allow the domain name registrar to receive, via the client device, the one or more domain names selected by the user.

FIG. 3 is an illustration of a whole or a partial screenshot of an interface that may be displayed on a client device and viewed by a user. The interface may be, as non-limiting examples, either a webpage or an application screen. The interface may display a list of protected activities, i.e., activities that if requested trigger enhanced security prior to processing, to the user and be configured to allow the user, via the client device, to select one or more protected activities for the previously selected domain names for enhanced security.

FIG. 4 is an illustration of a whole or a partial screenshot of an interface that may be displayed on a client device and viewed by a user. The interface may be, as non-limiting examples, either a webpage or an application screen. The interface may display a list of authenticatees to the user and be configured to allow the user, via the client device, to select, remove, edit and/or add one or more authenticatees. The interface may also allow the user to enter one or more authenticatees. The interface may also allow the user to enter a minimum number of authenticatees that must be authenticated by two different methods to approve the protected activity before the protected activity may be performed.

FIG. 5 is an illustration of a whole or a partial screenshot of an interface that may be displayed on a client device and viewed by a user or displayed on a different client device and viewed by an authenticatee. The interface may be, as non-limiting examples, either a webpage or an application screen. The interface may display a list of authentication methods and be configured to allow the user or the authenticatee, via a client device, to select two or more authentication methods selected from different groups, and enter correct responses, of 1) what you know, 2) what you are and 3) what you have. The Interface also allows the user to enter a correct response (possibly by following a link), e.g., a password, biometric data and/or a cell phone number, for each authentication method.

FIGS. 6-9 are illustrations of a possible storage format used by a domain name registrar in storing data that may have been collected by the interface illustrated inFIGS. 2-5.

FIG. 10 is a flowchart illustrating a possible embodiment of a method for setting up enhanced security for one or more selected domain names.

FIGS. 11-13 are flowcharts illustrating possible embodiments of methods for requesting and authenticating a minimum number of authenticatees for performing protected activities on selected domain names.

DETAILED DESCRIPTION

The present inventions will now be discussed in detail with regard to the attached drawing figures that were briefly described above. In the following description, numerous specific details are set forth illustrating Applicant's best mode for practicing the invention and enabling one of ordinary skill in the art to make and use the invention. It will be obvious, however, to one skilled in the art that the present invention may be practiced without many of these specific details. In other instances, well-known machines, structures, and method steps have not been described in particular detail in order to avoid unnecessarily obscuring the present invention. Unless otherwise indicated, like parts and method steps are referred to with like reference numerals.

FIG. 1 is a block diagram of a system for protectingInternet120 assets, such as domain names, websites and/or web services. The system comprises acomputer network120, such as the Internet, adomain name registrar130 having customer accounts140 and a user100 and one or more authenticatee(s)170 in electronic communication with thedomain name registrar130 viaclient devices110 and thecomputer network120. The arrows between thedomain name registrar130, computer network (such as the Internet)120 and client device(s)110 represent one or more communication paths and/or computer networks. Communications and transmissions over the arrows may use any currently known or developed in the future methods or protocols of electronic communications.

Acomputer network120 is a collection of links and nodes (e.g., multiple computers and/or other devices connected together) arranged so that information may be passed from one part of the computer network to another over multiple links and through various nodes. Non-limiting examples ofcomputer networks120 include the Internet, public switched telephone networks, global Telex networks, intranet(s), extranet(s), local-area network(s), wide-area network(s), wired networks, wireless networks and cell phone networks.

TheInternet120 is a worldwide network of computers and computer networks arranged to allow for the easy and robust exchange of information between a computer user100 via aclient device110 and one or more websites hosted on hardware servers. Hundreds of millions of users (people) around the world have access toclient devices110 connected to theInternet120 via an Internet Service Provider (ISP). Content providers place multimedia information (e.g., text, graphics, audio, video, animation, and/or other forms of data) at specific locations on theInternet120 referred to as websites. The combination of all the websites and their corresponding web pages on theInternet120 is generally known as the World Wide Web (WWW) or simply the Web.

Websites may consist of a single webpage, but typically consist of multiple interconnected and related webpages. The webpages may be consideredinterfaces200 that display information to the user100 and also allow the user100 to enter information. Websites may reside on one or more hardware servers and are typically prepared and maintained by a single individual or entity. Menus, links, tabs, etc. may be used to move between different webpages within the website or to move to a different webpage on an entirely different website.

Websites may be created using software or code to program the website to appear and operate as desired by the user100. As a non-limiting example, HyperText Markup Language (HTML) may be used to generate a standard set of tags that define how the webpages for the website are to be displayed. A user100 of theInternet120 may access websites using software known as an Internet browser, such as MICROSOFT INTERNET EXPLORER®, GOOGLE CHROME® or MOZILLA FIREFOX®. After the browser has located the desired webpage, the browser requests and receives information concerning the webpage, i.e., software or computer code, typically in the form of an HTML document, and then the browser displays the webpage content for the user100 on theclient device110 operated by the user100. The user100 then may see the displayed information, e.g., text, pictures and/or graphics, hear any transmitted sounds, enter information into fields on the webpage configured for this purpose, view other webpages at the same website and/or move to an entirely different website using the browser.

The user100 may use aclient device110, such as, as non-limiting examples, a cell phone, PDA, tablet, laptop computer or desktop computer to access aninterface200 on an application or a website running on one or more servers via a computer network. Theclient device110 may have a unique telephone number from which the user100 can verify that the user100 has control over theclient device110. The client device100 may also be able to measure/record, store and transmit biometric measurements, such as one or more fingerprints of the user100, the voice of the user, possibly saying a particular phrase and/or measuring an iris scan of the user100. In other embodiments, a biometric recording device may be attached to the client device110 (at which time the biometric recording device and theclient device110 may both be considered the client device110) to enable theclient device110 to perform one or more biometric measurements and/or recordings.

Each website on the Internet may have a plurality of webpages and be hosted or operated from one or more hardware servers. The application may also be running or operated from one or more hardware servers of any desired make or model. The hardware servers for the websites and the applications may be, as a non-limiting example, one or more Dell PowerEdge(s) rack server(s), HP Blade Servers, IBM Rack or Tower servers, although other types of hardware servers and/or combinations of one or more hardware servers may also be used. Thedomain name registrar130 is hereby defined to comprise at least one or more hardware servers and may also comprise software to automate the various processes described as part of this invention.

Browsers are able to locate specific websites because each website, resource, and computer on theInternet120 has a unique Internet Protocol (IP) address. Presently, there are two standards for IP addresses. The older IP address standard, often called IP Version 4 (IPv4), is a 32-bit binary number, which is typically shown in dotted decimal notation, where four 8-bit bytes are separated by a dot from each other (e.g., 64.202.167.32). The newer IP address standard, often called IP Version 6 (IPv6), is a 128-bit binary number. The standard human readable notation for IPv6 addresses presents the address as eight 16-bit hexadecimal words, each separated by a colon (e.g., 2EDC:BA98:0332:0000:CF8A:000C:2154:7313). These notations are used to improve human readability.

IP addresses, however, even in human readable notation, are difficult for people to remember and use. A Uniform Resource Locator (URL) is much easier to remember and may be used to point to any computer, directory, or file on theInternet120. A browser is able to access a website on theInternet120 through the use of a URL. The URL may include a Hypertext Transfer Protocol (HTTP) request combined with the website's Internet address, also known as the website's domain name. An example of a URL with a HTTP request and domain name is: http://www.companyname.com. In this example, the “http” portion identifies the URL as a HTTP request and the “companyname.com” portion is the domain name.

Domain names are much easier to remember and use than their corresponding IP addresses. The Internet Corporation for Assigned Names and Numbers (ICANN) and the Internet Assigned Numbers Authority (IANA) create rules and coordinate the use of over 1,000 Top-Level Domains (TLDs). Each TLD is typically assigned a single registry to be an authoritative source of information (the particular data stored by the registry may vary depending on the TLD). One or more domain name registrars may register domain names to domain name registrants (users100, customers and/or domain name registrants) on behalf of a registry controlling the TLD of the registered domain names.

The process for registering a domain name with .com, .net, .org, and some other TLDs allows an Internet user100 to use an ICANN-accrediteddomain name registrar130 to register a domain name. For example, if a potential domain name registrant, John Doe, wishes to register the domain name “Abc-company.com,” John Doe may initially determine whether the desired domain name is available by contacting adomain name registrar130. As a non-limiting example, the potential domain name registrant (user100 or customer) may make this contact using the registrar's webpage and typing the desired domain name into a field on the registrar's website created for this purpose. If the domain name is available, theregistrar130 may register via the domain name registry the domain name to the user100 (officially the domain name registrant at this point). In this manner, the user100 may register any number of different domain names and may point each registered domain name through the domain name system (DNS) to any desired website.

Domain names may point, i.e., direct Internet traffic, to a website through the use of the DNS. The DNS comprises one or more nameservers that are able to receive a domain name from a browser and then return an IP address for the domain name to the browser. In this manner, the browser may find the IP address for any website through the use of the DNS.

Referring toFIG. 10, a method will be described for allowing a user100 to set up and enable enhanced security for one or more Internet assets, such as domain names, websites and/or web services (such as an email account). The method allows for protecting the Internet assets from unauthorized protected activities without first receiving approval from a minimum number of authenticated authenticatee(s)170. In some embodiments, the user may only select asingle authenticatee170 to be authenticated using one or more authentication methods. In these embodiments, the protected activity will be performed after thesingle authenticatee170 has been authenticated. In other embodiments offering increased security, two or more authenticatee(s)170 are authenticated using at least two methods, each method being from a different group of 1) what you know, 2) what you are and 3) what you have.

FIG. 2 is an illustration of a whole or a partial screenshot of aninterface200 that may be displayed on aclient device110 and viewed by a user100. Theinterface200 may be, as non-limiting examples, either a webpage or an application screen as illustrated inFIGS. 2-5. Thedomain name registrar130 may review the customer account150 of the user100 to determine which domain names (or other Internet assets, such as websites and web services) are registered to the user100.

Theinterface200 may then display a list of the domain names registered to the user100. Theinterface200 may also be configured to allow the user100, via theclient device110, to select one or more of the registered domain names (or other Internet assets) for enhanced security. As a specific example,FIG. 2 illustrates aninterface200 that displays the domain names of “Abc-company.com,” “Abc-co.com,” “Abc-company.org,” “JohnDoe.com” and “JohnHenryDoe.com” that have been determined to be registered to the user100. The user100 may select one or more of the displayed domain names using any desired technique. (Step1000)

In the embodiment illustrated inFIG. 2, a box next to each domain name may be selected so that the user100 may indicate which domain names registered to the user100 are to receive enhanced security. In other embodiments, the user100 may click on or directly select any desired one or more domain names. As an example, inFIG. 2 the domain names of “Abc-company.com” and “Abc-company.org” have been selected to receive enhanced security. The user is preferably given options to define the type and level of enhanced security the asset(s) receive.

FIG. 3 is an illustration of a whole or a partial screenshot of aninterface200 that may be displayed on theclient device110 and viewed by the user100. Theinterface200 may display a list of protected activities to the user100 and be configured to allow the user100, via theclient device110, to select one or more protected activities for the previously selected domain names (or other Internet assets) for enhanced security. (Step1010)

The protected activities may be any desired activity performed on any asset accessible online. As non-limiting examples, the protected activities could by changing settings on a music subscription, online news clippings, reading or changing billing, payment and/or banking information, etc. As another non-limiting example, the protected activities may be any desired activity performed by thedomain name registrar130 on the domain names. As non-limiting examples, the protected activities may be removing a domain name from a current account150, changing a domain name system (DNS) record for the domain name, editing a website pointed to by the domain name and/or changing access to an email account based on the domain name. In the embodiment illustrated inFIG. 3, the protected activities of 1) removing selected domain name(s) from your account150 and 2) editing a website pointed to by the selected domain name(s) are selected.

FIG. 4 is an illustration of a whole or a partial screenshot of aninterface200 that may be displayed on aclient device110 and viewed by a user100. Theinterface200 may display a list ofauthenticatees170 to the user100 and be configured to allow the user100, via theclient device110, to select one or more authenticatees170. InFIG. 4, theauthenticatees170 of John Doe and Jane Smith have been selected.

Theinterface200 as illustrated inFIG. 4 may also allow the user100 to enter one or more authenticatees170. As an example,FIG. 4 illustrates that theauthenticatee170 of Bob Jones has been entered by the user100. If desired, theauthenticatee170 of Bob Jones and Bob Jones' contact information may be saved in adatabase160 so that future requests for enhanced security by the user100 may automatically list Bob Jones and Bob Jones' contact information without this information having to be reentered by the user100. While not specifically illustrated inFIG. 4, theinterface200 may also be configured to allow the user100 to delete or edit information regarding one or more of the authenticatee(s)170.

Theinterface200 as illustrated inFIG. 4 may also be used to select one or more contact methods (as illustrated forauthenticatees170 John Doe and Jane Smith) and/or enter one or more contact methods (as illustrated forauthenticatee170 Bob Jones). In some embodiments, the user100 may select an order or preference of contact methods for one or more of theauthenticatees170. As an example,FIG. 4 illustrates a preference of “1” for the contact method of the telephone number of (123) 456-7890 and a preference of “2” for the email address of email@johndoe.com for theauthenticatee170 of John Doe. Thus, in verifying the identity of “John Doe,” thedomain name registrar130 may first try to use the contact method of the telephone number and then the contact method of the email address in contacting theauthenticatee170 of “John Doe.” (Step1020)

Theinterface200 may also allow the user100 to enter a minimum number ofauthenticatees170 that must be authenticated by one, two or more selected methods to approve the protected activity before the protected activity may be performed. The minimum number may be entered by any desired means. As an example,FIG. 4 has an entry field configured for this purpose. In this example, the user100 has entered “2” as the minimum number ofauthenticatees170 needed to be authenticated before performing any of the one or more protected activities. (Step1030)

In some embodiments, theinterface200 may also be configured to allow the user100 to select a time period in which the minimum number ofauthenticatees170 must be authenticated in order to perform the one or more protected activities. If the minimum number of authenticatee(s) is not authenticated within the selected time period, the requested protected activity is not performed on the domain name. The selected time period may be measured from any desired starting time to any desired ending time. As a non-limiting example, the starting time may start upon receiving the first authentication and stops upon receiving the last authentication necessary to perform the protected activity.

The minimum number ofauthenticatees170 may be either the total number ofauthenticatees170 or a number less than the total number ofauthenticatees170. Using less than the total number ofauthenticatees170 has the advantage of allowing protected activities to be performed even when one or more (the difference between the total number ofauthenticatees170 and the minimum number required to perform protected activities) of theauthenticatees170 are not authenticated, possibly because one or more of theauthenticatees170 are on vacation, sick or otherwise unavailable.

FIG. 5 is an illustration of a whole or a partial screenshot of aninterface200 that may be displayed on aclient device110 and viewed by a user100 or displayed on adifferent client device110 and viewed by anauthenticatee170. Theinterface200 may display a list of authentication methods and be configured to allow the user100 or each of theauthenticatees170, via aclient device110, to select two or more authentication methods selected from different groups of 1) what you know, 2) what you are and 3) what you have.

Theinterface200 as illustrated inFIG. 5 may be used for or by each authenticatee170 selected by the user100. Thus, each authenticatee170 may select the same or a different combination of groups of authentication methods. Even whenauthenticatees170 select the same group, theauthenticatees170 may select a different authentication method within the group. As an example, if the group “what you are” is selected by afirst authenticatee170 and asecond authenticatee170, thefirst authenticatee170 may select an iris scan while thesecond authenticatee170 may select to use a fingerprint method of authentication within the group of “what you are.” This flexibility has the advantage of allowing each authenticatee170 to have a personalized method of authentication while retaining the security of the protected Internet assets.

Authentication methods from the group of “what you know” are defined to be methods that require information from theauthenticatee170 that is known by theauthenticatee170, but preferably by as few other people as possible and most preferably zero other people (not counting the domain name registrar130). Non-limiting examples from the group of “what you know” are a password (selected by either thedomain name registrar130, user100 or authenticatee170), a personal identification number (PIN) assigned by thedomain name registrar130 or a code which may be a random string of characters. As an example, the code may be generated by the domain name register and provided to theauthenticatee170. The code may comprise, as an example, 40 random characters that theauthenticatee170 may store in a safety deposit box.

Authentication methods from the group of “what you are” are defined to be methods that require biometric measurements of theauthenticatee170 and the selected biometric measurements are very unlikely to belong to any other person. Non-limiting examples from the group of “what you are” are fingerprints, handwriting samples, voice samples, DNA and/or iris scans. Theauthenticatee170 may submit fingerprints, handwriting samples, voice samples, DNA and/or iris scans as the “correct responses” during setup and then resubmit fingerprints, handwriting samples, voice samples, DNA and/or iris scans during authentication of theauthenticatee170.

Authentication methods from the group of “what you have” are defined to be methods that require theauthenticatee170 to prove that theauthenticatee170 is in possession of some physical item. Non-limiting examples from the group of “what you have” are confirmation that theauthenticatee170 is in possession of a cell phone (possibly by responding to a text message or phone call), a smart card (possibly by inserting the smart card into a smart card reader that transmits a message to the domain name registrar130) or a token. The token may be synchronized with an authentication server and display a string of characters that theauthenticatee170 may enter into aninterface200 on a website, application or on a cell phone. If the entered string of characters matches a string of characters produced by the authentication server, theauthenticatee170 may be authenticated as being in possession of the token.

Thus, the user100 or each authenticatee170 may select an authentication method of “what you know,” which could be a password and “what you are,” which could be a fingerprint scan. In preferred embodiments, the user100 would not be able to select two authentication methods in the group of “what you know,” two authentication methods in the group “what you are” or two authentication methods in the group “what you have” without also including one or more authentication methods from other groups.

Depending on the authentication methods chosen, the user100 orauthenticatee170 may need to enter a correct response for one or more of the chosen authentication method. Thus, if the user100 orauthenticatee170 selected an authentication method of “what you have,” the user100 orauthenticatee170 may enter a cell phone number of a cell phone in the procession of theauthenticatee170. For an authentication method of “what you know,” the user100 orauthenticatee170 may enter a password into a field in theinterface200 configured for the purpose of receiving the password. For an authentication method of “what you are,” theauthenticatee170 may use theclient device110, possibly with an attachment specifically created for this purpose, to take a biometric reading of the user100 and transmit the biometric reading to thedomain name registrar130. (Step1040)

Once the user100 and/orauthenticatees170 have 1) selected one or more domain names for enhanced security, 2) selected one or more protected activities, 3) selected one or more authenticatees170 with contact information, 4) selected a minimum number ofauthenticatees170 to approve the one or more protected activities, 5) selected two or more authentication methods for each authenticatee170 and 6) entered correct responses or information for each authentication method for each authenticatee170, thedomain name registrar130 may start to provide the enhanced protection of the domain name and/or other Internet assets.

Specifically, thedomain name registrar130 may prevent the one or more selected protected activities from being performed on the selected one or more domain names, until thedomain name registrar130 receives two correct responses from at least the minimum number ofauthenticatees170 that must be authenticated for the successful multifactor authentication. In some embodiments, at least twoauthenticatees170 in the plurality ofauthenticatees170 have different authentication methods that must be authenticated for a successful multifactor authentication.

FIGS. 6-9 illustrate a possible storage format that may be used by adomain name registrar130 in storing data that has been collected by theinterface200 illustrated inFIGS. 2-5. Specifically, the database(s)160 supporting on demand multifactor authentication may store the user100 name, one or more selected domain names registered to the user100, one or more selected protected activities for each selected domain name, one or more authenticatees170 for every selected protected activity, two or more authentication methods and corresponding correct responses for each authenticatee170 and contact information for eachauthenticatee170. (Step1050)

It should be appreciated that this method allows different domain names, that are also registered to the user100, to be selected that may have 1) different protected activities, 2)different authenticatees170, 3) different minimum number ofauthenticatees170 to approve protected activities, 4) different authentication methods and/or 5) any combination thereof. Thus, a user100 having a high value domain name may, as an example, require more authenticatees170 to approve one or more protected activities, while the user100 having a low value domain name, as an example, may require fewer, simpler or no authentication methods.

It should also be appreciated that even for the same domain name, different protected activities may be selected that have 1)different authenticatees170, 2) a different minimum number ofauthenticatees170 to approve the different protected activities, 3) different authentication methods and/or 4) any combination thereof. Thus, if the user100 is concerned about a domain name being transferred out of the account150 of the user100, but is less concerned about a website pointed at by the domain name being edited, the user100 may require more authenticatees170 to approve moving the domain name out of the user account150, but fewer or noauthenticatees170 to modify a website pointed to by the domain name. This customization has the advantage of allowing different levels of protection for different protected activities, even for the same domain name.

With reference toFIGS. 2-5, another method of protecting a domain name registered to a user100 from an unauthorized first protected activity will be discussed. Thedomain name registrar130 may transmit aninterface200 to aclient device110. Theinterface200 preferably displays all of the domain names registered to a user100 by thedomain name registrar130. Theinterface200 may be configured to enable the user100 to select one or more domain names registered to the user100. As a non-limiting example,FIG. 2 illustrates apossible interface200 for displaying and allowing the user100 to select one or more domain names registered to the user100. Thedomain name registrar130 may have read the registered domain names from the account150 of the user100.

Thedomain name registrar130 may transmit theinterface200 to theclient device110. Theinterface200 may display a plurality of protected activities, wherein theinterface200 is configured to enable the user100 to select one or more protected activities. As non-limiting examples, the protected activities may be 1) removing the domain name from an account150 of the user100, 2) changing a domain name system (DNS) record for the domain name(s), 3) editing a website pointed to by one of the domain name(s) and/or 4) changing access to an email account based on one or more of the domain name(s). A non-limiting example of aninterface200 is illustrated inFIG. 3.

Thedomain name registrar130 may transmit theinterface200 to theclient device110 displaying one or moreknown authenticatees170 and/or enabling the user100 to enter one or morenew authenticatees170. Theinterface200 may be configured to enable the user100 to select a plurality of selectedauthenticatees170. These are theauthenticatees170 that will be attempted to be authenticated by at least two different authentication methods during the approval process of any of the one or more selected protected activities for the one or more selected domain names.

Thedomain name registrar130 may also transmit theinterface200 to theclient device110 configured to enable the user100 to enter a contact method for each of the plurality of selectedauthenticatees170.

Thedomain name registrar130 may also transmit theinterface200 to theclient device110 of the user100 configured to receive a minimum number of the plurality of selectedauthenticatees170 in the plurality ofauthenticatees170 that must be authenticated for a successful multifactor authentication. A non-limiting example is illustrated inFIG. 4.

Thedomain name registrar130 may also transmit theinterface200 configured to receive at least two authentication methods for each selectedauthenticatee170. The at least two authentication methods correspond to two different members selected from the group consisting of 1) what you know based authentication, 2) what you are based authentication and 3) what you have based authentication. Theinterface200 is preferably configured to receive two correct responses corresponding to the two authentication methods. A non-limiting example is illustrated inFIG. 5. The data or information received via theinterface200 as illustrated inFIGS. 2-5 may be stored in adatabase160 and in any desired format, such as thedatabase160 and format illustrated inFIGS. 6-9. It should be noted that theinterfaces200 illustrated inFIGS. 2-5 are non-limiting examples. In addition, theinterfaces200 illustrated inFIGS. 2-5 may be combined and/or separated as desired in different embodiments.

Thedomain name registrar130 may lock or prevent the one or more protected activities from being performed on the one or more selected domain names until a successful multifactor authentication, as chosen and defined by the user100 and/orauthenticatees170, has been completed. Thedomain name registrar130 may monitor requests from the user100 (or possibly someone posing as the user) to determine if the request is a protected activity on a selected domain name. If a user100 make a request for a protected activity on a protected domain name, thedomain name registrar130 may perform an authentication attempt as defined by the user100 and/orauthenticatees170 as described above.

Upon receiving two correct responses from at least the minimum number ofauthenticatees170 in the plurality ofauthenticatees170 that must be authenticated for a successful multifactor authentication, thedomain name registrar130 may perform the one or more protected activities on the selected one or more domain names.

Referring toFIGS. 11-13, a method of performing a successful multifactor authentication to enable a performance of a protected activity for a domain name registered to a user100 will now be described. Thedomain name registrar130 may receive over a computer network a command or a request from the user100 for a protected activity for a protected domain name. (Step1100) The protected activity may be, as non-limiting examples, 1) removing the first domain name from a current account150, 2) changing a domain name system record for the first domain name, 3) editing a website pointed to by the first domain name and/or 4) changing access to an email account based on the first domain name.

Thedomain name registrar130 may read from thedatabase160 for the user100, the domain name and the protected activity, 1) a plurality ofauthenticatees170, 2) a contact method for each authenticatee170, 3) a first minimum number ofauthenticatees170 that must be authenticated for a successful multifactor authentication, 4) two correct responses and 5) two authentication methods for each authenticatee170 in the plurality ofauthenticatees170. (Step1110)

In preferred embodiments, the two authentication methods correspond to two different members selected from the group consisting of 1) what you know based authentication, 2) what you are based authentication and 3) what you have based authentication. As examples, the two authentication methods may be “what you know” AND “what you have” as they are different authentication methods, but should not both be in the same type, such as a fingerprint and an iris scan, as these are both in the same type of authentication method of “what you are.”

Thedomain name registrar130 may transmit an authentication request for each of the two different authentication methods to each of theauthenticatees170 in the plurality of authenticatees using the corresponding contact method for eachauthenticatee170. (Step1120) Thedomain name registrar130 may or may not receive responses back from one or more of theauthenticatees170. (Step1130)

Thedomain name registrar130 may compare the responses from theauthenticatees170 with the correct responses stored in thedatabase160 and determine whether a minimum number ofauthenticatees170 responded back with at least two correct responses (where each response is from a different group). (Step1140)

If less than the minimum number ofauthenticatees170 responded back with two correct responses, the requested protected activity is not performed on the domain name. (Step1200) The user100 may be informed that the protected activity will not be performed. (Step1210)

In some embodiments, if any one of theauthenticatees170 specifically responds back to not perform the protected activity, thedomain name registrar130 may block, i.e., not perform, the requested protected activity.

In some embodiments, each authenticatee170 (or each authentication method) may be assigned a weight (either by the user100 or by the domain name registrar130). The one or more protected activities are only performed on the selected one or more domain name(s) if the sum of all of the weights for each authenticatee170 (or authentication methods) that approves and/or is successfully authenticated is greater than a predetermined threshold selected by either the user100 or thedomain name registrar130.

In other embodiments, one or more of theauthenticatees170 may be identified as essential, and the one or more protected activities are only performed on the selected domain name(s) if all of the identifiedessential authenticatees170 are authenticated and/or approve the performance of the protected activity.

If the minimum number ofauthenticatees170 did respond back with at least two correct responses from different groups of 1) what you know, 2) what you are and 3) what you have, then the protected activity may be performed on the protected domain name. (Step1300) The user100 may be informed that the protected activity will be or has been performed. (Step1310) In other embodiments, the user100 may select one or more authenticatees170 that have to respond back with at least one, two, three or more correct responses. In other embodiments, the user100 may select that the correct responses do or do not have to come from different groups of 1) what you know, 2) what you are and 3) what you have.

Wizard for providing enhanced security for a domain name

In some embodiments, thedomain name registrar130 may determine that one or more domain names have a value and/or a rate of Internet traffic via the domain name or a website above a predetermined threshold. Thedomain name registrar130 may recommend to the user100 that the domain name(s) having the high value and/or rate of Internet traffic should receive enhanced protection through the use of multifactor authentication as described in any of the above embodiments. In preferred embodiments, the successful multifactor authentication requires thedomain name registrar130 to receive two correct responses from at least the minimum number ofauthenticatees170 before performing a protected activity on a protected domain name.

Upon receiving a request from the user100, thedomain name registrar130 may use any of the above described methods for enhancing the security of the domain name or the website pointed to by the domain name.

The value of the domain name or rate of Internet traffic may also be checked periodically (entirely without receiving a request by the user100), and as the value and/or rate of the Internet traffic to the website increases, thedomain name registrar130 may suggest additional protection appropriate for the increased value and/or website traffic.

In some embodiments, software may be used that acts as a wizard to assist a user100 in obtaining enhanced security, such as multi-factor authentication, for one or more domain names. The software preferably performs as many of the steps in the background as possible to simply the process for the user100, while still allowing the user100 to have control over the domain name and allowing thedomain name registrar130 to provide enhanced security for the domain name.

The software may be triggered upon thedomain name registrar130 receiving a request from the user100 for enhanced security for the domain name. In other embodiments, the software may receive from the user100 a requested level of protection for one or more domain names and/or one or more associated websites. The request for enhanced security from the user100 may comprise an indication of a level of protection, such as, as non-limiting examples, yes or no; low, medium or high or a request on a scale, such as from one to 10.

If a requested level of protection is received from the user100, this information may be used, as non-limiting examples, to select one or more protected activities and/or a minimum number ofauthenticatees170 that must be authenticated for a successful multifactor authentication. In other words, the higher the requested level of security requested by the user100, the more activities are protected and/or the more authenticatees170 that are required to be authenticated, i.e., the minimum number of authenticates is higher, prior to performing a protected activity.

Thedomain name registrar130 may use other methods besides receiving a requested level of protection from the user100 to determine an appropriate level of protection for the one or more domain names. As non-limiting examples, thedomain name registrar130 may, without receiving input from the user100, determine one or more risk factors of: 1) the value of the domain name, 2) the value of the website pointed to by the domain name, 3) the rate of Internet traffic for the domain name, 4) the type of use of the website, i.e., commercial or personal and/or 5) the risk of loss as determined by a quantity and an access of the website to financial records, health records and/or customer personal information. One or more of these risk factors may be used to recommend to the user100 that enhanced security should be used and a level of the enhanced security for the user's domain name.

Thedomain name registrar130 may calculate a value of the domain name. The higher the value of the domain name, the greater (more protected activities and/or more authenticatees170 that must be authenticated) the appropriate level of enhanced protection for the domain name.

Thedomain name registrar130 may determine a rate of Internet traffic to the website, such as a number of visitors to the website per day. The higher the rate of Internet traffic to the website, the greater (more protected activities and/or more authenticatees170 that must be authenticated) the appropriate level of enhanced protection for the domain name.

Thedomain name registrar130 may also determine whether the website pointed to by the domain name is a commercial website. Commercial websites generally deserve a greater (more protected activities and/or more authenticatees170 that must be authenticated) level of enhanced protection than personal websites.

Thedomain name registrar130 may also parse a software or computer code used to construct the website to determine if the website has access to financial records, health records or customer personal information to determine a risk of loss for the domain name. The greater the access, the number of financial records, the number of health records and/or the number or level of confidentiality of the customer personal information, the greater (more protected activities and/or more authenticatees170 that must be authenticated) the appropriate level of enhanced security for the domain name and/or website.

Thedomain name registrar130 may select one or more protected activities that will only be performed after a successful multifactor authentication for the domain name. The selected one or more protected activities may be at least partially based on the risk factors and directly related to a calculated value of the domain name, a determined rate of Internet traffic to the website, whether the website is determined to be a commercial website and/or a risk of loss for the domain name. The one or more protected activities may be selected from the group consisting of removing the domain name from the account140 of the user100, changing a domain name system record for the domain name, editing the website pointed to by the domain name and changing access to an email account based on the domain name.

Thedomain name registrar130 may determine or receive from the user100 for each authenticatee170 in the plurality of authenticatees, two authentication methods. The two authentication methods correspond to two different members of the group consisting of what you know based authentication, what you are based authentication and what you have based authentication. Thedomain name registrar130 may also determine or receive from the user100 orauthenticatees170 two different correct responses corresponding to the two authentication methods.

Thedomain name registrar130 may select a minimum number ofauthenticatees170 that must be authenticated for a successful multifactor authentication for the domain name. The selected minimum number ofauthenticatees170 may be at least partially based on the risk factors and are preferably directly related to the calculated value of the domain name, the determined rate of Internet traffic to the website, whether the website is determined to be a commercial website and/or a risk of loss for the domain name or website.

Thedomain name registrar130 may select a minimum number ofauthenticatees170 that must be authenticated for a successful multifactor authentication for the domain name. The minimum number ofauthenticatees170 may be higher, as non-limiting examples, if the value of the domain name is higher, the rate of Internet traffic to the website is higher, the website is determined to be a commercial website and/or the website stores or has access to health records, financial records and/or customer confidential information.

Thedomain name registrar130 may display an offer to provide enhanced security for the domain name and its associated website on aclient device110 to the user100. The displayed offer may comprise the domain name(s), the one or more protected activities, the plurality ofauthenticatees170 with one or more contact methods for each authenticatee and a minimum number ofauthenticatees170 required to be authenticated for the successful multifactor authentication. The interface displaying the offer preferably is configured to allow the user100 to modify, edit, add or delete one or more domain names, one or more protected activities, one or more authenticatees, one or more contact information for the authenticatees and the minimum number ofauthenticatees170 required to be authenticated using two authentication methods from different groups for the successful multifactor authentication.

Thedomain name registrar130 may receive changes and/or an acceptance of the offer from the user100. Thedomain name registrar130 may block one or more attempts of performing a protected activity in the one or more protected activities on the domain name prior to performing a successful multifactor authentication as stated in the original or altered offer.

It should be appreciated that theinterfaces200 inFIGS. 2-5 are exemplary only and may be presented to the user100 in a different order, be combined into one, two, three or fourdifferent interfaces200 and/or may be further separated as desired. It should be appreciated that while domain names where primarily used in the examples, other Internet resources may also be protected using the above described methods. It should also be appreciated that the invention may be used to protect any asset accessible online. It should also be appreciated that the user100, i.e., the owner of the asset, may select one or more authenticatee(s)170 and one or more required authentication methods for eachauthenticatee170.

Other embodiments and uses of the above inventions will be apparent to those having ordinary skill in the art upon consideration of the specification and practice of the invention disclosed herein. It should be understood that features listed and described in one embodiment may be used in other embodiments unless specifically stated otherwise. The specification and examples given should be considered exemplary only, and it is contemplated that the appended claims will cover any other such embodiments or modifications as fall within the true scope of the invention.

Claims

The invention claimed is:

1. A method, comprising:

receiving, using a computer network, a request to execute a first protected activity on a first domain name;

determining a first plurality of authenticatees associated with the first domain name and the first protected activity, a first minimum number of authenticatees, and an authentication method for each authenticate in the first plurality of authenticatees, wherein the first minimum number of authenticatees is less than a number of the first plurality of authenticatees; and

upon receiving authentications from at least the first minimum number of authenticatees of the first plurality of authenticatees, performing the first protected activity on the first domain name.

2. The method ofclaim 1, wherein the first protected activity includes removing the first domain name from a current account, changing a domain name system record for the first domain name, editing a website pointed to by the first domain name, or changing access to an email account associated with the first domain name.

3. The method ofclaim 1, wherein the authentication method for a first authenticatee includes is a type of authentication including what you know based authentication, what you are based authentication, or what you have based authentication.

4. The method ofclaim 1, wherein at least two authenticatees in the first plurality of authenticatees are associated with different authentication methods that must be authenticated before performing the first protected activity.

5. The method ofclaim 1, further comprising the steps of:

receiving a second protected activity for the first domain name;

receiving a selection of a second plurality of authenticatees;

receiving a second minimum number of authenticatees; and

upon receiving authentications from at least the second minimum number of authenticatees of the second plurality of authenticatees, performing the second protected activity on the first domain name.

6. The method ofclaim 5, wherein the first protected activity is different from the second protected activity.

7. The method ofclaim 5, wherein the first minimum number of authenticatees is a different number from the second minimum number of authenticatees.

8. The method ofclaim 5, wherein the first plurality of authenticatees is different from the second plurality of authenticatees.

9. A method, comprising:

encoding, into a database and in association with a first domain name, an indication of a first protected activity, a first plurality of authenticatees, an authentication method for each authenticatee in the first plurality of authenticatees, and a first minimum number of authenticatees, wherein the first minimum number of authenticatees is less than a number of the first plurality of authenticatees; and

10. The method ofclaim 9, wherein the first protected activity includes removing the first domain name from a current account, changing a domain name system record for the first domain name, editing a website pointed to by the first domain name, or changing access to an email account associated with the first domain name.

11. The method ofclaim 9, wherein the authentication method for a first authenticatee includes is a type of authentication including what you know based authentication, what you are based authentication, or what you have based authentication.

12. The method ofclaim 9, wherein at least two authenticatees in the first plurality of authenticatees have different authentication methods that must be authenticated before performing the first protected activity.

13. The method ofclaim 9, further comprising the steps of:

receiving a second protected activity for the first domain name;

receiving a selection of a second plurality of authenticatees;

receiving a second minimum number of authenticatees; and

14. The method ofclaim 13 wherein the first protected activity is different from the second protected activity.

15. The method ofclaim 13, wherein the first minimum number of authenticatees is a different number from the second minimum number of authenticatees.

16. The method ofclaim 13, wherein the first plurality of authenticatees is different from the second plurality of authenticatees.

17. A system, comprising:

a memory storing instructions that when executed by a processor cause the processor to perform the steps of:

determining a first plurality of authenticatees associated with the first domain name and the first protected activity and a first minimum number of authenticatees, wherein the first minimum number of authenticatees is less than a number of the first plurality of authenticatees; and

18. The system ofclaim 17, wherein the first protected activity includes removing the first domain name from a current account, changing a domain name system record for the first domain name, editing a website pointed to by the first domain name, or changing access to an email account associated with the first domain name.

19. The system ofclaim 17, wherein at least two authenticatees in the first plurality of authenticatees are associated with different authentication methods that must be authenticated before performing the first protected activity.

20. The system ofclaim 17, wherein the processor is configured to execute the steps of:

receiving a second protected activity for the first domain name;

receiving a selection of a second plurality of authenticatees;

receiving a second minimum number of authenticatees; and