
Method And System For Provenance Based Supplementary Authentication Mechanism

Abstract: Conventional authentication mechanisms focus on question generation and on the confidence score of the user to select the set of questions for secondary authentication. Choosing the right factors or parameters to generate the questions is critical to ensure that the difficulty of the questions is set appropriately, so that only the true user gains access, without unnecessarily over-validating the true user and while retaining the user experience. Embodiments herein provide a provenance based supplementary authentication mechanism, which evaluates user legitimacy based on historical access details stored in a provenance database. The evaluation also identifies the user’s behavior of sharing credentials. A user with high legitimacy is provided direct access without a request for additional information, and a user with very low legitimacy is denied access. For users with medium or low legitimacy having identified password sharing behavior, the method poses multiple questions from the confidential information which was previously accessed by the user, based on user memory type. To be published with FIG. 1


Patent Information

Application #:
Filing Date: 28 August 2020
Publication Number: 24/2022
Publication Type: INA
Invention Field: ELECTRONICS
Status:
Email: kcopatents@khaitanco.com
Parent Application:

Applicants

Tata Consultancy Services Limited
Nirmal Building, 9th Floor, Nariman Point Mumbai Maharashtra India 400021

Inventors

1. GOPU, Srinivas Reddy
Tata Consultancy Services Limited Deccan Park, Plot No 1, Survey No. 64/2, Software Units Layout , Serilingampally Mandal, Madhapur, Hyderabad Telangana India 500081
2. REDDY, Rajidi satish Chandra
Tata Consultancy Services Limited Deccan Park, Plot No 1, Survey No. 64/2, Software Units Layout , Serilingampally Mandal, Madhapur, Hyderabad Telangana India 500081

Specification

FORM 2
THE PATENTS ACT, 1970
(39 of 1970)
&
THE PATENT RULES, 2003
COMPLETE SPECIFICATION (See Section 10 and Rule 13)
Title of invention
METHOD AND SYSTEM FOR PROVENANCE BASED SUPPLEMENTARY AUTHENTICATION MECHANISM
Applicant
Tata Consultancy Services Limited A company Incorporated in India under the Companies Act, 1956
Having address:
Nirmal Building, 9th floor,
Nariman point, Mumbai 400021,
Maharashtra, India
Preamble to the description
The following specification particularly describes the invention and the manner in which it is to be performed.

TECHNICAL FIELD
[001] The embodiments herein generally relate to authentication mechanisms and, more particularly, to a method and system for provenance based supplementary authentication mechanism.
BACKGROUND
[002] With the world going digital, the majority of tasks are executed via digital platforms, wherein the tasks vary from simple to complex and handle anything from simple data to highly sensitive and confidential data. Digital platforms such as a digital assistant, along with application services, are the gateways to the digital platform. Thus, authentication mechanisms for devices and/or applications are a critical requirement.
[003] Credential based access is a very commonly used authentication mechanism, as it offers a cost effective approach compared to biometric based authentication. Thus, password based authentication mechanisms are commonly used for device access, user account validation for an application, and so on. However, merely validating the credentials may not serve the purpose, as the chances of the credentials being stolen or shared are high, which provides a loophole in the authentication process, leads to possible information leaks and raises security concerns. Thus, credential based authentication mechanisms are generally built to provide a two level authentication, wherein the primary level may be a password based authentication, which further triggers a set of user account specific questions to confirm an authorized user.
However, rightly distinguishing between a true or registered user and a fake user using shared/stolen credentials remains a challenge, specifically when credentials are shared by the true user along with the answers to the confidential questions posed by the second level authentication. What is required is generating tough and complex questions for the user during the secondary authentication while at the same time retaining the user experience of the true user by providing him/her smooth access, without overdoing the authentication process. Thus, predicting the legitimacy of the user and posing challenging questions accordingly is required. Conventional authentication mechanisms focus on question generation, while some consider the confidence score of the user to appropriately select the set of questions for secondary authentication. However, the right choice of factors or parameters considered by such secondary authentication to generate the questions is critical to ensure that the difficulty of the questions is set so that only the true user gains access, without unnecessarily over-validating the true user and while retaining the user experience.
SUMMARY
[004] Embodiments of the present disclosure present technological improvements as solutions to one or more of the above-mentioned technical problems recognized by the inventors in conventional systems. For example, in one embodiment, a method for provenance based supplementary authentication mechanism is provided.
[005] The method comprises detecting valid credentials entered by a current user for accessing a user account of a registered user of an application via a device during a primary authentication, wherein the detected valid credentials trigger an access request to the user account.
[006] Further comprises initiating a supplementary authentication mechanism in response to the access request to verify the legitimacy of the current user prior to granting access to the user account, wherein the supplementary authentication comprises: identifying the current user as one of a probable legitimate user and an illegitimate user by validating a) access details recorded in historical access details stored in a provenance database, comprising device location and time, recorded for the access request, against, b) the access details recorded for a previous access request to the user account. Wherein the current user is identified as an illegitimate user and denied access to the user account if variation between the access details recorded for the previous access request and the access request fail to satisfy a distance-time difference criteria; and the current user is identified as the probable legitimate user if variation between the access details recorded for the previous access request and the access request satisfy the distance-time difference criteria.
[007] The supplementary authentication further comprises determining whether the probable legitimate user has a credential sharing behavior by analyzing the access details over the history of access details.
[008] The supplementary authentication further comprises determining a probability of legitimacy of the probable legitimate user as: i) a low probability, if the probable legitimate user is determined having the credential sharing behavior; and ii) one of the low probability, a high probability and a very low probability based on a value of probability of legitimacy computed, if the probable legitimate user is determined to not have the credential sharing behavior, wherein the probable legitimate user having the high probability is granted access to the user account and having the very low probability is denied access to the user account.
[009] The supplementary authentication furthermore comprises dynamically deriving a set of questions for the probable legitimate user determined to have the low probability, wherein the set of questions are: i) based on a combination of a device user context and an application user context if a reason for the low probability is determined to be the credential sharing behavior and if the access request is triggered via the device, wherein the device is among a plurality of allocated devices, and wherein the probable legitimate user is granted access to the user account if user responses to the application user context based questions are correct and the device user context based questions are incorrect; ii) based on confidential information associated with the user account, if the reason for the low probability is determined to be the credential sharing behavior and if the access request is triggered via the device, wherein the device is among a plurality of non-allocated devices. The probable legitimate user is granted access to the user account if user responses to the confidential information based questions are correct; and iii) based on randomly selected information associated with the user account that has been recently accessed, if the reason for the low probability is other than the credential sharing behavior, wherein the probable legitimate user is granted access to the user account if user responses to the random information based questions are correct.
[0010] In another aspect, a system for provenance based supplementary authentication mechanism is provided. The device comprises a memory storing instructions; one or more Input/Output (I/O) interfaces; and one or more hardware processors coupled to the memory via the one or more I/O interfaces, wherein the one or more hardware processors are configured by the instructions to detect valid credentials entered by a current user for accessing a user account of a registered user of an application via a device during a primary authentication, wherein the detected valid credentials trigger an access request to the user account.
[0011] Further comprises initiating a supplementary authentication mechanism in response to the access request to verify the current user as the registered user by validating legitimacy of the current user prior to granting access to the user account, wherein the supplementary authentication comprises: identifying the current user as one of a probable legitimate user and an illegitimate user by validating a) access details recorded in historical access details stored in a provenance database, comprising device location and time, recorded for the access request, against, b) the access details recorded for a previous access request to the user account. Wherein the current user is identified as an illegitimate user and denied access to the user account if variation between the access details recorded for the previous access request and the access request fail to satisfy a distance-time difference criteria; and the current user is identified as the probable legitimate user if variation between the access details recorded for the previous access request and the access request satisfy the distance-time difference criteria.
[0012] The supplementary authentication further comprises determining whether the probable legitimate user has a credential sharing behavior by analyzing the access details over the history of access details.
[0013] The supplementary authentication further comprises determining a probability of legitimacy of the probable legitimate user as: i) a low probability, if the probable legitimate user is determined having the credential sharing behavior; and ii) one of the low probability, a high probability and a very low probability based on a value of probability of legitimacy computed, if the probable legitimate user is determined to not have the credential sharing behavior, wherein the probable legitimate user having the high probability is granted access to the user account and having the very low probability is denied access to the user account.
[0014] The supplementary authentication furthermore comprises dynamically deriving a set of questions for the probable legitimate user determined to have the low probability, wherein the set of questions are: i) based on a combination of a device user context and an application user context if a reason for the low probability is determined to be the credential sharing behavior and if the access request is triggered via the device, wherein the device is among a plurality of allocated devices, and wherein the probable legitimate user is granted access to the user account if user responses to the application user context based questions are correct and the device user context based questions are incorrect; ii) based on confidential information associated with the user account, if the reason for the low probability is determined to be the credential sharing behavior and if the access request is triggered via the device, wherein the device is among a plurality of non-allocated devices. The probable legitimate user is granted access to the user account if user responses to the confidential information based questions are correct; and iii) based on randomly selected information associated with the user account that has been recently accessed, if the reason for the low probability is other than the credential sharing behavior, wherein the probable legitimate user is granted access to the user account if user responses to the random information based questions are correct.
[0015] In yet another aspect, there are provided one or more non-transitory machine-readable information storage mediums comprising one or more instructions, which when executed by one or more hardware processors causes a method for provenance based supplementary authentication mechanism. The method comprises detecting valid credentials entered by a current user for accessing a user account of a registered user of an application via a device during a primary authentication, wherein the detected valid credentials trigger an access request to the user account.

[0016] Further comprises initiating a supplementary authentication mechanism in response to the access request to verify the current user as the registered user by validating legitimacy of the current user prior to granting access to the user account, wherein the supplementary authentication comprises: identifying the current user as one of a probable legitimate user and an illegitimate user by validating a) access details recorded in historical access details stored in a provenance database, comprising device location and time, recorded for the access request, against, b) the access details recorded for a previous access request to the user account. Wherein the current user is identified as an illegitimate user and denied access to the user account if variation between the access details recorded for the previous access request and the access request fail to satisfy a distance-time difference criteria; and the current user is identified as the probable legitimate user if variation between the access details recorded for the previous access request and the access request satisfy the distance-time difference criteria.
[0017] The supplementary authentication further comprises determining whether the probable legitimate user has a credential sharing behavior by analyzing the access details over the history of access details.
[0018] The supplementary authentication further comprises determining a probability of legitimacy of the probable legitimate user as: i) a low probability, if the probable legitimate user is determined having the credential sharing behavior; and ii) one of the low probability, a high probability and a very low probability based on a value of probability of legitimacy computed, if the probable legitimate user is determined to not have the credential sharing behavior, wherein the probable legitimate user having the high probability is granted access to the user account and having the very low probability is denied access to the user account.
[0019] The supplementary authentication furthermore comprises dynamically deriving a set of questions for the probable legitimate user determined to have the low probability, wherein the set of questions are: i) based on a combination of a device user context and an application user context if a reason for the low probability is determined to be the credential sharing behavior and if the access request is triggered via the device, wherein the device is among a plurality of allocated devices, and wherein the probable legitimate user is granted access to the user account if user responses to the application user context based questions are correct and the device user context based questions are incorrect; ii) based on confidential information associated with the user account, if the reason for the low probability is determined to be the credential sharing behavior and if the access request is triggered via the device, wherein the device is among a plurality of non-allocated devices. The probable legitimate user is granted access to the user account if user responses to the confidential information based questions are correct; and iii) based on randomly selected information associated with the user account that has been recently accessed, if the reason for the low probability is other than the credential sharing behavior, wherein the probable legitimate user is granted access to the user account if user responses to the random information based questions are correct.
[0020] It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the invention, as claimed.
BRIEF DESCRIPTION OF THE DRAWINGS
[0021] The accompanying drawings, which are incorporated in and constitute a part of this disclosure, illustrate exemplary embodiments and, together with the description, serve to explain the disclosed principles:
[0022] FIG. 1 is a functional block diagram of a system for provenance based supplementary authentication mechanism, in accordance with some embodiments of the present disclosure.
[0023] FIG. 2A through FIG. 2C are flow diagrams illustrating a method for provenance based supplementary authentication mechanism, using the system of FIG. 1, in accordance with some embodiments of the present disclosure.
[0024] FIG. 3 is a flow diagram illustrating steps for determining user memory type for generating set of questions for the supplementary authentication mechanism, using the system of FIG. 1, in accordance with some embodiments of the present disclosure.

[0025] FIG. 4 is a flow diagram illustrating steps of computing question response time for the set of questions posed during the supplementary authentication mechanism, using the system of FIG. 1, in accordance with some embodiments of the present disclosure.
[0026] It should be appreciated by those skilled in the art that any block diagrams herein represent conceptual views of illustrative systems and devices embodying the principles of the present subject matter. Similarly, it will be appreciated that any flow charts, flow diagrams, and the like represent various processes which may be substantially represented in computer readable medium and so executed by a computer or processor, whether or not such computer or processor is explicitly shown.
DETAILED DESCRIPTION OF EMBODIMENTS
[0027] Exemplary embodiments are described with reference to the accompanying drawings. In the figures, the left-most digit(s) of a reference number identifies the figure in which the reference number first appears. Wherever convenient, the same reference numbers are used throughout the drawings to refer to the same or like parts. While examples and features of disclosed principles are described herein, modifications, adaptations, and other implementations are possible without departing from the scope of the disclosed embodiments. It is intended that the following detailed description be considered as exemplary only, with the true scope being indicated by the following claims.
[0028] Embodiments herein provide a method and a system for provenance based supplementary authentication mechanism. Referring now to the drawings, and more particularly to FIGS. 1 through 4, where similar reference characters denote corresponding features consistently throughout the figures, there are shown preferred embodiments and these embodiments are described in the context of the following exemplary system and/or method.
[0029] FIG. 1 is a functional block diagram of a system 100, for provenance based supplementary authentication mechanism, in accordance with some embodiments of the present disclosure.

[0030] In an embodiment, the system 100 includes a processor(s) 104, communication interface device(s), alternatively referred to as input/output (I/O) interface(s) 106, and one or more data storage devices or a memory 102 operatively coupled to the processor(s) 104. The system 100 with one or more hardware processors is configured to execute functions of one or more functional blocks of the system 100. The system 100 maintains a plurality of user accounts in a user account module of the memory 102 for applications residing in the system 100. An application is accessed by users (such as user 114a and 114b) via a user account using one or more external devices (such as device 112a through 112n) connected to the system 100 via the I/O interface 106. The user 114a is a legitimate user, who can access his user account through allocated devices of the system 100 or unallocated devices. The system is configured to identify the allocated and unallocated devices. The example below explains what is referred to as allocated devices and unallocated devices.
[0031] When user X accesses the application (via the user account) using a device D multiple times, the system treats this device D as allocated to user X for that application. However, when user X accesses the application using a new device D1 for the first time, D1 is treated as an unallocated device, since this device has not been used by anyone before to access the specific application under consideration. Thus, the system, in the context of the application, interprets that user X has changed user context and, based on that, first validates the current access details against the previous access details. If valid, it evaluates the password/credential sharing behavior of the user using historical access details.
[0032] On the other hand, user 114b may be an illegitimate user accessing the user account through one of the devices 112a through 112n using acquired/shared credentials. The system 100 is configured to evaluate the legitimacy of the user (114a or 114b) by calculating the probability of user legitimacy based on historical access details stored in a provenance database (within a database 108) of the system 100 while authenticating the user when a change in user context is identified, and accordingly provides access to a requesting user to his/her user account. The system 100 is configured to provide quick access to the users with high probability of legitimacy without requesting the additional information, deny access to the users with very low probability of legitimacy and request additional information for the users with low (medium) probability of legitimacy.
[0033] Further, the low probability user is analyzed for credential or password sharing behavior and the questions posed are in accordance with the identified user behavior. For a user identified as having credential sharing behavior, the questions are generated dynamically and comprise a combination of device user context (device allocated to the user for accessing the user account of a corresponding application) and an application user context (user and the application details accessed) if the user is accessing the user account from a device that is among a plurality of allocated devices. However, if an attempt to access the user account is identified to be made from any non-allocated device, the questions are posed from confidential information in accordance with a user memory type. Further, if the user is identified to have a non-credential sharing behavior, the set of questions is generated dynamically from randomly selected information related to the user account.
[0034] Thus, the system 100 disclosed herein ensures that a legitimate user is provided smooth access without excessive crosschecks, while rightly questioning a possible illegitimate user with various levels of tough questions before granting access to the user account. Thus, provided is the provenance based supplementary authentication mechanism that balances user experience and security.
[0035] Referring to the components of system 100, in an embodiment, the processor(s) 104, can be one or more hardware processors 104. In an embodiment, the one or more hardware processors 104 can be implemented as one or more microprocessors, microcomputers, microcontrollers, digital signal processors, central processing units, state machines, logic circuitries, and/or any devices that manipulate signals based on operational instructions. Among other capabilities, the one or more hardware processors 104 are configured to fetch and execute computer-readable instructions stored in the memory 102. In an embodiment, the system 100 can be implemented in a variety of computing systems including laptop computers, notebooks, hand-held devices such as mobile phones, workstations, mainframe computers, servers and the like.

[0036] The I/O interface(s) 106 can include a variety of software and hardware interfaces, for example, a web interface, a graphical user interface, a touch user interface (TUI), voice interface and the like and can facilitate multiple communications within a wide variety of networks N/W and protocol types, including wired networks, for example, LAN, cable, etc., and wireless networks, such as WLAN, cellular, or satellite. In an embodiment, the I/O interface (s) 106 can include one or more ports for connecting a number of devices (112a through 112n) of the system 100 to one another or to another server or devices.
[0037] The memory 102 may include any computer-readable medium known in the art including, for example, volatile memory, such as static random access memory (SRAM) and dynamic random access memory (DRAM), and/or non-volatile memory, such as read only memory (ROM), erasable programmable ROM, flash memories, hard disks, optical disks, and magnetic tapes.
[0038] Further, the memory 102 may include the user accounts module 110 and the database 108 comprising the provenance database. The memory 102 may comprise information pertaining to input(s)/output(s) of each step performed by the processor(s) 104 of the device 100 and methods of the present disclosure. In an embodiment, the database 108 may be external (not shown) to the system 100 and coupled to the system via the I/O interface 106. Functions of the components of the system 100 are explained in conjunction with flow diagram of FIGS. 2A through 2C for provenance based supplementary authentication mechanism.
[0039] FIG. 2A through FIG. 2C are flow diagrams illustrating a method 200 for provenance based supplementary authentication mechanism, using the system 100 of FIG. 1, in accordance with some embodiments of the present disclosure. In an embodiment, the system 100 comprises one or more data storage devices or the memory 102 operatively coupled to the processor(s) 104 and is configured to store instructions for execution of steps of the method 200 by the processor(s) or one or more hardware processors 104. The steps of the method 200 of the present disclosure will now be explained with reference to the components or blocks of the system 100 as depicted in FIG. 1 and the steps of flow diagram as depicted in FIG. 2A through FIG. 2C. Although process steps, method steps, techniques or the like may be described in a sequential order, such processes, methods and techniques may be configured to work in alternate orders. In other words, any sequence or order of steps that may be described does not necessarily indicate a requirement that the steps be performed in that order. The steps of processes described herein may be performed in any order practical. Further, some steps may be performed simultaneously.
[0040] Referring to the steps of the method 200, at step 202, the one or more hardware processors 104 are configured to detect valid credentials entered by a current user (the legitimate user 114a or the illegitimate user 114b) for accessing a user account from among the plurality of user accounts in the user accounts module 110. The user account of interest belongs to a registered user of an application via a device (say 112b) during a primary authentication, wherein the detected valid credentials trigger an access request to the user account.
[0041] Once the primary authentication is successful and the access request is triggered, at step 204 of the method 200, the one or more hardware processors (104) are configured to initiate the supplementary authentication mechanism to verify the current user as the registered user by validating legitimacy of the current user prior to granting access to the user account. The supplementary authentication is explained in conjunction with steps 204a through 204c and comprises:
1. Identifying (204a) the current user as one of a probable legitimate user and an illegitimate user by validating a) access details recorded in historical access details stored in a provenance database, comprising device location and time, recorded for the access request, against, b) the access details recorded for a previous access request to the user account. The current user is identified as an illegitimate user and denied access to the user account if variation between the access details recorded for the previous access request and the access request fail to satisfy a distance-time difference criteria. Whereas, the current user is identified as the probable legitimate user if variation between the access details recorded for the previous access request and the access request satisfy the distance-time difference criteria. For example, user ALEX's credentials are used by user BOB to access the application. The legitimate user ALEX accesses the application from X city and, after 30 minutes, the user BOB uses ALEX's credentials and attempts to access the application from Y city, around 500 km away. The system 100 verifies the current context details against the previous access context details. Travelling 500 km in 30 minutes seems impossible for any legitimate user, which indicates that user BOB is illegitimate, and the system denies access to user BOB. However, when the distance criteria, with time of access and distance between device locations for successive attempts, is not conclusive, the method 200 further analyzes and validates the user to conclude on the legitimacy of the user before granting access to the user account.
2. After analyzing the time-distance criteria, if the analysis of the legitimate user is non-conclusive (for example, when the time difference and location difference between two successive access requests/login attempts logically map), then the current user may be a legitimate or an illegitimate user and needs to be verified further. Thus, the method comprises determining (204b) whether the probable legitimate user has a credential sharing behavior by analyzing the access details over the history of access details. For the application being accessed, the method 200 captures user accessed information details, user location details and user accessed time details in the provenance database, recorded each time the user accessed the application via the user account. Thus, if the calculated distance and time difference is invalid for subsequent access details, the user is identified as having credential sharing behavior.
3. Once the current user is categorized as either having or not having the credential sharing behavior, the current user is identified as probable legitimate user and further analyzed for determining (204c) a probability of legitimacy as provided in steps below:
i) The current user is identified to have a low probability, if the probable legitimate user is determined having the credential sharing behavior.
ii) The current user is identified to have one of the low probability, a high probability and a very low probability based on a value of probability of legitimacy computed, if the probable legitimate user is determined to not have the credential sharing behavior. If the computed value indicates that the probable legitimate user has the high probability, then the current user is granted access to the user account. Similarly, the current user, if identified to have the very low probability, is denied access to the user account. The value of the probability of legitimacy is computed by:
a) obtaining an application user context, associated with total login attempts of the probability of legitimacy for the user account, based on the history of access details of the user account. When any user accesses the application from same user context for many times, then the method and corresponding application identifies this as user context of the legitimate user.
b) Detecting abnormal login attempts among the total login attempts by analyzing the application user context for subsequent login attempts among the total login attempts; and
c) Computing the value of the probability of legitimacy by dividing the difference between the total login attempts and the abnormal login attempts by the total login attempts, wherein a) the computed value of the probability of legitimacy, if above a first probability threshold, indicates the high probability, b) the computed value of the probability of legitimacy, if below a second probability threshold, indicates the very low probability and c) the computed value of probability of legitimacy, if between the first probability threshold and the second probability threshold, indicates the low probability.
d) User Probability of Legitimacy = (Total Access Count - Abnormal Access Count) / Total Access Count.
For example, the user is categorized based on the calculated value as below:
• User Probability of Legitimacy > 0.80: HIGH_PROBABILITY_OF_LEGITIMACY.
• User Probability of Legitimacy > 0.1: LOW_PROBABILITY_OF_LEGITIMACY.
• User Probability of Legitimacy < 0.10: VERY_LOW_PROBABILITY_OF_LEGITIMACY.
4. However, the current user, if identified to have the value indicating the low probability (also referred as medium probability) then the user is further analyzed to verify or confirm his legitimacy. Thus, for the low (medium) probability user, the method comprises dynamically deriving (204d), a set of questions, wherein
i) The set of questions are based on a combination of a device user context and an application user context if a reason for the low probability is determined to be the credential sharing behavior and if the access request is triggered via the device. The device herein is among a plurality of allocated devices and device user context means device user related questions and application user context means application user related questions. The probable legitimate user is granted access to the user account if user responses to the application user context based questions are correct and the device user context based questions are incorrect.
Use Case Example 1: User “A” is accessing the Application using User “B” allocated system by using User “A” credentials. The system for the application confirms the user A legitimacy by generating 2 questions related to user “A” and 2 questions related to User “B”. If the user “A” is legitimate, the user “A” needs to provide correct answers to only User “A” related questions and incorrect answers to User “B” related questions, or not attempt B related questions. (It is intended that User A should not know the system/device details of user B; if the current user answers the system details of B correctly, he is possibly not user A.)
Use case example 2 (scenario exactly opposite to Use case example 1): Herein, if User B accesses the application using User B allocated device but using User “A” credentials, then user B can answer the questions related to User B (Device user context) correctly but answers wrongly or leaves questions related to User A (Application User context). In this case user B is identified as an illegitimate user and denied access, and this is interpreted to be a credential sharing scenario.
ii) The set of questions are based on confidential information associated with the user account, if the reason for the low probability is determined to be the credential sharing behavior and if the access request is triggered via the device, wherein the device is among a plurality of non-allocated devices. The set of questions derived based on the confidential information are associated with a) the confidential information that has been recently accessed if the registered user is identified as a low memory user and b) the confidential information across entire confidential data associated with the user account if the registered user is identified as a high memory user. The low memory user and the high memory user are classified in accordance with a memory score threshold computed based on rating identified for each of the set of questions prompted during previous access requests, history comprising correctness and incorrectness of responses to the prompted set of questions. FIG. 3 is a flow diagram illustrating steps for determining user memory type as the low memory user and the high memory user for generating set of questions for the supplementary authentication mechanism based on the identified memory type for the registered (true) user, using the system of FIG. 1, in accordance with some embodiments of the present disclosure. As depicted in FIG. 3, the memory score threshold (for example, 80) decides the boundary for categorizing the user into low and high memory type. The value of memory score may be preset based on experimental observations by a subject matter expert. The memory score for a user is computed using ((Sum(correct answers * rating) - Sum(incorrect answers * rating)) / Rating of total questions) * 100. The rating of questions is based on strength and toughness (rated 1 to 10, 1 being low strength, simple questions and 10 being high strength, tough questions).
iii) The set of questions are based on randomly selected information associated with the user account that has been recently accessed, if the reason for the low probability is other than the credential sharing behavior. In this case, the questions are with lower levels of difficulty. The probable legitimate user is granted access to the user account if user responses to the random information based questions are correct.
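The scoring in steps 204a to 204c and the memory score used in step 204d(ii) can be sketched as below. This is an added Python illustration, not code from the patent application. The 900 km/h travel ceiling, the `Access` record with its `context` field, the rule that a login is abnormal when its context differs from the account's most common one, and the sample coordinates are assumptions made for the example.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Thresholds quoted in the description's examples.
HIGH_THRESHOLD = 0.80
VERY_LOW_THRESHOLD = 0.10
MEMORY_SCORE_THRESHOLD = 80
# Assumption: the description gives no numeric distance-time criterion.
MAX_PLAUSIBLE_KMH = 900.0  # hypothetical ceiling, roughly airliner speed

HIGH = "HIGH_PROBABILITY_OF_LEGITIMACY"
LOW = "LOW_PROBABILITY_OF_LEGITIMACY"
VERY_LOW = "VERY_LOW_PROBABILITY_OF_LEGITIMACY"

@dataclass(frozen=True)
class Access:
    """One provenance record; `context` is a hypothetical device/context id."""
    when: datetime
    lat: float
    lon: float
    context: str

def haversine_km(a, b):
    """Great-circle distance between two access locations in kilometres."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def satisfies_distance_time(prev, cur, max_kmh=MAX_PLAUSIBLE_KMH):
    """Distance-time difference criterion: could one person make this trip?"""
    hours = (cur.when - prev.when).total_seconds() / 3600.0
    dist = haversine_km(prev, cur)
    if hours <= 0:  # simultaneous or out-of-order records: only the same place passes
        return dist < 1.0
    return dist / hours <= max_kmh

def probability_of_legitimacy(total, abnormal):
    """(Total Access Count - Abnormal Access Count) / Total Access Count."""
    if total <= 0 or not 0 <= abnormal <= total:
        raise ValueError("need total > 0 and 0 <= abnormal <= total")
    return (total - abnormal) / total

def classify(p):
    """Map the computed value onto the three bands of step 204c."""
    if p > HIGH_THRESHOLD:
        return HIGH
    if p < VERY_LOW_THRESHOLD:
        return VERY_LOW
    return LOW

def evaluate(history, current):
    """Steps 204a-204c. Returns (action, label); history is oldest-first."""
    if history and not satisfies_distance_time(history[-1], current):
        return "DENY", "ILLEGITIMATE"            # 204a: impossible travel
    pairs = zip(history, history[1:])
    if any(not satisfies_distance_time(p, c) for p, c in pairs):
        return "CHALLENGE", LOW                  # 204b: credential sharing seen in history
    attempts = list(history) + [current]
    usual = Counter(a.context for a in attempts).most_common(1)[0][0]
    abnormal = sum(1 for a in attempts if a.context != usual)  # assumed abnormality rule
    label = classify(probability_of_legitimacy(len(attempts), abnormal))  # 204c
    return {HIGH: "GRANT", VERY_LOW: "DENY", LOW: "CHALLENGE"}[label], label

def memory_score(responses):
    """responses: (rating 1-10, answered_correctly) for previously prompted questions."""
    total = sum(rating for rating, _ in responses)
    if total == 0:
        raise ValueError("no rated questions in history")
    correct = sum(rating for rating, ok in responses if ok)
    return (correct - (total - correct)) / total * 100

def memory_type(responses):
    # Assumption: a score equal to the threshold counts as high memory.
    return "HIGH_MEMORY" if memory_score(responses) >= MEMORY_SCORE_THRESHOLD else "LOW_MEMORY"

# Constructed sample data: two points on the equator about 500 km apart, 30 minutes apart.
T0 = datetime(2020, 8, 28, 9, 0)
ALEX_X_CITY = Access(T0, 0.0, 0.0, "laptop-1")
BOB_Y_CITY = Access(T0 + timedelta(minutes=30), 0.0, 4.5, "laptop-9")

if __name__ == "__main__":
    print(evaluate([ALEX_X_CITY], BOB_Y_CITY))
```

A "CHALLENGE" result is where step 204d takes over, and `memory_type` decides whether the confidential-information questions draw on recent data only or on the whole account.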
[001] FIG. 4 is a flow diagram illustrating steps for computing question response time (RT) for the set of questions posed during the supplementary authentication mechanism, using the system of FIG. 1, in accordance with some embodiments of the present disclosure. For every generated question, the method calculates the question response time for the user to provide an answer. Thus, the question remains active for a response only for that determined time. If the question is time related, the response time is high, since the user needs more time to answer this type of question. Location related questions require less time to answer, for example: "Did you visit Washington before?" Information related questions require more time to answer compared to location related questions. Thus, the time constraints put by the system to respond to the questions further add to the difficulty level for an illegitimate user. However, if it is the legitimate user, he/she can well respond within the time limit provided by the system. As depicted in FIG. 4, the time for which each of the set of questions is active for receiving a response from the current user is based on a) the difficulty level of each of the set of questions, and b) one of a time constant, an information constant and a location constant derived based on whether each of the set of questions is time related, information related or location related. Each of the constants is computed based on experimental results and testing over multiple use cases.
[001] The written description describes the subject matter herein to enable any person skilled in the art to make and use the embodiments. The scope of the subject matter embodiments is defined by the claims and may include other modifications that occur to those skilled in the art. Such other modifications are intended to be within the scope of the claims if they have similar elements that do not differ from the literal language of the claims or if they include equivalent elements with insubstantial differences from the literal language of the claims.

[002] It is to be understood that the scope of the protection is extended to such a program and in addition to a computer-readable means having a message therein; such computer-readable storage means contain program-code means for implementation of one or more steps of the method, when the program runs on a server or mobile device or any suitable programmable device. The hardware device can be any kind of device which can be programmed including e.g. any kind of computer like a server or a personal computer, or the like, or any combination thereof. The device may also include means which could be e.g. hardware means like e.g. an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA), or a combination of hardware and software means, e.g. an ASIC and an FPGA, or at least one microprocessor and at least one memory with software processing components located therein. Thus, the means can include both hardware means, and software means. The method embodiments described herein could be implemented in hardware and software. The device may also include software means. Alternatively, the embodiments may be implemented on different hardware devices, e.g. using a plurality of CPUs.
[003] The embodiments herein can comprise hardware and software elements. The embodiments that are implemented in software include but are not limited to, firmware, resident software, microcode, etc. The functions performed by various components described herein may be implemented in other components or combinations of other components. For the purposes of this description, a computer-usable or computer readable medium can be any apparatus that can comprise, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device.
[004] The illustrated steps are set out to explain the exemplary embodiments shown, and it should be anticipated that ongoing technological development will change the manner in which particular functions are performed. These examples are presented herein for purposes of illustration, and not limitation. Further, the boundaries of the functional building blocks have been arbitrarily defined herein for the convenience of the description. Alternative boundaries can be defined so long as the specified functions and relationships thereof are appropriately performed. Alternatives (including equivalents, extensions, variations, deviations, etc., of those described herein) will be apparent to persons skilled in the relevant art(s) based on the teachings contained herein. Such alternatives fall within the scope of the disclosed embodiments. Also, the words “comprising,” “having,” “containing,” and “including,” and other similar forms are intended to be equivalent in meaning and be open ended in that an item or items following any one of these words is not meant to be an exhaustive listing of such item or items, or meant to be limited to only the listed item or items. It must also be noted that as used herein and in the appended claims, the singular forms “a,” “an,” and “the” include plural references unless the context clearly dictates otherwise.
[005] Furthermore, one or more computer-readable storage media may be utilized in implementing embodiments consistent with the present disclosure. A computer-readable storage medium refers to any type of physical memory on which information or data readable by a processor may be stored. Thus, a computer-readable storage medium may store instructions for execution by one or more processors, including instructions for causing the processor(s) to perform steps or stages consistent with the embodiments described herein. The term “computer-readable medium” should be understood to include tangible items and exclude carrier waves and transient signals, i.e., be non-transitory. Examples include random access memory (RAM), read-only memory (ROM), volatile memory, nonvolatile memory, hard drives, CD ROMs, DVDs, flash drives, disks, and any other known physical storage media.
[006] It is intended that the disclosure and examples be considered as exemplary only, with a true scope of disclosed embodiments being indicated by the following claims.

We Claim:
1. A method (200) for provenance based supplementary authentication mechanism, the method comprising:
detecting (202), via one or more hardware processors, valid credentials entered by a current user for accessing a user account of a registered user of an application via a device during a primary authentication, wherein the detected valid credentials trigger an access request to the user account;
initiating (204), via the one or more hardware processors, a supplementary authentication mechanism in response to the access request to verify the current user as the registered user by validating legitimacy of the current user prior to granting access to the user account, wherein the supplementary authentication comprises:
identifying (204a) the current user as one of a probable legitimate user and an illegitimate user by validating a) access details recorded in historical access details stored in a provenance database, comprising device location and time, recorded for the access request, against, b) the access details recorded for a previous access request to the user account, wherein
i) the current user is identified as an illegitimate user and denied access to the user account if variation between the access details recorded for the previous access request and the access request fail to satisfy a distance-time difference criteria, and
ii) the current user is identified as the probable legitimate user if variation between the access details recorded for the previous access request and the access request satisfy the distance-time difference criteria;

determining (204b) whether the probable legitimate user has a credential sharing behavior by analyzing the access details over the history of access details;
determining (204c) a probability of legitimacy of the probable legitimate user as:
i) a low probability, if the probable legitimate user is determined having the credential sharing behavior; and
ii) one of the low probability, a high probability and a very low probability based on a value of probability of legitimacy computed, if the probable legitimate user is determined to not have the credential sharing behavior, wherein the probable legitimate user having the high probability is granted access to the user account and having the very low probability is denied access to the user account; and
dynamically deriving (204d), a set of questions for the probable legitimate user determined to have the low probability, wherein the set of questions are:
i) based on a combination of a device user context and an application user context if a reason for the low probability is determined to be the credential sharing behavior and if the access request is triggered via the device, wherein the device is among a plurality of allocated devices, and wherein the probable legitimate user is granted access to the user account if user responses to the application user context based questions are correct and the device user context based questions are incorrect;
ii) based on confidential information associated with the user account, if the reason for the low probability is determined to be the credential sharing behavior and if the access request is triggered via the device, wherein the device is among a plurality of non-allocated devices, wherein the probable legitimate user is granted access to the user account if user responses to the confidential information based questions are correct; and
iii) based on randomly selected information associated with the user account that has been recently accessed, if the reason for the low probability is other than the credential sharing behavior, wherein the probable legitimate user is granted access to the user account if user responses to the random information based questions are correct.
2. The method as claimed in claim 1, wherein the value of the probability of legitimacy is computed by:
obtaining the application user context, associated with total login attempts the probability of legitimacy for the user account, based on the history of access details of the user account;
detecting abnormal login attempts among the total login attempts by checking if the application user context for subsequent login attempts among the total login attempts satisfy the distance-time difference criteria; and
computing the value of the probability of legitimacy by dividing difference between the total login attempts and the abnormal login attempts by the total login attempts, wherein a) the computed value of the probability of legitimacy, if above a first probability threshold, indicates the high probability, b) the computed value of the probability of legitimacy, if below a second probability threshold, indicates the very low probability threshold and c) the computed value of probability of legitimacy, if between the first probability threshold the second probability threshold, indicates the low probability.
3. The method as claimed in claim 1, wherein the set of question derived based on the confidential information are associated with a) the confidential information that has been recently accessed if the registered user is identified as a low memory user and b) the confidential information across entire confidential data associated with the user account if the registered user is identified as a high memory user.
4. The method as claimed in claim 3, wherein the low memory user and the high memory user is classified in accordance with a memory score threshold, and wherein a memory score is computed based on rating identified for each of the set of questions prompted during previous access requests, history comprising correctness and incorrectness of responses to the prompted set of questions.
5. The method as claimed in claim 1, wherein time for which each of the set of questions are active for receiving response from the current user is based difficulty level of each of the set of questions and one of a time constant, an information constant and a location constant derived based on whether the each of the set of questions is time related, information related or location related.
6. A system (100) for provenance based supplementary authentication mechanism, the system (100) comprising:
a memory (102) storing instructions;
one or more Input/Output (I/O) interfaces (106); and
one or more hardware processors (104) coupled to the memory (102) via the one or more I/O interfaces (106), wherein the one or more hardware processors (104) are configured by the instructions to:
detect valid credentials entered by a current user for accessing a user account of a registered user of an application via a device during a primary authentication, wherein the detected valid credentials trigger an access request to the user account;
initiate a supplementary authentication mechanism in response to the access request to verify the current user as the registered user by validating legitimacy of the current user prior to granting access to the user account, wherein the supplementary authentication comprises:
identify the current user as one of a probable legitimate user and an illegitimate user by validating a) access details recorded in historical access details stored in a provenance database, comprising device location and time, recorded for the access request, against, b) the access details recorded for a previous access request to the user account, wherein
i) the current user is identified as an illegitimate user and denied access to the user account if variation between the access details recorded for the previous access request and the access request fail to satisfy a distance-time difference criteria, and
ii) the current user is identified as the probable legitimate user if variation between the access details recorded for the previous access request and the access request satisfy the distance-time difference criteria;
determining whether the probable legitimate user has a credential sharing behavior by analyzing the access details over the history of access details;
determining a probability of legitimacy of the probable legitimate user as:
i) a low probability, if the probable legitimate user is determined having the credential sharing behavior; and
ii) one of the low probability, a high probability and a very low probability based on a value of probability of legitimacy computed, if the probable legitimate user is determined to not have the credential sharing behavior, wherein the probable legitimate user having the high probability is granted access to the user account and having the very low probability is denied access to the user account; and
dynamically deriving a set of questions for the probable legitimate user determined to have the low probability, wherein the set of questions are:
i) based on a combination of a device user context and an application user context if a reason for the low probability is determined to be the credential sharing behavior and if the access request is triggered via the device, wherein the device is among a plurality of allocated devices, and wherein the probable legitimate user is granted access to the user account if user responses to the application user context based questions are correct and the device user context based questions are incorrect;
ii) based on confidential information associated with the user account, if the reason for the low probability is determined to be the credential sharing behavior and if the access request is triggered via the device, wherein the device is among a plurality of non-allocated devices, wherein the probable legitimate user is granted access to the user account if user responses to the confidential information based questions are correct; and
iii) based on randomly selected information associated with the user account that has been recently accessed, if the reason for the low probability is other than the credential sharing behavior, wherein the probable legitimate user is granted access to the user account if user responses to the random information based questions are correct.
7. The system (100) as claimed in claim, wherein the value of the probability of legitimacy is computed by:
obtaining the application user context, associated with total login attempts the probability of legitimacy for the user account, based on the history of access details of the user account;
detecting abnormal login attempts among the total login attempts by checking if the application user context for subsequent login attempts among the total login attempts satisfy the distance-time difference criteria; and
computing the value of the probability of legitimacy by dividing difference between the total login attempts and the abnormal login attempts by the total login attempts, wherein a) the computed value of the probability of legitimacy, if above a first probability threshold, indicates the high probability, b) the computed value of the probability of legitimacy, if below a second probability threshold, indicates the very low probability threshold and c) the computed value of probability of legitimacy, if between the first probability threshold the second probability threshold, indicates the low probability.
8. The system (100) as claimed in claim 5, wherein the set of question derived based on the confidential information are associated with a) the confidential information that has been recently accessed if the registered user is identified as a low memory user and b) the confidential information across entire confidential data associated with the user account if the registered user is identified as a high memory user.
9. The system (100) as claimed in claim 8, wherein the low memory user and the high memory user is classified in accordance with a memory score threshold, and wherein a memory score is computed based on rating identified for each of the set of questions prompted during previous access requests, history comprising correctness and incorrectness of responses to the prompted set of questions.

10. The system (100) as claimed in claim 5, wherein time for which each of the set of questions are active for receiving response from the current user is based a) difficulty level of each of the set of questions and b)one of a time constant, an information constant and a location constant derived based on whether the each of the set of questions is time related, information related or location related.

Documents

Application Documents

# Name Date
1 202021037240-STATEMENT OF UNDERTAKING (FORM 3) [28-08-2020(online)].pdf 2020-08-28
2 202021037240-REQUEST FOR EXAMINATION (FORM-18) [28-08-2020(online)].pdf 2020-08-28
3 202021037240-FORM 18 [28-08-2020(online)].pdf 2020-08-28
4 202021037240-FORM 1 [28-08-2020(online)].pdf 2020-08-28
5 202021037240-FIGURE OF ABSTRACT [28-08-2020(online)].jpg 2020-08-28
6 202021037240-DRAWINGS [28-08-2020(online)].pdf 2020-08-28
7 202021037240-DECLARATION OF INVENTORSHIP (FORM 5) [28-08-2020(online)].pdf 2020-08-28
8 202021037240-COMPLETE SPECIFICATION [28-08-2020(online)].pdf 2020-08-28
9 202021037240-FORM-26 [16-10-2020(online)].pdf 2020-10-16
10 202021037240-Proof of Right [22-02-2021(online)].pdf 2021-02-22
11 Abstract1.jpg 2021-10-19
12 202021037240-FER.pdf 2022-09-15
13 202021037240-FER_SER_REPLY [06-12-2022(online)].pdf 2022-12-06
14 202021037240-CLAIMS [06-12-2022(online)].pdf 2022-12-06
15 202021037240-US(14)-HearingNotice-(HearingDate-23-04-2024).pdf 2024-03-21
16 202021037240-FORM-26 [12-04-2024(online)].pdf 2024-04-12
17 202021037240-Correspondence to notify the Controller [12-04-2024(online)].pdf 2024-04-12
18 202021037240-Written submissions and relevant documents [06-05-2024(online)].pdf 2024-05-06

Search Strategy

1 SearchStrategyE_15-09-2022.pdf