
A method implemented by computer to prevent attacks against user authentication and software products thereof


Abstract

A computer-implemented method to avoid attacks against user authentication, the method comprising:

- receiving, through a first server (300), from a user, a request to log in to a service of said first server (300), said request including the provision of identification information that validates the identity of the user on the first server (300); and
- authenticating, by means of said first server (300), said identification information of said user to authorize said request for service session initiation,

characterized in that the method comprises:

- using a second server (200), in connection with a computing device (100) of the user through a specialized program (101) installed in the user's computing device (100), to manage a status of the accounts that the user has on the first server (300), in which said account status is set as valid or invalid by the user through the specialized program (101) and stored in a memory of the second server (200) after a secure channel is defined between the second server (200) and the computing device (100), and wherein said secure channel is defined after a credential exchange is made between the second server (200) and the user;
- receiving, through the second server (200), from said first server (300), a request about the status of a user account on the first server (300);
- in response to receiving the request, initializing, through the second server (200), an exchange of credentials with the first server (300) to provide mutual authentication, the exchange of credentials being performed through an authentication procedure based on an exchange of certificates between the first server (300) and the second server (200);
- verifying, through the second server (200), said account status; and
- sending, through the second server (200), said account status to the first server (300), which uses the received account status to authorize said service login request if said account status is set as valid or reject said service login request if said account status is set to invalid.
