Patent Issued for Digital credential authentication (USPTO 11641278): Workday Inc.

2023 MAY 23 (NewsRx) -- By a News Reporter-Staff News Editor at Insurance Daily News -- From Alexandria, Virginia, NewsRx journalists report that a patent by the inventors Hamel, Bjorn (Dublin, CA, US), Ruggiero, Jonathan David (Danville, CA, US), filed on March 26, 2019, was published online on May 2, 2023.

The patent’s assignee for patent number 11641278 is Workday Inc. (Pleasanton, California, United States).

News editors obtained the following quote from the background information supplied by the inventors: “A database system distributes cryptographic digital credentials to a user to allow the user to prove qualifications (e.g., a degree, employment experience, health insurance coverage, etc.). Credentials can be assigned to a user by a trusted third party client of the database system (e.g., a university, an insurer). In order for the user to securely take advantage of the credential system, the user must possess an authentication device for storing and providing the credentials. This creates a problem of how to register with the database system a trusted authentication device associated with the user.”

As a supplement to the background information on this patent, NewsRx correspondents also obtained the inventors’ summary information for this patent: “The invention can be implemented in numerous ways, including as a process; an apparatus; a system; a composition of matter; a computer program product embodied on a computer readable storage medium; and/or a processor, such as a processor configured to execute instructions stored on and/or provided by a memory coupled to the processor. In this specification, these implementations, or any other form that the invention may take, may be referred to as techniques. In general, the order of the steps of disclosed processes may be altered within the scope of the invention. Unless stated otherwise, a component such as a processor or a memory described as being configured to perform a task may be implemented as a general component that is temporarily configured to perform the task at a given time or a specific component that is manufactured to perform the task. As used herein, the term ‘processor’ refers to one or more devices, circuits, and/or processing cores configured to process data, such as computer program instructions.

“A detailed description of one or more embodiments of the invention is provided below along with accompanying figures that illustrate the principles of the invention. The invention is described in connection with such embodiments, but the invention is not limited to any embodiment. The scope of the invention is limited only by the claims and the invention encompasses numerous alternatives, modifications and equivalents. Numerous specific details are set forth in the following description in order to provide a thorough understanding of the invention. These details are provided for the purpose of example and the invention may be practiced according to the claims without some or all of these specific details. For the purpose of clarity, technical material that is known in the technical fields related to the invention has not been described in detail so that the invention is not unnecessarily obscured.

“The system for digital credentialing is designed to empower individual users to own their verifiable professional identity and to be able to enable this identity to be useable in scenarios where a verified identity allows access by providing proof of identity. An application might use the system to prove the identity or verify a user’s access ability to something. The application queries the system regarding a proof of identity and the user provides the proof using a credential to the system that is ultimately passed to the application to prove identity of the user. The system allows an application developer to pick attributes that an application challenges for and the sources that will satisfy any given challenge. The proof of identity is embodied in a digital credential that is able to be secured using a combination of cryptography and a distributed ledger (e.g., a decentralized ledger, a permissioned ledger, a public ledger, etc.) to assure legitimacy of the proof of identity.

“A system for digital credentialing receives the digital credential from a credential issuing system. The system for digital credentialing stores user information for the user. The system for digital credentialing further determines a set of credentials available to the user based on the user information as well as stores a record of previously issued credentials. The credentials comprise categories satisfied by the user information at differing levels of specificity (e.g., greater than an amount, in a range of amounts, less than an amount, etc.). For example, in the case where the user comprises an employee earning $95,000 per year, the system for digital credentialing could determine credentials available to the user indicating that the user earns more than $60,000 per year, that the user earns more than $80,000 per year, that the user earns in the range of $90,000-$100,000 per year, etc. When the user interacts with the system for digital credentialing using a credential requesting app or application, the system determines the set of credentials available to the user and provides the list of credentials to the credential requesting app or application. The user can then provide (e.g., from a storage on a user device) one or more available credentials to the credential requesting app or application.

“In various embodiments, a credential comprises data that is validated or verified to be authentic-for example, data verifying academic diplomas, academic degrees, certifications, security clearances, identification documents, badges, passwords, user names, keys, powers of attorney, human resource data, personal information, or any other relevant information,”

The claims supplied by the inventors are:

“1. A system for creating an identity mapping on a distributed ledger, comprising: an interface configured to: receive a request to create an identity mapping on a distributed ledger, wherein the distributed ledger comprises a blockchain; a hardware processor configured to: generate an identity key pair; generate a mobile encryption key; encrypt a private identity key of the identity key pair using the mobile encryption key to create an encrypted private key; store the encrypted private key; create a mapping document, wherein the mapping document maps a user identifier of a user to a public identity key of the identity key pair; sign the mapping document with the private identity key of the identity key pair; provide the signed mapping document, wherein the signed mapping document is added to the blockchain in response to a determination that the signed mapping document is valid; receive a proof request challenge comprising a request for one or more digital credentials; and in response to receiving the proof request challenge: determine a subset of stored digital credentials corresponding to the one or more digital credentials and that satisfy the proof request challenge; provide a user interface allowing the user to select from the subset of stored digital credentials; receive from the user a selection of a digital credential from the subset of stored digital credentials; and provide a proof response comprising a signed verifiable form of the selected digital credential of the subset of stored digital credentials, wherein the signed verifiable form of the selected digital credential is signed with the private identity key.

“2. The system of claim 1, wherein the processor is further configured to install a digital identity application.

“3. The system of claim 1, wherein the identity key pair comprises an identity key pair generated using an RSA algorithm or an ed25519 algorithm.

“4. The system of claim 1, wherein the mobile encryption key is stored in a secure enclave.

“5. The system of claim 1, wherein the mobile encryption key is access limited using a biometric.

“6. The system of claim 1, wherein the encrypted private key is stored on a user device.

“7. The system of claim 6, wherein the user device comprises a mobile device.

“8. The system of claim 1, wherein the mapping document comprises a decentralized identifier.

“9. The system of claim 1, wherein the mapping document conforms to a World Wide Web Consortium decentralized identifier document specification.

“10. The system of claim 1, wherein the processor is further configured to receive an indication that the signed mapping document was validated.

“11. The system of claim 1, wherein the signed mapping document is provided to a permissioned writer for the distributed ledger.

“12. The system of claim 1, wherein the system further comprises a storage for storing a digital credential for proving a user qualification.

“13. The system of claim 1, wherein the one or more digital credentials are determined according to rules.

“14. The system of claim 13, wherein the rules are associated with a credential schema, a credential organization, a credential issuer, a credential location, a credential class identifier, a credential class name, an identification number associated with the credential, or a license associated with the credential.

“15. The system of claim 13, wherein the rules are applied selectively.

“16. The system of claim 15, wherein the rules are applied based at least in part on a user identifier.

“17. A method for creating an identity mapping on a distributed ledger, comprising: receiving a request to create an identity mapping on a distributed ledger, wherein the distributed ledger comprises a blockchain; generating, using a processor, an identity key pair; generating a mobile encryption key; encrypting a private identity key of the identity key pair using the mobile encryption key to create an encrypted private key; storing the encrypted private key; creating a mapping document, wherein the mapping document maps a user identifier of a user to a public identity key of the identity key pair; signing the mapping document with the private identity key of the identity key pair; providing the signed mapping document, wherein the signed mapping document is added to the blockchain in response to a determination that the signed mapping document is valid; receiving a proof request challenge comprising a request for one or more digital credentials; and in response to receiving the proof request challenge: determining a subset of stored digital credentials corresponding to the one or more digital credentials and that satisfy the proof request challenge; providing a user interface allowing the user to select from the subset of stored digital credentials; receiving from the user a selection of a digital credential from the subset of stored digital credentials; and providing a proof response comprising a signed verifiable form of the selected digital credential of the subset of stored digital credentials, wherein the signed verifiable form of the selected digital credential is signed with the private identity key.

“18. A computer program product for creating an identity mapping on a distributed ledger, the computer program product being embodied in a non-transitory computer readable storage medium and comprising computer instructions for: receiving a request to create an identity mapping on a distributed ledger, wherein the distributed ledger comprises a blockchain; generating an identity key pair; generating a mobile encryption key; encrypting a private identity key of the identity key pair using the mobile encryption key to create an encrypted private key; storing the encrypted private key; creating a mapping document, wherein the mapping document maps a user identifier of a user to a public identity key of the identity key pair; signing the mapping document with the private identity key of the identity key pair; providing the signed mapping document, wherein the signed mapping document is added to the blockchain in response to a determination that the signed mapping document is valid; receiving a proof request challenge comprising a request for one or more digital credentials; and in response to receiving the proof request challenge: determining a subset of stored digital credentials corresponding to the one or more digital credentials and that satisfy the proof request challenge; providing a user interface allowing the user to select from the subset of stored digital credentials; receiving from the user a selection of a digital credential from the subset of stored digital credentials; and providing a proof response comprising a signed verifiable form of the selected digital credential of the subset of stored digital credentials, wherein the signed verifiable form of the selected digital credential is signed with the private identity key.”

For additional information on this patent, see: Hamel, Bjorn. Digital credential authentication. U.S. Patent Number 11641278, filed March 26, 2019, and published online on May 2, 2023. Patent URL (for desktop use only): https://ppubs.uspto.gov/pubwebapp/external.html?q=(11641278)&db=USPAT&type=ids

(Our reports deliver fact-based news of research and discoveries from around the world.)