Patent Issued for Digital credentials for primary factor authentication (USPTO 11716320): Workday Inc. - Insurance News | InsuranceNewsNet

August 17, 2023 Newswires
Patent Issued for Digital credentials for primary factor authentication (USPTO 11716320): Workday Inc.

Insurance Daily News

2023 AUG 17 (NewsRx) -- By a News Reporter-Staff News Editor at Insurance Daily News -- A patent by the inventors Hamel, Bjorn (Dublin, CA, US), Ruggiero, Jonathan David (Danville, CA, US), filed on March 26, 2019, was published online on August 1, 2023, according to news reporting originating from Alexandria, Virginia, by NewsRx correspondents.

Patent number 11716320 is assigned to Workday Inc. (Pleasanton, California, United States).

The following quote was obtained by the news editors from the background information supplied by the inventors: “A database system distributes cryptographic digital credentials to a user to allow the user to prove qualifications (e.g., a degree, employment experience, health insurance coverage, etc.). Credentials can be assigned to a user by a trusted third party client of the database system (e.g., a university, an insurer). Digital credentials can be used to authenticate a user login to an application system, however, using credentials for authentication requires a system designed to use the credentials securely.”

In addition to the background information obtained for this patent, NewsRx journalists also obtained the inventors’ summary information for this patent: “The invention can be implemented in numerous ways, including as a process; an apparatus; a system; a composition of matter; a computer program product embodied on a computer readable storage medium; and/or a processor, such as a processor configured to execute instructions stored on and/or provided by a memory coupled to the processor. In this specification, these implementations, or any other form that the invention may take, may be referred to as techniques. In general, the order of the steps of disclosed processes may be altered within the scope of the invention. Unless stated otherwise, a component such as a processor or a memory described as being configured to perform a task may be implemented as a general component that is temporarily configured to perform the task at a given time or a specific component that is manufactured to perform the task. As used herein, the term ‘processor’ refers to one or more devices, circuits, and/or processing cores configured to process data, such as computer program instructions.

“A detailed description of one or more embodiments of the invention is provided below along with accompanying figures that illustrate the principles of the invention. The invention is described in connection with such embodiments, but the invention is not limited to any embodiment. The scope of the invention is limited only by the claims and the invention encompasses numerous alternatives, modifications and equivalents. Numerous specific details are set forth in the following description in order to provide a thorough understanding of the invention. These details are provided for the purpose of example and the invention may be practiced according to the claims without some or all of these specific details. For the purpose of clarity, technical material that is known in the technical fields related to the invention has not been described in detail so that the invention is not unnecessarily obscured.

“The system for digital credentialing is designed to empower individual users to own their verifiable professional identity and to be able to enable this identity to be useable in scenarios where a verified identity allows access by providing proof of identity. An application might use the system to prove the identity or verify a user’s access ability to something. The application queries the system regarding a proof of identity and the user provides the proof using a credential to the system that is ultimately passed to the application to prove identity of the user. The system allows an application developer to pick attributes that an application challenges for and the sources that will satisfy any given challenge. The proof of identity is embodied in a digital credential that is able to be secured using a combination of cryptography and a distributed ledger (e.g., a decentralized ledger, a permissioned ledger, a public ledger, etc.) to assure legitimacy of the proof of identity.

“A system for digital credentialing receives the digital credential from a credential issuing system. The system for digital credentialing stores user information for the user. The system for digital credentialing further determines a set of credentials available to the user based on the user information as well as stores a record of previously issued credentials. The credentials comprise categories satisfied by the user information at differing levels of specificity (e.g., greater than an amount, in a range of amounts, less than an amount, etc.). For example, in the case where the user comprises an employee earning $95,000 per year, the system for digital credentialing could determine credentials available to the user indicating that the user earns more than $60,000 per year, that the user earns more than $80,000 per year, that the user earns in the range of $90,000-$100,000 per year, etc. When the user interacts with the system for digital credentialing using a credential requesting app or application, the system determines the set of credentials available to the user and provides the list of credentials to the credential requesting app or application. The user can then provide (e.g., from a storage on a user device) one or more available credentials to the credential requesting app or application.

“In various embodiments, a credential comprises data that is validated or verified to be authentic - for example, data verifying academic diplomas, academic degrees, certifications, security clearances, identification documents, badges, passwords, user names, keys, powers of attorney, human resource data, personal information, or any other relevant information.”

The claims supplied by the inventors are:

“1. A system for credential authentication, comprising: an interface configured to: receive a request for authorization to access from an application stored on an authentication device; and a processor configured to: determine a set of credentials that enable the authorization to access the application; generate a proof request challenge; determine whether the request for the authorization to access comprises a secure cookie; in response to determining that the request for the authorization to access includes the secure cookie, determine a uniform record identifier using the secure cookie; in response to determining that the request for the authorization to access does not include the secure cookie, determine the uniform record identifier from an authorization QR code; provide the proof request challenge to the authentication device, wherein the proof request challenge comprises the uniform record identifier, and wherein the authentication device uses the uniform record identifier to pull down the proof request challenge from a server associated with the uniform record identifier; receive a proof response from the authentication device, wherein the proof response comprises a credential, wherein the credential is selected from credentials of a set of credentials stored on the authentication device, and wherein the credential indicates at least one of 1) a user of the authentication device is a current employee of a company, 2) the user of the authentication device is employed in an organization of the company, 3) the user of the authentication device is employed in a location of the company, 4) the user of the authentication device has required training, and 5) the user of the authentication device has an outside credential issued by an outside credential issuer; determine that the proof response is valid based at least in part on determining that the credential is in the set of credentials that enable authorization to access the application and that a decentralized 
identifier of the credential registered in a distributed ledger matches a key holder associated with the request for the authorization to access; and in response to determining that the proof response is valid: generate a token; and provide the token to the application, wherein the token authorizes the user of the authentication device to access the application.

“2. The system of claim 1, wherein generating the proof request challenge is based upon a configured set of proof request challenge rules, wherein the configured set of proof request challenge rules comprise one or more criteria which determine the set of credentials that enable the authorization to access.

“3. The system of claim 1, wherein the proof request challenge is provided to a digital identity app.

“4. The system of claim 3, wherein the proof request challenge is provided to the digital identity app using a URI that points to the proof request challenge.

“5. The system of claim 3, wherein the digital identity app is on a mobile device.

“6. The system of claim 5, wherein the proof request challenge is provided to the mobile device using a push notification.

“7. The system of claim 6, wherein the mobile device is identified for the push notification using the secure cookie stored during a previous execution.

“8. The system of claim 5, wherein the proof request challenge is provided to the mobile device using an access QR code, which comprises a URI that points to the proof request challenge.

“9. The system of claim 8, wherein the access QR code is scanned by the mobile device to access the proof request challenge.

“10. The system of claim 1, wherein the proof response is signed using a private key of an identity key pair.

“11. The system of claim 10, wherein the private key is decrypted using a mobile encryption key.

“12. The system of claim 11, wherein the mobile encryption key is accessed using a biometric.

“13. The system of claim 1, wherein the proof response is encrypted using a per channel key.

“14. The system of claim 1, wherein determining that the proof response is valid comprises one or more of: determining that the credential has not expired and determining that the credential includes a valid signature.

“15. The system of claim 1, wherein determining that the proof response is valid comprises determining that the credential is not revoked.

“16. The system of claim 15, wherein determining that the credential is not revoked comprises querying a revocation registry of the distributed ledger.

“17. The system of claim 1, wherein the processor is further configured to provide the secure cookie for device identification during a future execution.

“18. A method for credential authentication, comprising: receiving a request for authorization to access from an application stored on an authentication device; determining, using a processor, a set of credentials that enable authorization to access the application; generating a proof request challenge; determining whether the request for authorization comprises a secure cookie; in response to determining that the request for the authorization to access includes the secure cookie, determining a uniform record identifier using the secure cookie; in response to determining that the request for the authorization to access does not include the secure cookie, determining the uniform record identifier from an authorization QR code; providing the proof request challenge to the authentication device, wherein the proof request challenge comprises the uniform record identifier, and wherein the authentication device uses the uniform record identifier to pull down the proof request challenge from a server associated with the uniform record identifier; receiving a proof response from the authentication device, wherein the proof response comprises a credential, wherein the credential is selected from credentials of a set of credentials stored on the authentication device, and wherein the credential indicates at least one of 1) a user of the authentication device is a current employee of a company, 2) the user of the authentication device is employed in an organization of the company, 3) the user of the authentication device is employed in a location of the company, 4) the user of the authentication device has required training, and 5) the user of the authentication device has an outside credential issued by an outside credential issuer; determining that the proof response is valid based at least in part on determining that the credential is in the set of credentials that enable the authorization to access the application and that a decentralized identifier of the credential 
registered in a distributed ledger matches a key holder associated with the request for the authorization to access; and in response to determining that the proof response is valid: generating a token; and providing the token to the application, wherein the token authorizes the user of the authentication device to access the application.

“19. A computer program product for credential authentication, the computer program product being embodied in a non-transitory computer readable storage medium and comprising computer instructions for: receiving a request for authorization to access from an application stored on an authentication device; determining a set of credentials that enable authorization to access the application; generating a proof request challenge; determining whether the request for authorization comprises a secure cookie; in response to determining that the request for the authorization to access includes the secure cookie, determining a uniform record identifier using the secure cookie; in response to determining that the request for the authorization to access does not include the secure cookie, determining the uniform record identifier from an authorization QR code; providing the proof request challenge to the authentication device, wherein the proof request challenge comprises the uniform record identifier, and wherein the authentication device uses the uniform record identifier to pull down the proof request challenge from a server associated with the uniform record identifier; receiving a proof response from the authentication device, wherein the proof response comprises a credential, wherein the credential is selected from credentials of a set of credentials stored on the authentication device, and wherein the credential indicates at least one of 1) a user of the authentication device is a current employee of a company, 2) the user of the authentication device is employed in an organization of the company, 3) the user of the authentication device is employed in a location of the company, 4) the user of the authentication device has required training, and 5) the user of the authentication device has an outside credential issued by an outside credential issuer; determining that the proof response is valid based at least in part on determining that the credential is in the set of 
credentials that enable the authorization to access the application and that a decentralized identifier of the credential registered in a distributed ledger matches a key holder associated with the request for the authorization to access; and in response to determining that the proof response is valid: generating a token; and providing the token to the application, wherein the token authorizes the user of the authentication device to access the application.”
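
The validation sequence described in claims 1, 10 and 14-16, sketched as an added example; it is not code from the patent or from Workday. All names, keys and sample values are hypothetical, an HMAC stands in for the issuer and identity-key signatures, and in-memory dictionaries stand in for the distributed ledger and its revocation registry.

```python
import hashlib
import hmac
import json
import time

# Constructed sample data; none of these values come from the patent.
ENABLING_TYPES = {"current_employee", "required_training"}  # set that enables access
LEDGER = {"did:example:alice": b"alice-demo-key"}  # DID -> key holder's key
REVOCATION_REGISTRY = {"cred-0007"}  # revoked credential ids
ISSUER_KEY = b"issuer-demo-key"
TOKEN_KEY = b"token-demo-key"


def _mac(key, obj):
    """HMAC-SHA256 over canonical JSON: a stand-in for a real signature."""
    msg = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def _verify(key, obj, sig):
    return hmac.compare_digest(str(sig).encode(), _mac(key, obj).encode())


def issue_credential(cred_id, cred_type, holder_did, expires_at):
    body = {"id": cred_id, "type": cred_type, "holder": holder_did, "exp": expires_at}
    return {**body, "issuer_sig": _mac(ISSUER_KEY, body)}


def make_proof_response(challenge_uri, credential, holder_key):
    """Device side: sign the challenge URI together with the chosen credential."""
    payload = {"challenge": challenge_uri, "credential": credential}
    return {**payload, "holder_sig": _mac(holder_key, payload)}


def validate_proof_response(resp, challenge_uri, now):
    """Return (ok, reason); every check must pass before a token is issued."""
    cred = resp.get("credential")
    if not isinstance(cred, dict):
        return False, "no credential"
    # Assumption: the response is bound to the challenge it answers.
    if resp.get("challenge") != challenge_uri:
        return False, "challenge mismatch"
    body = {k: cred.get(k) for k in ("id", "type", "holder", "exp")}
    if not _verify(ISSUER_KEY, body, cred.get("issuer_sig")):
        return False, "invalid credential signature"
    if cred["type"] not in ENABLING_TYPES:
        return False, "credential not in enabling set"
    if cred["exp"] <= now:
        return False, "credential expired"
    if cred["id"] in REVOCATION_REGISTRY:
        return False, "credential revoked"
    holder_key = LEDGER.get(cred["holder"])
    payload = {"challenge": challenge_uri, "credential": cred}
    if holder_key is None or not _verify(holder_key, payload, resp.get("holder_sig")):
        return False, "DID does not match key holder"
    return True, "ok"


def authorize(resp, challenge_uri, now=None):
    now = time.time() if now is None else now
    ok, reason = validate_proof_response(resp, challenge_uri, now)
    if not ok:
        return None, reason
    claims = {"sub": resp["credential"]["holder"], "iat": int(now)}
    return {**claims, "mac": _mac(TOKEN_KEY, claims)}, reason
```

A production verifier would replace the HMAC with public-key signature verification against the key registered for the DID, so the ledger never holds a secret.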

For the URL and more information on this patent, see: Hamel, Bjorn. Digital credentials for primary factor authentication. U.S. Patent Number 11716320, filed March 26, 2019, and published online on August 1, 2023. Patent URL (for desktop use only): https://ppubs.uspto.gov/pubwebapp/external.html?q=(11716320)&db=USPAT&type=ids
