Patent Issued for Digital credentials for step-up authentication (USPTO 11531783): Workday Inc.
2023 JAN 09 (NewsRx) -- By a
The assignee for this patent, patent number 11531783, is
Reporters obtained the following quote from the background information supplied by the inventors: “A database system distributes cryptographic digital credentials to a user to allow the user to prove qualifications (e.g., a degree, employment experience, health insurance coverage, etc.). Credentials can be assigned to a user by a trusted third party client of the database system (e.g., a university, an insurer). Digital credentials can be used to authenticate access to a sensitive task within an application; however, using credentials for authentication requires a system designed to use the credentials securely.”
In addition to obtaining background information on this patent, NewsRx editors also obtained the inventors’ summary information for this patent: “The invention can be implemented in numerous ways, including as a process; an apparatus; a system; a composition of matter; a computer program product embodied on a computer readable storage medium; and/or a processor, such as a processor configured to execute instructions stored on and/or provided by a memory coupled to the processor. In this specification, these implementations, or any other form that the invention may take, may be referred to as techniques. In general, the order of the steps of disclosed processes may be altered within the scope of the invention. Unless stated otherwise, a component such as a processor or a memory described as being configured to perform a task may be implemented as a general component that is temporarily configured to perform the task at a given time or a specific component that is manufactured to perform the task. As used herein, the term ‘processor’ refers to one or more devices, circuits, and/or processing cores configured to process data, such as computer program instructions.
“A detailed description of one or more embodiments of the invention is provided below along with accompanying figures that illustrate the principles of the invention. The invention is described in connection with such embodiments, but the invention is not limited to any embodiment. The scope of the invention is limited only by the claims and the invention encompasses numerous alternatives, modifications and equivalents. Numerous specific details are set forth in the following description in order to provide a thorough understanding of the invention. These details are provided for the purpose of example and the invention may be practiced according to the claims without some or all of these specific details. For the purpose of clarity, technical material that is known in the technical fields related to the invention has not been described in detail so that the invention is not unnecessarily obscured.
“The system for digital credentialing is designed to empower individual users to own their verifiable professional identity and to be able to enable this identity to be useable in scenarios where a verified identity allows access by providing proof of identity. An application might use the system to prove the identity or verify a user’s access ability to something. The application queries the system regarding a proof of identity and the user provides the proof using a credential to the system that is ultimately passed to the application to prove identity of the user. The system allows an application developer to pick attributes that an application challenges for and the sources that will satisfy any given challenge. The proof of identity is embodied in a digital credential that is able to be secured using a combination of cryptography and a distributed ledger (e.g., a decentralized ledger, a permissioned ledger, a public ledger, etc.) to assure legitimacy of the proof of identity.
“A system for digital credentialing receives the digital credential from a credential issuing system. The system for digital credentialing stores user information for the user. The system for digital credentialing further determines a set of credentials available to the user based on the user information as well as stores a record of previously issued credentials. The credentials comprise categories satisfied by the user information at differing levels of specificity (e.g., greater than an amount, in a range of amounts, less than an amount, etc.). For example, in the case where the user comprises an employee earning
“In various embodiments, a credential comprises data that is validated or verified to be authentic, for example, data verifying academic diplomas, academic degrees, certifications, security clearances, identification documents, badges, passwords, user names, keys, powers of attorney, human resource data, personal information, or any other relevant information,”
The claims supplied by the inventors are:
“1. A system for credential authentication, comprising: an interface configured to: receive a request from an application for authorization to access, wherein access to the application is requested by a user; and receive a task request from the application for authorization to access a task, wherein access to the task is requested by the user; and a processor configured to: authenticate the request from the application for authorization to access; determine that the task comprises a sensitive task; determine a user authentication device; provide a challenge for a digital credential to the user authentication device, wherein the digital credential is backed by data stored in a distributed ledger, wherein the user authentication device: determines a credential request from the challenge; determines one or more credentials that match the credential request; provides a credential list including the one or more credentials to the user; and receives a selection from the user of at least one credential of the one or more credentials; receive a response from the user authentication device, wherein the response comprises the at least one credential; determine the response is valid using the distributed ledger; and provide an authorization to access the sensitive task when the response is determined to be valid.
“2. The system of claim 1, wherein the challenge for the digital credential to the user authentication device is based at least in part on rules.
“3. The system of claim 1, wherein the task request from the application for authorization to access the sensitive task is received via an encrypted JSON message.
“4. The system of claim 1, wherein the application prompts the user to confirm access to the sensitive task prior to providing the task request for authorization to access the sensitive task.
“5. The system of claim 1, wherein authenticating the request from the application for authorization to access comprises providing an access token to the application.
“6. The system of claim 1, wherein the processor is further configured to validate a signature on the task request from the application for authorization to access the task.
“7. The system of claim 1, wherein the processor is further configured to determine a user identifier based at least in part on the request from an application for authorization to access.
“8. The system of claim 7, wherein the processor is further configured to determine the user authentication device based at least in part on the user identifier.
“9. The system of claim 1, wherein the response is encrypted.
“10. The system of claim 9, wherein the response is encrypted with a per-channel key.
“11. The system of claim 1, wherein the response comprises the challenge signed with a user authentication device private key.
“12. The system of claim 11, wherein the user authentication device signs the challenge with the user authentication device private key in response to user provided biometric data.
“13. The system of claim 12, wherein determining the response is valid comprises validating the challenge signature.
“14. The system of claim 1, wherein the credential is selected from a credential wallet.
“15. The system of claim 1, wherein the challenge to the user authentication device comprises a set of credentials for satisfying the challenge.
“16. The system of claim 15, wherein the set of credentials is based at least in part on a context of the task and on rules that enable access.
“17. The system of claim 1, wherein the processor is further configured to access a public key in the distributed ledger and verify the public key corresponds to a decentralized identifier stored by the credential.
“18. The system of claim 1, wherein determining the response is valid comprises determining that the credential is not expired and that the credential comprises a valid signature associated with the user.
“19. The system of claim 1, wherein determining the response is valid comprises querying the distributed ledger to determine that the credential is not revoked.
“20. A method for credential authentication, comprising: receiving a request from an application for authorization to access, wherein access to the application is requested by a user; receiving a request from the application for authorization to access a task, wherein access to the task is requested by the user; authenticating, using a processor, the request from the application for authorization to access; determining that the task comprises a sensitive task; determining a user authentication device; providing a challenge for a digital credential to the user authentication device, wherein the digital credential is backed by data stored in a distributed ledger, wherein the user authentication device: determines a credential request from the challenge; determines one or more credentials that match the credential request; provides a credential list including the one or more credentials to the user; and receives a selection from the user of at least one credential of the one or more credentials; receiving a response from the user authentication device, wherein the response comprises the at least one credential; determining the response is valid using the distributed ledger; and providing an authorization to access the sensitive task when the response is determined to be valid.
“21. A computer program product for credential authentication, the computer program product being embodied in a non-transitory computer readable storage medium and comprising computer instructions for: receiving a request from an application for authorization to access, wherein access to the application is requested by a user; receiving a request from the application for authorization to access a task, wherein access to the task is requested by the user; authenticating the request from the application for authorization to access; determining that the task comprises a sensitive task; determining a user authentication device; providing a challenge for a digital credential to the user authentication device, wherein the digital credential is backed by data stored in a distributed ledger, wherein the user authentication device: determines a credential request from the challenge; determines one or more credentials that match the credential request; provides a credential list including the one or more credentials to the user; and receives a selection from the user of at least one credential of the one or more credentials; receiving a response from the user authentication device, wherein the response comprises the at least one credential; determining the response is valid using the distributed ledger; and providing an authorization to access the sensitive task when the response is determined to be valid.”
For more information, see this patent: Hamel, Bjorn. Digital credentials for step-up authentication.