Patent Issued for Digital credentials for user device authentication (USPTO 11770261): Workday Inc.
2023 OCT 18 (NewsRx) -- By a
The patent’s inventors are Hamel, Bjorn (
This patent was filed on
From the background information supplied by the inventors, news correspondents obtained the following quote: “A database system distributes cryptographic digital credentials to a user to allow the user to prove qualifications (e.g., a degree, employment experience, health insurance coverage, etc.). Credentials can be assigned to a user by a trusted third party client of the database system (e.g., a university, an insurer). Digital credentials can be used to authenticate a device login to an application system; however, using credentials for authentication requires a system designed to use the credentials securely. Once the device has completed a secure connection to the application system the user should be able to make new connections without needing to reuse the credential for a period of time. However, this creates a problem: if the authenticated user leaves his desk, an adversarial user can use the device credential to gain access. This type of attack must be prevented.”
Supplementing the background information on this patent, NewsRx reporters also obtained the inventors’ summary information for this patent: “The invention can be implemented in numerous ways, including as a process; an apparatus; a system; a composition of matter; a computer program product embodied on a computer readable storage medium; and/or a processor, such as a processor configured to execute instructions stored on and/or provided by a memory coupled to the processor. In this specification, these implementations, or any other form that the invention may take, may be referred to as techniques. In general, the order of the steps of disclosed processes may be altered within the scope of the invention. Unless stated otherwise, a component such as a processor or a memory described as being configured to perform a task may be implemented as a general component that is temporarily configured to perform the task at a given time or a specific component that is manufactured to perform the task. As used herein, the term ‘processor’ refers to one or more devices, circuits, and/or processing cores configured to process data, such as computer program instructions.
“A detailed description of one or more embodiments of the invention is provided below along with accompanying figures that illustrate the principles of the invention. The invention is described in connection with such embodiments, but the invention is not limited to any embodiment. The scope of the invention is limited only by the claims and the invention encompasses numerous alternatives, modifications and equivalents. Numerous specific details are set forth in the following description in order to provide a thorough understanding of the invention. These details are provided for the purpose of example and the invention may be practiced according to the claims without some or all of these specific details. For the purpose of clarity, technical material that is known in the technical fields related to the invention has not been described in detail so that the invention is not unnecessarily obscured.
“The system for digital credentialing is designed to empower individual users to own their verifiable professional identity and to be able to enable this identity to be usable in scenarios where a verified identity allows access by providing proof of identity. An application might use the system to prove the identity or verify a user’s access ability to something. The application queries the system regarding a proof of identity and the user provides the proof using a credential to the system that is ultimately passed to the application to prove identity of the user. The system allows an application developer to pick attributes that an application challenges for and the sources that will satisfy any given challenge. The proof of identity is embodied in a digital credential that is able to be secured using a combination of cryptography and a distributed ledger (e.g., a decentralized ledger, a permissioned ledger, a public ledger, etc.) to assure legitimacy of the proof of identity.
“A system for digital credentialing receives the digital credential from a credential issuing system. The system for digital credentialing stores user information for the user. The system for digital credentialing further determines a set of credentials available to the user based on the user information as well as stores a record of previously issued credentials. The credentials comprise categories satisfied by the user information at differing levels of specificity (e.g., greater than an amount, in a range of amounts, less than an amount, etc.). For example, in the case where the user comprises an employee earning
“In various embodiments, a credential comprises data that is validated or verified to be authentic, for example, data verifying academic diplomas, academic degrees, certifications, security clearances, identification documents, badges, passwords, user names, keys, powers of attorney, human resource data, personal information, or any other relevant information,”
The claims supplied by the inventors are:
“1. A system for credential authentication, comprising: an interface configured to: receive a request from an application for authorization to access, wherein access to the application is requested by a user using a user device; and a hardware processor configured to: provide an authentication request to the user device; receive a device credential, wherein the device credential is backed by data stored in a distributed ledger; determine a user identifier and an authentication device associated with the user based at least in part on the device credential, wherein the authentication device is different from the user device; provide a proof request to the authentication device, wherein the proof request comprises an indication of a set of credentials that can be used to authorize access to the application; receive a proof response, wherein the proof response is created by the authentication device, and wherein the proof response comprises a credential of the set of credentials; determine that the proof response is valid by determining that a credential signature corresponding to the device credential is valid by checking the device credential against the data stored in the distributed ledger; generate a lease key, wherein the lease key grants access to the user device for a predetermined period of time, and wherein the lease key is encrypted using a public key of the authentication device to create an encrypted lease key; provide the encrypted lease key and an authentication token to the user device, wherein the user device accesses the authentication device using a proximity communication protocol to decrypt the encrypted lease key, and wherein the authentication device decrypts the lease key and signs the authentication token using the lease key to create a signed token; receive the signed token from the authentication device; and in response to a determination that the signed token is valid, generate a login token and provide the login token to the application to verify login and grant the user the requested access to the application.
“2. The system of claim 1, wherein the authentication request comprises a universal second factor authentication request.
“3. The system of claim 1, wherein the processor is further configured to determine the set of credentials that can be used to authorize access to the application.
“4. The system of claim 3, wherein the set of credentials is determined using rules.
“5. The system of claim 1, wherein the authentication device includes a credential wallet that is able to be unlocked by the user.
“6. The system of claim 5, wherein the credential wallet is unlocked using a biometric.
“7. The system of claim 5, wherein the credential of the set of credentials is retrieved from the credential wallet.
“8. The system of claim 7, wherein the credential of the set of credentials retrieved from the credential wallet is based at least in part on rules specified in the proof request.
“9. The system of claim 1, wherein the proof response is signed with an authentication device private key.
“10. The system of claim 1, wherein determining that the proof response is valid further comprises determining that a credential is not revoked.
“11. The system of claim 1, wherein the processor is further configured to generate a session keypair for a pairing of the user device and the user.
“12. The system of claim 11, wherein there is a time period associated with the session keypair.
“13. The system of claim 12, wherein the time period comprises 1 week, 1 day, or 1 hour.
“14. The system of claim 11, wherein the processor is further configured to store a public key component of the session keypair.
“15. The system of claim 14, wherein the public key component of the session keypair is stored in a storage device for session leases.
“16. The system of claim 11, wherein the processor is further configured to provide a private key component of the session keypair to the user device.
“17. The system of claim 16, wherein the processor is further configured to encrypt the private key component of the session keypair.
“18. The system of claim 17, wherein the private key component of the session keypair is encrypted with an authentication device public key.
“19. The system of claim 11, wherein the private key component of the session keypair is encrypted and stored by the user device.
“20. The system of claim 16, wherein the processor is further configured to provide an authentication request to the user device comprising a presigned token and receive an authentication response from the user device, wherein the authentication response is signed with the private key component of the session keypair.
“21. The system of claim 20, wherein the processor is further configured to validate the authentication response from the user device, wherein validating the authentication response comprises checking a device signature of the authentication response.
“22. The system of claim 21, wherein the login token is generated in response to a positive validation of the authentication response from the user device.
“23. The system of claim 1, wherein the processor is further configured to receive a second request from a second application for authorization to access, wherein access to the second application is requested by the user using the user device.
“24. The system of claim 23, wherein the processor is further configured to provide a second authentication request to the user device.
“25. The system of claim 24, wherein the second authentication request comprises a universal second factor authentication request.
“26. The system of claim 24, wherein the processor is further configured to receive a second authentication response from the user device, wherein the second authentication response is signed with a private key component of a session keypair.
“27. The system of claim 26, wherein the second authentication response is generated by and provided to the user device, wherein the second authentication response is generated by: 1) determining that an encrypted private key component of the session keypair is available; 2) providing the encrypted private key component of the session keypair to the authentication device for decryption; 3) receiving at the authentication device a decrypted private key component of the session keypair; and 4) generating the second authentication response that is signed using the private key component of the session keypair.
“28. The system of claim 27, wherein an authentication device challenge is provided to the authentication device via the proximity communication protocol.
“29. The system of claim 1, wherein the proximity communication protocol comprises Bluetooth or NFC.
“30. The system of claim 1, wherein the processor is further configured to determine a distance between the authentication device and the user device is less than a threshold distance.
“31. A method for credential authentication, comprising performing by a hardware processor: receiving a request from an application for authorization to access, wherein access to the application is requested by a user using a user device; providing, using a processor, an authentication request to the user device; receiving a device credential, wherein the device credential is backed by data stored in a distributed ledger; determining a user identifier and an authentication device associated with the user based at least in part on the device credential, wherein the authentication device is different from the user device; providing a proof request to the authentication device, wherein the proof request comprises an indication of a set of credentials that can be used to authorize access to the application; receiving a proof response, wherein the proof response is created by the authentication device, and wherein the proof response comprises a credential of the set of credentials; determining that the proof response is valid by determining that a credential signature corresponding to the device credential is valid by checking the device credential against the data stored in the distributed ledger; generating a lease key, wherein the lease key grants access to the user device for a predetermined period of time, and wherein the lease key is encrypted using a public key of the authentication device to create an encrypted lease key; providing the encrypted lease key and an authentication token to the user device, wherein the user device accesses the authentication device using a proximity communication protocol to decrypt the encrypted lease key, and wherein the authentication device decrypts the lease key and signs the authentication token using the lease key to create a signed token; receiving the signed token from the authentication device; and in response to a determination that the signed token is valid, generating a login token and providing the login token to the application to verify login and grant the user the requested access to the application.”
There are additional claims. Please visit full patent to read further.
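The lease-key exchange of claim 1, together with the session-keypair claims (11 through 22), as an added worked example in Go. This is not Workday's code and not the patent's implementation; it is written here to show why the "user leaves his desk" problem from the background is answered by encrypting the lease key to the authentication device. It assumes an Ed25519 keypair as the lease (session) key, ephemeral-static X25519 with AES-256-GCM as the "encrypted using a public key of the authentication device" step, a direct method call standing in for the Bluetooth or NFC proximity channel, and that the credential proof and its distributed-ledger check have already succeeded before the lease is issued. All type and function names, the lease id format and the tokens are the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// must panics on setup failures (RNG, cipher construction); protocol failures are returned as errors.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// SealedLease is all the user device stores: the lease (session) private key encrypted to the authentication device.
type SealedLease struct{ EphPub, Nonce, Box []byte }

// aeadFor derives the AES-256-GCM key from the X25519 shared secret and both public keys (SHA-256 as a stand-in KDF).
func aeadFor(shared, ephPub, devPub []byte) cipher.AEAD {
	key := sha256.Sum256(append(append(append([]byte{}, shared...), ephPub...), devPub...))
	return must(cipher.NewGCM(must(aes.NewCipher(key[:]))))
}

// AuthDevice is the phone-like authentication device: it holds the X25519 key leases are sealed to
// and signs with a lease key without releasing it. A nil *AuthDevice models "not in proximity".
type AuthDevice struct{ priv *ecdh.PrivateKey }

func NewAuthDevice() *AuthDevice { return &AuthDevice{must(ecdh.X25519().GenerateKey(rand.Reader))} }

// SignWithLease is what the user device calls over the proximity channel: the authentication
// device decrypts the lease key and signs the token with it (claim 1).
func (d *AuthDevice) SignWithLease(s *SealedLease, token []byte) ([]byte, error) {
	if d == nil {
		return nil, errors.New("authentication device not in proximity")
	}
	ephPub, err := ecdh.X25519().NewPublicKey(s.EphPub)
	if err != nil {
		return nil, err
	}
	aead := aeadFor(must(d.priv.ECDH(ephPub)), s.EphPub, d.priv.PublicKey().Bytes())
	priv, err := aead.Open(nil, s.Nonce, s.Box, nil) // fails for another device's blob or a tampered one
	if err != nil {
		return nil, errors.New("lease not sealed to this authentication device")
	}
	return ed25519.Sign(ed25519.PrivateKey(priv), token), nil
}

// Server keeps, per lease, only the public half and the expiry, never the private key (claims 14-15).
type lease struct{ pub ed25519.PublicKey; expires time.Time }
type Server struct{ leases map[string]lease }

// IssueLease runs after the credential proof (its ledger check is assumed to have passed): it creates
// a session keypair, records the public key with its expiry, and seals the private key to the device.
func (s *Server) IssueLease(devPub *ecdh.PublicKey, ttl time.Duration, now time.Time) (string, *SealedLease) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	id := fmt.Sprintf("lease-%x", pub[:4]) // constructed id format for this example
	s.leases[id] = lease{pub: pub, expires: now.Add(ttl)}
	// Ephemeral-static X25519 + AES-GCM: only the holder of the device's private key can unseal.
	eph := must(ecdh.X25519().GenerateKey(rand.Reader))
	aead := aeadFor(must(eph.ECDH(devPub)), eph.PublicKey().Bytes(), devPub.Bytes())
	nonce := make([]byte, aead.NonceSize())
	must(rand.Read(nonce))
	return id, &SealedLease{eph.PublicKey().Bytes(), nonce, aead.Seal(nil, nonce, priv, nil)}
}

// Verify checks the signed token against the stored lease public key and expiry and returns the login token.
func (s *Server) Verify(id string, token, sig []byte, now time.Time) (string, error) {
	rec, ok := s.leases[id]
	if !ok || !now.Before(rec.expires) {
		return "", errors.New("lease unknown or expired: a fresh credential proof is required")
	}
	if !ed25519.Verify(rec.pub, token, sig) {
		return "", errors.New("signature does not verify under the lease key")
	}
	return "login:" + id, nil
}

func main() {
	dev, srv, now := NewAuthDevice(), &Server{leases: map[string]lease{}}, time.Now()
	id, sealed := srv.IssueLease(dev.priv.PublicKey(), time.Hour, now)
	tok := make([]byte, 32) // the authentication token the server sends for this connection
	must(rand.Read(tok))
	sig, err := dev.SignWithLease(sealed, tok) // a nil *AuthDevice here fails: no phone nearby, no signature
	if err != nil {
		panic(err)
	}
	fmt.Println(srv.Verify(id, tok, sig, now.Add(time.Minute)))
}
```

The point to take from it: the user device never holds a usable private key, only a ciphertext it cannot open, so whoever sits down at the unattended desk has nothing to sign with, and a copy of the sealed lease carried to a different authentication device fails to unseal. The server stores only the public half with its expiry, so once the lease period of claims 12-13 has passed the stored key stops verifying and the full credential proof is required again. Claims 26-27 describe a variant in which the authentication device decrypts the session private key and the user device itself produces the signed response; the example keeps signing on the authentication device as in claim 1, so the decrypted key never sits in the user device's memory.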
For the URL and additional information on this patent, see: Hamel, Bjorn. Digital credentials for user device authentication.
(Our reports deliver fact-based news of research and discoveries from around the world.)