Patent Issued for System And Method For Secure Authenticated User Session Handoff (USPTO 10,826,895)
2020 NOV 16 (NewsRx) -- By a
The patent’s assignee for patent number 10,826,895 is
News editors obtained the following quote from the background information supplied by the inventors: “A native application provides a better user experience on a mobile device than a web application. However, a native application will typically have a smaller user base than a web application, so a new digital feature is usually implemented on the web application first. Until the digital feature is implemented on the native application, one temporary solution that extends the feature to the native application is to configure the native application to direct a mobile device’s internet browser to call the web application, thereby providing access to the digital feature on the mobile device.
“When sensitive information is to be exchanged between the native application and the web application, maintaining information security throughout the navigation from the native application to the web application is paramount. However, the connection between the native application and the internet browser is rarely secure. Thus, when the native application directs the internet browser to call the web application, the use of the internet browser must be authenticated. This requires interrupting the user session with a request and manual reentry and/or confirmation of login credentials via the internet browser. This interruption is highly inconvenient and degrades the user experience.
“The background discussion is intended to provide information related to the present invention which is not necessarily prior art.”
As a supplement to the background information on this patent, NewsRx correspondents also obtained the inventors’ summary information for this patent: “Embodiments of the present technology relate to systems, computer-implemented methods, and systems comprising computer-readable media for enabling user session persistence between a native application and a mobile internet browser.
“In one aspect, a computer-implemented method for enabling user session persistence between a native application and a mobile internet browser may be provided. The method may include: (1) authenticating a use of the native application; (2) issuing an authentication token to the native application; (3) receiving from the native application the authentication token in connection with a destination address; (4) obtaining first identifying data regarding a mobile device; (5) generating a key; (6) associating the key, the authentication token, the destination address, and the first identifying data regarding the mobile device together in a database; (7) encrypting the key to generate an encrypted key; (8) transmitting the encrypted key to the native application; (9) receiving from a mobile internet browser the encrypted key; (10) obtaining second identifying data in connection with the encrypted key; (11) decrypting the encrypted key to generate a decrypted key; (12) locating the authentication token, the destination address, and the first identifying data within the database using the decrypted key; and (13) confirming that the mobile internet browser is executing on the mobile device based at least in part on a comparison of the first identifying data and the second identifying data.
“In another aspect, a system for enabling user session persistence between a native application and an internet browser may be provided. The system may include a mobile device having the native application and the internet browser executing thereon and a server in communication with the mobile device. The server may include a token management database, an authentication service, an authenticated redirect cache service, and a web application pre-launcher. The authentication service may be configured to: (1) receive login credentials from the native application; (2) verify the login credentials; (3) generate a session token; and (4) transmit the session token to the native application. The authenticated redirect cache service may be configured to: (1) receive from the native application the session token, a first client token, and a desired universal resource identifier (URI); (2) obtain first identifying data from the native application regarding the mobile device; (3) generate a server token; (4) encrypt the server token to generate an encrypted server token; (5) store the server token, the first client token, the desired URI, and the first identifying data in association in the token management database; and (6) transmit the encrypted server token to the native application. The web application pre-launcher may be configured to: (1) receive from the internet browser a second client token and the encrypted server token; (2) obtain second identifying data from the internet browser regarding the mobile device and in connection with the encrypted server token; and (3) provide the second client token, the encrypted server token, and the second identifying data to the authenticated redirect cache service as a redirect request. 
The authenticated redirect cache service may be further configured to: (1) decrypt the encrypted server token to determine a pointer to a location in the token management database; (2) retrieve the first client token and the first identifying data from the location in the token management database; (3) confirm that the redirect request originated with the mobile device at least in part by verifying respectively that the first client token matches the second client token, and that the first identifying data is consistent with the second identifying data; and (4) transmit the session token and the desired URI to the internet browser via the web application pre-launcher.
“In another aspect, a system comprising computer-readable media for enabling user session persistence between a native application and a mobile internet browser on a mobile device may be provided. The system may include a first non-transitory computer-readable medium with a program stored thereon, wherein the program instructs one or more processing elements of a server to perform the following: (1) authenticate a use of the native application; (2) issue an authentication token to the native application; (3) receive from the native application the authentication token in connection with a destination address; (4) obtain first identifying data regarding the mobile device; (5) generate a key; (6) associate the key, the authentication token, the destination address, and the first identifying data regarding the mobile device together in a database; (7) encrypt the key to generate an encrypted key; (8) transmit the encrypted key to the native application; (9) receive the encrypted key from the mobile internet browser; (10) obtain second identifying data in connection with the received encrypted key; (11) decrypt the encrypted key to generate a decrypted key; (12) locate the authentication token, the destination address, and the first identifying data within the database using the decrypted key; and (13) confirm that the mobile internet browser is executing on the mobile device based at least in part on a comparison of the first identifying data and the second identifying data.
“In another aspect, a system comprising computer-readable media for enabling user session persistence between a native application and a mobile internet browser on a mobile device may be provided. The system may include a first non-transitory computer-readable medium with a program stored thereon, wherein the program instructs one or more processing elements of a server to perform the following: (1) receive login credentials from the native application; (2) verify the login credentials; (3) generate a session token; (4) transmit the session token to the native application; (5) receive from the native application the session token, a first client token, and a desired URI; (6) obtain first identifying data from the native application regarding the mobile device; (7) generate a server token; (8) encrypt the server token to generate an encrypted server token; (9) store the server token, the first client token, the desired URI, and the first identifying data in association in a token management database; (10) transmit the encrypted server token to the native application; (11) receive from the internet browser a second client token and the encrypted server token; (12) obtain second identifying data from the internet browser regarding the mobile device and in connection with the encrypted server token; (13) decrypt the encrypted server token to determine a pointer to a location in the token management database; (14) retrieve the first client token and the first identifying data from the location in the token management database; (15) confirm that the internet browser is executing on the mobile device at least in part by verifying respectively that the first client token matches the second client token, and that the first identifying data is consistent with the second identifying data; and (16) transmit the session token and the desired URI to the internet browser via the web application.
“Advantages of these and other embodiments will become more apparent to those skilled in the art from the following description of the exemplary embodiments which have been shown and described by way of illustration. As will be realized, the present embodiments described herein may be capable of other and different embodiments, and their details are capable of modification in various respects. Accordingly, the drawings and description are to be regarded as illustrative in nature and not as restrictive.”
The claims supplied by the inventors are:
“We claim:
“1. A computer-implemented method for enabling user session persistence between a native application and a mobile internet browser on a mobile device, the method comprising: authenticating a use of the native application; issuing an authentication token to the native application; receiving from the native application the authentication token in connection with a destination address; obtaining first identifying data regarding the mobile device; generating a key; associating the key, the authentication token, the destination address, and the first identifying data regarding the mobile device together in a database; encrypting the key to generate an encrypted key; transmitting the encrypted key to the native application; receiving from a mobile internet browser the encrypted key; obtaining second identifying data in connection with the encrypted key; decrypting the encrypted key to generate a decrypted key; locating the authentication token, the destination address, and the first identifying data within the database using the decrypted key; and confirming that the mobile internet browser is executing on the mobile device based at least in part on a comparison of the first identifying data and the second identifying data.
“2. The method of claim 1, further including-- transmitting the destination address and the authentication token to the mobile internet browser; receiving, at a server corresponding to the destination address, the authentication token from the mobile internet browser; authenticating a use of the server by the mobile internet browser based on the authentication token.
“3. The method of claim 2, wherein the step of transmitting the destination address and the authentication token to the mobile internet browser includes injecting the authentication token into a session cookie.
“4. The method of claim 1, further including-- receiving from the native application a client token; associating the client token with the key, the authentication token, the destination address, and the first identifying data in the database; receiving the client token from the mobile internet browser, wherein confirming that the mobile internet browser is executing on the mobile device includes matching the client token against the client token of the database.
“5. The method of claim 1, wherein the destination address points to a computing device executing a mobile web application.
“6. The method of claim 1, wherein the database is a token management database.
“7. The method of claim 1, further including deleting at least one of the key, the authentication token, the destination address, and the first identifying data from the database after comparison of the first identifying data against the second identifying data.
“8. The method of claim 1, wherein the first identifying data and the second identifying data each includes an IP address.
“9. The method of claim 1, wherein the first identifying data and the second identifying data each includes GPS coordinates.
“10. The method of claim 1, wherein the first identifying data and the second identifying data each includes biometric data of a user.
“11. The method of claim 1, wherein authentication of the use of the native application includes receiving login credentials.
“12. The method of claim 11, wherein the login credentials include a username and password.
“13. The method of claim 1, wherein the encrypted key is passed between the native application and the mobile internet browser in the mobile device via an insecure connection.
“14. The method of claim 13, wherein the encrypted key is subject to expiration after a set time.
“15. The method of claim 1, wherein the destination address comprises a HTTP 302 redirect.
“16. The method of claim 1, wherein the destination address points to a web server configured to provide access to sensitive user data.
“17. The method of claim 1, further including transmitting a notification to the native application if the first identifying data does not match the second identifying data.
“18. The method of claim 17, wherein the communications take place during a user session, further including deleting all data received during the user session from the mobile device via the native application based, at least in part, on the notification.
“19. The system of claim 18, wherein each of the first identifying data and the second identifying data is an IP address.
“20. A system for enabling user session persistence between a native application and an internet browser, the system comprising: a mobile device having the native application and the internet browser installed thereon; a server in communication with the mobile device, the server including-- a token management database; an authentication service configured to-- receive login credentials from the native application; verify the login credentials; generate a session token; transmit the session token to the native application; an authenticated redirect cache service configured to-- receive from the native application the session token, a first client token, and a desired URI; obtain first identifying data from the native application regarding the mobile device; generate a server token; encrypt the server token to generate an encrypted server token; store the server token, the first client token, the desired URI, and the first identifying data in association in the token management database; transmit the encrypted server token to the native application; and a web application pre-launcher configured to-- receive from the internet browser a second client token and the encrypted server token; obtain second identifying data from the internet browser regarding the mobile device and in connection with the encrypted server token; provide the second client token, the encrypted server token, and the second identifying data to the authenticated redirect cache service as a redirect request; wherein the authenticated redirect cache service is further configured to-- decrypt the encrypted server token to determine a pointer to a location in the token management database; retrieve the first client token and the first identifying data from the location in the token management database; confirm that the redirect request originated with the mobile device at least in part by verifying respectively that the first client token matches the second client token, and that the first identifying data is consistent with the second identifying data; transmit the session token and the desired URI to the internet browser via the web application pre-launcher.”
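The server side of the handoff described in the inventors' summary and in claims 4, 7, 14 and 17, as an added Python sketch that is not the patent's, the inventors' or the assignee's code. It assumes an HMAC-sealed blob with an expiry in place of the patent's encryption of the server token (the standard library has no authenticated cipher), a constructed credential store, and in-memory dicts for the session store and the token management database.

```python
import hashlib, hmac, secrets, time

SEAL_KEY = secrets.token_bytes(32)           # server secret for sealing server tokens (constructed)
TOKEN_TTL = 60                               # claim 14: sealed key expires after a set time (seconds)
USERS = {"alice": "correct horse battery"}   # constructed credential store
sessions = {}        # authentication service: session token -> username
redirect_cache = {}  # token management database: server token -> handoff entry
notifications = []   # claim 17: mismatch notifications destined for the native app

def authenticate(username, password):
    """Authentication service: verify login credentials and issue a session token."""
    if not hmac.compare_digest(USERS.get(username, ""), password):
        raise PermissionError("bad credentials")
    token = secrets.token_urlsafe(32)
    sessions[token] = username
    return token

def seal(server_token, exp):
    """Stand-in for 'encrypt the server token': opaque HMAC-sealed blob carrying an expiry."""
    body = f"{server_token}.{exp}"
    tag = hmac.new(SEAL_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"

def unseal(blob, now):
    """Stand-in for 'decrypt': check the seal and expiry, return the database pointer or None."""
    parts = blob.split(".")
    if len(parts) != 3:
        return None
    server_token, exp, tag = parts
    good = hmac.new(SEAL_KEY, f"{server_token}.{exp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(good, tag) or not exp.isdigit() or now > int(exp):
        return None
    return server_token

def request_handoff(session_token, client_token, uri, device_data, now=None):
    """Authenticated redirect cache service: record the handoff, return the sealed pointer."""
    if session_token not in sessions:
        raise PermissionError("unknown session")
    now = time.time() if now is None else now
    server_token = secrets.token_hex(16)     # random pointer into the token management database
    redirect_cache[server_token] = {"session": session_token, "client": client_token,
                                    "uri": uri, "device": device_data}
    return seal(server_token, int(now) + TOKEN_TTL)

def complete_handoff(sealed, client_token, device_data, now=None):
    """Pre-launcher + redirect cache service: validate what the browser presents (claims 4, 7, 17)."""
    now = time.time() if now is None else now
    entry = redirect_cache.pop(unseal(sealed, now), None)   # claim 7: one-shot, deleted on first use
    if entry is None:
        return None
    if not hmac.compare_digest(entry["client"], client_token) or entry["device"] != device_data:
        notifications.append(("mismatch", entry["session"]))  # claim 17: alert the native app
        return None
    return {"session_token": entry["session"], "uri": entry["uri"]}  # claims 2/3: goes into a session cookie
```

The sealed pointer carries no session token, so a blob observed on the insecure app-to-browser hop (claim 13) is worthless after first use, after expiry, or from a device whose identifying data does not match.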
For additional information on this patent, see: Krut, Derek; Broadstone, Neill; Muppalla, Sekhar; Littell, Gary L. System And Method For Secure Authenticated User Session Handoff.