Patent Issued for Systems and methods for device binding across multiple domains using an authentication domain (USPTO 11831754): Aetna Inc.
2023 DEC 20 (NewsRx) -- By a
The assignee for this patent, patent number 11831754, is
Reporters obtained the following quote from the background information supplied by the inventors: “An organization such as an enterprise organization (e.g., company) may provide multiple different services that are hosted and/or operated on multiple different domains/servers. For instance, an organization may provide a first service such as a pharmacy service (e.g., prescription pick-up service) and a second service such as a grocery service (e.g., a grocery pick-up service). As compared to the grocery service, the pharmacy service may have drastically different procedures that are implemented so as to ensure the prescription for a particular user is accurate. In addition, other organizations may also provide additional services that are hosted by additional domains/servers.
“Traditionally, to access content hosted on these different domains (e.g., request and pick-up a prescription), the user may use a user device to log-onto the domain by providing their user credentials such as a user identifier (ID) and password. Additionally, the user device may generate, create, and use a key pair (e.g., a public and private key) to bind the device with the domain. The key pair may be used to encrypt/decrypt information being sent to and being received from the particular domain. Each domain may have its own key pair for encrypting/decrypting the information. However, using multiple key pairs may be burdensome especially for the user as they have to register for a different account for each domain individually. Furthermore, each domain may require further authentication steps such as providing biometric authentications from the user and each added process may increase the burden on the user. Accordingly, there remains a technical need to bind a user device to multiple different domains.”
In addition to obtaining background information on this patent, NewsRx editors also obtained the inventors’ summary information for this patent: “In some examples, the present application provides a method and system for device binding across multiple domains using an authentication domain. For example, a user may use a user device to request access for content on a first domain that is hosted and/or managed by a first system (e.g., a first authentication server). A system such as an authentication domain system may intercept the request and/or redirect the user device to an authentication domain that is hosted by an authentication domain system. The authentication domain system may check to see whether the user device has already enrolled into a key pair authentication with the server. If not, the authentication domain system may enroll the user device into the key pair authentication. For instance, the authentication domain system may request and the user device may provide a public key of a private and public key pair. The private and public key pair might not be associated solely with the first domain, but rather it may be associated with the authentication domain. Using the private and public key pair for the authentication domain, the user device may be granted access to content on the first domain.
“Subsequently, the user device may request access for content on a second domain that is hosted and/or managed by a second system (e.g., the second authentication server). The authentication domain system may redirect the user device to the authentication domain and check to see whether the user device has enrolled into the key pair authentication. Due to the user device enrolling into the key pair authentication for the first domain, the authentication domain system may determine the user device has already enrolled into the key pair authentication. Therefore, the user device may be granted access to content on the second domain using the private and public key pair for the authentication domain. In other words, rather than creating a completely new private and public key pair for the second domain, the user device may be able to access content on the second domain using an already created private and public key pair. This already created private and public key pair may be generated when the user device requests access to content on the first domain and may further be for an authentication domain rather than an individual domain such as the first domain and/or the second domain.
“In one aspect, a method for authenticating a user using key pair authentication is provided. The method comprises: in response to a user request requesting access to content on a first domain, enrolling, by a user device, the user into key pair authentication by generating a private and public key pair for an authentication domain; accessing the content on the first domain based on enrolling the user into the key pair authentication with a key pair authentication server using the private and public key pair for the authentication domain; requesting, by the user device, access for different content on a second domain; based on enrolling the user into the key pair authentication for the first domain, redirecting, by the user device, a browser from the second domain to the authentication domain; and accessing, by the user device, the different content on the second domain based on performing the key pair authentication with the key pair authentication server using the private and public key pair for the authentication domain.
“Examples may include one of the following features, or any combination thereof. For instance, in some examples, the method further comprises: based on authenticating user credentials for the first domain, redirecting, by the user device, the browser from the first domain to the authentication domain.
“In some instances, the key pair authentication server is a fast identity online (FIDO) server.”
The claims supplied by the inventors are:
“1. A method for authenticating a user using key pair authentication, comprising: in response to a user request requesting access to content on a first domain, receiving, from a global identifier server and by a user device, a global identifier based on the user request, wherein the user request comprises a user identifier; providing, by the user device, the global identifier to a key pair authentication server; enrolling, by the user device, the user into key pair authentication in response to determining that the global identifier associated with the user does not exist within the key pair authentication server, wherein the enrolling comprises: after redirecting the user device from the first domain to an authentication domain, generating a public-private key pair for the authentication domain; signing a challenge for the key pair authentication server using a private key of the public-private key pair to obtain a signed challenge; providing the signed challenge and a public key of the public-private key pair to the key pair authentication server, wherein the user is enrolled into the key pair authentication based on the signed challenge and binding the public key of the public-private key pair with the global identifier, and wherein the key pair authentication server validates the signed challenge using the public key of the public-private key pair and stores the public key as a valid key; receiving, by the user device, a signed JSON web token (JWT) from the key pair authentication server; accessing, by the user device, the content on the first domain based on enrolling the user into the key pair authentication and trading the signed JWT for a valid OpenID Connect (OIDC) token with a resource manager server, wherein the valid OIDC token is used to access the content on the first domain; requesting, by the user device, access for a different content on a second domain; in response to the requesting access for the different content on the second domain, receiving, from the global identifier server and by the user device, the global identifier; in response to determining that the public key was bound to the global identifier during the enrollment of the user into the key pair authentication for the first domain, redirecting, by the user device, a browser from the second domain to the authentication domain; and accessing, by the user device, the different content on the second domain based on performing the key pair authentication with the key pair authentication server using the public-private key pair for the authentication domain.
“2. The method of claim 1, wherein redirecting the user device from the first domain to the authentication domain further comprises: based on authenticating user credentials for the first domain, redirecting, by the user device, the browser from the first domain to the authentication domain.
“3. The method of claim 1, wherein the key pair authentication server is a fast identity online (FIDO) server.
“4. The method of claim 1, further comprising: determining whether the received global identifier for the user is stored in the key pair authentication server; and based on the received global identifier not being stored in the key pair authentication server, providing user credentials to a first authentication server associated with the first domain.
“5. The method of claim 1, wherein enrolling the user for the key pair authentication further comprises: based on generating the private and public key pair, receiving, by the user device, the challenge and allowed authenticators from the key pair authentication server; wherein the key pair authentication server binds the public key with the global identifier based on associating and storing the global identifier, the authentication domain, and the public key together.
“6. The method of claim 1, wherein accessing the different content on the second domain based on performing the key pair authentication with the key pair authentication server comprises: receiving a second challenge and allowed authentications from the key pair authentication server; signing the second challenge using the public-private key pair for the authentication domain to obtain a signed second challenge; providing the signed second challenge to the key pair authentication server, wherein the key pair authentication server validates the signed second challenge with the public key of the public-private key pair associated with the authentication domain; and accessing the different content on the second domain based on the validation.
“7. The method of claim 6, wherein accessing the different content based on the validation comprises: receiving a second signed JSON web token (JWT) based on the key pair authentication server validating the signed second challenge; and trading the signed second JWT for a second valid OpenID Connect (OIDC) token with the resource manager server, wherein the second valid OIDC token is used to access the different content on the second domain.
“8. The method of claim 1, wherein the user request requesting access to the content on the first domain further comprises a first user identifier for the first domain, wherein requesting access for the different content on the second domain further comprises providing a second user identifier for the second domain, and wherein the first user identifier is different from the second user identifier.
“9. A system for authenticating a user using key pair authentication, the system comprising: a global identifier server comprising: one or more first processors; and a first non-transitory computer-readable medium having first processor-executable instructions stored thereon, wherein the first processor-executable instructions, when executed by the one or more first processors, facilitate: in response to a first user request from a user device requesting access to content on a first domain, providing a global identifier associated with the user; in response to a second user request from the user device requesting access to different content on a second domain, providing the global identifier associated with the user; and a key pair authentication server comprising: one or more second processors; and a second non-transitory computer-readable medium having second processor-executable instructions stored thereon, wherein the second processor-executable instructions, when executed by the one or more second processors, facilitate: subsequent to the first user request and based on determining the global identifier associated with the user does not exist within the key pair authentication server, enrolling the user in the key pair authentication, wherein the enrolling comprises: redirecting the user device from the first domain to an authentication domain; receiving, from the user device, a signed challenge and a public key of a public-private key pair associated with the authentication domain, wherein the signed challenge is signed using a private key of the public-private key pair; validating the signed challenge using the public key of the public-private key pair; storing the public key as a valid key responsive to successful verification of the public key; and enrolling the user in the key pair authentication based on the signed challenge and binding the public key with the global identifier; subsequent to the second user request and based on the enrollment of the user into the key pair authentication, determining that the public key is bound to the global identifier; in response to determining that the public key is bound to the global identifier, providing instructions to redirect the user device to the authentication domain; performing the key pair authentication with the user device for the second domain using the public key of the public-private key pair for the authentication domain; and providing a signed JSON web token (JWT) for accessing the different content on the second domain.
“10. The system of claim 9, wherein the key pair authentication server is a fast identity online (FIDO) server.
“11. The system of claim 9, wherein the second processor-executable instructions, when executed by the one or more second processors, further facilitate providing a challenge to the user device by: providing, to the user device, the challenge and allowed authenticators.
“12. The system of claim 11, wherein the second processor-executable instructions, when executed by the one or more second processors, further facilitate providing the allowed authenticators by providing one or more biometric requests to the user device, wherein the biometric requests request a biometric marker associated with the user.
“13. The system of claim 11, wherein the second processor-executable instructions, when executed by the one or more second processors, further facilitate: based on enrolling the user in the key pair authentication, providing a signed JSON web token (JWT) for accessing the content on the first domain.”
There are additional claims. Please visit full patent to read further.
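The enrol-then-authenticate flow of claims 1 and 6, as an added Go simulation that is not part of the patent or of any Aetna code: one P-256 key pair scoped to the authentication domain is bound to the global identifier on the first domain's request and reused, unchanged, for the second domain's request. The hostname auth.example.com, the global identifier value, the two content domain names and the server layout are all assumed for illustration; the JWT/OIDC exchange with the resource manager server is not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

const AuthDomain = "auth.example.com" // assumed hostname of the single authentication domain the key pair is scoped to
// AuthServer stands in for the claims' key pair authentication (FIDO-style) server: one bound public key per global identifier, plus that identifier's outstanding challenge.
type AuthServer struct {
	keys       map[string]*ecdsa.PublicKey
	challenges map[string][]byte
}

func NewAuthServer() *AuthServer { return &AuthServer{map[string]*ecdsa.PublicKey{}, map[string][]byte{}} }
// Challenge issues a fresh random nonce for one attempt; Access consumes it, so each signature is single-use.
func (s *AuthServer) Challenge(gid string) []byte { c := make([]byte, 32); rand.Read(c); s.challenges[gid] = c; return c }
// message ties the signed bytes to the authentication domain, not to the content domain that redirected.
func message(c []byte) []byte { h := sha256.Sum256(append([]byte(AuthDomain+"|"), c...)); return h[:] }
// Sign is the device side: the one key pair generated at first enrollment answers every domain's challenge.
func Sign(key *ecdsa.PrivateKey, c []byte) []byte { sig, _ := ecdsa.SignASN1(rand.Reader, key, message(c)); return sig }
// Access is the per-domain step of claim 1: an unknown global identifier enrols by binding the offered public key; a known one must verify against the key already bound, so a different offered key is ignored.
func (s *AuthServer) Access(gid string, offered *ecdsa.PublicKey, sig []byte) (string, error) {
	c := s.challenges[gid] // nil once consumed, so a replayed signature can never verify
	delete(s.challenges, gid)
	pub, enrolled := s.keys[gid]
	if !enrolled {
		pub = offered
	}
	if pub == nil || !ecdsa.VerifyASN1(pub, message(c), sig) {
		return "", fmt.Errorf("signed challenge for %s does not verify", gid)
	}
	if !enrolled {
		s.keys[gid] = pub
		return "enrolled", nil
	}
	return "authenticated", nil
}

func main() {
	s := NewAuthServer()
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // created once, at first enrollment
	for _, domain := range []string{"pharmacy.example.com", "grocery.example.com"} {
		path, err := s.Access("gid-1", &key.PublicKey, Sign(key, s.Challenge("gid-1")))
		fmt.Println(domain, "->", path, err) // enrolled, then authenticated with the same key
	}
}
```

The checks that matter for a defender are the negative ones: a consumed challenge cannot be replayed, and once a key is bound to a global identifier a different key offered for that identifier is rejected.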
For more information, see this patent: Barbir, Abbie. Systems and methods for device binding across multiple domains using an authentication domain.