US2024039707A1PendingUtilityA1

Mobile authenticator for performing a role in user authentication

64
Assignee: HYPR CORPPriority: Jul 22, 2022Filed: May 2, 2023Published: Feb 1, 2024
Est. expiryJul 22, 2042(~16 yrs left)· nominal 20-yr term from priority
H04L 9/0825H04W 12/0433H04W 12/08H04W 12/06H04W 12/069H04W 12/068H04L 9/3218H04L 9/0894H04L 9/3247H04L 9/321
64
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

Provided is a process for authentication of a user on a mobile device. The user of the mobile device may authenticate with the mobile device, and credentials may be conveyed to a server via a relying device. The mobile device may directly communicate credentials to the relying device. In some examples, the user of the mobile device may authenticate using the mobile device without inputting credentials on the relying device. Credentials conveyed to the server by the relying device and authenticated by the server may permit user access to the relying device or access to an online resource from the relying device.

Claims

exact text as granted — not AI-modified
1 - 20 . (canceled) 
     
     
         21 . A tangible, non-transitory, machine-readable medium storing instructions that when executed by one or more processors of a computer system effectuate operations comprising:
 establishing, for a user of a mobile device executing a user authentication component, a record comprising a public credential of a credential pair corresponding to an identity of the user, the user being permitted to access a secure asset under the identity of the user;   receiving, from another device:
 a request to access the secure asset under the identity of the user, and 
 a selection to authenticate the user of the another device under the identity of the user via the mobile device; 
   receiving user authentication data generated based on a private credential of the credential pair by the mobile device;   verifying the user authentication data generated by the mobile device based on the record to determine whether the user of the another device is authenticated to the identity of the user access the secure asset from the another device; and   permitting, based on the verifying, the another device to access the secure asset under the identity of the user.   
     
     
         22 . The medium of  claim 21 , wherein establishing a record of an identity of a user comprises:
 obtaining the public credential corresponding to the mobile device and data signed using the private credential by the mobile device, the signed data being verifiable based on the public credential, and wherein:
 the private credential is accessible to the mobile device for generating the user authentication data responsive to authentication of the user upon a user credential by the user authentication component. 
   
     
     
         23 . The medium of  claim 22 , wherein:
 the mobile device generates the credential pair, wherein the public credential is a public key and the private credential is a private key,   the mobile device authenticates the user prior to permitting use of the private key, and   the mobile device generates the signed data based on the private key.   
     
     
         24 . The medium of  claim 23 , wherein:
 the user authentication component of the mobile device authenticates the user on one or more user credentials, and   the mobile device generates the signed data based on the private key and the one or more of the user credentials.   
     
     
         25 . The medium of  claim 21 , further comprising transmitting, to the another device, in response to the selection to authenticate the user of the another device under the identity of the user via the mobile device:
 identifying information corresponding to a server device for presentation to the mobile device.   
     
     
         26 . The medium of  claim 21 , wherein receiving, from another device, a request to access a secure asset under the identity of the user comprises:
 receiving the request from an application executed by the another device,   receiving the request via a website accessed by the another device,   receiving the request via a web application accessed by the another device, or   receiving the request from an operating system executed by the another device.   
     
     
         27 . The medium of  claim 21 , wherein receiving, from another device, a selection to authenticate the user of the another device under the identity of the user via the mobile device comprises:
 receiving an indication of the selection being performed within a user interface of an application executed by the another device,   receiving an indication of the selection being performed within a user interface of a website accessed by the another device,   receiving an indication of the selection being performed within a user interface of a web application accessed by the another device, or   receiving an indication of the selection being performed within a user-level account login interface of an operating system executed by the another device.   
     
     
         28 . The medium of  claim 21 , wherein receiving user authentication data generated based on a private credential of the credential pair by the mobile device comprises:
 receiving the user authentication data in a FIDO2 compliant protocol, and wherein:
 the user authentication component of the mobile device authenticates the user on one or more user credentials, 
 the mobile device generates the user authentication data after the authentication of the user, and 
 the user authentication data comprises a cryptographic signature of data using the private credential. 
   
     
     
         29 . The medium of  claim 21 , verifying the user authentication data generated by the mobile device based on the record to determine whether the user of the another device is authenticated to the identity of the user access the secure asset from the another device comprises:
 accessing the record based on an identifier associated with the access attempt by the another device;   obtaining the public credential associated with the record; and   verifying the authentication data using the public credential.   
     
     
         30 . The medium of  claim 21 , wherein permitting, based on the verifying, the another device to access the secure asset under the identity of the user comprises:
 granting access to an application executed by the another device,   granting access to a website accessed by the another device under an account of the user,   granting access to a web application accessed by the another device under an account of the user, or   granting access to a user-level account of an operating system executed by the another device, the user-level account corresponding to the user.   
     
     
         31 . A tangible, non-transitory, machine-readable medium storing instructions that when executed by one or more processors of a computer system effectuate operations comprising:
 establishing, for a mobile device executing a user authentication component, a record of an identity of a user, the record indicative of the mobile device and credentials by which the user authenticates on the mobile device;   receiving, from a second device, a request to access a secure asset and a selection to authenticate via the mobile device executing the user authentication component;   causing the second device to request the mobile device to generate user authentication data on an authentication protocol;   receiving the user authentication data generated by the mobile device in the authentication protocol;   verifying the authentication data based on the record to determine whether the user is authenticated to access the secure asset from the second device; and   permitting, based on the verifying, the second device to access the secure asset under the identity of the user.   
     
     
         32 . The medium of  claim 31 , wherein establishing a record of an identity of a user comprises:
 obtaining a public key corresponding to the mobile device, one or more credentials, and signed data, the signed data being verifiable based on the public key.   
     
     
         33 . The medium of  claim 32 , wherein:
 the mobile device generates a key pair including a private key and the public key, the mobile device generates the signed data based on the private key and one or more of the credentials, and   the mobile device authenticates the user on one or more of the credentials prior to permitting use of the private key.   
     
     
         34 . The medium of  claim 31 , wherein receiving, from a second device, a request to access a secure asset and a selection to authenticate via the mobile device comprises:
 receiving an indication of the selection being performed within a user interface of an application executed on the second device,   receiving an indication of the selection being performed within a user interface of a website accessed by the second device,   receiving an indication of the selection being performed within a user interface of a web application accessed by the second device, or   receiving an indication of the selection being performed within a user-level account login interface of an operating system executed by the second device.   
     
     
         35 . The medium of  claim 31 , wherein:
 a selection to authenticate via the mobile device comprises a selection to authentication via FIDO2 or Smart Card authenticator; and   receiving the user authentication data generated by the mobile device in the authentication protocol comprises receiving, over a network connection from the relying device, the user authentication data in the authentication protocol, the user authentication data being translated to the authentication protocol by the relying device from a direct wireless connection to the mobile device;   
     
     
         36 . The medium of  claim 31 , wherein causing the second device to request the mobile device to generate user authentication data on an authentication protocol comprises:
 transmitting, to the second device, identifying information corresponding to a server device by which the identity of the server device is verifiable by one or more of the second device and the mobile device; and   transmitting, to the second device, a request on the authentication protocol for authentication of the user of the mobile device.   
     
     
         37 . The medium of  claim 36 , wherein:
 the authentication protocol is a FIDO2 or Smart Card authenticator compliant protocol.   
     
     
         38 . The medium of  claim 31 , wherein receiving the user authentication data generated by the mobile device in the authentication protocol further comprises:
 receiving, over a network connection from the second device, the user authentication data in the authentication protocol, the user authentication data being translated to the authentication protocol by the second device from a direct wireless connection to the mobile device, wherein:
 the user authentication data is received over a FIDO2 or Smart Card authenticator compliant protocol, 
 the mobile device generates the user authentication data, and 
 the second device translates one or more packets conveying the user authentication data from a protocol of the direct wireless connection to the authentication protocol for conveyance over the network connection. 
   
     
     
         39 . The medium of  claim 31 , wherein verifying the authentication data based on the record to determine whether the user is authenticated to access the secure asset from the second device comprises:
 accessing the record based on an identifier received in association with the access attempt by the second device;   obtaining a cryptographic key associated with the record; and   verifying the authentication data using the cryptographic key.   
     
     
         40 . The medium of  claim 31 , wherein permitting, based on the verifying, the second device to access the secure asset under the identity of the user comprises:
 granting access to an application executed by the another device,   granting access to a website accessed by the second device under an account of the user,   granting access to a web application accessed by the second device under an account of the user, or   granting access to a user-level account of an operating system executed by the second device, the user-level account corresponding to the user.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.