System and method for an integrity focused authentication service

US 10,021,113 B2
Filed: 07/27/2017
Issued: 07/10/2018
Est. Priority Date: 04/17/2014
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

at an authentication service, the authentication service being implementing by one or more computing servers;

(i) receiving from a remote service provider, via a network, an account identifier and an authentication request for authenticating a service request received at the remote service provider from an initiator, wherein the authentication request comprises an authentication challenge that is cryptographically secured with a public cryptographic key of the remote service provider;

(ii) using the account identifier to identify a predefined synchronization mapping established with the authentication service that identifies a destination of a user device having a private cryptographic key corresponding to the public cryptographic key of the remote service provider or a user application having a private cryptographic key corresponding to the public cryptographic key of the remote service provider, wherein the private cryptographic key of the destination and the public cryptographic key of the remote service provider define an asymmetric cryptographic key pair;

(iii) in response to identifying the destination based on the predefined synchronization mapping, routing by the authentication service the authentication request to the destination;

(iv) receiving from the destination an authentication response to the authentication request, the authentication response comprising a challenge response to the authentication challenge, the authentication response being cryptographically secured using the private cryptographic key of the destination; and

(v) in response to receiving the authentication response from the destination, routing the authentication response to the remote service provider based on the predefined synchronization mapping.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for authentication. At an authentication service, key synchronization information is stored for an enrolled authentication device for a user identifier of a service provider. The key synchronization information indicates that a private key stored by the authentication device is synchronized with a public key stored at the service provider. Responsive to an authentication request provided by the service provider for the user identifier, the authentication service determines an authentication device for the user identifier that stores a synchronized private key by using the key synchronization information, and provides the authentication request to the authentication device. The authentication service provides a signed authentication response to the service provider. The authentication response is responsive to the authentication request and signed by using the private key. The service provider verifies the signed authentication response by using the public key.

Citations

14 Claims

1. A method comprising:
- at an authentication service, the authentication service being implementing by one or more computing servers;
  
  (i) receiving from a remote service provider, via a network, an account identifier and an authentication request for authenticating a service request received at the remote service provider from an initiator, wherein the authentication request comprises an authentication challenge that is cryptographically secured with a public cryptographic key of the remote service provider;
  
  (ii) using the account identifier to identify a predefined synchronization mapping established with the authentication service that identifies a destination of a user device having a private cryptographic key corresponding to the public cryptographic key of the remote service provider or a user application having a private cryptographic key corresponding to the public cryptographic key of the remote service provider, wherein the private cryptographic key of the destination and the public cryptographic key of the remote service provider define an asymmetric cryptographic key pair;
  
  (iii) in response to identifying the destination based on the predefined synchronization mapping, routing by the authentication service the authentication request to the destination;
  
  (iv) receiving from the destination an authentication response to the authentication request, the authentication response comprising a challenge response to the authentication challenge, the authentication response being cryptographically secured using the private cryptographic key of the destination; and
  
  (v) in response to receiving the authentication response from the destination, routing the authentication response to the remote service provider based on the predefined synchronization mapping.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the cryptographically signed authentication response is signed by the destination using the private cryptographic key, andwherein, upon receipt of the cryptographically signed authentication response routed from the authentication service, the remote service provider decrypts and verifies the cryptographically signed authentication response using the public cryptographic key.
  - 3. The method of claim 1, wherein, prior to transmitting the authentication request by the remote service provider to the authentication service, the authentication request is cryptographically signed by the remote service provider using the public cryptographic key.
  - 4. The method of claim 1, wherein further at the authentication service:
    - storing a plurality of predefined synchronization mappings, wherein each predefined synchronization mapping maps the remote service provider to each of a plurality of destinations associated with different account identifiers; and
      
      using the predefined synchronization mapping associated with the account identifier to select the destination among the plurality of destination.
  - 5. The method of claim 1, wherein further at the authentication service:
    - using the predefined synchronization mapping to select an authentication application residing on the authentication device as the destination; and
      
      wherein transmitting the cryptographically signed authentication request includes delivering the cryptographically signed authentication request to the authentication device via the selected authentication application.
  - 6. The method of claim 1, wherein further at the authentication service:
    - responsive to synchronization of the asymmetric cryptographic keys between the remote service provider and the destination enrolled for the account identifier of the remote service provider, storing asymmetric cryptographic key synchronization information in association with address information of the destination, the account identifier, and authentication service account information for the remote service provider, the asymmetric cryptographic key synchronization information indicating that the private cryptographic key associated with the destination is synchronized with the public cryptographic key stored at the remote service provider in association with the account identifier.
  - 7. The method of claim 6, wherein:
    - at least one of the authentication service, the remote service provider and the authentication device synchronizes the private cryptographic key and the public cryptographic key between the remote service provider and the destination.
  - 8. The method of claim 1, wherein:
    - the asymmetric cryptographic key pair comprising the public cryptographic key of the remote service provider and the private cryptographic key of the destination is inaccessible to the authentication service.

9. A method comprising:
- at an authentication service;
  
  configuring an authentication channel via the authentication service between a service provider and a user authentication device for authenticating a service request to the service provider;
  
  wherein;
  
  a private cryptographic key associated with the user authentication device is synchronized with a public cryptographic key associated with the service provider during an enrollment of the user authentication device at the authentication service;
  
  the user authentication device is enrolled responsive to enrollment information provided by at least one of the user authentication device, a primary device, and the service provider, the enrollment information including a user identifier, address information of the user authentication device, and information identifying the service provider;
  
  an enrollment record is stored at the authentication service, the enrollment record including the enrollment information;
  
  at least one of the authentication service, the user authentication device and the service provider synchronizes the private cryptographic key and the public cryptographic key between the user authentication device and the service provider; and
  
  information associated with the synchronization is stored at the authentication service in association with the enrollment record as cryptographic key synchronization information, the cryptographic key synchronization information indicating that an asymmetric cryptographic key pair is synchronized between the user authentication device and the service provider;
  
  responsive to an authentication request received from the service provider for the user identifier, the authentication request comprising an authentication challenge that is cryptographically secured with the public cryptographic key of the service provider;
  
  using the user identifier to identify the synchronization information established with the authentication service that identifies a destination of the user authentication device having the private cryptographic key corresponding to the public cryptographic key of the service provider;
  
  in response to identifying the destination based on the synchronization information, routing by the authentication service the authentication request to the user authentication device;
  
  receiving from the user authentication device an authentication response to the authentication request, the authentication response comprising a challenge response to the authentication challenge, the authentication response being cryptographically secured using the private cryptographic key of the destination; and
  
  in response to receiving the authentication response from the destination, routing the authentication response to the service provider based on the synchronization information.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The method of claim 9,wherein the service provider decrypts and verifies the signed authentication response by using the public cryptographic key.
  - 11. The method of claim 9,wherein the user authentication device decrypts the authentication challenge of the authentication request by using the private cryptographic key.
  - 12. The method of claim 9,wherein the authentication service comprises a multi-factor authentication service that is external to and independent of the service provider, the service provider communicating with the multi-factor authentication service via a REST API, andwherein the user authentication device includes an authentication application constructed to communicatively couple with the authentication service.
  - 13. The method of claim 9,wherein a plurality of user authentication devices are enrolled for the user identifier at the authentication service, the plurality of user authentication devices including at least a primary authentication device and at least one fallback authentication device, andwherein the authentication service provides the authentication request from the service provider to the fallback authentication device when the authentication service cannot establish communication with the primary authentication device.
  - 14. The method of claim 9,wherein a plurality of user authentication devices are enrolled for the user identifier at the authentication service, andwherein the authentication service provides the authentication request from the service provider to one or more of the plurality of user authentication devices based on at least one of a user identifier profile at the authentication service and a service provider profile at the authentication service.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Duo Security Incorporated (Cisco Systems, Inc.)
Inventors
Oberheide, Jon, Song, Douglas
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
MURPHY, JOSEPH B

Application Number

US15/661,277
Publication Number

US 20170339164A1
Time in Patent Office

348 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0823   using certificates cryptogr...

H04L 63/12   Applying verification of th...

H04L 63/18   using different networks or...

H04L 9/3215   using a plurality of channe...

H04L 9/3247   involving digital signatures

System and method for an integrity focused authentication service

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for an integrity focused authentication service

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links