SYSTEM AND METHOD FOR AN INTEGRITY FOCUSED AUTHENTICATION SERVICE

US 20170339164A1
Filed: 07/27/2017
Published: 11/23/2017
Est. Priority Date: 04/17/2014
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

at an authentication service, the authentication service being implementing by one or more computing servers;

(i) receiving from a remote service provider, via a network, an account identifier and an authentication request for a service request received at the service provider from an initiating device;

(ii) using the account identifier to identify a predefined mapping stored with the authentication service for routing the authentication request from the remote service provider to a remote authentication device and for routing an authentication response to the authentication request from the remote authentication device to the remote service provider;

(iii) using the predefined mapping to transmit the authentication request to the remote authentication device;

(iv) receiving from the authentication device, a cryptographically signed authentication response to the authentication request; and

(v) using the predefined mapping to transmit, via the network, the cryptographically signed authentication response to the service provider.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for authentication. At an authentication service, key synchronization information is stored for an enrolled authentication device for a user identifier of a service provider. The key synchronization information indicates that a private key stored by the authentication device is synchronized with a public key stored at the service provider. Responsive to an authentication request provided by the service provider for the user identifier, the authentication service determines an authentication device for the user identifier that stores a synchronized private key by using the key synchronization information, and provides the authentication request to the authentication device. The authentication service provides a signed authentication response to the service provider. The authentication response is responsive to the authentication request and signed by using the private key. The service provider verifies the signed authentication response by using the public key.

Citations

19 Claims

1. A method comprising:
- at an authentication service, the authentication service being implementing by one or more computing servers;
  
  (i) receiving from a remote service provider, via a network, an account identifier and an authentication request for a service request received at the service provider from an initiating device;
  
  (ii) using the account identifier to identify a predefined mapping stored with the authentication service for routing the authentication request from the remote service provider to a remote authentication device and for routing an authentication response to the authentication request from the remote authentication device to the remote service provider;
  
  (iii) using the predefined mapping to transmit the authentication request to the remote authentication device;
  
  (iv) receiving from the authentication device, a cryptographically signed authentication response to the authentication request; and
  
  (v) using the predefined mapping to transmit, via the network, the cryptographically signed authentication response to the service provider.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 19)
- - 2. The method of claim 1, wherein the cryptographically signed authentication response is signed by the authentication device using a private cryptographic key, andwherein, upon receipt of the cryptographically signed authentication response from the authentication service, the service provider verifies the cryptographically signed authentication response using a public cryptographic key that forms a public/private key pair with the private key of the authentication device.
  - 3. The method of claim 1, wherein, prior to transmitting the authentication response to the authentication service, the authentication request is cryptographically signed by the service provider using the public cryptographic key.
  - 4. The method of claim 1, wherein further at the authentication service:
    - storing a plurality of predefined mappings, wherein each predefined mapping maps the service provider to each of a plurality of authentication devices associated with different account identifiers; and
      
      using the predefined mapping associated with the account identifier to select the authentication device among the plurality of authentication device.
  - 5. The method of claim 1, wherein further at the authentication service:
    - using the predefined mapping to select an authentication application residing on the authentication device; and
      
      wherein transmitting the cryptographically signed authentication request includes delivering the cryptographically signed authentication request to the authentication device via the selected authentication application.
  - 6. The method of claim 1, wherein further at the authentication service:
    - responsive to synchronization of keys between the service provider and the authentication device enrolled for the account identifier of the service provider, storing key synchronization information in association with address information of the authentication device, the account identifier, and authentication service account information for the service provider, the key synchronization information indicating that the private cryptography key associated with the account identifier and stored by the authentication device is synchronized with the public cryptography key stored at the service provider in association with the account identifier;
  - 7. The method of claim 6, wherein:
    - wherein at least one of the authentication service, the service provider and the authentication device synchronizes the private cryptography key and the public cryptography key between the service provider and the authentication device.
  - 19. The method of claim 1, wherein the predefined mapping identifies the authentication device as an intended recipient of the authentication request, wherein, as a result of the predefined mapping, the authentication service establishes operable communication with both the service provider and the authentication device that is the intended recipient of the authentication request thereby allowing the authentication service to (i) route the authentication request provided by the service provider to the authentication device and (ii) route to the service provider, from the authentication device, the response to the authentication request.

8. A method comprising:
- at an authentication service;
  
  configuring a communication channel via the authentication service between a service provider and an authentication device for authenticating a service request to the service provider;
  
  wherein for the authentication device;
  
  cryptography keys are synchronized with the service provider during an enrollment of the authentication device at the authentication service;
  
  the authentication device is enrolled responsive to enrollment information provided by at least one of the authentication device, a primary device, and the service provider, the enrollment information including a user identifier, address information of the authentication device, and information identifying the service provider;
  
  an enrollment record is stored at the authentication service, the enrollment record including the address information, and the authentication service account information for the service provider identified by the enrollment information;
  
  at least one of the authentication service, the authentication device and the service provider synchronizes the keys between the authentication device and the service provider; and
  
  the synchronization information is stored at the authentication service in association with the enrollment record, the synchronization information indicating that the keys are synchronized between the authentication device and the service provider.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16)
- - 9. The method of claim 8, wherein further at the authentication service:
    - managing service provider key synchronization information for the authentication device that is enrolled at the authentication service for the user identifier of the service provider, wherein for the authentication device the key synchronization information indicates that the private key associated with the user identifier and stored by the authentication device is synchronized with the public key stored at the service provider in association with the user identifier.
  - 10. The method of claim 8, further at the authentication service:
    - responsive to an authentication request provided by the service provider for the user identifier, identifying the authentication device for the user identifier that stores the private key that is synchronized with the service provider by using the key synchronization information, and providing the authentication request to the authentication device.
  - 11. The method of claim 10, further at the authentication service:
    - providing an authentication response signed by the authentication device to the service provider, the authentication response being responsive to the authentication request and being signed by using the private key,andwherein the service provider verifies the signed authentication response by using the public key.
  - 12. The method of claim 10,wherein the authentication request includes encrypted data that is encrypted by the service provider by using the public key, andwherein the at least one determined authentication device decrypts the encrypted data of the authentication request by using the private key.
  - 13. The method of claim 10,wherein the authentication response includes encrypted data that is encrypted by the at least one authentication device by using a public key received during enrollment of the at least one determined authentication device for the user identifier of the service provider, andwherein the service provider decrypts the encrypted authentication response by using a private key that corresponds to the public key used by the at least one determined authentication device to encrypt the authentication response.
  - 14. The method of claim 8,wherein the authentication service is a multi-factor authentication service that is external to the service provider, the service provider communicating with the multi-factor authentication service via a REST API, andwherein the authentication device includes an authentication application constructed to communicatively couple with the authentication service.
  - 15. The method of claim 8,wherein a plurality of authentication devices are enrolled for the user identifier at the authentication service, the plurality of authentication devices including at least a primary authentication device and at least one fallback authentication device, andwherein the authentication service provides an authentication request from the service provider to the fallback authentication device in a case where the authentication service cannot establish communication with the primary authentication device.
  - 16. The method of claim 8,wherein a plurality of authentication devices are enrolled for the user identifier at the authentication service, andwherein the authentication service provides an authentication request from the service provider to one or more of the plurality of authentication devices based on at least one of a user identifier profile at the authentication service and a service provider profile at the authentication service.

17. A method comprising:
- establishing synchronization information that defines;
  
  (a) a first communication channel for routing, via a network, an authentication request from a remote service provider to a remote authentication device and (b) a second communication channel for routing, via the network, an authentication response from the remote authentication device to the remote service provider;
  
  using the synchronization information to configure a routing function of an independent authentication service thereby configuring communication channels between the service provider and the authentication device via the independent authentication service, wherein the authentication service comprises an independent and remote service from both the service provider and the authentication device;
  
  in response to receiving the authentication request from the service provider, triggering the routing function of the independent authentication service.
- View Dependent Claims (18)
- - 18. The method of claim 17, wherein the synchronization information comprises user identifier information that identifies a user identifier that is associated with the routing function,wherein the authentication request from the service provider includes the user identifier.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Duo Security Incorporated (Cisco Systems, Inc.)
Inventors
Oberheide, Jon, Song, Douglas

Granted Patent

US 10,021,113 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0823   using certificates cryptogr...

H04L 63/12   Applying verification of th...

H04L 63/18   using different networks or...

H04L 9/3215   using a plurality of channe...

H04L 9/3247   involving digital signatures

SYSTEM AND METHOD FOR AN INTEGRITY FOCUSED AUTHENTICATION SERVICE

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD FOR AN INTEGRITY FOCUSED AUTHENTICATION SERVICE

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links