System and method for an integrity focused authentication service
First Claim
1. A method comprising:
- at an authentication service;
responsive to synchronization of keys between a service provider and at least one authentication device enrolled for a user identifier of the service provider, storing key synchronization information in association with address information of the at least one authentication device, the user identifier, and authentication service account information for the service provider, the key synchronization information indicating that a private key associated with the user identifier and stored by the at least one authentication device is synchronized with a public key stored at the service provider in association with the user identifier;
receiving an authentication request provided by the service provider for a request received at the service provider from a primary device associated with the user identifier, the authentication request specifying the user identifier, wherein the authentication service is independent and external of the service provider;
mapping the authentication request to at least one authentication device identified by the key synchronization information as storing the synchronized private key to thereby identify the at least one authentication device as an intended recipient of the authentication request, wherein, as a result of the mapping, the authentication service establishes operable communication with both the service provider and the mapped at least one authentication device that is the intended recipient of the authentication request thereby allowing the authentication service to (i) route the authentication request provided by the service provider to the mapped at least one authentication device and (ii) route to the service provider, from the mapped at least one authentication device, a response to the authentication request;
providing the authentication request to the mapped at least one authentication device, wherein the authentication request provided to the mapped at least one authentication device is a request to authenticate a particular user or device on behalf of the service provider;
receiving a signed authentication response from the at least one authentication device, the signed authentication response being signed with the private key by the at least one authentication device; and
providing the signed authentication response to the service provider, the service provider verifying the signed authentication response by using the public key.
3 Assignments
0 Petitions
Abstract
Systems and methods for authentication. At an authentication service, key synchronization information is stored for an enrolled authentication device for a user identifier of a service provider. The key synchronization information indicates that a private key stored by the authentication device is synchronized with a public key stored at the service provider. Responsive to an authentication request provided by the service provider for the user identifier, the authentication service determines an authentication device for the user identifier that stores a synchronized private key by using the key synchronization information, and provides the authentication request to the authentication device. The authentication service provides a signed authentication response to the service provider. The authentication response is responsive to the authentication request and signed by using the private key. The service provider verifies the signed authentication response by using the public key.
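The enrollment, routing and verification flow the abstract describes, written out as an added worked example in Go. This is not code from the patent or its assignee. It assumes Ed25519 signatures, a single in-process simulation of the three parties (the device's Sign method is called directly where a deployment would deliver the request to the stored device address and await the reply), and a per-request challenge that the claims do not mention but that a service provider needs so a captured signed response cannot be replayed; every type, function and sample name in it is hypothetical.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// AuthRequest goes from the service provider to the authentication service; SP names the provider's
// account there. Challenge is this example's own assumption, not part of the claims: a per-request nonce.
type AuthRequest struct{ SP, UserID string; Challenge []byte }
// AuthResponse comes back from the device; the signature binds provider, user and challenge.
type AuthResponse struct{ UserID string; Challenge, Signature []byte }

func signingInput(sp, userID string, ch []byte) []byte {
	return append([]byte(sp+"\x00"+userID+"\x00"), ch...)
}

// AuthDevice holds the private key; nothing else in the system ever sees it.
type AuthDevice struct {
	Address string // where the authentication service delivers requests
	priv    ed25519.PrivateKey
}

func NewAuthDevice(address string) (*AuthDevice, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	return &AuthDevice{address, priv}, err
}

func (d *AuthDevice) Sign(req AuthRequest) AuthResponse {
	return AuthResponse{req.UserID, req.Challenge, ed25519.Sign(d.priv, signingInput(req.SP, req.UserID, req.Challenge))}
}

// ServiceProvider stores one public key per user identifier and verifies responses with it.
type ServiceProvider struct {
	Name    string
	pubKeys map[string]ed25519.PublicKey
	pending map[string][]byte // outstanding challenge per user identifier
}

func NewServiceProvider(name string) *ServiceProvider {
	return &ServiceProvider{name, map[string]ed25519.PublicKey{}, map[string][]byte{}}
}

// NewAuthRequest is built when a primary device (e.g. a browser) asks the provider to log in.
func (sp *ServiceProvider) NewAuthRequest(userID string) (AuthRequest, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return AuthRequest{}, err
	}
	sp.pending[userID] = nonce
	return AuthRequest{sp.Name, userID, nonce}, nil
}

// Verify checks the signature with the stored public key and consumes the challenge, so a replay fails.
func (sp *ServiceProvider) Verify(resp AuthResponse) bool {
	pub, known := sp.pubKeys[resp.UserID]
	want, outstanding := sp.pending[resp.UserID]
	if !known || !outstanding || !bytes.Equal(want, resp.Challenge) ||
		!ed25519.Verify(pub, signingInput(sp.Name, resp.UserID, resp.Challenge), resp.Signature) {
		return false
	}
	delete(sp.pending, resp.UserID)
	return true
}

// syncRecord is the key synchronization information of the claims: device (reached via its address), user, provider account, synced flag.
type syncRecord struct{ dev *AuthDevice; userID, spAccount string; synced bool }

// AuthService is independent of the provider and holds no private key: it only routes.
type AuthService struct{ records []syncRecord }

// Enroll synchronizes keys (the provider learns the device's public key) and stores the record.
func (svc *AuthService) Enroll(sp *ServiceProvider, userID string, dev *AuthDevice) {
	sp.pubKeys[userID] = dev.priv.Public().(ed25519.PublicKey)
	svc.records = append(svc.records, syncRecord{dev, userID, sp.Name, true})
}

// Route maps the request to a device synchronized with this provider and relays its signed response; unknown pairs are refused.
func (svc *AuthService) Route(req AuthRequest) (AuthResponse, error) {
	for _, r := range svc.records {
		if r.synced && r.spAccount == req.SP && r.userID == req.UserID {
			return r.dev.Sign(req), nil // a deployment would send to r.dev.Address and await the reply
		}
	}
	return AuthResponse{}, errors.New("no synchronized authentication device for " + req.UserID)
}

func main() {
	sp, svc := NewServiceProvider("example-sp"), &AuthService{}
	dev, _ := NewAuthDevice("push://alice-phone") // constructed sample enrollment
	svc.Enroll(sp, "alice", dev)
	req, _ := sp.NewAuthRequest("alice")
	resp, _ := svc.Route(req)
	fmt.Println(sp.Verify(resp), sp.Verify(resp)) // true false: the replay is rejected
}
```

The property worth checking in any implementation of this design is visible in the type layout: the authentication service holds address and synchronization records only, so it can route or drop a request but cannot produce a response the service provider will accept, and the provider's trust rests entirely on the public key it stored at enrollment. Refusing to route when no synchronized record exists for the provider/user pair, rather than picking any device for the user, keeps a request from one provider from being answered with a key synchronized for another.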
20 Claims
1. (Independent claim 1 is reproduced in full above under First Claim.)
Dependent claims: 2, 3
4. A method comprising:
at an authentication service;
managing service provider key synchronization information for at least one authentication device that is enrolled at the authentication service for a user identifier of a service provider, wherein for each authentication device the key synchronization information indicates that a private key associated with the user identifier and stored by the authentication device is synchronized with a public key stored at the service provider in association with the user identifier;
responsive to an authentication request provided by the service provider for the user identifier, determining at least one authentication device for the user identifier that stores a private key that is synchronized with the service provider by using the key synchronization information, and providing the authentication request to at least one determined authentication device;
providing an authentication response signed by the at least one determined authentication device to the service provider, the authentication response being responsive to the authentication request and being signed by using the private key, wherein the authentication request is for a request received at the service provider from a primary device associated with the user identifier, and wherein the service provider verifies the signed authentication response by using the public key;
wherein for each determined authentication device;
keys are synchronized with the service provider during enrollment of the authentication device;
the authentication device is enrolled responsive to enrollment information provided by at least one of the authentication device, the primary device and the service provider, the enrollment information including the user identifier, address information of the authentication device, and information identifying the service provider;
an enrollment record is stored at the authentication service, the enrollment record including the address information, and the authentication service account information for the service provider identified by the enrollment information;
at least one of the authentication service, the authentication device and the service provider synchronizes the keys between the authentication device and the service provider; and
the synchronization information is stored at the authentication service in association with the enrollment record, the synchronization information indicating that the keys are synchronized between the authentication device and the service provider.
Dependent claims: 5 through 18
19. A system comprising:
an authentication service constructed to;
manage service provider key synchronization information for at least one authentication device that is enrolled at the authentication service for a user identifier of a service provider, wherein for each authentication device the key synchronization information indicates that a private key associated with the user identifier and stored by the authentication device is synchronized with a public key stored at the service provider in association with the user identifier;
responsive to an authentication request provided by the service provider for the user identifier, determine at least one authentication device for the user identifier that stores a private key that is synchronized with the service provider by using the key synchronization information, and provide the authentication request to at least one determined authentication device;
provide an authentication response signed by the at least one determined authentication device to the service provider, the authentication response being responsive to the authentication request and being signed by using the private key, wherein the service provider provides the authentication request responsive to a request received at the service provider from a primary device of the user identifier of the service provider, and wherein the service provider verifies the signed authentication response by using the public key; and
the at least one determined authentication device, the at least one determined authentication device being constructed to;
store the private key; and
responsive to the authentication request; generate an authentication response; sign the authentication response by using the private key; and provide the signed authentication response to the authentication service;
wherein for the at least one determined authentication device;
keys are synchronized with the service provider during enrollment of the authentication device;
the authentication device is enrolled responsive to enrollment information provided by at least one of the authentication device, the primary device and the service provider, the enrollment information including the user identifier, address information of the authentication device, and information identifying the service provider;
an enrollment record is stored at the authentication service, the enrollment record including the address information, and the authentication service account information for the service provider identified by the enrollment information;
at least one of the authentication service, the authentication device and the service provider synchronizes the keys between the authentication device and the service provider; and
the synchronization information is stored at the authentication service in association with the enrollment record, the synchronization information indicating that the keys are synchronized between the authentication device and the service provider.
Dependent claims: 20