MOBILE MULTIFACTOR SINGLE-SIGN-ON AUTHENTICATION

US 20140082715A1
Filed: 03/14/2013
Published: 03/20/2014
Est. Priority Date: 09/19/2012
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer storage medium which stores a non-browser mobile client application comprising executable code that directs a mobile computing device to perform a process comprising:

directing, by an authentication module, an independent browser, executable on the mobile computing device, to access a uniform resource locator (URL) associated with an authentication appliance configured to verify, with an identity database, authentication information received from the browser and configured to transmit a browser-accessible token to the browser,wherein the non-browser mobile client application comprises the authentication module,wherein the independent browser has not been specifically configured to provide identity information for non-browser mobile applications,wherein the authentication information is associated with a user of the mobile device, andwherein the authentication appliance is configured to provide single-sign-on (SSO) services that comprise accepting, for purposes of authentication, in lieu of the authentication information, a previously created valid browser-accessible token that was the result of a previous authentication between the authentication appliance and a second non-browser mobile client application;

receiving, at the authentication module, from the independent browser, a URL string comprising a client application identity distinct from the previously created valid browser-accessible token, that indicates the user of the mobile device and that the user of the mobile device has been authenticated by the authentication appliance, the URL string configured to invoke the non-browser mobile client application upon receipt by the independent browser, the independent browser receiving the URL string from the authentication appliance in response to authenticating the user,wherein at least a portion of the URL string is uniquely associated with the non-browser mobile client application; and

using the client application identity obtain access to a non-browser network-based application service associated with the non-browser mobile client application.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Features are disclosed for authentication of mobile device applications using a native, independent browser using a single-sign-on system. An authentication module within the mobile application can direct the mobile device'"'"'s native browser to a URL to initiate authentication with an authentication appliance. The mobile browser can receive and store a browser-accessible token to indicate previous authentication performed by the user. The mobile application can receive from the application appliance and store a client application ID token that may be presented to network services for access. A second mobile device application may direct the same browser to the authentication appliance. The authentication appliance may inspect the persistent browser-accessible token and issue a second client application ID identity to the second application without collecting additional authentication information, or collecting additional authentication information that is different from the first authentication information.

692 Citations

30 Claims

1. A non-transitory computer storage medium which stores a non-browser mobile client application comprising executable code that directs a mobile computing device to perform a process comprising:
- directing, by an authentication module, an independent browser, executable on the mobile computing device, to access a uniform resource locator (URL) associated with an authentication appliance configured to verify, with an identity database, authentication information received from the browser and configured to transmit a browser-accessible token to the browser,wherein the non-browser mobile client application comprises the authentication module,wherein the independent browser has not been specifically configured to provide identity information for non-browser mobile applications,wherein the authentication information is associated with a user of the mobile device, andwherein the authentication appliance is configured to provide single-sign-on (SSO) services that comprise accepting, for purposes of authentication, in lieu of the authentication information, a previously created valid browser-accessible token that was the result of a previous authentication between the authentication appliance and a second non-browser mobile client application;
  
  receiving, at the authentication module, from the independent browser, a URL string comprising a client application identity distinct from the previously created valid browser-accessible token, that indicates the user of the mobile device and that the user of the mobile device has been authenticated by the authentication appliance, the URL string configured to invoke the non-browser mobile client application upon receipt by the independent browser, the independent browser receiving the URL string from the authentication appliance in response to authenticating the user,wherein at least a portion of the URL string is uniquely associated with the non-browser mobile client application; and
  
  using the client application identity obtain access to a non-browser network-based application service associated with the non-browser mobile client application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The non-transitory computer storage medium of claim 1, which stores the non-browser mobile client application comprising executable code that directs the mobile computing device to perform the process further comprising searching for the client application identity and using, for a second time, the client application identity to obtain access to the non-browser network-based application service.
  - 3. The non-transitory computer storage medium of claim 1 wherein the client application identity as received by the non-browser mobile client application comprises an encrypted portion of the URL string.
  - 4. The non-transitory computer storage medium of claim 1, which stores the non-browser mobile client application comprising executable code that directs the mobile computing device to perform the process further comprising initiating a network connection between the non-browser mobile client application and the authentication appliance to decrypt the client application identity.
  - 5. The non-transitory computer storage medium of claim 1, which further stores a second non-browser mobile client application comprising executable code that directs the mobile computing device to perform the process further comprising directing, by a second authentication module, the independent browser to access the uniform resource locator associated with the authentication appliance, wherein the second non-browser mobile client application comprises the second authentication module.
  - 6. The non-transitory computer storage medium of claim 1, wherein the authentication information comprises a username, password, and one of:
    - a portion of an SMS message, a knowledge based answer, a static pin, or a USB key.
  - 7. The non-transitory computer storage medium of claim 1, wherein the browser-accessible token is stored by the browser and in one of:
    - HTML4 browser cookie space, HTML5 storage space, Adobe Flash Space, Android Dalvik Storage space, J2ME Managed code space, .NET mobile code space, or Native X.509v3 certificate storage space.
  - 8. The non-transitory computer storage medium of claim 1, which stores the non-browser mobile client application comprising executable code that directs the mobile computing device to perform the process further comprising directing the independent browser, executable on the mobile device, to access a second uniform resource locator (URL) associated with the authentication appliance configured to remove an association between the browser-accessible token and the client application identity.

9. A system for providing single-sign-on (SSO) authentication to a user on a mobile device, the system comprising:
- one or more processors;
  
  a computer-readable memory; and
  
  an authentication server comprising executable instructions stored in the computer-readable memory, wherein the one or more processors are programmed to at least;
  
  receive, from an independent browser on a mobile device, a first request to access a first uniform resource locator (URL) associated with a first non-browser mobile application;
  
  authenticate the user interacting with the mobile device by;
  
  receiving first authentication information related to the user from the independent browser,verifying the first authentication information with an identity database,identify a first URL mapping configured to invoke the first non-browser mobile application;
  
  send, to the independent browser, (1) the first URL mapping configured to invoke the first non-browser mobile application, (2) a browser-based token and (3) a first client application identity that the first non-browser mobile application will consume, wherein the browser-based token is distinct from the first client application identity;
  
  receive, from the independent browser on the mobile device, a second request to access a second URL associated with a second non-browser mobile application, wherein the second request comprises the browser-based token, wherein the second URL is distinct form the first URL, and wherein the first non-browser mobile application is distinct from the second non-browser mobile application;
  
  verify, with the identity database, non-revocation of the browser-based token; and
  
  identify a second URL mapping configured to invoke the second non-browser mobile application; and
  
  send, to the independent browser, (1) the second URL mapping and (2) a second client application identity, distinct from the browser based token, for the second non-browser client application to consume,wherein the independent browser has not been specifically configured to provide identity information for non-browser mobile applications.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The system of claim 9, wherein the authentication server stores a plurality of mappings, each mapping associating a non-browser mobile application with a distinct URL configured to invoke the non-browser mobile application.
  - 11. The system of claim 9, wherein the the first client application identity is distinct from the second client application identity.
  - 12. The system of claim 9, wherein the first client application identity comprises an encrypted portion of a URL query string.
  - 13. The system of claim 9, wherein the first authentication information comprises a username, password, and one of:
    - a portion of an SMS message, a knowledge based answer, a static pin, or a USB key.
  - 14. The system of claim 9, wherein the one or more processors are further programmed to at least receive, from the independent browser, second authentication information that is different than the first authentication information.
  - 15. The system of claim 9, wherein the one or more processors are further programmed to at least send, to the independent browser, a plurality of uniform resource locators configured to trigger logout of one or more logged-in non-browser mobile applications.

16. A computer-implemented method for providing single-sign-on (SSO) authentication to a user of a client application on a mobile device, the computer-implemented method comprising:
- receiving, from an independent browser on a mobile device, a first request to access a first uniform resource locator (URL) associated with a first non-browser mobile application executing on the mobile device;
  
  authenticating the user interacting with the mobile device at least partly by;
  
  receiving first authentication information related to the user from the independent browser, and verifying the first authentication information with an identity database;
  
  identifying a first URL mapping ping configured to invoke the first non-browser mobile application;
  
  sending, to the independent browser, a browser-based token, the first URL mapping, and a first client application identity for use by the first non-browser mobile application;
  
  receiving, from the independent browser on the mobile device, a second request to access a second uniform resource locator (URL) associated with a second non-browser mobile application executing on the mobile device, wherein the second request comprises the browser-based token;
  
  verifying, with the identity database, non-revocation of the browser-based token;
  
  identifying a second URL mapping configured to invoke the second non-browser mobile application; and
  
  sending, to the independent browser, a second client application identity for use by the second non-browser mobile application and the second URL mapping,said method performed in its entirety by a computer system that is separate from the mobile device,wherein the independent browser has not been specifically configured to provide identity information for non-browser mobile applications.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23)
- - 17. The method of claim 16, wherein the first uniform resource locator (URL) is identical to the second uniform resource locator (URL).
  - 18. The method of claim 16, wherein the first non-browser mobile application and the second non-browser mobile application are distinct mobile applications.
  - 19. The method of claim 16, wherein the first URL mapping configured to invoke the first non-browser mobile application comprises a URL registered in the mobile device in association with the first non-browser mobile application.
  - 20. The method of claim 16, wherein the first client application identity comprises one of an encrypted portion of a URL query string parameter.
  - 21. The method of claim 16, wherein the first authentication information comprises a username, password, and one of:
    - a portion of an SMS message, a knowledge based answer, a static pin, or a USB key.
  - 22. The method of claim 16, further comprising receiving, from the independent browser, second authentication information that is different than the first authentication information.
  - 23. The method of claim 16, further comprising sending, to the independent browser, a list of uniform resource locators for use by the first non-browser mobile application configured to trigger logout of one or more logged-in non-browser mobile applications.

24. A non-transitory computer storage medium which stores a program comprising executable code that directs a computing device to perform a process that provides single-sign-on (SSO) authentication to a user of a mobile device, comprising:
- receiving, from an independent browser on a mobile device, a first request to access a first uniform resource locator (URL) associated with a first non-browser mobile application executing on a mobile device;
  
  authenticating the user interacting with the mobile device by;
  
  receiving first authentication information related to the user from the independent browser,verifying the first authentication information with an identity database;
  
  identifying a first URL mapping configured to invoke the first non-browser mobile application;
  
  sending, to the independent browser, a browser-based token, the first URL mapping, and a first client application identity for use by the first non-browser mobile application;
  
  receiving, from the independent browser on the mobile device, a second request to access a second uniform resource locator (URL) associated with a second non-browser mobile application executing on the mobile device, wherein the second request comprises the browser-based token;
  
  verifying, with the identity database, non-revocation of the browser-based token;
  
  identifying a second URL mapping configured to invoke the first non-browser mobile application;
  
  andsending, to the independent browser, a second client application identity for use by the second non-browser mobile application and the second URL mapping,wherein the independent browser has not been specifically configured to provide identity information for non-browser mobile applications.
- View Dependent Claims (25, 26, 27, 28, 29, 30)
- - 25. The non-transitory computer storage medium of claim 24, wherein the first uniform resource locator (URL) is identical to the second uniform resource locator (URL).
  - 26. The non-transitory computer storage medium of claim 24, wherein the first non-browser mobile application and the second non-browser mobile application are distinct non-browser mobile applications.
  - 27. The non-transitory computer storage medium of claim 24, wherein the first URL mapping configured to invoke the first non-browser mobile application comprises a URL registered in the mobile device in association with the first non-browser mobile application.
  - 28. The non-transitory computer storage medium of claim 24, wherein the first client application identity comprises one of:
    - a userid sent as a URL query string parameter, a userid sent as an encrypted URL query string parameter, a cookie, or an encrypted cookie.
  - 29. The non-transitory computer storage medium of claim 24, wherein the first authentication information comprises a username, password, and one of:
    - a portion of an SMS message, a knowledge based answer, a static pin, or a USB key.
  - 30. The non-transitory computer storage medium of claim 24, which stores the program comprising executable code that directs the computing device to perform the process further comprising sending, to the independent browser, a plurality of distinct uniform resource locators, each uniform resource locator configured to trigger logout of distinct logged-in non-browser mobile applications.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SecureAuth Incorporated
Original Assignee
SecureAuth Incorporated
Inventors
Grajek, Garret Florian, Lo, Jeff Chiwai, Phillips, Robert Jason, Tung, Shu Jen

Granted Patent

US 8,769,651 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/8
CPC Class Codes

G06F 16/955   using information identifie...

G06F 21/31   User authentication

G06F 21/41   where a single sign-on prov...

H04L 2463/082   applying multi-factor authe...

H04L 63/08   for authentication of entit...

H04L 63/0815   providing single-sign-on or...

H04L 63/0823   using certificates cryptogr...

H04L 63/083   using passwords cryptograph...

H04L 63/0853   using an additional device,...

H04L 63/168   above the transport layer

H04W 12/068   using credential vaults, e....

H04W 12/069   using certificates or pre-s...

MOBILE MULTIFACTOR SINGLE-SIGN-ON AUTHENTICATION

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

692 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

MOBILE MULTIFACTOR SINGLE-SIGN-ON AUTHENTICATION

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

692 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links