Cryptographic device that binds an additional authentication factor to multiple identities
First Claim
1. In a computing environment, a method of binding a security artifact to a user's account at a service provider, the method comprising a computing system performing the following:
- accessing a first pseudonym for a security artifact, wherein the security artifact comprises at least one of a cryptographic hardware device or a software module that provides an additional authentication factor that is reusable across accounts from multiple service providers to authenticate to the different service providers either directly or by unlocking security tokens that have already been issued by the service providers, and wherein the security artifact is configured to perform cryptographic operations to prove its presence during authentication, and wherein the first pseudonym is an identifier of the security artifact to a first service provider and wherein the first pseudonym uniquely identifies the particular security artifact to the first service provider over other different security artifacts when the user has other security artifacts to authenticate to the same service provider to access a user account at the first service for the user;
- providing the first pseudonym for the security artifact to the first service provider, wherein the first pseudonym for the security artifact is bound with a user account at the first service provider for the user associated with the security artifact;
- accessing a second pseudonym, different than the first pseudonym, for the same security artifact, wherein the second pseudonym is an identifier of the security artifact to a second service provider, different than the first service provider, and wherein the second pseudonym uniquely identifies the particular security artifact to the second service provider over other different security artifacts when the user has other security artifacts to authenticate to the same service provider to access a user account at the second service for the user;
- providing the second pseudonym for the security artifact to the second service provider, wherein the second pseudonym for the security artifact is bound with a user account at the second service provider for the user associated with the security artifact; and
- wherein using the first pseudonym for the first service provider and the second pseudonym for the second service provider prevents activity using the security artifact from being correlated across the first service provider and the second service provider by using the first and second pseudonyms with the first and second service providers respectively when using the security artifact with the first and second service providers.
2 Assignments
0 Petitions
Abstract
Binding a security artifact to a service provider. A method includes generating a pseudonym for a security artifact. The pseudonym is an identifier of the security artifact to the service provider that is unique to the service provider in that the pseudonym is not used to identify the security artifact to other service providers. Further, the pseudonym uniquely identifies the particular security artifact to the service provider even when a user has available a number of different security artifacts to authenticate to the same service provider to access a user account for the user. The method further includes providing the pseudonym for the security artifact to the service provider. The pseudonym for the security artifact is bound with a user account at the service provider for a user associated with the security artifact.
29 Citations
17 Claims
1. (Independent claim 1 is reproduced in full under First Claim above.) Dependent claims 2 to 11 depend from claim 1 and are not reproduced on this page.
12. In a computing environment, a method of using a security artifact bound to a user account at a service provider to authenticate the security artifact to the service provider, the method comprising the security artifact performing the following:
- accessing a unique identifier for a service provider;
- using the unique identifier from the service provider and a unique secret for a security artifact, generating an asymmetric private key and pseudonym for the security artifact, wherein the pseudonym for the security artifact is an asymmetric public key;
- sending the pseudonym for the security artifact to the service provider;
- performing cryptographic operations to prove the presence of the security artifact during authentication, wherein performing cryptographic operations comprises: receiving a security artifact challenge from a service provider; accessing a nonce; signing the nonce with the asymmetric private key; and sending the signature on the nonce to the service provider, whereafter the service provider validates the signature on the nonce using the pseudonym of the security artifact to authenticate the security artifact;
- accessing the service provider as a result of the service provider authenticating the security artifact; and
- repeating the acts above for the same security artifact, but with a different service provider, such that the same security artifact is used with a different service provider using a different pseudonym for the security artifact where the different pseudonym is based on a unique identifier of the different service provider, such that using different pseudonyms for different service providers prevents activity using the security artifact from being correlated across the different service providers by using the different pseudonyms with the different service providers when using the security artifact with the different service providers.
Dependent claims 13 to 16 depend from claim 12 and are not reproduced on this page.
17. In a computing environment, a method of validating a user using a security artifact at a service provider, the method comprising:
- receiving a request from a security artifact for a site key, wherein the security artifact comprises at least one of a cryptographic hardware device or a software module that provides an additional authentication factor that is reusable across accounts from multiple service providers to authenticate to the different service providers either directly or by unlocking security tokens that have already been issued by the service providers, and wherein the security artifact is configured to perform cryptographic operations to prove its presence during authentication;
- in response to the request from the security artifact for a site key, returning a service provider unique identifier to the security artifact;
- receiving from the security artifact a pseudonym for the security artifact, wherein the pseudonym is generated using the service provider unique identifier and a security artifact secret unique to the security artifact to generate a pseudonym for the security artifact, wherein the pseudonym comprises a public key of an asymmetric key pair, and wherein the pseudonym is different than one or more other pseudonyms for the security artifact when the security artifact is used for different service providers than the service provider, which prevents activity using the security artifact from being correlated across different service providers by using different pseudonyms with different service providers when using the security artifact with different service providers;
- registering the pseudonym with a user account at a service provider;
- receiving a request for access of the user account from an application;
- sending a message to the application indicating that authentication is required to service the request;
- receiving a request from the application for authentication;
- in response to receiving a request from the application for authentication, sending a security artifact challenge to the application, wherein the security artifact challenge comprises the service provider unique identifier and a nonce;
- receiving a security artifact response comprising the signature on a nonce generated using a private key generated using the service provider unique identifier and the security artifact secret unique to the security artifact, the nonce being signed by the security artifact to prove the security artifact's presence during authentication; and
- validating the security artifact response using the pseudonym.
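Claims 12 and 17 together describe both sides of one exchange: the artifact obtains the provider's unique identifier, derives a key pair from that identifier and its own secret, registers the public key as its pseudonym, and later signs a provider-issued nonce with the derived private key, which the provider checks against the registered pseudonym. The Go program below is an added example written for this page, not code from the patent or its assignee. The patent fixes no derivation or signature algorithm, so seeding an Ed25519 key pair from HMAC-SHA256 over the device secret and the provider identifier, the "pseudonym-v1" label, the provider names and the device secret are all this example's assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Artifact is the security artifact of claims 12 and 17: a device (or software
// module) holding one long-lived secret that never leaves it. Every key pair it
// uses is derived from that secret plus a provider identifier, so the device
// keeps no per-account key material and nothing to enumerate across providers.
type Artifact struct {
	secret []byte
}

func NewArtifact(secret []byte) *Artifact { return &Artifact{secret: secret} }

// deriveKey derives the per-provider private key (claim 12: "using the unique
// identifier from the service provider and a unique secret for a security
// artifact"). HMAC-SHA256 keyed with the device secret over a label and the
// provider identifier yields 32 bytes, exactly ed25519.SeedSize. The choice of
// HMAC-SHA256 and Ed25519 is this example's assumption, not the patent's.
func (a *Artifact) deriveKey(spID string) ed25519.PrivateKey {
	mac := hmac.New(sha256.New, a.secret)
	mac.Write([]byte("pseudonym-v1|"))
	mac.Write([]byte(spID))
	return ed25519.NewKeyFromSeed(mac.Sum(nil))
}

// Pseudonym is the public half of the derived pair: the identifier the artifact
// registers with exactly one provider. It is stable for that provider and
// computationally unrelated to the pseudonym any other provider sees.
func (a *Artifact) Pseudonym(spID string) ed25519.PublicKey {
	return a.deriveKey(spID).Public().(ed25519.PublicKey)
}

// Respond answers a challenge (claim 17: the challenge carries the provider
// identifier and a nonce) by signing the nonce under the key derived for that
// identifier. A challenge relayed from another provider is therefore answered
// under a key the receiving provider never registered.
func (a *Artifact) Respond(spID string, nonce []byte) []byte {
	return ed25519.Sign(a.deriveKey(spID), nonce)
}

// ServiceProvider is the relying side: it hands out its identifier, stores one
// pseudonym per account, issues single-use nonces and validates responses.
type ServiceProvider struct {
	ID       string
	accounts map[string]ed25519.PublicKey // account name -> registered pseudonym
	issued   map[string]bool              // outstanding nonces, hex-encoded
}

func NewServiceProvider(id string) *ServiceProvider {
	return &ServiceProvider{ID: id, accounts: map[string]ed25519.PublicKey{}, issued: map[string]bool{}}
}

// Register binds the pseudonym to a user account (claims 1 and 17).
func (sp *ServiceProvider) Register(account string, pseudonym ed25519.PublicKey) {
	sp.accounts[account] = pseudonym
}

// Challenge issues a fresh random nonce and remembers it so it is accepted once.
func (sp *ServiceProvider) Challenge() []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	sp.issued[hex.EncodeToString(nonce)] = true
	return nonce
}

// Verify accepts a response only if the nonce was issued here and not yet
// consumed, and the signature verifies under the account's registered pseudonym.
func (sp *ServiceProvider) Verify(account string, nonce, sig []byte) bool {
	key := hex.EncodeToString(nonce)
	if !sp.issued[key] {
		return false // unknown or replayed nonce
	}
	delete(sp.issued, key) // single use, whether or not the signature is good
	pub, ok := sp.accounts[account]
	return ok && ed25519.Verify(pub, nonce, sig)
}

func main() {
	// Constructed secret; a real device would generate this at manufacture or first use.
	dev := NewArtifact([]byte("constructed-device-secret"))
	bank, mail := NewServiceProvider("https://bank.example"), NewServiceProvider("https://mail.example")

	// Registration: each provider receives a different pseudonym for the same device.
	bank.Register("alice", dev.Pseudonym(bank.ID))
	mail.Register("alice", dev.Pseudonym(mail.ID))
	fmt.Println("bank sees", hex.EncodeToString(dev.Pseudonym(bank.ID))[:16])
	fmt.Println("mail sees", hex.EncodeToString(dev.Pseudonym(mail.ID))[:16])

	// Authentication at the bank, then a replay of the same signed nonce.
	nonce := bank.Challenge()
	fmt.Println("genuine response accepted:", bank.Verify("alice", nonce, dev.Respond(bank.ID, nonce)))
	fmt.Println("replay accepted:", bank.Verify("alice", nonce, dev.Respond(bank.ID, nonce)))

	// A response produced for the mail provider's identifier is useless at the bank.
	nonce = bank.Challenge()
	fmt.Println("cross-provider response accepted:", bank.Verify("alice", nonce, dev.Respond(mail.ID, nonce)))
}
```

Two points a practitioner should take from the structure rather than the claim text. First, the identifier the provider returns must be canonical (a full origin, not a display name), since any variation in it yields a different pseudonym and a failed login. Second, the per-provider derivation buys unlinkability, not phishing resistance by itself: in claim 17 the identifier reaches the artifact through the application, so a lookalike provider that relays the genuine provider's identifier and nonce obtains a signature the genuine provider will accept unless the application checks that identifier against the provider it is actually talking to. The nonce bookkeeping in Verify is the check the claims leave implicit; without it the signed nonce is replayable.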
Specification