US-12627473-B2 - Authentication service with shared session tokens for sharing authentication
Abstract
Disclosed are systems, apparatuses, methods, computer readable medium, and circuits for sharing multifactor authentication with shared session tokens using an authentication service. According to at least one example, a method includes: in response to receiving a request to check an authentication status from a first application, transmitting a first message to an authentication service including shared information; providing first authentication credentials related to a first authentication to the authentication service; and receiving a message related to a second authentication to bypass the second authentication.
Inventors
- Kyle William Mahan
- Glenn Joseph Stempeck
- Zach Weglarz
- Sebastian Green-Husted
- Ethan Dunnum
- Denzil Eugene Long
- Chris Cassell
- Philip Darin Lowman
Assignees
- CISCO TECHNOLOGY, INC.
Dates
- Publication Date: 20260512
- Application Date: 20231208
Claims (20)
- 1. A method of sharing authentication using an authentication service, the method comprising: in response to receiving a request to check an authentication status from a first application, transmitting a first message to an authentication service including shared information; providing first authentication credentials related to a first authentication to the authentication service; receiving a message related to a second authentication to bypass the second authentication; receiving a request from the first application at a security agent; searching for the shared information corresponding to the request; and when the security agent determines that the shared information is unavailable, generating the shared information by the security agent.
- 2. The method of claim 1, wherein the first authentication and the second authentication are associated with the first application, and an authentication type of the first authentication is different from an authentication type of the second authentication.
- 3. The method of claim 1, wherein the first authentication is associated with the first application and the second authentication is associated with a second application.
- 4. The method of claim 1, wherein the shared information comprises a shared token that is provided to the authentication service, and wherein the shared token is used to identify a stored session of authentication access from a client device.
- 5. The method of claim 1, wherein the shared information comprises a public key that is provided to the authentication service, and wherein the public key is used to identify a stored session of authentication access from a client device.
- 6. The method of claim 5, wherein a private key corresponding to the public key generates a signature for a message provided to the authentication service.
- 7. The method of claim 1, wherein the first message includes user information and the shared information, wherein the user information identifies a user and a client device.
- 8. The method of claim 7, wherein the request includes the user information.
- 9. The method of claim 1, wherein a hardware security module stores a private key and only provides the security agent access to use the private key.
- 10. The method of claim 1, wherein the first message comprises first information identified by the security agent based on user information.
- 11. A system for sharing authentication using an authentication service, comprising: a storage configured to store instructions; and a processor configured to execute the instructions and cause the processor to: in response to receiving a request to check an authentication status from a first application, transmit a first message to an authentication service including shared information; provide first authentication credentials related to a first authentication to the authentication service; receive a message related to a second authentication to bypass the second authentication; receive a request from the first application at a security agent; search for the shared information corresponding to the request; and when the security agent determines that the shared information is unavailable, generate the shared information by the security agent.
- 12. The system of claim 11, wherein the first authentication and the second authentication are associated with the first application, and an authentication type of the first authentication is different from an authentication type of the second authentication.
- 13. The system of claim 11, wherein the first authentication is associated with the first application and the second authentication is associated with a second application.
- 14. The system of claim 11, wherein the shared information comprises a shared token that is provided to the authentication service, and wherein the shared token is used to identify a stored session of authentication access from a client device.
- 15. The system of claim 11, wherein the shared information comprises a public key that is provided to the authentication service, and wherein the public key is used to identify a stored session of authentication access from a client device.
- 16. The system of claim 15, wherein a private key corresponding to the public key generates a signature for a message provided to the authentication service.
- 17. The system of claim 11, wherein the first message includes user information and the shared information, wherein the user information identifies a user and a client device.
- 18. The system of claim 11, wherein the request includes user information.
- 19. The system of claim 11, wherein a hardware security module stores a private key and only provides the security agent access to use the private key.
- 20. The system of claim 11, wherein the first message comprises first information identified by the security agent based on the user information.
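The flow in claims 1, 5, 6 and 9 (a security agent that generates the shared key pair on first use, keeps the private key out of reach of applications, signs the status-check message, and an authentication service that looks up a remembered session by the public key and decides whether the second authentication may be bypassed) can be modelled as follows. This is an added illustration written for this page, not code from the patent or from Cisco; the type names, the `user|device` message layout and the in-memory session map are assumptions, and Ed25519 is used only as a concrete signature scheme.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Session is what the authentication service remembers after a completed first authentication.
type Session struct{ User, Device string }

// AuthService keys stored sessions by the shared public key (claims 5 and 6).
type AuthService struct{ sessions map[string]Session }

func NewAuthService() *AuthService { return &AuthService{sessions: map[string]Session{}} }

// Register records a session once the first authentication (e.g. password plus MFA) succeeded.
func (s *AuthService) Register(pub ed25519.PublicKey, sess Session) {
	s.sessions[hex.EncodeToString(pub)] = sess
}

// CheckStatus returns true only if a session exists for this public key, the signature over msg
// verifies, and the user/device in the request match the remembered session.
func (s *AuthService) CheckStatus(pub ed25519.PublicKey, msg, sig []byte, user, device string) bool {
	sess, ok := s.sessions[hex.EncodeToString(pub)]
	if !ok || !ed25519.Verify(pub, msg, sig) {
		return false // unknown key or bad signature: the second authentication is required
	}
	return sess.User == user && sess.Device == device
}

// SecurityAgent holds the private key (standing in for the HSM of claim 9) and, per claim 1,
// generates the shared information when none exists yet.
type SecurityAgent struct {
	priv ed25519.PrivateKey
	pub  ed25519.PublicKey
}

func (a *SecurityAgent) sharedInfo() ed25519.PublicKey {
	if a.priv == nil { // shared information unavailable: generate it
		a.pub, a.priv, _ = ed25519.GenerateKey(rand.Reader)
	}
	return a.pub
}

// CheckAuth is what an application calls; the agent builds the first message (user info plus
// shared information) and signs it with the private key the application never sees.
func (a *SecurityAgent) CheckAuth(svc *AuthService, user, device string) bool {
	pub := a.sharedInfo()
	msg := []byte(user + "|" + device) // constructed message layout (assumption)
	return svc.CheckStatus(pub, msg, ed25519.Sign(a.priv, msg), user, device)
}

func main() {
	svc, agent := NewAuthService(), &SecurityAgent{}
	svc.Register(agent.sharedInfo(), Session{User: "alice", Device: "laptop-1"})
	fmt.Println("bypass second auth:", agent.CheckAuth(svc, "alice", "laptop-1"))
}
```

A production service would also bind the signed message to a server-issued nonce and a session expiry so a captured message cannot be replayed after the remembered session should have lapsed.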
Description
CROSS-REFERENCE TO RELATED APPLICATIONS
This application claims priority to U.S. Provisional Patent Application No. 63/506,454, filed on Jun. 6, 2023, entitled “SHARED SESSION STATE,” the content of which is incorporated herein by reference in its entirety.
TECHNICAL FIELD
The present technology pertains to an authentication service, and more particularly, to an authentication service with shared session tokens for sharing authentication.
BACKGROUND
An authorization system for a computer is a critical component of ensuring data security and controlling access to resources within a computing environment. It involves the implementation of policies and mechanisms that govern the granting or denying of permissions to users or entities based on their identity, roles, or privileges. The authorization system establishes a framework to enforce restrictions and permissions, preventing unauthorized users from accessing sensitive information or performing actions beyond their authorized scope. This system typically utilizes authentication mechanisms, such as passwords, biometrics, or digital certificates, to verify the identity of users before granting them access. It also encompasses the management of user roles and permissions, allowing administrators to define and assign fine-grained access controls based on specific requirements and responsibilities. By implementing an effective authorization system, organizations can safeguard their data, mitigate security risks, and maintain compliance with regulatory standards.
BRIEF DESCRIPTION OF THE DRAWINGS
Details of one or more aspects of the subject matter described in this disclosure are set forth in the accompanying drawings and the description below. However, the accompanying drawings illustrate only some typical aspects of this disclosure and are therefore not to be considered limiting of its scope. Other features, aspects, and advantages will become apparent from the description, the drawings and the claims.
- FIG. 1 illustrates an example environment utilizing a multi-factor authentication (MFA) system in accordance with some aspects of the disclosure.
- FIG. 2 illustrates a timeline associated with multiple authentications that frequently occur in the course of normal operation.
- FIG. 3 illustrates a block diagram of an authentication system for remembering sessions that can be extended between different applications in accordance with some aspects of the disclosure.
- FIG. 4A illustrates a sequence diagram for registering a remembered session in accordance with some aspects of the disclosure.
- FIG. 4B illustrates a sequence diagram for authenticating an application using a remembered session in accordance with some aspects of the disclosure.
- FIG. 5 illustrates a sequence diagram illustrating creation of a shared session in accordance with some aspects of the disclosure.
- FIG. 6 illustrates a sequence diagram illustrating retrieval of a shared session in accordance with some aspects of the disclosure.
- FIG. 7 illustrates a flowchart of an example process implemented in accordance with some aspects of the disclosure.
- FIG. 8 shows an example of a trusted platform module (TPM) in accordance with some aspects of the disclosure.
- FIG. 9 shows an example of a system for implementing certain aspects of the present technology in accordance with some aspects of the disclosure.
DESCRIPTION
Certain aspects of this disclosure are provided below. Some of these aspects may be applied independently and some of them may be applied in combination as would be apparent to those of skill in the art. In the following description, for the purposes of explanation, specific details are set forth in order to provide a thorough understanding of aspects of the application. However, it will be apparent that various aspects may be practiced without these specific details. The figures and descriptions are not intended to be restrictive.
The ensuing description provides example aspects only and is not intended to limit the scope, applicability, or configuration of the disclosure. Rather, the ensuing description of the example aspects will provide those skilled in the art with an enabling description for implementing an example aspect. It should be understood that various changes may be made in the function and arrangement of elements without departing from the spirit and scope of the application as set forth in the appended claims.
The terms “exemplary” and/or “example” are used herein to mean “serving as an example, instance, or illustration.” Any aspect described herein as “exemplary” and/or “example” is not necessarily to be construed as preferred or advantageous over other aspects. Likewise, the term “aspects of the disclosure” does not require that all aspects of the disclosure include the discussed feature, advantage or mode of operation.
Overview
Disclosed are systems, apparatuses, methods, computer readable medium, and circuits for sharing authentication with shared session tokens using an authentica