US-20260128865-A1 - USER AUTHENTICATION TECHNIQUES FOR NATIVE COMPUTING APPLICATIONS
Abstract
A method for user authentication at a client device is described. The method includes obtaining a unique identifier of a user associated with the client device. The method further includes performing a first sequence of operations to register the unique identifier and the client device with a native computing application in accordance with a cryptographic authentication protocol. One or more operations of the first sequence may be performed using a platform-agnostic framework associated with the native computing application. The method further includes performing a second sequence of operations to authenticate the client device and the user of the client device in accordance with the cryptographic authentication protocol. One or more operations of the second sequence may be performed using the platform-agnostic framework. The method further includes accessing the native computing application via the client device based on performing the first sequence of operations and the second sequence of operations.
Inventors
- Michael Alexander Nachbaur
- Rajdeep Nanua
- Rita Zerrizuela
Assignees
- Okta, Inc.
Dates
- Publication Date
- 20260507
- Application Date
- 20251219
Claims (20)
- 1 . A method for user authentication at a client device, comprising: transmitting, to a server associated with a native computing application, a registration request comprising a unique identifier of a user associated with the client device; receiving information associated with a data object and one or more cryptographic parameters of a cryptographic authentication protocol, wherein the one or more cryptographic parameters are supported by the native computing application; generating, in accordance with a platform-agnostic framework associated with the native computing application, a private key and a public key in accordance with the one or more cryptographic parameters, wherein the private key and the public key are provisioned for the native computing application; signing the data object using the private key generated by the client device; transmitting, to the server associated with the native computing application, the signed data object and the public key generated by the client device; storing the private key in a secure module of the client device; authenticating, in accordance with the platform-agnostic framework, the client device and the user of the client device in accordance with the cryptographic authentication protocol that includes the one or more cryptographic parameters; and accessing the native computing application via the client device based at least in part on authenticating the client device.
- 2 . The method of claim 1 , further comprising: performing, by an internal authenticator of the client device, an authentication procedure, wherein generating the private key and the public key are based at least in part on performing the authentication procedure.
- 3 . The method of claim 1 , further comprising: transmitting, to the server associated with the native computing application, an authentication request comprising an identifier of the user of the client device and an identifier of the client device, wherein authenticating the client device and the user of the client device is based at least in part on transmitting the authentication request.
- 4 . The method of claim 3 , wherein the authentication request comprises an indication to authenticate the user of the client device and the client device via the platform-agnostic framework.
- 5 . The method of claim 1 , wherein the one or more cryptographic parameters comprise one or more parameters associated with storing the private key in the secure module of the client device.
- 6 . The method of claim 1 , wherein authenticating the client device comprises: receiving, via the native computing application, the data object provisioned by a first server associated with an identity management platform; retrieving the private key from the secure module of the client device based at least in part on verifying a credential provided by the user of the client device; signing the data object using the private key retrieved from the secure module of the client device; and transmitting the signed data object to a second server associated with the native computing application.
- 7 . The method of claim 6 , wherein the signed data object provided by the client device is verified using the platform-agnostic framework.
- 8 . The method of claim 1 , wherein the platform-agnostic framework comprises a software development kit (SDK) that is compatible with a plurality of native computing environments.
- 9 . The method of claim 8 , wherein the platform-agnostic framework is configured by an identity management platform and the plurality of native computing environments are associated with application providers that use the identity management platform.
- 10 . The method of claim 8 , wherein the SDK supports WebAuthn integration for non-browser-based native computing applications.
- 11 . The method of claim 1 , wherein the one or more cryptographic parameters comprise one or more key synchronization parameters of the cryptographic authentication protocol.
- 12 . The method of claim 1 , wherein the data object comprises an attestation, and wherein signing the data object is based at least in part on signing the attestation.
- 13 . A client device for user authentication, comprising: one or more memories storing processor-executable code; and one or more processors coupled with the one or more memories and individually or collectively operable to execute the code to cause the client device to: transmit, to a server associated with a native computing application, a registration request comprising a unique identifier of a user associated with the client device; receive information associated with a data object and one or more cryptographic parameters of a cryptographic authentication protocol, wherein the one or more cryptographic parameters are supported by the native computing application; generate, in accordance with a platform-agnostic framework associated with the native computing application, a private key and a public key in accordance with the one or more cryptographic parameters, wherein the private key and the public key are provisioned for the native computing application; sign the data object using the private key generated by the client device; transmit, to the server associated with the native computing application, the signed data object and the public key generated by the client device; store the private key in a secure module of the client device; authenticate, in accordance with the platform-agnostic framework, the client device and the user of the client device in accordance with the cryptographic authentication protocol that includes the one or more cryptographic parameters; and access the native computing application via the client device based at least in part on authenticating the client device.
- 14 . The client device of claim 13 , wherein the one or more processors are individually or collectively further operable to execute the code to cause the client device to: perform, by an internal authenticator of the client device, an authentication procedure, wherein generating the private key and the public key are based at least in part on performing the authentication procedure.
- 15 . The client device of claim 13 , wherein the one or more processors are individually or collectively further operable to execute the code to cause the client device to: transmit, to the server associated with the native computing application, an authentication request comprising an identifier of the user of the client device and an identifier of the client device, wherein authenticating the client device and the user of the client device is based at least in part on transmitting the authentication request.
- 16 . The client device of claim 15 , wherein the authentication request comprises an indication to authenticate the user of the client device and the client device via the platform-agnostic framework.
- 17 . The client device of claim 13 , wherein the one or more cryptographic parameters comprise one or more parameters associated with storing the private key in the secure module of the client device.
- 18 . The client device of claim 13 , wherein, to authenticate the client device, the one or more processors are individually or collectively operable to execute the code to cause the client device to: receive, via the native computing application, the data object provisioned by a first server associated with an identity management platform; retrieve the private key from the secure module of the client device based at least in part on verifying a credential provided by the user of the client device; sign the data object using the private key retrieved from the secure module of the client device; and transmit the signed data object to a second server associated with the native computing application.
- 19 . The client device of claim 18 , wherein the signed data object provided by the client device is verified using the platform-agnostic framework.
- 20 . A non-transitory computer-readable medium storing code for user authentication, the code comprising instructions executable by one or more processors to: transmit, to a server associated with a native computing application, a registration request comprising a unique identifier of a user associated with a client device; receive information associated with a data object and one or more cryptographic parameters of a cryptographic authentication protocol, wherein the one or more cryptographic parameters are supported by the native computing application; generate, in accordance with a platform-agnostic framework associated with the native computing application, a private key and a public key in accordance with the one or more cryptographic parameters, wherein the private key and the public key are provisioned for the native computing application; sign the data object using the private key generated by the client device; transmit, to the server associated with the native computing application, the signed data object and the public key generated by the client device; store the private key in a secure module of the client device; authenticate, in accordance with the platform-agnostic framework, the client device and the user of the client device in accordance with the cryptographic authentication protocol that includes the one or more cryptographic parameters; and access the native computing application via the client device based at least in part on authenticating the client device.
Description
CROSS REFERENCE
The present Application for Patent is a Continuation of U.S. Non-Provisional Ser. No. 18/362,779 by Nachbaur et al., entitled “USER AUTHENTICATION TECHNIQUES FOR NATIVE COMPUTING APPLICATIONS,” filed Jul. 31, 2023, assigned to the assignee hereof, and expressly incorporated by reference in its entirety herein.
FIELD OF TECHNOLOGY
The present disclosure relates generally to identity management and user authentication, and more specifically to user authentication techniques for native computing applications.
BACKGROUND
WebAuthn is a web standard that supports user authentication for websites viewed within web browsers. WebAuthn uses public key cryptography to verify users without passwords. The WebAuthn protocol includes a client registration process and a client authentication process. During the client registration process, a client device registers a public key credential with a relying party. During the client authentication process, the relying party uses the previously registered public key credential to verify the identity of the client device. WebAuthn provides a secure, convenient mechanism for users of web applications to sign in without passwords. However, many aspects of the WebAuthn protocol are performed by web browsers, which makes it difficult for software developers to leverage WebAuthn for native computing applications (such as non-browser-based mobile or desktop applications).
SUMMARY
A method for user authentication at a client device is described.
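As an added illustration (not code from the patent, from Okta, or from any SDK the patent describes), the registration and authentication ceremonies of claims 1 and 6, and the WebAuthn flow sketched in the Background, reduced to their cryptographic core in Go: the relying party issues a random data object, the key pair is generated on the client and only the public key and signatures leave it, and each data object is consumed after one use so a captured signature cannot be replayed. Ed25519 is an assumption (the claims leave the cryptographic parameters to the server), and in-memory maps stand in for the server's credential store and the device's secure module.

```go
package main

import "crypto/ed25519"
import "crypto/rand"

// RelyingParty is the server: one registered public key per user, plus the outstanding
// random challenge (the claims' "data object") that the next ceremony must sign.
type RelyingParty struct {
	creds      map[string]ed25519.PublicKey
	challenges map[string][]byte
}

// Challenge issues a fresh data object for the user's next ceremony.
func (rp *RelyingParty) Challenge(userID string) []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	rp.challenges[userID] = c
	return c
}

// consume verifies sig over the outstanding challenge and retires it either way, so a
// captured signature cannot be replayed in a later ceremony.
func (rp *RelyingParty) consume(userID string, pub ed25519.PublicKey, sig []byte) bool {
	c, ok := rp.challenges[userID]
	delete(rp.challenges, userID)
	return ok && len(pub) == ed25519.PublicKeySize && ed25519.Verify(pub, c, sig)
}

// Register binds pub to the user and reports whether the signed challenge verified.
func (rp *RelyingParty) Register(userID string, pub ed25519.PublicKey, sig []byte) bool {
	ok := rp.consume(userID, pub, sig)
	if ok {
		rp.creds[userID] = pub
	}
	return ok
}

// Authenticate checks a signed challenge against the registered key (nil, never valid, if unregistered).
func (rp *RelyingParty) Authenticate(userID string, sig []byte) bool {
	return rp.consume(userID, rp.creds[userID], sig)
}

// Client stands in for the native app plus the device's secure module (assumed, in-memory):
// the key pair is generated here and only the public key and signatures ever leave it.
type Client struct{ priv ed25519.PrivateKey }
func (cl *Client) Enroll() (pub ed25519.PublicKey, err error) {
	pub, cl.priv, err = ed25519.GenerateKey(rand.Reader)
	return pub, err
}

func (cl *Client) Sign(dataObject []byte) []byte { return ed25519.Sign(cl.priv, dataObject) }
```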
The method may include: obtaining a unique identifier of a user associated with the client device; performing a first sequence of operations to register the unique identifier and the client device with a native computing application in accordance with a cryptographic authentication protocol, where one or more operations of the first sequence are performed using a platform-agnostic framework associated with the native computing application; performing a second sequence of operations to authenticate the client device and the user of the client device in accordance with the cryptographic authentication protocol, where one or more operations of the second sequence are performed using the platform-agnostic framework; and accessing the native computing application via the client device based on performing the first sequence of operations and the second sequence of operations. An apparatus for user authentication at a client device is described. The apparatus may include one or more memories storing processor-executable code, and one or more processors coupled with the one or more memories.
The one or more processors may be individually or collectively operable to execute the code to cause the client device to: obtain a unique identifier of a user associated with the client device; perform a first sequence of operations to register the unique identifier and the client device with a native computing application in accordance with a cryptographic authentication protocol, where one or more operations of the first sequence are performed using a platform-agnostic framework associated with the native computing application; perform a second sequence of operations to authenticate the client device and the user of the client device in accordance with the cryptographic authentication protocol, where one or more operations of the second sequence are performed using the platform-agnostic framework; and access the native computing application via the client device based on performing the first sequence of operations and the second sequence of operations. Another apparatus for user authentication at a client device is described. The apparatus may include: means for obtaining a unique identifier of a user associated with the client device; means for performing a first sequence of operations to register the unique identifier and the client device with a native computing application in accordance with a cryptographic authentication protocol, where one or more operations of the first sequence are performed using a platform-agnostic framework associated with the native computing application; means for performing a second sequence of operations to authenticate the client device and the user of the client device in accordance with the cryptographic authentication protocol, where one or more operations of the second sequence are performed using the platform-agnostic framework; and means for accessing the native computing application via the client device based on performing the first sequence of operations and the second sequence of operations. 
A non-transitory computer-readable medium storing code for user authentication at a client device is described. The code may include instructions executable by one or more processors to: obtain a unique identifier of a user associated with the client device; perform a first sequence of operations to register the unique identifier and the client device with a native computing application in accordance with a cryptog