US-20260128905-A1 - SYSTEMS AND METHODS FOR AN ENHANCED PASSKEY FOR USER ACCOUNT SECURITY
Abstract
Systems, apparatuses, methods, and computer program products are disclosed for an enhanced authentication using a super passkey. An example method includes receiving a user operation request from a user device and determining an authentication passkey requirement set comprising one or more authentication passkey requirements required for authentication of the user operation request. The example method further includes performing an authentication routine to determine whether to authenticate the user operation request. The authentication routine includes authenticating a digital signature provided by the user device using a public cryptographic key of a passkey for the user account and determining whether current user device data satisfies the one or more authentication passkey requirements. In an instance in which the user operation request is successfully authenticated, the example method further includes performing an operational routine associated with the operation request type for the user account.
Inventors
- Angela Sicord
- Matthew N. Wheeler
- John Andrew Chuprevich
Assignees
- WELLS FARGO BANK, N.A.
Dates
- Publication Date: 20260507
- Application Date: 20241104
Claims (20)
- 1 . A method for improved authentication, the method comprising: receiving, by communications hardware, a user operation request from a user device, wherein the user operation request pertains to a user account and corresponds to an operation request type; determining, by authentication circuitry and based on the user account, an authentication passkey requirement set comprising one or more authentication passkey requirements required for authentication of the user operation request; performing, by the authentication circuitry, an authentication routine to determine whether to authenticate the user operation request, wherein the authentication routine comprises: authenticating, by the authentication circuitry, a digital signature provided by the user device using a public cryptographic key of a passkey for the user account, and determining, by the authentication circuitry, whether current user device data satisfies the one or more authentication passkey requirements, wherein the user operation request is successfully authenticated in an instance in which the digital signature is successfully authenticated and the current user device data satisfies each of the one or more authentication passkey requirements; and in an instance in which the user operation request is successfully authenticated, performing, by operation management circuitry and based on the user operation request, an operational routine associated with the operation request type for the user account.
- 2 . The method of claim 1 , further comprising: identifying, by configuration circuitry, a user configuration preference set from the user account, wherein the user configuration preference set defines user-defined conditions under which the passkey can be used for authentication; identifying, by the configuration circuitry, an entity configuration security requirement set, wherein the entity configuration security requirement set defines entity-defined conditions under which the passkey can be used for authentication; and generating, by the configuration circuitry, the authentication passkey requirement set based on the user configuration preference set and the entity configuration security requirement set.
- 3 . The method of claim 1 , further comprising: determining, by the authentication circuitry, a location of the user device from the current user device data; determining, by the authentication circuitry, whether the location of the user device corresponds to a trusted location for the operation request type as defined by an authentication passkey requirement of the one or more authentication passkey requirements; and in an instance in which the location of the user device is determined to correspond to the trusted location, determining, by the authentication circuitry, the authentication passkey requirement is satisfied.
- 4 . The method of claim 1 , further comprising: determining, by the authentication circuitry, a location of the user device from the current user device data; determining, by the authentication circuitry, whether the location of the user device corresponds to an excluded location for the operation request type as defined by an authentication passkey requirement of the one or more authentication passkey requirements; and in an instance in which the location of the user device fails to correspond to the excluded location, determining, by the authentication circuitry, the authentication passkey requirement is satisfied.
- 5 . The method of claim 1 , further comprising: determining, by the authentication circuitry, a current time pertaining to the user device; determining, by the authentication circuitry, whether the current time is within a trusted timeframe for the operation request type as defined by an authentication passkey requirement of the one or more authentication passkey requirements; and in an instance in which the current time is determined to be within the trusted timeframe, determining, by the authentication circuitry, the authentication passkey requirement is satisfied.
- 6 . The method of claim 1 , further comprising: determining, by the authentication circuitry, a current software application version for an associated software application installed on the user device from the current user device data; determining, by the authentication circuitry, whether the current software application version satisfies a software application version threshold for the operation request type as defined by an authentication passkey requirement of the one or more authentication passkey requirements; and in an instance in which the current software application version is determined to satisfy the software application version threshold, determining, by the authentication circuitry, the authentication passkey requirement is satisfied.
- 7 . The method of claim 1 , further comprising: determining, by the authentication circuitry, a user device identifier corresponding to a second user device from the current user device data; determining, by the authentication circuitry, whether the user device identifier corresponds to a trusted user device identifier defined by an authentication passkey requirement of the one or more authentication passkey requirements; and in an instance in which the user device identifier is determined to correspond to the trusted user device identifier, determining, by the authentication circuitry, the authentication passkey requirement is satisfied.
- 8 . The method of claim 1 , further comprising: generating, by the authentication circuitry, a challenge; providing, by the communications hardware, the challenge to the user device; and in response to providing the challenge, receiving, by the communications hardware, a challenge response comprising the digital signature from the user device.
- 9 . The method of claim 1 , further comprising: receiving, by the communications hardware, a logon request for the user account; authenticating, by the authentication circuitry, the logon request based on user credentials provided in the logon request; in an instance in which the logon request is successfully authenticated, establishing, by the communications hardware, a secure session with the user device; during the secure session, receiving, by the communications hardware, a user configuration preference from the user device; and updating, by configuration circuitry, the user account to include the user configuration preference in a user configuration preference set.
- 10 . The method of claim 1 , further comprising: generating, by configuration circuitry and based on the authentication passkey requirement set, a device configuration set comprising one or more device authentication rules that are indicative of user device data to provide in response to a received challenge; and providing, by the communications hardware, the device configuration set to the user device.
- 11 . An apparatus for improved authentication, the apparatus comprising: communications hardware configured to receive a user operation request from a user device, wherein the user operation request pertains to a user account and corresponds to an operation request type; authentication circuitry configured to: determine, based on the user account, an authentication passkey requirement set comprising one or more authentication passkey requirements required for authentication of the user operation request, perform an authentication routine to determine whether to authenticate the user operation request, wherein the authentication circuitry is configured to perform the authentication routine by: authenticating a digital signature provided by the user device using a public cryptographic key of a passkey for the user account, and determining whether current user device data satisfies the one or more authentication passkey requirements, wherein the user operation request is successfully authenticated in an instance in which the digital signature is successfully authenticated and the current user device data satisfies each of the one or more authentication passkey requirements; and operation management circuitry configured to, in an instance in which the user operation request is successfully authenticated, perform, based on the user operation request, an operational routine associated with the operation request type for the user account.
- 12 . The apparatus of claim 11 , further comprising configuration circuitry configured to: identify a user configuration preference set from the user account, wherein the user configuration preference set defines user-defined conditions under which the passkey can be used for authentication; identify an entity configuration security requirement set, wherein the entity configuration security requirement set defines entity-defined conditions under which the passkey can be used for authentication; and generate the authentication passkey requirement set based on the user configuration preference set and the entity configuration security requirement set.
- 13 . The apparatus of claim 11 , wherein the authentication circuitry is further configured to: determine a location of the user device from the current user device data; determine whether the location of the user device corresponds to a trusted location for the operation request type as defined by an authentication passkey requirement of the one or more authentication passkey requirements; and in an instance in which the location of the user device is determined to correspond to the trusted location, determine the authentication passkey requirement is satisfied.
- 14 . The apparatus of claim 11 , wherein the authentication circuitry is further configured to: determine a location of the user device from the current user device data; determine whether the location of the user device corresponds to an excluded location for the operation request type as defined by an authentication passkey requirement of the one or more authentication passkey requirements; and in an instance in which the location of the user device fails to correspond to the excluded location, determine the authentication passkey requirement is satisfied.
- 15 . The apparatus of claim 11 , wherein the authentication circuitry is further configured to: determine a current time pertaining to the user device; determine whether the current time is within a trusted timeframe for the operation request type as defined by an authentication passkey requirement of the one or more authentication passkey requirements; and in an instance in which the current time is determined to be within the trusted timeframe, determine the authentication passkey requirement is satisfied.
- 16 . The apparatus of claim 11 , wherein the authentication circuitry is further configured to: determine a current software application version for an associated software application installed on the user device from the current user device data; determine whether the current software application version satisfies a software application version threshold for the operation request type as defined by an authentication passkey requirement of the one or more authentication passkey requirements; and in an instance in which the current software application version is determined to satisfy the software application version threshold, determine the authentication passkey requirement is satisfied.
- 17 . The apparatus of claim 11 , wherein the authentication circuitry is further configured to: determine a user device identifier corresponding to a second user device from the current user device data; determine whether the user device identifier corresponds to a trusted user device identifier defined by an authentication passkey requirement of the one or more authentication passkey requirements; and in an instance in which the user device identifier is determined to correspond to the trusted user device identifier, determine the authentication passkey requirement is satisfied.
- 18 . The apparatus of claim 11 , wherein the authentication circuitry is further configured to generate a challenge; wherein the communications hardware is further configured to: provide the challenge to the user device, and in response to providing the challenge, receive a challenge response comprising the digital signature from the user device.
- 19 . The apparatus of claim 11 , wherein the communications hardware is further configured to receive a logon request for the user account; wherein the authentication circuitry is further configured to authenticate the logon request based on user credentials provided in the logon request; wherein the communications hardware is further configured to: in an instance in which the logon request is successfully authenticated, establish a secure session with the user device, and during the secure session, receive a user configuration preference from the user device; wherein the apparatus further comprises configuration circuitry configured to update the user account to include the user configuration preference in a user configuration preference set.
- 20 . A computer program product for improved authentication, the computer program product comprising at least one non-transitory computer-readable storage medium storing software instructions that, when executed, cause an apparatus to: receive a user operation request from a user device, wherein the user operation request pertains to a user account and corresponds to an operation request type; determine, based on the user account, an authentication passkey requirement set comprising one or more authentication passkey requirements required for authentication of the user operation request; perform an authentication routine to determine whether to authenticate the user operation request, wherein the authentication routine comprises: authenticating a digital signature provided by the user device using a public cryptographic key of a passkey for the user account, and determining whether current user device data satisfies the one or more authentication passkey requirements, wherein the user operation request is successfully authenticated in an instance in which the digital signature is successfully authenticated and the current user device data satisfies each of the one or more authentication passkey requirements; and in an instance in which the user operation request is successfully authenticated, perform, based on the user operation request, an operational routine associated with the operation request type for the user account.
Description
BACKGROUND
User account security is paramount for keeping sensitive user information safe and out of the hands of bad actors. Passkeys are designed to improve security and usability by providing passwordless authentication that leverages cryptographic keys to ensure only a legitimate user can access his/her user account.
BRIEF SUMMARY
The use of passkeys for authentication is an improvement over the traditional password-based system. The traditional password method for user authentication typically relies on an alphanumeric string (e.g., a password) to grant access to a service and/or an account. The password used in this process may be stolen, guessed and/or cracked by cryptanalysis with relative ease. In contrast, the passkey system may leverage more secure cryptographic keys for user authentication.
In particular, a user device locally stores a private cryptographic key and this key may be further secured through the various security systems on the user device (e.g., fingerprint recognition, face recognition, retinal scanning, and/or other biometric and security processes). A corresponding public cryptographic key is stored by the account service provider. The user may utilize the user device, registered to the passkey system, to request access to a service and/or an account. To allow access to a service and/or an account using a passkey, a digital challenge may be sent from the service provider to the user device. The private cryptographic key, accessed through the onboard security measures of the user device, may be used to sign the digital challenge, which is then sent back to the service provider for authentication. In an instance where the signature on the signed digital challenge corresponds to the stored public key, stored by the service provider, the user device is granted access to the desired service and/or account.
Traditionally, the user device only sends a signed response to the passkey system, and typically there has been no way to include additional user device data in the passkey authentication process. In addition, there is typically no way for the service provider to enact additional security requirements on the use of passkeys to access its service and/or account after the enrollment of the user device in the passkey authentication system. Additionally, the use of a passkey authentication only provides one type/level of authentication for all services that may be requested.
In contrast to these conventional techniques for passkey authentication, example embodiments herein describe a method for providing enhanced user account security by implementing an enhanced passkey authentication system that utilizes a “super passkey.” A super passkey may refer to a passkey for a user account and/or user device that is further associated with additional requirements defined in an authentication passkey requirement set. Thus, the passkey authentication system described herein may utilize traditional aspects of the passkey authentication process, including the use of both public and private cryptographic keys, stored by the service provider and the user device respectively, the signing of a challenge by the user device, and authentication of the signed challenge. However, the use of a super passkey may require the passkey authentication system to further evaluate user device data during the authentication process and determine an authentication result for a user operation request based on the user device data. More particularly, the user device data may be evaluated to determine whether one or more authentication passkey requirements of an authentication passkey requirement set are satisfied.
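The authentication routine described above, sketched as an added example that is not code from the patent or its assignee: the server issues a single-use challenge, verifies the signature against the stored public key, and then evaluates the device data against the requirement set for the operation request type. The function names, the requirement fields (`trustedLocations`, `trustedHoursUtc`, `minAppVersion`), the sample values, the use of ECDSA P-256 from Node's built-in `crypto` module, and the choice to sign the device data together with the challenge are all assumptions of this example.

```javascript
// Added example; every name and value here is hypothetical or constructed.
const crypto = require('crypto');

// Enrollment (constructed): the device holds the private key, the server the public key.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
const account = {
  publicKey,
  // Authentication passkey requirement set, keyed by operation request type.
  requirements: {
    view_balance: {},
    wire_transfer: { trustedLocations: ['US-NC'], trustedHoursUtc: [8, 20], minAppVersion: '4.2.0' },
  },
};
const pending = new Set(); // outstanding challenges, each usable once

function issueChallenge() {
  const challenge = crypto.randomBytes(32).toString('base64');
  pending.add(challenge);
  return challenge;
}

// Device side: sign the challenge together with the device data, so the data
// cannot be swapped after signing (a design choice of this example).
function deviceRespond(challenge, deviceData, key = privateKey) {
  const payload = JSON.stringify({ challenge, deviceData });
  return { payload, signature: crypto.sign('sha256', Buffer.from(payload), key) };
}

// Numeric dotted-version comparison: true when current >= minimum.
function versionAtLeast(current, minimum) {
  const a = current.split('.').map(Number), b = minimum.split('.').map(Number);
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    const x = a[i] || 0, y = b[i] || 0;
    if (x !== y) return x > y;
  }
  return true;
}

// Returns the names of unmet requirements; an empty list means all are satisfied.
function unmetRequirements(req, data, now) {
  const unmet = [];
  if (req.trustedLocations && !req.trustedLocations.includes(data.location)) unmet.push('location');
  if (req.excludedLocations && req.excludedLocations.includes(data.location)) unmet.push('excluded_location');
  if (req.trustedHoursUtc) {
    const h = now.getUTCHours();
    if (h < req.trustedHoursUtc[0] || h >= req.trustedHoursUtc[1]) unmet.push('timeframe');
  }
  if (req.minAppVersion && !versionAtLeast(String(data.appVersion || '0'), req.minAppVersion)) unmet.push('app_version');
  return unmet;
}

// Server side: the signature AND every requirement must pass; anything else is denied.
function authenticate(operationType, response, now) {
  const req = account.requirements[operationType];
  if (!req) return { ok: false, reason: 'unknown_operation' };
  let parsed;
  try { parsed = JSON.parse(response.payload); } catch { return { ok: false, reason: 'bad_payload' }; }
  if (!parsed || !pending.delete(parsed.challenge)) return { ok: false, reason: 'unknown_or_replayed_challenge' };
  if (!crypto.verify('sha256', Buffer.from(response.payload), account.publicKey, response.signature)) {
    return { ok: false, reason: 'bad_signature' };
  }
  const unmet = unmetRequirements(req, parsed.deviceData || {}, now);
  return unmet.length ? { ok: false, reason: 'unmet:' + unmet.join(',') } : { ok: true, reason: 'authenticated' };
}
```

The location and application version in this sketch are self-reported by the device; the signature shows only that the key holder sent them, not that they are accurate.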
A user operation request may be successfully authenticated in an instance in which a digital signature provided by the user device is successfully authenticated and each of the authentication passkey requirements is satisfied. Thus, use of a super passkey advantageously provides for improved security around the authentication process.
Prior to use of a super passkey for authentication, an authentication passkey requirement set must be generated for the user account. The authentication passkey requirement set may be generated based on user configuration preferences received for a user account, as well as entity configuration security requirements. A user configuration preference may be a user-defined condition under which the passkey can be used for authentication, whereas an entity configuration security requirement may be an entity-controlled and entity-configured parameter that may place restrictions on the conditions under which a passkey can be used for authentication for individual users. Thus, both user-defined preferences and entity-defined protection measures and restrictions are considered when generating the authentication passkey requirement set for a user account of the user. In doing so, example embodiments described herein allow a user to customize his/her authentication preferences within the boundaries d