US-20260128911-A1 - SECURE PROVISIONING OF FIDO CREDENTIAL
Abstract
A computing device implemented method of provisioning credential information includes activating a credentialing application stored in an authenticator device; receiving, by the credentialing application, user information entered into the authenticator device; establishing a secure channel between the authenticator device and an authentication server; sending the user information to the authentication server via the secure channel; generating a challenge by the authentication server in response to the user information and presenting the challenge to the user; sending a response to the challenge from the authenticator device to the authentication server via the secure channel; receiving a command from the authentication server to generate the credential information including a key pair; and registering a key of the key pair with the authentication server.
Inventors
- François-Eric Michel Guyomarc'h
- Marc Raymond Powell
- Antonio Fidalgo
Assignees
- ASSA ABLOY AB
Dates
- Publication Date
- 20260507
- Application Date
- 20221010
Claims (20)
- 1. A computing device implemented method of provisioning credential information, the method comprising: activating a credentialing application stored in an authenticator device; receiving, by the credentialing application, a prompt entered into the authenticator device to register the authenticator device to access an online service; establishing a secure channel between the authenticator device and an authentication server; sending a request message to register the authenticator device to the authentication server via the secure channel, wherein the request message includes user information; generating a challenge by the authentication server in response to the request message and presenting the challenge to the user; sending a response to the challenge from the authenticator device to the authentication server via the secure channel; receiving a command from the authentication server to generate credential information for the online service, the credential information including a key pair; and registering a first key of the key pair with the authentication server.
- 2. The method of claim 1, wherein the generating the challenge from the authentication server includes the authentication server presenting the challenge using a web browser.
- 3. The method of claim 2, wherein the authentication server presenting the challenge includes the authentication server presenting a QR code using the web browser.
- 4. The method of claim 1, wherein the authentication server presenting the challenge includes the authentication server sending the challenge to the authenticator device via the secure channel.
- 5. The method of claim 1, wherein sending the response to the challenge includes sending a digital signature generated by the authenticator device using a second signature key of the key pair stored in the authenticator device.
- 6. The method of claim 1, including: accessing the online service associated with the credential information; receiving a challenge from the authentication server via a web browser; and sending a signed challenge response to the authentication server via the secure channel using the credentialing application.
- 7. The method of claim 1, including: accessing the online service associated with the credential information using a web browser; receiving a challenge from the authentication server via the web browser; and sending a signed challenge to the authentication server using the web browser.
- 8. The method of claim 1, wherein establishing a secure channel includes establishing a secure channel between the authenticator device and the authentication server using a secure channel.
- 9. The method of claim 1, wherein the credential information is Fast Identity Online (FIDO) credential information, and the key pair of the credential information is a FIDO key pair.
- 10. An authentication server comprising: processing circuitry including at least one hardware processor; and a memory storing instructions that cause the at least one hardware processor to perform operations comprising: establish a secure channel with a credentialing application of a separate authenticator device; receive a request message to register the authenticator device via the secure channel; send a challenge to the credentialing application in response to receiving the user information; receive a response to the challenge from credentialing application via the secure channel; send a command to the credentialing application to generate credential information, the credential information including a key pair; receive a key of the key pair from the credentialing application; and register the key of the key pair.
- 11. The authentication server of claim 10, wherein the instructions further cause the at least one hardware processor to perform operations including sending the challenge via the secure channel.
- 12. The authentication server of claim 10, wherein the instructions further cause the at least one hardware processor to perform operations including sending the challenge via a web browser.
- 13. The authentication server of claim 12, wherein the instructions further cause the at least one hardware processor to perform operations including sending the challenge as a Quick Response (QR) code to the web browser for presenting on a web page.
- 14. The authentication server of claim 12, wherein the instructions further cause the at least one hardware processor to perform operations including: receiving a request message from the credentialing application to access an online service associated with the credential information; encoding a challenge to send to the credentialing application via the web browser in response to the request message; and decoding a signed challenge received from the credentialing application via the secure channel.
- 15. The authentication server of claim 12, wherein the instructions further cause the at least one hardware processor to perform operations including: decoding a request message from the credentialing application to access an online service associated with the credential information; encoding a challenge to send to the credentialing application via the web browser in response to the request message; and decoding a signed challenge received from the credentialing application via the web browser.
- 16. The authentication server of claim 12, wherein the instructions further cause the at least one hardware processor to perform operations including decoding a digital signature with the response to the challenge, wherein the digital signature is generated by the credentialing application using a second signature key of the key pair.
- 17. The authentication server of claim 12, wherein the instructions further cause the at least one hardware processor to perform operations including communicating information with the credentialing application of the separate device according to a global platform secure channel protocol, wherein the separate device is a mobile phone.
- 18. The authentication server of claim 10, wherein the instructions further cause the at least one hardware processor to perform operations including: sending a command to the credentialing application to generate Fast Identity Online (FIDO) credential information; and registering a FIDO key received from the credentialing application in response to the command.
- 19. A computer readable storage medium including instructions that, when performed using processing circuitry of a mobile device, cause the mobile device to perform acts comprising: receiving, via a user interface of the mobile device, a prompt to register the mobile device with an online service; establishing a secure channel with an authentication server; sending a request message to register the authenticator device to the authentication server via the secure channel, wherein the request message includes user information; receiving a challenge from the authentication server in response to the user information; sending a response to the challenge to the authentication server via the secure channel; receiving a command from the authentication server to generate the credential information including a credential identifier (ID) and a key pair; and registering a first key of the key pair with the authentication server.
- 20. The computer readable storage medium of claim 19, including instructions that cause the mobile device to perform acts including receiving the challenge from the authenticator device via the secure channel.
Description
TECHNICAL FIELD
Embodiments illustrated and described herein generally relate to automatic identity authentication systems that authenticate users for access to secure resources, and to techniques of secure messaging for identity authentication systems.
BACKGROUND
There are many applications for which quick and accurate remote authentication of identity of a person is desirable. Some examples include access to online accounts for mobile banking and mobile shopping. Remote authentication often involves authentication information being exchanged between a user's mobile phone or other mobile device and a server performing authentication. Unfortunately, attempts to defeat systems that provide secure authentication occur often. It is desirable to develop authentication practices that are difficult to defeat.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a diagram of an example Fast Identification Online (FIDO) registration process.
FIG. 2 is a diagram of an example FIDO authentication process.
FIG. 3 is a diagram of another example of a FIDO registration process.
FIG. 4 is a flow diagram of an example of a method of provisioning a FIDO credential using a credentialing application of an authenticator device.
FIG. 5 is a block diagram schematic of portions of an example of an authenticator device.
DETAILED DESCRIPTION
It is desirable for automatic authentication of a person's identity based on verifiable identity information to be fast and secure. Automatic device authentication involves exchanging sensitive information between devices to prove identity of the holder of a device, or to prove that information is originating from, or being provided to, an authorized device. For device-based authentication, a credential device presents sensitive credential information to prove identity or authorization to a resource, and a verifier device authenticates the credential information.
A verifier device can be an authentication server (e.g., a cloud-based server) of the backend of an authentication system. A credential device can be a platform device (e.g., a desktop computer) or a mobile device (e.g., a mobile phone, laptop computer, tablet computer, smartwatch, etc.) of the user wishing to prove identity or authorization. One approach to device-based authentication is to verify the device using passwords. However, passwords can be stolen or deduced by someone seeking unauthorized access to the secure resource. Fast Identification Online (FIDO) authentication is an open industry association that aims to reduce dependence on passwords for device-based authentication. For FIDO-based authentication, the credential device is an authenticator (e.g., a roaming authenticator or a platform authenticator). A user who wishes to enable FIDO-based authentication for an online service that supports FIDO needs to first register the user's authenticator device with that particular service. FIG. 1 is a diagram of an example FIDO registration process to register a FIDO authenticator 102. In the example, the authenticator 102 is a mobile phone. The registration is performed by a web server 104 of the online service that can be cloud-based and uses a support service provider (SSP) web browser 106 to provision credential devices. The web browser 106 implements the FIDO web authorization application program interface (WebAuthn API). To register, the user enters the domain name 108 of the online service (e.g., acme.com) into the authenticator 102 to navigate the web browser 106 to the registration webpage 107 of the online service. Using the authenticator 102, the user signs into their account or creates a new account with user information 110 sent to the web server 104. The user may sign in using a password. The web browser 106 prompts the user to register, e.g., by displaying a “Register” button that the user selects.
The web server 104 generates a challenge 112 that is presented to the user. The challenge 112 is for previously configured information such as a personal identification number (PIN) or biometric 114. If the challenge 112 is passed, the WebAuthn API causes the web browser 106 to tell the authenticator 102 to generate a new credential (e.g., a credential identifier (ID) and a public/private key pair). The credential ID 116 and the public key 118 are returned to the server 104 via the browser 106 so that they can be registered with the online service. The private key 120 is retained by the authenticator 102 and can be used by the authenticator 102 for generating a signature 122. The webpage may show “Registration Complete” to indicate that the registration of the authenticator was successfully completed. When the user wishes to authenticate to the server 104, the authenticator 102 proves possession of the private key 120 to the service by signing a challenge generated by the server 104. FIG. 2 is a diagram of an example FIDO authentication process. The user navigates to the webpage 107 in a web browser 106 using the authenticator
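The registration and authentication exchanges described for FIG. 1 and FIG. 2 can be modelled end to end in a few dozen lines. The Go program below is an added example written for this page; it is not the patent's code nor any FIDO implementation. It models the authenticator 102 (key pair generated on the device, private key never exported, credential ID and public key handed back) and the web server 104 (random challenge, storage of credential ID and public key, verification of the signed challenge). The names Server, Authenticator, RegisterCredential, NewChallenge, VerifyResponse and the relying-party ID acme.com are constructed for the example. Hashing the relying-party ID in with the challenge is an assumption modelled on WebAuthn's rpIdHash; the patent text does not spell it out. The secure channel, the browser and the PIN/biometric check are outside the model.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Server models the authentication server; it stores only public keys.
type Server struct {
	RPID    string                      // relying-party ID, e.g. the service's domain
	pubKeys map[string]*ecdsa.PublicKey // registered public key per credential ID
	pending map[string][]byte           // at most one outstanding challenge per credential
}

func NewServer(rpID string) *Server {
	return &Server{RPID: rpID, pubKeys: map[string]*ecdsa.PublicKey{}, pending: map[string][]byte{}}
}

// RegisterCredential records the credential ID and public key returned by the authenticator.
func (s *Server) RegisterCredential(credID string, pub *ecdsa.PublicKey) { s.pubKeys[credID] = pub }

// NewChallenge mints a fresh 32-byte random challenge and remembers it.
func (s *Server) NewChallenge(credID string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.pending[credID] = c
	return c, nil
}

// VerifyResponse checks a signed challenge. The challenge is consumed on every
// attempt, so a captured signature cannot be replayed.
func (s *Server) VerifyResponse(credID string, sig []byte) error {
	challenge, ok := s.pending[credID]
	if !ok {
		return errors.New("no outstanding challenge for this credential")
	}
	delete(s.pending, credID)
	pub, ok := s.pubKeys[credID]
	if !ok || !ecdsa.VerifyASN1(pub, signedData(s.RPID, challenge), sig) {
		return errors.New("unknown credential ID or signature does not verify")
	}
	return nil
}

// signedData is the message both sides sign/verify. Hashing the relying-party ID in with
// the challenge ties the signature to one service (assumption modelled on WebAuthn's rpIdHash).
func signedData(rpID string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(rpID))
	h.Write(challenge)
	return h.Sum(nil)
}

// Authenticator models the credential device (the user's phone); private keys never leave it.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }

func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}} }

// Register generates a P-256 key pair and a random credential ID; the local
// PIN/biometric check is assumed to have passed before this is called.
func (a *Authenticator) Register() (credID string, pub *ecdsa.PublicKey, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", nil, err
	}
	id := make([]byte, 16)
	if _, err := rand.Read(id); err != nil {
		return "", nil, err
	}
	credID = fmt.Sprintf("%x", id)
	a.keys[credID] = priv
	return credID, &priv.PublicKey, nil
}

// Sign proves possession of the private key by signing the challenge for rpID.
func (a *Authenticator) Sign(credID, rpID string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[credID]
	if !ok {
		return nil, errors.New("authenticator holds no key for this credential ID")
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedData(rpID, challenge))
}

func main() {
	srv, auth := NewServer("acme.com"), NewAuthenticator()
	credID, pub, _ := auth.Register() // registration: the key pair is made on the device
	srv.RegisterCredential(credID, pub)
	challenge, _ := srv.NewChallenge(credID) // authentication: sign the server's challenge
	sig, _ := auth.Sign(credID, srv.RPID, challenge)
	fmt.Println("fresh response:", srv.VerifyResponse(credID, sig))
	fmt.Println("replayed response:", srv.VerifyResponse(credID, sig))
}
```

Two server-side checks carry the security of the exchange: the challenge is deleted before verification, so presenting the same signature twice fails, and the signed message includes the relying-party ID, so a signature produced for another service does not verify here. Both are things a deployment should confirm with tests rather than assume.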