US-20260129445-A1 - SYSTEMS AND METHODS FOR USE IN SYNCHRONIZING KEYS FOR ENHANCED AUTHENTICATION AVAILABILITY
Abstract
Systems and methods are provided for use in consent-based synchronization of keys for enhanced authentication availability. One example computer-implemented method includes receiving, by a first fast identity online (FIDO) server, from a second FIDO server, a signed consent token, which is signed by a first private key specific to a mobile device of a user; retrieving a user profile for a user; verifying the signed consent token based on a first public key included in the user profile; based on the successful verification of the consent token, generating a response token, which includes the first public key; signing the response token with a second private key unique to the first FIDO server; and transmitting the signed response token to the second FIDO server.
Inventors
- Ameya Vinayak Sohoni
- Kaushal Shetty
- Mayank Joshi
Assignees
- MASTERCARD INTERNATIONAL INCORPORATED
Dates
- Publication Date
- 20260507
- Application Date
- 20241104
Claims (19)
- 1. A computer-implemented method for use in consent-based synchronizing of keys for enhanced authentication availability for network services, the method comprising: receiving, by a first fast identity online (FIDO) server, from a second FIDO server, a signed consent token, which is signed by a first private key specific to a mobile device of a user; retrieving, by the first FIDO server, a user profile for a user; verifying, by the first FIDO server, the signed consent token based on a first public key included in the user profile; based on the successful verification of the consent token, generating, by the first FIDO server, a response token, which includes the first public key; signing, by the first FIDO server, the response token with a second private key, which is unique to the first FIDO server; and transmitting the signed response token to the second FIDO server, whereby the second FIDO server verifies the signed response token based on a second public key and extracts the first public key from the response token to permit the second FIDO server to authenticate the user at the mobile device based on the first public key, when the first FIDO server is unavailable.
- 2. The computer-implemented method of claim 1, wherein the first public key is specific to a service platform; and further comprising identifying, by the service platform, the second FIDO server, based on a uniform resource locator (URL) of the second FIDO server, as available for authenticating the user.
- 3. The computer-implemented method of claim 1, further comprising enrolling the mobile device for passkey authentication based on the first public key and the first private key.
- 4. The computer-implemented method of claim 1, wherein receiving the signed consent token includes further receiving at least one of: a phone number specific to the mobile device, a device identifier of the mobile device, and/or a credential ID; and wherein retrieving the user profile includes retrieving the user profile based on the at least one of: a phone number specific to the mobile device, a device identifier of the mobile device, and/or a credential ID.
- 5. The computer-implemented method of claim 1, wherein the response token further includes at least one of: a phone number specific to the mobile device, a device identifier of the mobile device, an email address specific to the user, and/or a credential ID.
- 6. The computer-implemented method of claim 1, wherein receiving the signed consent token from the second FIDO server is based on a consent of the user, at the mobile device, to share the first public key with the second FIDO server.
- 7. The computer-implemented method of claim 1, further comprising: receiving, by the second FIDO server, the signed response token; verifying, by the second FIDO server, the signed response token based on the second public key; extracting, by the second FIDO server, the first public key from the response token; and storing, by the second FIDO server, in a memory, the first public key in the user profile for the user to permit the second FIDO server to authenticate the user at the mobile device based on the first public key, when the first FIDO server is unavailable.
- 8. The computer-implemented method of claim 7, wherein the second public key is unique to the first FIDO server; and further comprising authenticating, by the second FIDO server, the user based on the first public key in connection with a message, which is signed by the first private key.
- 9. A system for use in consent-based synchronization of keys for enhanced authentication availability, the system comprising: a first fast identity online (FIDO) server, which is configured, by executable instructions, to: receive, from a second FIDO server, a signed consent token, which is signed by a first private key specific to a mobile device of a user; retrieve a user profile for a user; verify the signed consent token based on a first public key included in the user profile; based on the successful verification of the consent token, generate a response token, which includes the first public key; sign the response token with a second private key unique to the first FIDO server; and transmit the signed response token to the second FIDO server, whereby the second FIDO server verifies the signed response token based on a second public key and extracts the first public key from the response token to permit the second FIDO server to authenticate the user at the mobile device based on the first public key, when the first FIDO server is unavailable.
- 10. The system of claim 9, wherein the first public key is specific to a service platform.
- 11. The system of claim 9, wherein the first FIDO server is further configured, by executable instructions, to enroll the mobile device for passkey authentication based on the first public key and the first private key.
- 12. The system of claim 9, wherein the first FIDO server is further configured, by executable instructions, to receive at least one of: a phone number specific to the mobile device, a device identifier of the mobile device, and/or a credential ID; and wherein the first FIDO server is configured to retrieve the user profile based on the at least one of: a phone number specific to the mobile device, a device identifier of the mobile device, and/or a credential ID.
- 13. The system of claim 9, wherein the response token further includes at least one of: a phone number specific to the mobile device, a device identifier of the mobile device, an email address specific to the user, and/or a credential ID.
- 14. The system of claim 9, wherein the first FIDO server is configured to receive the signed consent token from the second FIDO server based on a consent of the user, at the mobile device, to share the first public key with the second FIDO server.
- 15. The system of claim 9, further comprising the second FIDO server, which is configured, by second executable instructions, to: receive the signed response token; verify the signed response token based on the second public key, which is unique to the first FIDO server; extract the first public key from the response token; and store, in a memory, the first public key in the user profile for the user to permit the second FIDO server to authenticate the user at the mobile device based on the first public key.
- 16. The system of claim 15, wherein the first public key is specific to a service platform; and wherein the service platform is configured to identify the second FIDO server, based on a uniform resource locator (URL) of the second FIDO server, as available for authenticating the user.
- 17. The system of claim 16, wherein the service platform is configured to instruct the second FIDO server to authenticate the user, based on the URL of the second FIDO server; and wherein the second FIDO server is further configured, by the second executable instructions, to authenticate the user at the mobile device, based on the first public key and a signed challenge from the mobile device.
- 18. The system of claim 16, wherein the service platform is configured to instruct the second FIDO server to authenticate the user, based on the URL of the second FIDO server, after determining that the first FIDO server is unavailable.
- 19. A non-transitory computer-readable storage medium comprising executable instructions for use in consent-based synchronizing keys for enhanced authentication availability for services, which when executed by at least one processor, cause the at least one processor to: receive, from a second FIDO server, a signed consent token, which is signed by a first private key specific to a mobile device of a user; retrieve a user profile for a user; verify the signed consent token based on a first public key included in the user profile; based on the successful verification of the consent token, generate a response token, which includes the first public key; sign the response token with a second private key unique to the first FIDO server; and transmit the signed response token to the second FIDO server, whereby the second FIDO server verifies the signed response token based on a second public key and extracts the first public key from the response token to permit the second FIDO server to authenticate the user at the mobile device based on the first public key, when the first FIDO server is unavailable.
Description
FIELD
The present disclosure generally relates to systems and methods for synchronizing keys for enhanced authentication availability, and in particular, to extending public keys to additional servers to extend authentication for related services, thereby enhancing availability of the authentication.
BACKGROUND
This section provides background information related to the present disclosure which is not necessarily prior art.
It is known for entities to rely on authentication to ensure that an entity is interacting with a person rightfully associated with identifying attributes. In connection therewith, fast identity online authentication, or FIDO authentication, is a set of open, standardized authentication protocols for use in place of passwords for authentication. The FIDO authentication may be used for a variety of entities. In use, the entity offers FIDO authentication, whereby as part of a registration process, a user's device creates a key pair that is unique to the device, and also an online service and/or a user account. The user's device retains the private key from the pair, and transmits the public key from the pair to a FIDO server of the entity. The FIDO server stores the public key for the user (or user's device). The key pair is later used, through the user's device, alone or in combination with a biometric, username, password, etc., for the user to authenticate with the entity.
DRAWINGS
The drawings described herein are for illustrative purposes only of selected embodiments and not all possible implementations, and are not intended to limit the scope of the present disclosure.
FIG. 1 illustrates an example system of the present disclosure suitable for use in synchronizing keys for enhanced authentication availability; FIG. 2 is a block diagram of an example computing device that may be used in the system of FIG. 1; and FIG. 3 includes a flow diagram of an example method, which may be implemented in connection with the system of FIG. 1, for use in effecting consent-based synchronizing keys for enhanced authentication availability for network services.
Corresponding reference numerals indicate corresponding parts throughout the several views of the drawings.
DETAILED DESCRIPTION
Example embodiments will now be described more fully with reference to the accompanying drawings. The description and specific examples included herein are intended for purposes of illustration only and are not intended to limit the scope of the present disclosure.
In connection with fast identity online (FIDO) authentication, a user registers from a user device, whereby a key pair is generated and the public key of the pair is shared with a FIDO server, in connection with a service. Upon accessing the service, as necessary for authentication, the FIDO server participates to verify data with the public key. For various reasons, the FIDO server may be down, or otherwise unavailable, whereby access to the service is eliminated, or limited to additional authentication. In either instance, the user experiences associated friction in accessing the service, based on the unavailable FIDO server.
Uniquely, the systems and methods herein provide for synchronizing keys for enhanced authentication availability (e.g., across FIDO servers, etc.). In particular, multiple FIDO servers are defined for a service. The user initially registers with one of the FIDO servers, and then consents (e.g., for a service, entity, interval, etc.) to share the public key generated from the enrollment with the one of the FIDO servers, with one or more additional ones of the FIDO servers. The initial one of the FIDO servers, through the operations described herein, then shares the public key with/to the one or more additional ones of the FIDO servers, whereby any one of the FIDO servers is available for authentication of the user in connection with the service. In this manner, one of the FIDO servers (e.g., the FIDO server with which the user registered, etc.) may be unavailable without impacting availability of the service.
FIG. 1 illustrates an example system 100 in which one or more aspects of the present disclosure may be implemented. Although the system 100 is presented in one arrangement, other embodiments may include the parts of the system 100 (or other parts) arranged otherwise depending on, for example, service types, authentication requirements, privacy regulations and/or requirements, etc. The system 100 includes a service platform 102 (or service provider, etc.), multiple FIDO servers 104a-b, and a mobile device 106 associated with a user 108, each of which is coupled to (and is in communication with) one or more networks, represented by the cloud 101 in FIG. 1. The one or more networks may include, without limitation, one or more of a local area network (LAN), a wide area network (WAN) (e.g., the Internet, etc.), a mobile network, a virtual network, and/or another suitable public and/or private network capable of supporting communication