Jakobsson

(10) Patent No.: US 10,360,351 B1
(45) Date of Patent: *Jul. 23, 2019

(54) AUTHENTICATION TRANSLATION
(71) Applicant: RightQuestion, LLC, Portola Valley, CA (US)
(72) Inventor: Bjorn Markus Jakobsson, Portola Valley, CA (US)
(73) Assignee: RightQuestion, LLC, Portola Valley, CA (US)
(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 0 days. This patent is subject to a terminal disclaimer.
(21) Appl. No.: 15/042,636
(22) Filed: Feb. 12, 2016

Related U.S. Application Data
(63) Continuation of application No. 13/706,254, filed on Dec. 5, 2012, now Pat. No. 9,294,452.
(60) Provisional application No. 61/569,112, filed on Dec. 9, 2011, provisional application No. 61/587,387, filed on Jan. 17, 2012.

(51) Int. Cl.
G06F 21/00 (2013.01)
G06F 21/10 (2013.01)
H04L 29/06 (2006.01)
G06F 21/12 (2013.01)
(52) U.S. Cl.
CPC: G06F 21/10 (2013.01); G06F 21/121 (2013.01); G06F 21/128 (2013.01); H04L 63/083 (2013.01); H04L 63/0861 (2013.01); H04L 63/10 (2013.01); H04L 63/20 (2013.01)
(58) Field of Classification Search
None
See application file for complete search history.

(56) References Cited

U.S. PATENT DOCUMENTS
6,016,476 A, 1/2000, Maes
7,512,965 B1 *, 3/2009, Amdur, H04L 63/20; 726/1
7,950,051 B1 *, 5/2011, Spitz, G06F 21/31; 380/277
8,549,300 B1 *, 10/2013, Kumar, H04L 9/3247; 713/153
8,577,813 B2, 11/2013, Weiss
8,856,539 B2, 10/2014, Weiss
9,100,826 B2, 8/2015, Weiss
2004/0107170 A1, 6/2004, Labrou
2004/0236632 A1, 11/2004, Maritzen
(Continued)

FOREIGN PATENT DOCUMENTS
WO WO-2004051585 A2, 6/2004
WO 2005001751 A1, 1/2005

OTHER PUBLICATIONS
Hammer-Lahav, Ed. "The OAuth 1.0 Protocol", from https://tools.ietf.org/html/rfc5849, Apr. 2010.

Primary Examiner: Andrew J Steinle
(74) Attorney, Agent, or Firm: Van Pelt, Yi & James LLP

(57) ABSTRACT
Authentication translation is disclosed. A request to access a resource is received at an authentication translator, as is an authentication input. The authentication input corresponds to at least one stored record. The stored record is associated at least with the resource. In response to the receiving, a previously stored credential associated with the resource is accessed. The credential is provided to the resource.

32 Claims, 8 Drawing Sheets
`
`122
`
`Bank
`Website
`
`Online
`Camera
`Retailer
`
`134
`Authentication
`Translator for Bank
`Website
`
`5120
`Social
`Networking
`Site
`
`132
`
`1024
`
`Authentication
`Translator
`Module
`
`100
`
`140
`Cloud
`Storage
`Service
`
`5136
`30 Party
`Authentication
`Translator
`
`2110
`
`106
`
`APPL-1011
`APPLE INC. / Page 1 of 17
`
`
`
Page 2

(56) References Cited (continued)

U.S. PATENT DOCUMENTS
2005/0198348 A1 *, 9/2005, Yeates, H04L 12/6418; 709/232
2009/0100269 A1 *, 4/2009, Naccache, H04L 9/3271; 713/186
2010/0242102 A1 *, 9/2010, Cross, G06F 21/32; 726/7
2011/0205016 A1 *, 8/2011, Al-Azem, H04L 63/0861; 340/5.52
2011/0231651 A1 *, 9/2011, Bollay, H04L 63/166; 713/152
2012/0110341 A1 *, 5/2012, Beigi, G06Q 20/3223; 713/186
2012/0167193 A1 *, 6/2012, Gargaro, G06F 21/41; 726/8

* cited by examiner
`
`
`
[Sheet 1 of 8, FIG. 1 (environment 100): client devices connect via network 110 to Social Networking Site 120, Bank Website 122 and Online Camera Retailer 124; Authentication Translator Module 132 on a client device, Authentication Translator for Bank Website 134, 3rd Party Authentication Translator 136, and Cloud Storage Service 140.]
`
`
`
[Sheet 2 of 8, FIG. 2 (device 200): user profiles 202, 204 and 206, each holding templates (Template 1, Template 2, Template 3; e.g., template 210) and a vault (e.g., vault 220) of (domain, username, credential) triples.]
`
`
`
[Sheet 3 of 8, FIG. 3 (device 300): insecure storage (large) 302 attached to processor 304; secure storage (small) 306 attached to processor 308 and sensor 310.]
`
`
`
[Sheet 4 of 8, FIG. 4 (renegotiation): Peripheral 402, Primary Device 404 and Site 406, with connections 408 and 410.]
`
`
`
[Sheet 5 of 8, FIG. 5 (process 500 flowchart): 502 Receive request to access resource and receive authentication input; 504 Access stored credential associated with resource; 506 Provide credential to resource.]
`
`
`
[Sheet 6 of 8, FIG. 6 (first visit, Client / Proxy / Server sequence): Client sends a data request (no identity information) to the Proxy, which records the UA; the Proxy sends a data request (no cookie) to the Server; the Server returns data with SET cookie; the Proxy returns data to the Client with SET cookie and SET cache cookie, and records the cookie and cache cookie.]
`
`
`
[Sheet 7 of 8, FIG. 7 (subsequent visit, Proxy / Server sequence): a data request (+ identity information) reaches the Proxy, which finds the record and gets the cookie; the Proxy sends a data request (+ cookie) to the Server; the Server returns data; the Proxy returns data.]
`
`
`
[Sheet 8 of 8, FIG. 8 (cache cookie structure): callingpage.html, samename.html and uniquename.jpg.]
`
`
`
AUTHENTICATION TRANSLATION

CROSS REFERENCE TO OTHER APPLICATIONS

This application is a continuation of co-pending U.S. patent application Ser. No. 13/706,254, entitled AUTHENTICATION TRANSLATION filed Dec. 5, 2012 which is incorporated herein by reference for all purposes. U.S. patent application Ser. No. 13/706,254 claims priority to U.S. Provisional Patent Application No. 61/569,112 entitled BACKWARDS COMPATIBLE ROBUST COOKIES filed Dec. 9, 2011, and also claims priority to U.S. Provisional Patent Application No. 61/587,387 entitled BIOMETRICS SUPPORTED SECURE AUTHENTICATION SYSTEM filed Jan. 17, 2012, both of which are incorporated herein by reference for all purposes.

BACKGROUND OF THE INVENTION

Providing credentials to a service, whether via a mobile or other device, is often a tedious experience for a user. Unfortunately, to make authentication easier for themselves, users will often engage in practices such as password re-use, and/or the selection of poor quality passwords, which render their credentials less secure against attacks. Accordingly, improvements in authentication techniques would be desirable. Further, it would be desirable for such improvements to be widely deployable, including on existing/legacy systems.

BRIEF DESCRIPTION OF THE DRAWINGS

Various embodiments of the invention are disclosed in the following detailed description and the accompanying drawings.

FIG. 1 illustrates an embodiment of an environment in which authentication translation is provided.

FIG. 2 illustrates an embodiment of credential information stored on a device.

FIG. 3 illustrates an embodiment of a device with secure storage.

FIG. 4 illustrates an example of a renegotiation.

FIG. 5 illustrates an embodiment of a process for performing authentication translation.

FIG. 6 illustrates an example of what occurs when a client device first visits the site of a legacy server via an authentication translator.

FIG. 7 illustrates an example of what occurs when a device subsequently visits the site of a legacy server via an authentication translator.

FIG. 8 shows the structure of an example of a cache cookie used in some embodiments.

DETAILED DESCRIPTION

The invention can be implemented in numerous ways, including as a process; an apparatus; a system; a composition of matter; a computer program product embodied on a computer readable storage medium; and/or a processor, such as a processor configured to execute instructions stored on and/or provided by a memory coupled to the processor. In this specification, these implementations, or any other form that the invention may take, may be referred to as techniques. In general, the order of the steps of disclosed processes may be altered within the scope of the invention. Unless stated otherwise, a component such as a processor or a memory described as being configured to perform a task may be implemented as a general component that is temporarily configured to perform the task at a given time or a specific component that is manufactured to perform the task. As used herein, the term "processor" refers to one or more devices, circuits, and/or processing cores configured to process data, such as computer program instructions.

A detailed description of one or more embodiments of the invention is provided below along with accompanying figures that illustrate the principles of the invention. The invention is described in connection with such embodiments, but the invention is not limited to any embodiment. The scope of the invention is limited only by the claims and the invention encompasses numerous alternatives, modifications and equivalents. Numerous specific details are set forth in the following description in order to provide a thorough understanding of the invention. These details are provided for the purpose of example and the invention may be practiced according to the claims without some or all of these specific details. For the purpose of clarity, technical material that is known in the technical fields related to the invention has not been described in detail so that the invention is not unnecessarily obscured.

FIG. 1 illustrates an embodiment of an environment in which authentication translation is provided. In the example shown, a variety of client devices 102-108 connect, via one or more networks (represented as a single network cloud 110) to a variety of services 120-124 (also referred to herein as sites 120-124). In particular, client device 102 is a notebook computer owned by a user hereinafter referred to as Alice. Notebook 102 includes a camera, a microphone, and a fingerprint sensor. Client device 104 is a smartphone, also owned by Alice. Client device 104 includes a camera. Client device 106 is a tablet owned by Bob, and sometimes used by Bob's son Charlie. Client device 106 includes a camera and a fingerprint sensor. Client device 108 is a kiosk located in the lobby of a hotel. Kiosk 108 includes a camera and a microphone. The techniques described herein can be used with or adapted to be used with other devices, as applicable. For example, the techniques can be used in conjunction with gaming systems, with peripheral devices such as mice, and with embedded devices, such as door locks.

Service 120 is a social networking site. Service 122 is a website of a bank. Service 124 is the online store of a boutique camera retailer. Each of services 120-124 requires a username and password (and/or a cookie) from a user prior to giving that user access to protected content and/or other features. As will be described in more detail below, using the techniques described herein, users need not type such usernames and passwords into their devices whenever required by a service. Instead, users can authenticate themselves to an "authentication translator" via an appropriate technique, and the authentication translator will provide the appropriate credentials to the implicated service on the user's behalf. Also as will be described in more detail below, authentication translators can be located in a variety of places within an environment. For example, notebook computer 102 includes an authentication translator module 132 that provides authentication translation services. The other devices 104-108 can also include (but need not include) their own respective authentication translator modules. The owner of bank website 122 also operates an authentication translator 134 associated with the bank. Finally, authentication translator 136 provides authentication translation services to a variety of businesses, including online camera retailer 124.
`
`
`
FIG. 2 illustrates an embodiment of credential information stored on a device. In particular, device 200 stores three user profiles 202-206, each of which contains a username and one or more templates (e.g., template 210) associated with the user. In various embodiments, a template is a collection of biometric features. Using fingerprints as an example type of biometric, a corresponding template includes a collection of patterns, minutia, and/or other features that can be matched against to determine if a person's fingerprint matches the fingerprint of the registered user (i.e., the owner of a given user profile). A representation of a single fingerprint may be included in multiple templates (e.g., in different resolutions, in accordance with different protocols, as captured during warm vs. cold conditions, and/or by itself or in combination with multiple fingerprints). When other biometrics are employed (e.g., facial recognition, voiceprint, or retina scan technology), features appropriate to those types of biometrics are included in the template. Other types of features can also be included in templates. As one example, a user's typing speed and/or accuracy can be measured by a device, such as device 102, and used to distinguish between multiple users of a device. For example, suppose Alice types at 100 words per minute and rarely makes mistakes. A representation of this information can be stored in template 212. Also suppose Alice's niece, who sometimes uses Alice's laptop computer when visiting Alice types at 20 words per minute and makes many mistakes. In some embodiments, the fact that a user was recently (e.g., within the last 5 minutes) typing on laptop 102 at 90 words per minute is evidence of a match against template 212. In this case, the typing speed of 90 words per minute is similar enough to Alice's typical behavior, it is considered a match. Various policies can be included in a profile that govern how matches are to be performed. For example, policies can specify thresholds/tolerances for what constitutes a match, and can specify that different levels of matches can result in different levels of access to different resources.

A profile is associated with a vault (e.g., vault 220). The vault, in turn, contains triples specifying a service provider/domain, a username, and a credential. The vault can also contain other sensitive user information, such as account numbers, address/phone number information, and health care data. The credential for a service provider/domain can be a password (e.g., for legacy servers), and can also take alternate forms (e.g., a cryptographic key for service providers supporting stronger authentication methods).

In some embodiments, profiles, templates, and vaults (collectively "authentication information") are stored entirely in an unprotected storage area, and are stored in the clear. In other embodiments, secure storage techniques are used to secure at least a portion of the authentication information.

One example of a device with secure storage is illustrated in FIG. 3. In the example shown, a mobile phone 300 includes a large and insecure storage 302 attached to a fast processor 304, and a smaller but secure storage 306 attached to a dedicated processor 308 and a sensor 310 (e.g., a camera or a fingerprint reader). Users (and applications) can read from and write to the insecure storage area. However, users cannot access the secure storage area, and the fast processor can only communicate with the dedicated processor/sensor via a restricted API. As another example, a unique decryption key associated with a given vault can be stored in a profile. The vault is an encrypted and authenticated container that can be stored on insecure storage, e.g., on the device, and also backed up (e.g., to a cloud storage service 140 or to an alternate form of external storage). As needed, authentication information or portions thereof can be loaded into secure storage and decrypted. For example, one can use AES to encrypt the files one by one, using a key stored on the secured storage. A message authentication technique, such as HMAC, can be used for authenticating the encrypted files to provide tamper prevention. Profiles and vaults can be updated while in secure storage; if this occurs, they are encrypted and MACed before being written back to the insecure storage, which may in turn propagate them to external backup storage. In yet other embodiments, profiles and vaults are stored entirely in secure storage, in plaintext, which allows them to be both read and written and in particular, searched.

Example Transaction Types

A variety of transaction types can take place in the environment shown in FIG. 1, examples of which are discussed in this section.

Initial Registration

In order to begin using the techniques described herein, users perform some form of initial registration. As one example, suppose Alice launches an enrollment program installed on laptop 102. She uses the program to capture various biometric information (e.g., fingerprints, photographs of her face, etc.). A user profile is created for Alice, and the biometric information captured about her is encoded into a plurality of templates, such as templates 210 and 214. In some embodiments, Alice is also explicitly asked to supply credential information for services she would like to use, such as by providing the domain name of social networking site 120, along with her username and password for site 120. In other embodiments, domain/username/credential information is at least passively captured on Alice's behalf and included in one or more vaults such as vault 220. Credential information can also be imported from a browser password manager already in use by Alice or other appropriate source. In some embodiments, Alice also registers with cloud storage service 140, which will allow her to back up her authentication information and to synchronize it across her devices (e.g., 102 and 104), as described in more detail below.

Other registration approaches can also be used. For example, registration can be integrated into the experience the first time a device is used. Thus, when Bob first turns on tablet 106, he may be prompted to take a picture of his face (with a profile/templates being created in response). Similarly, the first time Charlie uses tablet 106, the techniques described herein can be used to determine that Charlie does not yet have a profile (e.g., because none of the templates already present on tablet 106 match his biometrics) and Charlie can be prompted to enroll as a second user of the device.

Authentication

Suppose Alice wishes to authenticate to banking website 122. Using a fingerprint reader incorporated into her laptop, she performs a fingerprint scan, which causes her biometric features to be extracted and compared to any stored templates residing on her computer. If a match is found, an associated decryption key is selected, and the associated vault is loaded and decrypted. The vault is scanned for an entry that matches the selected service provider (i.e., website 122). If a matching entry is found, the associated domain, username, and site credential are extracted from the vault. In some embodiments, the validity of the domain name mapping is verified at this point to harden the system against domain name poisoning. Next, a secure connection is established between Alice's computer and the service provider,
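The encrypted and authenticated vault container described above (files encrypted with a key held in secure storage, authenticated with HMAC, stored in insecure storage 302 or backed up to cloud storage 140, and scanned for the requested domain once decrypted), as an added example that is not part of the patent. It is standard-library only, so an HMAC-SHA256 counter-mode keystream stands in for the AES the patent names; the blob layout, the key split, the exact-domain lookup and the sample triples are assumptions.

```python
import hashlib
import hmac
import json
import secrets
from typing import List, Optional, Tuple

Triple = Tuple[str, str, str]   # (domain, username, credential), as held in vault 220


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256.
    Assumption: the standard library has no AES, so this PRF stands in for the
    AES the patent names; a production build would use AES-GCM or AES-CTR + HMAC."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def _subkeys(vault_key: bytes) -> Tuple[bytes, bytes]:
    """Derive independent encryption and MAC keys from the per-vault key
    that the profile keeps in secure storage 306 (assumed key schedule)."""
    enc = hmac.new(vault_key, b"vault-enc", hashlib.sha256).digest()
    mac = hmac.new(vault_key, b"vault-mac", hashlib.sha256).digest()
    return enc, mac


def seal_vault(vault_key: bytes, triples: List[Triple]) -> bytes:
    """Encrypt-then-MAC the vault so the blob can live in insecure storage 302
    or be propagated to external backup. Layout: nonce(16) || ciphertext || tag(32)."""
    enc_key, mac_key = _subkeys(vault_key)
    plaintext = json.dumps(triples).encode("utf-8")
    nonce = secrets.token_bytes(16)          # fresh per write-back
    ks = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_vault(vault_key: bytes, blob: bytes) -> List[Triple]:
    """Verify the MAC before touching the ciphertext: a blob modified while in
    insecure storage is rejected rather than decrypted."""
    if len(blob) < 48:
        raise ValueError("vault blob truncated")
    enc_key, mac_key = _subkeys(vault_key)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        raise ValueError("vault authentication failed (tampered or wrong key)")
    ks = _keystream(enc_key, nonce, len(ciphertext))
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, ks))
    return [tuple(t) for t in json.loads(plaintext.decode("utf-8"))]


def lookup(triples: List[Triple], domain: str) -> Optional[Tuple[str, str]]:
    """The vault scan from the Authentication section: exact domain match only,
    so a look-alike or sub-domain never receives the stored credential."""
    for stored_domain, username, credential in triples:
        if stored_domain == domain:
            return username, credential
    return None


def tamper(blob: bytes, index: int) -> bytes:
    """Flip one bit of a stored blob (used to show that tampering is detected)."""
    b = bytearray(blob)
    b[index] ^= 0x01
    return bytes(b)


def rejects(vault_key: bytes, blob: bytes) -> bool:
    """True when open_vault refuses the blob (tampered, truncated or wrong key)."""
    try:
        open_vault(vault_key, blob)
    except ValueError:
        return True
    return False


# Constructed sample vault for Alice (domains and passwords are placeholders).
SAMPLE_VAULT: List[Triple] = [
    ("social.example", "alice", "social-pw-constructed"),
    ("bank.example", "alice", "bank-pw-constructed"),
]
```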
`
`
`
and Alice is authenticated. For service providers supporting strong user authentication, mutual SSL can be used, for example. A variety of policies can be involved when performing matching. For example, to access certain domains, Alice's print may need only match template 210. To access other domains, Alice may need to match multiple templates (e.g., both 210 and 214). As another example, in order to access social networking site 120, Alice may merely need to be sitting in front of her computer, which has an integrated webcam. Even in relatively low light conditions, a match can be performed against Alice's face and features stored in a template. However, in order to access bank website 122, Alice may need a high quality photograph (i.e., requiring her to turn on a bright light) and may need to demonstrate liveness (e.g., by blinking or turning her head). As yet another example, other contextual information can be included in policies. For example, if Alice's IP address indicates she is in a country that she is not usually in, she may be required to match multiple templates (or match a template with more/better quality features) in order to access retailer 124, as distinguished from when her IP address indicates she is at home.

In some embodiments, the biometric sensor used by a user may be a peripheral device (e.g., a mouse with an integrated fingerprint scanner that is connected to the user's primary device via USB). In such scenarios, the peripheral device may be responsible for storing at least a portion of authentication information and may perform at least some of the authentication tasks previously described as having been performed by Alice's computer. For example, instead of processors 304 and 308, and storages 302 and 306 being collocated on a single device (e.g., laptop 102), processor 304 and storage 302 may be present on a primary device, and processor 308 and storage 306 may be present on a peripheral device (e.g., that also includes a sensor, such as a fingerprint reader).

In such scenarios, once Alice's login to banking website 122 is successfully completed, the secure session can be handed over from the peripheral device to the primary device, in a way that does not allow the primary device retroactive access to the plaintext data of the transcripts exchanged between the peripheral device and the service provider. One way this can be accomplished is by renegotiating SSL keys between the peripheral device and the website, after which the newly negotiated key can be handed off from the peripheral device to the primary device. This avoids retroactive credential capture in a setting where the device is infected by malware.

An example of renegotiation is depicted in FIG. 4. Specifically, after a user has successfully authenticated to a fingerprint reader, a login is performed to a service provider. Using the primary device (404) as a proxy, the peripheral fingerprint reader 402 negotiates a first SSL connection (408) with a service provider 406, over which credentials are exchanged. The proxy then renegotiates SSL (410), which replaces the old key with a new one. The new key is disclosed to the device, which then seamlessly takes over the connection with the service provider and performs the transaction protected by the authentication. The credentials exchanged during the first SSL connection cannot be accessed by device 404, since the key of the renegotiated session is independent of the key of the original session; this provides protection against malware residing on the device. Renegotiation can be used when the primary device 404 is believed to be in a safe state when performing the negotiation of the SSL connection, but it is not known whether it is in a safe state during the transaction protected by the authentication. Renegotiation can also be used when a secure component of the primary device 404 performs the negotiation of the SSL connection and another and potentially insecure component of the primary device 404 is involved in the transaction protected by the authentication.

FIG. 5 illustrates an embodiment of a process for performing authentication translation. The process begins at 502 when a request to access a resource is received, as is an authentication input. One example of the processing performed at 502 is as follows. Suppose Alice wishes to sign into social networking website 120. She directs a web browser application installed on client 102 to the social networking website. Authentication translator module 132 recognizes, from the context of Alice's actions (e.g., that she is attempting to access site 120 with her browser) that she would like to access a particular resource. Authentication translator module 132 prompts Alice (e.g., by a popup message or via a sound) to provide biometric information (e.g., to use the integrated fingerprint reader on her laptop). In some embodiments, the translator module does not prompt Alice, for example, because Alice has been trained to provide biometric information automatically when attempting to access certain resources. In yet other embodiments, the translator module only prompts Alice if she fails to provide acceptable biometric information within a timeout period (e.g., 30 seconds).

Module 132 compares Alice's supplied biometric data to the templates stored on her computer. If a suitable match is found, and if an entry for site 120 is present in the applicable vault, at 504, a previously stored credential associated with the resource is accessed. In particular, the username and password for the website, as stored in a vault, such as vault 220, are retrieved from the vault.

Finally, at 506, the credential is provided to the resource. For example, Alice's username and password for site 120 are transmitted to site 120 at 506. The credential can be transmitted directly (e.g., by the module or by Alice's computer) and can also be supplied indirectly (e.g., through the use of one or more proxies, routers, or other intermediaries, as applicable).

Other devices can also make use of process 500 or portions thereof. For example, when Alice launches a banking application on phone 104, implicit in her opening that application is her desire to access the resources of website 134. The application can take Alice's picture and compare it to stored templates/vault information. If an appropriate match is found, a credential can be retrieved from the vault on her phone (or, e.g., retrieved from cloud storage service 140) and provided to website 134.

As another example, suppose Charlie is using tablet 106 and attempts to visit site 120, whether via a dedicated application or via a web browser application installed on the tablet. Charlie's photograph is taken, and then compared against the profiles stored on tablet 106 (e.g., both Bob and Charlie's profiles). When a determination is made that Charlie's photograph matches a template stored in his stored profile (and not, e.g., Bob's), Charlie's credentials for site 120 are retrieved from a vault and transmitted by an authentication translator module residing on client 106.

As yet another example, kiosk 108 can be configured to provide certain local resources (e.g., by displaying a company directory or floor plan on demand) when users speak certain requests into a microphone. Enrolled users (e.g., with stored voiceprint or facial recognition features) can be granted access to additional/otherwise restricted services in accordance with the techniques described herein and process 500.
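Process 500 combined with the profile policies described above (tolerances such as the 90 vs. 100 words-per-minute typing match against template 212, a single template for some domains and several for others, quality and liveness requirements for the bank, and stricter requirements when the IP address places the user abroad), as an added example that is not part of the patent. The data model, domain names, threshold and tolerance values, and the sample profile are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed data model: the patent names profiles, templates, vaults and policies,
# but none of the fields or numeric values below.


@dataclass
class Template:
    tid: str          # figure label, e.g. "210" (fingerprint), "212" (typing), "214" (face)
    kind: str         # "fingerprint", "face" or "typing"
    enrolled: float   # typing: enrolled words per minute; biometrics: unused (score-based)


@dataclass
class Policy:
    required: List[str]          # templates that must match when the IP country is home
    required_abroad: List[str]   # templates required when the IP country is unusual
    min_quality: float = 0.0     # capture quality floor (the bank wants a bright, sharp photo)
    liveness: bool = False       # e.g. blink or turn the head


@dataclass
class Profile:
    username: str
    home_country: str
    templates: Dict[str, Template]
    policies: Dict[str, Policy]              # keyed by service provider domain
    vault: List[Tuple[str, str, str]]        # (domain, username, credential) triples


@dataclass
class AuthInput:
    """Authentication input received with the access request at 502."""
    scores: Dict[str, float]   # per template id: similarity in [0, 1], or observed wpm for typing
    quality: float             # capture quality in [0, 1]
    liveness_shown: bool
    ip_country: str


TYPING_TOLERANCE_WPM = 15.0   # assumed: 90 wpm matches an enrolled 100 wpm, 20 wpm does not
BIOMETRIC_THRESHOLD = 0.8     # assumed similarity threshold for fingerprint and face


def template_matches(t: Template, observed: Optional[float]) -> bool:
    """Apply the template's tolerance (typing) or threshold (biometric)."""
    if observed is None:
        return False
    if t.kind == "typing":
        return abs(observed - t.enrolled) <= TYPING_TOLERANCE_WPM
    return observed >= BIOMETRIC_THRESHOLD


def matches_policy(profile: Profile, domain: str, auth: AuthInput) -> Tuple[bool, str]:
    """Evaluate the domain's policy: required templates, capture quality, liveness."""
    policy = profile.policies.get(domain)
    if policy is None:
        return False, "no policy for domain"
    at_home = auth.ip_country == profile.home_country
    for tid in (policy.required if at_home else policy.required_abroad):
        t = profile.templates.get(tid)
        if t is None or not template_matches(t, auth.scores.get(tid)):
            return False, f"template {tid} did not match"
    if auth.quality < policy.min_quality:
        return False, "capture quality below policy minimum"
    if policy.liveness and not auth.liveness_shown:
        return False, "liveness not demonstrated"
    return True, "ok"


def translate(profile: Profile, requested_domain: str, auth: AuthInput):
    """Process 500: 502 request and authentication input received; 504 the stored
    credential is accessed from the vault; 506 it is returned for delivery to the
    resource. Returns ((username, credential), "ok") or (None, reason)."""
    ok, reason = matches_policy(profile, requested_domain, auth)
    if not ok:
        return None, reason
    for domain, username, credential in profile.vault:
        if domain == requested_domain:   # exact match only; no suffix or substring matching
            return (username, credential), "ok"
    return None, "no vault entry for domain"


def alice_profile() -> Profile:
    """Constructed sample: Alice's templates 210/212/214, policies for sites 120/122/124, vault 220."""
    return Profile(
        username="alice",
        home_country="US",
        templates={
            "210": Template("210", "fingerprint", 0.0),
            "212": Template("212", "typing", 100.0),
            "214": Template("214", "face", 0.0),
        },
        policies={
            "social.example": Policy(required=["214"], required_abroad=["214"], min_quality=0.2),
            "bank.example": Policy(required=["210", "214"], required_abroad=["210", "214"],
                                   min_quality=0.9, liveness=True),
            "retailer.example": Policy(required=["210"], required_abroad=["210", "214"]),
        },
        vault=[
            ("social.example", "alice", "social-pw-constructed"),
            ("bank.example", "alice", "bank-pw-constructed"),
            ("retailer.example", "alice", "retail-pw-constructed"),
        ],
    )
```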
`
`
`
New Device

In some embodiments, to register a new device, a user provides an identifier, such as a username or an account number to the device. The new device connects to an external storage (such as cloud storage 140), provides the user identifier and credential, and downloads the user's templates/vaults from the service. In some embodiments, the templates/vaults are encrypted. Once downloaded, the template is decrypted and stored in a secure storage area, while the still encrypted vault can be stored in insecure storage. The decryption key can be generated from information the user has/knows, or from biometric data, such as features extracted from fingerprinting of all ten fingers. In some embodiments, more arduous fingerprinting is required for the setup of a new device than for regular authentication to avoid that a new device gets registered by a user thinking she is merely authenticating or worse still, simply touching the device. Moreover, it translates into higher entropy of the decryption keys.

Backup Authentication

Backup authentication allows a user, such as Alice, to access resources in the event she is unable to or unwilling to interact with a particular biometric sensor. As one example, instead of having a single temp

profiles on their shared tablet 106), and to avoid that criminals with physical component access to lost devices gain access to templates and vault contents. In some embodiments, policies such as ones where a template self-wipes if it is not matched within a particular duration of time are supported. Since user data can be frequently backed up to the cloud storage, and recovered from this using the new device registration process, inconvenience to the user will be minimized.

Legacy Server Support

New authentication schemes typically require changes to a significant codebase residing with service providers. If the code is well written and documented, such changes may be relatively simple. Commonly, though, this may not be so. The engineers who originally wrote the code of relevance may have long since left the company; the code they left behind may be poorly documented, if documented at all. In severe cases, the legacy code may have been written in an outdated programming language or written in a way that does not follow guidelines for good code. This makes updates to the codebase impractical or virtually impossible in many common cases. Even if none of these challenges complicate the desired modifications, it is commonly a great