Filing date: September 21, 2023
Patent No. 11,514,138
Issue date: November 29, 2022

APPL-1005
APPLE INC. / Page 1 of 343

`
United States Patent                                   (10) Patent No.: US 11,514,138 B1
Jakobsson                                              (45) Date of Patent: *Nov. 29, 2022

AUTHENTICATION TRANSLATION

Applicant: RightQuestion, LLC, Portola Valley, CA (US)

Inventor: Bjorn Markus Jakobsson, Portola Valley, CA (US)

(73) Assignee: RightQuestion, LLC, Portola Valley, CA (US)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 0 days.

This patent is subject to a terminal disclaimer.

Appl. No.: 17/027,481

Filed: Sep. 21, 2020

Related U.S. Application Data

Continuation of application No. 16/773,767, filed on Jan. 27, 2020, now Pat. No. 10,929,512, which is a continuation of application No. 16/563,715, filed on Sep. 6, 2019, now Pat. No. 10,824,696, which is a continuation of application No. 16/273,797, filed on Feb. 12, 2019, now Pat. No. 10,521,568, which is a continuation of application No. 15/042,636, filed on
(Continued)

(51) Int. Cl.
G06F 21/00 (2013.01)
G06F 21/10 (2013.01)
G06F 21/41 (2013.01)
H04L 9/40 (2022.01)
G06F 21/12 (2013.01)
G06F 21/44 (2013.01)
G06F 21/32 (2013.01)

U.S. Cl.
CPC ... G06F 21/10 (2013.01); G06F 21/121 (2013.01); G06F 21/128 (2013.01); G06F 21/41 (2013.01); G06F 21/32 (2013.01); G06F 21/44 (2013.01); H04L 63/083 (2013.01); H04L 63/0861 (2013.01); H04L 63/10 (2013.01); H04L 63/20 (2013.01)

(58) Field of Classification Search
None
See application file for complete search history.

Primary Examiner: Andrew J Steinle
(74) Attorney, Agent, or Firm: Van Pelt, Yi & James LLP

(57) ABSTRACT

Authentication translation is disclosed. A request to access a resource is received at an authentication translator, as is an authentication input. The authentication input corresponds to at least one stored record. The stored record is associated at least with the resource. In response to the receiving, a previously stored credential associated with the resource is accessed. The credential is provided to the resource.

25 Claims, 8 Drawing Sheets
`
`
`
`
Related U.S. Application Data

Feb. 12, 2016, now Pat. No. 10,360,351, which is a continuation of application No. 13/706,254, filed on Dec. 5, 2012, now Pat. No. 9,294,452.

Provisional application No. 61/587,387, filed on Jan. 17, 2012, provisional application No. 61/569,112, filed on Dec. 9, 2011.
`
`
U.S. Patent, Nov. 29, 2022, US 11,514,138 B1, Drawing Sheets 1 to 8 (labels recovered from the drawings):

Sheet 1 of 8, FIG. 1 (environment): Bank Website; Authentication Translator for Bank Website; Online Camera Retailer (124); Social Networking Site; 3rd Party Authentication Translator; Cloud Storage Service; Authentication Translator Module.

Sheet 2 of 8, FIG. 2 (credential information stored on a device): Template 1, Template 2, each associated with domain, username, credential triples.

Sheet 3 of 8, FIG. 3 (device with secure storage): processor with Insecure storage (large); dedicated processor with Secure storage (small) and sensor.

Sheet 4 of 8, FIG. 4 (renegotiation): Primary Device; Peripheral (402); renegotiated connection (410).

Sheet 5 of 8, FIG. 5 (process 500): receive request to access resource and receive authentication input; access stored credential associated with resource; provide credential to resource.

Sheet 6 of 8, FIG. 6 (Client, Proxy, Server; first visit): data request (no identity information); record UA; data request (no cookie); data, SET cookie; data, SET cookie, SET cache cookie; record cookie, cache cookie.

Sheet 7 of 8, FIG. 7 (Client, Proxy, Server; subsequent visit): data request (+identity information); get cookie; data request (+cookie); data; data.

Sheet 8 of 8, FIG. 8 (cache cookie): uniquename.jpg.
`
AUTHENTICATION TRANSLATION

CROSS REFERENCE TO OTHER APPLICATIONS

This application is a continuation of U.S. patent application Ser. No. 16/773,767, entitled AUTHENTICATION TRANSLATION filed Jan. 27, 2020 which is incorporated herein by reference for all purposes, which is a continuation of U.S. patent application Ser. No. 16/563,715, entitled AUTHENTICATION TRANSLATION filed Sep. 6, 2019 which is incorporated herein by reference for all purposes, which is a continuation of U.S. patent application Ser. No. 16/273,797, entitled AUTHENTICATION TRANSLATION filed Feb. 12, 2019, now U.S. Pat. No. 10,521,568, which is incorporated herein by reference for all purposes, which is a continuation of U.S. patent application Ser. No. 15/042,636, entitled AUTHENTICATION TRANSLATION filed Feb. 12, 2016, now U.S. Pat. No. 10,360,351, which is incorporated herein by reference for all purposes, which is a continuation of U.S. patent application Ser. No. 13/706,254, entitled AUTHENTICATION TRANSLATION filed Dec. 5, 2012, now U.S. Pat. No. 9,294,452, which is incorporated herein by reference for all purposes, which claims priority to U.S. Provisional Application No. 61/587,387, entitled BIOMETRICS-SUPPORTED SECURE AUTHENTICATION SYSTEM filed Jan. 17, 2012 which is incorporated herein by reference for all purposes. U.S. patent application Ser. No. 13/706,254 also claims priority to U.S. Provisional Patent Application No. 61/569,112 entitled BACKWARDS COMPATIBLE ROBUST COOKIES filed Dec. 9, 2011, which is incorporated herein by reference for all purposes.

BACKGROUND OF THE INVENTION

Providing credentials to a service, whether via a mobile or other device, is often a tedious experience for a user. Unfortunately, to make authentication easier for themselves, users will often engage in practices such as password re-use, and/or the selection of poor quality passwords, which render their credentials less secure against attacks. Accordingly, improvements in authentication techniques would be desirable. Further, it would be desirable for such improvements to be widely deployable, including on existing/legacy systems.

BRIEF DESCRIPTION OF THE DRAWINGS

Various embodiments of the invention are disclosed in the following detailed description and the accompanying drawings.

FIG. 1 illustrates an embodiment of an environment in which authentication translation is provided.

FIG. 2 illustrates an embodiment of credential information stored on a device.

FIG. 3 illustrates an embodiment of a device with secure storage.

FIG. 4 illustrates an example of a renegotiation.

FIG. 5 illustrates an embodiment of a process for performing authentication translation.

FIG. 6 illustrates an example of what occurs when a client device first visits the site of a legacy server via an authentication translator.

FIG. 7 illustrates an example of what occurs when a device subsequently visits the site of a legacy server via an authentication translator.

FIG. 8 shows the structure of an example of a cache cookie used in some embodiments.

DETAILED DESCRIPTION

The invention can be implemented in numerous ways, including as a process; an apparatus; a system; a composition of matter; a computer program product embodied on a computer readable storage medium; and/or a processor, such as a processor configured to execute instructions stored on and/or provided by a memory coupled to the processor. In this specification, these implementations, or any other form that the invention may take, may be referred to as techniques. In general, the order of the steps of disclosed processes may be altered within the scope of the invention. Unless stated otherwise, a component such as a processor or a memory described as being configured to perform a task may be implemented as a general component that is temporarily configured to perform the task at a given time or a specific component that is manufactured to perform the task. As used herein, the term 'processor' refers to one or more devices, circuits, and/or processing cores configured to process data, such as computer program instructions.

A detailed description of one or more embodiments of the invention is provided below along with accompanying figures that illustrate the principles of the invention. The invention is described in connection with such embodiments, but the invention is not limited to any embodiment. The scope of the invention is limited only by the claims and the invention encompasses numerous alternatives, modifications and equivalents. Numerous specific details are set forth in the following description in order to provide a thorough understanding of the invention. These details are provided for the purpose of example and the invention may be practiced according to the claims without some or all of these specific details. For the purpose of clarity, technical material that is known in the technical fields related to the invention has not been described in detail so that the invention is not unnecessarily obscured.

FIG. 1 illustrates an embodiment of an environment in which authentication translation is provided. In the example shown, a variety of client devices 102-108 connect, via one or more networks (represented as a single network cloud 110) to a variety of services 120-124 (also referred to herein as sites 120-124). In particular, client device 102 is a notebook computer owned by a user hereinafter referred to as Alice. Notebook 102 includes a camera, a microphone, and a fingerprint sensor. Client device 104 is a smartphone, also owned by Alice. Client device 104 includes a camera. Client device 106 is a tablet owned by Bob, and sometimes used by Bob's son Charlie. Client device 106 includes a camera and a fingerprint sensor. Client device 108 is a kiosk located in the lobby of a hotel. Kiosk 108 includes a camera and a microphone. The techniques described herein can be used with or adapted to be used with other devices, as applicable. For example, the techniques can be used in conjunction with gaming systems, with peripheral devices such as mice, and with embedded devices, such as door locks.

Service 120 is a social networking site. Service 122 is a website of a bank. Service 124 is the online store of a boutique camera retailer. Each of services 120-124 requires a username and password (and/or a cookie) from a user prior to giving that user access to protected content and/or other features. As will be described in more detail below, using the techniques described herein, users need not type such usernames and passwords into their devices whenever required
by a service. Instead, users can authenticate themselves to an "authentication translator" via an appropriate technique, and the authentication translator will provide the appropriate credentials to the implicated service on the user's behalf. Also as will be described in more detail below, authentication translators can be located in a variety of places within an environment. For example, notebook computer 102 includes an authentication translator module 132 that provides authentication translation services. The other devices 104-108 can also include (but need not include) their own respective authentication translator modules. The owner of bank website 122 also operates an authentication translator 134 associated with the bank. Finally, authentication translator 136 provides authentication translation services to a variety of businesses, including online camera retailer 124.

FIG. 2 illustrates an embodiment of credential information stored on a device. In particular, device 200 stores three user profiles 202-206, each of which contains a username and one or more templates (e.g., template 210) associated with the user. In various embodiments, a template is a collection of biometric features. Using fingerprints as an example type of biometric, a corresponding template includes a collection of patterns, minutia, and/or other features that can be matched against to determine if a person's fingerprint matches the fingerprint of the registered user (i.e., the owner of a given user profile). A representation of a single fingerprint may be included in multiple templates (e.g., in different resolutions, in accordance with different protocols, as captured during warm vs. cold conditions, and/or by itself or in combination with multiple fingerprints). When other biometrics are employed (e.g., facial recognition, voiceprint, or retina scan technology), features appropriate to those types of biometrics are included in the template. Other types of features can also be included in templates. As one example, a user's typing speed and/or accuracy can be measured by a device, such as device 102, and used to distinguish between multiple users of a device. For example, suppose Alice types at 100 words per minute and rarely makes mistakes. A representation of this information can be stored in template 212. Also suppose Alice's niece, who sometimes uses Alice's laptop computer when visiting Alice, types at 20 words per minute and makes many mistakes. In some embodiments, the fact that a user was recently (e.g., within the last 5 minutes) typing on laptop 102 at 90 words per minute is evidence of a match against template 212. In this case, the typing speed of 90 words per minute is similar enough to Alice's typical behavior that it is considered a match. Various policies can be included in a profile that govern how matches are to be performed. For example, policies can specify thresholds/tolerances for what constitutes a match, and can specify that different levels of matches can result in different levels of access to different resources.
`
A profile is associated with a vault (e.g., vault 220). The vault, in turn, contains triples specifying a service provider/domain, a username, and a credential. The vault can also contain other sensitive user information, such as account numbers, address/phone number information, and health care data. The credential for a service provider/domain can be a password (e.g., for legacy servers), and can also take alternate forms (e.g., a cryptographic key for service providers supporting stronger authentication methods). In some embodiments, profiles, templates, and vaults (collectively "authentication information") are stored entirely in an unprotected storage area, and are stored in the clear. In other embodiments, secure storage techniques are used to secure at least a portion of the authentication information.

One example of a device with secure storage is illustrated in FIG. 3. In the example shown, a mobile phone 300 includes a large and insecure storage 302 attached to a fast processor 304, and a smaller but secure storage 306 attached to a dedicated processor 308 and a sensor 310 (e.g., a camera or a fingerprint reader). Users (and applications) can read from and write to the insecure storage area. However, users cannot access the secure storage area, and the fast processor can only communicate with the dedicated processor/sensor via a restricted API. As another example, a unique decryption key associated with a given vault can be stored in a profile. The vault is an encrypted and authenticated container that can be stored on insecure storage, e.g., on the device, and also backed up (e.g., to a cloud storage service 140 or to an alternate form of external storage). As needed, authentication information or portions thereof can be loaded into secure storage and decrypted. For example, one can use AES to encrypt the files one by one, using a key stored on the secured storage. A message authentication technique, such as HMAC, can be used for authenticating the encrypted files to provide tamper prevention. Profiles and vaults can be updated while in secure storage; if this occurs, they are encrypted and MACed before being written back to the insecure storage, which may in turn propagate them to external backup storage. In yet other embodiments, profiles and vaults are stored entirely in secure storage, in plaintext, which allows them to be both read and written, and in particular, searched.
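As an added illustration of the encrypted-and-authenticated vault container just described (example code written for this page, not the patent's own implementation), the following Go program seals a vault of domain/username/credential triples with AES-256-CTR under a key that would live in secure storage, authenticates the ciphertext with HMAC-SHA256 (encrypt-then-MAC), and rejects a container whose bytes were altered while sitting in insecure storage. The two-key layout, the container format and the sample entries are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// Entry is one vault triple (FIG. 2): service provider/domain, username, credential.
type Entry struct {
	Domain     string `json:"domain"`
	Username   string `json:"username"`
	Credential string `json:"credential"`
}

// VaultKeys models the per-vault keys the patent keeps in secure storage 306:
// one AES-256 key for confidentiality and an independent HMAC key for integrity.
type VaultKeys struct {
	Enc [32]byte
	Mac [32]byte
}

var errTampered = errors.New("vault MAC verification failed: container was modified")

// Seal serialises the entries, encrypts them with AES-256-CTR under a fresh
// random IV and appends an HMAC-SHA256 tag over IV||ciphertext (encrypt-then-MAC).
// Sealed layout: IV(16) || ciphertext || tag(32); this blob may sit in insecure
// storage 302 or be backed up to cloud storage 140.
func Seal(keys *VaultKeys, entries []Entry) ([]byte, error) {
	plain, err := json.Marshal(entries)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(keys.Enc[:])
	if err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize+len(plain))
	iv := out[:aes.BlockSize]
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	cipher.NewCTR(block, iv).XORKeyStream(out[aes.BlockSize:], plain)
	mac := hmac.New(sha256.New, keys.Mac[:])
	mac.Write(out)
	return mac.Sum(out), nil // appends the tag to IV||ciphertext
}

// Open verifies the tag in constant time before touching the ciphertext, so a
// container altered while in insecure storage is rejected without being decrypted.
func Open(keys *VaultKeys, sealed []byte) ([]Entry, error) {
	if len(sealed) < aes.BlockSize+sha256.Size {
		return nil, errTampered
	}
	body := sealed[:len(sealed)-sha256.Size]
	tag := sealed[len(sealed)-sha256.Size:]
	mac := hmac.New(sha256.New, keys.Mac[:])
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, errTampered
	}
	block, err := aes.NewCipher(keys.Enc[:])
	if err != nil {
		return nil, err
	}
	plain := make([]byte, len(body)-aes.BlockSize)
	cipher.NewCTR(block, body[:aes.BlockSize]).XORKeyStream(plain, body[aes.BlockSize:])
	var entries []Entry
	if err := json.Unmarshal(plain, &entries); err != nil {
		return nil, err
	}
	return entries, nil
}

// Lookup is the vault scan of step 504: find the entry for the requested domain.
func Lookup(entries []Entry, domain string) (Entry, bool) {
	for _, e := range entries {
		if e.Domain == domain {
			return e, true
		}
	}
	return Entry{}, false
}

func main() {
	// Constructed demo keys; on a real device they never leave secure storage.
	keys := &VaultKeys{}
	io.ReadFull(rand.Reader, keys.Enc[:])
	io.ReadFull(rand.Reader, keys.Mac[:])
	vault := []Entry{ // constructed sample triples
		{Domain: "bank.example", Username: "alice", Credential: "correct horse battery staple"},
		{Domain: "social.example", Username: "alice22", Credential: "hunter2"},
	}
	sealed, _ := Seal(keys, vault)
	if got, err := Open(keys, sealed); err == nil {
		e, _ := Lookup(got, "bank.example")
		fmt.Printf("decrypted entry for %s: user %s\n", e.Domain, e.Username)
	}
	// Flip one ciphertext bit "in insecure storage" and try to open it again.
	forged := append([]byte(nil), sealed...)
	forged[aes.BlockSize] ^= 0x01
	_, err := Open(keys, forged)
	fmt.Println("tampered container rejected:", err != nil) // true
}
```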
`
Example Transaction Types

A variety of transaction types can take place in the environment shown in FIG. 1, examples of which are discussed in this section.

Initial Registration

In order to begin using the techniques described herein, users perform some form of initial registration. As one example, suppose Alice launches an enrollment program installed on laptop 102. She uses the program to capture various biometric information (e.g., fingerprints, photographs of her face, etc.). A user profile is created for Alice, and the biometric information captured about her is encoded into a plurality of templates, such as templates 210 and 214. In some embodiments, Alice is also explicitly asked to supply credential information for services she would like to use, such as by providing the domain name of social networking site 120, along with her username and password for site 120. In other embodiments, domain/username/credential information is at least passively captured on Alice's behalf and included in one or more vaults such as vault 220. Credential information can also be imported from a browser password manager already in use by Alice or other appropriate source. In some embodiments, Alice also registers with cloud storage service 140, which will allow her to back up her authentication information and to synchronize it across her devices (e.g., 102 and 104), as described in more detail below.

Other registration approaches can also be used. For example, registration can be integrated into the experience the first time a device is used. Thus, when Bob first turns on tablet 106, he may be prompted to take a picture of his face (with a profile/templates being created in response). Similarly, the first time Charlie uses tablet 106, the techniques described herein can be used to determine that Charlie does not yet have a profile (e.g., because none of the templates already present on tablet 106 match his biometrics) and Charlie can be prompted to enroll as a second user of the device.
`
Authentication

Suppose Alice wishes to authenticate to banking website 122. Using a fingerprint reader incorporated into her laptop, she performs a fingerprint scan, which causes her biometric features to be extracted and compared to any stored templates residing on her computer. If a match is found, an associated decryption key is selected, and the associated vault is loaded and decrypted. The vault is scanned for an entry that matches the selected service provider (i.e., website 122). If a matching entry is found, the associated domain, username, and site credential are extracted from the vault. In some embodiments, the validity of the domain name mapping is verified at this point to harden the system against domain name poisoning. Next, a secure connection is established between Alice's computer and the service provider, and Alice is authenticated. For service providers supporting strong user authentication, mutual SSL can be used, for example. A variety of policies can be involved when performing matching. For example, to access certain domains, Alice's print may need only match template 210. To access other domains, Alice may need to match multiple templates (e.g., both 210 and 214). As another example, in order to access social networking site 120, Alice may merely need to be sitting in front of her computer, which has an integrated webcam. Even in relatively low light conditions, a match can be performed against Alice's face and features stored in a template. However, in order to access bank website 122, Alice may need a high quality photograph (i.e., requiring her to turn on a bright light) and may need to demonstrate liveness (e.g., by blinking or turning her head). As yet another example, other contextual information can be included in policies. For example, if Alice's IP address indicates she is in a country that she is not usually in, she may be required to match multiple templates (or match a template with more/better quality features) in order to access retailer 124, as distinguished from when her IP address indicates she is at home.

In some embodiments, the biometric sensor used by a user may be a peripheral device (e.g., a mouse with an integrated fingerprint scanner that is connected to the user's primary device via USB). In such scenarios, the peripheral device may be responsible for storing at least a portion of authentication information and may perform at least some of the authentication tasks previously described as having been performed by Alice's computer. For example, instead of processors 304 and 308, and storages 302 and 306 being collocated on a single device (e.g., laptop 102), processor 304 and storage 302 may be present on a primary device, and processor 308 and storage 306 may be present on a peripheral device (e.g., that also includes a sensor, such as a fingerprint reader).

In such scenarios, once Alice's login to banking website 122 is successfully completed, the secure session can be handed over from the peripheral device to the primary device, in a way that does not allow the primary device retroactive access to the plaintext data of the transcripts exchanged between the peripheral device and the service provider. One way this can be accomplished is by renegotiating SSL keys between the peripheral device and the website, after which the newly negotiated key can be handed off from the peripheral device to the primary device. This avoids retroactive credential capture in a setting where the device is infected by malware.

An example of renegotiation is depicted in FIG. 4. Specifically, after a user has successfully authenticated to a fingerprint reader, a login is performed to a service provider. Using the primary device (404) as a proxy, the peripheral fingerprint reader 402 negotiates a first SSL connection (408) with a service provider 406, over which credentials are exchanged. The proxy then renegotiates SSL (410), which replaces the old key with a new one. The new key is disclosed to the device, which then seamlessly takes over the connection with the service provider and performs the transaction protected by the authentication. The credentials exchanged during the first SSL connection cannot be accessed by device 404, since the key of the renegotiated session is independent of the key of the original session; this provides protection against malware residing on the device. Renegotiation can be used when the primary device 404 is believed to be in a safe state when performing the negotiation of the SSL connection, but it is not known whether it is in a safe state during the transaction protected by the authentication. Renegotiation can also be used when a secure component of the primary device 404 performs the negotiation of the SSL connection and another and potentially insecure component of the primary device 404 is involved in the transaction protected by the authentication.

FIG. 5 illustrates an embodiment of a process for performing authentication translation. The process begins at 502 when a request to access a resource is received, as is an authentication input. One example of the processing performed at 502 is as follows. Suppose Alice wishes to sign into social networking website 120. She directs a web browser application installed on client 102 to the social networking website. Authentication translator module 132 recognizes, from the context of Alice's actions (e.g., that she is attempting to access site 120 with her browser) that she would like to access a particular resource. Authentication translator module 132 prompts Alice (e.g., by a popup message or via a sound) to provide biometric information (e.g., to use the integrated fingerprint reader on her laptop). In some embodiments, the translator module does not prompt Alice, for example, because Alice has been trained to provide biometric information automatically when attempting to access certain resources. In yet other embodiments, the translator module only prompts Alice if she fails to provide acceptable biometric information within a timeout period (e.g., 30 seconds).

Module 132 compares Alice's supplied biometric data to the templates stored on her computer. If a suitable match is found, and if an entry for site 120 is present in the applicable vault, at 504, a previously stored credential associated with the resource is accessed. In particular, the username and password for the website, as stored in a vault, such as vault 220, are retrieved from the vault.

Finally, at 506, the credential is provided to the resource. For example, Alice's username and password for site 120 are transmitted to site 120 at 506. The credential can be transmitted directly (e.g., by the module or by Alice's computer) and can also be supplied indirectly (e.g., through the use of one or more proxies, routers, or other intermediaries, as applicable).

Other devices can also make use of process 500 or portions thereof. For example, when Alice launches a banking application on phone 104, implicit in her opening that application is her desire to access the resources of website 134. The application can take Alice's picture and compare it to stored templates/vault information. If an appropriate match is found, a credential can be retrieved from the vault on her phone (or, e.g., retrieved from cloud storage service 140) and provided to website 134.
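To make the policy layer of process 500 concrete, here is an added Go example (written for this page, not code from the patent) of a translator that runs steps 502 to 506 over a vault of domain/username/credential triples: each domain's policy names the templates that must match, the score threshold, and whether liveness is required, and a request arriving from a country other than the user's usual one widens the requirement to every template at a higher score, as the text describes for retailer 124. The per-template scores are assumed to come from a separate biometric matcher, and the domains, scores and policies are constructed sample values.

```go
package main

import (
	"errors"
	"fmt"
)

// Entry is one vault triple (FIG. 2): domain, username, credential.
type Entry struct{ Domain, Username, Credential string }

// Policy is the per-domain matching rule a profile carries.
type Policy struct {
	Templates    []string // templates that must all match, e.g. only "210" or both "210" and "214"
	MinScore     float64  // threshold/tolerance for what counts as a match
	NeedLiveness bool     // e.g. the bank requires a blink or a head turn
	HomeCountry  string   // context: where the user usually is
}

// AuthInput is the authentication input received at step 502.
type AuthInput struct {
	Scores   map[string]float64 // per-template similarity from the (assumed) biometric matcher
	Liveness bool               // whether a liveness check was passed
	Country  string             // derived from the client IP address
}

var (
	ErrNoPolicy = errors.New("no policy for resource")
	ErrNoMatch  = errors.New("authentication input does not satisfy policy")
	ErrNoEntry  = errors.New("no vault entry for resource")
)

// effectivePolicy widens the requirement when the request comes from an
// unusual country: every template in the profile must match, at a higher score.
func effectivePolicy(p Policy, in AuthInput, allTemplates []string) Policy {
	if p.HomeCountry != "" && in.Country != p.HomeCountry {
		p.Templates = allTemplates
		p.MinScore += 0.1
	}
	return p
}

// satisfies checks liveness and every required template against the threshold.
func satisfies(p Policy, in AuthInput) bool {
	if p.NeedLiveness && !in.Liveness {
		return false
	}
	for _, t := range p.Templates {
		if in.Scores[t] < p.MinScore {
			return false
		}
	}
	return true
}

// Translator models authentication translator module 132 for one profile.
type Translator struct {
	Policies  map[string]Policy
	Templates []string // template ids stored in the profile
	Vault     []Entry
}

// Translate is process 500: receive request and input (502), check the policy
// and access the stored credential (504), and hand it back for delivery (506).
func (t *Translator) Translate(domain string, in AuthInput) (Entry, error) {
	p, ok := t.Policies[domain]
	if !ok {
		return Entry{}, ErrNoPolicy
	}
	if !satisfies(effectivePolicy(p, in, t.Templates), in) {
		return Entry{}, ErrNoMatch
	}
	for _, e := range t.Vault {
		if e.Domain == domain {
			return e, nil
		}
	}
	return Entry{}, ErrNoEntry
}

// NewDemoTranslator builds Alice's profile from constructed sample values.
func NewDemoTranslator() *Translator {
	return &Translator{
		Templates: []string{"210", "214"},
		Policies: map[string]Policy{
			"social.example": {Templates: []string{"210"}, MinScore: 0.6, HomeCountry: "US"},
			"bank.example":   {Templates: []string{"210", "214"}, MinScore: 0.85, NeedLiveness: true, HomeCountry: "US"},
			"camera.example": {Templates: []string{"210"}, MinScore: 0.7, HomeCountry: "US"},
		},
		Vault: []Entry{
			{Domain: "social.example", Username: "alice", Credential: "pw-social"},
			{Domain: "bank.example", Username: "alice.b", Credential: "pw-bank"},
			{Domain: "camera.example", Username: "alice", Credential: "pw-camera"},
		},
	}
}

func main() {
	tr := NewDemoTranslator()
	lowLight := AuthInput{Scores: map[string]float64{"210": 0.65, "214": 0.4}, Country: "US"}
	e, err := tr.Translate("social.example", lowLight)
	fmt.Println("social:", e.Username, err) // a low-light face match is enough here
	_, err = tr.Translate("bank.example", lowLight)
	fmt.Println("bank:", err) // needs both templates at 0.85 plus liveness
	abroad := AuthInput{Scores: map[string]float64{"210": 0.75, "214": 0.5}, Country: "FR"}
	_, err = tr.Translate("camera.example", abroad)
	fmt.Println("camera from abroad:", err) // widened to both templates at 0.8
}
```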
As another example, suppose Charlie is using tablet 106 and attempts to visit site 120, whether via a dedicated application or via a web browser application installed on the tablet. Charlie's photograph is taken, and then compared against the profiles stored on tablet 106 (e.g., both Bob and Charlie's profiles). When a determination is made that Charlie's photograph matches a template stored in his stored profile (and not, e.g., Bob's), Charlie's credentials for site 120 are retrieved from a vault and transmitted by an authentication translator module residing on client 106.

As yet another example, kiosk 108 can be configured to provide certain local resources (e.g., by displaying a company directory or floor plan on demand) when users speak certain requests into a microphone. Enrolled users (e.g., with stored voiceprint or facial recognition features) can be granted access to additional/otherwise restricted services in accordance with the techniques described herein and process 500.

New device
`
In some embodiments, to register a new device, a user provides an identifier, such as a username or an account number, to the device. The new device connects to an external storage (such as cloud storage 140), provides the user identifier and credential, and downloads the user's templates/vaults from the service. In some embodiments, the templates/vaults are encrypted. Once downloaded, the template is decrypted and stored in a secure storage area, while the still encrypted vault can be stored in insecure storage. The decryption key can be generated from information the user has/knows, or from biometric data, such as features extracted from fingerprinting of all ten fingers. In some embodiments, more arduous fingerprinting is required for the setup of a new device than for regular authentication to avoid that a new device gets registered by a user thinking she is merely au

supplies a fingerprint and a second identifier, a cleartext version of her vault(s) could be made available.

Access Policies

In various embodiments, cloud storage service 140 is configured to accept backups from multiple devices associated with a single account, and synchronize the updates so that all devices get automatically refreshed. For example, Alice's laptop 102 and phone 104 could both communicate with cloud storage service 140 which would keep their authentication information synchronized. Refreshes can also be made in accordance with user-configured restrictions. For example, Alice's employer could prevent privileged employer data from being stored on shared personal devices, or on any device that was not issued by the employer. As another example, arbitrary policies can be defined regarding the access to and synchronization of software and data, and to tie a license or access rights to a person (and her fingerprint) rather than to a device. As yet another example, in some embodiments (e.g., where a device is made publicly available or otherwise shared by many users), no or a reduced amount of authentication information resides on a device, and at least a portion of authentication information is always retrieved from cloud storage service 140.