Concurrent Token Authentication

20220376913 · 2022-11-24

    Abstract

    The concurrent token authentication method, operating within a cryptographically secured context, enables a service account to be authenticated continuously by means of a set of three distinct tokens: primary, secondary, and reserved. A token is an immutable secret key. Through its lifecycle, a token is registered, manually or programmatically, to become the reserved token; upon first authentication it is promoted from reserved to primary; upon the next token registration and first authentication event it is promoted from primary to secondary; and upon the following token registration and first authentication event it is terminated. The concurrent token authentication lifecycle also provides for token set expiration: expiration is advanced following first authentication of a reserved token, and upon reaching expiration the token set is terminated.

    Claims

    1. A method for the desynchronization and automation of a token renewal process with said method including an expiration, and a set of three unique, immutable, secret tokens: two interchangeable tokens designated primary and secondary, and a reserved token, wherein also the primary and secondary tokens are accepted interchangeably by the server for authentication, wherein also the secondary token is accepted for authentication until the reserved token is initially authenticated, thereafter, the secondary token is terminated, the primary token is promoted to secondary, the reserved token is promoted to primary, and the expiration is advanced by the token maximum lifespan interval, and additionally the set of all said tokens have a collective expiration, which is the moment at which said set of tokens are terminated; accordingly a life cycle of continuous authentication is established when a new unique secret token is registered as reserved by the server when requested by the client and authenticated with an acceptable primary or secondary token.

    2. The method according to claim 1, further comprising: a method wherein the client authenticates its token with the set of server tokens, whereby said token that is submitted with the client authentication request is evaluated for a match with any of primary, secondary, and reserved tokens.

    3. The method according to claim 1, further comprising: a method wherein the interval of time by which the expiration is advanced upon first authentication of an existing account is determined by the token maximum lifespan interval.

    4. The method according to claim 1, further comprising: a method wherein the interval of time between first authentication of a reserved token and next token registration during which token reservation is disallowed is specified by the token minimum lifespan interval.

    Description

    BRIEF DESCRIPTION OF THE DRAWING(S)

    [0014] FIG. 1 is the embodiment of token change lifecycle events and states.

    DETAILED DESCRIPTION OF THE INVENTION

    1. Definition of Terms

    [0015] Token—A secret key which is a unique, immutable value. It may represent any number, human readable password, computer generated random string, hash, or any value which may be represented as a string. The essential characteristics of a token are immutability, secrecy, and uniqueness with respect to other current tokens for an account. Additional non-essential characteristics of tokens are long length, randomly generated content, and long life cycle.

    [0016] Registration—the creation of a new reserved token. The registration request may be initiated manually, or it may be initiated programmatically by the client. The client supplies the token.

    [0017] Token Minimum Lifespan Interval—the minimum interval of time required between the first authentication of the previous reserved token and the registration of the next reserved token for an account. The reserved token is null during this interval.

    [0018] Token Maximum Lifespan Interval—the interval of time by which token set expiration is advanced following first authentication of a reserved token.

    [0019] Token Initial Lifespan Interval—the interval of time by which reserved token expiration is advanced relative to the moment the token is registered.

    [0020] Reserved Token—a newly registered token that has not yet been used for client authentication. Following first authentication a reserved token is promoted to primary token.

    [0021] Primary Token—a previously reserved token currently accepted for authentication by the server.

    [0022] Secondary Token—a previously primary token currently accepted for authentication by the server.

    [0023] Account—the server resource identified by a user ID and authenticated with a token.

    [0024] Client—the client which authenticates with the server. This may be a browser, application, or other computing device.

    [0025] Server—the host or service to which the client presents the token for authentication, this may be a computer system, database server, directory service, or any resource requiring authentication.

    [0026] Expiration—that moment the set of tokens for an account expires.

    [0027] First Authentication—the moment a reserved token is initially authenticated by the server as a result of an authentication request by the client.

    [0028] Termination—the token ceases to exist.

    [0029] Super User—a user with administrative credentials privileged to perform advanced operations on accounts such as create, delete, expire, unlock, and lock.

    2. Token Lifecycle

    [0030] All references are made to FIG. 1, wherein large rounded rectangles are states, circles are tokens, small shaded rounded rectangles are the concurrent tokens, solid line arrows are state changes, and dashed line arrows are state changes within a repeatable normal operation cycle.

    [0031] a. State 21 after a new account is created or unlocked with a reserved token:
        [0032] 1—reserved token (not null).
        [0033] 2—primary token (null).
        [0034] 3—secondary token (null).
        [0035] 4—concurrent tokens (null).

    [0036] b. State 22 after first authentication of the reserved token:
        [0037] 5—reserved token (null).
        [0038] 6—primary token (not null; formerly token 1 in state 21).
        [0039] 7—secondary token (null).
        [0040] 8—concurrent tokens (primary available).

    [0041] c. State 23 after registering a new reserved token:
        [0042] 9—reserved token (not null).
        [0043] 10—primary token (not null; formerly token 6 in state 22).
        [0044] 11—secondary token (null).
        [0045] 12—concurrent tokens (primary available).

    [0046] d. State 24 after first authentication of the reserved token:
        [0047] 13—reserved token (null).
        [0048] 14—primary token (not null; formerly token 9 in state 23).
        [0049] 15—secondary token (not null; formerly token 10 in state 23).
        [0050] 16—concurrent tokens (primary and secondary available).

    [0051] e. State 25 after registering a new reserved token:
        [0052] 17—reserved token (not null).
        [0053] 18—primary token (not null; formerly token 14 in state 24).
        [0054] 19—secondary token (not null; formerly token 15 in state 24).
        [0055] 20—concurrent tokens (primary and secondary available).

    [0056] f. In normal operation the state cycles between state 24 and state 25.

    [0057] g. State 27 after expiration or lock:
        [0058] 27—reserved token (null).
        [0059] 28—primary token (null).
        [0060] 29—secondary token (null).
        [0061] 30—concurrent tokens (null).

    3. Token Set Expiration Methods

    [0062] a. The expiration of a set of tokens is triggered by any of the following events:
        [0063] 1. The passage of time past the expiration date.
        [0064] 2. The account is locked by the super user.
        [0065] 3. The account is explicitly expired by the account user.

    [0066] b. The expiration datetime is set or advanced by the following events:
        [0067] 1. When an account is created, expiration is set to the current datetime plus the token initial lifespan interval.
        [0068] 2. When a new reserved token is registered, expiration is set to the current datetime plus the token maximum lifespan interval.
        [0069] 3. When a locked account is unlocked, expiration is set to the current datetime plus the token initial lifespan interval.
        [0070] 4. When an account is expired by the account user, expiration and all tokens are set to null.
        [0071] 5. When a reserved token is first authenticated, expiration is set to the current datetime plus the token maximum lifespan interval.

    4. Token Change Methods and Process

    [0072] a. A client changes the token in two steps: [0073] 1. A new reserved token is registered. [0074] 2. The reserved token is initially authenticated. [0075] b. A token change promotes existing tokens: [0076] 1. Primary token is promoted to secondary. [0077] 2. Reserved token is promoted to primary. [0078] c. A client assimilates an asynchronous token change: [0079] 1. Asynchronous token change condition is indicated when authenication by secondary token fails. [0080] 2. Client uses old primary token to get new primary token. [0081] 3. Client then has both primary and secondary tokens. [0082] d. An account is locked: [0083] 1. All tokens are set to null. [0084] e. An account is unlocked: [0085] 1. The reserved token is initialized. [0086] f. An account is created: [0087] 1. The reserved token is initialized. [0088] g. An account is deleted.