Patent disclosure #213
- W3C internal identifier for this patent
- 213
- Specification
- Web Authentication: An API for accessing Public Key Credentials - Level 3, delivered by Web Authentication Working Group
- Type/State
- issued
- Name
- US 12,250,317 B2
- Jurisdiction
- US
- Scope (essential or only relevant)
- essential
- Disclosed by
- Okta.
- Disclosed on
- 2026-01-23
- Held by
- Okta
- Claim
1. A method for passkey authentication at an identity management platform, comprising: receiving, from an administrator of the identity management platform via a first user interface configured for the identity management platform, an indication to enable passkey authentication for clients of the identity management platform; receiving, via a web browser executing on a device associated with a user of the identity management platform, capability information associated with the device that indicates whether the device is capable of using passkey authentication; transmitting, for display at a second user interface configured for a client of the identity management platform associated with the user and based at least in part on enabling the passkey authentication, an option to use the passkey authentication for login procedures, wherein displaying the option to use the passkey authentication for the login procedures is in response to the received capability information indicating that the device is capable of using passkey authentication; receiving, from the user associated with the client via the second user interface, a selection of the option to use the passkey authentication for a login procedure; obtaining a public key for the user in response to the user selecting the option to use the passkey authentication for the login procedure; and performing the login procedure using at least the public key to authenticate an identity of the user.
2. The method of claim 1, wherein performing the login procedure comprises: transmitting an indication of a cryptographic challenge to a device associated with the user; receiving an indication of a cryptographic response from the device in response to the cryptographic challenge, wherein the cryptographic response comprises a digital signature; and authenticating the user based at least in part on using the public key to verify the digital signature in the cryptographic response.
3. The method of claim 2, further comprising: determining that the device has access to a private key associated with the user based at least in part on the digital signature in the cryptographic response, wherein authenticating the user is based at least in part on determining that the device has access to the private key.
4. The method of claim 3, wherein the private key is locally unlocked on the device after the user successfully performs a facial recognition procedure, a voice recognition procedure, a fingerprint recognition procedure, a personal identification number verification procedure, a security key verification procedure, or a combination thereof.
5. The method of claim 3, wherein the private key is generated and stored at the device after the user selects the option to use the passkey authentication for the login procedure.
6. The method of claim 1, further comprising: receiving an indication that the user has registered the public key with the client of the identity management platform, wherein obtaining the public key for the user is based at least in part on the indication.
7. The method of claim 1, wherein receiving the selection of the option to use the passkey authentication comprises: receiving the selection via a web browser executing on a device associated with the user, wherein the public key of the user is stored at the identity management platform in association with the user, the web browser, the device, an operating system of the device, or a combination thereof.
8. The method of claim 1, further comprising: storing the public key at the identity management platform in association with an identifier of the user, a password of the user, an account number associated with the user, or a combination thereof, wherein the public key is retrieved from the identity management platform after the user initiates the login procedure.
9. The method of claim 1, wherein receiving the indication to enable the passkey authentication comprises: enabling the passkey authentication for the clients of the identity management platform in response to the administrator of the identity management platform selecting one or more user interface elements displayed in the first user interface.
10. The method of claim 9, wherein the one or more user interface elements comprise a checkbox, a toggle switch, a dropdown list, a button, or a combination thereof.
11. The method of claim 1, further comprising: configuring a passkey for the user based at least in part on performing one or more application programming interface calls to a web authentication service, wherein the passkey comprises the public key and a corresponding private key associated with the user.
12. The method of claim 1, wherein displaying the option to use the passkey authentication comprises: transmitting, for display at the second user interface, a first option to use the passkey authentication for the login procedure and a second option to use other credentials for the login procedure, wherein the first option is selected by the user.
13. An apparatus for passkey authentication at an identity management platform, comprising: a processor; memory coupled with the processor; and instructions stored in the memory, wherein the instructions are executable by the processor to cause the apparatus to: receive, from an administrator of the identity management platform via a first user interface configured for the identity management platform, an indication to enable passkey authentication for clients of the identity management platform; receive, via a web browser executing on a device associated with a user of the identity management platform, capability information associated with the device that indicates whether the device is capable of using passkey authentication; transmit, for display at a second user interface configured for a client of the identity management platform associated with the user and based at least in part on enabling the passkey authentication, an option to use the passkey authentication for login procedures, wherein displaying the option to use the passkey authentication for the login procedures is in response to the received capability information indicating that the device is capable of using passkey authentication; receive, from the user associated with the client via the second user interface, a selection of the option to use the passkey authentication for a login procedure; obtain a public key for the user in response to the user selecting the option to use the passkey authentication for the login procedure; and perform the login procedure using at least the public key to authenticate an identity of the user.
14. The apparatus of claim 13, wherein the instructions to perform the login procedure are executable by the processor to cause the apparatus to: transmit an indication of a cryptographic challenge to a device associated with the user; receive an indication of a cryptographic response from the device in response to the cryptographic challenge, wherein the cryptographic response comprises a digital signature; and authenticate the user based at least in part on using the public key to verify the digital signature in the cryptographic response.
15. The apparatus of claim 13, wherein the instructions are further executable by the processor to cause the apparatus to: store the public key at the identity management platform in association with an identifier of the user, a password of the user, an account number associated with the user, or a combination thereof, wherein the public key is retrieved from the identity management platform after the user initiates the login procedure.
16. A non-transitory computer-readable medium storing code for passkey authentication at an identity management platform, the code comprising instructions that are executable by a processor to: receive, from an administrator of the identity management platform via a first user interface configured for the identity management platform, an indication to enable passkey authentication for clients of the identity management platform; receive, via a web browser executing on a device associated with a user of the identity management platform, capability information associated with the device that indicates whether the device is capable of using passkey authentication; transmit, for display at a second user interface configured for a client of the identity management platform associated with the user and based at least in part on enabling the passkey authentication, an option to use the passkey authentication for login procedures, wherein displaying the option to use the passkey authentication for the login procedures is in response to the received capability information indicating that the device is capable of using passkey authentication; receive, from the user associated with the client via the second user interface, a selection of the option to use the passkey authentication for a login procedure; obtain a public key for the user in response to the user selecting the option to use the passkey authentication for the login procedure; and perform the login procedure using at least the public key to authenticate an identity of the user.
17. The non-transitory computer-readable medium of claim 16, wherein the instructions to perform the login procedure are executable by the processor to: transmit an indication of a cryptographic challenge to a device associated with the user; receive an indication of a cryptographic response from the device in response to the cryptographic challenge, wherein the cryptographic response comprises a digital signature; and authenticate the user based at least in part on using the public key to verify the digital signature in the cryptographic response.
- Portion of the specification covered
- WebAuthn Relying Party Operations
- Licensing info
- Exclusions
- Not excluded
Patent disclosures and exclusions are archived in the patent-issues mailing list.