Patent · US Active

Using device-bound credentials for enhanced security of authentication in native applications

US11943370B2 · kind B2 · utility

Cited by: 0
References: 4
Claims: 19
Family size: 0

Assignee

Inventors

Key dates

Filing date: Nov 10, 2021
Grant date: Mar 26, 2024
Priority date
Expiry date: Sep 8, 2042

Classification

  • Technology area (CPC H): Electricity
  • CPC primary: H04L63/166
  • WIPO field: Digital communication
  • WIPO sector: Electrical engineering

Abstract

A method allows access to computer resources to authorized native applications on a client device. An authorization server receives, from a native application on a device, an initial authorization grant, a public key of a private/public key pair generated on the device, and an attestation of authenticity of the native application. The authorization server receives, from the native application on the device, a refresh token and a digital signature of the refresh token that is created with the private key. The authorization server recognizes the refresh token only if the refresh token is verified with the public key that has been previously registered. The authorization server validates the digital signature of the refresh token, and transmits a new access token and a new refresh token to the native application on the device, thus allowing the native application on the device to access the computer resource.
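The server-side check the abstract describes, sketched in Go as an added example (not code from the patent or its assignee). Assumptions: Ed25519 as the signature scheme, the signature computed over the raw token string, an in-memory token store, old refresh tokens invalidated on rotation, and all type and function names hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// AuthServer (hypothetical) maps each live refresh token to the registered device key.
type AuthServer struct{ bound map[string]ed25519.PublicKey }
func NewAuthServer() *AuthServer { return &AuthServer{bound: map[string]ed25519.PublicKey{}} }
func newToken() string {
	b := make([]byte, 16)
	rand.Read(b)
	return hex.EncodeToString(b)
}

// Register stores the device public key and issues the first refresh token.
// Assumption: the authorization grant and app attestation were already checked.
func (s *AuthServer) Register(pub ed25519.PublicKey) string {
	rt := newToken()
	s.bound[rt] = pub
	return rt
}

// Refresh accepts a refresh token only with a valid signature over it made by
// the registered key, then rotates it and returns new access and refresh tokens.
func (s *AuthServer) Refresh(rt string, sig []byte) (access, next string, err error) {
	pub, ok := s.bound[rt]
	if !ok {
		return "", "", errors.New("unknown or already used refresh token")
	}
	if !ed25519.Verify(pub, []byte(rt), sig) {
		return "", "", errors.New("signature does not match registered key")
	}
	delete(s.bound, rt) // assumption: the old token is dead after rotation
	next = newToken()
	s.bound[next] = pub // the new token stays bound to the same device key
	return newToken(), next, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // stands in for the on-device key pair
	srv := NewAuthServer()
	rt := srv.Register(pub)
	_, next, err := srv.Refresh(rt, ed25519.Sign(priv, []byte(rt)))
	fmt.Println("refresh ok:", err == nil, "rotated:", next != rt)
}
```

A refresh token copied off the device is useless on its own here, because `Refresh` also requires a signature that only the holder of the device's private key can produce.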

Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.