| CPC H04L 9/0861 (2013.01) [H04L 9/0822 (2013.01); H04L 9/0894 (2013.01); H04L 9/3231 (2013.01)] | 5 Claims |

2. A non-transitory computer-readable storage medium storing instructions that when executed by a computer processor perform actions comprising:
receiving a request from a user to access a resource on a remote resource server;
receiving data beginning an authentication flow with the remote resource server;
obtaining an encrypted form of a software keystore password of a software keystore and a reference to a secure decryption key of a plurality of secure decryption keys of a hardware-backed keystore of a client device, differing secure decryption keys of the plurality of secure decryption keys being useable to decrypt differing software keystore passwords of the software keystore, the client device comprising the software keystore and the hardware-backed keystore;
requesting access to a decrypted form of the software keystore password from the hardware-backed keystore of an operating system of the client device, the access request including the encrypted form of the software keystore password and the reference to the secure decryption key, the access request causing the operating system to verify biometric credentials of a user of the client device;
responsive to the operating system successfully verifying the biometric credentials of the user, obtaining the decrypted form of the software keystore password from the hardware-backed keystore, the hardware-backed keystore using the secure decryption key to decrypt the encrypted form of the software keystore password;
obtaining a keypair of the user from the software keystore using the decrypted form of the software keystore password obtained from the hardware-backed keystore; and
using the obtained keypair for secure communication within the authentication flow.
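The flow recited in claim 2, modelled as an added example (not the patent's own code or any vendor's keystore API): a hardware-backed keystore holds several decryption keys addressed by reference and releases a decrypted software keystore password only after biometric verification, and that password then unlocks the user's keypair in a software keystore. It is standard-library only; the HMAC-SHA256 counter-mode cipher with integrity tag, the key references, the password and the keypair bytes are constructed stand-ins.

```python
import hashlib
import hmac
import os

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256 (constructed stand-in for a real AEAD).
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    # Layout: nonce || ciphertext || tag; the tag lets a wrong key be detected on open.
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def open_sealed(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered blob")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

class HardwareKeystore:
    """Models the OS hardware-backed keystore: it holds several decryption keys
    addressed by reference, the keys never leave it, and every decrypt is gated
    on the OS having verified the user's biometric credentials."""
    def __init__(self, key_refs):
        self._keys = {ref: os.urandom(32) for ref in key_refs}
    def encrypt(self, key_ref: str, data: bytes) -> bytes:
        return seal(self._keys[key_ref], data)
    def decrypt(self, key_ref: str, blob: bytes, biometric_verified: bool) -> bytes:
        if not biometric_verified:
            raise PermissionError("biometric verification failed; key not used")
        return open_sealed(self._keys[key_ref], blob)

class SoftwareKeystore:
    """Password-protected software keystore holding the user's keypair."""
    def __init__(self, password: bytes, keypair: bytes):
        self._blob = seal(hashlib.sha256(password).digest(), keypair)
    def get_keypair(self, password: bytes) -> bytes:
        return open_sealed(hashlib.sha256(password).digest(), self._blob)

def run_auth_flow(hw, sw, enc_password: bytes, key_ref: str, biometric_verified: bool) -> bytes:
    # Claim steps: biometric-gated hardware decrypt of the password, then keypair retrieval.
    password = hw.decrypt(key_ref, enc_password, biometric_verified)
    return sw.get_keypair(password)
```

A failed biometric check stops the flow before any key is used, and a mismatched key reference surfaces as an integrity failure rather than a silently wrong password.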