US Patent No. 10,536,436


Patent No. 10,536,436
Issue Date January 14, 2020
Title Client Authentication Utilizing Shared Secrets To Encrypt One-time Passwords
Inventorship Marc R. Barbour, Woodinville, WA (US)
Ruchith Udayanga Fernando, Bothell, WA (US)
Assignee Amazon Technologies, Inc., Seattle, WA (US)

Claim of US Patent No. 10,536,436

1. A computer-implemented method, comprising:obtaining, from a first user device and by a server, a request to access a computer-implemented service;
transmitting, by the server, a notification to a second user device to cause the second user device to invoke an application to establish an authenticated communication with the computer-implemented service using a password authenticated key exchange protocol;
obtaining, from the second user device and by the server, information associated with a user usable to generate a shared secret with the application, the information generated using credential information of the second user device;
generating, by the server and through use of the information from the second user device, the shared secret;
obtaining, from the second user device and by the server through the authenticated communication using the password authenticated key exchange protocol, a hash of a second shared secret, the second shared secret generated by the application;
determining, by the server, whether the shared secret and the second shared secret match; and
as a result of the shared secret matching the second shared secret:
generating, by the server, a one-time password for authentication of the user;
utilizing, by the server, the shared secret to encrypt the one-time password resulting in an encrypted one-time password;
transmitting, by the server, the encrypted one-time password to the second user device to enable the second user device to utilize the second shared secret to decrypt the encrypted one-time password;
obtaining, from the first user device and by the server, a decrypted one-time password;
comparing, by the server, the decrypted one-time password to the one-time password to determine whether the decrypted one-time password and the one-time password match; and
as a result of the decrypted one-time password matching the one-time password, allowing the first user device to access the computer-implemented service.