Invented by Smitha Prasad, Mario John Villaplana, Sajan Andrew Alexander, Mahesh Keralapura Manjunatha, Swaroop Katika, Evan Moses, Zheng Chen, Phoebe Yu
Let’s take a close look at a new way to keep user accounts safe. The method lets people log in to their work apps without ever seeing or handling the real password. We’ll break down why this idea matters, how it builds on what came before, and exactly what is new about it.
Background and Market Context
In today’s digital world, companies have lots of apps and servers that only the right people should use. Every worker, partner, and sometimes customers need to access these resources. The challenge? Making sure only the right people get in, and that passwords never fall into the wrong hands.
Most companies use something called an identity management system (IMS). This is like a gatekeeper. It checks who you are and lets you see what you’re allowed to see. You might have used “single sign-on” (SSO) at work—where you log in once and can open many apps without typing your password again. For big companies, these systems are a must.
But there’s a problem. Even with SSO, there’s usually a password somewhere, and sometimes it’s still possible for a hacker to steal it. If someone gets a plain password, they might be able to sneak in and take sensitive company data. This is scary for organizations, and it creates real risks.
More and more apps are moving to the cloud, but older apps may still run on servers in the company’s own buildings. So the gatekeeper needs to work with both the company’s own systems and applications running in the cloud. The more complex the setup, the harder it is to keep things safe.
Over time, companies have tried lots of different ways to protect passwords and manage who can access what. They use multi-step logins (like sending a code to your phone), give users roles and permissions, and set up policies for how accounts can be used. Still, hackers keep getting smarter, and there’s always a risk that someone will make a mistake, like sharing a password in an email or leaving it written down.
Today, companies demand a solution that keeps passwords secret—even from the person logging in. They want to stop anyone from ever seeing or copying the real passwords, but still allow workers to log in and do their jobs. This is where the new invention comes in.
Scientific Rationale and Prior Art
To understand why this new method matters, let’s look at what’s been done so far. In the past, companies stored passwords in databases, sometimes encrypted, sometimes not. When you wanted to log in, the system would check if your password matched what was on file. With SSO, you log in once, and the system gives you a “token” to show other apps you’re trusted.
But there are weak points. If a hacker steals the password from the database, or grabs it while it’s being sent, they can pretend to be you. Even if passwords are encrypted in storage, sometimes they’re sent over the network in plain text. Some companies use password managers, but these can also be hacked if not protected properly.
Security experts have tried to fix this in a few ways:
- Encrypting passwords before storing them, so if someone breaks in, they don’t see the real thing.
- Using “secrets vaults” to hold passwords, so apps never keep them in their own files.
- Adding extra steps, like sending users a text or using an app to prove it’s really them.
Even with these, there’s still a risk. If a password ever leaves the vault in plain text—maybe to log the user into a server—it can be stolen. Some systems let users “reveal” passwords to copy and paste them, which is also risky.
Some advanced systems use “proxy” servers. These act as a go-between: users connect to the proxy, which then connects to the real app, so users never connect directly to the app itself. But often the proxy still ends up holding a plain password, or the user still has to know the password to get in.
The new method takes these ideas and pushes them further. It uses public-key encryption: the password is encrypted with the client’s public key, and only the holder of the matching private key can decrypt it. The real password never appears in a form that anyone else can read, not even the user.
This idea isn’t totally new—public-key encryption is used in many places, like secure websites. But using it in this way, to keep passwords hidden all the way from storage to login, is a smart step forward.
Previous inventions have tried to use encrypted credentials, but often, they either make things too slow, too hard to manage, or still let passwords be seen at some point. The new system solves these problems by making the process smooth, automatic, and always encrypted.
Invention Description and Key Innovations
Let’s walk through how this invention works in simple terms.
Imagine you are an employee trying to log in to a work app. You send a request to the company’s identity management system (the gatekeeper) through its API, over a secure connection. You don’t give your password. Instead, you say, “I want to log in, and here’s my public key.” Think of this public key as a padlock that only you can open, because only you have the matching private key.
The system talks to a secrets service—a super-secure place that stores real passwords. The secrets service takes the password for your account and locks it up using your public key. Now, even if someone grabs this locked password, they can’t open it. Only you, with your private key, can unlock it.
The system sends this locked password back to you (or sometimes to a gateway that helps you get to the app). You, or your trusted software client, use your private key to unlock the password. The unlocked password is only used to log in to the app server, and never shown on the screen or stored anywhere you can see.
Sometimes, instead of you unlocking the password, a gateway (another trusted computer) does this part. You send the locked password and a proof (certificate) that you are allowed to access the app. The gateway checks your proof, unlocks the password with its own private key, and logs in on your behalf. You never see the password, and the gateway only uses it to create a session for you.
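The handoff described above, as an added example in Go (this is not the applicant's code; the names secretsService, identityService, appServer and client, the use of RSA-OAEP, and the choice of the account name as the OAEP label are assumptions made here). The IMS checks entitlement and brokers the request, the vault seals the password under the requesting public key, and the party holding the private key (the user's client, or a gateway with its own key pair) unseals it only to log in. The block also models the password rotation the summary mentions later, so a captured plaintext stops working once the vault rotates it.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// appServer is the target system; besides the vault it is the only party holding plaintext.
type appServer struct{ passwords map[string]string }

func (a *appServer) Login(account, password string) bool {
	want, ok := a.passwords[account]
	return ok && subtle.ConstantTimeCompare([]byte(want), []byte(password)) == 1
}

// secretsService is the vault: plaintext leaves it only inside an RSA-OAEP envelope.
type secretsService struct {
	passwords map[string]string
	target    *appServer // receives the new password on rotation
}

func (s *secretsService) SealCredential(account string, pub *rsa.PublicKey) ([]byte, error) {
	pw, ok := s.passwords[account]
	if !ok {
		return nil, errors.New("vault: unknown account")
	}
	// The account name is the OAEP label: an envelope sealed for one account cannot be unsealed as another.
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(pw), []byte(account))
}

// Rotate installs a fresh random password on vault and app server, so captured plaintext stops working.
func (s *secretsService) Rotate(account string) error {
	if _, ok := s.passwords[account]; !ok {
		return errors.New("vault: unknown account")
	}
	buf := make([]byte, 24)
	if _, err := rand.Read(buf); err != nil {
		return err
	}
	s.passwords[account] = fmt.Sprintf("%x", buf)
	s.target.passwords[account] = s.passwords[account]
	return nil
}

// identityService is the gatekeeper: it checks entitlement and brokers the envelope but holds no private key.
type identityService struct {
	vault    *secretsService
	entitled map[string]map[string]bool // user -> account -> allowed
}

func (ims *identityService) RequestSealedCredential(user, account string, pub *rsa.PublicKey) ([]byte, error) {
	if !ims.entitled[user][account] {
		return nil, errors.New("ims: user not entitled to account")
	}
	return ims.vault.SealCredential(account, pub)
}

// client is whoever holds the private key: the user's own software or a trusted gateway acting
// for the user. It unseals and logs in in one step and never hands the plaintext to the caller.
type client struct{ key *rsa.PrivateKey }

func newClient() (*client, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &client{key: k}, nil
}

func (c *client) LoginVia(ims *identityService, app *appServer, user, account string) (bool, error) {
	sealed, err := ims.RequestSealedCredential(user, account, &c.key.PublicKey)
	if err != nil {
		return false, err
	}
	pw, err := rsa.DecryptOAEP(sha256.New(), nil, c.key, sealed, []byte(account))
	if err != nil {
		return false, fmt.Errorf("client: cannot unseal: %w", err)
	}
	return app.Login(account, string(pw)), nil
}

// newDemoEnvironment builds constructed sample data: one app server, the vault holding
// its service-account password, and the IMS entitlement table.
func newDemoEnvironment() (*identityService, *secretsService, *appServer) {
	const seed = "constructed-initial-secret"
	app := &appServer{passwords: map[string]string{"svc-payroll": seed}}
	vault := &secretsService{passwords: map[string]string{"svc-payroll": seed}, target: app}
	ims := &identityService{vault: vault, entitled: map[string]map[string]bool{"alice": {"svc-payroll": true}}}
	return ims, vault, app
}

func main() {
	ims, _, app := newDemoEnvironment()
	c, _ := newClient()
	fmt.Println(c.LoginVia(ims, app, "alice", "svc-payroll")) // true <nil>
}
```

The property worth checking is that identityService has no private key at all: everything it touches is ciphertext, and an envelope sealed for one client's key fails to unseal under any other. The gateway variant is the same code with the gateway's key pair inside client and an extra check of the user's proof before it unseals.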
This system also uses something called labels to decide who gets access. Each app server has its own labels—like “Windows server,” “HR system,” or “Payroll app.” Each user has labels too. The system checks if your labels match the server’s labels before letting you in. If the labels change, or if you lose your access, the system can quickly kick you out, closing the session so you can’t use the app anymore.
Here’s why this is special:
- The real password is always protected—never shown or stored in a way users or hackers can see.
- The session can be started by you or by a trusted gateway, but never leaks the password.
- Access is based on clear, flexible labels, making it easy to add or remove permission as needed.
- If company rules change, access can be revoked right away, closing any open sessions automatically.
This makes the system very safe, because even if a hacker tries to grab passwords, they only get locked data they can’t use. It also makes life easier for IT teams, since they don’t have to manually update long lists of who can use what. The system adjusts access quickly and keeps track of who’s allowed in at every moment.
The technical details are important, but the big idea is simple: keep passwords hidden, make access quick and safe, and give companies control over who gets in, all without slowing people down or making extra work for IT.
The invention also includes ways to monitor sessions over time. If you’re allowed in now, but later lose that right (maybe you leave the project or the company), the system finds out and ends your session. This way, old sessions don’t stay open by mistake.
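The label check and the session monitoring from the two passages above, as an added Go example (not the applicant's code). The matching rule is an assumption made here: a user must hold every label the target requires, and a target with no labels admits nobody, so the check fails closed. The names accessBroker, appTarget, Open, SetLabels and Reconcile are chosen for this example, and the block generalises the summary's "HR system" and "Payroll app" labels to any label set.

```go
package main

import (
	"fmt"
	"sort"
)

type labelSet map[string]bool

func labels(vals ...string) labelSet {
	s := labelSet{}
	for _, v := range vals {
		s[v] = true
	}
	return s
}

// appTarget is one app server and the labels a user must carry to reach it.
type appTarget struct {
	Name     string
	Required labelSet
}

type session struct {
	ID     int
	User   string
	Target string
}

// accessBroker holds the label directory and the open sessions it has granted.
type accessBroker struct {
	users    map[string]labelSet
	targets  map[string]appTarget
	sessions map[int]session
	nextID   int
}

func newAccessBroker() *accessBroker {
	return &accessBroker{users: map[string]labelSet{}, targets: map[string]appTarget{}, sessions: map[int]session{}, nextID: 1}
}

// permitted applies the assumed matching rule: the user must hold every label the target
// requires. Unknown users, unknown targets and targets with no labels are refused.
func (b *accessBroker) permitted(user, target string) bool {
	t, ok := b.targets[target]
	if !ok || len(t.Required) == 0 {
		return false
	}
	have := b.users[user]
	for l := range t.Required {
		if !have[l] {
			return false
		}
	}
	return true
}

// Open runs the label check at login time and records the session.
func (b *accessBroker) Open(user, target string) (int, error) {
	if !b.permitted(user, target) {
		return 0, fmt.Errorf("%s: labels do not match %s", user, target)
	}
	id := b.nextID
	b.nextID++
	b.sessions[id] = session{ID: id, User: user, Target: target}
	return id, nil
}

// SetLabels replaces a user's labels, e.g. when they leave a project; open sessions
// are affected at the next Reconcile.
func (b *accessBroker) SetLabels(user string, ls labelSet) { b.users[user] = ls }

// Reconcile re-evaluates every open session against the current labels and closes
// those that no longer qualify, returning the closed session IDs in order.
func (b *accessBroker) Reconcile() []int {
	closed := []int{}
	for id, s := range b.sessions {
		if !b.permitted(s.User, s.Target) {
			closed = append(closed, id)
			delete(b.sessions, id)
		}
	}
	sort.Ints(closed)
	return closed
}

func (b *accessBroker) OpenCount() int { return len(b.sessions) }

// newDemoBroker loads constructed sample data: two users, two labelled targets and
// one legacy target that carries no labels.
func newDemoBroker() *accessBroker {
	b := newAccessBroker()
	b.users["alice"] = labels("os:windows", "system:hr")
	b.users["bob"] = labels("os:linux", "system:payroll")
	b.targets["hr-01"] = appTarget{Name: "hr-01", Required: labels("os:windows", "system:hr")}
	b.targets["payroll-01"] = appTarget{Name: "payroll-01", Required: labels("system:payroll")}
	b.targets["legacy-00"] = appTarget{Name: "legacy-00"}
	return b
}

func main() {
	b := newDemoBroker()
	id, err := b.Open("alice", "hr-01")
	fmt.Println("alice -> hr-01:", id, err)
	b.SetLabels("alice", labels("os:windows")) // alice leaves the HR project
	fmt.Println("closed by reconcile:", b.Reconcile())
}
```

Reconcile is what turns a one-time login check into continuous enforcement: run it on a schedule or whenever a user's labels change, and sessions whose labels no longer match are closed instead of lingering.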
The invention is built to work with all kinds of setups—cloud servers, company computers, and older apps. It uses safe, proven encryption and fits into existing security systems, but adds a new layer of protection. It even rotates passwords over time, making stolen passwords useless even if someone manages to get one.
In short, this method lets companies protect their most sensitive info, without making workers jump through hoops or learn new tricks. It’s safe, smart, and fits the way modern businesses work.
Conclusion
Protecting user accounts and company data is more important than ever. This new invention solves a big problem by making sure passwords stay hidden and safe at every step. By using encrypted handoffs and smart label checks, it lets the right people access the right apps—no more, no less—with no risk of leaking passwords.
For companies, this means fewer hacks, less work for IT, and more peace of mind. For users, it means easy, safe logins, and no more worries about stolen passwords. This is a big step forward in identity management and session security, and it sets a new standard for how access should work in the cloud age.
To read the full application, open https://ppubs.uspto.gov/pubwebapp/ and search for publication number 20250219821.