System and method for managing tokens authorizing on-device operations

摘要

A system and method can support on-device operation management. A token issuer on a backend server, and/or a tool, can generate an authorization token, which is bound to a user of one or more devices using a unique identifier (ID) that is assigned to the user. The unique ID can be known and/or shared between the an on-device authorizing entity and the token issuer. Then, the on-device authorizing entity can verify the authorization token before granting an execution of one or more protected on-device operations. Furthermore, the on-device authorizing entity may not grant the execution of the one or more protected on-device operations, when the unique ID is erased from the device.

主权项

1. A method for supporting on-device operation management, comprising:
providing an on-device authorizing entity on a device that includes one or more microprocessors, wherein the on-device authorizing entity stores a unique identifier assigned to a user of the device, wherein the unique identifier is shared with a token issuer that stores the unique identifier; receiving, at the device, an authorization token generated by the token issuer, wherein the authorization token includes the unique identifier; verifying, by the on-device authorizing entity, the authorization token by comparing the unique identifier contained in the authorization token with the unique identifier stored in the on-device authorizing entity, to determine whether to grant an execution of one or more protected operations on the device; and wherein the token issuer operates to provision the unique identifier (ID) stored therein on the device after the device is reset, or on a new device, in response to a request by the user.