Wireless multi-factor authentication with captive portals

US 10,321,316 B1
Filed: 04/19/2018
Issued: 06/11/2019
Est. Priority Date: 08/13/2012
Status: Active Grant

First Claim

Patent Images

1. A method for network authentication, comprising:

determining, by a system comprising a processor, a device identity based on a first factor challenge output a first time over a Contact-less data sharing connection in response to an attempt by the device to access the network,wherein, in the event the device is unable to perform authentication using the preferred networking protocol, a captive portal allows submission of various inputs from a third party supplicant that can be utilized on the server side as if they were authenticated over the preferred network protocol where the client limitations with respect to native supplicants would otherwise preclude multi-factor authentication of this type;

receiving, by the system, data indicative of a user identity based on a second factor challenge output a first time over a subnetwork after receipt of a successful response to the first factor challenge;

associating, by the system, a subnetwork with the device, the subnetwork restricts transmission and reception by the device prior to successful completion of the second factor challenge output a second time; and

performing one of;

denying, by the system, access to the network based on a determination that the data indicative of the user identity is not verified within a threshold number of attempts, orgranting, by the system, access to the network based on a determination that the data indicative of the user identity is verified within the threshold number of attempts,wherein the threshold number of attempts is variable, depending upon device identity, location, previous history, time of day, and other contextual factors to determine how many failed attempts are acceptable.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for device-agnostic, multi-factor network authentication are disclosed. In some embodiments, a wireless network connection can authenticate a device over secure authentication means with a certificate that confirms a device identity. After authenticating the device, a user can be prompted to provide credentials in a captive portal. The captive portal can be inaccessible to devices that have not already authenticated using a certificate. After providing approved credentials to the captive portal, the user can access the network. This embodiment and additional embodiments are readily integrated into private wireless networks and others.

30 Citations

View as Search Results

18 Claims

1. A method for network authentication, comprising:
- determining, by a system comprising a processor, a device identity based on a first factor challenge output a first time over a Contact-less data sharing connection in response to an attempt by the device to access the network,wherein, in the event the device is unable to perform authentication using the preferred networking protocol, a captive portal allows submission of various inputs from a third party supplicant that can be utilized on the server side as if they were authenticated over the preferred network protocol where the client limitations with respect to native supplicants would otherwise preclude multi-factor authentication of this type;
  
  receiving, by the system, data indicative of a user identity based on a second factor challenge output a first time over a subnetwork after receipt of a successful response to the first factor challenge;
  
  associating, by the system, a subnetwork with the device, the subnetwork restricts transmission and reception by the device prior to successful completion of the second factor challenge output a second time; and
  
  performing one of;
  
  denying, by the system, access to the network based on a determination that the data indicative of the user identity is not verified within a threshold number of attempts, orgranting, by the system, access to the network based on a determination that the data indicative of the user identity is verified within the threshold number of attempts,wherein the threshold number of attempts is variable, depending upon device identity, location, previous history, time of day, and other contextual factors to determine how many failed attempts are acceptable.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising ignoring, at least temporarily, network traffic not related to the first factor challenge prior to the receipt of the successful response.
  - 3. The method of claim 1, wherein the order of challenges can be dynamic such that different users or devices encounter varying and nonstandard orders for establishing device identity.
  - 4. The method of claim 3, wherein the captive portal is inaccessible to an unidentified device.
  - 5. The method of claim 1, wherein for frequently-threatened access points requiring maximum access control, third and fourth challenges can be implemented at different phases of authentication, and the order in which the challenges are presented can rotate or vary randomly.
  - 6. The method of claim 1, wherein biometric scans are employed as an authentication technique.
  - 7. The method of claim 6, further comprising ignoring, at least temporarily, network traffic not related to the first factor challenge after denying the access to the network and before the receipt of the other successful response to the first factor challenge.
  - 8. The method of claim 6, further comprising triggering, by the system, a captive portal based on determining the device identity a second time, wherein the captive portal restricts a view of network traffic not related to an authentication input until the other user identity is verified.
  - 9. The method of claim 8, wherein the captive portal is inaccessible to an unidentified device.

10. A system for network authentication, comprising:
- a first authentication component that verifies an identity of a device attempting to access the network;
  
  a second authentication component that, after verification of the identity, sends a request for identification of a user of the device, wherein the second authentication component verifies the user identity over a subnetwork that restricts transmission and reception by the device until the second authentication component verifies the user identity;
  
  wherein, based on a determination that the second authentication component does not verify the user of the device, the first authentication component re-verifies the identity of the device and the second authentication component sends another request for identification of the user of the device, andwherein, based on a determination that the second authentication component verifies the user of the device, the second authentication component grants access to the network,wherein the authentication components verify identities over contact-less data sharing connections,wherein after authentication the device is disconnected unintentionally from the network, the steps taken to reconnecting include storing credentials and repeating no, one, or all authentication steps such that;
  
  for a very secure network, all authentication steps will be repeated after any interruption in the connection of the device to the network or any change in the status of the configuration of the device,for a relatively secure network, if after authentication the device is disconnected from the network for less than a preset time period, the device is reconnected automatically after being identified,for networks that are less secure, credentials are stored for a limited period of time such that disconnections do not require re-authentication at a frequency greater than once per a set period of time.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The system of claim 10, wherein the first authentication component verifies the identity based on a match between the identity and a set of credentials recognized by the first authentication component.
  - 12. The system of claim 10, wherein the device is identified as particular make, model, or version.
  - 13. The system of claim 10, wherein the device is identified as belonging to a specific group of devices allowed on the network without performing a unique identification.
  - 14. The system of claim 10, wherein the second authentication component grants access to the network based on a determination that the user identity is verified within a threshold number of attempts.
  - 15. The system of claim 10, wherein the second authentication component denies access to the network based on a determination that the user identity is not verified within a threshold number of attempts.

16. A computer-readable storage device storing executable instructions that, in response to execution, cause a system comprising a processor to perform operations, comprising:
- verifying a device identity based on a reply to a first authentication request;
  
  receiving data indicative of a user identity in reply to a second authentication request, wherein the second authentication request is output after verification of the device identity in response to the first authentication request;
  
  verifying the device identity again based on a reply to a third authentication request, wherein the third authentication request is output based on the user identity not being verified within a predetermined number of attempts, and wherein the first authentication request and the third authentication request are similar authentication requests;
  
  receiving other data indicative of the user identity in reply to a fourth authentication request, wherein the fourth authentication request is output after verification of the device identity in response to the third authentication request, and wherein the second authentication request and the fourth authentication request are similar authentication requests; and
  
  selectively granting access to the network based on a determination that the user identity is verified,wherein the first authentication request and the third authentication request are communicated over a contact-less data sharing connection,wherein the second authentication request and the fourth authentication request are communicated over a subnetwork, andwherein the second authentication component verifies the user identity over a subnetwork that restricts transmission and reception by the device until the second authentication component verifies the user identity.
- View Dependent Claims (17, 18)
- - 17. The computer-readable storage device of claim 16, wherein, if at any point authentication of the device fails, the device will be disconnected temporarily.
  - 18. The computer-readable storage device of claim 16, wherein, if at any point authentication of the device fails, the device will be disassociated or disconnected permanently, that is, at least requiring intervention by a network administrator to allow further authentication attempts.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Wells Fargo Bank NA (Wells Fargo & Company)
Original Assignee
Wells Fargo Bank NA (Wells Fargo & Company)
Inventors
Belton, Jr., Lawrence T., Beaty, Brian, Morris, Timothy H., Rodgers, Douglas S., Smith, Lynn Allen
Primary Examiner(s)
Pwu, Jeffrey C
Assistant Examiner(s)
Ambaye, Samuel

Application Number

US15/957,168
Time in Patent Office

418 Days
Field of Search

280483
US Class Current
CPC Class Codes

G06F 21/00   Security arrangements for p...

H04L 63/08   for authentication of entit...

H04L 63/102   Entity profiles

H04L 67/306   User profiles

H04L 9/32   including means for verifyi...

H04W 12/06   Authentication

H04W 12/062   Pre-authentication

H04W 12/069   using certificates or pre-s...

H04W 12/08   Access security

Wireless multi-factor authentication with captive portals

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

30 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Wireless multi-factor authentication with captive portals

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

30 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links