Wireless multi-factor authentication with captive portals
First Claim
1. A method for network authentication, comprising:
determining, by a system comprising a processor, a device identity based on a first factor challenge output a first time over a Contact-less data sharing connection in response to an attempt by the device to access the network, wherein, in the event the device is unable to perform authentication using the preferred networking protocol, a captive portal allows submission of various inputs from a third party supplicant that can be utilized on the server side as if they were authenticated over the preferred network protocol where the client limitations with respect to native supplicants would otherwise preclude multi-factor authentication of this type;
receiving, by the system, data indicative of a user identity based on a second factor challenge output a first time over a subnetwork after receipt of a successful response to the first factor challenge;
associating, by the system, a subnetwork with the device, the subnetwork restricts transmission and reception by the device prior to successful completion of the second factor challenge output a second time; and
performing one of:
denying, by the system, access to the network based on a determination that the data indicative of the user identity is not verified within a threshold number of attempts, or
granting, by the system, access to the network based on a determination that the data indicative of the user identity is verified within the threshold number of attempts, wherein the threshold number of attempts is variable, depending upon device identity, location, previous history, time of day, and other contextual factors to determine how many failed attempts are acceptable.
Abstract
Systems and methods for device-agnostic, multi-factor network authentication are disclosed. In some embodiments, a wireless network connection can authenticate a device over secure authentication means with a certificate that confirms a device identity. After authenticating the device, a user can be prompted to provide credentials in a captive portal. The captive portal can be inaccessible to devices that have not already authenticated using a certificate. After providing approved credentials to the captive portal, the user can access the network. This embodiment and additional embodiments are readily integrated into private wireless networks and others.
30 Citations
18 Claims
1. A method for network authentication, comprising:
determining, by a system comprising a processor, a device identity based on a first factor challenge output a first time over a Contact-less data sharing connection in response to an attempt by the device to access the network, wherein, in the event the device is unable to perform authentication using the preferred networking protocol, a captive portal allows submission of various inputs from a third party supplicant that can be utilized on the server side as if they were authenticated over the preferred network protocol where the client limitations with respect to native supplicants would otherwise preclude multi-factor authentication of this type;
receiving, by the system, data indicative of a user identity based on a second factor challenge output a first time over a subnetwork after receipt of a successful response to the first factor challenge;
associating, by the system, a subnetwork with the device, the subnetwork restricts transmission and reception by the device prior to successful completion of the second factor challenge output a second time; and
performing one of:
denying, by the system, access to the network based on a determination that the data indicative of the user identity is not verified within a threshold number of attempts, or
granting, by the system, access to the network based on a determination that the data indicative of the user identity is verified within the threshold number of attempts, wherein the threshold number of attempts is variable, depending upon device identity, location, previous history, time of day, and other contextual factors to determine how many failed attempts are acceptable.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9
10. A system for network authentication, comprising:
a first authentication component that verifies an identity of a device attempting to access the network;
a second authentication component that, after verification of the identity, sends a request for identification of a user of the device, wherein the second authentication component verifies the user identity over a subnetwork that restricts transmission and reception by the device until the second authentication component verifies the user identity;
wherein, based on a determination that the second authentication component does not verify the user of the device, the first authentication component re-verifies the identity of the device and the second authentication component sends another request for identification of the user of the device, and wherein, based on a determination that the second authentication component verifies the user of the device, the second authentication component grants access to the network,
wherein the authentication components verify identities over contact-less data sharing connections,
wherein, after authentication, if the device is disconnected unintentionally from the network, the steps taken to reconnect include storing credentials and repeating no, one, or all authentication steps such that:
for a very secure network, all authentication steps will be repeated after any interruption in the connection of the device to the network or any change in the status of the configuration of the device;
for a relatively secure network, if after authentication the device is disconnected from the network for less than a preset time period, the device is reconnected automatically after being identified;
for networks that are less secure, credentials are stored for a limited period of time such that disconnections do not require re-authentication at a frequency greater than once per a set period of time.
Dependent claims: 11, 12, 13, 14, 15
16. A computer-readable storage device storing executable instructions that, in response to execution, cause a system comprising a processor to perform operations, comprising:
verifying a device identity based on a reply to a first authentication request;
receiving data indicative of a user identity in reply to a second authentication request, wherein the second authentication request is output after verification of the device identity in response to the first authentication request;
verifying the device identity again based on a reply to a third authentication request, wherein the third authentication request is output based on the user identity not being verified within a predetermined number of attempts, and wherein the first authentication request and the third authentication request are similar authentication requests;
receiving other data indicative of the user identity in reply to a fourth authentication request, wherein the fourth authentication request is output after verification of the device identity in response to the third authentication request, and wherein the second authentication request and the fourth authentication request are similar authentication requests; and
selectively granting access to the network based on a determination that the user identity is verified,
wherein the first authentication request and the third authentication request are communicated over a contact-less data sharing connection, wherein the second authentication request and the fourth authentication request are communicated over a subnetwork, and wherein the second authentication component verifies the user identity over a subnetwork that restricts transmission and reception by the device until the second authentication component verifies the user identity.
Dependent claims: 17, 18
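The claims above describe a control flow rather than code: a device factor that must succeed before the captive portal is even reachable, a user factor answered over a restricted subnetwork, a context-dependent failure threshold that sends the device back to the first factor, and three tiers of reconnection policy. The following Python model is an added example written for this page; it is not code from the patent or its assignee. The HMAC challenge-response stands in for the certificate check, the threshold scoring, the tier names and the timing constants are all assumptions, and the credentials are constructed sample data.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed sample data (not real credentials). The first factor is modelled as a
# shared-secret HMAC challenge-response standing in for the certificate check.
DEVICE_SECRETS = {"laptop-01": b"device-secret-1", "phone-07": b"device-secret-2"}
USER_PASSWORDS = {"alice": "correct horse", "bob": "battery staple"}

# Assumed reconnection policy parameters; claim 10 names the tiers but not the values.
RECONNECT_GRACE_SECONDS = 300        # "relatively secure": auto-reconnect window
CREDENTIAL_CACHE_SECONDS = 8 * 3600  # "less secure": minimum interval between re-auths


@dataclass
class Session:
    device_id: str
    state: str = "unauthenticated"   # unauthenticated -> device_verified -> granted / denied
    challenge: bytes = b""
    user_attempts: int = 0
    device_reverifications: int = 0
    egress: frozenset = frozenset()  # what the device may reach; models the subnetwork


def issue_challenge(session: Session) -> bytes:
    """First factor, step 1: a fresh nonce the device must answer with its secret."""
    session.challenge = os.urandom(16)
    return session.challenge


def device_response(device_id: str, challenge: bytes) -> bytes:
    """What a legitimate device computes (stands in for a certificate signature)."""
    return hmac.new(DEVICE_SECRETS[device_id], challenge, hashlib.sha256).digest()


def verify_device(session: Session, response: bytes) -> bool:
    """First factor, step 2: check the response; on success confine the device to the portal subnetwork."""
    secret = DEVICE_SECRETS.get(session.device_id)
    if secret is None or not session.challenge:
        session.state = "denied"
        return False
    expected = hmac.new(secret, session.challenge, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, response):
        session.state = "denied"
        return False
    session.state = "device_verified"
    session.egress = frozenset({"captive-portal"})  # restricted subnetwork
    session.challenge = b""  # single use
    return True


def attempt_threshold(context: dict) -> int:
    """Variable threshold: an assumed scoring over the contextual factors the claim lists."""
    n = 3
    if context.get("location") == "guest":
        n -= 1
    if not 8 <= context.get("hour", 12) < 18:
        n -= 1
    if context.get("history") == "trusted":
        n += 1
    return max(1, n)


def verify_user(session: Session, username: str, password: str, context: dict) -> str:
    """Second factor over the captive portal. Returns 'granted', 'retry', 'reverify_device' or 'portal_unavailable'."""
    if session.state != "device_verified" or "captive-portal" not in session.egress:
        return "portal_unavailable"  # the portal is only reachable after the first factor
    expected = USER_PASSWORDS.get(username)
    if expected is not None and hmac.compare_digest(expected.encode(), password.encode()):
        session.state = "granted"
        session.egress = frozenset({"network"})
        return "granted"
    session.user_attempts += 1
    if session.user_attempts >= attempt_threshold(context):
        # Threshold hit: drop back to the first factor, as claims 10 and 16 describe.
        session.state = "unauthenticated"
        session.egress = frozenset()
        session.user_attempts = 0
        session.device_reverifications += 1
        return "reverify_device"
    return "retry"


def reconnect_steps(tier: str, outage_seconds: float, credential_age_seconds: float) -> str:
    """Which steps repeat after an unintentional disconnect, per the three tiers of claim 10."""
    if tier == "very_secure":
        return "all"  # any interruption or configuration change repeats everything
    if tier == "relatively_secure":
        return "device_only" if outage_seconds < RECONNECT_GRACE_SECONDS else "all"
    if tier == "less_secure":
        return "none" if credential_age_seconds < CREDENTIAL_CACHE_SECONDS else "all"
    raise ValueError(f"unknown tier: {tier}")


def login(device_id: str, username: str, password: str, context: dict) -> Session:
    """Run the full flow for a legitimate device that answers the challenge honestly."""
    s = Session(device_id)
    if not verify_device(s, device_response(device_id, issue_challenge(s))):
        return s
    verify_user(s, username, password, context)
    return s
```

The point a defender should take from the model is the ordering: `verify_user` refuses to run unless the session already holds the `captive-portal` egress set by `verify_device`, so a client that skips the device factor never gets a password prompt to attack, and a client that exhausts the threshold is pushed back to the device factor rather than left on the portal.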
Specification