Wireless multi-factor authentication with captive portals

US 9,967,742 B1
Filed: 05/08/2015
Issued: 05/08/2018
Est. Priority Date: 08/13/2012
Status: Active Grant

First Claim

Patent Images

1. A method for network authentication, comprising:

determining, by a system comprising a processor, a device identity based on a first factor challenge output a first time over a WiFi connection in response to an attempt by the device to access the network;

receiving, by the system, data indicative of a user identity based on a second factor challenge output a first time over a subnetwork after receipt of a successful response to the first factor challenge;

performing one of;

denying, by the system, access to the network based on a determination that the data indicative of the user identity is not verified within a threshold number of attempts, orgranting, by the system, access to the network based on a determination that the data indicative of the user identity is verified within the threshold number of attempts;

associating, by the system, a subnetwork with the device, the subnetwork restricts transmission and reception by the device prior to successful completion of the second factor challenge, wherein the device is rolled back to the first factor challenge to re-authenticate if a threshold number of attempts at completing the second factor challenge fail,wherein upon a successfully completing the first factor challenge the device receives a temporary network IP address and upon successful completion of the second factor challenge the device receives a permanent network IP address; and

triggering, by the system, a captive portal based on the determining the device identity, wherein the captive portal restricts a view of network traffic not related to an authentication input until the data indicative of the user identity is verified.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for device-agnostic, multi-factor network authentication are disclosed. In some embodiments, a wireless network connection can authenticate a device over secure authentication means with a certificate that confirms a device identity. After authenticating the device, a user can be prompted to provide credentials in a captive portal. The captive portal can be inaccessible to devices that have not already authenticated using a certificate. After providing approved credentials to the captive portal, the user can access the network. This embodiment and additional embodiments are readily integrated into private wireless networks and others.

31 Citations

View as Search Results

17 Claims

1. A method for network authentication, comprising:
- determining, by a system comprising a processor, a device identity based on a first factor challenge output a first time over a WiFi connection in response to an attempt by the device to access the network;
  
  receiving, by the system, data indicative of a user identity based on a second factor challenge output a first time over a subnetwork after receipt of a successful response to the first factor challenge;
  
  performing one of;
  
  denying, by the system, access to the network based on a determination that the data indicative of the user identity is not verified within a threshold number of attempts, orgranting, by the system, access to the network based on a determination that the data indicative of the user identity is verified within the threshold number of attempts;
  
  associating, by the system, a subnetwork with the device, the subnetwork restricts transmission and reception by the device prior to successful completion of the second factor challenge, wherein the device is rolled back to the first factor challenge to re-authenticate if a threshold number of attempts at completing the second factor challenge fail,wherein upon a successfully completing the first factor challenge the device receives a temporary network IP address and upon successful completion of the second factor challenge the device receives a permanent network IP address; and
  
  triggering, by the system, a captive portal based on the determining the device identity, wherein the captive portal restricts a view of network traffic not related to an authentication input until the data indicative of the user identity is verified.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising ignoring, at least temporarily, network traffic not related to the first factor challenge prior to the receipt of the successful response.
  - 3. The method of claim 1, wherein the captive portal is inaccessible to an unidentified device.
  - 4. The method of claim 1, after denying the access to the network, the method further comprising:
    - outputting, by the system, the first factor challenge a second time over the WiFi network;
      
      receiving, by the system, other data indicative of another user identity based on the second factor challenge output a second time after receipt of another successful response to the first factor challenge; and
      
      performing one of;
      
      denying, by the system, access to the network based on a determination that the data indicative of the other user identity is not verified within a threshold number of attempts, orgranting, by the system, access to the network based on a determination that the data indicative of the other user identity is verified within the threshold number of attempts.
  - 5. The method of claim 4, further comprising ignoring, at least temporarily, network traffic not related to the first factor challenge after denying the access to the network and before the receipt of the other successful response to the first factor challenge.
  - 6. The method of claim 4, further comprising triggering, by the system, a captive portal based on determining the device identity a second time, wherein the captive portal restricts a view of network traffic not related to an authentication input until the other user identity is verified.
  - 7. The method of claim 6, wherein the captive portal is inaccessible to an unidentified device.
  - 8. The method of claim 6, further comprising associating, by the system, a subnetwork with the device, the subnetwork restricts transmission and reception by the device prior to successful completion of the second factor challenge output a second time.

9. A system for network authentication, comprising:
- a first authentication component that verifies an identity of a device attempting to access the network;
  
  a captive portal that is implemented at about the same time as the first authentication component verifies the device identity, wherein the captive portal restricts a view of network traffic not related to the network authentication until the user identity is verified; and
  
  a second authentication component that, after verification of the identity, sends a request for identification of a user of the device,wherein, based on a determination that the second authentication component does not verify the user of the device, the first authentication component re-verifies the identity of the device and the second authentication component sends another request for identification of the user of the device, andwherein, based on a determination that the second authentication component verifies the user of the device, the second authentication component grants access to the network.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The system of claim 9, wherein the first authentication component verifies the identity based on a match between the identity and a set of credentials recognized by the first authentication component.
  - 11. The system of claim 9, wherein the first authentication component verifies the identity of the device over a WiFi connection and the second authentication component verifies the user identity over a subnetwork that restricts transmission and reception by the device until the second authentication component verifies the user identity.
  - 12. The system of claim 9, wherein the captive portal is inaccessible to an unidentified device.
  - 13. The system of claim 9, wherein the second authentication component grants access to the network based on a determination that the user identity is verified within a threshold number of attempts.
  - 14. The system of claim 9, wherein the second authentication component denies access to the network based on a determination that the user identity is not verified within a threshold number of attempts.

15. A computer-readable storage device storing executable instructions that, in response to execution, cause a system comprising a processor to perform operations, comprising:
- verifying a device identity based on a reply to a first authentication request;
  
  receiving data indicative of a user identity in reply to a second authentication request, wherein the second authentication request is output after verification of the device identity in response to the first authentication request;
  
  verifying the device identity again based on a reply to a third authentication request, wherein the third authentication request is output based on the user identity not being verified within a predetermined number of attempts, and wherein the first authentication request and the third authentication request are similar authentication requests;
  
  receiving other data indicative of the user identity in reply to a fourth authentication request, wherein the fourth authentication request is output after verification of the device identity in response to the third authentication request, and wherein the second authentication request and the fourth authentication request are similar authentication requests;
  
  triggering a captive portal based on determining the device identity, wherein the captive portal restricts a view of network traffic not related to an authentication input until data indicative of the user identity is verified; and
  
  selectively granting access to the network based on a determination that the user identity is verified.
- View Dependent Claims (16, 17)
- - 16. The computer-readable storage device of claim 15, wherein the first authentication request and the third authentication request are communicated over a WiFi connection.
  - 17. The computer-readable storage device of claim 15, wherein the second authentication request and the fourth authentication request are communicated over a subnetwork.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Wells Fargo Bank NA (Wells Fargo & Company)
Original Assignee
Wells Fargo Bank NA (Wells Fargo & Company)
Inventors
Belton, Jr., Lawrence T., Beaty, Brian, Morris, Timothy H., Rodgers, Douglas S., Smith, Lynn Allen
Primary Examiner(s)
Pwu, Jeffrey
Assistant Examiner(s)
Ambaye, Samuel

Application Number

US14/707,783
Time in Patent Office

1,096 Days
Field of Search

280483
US Class Current
CPC Class Codes

G06F 21/00   Security arrangements for p...

H04L 63/08   for authentication of entit...

H04L 63/102   Entity profiles

H04L 67/306   User profiles

H04L 9/32   including means for verifyi...

H04W 12/06   Authentication

H04W 12/062   Pre-authentication

H04W 12/069   using certificates or pre-s...

H04W 12/08   Access security

Wireless multi-factor authentication with captive portals

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

31 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Wireless multi-factor authentication with captive portals

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

31 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links