Wireless multi-factor authentication with captive portals
Abstract
Systems and methods for device-agnostic, multi-factor network authentication are disclosed. In some embodiments, a wireless network connection can authenticate a device by secure means using a certificate that confirms the device identity. After the device is authenticated, a user can be prompted to provide credentials in a captive portal. The captive portal can be inaccessible to devices that have not already authenticated using a certificate. After providing approved credentials to the captive portal, the user can access the network. This embodiment and additional embodiments are readily integrated into private wireless networks and other networks.
17 Claims
1. A method for network authentication, comprising:
determining, by a system comprising a processor, a device identity based on a first factor challenge output a first time over a WiFi connection in response to an attempt by the device to access the network;
receiving, by the system, data indicative of a user identity based on a second factor challenge output a first time over a subnetwork after receipt of a successful response to the first factor challenge;
performing one of:
denying, by the system, access to the network based on a determination that the data indicative of the user identity is not verified within a threshold number of attempts, or
granting, by the system, access to the network based on a determination that the data indicative of the user identity is verified within the threshold number of attempts;
associating, by the system, a subnetwork with the device, wherein the subnetwork restricts transmission and reception by the device prior to successful completion of the second factor challenge, wherein the device is rolled back to the first factor challenge to re-authenticate if a threshold number of attempts at completing the second factor challenge fail, and wherein upon successfully completing the first factor challenge the device receives a temporary network IP address and upon successful completion of the second factor challenge the device receives a permanent network IP address; and
triggering, by the system, a captive portal based on the determining of the device identity, wherein the captive portal restricts a view of network traffic not related to an authentication input until the data indicative of the user identity is verified.
Dependent claims: 2-8.
9. A system for network authentication, comprising:
a first authentication component that verifies an identity of a device attempting to access the network;
a captive portal that is implemented at about the same time as the first authentication component verifies the device identity, wherein the captive portal restricts a view of network traffic not related to the network authentication until the user identity is verified; and
a second authentication component that, after verification of the identity, sends a request for identification of a user of the device, wherein, based on a determination that the second authentication component does not verify the user of the device, the first authentication component re-verifies the identity of the device and the second authentication component sends another request for identification of the user of the device, and wherein, based on a determination that the second authentication component verifies the user of the device, the second authentication component grants access to the network.
Dependent claims: 10-14.
15. A computer-readable storage device storing executable instructions that, in response to execution, cause a system comprising a processor to perform operations, comprising:
verifying a device identity based on a reply to a first authentication request;
receiving data indicative of a user identity in reply to a second authentication request, wherein the second authentication request is output after verification of the device identity in response to the first authentication request;
verifying the device identity again based on a reply to a third authentication request, wherein the third authentication request is output based on the user identity not being verified within a predetermined number of attempts, and wherein the first authentication request and the third authentication request are similar authentication requests;
receiving other data indicative of the user identity in reply to a fourth authentication request, wherein the fourth authentication request is output after verification of the device identity in response to the third authentication request, and wherein the second authentication request and the fourth authentication request are similar authentication requests;
triggering a captive portal based on determining the device identity, wherein the captive portal restricts a view of network traffic not related to an authentication input until data indicative of the user identity is verified; and
selectively granting access to the network based on a determination that the user identity is verified.
Dependent claims: 16-17.
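The flow that the abstract and claims 1, 9 and 15 describe, written out as an added example for this page (it is not the patent's implementation and not code from any assignee): the device presents a certificate as the first factor, is parked on an authentication-only subnetwork with a temporary address from which only the captive portal and a resolver are reachable, submits user credentials to the portal as the second factor, and is then either moved to the production network with a permanent address or, once a threshold of failed attempts is reached, rolled back to the first factor. The trusted-fingerprint set, the user store, the two subnet ranges, the portal and DNS addresses, the three-attempt threshold and all sample data are constructed for the example; a real gateway would validate an EAP-TLS client certificate chain and consult a directory rather than these dicts.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class State(Enum):
    UNAUTHENTICATED = "unauthenticated"  # no factor passed yet
    QUARANTINED = "quarantined"          # device factor passed; on the auth-only subnetwork
    GRANTED = "granted"                  # user factor passed; on the production network
    DENIED = "denied"                    # device factor failed


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the raw certificate bytes, used here as the device identity."""
    return hashlib.sha256(cert_der).hexdigest()


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed sample data for this example only (not from the patent).
SAMPLE_CERT = b"constructed DER bytes for laptop-01"
TRUSTED_DEVICE_FINGERPRINTS = {cert_fingerprint(SAMPLE_CERT)}
USER_SALT = b"constructed-salt"
USER_STORE = {"alice": hash_password("correct horse battery", USER_SALT)}
_DUMMY_HASH = hash_password("", USER_SALT)  # keeps timing uniform for unknown users


@dataclass
class Session:
    mac: str
    state: State = State.UNAUTHENTICATED
    ip: Optional[ipaddress.IPv4Address] = None
    user_failures: int = 0


class PortalAuthenticator:
    MAX_USER_ATTEMPTS = 3  # assumed threshold for the second factor
    QUARANTINE_NET = ipaddress.ip_network("10.99.0.0/24")  # temporary addresses
    PRODUCTION_NET = ipaddress.ip_network("10.10.0.0/24")  # permanent addresses
    PORTAL_IP = ipaddress.ip_address("10.99.0.1")
    DNS_IP = ipaddress.ip_address("10.99.0.2")

    def __init__(self) -> None:
        reserved = (self.PORTAL_IP, self.DNS_IP)
        self._quarantine_pool = (h for h in self.QUARANTINE_NET.hosts() if h not in reserved)
        self._production_pool = self.PRODUCTION_NET.hosts()

    # First factor: device certificate presented when the device joins the WiFi.
    def present_certificate(self, s: Session, cert_der: bytes) -> State:
        if s.state is not State.UNAUTHENTICATED:
            return s.state  # out-of-order attempt; nothing changes
        if cert_fingerprint(cert_der) not in TRUSTED_DEVICE_FINGERPRINTS:
            s.state = State.DENIED
            return s.state
        s.state = State.QUARANTINED
        s.ip = next(self._quarantine_pool)  # temporary IP on the auth subnetwork
        s.user_failures = 0
        return s.state

    # Second factor: user credentials submitted through the captive portal.
    def submit_credentials(self, s: Session, user: str, password: str) -> State:
        if s.state is not State.QUARANTINED:
            return s.state  # the portal is unreachable before the first factor passes
        stored = USER_STORE.get(user, _DUMMY_HASH)
        ok = hmac.compare_digest(stored, hash_password(password, USER_SALT)) and user in USER_STORE
        if ok:
            s.state = State.GRANTED
            s.ip = next(self._production_pool)  # permanent IP on the production network
            return s.state
        s.user_failures += 1
        if s.user_failures >= self.MAX_USER_ATTEMPTS:
            # Threshold reached: drop the temporary IP and roll back to the first factor.
            s.state = State.UNAUTHENTICATED
            s.ip = None
            s.user_failures = 0
        return s.state

    # Enforcement point: which destinations the device may reach in each state.
    def allows(self, s: Session, dst: str, port: int) -> bool:
        dst_ip = ipaddress.ip_address(dst)
        if s.state is State.GRANTED:
            return True
        if s.state is State.QUARANTINED:
            return (dst_ip == self.PORTAL_IP and port in (80, 443)) or (
                dst_ip == self.DNS_IP and port == 53
            )
        return False
```

The `allows` method is the piece a deployment actually has to get right: it is the filter on the quarantine subnetwork that makes the captive portal the only thing a device can see before the user factor is verified. The rollback to `UNAUTHENTICATED` after the third failure also releases the temporary address, so a fresh certificate exchange is needed before the portal can be reached again.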