CN111787003A - Method for supporting multi-factor authentication interface protocol (Google Patents)

Info

Publication number: CN111787003A
Authority: CN (China)
Prior art keywords: user, login, factors, authorized, authentication
Legal status: Pending
Application number: CN202010623376.3A
Other languages: Chinese (zh)
Inventors: 张中华, 顾荣胜, 何萍
Current assignee: BEIJING EYOU INFORMATION TECHNOLOGY CO LTD
Original assignee: BEIJING EYOU INFORMATION TECHNOLOGY CO LTD
Priority date / filing date: 2020-07-02
Publication date: 2020-10-16

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources

Abstract

The invention provides a method for supporting an interface protocol for multi-factor authentication, comprising the following steps: step (1), check the client ID; step (2), check whether the ID is authorized; step (3), check whether a token encrypted with a PIN code is stored; step (4), if no PIN code exists, guide the user to log in with the account password; step (5), after the account password is entered and authenticated successfully, set the login factor count to n = n + 1; step (6), the authentication server compares the login factor count with the required minimum N; step (7), if N > n, suspend the user's login state; step (8), the server checks whether the user has other authorized login devices. The user is authorized only after passing more than two authentication mechanisms, and computer resources are used, so this authentication mode improves security.

Description

Method for supporting multi-factor authentication interface protocol
Technical Field
The invention relates to the technical field of security authentication, in particular to a method for supporting an interface protocol of multi-factor authentication.
Background
With the development of the internet, the requirement for communication security is becoming more important, yet in practical applications such as electronic commerce, enterprise management informatization and distance education the internet still lacks corresponding security functions, so it is often threatened by natural and human factors in practical operation. Identity authentication (i.e. "verification" or "authentication") is the process of verifying whether the true identity of a user is consistent with the identity the user presents, so as to determine whether the user information is reliable, to prevent an illegitimate user from impersonating a legitimate user to obtain a series of related rights, and to ensure the security and legitimate interests of the user information.
Disclosure of Invention
The technical problem to be solved by the present invention is to provide a method for supporting a multi-factor authentication interface protocol, so as to solve the problems raised in the background art above.
The technical problem is solved by the invention through the following technical scheme: a method of supporting a multi-factor authentication interface protocol, comprising the following steps:
step (1), check the client ID, and if the client has no device ID, generate a device ID;
step (2), check whether the ID is authorized, and if so, grant the user the base factor count n = s;
step (3), check whether a token encrypted with a PIN code is stored; if so, guide the user to log in by entering the PIN code, and after PIN authentication the user's factor count becomes n = n + t, where t is the factor count recorded in the token; then proceed to step (6);
step (4), if no PIN code exists, guide the user to log in with the account password;
step (5), after the account password is entered and authenticated successfully, set the login factor count to n = n + 1;
step (6), the authentication server compares the login factor count against the required minimum, which is N;
step (7), if N > n, suspend the user's login state;
step (8), the server checks whether the user has other authorized login devices; if so, it pushes a verification request to those devices for auxiliary verification, and once another device completes the auxiliary authentication it proceeds directly to step (12); if the other devices do not respond, continue with step (9);
step (9), if the user has no other authorized login device, check whether the user has set up other verification means;
step (10), if the user has other verification means, such as a bound mobile phone or a password hint question, perform verification by that means; with its factor count m, after verification the login factor count is n = n + m, and continue with step (7);
step (11), if the user has not bound a mobile phone or set up another verification means such as a password hint question, guide the user to bind a mobile phone and add a hint question; with a factor count m for that operation, after it succeeds the login factor count is n = n + m, and continue with step (7);
step (12), if n = N, the user logs in successfully;
step (13), if the user has enabled login reminders or remote login reminders, push a login notification to the other authorized devices.
Step (1) covers both browser login and client login.
In client login, the server checks whether the client ID is a device ID it has authorized; if it is, the client holds the base factor count n = s.
In browser login, the user logs in through the browser and the server checks whether the cookie stores a device ID; if it does not, a device ID is generated and stored in the cookie.
In step (3), when the token expires, or when frequent logins from other locations, device initialization or cookie clearing by the browser occur, the local token is cleared, the device ID is changed or the factor count recorded in the server-side token is reduced, and the user is guided to perform the missing multi-factor authentication again.
Compared with the prior art, the invention has the following beneficial effect: the user is authorized only after passing more than two authentication mechanisms, and computer resources are used, so this authentication mode improves security.
Drawings
FIG. 1 is a schematic flow chart of the present invention.
Fig. 2 is a schematic view of a risk detection process according to the present invention.
Detailed Description
In the description of the present invention, it should be noted that unless otherwise specified or limited, the terms "mounted," "connected," and "connected" are to be construed broadly and may be, for example, fixedly connected, detachably connected, or integrally connected, mechanically or electrically connected; they may be connected directly or indirectly through intervening media, or they may be interconnected between two elements.
As shown in Fig. 1 and Fig. 2, a method for supporting an interface protocol for multi-factor authentication includes the following steps:
step (1), check the client ID, and if the client has no device ID, generate a device ID;
step (2), check whether the ID is authorized, and if so, grant the user the base factor count n = s;
step (3), check whether a token encrypted with a PIN code is stored; if so, guide the user to log in by entering the PIN code, and after PIN authentication the user's factor count becomes n = n + t, where t is the factor count recorded in the token; then proceed to step (6);
step (4), if no PIN code exists, guide the user to log in with the account password;
step (5), after the account password is entered and authenticated successfully, set the login factor count to n = n + 1;
step (6), the authentication server compares the login factor count against the required minimum, which is N;
step (7), if N > n, suspend the user's login state;
step (8), the server checks whether the user has other authorized login devices; if so, it pushes a verification request to those devices for auxiliary verification, and once another device completes the auxiliary authentication it proceeds directly to step (12); if the other devices do not respond, continue with step (9);
step (9), if the user has no other authorized login device, check whether the user has set up other verification means;
step (10), if the user has other verification means, such as a bound mobile phone or a password hint question, perform verification by that means; with its factor count m, after verification the login factor count is n = n + m, and continue with step (7);
step (11), if the user has not bound a mobile phone or set up another verification means such as a password hint question, guide the user to bind a mobile phone and add a hint question; with a factor count m for that operation, after it succeeds the login factor count is n = n + m, and continue with step (7);
step (12), if n = N, the user logs in successfully;
step (13), if the user has enabled login reminders or remote login reminders, push a login notification to the other authorized devices.
Step (1) covers both browser login and client login.
In client login, the server checks whether the client ID is a device ID it has authorized; if it is, the client holds the base factor count n = s.
In browser login, the user logs in through the browser and the server checks whether the cookie stores a device ID; if it does not, a device ID is generated and stored in the cookie.
In step (3), when the token expires, or when frequent logins from other locations, device initialization or cookie clearing by the browser occur, the local token is cleared, the device ID is changed or the factor count recorded in the server-side token is reduced, and the user is guided to perform the missing multi-factor authentication again.
In the invention, each login mode is assigned a quantified number of login factors: the user's password login is set to a factor count of 1, while the factor counts of the other authentication modes can be configured by a background administrator and extended with further login modes. In addition, a previously authorized (old) device can also be logged in from and assigned a certain factor count that takes part in the calculation. For example, if the basic requirement is that a user may log in only when the factor count reaches 3, and the old device has a factor count of 2, the user logs in successfully on the old device just by entering the account password.
When the user logs in, the server checks whether the sum of the user's authorized factors reaches the number of factors required for login; if it does not, the server guides the user to continue authorizing with other login factors. If the user reaches the required factor count, the login is completed, the current device is bound, and subsequent operations such as setting a PIN code are offered to the user.
After the user is authorized, a token is issued, and the user information, client information, number of authorization factors and other authorization data are stored in a server-side vault corresponding to that token. As the number of authorizations increases, so does the factor count the token vault records. The token is the key that unlocks the authorization information recorded by the server, and the user's resources can be obtained with it, so it must be well protected on the client: it is stored on the client encrypted with a simple PIN code, which avoids re-entering the password and thus prevents password leakage, while a short, easily remembered PIN improves the user experience.
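The factor accounting of steps (1) to (13) and of the three paragraphs above, written out as an added example that is not the patent's own code: the weights s, t and m, the threshold N, the device names and the helper functions are all assumed, and demo() uses the N = 3 / old device = 2 case from the text.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:
    required: int              # N: factor count the server demands
    device_weight: int         # s: granted when the device ID is authorized
    password_weight: int = 1   # the text fixes account-password login at 1
    means_weights: dict = field(default_factory=dict)  # m per extra means

@dataclass
class User:
    authorized_devices: set                            # device IDs bound by the server
    token_factors: dict = field(default_factory=dict)  # device_id -> t in the vault

@dataclass
class Session:
    device_id: str
    n: int = 0                            # accumulated login factors
    other_device_confirmed: bool = False  # step (8) auxiliary verification

def start(policy, user, device_id):
    """Steps (1)-(2): an authorized device ID yields the base factor n = s."""
    s = Session(device_id)
    if device_id in user.authorized_devices:
        s.n = policy.device_weight
    return s

def pin_login(user, s, pin_verified):
    """Step (3): the PIN-protected token adds the t it records; False = fall through to (4)."""
    t = user.token_factors.get(s.device_id)
    if t is None or not pin_verified:
        return False
    s.n += t
    return True

def password_login(policy, s, password_verified):
    """Step (5): a successful account password adds 1 factor."""
    if password_verified:
        s.n += policy.password_weight
    return password_verified

def extra_means(policy, s, means, verified):
    """Steps (9)-(11): a bound phone or password hint question adds its weight m."""
    m = policy.means_weights.get(means)
    if m is None or not verified:
        return False
    s.n += m
    return True

def other_device_confirm(s):
    """Step (8): confirmation from another authorized device jumps to step (12)."""
    s.other_device_confirmed = True

def decide(policy, s):
    """Steps (6), (7), (12): n >= N, or an auxiliary confirmation, logs in; else suspended."""
    if s.other_device_confirmed or s.n >= policy.required:
        return "logged_in"
    return "suspended"

def demo():
    """The situations the text describes, with constructed values: N = 3, an
    old authorized device worth s = 2, phone and hint question worth m = 1."""
    policy = Policy(required=3, device_weight=2,
                    means_weights={"phone": 1, "hint_question": 1})
    user = User(authorized_devices={"old-laptop"}, token_factors={"old-laptop": 1})
    # Old device, PIN not used: s + password = 3 = N, login succeeds directly.
    old = start(policy, user, "old-laptop")
    if not pin_login(user, old, pin_verified=False):
        password_login(policy, old, True)
    # Unknown device: the password alone gives n = 1 < N, so the login stays
    # suspended until two more factors arrive (steps (7), (10), (11)).
    new = start(policy, user, "new-phone")
    password_login(policy, new, True)
    outcomes = [decide(policy, new)]
    for means in ("phone", "hint_question"):
        extra_means(policy, new, means, True)
        outcomes.append(decide(policy, new))
    return {"old": (old.n, decide(policy, old)), "new": (new.n, outcomes)}
```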
Example 1
In browser login, the user logs in through the browser and the server checks whether the cookie stores a device ID; if it does not, a device ID is generated and stored in the cookie. The device ID in the cookie is then compared to determine whether it is authorized. If it is authorized, the server checks whether the browser holds a token encrypted with a PIN code; if so, the user enters the PIN code to log in and the PIN is authenticated; if not, the user enters the account password to log in. After the account password is entered and authenticated successfully, the login factor count is set to n = n + 1. The authentication server compares the login factor count against the required minimum N. If N > n, the user's login state is suspended. The server checks whether the user has other authorized login devices; if so, it pushes a verification request to those devices for auxiliary verification, and login proceeds once another device completes the auxiliary authentication. If the other devices do not respond, or the user has no other authorized login device, the server checks whether the user has bound a mobile phone or set up other verification means such as a password hint question. If the user has such a means, verification by that means is performed, with its factor count being m.
After that verification the login factor count is n = n + m. If the user has not bound a mobile phone or set up another verification means such as a password hint question, the user is guided to bind a mobile phone and add a hint question; with a factor count m for that operation, after it succeeds the login factor count is n = n + m. If n = N, the user logs in successfully, and if the user has enabled login reminders or remote login reminders, a login notification is pushed to the other authorized devices.
Example 2
Client login
The server checks whether the client ID is a device ID it has authorized; if it is, the device holds the base factor count n = s. If a token is stored, the user is guided to enter the PIN code to decrypt the token, which is sent to the server for authentication; the user's factor count then becomes n = n + t. If no PIN code exists, the user is guided to log in with the account password. After the account password is entered and authenticated successfully, the login factor count is set to n = n + 1. The authentication server compares the login factor count against the required minimum N. If N > n, the user's login state is suspended. The server checks whether the user has other authorized login devices; if so, it pushes an authentication request to those devices for auxiliary authentication; if not, it checks whether the user has bound a mobile phone or set up other authentication means such as a password hint question. If the user has such a means, verification by that means is performed, with its factor count being m. If the user has no other verification means such as a bound mobile phone or a password hint question, single sign-on is carried out on a web browser mailbox page, where the user is guided to bind a mobile phone and add a hint question; after the operation succeeds, if n = N the user logs in successfully, and if the user has enabled login reminders or remote login reminders, a login notification is pushed to the other authorized devices.
In the above embodiments, when the token expires, or when frequent logins from other locations, device initialization, cookie clearing by the browser or similar operations occur, the local token is cleared, the device ID is changed or the factor count recorded in the server-side token is reduced, and the user is then guided to perform the missing multi-factor authentication again.
The foregoing shows and describes the general principles and broad features of the present invention and advantages thereof. It will be understood by those skilled in the art that the present invention is not limited to the embodiments described above, which are described in the specification and illustrated only to illustrate the principle of the present invention, but that various changes and modifications may be made therein without departing from the spirit and scope of the present invention, which fall within the scope of the invention as claimed. The scope of the invention is defined by the appended claims and equivalents thereof.

Claims (5)

1. A method of supporting a multi-factor authentication interface protocol, characterized in that the method comprises the following steps:
step (1), check the client ID, and if the client has no device ID, generate a device ID;
step (2), check whether the ID is authorized, and if so, grant the user the base factor count n = s;
step (3), check whether a token encrypted with a PIN code is stored; if so, guide the user to log in by entering the PIN code, and after PIN authentication the user's factor count becomes n = n + t, where t is the factor count recorded in the token; then proceed to step (6);
step (4), if no PIN code exists, guide the user to log in with the account password;
step (5), after the account password is entered and authenticated successfully, set the login factor count to n = n + 1;
step (6), the authentication server compares the login factor count against the required minimum, which is N;
step (7), if N > n, suspend the user's login state;
step (8), the server checks whether the user has other authorized login devices; if so, it pushes a verification request to those devices for auxiliary verification, and once another device completes the auxiliary authentication it proceeds directly to step (12); if the other devices do not respond, continue with step (9);
step (9), if the user has no other authorized login device, check whether the user has set up other verification means;
step (10), if the user has other verification means, such as a bound mobile phone or a password hint question, perform verification by that means; with its factor count m, after verification the login factor count is n = n + m, and continue with step (7);
step (11), if the user has not bound a mobile phone or set up another verification means such as a password hint question, guide the user to bind a mobile phone and add a hint question; with a factor count m for that operation, after it succeeds the login factor count is n = n + m, and continue with step (7);
step (12), if n = N, the user logs in successfully;
step (13), if the user has enabled login reminders or remote login reminders, push a login notification to the other authorized devices.
2. The method of claim 1, characterized in that step (1) comprises browser login and client login.
3. The method of supporting a multi-factor authentication interface protocol according to claim 2, characterized in that in client login the server checks whether the client ID is a device ID it has authorized, and if it is, the client holds the base factor count n = s.
4. The method of supporting a multi-factor authentication interface protocol according to claim 2, characterized in that in browser login the user logs in through the browser, the server checks whether the cookie stores a device ID, and if it does not, a device ID is generated and stored in the cookie.
5. The method of claim 1, characterized in that in step (3), when the token expires, or when frequent logins from other locations, device initialization or cookie clearing by the browser occur, the local token is cleared, the device ID is changed or the factor count recorded in the server-side token is reduced, and the user is guided to perform the missing multi-factor authentication again.
Application CN202010623376.3A, priority date 2020-07-02, filing date 2020-07-02: Method for supporting multi-factor authentication interface protocol (Pending; published as CN111787003A).

Publications (1)

Publication number CN111787003A, publication date 2020-10-16.


Legal Events

PB01 Publication (application publication date: 2020-10-16)
WD01 Invention patent application deemed withdrawn after publication