CN113727344A - Multi-factor authentication method in different scene safe internet access - Google Patents


Info

Publication number
CN113727344A
Authority
CN
China
Prior art keywords
authentication
user
stage
internet
security gateway
Legal status
Pending
Application number
CN202010449026.XA
Other languages
Chinese (zh)
Inventor
范一鸣
付春
Current Assignee
Beijing Raytight Information Technology Co ltd
Original Assignee
Beijing Raytight Information Technology Co ltd
Application filed by Beijing Raytight Information Technology Co ltd
Priority to CN202010449026.XA
Publication of CN113727344A
Current legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H04W12/068 Authentication using credential vaults, e.g. password manager applications or one time password [OTP] applications
    • H04W12/069 Authentication using certificates or pre-shared keys

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention provides a multi-factor authentication method for secure internet access in different scenarios, comprising the following steps: a first stage, in which the authentication request is imperceptible to the user, and a second stage, in which the authentication request is perceptible to the user. After the first-stage authentication passes and the security gateway receives the response, the authentication state is stored, the traffic data is released, and the user can access the internet safely and normally; if the first-stage authentication does not pass, the second stage, the user-perceptible authentication request, is entered. By using multi-factor authentication in both the first and the second stage, the method ensures the security of the user's internet access while remaining convenient to use and simple to maintain, balances security against convenience, and improves the user experience, since a normal authentication process requires at most one user operation.

Description

Multi-factor authentication method in different scene safe internet access
Technical Field
The invention relates to the field of computer networks, in particular to a multi-factor authentication method for secure internet access in different scenarios.
Background
Two main authentication modes exist in current wireless environments. One is the set of authentication methods defined in the 802.11 wireless protocol, such as open, WEP, WPA/WPA2-Personal and WPA/WPA2-Enterprise; the other is web-based authentication, generally used for pushing advertisements and the like, whose methods mainly include account and password, SMS message, WeChat and so on.
Among the authentication methods defined in the 802.11 protocol:
open is open to everyone, and any user can access the network;
WEP is easy to break and has essentially been abandoned by manufacturers and users;
WPA/WPA2-Personal has many people share the same password, which leaks easily, for example through "master key" type tools;
WPA/WPA2-Enterprise is complex to configure, has modes such as EAP-PEAP, EAP-MD5, EAP-MSCHAPv2, EAP-TLS and EAP-TTLS that differ in security, and requires professional IT staff for configuration and maintenance.
In web-based authentication:
1. many people still log in to the web portal with the initial password or a simple static password;
2. forgotten web login passwords occur from time to time;
3. weak passwords easily lead to unauthorized logins, causing non-compliant traffic incidents;
4. because accounts are not reclaimed in time, enterprise employees still retain web access rights.
The wireless environment therefore carries a latent risk of information leakage, and having the network maintained by professionals is costly, so the field urgently needs a method that can improve network security in the wireless network environment.
Disclosure of Invention
The invention aims to provide a multi-factor authentication method for secure internet access in different scenarios, which can solve the problems of information leakage and high network maintenance cost in conventional wireless environments.
The invention provides a multi-factor authentication method for secure internet access in different scenarios, comprising the following steps:
a first stage, the user-imperceptible authentication request:
a user sends a network connection request through an electronic device;
the security gateway receives the network connection request sent by the electronic device, monitors the network, restricts the internet access behavior of the electronic device, and responds in linkage with the authentication server;
the authentication server queries the authentication request of the electronic device, sends information to the electronic device, receives a response based on the information sent by the electronic device, and verifies the response if the response is an imperceptible authentication response;
after the response is verified, the authentication result is returned to the security gateway;
if the authentication passes, the security gateway receives the response, stores the authentication state and releases the traffic data, and the user can access the internet safely and normally; if the authentication does not pass, the second stage, the user-perceptible authentication request, is entered;
and a second stage, the user-perceptible authentication request:
the security gateway restricts the internet access behavior of the electronic device and notifies the electronic device of a perceptible authentication request;
the electronic device accesses an authentication application;
the user enters authentication information on the prompt interface of the authentication application;
the authentication server receives a certificate associated with the user of the electronic device from the authentication application, verifies the certificate, and, once the certificate is verified, confirms whether the authentication information of the electronic device passes;
if the confirmation passes, the service or resource of the authentication application is allowed network access, and at the same time the authentication server notifies the security gateway to release the data traffic; the authentication is finished and the user accesses the internet normally;
if the authentication does not pass, the authentication server notifies the security gateway not to release the data traffic, the user's wireless network connection is intercepted, and the authentication is finished.
Preferably, in the first-stage user-imperceptible authentication request, the authentication request that the authentication server queries from the electronic device includes one or more of device information, a location factor and a time range.
Preferably, in the first-stage user-imperceptible authentication request, the authentication request that the authentication server queries from the electronic device includes one or more of the MAC address, IMEI, certificate, time and location information of the electronic device.
Preferably, in the second-stage user-perceptible authentication request, the authentication information entered by the user on the prompt interface of the authentication application includes one or more of the device MAC address, a user account, a password, an SMS verification code, fingerprint recognition, face recognition, voiceprint recognition, e-mail, WeChat and iris recognition.
Preferably, both the first-stage user-imperceptible authentication request and the second-stage user-perceptible authentication request are multi-factor authentication.
Preferably, the authentication server contains a data storage module,
the data storage module stores authentication records of the electronic device, and the authentication server analyzes the similarity between the current authentication information and historical behavior characteristics through a fuzzy algorithm to judge whether the electronic device passes authentication;
after receiving the response of the authentication server, the security gateway stores the authentication state; if the authentication passes, the data traffic is released and the electronic device is allowed to access the internet, and if the authentication does not pass, the second-stage user-perceptible authentication request process is performed.
Preferably, in the first-stage user-imperceptible authentication request, the network connection request received by the security gateway from the electronic device and the authentication request queried by the authentication server from the electronic device are the same data packet, and after the authentication response of the authentication server is received, if the data traffic is released by the security gateway upon authentication, the electronic device is connected to the wireless network at the same time.
Preferably, the electronic device stays connected to the internet, and when the authentication server notifies the security gateway to allow the data traffic through, the user is simultaneously using the electronic device to connect to the internet.
Preferably, the security gateway includes a state storage module for storing the authentication state of a user.
Compared with the prior art, the multi-factor authentication method for secure internet access in different scenarios has the following beneficial effects:
1. The invention provides a first-stage user-imperceptible authentication request and a second-stage user-perceptible authentication request, so that existing users and new users are handled separately: an existing user can be authenticated through the first-stage user-imperceptible process and connected to the wireless network without noticing it, while a new user, or a user who fails that authentication, enters the second-stage user-perceptible authentication request, where the authentication application and the authentication server perform interactive authentication.
2. The invention ensures the security of the user's internet access on the basis of convenient use and simple maintenance by adopting multi-factor authentication.
3. The invention balances security with convenience: the user performs at most one operation in a normal authentication process, which improves the user experience.
4. The invention greatly improves the security of the wireless local area network, improving both enterprise information security and the information security of individual users.
Drawings
In order to illustrate the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings used in the description of the embodiments or the prior art are briefly described below; the drawings in the following description serve only to explain the concept of the present invention.
Fig. 1 is a schematic diagram of a framework of a first embodiment of a multi-factor authentication method in secure internet access in different scenarios according to the present invention;
fig. 2 is a schematic diagram of a framework of a second embodiment of a multi-factor authentication method in secure internet access in different scenarios according to the present invention;
fig. 3 is a schematic diagram of a framework of a third embodiment of a method for multi-factor authentication in secure internet access in different scenarios of the present invention.
Detailed Description
Hereinafter, an embodiment of a method for multi-factor authentication in secure internet access in different scenarios according to the present invention will be described with reference to the accompanying drawings.
The examples described herein are specific embodiments of the present invention, are intended to be illustrative and exemplary in nature, and are not to be construed as limiting the scope of the invention. In addition to the embodiments described herein, those skilled in the art will be able to employ other technical solutions which are obvious based on the disclosure of the claims and the specification of the present application, and these technical solutions include any obvious replacement or modification of the embodiments described herein.
The drawings in the present specification are schematic diagrams, which are included to assist in explaining the concepts of the present invention and schematically show the interrelationship between the various parts.
The technical terms used in the present invention are explained as follows:
user: a user of the network;
electronic device: a device used by a user to access the internet, such as a mobile phone, computer or tablet, also called a terminal device;
authentication application: software installed on the electronic device that collects user information and interacts with the authentication server; it can be a browser or another dedicated application that collects authentication information such as a face, a fingerprint or an IMEI;
security gateway: gateway equipment with security functions that can monitor and restrict the internet access behavior of the accessing devices, is linked with the authentication server, and enforces the corresponding security policy;
authentication server: server equipment with an authentication function that manages user information centrally, configures the secure internet access policy, and provides services such as authentication and authorization in linkage with the security gateway.
The invention provides a multi-factor authentication method for secure internet access in different scenarios, comprising the following steps:
a first stage, the user-imperceptible authentication request:
a user sends a network connection request through an electronic device;
the security gateway receives the network connection request sent by the electronic device, monitors the network, restricts the internet access behavior of the electronic device, and the security gateway and the authentication server respond in linkage;
the authentication server queries the authentication request of the electronic device, sends information to the electronic device, receives a response based on the information sent by the electronic device, and verifies the response, the response being an imperceptible authentication response;
after the response is verified, the authentication result is returned to the security gateway;
if the authentication passes, the security gateway receives the response, stores the authentication state and releases the traffic data, and the user can access the internet safely and normally; if the authentication does not pass, the second stage, the user-perceptible authentication request, is entered;
and a second stage, the user-perceptible authentication request:
the security gateway restricts the internet access behavior of the electronic device and notifies the electronic device of a perceptible authentication request;
the electronic device accesses an authentication application;
the user enters authentication information on the prompt interface of the authentication application;
the authentication server receives a certificate associated with the user of the electronic device from the authentication application, verifies the certificate, and, once the certificate is verified, confirms whether the authentication information of the electronic device passes;
if the authentication passes, the service or resource of the authentication application is permitted to access the network, and at the same time the authentication server notifies the security gateway to pass the data traffic; the authentication is finished and the user accesses the internet normally;
if the authentication does not pass, the authentication server notifies the security gateway not to release the data traffic, the user's wireless network connection is intercepted, and the authentication is finished.
The invention provides a first-stage user-imperceptible authentication request and a second-stage user-perceptible authentication request, so that existing users and new users are handled separately: an existing user can be authenticated through the first-stage user-imperceptible process and connected to the wireless network without noticing it, while a new user, or a user who fails that authentication, enters the second-stage user-perceptible authentication request, where the authentication application and the authentication server perform interactive authentication.
The invention ensures the security of the user's internet access on the basis of convenient use and simple maintenance by adopting multi-factor authentication.
The invention balances security with convenience: the user performs at most one operation in a normal authentication process, which improves the user experience.
In a further embodiment of the present invention, in the first-stage user-imperceptible authentication request, the authentication request that the authentication server queries from the electronic device comprises one or more of device information, a location factor and a time range. Preferably, it comprises one or more of the MAC address, IMEI, certificate, time and location information of the electronic device. The first stage is the user-imperceptible authentication request stage: since an existing user already has internet access records at this stage, the data traffic can be released directly after interactive authentication between the security gateway and the authentication server, and the second-stage perceptible authentication request process is not needed, which greatly improves the user experience because no cumbersome authentication process is required to get online.
In a further embodiment of the present invention, in the second-stage user-perceptible authentication request, the authentication information entered by the user on the prompt interface of the authentication application includes one or more of the device MAC address, a user account, a password, an SMS verification code, fingerprint recognition, face recognition, voiceprint recognition, e-mail, WeChat and iris recognition. In the second-stage user-perceptible authentication request process, the user performs authentication following the prompts of the authentication application, and the authentication is carried out through various authentication factors such as a user name and password combination, fingerprint verification or face recognition; the user information is obtained, whether the authentication passes is verified, and the security gateway is notified whether to release the traffic.
In a further embodiment of the present invention, both the first-stage user-imperceptible authentication request and the second-stage user-perceptible authentication request are multi-factor authentication. The invention provides a first-stage user-imperceptible authentication request and a second-stage user-perceptible authentication request, so that existing users and new users are handled separately: an existing user can be authenticated through the first-stage user-imperceptible process and connected to the wireless network without noticing it, while a new user, or a user who fails that authentication, enters the second-stage user-perceptible authentication request, where the authentication application and the authentication server perform interactive authentication. Specifically, the multi-factor authentication method with a first-stage user-imperceptible authentication request and a second-stage user-perceptible authentication request balances security with convenience, and in a normal authentication process the user performs at most one operation, which improves the user experience.
Preferably, the authentication server includes a data storage module that stores the authentication records of the electronic device, and the authentication server analyzes the similarity between the current authentication information and the historical behavior characteristics through a fuzzy algorithm to determine whether the electronic device passes authentication. After receiving the response of the authentication server, the security gateway stores the authentication state; if the authentication passes, the data traffic is released and the electronic device is allowed to access the internet, and if the authentication does not pass, the second-stage user-perceptible authentication request process is performed. In the first-stage user-imperceptible authentication request, the network connection request received by the security gateway from the electronic device and the authentication request queried by the authentication server from the electronic device are the same data packet; after the authentication response of the authentication server is received, if the data traffic is released by the security gateway upon authentication, the electronic device is connected to the wireless network at the same time.
In addition, the security gateway includes a state storage module for storing the authentication state of the user.
In a further embodiment of the invention, the electronic device remains connected to the internet, and when the authentication server notifies the security gateway to pass the data traffic, the user is simultaneously using the electronic device to connect to the internet.
The first stage of the invention is mainly characterized by being imperceptible to the user: the authentication system actively judges whether the user is a legitimate user, based on passive information (such as time, location and MAC information). One or more kinds of user information are collected, and the user's characteristics are analyzed through algorithms such as machine learning to judge the user's legitimacy; if the judgment passes, the user is directly allowed to access the internet; if it fails, more information must be acquired and the second-stage judgment is carried out.
In the second stage the judgment is perceptible to the user: the user must actively provide some information so that legitimacy can be judged. The information that can be used in the second stage includes an account number, an SMS verification code, fingerprint recognition, face recognition and the like, and whether the user is allowed to access the internet is decided by comparing this information with the user information stored in the system.
Example one
As shown in fig. 1, the multi-factor authentication method for secure internet access in different scenarios of the present invention is applicable to a campus scenario. In the campus scenario, the user is a student, the authentication application is a browser, and the electronic device is a mobile phone.
Step 1: a student initiates a wireless network connection request through a mobile phone;
Step 2: the security gateway checks whether the network can be accessed;
Step 3: the security gateway monitors the data traffic sent by the mobile phone; it has no authentication state for the phone at this point and must ask the authentication server whether the student's phone may access the internet;
Step 4: the authentication server looks up the history according to the received MAC information and the current time and judges through a fuzzy algorithm whether internet access may be granted; here the phone is being authenticated for the first time, so the judgment fails, and the query result is returned to the security gateway;
Step 5: the security gateway informs the mobile phone that authentication is required;
Step 6: the mobile phone opens the browser and accesses the authentication page;
Step 7: the student enters a user name and password on the authentication page;
Step 8: the browser sends the user name and password entered by the student to the authentication server;
Step 9: the authentication server compares them with the student information stored in the data storage module and returns an authentication result; if the information is correct, the authentication succeeds;
Step 10: the authentication server informs the security gateway that the mobile phone has passed authentication; the security gateway no longer intercepts the phone's data traffic and stores the authentication state; the authentication is finished and the user can access the internet normally;
Step 11: the connection between the mobile phone and the internet is unobstructed;
Step 12: the student can use the mobile phone to access the internet normally.
Example two
As shown in fig. 2, the multi-factor authentication method for secure internet access in different scenarios of the present invention is applicable to a campus scenario. In the campus scenario, the user is a student, the authentication application is a browser, and the electronic device is a mobile phone. In this embodiment, the student is an existing web user.
Step 1: a student initiates a wireless network connection request through a mobile phone;
Step 2: the security gateway checks whether the network can be accessed;
Step 3: the security gateway monitors the data traffic sent by the mobile phone; it has no authentication state for the phone at this point and must ask the authentication server whether the student's phone may access the internet;
Step 4: the authentication server looks up the history according to the received MAC information and the current time and judges through a fuzzy algorithm whether internet access may be granted; in this example the student is an existing user who has accessed the internet many times, so the authentication passes, and the query result is returned to the security gateway;
Step 5: the security gateway releases the data and stores the authentication state; the authentication is finished and the user can access the internet normally;
Step 6: the connection between the mobile phone and the internet is unobstructed;
Step 7: the student can use the mobile phone to access the internet normally.
In this example, in step 4 the user has accessed the internet many times and the authentication server keeps the authentication records of the mobile phone; the similarity between this authentication and the historical behavior characteristics is analyzed through a fuzzy algorithm. The authentication factors in this example are MAC and time: the MAC of the mobile phone is unchanged, and the authentication time falls in the same or a similar time period as the historical authentication records. For example, if the student usually accesses the internet in the evening after class or on weekends, and not during class in the daytime, this historical behavior characteristic is used as the basis for judging whether the mobile phone may access the internet. After receiving the response, the security gateway stores the authentication state and releases the data traffic.
In addition, in this embodiment the data packets in steps 2 and 5 are the same data packet, and the security gateway passes it through directly after authentication.
Example three
As shown in fig. 3, the multi-factor authentication method for secure internet access in different scenarios of the present invention is applicable to an office scenario. In the office scenario, the user is an employee, the authentication application is an app, and the electronic device is a mobile phone. In this embodiment, the employee is accessing the internet for the first time.
Step 1: the employee initiates a wireless network connection request through a mobile phone;
Step 2: the security gateway checks whether the network can be accessed;
Step 3: the security gateway monitors the data traffic sent by the mobile phone; it has no authentication state for the phone at this point and must ask the authentication server whether the employee's phone may access the internet;
Step 4: the authentication server looks up the history according to the received MAC information and the current time and judges through a fuzzy algorithm whether the employee may access the internet; since this is the first authentication, it judges that the employee does not pass, and returns the query result to the security gateway;
Step 5: the security gateway informs the mobile phone that it cannot connect to the network and must be authenticated;
Step 6: the app cannot connect to the network and requires authentication;
Step 7: the employee actively opens the app for fingerprint verification;
Step 8: the app sends the fingerprint recognition information entered by the employee to the authentication server to request authentication;
Step 9: the authentication server compares it with the employee information stored in the data storage module and returns an authentication result; in this embodiment the information is assumed to be correct and the authentication succeeds;
Step 10: the authentication server informs the security gateway that the mobile phone has passed authentication; the security gateway no longer intercepts the phone's data traffic and stores the authentication state; the authentication is finished and the employee can access the internet normally;
Step 11: the connection between the mobile phone and the internet is unobstructed;
Step 12: the employee can use the mobile phone to access the internet normally.
Example four
The steps in this embodiment are the same as those in the third embodiment except for the specific authentication factors, and are not described in detail here; only the differences are described. The multi-factor authentication method in secure internet access in different scenes is also suitable for office scenes. In the office scene, the user is an employee, the authentication application is an app, and the electronic device is a mobile phone.
In a specific office scene, the first stage can also use mobile phone mac information for authentication, and the second stage uses the combination of a user name, mobile phone mac information and a short message (SMS) for authentication.
In this office scene, a company requires that employees access the office intranet only through their own work mobile phones, which are issued uniformly by the company, so the mobile phone mac information, mobile phone numbers and employee information are all on record. In the second stage, the correspondence between the user and the mac information can be checked, and after that check passes a secondary verification is carried out by short message, so that secure internet access is achieved through multi-factor authentication.
Example five
The steps in this embodiment are the same as those in the fourth embodiment except for the specific authentication factors and the applicable scenario, and are not described in detail here; only the differences are described. The multi-factor authentication method in secure internet access in different scenes is also suitable for meeting scenes. In the meeting scene, the user is a participant, the authentication application is an app or a browser, and the electronic device is a mobile phone or a computer.
In a specific meeting scene, the first stage uses time and location information for authentication, and the second stage uses password entry for authentication; that is, the wireless network can be used only during the meeting period and in the meeting room.
Example six
The steps in this embodiment are the same as those in the fourth embodiment except for the specific authentication factors and the applicable scenario, and are not described in detail here; only the differences are described. The multi-factor authentication method in secure internet access in different scenes is also suitable for wireless internet of things scenes. In the wireless internet of things scene, the electronic device can be a wireless advertising screen.
In a specific wireless internet of things scene, a client certificate and location information are used for authentication in the first stage, and a gesture password is used for authentication in the second stage; that is, only verified equipment is allowed to access the wireless network in the wireless internet of things scene.
When client certificate information is used, the client certificate is imported into the electronic device and the authentication server before deployment.
The multi-factor authentication method in secure internet access in different scenes is applicable to many usage scenes: not only the scene embodiments listed in the six embodiments above, but also others, in which different factors can be used for authentication according to the scene required. A user who already has authentication records can pass authentication through the first-stage imperceptible authentication request when using the wireless network again, while a first-time user must also go through the second-stage perceptible authentication request process. Security and convenience are thus considered together; in a normal authentication process the user performs an operation at most once, which improves the user experience.
The method for multi-factor authentication in secure internet access in different scenes is described above. The specific features, such as shape, size and position, of the device corresponding to this method can be designed according to the functions of the features disclosed above, and such a design can be realized by those skilled in the art. Moreover, the technical features disclosed above are not limited to the combinations with other features disclosed; other combinations of the technical features can be made by those skilled in the art according to the purpose of the present invention, so as to achieve that purpose.

Claims (9)

1. A multi-factor authentication method in secure internet access in different scenes, characterized by comprising the following steps:
a first stage, a user-imperceptible authentication request:
a user sends a network connection request through an electronic device;
the security gateway receives the network connection request sent by the electronic device, monitors internet access and limits the internet access behavior of the electronic device, and responds in linkage with the authentication server;
the authentication server queries the authentication request of the electronic device, sends information to the electronic device, receives the response the electronic device sends based on that information, and authenticates the response if it is an imperceptible authentication response;
after the response is verified, the authentication result is returned to the security gateway;
if authentication is passed, the security gateway receives the response, stores the authentication state and releases the traffic data, and the user can access the internet safely and normally; if authentication is not passed, the second stage, a user-perceptible authentication request, is entered;
a second stage, a user-perceptible authentication request:
the security gateway limits the internet access behavior of the electronic device and notifies the electronic device of a perceptible authentication request;
the electronic device accesses an authentication application;
the user enters authentication information on the prompt interface of the authentication application;
the authentication server receives from the authentication application a certificate associated with the user of the electronic device, authenticates the certificate, and after the certificate is authenticated confirms whether the authentication information of the electronic device passes;
after the confirmation passes, the services or resources of the authentication application are allowed network access, and at the same time the authentication server notifies the security gateway to release the data traffic; authentication is complete and the user accesses the internet normally;
if the authentication is not passed, the authentication server notifies the security gateway not to release the data traffic, the user's wireless network connection is intercepted, and authentication ends.
2. The method according to claim 1, wherein the authentication request that the authentication server queries from the electronic device in the first-stage user-imperceptible authentication request includes one or more of device information, a location factor and a time range.
3. The method according to claim 2, wherein the authentication request that the authentication server queries from the electronic device in the first-stage user-imperceptible authentication request includes one or more of the mac address, IMEI, certificate, time and location information of the electronic device.
4. The method according to claim 1, wherein the authentication information the user enters on the authentication application prompt interface in the second-stage user-perceptible authentication request includes one or more of a device mac address, a user account, a password, a short message verification code, fingerprint recognition, face recognition, voiceprint recognition, e-mail, WeChat, and iris recognition.
5. The method according to claim 1, wherein the first-stage user-imperceptible authentication request and the second-stage user-perceptible authentication request both use multi-factor authentication.
6. The method according to claim 1, wherein the authentication server comprises a data storage module,
the data storage module stores authentication records of the electronic device, and the authentication server analyzes the similarity between the current authentication information and historical behavior characteristics through a fuzzy algorithm to judge whether the electronic device passes authentication;
after receiving the response of the authentication server, the security gateway saves the authentication state; if authentication is passed, the data traffic is released and the electronic device is allowed to access the internet; if authentication is not passed, the second-stage user-perceptible authentication request process is performed.
7. The method according to claim 1, wherein, in the first-stage user-imperceptible authentication request, the network connection request that the security gateway receives from the electronic device and the authentication request of the electronic device that the authentication server queries are the same data packet; after the security gateway receives the authentication response of the authentication server, if authentication passes, the electronic device is connected to the wireless network at the same time.
8. The method according to claim 1, wherein the electronic device is connected to the internet when the authentication server notifies the security gateway to release the data traffic, and the user connects to the internet using the electronic device.
9. The method for multi-factor authentication in secure internet access according to claim 1, wherein the security gateway comprises a state storage module, which stores the authentication state of a user.
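The two-stage flow walked through in steps 1 to 12 of embodiment three, together with the history-based fuzzy check of claim 6, as an added Python model. This is illustrative code, not the patent's own; the similarity score (half weight for a matching hour window, half for a matching location, cut-off 0.7), the hashed second-stage secret, and all MAC, time and location values are constructed assumptions, since the patent specifies none of them.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

@dataclass
class AuthServer:
    # data storage module (claim 6): list of (mac, hour_of_day, location) records
    history: list = field(default_factory=list)
    credentials: dict = field(default_factory=dict)  # mac -> sha256(second-stage secret)
    threshold: float = 0.7  # assumed cut-off; the patent gives no value

    def enroll(self, mac: str, secret: str) -> None:
        # Second-stage factor (e.g. fingerprint template or password), stored hashed.
        self.credentials[mac] = hashlib.sha256(secret.encode()).hexdigest()

    def similarity(self, mac: str, hour: int, location: str) -> float:
        """Assumed 'fuzzy algorithm': mean match of time (+-1 h) and location over past records."""
        past = [(h, loc) for m, h, loc in self.history if m == mac]
        if not past:
            return 0.0  # no history at all: a first-time user, as in embodiment three
        total = sum((0.5 if abs(h - hour) <= 1 else 0.0)
                    + (0.5 if loc == location else 0.0) for h, loc in past)
        return total / len(past)

    def stage1(self, mac: str, hour: int, location: str) -> bool:
        """First stage, user-imperceptible: device, time and location only."""
        return self.similarity(mac, hour, location) >= self.threshold

    def stage2(self, mac: str, secret: str) -> bool:
        """Second stage, user-perceptible: the factor supplied through the app."""
        expected = self.credentials.get(mac)
        given = hashlib.sha256(secret.encode()).hexdigest()
        return expected is not None and hmac.compare_digest(expected, given)

@dataclass
class SecurityGateway:
    server: AuthServer
    state: dict = field(default_factory=dict)  # state storage module: mac -> passed

    def _admit(self, mac: str, hour: int, location: str, how: str) -> str:
        self.server.history.append((mac, hour, location))  # record feeds later stage 1
        self.state[mac] = True
        return how

    def handle(self, mac: str, hour: int, location: str, secret: str = None) -> str:
        """Verdict for traffic seen from `mac`, following steps 1-12 of embodiment three."""
        if self.state.get(mac):
            return "released"                 # authenticated earlier, no interception
        if self.server.stage1(mac, hour, location):
            return self._admit(mac, hour, location, "released:stage1")
        if secret is None:
            return "blocked:stage2-required"   # step 5: phone told to authenticate
        if self.server.stage2(mac, secret):
            return self._admit(mac, hour, location, "released:stage2")
        return "blocked"                       # second stage failed, traffic intercepted
```

A fresh gateway instance stands in for a later session in which the state storage module no longer holds the device, so the decision falls back to the first-stage history check.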
CN202010449026.XA 2020-05-25 2020-05-25 Multi-factor authentication method in different scene safe internet access Pending CN113727344A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010449026.XA CN113727344A (en) 2020-05-25 2020-05-25 Multi-factor authentication method in different scene safe internet access

Publications (1)

Publication Number Publication Date
CN113727344A true CN113727344A (en) 2021-11-30

Family

ID=78671569

Country Status (1)

Country Link
CN (1) CN113727344A (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170279795A1 (en) * 2016-03-25 2017-09-28 Fortinet, Inc. Secure, automatic second factor user authentication using push services
CN107404485A (en) * 2017-08-02 2017-11-28 北京天翔睿翼科技有限公司 A kind of self-validation cloud connection method and its system
CN107690140A (en) * 2016-08-04 2018-02-13 深圳市信锐网科技术有限公司 WAP authentication method, apparatus and system
CN109862565A (en) * 2019-02-11 2019-06-07 广东省城乡规划设计研究院 A kind of WLAN unaware control method, system and readable storage medium storing program for executing
CN109962917A (en) * 2019-03-26 2019-07-02 中国民生银行股份有限公司 Authentication information processing method and equipment, system, storage medium
CN110784447A (en) * 2019-09-18 2020-02-11 深圳云盈网络科技有限公司 Method for realizing non-perception authentication across protocols

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20211130