Browser extensionless phish-proof multi-factor authentication (MFA)

US11962580B2 · US · B2

Patent metadata

Publication number: US-11962580-B2
Application number: US-202117528504-A
Country: US
Kind code: B2
Filing date: Nov 17, 2021
Priority date: Nov 17, 2021
Publication date: Apr 16, 2024
Grant date: Apr 16, 2024

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

A multi-factor authentication scheme uses an MFA authentication service and a browser extensionless phish-proof method to facilitate an MFA workflow. Phish-proof MFA verifies that the browser the user is in front of is actually visiting the authentic (real) site and not a phished site. This is achieved by only allowing MFA to be initiated from a user-trusted browser by verifying its authenticity through a signing operation using a key only it possesses, and then also verifying that the verified browser is visiting the authentic site. In a preferred embodiment, this latter check is carried out using an iframe postMessage owning-domain check. In a variant embodiment, the browser is verified to be visiting the authentic site through an origin header check. By using the iframe-based or ORIGIN header-based check, the solution does not require a physical security key (such as a USB authenticator) or any browser extension or plug-in.

First claim

Opening claim text (preview).

The invention claimed is:

1. Multi-Factor Authentication (MFA) Software-as-a-Service (SaaS) for authenticating a user to a site, the user having a computing machine, and an associated mobile device, the computing machine having a browser and a web storage application programming interface (API) with a local storage component, comprising: hardware and associated software comprising program code configured to: during an MFA workflow initiated by the user logging into the site in association with a site page, receive a request, the request having been generated by an invisible iframe associated with the site page, the iframe configured to create the request by (a) catching a message from the site page that passes a random value, (b) retrieving a private key of a browser key pair from the local storage component, and (c) using the private key of the browser key pair to create a signature over an assertion comprising the random value together with a domain name of the site page; upon verifying the signature using a public key of the browser key pair, forward the assertion to the associated mobile device to facilitate completion of the MFA workflow.

2. The MFA SaaS as described in claim 1 wherein the program code is further configured, following a successful push notification at the mobile device, to forward the assertion back to the iframe as a response to the request, the iframe passing the assertion back to the site page for delivery to the site.

3. The MFA SaaS as described in claim 1 wherein the program code is further configured to: in association with enrollment of a user at the site, provide a script that, upon execution in the browser, selectively creates and stores the browser key pair, transmits the public key of the browser key pair to the MFA SaaS, and links the browser key pair to a list of sites that include the site.

4. The MFA SaaS as described in claim 3 wherein the public key of the browser key pair is linked to a list of sites that include the site and to which the user is permitted to authenticate using the MFA SaaS.

5. The MFA SaaS as described in claim 1 wherein the program code is further configured to: in association with enrollment of a site operating at the network-accessible resource, provide the site a public key of an integration key pair, wherein a private key of the integration key pair is maintained by the MFA SaaS.

6. The MFA SaaS as described in claim 1 wherein the message is a window.PostMessage message, and wherein the domain name of the site page is obtained from a window.postMessage browser call.

7. The MFA SaaS as described in claim 1 wherein the program code is further configured to selectively re-generate the assertion.

8. The MFA SaaS as described in claim 1 wherein the authenticating occurs in a browser extension-less phish-proof manner.

9. A method of authenticating a user to a site, the user having a computing machine and an associated mobile device, comprising: during a multi-factor authentication (MFA) workflow initiated by the user logging into the site in association with a site page, receiving a request, the request having been generated by an invisible iframe associated with the site page, the iframe having been configured to create the request by (a) catching a message from the site page that passes a random value, (b) retrieving a private key of a browser key pair, and (c) using the private key of the browser key pair to create a signature over an assertion comprising the random value together with a domain name of the site page; and upon verifying the signature using a public key of the browser key pair, forwarding the assertion to the associated mobile device to facilitate completion of the MFA workflow.

10. The method as described in claim 9 further including, responsive to a successful push notification at the mobile device, forwarding the assertion back to the iframe as a response to the request, the iframe being further configured to pass the assertion back to the site page for delivery to the site.

11. The method as described in claim 9 wherein the authenticating occurs in a browser extension-less phish-proof manner.

12. A method of authenticating a user to a site of interest, the user having a computing machine and an associated mobile device, comprising: during a multi-factor authentication (MFA) workflow initiated by the user logging into the site of interest in association with a site page, receiving a request, the request having been generated at least in part by retrieving a private key of a browser key pair and using the private key to create a signature over an assertion comprising a random value and a domain name of the site page; and upon verifying the signature using a public key of the browser key pair, forwarding the assertion to the associated mobile device to facilitate completion of the MFA workflow.

13. The method as described in claim 12 wherein the request is generated by an invisible iframe associated with the site page, the invisible iframe having been configured to create the request by catching a message from the site page that passes the random value and using the private key of the browser key pair to create the signature.

14. The method as described in claim 12 wherein the request is generated by a form page that comprises a script and a blob of data, the blob of data comprising a hidden variable comprising the random value, a state variable containing opaque state information for the site of interest, and an origin domain name, the script being configured to create the request by signing the blob of data using the private key of the browser key pair.

15. The method as described in claim 12 wherein verifying the signature also checks an origin header associated with the request before forwarding the assertion to the associated mobile device.

16. The method as described in claim 12 wherein the authenticating occurs in a browser extension-less phish-proof manner.

17. The method as described in claim 12 wherein the private key of the browser key pair is stored in a local storage that is one of: HTML5 localstorage, and HTML5 IndexedDB.

Assignees

Akamai Tech Inc

Inventors

Classifications

  • Push-based network services · CPC title

  • using an additional device, e.g. smartcard, SIM or a different communication terminal (cryptographic mechanisms or cryptographic arrangements for entity authentication involving additional secure or trusted devices H04L9/3234) · CPC title

  • based on web technology, e.g. hypertext transfer protocol [HTTP] · CPC title

  • applying multi-factor authentication · CPC title

  • involving digital signatures · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
Akamai Tech Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/083. Mapped technology areas include Electricity.
When was this patent published?
Publication date: Apr 16, 2024 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 4 related publications on this page (citations in our corpus or others sharing the same primary CPC).