Computing session multi-factor authentication
US-2023020656-A1 · Jan 19, 2023 · US
US12309141B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12309141-B2 |
| Application number | US-202418636468-A |
| Country | US |
| Kind code | B2 |
| Filing date | Apr 16, 2024 |
| Priority date | Nov 17, 2021 |
| Publication date | May 20, 2025 |
| Grant date | May 20, 2025 |
Official abstract text for this publication.
A multi-factor authentication scheme uses an MFA authentication service and a browser-extensionless phish-proof method to facilitate an MFA workflow. Phish-proof MFA verifies that the browser the user is in front of is actually visiting the authentic (real) site and not a phished site. This is achieved by only allowing MFA to be initiated from a user-trusted browser, verifying its authenticity through a signing operation using a key only it possesses, and then also verifying that the verified browser is visiting the authentic site. In a preferred embodiment, this latter check is carried out using an iframe postMessage owning-domain check. In a variant embodiment, the browser is verified to be visiting the authentic site through an Origin header check. By using the iframe-based or Origin header-based check, the solution does not require a physical security key (such as a USB authenticator) or any browser extension or plug-in.
Opening claim text (preview).
The invention claimed is:

1. A computer program product in a non-transitory computer readable medium, the computer program product holding computer program instructions that, when executed by a processor in a computing machine, facilitate a browser extension-less phish proof authentication of a user to a site, the user having a mobile device, the computer program instructions comprising program code configured to: during a multi-factor authentication (MFA) workflow initiated by the user logging into the site in association with a site page, transmitting a request to a service, the request having been generated at least in part by retrieving a private key of a browser key pair and using the private key of the browser key pair to create a signature over an assertion comprising a random value and a domain name of the site page; and responsive to a successful push notification at the mobile device, the successful push notification having occurred as a result of the service verifying the signature using a public key of the browser key pair and then forwarding the assertion to the mobile device, completing the MFA workflow.

2. The computer program product as described in claim 1, wherein the request is generated by an invisible iframe associated with the site page, the invisible iframe having been configured to create the request by catching a message from the site page that passes the random value and using the private key of the browser key pair to create the signature.

3. The computer program product as described in claim 2, wherein the message is a window.PostMessage message, and wherein the domain name of the site page is obtained from a window.postMessage browser call.

4. The computer program product as described in claim 1, wherein the request is generated by a form page that comprises a script and a blob of data, the blob of data comprising a hidden variable comprising the random value, a state variable containing opaque state information for the site of interest, and an origin domain name, the script being configured to create the request by signing the blob of data using the private key of the browser key pair.

5. The computer program product as described in claim 1, wherein the public key of the browser key pair is linked to a list of sites that include the site and to which the user is permitted to authenticate.

6. The computer program product as described in claim 1, wherein the MFA workflow verifies that a browser the user is using during the MFA workflow is actually visiting the site and not a phished site.

7. The computer program product as described in claim 6, wherein the MFA workflow uses an origin header check.

8. The computer program product as described in claim 1, wherein the browser extension-less phish proof authentication of the user to the site does not require a physical security key, a browser extension or a browser plug-in.
Push-based network services · CPC title
using an additional device, e.g. smartcard, SIM or a different communication terminal (cryptographic mechanisms or cryptographic arrangements for entity authentication involving additional secure or trusted devices H04L9/3234) · CPC title
based on web technology, e.g. hypertext transfer protocol [HTTP] · CPC title
applying multi-factor authentication · CPC title
involving digital signatures · CPC title