CPC H04L 9/3273 (2013.01) [H04W 12/0431 (2021.01); H04W 12/069 (2021.01); H04W 12/63 (2021.01); H04W 4/80 (2018.02)]; 15 Claims
1. A method, comprising:
an enrollment phase comprising:
enrolling with an authentication system, the enrolling comprising:
generating a keypair consisting of a public key and private key;
providing, to the authentication system:
the public key; and
metadata comprising at least one of:
an operating system ID of a multi-factor authentication (MFA) device; or
network information of the MFA device; and
pairing with a login device to establish data for an encrypted communication channel between the MFA device and the login device over Bluetooth or near-field communication (NFC); and
an authentication phase comprising:
receiving signed authentication challenge metadata sent to the login device by the authentication system in response to a request by the login device to access a resource for which authentication is required;
verifying a signature of the authentication system on the signed authentication challenge metadata;
determining an answer to a challenge of the signed authentication challenge metadata;
generating MFA metadata, the MFA metadata comprising an indicator of a distance of the MFA device from the login device;
signing, with the private key, a payload comprising the answer and the MFA metadata; and
sending the signed payload directly to the authentication system, wherein the authentication system authenticates the login device responsive to verifying at least one of:
the answer, or
the MFA metadata using the metadata provided to the authentication system during the enrollment phase;
wherein operations of the authentication phase are performed by the MFA device without manual input from a user.
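Worked example of both phases of claim 1 (added here; not the patent's own code): the authentication system signs challenge metadata, the MFA device verifies that signature, answers, attaches a distance indicator and signs with its enrolled private key, and the authentication system checks the device signature, the answer and the MFA metadata against the enrollment record. Assumptions not in the claim: Ed25519 signatures, a random nonce as the challenge (echoed back as the answer), a JSON payload, and a distance indicator in metres; the Bluetooth/NFC pairing and the encrypted channel between login device and MFA device are treated as already established and not modelled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
)

// EnrollMeta is the metadata of the enrollment phase: OS ID and network information of the MFA device.
type EnrollMeta struct{ OSID, Network string }

// Payload is what the MFA device signs with its private key: the challenge answer plus MFA metadata.
type Payload struct {
	Answer    []byte     // the nonce from the signed challenge metadata, echoed back (assumed challenge form)
	Meta      EnrollMeta // compared with the metadata the device supplied at enrollment
	DistanceM float64    // indicator of the MFA device's distance from the login device (assumed metres)
}

// IssueChallenge (authentication system) signs fresh challenge metadata, a nonce, for the login device.
func IssueChallenge(authPriv ed25519.PrivateKey) (nonce, sig []byte) {
	nonce = make([]byte, 16)
	rand.Read(nonce)
	return nonce, ed25519.Sign(authPriv, nonce)
}

// Respond (MFA device) verifies the system's signature on the relayed challenge, then signs answer + metadata.
func Respond(devPriv ed25519.PrivateKey, meta EnrollMeta, authPub ed25519.PublicKey, nonce, sig []byte, distM float64) (payload, psig []byte, err error) {
	if !ed25519.Verify(authPub, nonce, sig) {
		return nil, nil, errors.New("challenge not signed by the authentication system")
	}
	payload, _ = json.Marshal(Payload{Answer: nonce, Meta: meta, DistanceM: distM})
	return payload, ed25519.Sign(devPriv, payload), nil
}

// Verify (authentication system) checks the device signature, the answer and the MFA metadata against enrollment.
func Verify(enrolled map[string]EnrollMeta, devPub ed25519.PublicKey, expectNonce, payload, sig []byte, maxDistM float64) error {
	m, ok := enrolled[string(devPub)] // enrollment records keyed by the raw public key bytes
	if !ok || !ed25519.Verify(devPub, payload, sig) {
		return errors.New("unknown device or bad device signature")
	}
	var p Payload
	if json.Unmarshal(payload, &p) != nil || string(p.Answer) != string(expectNonce) {
		return errors.New("malformed payload or answer does not match the issued challenge")
	}
	if p.Meta != m || p.DistanceM > maxDistM {
		return errors.New("MFA metadata mismatch or device too far from the login device")
	}
	return nil
}
```

The `enrolled` map stands in for the authentication system's enrollment store (public key plus OS ID and network information); the caller is expected to track which nonce it issued to which login session and pass it as `expectNonce`.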