CPC H04L 63/0876 (2013.01) [H04L 63/0428 (2013.01); H04L 2463/082 (2013.01)]; 9 Claims
1. A method of provisioning two-factor authentication (2FA) for an enterprise service, the method comprising the steps of:
a. registering an enterprise service with a cloud authentication service (CAS) for two-factor authentication;
b. receiving from a trusted application on a subscriber device a device identity;
c. generating by the trusted application on the subscriber device a first public/private key set;
d. storing the first private key from the first key set in a trusted execution environment (TEE) on the subscriber device;
e. sending the device identity and data of the generated public key, both encrypted and signed by an original equipment manufacturer's (OEM) device hardware key resident on the subscriber device, through the CAS to an OEM cloud service (OCS);
f. verifying the device identity of the subscriber device at the OCS and returning from the OCS to the CAS the trusted application's device-specific public key;
g. generating, at the CAS, a second public/private key set for the trusted application and device comprising a CAS public key and a CAS private key;
h. storing by the CAS in a cloud wallet service the first public key for the subscriber device and the CAS private key; and
i. sending to the subscriber device the CAS public key, whereby a private key for the subscriber device and the CAS public key are stored in the subscriber device in the TEE, thereby enhancing user control over the 2FA.
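The provisioning flow of claim 1, steps a through i, as an added simulation in Go. This is illustrative code written for this page, not code from the patent or any product. The claim does not name algorithms, so the model assumes: the OEM device hardware key is an Ed25519 key whose public half the OCS registered at manufacture; the "encrypted and signed" payload of step e is AES-GCM under an X25519 agreement with an OCS encryption key (an assumed OCS key), with the whole envelope signed by the OEM key; the device and CAS key sets are Ed25519. The TEE is a struct whose private fields never leave it, and the CAS relays the envelope to the OCS without being able to read it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// tee models the trusted execution environment; nothing stored here is handed back to callers.
type tee struct {
	oemKey    ed25519.PrivateKey // OEM device hardware key, provisioned at manufacture (assumed Ed25519)
	deviceKey ed25519.PrivateKey // first private key, step d
	casPub    ed25519.PublicKey  // CAS public key, step i
}

// Device is the subscriber device running the trusted application.
type Device struct {
	ID string
	t  tee
}

// OCS is the OEM cloud service: per device identity it knows the OEM hardware public key,
// and holds an X25519 key that devices encrypt enrolment data to (an assumption of this model).
type OCS struct {
	encKey   *ecdh.PrivateKey
	registry map[string]ed25519.PublicKey
}

// walletEntry is what the CAS keeps in its cloud wallet service, step h.
type walletEntry struct {
	devicePub ed25519.PublicKey
	casPriv   ed25519.PrivateKey
}

// CAS is the cloud authentication service.
type CAS struct {
	services map[string]bool        // enterprise services registered for 2FA, step a
	wallet   map[string]walletEntry // keyed by device identity
	ocs      *OCS
}

// Envelope is step e's message, device -> CAS -> OCS; the CAS relays it opaquely.
type Envelope struct {
	DeviceID   string
	EphPub     []byte // ephemeral X25519 public key for the agreement with the OCS
	Nonce      []byte
	Ciphertext []byte // AES-GCM of the device public key, AAD = device identity
	Sig        []byte // OEM hardware key signature over the transcript
}

func transcript(e Envelope) []byte {
	t := append([]byte(e.DeviceID), e.EphPub...)
	t = append(t, e.Nonce...)
	return append(t, e.Ciphertext...)
}

// gcmFromShared derives an AEAD from the X25519 shared secret (SHA-256 as a simple KDF).
func gcmFromShared(shared []byte) (cipher.AEAD, error) {
	k := sha256.Sum256(shared)
	block, err := aes.NewCipher(k[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func NewOCS() *OCS {
	k, _ := ecdh.X25519().GenerateKey(rand.Reader)
	return &OCS{encKey: k, registry: map[string]ed25519.PublicKey{}}
}

// Manufacture creates a device whose OEM hardware key is registered with the OCS.
func (o *OCS) Manufacture(id string) *Device {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	o.registry[id] = pub
	return &Device{ID: id, t: tee{oemKey: priv}}
}

// Enroll is steps c and d plus the device side of step e.
func (d *Device) Enroll(ocsEncPub *ecdh.PublicKey) (Envelope, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // step c: first key set
	if err != nil {
		return Envelope{}, err
	}
	d.t.deviceKey = priv // step d: the private key stays in the TEE
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return Envelope{}, err
	}
	shared, err := eph.ECDH(ocsEncPub)
	if err != nil {
		return Envelope{}, err
	}
	aead, err := gcmFromShared(shared)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	env := Envelope{DeviceID: d.ID, EphPub: eph.PublicKey().Bytes(), Nonce: nonce,
		Ciphertext: aead.Seal(nil, nonce, pub, []byte(d.ID))}
	env.Sig = ed25519.Sign(d.t.oemKey, transcript(env)) // signed by the OEM hardware key
	return env, nil
}

// Verify is step f: check the OEM signature for the claimed device identity, then decrypt.
func (o *OCS) Verify(e Envelope) (ed25519.PublicKey, error) {
	oemPub, ok := o.registry[e.DeviceID]
	if !ok || !ed25519.Verify(oemPub, transcript(e), e.Sig) {
		return nil, errors.New("device identity not verified")
	}
	ephPub, err := ecdh.X25519().NewPublicKey(e.EphPub)
	if err != nil {
		return nil, err
	}
	shared, err := o.encKey.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	aead, err := gcmFromShared(shared)
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, e.Nonce, e.Ciphertext, []byte(e.DeviceID))
	if err != nil || len(pt) != ed25519.PublicKeySize {
		return nil, errors.New("enrolment payload rejected")
	}
	return ed25519.PublicKey(pt), nil
}

func NewCAS(o *OCS) *CAS {
	return &CAS{services: map[string]bool{}, wallet: map[string]walletEntry{}, ocs: o}
}

func (c *CAS) RegisterService(name string) { c.services[name] = true } // step a

// Provision relays the envelope to the OCS (steps e and f), then performs steps g, h and i.
func (c *CAS) Provision(service string, e Envelope) (ed25519.PublicKey, error) {
	if !c.services[service] {
		return nil, errors.New("service not registered for 2FA")
	}
	devPub, err := c.ocs.Verify(e) // step f: OCS returns the device-specific public key
	if err != nil {
		return nil, err
	}
	casPub, casPriv, err := ed25519.GenerateKey(rand.Reader) // step g: second key set
	if err != nil {
		return nil, err
	}
	c.wallet[e.DeviceID] = walletEntry{devicePub: devPub, casPriv: casPriv} // step h
	return casPub, nil                                                     // step i
}

// Complete stores the CAS public key in the TEE beside the device private key, step i.
func (d *Device) Complete(casPub ed25519.PublicKey) { d.t.casPub = casPub }

// Paired reports whether the wallet and the TEE hold matching halves of both key sets.
func Paired(c *CAS, d *Device) bool {
	w, ok := c.wallet[d.ID]
	if !ok || d.t.deviceKey == nil || d.t.casPub == nil {
		return false
	}
	return w.devicePub.Equal(d.t.deviceKey.Public()) && d.t.casPub.Equal(w.casPriv.Public())
}

// RunProvisioning drives the whole exchange for one device and one registered service.
func RunProvisioning(c *CAS, d *Device, service string) error {
	env, err := d.Enroll(c.ocs.encKey.PublicKey())
	if err != nil {
		return err
	}
	casPub, err := c.Provision(service, env)
	if err != nil {
		return err
	}
	d.Complete(casPub)
	return nil
}

func main() {
	ocs := NewOCS()
	cas := NewCAS(ocs)
	cas.RegisterService("payroll")
	dev := ocs.Manufacture("device-0001") // constructed sample identity
	fmt.Println("provisioned:", RunProvisioning(cas, dev, "payroll") == nil, "paired:", Paired(cas, dev))
}
```

The two negative paths worth checking are the ones the claim's verification steps exist for: an envelope from a device whose OEM hardware key the OCS never registered fails step f, and any modification of the envelope in transit breaks the OEM signature, so the CAS never reaches step g for it.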