Title of invention: System and method for decentralized authentication of supplicant devices
Abstract: In one embodiment, a method includes enrolling a supplicant device as an authentication factor for a user. The enrolling includes storing a public key of an asymmetric key pair generated by an authentication application on the supplicant device. The method also includes receiving, from an access device, a request to access a service using an identity of the user. In addition, the method includes, responsive to the receiving, publishing an authentication code to the access device. The method further includes receiving an authentication package from the authentication application without contacting the authentication application. The authentication package includes a digital signature of the authentication code. The method additionally includes validating the digital signature using the public key. Moreover, the method includes, responsive to a determination that the validating is successful, allowing the access device to access the service.
Publication number: US9288060(B1) Publication date: 2016.03.15
Application number: US201314073823 Filing date: 2013.11.06
Applicant: Dell Software Inc. Inventor: Jonsson Jan Henrik
Classification: G06F21/00;H04L9/32 Main classification: G06F21/00
Agency: Winstead PC Agent: Winstead PC
Main claim: 1. A method comprising: on an authenticator computer system comprising an access device interface, an authentication module, a database, and a supplicant device interface, enrolling a supplicant device as an authentication factor for a user; wherein the enrolling comprises receiving a first request for enrollment from the access device, publishing an authentication uniform resource locator (URL) to the access device, storing a public key of an asymmetric key pair generated by an authentication application on the supplicant device and receiving an enrollment package comprising the public key from the supplicant device via the authentication URL; wherein the publishing of the authentication URL comprises causing a quick response (QR) code comprising the authentication URL to be displayed on the access device; the authenticator computer system receiving, from an access device, a second request to access a service using an identity of the user; responsive to the receiving, the authenticator computer system publishing an authentication code to the access device comprising the authentication URL; wherein the authentication code is forwarded from the access device to the supplicant device via a loop-back communication path; the authenticator computer system receiving an authentication package from the authentication application on the supplicant device using the authentication URL, the authentication package comprising a digital signature of the authentication code; the authenticator computer system validating the digital signature using the public key; responsive to a determination that the validating is successful, the authenticator computer system allowing the access device to access the service.
Address: Aliso Viejo CA US
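
The enrollment, code publication and signature validation steps of the main claim above, sketched in Go as an added example that is not taken from the patent or from any Dell product. Ed25519, the 16-byte code, single-use codes and all type and function names are assumptions; the QR code, authentication URL and loop-back transport are left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Authenticator holds enrolled public keys (never private keys) and outstanding codes.
type Authenticator struct {
	keys    map[string]ed25519.PublicKey // user -> key from the enrollment package
	pending map[string]string            // authentication code -> user
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{map[string]ed25519.PublicKey{}, map[string]string{}}
}

func (a *Authenticator) Enroll(user string, pub ed25519.PublicKey) { a.keys[user] = pub }

// PublishCode issues a fresh random code for the access device to display.
func (a *Authenticator) PublishCode(user string) []byte {
	code := make([]byte, 16)
	if _, err := rand.Read(code); err != nil {
		panic(err) // fail closed: never publish a predictable code
	}
	a.pending[string(code)] = user
	return code
}

// Validate checks an authentication package: the code and a signature over it.
func (a *Authenticator) Validate(code, sig []byte) bool {
	user, ok := a.pending[string(code)]
	delete(a.pending, string(code)) // assumption: a code is single use, pass or fail
	pub := a.keys[user]
	return ok && len(pub) == ed25519.PublicKeySize && ed25519.Verify(pub, code, sig)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(nil) // key pair made on the supplicant
	if err != nil {
		panic(err)
	}
	a := NewAuthenticator()
	a.Enroll("alice", pub) // constructed user name
	code := a.PublishCode("alice")
	sig := ed25519.Sign(priv, code)
	fmt.Println("login:", a.Validate(code, sig), "replay:", a.Validate(code, sig))
}
```

The length check in `Validate` matters because `ed25519.Verify` panics on a public key of the wrong size, so an unenrolled user or a malformed enrollment package is rejected instead of crashing the authenticator.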