Title: Multi-factor authentication and comprehensive login system for client-server networks
Abstract: Embodiments are directed to a system and method for authenticating a user of a client computer making a request to a server computer providing access to a network resource through an authentication platform that issues a challenge in response to the request requiring authentication of the user identity through a reply from the client computer, determining one or more items of context information related to at least one of the user, the request, and the client computer, and determining a disposition of the request based on the reply and the one or more items of context information. The reply includes a user password and may be provided by an authorizing client device.
Publication number: US9374369(B2) Publication date: 2016.06.21
Application number: US201313837321 Filing date: 2013.03.15
Applicant: LOOKOUT, INC. Inventors: Mahaffey Kevin Patrick;Richardson David Luke;Salomon Ariel;Croy R. Tyler;Walker Samuel Alexander;Buck Brian James;Marcin Gorrino Sergio Ivan;Golombek David
Classification: H04L29/06;G06F7/04;G06F15/16;G06F17/30 Main classification: H04L29/06
Agency: Dergosits & Noah LLP Agent: Dergosits & Noah LLP
Principal claim: 1. A method for processing a request to access a target server over a network from a user operating a client computer, the method comprising: receiving, at an authentication server, a request to access the target server from the user operating the client computer, wherein the target server is separate from the authentication server and wherein the target server is accessible to the user executing a web browser on the client computer; causing, by the authentication server, user input fields to be displayed on the client computer to prompt the user for entry of user credentials through the web browser; issuing, by the authentication server, a challenge to an authorizing client device requiring validation of an identity of the user in response to the request to access the target server; sending, from the authentication server, a command to the authorizing client device to prompt the user to input a response to the challenge into the authorizing client device; receiving, at the authentication server, verification from the authorizing client device that the response to the challenge is valid; evaluating, by the authentication server, at least one item of context information related to the client computer being operated by the user, the at least one item of context information including at least one of a location of the client computer, characteristics of a network to which the client computer is connected, security risk data associated with an application operating on the target server for which the user requests access, an identification of accounts common to both the client computer and the authorizing client device, and an identification of usage anomalies, wherein the at least one item of context information is provided by the client computer to the authentication server separate from the request to access the network resource and separate from the user credentials; determining, at the authentication server, a disposition of the request to access the target server based on the verification from the authorizing client device and the evaluation of the at least one item of context information; and releasing, by the authentication server, user credentials to a client desktop extension on the client computer when the determined disposition is to grant access, the released user credentials being used by the client computer to obtain access to the target server.
Address: San Francisco CA US