
“System And Method For Login Using Qr Code”

Abstract: Systems and methods are disclosed herein for a user to use a trusted device to provide sensitive information to an identity provider via QR (Quick Response) code for the identity provider to broker a website login or to collect information for the website. A user may securely transact with the website from unsecured devices by entering sensitive information into the trusted device. The identity provider may generate the QR code for display by the website on an unsecured device. A user running an application from the identity provider on the trusted device may scan the QR code to transmit the QR code to the identity provider. The identity provider may validate the QR code and may receive credential information to authenticate the user or may collect information for the website. Advantageously, the user may perform a safe login to the website from untrusted devices using the trusted device.


Patent Information

Application #
Filing Date
14 October 2019
Publication Number
16/2021
Publication Type
INA
Invention Field
COMMUNICATION
Status
Email
ipr@optimisticip.com
Parent Application

Applicants

MESBRO TECHNOLOGIES PRIVATE LIMITED
Flat no C/904, Geomatrix Dev, Plot no 29, Sector 25, Kamothe, Raigarh-410209, Maharashtra, India

Inventors

1. Mr. Bhaskar Vijay Ajgaonkar
Flat no C/904, Geomatrix Dev, Plot no 29, Sector 25, Kamothe, Raigarh-410209, Maharashtra, India

Specification

Claims: We claim:
1. A provider server system, comprising:
a. a non-transitory memory comprising instructions; and
b. one or more hardware processors coupled to the non-transitory memory,
c. generating, by a code generation unit of the one or more hardware processors, encoded data;
d. transmitting the encoded data to a first device to display quick response data on a graphical user interface (GUI) of the first device;
e. receiving credential information from a second device,
f. determining a level of trust associated with the credential information that corresponds to the quick response data processed by the quick response component of the second device
g. sending a security token to a website server that enables a data transmittal associated with the first device and the website server based at least on the level of trust determined.
2. The provider server system of claim 1, wherein the data transmittal is initiated based at least on a safe login session with the website server and the first device.
3. The provider server system of claim 2, wherein the one or more hardware processors is configured to read the instructions to cause the provider server system to perform further operations
4. The provider server system of claim 3, wherein sending the security token to the website server.
Description:
Technical Field of the Invention
The present disclosure relates generally to systems and methods for authenticating users over a computer network. In particular, the present disclosure relates to methods and systems for using trusted devices to broker secure logins into websites from devices that may be insecure.
Background of the Invention
Internet users are frequently asked to log in to websites from publicly shared devices. These devices may be inherently insecure as they may be infected with malware, or otherwise compromised by key-logger spyware, etc. Users entering their login credentials into insecure devices face the risk of exposing their login credentials to unauthorized parties. Thus, there is a need for users to log in to websites without entering sensitive information on insecure devices. Even when the devices are secure, there are situations where it may be difficult for users to manually enter credentials into the devices, such as on devices with limited input capabilities. While systems have been proposed to more securely authenticate users, these systems may require special hardware such as biometrics readers or near field communication (NFC) devices. In addition, even NFC devices may be compromised to expose sensitive information. To increase security, some websites may implement a secondary authentication mechanism such as requiring users to use fobs or other second factor devices. However, these devices are inconvenient for users to carry. Accordingly, it is desirable to provide ways for users to log in to websites securely, conveniently, and efficiently.
Object of the Invention
The object of the present invention is to provide systems and methods for a user to use a trusted device to provide sensitive information to an identity provider via QR (Quick Response) code for the identity provider to broker a login to a website or to assist in the authentication of the user by the website.
Summary of the Invention
The identity provider may be a service provider that facilitates transactions between the user and the website. Users may securely transact with the website from unsecured devices without the risk of exposing sensitive information to unauthorized parties running malware or key logger spyware on the unsecured devices. The QR code may be generated by the identity provider when the website desires to obtain sensitive information from users. The website may display the QR code on the unsecured devices. A user running a trusted application from the identity provider on the trusted device may scan the QR code to transmit the QR code to the identity provider. The identity provider may validate the QR code and prompt the user for the sensitive information. The identity provider may validate the QR code and may evaluate a trust level of the user to generate a security token based on the type of sensitive information received and/or the level of authentication performed on the user. The identity provider may provide the security token to the website for the website to display protected resources corresponding to the security token on the unsecured devices. Advantageously, the user may perform a safe login to the website from untrusted devices such as publicly shared devices.
The systems and methods disclosed may be used as a second factor authentication even after the user has entered login information directly into the unsecured devices. For example, the website may, through the identity provider, perform additional authentication of the user via QR code to increase the trust level of the user so as to prevent logins by fraudsters. The website may request the identity provider to generate a QR code to prompt the user to provide information for the second factor authentication. The website may display the QR code on the unsecured devices. A user running a trusted application from the identity provider on the trusted device may scan the QR code for transmission to the identity provider. The identity provider may validate the QR code and may prompt the user for the information. The identity provider may evaluate the trust level of the user based on the credentials entered into the trusted device when the user logs into the identity provider, on the characteristics of the trusted device, and/or on other information entered by the user. The identity provider may generate a security token based on the level of trust of the user. The website may use the security token to guard against unauthorized logins. Advantageously, the user may avoid the need to carry second factor devices such as fobs for websites that implement a second factor authentication mechanism when logging in from untrusted devices.
Brief Description of Drawings
FIG. 1 shows a flow chart of the steps for an identity provider to generate QR code for a website and to validate the QR code received from a trusted device to generate a security token to broker a login to the website according to one or more embodiments of the present disclosure.
Detailed Description of Invention
FIG. 1 shows a flow chart of the steps for an identity provider to generate QR code for a website and to validate the QR code received from a trusted device to generate a security token to broker a login to the website according to one or more embodiments of the present disclosure. Identity provider receives a request for a QR code for a login session from website server. The QR code may encrypt information to allow identity provider to uniquely identify website server and to enable identity provider to associate user trusted device with a login session on website server. For example, the QR code may contain a key for retrieval of the security token associated with user trusted device for the login session, an identifier for website server, and a time stamp. The time stamp may indicate a period of validity of the QR code.
QR code generation unit of identity provider generates the QR code. QR code generation unit may encrypt an amount of data and size the QR code such that the QR code may be scanned and decoded from a reasonable distance by trusted device. To prevent a rogue site from putting up QR code masquerading as QR code generated by identity provider to steal login credentials from user, the QR code may be generated to be read only by trusted app from identity provider running on trusted device, and not by standard QR code readers. In one or more embodiments, the encoded data may only be decrypted by identity provider. In one or more embodiments, the encoded data may be decrypted by the trusted app from identity provider. In addition, to mitigate DDoS (Distributed Denial-of-Service) concerns and to ensure that QR code generation does not become a risk to identity provider, rate limiting may be implemented on the QR code generation. QR code generation unit may also generate the QR code on a “best effort” basis. If the QR code is generated by a service, there may be a dedicated pool of QR codes that is considered best effort.
Identity provider provides the QR code to website server for website server to display the QR code on a login page on untrusted device. Website server may also display a “QR code safe login” button on untrusted device to inform users that the QR code is for initiating a safe login. The button may also be clicked by users after identity provider has generated the security token for website server to retrieve the security token from identity provider. To scan the QR code, user runs a trusted app from identity provider on trusted device. Trusted device has previously been registered with identity provider as belonging to user so that a security level is established for user when trusted app communicates with identity provider. The security level is one factor identity provider evaluates when generating the security token for the safe login session. The higher the security level of user, the higher the level of trust in the security token generated for user, and the more of the protected resources of website server may be accessible by user. To increase the security level, user may enter login credentials for identity provider into the trusted app.
Identity provider determines if user has provided login credentials from trusted device. If login credentials are received, identity provider logs in user and increases the security level for user. Otherwise, the security level remains unchanged. The trusted app may display a “safe login” icon. User may click on the “safe login” icon to enable the camera on trusted device to scan the QR code displayed on untrusted device. The trusted app decodes the scanned QR code and transmits the data to identity provider.
Identity provider receives the decoded QR code from trusted device. In one or more embodiments, identity provider may receive the un-decoded QR code from trusted device. Authentication and trust services unit of identity provider may, if necessary, decode the QR code and may decrypt the decoded data. Identity provider determines if additional information is needed from user for authentication by website server. The additional information may include login credentials to website server or may include other sensitive information of user. If additional information is needed, identity provider may prompt user for the information on trusted device. Identity provider receives the additional information from trusted device.
Authentication and trust services unit validates the QR code. Authentication and trust services unit may verify that the time stamp for the QR code has not expired, that the QR code identifies website server, and that the key for retrieval of the security token is associated with a safe login session. Authentication and trust services unit also evaluates the security level for user, any additional information received from user, and history of trusted device to determine a level of trust for user. For example, if there is increased security level because user has logged into identity provider, user has provided additional information such as login credentials for website server, and there is no history of fraudulent use associated with trusted device, a high level of trust may be determined for user. On the other hand, if there is just a regular security level because user has not logged into identity provider, and user has not provided additional information for website server, a lower level of trust may be determined for user.
Authentication and trust services unit generates a security token corresponding to the level of trust determined for user. Identity provider may inform website server that a security token for a safe login session is available. In one or more embodiments, identity provider may transmit a message to trusted device instructing user to request website server to retrieve the security token. For example, user may be instructed to click on the QR code or the “QR code safe login” button displayed on untrusted device. When user clicks on the QR code or the button, website server requests the security token from identity provider. Identity provider provides the security token for user to website server. Website server may evaluate the security token to establish a login session for user and may present protected resources corresponding to the level of trust of the security token on untrusted device for user to access. In one or more embodiments, identity provider may provide to website server the additional information received from trusted device, such as the login credential.
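The identity provider side of the flow described above (QR data generation, the three validation checks, the level of trust, the security token), as an added example that is not part of the application. It authenticates the QR data with an HMAC tag rather than the encryption the description mentions; the function names, the `SESSIONS` store, the single-use rule and the "medium" and "none" levels are assumptions of this example.

```python
import base64, hashlib, hmac, json, secrets, time

IDP_KEY = secrets.token_bytes(32)  # identity provider's secret (constructed here)
SESSIONS = {}                      # retrieval key -> pending safe-login session

def _tag(body):
    return hmac.new(IDP_KEY, body, hashlib.sha256).digest()

def make_qr_payload(site_id, ttl=60, now=None):
    """Data for the QR code: token-retrieval key, website id, expiry time."""
    now = time.time() if now is None else now
    key = secrets.token_urlsafe(16)
    SESSIONS[key] = {"site": site_id, "used": False}
    body = json.dumps({"key": key, "site": site_id, "exp": now + ttl}).encode()
    return base64.urlsafe_b64encode(_tag(body) + body).decode()

def validate_qr_payload(payload, now=None):
    """Run the checks from the description; raise ValueError on any failure."""
    now = time.time() if now is None else now
    raw = base64.urlsafe_b64decode(payload)
    tag, body = raw[:32], raw[32:]
    if not hmac.compare_digest(tag, _tag(body)):  # constant-time comparison
        raise ValueError("payload was not generated by this identity provider")
    data = json.loads(body)
    if now > data["exp"]:
        raise ValueError("QR code has expired")
    session = SESSIONS.get(data["key"])
    if session is None or session["site"] != data["site"]:
        raise ValueError("key is not tied to a safe login session for this site")
    if session["used"]:  # single use is an assumption added in this example
        raise ValueError("QR code was already redeemed")
    session["used"] = True
    return data

def trust_level(logged_in, extra_info, fraud_history):
    """'high' and 'low' follow the description; the other two are assumptions."""
    if fraud_history:
        return "none"
    if logged_in and extra_info:
        return "high"
    return "medium" if (logged_in or extra_info) else "low"

def issue_token(payload, logged_in, extra_info, fraud_history, now=None):
    """Validate the scanned data, then mint a token bound to site and trust."""
    data = validate_qr_payload(payload, now)
    level = trust_level(logged_in, extra_info, fraud_history)
    if level == "none":
        raise PermissionError("trusted device has a history of fraudulent use")
    return {"site": data["site"], "trust": level, "token": secrets.token_urlsafe(32)}
```

Because the tag covers the website identifier and the expiry, a QR code altered or fabricated by a rogue site fails the first check before any session lookup happens.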

Documents

Application Documents

# Name Date
1 201921041584-STATEMENT OF UNDERTAKING (FORM 3) [14-10-2019(online)].pdf 2019-10-14
2 201921041584-POWER OF AUTHORITY [14-10-2019(online)].pdf 2019-10-14
3 201921041584-FORM FOR STARTUP [14-10-2019(online)].pdf 2019-10-14
4 201921041584-FORM FOR SMALL ENTITY(FORM-28) [14-10-2019(online)].pdf 2019-10-14
5 201921041584-FORM 1 [14-10-2019(online)].pdf 2019-10-14
6 201921041584-FIGURE OF ABSTRACT [14-10-2019(online)].jpg 2019-10-14
7 201921041584-EVIDENCE FOR REGISTRATION UNDER SSI(FORM-28) [14-10-2019(online)].pdf 2019-10-14
8 201921041584-EVIDENCE FOR REGISTRATION UNDER SSI [14-10-2019(online)].pdf 2019-10-14
9 201921041584-DRAWINGS [14-10-2019(online)].pdf 2019-10-14
10 201921041584-COMPLETE SPECIFICATION [14-10-2019(online)].pdf 2019-10-14
11 201921041584-ORIGINAL UR 6(1A) FORM 26-301019.pdf 2019-10-31
12 201921041584-Proof of Right [29-11-2020(online)].pdf 2020-11-29