Abstract: A system and method of providing a two-factor authentication for access to an authenticating service, the method comprising the steps of: receiving from a user, a request to access the authenticating service, including, not being limited to, mail accounts, files and confidential information of the user, wherein the request comprises a first authentication information/factor and a second authentication information/factor; authenticating the user using a two-factor authentication protocol based on the first and second authentication information/factor; allowing access by the user to the authenticating service in response to a positive authentication result; and preventing access by the user to the authenticating service in response to a negative authentication result. [FIG. 1]
FIELD OF THE INVENTION
The present invention generally relates to authentication systems and methods
related thereto. In particular, the present invention relates to integration of a
two factor authentication system at a protocol decoding level using one touch
authentication to protect the personal mail accounts, files and confidential
information of users and methods related thereto. More particularly, the present
invention relates to a system and method of providing two-factor authentication for
access to an authenticating service.
BACKGROUND OF THE INVENTION
The Internet has changed the way people communicate with each other. Letters,
couriers, registered post etc. have become obsolete in an age where large
volumes of documents can be immediately transferred via email at the click of a
button.

Free or paid mail services have become a warehouse of personal information
where everything from personal and professional mails, chats, contacts etc. is
stored by users. Email is still the safest bet when information has to be spread to
a large number of people. While an email address is necessary to log into almost
every popular social media forum – from Facebook to Twitter to LinkedIn, business
transactions including proposals, RFPs etc. are frequently transferred by mail as
well.

Thus, a mail account today has become one of the most important IT assets of an
individual, literally defining one’s identity on the internet.

In such a situation, unauthorized access to one’s mail account can have
unforeseeable ramifications not just for an individual but also for a complete
organization – leakage of financial and marketing data, R&D papers, IP of a
company, HR policies etc. may cause more than one organization to be
affected by unauthorized access to the mail account of key personnel.

With thousands of people in an organization unaware of the security implications
or the know-how of protecting their mail accounts, it becomes important for the
organizations involved to protect their digital identity.

The security community has long sought a viable solution for better protection of
mail account infrastructure to prevent attacks on the security systems. However,
much to the chagrin of the security community, passwords have been the primary
factor for authentication for the vast majority of users gaining access to their
mail accounts. Security protection wherein static passwords are used as
the sole factor for authentication presents a range of issues and cannot be relied
upon solely.

Most people, either accidentally or deliberately, end up sharing their passwords with
their friends or colleagues and seldom remember the number of people with
whom the account details may have been shared. At the same time,
passwords are not changed at frequent intervals, giving an outsider unlimited
access to the account of the user. Moreover, even if the user has not disclosed
the password, they fall prey to common social engineering techniques and end up
revealing answers to their security questions, thereby providing intruders a chance
to gain unauthorized access to the user’s account.

What is worse is the fact that in today’s world most users end up using the same
or similar passwords for multiple accounts. This leads to a possibility where an
inadvertent leak may provide access to multiple accounts of the users. Phishing
attacks and various forms of viruses have been used since the evolution of the
internet to steal the identity of the user.

In order to curb the above mentioned disadvantages associated with the sole use
of static passwords, two factor authentication has been developed and used to
supplement and fortify passwords as a means for user authentication. In two
factor authentication, users are usually issued a token which displays a random
number that changes periodically. Both hardware and software tokens are
available. Users who have paired a token with a network resource must supply the
number currently on the screen at any given moment as part of the login
procedure in addition to the static password which is the first authentication factor.
If the provided code matches an expected value at the token-aware backend
server for a given instance, the system grants the authentication request,
confident that a request that can provide a password and a valid code from the
token is reasonably likely to be an authentic request.

To this end, technologies which are used for two factor authentication include
TOTP (Time Sync One Time Password) and HOTP (Hashed One Time Password)
among others. In TOTP based two factor authentication, a one-time password
(OTP) is generated on the basis of a seed which is unique to a user and changes
after every specific duration of time. The said one time password is generated by
the server. The HOTP is based on a challenge response technology wherein a
one-time password (OTP) is generated by the user using a seed. While the TOTP
passwords keep on changing and are only valid for a short window in time, the
HOTP passwords can be valid for an unknown amount of time, making them
susceptible to security invasions.

The said systems have been reported by users to be cumbersome and
irritating due to the additional hassle of entering an OTP in addition to the already
existing static password. Further, servers are required to generate one time
passwords, which may require complicated infrastructure implementations.

Furthermore, the existing technologies are not “on demand” technologies and
generate an OTP irrespective of whether a user wishes to use it or not.
The servers generate an OTP to validate the one time password entered by the
user. To generate the OTP, servers require the Time Stamp (when the token was
activated) as well as the ‘Seed’, which is a core value required to generate the OTP. If a
hacker gains access to the server, the entire security of the user will be
compromised as the hacker will gain access to the seeds as well as the Time Stamps.

Moreover, the above discussed technology cannot be integrated with third party
applications such as mail clients on phones and desktops apart from legacy and
other applications where access to source code is not available.

Accordingly, it is desired to provide an improved two factor authentication system
and method related thereto which overcomes the above-discussed
disadvantages.

Further, it is also desired to provide an effective and efficient authentication
system and method by integrating two factor authentication at protocol decoding
level, thereby securing mail accounts of users. It is further intended to provide an
improved authentication system which is cost effective and eliminates the need for
complicated infrastructure implementations.
OBJECTS OF THE INVENTION
A primary object and advantage of the present invention is to address and
overcome the problems cited in the prior art.

Another object and advantage of the present invention is to provide an effective
and efficient authentication system and method to protect the personal
information, mail accounts, files and confidential information of users.

Another object and advantage of the present invention is to provide an effective
and efficient authentication system and method which integrates a two factor
authentication system at a protocol decoding level using one touch authentication
to protect the personal mail accounts, files and confidential information of users,
allowing seamless integration with desktop/mobile mail clients and other
applications.

Another object and advantage of the present invention is to provide an effective and
efficient authentication system and method which uses a dual mode of
identification where, along with the user ID and password, verification is done
through a challenge response PKI mechanism using a smart phone.

Another object and advantage of the present invention is to provide an effective and
efficient authentication system and method based on public and private key
encryption which converts a smart phone into a PKI token, whereby a hacker
would need to have both the server as well as the device in possession to carry
out a hacking attack.

A further object and advantage of the present invention is to provide an effective
and efficient authentication system and method which maps the physical identity
of the user to the server and increases the security of financial and other critical
transactions/information.

A further object and advantage of the present invention is to provide an effective
and efficient authentication system and method which not only prevents Online Credit
Card fraud, Card Cloning and Identity theft but also helps in preventing the acts of
habitual cyber criminals.

A further object and advantage of the present invention is to provide an effective
and efficient authentication system wherein a one touch authentication token
works by generating a “Push notification” and sending it to the registered mobile
phone of the user, for his approval or denial, anytime a user wishes to log in.

Yet another object and advantage of the present invention is to provide an
effective and efficient authentication system wherein even if a hacker gains
unauthorized access to the server, the user’s information will not be compromised
as both the public and private key or seed are required to gain access to the user’s
information in the server.

Yet another object and advantage of the present invention is to provide an
effective and efficient authentication system wherein two factor authentication is
required not just to log in to the mail account of users but also for
downloading mails in desktop and mail clients.

A further object and advantage of the present invention is that the user will
automatically be alerted if an intruder attempts to use the credentials of a user or the
user name and password of the user have been compromised.

A further object and advantage of the present invention is that the integration is
done at a protocol level, thereby ensuring that two factor authentication can be
integrated with almost any application even though it may not have inbuilt support
for a second factor of authentication.

A further object and advantage of the present invention is that the one touch
authentication challenge is generated on demand, i.e. only when a user wishes to
log into the critical infrastructure.

A further object and advantage of the present invention is that the two factor
authentication authenticates and verifies the user based on something only the
user has (mobile phone, registered desktop / laptop or the like) and something
only the user knows (user ID and password).

A further object and advantage of the present invention is that it binds the identity
of the user to his registered devices.

A further object and advantage of the present invention is that it is cost effective
and does not require complicated infrastructure implementations in comparison to
the existing technologies.

A further object and advantage of the present invention is that it can be integrated
with multiple applications apart from mail clients such as Database workflow
queries, third party applications including SAP, any mail clients either on the
phone or the desktop.

Yet another object and advantage of the present invention is that it can ensure
that a user will be able to log in only if he is within specific defined geocoordinates.
SUMMARY OF THE INVENTION
The aspects of the invention relate to a system and method of providing two-factor
authentication for access to an authenticating service. In one embodiment,
the integration of two factor authentication is done at a protocol decoding level
using one touch authentication to protect the authenticating service including
personal mail accounts, files and confidential information of users.

Thus, the invention relates to a method of providing a two-factor authentication
for access to an authenticating service, the method comprising the steps of:
receiving from a user, a request to access the authenticating service, including,
not being limited to, mail accounts, files and confidential information of the user,
wherein the request comprises a first authentication information/factor and a
second authentication information/factor; authenticating the user using a two-factor
authentication protocol based on the first and second authentication
information/factor; allowing access by the user to the authenticating service in
response to a positive authentication result; and preventing access by the user to
the authenticating service in response to a negative authentication result.

In one embodiment, the authentication information/factor includes one or more of
a one touch authentication, push notification, encrypted challenge, verbal
authentication, PIN, biometric authentication factor such as, not being limited to,
retinal scan, face recognition, fingerprint recognition, voice profile and the like.

In one embodiment, the authentication information/factor for verification of the user
includes information relating to one or more of IP address making a request,
location, time stamp, IP address of the server, last login by the user and the like.

The invention also relates to a method of providing a two-factor authentication for
access to an authenticating service, the method comprising the steps of: enrolling
a user or an organization having multiple users with an authentication system i.e.
authentication frontend server; providing access to the authentication front end
server with required number of license keys; registering the users by syncing with
an AD/LDAP or manually; providing the user a panel to associate license keys
with user names upon registration; generating and sending an authentication code
to the user mail ID once the license keys are associated with the user name; allowing
download and activation of an application for authentication on an authentication
device e.g. smart phone or the like of the user; generating a public private key
pair upon activation of the application for authentication.

In one embodiment, the method further comprises the steps of: receiving a first
authentication information/factor by the authenticating service; communicating the
first authentication factor to the authentication frontend server; comparing the
details of the user received by the authentication frontend server with the details
of the user available in a backend server; providing the user access to the
authenticating service if the details of the user received by the authentication
frontend server are the same as the details of the user available in the backend
server.

In another embodiment, the method further comprises the steps of: receiving a
first authentication information/factor by the authenticating service; communicating
the first authentication factor to the authentication frontend server; comparing the
details of the user received by the authentication frontend server with the details
of the user available in a backend server; sending a request to the backend server
to generate an encrypted challenge if the details of the user received by the
authentication front end server do not correspond to the details of the user
available in the backend server; sending the encrypted challenge to the
authentication device of the user; providing access to the authenticating service if
the user approves the challenge; preventing access by the user to the
authenticating service if the user fails to approve the challenge.

In one embodiment, the encrypted challenge sent by the backend server is sent
by using protocols such as, not being limited to, XMPP protocol or GCM/ANP.

The invention also relates to a system to provide a two-factor authentication for
access to an authenticating service, the system comprising: at least one
authenticating terminal, an authenticating service, an authentication system and
an authentication device associated with a user.

In one embodiment, the authenticating terminal is an end point terminal including,
not being limited to, home computers, work computers, laptops and the like to
access authenticating services such as, not being limited to, a third party website,
an email service or the like.

In one embodiment, the authentication system is provided with at least one
authentication backend server, at least one authentication front end server, an
authenticating service server, at least one load balancer, and a network
connecting each of backend server, authentication front end server, authenticating
service server and load balancer.

In one embodiment, the request from the user may be received through a virtual
private network. The virtual private network may be one of layer 2 tunneling
protocol (L2TP), a point-to-point tunneling protocol (PPTP), secure sockets layer
(SSL), and Internet Protocol security (IP Sec) virtual private network.

In one embodiment, the first authentication information/factor may include a login
identification and a password, and the second authentication information/factor
may include a passcode generated from a nondeterministic random sequence of
numbers.
BRIEF DESCRIPTION OF THE ACCOMPANYING DRAWINGS:
Fig. 1 illustrates the technical architecture for logging into OWA according
to the present invention;
Fig. 2 illustrates the technical architecture for logging into Active Sync or
Outlook according to the present invention;
Fig. 2 illustrates the technical architecture for logging into SAP according to
the present invention.
DETAILED DESCRIPTION OF THE INVENTION
Embodiments of the present invention provide systems and methods that provide
two factor authentication using a second authentication information/factor such as,
not being limited to, one touch authentication to be used in conjunction with a first
authentication information/factor such as, not being limited to, a user name and
static password log in combination.

One embodiment of the system of the present invention includes, not being limited
to, authenticating terminals, authenticating service, authentication system and a
mobile authentication device associated with the user.

An authenticating terminal is an end point terminal such as, not being limited to,
home computers, work computers, laptops and the like to access authenticating
services such as, not being limited to, a third party website, a web based email
service or the like. A first authentication information/factor such as a combination
of user name and password is provided from the authenticating terminal to the
authenticating service.

The authenticating service communicates with the authentication system to verify
the user’s action. The authentication system comprises a combination of computing
systems such as, not being limited to, servers, load balancers and the like
interconnected by any form or medium of digital data communication such as a
communication network. Examples of a communication network include a local area
network “LAN” or a wide area network “WAN” such as the internet.

In one embodiment, the authentication system is provided with a combination of at
least one backend server, at least one authentication frontend server, a mail
server, load balancer in communication with each other via a network.

It should be understood that the various actions in the various embodiments of
the system of the present invention can be performed by specialized circuits,
circuitry such as logic gates interconnected to perform a specified function, program
instructions executed by one or more processors or any combination thereof. Thus
the various aspects may be embodied in various forms and all such forms are
contemplated to be within the scope of the present invention.

Architecture(s) for logging into Mails using two factor authentication (2FA) are
discussed below:

1.1 Technical Architecture for logging into OWA

Process Flow   Detailed Processes
1              Request received by authentication frontend Servers
               The server validates the IP address of the user
               In case of Intranet IP, request is forwarded to Mail servers
2              User Name, Password validation is done from AD
3              Check with Authentication server whether user has been
               assigned a Second Factor of Authentication
               In case user has not been assigned 2FA, the request is
               forwarded to Mail servers
4              In case user has been assigned 2FA, a push notification is
               generated and sent to the registered device of the user
               (desktop / mobile)
5              Based on the response of the user, the request is forwarded to
               the mail servers or rejected

1.2 Technical Architecture for logging into Active Sync / Outlook

Process Flow   Detailed Processes
1              Request received by Authentication Frontend Server
               The server validates the IP address of the user
               In case of Intranet IP, request is forwarded to mail servers
2              User Name, Password validation is done from AD
3              Check with Authentication server
               o Whether user has been assigned a Second Factor of
                 Authentication
               o Whether the previous registered IP address of the user
                 has changed
               o Whether the time duration assigned to the user has
                 expired
4              A Push Notification is sent to the registered device of the user
               (Desktop / Mobile)
5              Response forwarded to Authentication Frontend Servers
6              Based on response of the user, the request forwarded to Mail
               servers or rejected

Multiple Components:

Authentication frontend server with protocol decoding engine – The
component receives the request from the user for authentication. It checks
with the authentication server for multiple criteria and conditions including, but
not limited to, whether the IP address of the user has changed since his last
authentication request. Based on the response given by the
authentication server, it sends the authentication request further to the mail
server or rejects the request.

Authentication Server – It is configured to check multiple criteria including,
but not limited to, change from last IP address of the user, time span
allocated to the user, range of IP address allowed to the user etc. to identify
whether to prompt the user for second authentication information/factor or
not. In case required, the authentication server generates an authentication
request, encrypts it using the public key of the user and sends it to the
registered authentication device of the user. It is also configured to receive
the response from the authentication device, decrypt the response and
notify the authentication frontend server accordingly.

Authentication device – This is the registered authentication device of the
user which receives the encrypted authentication request from the
authentication server, decrypts the request and notifies the user. The user
has to then approve or reject the request. The response is then encrypted
by the authentication device using the private key of the user and sent to
the authentication server for further action accordingly.

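The checks in process flow 1.2 and in the Authentication Server component above can be expressed as one decision function. The following Go code is an added example, not code from the patent: the type and field names, the 10.0.0.0/8 intranet range and the sample addresses are constructed, AD validation is reduced to a boolean, and it assumes a push is sent when the source address differs from the registered one or the assigned time duration has lapsed.

```go
package main

import (
	"fmt"
	"net/netip"
	"time"
)

// Decision is what the authentication frontend does with a login request.
type Decision string

const (
	Forward  Decision = "forward to mail servers"
	SendPush Decision = "send push notification"
	Reject   Decision = "reject"
)

// UserRecord is the per-user state held by the authentication server.
// Field names are illustrative; the page does not define a schema.
type UserRecord struct {
	TwoFactorAssigned bool
	RegisteredIP      netip.Addr    // address of the last approved login
	ApprovedAt        time.Time     // when that login was approved
	Validity          time.Duration // "time duration assigned to the user"
}

// Policy holds the address ranges treated as intranet.
type Policy struct{ Intranet []netip.Prefix }

// Decide follows process-flow steps 1 to 3 and returns the next action
// together with the reason, which is what belongs in the audit log.
func (p Policy) Decide(src string, passwordOK bool, u UserRecord, now time.Time) (Decision, string) {
	ip, err := netip.ParseAddr(src)
	if err != nil {
		return Reject, "unparseable source address" // fail closed
	}
	ip = ip.Unmap() // treat ::ffff:10.0.0.5 the same as 10.0.0.5
	for _, pfx := range p.Intranet { // step 1
		if pfx.Contains(ip) {
			return Forward, "intranet address"
		}
	}
	if !passwordOK { // step 2 (the AD lookup is a boolean in this example)
		return Reject, "user name or password rejected by AD"
	}
	switch { // step 3
	case !u.TwoFactorAssigned:
		return Forward, "no second factor assigned"
	case ip != u.RegisteredIP.Unmap():
		return SendPush, "source address differs from registered address"
	case now.Sub(u.ApprovedAt) > u.Validity:
		return SendPush, "approval validity expired"
	}
	return Forward, "registered address within validity window"
}

// AfterPush applies the user's answer (steps 4 to 6) and, on approval,
// records the address and time so the next login from there is not prompted.
func AfterPush(u *UserRecord, src string, approved bool, now time.Time) Decision {
	ip, err := netip.ParseAddr(src)
	if err != nil || !approved {
		return Reject
	}
	u.RegisteredIP, u.ApprovedAt = ip.Unmap(), now
	return Forward
}

// ConstructedPolicy and ConstructedUser return sample data made up for this example.
func ConstructedPolicy() Policy {
	return Policy{Intranet: []netip.Prefix{netip.MustParsePrefix("10.0.0.0/8")}}
}

func ConstructedUser(now time.Time) UserRecord {
	return UserRecord{
		TwoFactorAssigned: true,
		RegisteredIP:      netip.MustParseAddr("198.51.100.20"),
		ApprovedAt:        now.Add(-2 * time.Hour),
		Validity:          24 * time.Hour,
	}
}

func main() {
	now := time.Unix(1700000000, 0)
	p, u := ConstructedPolicy(), ConstructedUser(now)
	for _, src := range []string{"10.1.2.3", "198.51.100.20", "203.0.113.7", "not-an-ip"} {
		d, why := p.Decide(src, true, u, now)
		fmt.Printf("%-15s -> %s (%s)\n", src, d, why)
	}
}
```

Because step 1 forwards intranet addresses without a second factor, the address passed to `Decide` should be the peer address the frontend itself observed on the connection.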
Architecture for logging into SAP using the current system:

Process Flow   Detailed Processes
1              Request received by authentication frontend server
2              User name, password validation is done from AD
3              Check with authentication server
               o Whether user has been assigned a second authentication
                 information/factor
               o Whether the previous registered IP address of the user
                 has changed
               o Whether the time duration assigned to the user has
                 expired
4              A push notification is sent to the registered device of the user
               (desktop / mobile)
5              Response of the user is forwarded to authentication frontend
               server
6              Request forwarded to SAP servers

User Registration:
The first step involves enrolment of a user or an organization having multiple
users with the authentication system. Upon enrolment the organization receives
the following components:

o Authentication front end servers
o Access to authentication server with required number of license keys

The organization can log in to the authentication server using a user name and
password. The organization can then register their users by syncing with
the AD / LDAP or register the users manually. For user registration the following
details are required –

o Name of organization
o Name of domain
o User name
o User’s mail ID
o User’s phone number

On registration, the user is provided with a panel to associate license keys with
user names. The moment license keys are associated with user names, an
activation code in the form of a QR code is generated and sent to the mail ID of the
user.

The user can download the application on his authentication device such as a smart
phone from Play Store or iTunes or Windows Marketplace or the like. The
application can be activated by scanning the QR code sent to the user or it can be
activated via a URL.

Once activated, a public private key pair is generated. The private key is stored in
the secure database area of the phone / desktop while the public key is sent to the
authentication server (backend) over an encrypted connection. The public key is
stored on the server against the user name. The private-public key pair is generated
based on the RSA 1024 algorithm.

After registration, when the user performs login actions to access an
authenticating service such as an email or a third party website, a first
authentication factor such as a user name or password is provided by the user to
the authenticating service via authenticating terminals.

The first authentication factor is communicated to the authentication system
(authentication frontend server) by the authenticating terminal to verify the user
action.

In one embodiment, the authentication frontend server sends the request to the
authentication server which in turn checks for various parameters including
whether the user is allocated two factor authentication (2FA) or not, whether the
last registered IP address of the user has changed or not etc.

In case all the parameters are true, the response is sent to the authentication frontend
server which in turn forwards the request to the authenticating service such as, not
being limited to, mail servers. In case the parameters are false, a permission
request is made by the authentication server to the registered authentication
terminal and/or authentication device of the user (mobile / desktop) in the form of
a push notification which also contains information including the location and IP
address of the user from where he is attempting to log in. The permission request
is encrypted using the public key of the user.

The permission request is received by the user’s registered authentication
terminal and/or device (mobile / desktop) which decrypts the request using the
private key of the user. The user uses the authentication device to send a
permission response to the authentication system which is passed along to the
authenticating service, providing the second information/factor of authentication.
The permission response is encrypted using the private key of the user and sent
to the authentication server. The authentication server decrypts the request using
the public key of the user and validates the response. The response is then
forwarded to the authentication frontend server which forwards the original
request to the mail servers or rejects it depending upon the fulfilment of
authentication criteria.

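The permission request and response exchange described above, as an added Go example that is not code from the patent. It assumes RSA-OAEP for encrypting the request, realises "encrypted using the private key" as an RSA-PSS signature, and uses 2048-bit keys instead of the RSA 1024 the text names; the nonce, the one-minute answer window, the single-use rule and all names are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Challenge is the permission request the device decrypts and shows the user.
type Challenge struct {
	Nonce    []byte `json:"n"`
	User     string `json:"u"`
	SourceIP string `json:"ip"`
	IssuedAt int64  `json:"t"`
}

// Response is the device's answer; Sig covers the nonce and the decision.
type Response struct {
	Nonce, Sig []byte
	Approved   bool
}

// Server holds enrolled public keys and challenges still awaiting an answer.
type Server struct {
	keys    map[string]*rsa.PublicKey
	pending map[string]Challenge
}

const ttl = time.Minute // answer window (constructed value)

func NewServer() *Server { return &Server{map[string]*rsa.PublicKey{}, map[string]Challenge{}} }

// Enroll stands in for app activation: only the public key reaches the server.
func (s *Server) Enroll(user string) (*rsa.PrivateKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err == nil {
		s.keys[user] = &priv.PublicKey
	}
	return priv, err
}

// Issue creates a fresh challenge and encrypts it to the user's public key.
func (s *Server) Issue(user, srcIP string, now time.Time) ([]byte, error) {
	pub, ok := s.keys[user]
	if !ok {
		return nil, errors.New("user not enrolled")
	}
	c := Challenge{Nonce: make([]byte, 16), User: user, SourceIP: srcIP, IssuedAt: now.Unix()}
	if _, err := rand.Read(c.Nonce); err != nil {
		return nil, err
	}
	plain, _ := json.Marshal(c) // cannot fail for this struct
	s.pending[string(c.Nonce)] = c
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plain, nil)
}

// digest binds a decision to one challenge so it cannot be flipped or reused.
func digest(nonce []byte, approved bool) []byte {
	sum := sha256.Sum256([]byte(fmt.Sprintf("2fa-response|%x|%t", nonce, approved)))
	return sum[:]
}

// Answer runs on the device: decrypt, ask the user, sign the decision.
func Answer(priv *rsa.PrivateKey, ct []byte, approve func(Challenge) bool) (Response, error) {
	var c Challenge
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
	if err != nil || json.Unmarshal(plain, &c) != nil {
		return Response{}, errors.New("challenge could not be decrypted")
	}
	ok := approve(c)
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest(c.Nonce, ok), nil)
	return Response{Nonce: c.Nonce, Sig: sig, Approved: ok}, err
}

// Verify accepts a challenge once, within ttl, and only with a valid signature.
func (s *Server) Verify(user string, r Response, now time.Time) (bool, error) {
	c, ok := s.pending[string(r.Nonce)]
	delete(s.pending, string(r.Nonce)) // single use, whatever the outcome
	switch {
	case !ok || c.User != user:
		return false, errors.New("unknown or already used challenge")
	case now.Sub(time.Unix(c.IssuedAt, 0)) > ttl:
		return false, errors.New("challenge expired")
	}
	err := rsa.VerifyPSS(s.keys[user], crypto.SHA256, digest(r.Nonce, r.Approved), r.Sig, nil)
	return err == nil && r.Approved, err
}

func main() {
	srv, now := NewServer(), time.Now()
	priv, _ := srv.Enroll("alice") // constructed user name
	ct, _ := srv.Issue("alice", "203.0.113.7", now)
	resp, _ := Answer(priv, ct, func(c Challenge) bool { return c.SourceIP == "203.0.113.7" })
	fmt.Println(srv.Verify("alice", resp, now))
}
```

The signature covers the decision as well as the nonce, so a captured denial cannot be turned into an approval, and an approval cannot be replayed against a later login.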
In one of the embodiments of the present invention, the permission request sent
to the mobile authentication device by the authentication system is performed by
one touch authentication as opposed to the existing prior art systems wherein
OTPs (one time passwords) are generated which are required to be manually
transcribed by the user to perform two factor authentication. The verification in
one touch authentication is performed through a challenge response mechanism
wherein a user is prompted to approve or deny the challenge using a single click.

In another embodiment of the invention, the permission request sent to the user
may be presented audibly by text to voice applications wherein the user accepts or
denies the challenge using verbal input.

In another embodiment of the present invention, the permission response may
also be paired with one or more secure factors of authentication including a
biometric authentication factor such as, not being limited to, retinal scan, face
recognition, a fingerprint, voice profile and the like.

In one embodiment of the present invention, the method of
authentication/authorization comprises the steps of:

o receiving a first authentication factor (such as a user name and password)
  by the authenticating service such as web based email or a third party
  website etc.;
o communicating the first authentication information/factor to the
  authentication frontend server via a load balancer in the authentication
  system by the authenticating terminal and/or authenticating device;
o comparing the details of the user received by the authentication frontend
  server with the details present/available in the back end server;
o providing access to the authenticating service such as emails if the details
  of the user received by the authentication frontend server are the same as
  the details of the user present/available in the back end server.

The authentication frontend server checks with the authentication server whether
two factor authentication (2FA) is allocated to the user and if the last registered IP
address of the user has changed. In case the parameters return a ‘False’
response, the user is prompted for a one time password. The user enters the
one time password which is sent by the authentication frontend server to the
authentication server for validation.

In another embodiment of the present invention, the method of
authentication/authorization comprises the steps of:

o receiving a first authentication information/factor (such as a user name and
  password) by the authenticating service such as web based email or a third
  party website etc.;
o communicating the first authentication factor to the authentication frontend
  server via a load balancer in the authentication system by the
  authenticating terminal;
o comparing the details of the user received by the authentication frontend
  server with the details present in the back end server;
o sending a request to the backend server to generate an encrypted
  challenge if the details of the user received by the authentication frontend
  server do not correspond to the user’s details present at the back end
  server;
o sending the encrypted challenge to the mobile authentication device with
  pre-defined details and the option of accepting or denying the challenge using
  a single click/touch;
o providing access to the authenticating service by the authenticating system
  if the user approves the challenge;
o appending the password entered by the user during first authentication
  factor with junk characters and sending it to the authenticating service
  wherein the access to the authenticating service is denied.

The details received by the authentication frontend server which are verified or
compared with the details of the back end server to proceed with two factor
authentication may be, not being limited to, expiry date of time validity of
user name and password, IP address making the request, location etc.

The encrypted challenge sent by the backend server may be sent using protocols
25 such as, not being limited to, XMPP protocol or GCM/ANP.
The encrypted challenge or push notification sent to the mobile authentication
device for verification of the user accessing the authenticating services may have
details, such as not being limited to, IP Address making a request, time stamp, IP
30 address of the server and further details of the user such as last login and the like.
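The challenge flow described above, sketched as an added example (not code from the specification): the front end compares the request with the backend record, pushes a challenge carrying the listed details, and fails closed on denial, timeout or a forged reply. The nonce, the 60-second validity window and the HMAC over a shared device key (standing in for the unspecified encryption) are assumptions, as are all function names and sample values.

```python
import hashlib
import hmac
import secrets

CHALLENGE_TTL = 60  # seconds; assumed, the page states no validity window

def needs_challenge(req, record):
    """Compare the details the page lists: requesting IP, location, credential validity."""
    return (req["ip"] != record["last_ip"]
            or req["location"] != record["last_location"]
            or req["time"] > record["credential_expiry"])

def build_challenge(req, record, server_ip):
    """Push payload with the fields the page names, plus a one-use nonce (assumption)."""
    return {"nonce": secrets.token_hex(16), "request_ip": req["ip"],
            "timestamp": req["time"], "server_ip": server_ip,
            "last_login": record["last_login"]}

def device_response(device_key, challenge, decision):
    """Device side: bind the one-touch decision to this challenge's nonce and IP."""
    msg = "|".join([challenge["nonce"], challenge["request_ip"], decision]).encode()
    return decision, hmac.new(device_key, msg, hashlib.sha256).hexdigest()

def challenge_approved(device_key, challenge, response, now):
    """Backend side: fail closed on a missing, late, denied or forged response."""
    if response is None or now - challenge["timestamp"] > CHALLENGE_TTL:
        return False
    decision, tag = response
    _, expected = device_response(device_key, challenge, decision)
    return decision == "approve" and hmac.compare_digest(expected, tag)

def password_for_service(password, approved):
    """Denial path from the page: junk is appended so the service rejects the login."""
    return password if approved else password + secrets.token_hex(8)

def login(req, record, server_ip, device_key, respond, now):
    """respond(challenge) models the push round trip; returns what reaches the service."""
    if not needs_challenge(req, record):
        return req["password"]
    challenge = build_challenge(req, record, server_ip)
    approved = challenge_approved(device_key, challenge, respond(challenge), now)
    return password_for_service(req["password"], approved)

# Constructed sample data (documentation-range IPs), not from the page.
KEY = b"constructed-device-key"
RECORD = {"last_ip": "198.51.100.7", "last_location": "Delhi",
          "credential_expiry": 2_000_000_000, "last_login": 1_699_990_000}
REQ = {"ip": "203.0.113.9", "location": "Delhi", "time": 1_700_000_000,
       "password": "correct horse"}
```

Binding the response to the nonce and requesting IP means an approval captured for one login attempt cannot be replayed for another.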
The present invention uses mobile authentication devices such as smart phones
such as, not being limited to, Android Platform 2.2 OS and above, Blackberry OS
5.0 and above, iOS 4 and above and Windows Mobile OS or desktops / laptops
using Windows 7.0 and above, Linux (all flavors) or Mac OS or the like.
From the foregoing description, it will be apparent to one ordinarily skilled in the
art that many changes and modifications can be made thereto without departing
from the spirit or scope of the invention as set forth herein. Accordingly, it is not
intended that the scope of the foregoing description be limited to the description
set forth above, but rather that such description be construed as encompassing all
of the features of patentable novelty that reside in the present invention, including
all the features and embodiments that would be treated as equivalents thereof by
those skilled in the relevant art.
Thus, it is intended that the scope of the present invention herein disclosed should
not be limited by particular disclosed embodiments described above but should be
determined only by a fair reading of the appended claims.
WE CLAIM:
1. A method of providing a two-factor authentication for access to an
authenticating service, the method comprising the steps of:
receiving from a user, a request to access the authenticating service,
including, not being limited to, mail accounts, files and confidential information of
the user, wherein the request comprises a first authentication information/factor
and a second authentication information/factor;
authenticating the user using a two-factor authentication protocol based on
the first and second authentication information/factor;
allowing access by the user to the authenticating service in response to a
positive authentication result; and
preventing access by the user to the authenticating service in response to a
negative authentication result.
2. The method as claimed in claim 1, wherein the authentication
information/factor includes one or more of a one touch authentication, push
notification, encrypted challenge, verbal authentication, PIN, biometric
authentication factor such as, not being limited to, retinal scan, face recognition,
fingerprint recognition, voice profile and the like.
3. The method as claimed in claim 2, wherein the authentication
information/factor for verification of the user includes information relating to one or
more of IP address making a request, location, time stamp, IP address of the
server, last login by the user and the like.
4. A method of providing a two-factor authentication for access to an
authenticating service, the method comprising the steps of:
enrolling a user or an organization having multiple users with an
authentication system i.e. authentication frontend server;
providing access to the authentication front end server with required
number of license keys;
registering the users by syncing with an AD/LDAP or manually;
providing the user a panel to associate licence keys with user names upon
registration;
generating and sending an authentication code to the user mail ID once the
licence keys are associated with the user name;
allowing download and activation of an application for authentication on an
authentication device e.g. smart phone or the like of the user;
generating a public private key pair upon activation of the application for
authentication.
5. The method as claimed in claim 4, further comprising the steps of:
receiving a first authentication information/factor by the authenticating
service;
communicating the first authentication factor to the authentication frontend
server;
comparing the details of the user received by the authentication frontend
server with the details of the user available in a backend server;
providing the user access to the authenticating service if the details of the
user received by the authentication frontend server are same as the details of the
user available in the backend server.
6. The method as claimed in claim 4, further comprising the steps of:
receiving a first authentication information/factor by the authenticating
service;
communicating the first authentication factor to the authentication frontend
server;
comparing the details of the user received by the authentication frontend
server with the details of the user available in a backend server;
sending a request to the backend server to generate an encrypted
challenge if the details of the user received by the authentication front end server
do not correspond to the details of the user available in the backend server;
sending the encrypted challenge to the authentication device of the user;
providing access to the authenticating service if the user approves the
challenge;
preventing access by the user to the authenticating service if the user fails
to approve the challenge.
7. The method as claimed in claim 6, wherein the encrypted challenge sent by
the backend server is sent by using protocols such as, not being limited to, XMPP
protocol or GCM/ANP.
8. A system to provide a two-factor authentication for access to an
authenticating service, the system comprising: at least one authenticating
terminal, an authenticating service, an authentication system and an
authentication device associated with a user.
9. The system as claimed in claim 8, wherein the authenticating terminal is an
end point terminal including, not being limited to, home computers, work
computers, laptops and the like to access authenticating services such as, not
being limited to, a third party website, an email service or the like.
10. The system as claimed in claim 8, wherein the authentication system is
provided with at least one authentication backend server, at least one
authentication front end server, an authenticating service server, at least one load
balancer, and a network connecting each of backend server, authentication front
end server, authenticating service server and load balancer.
| # | Name | Date |
|---|---|---|
| 1 | Form 2 with Provisional Specification.pdf | 2015-04-13 |
| 2 | Drawings Sheets.pdf | 2015-04-13 |
| 3 | Executed POA.pdf | 2015-04-27 |
| 4 | 1002-del-2015-GPA-(29-04-2015).pdf | 2015-04-29 |
| 5 | 1002-del-2015-Form-1-(29-04-2015).pdf | 2015-04-29 |
| 6 | 1002-del-2015-Correspondence Others-(29-04-2015).pdf | 2015-04-29 |
| 7 | OTHERS [10-04-2016(online)].pdf | 2016-04-10 |
| 8 | Drawing [10-04-2016(online)].pdf | 2016-04-10 |
| 9 | Description(Complete) [10-04-2016(online)].pdf | 2016-04-10 |
| 10 | Assignment [10-04-2016(online)].pdf | 2016-04-10 |
| 11 | Form 18 [06-02-2017(online)].pdf | 2017-02-06 |
| 12 | 1002-DEL-2015-FER.pdf | 2020-02-14 |
| 13 | 1002-DEL-2015-FORM 4(ii) [07-08-2020(online)].pdf | 2020-08-07 |
| 14 | 1002-DEL-2015-OTHERS [12-11-2020(online)].pdf | 2020-11-12 |
| 15 | 1002-DEL-2015-FORM-26 [12-11-2020(online)].pdf | 2020-11-12 |
| 16 | 1002-DEL-2015-FER_SER_REPLY [12-11-2020(online)].pdf | 2020-11-12 |
| 17 | 1002-DEL-2015-DRAWING [12-11-2020(online)].pdf | 2020-11-12 |
| 18 | 1002-DEL-2015-CORRESPONDENCE [12-11-2020(online)].pdf | 2020-11-12 |
| 19 | 1002-DEL-2015-COMPLETE SPECIFICATION [12-11-2020(online)].pdf | 2020-11-12 |
| 20 | 1002-DEL-2015-CLAIMS [12-11-2020(online)].pdf | 2020-11-12 |
| 21 | 1002-DEL-2015-ABSTRACT [12-11-2020(online)].pdf | 2020-11-12 |
| 22 | 1002-DEL-2015-US(14)-HearingNotice-(HearingDate-01-08-2022).pdf | 2022-06-25 |
| 23 | 1002-DEL-2015-REQUEST FOR ADJOURNMENT OF HEARING UNDER RULE 129A [29-07-2022(online)].pdf | 2022-07-29 |
| 24 | 1002-DEL-2015-US(14)-ExtendedHearingNotice-(HearingDate-02-11-2022).pdf | 2022-09-26 |
| 25 | 1002-DEL-2015-REQUEST FOR ADJOURNMENT OF HEARING UNDER RULE 129A [28-10-2022(online)].pdf | 2022-10-28 |
| 26 | 1002-DEL-2015-US(14)-ExtendedHearingNotice-(HearingDate-26-12-2022).pdf | 2022-12-11 |
| 1 | SearchStrategyMatrix_12-02-2020.pdf |