CN-116569518-B - Second factor based domain selection for federated authentication

Abstract

In a method for authenticating a user name, a processor maintains a mapping of the user name and a domain. The processor receives a user name and a time-based one-time password code (TOTP code) for the user name based on the authentication application. The processor, upon receiving the TOTP code, determines a domain from the map based on the received user name and the received TOTP and requests entry of a credential associated with the user name in the domain. Upon receiving the requested credentials, the processor authenticates the user name by determining that the received credentials match the expected credentials for the domain.

Inventors

  • T. Dull
  • BAESSLER MICHAEL
  • H. kneg
  • O. Kosi
  • T. Schwartz

Assignees

  • International Business Machines Corporation (国际商业机器公司)

Dates

Publication Date
20260505
Application Date
20211205
Priority Date
20201215

Claims (20)

  1. A computer-implemented method for authenticating a user name, the method comprising: receiving, by one or more processors, a user name entered by a user through a browser and a time-based one-time password code, TOTP, for the user name based on an authentication application; upon receiving the TOTP: validating, by the one or more processors, the TOTP; determining, by the one or more processors, a domain from a maintained mapping of user names and a plurality of domains based on the received user name and the TOTP, the determined domain being a user repository owned by the user; validating, by the one or more processors, the determined domain; requesting, by the one or more processors, entry of credentials associated with the user name in the domain; and upon receipt of the requested credentials, authenticating, by the one or more processors, the user name by determining that the received credentials match expected credentials for the domain; receiving, by the one or more processors, a password related to the user name; and upon receiving the password related to the user name, validating, by the one or more processors, the password related to the user name against the determined domain.
  2. The method of claim 1, further comprising: receiving, by the one or more processors, the user name and the TOTP in two steps.
  3. The method of claim 1 or 2, further comprising: providing, by the one or more processors, a user interface adapted to receive the user name and the TOTP.
  4. The method of claim 3, wherein the user interface is selected from the group consisting of a graphical user interface and a command line interface.
  5. The method of claim 1, further comprising: receiving, by the one or more processors, the user name and the TOTP during a single step.
  6. The method of any of claims 1, 2, and 5, wherein the domain is selected from the group consisting of an application in a cloud computing environment, a marketplace, a software development environment, a social media platform component, and an internet store.
  7. The method of any of claims 1, 2, and 5, wherein the authentication application is a client-side TOTP generator.
  8. The method of any of claims 1, 2, and 5, wherein the mapping further comprises the TOTP.
  9. The method of any of claims 1, 2, and 5, wherein the mapping is performed using content selected from the group consisting of tables, linked lists, and databases.
  10. The method of any one of claims 1, 2, and 5, further comprising: determining, by the one or more processors, whether the TOTP is still valid; and when the TOTP is no longer valid, terminating the process by the one or more processors.
  11. A computer program product for authenticating a user name, the computer program product comprising: one or more computer-readable storage media, and program instructions collectively stored on the one or more computer-readable storage media, the program instructions comprising: program instructions for receiving a user name entered by a user through a browser and a time-based one-time password code, TOTP, for the user name based on an authentication application; program instructions for, upon receipt of the TOTP: validating the TOTP; determining a domain from a maintained mapping of user names and a plurality of domains based on the received user name and the TOTP, the determined domain being a user repository owned by the user; validating the determined domain; requesting entry of credentials associated with the user name in the domain; upon receipt of the requested credentials, authenticating the user name by determining that the received credentials match expected credentials for the domain; receiving a password related to the user name; and upon receiving the password related to the user name, validating the password related to the user name against the determined domain.
  12. The computer program product of claim 11, further comprising: program instructions, collectively stored on the one or more computer-readable storage media, for receiving the user name and the TOTP in two steps.
  13. The computer program product of claim 11 or 12, further comprising: program instructions, collectively stored on the one or more computer-readable storage media, for providing a user interface adapted for receiving the user name and the TOTP.
  14. The computer program product of claim 13, wherein the user interface is selected from the group consisting of a graphical user interface and a command line interface.
  15. The computer program product of claim 11, further comprising: program instructions, collectively stored on the one or more computer-readable storage media, for receiving the user name and the TOTP during a single step.
  16. The computer program product of any of claims 11, 12, and 15, wherein the domain is selected from the group consisting of an application in a cloud computing environment, a marketplace, a software development environment, a social media platform component, and an internet store.
  17. The computer program product of any of claims 11, 12, and 15, wherein the authentication application is a client-side TOTP generator.
  18. The computer program product of any of claims 11, 12, and 15, wherein the mapping further comprises the TOTP.
  19. The computer program product of any of claims 11, 12, and 15, wherein the mapping is performed using content selected from the group consisting of tables, linked lists, and databases.
  20. The computer program product of any of claims 11, 12, and 15, further comprising: program instructions, collectively stored on the one or more computer-readable storage media, for determining whether the TOTP is still valid; and program instructions, collectively stored on the one or more computer-readable storage media, for terminating the process when the TOTP is no longer valid.

Description

Second factor based domain selection for federated authentication

Background

The present invention relates generally to the field of authentication of user names, and more particularly to authentication of user names by automatic selection of a domain (realm) in a cloud computing environment.

The trend to use cloud computing resources operated by cloud providers rather than keep applications on-site is uninterrupted. The topic "cloud" is still one of the top three priorities of CIOs. However, the continuing trend to use hybrid clouds and more complex cloud computing products is also a burden on IT organizations and users. As cloud computing centers continue to grow and computing and storage capacities increase, access to such resources may also become more complex. This must be combined with the complexities involved in more secure access to cloud computing resources. Two-factor authentication has become a requirement of many vertical industries that are very often governed by government regulations.

Today, large clouds often support federated login with customer-owned user repositories. Each such repository may be represented by an identifier denoted as a "domain" ID. However, the domain identifier may be a long, complex, encrypted ID (identifier). It is not easy, or not at all possible, for the user to remember the obscure ID. Typically, the target domain ID must be selected manually during the search because the user name is not unique across all user repositories. Furthermore, manual domain selection may involve a large number of domains, which makes it impractical to select the correct domain. From the user's perspective, this problem exists with essentially every major cloud computing provider. Replacing the domain selection field, i.e. the static domain list, has substantially the same limitations and constraints as described above.

From a security perspective, second factor authentication (also known as two-factor authentication) is a prior art technique to prevent cryptographic attacks. Such a second factor may be implemented using a time-based one-time password or a time-based one-time password code (TOTP code). The TOTP mechanism is established for each user of each domain on the authentication server used and exported into the client application. The TOTP code generated by the client app is valid only for a certain amount of time and must be provided after entering the username/password combination for verification on the authentication server. This process is essentially the same for all reputable cloud providers. However, it is still a cumbersome process, as it requires typing in all selected domain identifiers.

There are several known documents describing the technical background of the solutions proposed herein. U.S. patent No. 9,419,968 B1 describes mobile push user authentication for local client-based login. The authentication server receives a password from a user interface at the local client for logging in to the remote server based on the local client. The method determines whether a portion of the password includes a one-time password (OTP). When the password includes the OTP, the method verifies the remaining portion of the password as a first authentication factor and verifies the OTP as a second authentication factor. Further, U.S. patent application publication No. 2020/0153814 A1 describes a method for authentication with an identity provider via a federated authorization server having at least one interface to at least one identity provider. Each identity provider is configured to verify the user identity using a respective verification method. The method includes receiving login data through a web page, the login data indicating at least an identity provider and a user.

However, the known drawbacks of requiring the input domain to be identified (particularly where it is represented by complex or obscured identifiers) in cloud computing environments remain. Thus, there is a need to overcome this limitation of current solutions and provide easy access to cloud computing domains in large cloud computing systems.

Disclosure of Invention

According to one aspect of the invention, a computer-implemented method for authenticating a user name may be provided. The method may include maintaining a mapping of a user name and a domain, and receiving the user name and a time-based one-time password code (TOTP code) for the user name based on an authentication application. The method may further include, upon receipt of the TOTP code, determining a domain from the map based on the received user name and the received TOTP and requesting entry of a credential associated with the user name in the domain. Further, the method may include authenticating the user name upon receipt of the requested credential by determining that the received credential matches the expected credential for the domain. According to another aspect of the present invention, an authentication system for authenti
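The flow the claims describe (a username plus a TOTP code selects the domain, and only then is the domain's password requested and checked) can be made concrete in a small server-side model. The code below is an added illustration written for this page; it is not the patent's or IBM's code. It assumes RFC 6238 TOTP over HMAC-SHA1 with a 30-second step, a mapping of username to the (domain, TOTP secret) pairs the user is enrolled in, and a per-domain password store using PBKDF2; the user names, realm identifiers, secrets and passwords are all constructed.

```python
"""Second-factor-based domain selection, modelled after the claimed method.

Constructed illustration, not the patent's implementation.  The mapping of
claim 1 is username -> [(domain, totp_secret)], claim 10's expiry check is
the time-step comparison in authenticate().
"""
import hashlib
import hmac
import struct
from typing import Optional, Tuple

STEP = 30      # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6
DRIFT = 1      # also accept the code of the previous and the next step


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, dynamic truncation) for the step containing unix_time."""
    counter = unix_time // STEP
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


# --- constructed enrollment data -------------------------------------------
SECRET_A = b"constructed-secret-alice-realm-a"
SECRET_B = b"constructed-secret-alice-realm-b"

# The maintained mapping: the same username exists in two federated user
# repositories (domains), each with its own TOTP secret exported to the
# user's authenticator app when the second factor was enrolled.
USER_DOMAIN_MAP = {
    "alice": [("realm-a", SECRET_A), ("realm-b", SECRET_B)],
}


def _pw_record(password: str, salt: bytes) -> Tuple[bytes, bytes]:
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Per-domain credential store: (domain, username) -> (salt, PBKDF2 hash).
CREDENTIALS = {
    ("realm-a", "alice"): _pw_record("alice-pw-realm-a", b"constructed-salt-a"),
    ("realm-b", "alice"): _pw_record("alice-pw-realm-b", b"constructed-salt-b"),
}


def select_domain(username: str, code: str, unix_time: int) -> Optional[str]:
    """Determine the domain from username + TOTP code (the claimed mapping step).

    The presented code is checked against the secret of every domain the user
    is enrolled in, inside the drift window.  Exactly one match selects the
    domain.  Zero matches, or an ambiguous match (two domains happening to
    yield the same 6-digit code), returns None so the caller fails the login
    instead of guessing a domain.
    """
    matched = []
    for domain, secret in USER_DOMAIN_MAP.get(username, []):
        for d in range(-DRIFT, DRIFT + 1):
            if hmac.compare_digest(totp(secret, unix_time + d * STEP), code):
                matched.append(domain)
                break
    return matched[0] if len(matched) == 1 else None


def verify_password(domain: str, username: str, password: str) -> bool:
    """Validate the credential against the determined domain's own store."""
    rec = CREDENTIALS.get((domain, username))
    if rec is None:
        return False
    salt, expected = rec
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(actual, expected)


def authenticate(username: str, code: str, password: str,
                 t_code: int, t_password: int) -> Tuple[str, Optional[str]]:
    """Two-step flow: (username, TOTP) first, then the password for the selected domain.

    t_code is when the TOTP arrived, t_password when the password arrived.
    Returns (status, domain).
    """
    domain = select_domain(username, code, t_code)
    if domain is None:
        return ("no_domain", None)
    # Claim 10: if the TOTP step has lapsed before the credential arrives,
    # terminate rather than accept a stale second factor.
    if t_password // STEP - t_code // STEP > DRIFT:
        return ("totp_expired", domain)
    if not verify_password(domain, username, password):
        return ("bad_password", domain)
    return ("ok", domain)


if __name__ == "__main__":
    now = 1_700_000_000  # fixed clock so the run is reproducible
    print(authenticate("alice", totp(SECRET_A, now), "alice-pw-realm-a", now, now + 10))
```

Two design points worth noting. The second factor is what disambiguates the domain, so the server must try the code against every enrolled domain and refuse an ambiguous result rather than pick the first match; and the password is only requested after a domain has been fixed, so a wrong password reveals nothing about which other domains the user name exists in.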