CN-122001650-A - Multi-factor identity authentication method, equipment, medium and product
Abstract
A multi-factor identity authentication method, device, medium and product relate to the field of identity authentication. The method comprises: receiving an access request of a user to a target application and parsing the access request to obtain a primary authentication credential; performing primary authentication on the user through a unified identity management directory; when the user passes the primary authentication, acquiring multidimensional context information and a historical behavior baseline and calculating a dynamic security risk value; determining an authentication level of the access request from the dynamic security risk value; performing identity authentication according to the authentication flow corresponding to the authentication level; and, when the user passes authentication, generating a security assertion containing the user's identity information according to the authentication protocol of the target application and pushing the security assertion to the target application to complete access authorization. The application improves authentication efficiency in a precise manner while ensuring security.
Inventors
- Request for anonymity
- Request for anonymity
Assignees
- 北京联池系统科技有限公司
Dates
- Publication Date
- 20260508
- Application Date
- 20260204
Claims (10)
- 1. A multi-factor identity authentication method, applied to an identity management system, comprising: receiving an access request of a user to a target application, and parsing the access request to obtain a primary authentication credential; performing primary authentication on the user through a unified identity management directory based on the primary authentication credential; when the user passes the primary authentication, acquiring multidimensional context information of the access request in real time; calculating a dynamic security risk value of the access request based on the multidimensional context information and a historical behavior baseline of the user stored in the unified identity management directory, wherein the historical behavior baseline represents a conventional behavior portrait of the user; determining an authentication level of the access request based on the dynamic security risk value and a preset authentication level mapping table, wherein the authentication level comprises at least additional authentication exemption, standard multi-factor authentication and enhanced multi-factor authentication; when the authentication level is additional authentication exemption, determining that the user passes authentication; when the authentication level is standard multi-factor authentication or enhanced multi-factor authentication, pushing a multi-factor authentication challenge corresponding to the authentication level to the user, and judging whether the user passes authentication based on the response result of the multi-factor authentication challenge; when the user passes authentication, generating a security assertion containing the identity information of the user based on the authentication protocol of the target application; and pushing the security assertion to the target application to complete access authorization to the target application.
- 2. The method of claim 1, wherein, before performing primary authentication on the user through the unified identity management directory based on the primary authentication credential, the method further comprises: configuring multi-source connectors respectively corresponding to a plurality of heterogeneous identity sources, wherein the heterogeneous identity sources comprise at least two of an enterprise directory service, a cloud identity platform, an instant messaging platform organization structure and a human resource management system; monitoring identity lifecycle events of the corresponding heterogeneous identity sources in real time through each multi-source connector; performing attribute mapping and normalization processing on the identity lifecycle events, generating a globally unique user identity record and the historical behavior baseline, and storing the user identity record and the historical behavior baseline in the unified identity management directory; and when an identity lifecycle event represents an off-boarding event, synchronously disabling the account of the corresponding off-boarded user and terminating all access rights of the off-boarded user in the unified identity management directory, and sending an access revocation notification to the target application.
- 3. The method of claim 1, wherein the multidimensional context information comprises at least network layer information, device layer information, behavior layer information and request layer information, and wherein calculating the dynamic security risk value of the access request based on the multidimensional context information and the historical behavior baseline of the user stored in the unified identity management directory comprises: calculating a network layer risk value of the access request based on the network layer information and the network anomaly deviation degree of the historical behavior baseline, wherein the network layer information comprises a source IP address initiating the access request, geographic location information corresponding to the source IP address and a threat reputation value of the source IP address; calculating a device layer risk value of the access request based on the device layer information and the device anomaly deviation degree of the historical behavior baseline, wherein the device layer information comprises a device fingerprint of the terminal device corresponding to the access request and a management state of the terminal device; calculating a behavior layer risk value of the access request based on the behavior layer information and the behavior anomaly deviation degree of the historical behavior baseline, wherein the behavior layer information comprises the initiation time of the access request and whether the initiation time falls within a regular activity period of the user; calculating a request layer risk value of the access request based on the request layer information and the request anomaly deviation degree of the historical behavior baseline, wherein the request layer information comprises a preset sensitivity level of the target application; and performing, based on a preset weight set, a weighted summation of the network layer risk value, the device layer risk value, the behavior layer risk value and the request layer risk value to obtain the dynamic security risk value.
- 4. The method of claim 3, wherein, before performing the weighted summation of the network layer risk value, the device layer risk value, the behavior layer risk value and the request layer risk value based on the preset weight set to obtain the dynamic security risk value, the method further comprises: when the device layer information indicates that the device fingerprint matches a historical whitelist device fingerprint, adjusting the preset weight set so that the weight corresponding to the device layer risk value is a first weight; when the device fingerprint is identified as an unfamiliar fingerprint, adjusting the preset weight set so that the weight corresponding to the device layer risk value is a second weight, the second weight being greater than the first weight; and when the device fingerprint matches a historical blacklist device fingerprint, adjusting the preset weight set so that the weight corresponding to the device layer risk value is a third weight, the third weight being greater than the second weight.
- 5. The method of claim 1, wherein, when the authentication level is standard multi-factor authentication or enhanced multi-factor authentication, pushing a multi-factor authentication challenge corresponding to the authentication level to the user and judging whether the user passes authentication based on the response result of the multi-factor authentication challenge comprises: when the authentication level is standard multi-factor authentication, pushing an authentication confirmation notice to a mobile terminal pre-bound by the user, requiring the user to enter a temporary password in the authentication confirmation notice, and acquiring a standard response result to judge whether the user passes authentication; when the standard response result indicates that the user has not passed authentication, setting the authentication level to enhanced multi-factor authentication; and when the authentication level is enhanced multi-factor authentication, requiring the user to complete authentication through a hardware security key based on the FIDO2 protocol together with biometric authentication, and acquiring an enhanced response result to judge whether the user passes authentication.
- 6. The method of claim 1, wherein generating a security assertion containing the identity information of the user based on the authentication protocol of the target application comprises: acquiring the authentication protocol type of the target application; when the authentication protocol type is the SAML protocol, generating, as the security assertion, a SAML assertion that conforms to the SAML specification and contains the identity information of the user; and when the authentication protocol type is the OIDC protocol, generating, as the security assertion, an identity token that conforms to the OIDC specification and contains the identity information of the user.
- 7. The method of claim 1, wherein pushing the security assertion to the target application comprises: when the target application is a cloud platform management console, requesting a security token service from the cloud platform management console and obtaining a temporary access time limit and a temporary access credential based on the security assertion; generating a temporary login address of the cloud platform management console based on the temporary access credential; and redirecting the user to the temporary login address to complete access authorization to the cloud platform management console; and wherein the method further comprises: creating a global authentication session for the user and setting a validity period of the global authentication session; and when, within the validity period, the user issues an access request to another application other than the target application and the other application is within the authority of the user, authenticating the user based on the global authentication session.
- 8. A multi-factor identity authentication device comprising one or more processors and memory coupled to the one or more processors, the memory to store computer program code comprising computer instructions that the one or more processors invoke to cause the multi-factor identity authentication device to perform the method of any of claims 1-7.
- 9. A computer readable storage medium comprising instructions which, when run on a multi-factor authentication device, cause the multi-factor authentication device to perform the method of any of claims 1-7.
- 10. A computer program product, characterized in that the computer program product, when run on a multi-factor authentication device, causes the multi-factor authentication device to perform the method of any of claims 1-7.
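The following is an added worked example, written for this page and not the patent's own implementation, of the risk scoring and level selection described in claims 1, 3, 4 and 5: four per-layer risk values are derived from the request context against a historical baseline, weighted with a device weight chosen by the fingerprint's whitelist/unfamiliar/blacklist status, mapped through a level table, and a failed standard challenge steps up to the enhanced one. The scoring rules, weights, thresholds, the mapping table and the sample baseline and requests are all assumptions made here.

```python
"""Risk-adaptive authentication level selection, modelled on claims 1, 3, 4 and 5.
Added illustration for this page, not the patent's own implementation: the
per-layer scoring rules, weights, thresholds, mapping table and sample data
are all assumptions."""
from dataclasses import dataclass
from datetime import datetime
from enum import Enum


class Level(Enum):
    EXEMPT = "additional authentication exemption"
    STANDARD = "standard multi-factor authentication"
    ENHANCED = "enhanced multi-factor authentication"


@dataclass(frozen=True)
class Baseline:
    """Historical behaviour baseline: the user's conventional behaviour portrait."""
    usual_countries: frozenset
    whitelist_fingerprints: frozenset   # claim 4: historical whitelist devices
    blacklist_fingerprints: frozenset   # claim 4: historical blacklist devices
    active_hours: tuple                 # (start_hour, end_hour), regular activity period


@dataclass(frozen=True)
class Context:
    """Multidimensional context captured for one access request (claim 3)."""
    source_ip: str
    country: str                  # geolocation of source_ip
    ip_threat_reputation: float   # assumed scale: 0.0 clean .. 1.0 known malicious
    device_fingerprint: str
    device_managed: bool          # management state of the terminal device
    request_time: datetime
    app_sensitivity: int          # preset per application: 1 low, 2 medium, 3 high


# Assumed preset weight set; the device weight is replaced per claim 4.
BASE_WEIGHTS = {"network": 0.35, "device": 0.25, "behavior": 0.15, "request": 0.25}
DEVICE_WEIGHT = {"whitelist": 0.10, "unknown": 0.25, "blacklist": 0.50}  # first < second < third
# Assumed authentication level mapping table: a risk below the bound selects the level.
LEVEL_TABLE = [(0.30, Level.EXEMPT), (0.60, Level.STANDARD), (float("inf"), Level.ENHANCED)]


def classify_device(ctx, base):
    if ctx.device_fingerprint in base.blacklist_fingerprints:
        return "blacklist"
    if ctx.device_fingerprint in base.whitelist_fingerprints:
        return "whitelist"
    return "unknown"


def layer_risks(ctx, base):
    """Per-layer risk values in [0, 1], each expressing deviation from the baseline."""
    network = max(ctx.ip_threat_reputation,
                  0.0 if ctx.country in base.usual_countries else 0.7)
    device_class = classify_device(ctx, base)
    device = {"blacklist": 1.0, "unknown": 0.6, "whitelist": 0.2}[device_class]
    if device_class != "blacklist" and ctx.device_managed:
        device -= 0.2                      # managed endpoints deviate less
    start, end = base.active_hours
    behavior = 0.0 if start <= ctx.request_time.hour < end else 0.5
    request = (ctx.app_sensitivity - 1) / 2.0
    return {"network": network, "device": device, "behavior": behavior, "request": request}


def dynamic_risk(ctx, base):
    """Weighted sum of the four layers (claim 3) with the device weight chosen
    by the fingerprint's whitelist/unknown/blacklist status (claim 4)."""
    risks = layer_risks(ctx, base)
    weights = dict(BASE_WEIGHTS)
    weights["device"] = DEVICE_WEIGHT[classify_device(ctx, base)]
    weighted = sum(weights[k] * risks[k] for k in weights)
    return weighted / sum(weights.values())   # normalised so the value stays in [0, 1]


def authentication_level(risk):
    for bound, level in LEVEL_TABLE:
        if risk < bound:
            return level
    return Level.ENHANCED


def run_challenges(level, standard_passed, enhanced_passed):
    """Claim 5 flow. The booleans stand in for the user's challenge response
    results; a failed standard challenge steps up to the enhanced one."""
    if level is Level.EXEMPT:
        return True, Level.EXEMPT
    if level is Level.STANDARD and standard_passed:
        return True, Level.STANDARD
    # Enhanced was required up front, or the standard challenge failed.
    return enhanced_passed, Level.ENHANCED


# Constructed sample data (not from the patent).
SAMPLE_BASELINE = Baseline(frozenset({"CN"}), frozenset({"fp-laptop-01"}),
                           frozenset({"fp-stolen-99"}), (8, 19))
SAMPLE_REQUESTS = {
    "routine": Context("10.1.2.3", "CN", 0.0, "fp-laptop-01", True,
                       datetime(2024, 3, 4, 10, 0), 1),
    "new_device": Context("10.1.2.3", "CN", 0.0, "fp-unknown-42", False,
                          datetime(2024, 3, 4, 10, 0), 3),
    "hostile": Context("203.0.113.7", "US", 0.9, "fp-stolen-99", False,
                       datetime(2024, 3, 4, 3, 0), 3),
}

if __name__ == "__main__":
    for name, ctx in SAMPLE_REQUESTS.items():
        risk = dynamic_risk(ctx, SAMPLE_BASELINE)
        print(f"{name:11} risk={risk:.3f} -> {authentication_level(risk).value}")
```

With these assumed numbers the routine request scores 0.0 and is exempted, the unfamiliar unmanaged device against a high-sensitivity application scores 0.40 and gets the standard challenge, and the blacklisted device from an unusual location scores 0.912 and goes straight to the enhanced challenge; dividing by the sum of the adjusted weights keeps the score comparable across the three device weightings.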
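A second added example, again written for this page rather than taken from the patent, covers the directory-side behaviour of claims 2 and 7: lifecycle events from two heterogeneous sources are mapped into one normalized shape, an off-boarding event disables the account, terminates its access rights and global session and queues a revocation notice for each application, and a global authentication session is reused for other applications only inside its validity period and only for applications within the user's authority. The two source schemas, the eight-hour validity period and the application names are assumptions.

```python
"""Global authentication session reuse (claim 7) and identity-lifecycle revocation
(claim 2). Added illustration for this page, not the patent's own code; the source
event schemas, session validity period and application names are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class UserRecord:
    user_id: str                                     # globally unique user identity record
    enabled: bool = True
    entitlements: set = field(default_factory=set)   # applications within the user's authority


@dataclass
class GlobalSession:
    user_id: str
    issued_at: datetime
    expires_at: datetime


def normalize_event(source, raw):
    """Attribute mapping and normalisation for two assumed source schemas
    (an HR system record and a directory record) into one event shape."""
    if source == "hr":
        off = raw["status"] == "terminated"
        return {"user_id": raw["employee_no"], "type": "offboarding" if off else "update"}
    if source == "directory":
        return {"user_id": raw["account"], "type": "offboarding" if raw["disabled"] else "update"}
    raise ValueError(f"unknown identity source: {source}")


class UnifiedDirectory:
    SESSION_VALIDITY = timedelta(hours=8)   # assumed validity period

    def __init__(self):
        self.users = {}
        self.sessions = {}
        self.revocation_notices = []        # (application, user_id) pushed to applications

    def add_user(self, user_id, entitlements):
        self.users[user_id] = UserRecord(user_id, True, set(entitlements))

    def create_session(self, user_id, now):
        """Created once the user has passed authentication for the first application."""
        session = GlobalSession(user_id, now, now + self.SESSION_VALIDITY)
        self.sessions[user_id] = session
        return session

    def authorize_via_session(self, user_id, app, now):
        """Claim 7: a request to another application inside the validity period is
        authenticated from the global session, but only for applications the user
        is entitled to; an expired session is discarded."""
        user = self.users.get(user_id)
        session = self.sessions.get(user_id)
        if user is None or not user.enabled or session is None:
            return False
        if now >= session.expires_at:
            del self.sessions[user_id]
            return False
        return app in user.entitlements

    def apply_lifecycle_event(self, event):
        """Claim 2: an off-boarding event disables the account, terminates every
        access right and the global session, and queues a revocation notice for
        each application that had granted access. Returns the revoked applications."""
        if event["type"] != "offboarding":
            return []
        user = self.users[event["user_id"]]
        user.enabled = False
        revoked = sorted(user.entitlements)
        user.entitlements.clear()
        self.sessions.pop(user.user_id, None)
        self.revocation_notices.extend((app, user.user_id) for app in revoked)
        return revoked


def demo():
    """Walks a constructed scenario and returns the observations."""
    d = UnifiedDirectory()
    d.add_user("u1001", {"crm", "wiki"})            # constructed sample user
    t0 = datetime(2024, 3, 4, 9, 0)
    d.create_session("u1001", t0)
    out = {
        "entitled_app_within_validity": d.authorize_via_session("u1001", "crm", t0 + timedelta(hours=1)),
        "unentitled_app_within_validity": d.authorize_via_session("u1001", "payroll", t0 + timedelta(hours=1)),
        "after_expiry": d.authorize_via_session("u1001", "crm", t0 + timedelta(hours=9)),
    }
    d.create_session("u1001", t0 + timedelta(hours=9))   # fresh session after re-authentication
    event = normalize_event("hr", {"employee_no": "u1001", "status": "terminated"})
    out["revoked"] = d.apply_lifecycle_event(event)
    out["after_offboarding"] = d.authorize_via_session("u1001", "crm", t0 + timedelta(hours=9, minutes=1))
    out["notices"] = list(d.revocation_notices)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The revocation check deliberately consults both the account state and the session table, so that an off-boarding event closes access even if a session was issued moments earlier; the revocation notices are what the directory would push to each application that had received a security assertion for the user.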
Description
Multi-factor identity authentication method, equipment, medium and product
Technical Field
The present application relates to the field of identity authentication, and in particular to a multi-factor identity authentication method, device, medium and product.
Background
With enterprise digitalization, staff frequently access a variety of applications, and the traditional scattered identity authentication model makes user operation cumbersome and makes password security risks prominent. The prior art therefore proposes a single sign-on scheme based on a unified entry point, with fixed authentication rules preset for different applications: for example, accessing a specific system always requires a password and an SMS verification code, and when a user logs in the system automatically executes the corresponding static authentication flow according to the access target, thereby reducing repeated logins. However, an authentication model that depends on preset rules adapts poorly to dynamically changing access scenarios. Because the real-time risk at login cannot be perceived, the same authentication steps are applied to every request for the same application: in low-risk scenarios unnecessarily complex authentication is performed and efficiency drops, while in high-risk scenarios insufficient authentication strength may open security holes. The authentication flow is therefore difficult to adapt intelligently to real-time risk, and authentication efficiency cannot be improved precisely while security is ensured.
Disclosure of Invention
The embodiments of the present application provide a multi-factor identity authentication method, device, medium and product, which are used to solve the technical problem of how to improve authentication efficiency precisely while ensuring security.
In a first aspect, an embodiment of the present application provides a multi-factor identity authentication method, applied to an identity management system, including: receiving an access request of a user to a target application, and parsing the access request to obtain a primary authentication credential; performing primary authentication on the user through a unified identity management directory based on the primary authentication credential; when the user passes the primary authentication, acquiring multidimensional context information of the access request in real time; calculating a dynamic security risk value of the access request based on the multidimensional context information and a historical behavior baseline of the user stored in the unified identity management directory, wherein the historical behavior baseline represents a conventional behavior portrait of the user; determining an authentication level of the access request based on the dynamic security risk value and a preset authentication level mapping table, wherein the authentication level comprises at least additional authentication exemption, standard multi-factor authentication and enhanced multi-factor authentication; when the authentication level is additional authentication exemption, determining that the user passes authentication; when the authentication level is standard multi-factor authentication or enhanced multi-factor authentication, pushing a multi-factor authentication challenge corresponding to the authentication level to the user, and judging whether the user passes authentication based on the response result of the multi-factor authentication challenge; when the user passes authentication, generating a security assertion containing the identity information of the user based on the authentication protocol of the target application; and pushing the security assertion to the target application to complete access authorization to the target application.
Optionally, before performing primary authentication on the user through the unified identity management directory based on the primary authentication credential, the method configures multi-source connectors respectively corresponding to a plurality of heterogeneous identity sources, wherein the heterogeneous identity sources comprise at least two of an enterprise directory service, a cloud identity platform, an instant messaging platform organization structure and a human resource management system; monitors identity lifecycle events of the corresponding heterogeneous identity sources in real time through each multi-source connector; performs attribute mapping and normalization processing on the identity lifecycle events to generate globally unique user identity records and historical behavior baselines; stores the user identity records and the historical behavior baselines in the unified identity management directory; and synchronously disables the accounts of the corresponding off-boarded users and terminates all access rights of the off-boarded users in the unified identity management directory, and