CN116155521A - Verification method for secure login and related equipment - Google Patents


Info

Publication number: CN116155521A
Application number: CN202111398519.6A
Authority: CN (China)
Language: Chinese (zh)
Inventors: 乐伟志, 莫兆国
Assignee (original and current): Huawei Technologies Co Ltd
Legal status: Pending
Prior art keywords: verification, factor, authentication, network, network device
Related application: PCT/CN2022/132255 (published as WO2023088306A1), claiming priority to CN202111398519.6A

Classifications

    • H04L63/0892 Network architectures or network communication protocols for network security; authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols
    • H04L63/083 Network architectures or network communication protocols for network security; authentication of entities using passwords
    • H04L63/0861 Network architectures or network communication protocols for network security; authentication of entities using biometrical features, e.g. fingerprint, retina-scan
    • H04L9/40 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
    • H04B7/185 Radio transmission systems, active relay systems; space-based or airborne stations; stations for satellite systems
    • H04B7/18519 Systems using a satellite or space-based relay; operations control, administration or maintenance
    • H04B7/18521 Systems of inter-linked satellites, i.e. inter-satellite service


Abstract

The embodiments of the invention disclose a verification method for secure login and related equipment, which improve the security of verifying login requests and ensure that only a legitimate user can log in to the network device. In the method, the network device receives a login request from the network management device. The login request includes a first verification factor and a second verification factor, and the type of the first verification factor is different from the type of the second verification factor. The network device verifies the first verification factor through a first verification device and verifies the second verification factor through a second verification device, where the first verification device and the second verification device are two different devices. The first verification factor and the second verification factor are used together to determine whether the login request passes verification.

Description

Verification method for secure login and related equipment
Technical Field
The present disclosure relates to the field of network security, and in particular, to a method and related device for authenticating secure login.
Background
Authentication, authorization and accounting (AAA) is a security management mechanism in network security. An authentication server is responsible for verifying login requests from a network management device. Once the authentication server determines that a login request passes verification, the network management device may access the access server to which the authentication server is connected. Specifically, the authentication server determines that the login request passes verification if the verification factor (Factor) received from the network management device is identical to the factor it has stored.
Existing AAA services therefore depend entirely on the authentication server. If that server suffers an information leak, the verification factor of the network management device is exposed and a security problem results.
Disclosure of Invention
The embodiments of the invention provide a verification method for secure login and related equipment. The method and the equipment effectively improve the security of verifying a login request and ensure that only a legitimate user can log in to the network device.
The first aspect of the embodiments provides a verification method for secure login. The method includes the following steps. First, the network device receives a login request from the network management device; the login request requests login to the network device and includes a first verification factor and a second verification factor, whose types differ. Next, the network device verifies the first verification factor through a first verification device and verifies the second verification factor through a second verification device, the two verification devices being two different devices. The first verification factor and the second verification factor are used together to determine whether the login request passes verification.
In this mode the login request must be verified by two different verification devices, and only when both report success does the network device determine that the login request passes verification. This improves the security of verifying the login request.
Based on the first aspect, in an optional implementation, after the network device verifies the first verification factor through the first verification device and the second verification factor through the second verification device, the method further includes: the network device determines that the login request passes verification once it has received first notification information from the first verification device and second notification information from the second verification device. The first notification information indicates that the first verification factor passed verification; the second notification information indicates that the second verification factor passed verification. The network device thus treats the login request as secure only when both independent verification devices have verified their respective factors, which improves the security of verification.
Based on the first aspect, in an optional implementation, after the network device verifies the first verification factor through the first verification device and the second verification factor through the second verification device, the method further includes: the network device determines that the login request fails verification once it has received at least one of third notification information from the first verification device or fourth notification information from the second verification device. The third notification information indicates that the first verification factor failed verification; the fourth notification information indicates that the second verification factor failed verification. In this mode the network device treats the login request as unsafe as soon as either factor fails, so a single compromised or mismatched factor cannot pass the login request.
Based on the first aspect, in an optional implementation, the network device verifying the first verification factor through the first verification device includes: first, the network device obtains a verification list, which records the correspondence between the type of the first verification factor and the address of the first verification device; second, the network device looks up, in the verification list, the address of the first verification device corresponding to the type of the first verification factor; finally, the network device sends the first verification factor to that address. In this mode the network device can determine from the verification list which device is to verify each factor type, so the first verification factor reliably reaches the first verification device and the success rate of verifying the login request is improved.
Based on the first aspect, in an optional implementation, the network device itself includes the first verification device, and verifying the first verification factor through the first verification device includes: first, the network device receives verification indication information, which indicates the type of the first verification factor; second, the network device verifies the first verification factor locally through the first verification device according to the verification indication information. Because the network device verifies the first verification factor itself, the efficiency of verifying the login request is improved and the verification delay is reduced.
Based on the first aspect, in an optional implementation, the login request itself carries the address of the first verification device corresponding to the first verification factor, and verifying the first verification factor through the first verification device includes: the network device sends the first verification factor to the first verification device according to that address. In this mode the network device determines the address of the first verification device from the login request, which again ensures the first verification factor reaches the first verification device.
Based on the first aspect, in an optional implementation, after the network device verifies the first verification factor through the first verification device and before it verifies the second verification factor through the second verification device, the method further includes: the network device receives the first notification information from the first verification device. That is, the network device first verifies the first verification factor and only after determining that it passed does it verify the second verification factor through the second verification device. Since the login request cannot pass verification if the first verification factor fails, the second verification factor is not verified at all in that case, which improves the efficiency of verifying the login request.
Based on the first aspect, in an optional implementation, after the network device verifies the first verification factor through the first verification device, the method further includes: first, the network device receives the third notification information from the first verification device; second, the network device sends the first verification factor to the master verification device. In this mode, when the first verification device reports that the first verification factor failed, the network device has the master verification device verify the first verification factor again. The master verification device has higher security, so the accuracy of verifying the first verification factor is improved.
Based on the first aspect, in an optional implementation, after the network device verifies the first verification factor through the first verification device, the method further includes: the network device determines that no information indicating whether the first verification factor passed verification has been received within a preset period, and sends the first verification factor to the master verification device. When the first verification device cannot be reached, the master verification device verifies the first verification factor instead, so the first verification factor is always verified and the network device is never left unable to decide whether the login request passes.
Based on the first aspect, in an optional implementation, the network device, the first verification device and the second verification device are satellites of a satellite system. The first verification device and the second verification device are the two different satellites, among the satellites of the system, that are geographically closest to the network device. Choosing the satellites nearest the network device as verification satellites improves the efficiency of verifying the login information and reduces the verification delay.
The second aspect of the embodiments provides a verification method for secure login. The method includes: the master verification device sends a first pre-stored factor to the first verification device and a second pre-stored factor to the second verification device, the two verification devices being two different devices. The first pre-stored factor and the second pre-stored factor are used together to verify whether a login request from the network management device passes verification; their types differ. The network management device uses the login request to log in to the network device.
For an explanation of the beneficial effects of this aspect, please refer to the first aspect, and detailed descriptions thereof are omitted.
Based on the second aspect, in an optional implementation manner, the method further includes: the master verification device sends a verification list to the network equipment, wherein the verification list comprises the corresponding relation between the type of the first pre-stored factor and the address of the first verification device.
Based on the second aspect, in an optional implementation manner, the method further includes: the master verification device sends verification indication information to the network equipment, wherein the verification indication information is used for indicating the first verification device to verify the first verification factor, and the type of the first verification factor is the same as that of the first pre-stored factor.
Based on the second aspect, in an optional implementation, after the master verification device sends the first pre-stored factor to the first verification device, the method further includes: the master verification device receives a first verification factor from the network device; the login request includes the first verification factor, whose type is the same as the type of the first pre-stored factor. If the master verification device determines that the first pre-stored factor is the same as the first verification factor, it sends information indicating that the first verification factor passed verification to the network device; otherwise it sends information indicating that the first verification factor failed verification.
Based on the second aspect, in an optional implementation, the first verification device and the second verification device are satellites of a satellite system, namely the two different satellites, among the satellites of the system, that are geographically closest to the network device.
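The following Python simulation is an added illustration of the flow described in the first and second aspects above; it is not code from the patent or from Huawei. The master verification device enrols a user and pre-distributes one factor type to each verification device (second aspect); the network device then checks the two factors of a login request in order, routes each to the device named in its verification list, and falls back to the master when a verifier reports failure or does not answer (first aspect). Class names, the dictionary-shaped login request, and the 3D-distance choice of the two nearest satellites are my assumptions; the patent only says the two geographically closest satellites are chosen. The patent compares the submitted factor with the pre-stored one for equality; using a constant-time comparison is my hardening, and storing hashed rather than raw factors would be the obvious next step but is not shown.

```python
"""Simulated two-device login verification (illustrative, not the patent's code)."""
import hmac
import math
from dataclasses import dataclass, field


@dataclass
class Verifier:
    """A verification device (e.g. one satellite) holding the pre-stored factors
    the master pushed to it. online=False models a device that never answers,
    i.e. the preset-timeout case."""
    address: str
    position: tuple  # assumed (x, y, z) in km, used only to pick the nearest satellites
    prestored: dict = field(default_factory=dict)  # user -> factor value
    online: bool = True

    def verify(self, user, factor):
        """True = pass notification, False = fail notification, None = no answer."""
        if not self.online:
            return None
        expected = self.prestored.get(user)
        return expected is not None and hmac.compare_digest(expected.encode(), factor.encode())


class Master:
    """Master verification device in the core machine room (e.g. a RADIUS server)."""
    def __init__(self):
        self.users = {}  # user -> {factor_type: factor value}

    def enroll(self, user, factors):
        self.users[user] = dict(factors)

    def distribute(self, factor_type, verifier):
        """Send every user's pre-stored factor of one type to one verifier."""
        for user, factors in self.users.items():
            if factor_type in factors:
                verifier.prestored[user] = factors[factor_type]

    def verify(self, user, factor_type, factor):
        expected = self.users.get(user, {}).get(factor_type)
        return expected is not None and hmac.compare_digest(expected.encode(), factor.encode())


def nearest_two(satellites, position):
    """Pick the two distinct satellites closest to the network device."""
    ranked = sorted(satellites, key=lambda s: math.dist(s.position, position))
    return ranked[0], ranked[1]


class NetworkDevice:
    """Target of the login request. Uses the verification list (factor type ->
    verifier) received from the master; falls back to the master on failure or timeout."""
    def __init__(self, master, verification_list):
        self.master = master
        self.verification_list = verification_list

    def authenticate(self, login_request):
        """Return (passed, reason). The second factor is only checked if the first passed."""
        user = login_request["user"]
        factors = login_request["factors"]  # [(factor_type, value), (factor_type, value)]
        if len(factors) != 2 or factors[0][0] == factors[1][0]:
            return False, "login request must carry two factors of different types"
        verifiers = [self.verification_list.get(t) for t, _ in factors]
        if None in verifiers or verifiers[0] is verifiers[1]:
            return False, "each factor type needs its own verification device"
        for (factor_type, value), verifier in zip(factors, verifiers):
            result = verifier.verify(user, value)
            if result is not True:
                # Fail notification (False) or no answer (None): re-verify at the master.
                result = self.master.verify(user, factor_type, value)
            if not result:
                return False, f"{factor_type} factor failed verification"
        return True, "both factors verified"


def demo():
    """Constructed scenario: one user, three satellites, the two nearest act as verifiers."""
    master = Master()
    master.enroll("admin", {"password": "s3cret-pw", "biometric": "fp-template-01"})
    sats = [Verifier("sat-a", (0, 0, 600)), Verifier("sat-b", (50, 0, 610)),
            Verifier("sat-c", (2000, 900, 650))]
    v1, v2 = nearest_two(sats, position=(10, 5, 0))  # sat-a and sat-b
    master.distribute("password", v1)
    master.distribute("biometric", v2)
    nd = NetworkDevice(master, {"password": v1, "biometric": v2})
    good = [("password", "s3cret-pw"), ("biometric", "fp-template-01")]
    ok = nd.authenticate({"user": "admin", "factors": good})
    bad = nd.authenticate({"user": "admin", "factors": [("password", "wrong"), good[1]]})
    v1.online = False  # first verifier silent: the master re-verifies the password
    fallback = nd.authenticate({"user": "admin", "factors": good})
    return ok, bad, fallback


if __name__ == "__main__":
    print(demo())
```

Note that this NetworkDevice only honours the verification list it received from the master. The optional implementation in which the login request itself carries the verifier's address would let the requester choose who verifies it, so a deployment of that variant should accept only addresses already present in the master's list.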
A third aspect of the embodiments provides a network device including a processor, a memory and a transceiver, the processor being connected to the memory and to the transceiver by respective lines. The transceiver is configured to receive a login request from a network management device; the login request requests login to the network device and includes a first verification factor and a second verification factor of different types. The processor invokes program code in the memory to perform the following steps: verify the first verification factor through a first verification device and verify the second verification factor through a second verification device, the two verification devices being two different devices; the first verification factor and the second verification factor are used together to determine whether the login request passes verification. For the beneficial effects of this aspect, refer to the first aspect; detailed descriptions are omitted.
Based on the third aspect, in an optional implementation, after verifying the first verification factor through the first verification device and the second verification factor through the second verification device, the processor is further configured to determine that the login request passes verification on determining that first notification information from the first verification device and second notification information from the second verification device have both been received, the first notification information indicating that the first verification factor passed verification and the second notification information indicating that the second verification factor passed verification.
Based on the third aspect, in an optional implementation, after verifying the first verification factor through the first verification device and the second verification factor through the second verification device, the processor is further configured to determine that the login request fails verification on determining that at least one of third notification information from the first verification device or fourth notification information from the second verification device has been received, the third notification information indicating that the first verification factor failed verification and the fourth notification information indicating that the second verification factor failed verification.
Based on the third aspect, in an optional implementation manner, the processor is configured to, in a process of verifying the first verification factor by the first verification device, specifically: and acquiring a verification list, wherein the verification list comprises the corresponding relation between the type of the first verification factor and the address of the first verification device. And acquiring the address of the first verification device corresponding to the type of the first verification factor according to the verification list. And sending the first verification factor to the first verification device according to the address of the first verification device.
Based on the third aspect, in an optional implementation manner, the network device includes a first verification device, and the processor is configured to, in a process of verifying the first verification factor by using the first verification device, specifically: and receiving verification indication information. The authentication indication information is used to indicate the type of the first authentication factor. And according to the verification indication information, verifying the first verification factor by the first verification device.
Based on the third aspect, in an optional implementation manner, the network device, the first verification device and the second verification device are satellites included in the satellite system. The first verification device and the second verification device are two different satellites which are closest to the network equipment in geographic position from a plurality of satellites included in the satellite system.
A fourth aspect of an embodiment of the present invention provides a master verification apparatus. The master verification device includes a processor, a memory, and a transceiver. The processor is interconnected with the memory and the transceiver by lines, respectively. The processor invokes the program code in the memory to control the transceiver to send the first pre-stored factor to the first authentication device. And controlling the transceiver to send the second pre-stored factor to the second authentication device. The first authentication means and the second authentication means are two different devices. The first pre-stored factor and the second pre-stored factor are used together to verify whether a login request from the network management device is authenticated. The type of the first pre-stored factor is different from the type of the second pre-stored factor. The network management device is used for logging in the network device through the login request. For an explanation of the beneficial effects of this aspect, please refer to the first aspect, and detailed descriptions thereof are omitted.
Based on the fourth aspect, in an alternative implementation manner, the transceiver is further configured to send the authentication list to the network device. The authentication list includes a correspondence of a type of the first pre-stored factor and an address of the first authentication device.
Based on the fourth aspect, in an optional implementation manner, the transceiver is further configured to send verification indication information to the network device. The authentication indication information is used for indicating the first authentication device to authenticate the first authentication factor. The type of the first verification factor is the same as the type of the first pre-stored factor.
Based on the fourth aspect, in an alternative implementation manner, the network device, the first verification device and the second verification device are all satellites included in the satellite system. The first verification device and the second verification device are two different satellites which are closest to the network equipment in geographic position from a plurality of satellites included in the satellite system.
A fifth aspect of embodiments of the present invention provides a computer-readable storage medium. The storage medium stores a computer program. The computer program includes program instructions. The program instructions, when executed by a processor, cause the processor to perform the method as described in the first to second aspects above.
A sixth aspect of an embodiment of the present invention provides a communication system. The communication system comprises network management equipment and network equipment which are connected in sequence. The network device is connected with the first verification device and the second verification device respectively. The first verification device, the second verification device and the network management equipment are connected with the master verification device. The communication system is configured to execute the method shown in the first aspect or the second aspect, and the detailed execution process is shown in the first aspect or the second aspect, which is not described in detail.
A seventh aspect of the embodiments of the present invention provides a communication system. The communication system comprises network management equipment and network equipment which are connected in sequence. The network device comprises a first authentication means. The network device is connected with the second verification device. The network equipment, the second verification device and the network management equipment are connected with the master verification device. The communication system is configured to execute the method shown in the first aspect or the second aspect, and the detailed execution process is shown in the first aspect or the second aspect, which is not described in detail.
An eighth aspect of an embodiment of the present invention provides a communication system. The communication system comprises a network management device, a main verification device and a gateway station which are connected in sequence. The gateway station is also connected to the network management device. The gateway station is also connected to the target satellite, the first verification satellite and the second verification satellite, respectively. The target satellite is provided as a network device as shown in the first or second aspect. The first verification satellite serves as the first verification device shown in the first aspect or the second aspect. The second verification satellite serves as the second verification means of the first or second aspect. The specific implementation process is shown in the first aspect or the second aspect, and is not described in detail.
Drawings
Fig. 1 is a diagram of a first structural example of a communication system according to an embodiment of the present application;
Fig. 2 is a flowchart of a first example of the steps of a verification method for secure login according to an embodiment of the present application;
Fig. 3 is a diagram of a second structural example of a communication system according to an embodiment of the present application;
Fig. 4 is a flowchart of a second example of the steps of a verification method for secure login according to an embodiment of the present application;
Fig. 5 is a flowchart of a third example of the steps of a verification method for secure login according to an embodiment of the present application;
Fig. 6 is a diagram of a third structural example of a communication system according to an embodiment of the present application;
Fig. 7 is a flowchart of a fourth example of the steps of a verification method for secure login according to an embodiment of the present application;
Fig. 8 is a diagram of a structural example of a communication device according to an embodiment of the present application.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to fall within the scope of the invention.
The application provides a verification method for secure login, which effectively improves the security of verifying login requests and ensures that only a legitimate user can log in to the network device. The structure of the communication system provided in the present application is described below with reference to Fig. 1, which is a diagram of a first structural example of the communication system provided in an embodiment of the present application.
The communication system 100 shown in the present embodiment includes a network management apparatus 101. The network management device 101 is also connected to the network device 103 and the master authentication apparatus 102, respectively. The network device 103 is also connected to a first authentication means 104 and a second authentication means 105, respectively. The master authentication device 102 is connected to a first authentication device 104 and a second authentication device 105, respectively.
The communication system 100 shown in the present embodiment is applicable to a satellite system. The first authentication device 104 and the second authentication device 105 are two different satellites. The communication system 100 is also applicable to data center systems. The first authentication device 104 and the second authentication device 105 may be two different data servers comprised by a data center system. As another example, communication system 100 may be applied to a transport network. The first authentication means 104 and the second authentication means 105 may be two different devices in the transport network.
The network management device 101 transmits a login request to the network device 103. The network device verifies the login request together by the first verification means 104 and the second verification means 105. After the login request is authenticated by the first authentication means 104 and the second authentication means 105, the network management device 101 can access to the network device 103. The network device 103 can implement services such as authorization, charging, and the like for the network management device 101. The network management apparatus 101 shown in the present embodiment is an apparatus held by a user. For example, the network management device 101 may be a smart phone, a desktop computer, a notebook computer, or the like. The network management device 101 may also forward the login request to the network device 103 through the network management system. The network management system may be any computing device capable of implementing AAA services for login requests from the network management device 101. For example, the network management system may be a network access server (network access server, NAS). The master verification device 102 can be deployed in a core machine room, and has high safety. For example, the master verification device may dial in an authentication service (remote authentication dial in user service, RADIUS) server for the remote user.
Based on the communication system shown in fig. 1, the following is an exemplary description of the execution procedure of the authentication method for secure login provided in the present application in connection with fig. 2. Fig. 2 is a flowchart of a first step of a method for verifying secure login according to an embodiment of the present application.
Step 201, the master verification device receives registration information.
In this embodiment, in order to be able to log in to the network device, the user first registers the network management device that the user holds with the master verification device. Specifically, the network management device sends registration information to the master verification device. The registration information requests registration with the master verification device and, in this embodiment, includes an account identifier of the user and a pre-stored factor corresponding to the account identifier.
The pre-stored factor in this embodiment is used to prove the identity of the user. The pre-stored factor may be a login password, that is, the password corresponding to the account identifier. As another example, the pre-stored factor may be based on a physiological characteristic of the user, such as fingerprint information, facial information or iris information.
Step 202, the master verification device acquires a first pre-stored factor and a second pre-stored factor.
After the master verification device determines from the registration information that the user has registered successfully, it obtains a first pre-stored factor and a second pre-stored factor from the registration information. The type of the first pre-stored factor is different from the type of the second pre-stored factor. For example, the two types are any two different ones of: login password, fingerprint information, facial information, iris information or another physiological characteristic of the user, and token. In the example used below, the first pre-stored factor is a login password and the second pre-stored factor is a token. A token in this embodiment is a character string. The master verification device may generate the token after determining that the user has registered successfully, and then sends the token to the network management device.
There are three alternative types of token that the master verification device may generate. Type one: the token is a whole-network token, meaning that the master verification device issues the same token to all network management systems that access it; this improves the token transmission efficiency of the master verification device. Type two: the token is a network-level token, meaning that the master verification device issues a different token to each network management system that accesses it. Different network management devices accessing the same network management system therefore receive the same token, while network management devices accessing different network management systems receive different tokens; because different network management systems hold different tokens, network security is improved. Type three: the token is a user-level token, meaning that the master verification device issues a different token to each network management device. Verifying the login request based on a user-level token effectively improves the security of login request verification. Note that a whole-network or network-level token is shared by many network management devices and therefore identifies the system rather than the user; with those token types the account identifier and the first verification factor remain the user-specific part of the login request.
Step 203, the master verification device sends a first pre-stored factor to the first verification device.
In this embodiment, the master verification device obtains a first verification list stored in advance. The first verification list records the correspondence between a first factor type and the address of the first verification device, where the address is the Internet Protocol (IP) address of the first verification device and the first factor type is the type of factor that is to be sent to the first verification device. For example, the first factor type is login password, so the first pre-stored factor is of the first factor type. The master verification device looks up the address of the first verification device in the first verification list. Thus, once the master verification device has obtained the first pre-stored factor, it sends the first pre-stored factor to the first verification device according to the first verification list.
Step 204, the master verification device sends the second pre-stored factor to the second verification device.
The first verification device and the second verification device are two different devices. In this embodiment, the master verification device obtains a second verification list stored in advance. The second verification list records the correspondence between a second factor type and the address of the second verification device, where the second factor type is the type of factor that is to be sent to the second verification device. For example, the second factor type is token, and the master verification device determines that the second pre-stored factor is the token, so the second pre-stored factor is of the second factor type. For the way the master verification device sends the second pre-stored factor according to the second verification list, refer to the description in step 203 of how the first pre-stored factor is sent according to the first verification list; it is not repeated here.
The order in which step 203 and step 204 are performed is not limited in this embodiment.
Step 205, the network device receives a login request from the network management device.
The network management device used by the user sends a login request to the network device, requesting to log in to the network device. The login request includes the account identifier of the user, a first verification factor and a second verification factor, where the type of the first verification factor is different from the type of the second verification factor. For the first and second verification factors, refer to the description of the first and second pre-stored factors above. In the example of this embodiment, the first verification factor is a login password and the second verification factor is a token.
Step 206, the network device sends the first verification factor to the first verification device.
The network device determines where to send the first verification factor in one of the following ways.
Mode 1: the network device additionally receives the first verification list from the master verification device (for the first verification list, see step 203). Because the type of the first verification factor is the first factor type, the network device determines from the first verification list the address of the first verification device corresponding to the first factor type, and sends the first verification factor to that address.
Mode 2: the login request received by the network device itself includes the address of the first verification device corresponding to the first verification factor, so the network device sends the first verification factor to the first verification device according to the login request. In mode 2 the address comes from the sender of the login request; a deployment will normally restrict the addresses the network device accepts, for example to those in the first verification list from the master verification device, so that the sender cannot choose which device verifies its factor.
Step 207, the first verification device sends notification information to the network device.
After receiving the first verification factor, the first verification device verifies it and sends the network device notification information indicating whether the first verification factor passed verification. If the first verification device determines that the first verification factor is the same as the first pre-stored factor, it sends first notification information to the network device, indicating that the first verification factor passed verification. If the first verification device determines that the first verification factor differs from the first pre-stored factor, it sends third notification information to the network device, indicating that the first verification factor failed verification.
Step 208, the network device sends the second verification factor to the second verification device.
In this embodiment, the network device may send the second verification factor according to the second verification list received from the master verification device, or according to the address of the second verification device included in the login request. For the sending process, refer to the description of how the network device sends the first verification factor in step 206; it is not repeated here.
Step 209, the second verification device sends notification information to the network device.
After receiving the second verification factor, the second verification device verifies it and sends the network device notification information indicating whether the second verification factor passed verification. If the second verification device determines that the second verification factor is the same as the second pre-stored factor, it sends second notification information to the network device, indicating that the second verification factor passed verification. If the second verification device determines that the second verification factor differs from the second pre-stored factor, it sends fourth notification information to the network device, indicating that the second verification factor failed verification.
The order in which step 206 and step 208 are performed is not limited in this embodiment. For example, the network device may perform step 206 first and then step 208, that is, send the first verification factor and then the second verification factor without waiting for a reply. As another example, the network device performs step 208 only after determining in step 206 that the first verification factor passed verification: only once it has received the first notification information from the first verification device does it send the second verification factor to the second verification device. If instead the network device receives the third notification information from the first verification device, it determines that the first verification factor failed verification and does not perform step 208.
Step 210, the network device determines that the login request passes verification, and sends first verification information to the network management device.
The network device determines whether the login request passes verification based on the notification information from the first verification device and the notification information from the second verification device, and if it determines that the login request passes verification, it sends first verification information to the network management device. Specifically, the network device determines that the login request passes verification if a first condition is satisfied: the network device has received both the first notification information and the second notification information. Satisfaction of the first condition therefore means that the login request has been verified by both the first verification device and the second verification device. On receiving the first verification information, the network management device determines that the login request passed verification; it has thus successfully logged in to the network device, and service traffic between the network management device and the network device can begin.
Step 211, the network device determines that the login request fails to verify, and sends second verification information to the network management device.
The network device determines that the login request failed verification if a second condition is satisfied. The second condition may be that the network device has received both the third notification information and the fourth notification information; as another example, it may be that the network device has received the third notification information or the fourth notification information. Satisfaction of the second condition therefore means that the login request failed verification. On receiving the second verification information, the network management device determines that the login request failed verification, and the user cannot log in to the network device. With the first variant of the second condition, a login request whose two factors receive one positive and one negative notification satisfies neither condition; such a request still does not meet the first condition and so is not granted login, which is why the second variant, in which a single negative notification is sufficient, is the natural choice in practice.
Taking the case in which the second verification factor and the second pre-stored factor are tokens as an example, the master verification device may periodically or at random times change the characters of the second pre-stored factor, and it synchronously updates the copy of the second pre-stored factor that it stores and the copy stored by the second verification device. Because the second pre-stored factor changes dynamically, the risk that a hijacked second pre-stored factor is used to get an unsafe login request through verification is effectively limited. After an update, the network management device must send a login request that includes the updated second verification factor in order to log in to the network device.
The login request in this embodiment includes a first verification factor and a second verification factor of different types, which are verified by two different verification devices. The verification of the login request therefore does not depend excessively on a single verification device. For example, if the first pre-stored factor stored in the first verification device leaks, an unsafe third party still cannot obtain the second pre-stored factor, and so cannot log in to the network device using the first pre-stored factor alone; the security of login request verification is thereby improved.
In this embodiment the first verification factor and the second verification factor are verified by the first verification device and the second verification device respectively, so the number of factors each verification device has to verify is reduced, the verification efficiency of each device is improved and the latency of the login request is reduced. Because the login request includes several different verification factors, its proving power is increased and the reliability of login request verification is effectively ensured.
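The exchange of steps 201 to 211 above, together with the token rotation described after step 211, as an added simulation. This is example code written for this page, not the patent's own implementation, and it assumes: in-memory objects in place of networked devices, plain strings standing in for IP addresses, a SHA-256 digest of the login password as the stored form of the first pre-stored factor, and a 16-byte random token; the class and method names are invented.

```python
"""Added simulation of steps 201-211 (Fig. 2) and of token rotation.
Example code, not the patent's; all names and the hashing scheme are assumptions."""
import hashlib
import hmac
import secrets


def hash_password(password: str) -> str:
    """Assumed canonical form of a login password: a digest is stored, not plaintext."""
    return hashlib.sha256(password.encode()).hexdigest()


class VerificationDevice:
    """First or second verification device: holds pre-stored factors of one type
    and answers True (first/second notification) or False (third/fourth)."""

    def __init__(self, address: str, canon=lambda factor: factor):
        self.address = address
        self.canon = canon                      # applied before storing and before comparing
        self.prestored: dict[str, str] = {}     # account identifier -> pre-stored factor

    def verify(self, account: str, factor: str) -> bool:
        stored = self.prestored.get(account)
        if stored is None:
            return False
        # Constant-time comparison so the reply time does not leak how much of the factor matched.
        return hmac.compare_digest(stored.encode(), self.canon(factor).encode())


class MasterVerificationDevice:
    """Master verification device (the RADIUS-server role of the patent)."""

    def __init__(self, first: VerificationDevice, second: VerificationDevice):
        self.devices = {first.address: first, second.address: second}
        # First and second verification lists: factor type -> address of the device.
        self.verification_list = {"password": first.address, "token": second.address}
        self.registry: dict[str, dict[str, str]] = {}   # account -> {type: pre-stored factor}

    def register(self, account: str, password: str) -> str:
        """Steps 201-204: accept registration, derive two pre-stored factors of
        different types, distribute each by type, and return the token."""
        token = secrets.token_hex(16)
        self.registry[account] = {}
        for ftype, value in {"password": password, "token": token}.items():
            device = self.devices[self.verification_list[ftype]]
            stored = device.canon(value)
            self.registry[account][ftype] = stored      # master keeps its own copy
            device.prestored[account] = stored
        return token                                    # sent to the network management device

    def rotate_token(self, account: str) -> str:
        """Periodic token change, synchronised to the second verification device."""
        token = secrets.token_hex(16)
        device = self.devices[self.verification_list["token"]]
        self.registry[account]["token"] = device.canon(token)
        device.prestored[account] = device.canon(token)
        return token


class NetworkDevice:
    """Network device: routes each factor of a login request by its type (mode 1,
    using the verification lists received from the master) and applies the first
    condition (both notifications positive) or the second (any negative)."""

    def __init__(self, master: MasterVerificationDevice, sequential: bool = True):
        self.verification_list = dict(master.verification_list)
        self.devices = master.devices
        self.sequential = sequential        # send the second factor only after the first passes

    def handle_login(self, request: dict) -> bool:
        notifications = []
        for ftype in ("password", "token"):          # steps 206/207, then 208/209
            device = self.devices[self.verification_list[ftype]]
            notifications.append(device.verify(request["account"], request[ftype]))
            if self.sequential and not notifications[-1]:
                break                                # third notification: skip step 208
        # Step 210: first verification information only if both notifications are positive.
        return len(notifications) == 2 and all(notifications)
```

With `sequential=True` the network device behaves as in the second ordering of step 206/208 (the token is never sent when the password is rejected); with `sequential=False` both factors are always sent and the decision is taken from both notifications. After `rotate_token`, a login request still carrying the old token is rejected by the second verification device, which is the behaviour described for the dynamically changing second pre-stored factor.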
The method for verifying secure login provided in the embodiment of the present application may also be based on the structure of the communication system shown in fig. 3. Fig. 3 is a diagram illustrating a second configuration example of the communication system according to the embodiment of the present application.
The communication system 300 shown in this embodiment includes a network management device 301, which is connected to a network device 303 and to a master verification device 302. For the network management device 301, the master verification device 302 and the network device 303, refer to the description of Fig. 1. The network device 303 shown in Fig. 3 is also connected to a second verification device 304, and the master verification device 302 is also connected to the network device 303 and to the second verification device 304.
The network device 303 further includes a first verification device. The functions of the first verification device may be implemented partly or entirely in software, in which case the network device 303 includes a memory that stores a computer program and a processor that reads and executes the program to perform the processing of the first verification device. Alternatively, the functions of the first verification device may be implemented partly or entirely in hardware, in which case the first verification device may be one or more chips or integrated circuits, for example one or more field-programmable gate arrays (FPGAs), application-specific integrated circuits (ASICs), systems on chip (SoCs), central processing units (CPUs), network processors (NPs), digital signal processors (DSPs), microcontroller units (MCUs), programmable logic devices (PLDs) or other integrated chips, or any combination of the above chips or processors.
This embodiment takes as its example the case in which the second verification device 304 and the network device 303 are two independent devices and the network device 303 includes the first verification device. In other examples, the network device and the first verification device may be two separate devices while the network device 303 includes the second verification device.
Based on the communication system shown in fig. 3, the following describes the execution procedure of the authentication method for secure login provided in the present application with reference to fig. 4. Fig. 4 is a flowchart of a second step of the method for verifying secure login according to the embodiment of the present application.
Step 401, the master verification device receives registration information.
Step 402, the master verification device acquires a first pre-stored factor and a second pre-stored factor.
For a description of the execution process of steps 401-402, refer to steps 201-202 corresponding to fig. 2, and detailed description of the execution process is omitted.
Step 403, the master verification device sends the first pre-stored factor to the network device.
In this embodiment, the master verification device obtains a first verification list stored in advance, which records the correspondence between the first factor type and the address of the network device (for the first factor type, see step 203 of Fig. 2). The master verification device therefore sends the first pre-stored factor to the network device according to the first verification list.
Step 404, the master verification device sends a second pre-stored factor to the second verification device.
Step 405, the network device receives a login request from the network management device.
For the description of the execution process of step 404 to step 405, refer to step 204 to step 205 corresponding to fig. 2, which is not described in detail.
Step 406, the network device verifies the first verification factor.
The login request includes a first verification factor and a second verification factor (see step 205 of Fig. 2). The network device obtains the first verification factor from the login request and verifies it by means of the first verification device it includes. For example, the master verification device sends verification indication information to the network device, which indicates the first factor type and indicates that the first verification device included in the network device is responsible for verifying verification factors of the first factor type.
The network device thus obtains from the login request the first verification factor, whose type is the first factor type, and verifies it by the first verification device. For the verification process carried out by the first verification device included in the network device, refer to step 207 of Fig. 2.
Step 407, the network device sends the second verification factor to the second verification device.
Step 408, the second verification device sends notification information to the network device.
Step 409, the network device determines that the login request passes the verification, and sends first verification information to the network management device.
Step 410, the network device determines that the login request fails to verify, and sends second verification information to the network management device.
For a description of the execution of steps 407-410, refer to steps 208-211 corresponding to fig. 2, and detailed descriptions thereof are omitted.
In this embodiment the network device itself includes the first verification device, so the login request is verified jointly by the network device and the second verification device. While the security of login request verification is improved, the amount of information exchanged between the devices involved is reduced, which improves the efficiency of login request verification.
Continuing with the communication system shown in Fig. 1, the execution of another verification method for secure login provided in the present application is described below with reference to Fig. 5, which is a third flowchart of steps of the method according to an embodiment of the present application. This embodiment differs from the embodiments above in that it ensures that a verdict on the login request can always be reached, even when a verification device rejects a factor or gives no answer.
Step 501, the master verification device receives registration information.
Step 502, the master verification device acquires a first pre-stored factor and a second pre-stored factor.
Step 503, the master verification device sends a first pre-stored factor to the first verification device.
Step 504, the master verification device sends a second pre-stored factor to the second verification device.
Step 505, the network device receives a login request from the network management device.
Step 506, the network device sends the first verification factor to the first verification device.
For a description of the execution process of steps 501-506, refer to steps 201-206 corresponding to fig. 2, and detailed descriptions thereof are omitted.
Step 507, the network device sends a second verification factor to the second verification device.
For a description of the execution process of step 507, please refer to step 208 corresponding to fig. 2, which is not described in detail.
Step 508, the network device sends the first verification factor to the master verification device.
In this embodiment, when the network device determines that the first verification factor failed verification, it has the first verification factor verified again by the master verification device. Because the master verification device has higher security, re-verification by it improves the accuracy of verification of the first verification factor. Specifically, the network device determines that the first verification factor failed verification if it receives the third notification information from the first verification device (see steps 207 and 211 of Fig. 2).
If the network device determines that the first verification factor cannot be verified, it likewise has the first verification factor verified by the master verification device. This ensures that the first verification factor can always be verified, and avoids the situation in which it cannot be determined whether the login request passes verification because the first verification factor could not be verified. For example, if the network device receives neither the first notification information nor the third notification information within a preset time period, it determines that the first verification factor cannot be verified. The preset time period may start when the network device sends the first verification factor to the first verification device; its duration is not limited in this embodiment.
Step 509, the master verification device sends the first master information to the network device.
As shown in step 502, the master verification device stores the first pre-stored factor and can therefore verify the first verification factor against it when the network device sends the first verification factor to it. If the first verification factor is the same as the first pre-stored factor, the first master information sent by the master verification device to the network device indicates that the first verification factor passed verification; if the first verification factor differs from the first pre-stored factor, the first master information indicates that the first verification factor failed verification.
Step 510, the network device sends the second verification factor to the master verification device.
In this embodiment, if the network device determines that the second verification factor failed verification or cannot be verified, it sends the second verification factor to the master verification device. For the conditions under which the second verification factor fails verification or cannot be verified, refer to the description for the first verification factor in step 508.
Step 511, the master verification device sends the second master information to the network device.
As shown in step 502, the master verification device stores the second pre-stored factor and can therefore verify the second verification factor against it when the network device sends the second verification factor to it. If the second verification factor is the same as the second pre-stored factor, the second master information sent by the master verification device to the network device indicates that the second verification factor passed verification; if the second verification factor differs from the second pre-stored factor, the second master information indicates that the second verification factor failed verification.
Step 512, the network device determines that the login request passes the verification, and sends first verification information to the network management device.
If the network device determines that the login request passes verification, the network device sends first verification information, indicating that the login request has been verified successfully, to the network management device. Optionally, the network device determines that the login request passes verification in any of the following cases. Case 1: the first verification factor passes verification by the first verification device and the second verification factor passes verification by the second verification device. Case 2: the first verification factor passes verification by the master verification device and the second verification factor passes verification by the second verification device. Case 3: the first verification factor passes verification by the first verification device and the second verification factor passes verification by the master verification device. Case 4: the first verification factor and the second verification factor each pass verification by the master verification device.
Step 513, the network device determines that the login request fails to verify, and sends second verification information to the network management device.
If the network device determines that the login request fails verification, the network device sends second verification information, indicating that the login request has failed verification, to the network management device. Optionally, the network device determines that the login request fails verification if the first verification factor fails verification and/or the second verification factor fails verification. The first verification factor failing verification specifically means that it fails verification by the first verification device or fails verification by the master verification device. The second verification factor failing verification specifically means that it fails verification by the second verification device or fails verification by the master verification device.
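The decision logic of steps 505 to 513, written out as an added example that is not code from the patent or from Huawei: each factor goes to the verification device for its type, a factor that fails there or gets no notification within the preset period is sent to the master verification device, and the login request passes only when both factors pass. The factor types "password" and "otp", the device names and all secret values are constructed for the example.

```python
"""Login decision with fallback to the master verification device.

Added illustration (not code from the patent or from Huawei) of the logic in
steps 505-513: each factor goes to its own verification device; a factor that
fails there, or gets no notification within the preset period, is sent to the
master verification device; the login request passes only if both factors pass.
"""
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Outcome(Enum):
    PASS = "pass"            # notification: factor passes verification
    FAIL = "fail"            # notification: factor fails verification
    NO_ANSWER = "no_answer"  # no notification within the preset time period


@dataclass(frozen=True)
class Factor:
    kind: str    # factor type; "password" and "otp" below are constructed labels
    value: str


@dataclass(frozen=True)
class LoginRequest:
    first: Factor
    second: Factor


class MasterVerificationDevice:
    """Holds one pre-stored factor per factor type (steps 501-502)."""

    def __init__(self, prestored: Dict[str, str]) -> None:
        self._prestored = dict(prestored)

    def verify(self, factor: Factor) -> Outcome:
        expected = self._prestored.get(factor.kind)
        if expected is None:
            return Outcome.FAIL
        # "same" / "different" comparison of steps 509 and 511, in constant time
        same = hmac.compare_digest(expected.encode(), factor.value.encode())
        return Outcome.PASS if same else Outcome.FAIL


# A verification device is modelled as a callable returning the notification it
# sends back; NO_ANSWER stands for the preset period expiring without a reply.
VerificationDevice = Callable[[Factor], Outcome]


class NetworkDevice:
    def __init__(self, verification_list: Dict[str, VerificationDevice],
                 master: MasterVerificationDevice) -> None:
        # verification list: factor type -> verification device for that type
        self._verification_list = verification_list
        self._master = master

    def _verify_factor(self, factor: Factor) -> Tuple[Outcome, str]:
        """Returns the final outcome and the device that produced it."""
        device = self._verification_list.get(factor.kind)
        if device is not None:
            outcome = device(factor)
            if outcome is Outcome.PASS:
                return outcome, "verification_device"
        # failed, no answer, or no device for this type: re-verify via master
        return self._master.verify(factor), "master"

    def handle_login(self, request: LoginRequest) -> Tuple[bool, List[str]]:
        """Returns (passed, [device deciding factor 1, device deciding factor 2])."""
        if request.first.kind == request.second.kind:
            return False, []   # the two factors must be of different types
        outcome1, who1 = self._verify_factor(request.first)
        outcome2, who2 = self._verify_factor(request.second)
        passed = outcome1 is Outcome.PASS and outcome2 is Outcome.PASS
        return passed, [who1, who2]


def demo() -> Dict[str, Tuple[bool, List[str]]]:
    """Constructed scenario: the first verification device holds a stale copy of
    the password factor, the second verification device (otp) works normally."""
    master = MasterVerificationDevice({"password": "s3cret", "otp": "123456"})
    # the per-type devices reuse the same compare logic with their own copies
    stale_pw_device = MasterVerificationDevice({"password": "old-secret"}).verify
    otp_device = MasterVerificationDevice({"otp": "123456"}).verify

    def silent_device(_factor: Factor) -> Outcome:
        return Outcome.NO_ANSWER   # never replies within the preset period

    good = LoginRequest(Factor("password", "s3cret"), Factor("otp", "123456"))
    wrong_otp = LoginRequest(Factor("password", "s3cret"), Factor("otp", "000000"))
    same_type = LoginRequest(Factor("otp", "123456"), Factor("otp", "123456"))

    normal = NetworkDevice({"password": stale_pw_device, "otp": otp_device}, master)
    silent = NetworkDevice({"password": silent_device, "otp": silent_device}, master)
    return {
        "stale_first_device": normal.handle_login(good),   # case 2: (True, ['master', 'verification_device'])
        "wrong_otp": normal.handle_login(wrong_otp),       # (False, ['master', 'master'])
        "no_answers": silent.handle_login(good),           # case 4: (True, ['master', 'master'])
        "same_type": normal.handle_login(same_type),       # (False, [])
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```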
The method shown in this embodiment may also be based on the communication system shown in fig. 3; the detailed implementation process is not repeated here.
By adopting the method shown in this embodiment, taking the first verification factor as an example, when the network device determines that the first verification factor fails verification or cannot be verified, the network device has the first verification factor verified by the master verification device. The first verification factor is thus verified a second time by the master verification device, and because the master verification device is more secure, the accuracy of verifying the first verification factor is effectively improved. Verifying the first verification factor through the master verification device also guarantees that the first verification factor receives a verification result, which avoids the situation in which it cannot be accurately determined whether the login request passes verification because the first verification factor could not be verified.
The communication system on which the method for verifying a secure login provided in the embodiment of the present application is based may also be as shown in fig. 6. Fig. 6 is a diagram illustrating a third configuration example of a communication system according to an embodiment of the present application. The communication system shown in this embodiment includes a satellite system and a terrestrial system. The satellite system includes a plurality of satellites orbiting the earth. The satellite system may be a broadband satellite communication system, also referred to as a multimedia satellite communication system; such a system provides processing and transport services for multimedia services such as voice, data, image and video. The terrestrial system comprises a network management device 601 and a master verification device 602, which are connected in sequence. For the description of the network management device 601 and the master verification device 602, refer to the embodiment shown in fig. 1; details are not repeated. The terrestrial system further comprises a gateway station 603, which is responsible for exchanging information with the satellites of the satellite system. The gateway station 603 is connected between the satellites and the network management device 601 to enable information interaction between them, and is likewise connected between the satellites and the master verification device 602 to enable information interaction between them.
This embodiment takes as an example a gateway station connected between the satellites and the network management device 601 and between the satellites and the master verification device 602. In other examples, a satellite base station or the like may take the place of the gateway station, which is not particularly limited. The satellite system shown in this embodiment includes a target satellite 611, a first verification satellite 612 and a second verification satellite 613. The target satellite 611 is the satellite that the network management device 601 is to log in to. The first verification satellite 612 and the second verification satellite 613 are the satellites responsible for verifying the login request from the network management device 601. The satellite system comprises inter-satellite links for information interaction between two satellites, for example an inter-satellite link between the target satellite 611 and the first verification satellite 612. The system also includes satellite-to-ground links for information interaction between a satellite and the gateway station 603, for example a link between the target satellite 611 and the gateway station 603.
Based on the communication system shown in fig. 6, the following describes the execution procedure of the method for verifying a secure login provided in this embodiment with reference to fig. 7. Fig. 7 is a fourth flowchart of the steps of the method for verifying a secure login according to an embodiment of the present application.
Step 701, the master verification device receives registration information.
Step 702, the master verification device acquires a first pre-stored factor and a second pre-stored factor.
For the description of the execution process of steps 701-702, refer to steps 201 to 202 corresponding to fig. 2, and the detailed description of the execution process is omitted.
Step 703, the master verification device sends a first pre-stored factor to the first verification satellite.
For the process by which the master verification device sends the first pre-stored factor to the first verification satellite, refer to the description of the master verification device sending the first pre-stored factor to the first verification device in step 203 corresponding to fig. 2; details are not repeated. Specifically, the master verification device transmits the first pre-stored factor to the first verification satellite through the gateway station.
Step 704, the master verification device sends a second pre-stored factor to a second verification satellite.
For the process by which the master verification device sends the second pre-stored factor to the second verification satellite, refer to the description of the master verification device sending the first pre-stored factor to the first verification satellite in step 703; details are not repeated.
The number of satellites orbiting the earth is enormous, and the master verification device shown in this embodiment can select, among the plurality of satellites, the two different satellites geographically closest to the target satellite as the first verification satellite and the second verification satellite. For example, the master verification device may rank the plurality of satellites by geographic distance from the target satellite, from nearest to farthest, to obtain a geographic priority list, and take the two satellites ranked first in that list as the first verification satellite and the second verification satellite. The geographic position of a satellite is calculated from the broadcast ephemeris or similar ephemeris data. Selecting satellites geographically close to the target satellite as verification satellites effectively improves the efficiency of verifying the login information and reduces the verification delay.
Alternatively, the master verification device may select the first verification satellite and the second verification satellite based on network bandwidth. Specifically, the master verification device may select, among the plurality of satellites, the satellites having the largest network bandwidth to the target satellite as the first verification satellite and the second verification satellite. As another example, the master verification device may select the first verification satellite and the second verification satellite based on transmission delay. Specifically, the master verification device may select, among the plurality of satellites, the satellites having the smallest transmission delay to the target satellite as the first verification satellite and the second verification satellite.
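The selection just described, as an added example that is not code from the patent or from Huawei: the other satellites are ranked by distance to the target (the geographic priority list), or alternatively by network bandwidth or transmission delay, and the two ranked first become the verification satellites. The satellite names, positions and link figures are constructed sample values; positions are assumed to be available as ECEF coordinates derived from ephemeris data.

```python
"""Choosing the first and second verification satellites for a target satellite.

Added illustration (not code from the patent or from Huawei) of the selection
described for steps 703-704. Positions and link figures are constructed values.
"""
import math
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Satellite:
    name: str
    ecef_km: Tuple[float, float, float]  # position derived from ephemeris data (assumed)
    bandwidth_mbps: float                # measured link bandwidth to the target (constructed)
    delay_ms: float                      # measured transmission delay to the target (constructed)


def distance_km(a: Satellite, b: Satellite) -> float:
    return math.dist(a.ecef_km, b.ecef_km)


def geographic_priority_list(target: Satellite, candidates: List[Satellite]) -> List[Satellite]:
    """All satellites other than the target, ordered from nearest to farthest."""
    others = [s for s in candidates if s.name != target.name]
    return sorted(others, key=lambda s: distance_km(target, s))


def select_verification_satellites(target: Satellite, candidates: List[Satellite],
                                   criterion: str = "distance") -> Tuple[str, str]:
    """Returns the names of the first and second verification satellites."""
    others = [s for s in candidates if s.name != target.name]
    if len(others) < 2:
        raise ValueError("need at least two candidate satellites besides the target")
    if criterion == "distance":
        ranked = geographic_priority_list(target, candidates)
    elif criterion == "bandwidth":
        ranked = sorted(others, key=lambda s: s.bandwidth_mbps, reverse=True)
    elif criterion == "delay":
        ranked = sorted(others, key=lambda s: s.delay_ms)
    else:
        raise ValueError(f"unknown criterion: {criterion}")
    return ranked[0].name, ranked[1].name


# Constructed constellation: the target plus four candidates.
TARGET = Satellite("SAT-T", (7000.0, 0.0, 0.0), 0.0, 0.0)
CANDIDATES = [
    TARGET,   # the target is never chosen as its own verifier
    Satellite("SAT-A", (7000.0, 500.0, 0.0), 50.0, 20.0),    # nearest
    Satellite("SAT-B", (0.0, 7000.0, 0.0), 200.0, 40.0),     # widest link
    Satellite("SAT-C", (6900.0, 0.0, 1200.0), 100.0, 8.0),   # lowest delay
    Satellite("SAT-D", (-7000.0, 0.0, 0.0), 150.0, 60.0),    # farthest
]


def demo() -> Dict[str, Tuple[str, str]]:
    """Selection under each criterion for the constructed constellation."""
    return {c: select_verification_satellites(TARGET, CANDIDATES, c)
            for c in ("distance", "bandwidth", "delay")}


if __name__ == "__main__":
    print([s.name for s in geographic_priority_list(TARGET, CANDIDATES)])
    print(demo())
```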
Step 705, the target satellite receives a login request.
Specifically, the network management device transmits the login request to the target satellite via the gateway station. The login request requests login to the target satellite. For a specific description of the login request, refer to step 205 corresponding to fig. 2, which is not repeated. The login request comprises a first verification factor and a second verification factor.
Step 706, the target satellite transmits the first verification factor to the first verification satellite.
For the process by which the target satellite sends the first verification factor to the first verification satellite, refer to the description of the network device sending the first verification factor to the first verification device in step 206 corresponding to fig. 2; details are not repeated.
Step 707, the first verification satellite sends notification information to the target satellite.
The first verification satellite verifies the received first verification factor. For the process by which the first verification satellite verifies the first verification factor, and for the notification information, refer to step 207 corresponding to fig. 2; details are not repeated.
Step 708, the target satellite transmits a second verification factor to the second verification satellite.
For the process by which the target satellite sends the second verification factor to the second verification satellite, refer to the description of the network device sending the second verification factor to the second verification device in step 208 corresponding to fig. 2; details are not repeated.
Step 709, the second verification satellite transmits notification information to the target satellite.
The second verification satellite verifies the received second verification factor. For the process by which the second verification satellite verifies the second verification factor, and for the description of the notification information, refer to step 209 corresponding to fig. 2; details are not repeated.
Step 710, the target satellite determines that the login request passes verification, and sends first verification information to the network management device.
For the process by which the target satellite obtains the first verification information, refer to the description of obtaining the first verification information in step 210 corresponding to fig. 2, which is not repeated. Specifically, the target satellite transmits the first verification information to the network management device via the gateway station.
Step 711, the target satellite determines that the login request fails to verify, and sends second verification information to the network management device.
For the process by which the target satellite obtains the second verification information, refer to the description of obtaining the second verification information in step 211 corresponding to fig. 2, which is not repeated. Specifically, the target satellite transmits the second verification information to the network management device via the gateway station.
This embodiment takes as an example three separate satellites of the satellite system serving as the target satellite, the first verification satellite and the second verification satellite. In other examples, the function of the first verification satellite may be integrated into the target satellite. The target satellite may then verify the first verification factor itself; for the specific process, refer to the example shown in fig. 4, which is not described in detail.
If the first verification satellite cannot verify the first verification factor, the target satellite may have the first verification factor verified by the master verification device. If the second verification satellite cannot verify the second verification factor, the target satellite may have the second verification factor verified by the master verification device. For the detailed process, refer to the embodiment corresponding to fig. 5; details are omitted.
The information interaction between the master verification device and the target satellite, between the master verification device and the first verification satellite, and between the master verification device and the second verification satellite shown in this embodiment may take place over a secure channel. This effectively improves the security of the information interaction and prevents leakage of the exchanged information. The secure channel may use, for example, Transport Layer Security (TLS), the Secure Shell protocol (SSH) or Internet Protocol Security (IPsec).
Taking the first verification satellite as an example, before the master verification device sends the first pre-stored factor to the first verification satellite, the master verification device may use trusted computing to measure and attest the trust state of the first verification satellite. The master verification device sends the first pre-stored factor to the first verification satellite only after determining that the first verification satellite is trustworthy, which improves the security of verifying the login information.
The satellite system shown in this embodiment may include a plurality of satellite subnetworks. Different satellite subnetworks may each independently verify different login requests from different network management devices. The specific number of satellite subnetworks is not limited in this embodiment. It will be appreciated that if the number of devices included in the communication system is relatively large, a plurality of satellite subnetworks may be deployed. Each satellite subnetwork may select the verification satellites used for verifying a login request based on the geographic location of the satellites, network bandwidth, transmission delay or the like.
Satellite systems carry relatively large security risks. For example, the communication channel of a satellite system is highly open: the exposure of the communication channel and the openness of the link make the risk of information being eavesdropped on and tampered with far greater than on the ground. As another example, an illegitimate user who gains access to the satellite system can perform unsafe actions such as hijacking, controlling or damaging the satellite. This embodiment effectively ensures the security of verifying a secure login. Specifically, the target satellite determines that the login request passes verification only when the login request has been verified by both the first verification satellite and the second verification satellite. For example, suppose a security weakness of the satellite system leads to leakage of the first pre-stored factor. The first verification factor of an illegitimate login request sent by an illegitimate user could then pass verification by the first verification satellite; however, the second verification factor of the illegitimate login request cannot pass verification by the second verification satellite. Therefore, the login request sent by the illegitimate user cannot pass verification by the first verification satellite and the second verification satellite at the same time, so that the security of login request verification is effectively ensured.
The first verification satellite and the second verification satellite shown in this embodiment are two completely independent, separately deployed satellites. For an illegitimate login request to pass verification, an attacker would have to hijack both verification satellites at the same time. The difficulty of hijacking the satellites is therefore greatly increased, and the security of the method for verifying a secure login is improved.
The embodiment of the application also provides a communication system. The communication system may be shown in fig. 1, fig. 3 or fig. 6, and the detailed description is shown in fig. 1, fig. 3 or fig. 6, which is not repeated.
The embodiment of the application also provides a communication device. The structure of the communication device is shown in fig. 8. Fig. 8 is a diagram illustrating an example structure of a communication device according to an embodiment of the present application. The communication device comprises a processor 802, a memory 803 and a transceiver 801. The processor 802 is interconnected with the memory 803 and the transceiver 801, respectively, by wires.
If the communication device is the master verification device in the embodiment corresponding to fig. 2, the transceiver 801 is configured to perform steps 201, 203 and 204, and the processor 802 invokes the program code in the memory 803 to perform step 202. If the communication device is the master verification device in the embodiment corresponding to fig. 4, the transceiver 801 is configured to perform steps 401, 403 and 404, and the processor 802 is configured to perform step 402. If the communication device is the master verification device in the embodiment corresponding to fig. 5, the transceiver 801 is configured to perform steps 501, 503, 504, 509 and 511, and the processor 802 is configured to perform step 502. If the communication device is the master verification device in the embodiment corresponding to fig. 7, the transceiver 801 is configured to perform steps 701, 703 and 704, and the processor 802 is configured to perform step 702.
If the communication device is the network device in the embodiment corresponding to fig. 2, the transceiver 801 is configured to perform steps 205, 206, 208, 210 and 211. If the communication device is the network device in the embodiment corresponding to fig. 4, the transceiver 801 is configured to perform steps 405, 407, 409 and 410, and the processor 802 is configured to perform step 406. If the communication device is the network device in the embodiment corresponding to fig. 5, the transceiver 801 is configured to perform steps 505, 506, 507, 508, 510, 512 and 513. If the communication device is the target satellite in the embodiment corresponding to fig. 7, the transceiver 801 is configured to perform steps 705, 706, 708, 710 and 711.
The above embodiments are only for illustrating the technical solution of the present invention, and not for limiting the same; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (25)

1. A method of verifying secure login, the method comprising:
a network device receives a login request from a network management device, wherein the login request is used for requesting login to the network device, the login request comprises a first verification factor and a second verification factor, and the type of the first verification factor is different from the type of the second verification factor;
the network device verifies the first verification factor through a first verification device;
the network device verifies the second verification factor through a second verification device, the first verification device and the second verification device being two different devices, and the first verification factor and the second verification factor being used together to determine whether the login request passes verification.
2. The method of claim 1, wherein after the network device verifies the first verification factor by the first verification device and the network device verifies the second verification factor by the second verification device, the method further comprises:
if the network device has received first notification information from the first verification device and second notification information from the second verification device, the network device determines that the login request passes verification, wherein the first notification information indicates that the first verification factor passes verification and the second notification information indicates that the second verification factor passes verification.
3. The method of claim 1, wherein after the network device verifies the first verification factor by the first verification device and the network device verifies the second verification factor by the second verification device, the method further comprises:
if the network device has received at least one of third notification information from the first verification device or fourth notification information from the second verification device, the network device determines that the login request fails verification, wherein the third notification information indicates that the first verification factor fails verification and the fourth notification information indicates that the second verification factor fails verification.
4. A method according to any one of claims 1 to 3, wherein the network device verifying the first verification factor by the first verification device comprises:
the network device acquires a verification list, wherein the verification list comprises the correspondence between the type of the first verification factor and the address of the first verification device;
the network device acquires the address of the first verification device corresponding to the type of the first verification factor according to the verification list;
and the network device sends the first verification factor to the first verification device according to the address of the first verification device.
5. A method according to any one of claims 1 to 3, wherein the network device comprises the first verification device, and wherein the network device verifying the first verification factor by the first verification device comprises:
the network device receives verification indication information, wherein the verification indication information indicates the type of the first verification factor;
and the network device verifies the first verification factor through the first verification device according to the verification indication information.
6. A method according to any one of claims 1 to 3, wherein the login request includes the address of the first verification device corresponding to the first verification factor, and wherein the network device verifying the first verification factor by the first verification device comprises:
and the network device sends the first verification factor to the first verification device according to the address of the first verification device.
7. The method of claim 2, wherein after the network device verifies the first verification factor by the first verification device and before the network device verifies the second verification factor by the second verification device, the method further comprises:
the network device receives the first notification information from the first verification device.
8. A method according to claim 3, wherein after the network device verifies the first verification factor by the first verification device, the method further comprises:
the network device receives the third notification information from the first verification device;
the network device sends the first verification factor to a master verification device.
9. The method according to any one of claims 1 to 8, wherein after the network device verifies the first verification factor by the first verification device, the method further comprises:
the network device determines that no information indicating whether the first verification factor passes verification has been received within a preset time period, and the network device sends the first verification factor to a master verification device.
10. The method according to any one of claims 1 to 9, wherein the network device, the first verification means and the second verification means are each satellites comprised by a satellite system, and the first verification means and the second verification means are two different satellites, of the plurality of satellites comprised by the satellite system, geographically closest to the network device.
11. A method of verifying secure login, the method comprising:
a master verification device sends a first pre-stored factor to a first verification device;
the master verification device sends a second pre-stored factor to a second verification device, the first verification device and the second verification device being two different devices, the first pre-stored factor and the second pre-stored factor being used to verify whether a login request from a network management device passes verification, the type of the first pre-stored factor being different from the type of the second pre-stored factor, and the network management device being used to log in to a network device through the login request.
12. The method of claim 11, wherein the method further comprises:
the master verification device sends a verification list to the network device, wherein the verification list comprises the correspondence between the type of the first pre-stored factor and the address of the first verification device.
13. The method of claim 11, wherein the method further comprises:
the master verification device sends verification indication information to the network device, wherein the verification indication information instructs the first verification device to verify a first verification factor, and the type of the first verification factor is the same as the type of the first pre-stored factor.
14. The method according to any one of claims 11 to 13, wherein after the master verification device sends the first pre-stored factor to the first verification device, the method further comprises:
the master verification device receives a first verification factor from the network device, wherein the login request comprises the first verification factor, and the type of the first verification factor is the same as the type of the first pre-stored factor;
if the master verification device determines that the first pre-stored factor is the same as the first verification factor, the master verification device sends information indicating that the first verification factor passes verification to the network device;
and if the master verification device determines that the first pre-stored factor and the first verification factor are different, the master verification device sends information indicating that the first verification factor fails verification to the network device.
15. The method according to any one of claims 11 to 14, wherein the first verification device and the second verification device are each satellites comprised by a satellite system, and the first verification device and the second verification device are two different satellites of the plurality of satellites comprised by the satellite system that are geographically closest to the network device.
16. A network device comprising a processor, a memory, and a transceiver, the processor being interconnected with the memory and the transceiver, respectively, by wires;
the transceiver is used for receiving a login request from a network management device, wherein the login request is used for requesting to login to the network device, the login request comprises a first verification factor and a second verification factor, and the type of the first verification factor is different from the type of the second verification factor;
the processor invokes program code in the memory for performing the steps of:
verifying the first verification factor by a first verification device;
and verifying the second verification factor by a second verification device, wherein the first verification device and the second verification device are two different devices, and the first verification factor and the second verification factor are commonly used for determining whether the login request passes verification.
17. The network device of claim 16, wherein the processor is configured to, after verifying the first verification factor by a first verification means and the processor is configured to verify the second verification factor by a second verification means, the processor is further configured to:
Determining that the login request is authenticated, determining that first notification information from the first authentication device has been received and determining that second notification information from the second authentication device has been received, the first notification information being used to indicate that the first authentication factor is authenticated, the second notification information being used to indicate that the second authentication factor is authenticated.
18. The network device of claim 16, wherein the processor is configured to, after verifying the first verification factor by a first verification means and the processor is configured to verify the second verification factor by a second verification means, the processor is further configured to:
at least one of third notification information indicating that the first authentication factor fails to authenticate or fourth notification information indicating that the second authentication factor fails to authenticate is determined to have been received from the first authentication device.
19. The network device according to any one of claims 16 to 18, wherein, in verifying the first verification factor by the first verification device, the processor is specifically configured to:
acquire a verification list, the verification list comprising a correspondence between the type of the first verification factor and the address of the first verification device;
acquire, according to the verification list, the address of the first verification device corresponding to the type of the first verification factor;
and send the first verification factor to the first verification device according to the address of the first verification device.
20. The network device according to any one of claims 16 to 18, wherein the network device comprises the first verification device, and wherein, in verifying the first verification factor by the first verification device, the processor is specifically configured to:
receive verification indication information, the verification indication information indicating the type of the first verification factor;
and verify the first verification factor by the first verification device according to the verification indication information.
21. The network device according to any one of claims 16 to 20, wherein the network device, the first verification device and the second verification device are each satellites in a satellite system, the first verification device and the second verification device being the two different satellites in the satellite system that are geographically closest to the network device.
22. A master verification device comprising a processor, a memory and a transceiver, wherein the processor is interconnected with the memory and with the transceiver through lines;
the processor invokes program code in the memory to control the transceiver to send a first pre-stored factor to a first verification device and to send a second pre-stored factor to a second verification device, wherein the first verification device and the second verification device are two different devices, the first pre-stored factor and the second pre-stored factor are used together to verify whether a login request from a network management device passes verification, the type of the first pre-stored factor is different from the type of the second pre-stored factor, and the network management device uses the login request to log in to a network device.
23. The master verification device of claim 22, wherein the transceiver is further configured to send a verification list to the network device, the verification list comprising a correspondence between the type of the first pre-stored factor and the address of the first verification device.
24. The master verification device of claim 22, wherein the transceiver is further configured to send verification indication information to the network device, the verification indication information instructing the first verification device to verify a first verification factor, the first verification factor being of the same type as the first pre-stored factor.
25. The master verification device according to any one of claims 22 to 24, wherein the network device, the first verification device and the second verification device are each satellites in a satellite system, the first verification device and the second verification device being the two different satellites in the satellite system that are geographically closest to the network device.
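The flow claimed in claims 16 to 20 (network device routes each factor by type to a different verification device, passes the login only when both notifications say pass) and in claims 22 to 24 (master verification device provisions the pre-stored factors and publishes the verification list), simulated end to end. This is an added example written for this page, not code from the patent or from Huawei; the addresses, factor types, factor values, the in-process "reachable" map standing in for the transport, and the choice to keep pre-stored factors as SHA-256 digests are all assumptions made for illustration. The second verification device is registered under the network device's own address to show the locally hosted case of claim 20.

```python
"""Constructed simulation of the split two-device verification scheme (claims 16 to 24).

Added example, not code from the patent or its assignee. Every identifier,
address and factor value is an assumption made for illustration.
"""
import hashlib
import hmac
from typing import Dict

PASS = "pass"   # stands in for first/second notification information (claim 17)
FAIL = "fail"   # stands in for third/fourth notification information (claim 18)


def _digest(value: str) -> bytes:
    # Assumption: pre-stored factors are kept as digests so a compromised
    # verification device does not leak the raw factor. The claims fix no format.
    return hashlib.sha256(value.encode()).digest()


class VerificationDevice:
    """A first or second verification device: holds one pre-stored factor per
    factor type and returns a pass/fail notification for a submitted factor."""

    def __init__(self, address: str) -> None:
        self.address = address
        self._pre_stored: Dict[str, bytes] = {}

    def store(self, factor_type: str, pre_stored_factor: str) -> None:
        # Provisioned by the master verification device (claim 22).
        self._pre_stored[factor_type] = _digest(pre_stored_factor)

    def verify(self, factor_type: str, factor: str) -> str:
        expected = self._pre_stored.get(factor_type)
        if expected is None:
            return FAIL  # unknown factor type never passes by default
        # Constant-time comparison so timing does not reveal matching prefixes.
        return PASS if hmac.compare_digest(expected, _digest(factor)) else FAIL


class MasterVerificationDevice:
    """Claims 22 and 23: pushes pre-stored factors of different types to two
    different verification devices and builds the verification list
    (factor type -> verification device address) for the network device."""

    def __init__(self) -> None:
        self.verification_list: Dict[str, str] = {}

    def provision(self, device: VerificationDevice, factor_type: str,
                  pre_stored_factor: str) -> None:
        if factor_type in self.verification_list:
            raise ValueError(f"factor type {factor_type!r} already assigned")
        if device.address in self.verification_list.values():
            raise ValueError("the two factor types must go to different devices")
        device.store(factor_type, pre_stored_factor)
        self.verification_list[factor_type] = device.address


class NetworkDevice:
    """Claims 16 to 20: receives the login request, looks up each factor type in
    the verification list (claim 19), sends the factor to that address, and
    decides from the returned notifications (claims 17 and 18). A device
    registered under the network device's own address is verified locally
    (claim 20)."""

    def __init__(self, address: str, verification_list: Dict[str, str],
                 reachable: Dict[str, VerificationDevice]) -> None:
        self.address = address
        self.verification_list = verification_list
        self.reachable = reachable  # address -> device; stands in for the transport

    def handle_login(self, login_request: Dict[str, str]) -> Dict[str, object]:
        """login_request maps factor type -> submitted factor."""
        notifications: Dict[str, str] = {}
        addresses = set()
        for factor_type, factor in login_request.items():
            address = self.verification_list.get(factor_type)
            if address is None or address not in self.reachable:
                notifications[factor_type] = FAIL  # no verifier for this type
                continue
            addresses.add(address)
            notifications[factor_type] = self.reachable[address].verify(factor_type, factor)
        # Claim 16: exactly two factors, verified by two different devices,
        # and claim 17: both notifications must say pass.
        two_devices = len(login_request) == 2 and len(addresses) == 2
        passed = two_devices and all(n == PASS for n in notifications.values())
        return {"result": PASS if passed else FAIL, "notifications": notifications}


def build_system() -> NetworkDevice:
    """Constructed topology: one master, one remote verification device, one
    verification device hosted on the network device itself (claim 20)."""
    master = MasterVerificationDevice()
    remote = VerificationDevice("10.0.0.2")   # constructed address
    local = VerificationDevice("10.0.0.1")    # same address as the network device
    master.provision(remote, "password", "Adm1n-Passw0rd!")  # constructed factors
    master.provision(local, "otp", "482913")
    reachable = {remote.address: remote, local.address: local}
    return NetworkDevice("10.0.0.1", master.verification_list, reachable)


if __name__ == "__main__":
    nd = build_system()
    print(nd.handle_login({"password": "Adm1n-Passw0rd!", "otp": "482913"}))
    print(nd.handle_login({"password": "Adm1n-Passw0rd!", "otp": "000000"}))
```

The decision is deliberately fail-closed: a request carrying one factor, a factor type absent from the verification list, or two factors that resolve to the same device all fail before any notification is consulted, which is the property a reviewer should check first in any implementation of this scheme.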
CN202111398519.6A 2021-11-19 2021-11-19 Verification method for secure login and related equipment Pending CN116155521A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202111398519.6A CN116155521A (en) 2021-11-19 2021-11-19 Verification method for secure login and related equipment
PCT/CN2022/132255 WO2023088306A1 (en) 2021-11-19 2022-11-16 Security login verification method and related device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111398519.6A CN116155521A (en) 2021-11-19 2021-11-19 Verification method for secure login and related equipment

Publications (1)

Publication Number Publication Date
CN116155521A true CN116155521A (en) 2023-05-23

Family

ID=86354944

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111398519.6A Pending CN116155521A (en) 2021-11-19 2021-11-19 Verification method for secure login and related equipment

Country Status (2)

Country Link
CN (1) CN116155521A (en)
WO (1) WO2023088306A1 (en)

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2007172508A (en) * 2005-12-26 2007-07-05 Sony Corp Detachable storage device and authentication method
CN106161338A (en) * 2015-03-26 2016-11-23 阿里巴巴集团控股有限公司 For verifying the method and device of user identity
CN107743112A (en) * 2016-10-31 2018-02-27 腾讯科技(深圳)有限公司 A kind of auth method, device and system
CN106534215A (en) * 2016-12-30 2017-03-22 武汉联影医疗科技有限公司 Service installation method and device and service login method and device
CN107294999B (en) * 2017-07-11 2020-04-28 阿里巴巴集团控股有限公司 Information verification processing method, device and system, client and server
CN112468442B (en) * 2020-10-28 2022-06-07 苏州浪潮智能科技有限公司 Double-factor authentication method and device, computer equipment and storage medium

Also Published As

Publication number Publication date
WO2023088306A1 (en) 2023-05-25

Similar Documents

Publication Publication Date Title
CN107483509B (en) A kind of auth method, server and readable storage medium storing program for executing
CN110678770B (en) Positioning information verification
CN102624720B (en) Method, device and system for identity authentication
US9401905B1 (en) Transferring soft token authentication capabilities to a new device
US20160381001A1 (en) Method and apparatus for identity authentication between systems
CN110569638B (en) API authentication method and device, storage medium and computing equipment
CN104125565A (en) Method for realizing terminal authentication based on OMA DM, terminal and server
CN107113319A (en) Method, device, system and the proxy server of response in a kind of Virtual Networking Computing certification
JP2004007690A (en) Method and apparatus for checking authentication of first communication component in communication network
CN112491776B (en) Security authentication method and related equipment
CN110069909B (en) Method and device for login of third-party system without secret
CN110830516B (en) Network access method, device, network control equipment and storage medium
CN105722072A (en) Business authorization method, device, system and router
CN111371725A (en) Method for improving security of session mechanism, terminal equipment and storage medium
US11961074B2 (en) Method and system for a network device to obtain a trusted state representation of the state of the distributed ledger technology network
CN111737681A (en) Resource acquisition method and device, storage medium and electronic device
CN107040501B (en) Authentication method and device based on platform as a service
CN111585970A (en) Token verification method and device
JP2023015376A (en) Device and method for mediating setting of authentication information
CN114553480B (en) Cross-domain single sign-on method and device, electronic equipment and readable storage medium
CN114124556A (en) Network access control method, device, equipment and storage medium
CN117251837A (en) System access method and device, electronic equipment and storage medium
CN116647345A (en) Method and device for generating permission token, storage medium and computer equipment
CN105812138B (en) Processing method, device, user terminal and the login system of login
CN111404897A (en) Message distribution method and device, storage medium and electronic equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination