Abstract: A multifactor authentication system is implemented to enable interactive access to a secure application. A request to access a secure application can be received via a client device which can initially perform a credential exchange with a server associated with the secure application. Based on an indication that a credential exchange is valid, a secondary authentication request can to be sent to the client device to initiate multifactor authentication. An authentication check issued by an entity associated with the secure application can be scanned at the client device to, and an identification indicator associated with the authentication check and/or a signature of a user of the client device can be extracted. The identification indicator and the signature can be verified or otherwise authenticated, and access to the secure application via the client device can be enabled.

Abstract: To increase the effectiveness of push authentication, a push authentication can be augmented with another authentication factor. A push authentication can be augmented with the “what you know” factor, effectively merging the “what you know” factor into the “what you have” factor. Using a collection of “what you know” factor queries (e.g., knowledge-based questions), an authentication server can select a subset of the “what you know” factor queries and incorporate the selected one or more factor queries into a message that conveys the push authentication notification.

Abstract: A secure protocol has been developed that reduces the number of transactions associated with multifactor authentication (MFA) systems. An identity provider determines authentication factors which satisfy an application assurance level and constructs a credential collection file with input elements corresponding to the determined factors. The identity provider communicates the file to a client for collection of corresponding credentials. After submission of credential data, the collected set of credentials or credential data (“MFA credential set”) is returned to the identity provider for verification. The identity provider does not redirect to the client for additional transactions until after verifying the MFA credential set. In addition to reducing MFA communication overhead for a client, the credential collection file is based on a structure or schema that can be edited to adapt to changes in assurance level and authentication mechanisms.