As malicious attacks on electronic devices and networks grow in frequency and sophistication, an entity, such as a device, may be required to authenticate itself using a cryptographic certificate that binds identifying information to a public key and is signed by a trusted Certificate Authority, the entity demonstrating possession of the corresponding private key, for example by signing a challenge with it. Generally, a user (understood here to be the owner of a device, the device being uniquely distinguishable by an identifier such as a unique serial number, an International Mobile Equipment Identity (IMEI) number or a Mobile Equipment Identifier (MEID) number) is the only party that possesses the private key corresponding to the cryptographic certificate, and third parties recognize the user via the readable identifying strings embedded in the certificate.
The ability of devices and applications to achieve granularity of access control can be limited where an entity is required to present the same cryptographic certificate across a range of access contexts, or where it attempts to enforce access controls using multiple access factors, such as biometric factors (e.g., fingerprint or iris scans), that the certificate itself does not represent. Where a cryptographic certificate shows only that a device possesses a private key associated with the full set of certificate-based access privileges, certificate-based access controls lack granularity and become an “all or none” proposition: a successful certificate-based authentication grants every privilege and a failed one grants none, irrespective of the context of the access attempt or of any additional factor presented.
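As an added illustration (not part of the application text), the following Go program, written against the standard library's crypto/x509 and crypto/ed25519 packages, implements the two checks described above, chain validation to a trusted Certificate Authority and proof of possession of the private key over a challenge, and then contrasts the “all or none” privilege grant with a hypothetical context-scoped policy. The CA name, the IMEI-like device identifier, the access context names, the privilege names and the second-factor flag are all constructed for the example, and Ed25519 is an assumption, since the application names no algorithm.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Enrol plays the trusted Certificate Authority. It issues a certificate whose
// Subject carries the device's unique identifier (serialNumber attribute) and
// returns the trusted root pool, the device certificate (DER) and its private key.
func Enrol(deviceID string) (*x509.CertPool, []byte, ed25519.PrivateKey, error) {
	caPub, caPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Device CA"}, // constructed
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caPriv)
	if err != nil {
		return nil, nil, nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, nil, nil, err
	}
	devPub, devPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	devTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "device", SerialNumber: deviceID},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	devDER, err := x509.CreateCertificate(rand.Reader, devTmpl, caCert, devPub, caPriv)
	if err != nil {
		return nil, nil, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return roots, devDER, devPriv, nil
}

// Authenticate is the relying party's check: the presented certificate must
// chain to a trusted CA, and the device must prove possession of the matching
// private key by signing a challenge the relying party chose (fresh per attempt).
// On success it returns the identifier by which the relying party recognises the device.
func Authenticate(roots *x509.CertPool, certDER, challenge, sig []byte) (string, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return "", err
	}
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil {
		return "", err
	}
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	if !ok || !ed25519.Verify(pub, challenge, sig) {
		return "", errors.New("proof of possession failed")
	}
	return cert.Subject.SerialNumber, nil
}

// AuthorizeAllOrNone is the coarse model the passage describes: a passing
// certificate check grants every privilege, a failing one grants none.
func AuthorizeAllOrNone(authenticated bool) []string {
	if !authenticated {
		return nil
	}
	return []string{"read", "write", "admin"}
}

// AuthorizeScoped is a hypothetical finer-grained policy: the same certificate is
// still required, but the grant depends on the access context and a second factor.
func AuthorizeScoped(authenticated bool, context string, secondFactor bool) []string {
	switch {
	case !authenticated:
		return nil
	case context == "admin-console" && secondFactor:
		return []string{"read", "write", "admin"}
	case context == "admin-console":
		return []string{"read"} // high-risk context without the extra factor: read only
	default:
		return []string{"read", "write"}
	}
}
```

The certificate and the proof of possession establish only who the device is; nothing in them says which context the access occurs in or whether a fingerprint or iris scan accompanied the attempt, so AuthorizeAllOrNone, which is all a relying party can derive from the certificate alone, hands out the entire privilege set. AuthorizeScoped obtains the extra inputs from outside the certificate, which is exactly the information the passage says certificate-based controls cannot express by themselves. The challenge must be fresh random bytes per attempt in practice; a reused challenge lets a captured signature be replayed.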