The present disclosure relates to the field of electronic data processing and, more specifically, to a computer-implemented method for user authentication using a cryptographically secured register.
Authentication is a basic component of access control to computer systems as well as to resources provided by computer systems. In order to ensure that only authorized users gain access, an authentication procedure is required to establish with some degree of confidence the identity of a user in order to grant privileges established for the respective identity.
However, authentication procedures via networks may create technical challenges, because confidence in a user's identity has to be established and presented remotely over the network. This may in particular be the case in the context of a network intended to enable ubiquitous access to shared computer systems as well as to the resources provided by these systems. A user may face the requirement to authenticate to a plurality of independent computer systems or to independent resources provided by those systems, such as applications. In order to authenticate to each of these computer systems or applications, the user may use individual authentication data for each of them. However, for a growing number of computer systems or software systems, such an authentication approach on an individual level may become increasingly impractical.
In order to facilitate the authentication for multiple related, yet independent, software or hardware systems, single sign-on (SSO) may be implemented. Using SSO, a user is enabled to authenticate with a single set of authentication data to a connected system or systems without using different authentication data. SSO may be implemented using SAML (Security Assertion Markup Language), which is an open standard for exchanging authentication data between parties. The SAML specification defines three roles: a principal, an identity provider, and a service provider. When the principal requests a service from the service provider, the service provider requests an authentication assertion from the identity provider. The identity provider authenticates the principal and provides the authentication assertion to the service provider. On the basis of this assertion, the service provider can make an access control decision, i.e. decide whether to perform some service for the connected principal.
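The three-role exchange described above, as an added illustration that is not part of the present disclosure: the service provider issues a request, the identity provider authenticates the principal and returns a signed assertion, and the service provider makes its access control decision only after checking the signature, issuer, audience, request binding and validity window. The identifiers and key are constructed, and an HMAC over canonical JSON stands in for the XML signature a real SAML deployment would verify against the identity provider's certificate.

```python
import hmac, hashlib, json

# Constructed example values. The shared key stands in for the IdP signing
# certificate a SAML service provider would hold as its trust anchor.
IDP_ID = "https://idp.example.org"          # hypothetical identity provider
SP_ID = "https://app.example.com/sp"        # hypothetical service provider
TRUST_ANCHOR = b"constructed-idp-signing-key"

def _sign(payload: dict, key: bytes) -> str:
    # Canonical serialisation so signer and verifier hash identical bytes.
    data = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def sp_authn_request(request_id: str) -> dict:
    """Service provider asks the identity provider for an authentication assertion."""
    return {"id": request_id, "issuer": SP_ID, "destination": IDP_ID}

def idp_issue_assertion(request: dict, subject: str, now: float, ttl: int = 300) -> dict:
    """Identity provider has authenticated the principal and signs an assertion."""
    assertion = {
        "issuer": IDP_ID,
        "audience": request["issuer"],      # bind the assertion to the requesting SP
        "in_response_to": request["id"],    # bind it to this particular request
        "subject": subject,
        "not_before": now,
        "not_on_or_after": now + ttl,
    }
    return {"assertion": assertion, "signature": _sign(assertion, TRUST_ANCHOR)}

def sp_validate(response: dict, request: dict, now: float) -> tuple:
    """Service provider's access control decision on the returned assertion."""
    a = response["assertion"]
    expected = _sign(a, TRUST_ANCHOR)
    if not hmac.compare_digest(expected, response["signature"]):
        return False, "bad signature"            # not issued by the trusted IdP
    if a["issuer"] != IDP_ID:
        return False, "untrusted issuer"
    if a["audience"] != SP_ID:
        return False, "assertion meant for another SP"
    if a["in_response_to"] != request["id"]:
        return False, "unsolicited or replayed response"
    if not (a["not_before"] <= now < a["not_on_or_after"]):
        return False, "outside validity window"
    return True, a["subject"]                    # grant privileges for this identity
```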
Single sign-on is relatively easy to accomplish within a security domain that ensures a relationship of trust between identity provider and service provider, but extending SSO across security domains becomes challenging. Hence, there is a constant need to improve the performance of user authentication.