The use of the Internet and World Wide Web (or simply the Web) is ever increasing. To prevent unauthorized access to resources on the Web, providers may require clients to authenticate to gain access to the resources.
In a traditional approach for authentication, a client may submit credentials (e.g., username and password) to an authentication service, which validates the credentials and, if they are valid, issues a token that can be used to gain access to resources. In this approach, authentication may occur over a secure channel, such as Secure Sockets Layer (SSL)/Hypertext Transfer Protocol Secure (HTTPS) or another type of secure channel. For some providers, though, a token that is obtained over a secure channel in response to a “single sign-on” may be valid to access resources from various sites, including some sites that are secure (e.g., sites using HTTPS) and some sites that employ less security (e.g., sites using Hypertext Transfer Protocol (HTTP) in the clear).
Although the token may be encrypted, when the token is used during insecure communications with a site (e.g., HTTP communications in the clear), the potential exists for an attacker to steal the token. The attacker may then “replay” the token (e.g., present the token to a service) and thereby obtain unauthorized access, even to secure sites. Thus, tokens issued in accordance with traditional authentication approaches may be considered insecure because the tokens are susceptible to being stolen and replayed to gain unauthorized access to resources.
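The replay risk described above, shown as an added example that is not part of this document or of any implementation it describes: a signed single-sign-on token is accepted by any site that can verify the issuer's signature (reproducing the weakness), versus a resource server that additionally requires the token to have been issued for its own audience, so a token sniffed from a cleartext site cannot be replayed at a secure one. The signing key, site names and user are constructed for the demo.

```python
import hashlib
import hmac
import time
from typing import Optional, Tuple

# Constructed demo key; a real issuer would load this from a secret store.
SECRET = b"demo-signing-key"


def issue_token(user: str, audience: str, ttl: int = 300) -> str:
    """Issue an HMAC-signed bearer token scoped to one audience (site)."""
    payload = f"{user}|{audience}|{int(time.time()) + ttl}"
    sig = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{sig}"


def parse_token(token: str) -> Optional[dict]:
    """Return the claims if the signature verifies and the token is unexpired."""
    parts = token.split("|")
    if len(parts) != 4:
        return None
    user, audience, exp, sig = parts
    payload = f"{user}|{audience}|{exp}"
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    if int(exp) < int(time.time()):
        return None
    return {"user": user, "aud": audience}


def lenient_accepts(_site: str, token: str) -> bool:
    """Weak check: any valid token from the SSO issuer unlocks any site."""
    return parse_token(token) is not None


def hardened_accepts(site: str, token: str) -> bool:
    """Hardened check: token must verify, be unexpired AND be issued for this site."""
    claims = parse_token(token)
    return claims is not None and claims["aud"] == site


def replay_scenario() -> Tuple[bool, bool]:
    """Token issued for a cleartext site (sniffable in transit) replayed at a secure site."""
    sniffed = issue_token("alice", "http://news.example")
    secure_site = "https://bank.example"
    return lenient_accepts(secure_site, sniffed), hardened_accepts(secure_site, sniffed)
```

Audience scoping does not protect the cleartext site itself; it limits what a token exposed there can be replayed against.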