1. Field of the Invention
The present invention relates generally to the field of authentication and more particularly to user authentication within federated computing systems.
2. Related Art
Passwords, one-time-passcodes (OTPs), image selection, biometrics and other methods are commonly used to authenticate users before providing access to sites or other services including online accounts, physical spaces and those provided person-to-person. The Internet and private networks provide users with access to multiple services offered by distinct service providers, each requiring independent authentication of users. Typically, a user is required to provide a username/password pair to identify the account to the service provider. The requirements for username/password pairs vary among service providers. This condition has led to users having multiple distinct username/password pairs that must be remembered and kept secret by the user.
It is generally accepted that a username/password pair identifies the user in addition to identifying the account. The username/password pair may identify the user if the username/password pair is only known to the user and the authenticating system. In the presence of a compromised username/password pair, only the account is identified. Other users and particularly criminal users can abuse the account and services provided if they gain knowledge of the username/password. Additional methods of authentication have been created to prevent unauthorized access to accounts and services. These include biometrics and identification of devices to name a few.
Combining these methods leads to additional methods. For instance, using voice and face biometrics can lead to fusion methods in which the independent results of voice and face recognition are processed to derive another measurement. There are many methods, modalities, etc. that can be used for authenticating users. The methods for authenticating a user are commonly based on one or more authentication factors, the most common being 1) something the user knows, 2) something the user has, 3) something the user does, and 4) something the user is. Other categories may exist.
A username/password pair is an example of “something the user knows.” Another example of “something the user knows” includes answering a question such as: what was the last charge on your credit card? If a username/password pair is used exclusively to authenticate a user, it is described as a single-factor authentication. Likewise, if a fingerprint is used exclusively to authenticate a user, it is described as a single-factor authentication.
If more than one factor is used to authenticate a user, the authentication is described as multifactor. For instance, username/password and an OTP sent to a user's cellular phone that must be transcribed and sent to the authenticating system are described as a multifactor authentication. In this example, the multifactor authentication includes “something the user knows” (username/password) and “something the user has” (a cellular phone). It is thought to be more difficult for criminals to compromise accounts/sites that require more than one factor. Therefore, the factors and the number of factors applied to an authentication indicate the strength of authentication. It follows that users and service providers require/desire different authentication methods to better secure some servers, services and sites. Simultaneously, users and service providers require/desire more convenient authentication methods for other servers, services and sites.
Users that require/desire access to multiple services offered by multiple vendors often must know multiple credentials and be familiar with multiple authentication methods. For instance, a tablet may require a fingerprint scan, while the phone may require a passcode and a username/password, while a Personal Computer (PC) connected to the Internet may require a username/password and an OTP for some collection of services. To simplify the authentication tasks in multi-service environments, services can trust the authentication performed by another service and avoid inconveniencing the user with additional authentication. For instance, logging into a corporate network often employs a username/password provided to a trusted authentication server. The user does not need knowledge of the particular trusted server providing the authentication. Once authenticated, the user may be authorized to use services provided by other servers that trust the authentication. When the user attempts to access a service available on the exemplary corporate network, the service contacts the authenticating server and verifies the user authentication. If the user has been authenticated, the user may be permitted to access the service. Otherwise, the user may be authenticated by the service or a trusted authentication server.
Networked environments comprising multiple servers that trust the authentication provided by other servers are described as federated. There exist a number of standards, protocols and implementations of federated authentication systems including: the Microsoft Security Token Service, OpenID Connect, Shibboleth, etc. Federated authentication systems operate within a trust framework comprising one or more authentication servers that provide results relied upon by another party. The authentication servers are known as Identity Providers (IPs). The consumers of the authentication results are known as Relying Parties (RPs). A server, service or site can be both an IP and an RP.
Federated authentication systems can simplify the user environment by providing the user with the choice of using a single authentication service. Users can select a single authentication server, authenticate once and have access to multiple services. This benefit is commonly referred to as Single Sign-on (SSO). Federated authentication systems provide varying methods of authentication that can often be selected by the user. For instance, a user may choose to use multifactor authentication including a username/password and OTP. Such a choice reflects a user's willingness to endure additional inconvenience (they must have their phone) in exchange for greater perceived security (use of additional factors). Once authenticated, however, the user gains access to services offered by servers in the federation. The user may be prompted to identify themselves to other servers participating in the federation. Therefore authentication servers provide a federated identity to users.
It should be appreciated that while federated authentication servers offer varying authentication methods, the user must select one. For instance, if a user chooses username/password for their authentication method to their federated authentication server, the authentication is valid for all servers, services and sites participating in the federation. In other words, the authentication applies equally to the user's bank account and the user's social media account. Because of this, savvy users may opt to authenticate with strong methods or authenticate separately to high-value accounts, both of which are inconvenient to the user.
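The situation described above, as an added example that is not part of the original text: a simplified federation in which the identity provider signs an assertion listing the methods used, and a relying party either accepts any valid assertion or applies its own minimum number of factor categories. The shared HMAC key, the `methods` field, the factor mapping and the `min_factors` check are assumptions made for illustration; deployed federations typically use asymmetric signatures.

```python
import hashlib
import hmac
import json

# Constructed demo key shared by the identity provider and relying parties.
FEDERATION_KEY = b"constructed-demo-key"

# Factor category for each method named in the text (illustrative mapping).
FACTOR_OF = {"password": "knows", "otp": "has", "fingerprint": "is"}


def issue_assertion(user, methods):
    """Identity provider: sign a statement of who authenticated and how."""
    body = json.dumps({"sub": user, "methods": sorted(methods)}, sort_keys=True)
    tag = hmac.new(FEDERATION_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + tag


def verify_assertion(token):
    """Relying party: return the claims if the signature is valid, else None."""
    body, _, tag = token.rpartition(".")
    expected = hmac.new(FEDERATION_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(body)


def distinct_factors(claims):
    """Count factor categories, so two 'knows' methods still count as one."""
    return len({FACTOR_OF[m] for m in claims["methods"] if m in FACTOR_OF})


def rp_accepts(token, min_factors=1):
    """Relying party decision. min_factors=1 models the behaviour in the text:
    any valid federation login is accepted, whatever the service's value."""
    claims = verify_assertion(token)
    return claims is not None and distinct_factors(claims) >= min_factors


# Constructed sample logins for the same user.
single = issue_assertion("alice", ["password"])
multi = issue_assertion("alice", ["password", "otp"])
```

With the default policy, `rp_accepts(single)` succeeds for a social media site and a bank alike; only a relying party that sets `min_factors=2` rejects the password-only login.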