With the advent of cloud services and web applications, users frequently access many different web or cloud services. Nowadays, we are likely to have more than ten accounts for computers, email accounts, websites, social networks, and various other cloud services, all with different security policies and passwords. Memorizing all passwords is both difficult and annoying, so people often tend to use simple passwords, or forget infrequently used ones. It would be very useful to develop a secure and convenient login system for accessing cloud services, which neither involves memorizing dozens of alphanumeric combinations, nor adds layers of complexity for users.
For password-based authentication methods, their security is mainly determined by the difficulty of guessing a user's password. Unfortunately, passwords usually have low complexities and are easier to guess than many users think. To further enhance the security of password-based web applications, a promising solution is to deploy a technology called two-factor or multi-factor authentication. According to this approach, a user is required to provide additional authentication information besides passwords. The second piece of information is typically generated by a physical token (e.g., RSA SecurID™) or a software application (e.g., Google Authenticator™). If different service providers set up their own two-factor authentication services, users may have to experience painful registration and login processes repeatedly.
A naive way to reduce users' burden of holding multiple passwords for different cloud services is to store users' credentials in a single device or service, and use certain key derivation functions to generate temporal passwords for sequential logins. However, this approach exposes the authentication server as a primary target of attackers. The other approach is to employ an Internet-scale identity system that defines standardized mechanisms enabling the identity attributes of its users to be shared between web applications and cloud services. A number of industry initiatives and standards such as OpenID, SAML, and OAuth have emerged to deliver an Internet-scale identity system during the past few years. The basic idea of those identity systems is to authenticate users with the aid of trusted Identity Providers (IDPs).
The foregoing creates challenges and constraints for providing a secure and convenient login process. It is an object of the present invention to mitigate or obviate at least one of the above-mentioned disadvantages.