1. Field
Embodiments of the invention generally relate to techniques for authenticating users in accessing computing applications. More specifically, techniques are disclosed for performing authentication using a certificate store on a mobile device and a nonce generated on a server.
2. Description of the Related Art
Protecting access to computing systems is a well-known issue in a broad variety of contexts. For example, it is common for a computing application to require users to provide a username and password. As more computing applications are accessed in a distributed manner, e.g., by accessing applications hosted in cloud-based environments, simple passwords frequently provide inadequate security. That is, passwords suffer from a number of known drawbacks, primarily in that they may be forgotten, guessed, or otherwise disclosed or obtained. For example, users frequently choose insecure passwords that can be broken using a “dictionary” attack.
A variety of techniques have been developed to improve security and provide more reliable authentication mechanisms. For example, one solution is to use one-time passwords (OTP) generated using a shared secret held by a client and an authentication system. In addition to authenticating a user based on a username and password, the shared secret is used to compute an OTP which is valid for a brief period of time or for a single use. However, a security breach at the server can potentially compromise the shared secret for an entire population of users.
Another approach includes using strong authentication solutions like public key infrastructure (PKI). PKI presents a number of challenges, particularly for applications that can be accessed from anywhere, e.g., an application deployed on a computing cloud. In such a case, a user may require access to their certificates from different computing devices, but a certificate installed on one computer cannot be used from other devices without copying the private key to each device. This prevents the “on demand from anywhere” access desired for some applications. Installing a certificate (and private key) on a hardware token gives the flexibility to access the certificate store from multiple computers, but the requirements of an available USB interface and the ability to install device drivers on a given machine can limit this flexibility. Generally, if a user's keys are installed on a computer key store, the user will not be able to access them from other computing devices. Even if the keys are stored on a hardware token, the user requires proper device drivers to access the keys. Further still, deploying PKI solutions is complicated due to various browser, OS, certificate-store and application dependencies.
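To make concrete why the private key must be present wherever the user authenticates, the following added example (not from the patent, and not a description of the claimed method) shows the generic nonce challenge-response that key-based authentication relies on. The server keeps only each user's public key and issues a fresh random nonce per login attempt; the device holding the private key signs the nonce and the server verifies the signature and then discards the nonce so it cannot be replayed. ECDSA over P-256 with SHA-256, the in-memory `server` type, the `newDeviceKey` helper and the user name "alice" are all choices made for this illustration. Contrast with the shared-secret OTP above: here the server's store contains nothing that can produce a valid response.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// server holds public keys only; private keys never leave the user's device.
type server struct {
	users   map[string]*ecdsa.PublicKey
	pending map[string][]byte // outstanding nonce per user, consumed on first use
}

func newServer() *server {
	return &server{users: map[string]*ecdsa.PublicKey{}, pending: map[string][]byte{}}
}

// enroll registers the public half of a device key for a user.
func (s *server) enroll(user string, pub *ecdsa.PublicKey) { s.users[user] = pub }

// challenge generates a 32-byte random nonce for a login attempt and remembers it.
func (s *server) challenge(user string) ([]byte, error) {
	if _, ok := s.users[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[user] = nonce
	return nonce, nil
}

// verify checks the signature over the nonce previously issued to this user.
// The nonce is deleted before verification so a captured signature cannot be
// presented a second time, whether or not the first check succeeded.
func (s *server) verify(user string, sig []byte) bool {
	nonce, ok := s.pending[user]
	if !ok {
		return false
	}
	delete(s.pending, user)
	digest := sha256.Sum256(nonce)
	return ecdsa.VerifyASN1(s.users[user], digest[:], sig)
}

// newDeviceKey generates the key pair that would live in the device's key store
// (illustrative helper; a real deployment would load it from the store).
func newDeviceKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// signNonce is the client side: only the holder of the private key can produce it.
func signNonce(priv *ecdsa.PrivateKey, nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

func main() {
	priv, err := newDeviceKey()
	if err != nil {
		panic(err)
	}
	srv := newServer()
	srv.enroll("alice", &priv.PublicKey) // "alice" is a constructed user name

	nonce, err := srv.challenge("alice")
	if err != nil {
		panic(err)
	}
	sig, err := signNonce(priv, nonce)
	if err != nil {
		panic(err)
	}
	fmt.Println("first presentation accepted:", srv.verify("alice", sig))
	fmt.Println("replay of same signature accepted:", srv.verify("alice", sig))
}
```

A device without `priv` cannot answer the challenge, which is exactly the portability problem the paragraph above describes: the key has to be copied to, or reachable from, every device the user authenticates on.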