1. Technical Field
This invention relates generally to remote computer system access control, and in particular to secure distribution of authentication information used in user authentication.
2. Description of the State of the Art
In a computer network, network resources are accessible to computer systems or devices which are connected in the network. Many computer networks also support remote access to network resources from computer systems or devices external to the network. For remote access, two-factor authentication is often used to control network access. Two-factor authentication is based on something a user knows, such as a password, and something the user has, such as an access code generator or token. In order to remotely access a network, a user provides authentication information including the password and the access code.
In a known two-factor authentication scheme, the code generator is a hardware component which stores a code generation algorithm together with a secret key or “seed” that is shared between the code generator and an authentication system at the computer network. The code generation algorithm generates an access code, valid for a relatively short period of time, from the seed and the current time, and the access code is displayed on a user interface. The user enters the access code and transmits the access code and other required authentication information to the authentication system at the computer network. The authentication system then retrieves the user's seed from a store at the computer network, and uses the same algorithm and its own current time to calculate the access code that should have been generated at the code generator. When the received access code and the calculated access code match, or the received code falls within a predefined range or window of past or future access code values, remote access to the computer network is granted.
Hardware code generators tend to be physically small and are thus prone to being misplaced or damaged. When a user travels with a laptop computer but forgets the hardware token, for example, the user cannot remotely access the computer network without intervention by a network owner or administrator. Software-based code generators installed on the computer system or device from which a user remotely accesses the computer network alleviate the problem of lost or forgotten hardware code generators, but the seeds used in access code generation must still be shared only between the network authentication system and the code generator. Known seed distribution techniques involve email, requiring a network administrator to retrieve and insert each user's seed into an email message, or use of a particular seed transfer mechanism such as a serial connection to a networked computer system. Email is also generally undesirable because a copy of the seed is retained, for example, in the email system and in data backups. Encrypting messages containing seeds could address these concerns, but creates an encryption key distribution problem in its place. More automated and convenient systems and methods of securely distributing seeds to such computer systems and devices are therefore desirable.