It is known to allow computing devices to remotely connect to an enterprise or other private computer network over the public Internet. In order to control who has access to enterprise networks, IT managers use a variety of security policies and systems to help prevent unauthorised users from remotely accessing their computer networks.
Remote users are generally only allowed to remotely access an enterprise network upon successful completion of an appropriate user authentication procedure. Dual-factor authentication is largely considered by administrators of IT networks to be able to authenticate a user to a reasonable level of certitude. Dual-factor authentication is generally based on the key concepts of ‘something I have’ (such as a smart card or hardware token generator) and ‘something I know’ (such as a password).
Remote connections to enterprise networks are typically made over a secure virtual private network (VPN) to ensure that communications between the user's device and the enterprise network are suitably secured, for example through use of appropriate encryption techniques, although other access techniques, such as using HTTPS, may be used.
To connect a computing device to a remote network via a VPN, the user of the computing device typically has a hardware or software token generator (‘something I have’) which, in response to a correct password (‘something I know’) being given, generates an authorisation token. Some token generators are arranged to receive a PIN-protected smart card containing cryptographic data used in the generation of the authorisation token. In this case, the smart card can be considered a ‘something I have’ factor. The generated authorisation token is sent to a network-based authentication system that determines that the user has been authenticated.
Although dual or multi-factor authentication techniques provide a strong level of user authentication, they are somewhat inconvenient for users. For instance, users may have to separately carry with them a hardware token generator, a smart card, or both, depending on particular configurations. Furthermore, connecting through a VPN typically requires a number of independent steps that must be carried out in the correct order. For instance, a user may have to first unlock their computer using their operating system username and password, to insert their smart card into their token generator, to enter a password into the token generator, to open their VPN client application, and to manually enter the generated authentication token into the VPN client application.
Accordingly, one aim of the present invention is to overcome, or at least to alleviate, at least some of the above-mentioned problems.