Many online services rely on user credentials, such as a username and password, to authenticate a user or her client application. For example, a user trying to use an online synchronized content management system, such as Dropbox™ from Dropbox Inc. of San Francisco, Calif., may be asked to input her username and password into her web browser or her local client application before she can access content on the content management system's server.
In other instances, however, an online service may generate and issue a security key—a large randomly generated value that is computationally difficult to guess—to the client so that the client can later authenticate itself to the server with the key. This can simplify the user authentication process because the client does not have to ask the user to input her credentials each time the client attempts to communicate with the server. The security key can be transferred from the server to the client and stored inside the client device, such as in the form of a session cookie or a file saved in a secure location.
However, if the security key falls into the wrong hands, it can allow a malicious attacker to access the content belonging to the user account associated with the security key. For example, Brian may have installed a client application for an online synchronized content management service on his laptop computer. After Brian logs into the client application with his correct username and password, the application downloads a unique security key from the content management service's server. Brian can now use the application without having to enter the credentials every time because the client application can authenticate and communicate with the server using the security key. However, Brian, while using his laptop at a coffee shop, meets Susan, who asks Brian if she can borrow his laptop for a few minutes to browse the Internet. Unbeknownst to Brian, Susan is a malicious hacker who proceeds to steal Brian's security key by locating the file containing the key and copying the file onto her portable storage device. Using the stolen security key, Susan may be able to impersonate Brian and successfully access, from her own computer, his online files and folders on the content management service's server. Susan may not be required by the server to enter Brian's user credentials because she is in possession of Brian's security key.
In other instances, a security key can be compromised when a user device is lost or stolen. If the misplaced device contains a security key in its storage, then the security key can be exposed to a malicious user and similarly exploited. Thus, what is needed is a way for the online content management system and its client application to minimize the harm that can be caused by misuse of the security key.