In order to gain access to applications or other resources via a computer or another user device, users are often required to authenticate themselves by entering authentication information. Such authentication information may comprise, for example, passwords that are generated by a security token carried by a user. These passwords may be one-time passwords that are generated using a time-synchronous or event-based algorithm. One particular example of a well-known type of security token is the RSA SecurID® user authentication token commercially available from RSA Security Inc. of Bedford, Mass., U.S.A.
In most existing token-based user authentication systems, a token belonging to a user U generates a one-time passcode for consumption by a single server S. In a symmetric-key-based scheme, the secret cryptographic keys from the token are shared with an authentication server. In most symmetric-key-based schemes, an adversary that compromises S can impersonate U by stealing the user's credentials from S. Such an attack requires only transient server compromise, i.e., the adversary need only learn the state of S, and need not alter its operation. This type of attack is referred to as a transient attack. In a stronger, active attack, the adversary controls the operation of S over an extended period of time. Such an adversary can completely subvert the authentication process, impersonating U even if the user's credentials are periodically refreshed, and even if authentication relies on public-key operations. This type of attack is referred to as an active attack.
A number of techniques have been proposed or suggested to reduce the susceptibility of authentication systems to such attacks. For example, U.S. Pat. No. 7,725,730 discloses secure authentication protocols for authenticating a client device, such as a mobile communications device having limited computational resources, using at least two servers. The two servers utilize information generated from a password to collectively authenticate the client device.
Nonetheless, a need remains for a multi-server authentication scheme based on symmetric-key cryptography. Yet another need remains for a multi-server authentication scheme where one-time passcodes are securely revealed to a plurality of servers.
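As an added illustration of the transient-compromise problem and of the multi-server need stated above (this is not the patent's scheme and not RSA's code): a toy event-based passcode whose seed is split into additive shares held by separate servers, so that the stored state of any single server no longer reproduces the passcode. The PRF, the share-combining rule, the verification chain and the keys are all constructed assumptions.

```python
import hmac
import hashlib

MOD = 1_000_000  # six-digit passcodes

# Constructed demo keys; not real token seeds.
K1 = b"constructed-share-1-not-a-real-key"
K2 = b"constructed-share-2-not-a-real-key"


def prf(key: bytes, counter: int) -> int:
    """Event-based PRF: six digits derived from HMAC-SHA256(key, counter)."""
    mac = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big") % MOD


def token_passcode(shares: list[bytes], counter: int) -> int:
    """The token holds every share and emits the sum of the per-share PRF outputs.
    With one share this is an ordinary single-server symmetric-key scheme."""
    return sum(prf(k, counter) for k in shares) % MOD


def reconstruct_from_state(stolen_state: dict[str, bytes], counter: int) -> int:
    """What a transient compromise yields: an adversary who only copied the keys
    stored on some servers can sum the PRF outputs of those shares and nothing more."""
    return sum(prf(k, counter) for k in stolen_state.values()) % MOD


def multi_server_verify(server_states: list[dict], counter: int, passcode: int) -> bool:
    """Verification chain: each server subtracts its own share from the running
    remainder and forwards it; the last server accepts iff the remainder is zero.
    No server ever sees another server's key, only a one-time PRF output."""
    remainder = passcode % MOD
    for state in server_states:
        remainder = (remainder - prf(state["share"], counter)) % MOD
    return remainder == 0


def demo(counter: int = 41) -> dict:
    """Compare what a copy of one server's state buys in each scheme."""
    single = token_passcode([K1], counter)
    split = token_passcode([K1, K2], counter)
    return {
        "single_server_state_reproduces_passcode": reconstruct_from_state({"share": K1}, counter) == single,
        "one_of_two_servers_reproduces_passcode": reconstruct_from_state({"share": K1}, counter) == split,
        "two_server_chain_accepts_valid_passcode": multi_server_verify([{"share": K1}, {"share": K2}], counter, split),
    }
```

Splitting the seed protects only against learning a server's state; an adversary who controls a server's operation over time (the active attack above) can still forward or withhold remainders at will, which is why the text treats that case separately.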