Organizations or enterprises often include legacy computer systems that use traditional password-based user authentication, i.e., authentication based on a username/password pair. Some systems or applications may authenticate against Active Directory credentials, while others may require their own separate credentials. In a larger organization there may be several such legacy applications that a single user must access, each requiring its own password.
One approach to password management in such circumstances is for each user to manage their own passwords for both in-enterprise and third-party applications. Because of the difficulty of remembering a number of complex or arbitrary passwords, there is a tendency for the passwords to be weak, and weak passwords may be easily guessed. Even strong passwords are not safe, as they can be phished or extracted by malware that has infected a computer system. If passwords are not changed often enough, a stolen or guessed password remains usable for an extended period, giving an attacker an opportunity to access the system improperly.
There are known systems that can provide stronger user authentication with less risk of password compromise, or less damage resulting from any compromise. One system employs so-called "one-time passwords" or OTPs. Users are given hardware or software "tokens" that execute a secure algorithm deriving a sequence of unpredictable passwords from a shared secret, and these tokens are synchronized to counterpart server-executed algorithms. Whenever a user authenticates to a system or application, the token is used to generate a new OTP, which is compared with an OTP generated within the system. A match indicates that the user possesses the assigned token, leading to authentication of the user. Another type of system employs so-called "federation", in which a collection of servers is integrated with a centralized authentication server that handles user authentication and issues short-lived passcodes or tickets that the servers accept as evidence of user authentication. Both types of system require some integration of the specialized authentication methods or facilities into the service computer or application, and thus are not universally utilized. Even in an enterprise that uses such a system, there may be legacy systems or applications that are not integrated into it and thus remain a security weakness due to their reliance on user-managed passwords.
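The token/server synchronization described above, as an added example that is not part of the original text: the page does not name a particular OTP algorithm, so this example assumes the counter-based HOTP scheme of RFC 4226 (HMAC-SHA1 over an 8-byte counter, dynamic truncation to six digits). The token and the server share a secret and each keep a counter; the server accepts a code only if it matches one of the next few counter values (a look-ahead window), then advances its own counter past the matched value so the same OTP can never be replayed. The shared secret below is the RFC 4226 test-vector secret, and the class names, the window size and the drift scenario are constructed for illustration.

```python
import hashlib
import hmac
import struct

# Shared secret from the RFC 4226 test vectors; in practice this is
# provisioned into the token and stored server-side per user.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = (
        (digest[offset] & 0x7F) << 24
        | digest[offset + 1] << 16
        | digest[offset + 2] << 8
        | digest[offset + 3]
    ) % (10 ** digits)
    return f"{code:0{digits}d}"


class HotpToken:
    """The user's token: emits a fresh OTP and advances its counter each time."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.counter = 0

    def next_code(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class HotpServer:
    """The server-side counterpart: verifies OTPs and resynchronizes within a window."""

    def __init__(self, secret: bytes, look_ahead: int = 3) -> None:
        self.secret = secret
        self.counter = 0          # next counter value the server expects
        self.look_ahead = look_ahead

    def verify(self, candidate: str) -> bool:
        # Try the expected counter and a few ahead of it, so a token that was
        # pressed without logging in (counter drift) still authenticates.
        for step in range(self.look_ahead + 1):
            counter = self.counter + step
            # Constant-time comparison so response timing leaks nothing about the digits.
            if hmac.compare_digest(hotp(self.secret, counter), candidate):
                # Consume this value and every skipped one: a replay of the
                # same OTP, or of any earlier OTP, is now rejected.
                self.counter = counter + 1
                return True
        return False


def demo() -> dict:
    """Constructed scenario: normal login, replay, small drift, and drift beyond the window."""
    token, server = HotpToken(SECRET), HotpServer(SECRET)
    first = token.next_code()
    results = {
        "login": server.verify(first),          # fresh OTP, accepted
        "replay": server.verify(first),         # same OTP again, rejected
    }
    token.next_code(); token.next_code()        # two unused presses: counter drifts by 2
    results["drift_in_window"] = server.verify(token.next_code())   # counter 3, within window
    for _ in range(5):
        token.next_code()                       # five more unused presses
    results["drift_beyond_window"] = server.verify(token.next_code())  # counter 9, rejected
    return results


if __name__ == "__main__":
    print(demo())
```

The look-ahead window is the trade-off the passage alludes to with "synchronized": a wider window tolerates more drift but gives an attacker more candidate codes per guess, which is why real deployments pair it with rate limiting and a separate, larger resynchronization procedure that requires two consecutive OTPs.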