The use of usernames and passwords is well known in the art. A growing problem exists in that server-side storage of passwords is becoming more prone to attack, while the burden on users of maintaining different and secure passwords across multiple web sites has introduced inconvenience, inordinate complication and continuing security exposure.
Attempts to solve this problem include device hardware fingerprinting and other multi-factor authentication such as biometrics. These are used in an attempt to bolster security and reduce the exposure to problems associated with standard username and password authentication systems. However, they typically only add further steps of complexity and inconvenience to an already burdensome process.
One example of such an attempt is U.S. Pat. No. 5,875,296 to IBM, the content of which is incorporated herein by cross reference. Its solution is outlined in claim 1 thereof, which reads:
A method of authenticating a client to a Web server connectable to a distributed file system of a distributed computing environment, the distributed computing environment including a security service for returning a credential to a user authenticated to access the distributed file system, comprising the steps of:
responsive to receipt by the Web server of a user id and password from the client, executing a login protocol with the security service and storing a credential resulting therefrom;
returning to the client a persistent client state object having an identifier therein; and
having the client use the persistent client state object including the identifier in lieu of a user id and password to obtain subsequent access to Web documents in the distributed file system.
This arrangement can be interpreted as utilising a “cookie” as the persistent client state object, and it suffers from significant security issues.
Further prior art examples (all of which are included by cross reference) include:
U.S. Pat. No. 8,447,977 to Canon KK, whose main claim reads:
A method of authenticating a device with a server over a network, the method comprising the steps of:
establishing, by the device, a secure connection with the server;
communicating, by the device, identification information of the device to the server, wherein the identification information uniquely identifies the device to the server and is pre-stored in the device;
determining, by the server, the credibility of the device using the identification information communicated by the device; and
in a case where the server determines that the device is credible:
creating, by the server, a first authentication token for the device, the first authentication token indicating that the device is credible;
storing, by the server, the first authentication token;
transferring, by the server, the first authentication token to the device using the secure connection; and
storing, by the device, the first authentication token;
wherein the method further comprises the steps of:
establishing, by the device, a secure re-connection with the server; and
authenticating, by the server and over the secure re-connection, the device using the first authentication token stored by the device.
U.S. Pat. No. 6,668,322 to Sun Microsystems, whose main claim reads:
A session credential for use in a security architecture controlling access to one or more information resources, the session credential comprising:
a principal identifier uniquely identifying a principal; and
an encoding of authorization accorded by the security architecture after prior authentication of a login credential corresponding to the principal,
the principal identifier and authorization encoding being cryptographically secured and allowing the security architecture to evaluate sufficiency of the authorization for access to the one or more information resources without re-authentication of the login credentials.
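The Canon and Sun claims quoted above describe two variants of the same idea: a token minted by the server after the login credential has been checked once, carried by the client, and presented on re-connection so that authorization can be evaluated without re-authentication. The following is an added illustration written for this edit, not code from any of the cited patents. It assumes an HMAC-SHA256 construction (the claims say only "cryptographically secured"), a hypothetical principal identifier and authorization list, and an expiry field that the claims do not mention but that any deployed credential needs.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import List, Optional

# Server-side signing key. In a deployment this comes from a key
# management system; here it is generated per process for the example.
SERVER_KEY = secrets.token_bytes(32)


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, so the credential fits in a header or cookie."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_credential(principal: str, authorization: List[str], ttl_seconds: int,
                     key: bytes = SERVER_KEY, now: Optional[float] = None) -> str:
    """Mint a session credential after the login credential has been verified.

    The payload carries the principal identifier, the authorization encoding
    and an expiry; the MAC binds all three so none can be altered by the holder.
    """
    now = time.time() if now is None else now
    payload = {"sub": principal, "authz": sorted(authorization), "exp": int(now + ttl_seconds)}
    # Canonical JSON so the same payload always produces the same bytes.
    body = _b64(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    tag = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    return f"{body}.{_b64(tag)}"


def verify_credential(credential: str, key: bytes = SERVER_KEY,
                      now: Optional[float] = None) -> Optional[dict]:
    """Return the payload if the MAC is valid and the credential is unexpired, else None.

    The MAC is checked before the body is parsed, so untrusted input never
    reaches the JSON decoder, and the comparison is constant-time.
    """
    now = time.time() if now is None else now
    try:
        body, tag_b64 = credential.split(".")
        expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(tag_b64)):
            return None
        payload = json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(payload, dict) or payload.get("exp", 0) <= now:
        return None
    return payload


def is_authorized(credential: str, resource: str, key: bytes = SERVER_KEY,
                  now: Optional[float] = None) -> bool:
    """Evaluate sufficiency of the encoded authorization for one resource."""
    payload = verify_credential(credential, key, now)
    return payload is not None and resource in payload.get("authz", [])


if __name__ == "__main__":
    # Constructed sample: "alice" logs in once and receives a credential.
    cred = issue_credential("alice", ["docs:read"], ttl_seconds=600)
    print("read allowed:", is_authorized(cred, "docs:read"))    # True
    print("write allowed:", is_authorized(cred, "docs:write"))  # False
    # A holder who swaps in a payload with extra authorization fails the MAC check.
    forged_body = issue_credential("alice", ["docs:write"], 600).split(".")[0]
    print("forged accepted:", verify_credential(forged_body + "." + cred.split(".")[1]))  # None
```

The design point the claims leave implicit is shown by the last lines of the usage block: because the MAC covers the encoded authorization, a client cannot widen its own privileges by editing the credential it holds, and the server need not store per-session state to detect the attempt. Server-side storage of the token, as in the Canon claim, is the alternative when revocation before expiry is required.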
U.S. Pat. No. 6,421,768 to First Data, whose main claim reads:
A method for transferable authentication, by which a user accessing a first computer can be authenticated to a second computer remote from said first computer, without necessarily requiring the user to explicitly identify himself to said second computer, comprising the steps of:
at a user's computer, accessing said first computer;
authenticating said user to said first computer;
receiving from said first computer a cookie including said first computer's digital voucher of a user characteristic, said voucher being cryptographically assured by said first computer, said user characteristic being encrypted and incorporated into said digital voucher by said first computer using a client side public key confidential to said first computer and said second computer but unknown to said user, said client side public key being cryptographically assured using an asymmetric key of at least one of said first computer and said second computer;
transmitting said cryptographically assured client side public key to said second computer via said user's computer; and
sending at least a portion of said cookie, including said voucher, to said second computer configured to:
authenticate said voucher without necessarily requiring said user to explicitly identify himself to said second computer;
extract said user characteristic from said voucher; and
perform an action based on said user characteristic.
As stated above, cookies have particular security issues and also face ongoing adoption issues.
Also relevant are the following references, which disclose alternative ways of securing systems without repetitive password entry or explicit communication of the password from one machine to another. These systems can be more complex, including the use of a third-party machine to perform verification/authentication.
U.S. Pat. No. 4,578,531 AT&T
U.S. Pat. No. 6,134,592 Netscape
U.S. Pat. No. 6,205,480 Computer Assoc
U.S. Pat. No. 7,523,490 Microsoft
US20110320820 IBM
US20130219472 A1 QSAN
Embodiments of the present invention are designed to address these issues.
Notes
The term “comprising” (and grammatical variations thereof) is used in this specification in the inclusive sense of “having” or “including”, and not in the exclusive sense of “consisting only of”.
The above discussion of the prior art in the Background of the invention is not an admission that any information discussed therein is citable prior art or part of the common general knowledge of persons skilled in the art in any country.