In a distributed computing environment, a remotely hosted network resource (e.g. a Web site, service, application, etc.) may require that a user be authenticated on their user device before they are granted access to the network resource. Existing user devices have responded to requests to authenticate a current user by performing an authentication process to authenticate the user, and then using a locally stored key to digitally sign an indication that the user of the device has been successfully authenticated. For example, some existing user devices have digitally signed an indication of successful user authentication using a locally stored private key of a public and private key-pair that is uniquely assigned to the device. This digitally signed authentication indication was conveyed from the user device to the authentication requestor, in order to provide an indication that the user was successfully authenticated by the user device.
Security of the locally stored private key used to sign authentication indications has been provided in previous user devices through hardware-based security mechanisms. Such hardware-based security mechanisms are sometimes referred to as “hardware roots of trust.” Examples of hardware-based security mechanisms include i) embedding the private key within the hardware or firmware of the user device, and/or ii) only using the private key to sign the authentication indication within processes executing in a hardware-protected secure execution region of the user device.
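The sign-and-convey flow described above, sketched in Go as an added example that is not part of the original text: the device signs an authentication indication with its device-unique private key, and the requestor checks it against the device's public key. The message layout, the `Challenge` field, the function names and the use of Ed25519 with a software-held key (in place of a hardware-protected one) are all assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// AuthIndication is a hypothetical layout; the page defines no message format.
type AuthIndication struct {
	DeviceID      string `json:"device_id"`
	User          string `json:"user"`
	Authenticated bool   `json:"authenticated"`
	Challenge     string `json:"challenge"` // assumed: value issued by the requestor
}

// NewDeviceKey is a software stand-in (assumption) for the hardware-protected device key.
func NewDeviceKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignIndication runs on the user device after local user authentication has completed.
func SignIndication(priv ed25519.PrivateKey, ind AuthIndication) ([]byte, []byte, error) {
	msg, err := json.Marshal(ind)
	if err != nil {
		return nil, nil, err
	}
	return msg, ed25519.Sign(priv, msg), nil
}

// VerifyIndication runs at the requestor: signature first, then the signed contents.
func VerifyIndication(pub ed25519.PublicKey, msg, sig []byte, challenge string) bool {
	var ind AuthIndication
	if !ed25519.Verify(pub, msg, sig) || json.Unmarshal(msg, &ind) != nil {
		return false
	}
	return ind.Authenticated && ind.Challenge == challenge
}

func main() {
	pub, priv := NewDeviceKey()
	msg, sig, _ := SignIndication(priv, AuthIndication{"device-01", "alice", true, "c-7f3a"})
	fmt.Println("accepted:", VerifyIndication(pub, msg, sig, "c-7f3a"))
}
```

The requestor's decision rests entirely on the private key staying on the device, which is why the key protection described above matters: anyone holding that key can produce an indication that verifies.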