The processing of sensitive computer data poses various problems. In particular, in the medical world in France, the law requires strong protection of medical computer data and recommends, to that end, that health professionals use a smart card as a strong authentication means for accessing these medical data.
The authentication of the entity requiring access to computer data is a preferred means for ensuring the protection of sensitive computer data. Simple authentication (typically with an identifier and simple password) is commonly used but does not provide a sufficient level of security to ensure the protection of sensitive computer data. Its main weakness lies in the ease with which the identity of the entity can be usurped, for example by hacking techniques based on social engineering, which make it possible to find a password defined by a user.
It is therefore necessary to use strong authentication for effective protection of sensitive computer data. Strong authentication is defined here as two-factor or multi-factor authentication. The use of a smart card in association with a second item of authentication data of the PIN code type is, for example, a strong authentication solution that makes it possible to obtain a security level sufficient to control access to sensitive computer data.
Such strong authentication imposes various constraints on the user: he must carry his authentication means (for example a card, a token, etc.), have a reader that is appropriate for this authentication means, and have a terminal compatible with the authentication method required to access the service. It is therefore not always possible for this user to authenticate himself in an appropriate manner with a server controlling access to data, particularly when this user has an itinerant occupation and frequently travels without being able to carry all the necessary equipment with him.
The inventors of the present disclosure have therefore noted the need for a technique for protecting access to sensitive computer data which offers a security level equivalent to that provided by strong authentication, but without being as constraining as strong authentication.