Traditional means of authenticating access to computer systems and computer applications involve knowing a username and password. This results in a password being an important piece of information that needs to be protected since a password leak could lead to unauthorized access to computer systems or applications resulting in business losses. Remembering a multitude of usernames and passwords can be cumbersome and error-prone for a typical user, which can potentially lead to insecure practices such as using the same passwords across applications and systems which in turn increases the risk when a password is leaked.
Traditional two-factor authentication systems overcome some of these problems by using a physical token and password whereby just the loss of password does not compromise security. However, two-factor authentication can be expensive to install, use, maintain, and administer. In addition, many users are more familiar with single username and password use, and introducing a physical token and/or other means of delivering and using software tokens can result in productivity loss caused by having to adjust to a new security regime. Furthermore, various legacy applications and systems do not support two-factor authentication.
Restricting access to computer systems and applications to a select few individuals, carefully disseminating credential information, frequently changing passwords, monitoring, and auditing access are other traditional means of securing password use. But all of these approaches can be prone to human error resulting in password leakage either by accident, due to malware, phishing or some other cyber-attack.
Additionally, the storing and distributing of information across the internet by means of remote databases, web servers, web clients and web browsers, etc., has introduced another opportunity for insecurity that is not easily controlled due to the anonymous nature of the internet. In some scenarios, if the security of a computer has been compromised unbeknownst to the user, any information such as username and password entered by the user is thereby compromised as well.
When granting internal system access to third-party entities, the challenges of securing credentials multiply as an organization may not have complete control over security, operating, and business practices of a third-party.
Based on the foregoing, there is a need for secure and automated credential handling such that credentials are not revealed except at the point of need and transported to the endpoint or application (such as a web application) using cryptographically sound transport mechanisms.