A common step in deciding whether to grant a request for access to data or services in a network is to authenticate the requesting user. Authentication is the process of establishing or confirming one or more characteristics associated with a user or a request. For example, authentication may include confirming a user's identity or confirming that a request is generated by a particular device. In computer networks, authentication commonly involves the use of passwords. Knowledge of a password is assumed to warrant that the user is authentic. Typically, a user is assigned or selects a password, and upon each subsequent use the user must provide the password. A password is considered a first authentication factor because it is something the user knows that presumably no other user knows.
Since passwords are vulnerable to hackers, security can be improved by adding a second authentication factor. Second authentication factors generally include something the user has (as opposed to something the user knows). Second authentication factors preferably include credentials that can be generated systematically and verified efficiently. Common sources of second authentication factors include smart cards, tokens, and other similar security devices that may be referred to generally as security tokens.
A security token can include one or more secrets that may be shared with an authentication service. The token can use the secret as the basis for generating credentials such as One-Time Passwords (OTPs). An OTP can be a number or alphanumeric string that is generated once and is not reused. The token can generate an OTP and the user can send the OTP to an authentication service along with a unique serial number associated with the secret. The authentication service can generate an OTP using its copy of the secret associated with the serial number. The user is authenticated if the OTP determined by the authentication service matches the OTP provided by the user.
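The token-to-service exchange described above, as an added example that is not part of the original text. The patent does not name an OTP algorithm, so this example assumes event-based HMAC-OTP as specified in RFC 4226 (HMAC-SHA1 over a counter, with dynamic truncation to six digits); the serial number "SN-0001" is a constructed label and the secret is the RFC 4226 test key, used here only so the output can be checked against the published vectors. The service side shows the two checks a practitioner expects around the "OTP matches" step: a constant-time comparison, and advancing the stored counter past the accepted value so the same OTP cannot be replayed.

```python
"""Added example: shared-secret OTP exchange keyed by token serial number.
Assumes RFC 4226 HOTP; the patent text does not specify an algorithm."""
import hashlib
import hmac
import struct
from dataclasses import dataclass, field


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % (10 ** digits):0{digits}d}"


@dataclass
class Token:
    """The user's device: holds its secret and a moving counter."""
    serial: str
    secret: bytes
    counter: int = 0

    def next_otp(self) -> str:
        otp = hotp(self.secret, self.counter)
        self.counter += 1  # each OTP is generated once and never reused
        return otp


@dataclass
class AuthService:
    """The verifier: keeps its own copy of each secret, indexed by serial number."""
    registry: dict = field(default_factory=dict)  # serial -> [secret, next expected counter]
    window: int = 5  # how far ahead the token's counter may have drifted from ours

    def register(self, serial: str, secret: bytes) -> None:
        """Registration step: bind the serial number to a copy of the secret."""
        self.registry[serial] = [secret, 0]

    def verify(self, serial: str, otp: str) -> bool:
        entry = self.registry.get(serial)
        if entry is None:
            return False  # unknown serial: no shared secret to recompute against
        secret, counter = entry
        for c in range(counter, counter + self.window):
            # recompute with our copy of the secret and compare in constant time
            if hmac.compare_digest(hotp(secret, c), otp):
                entry[1] = c + 1  # advance past the used counter: blocks replay
                return True
        return False


def demo_exchange() -> list:
    """Walk through one registration, a successful login, and a replayed OTP."""
    svc = AuthService()
    tok = Token("SN-0001", b"12345678901234567890")  # constructed serial, RFC test key
    svc.register(tok.serial, tok.secret)
    otp = tok.next_otp()
    first = svc.verify(tok.serial, otp)   # fresh OTP: accepted
    replay = svc.verify(tok.serial, otp)  # same OTP again: rejected
    return [first, replay]


if __name__ == "__main__":
    print(demo_exchange())
```

The look-ahead window lets the service tolerate OTPs the user generated but never submitted; once an OTP is accepted, every earlier counter value is retired, which is what makes the credential genuinely one-time on the verifier side.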
Secrets can be stored in numerous different types of devices and used as the basis for generating credentials. As examples, secrets may be stored in cell phones, personal digital assistants, notebook or laptop computers, personal computers, and other devices. Using the secrets, these devices can generate credentials that may be used, for example, to log in to various Internet services or to conduct on-line transactions.
When a user obtains a new device, such as a new cell phone, a new secret is typically obtained because security could be compromised if multiple devices shared the same secret. To prevent such sharing, secrets are typically unique and are stored using tamper-resistant measures to prevent unauthorized disclosure or duplication. The new secret, however, has to be registered before it can be used to access data or services that were accessed using credentials generated with the old secret. Registering the new secret may include providing information to authenticate the user and providing information associated with the new secret. Since a single token can be used at multiple customer web sites, registration may be required at each application where the credentials generated from the old secret were used. Thus, a significant amount of time and effort may be required to register a secret before a new device can be used in the same manner as an old device to generate credentials and access data or services.
Thus, there is a general need in the art for improved methods and apparatus for provisioning devices with secrets.