The approaches described in this section could be pursued, but are not necessarily approaches that have been previously conceived or pursued. Therefore, unless otherwise indicated herein, the approaches described in this section are not prior art to the claims in this application and are not admitted to be prior art by inclusion in this section.
Virtual private networks (“VPNs”) allow secure communication between two or more devices over a public or non-trusted network. In a typical VPN arrangement, an end user is associated with an endpoint device, such as a workstation, personal computer, or mobile phone, which executes VPN client software. The endpoint establishes a connection through a non-trusted network, such as the public Internet, to a gateway or other network node, which executes VPN server software and is associated with a secure network of a business enterprise or other entity. The endpoint and network node negotiate encryption keys, essentially creating an encrypted “tunnel” connection through the un-trusted network. The endpoint and network node then communicate encrypted information over the un-trusted network, and the encrypted information is decrypted at the endpoints.
In this arrangement, the end user can securely obtain information from private network resources through the VPN tunnel, even though one or more intermediate networks are un-trusted. Typical VPN users are enterprise workers who telecommute or telework.
VPNs sometimes allow VPN sessions to last for long periods of time. For example, a VPN session may survive connection disruptions or power state changes on endpoint systems. Long-lived sessions reduce the frequency that the user needs to reauthenticate to the VPN server. However, long-lived sessions may reduce network security. For example, if the endpoint device is lost or stolen but a long-lived VPN session remains active, then the device could be used to gain access to the corporate network without needing any authentication information.
Two-factor authentication for VPNs may involve providing authentication data from a hardware token to VPN software on a separate machine. One example of a hardware token used for two-factor authentication is the RSA SecurID card. Typically, the hardware token (the card) generates authentication material at the outset of the VPN session when the user enters a Personal Identification Number (PIN) into the token. The user then copies the authentication material displayed by the token into the VPN software. This two-factor process protects the private network if the device running the VPN software is misplaced or stolen. However, this process is inconvenient for the user and can only be used at the outset of a VPN session; the process cannot be used to protect the secret data of an always-on VPN.