In the physical world, individual persons are able to assess one another by sight, hearing and an accounting of physical attributes. Drivers' licenses, passports and other regulated documents provide verified accountings of attributes that permit individuals to validate who they are, or for others to validate who an individual says he or she is.
Fingerprints, retinal pattern, breath and DNA among other attributes are understood and recognized to be highly individualistic and are widely accepted and used to verify identity. But these attributes are physical and tied to a physical world.
Computers have become commonplace and highly integrated in nearly all aspects of modern life—transcending the bounds of professional and social spaces, computers are a prominent fixture in the workplace, in the home, as mobile devices and in many other places and arenas of daily life and modern existence.
Increasingly individuals are representing themselves in the cyber world of computer systems and computer networks, where digital information in the elemental form of binary data is entirely ignorant of physicality. A critical problem in cyberspace is knowing with whom you are dealing—in short, at the present time there is no precise way to determine the identity of a person in digital space. Friends, families, colleagues may use a common computer, share passwords, or even pretend to be people they are not. Sometimes these actions are benign—sometimes they are not.
Traditionally, different systems establish individualized, but similar signup and login procedures to collect information directly from users to establish user identities, passwords and other information in the effort to establish at least a notion of an identity for a user.
A typical person over the age of ten in a modern household with access to computer resources may have a number of user accounts, each with a user name and password as well as perhaps additional security measures such as pin numbers, security images, test questions, and the like.
But the redundancy of such systems, especially where use of a system is occasional or only desired for a brief interaction leads to many problems. Users struggling to remember passwords default to the use of simple phrase, such as “password”, “opensaysme”, “abcdgoldfish”, “0p3n4m3” or other simplistic phrases that are easily compromised. Although advances in data storage have increased dramatically in recent years there are still costs involved in archiving data—and establishing a user account and maintaining the data records for such an account may be costly for a system where the a high percentage of users never return.
Indeed, in some cases when a user is faced with forgetting his or her prior login information or being unsure if he or she even has an existing identity, the user may opt to create a new identity rather than try and recover the old identity—an action that further leads to increases in archived data, increased storage requirements, potential maintenance issues, and of course costs in terms of time, energy and money.
As computers are often used in a commercial setting such as a business, organization or secured network (hereinafter “business”), there are often very legitimate desires by that business to know who is accessing their network. In addition, in many instances it is highly desired by a business or organization to not only know who is using their system, but also to control the type of equipment that is used with their system.
For example, to comply with licensing, privacy or other external or internal regulation, a company may desire for its users to make use of provided equipment for conducting company business. In other words a new or existing employee is provided with a company system that may have customized software for word processing, email, network access etc. . . .
In addition, in some instances the different levels of employees may impose different requirements—i.e., a secretary may have email access to the multiple accounts for the persons he or she supports, a vice president or president may have access rights to an entire team, and a mail room person may have access to email and a company directory, but no file access.
Typically, companies permit varying granularity of configuration by individualized configuration—i.e., the system for a given employee must be either pre-configured and given the employee, or the employee must go to the tech resources group and receive his or her new machine.
In addition, in many instances companies or other entities make use of user identities, passwords and even digital certificates in an effort to gate control who has access to what, when, and perhaps from where.
Digital certificates, also known as public key certificates, are electronic documents that bind a digital signature (a mathematical schema for demonstrating authenticity) to a key, such as a public key, that is tied to an identity. More simply put, digital certificates are electronic documents that are offered to prove or verify the identity of the user. Typically a digital certificate is issued by a certificate authority (CA) that has performed or established some threshold of information to assert that the party to whom the certificate is issued is indeed the party he or she reports to be.
In addition to identifying a person, a digital certificate may also include additional information, such as the level of authorization that should be afforded to the holder of the certificate, the duration of validity for the certificate, the user's real name, the user's alternative name, the intermediate certificate authority who issued the certificate, or other such information pertinent to establishing both the identity of the user of the digital certificate as well as the veracity of the root certificate authority ultimately responsible for the apparent authority vested in the digital certificate.
Indeed, digital certificates can and often do provide a great deal of simplicity in authenticating a user as the user has clearly established him or herself in some way that is sufficient for a certificate authority to provide the digital certificate. Relying on a digital certificate can ease a network's reliance on parties having previously established or contemporaneously establishing a local identity—a savings both in terms of time for the user and costs associated with the overhead and storage of the user identity for the local network.
It should also be noted that in most cases, a user requesting access to resources who is providing a name and password is in essence already connected to the network, and as such there is a potential security risk.
The Open System Interconnection model, also referred to as the Open Source Interconnection model or more simply the OSI model, is a product of the Open System Interconnection effort at the International Organization for Standardization, and more specifically is a prescription of characterizing and standardizing the functions of a communication system in terms of seven abstraction layers of concentric organization—Layer 1 the physical layer, Layer 2 the data link layer, Layer 3 the network layer, Layer 4 the transport layer, Layer 5 the session layer, Layer 6 the presentation layer, and Layer 7 the application layer.
TCP/IP based network communication is established at Layer 2-3, the network layer. By contrast, when a user is presented with a login screen requesting a User Name and Password, that interaction is occurring at the Application layer 7. Moreover, because the User has actually established connection through the Layers 1-6, there is a possibility that errant code and or configuration of network devices could permit a user to gain unwarranted access to some if not all resources without actually providing a proper username and password.
The use of certificates in proving user identity in and among networked resources is not entirely new. The prior art reference of Appiah US 2010/0077208 teaches an authentication service configured to authenticate User Credentials and generate an authentication certificate based on the User Credentials and the System Identifier FOR subsequent authentication to a Data Center. The prior art reference of Borneman U.S. Pat. No. 7,953,979 teaches a system and method to establish trust so that a trusted third party may then provide Signed Certificates to verify Trust, i.e. Master System is delegating authority.
The prior art reference of Guo US 2010/0247055 is teaching device specific authentication for website access (Layer 7)—a user with a device known to an account authority service can obtain a security token via a communications network to present to another entity via a communications network as proof of identity. The prior art reference of Liu US 2010/0154046 is teaching a single sign-on methodology across web sites and services (Layer 7). The prior art reference of Norefors US 2006/0094403 teaches a method of obtaining network service by using a phone having existing telecommunications service and a PC connecting to a Web Server (Layer 7) which directs a One Time Password to be sent via Short Message Service, also known as SMS, to the user's phone read by the user and provided back to the Web Server via the PC (Layer 7).
Still further, the prior art reference of Benantar US 2002/0144119, teaches a User obtaining a digital certificate from a Certificate Authority and the public and private certificates being loaded to a keystore of a Single Sign On system. The Single Sign On system uses the digital certificate to gate access to legacy applications (Layer 7). And of course it is clear that these legacy applications are within the Benantar network.
However, in all of these instances the use of the Certificate for identification or signing purposes is occurring at Layer 7—the Application layer. In all of these references, the underlying network connections have already been established and are being used. Moreover, although the use of a Digital certificate is being taught as a way of potentially increasing user authentication all of these references fall short of any attempt to further safeguard the original network connection. While the digital certificate can certainly be used for access to network resources and that is highly desirable, there are underlying security issues that these references fail to address.
The prior art reference of Ringland US 2013/0103833 is different. Ringland, teaches how a user of a mobile device may move from one network to another and maintain a consistent network access—i.e., the user is on a cellular network watching a movie and arrives home so the network connection transfers from the cellular network to the home network with the same address so that the streaming of the video is undisturbed. Within this methodology, Ringland teaches that User submits credentials (username and password) directly to a certificate provisioning server and the server creates a certificate and delivers the certificate directly to the user. The User's home access point is configured with a list of users who may access the Local Area Network (LAN) by presenting their digital certificate to the home access point.
A fundamental element present in all of these prior art references is that they teach how a digital certificate may be used for access to a system or application. They do not focus specifically on how the certificate is provided to the User.
Moreover, how a certificate is provided to a user can often be taxing. Indeed as digital certificates are most commonly used as attestations of trust, i.e., the signing of documents, messages, applications and the like, as well as the verification that another party is who he or she says they are, there is typically a great deal of concern on who should receive a certificate—has the user been properly vetted, what resources should he or she have, how long should the certificate last, where and when can the certificate be used, etc. . . .
While these issues are extremely relevant in some settings—as with the prior art references above—they are not relevant in all settings. Indeed the use of certificates can significantly increase security in accessing secured networks and network resources, but even as this element of increased security is achieved the use of certificates may simplify the overhead of keeping track of who has access to what and when, as well as other matters. But the prior art materials presently known have not addressed these issues.
Hence there is a need for a method and system that is capable of overcoming one or more of the above identified challenges.