Traditional means of authenticating to computer systems and computer applications involve knowing a username and password. This results in password being an important piece of information that needs to be protected since a password leak could lead to unauthorized access to computer systems or applications resulting in business losses. Remembering a multitude of usernames and passwords can be cumbersome and error-prone which can potentially lead to insecure practices such using the same passwords across applications and systems which in turn increases the risk when a password is leaked.
Traditional two-factor authentication systems overcome some of these problems by using a physical token and password whereby just the loss of password does not compromise security. However, two-factor authentication can be expensive to install, use, maintain, and administer. In addition, many users are more familiar with single username and password use, and introducing a physical token and/or other means of delivering and using software tokens can result in productivity loss caused by having to adjust to a new security regime. Furthermore, various legacy applications and systems do not support two-factor authentication.
Restricting access to computer systems and applications to a select few individuals, carefully disseminating credential information, frequently changing passwords, monitoring, and auditing access are other traditional means of securing password use. But all of these approaches can be prone to human error resulting in password leakage either by accident, due to malware, phishing or some other cyberattack.
When granting internal system access to third-party entities, the challenges of securing credentials multiply as an organization may not have complete control over security, operating, and business practices of a third-party.
Based on the foregoing, there is a need for secure and automated credential handling such that credentials are not revealed except at the point of need and transported to the endpoint or application using cryptographically sound transport mechanisms.