Enterprises can control user access to enterprise applications, such as web applications, by authenticating users via user credentials, such as a username and password. Enterprises may wish to provide a more secure environment by implementing strong authentication, also known as second-factor authentication. Second-factor authentication requires a user to provide additional evidence of who they are, for example via a Smartcard or other physical token. A Smartcard can store a user's public key certificate and the corresponding private key. Instead of a password, the user provides a personal identification number (PIN), which authenticates the user to the Smartcard. The user's public key certificate is then retrieved from the Smartcard through a secure process and verified to be valid and from a trusted issuer. During the authentication process, a challenge based on the public key contained in the certificate is issued to the card. This challenge verifies that the card is in possession of, and can successfully use, the corresponding private key. The private key can then be used to decrypt incoming messages and to sign outgoing messages. The public key can then be used to encrypt incoming messages and to validate the signatures of outgoing messages. Accordingly, Smartcards allow access to signing and encryption that other two-factor authentication solutions may not provide. However, Smartcard deployment can be both costly and logistically difficult for an enterprise. For example, the costs involved can include the cost of the Smartcards, the cost of the Smartcard readers, and the cost of shipping and storing the Smartcards and the Smartcard readers. Further, logistical difficulties can include restrictions on the international shipping of cryptographic devices and the retrieval of devices from individuals who are no longer authorized to use them.
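The challenge-response exchange described above, as an added Go example that is not part of this document: a simulated card that releases its certificate and signs a random challenge only after a PIN check, a hypothetical enterprise CA that enrolls the card, and the server-side check that the certificate chains to a trusted issuer and that the card can use the matching private key. The CA name, user name, PIN and 24-hour validity are constructed for the example; a real card performs the signature inside its chip and locks after repeated wrong PINs, and this example gates only the private-key operation with the PIN, releasing the (public) certificate freely.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Card stands in for the smartcard (constructed for this example): the private key never
// leaves it; it releases the certificate freely and signs a challenge only after the PIN is accepted.
type Card struct {
	pin  string
	key  *ecdsa.PrivateKey
	cert []byte // DER-encoded user certificate from the enterprise issuer
}

func (c *Card) Certificate() []byte { return c.cert }
// SignChallenge proves possession of the private key without revealing it.
func (c *Card) SignChallenge(pin string, challenge []byte) ([]byte, error) {
	if pin != c.pin {
		return nil, fmt.Errorf("card: PIN rejected")
	}
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, c.key, digest[:])
}

// issue generates a P-256 key pair for the subject and returns it with a certificate
// signed by parent/signer (self-signed when parent is nil); demo-only 24h validity.
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl.SerialNumber, _ = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64)) // a nil serial fails in CreateCertificate
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// Provision models enrollment by a hypothetical enterprise CA: create the CA, generate the
// user's key pair "on the card", certify its public key, and return the card with the trust anchors.
func Provision(caName, user, pin string) (*Card, *x509.CertPool, error) {
	caKey, caCert, err := issue(&x509.Certificate{Subject: pkix.Name{CommonName: caName},
		KeyUsage: x509.KeyUsageCertSign, BasicConstraintsValid: true, IsCA: true}, nil, nil)
	if err != nil {
		return nil, nil, err
	}
	userKey, userCert, err := issue(&x509.Certificate{Subject: pkix.Name{CommonName: user},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}, caCert, caKey)
	if err != nil {
		return nil, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return &Card{pin: pin, key: userKey, cert: userCert.Raw}, roots, nil
}

// Authenticate is the server side: the certificate must chain to a trusted issuer and permit
// client authentication, then a fresh random challenge must be signed by the matching private key.
func Authenticate(card *Card, pin string, roots *x509.CertPool) (string, error) {
	cert, err := x509.ParseCertificate(card.Certificate())
	if err != nil {
		return "", err
	}
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", fmt.Errorf("certificate not trusted: %w", err)
	}
	challenge := make([]byte, 32) // fresh nonce, so a recorded signature cannot be replayed
	rand.Read(challenge)          // crypto/rand.Read is guaranteed not to fail since Go 1.24
	sig, err := card.SignChallenge(pin, challenge)
	if err != nil {
		return "", err
	}
	// CheckSignature hashes the challenge with SHA-256 and verifies the ECDSA signature against
	// the public key carried in the certificate, which proves the card holds the private key.
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, challenge, sig); err != nil {
		return "", fmt.Errorf("card does not hold the private key for this certificate")
	}
	return cert.Subject.CommonName, nil
}

func main() {
	card, roots, err := Provision("Example Enterprise CA", "alice", "1234")
	if err != nil {
		panic(err)
	}
	fmt.Println(Authenticate(card, "1234", roots)) // alice <nil>
}
```

The server never sees the private key: it learns only the certificate and one signature over a nonce it chose itself, which is why a copied certificate, a recorded signature, or a certificate from a CA outside the configured roots all fail `Authenticate`. Run it with `go run`, or exercise the failure paths (wrong PIN, untrusted issuer) from a test in the same package.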
Soft certificate solutions typically store public key certificates and the corresponding private keys locally on a client device. As such, they do not incur the costs associated with Smartcards. However, soft certificates are not protected by the chip of a Smartcard, so the private key is only as well protected as the client device that stores it, and can be vulnerable to attack.