The specification relates to a system and method for authenticating online communications. In particular, the specification relates to client-side authentication of communications.
Websites increasingly include plug-ins authored by third parties. These third parties are not trusted by the website and the client devices that access the website. For this reason, among others, the website and the client devices cannot trust the plug-ins with their credentials. However, the plug-in (or the third-party server that hosts the plug-in) must be able to make certain privileged requests on behalf of the website or the client devices. Current solutions to this problem require a trusted server that does not host either the plug-in or the website to perform authentication of the plug-in requests.
A first problem present in existing authentication solutions is that they require extra time (approximately two hundred milliseconds) for the trusted server to perform the authentication step. The longer the authentication, the more time it takes to serve the user the requested content.
A second problem in existing authentication solutions is that they require the client device to trust a third party to protect the client device from unauthorized use of client information. Because the third party is motivated by personal gain, it can commit malfeasance if given the client credentials.
A third problem present in existing authentication solutions is that they do not permit client input during the period of time in which the authentication session lasts.