Many common security techniques are based on outdated notions of enterprises having well-controlled and clearly defined perimeters. In such environments, firewalls were the primary security tool to protect computing resources within the enterprise. But in modern environments, applications are increasingly being hosted in cloud-based systems, rather than through on-premises infrastructure within an enterprise. Further, many users of computing devices are moving outside the perimeters of enterprises to perform their computing activities. Consequently, many legacy security techniques are not only costly, complex, cumbersome, and ineffective, but they also lead to security vulnerabilities.
Security approaches that rely on all users being within an enterprise perimeter create risks because they allow for unrestricted lateral movement by users within the enterprise. This includes connecting from computer to computer, to applications, and to other resources. Further, such approaches often require a hole in a firewall for outside communications, which is also a risk. Moreover, these approaches limit user freedom, movement, and productivity. They thus result in a poor user experience, require significant IT overhead within the enterprise, and lack visibility into users' actual use of applications.
Other existing security techniques are inadequate in terms of their usability, flexibility, security performance, and speed. For example, some techniques allow users to authenticate themselves through biometrics. Nevertheless, when biometrics alone are used, they are vulnerable in terms of attacks that duplicate biometric information or hashes of such information. Similarly, some techniques rely on the use of passwords. But passwords are also vulnerable to theft or duplication, and further require users to memorize them on a continuous and changing basis. Indeed, passwords are often the weakest link in a security regime. Passwords further require management and IT burdens. Other techniques attempt to authenticate users based on observed environmental factors or calculated risk factors, such as geographic location and user activity. Yet these techniques are prone to false positives and false negatives, and require complex sets of rules to implement. Further, none of these techniques can confirm the current physical proximity between a user, a computing device they are using, and a secured resource they are trying to access. At best, these techniques provide only partial information regarding such a proximity status.
Additional security vulnerabilities and disruptions occur when users needing to securely access devices, applications, files, data, or other resources have no network connection (e.g., because of air travel, lack of network coverage, network downtime, network failures, etc.) or a poor quality connection. When users anticipate a lack of a reliable network connection, they sometimes implement workarounds (e.g., storing sensitive documents or data locally, storing such materials on removable storage like USB drives, bypassing security requirements, etc.). This creates significant security gaps and vulnerabilities. On the other hand, when users wait until they have a reliable connection to access secure resources, this results in a loss of productivity, inefficiencies, and missed opportunities.
There are thus technological needs for systems and methods that more securely, flexibly, and quickly authenticate users seeking access to network-restricted resources. It would be advantageous for solutions to not rely on the presence of an agent running on an endpoint device in all situations. Further, it would be advantageous for such solutions to not require passwords or other authentication credentials that users must memorize or supply. It would also be advantageous to allow client devices to access controlled target network resources, following passwordless authentication, without directly connecting the client device to the target resources. In addition, it would be advantageous for such solutions to operate with various different types of identification and verification technologies and protocols. Such solutions may also advantageously utilize authentication techniques such as biometric recognition, voice recognition, body or movement sensing, and artificial intelligence techniques. It may also be advantageous for such solutions to be transparent to users of client devices, to the client devices they are using, or to target network resources they are accessing. Further, in situations where such solutions are implemented using an application (e.g., a mobile app), it may be advantageous to separate any confidential or biometric information about the user from the application itself, and instead store only public or non-sensitive user information in the app (e.g., name, title, contact information, etc.).
In addition, it would be advantageous for solutions to confirm the proximity between a user, their computing device, and a secured resource they are trying to access. By confirming the proximity between these entities, systems may more reliably determine that a user is who they purport to be. Further, it would be advantageous for such techniques to involve secret splitting, so that at least a portion of a secret needed for access control is provided to a computing device controlling access and another portion is provided to the user's personal computing device, such that a combination of the secret portions may enable access. In this manner, even if a malicious actor obtained one of the secret portions, they would not be able to access the secured resource because they would be lacking the other portion(s). According to such techniques, when implemented by a security service provider operating between the user and the secured resource, access control may also be guaranteed to run through the security service provider by requiring its intermediation, thus providing stronger levels of security.
In other embodiments, it would be advantageous to provide users access to secrets or access-protected resources (e.g., logging in to an operating system, running an application, accessing protected data, etc.) even when they have no network connection (or a weak connection). According to embodiments described herein, secrets (e.g., passwords, keys, tokens, certificates, hashes, etc.) may be stored securely on an endpoint device such that the secrets are inaccessible to a user without the user interacting with a separate auxiliary device to decrypt the secret. Through such techniques, even if an endpoint device (e.g., laptop, personal computer, tablet, etc.) is stolen, access to protected secrets on the device may be protected against theft or misuse.