When computing devices (e.g., mobile phones, tablets, laptops, etc.) need to communicate with remote, access-protected network resources, they often make themselves vulnerable to credential theft. If a computing device locally stores a password, authentication credential, or other secret, the secret may be stolen by a malicious user with access to the computing device. Further, if the computing device utilizes a password manager (e.g., LastPass™, 1Password™, aWallet™, KeePass™, etc.), the secret likewise becomes exposed to theft because it is stored, at least temporarily, in local memory (e.g., random access memory) of the computing device. Indeed, with a password manager, the secret is transferred as a plaintext string over the Internet, usually with encryption, directly to a keystore. In this process, the secret is stored for at least some time as plaintext in the local memory of the computing device.
When a secret is stored in local memory on a computing device, the secret is vulnerable to theft or other attacks. For example, if a malicious user has access to the local memory, they may steal or wrongly use the secret. In addition, in some situations the attacker may listen in to the communication channel being utilized by the computing device (e.g., after the attacker has escalated its privileges through other attacks) and steal the secret from the monitored communications.
Certain forms of trusted execution environments or trusted platform modules have been developed, in part as an effort to attempt to secure the use of secrets on computing devices. Examples of trusted execution environments or trusted platform modules include Arm TrustZone™, Apple Secure Enclave™, Android KeyStore™. Such technologies may provide hardware isolation on a computing device for execution of trusted software. While these techniques may help to secure certain data and processing on a computing device, they do not eliminate the attack surface that is created when secrets are stored in local memory on a computing device. For example, using such technologies, a user's initial authentication still occurs in the unprotected environment on the computing device. The added security of the trusted execution environments or trusted platform modules is thus powerless to stop attackers, especially where the computing device has already been compromised or infected by an attacker.
In view of these vulnerabilities and deficiencies in existing approaches, technological solutions are needed to provide for the secure transfer of secrets to network resources. For example, techniques are needed for fully shifting the initial authentication phase for a user into a protected environment, not an exposed environment, of a computing device. Techniques are also needed for maintaining secrets in the protected environment. Further, techniques are needed for enabling ongoing secure communications between an application on a computing device (which may be in an exposed environment) and an access-protected network resource.