This disclosure relates to improving authentication functionality as it relates to digital certificate signing requests and approvals, and more specifically to methods and systems for biometric authentication of individuals requesting and approving digital certificates.
A digital certificate is an electronic document that is issued by a certificate authority (CA) and used to prove a person's identity during an electronic interaction. For example, a programmer depositing updated code in a central code repository will often require a digital certificate to “sign” the deposit, thereby proving that the programmer and not some other user was responsible for the deposit. Digital certificates may be limited to specific number of uses or a specific timeframe in which they can be used. Accordingly, regular users of digital certificates frequently need fresh digital certificates, which they request using a certificate signing request (CSR). A CSR is a specially formatted request sent to the CA that results in the CA issuing the required digital certificate.
While digital certificates are themselves considered a measure of security and authenticity, the process of requesting digital certificates is prone to certain limitations. Some known CSR systems are limited in their ability to positively identify that the requestor is an authorized user. For example, where a CA is entirely automated, anyone with access and familiarity to the CA's CSR process can “game” the system by presenting fake credentials in order to acquire a valid digital certificate. Even CA's whose process includes human intervention before they issue the digital certificate are vulnerable to social engineering attacks that can cause security risks. In some cases, otherwise-authorized users can also exploit these vulnerabilities, such as where an authorized user acquires the credentials of another authorized user and uses those credentials to cause the CA to issue a digital certificate. Similarly, an unauthorized user can carry out schemes such as “phishing” or “man-in-the-middle” attacks to acquire data such as usernames and passwords used to request the digital certificate, and subsequently request the certificate while masquerading as the authorized user. Attacks such as “packet-sniffing” or other network intrusions can be used to intercept and log network traffic across computing devices and result in unauthorized users acquiring digital certificates.