Systems for authenticating users to computer systems and networks, including cloud-based resources, are known. The most well-known such system is a simple username and password combination. Concerns over identity theft have led users and resource providers to additional layers of security, such as longer and more complicated passwords and so-called multifactor authentication.
Multifactor authentication is fairly common now and adds a security token to the username and password combination. An underlying principle of multifactor authentication is to combine “something you know” e.g., a password, with “something you have” e.g., a security token or biometric feature. The token may be provided in software or hardware, and is usually embodied as a lengthy code, which need not, but may change according to an algorithm known to the resource provider. One example of a typical multifactor hardware token is the RSA SecurID Hardware Authenticator. The RSA SecurID authentication mechanism consists of a “token” which is assigned to a computer user and which generates an authentication code at fixed intervals (usually 60 seconds) using a built-in clock and the token's factory-encoded random key; known as the “seed”. The seed is different for each token, and is loaded into the corresponding RSA SecurID server as the tokens are purchased. A user authenticating to a network resource using a SecurID token is required to enter both a personal identification number and the number being displayed at that moment on their RSA SecurID token. Some systems using RSA SecurID disregard PIN implementation altogether, and rely on password/RSA SecurID code combinations. The server, which also has a real-time clock and a database of valid cards with the associated seed records, computes what number the token is supposed to be showing at that moment in time, checks it against what the user entered, and makes the decision to allow or deny access. There are also implementations of RSA SecurID which generate the authentication information purely in software (“Soft Tokens”).
In more extreme cases a multifactor token can be biometric, e.g. a retina, fingerprint, or facial scan of the authorized user. The purpose of all of these systems is to prove the identity of a person.
These systems are vulnerable however, to attempts to impersonate an authorized user by theft of the token. This can either be due to physical theft of a hardware device generating the multifactor token, such as an RSA SecurID tag, or through indirect means such as a man-in-the-middle attack (“MITM”). In the latter case, the user's transmitted multifactor authentication information is intercepted prior to reaching the desired computing resource. The authentication information can be intercepted for example, by malicious software executing on the user's access hardware. If attackers can intercept the user's authentication data, they can use the captured credentials to authenticate on their own behalf, thereby gaining access to the resource.
Antivirus software for identifying and neutralizing malicious programs on computer systems and networks is also known. This software is typically installed on a hardware device by an authenticated user. It is executed manually or automatically on a periodic basis, and also can be updated on a periodic basis in order to identify and neutralize new malicious programs as they come into existence. This type of security measure protects personal hardware internetworked to other computers from malicious attacks.
Both antivirus and user authentication software can be provided on hardware tokens such as USB sticks or other storage devices such as flash drives and the like. In these cases the security software can be executed either directly on the storage device or downloaded for execution on the hardware.
With the rapid growth of cloud computing, both the programs used and the data generated are located in the cloud, making user authentication even more important. Users want authentication systems to safeguard their data and resource providers want authentication to prevent unauthorized access to their programming resources. These security issues are exacerbated because the cloud permits users to access data and resources from multiple devices, including public computing resources or other hardware devices on which the users are not administrative users responsible for the physical security of the hardware. In such cases, the user has little if any knowledge or assurance about the security of the hardware and therefore the user's authentications for cloud data and resources are vulnerable to theft, not only by the hardware owner but by malicious code on the public hardware. What is needed therefore is a security system for cloud computing that will improve the security of users' authentications to cloud data and resources.