Users frequently access a variety of secured resources, such as online accounts or networks, by supplying some form of authentication credentials. Social networks, bank accounts, online file storage services, and corporate network accounts, for example, commonly require users to provide a username and password. Protecting these authentication credentials is critically important for individuals and organizations. Users rely on these online resources to securely store personal data such as credit card information, activity data, and other personal identification data. If these credentials are somehow leaked or mishandled, it can lead to severe reputational and financial loss to the user or for organizations. Further, users often use the same or similar credentials for multiple accounts or networks, so if authentication data is compromised for one resource, it can have cascading effects for other secured resources or networks.
Unfortunately, high-profile data breaches or inadvertent releases have become commonplace. Even large, well-known enterprises (e.g., leading social network providers, software companies, gaming developers, e-commerce sites, etc.) cannot guarantee the safe storage and handling of users' authentication credentials. Authentication data is often being used and stored in an unsecure manner. In many authentication processes, when a user wants to authenticate itself for access to a particular resource, the user passes authentication credentials to an authentication server. The authentication server then decides if the supplied credentials (or a hash) match stored credentials (or a hash) for the user. In some circumstances, the user's authentication data is stored in an unencrypted manner on hard drives or in databases. This transfer and storage of data leaves it vulnerable to data breaches or theft. For example, if the authentication server is compromised the user's authentication data may be exposed.
Even in situations where attempts are made at data security, existing solutions focus on hardening the authentication component itself. For example, some authentication services may encrypt the user's authentication data. The data, however, is often stored on a single server (or limited group of servers), where it may still be vulnerable to various attack techniques. Further, the encryption keys used to encrypt the data are often stored in the memory of the authentication service, leaving it vulnerable as well.
Accordingly, in view of these and other deficiencies in existing techniques, technological solutions are needed for securely authenticating a user and storing user authentication data. Solutions should advantageously allow users to uniquely control the use and storage of their authentication credentials. An authentication system should be capable of authenticating a user without storing the user's original authentication credentials, and the encryption key used to encrypt the data should be generated with each request, without being stored. Therefore, even if data is stolen from the authentication system, an attacker would not obtain or be able to reproduce the user's original authentication data or the encryption key.