1. Technical Field
The present disclosure relates generally to methods and systems for authentication in secure data communications. More particularly, the present disclosure relates to systems and methods for single sign-on with multiple authentication factors.
2. Related Art
Numerous aspects of a person's day-to-day work and personal lives involve computers and online services accessed thereby. In order to secure personal information from unauthorized use, and to provide an individualized experience, access to such online services is established based upon user accounts and corresponding passwords. Because computer systems and online services are operated and managed by different entities, separate accounts and passwords are necessary for each. For example, a bank account is accessed separately from a credit card account, which is different from a household utilities account, and so forth. Furthermore, a typical person may have one or more separately accessed e-mail accounts, as well as different from accounts for social networking sites, blogging sites, and special interest message board sites. Even in an enterprise information technology (IT) environment, separate accounts may be necessary for a given employee's computer, e-mail server, and file server access.
Due to the large number of account names and passwords that must be remembered and entered upon demand for access to these various computing resources, many suffer from password fatigue. Even individuals with good memory can forget account identifiers and passwords, particularly those that are used only sparsely, or those that are required to have some level of complexity such as uppercase/lowercase letters, numbers, and symbols. Password fatigue oftentimes leads to users adopting individual password and account management practices that paradoxically lead to less security, than more security as intended with deploying different access control systems for each resource. One of the more common of such unsecure practices is selecting the same account identifier and password combination for each resource to which the user has access. If one of the systems is compromised such that the account name and password is known to a malicious third party, then all of the systems with the same account name and password combination are compromised. Another common practice is writing down or otherwise recording account identifiers and passwords in an unsecure medium, and storing the same in close physical proximity to a terminal that is used to access the resource. If physical security is breached to where such written account identifiers and passwords can be pilfered, then the security of those resources can also be breached. In order to make memorizing passwords easier, users may select common words or phrases that can be easily determined with a common dictionary attack.
As a solution to the password fatigue problem, and in order to simply the coordinated management and security of multiple user accounts tied to a single user or identity over multiple computing resources, single sign-on (SSO) has been developed. In general, single sign-on refers to an access control modality in which the user supplies login credentials just once without being prompted again to gain access to other, related computing resources. Conventional single-sign on implementations treat each component as an independent secondary security domain, but with the user initially accessing a primary domain to establish a secured session therewith.
Access to the additional resources is through the primary domain, and can occur in one of several ways. In one known method, the credentials provided to access the primary domain are directly passed on to the secondary domain for immediately signing on thereto. Alternatively, the credentials for the primary domain are used to retrieve other account name and password information for the secondary stored thereon, and then provided to the secondary domain upon requesting access without prompting the user for manual entry.
Providing access to a server by an unknown client, or supplying access credentials from the client to an unknown server, over an open network environment, raises several security concerns. The server must be assured that the client is what it asserts it is, and the client must be assured that the server is what it asserts it is. One conventional authentication or initial login process for the user to gain access to the primary domain involves verification of the user with the account identifier and the corresponding password, which is only one factor. The secret nature of passwords, at least in theory, is intended to prevent unauthorized access. However, simple password protection is ineffective because they can be mistakenly revealed, and are susceptible to brute-force attacks. Besides what the user knows, that is, the password for an account, other authentication factors including what the user has (hardware access control devices, security certificates downloaded to a client device after verification via hardware devices and the like) and what the user is (biometrics such as fingerprints and retinas) are utilized. Multiple authentication factors are understood to decrease the likelihood of unauthorized access.
Existing implementations of single sign-on that utilize multiple authentication factors is deficient in several respects. One problem is the required use of particular application programming interfaces (APIs) along with the complexities of integration attendant thereto. Furthermore, system administrators must oftentimes manage and audit each application/secondary domain separately because of differing password policies. Accordingly, there is a need in the art for improved single sign on with multiple authentication factors.