Credential Management

Credential Management, also referred to as a Credential Management System (CMS), is an established form of software that is used for issuing and managing credentials as part of public key infrastructure (PKI).

CMS software is used by governments and enterprises issuing strong two-factor authentication (2FA) to employees and citizens. The CMS integrates with the components of PKI to provide one joined-up solution for IT departments to issue and manage credentials to a wide selection of devices, including smart cards, USB keys, smartphones, laptops and desktop computers. [1]

Credential Management is also a proposed application programming interface (API) under development by the World Wide Web Consortium for standardizing aspects of how password managers used by web user agents (web browsers and other applications) create, store, use, and modify username and password combinations for logins, in addition to the management of "federated" credentials (such as single sign-on tokens) by user agents. The API is being developed by the W3C's Web Application Security Working Group, and has been in Working Draft status since April 2016. It is a Recommendation-track proposal, expected to become an accepted standard, but may undergo significant changes before that occurs. [2] [3] The Credential Management API has already been extended by the WebAuthn (Web Authentication) proposal, which reached Candidate Recommendation status in April 2018 and adds the ability to handle public-key authentication. [4]

It is common for modern web browsers to be able to store and automatically enter usernames and passwords for website logins, though they have often used suboptimal heuristics for guessing which form fields and data are supposed to be filled or stored, resulting in inconsistent and sometimes faulty behavior. Browsers can also have trouble filling in login forms for federated identities, such as when a user connecting to a website uses an account for a third-party web service (like Facebook, Google, or Twitter) to authenticate and provide identity information. The Credential Management specification also aims to streamline the process of changing passwords so that the locally stored password on the client can be updated at the same time it is modified on the server.

Google Chrome has included some support for Credential Management since version 51, [5] released in May 2016, [6] and Opera has included support since version 44, [5] released in April 2017. [7] Mozilla Firefox includes a subset of the API to support WebAuthn since version 60, released in May 2018. [8]

API

As of the August 2017 working draft, [9] user agents supporting the Credential Management API must implement a "credential store" for persistent storage of credential objects, and should also include a "credential chooser" to allow users to interact with the objects and allow or deny their use for logins. Credentials will ideally have a name and favicon associated with them, perhaps along with other related information, to help distinguish which website or service they are used for, as well as the ability to differentiate credentials for multiple accounts on the same site.

The API defines four main JavaScript methods on the CredentialsContainer interface (exposed to scripts as navigator.credentials): navigator.credentials.create(), navigator.credentials.store(), navigator.credentials.get(), and navigator.credentials.preventSilentAccess(). It also specifies the top-level Credential interface object, with descendant PasswordCredential and FederatedCredential object types. (WebAuthn also defines a PublicKeyCredential interface object.) The API is only available when a user agent is connected to a secure (HTTPS) website. Browsers can still implement auto-filling of login information on non-secure sites, but must not allow such sites to benefit from the automation that the API provides, since it could lead to accidental exposure of passwords or other credentials. In addition, API access is only allowed in top-level windows, and not within <iframe> elements or other nested browsing contexts.

The navigator.credentials.create() method is used for constructing credential objects in memory, and store() triggers writing an object to the credential store following a successful login. get() requests potentially relevant credentials from storage, which may be presented to the user in a credential chooser. When retrieval requests are made, user agents are required to prompt the user for authorization by default, though the user interface can allow a flag to be set that allows "silent" authorization without presenting a prompt. A website can reset that flag with the preventSilentAccess() method, recommended for use when logging out.
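The login and logout flow described above, as an added example that is not code from the specification or from any browser: the site-side functions take an injectable credential container, so in a browser `navigator.credentials` would be passed in, while the constructed `FakeCredentialsContainer` and `PasswordCredential` stand-ins let the flow run offline. The names `login`, `logout`, `runScenario`, `authenticate` and `formFallback` are assumptions, and the way the fake models the prevent-silent-access flag is an assumption based on the Working Draft's description rather than its exact algorithm.

```javascript
// Model of the Credential Management flow: get -> authenticate -> store on login,
// preventSilentAccess on logout. FakeCredentialsContainer and PasswordCredential are
// constructed stand-ins for the browser objects; the flag handling is an assumption.
class PasswordCredential {
  constructor({ id, password, name }) {
    Object.assign(this, { type: 'password', id, password, name: name || id });
  }
}
class FakeCredentialsContainer {
  constructor(chooser) {
    this.stored = new Map();     // the user agent's "credential store" for this origin
    this.preventSilent = false;  // flag set by preventSilentAccess()
    this.chooser = chooser;      // stands in for the user agent's "credential chooser"
  }
  async store(cred) { this.stored.set(cred.id, cred); return cred; }
  async preventSilentAccess() { this.preventSilent = true; }
  async get({ password = false, mediation = 'optional' } = {}) {
    const matches = password ? [...this.stored.values()] : [];
    const canBeSilent = !this.preventSilent && matches.length === 1;
    if (mediation === 'silent') return canBeSilent ? matches[0] : null; // never prompts
    if (mediation === 'optional' && canBeSilent) return matches[0];
    if (matches.length === 0) return null;
    const picked = await this.chooser(matches); // the user mediates explicitly
    if (picked) this.preventSilent = false;     // assumption: explicit choice re-arms silent access
    return picked;
  }
}
// Site-side logic; authenticate() and formFallback() are hypothetical site-supplied callbacks.
async function login(container, authenticate, formFallback) {
  const cred = await container.get({ password: true, mediation: 'optional' });
  const { id, password } = cred || formFallback();
  if (!(await authenticate(id, password))) return null;
  if (!cred) await container.store(new PasswordCredential({ id, password }));
  return id;
}
async function logout(container) { await container.preventSilentAccess(); }
// First login via the form, a silent return visit, logout, then a mediated login.
async function runScenario() {
  const container = new FakeCredentialsContainer(async (matches) => matches[0]);
  const authenticate = async (id, pw) => id === 'alice' && pw === 'constructed-pw';
  const silentId = async () => (await container.get({ password: true, mediation: 'silent' }))?.id ?? null;
  const out = {};
  out.firstLogin = await login(container, authenticate, () => ({ id: 'alice', password: 'constructed-pw' }));
  out.silentReturn = await silentId();          // 'alice'
  await logout(container);
  out.silentAfterLogout = await silentId();     // null
  out.mediatedAfterLogout = await login(container, authenticate, () => { throw new Error('form unused'); });
  return out;
}
```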

References

  1. "Credential Management System - MyID CMS". Intercede. Retrieved 2019-07-31.
  2. West, Mike, ed. (2017-08-04). "Credential Management Level 1". W3C. Retrieved 2018-05-12.
  3. "W3C Web Application Security Working Group". Retrieved 2018-05-12.
  4. Balfanz; et al. (2018-03-20). "Web Authentication: An API for accessing Public Key Credentials Level 1". W3C. Retrieved 2018-05-12.
  5. "Credential Management API". MDN Web Docs. Mozilla. 2018-02-20. Retrieved 2018-05-13.
  6. "Stable Channel Update". Chrome Releases. 2016-05-25. Retrieved 2018-05-13.
  7. Mielczarczyk, Kornelia (2017-04-05). "Opera 44.0.2510.1159 Stable update". Opera Blogs. Retrieved 2018-05-13.
  8. "Firefox — Notes (60.0) — Mozilla". Mozilla. 2018-05-09. Retrieved 2018-05-13.
  9. West, Mike, ed. (2017-08-04). "Credential Management Level 1, W3C Working Draft, 4 August 2017". Retrieved 2018-05-12.