What is certificate-based authentication?
Most of us are familiar with password authentication, which is based on the premise that you and only you know your password. If someone presents your password to a web site, the web site authenticates that person as you.

Certificate-based authentication is based on the premise that you and only you have access to the secret information that is associated with your certificate. The web site never sees your secret information, so, unlike with password authentication, authenticating to a site does not hand it anything that could later be used to impersonate you.

Unlike passwords, certificates are too large to remember, and the mathematical operations needed to prove that you possess the associated secret information are too involved to perform by hand. Certificate-based authentication must therefore be performed by a computer. Fortunately, all popular browsers handle certificates and the associated math.

The certificate and secret information are usually held on the computer's hard drive, but can also be stored on a smart card (a portable device the size of a credit card) or on a USB token (a portable device that plugs into a USB port). When a web site asks for user authentication, the browser accesses the certificate and secret information and performs the authentication on behalf of the user. The browser can be configured to authenticate the user automatically, so the user may not even be aware that authentication took place.
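The following Go program is an added example, not code from the original page, that models the premise described above: the web site holds only the user's certificate (public), the browser holds the secret private key, and a login consists of the site issuing a random challenge that the browser signs. The site verifies the signature with the public key in the enrolled certificate, so the secret never leaves the client. It assumes a simplified challenge-response exchange rather than a full TLS handshake, an ECDSA P-256 key, and a self-signed certificate enrolled at the site; the `Client`, `Server` and `Login` names are hypothetical. The impostor case at the end shows that copying the certificate without the key gains nothing.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Client models the user's browser or token: it holds the certificate
// (public, freely shared) and the private key (secret, never transmitted).
type Client struct {
	Cert *x509.Certificate
	priv *ecdsa.PrivateKey // unexported: nothing outside this struct reads it
}

// NewClient generates a fresh key pair and a self-signed certificate for it.
// Constructed for this example; in practice a CA would issue the certificate.
func NewClient(name string) (*Client, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Client{Cert: cert, priv: priv}, nil
}

// Respond proves possession of the private key by signing the site's
// challenge. Only the signature leaves the client, never the key.
func (c *Client) Respond(challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, c.priv, digest[:])
}

// Server models the web site. At enrollment it stores each user's
// certificate (public key only); it never receives any secret.
type Server struct {
	enrolled map[string]*x509.Certificate
}

func NewServer() *Server { return &Server{enrolled: map[string]*x509.Certificate{}} }

func (s *Server) Enroll(cert *x509.Certificate) { s.enrolled[cert.Subject.CommonName] = cert }

// Challenge returns a fresh random nonce; a new one per login means a
// captured signature cannot be replayed later.
func (s *Server) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}

// Authenticate checks the certificate's validity period and verifies the
// signature over the challenge with the public key in the enrolled certificate.
func (s *Server) Authenticate(name string, challenge, sig []byte) error {
	cert, ok := s.enrolled[name]
	if !ok {
		return errors.New("unknown user")
	}
	if now := time.Now(); now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return errors.New("certificate not valid at this time")
	}
	// CheckSignature hashes the challenge with SHA-256 and verifies the
	// ASN.1 ECDSA signature against the certificate's public key.
	return cert.CheckSignature(x509.ECDSAWithSHA256, challenge, sig)
}

// Login runs one complete challenge-response exchange and returns nil on success.
func Login(s *Server, c *Client) error {
	challenge, err := s.Challenge()
	if err != nil {
		return err
	}
	sig, err := c.Respond(challenge)
	if err != nil {
		return err
	}
	return s.Authenticate(c.Cert.Subject.CommonName, challenge, sig)
}

func main() {
	alice, _ := NewClient("alice")
	site := NewServer()
	site.Enroll(alice.Cert)
	fmt.Println("alice login:", Login(site, alice))

	// An impostor who copied alice's certificate but holds a different key.
	impostor, _ := NewClient("alice")
	impostor.Cert = alice.Cert
	fmt.Println("impostor login:", Login(site, impostor))
}
```

The site stores nothing that would let it, or anyone who breaches it, log in as the user: the enrolled certificate contains only the public key, and each login signs a nonce the site has never seen before. In real deployments this exchange happens inside the TLS handshake (client certificate authentication) and the site additionally checks that the certificate chains to a trusted CA and has not been revoked.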