Sevan Networks: Identity Authentication for Web Security

What is certificate-based authentication?

Most of us are familiar with password authentication, which is based on the premise that you and only you know your password. If someone presents your password to a web site, the web site authenticates this person as you.

Certificate-based authentication is based on the premise that you and only you have access to the secret information (the private key) that is associated with your certificate. The web site never sees your secret information, so your identity is secure (unlike password authentication).

Unlike passwords, certificates are too big to remember, and the mathematical operations needed to prove that you are in possession of the associated secret information are too involved to perform manually. Therefore, certificate-based authentication must be performed by a computer. Fortunately, all popular browsers handle certificates and the associated math.

The certificate and secret information are usually held on the computer's hard drive, but can also be stored on a smart card (a portable device the size of a credit card) or on a USB token (a portable device that plugs into a USB port). When a web site asks for user authentication, the browser accesses the certificate and secret information and performs the authentication on behalf of the user. The browser can be configured to automatically authenticate the user, so the user is not aware that the authentication took place.
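The proof of possession described above, reduced to a challenge-response sketch in Node.js (an added example, not code from Sevan Networks). It assumes a bare public key standing in for the certificate and a random challenge in place of the TLS handshake data a browser actually signs; all function names are hypothetical.

```javascript
const nodeCrypto = require('crypto');

// Client side: generate the key pair. The public half stands in for the
// certificate (a real X.509 certificate also carries identity fields and a
// CA signature, omitted here as a simplifying assumption).
function makeClient() {
  const { publicKey, privateKey } =
    nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  return {
    certificate: publicKey.export({ type: 'spki', format: 'pem' }), // public, safe to send
    // The private key stays inside this closure; only signatures leave it.
    respond: (challenge) => nodeCrypto.sign('sha256', challenge, privateKey),
  };
}

// Server side: issue a fresh random challenge for every login attempt.
function newChallenge() {
  return nodeCrypto.randomBytes(32);
}

// Server side: check the response using only the public key in the certificate.
function verifyResponse(certificatePem, challenge, signature) {
  try {
    const publicKey = nodeCrypto.createPublicKey(certificatePem);
    return nodeCrypto.verify('sha256', challenge, publicKey, signature);
  } catch {
    return false; // malformed certificate or signature
  }
}

function demo() {
  const alice = makeClient();
  const impostor = makeClient(); // knows Alice's certificate, lacks her private key

  const c1 = newChallenge();
  const sig1 = alice.respond(c1);
  const c2 = newChallenge();

  return {
    genuine: verifyResponse(alice.certificate, c1, sig1),
    impostor: verifyResponse(alice.certificate, c1, impostor.respond(c1)),
    replay: verifyResponse(alice.certificate, c2, sig1), // old answer, new challenge
  };
}

console.log(demo());
```

Only the certificate and signatures cross the wire, and a signature captured from one login is useless against the next challenge, which is the property a transmitted password lacks.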

Copyright 2002-2009 Sevan Networks, Inc. All Rights Reserved