US2016255079A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2016255079-A1 |
| Application number | US-201615150480-A |
| Country | US |
| Kind code | A1 |
| Filing date | May 10, 2016 |
| Priority date | Jul 17, 2013 |
| Publication date | Sep 1, 2016 |
| Grant date | — |
Official abstract text for this publication.
A method of updating an authentication credential may include, by a client device, receiving an authentication credential from a user, generating an access key using the authentication credential, determining whether the access key decrypts a storage key that encrypts at least a portion of a computer-readable storage medium of the client device, and in response to determining that access key does not decrypt the storage key, sending a request to an authentication server. The request may include the authentication credential. The method may include receiving, from the authentication server, a recovery key, and generating an updated storage key using the decryption key.
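The unlock-or-recover flow from the abstract and claim 1, as an added Python illustration (not code from the patent or its applicant). It assumes the device keeps a second copy of the storage key wrapped under the recovery key, models the "updated storage key" as that same key re-wrapped under the new access key, and uses an HMAC-based wrap as a standard-library stand-in for a real authenticated key wrap; all class and function names are hypothetical.

```python
import hashlib, hmac, os
# Added illustration: every name below is hypothetical, not taken from the patent.
def kdf(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

def _mac(key: bytes, label: bytes, data: bytes) -> bytes:
    return hmac.new(key, label + data, hashlib.sha256).digest()

def wrap(kek: bytes, storage_key: bytes) -> bytes:
    # Stdlib stand-in for an authenticated key wrap (AES-KW or AES-GCM in practice).
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(storage_key, _mac(kek, b"enc", nonce)))
    return nonce + ct + _mac(kek, b"mac", nonce + ct)

def unwrap(kek: bytes, blob: bytes):
    nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, _mac(kek, b"mac", nonce + ct)):
        return None  # "the access key does not decrypt the storage key"
    return bytes(a ^ b for a, b in zip(ct, _mac(kek, b"enc", nonce)))

class AuthServer:
    def __init__(self):
        self.rec = {}  # (user_id, device_id) -> [salt, verifier, recovery_key]
    def set_credential(self, user, device, credential, recovery_key=None):
        salt = os.urandom(16)
        rk = recovery_key or self.rec[(user, device)][2]
        self.rec[(user, device)] = [salt, kdf(credential, salt), rk]
    def recover(self, user, device, credential):
        r = self.rec.get((user, device))
        ok = r is not None and hmac.compare_digest(r[1], kdf(credential, r[0]))
        return r[2] if ok else None

class Device:
    def __init__(self, user, device, credential, server):
        self.user, self.device, self.server = user, device, server
        self.salt, sk, rk = os.urandom(16), os.urandom(32), os.urandom(32)
        self.wrapped = wrap(kdf(credential, self.salt), sk)  # normal unlock path
        self.escrow = wrap(rk, sk)                           # recovery path
        server.set_credential(user, device, credential, rk)
    def unlock(self, credential):
        access_key = kdf(credential, self.salt)
        sk = unwrap(access_key, self.wrapped)
        if sk is not None:
            return sk, "local"
        rk = self.server.recover(self.user, self.device, credential)
        if rk is None:
            return None, "denied"
        sk = unwrap(rk, self.escrow)
        self.wrapped = wrap(access_key, sk)  # re-wrap under the new access key
        return sk, "recovered"
```

After a successful recovery the old credential no longer unlocks the device, because the storage key is now wrapped only under the new access key and the recovery key.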
Opening claim text (preview).
1. A method of updating an authentication credential, the method comprising: by one or more client devices, each associated with a user: receiving an authentication credential from the user; generating an access key that is derived from the authentication credential; determining whether the access key decrypts a storage key that encrypts at least a portion of a computer-readable storage medium of the client device; in response to determining that the access key decrypts the storage key: decrypting the storage key with the access key to create a decrypted storage key, and decrypting the at least a portion of the computer-readable storage medium of the client device with the decrypted storage key; and in response to determining that the access key does not decrypt the storage key: sending a request to an authentication server, wherein the request comprises the authentication credential; receiving, from the authentication server, a recovery key, and generating an updated storage key using the recovery key.

2. The method of claim 1, wherein receiving an authentication credential from a user comprises receiving the authentication credential from a user in response to prompting the user to provide the authentication credential.

3. The method of claim 1, wherein receiving an authentication credential from a user comprises receiving the authentication credential from a user in response to receiving an indication that the authentication credential should be updated.

4. The method of claim 1, wherein determining whether the access key decrypts a storage key that encrypts at least a portion of a computer-readable storage medium of the client device comprises determining whether the access key decrypts a storage key that encrypts at least a portion of a computer-readable storage medium of the client device during a first stage of a boot process of the client device, wherein the first stage of the boot process is implemented via a boot loader and occurs prior to a boot of an operating system of the client device.

5. The method of claim 1, further comprising: determining, by the client device, whether a current access key has expired; and in response to determining that the current access key has expired, removing the current access key and all storage keys protected by the current access key from the client device.

6. The method of claim 1, further comprising: receiving, from the authentication server, an indication that a current access key has been revoked; and removing all storage keys protected by the current access key from the client device.

7. The method of claim 1, wherein receiving a recovery key comprises receiving a decryption half of a recovery key.

8. The method of claim 1, further comprising, in response to generating an updated storage key using the recovery key, providing the user with access to the client device.

9. The method of claim 1, further comprising: in response to determining that access key does not decrypt the storage key, determining whether another failed attempt to decrypt the storage key has occurred; and in response to determining that another failed attempt to decrypt the storage key has occurred, revoking one or more current access keys.

10. The method of claim 9, wherein revoking one or more current access keys comprises revoking one or more current access keys according to a security policy associated with the authentication server.

11. A method of updating an authentication credential, the method comprising, by an authentication server: receiving, during a first stage of a boot process, from a client device associated with a user, a request to verify an authentication credential of the user, wherein the request comprises: the authentication credential, a unique client device identifier associated with the client device, and a unique user identifier associated with the user; determining whether the authentication credential corresponds to the unique client device identifier and the unique user identifier by comparing the authentication credential, the unique client device identifier and the unique user identifier to information stored by the authentication server; and in response to determining that the authentication credential corresponds to the unique client device identifier and the unique user identifier, sending a key to the client device and one or more other client devices associated with the user.

12. The method of claim 11, further comprising: determining whether any access keys associated with the client device have been revoked; and in response to determining that at least one access key has been revoked, sending an indication to the client device to remove the revoked access key and any storage keys protected by the revoked access key from the client device.

13. The method of claim 11, wherein sending a key to the client device comprises sending one or more of the following based on a security policy associated with the authentication server: one or more access keys associated with the authentication credential; and a decryption portion of a recovery key that can be used by the client device to generate one or more access keys associated with the authentication credential.

14. (canceled)

15. A system of updating an authentication credential, the system comprising: a computing device; and a computer-readable storage medium in communication with the computing device, wherein the computer-readable storage medium comprises one or more instructions that, when executed, cause the computing device to: receive an authentication credential from a user, generate an access key that is derived from the authentication credential, determine whether the access key decrypts a storage key that encrypts at least a portion of the computer-readable storage medium, in response to determining that the access key decrypts the storage key: decrypt the storage key using the access key to create a decrypted storage key, and use the decrypted storage key to decrypt the at least a portion of the computer-readable storage medium of the client device; and in response to determining that access key does not decrypt the storage key: send a request to an authentication server, wherein the request comprises the authentication credential, receive, from the authentication server, a recovery key, and generate an updated storage key using the recovery key.

16. The system of claim 15, wherein the one or more instructions that, when executed, cause the computing device to receive an authentication credential from a user comprise one or more instructions that, when executed, cause the computing device to receive the authentication credential from a user in response to prompting the user to provide the authentication credential.

17. The system of claim 15, wherein the one or more instructions that, when executed, cause the computing device to receive an authentication credential from a user comprise one or more instructions that, when executed, cause the computing device to receive the authentication credential from a user in response to receiving an indication that the authentication credential should be updated.

18. The system of claim 15, wherein the one or more instructions that, when executed, cause the computing device to determine whether the access key decrypts a storage key that encrypts at least a portion of the computer-readable storage medium of the client device comprise one or more instructions that, when executed, cause the computing d
for key distribution, e.g. centrally by trusted party (cryptographic mechanisms or cryptographic arrangements for key distribution involving a central third party H04L9/0819) · CPC title
using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL] · CPC title
Network booting; Remote initial program loading [RIPL] · CPC title
for key exchange, e.g. in peer-to-peer networks (cryptographic mechanisms or cryptographic arrangements for key agreement H04L9/0838) · CPC title
based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint · CPC title