US9847882B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-9847882-B2 |
| Application number | US-201715468681-A |
| Country | US |
| Kind code | B2 |
| Filing date | Mar 24, 2017 |
| Priority date | Sep 20, 2013 |
| Publication date | Dec 19, 2017 |
| Grant date | Dec 19, 2017 |
Official abstract text for this publication.
Multiple factor authentication in an identity certificate service is disclosed. A certificate including a cryptographically-obscured identifier associated with the end entity is sent from an end entity to a service node. The service node uses both the certificate and the identifier to authenticate the end entity at least in part by comparing the identifier to a reference identifier. A service associated with the service node is accessed based at least in part on the authentication.
Opening claim text (preview).
What is claimed is:
1. A method, comprising: sending, from an end entity to a service node, a certificate including a cryptographically-obscured identifier associated with the end entity, wherein the service node uses both the certificate and the cryptographically-obscured identifier to authenticate the end entity, wherein the service node is configured to deny the end entity with access to a service associated with the service node in the event the cryptographically-obscured identifier is validated and the certificate is not validated by a certificate authority; and accessing, based at least in part on the authentication and the validation, the service associated with the service node.
2. The method of claim 1, further comprising: receiving the certificate from a device management server.
3. The method of claim 2, wherein the device management server generates the certificate including the cryptographically-obscured identifier on behalf of the end entity.
4. The method of claim 3, wherein the device management server generates the certificate on behalf of the end entity at least in part by: generating the cryptographically-obscured identifier; sending, to the certificate authority, a certificate request including the cryptographically-obscured identifier; and receiving the certificate including the cryptographically-obscured identifier from the certificate authority.
5. The method of claim 1, further comprising: receiving the cryptographically-obscured identifier; sending a certificate request including the cryptographically-obscured identifier to a certificate authority; and receiving the certificate including the cryptographically-obscured identifier.
6. The method of claim 1, further comprising: sending a certificate request to the certificate authority; and receiving the certificate including the cryptographically-obscured identifier, wherein the certificate authority generates the certificate at least in part by injecting the cryptographically-obscured identifier into the certificate.
7. The method of claim 1, wherein the end entity includes one or more of a mobile device and an application included on the mobile device.
8. The method of claim 1, wherein the cryptographically-obscured identifier is generated at a device management server.
9. The method of claim 1, wherein the cryptographically-obscured identifier includes a hash of an identifier associated with the end entity.
10. The method of claim 1, wherein the cryptographically-obscured identifier is generated by encrypting an identifier associated with the end entity using a public key associated with the service node.
11. The method of claim 1, wherein the cryptographically-obscured identifier is generated by encrypting an identifier associated with the end entity using a shared secret associated with the service node and a device management server.
12. The method of claim 1, wherein the cryptographically-obscured identifier includes one or more of a media access control (MAC) address, a mobile device serial number, an application universally unique identifier (UUID), a user identifier, and a mobile device international mobile station equipment identity (IMEI).
13. The method of claim 1, wherein the reference identifier includes a device or application identifier included in a protocol-related communication between the end entity and the service node.
14. The method of claim 1, wherein the service node uses both the certificate and the identifier to authenticate the end entity at least in part by: extracting the cryptographically-obscured identifier from the certificate; determining that the extracted identifier matches the reference identifier; validating the certificate with a certificate authority that issued the certificate; and providing access to the service based at least in part on the determined match and the validated certificate.
15. The method of claim 1, wherein the service node uses both the certificate and the identifier to authenticate the end entity at least in part by: extracting a hashed identifier from the certificate; retrieving a hashed reference identifier; determining that the hashed identifier from the certificate matches the hashed reference identifier; validating the certificate with a certificate authority that issued the certificate; and providing access to the service based at least in part on the determined match and the validated certificate.
16. The method of claim 1, wherein the service node uses both the certificate and the identifier to authenticate the end entity at least in part by: decrypting an encrypted identifier included in the certificate; determining that the decrypted identifier matches a reference identifier; validating the certificate with the certificate authority that issued the certificate; and providing access to the service based at least in part on the determined match and the validated certificate.
17. The method of claim 16, wherein decrypting the encrypted identifier included in the certificate includes decrypting the encrypted identifier using one or more of a private key associated with the service node and a shared secret associated with the service node and a device management server.
18. A system, comprising: a processor; and a memory coupled with the processor, wherein the memory is configured to provide the processor with instructions which when executed cause the processor to: send, from an end entity to a service node, a certificate including a cryptographically-obscured identifier associated with the end entity, wherein the service node uses both the certificate and the cryptographically-obscured identifier to authenticate the end entity, wherein the service node is configured to deny the end entity with access to a service associated with the service node in the event the cryptographically-obscured identifier is validated and the certificate is not validated by a certificate authority; and access, based at least in part on the authentication and the validation, the service associated with the service node.
19. The system recited in claim 18, wherein the service node uses both the certificate and the identifier to authenticate the end entity at least in part by: extracting the cryptographically-obscured identifier from the certificate; determining that the extracted identifier matches the reference identifier; validating the certificate with the certificate authority that issued the certificate; and providing access to the service based at least in part on the determined match and the validated certificate.
20. The system recited in claim 18, wherein the device management server generates the certificate including the cryptographically-obscured identifier on behalf of the end entity.
21. A computer program product, the computer program product being embodied in a tangible non-transitory computer readable storage medium and comprising computer instructions for: sending, from an end entity to a service node, a certificate including a cryptographically-obscured identifier associated with the end entity, wherein the service node uses both the certificate and the cryptographically-obscured identifier to authenticate the end entity, wherein the service node is configured to deny the end entity with access to a service associated with the service node in the event the cryptographically-obscured identifier is validated and the certificate is not validated by a certificate authority; and accessing, base
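The issue-and-verify exchange that claims 1, 6, 9, 13 and 15 describe, worked through in Go's standard-library X.509 as an added example (this is not code from the patent or its assignee). The CA injects the SHA-256 digest of a device identifier into a certificate extension; the service node extracts it, compares it in constant time with the digest of the identifier the protocol presented, validates the chain, and grants access only when both factors hold. Everything not in the claims is an assumption of the example: the private-arc OID, the subject names, the IMEI-style sample identifier, and folding the device management server into the CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var (
	oidObscuredID         = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1} // hypothetical private-arc OID; the patent names none
	ErrIdentifierMismatch = errors.New("obscured identifier does not match the reference identifier")
	ErrCertInvalid        = errors.New("identifier matches but certificate does not chain to a trusted CA")
	notBefore, notAfter   = time.Now().Add(-time.Hour), time.Now().Add(24 * time.Hour) // validity window for the demo certificates
)

func Obscure(id string) []byte { // claim-9 variant: the raw identifier is replaced by its SHA-256 digest
	h := sha256.Sum256([]byte(id))
	return h[:]
}

func must[T any](v T, err error) T { // panics on key-generation or issuance failure: demo only, not production code
	if err != nil {
		panic(err)
	}
	return v
}

func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv))
	return must(x509.ParseCertificate(der))
}

// PKI stands in for the CA; the device management server of claims 3-4 is folded into it.
type PKI struct {
	CA    *x509.Certificate
	Roots *x509.CertPool // trust store of a service node that relies on this CA
	caKey *ecdsa.PrivateKey
}

func NewCA(name string) *PKI {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name}, NotBefore: notBefore, NotAfter: notAfter,
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	ca := sign(tmpl, tmpl, &key.PublicKey, key) // self-signed root
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return &PKI{CA: ca, Roots: roots, caKey: key}
}

// IssueDeviceCert has the CA inject Obscure(deviceID) into a non-critical extension (claim 6).
func (p *PKI) IssueDeviceCert(deviceID string) *x509.Certificate {
	devKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "managed-device"}, NotBefore: notBefore, NotAfter: notAfter,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		ExtraExtensions: []pkix.Extension{{Id: oidObscuredID, Value: must(asn1.Marshal(Obscure(deviceID)))}}, // DER OCTET STRING
	}
	return sign(tmpl, p.CA, &devKey.PublicKey, p.caKey)
}

// Authenticate is the service-node side of claim 15: extract the hashed identifier, compare it with the hash of
// the reference identifier the protocol presented (claim 13), validate the chain, and grant only when both hold.
func Authenticate(roots *x509.CertPool, cert *x509.Certificate, referenceID string) error {
	var embedded []byte // stays nil when the extension is absent, so the compare below fails
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidObscuredID) {
			if _, err := asn1.Unmarshal(ext.Value, &embedded); err != nil {
				return ErrIdentifierMismatch
			}
		}
	}
	idOK := subtle.ConstantTimeCompare(embedded, Obscure(referenceID)) == 1
	_, chainErr := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	switch {
	case idOK && chainErr == nil:
		return nil
	case idOK:
		return ErrCertInvalid // the deny case claim 1 spells out: the second factor alone never grants access
	default:
		return ErrIdentifierMismatch
	}
}

func main() {
	pki, id := NewCA("Enterprise Device CA"), "IMEI-490154203237518" // constructed sample identifier
	fmt.Println("trusted issuer:", Authenticate(pki.Roots, pki.IssueDeviceCert(id), id))
	fmt.Println("untrusted issuer, same digest:", Authenticate(pki.Roots, NewCA("Rogue CA").IssueDeviceCert(id), id))
}
```

Two caveats a deployer should weigh. A bare SHA-256 of a MAC address, serial number or IMEI (claim 9) is not confidential: anyone holding the certificate can enumerate the small identifier space offline and recover the value, so the "obscuring" only keeps the identifier out of casual view; the keyed variants of claims 10 and 11 (encryption under the service node's public key or a shared secret) resist that at the cost of key distribution. And the reference identifier of claim 13 comes from the same client that sends the certificate, so the check binds the certificate to the identity the client claims rather than proving anything the certificate's private key does not already prove; its value is in catching a certificate re-used with a different device identity, and in the explicit refusal, exercised by the rogue-CA case above, to let a correct identifier stand in for a valid chain.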
using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL] · CPC title
using certificates (cryptographic mechanisms or cryptographic arrangements for entity authentication involving certificates H04L9/3263) · CPC title
applying multi-factor authentication · CPC title
using a predetermined code, e.g. password, passphrase or PIN (network architectures or network communication protocols for supporting authentication of entities using passwords in a packet data network H04L63/083) · CPC title
involving a third party or a trusted authority · CPC title