At present, the industry chain of the Internet has gradually moved from a past age dominated by access and attention into an age dominated by applications. Content providers have gradually come to occupy a core position in the whole industry chain. Along with the various applications provided by the content providers, many problems have also appeared. For example, phenomena such as Trojan horses and the theft of service accounts seriously affect the normal operation of network games. In order to restrict these phenomena, network game providers offer various countermeasures; however, these countermeasures make the normal operation of the network game inconvenient. Investigation shows that more than 65% of users have had a service account registered at an application server stolen. The security of the service account has become a nightmare for both the network game operators and the users.
Currently, there are mainly two methods for protecting the service account of the user: a first method based on mobile phone protection and a second method based on dynamic authentication.
In the first method, when the user logs on to the application server, the application server generates a dynamic password and sends it to the mobile phone of the user, through a Short Message Service (SMS) gateway of a network operator, according to the mobile phone number registered by the user. After receiving the dynamic password, the user logs on to the application server using the dynamic password together with a static password (Personal Identification Number, PIN). In the first method, since nobody except the user can obtain the dynamic password, an illegal user cannot log on to the application server merely by stealing the password of the user.
The second method involves two devices to implement authentication of the user. One is an authentication server for authenticating the identity of the user. The other is a password card for generating a dynamic password for the user. The authentication server and the password card are installed with the same password generation software and an identification code uniquely identifying the user. When the user receives the password card, the identification code is loaded into the password card. At the same time, the identification code is stored in a user information table in a database of the application server. The user also has a PIN, which he or she memorizes. When the user logs on to the application server and enters the PIN, the password card generates, every minute, a dynamic password uniquely corresponding to the password card, which is unpredictable. The password card sends the service account, the PIN and the dynamic password to the application server. The application server determines the legality and authenticity of the user according to the dynamic password. Since the dynamic password is generated dynamically by the password card, nobody except the legal user can obtain the password card and generate the correct dynamic password. Therefore, the dynamic password cannot be compromised by being observed or intercepted. Accordingly, the second method can avoid replay attacks and offers high security and convenience.
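The two methods described above, as an added worked example that is not part of the original text: the server side of the SMS method (a one-time dynamic password that is stored with an expiry, delivered through a stand-in for the SMS gateway, and consumed on first use) and the password-card method (card and server independently derive the per-minute dynamic password from the shared identification code, and the server refuses a dynamic password whose time slot has already been spent, which is the replay protection the text refers to). The text does not specify the card's generation algorithm; this example assumes an HMAC-SHA1, HOTP-style derivation over the one-minute time slot. The account name, PIN, identification code and five-minute SMS validity period are constructed sample values.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed sample values for this example; they are not taken from the patent text.
SERVICE_ACCOUNT = "player01"
STATIC_PIN = "4711"
IDENT_CODE = b"12345678901234567890"   # identification code shared by card and server (constructed)
TIME_STEP = 60                         # the password card rolls its dynamic password once a minute
SMS_TTL = 300                          # seconds an SMS dynamic password stays valid (assumed)


def card_password(ident_code: bytes, now: float, step: int = TIME_STEP, digits: int = 6) -> str:
    """Dynamic password the password card shows for the time slot containing `now`.

    HMAC-SHA1 over the slot counter with HOTP-style dynamic truncation (an assumed
    algorithm), so card and server, holding the same identification code, derive
    the same value independently without anything travelling between them.
    """
    counter = int(now // step)
    mac = hmac.new(ident_code, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class ApplicationServer:
    """Holds the user information table and implements both protection methods."""

    def __init__(self):
        self.users = {
            SERVICE_ACCOUNT: {"pin": STATIC_PIN, "ident": IDENT_CODE, "last_slot": -1}
        }
        self.pending_sms = {}   # account -> (dynamic password, expiry time)
        self.sms_gateway = []   # stands in for the network operator's SMS gateway

    # ---- first method: dynamic password delivered by SMS ----
    def request_sms_password(self, account: str, now: float) -> None:
        otp = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending_sms[account] = (otp, now + SMS_TTL)
        self.sms_gateway.append((account, otp))   # "sent" to the registered phone number

    def login_with_sms(self, account: str, pin: str, otp: str, now: float) -> bool:
        user = self.users.get(account)
        # One-time: the pending password is consumed whether or not this attempt succeeds.
        pending = self.pending_sms.pop(account, None)
        if user is None or pending is None:
            return False
        expected, expiry = pending
        return (now <= expiry
                and hmac.compare_digest(user["pin"], pin)
                and hmac.compare_digest(expected, otp))

    # ---- second method: dynamic password generated by the password card ----
    def login_with_card(self, account: str, pin: str, dyn: str, now: float, drift: int = 1) -> bool:
        user = self.users.get(account)
        if user is None or not hmac.compare_digest(user["pin"], pin):
            return False
        slot = int(now // TIME_STEP)
        # Tolerate `drift` slots of clock skew between the card and the server.
        for candidate in range(slot - drift, slot + drift + 1):
            expected = card_password(user["ident"], candidate * TIME_STEP)
            if hmac.compare_digest(expected, dyn):
                if candidate <= user["last_slot"]:
                    return False      # slot already spent: a captured password replayed later fails
                user["last_slot"] = candidate
                return True
        return False


if __name__ == "__main__":
    server = ApplicationServer()
    t0 = 1_700_000_000
    server.request_sms_password(SERVICE_ACCOUNT, t0)
    _, delivered = server.sms_gateway[-1]
    print("SMS login:", server.login_with_sms(SERVICE_ACCOUNT, STATIC_PIN, delivered, t0 + 30))
    dyn = card_password(IDENT_CODE, t0)
    print("card login:", server.login_with_card(SERVICE_ACCOUNT, STATIC_PIN, dyn, t0))
    print("replay of the same dynamic password:",
          server.login_with_card(SERVICE_ACCOUNT, STATIC_PIN, dyn, t0 + 10))
```

The two flows differ in where the dynamic password originates: in the SMS method the server creates it and must deliver it, so its validity has to be bounded by a timer and it must be deleted on first use; in the card method nothing is delivered, so the server's only state is the last time slot it accepted, and the check against that slot is what stops a captured password from being presented a second time.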
Of the two methods for protecting the service account of the user, the first method places relatively strong limitations on the service account. The dynamic password must be sent to the user by short message each time, and the user must then enter the password received in the short message. This introduces a high time delay and wastes radio resources. In the second method, the protection is limited to the service account of a single service provider. Furthermore, to use the service the user needs to buy additional hardware, which weakens the competitiveness of the application.