As access to services is pushed online, the scope of sensitive information that a user must protect broadens. Passwords, credit card numbers (CCNs) and social security numbers (SSNs) are the most prominent examples of such information. Users increasingly find themselves having to enter sensitive information on untrusted machines, with the ensuing risk of compromising that information. A user who logs in to email accounts, bank and brokerage accounts, employee benefits sites, or dating and social networking sites from an untrusted computer risks having a keylogger or other spyware capture the password, enabling unauthorized access. Users who reserve a hotel or rental car using a credit card number risk leaving all the ingredients necessary for credit card fraud on the untrusted computer. In addition, many banks use social security numbers as user IDs and require these numbers for some transactions. SSNs are therefore particularly sensitive, as knowing someone's SSN is a key component of identity theft.
Public or shared computers, like those found in internet cafés or kiosks, should be assumed untrusted. Home computers can also easily be infected with spyware because of poor security policies, risky browsing habits, and the installation of executables of both unknown and known origin. Key and mouse logging software is also a common exploit: a malicious individual or entity may install such software and record keyboard and mouse events, including passwords, entered by an unsuspecting user. In summary, any given computer should be assumed untrusted unless a competent and knowledgeable individual has set it up and maintains it.
The combination of an ever increasing number of services that have to be accessed through password-protected remote login servers and the increase in security-compromised computers results in the need for systems and methods to access those services securely, without compromising a user's sensitive information. Existing approaches that address this issue fall essentially into three broad categories.
(1) Server-based methods of authentication other than passwords. Examples include on-screen keyboards, two-factor authentication, and challenge-response systems. These methods have to be adopted by the providers of the services, who must introduce major changes to the server in order to offer the alternative method of authenticating users. In addition, these methods do not provide a means for entering sensitive information like CCNs and SSNs.
(2) Password management systems. These systems store the sensitive information on either the client or an in-the-cloud server. In the latter case, the server delivers the sensitive information directly to the desired destination server on the user's behalf. Nevertheless, storing sensitive information in an in-the-cloud server introduces a new vulnerability: if an attacker gains access to the user's account at this server, the attacker gains access to all the sensitive information stored there. Further, a server storing the sensitive information of hundreds or thousands of users can itself become a target for attacks.
(3) Existing one-time-password systems. In such systems, instead of a single, re-usable password being assigned to a user, a server issues a number of passwords, i.e., one-time passwords, each of which the user can employ at most once to gain access to the server. Typically, the server storing the one-time passwords is the same as the server authenticating the user.