In some cases, it is necessary to authenticate an entity via a communication network or computing device. For example, a bank might want to ensure that only an appropriate account owner will be able to access confidential information about a financial account, or a mobile phone user might want to access information stored on their device or via the Internet. To provide such authentication, an entity is often asked to remember and provide an alphanumeric “key” through a communication network. For example, a person might be asked for his or her user name and password or Personal Identification Number (PIN) before being allowed to receive (and/or transmit) sensitive information on a web site via the Internet.
Such an approach, however, can have a number of disadvantages. For example, if an unauthorized party is able to view the password as it is entered by the entity, that party will later be able to impersonate the entity (e.g., by providing the same password). Similarly, an unauthorized party might install a “key logging” program on a computer that secretly records a password when it is entered. This risk may be especially significant when an entity is using a shared or public computer or network.
To avoid such results, an entity might be asked to use a specific physical item (e.g., a keychain fob or smart card able to transmit an identifier to a receiving device) to provide authentication. Once again, an unauthorized person might be able to intercept the identifier and later impersonate the entity. By way of example, a signal from a Radio Frequency Identification (RFID) chip or an electronically readable magnetic strip card might be intercepted. In addition, an entity might lose the item and be unable to provide authentication. Other approaches involve determining biometric information (e.g., by reading a person's fingerprint). Note that whenever special hardware is needed to implement an authentication technique, the cost required may be prohibitive.