Online identity and password management has plagued users and online companies since the dawn of the Internet. Users find it onerous to remember different passwords for their online accounts on different websites. As a result, many users use the same password for many different websites, making themselves especially vulnerable to hacking and password phishing scams. To thwart this vulnerability, many online websites require users to increase the complexity of their passwords by using non-alpha-numeric characters, and/or by requiring users to substantially change their password at regular intervals. However, these requirements make it even harder for users to remember their own passwords, causing some users to write their passwords down next to their electronic devices, or store emails or documents containing lists of passwords. Often, users lose or fail to recall their password, and must re-set their password using some combination of a verified e-mail address and/or security questions. In some cases, users have to go so far as to call the online company to attempt to prove their identity to gain access to their online account.
One attempt to mitigate the disadvantages of traditional passwords involves the use of so-called “two-step verification,” which leverages the use of some physical key carried by a user. For example, many known methods involve the use of a pocket-sized authentication token which is carried by the user and displays a changing passcode on an LCD or e-ink display, which must be typed in at an authentication screen. The number is typically derived from a shared secret by a cryptographic process that makes it infeasible to work out the secret from the sequence of numbers, e.g., using a hash or other cryptography combined with a challenge. The same process repeated on the authentication server will yield the same result if the correct secret was used. The challenge can be either “sequence-based,” where the token has a button that is pressed to switch it on and display a new pass code, or “time-based,” where the absolute time is used as the challenge and a new pass code is displayed every 30 or 60 seconds. However, the use of such tokens is highly complex and yet still vulnerable to so-called “man-in-the-middle attacks” because they are physically disconnected from the authenticating entity.
Another technique for two-step authentication involves receiving a username and password from a user, and then sending, e.g., by SMS, a unique code to the user through a linked device, such as a mobile phone. The user receives the unique code at the mobile phone, and types it into the website to prove that the user has possession of the device, and is therefore likely the user associated with the previously input credentials. These traditional techniques for managing passwords and implementing two-step authentication involve a number of disadvantages. First of all, they all still rely heavily on the use of a password, which is vulnerable to keylogging, hacking, and phishing scams. Next, passwords that are lost, forgotten, or compromised must typically be replaced using techniques that are both onerous for the associated online company (e.g., requiring call centers, professional IT involvement, etc.) and risky for the user because password reset techniques, like security questions, are often vulnerable to guessing and publicly available data.
Accordingly, a need exists for systems and methods for authenticating users without using passwords. More generally, a need exists for systems and methods for authenticating users of Internet web pages using imaging techniques.