In a client/server system, authentication of the client may be required in order to protect access to the services or data of the server. The Username & Password scheme is the most widely used technique for authenticating users on servers such as web sites. However, it suffers from a security weakness. Users often have to type their password on untrusted devices, such as computers that they do not own (e.g. in public places). They have no guarantee that no spyware (a key logger, for example) is capturing the typed password.
Several other authentication methods have been proposed to replace the Username & Password scheme, but none of them has succeeded in displacing the predominance of the simple password. This is mostly due to the cost of deploying these techniques, which often requires the deployment of a hardware token, and to the disruption of usage they imply, for which users would have to be educated. Secure mechanisms based on Public Key Infrastructure (PKI), smart cards, or One-Time-Password (OTP) tokens may be expensive and complex to deploy. Storing passwords independently of the client machine being used can be done with online services. These services require the user to create an account and imply that the user trusts the service enough to give it all their passwords, which is both a privacy and a security issue.
As long as the Username & Password scheme is managed in an unsecured environment, there is a risk of an attack leading to the theft of the credentials used by the server to authenticate the client machine. In addition, from the server's point of view, such an attack may lead to Denial-Of-Service attacks against the server carried out with the stolen Username & Password pair.
There is therefore a need to strengthen the establishment of a secure session between a device and a server by authenticating the user.