This invention relates to a process and an apparatus for controlling the access of a user to a service provided in a data network.
In conventional access control systems for data networks, knowledge-based identification and authentication means are used to fulfil the security requirements. In particular, password-based or PIN-based identification/authentication schemes have been known and in general use for decades. In espionage- or fraud-sensitive applications, such as home banking, supplementary security measures like the provision and obligatory use of individual transaction numbers (TANs) are known and widely used. Even such supplementary security-enhancing schemes are knowledge-based and therefore suffer from the typical disadvantages of all knowledge-based schemes, i.e. the problems arising when the authorized user loses the relevant information on the one hand, and the risk arising when an unauthorized user gains access to that information on the other.
Therefore, in recent years considerable efforts have been made to incorporate other types of identification/authentication schemes into the security mechanisms of data networks. In particular, approaches that add “possession-based” (token) and/or “being-based” (biometric) mechanisms to the well-known knowledge-based mechanisms have been tried. For example, biometric authentication schemes based on fingerprint or retina recognition have been proposed for automatic cash dispensers to control access to bank accounts. Furthermore, the now well-established fingerprint-based access control of notebooks and other personal computers should be mentioned as one means of controlling access to data networks.
More recently, voice-based authentication solutions, a specific type of biometric identification/authentication, have been widely introduced by companies to supplement their internal knowledge-based access control schemes.
In Internet- and mobile-based services and activities, in particular Internet marketplaces such as eBay or Internet financial transaction systems such as PayPal, the number of fraudulent attacks is increasing significantly along with the rapidly growing worldwide user base. The probability of a successful attack on the accounts of a worldwide Internet-based service with millions of users is much higher than that of phishing attacks on local banks.
Meanwhile, service providers such as PayPal and eBay have reacted to the increasing number of attacks by introducing a hard token as a second layer of security for users' accounts. In recently developed solutions of this type, a periodically generated individual security code is intended to protect the user against fraudulent abuse of his or her personal account.
These recently developed schemes suffer from an additional cost burden, which is to be borne by the providers and/or the users, and from the typical disadvantages of possession-based identification/authentication means.