Computers and other devices, as well as secure facilities, services and financial accounts, often contain proprietary, personal and/or sensitive information, which could be compromised if accessed by unauthorized individuals. Thus, such devices, facilities, services and accounts (hereinafter, collectively referred to as “restricted items”) often incorporate security techniques, such as database access control mechanisms, to prevent unauthorized users from accessing, obtaining or altering the proprietary, personal and/or sensitive information. Authentication techniques allow users to prove their identity and obtain authorized access to a given restricted item.
A number of authentication protocols have been developed to prevent the unauthorized access of restricted items. Historically, authentication techniques have been evaluated based on the number of independent items (or factors) that are required for the user to obtain access to the restricted item. An authentication technique is typically considered to provide “strong authentication” if the technique requires the user to provide two independent items (or factors), often referred to as a “two factor authentication.” For example, a safe or vault that requires a combination (something the user knows) and a key (something the user has) provides two factor authentication. Typically, there is an inverse relationship between the level of security provided by a given authentication protocol and the corresponding impact the security measures have on the convenience to the user.
For example, a persistent cookie is often stored on a user's computer by a given server to identify the user upon a return visit to the same web-site. Persistent cookies offer the highest level of convenience for authentication behind a browser. A hacker, however, can typically easily obtain access to a user's computer, obtain the cookie and thereafter impersonate the user. Thus, persistent cookies are satisfactory only for applications requiring minimal security, such as a subscription to an online newspaper. Persistent cookies are considered a “one factor authentication,” since they rely only on something that the user has (in the user's browser).
In another common variation, access control mechanisms typically utilize some variation of an alphanumeric personal identification number (PIN) or password, that is presumably known only to the authorized user. Upon attempting to access a given restricted item, the user enters the appropriate password, to establish his or her authority. Many users select a PIN or password that is easy to remember. Thus, there is a significant risk that such passwords may be guessed or otherwise compromised, in which case an attacker can access the given restricted item.
To minimize the risk that a password will be compromised, the number of login attempts that may be attempted are often limited, so that an attacker cannot keep trying different passwords until successful. In addition, users are often encouraged or required to change their password periodically. These conditions make passwords too inconvenient for most applications, such as Internet usage. Password-based access control techniques are considered a “one factor authentication,” since they rely on something that the user knows.
One-time passwords have also been proposed to further increase security, where users are assigned a secret key that may be stored, for example, on a pocket token or a computer-readable card. Upon attempting to access a desired restricted item, a random value, referred to as a “challenge,” is issued to the user. The pocket token or computer-readable card then generates a “response” to the challenge by encrypting the received challenge with the user's secret key. The user obtains access to the restricted item, provided the response is accurate. In order to ensure that the pocket token or computer-readable card is utilized by the associated authorized user, the user typically must also manually enter a secret alphanumeric PIN or password. One-time passwords are generally considered very secure and provide a “two factor authentication,” since they rely on something that the user has (the pocket token or computer-readable card) and something that the user knows (the password or PIN).
While such authentication tools reduce the unauthorized access to restricted items, they suffer from a number of limitations, which if overcome, could dramatically increase the utility and effectiveness of such tools. For example, the requirement that the user must carry the pocket token or computer-readable card may not be practical for widespread deployment. Thus, a number of security systems that do not rely on a pocket token or computer-readable card have been developed. For example, a number of access control mechanisms have secured access to devices or secure locations by evaluating biometric information, such as fingerprints, retinal scans or voice characteristics. Unfortunately, however, the transmission of biometric information over a network can be computationally expensive and consume significant network bandwidth. In addition, such biometric access control systems require some kind of biometric reader at the location of the user to capture the biometric information.
A need therefore exists for an improved access control mechanism that does not require the user to carry any additional device, such as a pocket token or computer-readable card, beyond what the user would normally carry. A further need exists for an access control mechanism that uses a telephone call placed to or from a particular cellular telephone associated with the user to verify the identity of a person who is requesting access to a restricted item. Yet another need exists for an access control mechanism that provides strong security without significantly impacting the convenience of the user.