The combination of device and user authentication is called “Two Factor” authentication. Enterprises already have this mechanism in place for remote users connecting through computers. RSA SecurID® or similar mechanism is the de facto way of enabling “two factor” authentication. Two Factor authentication requires a user to key in a special pass phrase or key that is displayed on a Secure Token. This token is typically issued by the company and is carried by the employee all the time. The token is linked back to token authentication server in the company. When the employee wants to login to corporate services, he/she must supply the pass phrase or key, which changes periodically, to ensure that only the employee is requesting the service. The supplied input data is validated against the authentication server and if the match occurs, the employee is granted the service. RSA tokens and RSA server are widely deployed two factor authentication mechanisms in corporations.
This above-mentioned technique works well for computer terminals as there are client applications built to accept the two factor authentication. There is, however, no client or the user interface to allow two factor authentication on phones. Unlike traditional phones that are always tied to a physical wire connected to PBX/Switch, the new breed of phones are Internet Protocol (IP) enabled and thus provide portability and mobility. For example, an employee can carry an IP Phone from his work and plug it into Ethernet connector at home and can access an entity's network. This flexibility enables businesses or other entities to deploy these phones to tele-workers, road warriors, consultants, partners and other. On the other hand, it makes these entities vulnerable to theft, attacks, and abuse. As a result, there is a need for a clientless two factor authentication for IP-based phones.