User authentication using techniques such as passwords, one time passwords, hardware or software smart cards, etc., have all proven to be either too weak and susceptible to man in the middle (MITM) or man in the browser (MITB) attacks, or else have proven too cumbersome and expensive. The use of single sign on techniques such as OpenID, FaceBook Connect, etc., only make the problem worse as once the attacker has compromised the master account they can now break into all other accounts that rely on that initial login. Further, the focus of attackers has shifted from trying to break the login process to using sophisticated techniques to come in after the act of login and to attack the transactions being performed. This has made transaction authentication, the act of confirming if the transaction seen at the back end web server is identical to that intended by the user, even more important.
Out of band authentication (OOBA), a technique by which a transaction is relayed to the user, and confirmation obtained, using an alternate form of communication, for instance by placing a voice phone call or a text message, is a promising alternative, but is also to inconvenient and costly to be used very often. It might be useful for the highest value transactions, or rare events like password resets, but using it for large number of transactions is too costly and cumbersome.
In prior work (see the related applications identified above), we described an innovation that addresses some of these problems. Specifically, we introduced the notion of the establishment of a security server that communicates with an independent pop-up window on the user's desktop that is being used to access the website. We described how this security server can alert the user, via communications to the pop-up as to the legitimacy of the web site the user is browsing via their browser. We also described how this pop-up window can provide a user with a one time password to enable login into the web site (i.e. authentication of the user to the website), based on a secret shared between the web site and the security server. Of particular utility in this invention was that it provided the security of one time passwords, but did not require a per user shared secret which all prior one time password systems have required.
The innovations described herein extend our prior work to provide for (i) transaction authentication, (ii) different hardware and software form factors as substitutes for the browser based pop up, and (iii) using accumulated login and transaction data as an input to a risk management engine.