The present invention relates generally to the field of authentication, and more specifically to the two-way authentication of a user to a computer system and computer system to a user.
The Internet and the World Wide Web allow users to communicate with software operating at various computer systems. Many of these communications are sensitive in nature. Examples include on-line banking, sending credit card information to purchase a product, and the use of virtual private networking, which provides access to sensitive network content via the Internet. Because of the anonymity the Internet provides, unauthorized third parties may intercept portions of such communications in order to obtain financial information (e.g., account numbers) or access to other sensitive information.
One such attempt involves an unauthorized third party posing as a legitimate entity on the Internet, thereby inducing a legitimate user into providing identifying information to an illegitimate site. This is commonly known as phishing. Having obtained such identifying information, the unauthorized third party may later gain access to the legitimate entity, such as a bank or virtual private networking site, by posing as the legitimate user.
Another form of interception is often called a man-in-the-middle attack. In such a case, the illegitimate site functions as a go-between for the legitimate user and the legitimate site, relaying traffic in both directions and thereby capturing all information needed to appear to be the legitimate user and later gain entry to the legitimate site, while the user is unaware that the communications have been captured.
Other attempts involve keystroke capture, in which the ability to record the keystrokes of the user enables an unauthorized third party to later masquerade as the legitimate user by replaying the recorded keystrokes.
A need exists for an authentication approach that can aid a user in distinguishing a legitimate site from an illegitimate site, and that can inhibit unauthorized third parties from masquerading as a legitimate user by simply replicating the authentication steps asked of the user in order to gain entry to a computer system.
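The keystroke-replay problem above, and the requirement that replicating the recorded authentication steps should not suffice, can be made concrete with a small comparison. The following Python is an added illustration and is not the patent's own scheme: it places a static-password login beside a nonce-based challenge-response login and shows that a recorded transcript replays against the former but not the latter. The server and client classes, the use of HMAC-SHA256 over a single-use server nonce, and the captured transcript are all assumptions introduced for the example.

```python
"""Why recorded keystrokes replay against a static password but not
against a nonce-based challenge-response exchange.

Added illustration, not the patent's own scheme. Assumptions: the user
and server share a fixed secret key, the server issues a random single-use
nonce per login, and the response is HMAC-SHA256(key, nonce). All class
and function names are hypothetical.
"""
import hashlib
import hmac
import secrets


class StaticPasswordServer:
    """Baseline: every login sends the same password."""

    def __init__(self, password: str) -> None:
        self._password = password.encode()

    def login(self, typed: str) -> bool:
        # Constant-time comparison avoids timing leaks, but the transcript
        # itself (the typed password) is reusable by anyone who recorded it.
        return hmac.compare_digest(self._password, typed.encode())


class ChallengeResponseServer:
    """Each login is bound to a fresh, single-use server nonce."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._pending = set()  # nonces issued but not yet consumed

    def issue_challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def login(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self._pending:
            return False  # unknown, expired, or already used
        self._pending.discard(nonce)  # single use: a verbatim replay fails here
        expected = hmac.new(self._key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(key: bytes, nonce: bytes) -> bytes:
    """What the legitimate user's client sends for a given challenge."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def demo_static_replay() -> bool:
    """Returns True when the recorded password logs the attacker in."""
    server = StaticPasswordServer("correct horse battery staple")
    # Constructed keylogger capture of the user's genuine session.
    captured = "correct horse battery staple"
    assert server.login(captured)  # the user's own login succeeds
    # The attacker later replays the captured keystrokes.
    return server.login(captured)


def demo_challenge_replay() -> tuple:
    """Returns (legit, replay, forged): legitimate login, verbatim replay
    of the recorded exchange, and the old response against a fresh nonce."""
    key = secrets.token_bytes(32)
    server = ChallengeResponseServer(key)

    nonce = server.issue_challenge()
    resp = client_response(key, nonce)
    legit = server.login(nonce, resp)

    # Attacker recorded (nonce, resp) and replays it verbatim.
    replay = server.login(nonce, resp)

    # Attacker answers a new challenge with the old, recorded response.
    fresh = server.issue_challenge()
    forged = server.login(fresh, resp)
    return legit, replay, forged


if __name__ == "__main__":
    print("static password replay succeeds:", demo_static_replay())
    print("challenge-response (legit, replay, forged):", demo_challenge_replay())
```

The nonce defeats the keystroke-replay case only. It does nothing against the man-in-the-middle case described earlier: a relaying site can forward the server's fresh nonce to the user and the user's response back to the server in real time. Closing that gap requires the user to be able to tell the legitimate site from the relay, which is the first half of the stated need.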