It is often necessary to authenticate or verify the identity of a user of a device before allowing that user to access data or services that may be confidential, proprietary or fee-based, for example. Some systems require the user to provide a password, passcode or personal identification number (PIN) to gain access, but these items may be stolen or otherwise compromised, and users typically find it difficult to remember or manage passwords. This is particularly true for so-called “strong” passwords (e.g., of increased length and more random combinations of characters), which may be more difficult to compromise.
Some systems use one-time-passcodes (OTPs) to improve authentication security. This technique generates a different (e.g., one-time) passcode for each authentication event based on a security seed or token (typically provided to the user in an earlier provisioning operation) in combination with a user password/passcode/PIN. Because the generated passcode may be a “strong” passcode that changes with each use, the passcode may be more difficult to anticipate or steal. This approach is still vulnerable, however, unless a more cumbersome hardware-based token is employed, because the identity of the device generating the OTP is unknown and therefore an attacker could use malware to export the OTP seed to another device. Thus, the possibility exists that the security seed may be stolen and/or transferred to another unauthorized or malicious device or that the OTP may be generated on an intended first device but used by a second unauthorized device.
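The weakness described above can be seen in a small model, added here as an illustration and not taken from the original text: the verifier checks only the passcode, so it cannot tell which device produced it. The example assumes counter-based HOTP (RFC 4226) as the OTP scheme and an HMAC-based way of combining seed and PIN; the class names, seed and PIN are constructed for the example.

```python
import hashlib
import hmac
import struct

def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def pin_bound_key(seed: bytes, pin: str) -> bytes:
    """Assumed seed+PIN combination; the text does not specify one."""
    return hmac.new(seed, pin.encode(), hashlib.sha256).digest()

class Device:
    """Client side: any device holding the seed and PIN can be one of these."""
    def __init__(self, seed: bytes, pin: str):
        self.key, self.counter = pin_bound_key(seed, pin), 0

    def next_otp(self) -> str:
        otp = hotp(self.key, self.counter)
        self.counter += 1
        return otp

class Verifier:
    """Server side: checks the passcode only; it never learns which device made it."""
    def __init__(self, seed: bytes, pin: str, window: int = 3):
        self.key, self.counter, self.window = pin_bound_key(seed, pin), 0, window

    def verify(self, otp: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.key, c), otp):
                self.counter = c + 1  # a passcode is accepted once, then the counter advances
                return True
        return False

def demo():
    seed, pin = b"constructed-seed-0001", "4821"  # constructed sample values
    provisioned = Device(seed, pin)   # the device the seed was issued to
    second = Device(seed, pin)        # a different device holding a copy of the seed
    server = Verifier(seed, pin)
    same_code = provisioned.next_otp() == hotp(second.key, 0)
    accepted = server.verify(second.next_otp())
    return same_code, accepted

if __name__ == "__main__":
    print(demo())
```

Both values come back true: the two devices derive the same passcode, and the verifier accepts it from the second device because nothing in the passcode is bound to the device that generated it.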
Although the following Detailed Description will proceed with reference being made to illustrative embodiments, many alternatives, modifications, and variations thereof will be apparent to those skilled in the art.