One of the simplest and most commonly used authentication methods employed is the static password, whereby a client computer challenges an end user for a pre-determined password. Once the end user provides the correct password, access is permitted to secure functions or data available on one or more remote computer systems. A significant limitation of the current art is that localized authentication transactions are potentially vulnerable to compromise by unauthorized programs running on the local client or by other illicit means intending to monitor the password authentication process. In a single point authentication process, once a point of entry to a network is compromised, all locations using the same security codes are generally compromised as well.
One security method commonly used to overcome single point authentication failures employs the use of separate static passwords for each pre-determined secure resource, While this method is an improvement over a single multi-use password, this method is still vulnerable to illicit password monitoring, requires an end user to remember multiple passwords, and inefficiently ties up network resources by repeating the entire authentication process each time access to a different secure resource is requested.
Also, as a practical consideration. requiring an end user to remember several different passwords typically results in the same password being used for all secure resources, hence defeating the entire purpose of performing multiple authentications using static passwords.
A more sophisticated approach than the previously described methods, involves the use of personal security devices (PSD) such as smart cards, which allows storage of multiple credentials, passwords, certificates, private keys, etc. By implementing the use of smart cards, the ability to compromise passwords is significantly reduced. However, PSDs are still somewhat vulnerable to illicit monitoring during local client cryptographic key generation as described in the background of the invention section of cross-referenced patent application,09/844,246 OCL1, “Method and System for Establishing a Remote Connection To a Personal Security Device.” An additional limitation of this method becomes apparent when attempting to perform multiple authenticating transactions using a single PSD over a network connection. The PSD, beings a slow serial device, only allows one transaction to occur at a time. In addition, network contention and processor execution speed issues become particularly problematic when low bandwidth connections (e.g. dialup connections) are made between a client and a remote computer system during authentication with the PSD.