As remote access to computer systems and applications grows in popularity, the number and variety of transactions accessed remotely over public networks such as the Internet has increased dramatically. This popularity has underlined a need for security; in particular: how to ensure that people who are remotely accessing an application are who they claim to be, how to ensure that transactions conducted remotely are initiated by legitimate individuals, and how to ensure that transaction data has not been altered before being received at an application server.
One solution for securing the interaction of users with computer-based applications is the use of two-factor strong authentication solutions.
In two-factor authentication solutions, a user may be authenticated to, for example, a computer-based application when a person claiming to be the legitimate user provides an authentication verifying entity with proof of two authentication factors. A first factor (the ‘what the user has’ factor) consists of proof that the user possesses or has access to a specific object or token that may be linked or associated with a particular user. A second factor may consist of proof that the user has knowledge of a specific piece of information that may be linked or associated with a particular user (the ‘what the user knows’ factor). This specific piece of information may comprise a secret that may be assumed to be known by no other person than the legitimate user, such as a secret password or a secret PIN (Personal Identification Number). This specific piece of information may be referred to in the remainder of this description as a passcode.
To ensure the security of authentication solutions using a passcode, it is essential that the confidentiality of the passcode is ensured and maintained at all times.
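The following is an added example, not part of this application, showing a minimal verifying entity that checks both factors described above while never storing the passcode in clear. The application does not specify the mechanisms; the choices here are assumptions: possession of the token is proved by answering a single-use random challenge with an HMAC over a device secret (so the secret never crosses the network and a captured response cannot be replayed), and the passcode is kept only as a salted PBKDF2 hash and compared in constant time. Names such as `enroll_passcode`, `authenticate` and the iteration count are illustrative.

```python
import hashlib
import hmac
import os
import secrets

# Assumption: PBKDF2-HMAC-SHA256 as the passcode hashing scheme; tune the
# iteration count for the deployment. Any slow, salted password hash would do.
PBKDF2_ITERATIONS = 200_000


def enroll_passcode(passcode: str) -> dict:
    """Return the record the verifier keeps for factor 2 ("what the user knows").

    Only salt + hash are retained; the clear passcode is never stored or logged.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", passcode.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest, "iterations": PBKDF2_ITERATIONS}


def verify_passcode(record: dict, candidate: str) -> bool:
    """Recompute the hash of the candidate and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["hash"])


def new_verifier_state() -> dict:
    """Verifier-side state: challenges issued but not yet consumed."""
    return {"pending": set()}


def issue_challenge(state: dict) -> bytes:
    """Factor 1 ("what the user has"): a fresh random challenge for the token to answer."""
    challenge = secrets.token_bytes(16)
    state["pending"].add(challenge)
    return challenge


def token_response(device_secret: bytes, challenge: bytes) -> bytes:
    """Computed on the user's token; proves possession without revealing the device secret."""
    return hmac.new(device_secret, challenge, hashlib.sha256).digest()


def verify_token(device_secret: bytes, challenge: bytes, response: bytes) -> bool:
    expected = hmac.new(device_secret, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def authenticate(state: dict, user: dict, challenge: bytes, response: bytes, candidate: str) -> bool:
    """Both factors must pass.

    The challenge is consumed on first use so a captured response cannot be replayed,
    and both factors are always evaluated so the result's timing does not reveal
    which one failed.
    """
    if challenge not in state["pending"]:
        return False
    state["pending"].discard(challenge)
    ok_token = verify_token(user["device_secret"], challenge, response)
    ok_passcode = verify_passcode(user["passcode_record"], candidate)
    return ok_token and ok_passcode


if __name__ == "__main__":
    # Constructed demo values; a real token would hold its own device secret.
    device_secret = secrets.token_bytes(32)
    user = {"device_secret": device_secret, "passcode_record": enroll_passcode("4711")}
    state = new_verifier_state()
    challenge = issue_challenge(state)
    response = token_response(device_secret, challenge)
    print("login:", authenticate(state, user, challenge, response, "4711"))
    print("replay:", authenticate(state, user, challenge, response, "4711"))
```

The verifier record holds no material from which the passcode can be read back, so a compromise of the verifier's storage does not directly disclose the ‘what the user knows’ factor; the device secret, by contrast, is shared between token and verifier in this simple scheme and must be protected on both sides.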
What is needed is a secure solution for protecting the secrecy and confidentiality of passcodes that are used with two-factor strong authentication solutions.