Daily life requires the use of a wide variety of information devices, such as mobile phones, personal computers, notebook computers, and tablet computers. These information devices may keep users' personal data and identity data. Due to the prevalence of networks, an increasing number of functions are performed on-line. In particular, servers have to store users' personal data and identity data in order to provide network services, such as social networking services, webpage/email services, mobile commerce services, on-line banking transaction services, database access services, or content and information provider services. Hence, to ensure security and privacy, servers usually require that users complete an authentication procedure that recognizes their identity before they access the services. At present, the most common authentication procedure is a password-based challenge whereby a server requires that, before accessing its services, users enter a username and a password for identity recognition (known as “login”), in order to prevent user personal data from being stolen or fraudulently changed.
With network coverage and accessibility increasing rapidly, attackers are becoming more likely to target a user's password with a view to impersonating the user. Therefore, simple passwords no longer provide adequate protection. In view of this, various mechanisms have been put forth to provide better protection. For example, users are required to create a password that meets requirements on password length, complexity, and unpredictability, such that the strength of the password is sufficient to fend off brute-force search attacks and dictionary attacks. Furthermore, users are required to change their passwords regularly to invalidate old passwords, thereby reducing the chance that their passwords will be cracked. The aforesaid mechanisms enhance security and thus help users protect their accounts.
However, users usually access various Websites for various online services through a username/password authentication challenge. In practice, most users log in to different Websites with different usernames and passwords. The aforesaid mechanisms therefore require users to memorize multiple passwords for accessing the online services offered by various Websites. Users often log in to just a small number of Websites daily and thus seldom correctly remember the passwords of infrequently visited Websites.
Some authentication mechanisms dispense with usernames but still require users to enter a password to obtain access authority, for example, entering a passcode, a PIN, or a power-on password into a cell phone or a mobile device (such as an iPad or a tablet) in order to unlock it. A passcode usually consists of digits only, whereas a password is formed from a combination of letters and digits and thus provides a higher security level than a digits-only passcode. In practice, the security levels provided by the aforesaid mechanisms are unsatisfactory because mobile devices are usually used in public spaces. As a result, onlookers or unauthorized persons beside a mobile device user can see and memorize a passcode or password being entered into the mobile device while the user is unlocking it.
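As an added illustration, not part of the original text, of the policy checks described above (length, complexity, unpredictability, dictionary resistance) and of why a digits-only passcode is weaker than an alphanumeric password, the following Python evaluates a secret against those requirements and estimates the exhaustive-search cost in bits. The word list and the thresholds are constructed assumptions, not values from the original.

```python
import math
import string

# Constructed stand-in for a real common-password list (assumption).
COMMON_WORDS = {"password", "letmein", "qwerty", "welcome", "iloveyou"}

# Character classes whose union bounds the exhaustive-search space.
CLASSES = (string.digits, string.ascii_lowercase,
           string.ascii_uppercase, string.punctuation)


def classes_used(secret: str) -> list:
    """Character classes that appear at least once in the secret."""
    return [cls for cls in CLASSES if any(c in cls for c in secret)]


def charset_size(secret: str) -> int:
    """Size of the smallest class union an attacker must search over."""
    return sum(len(cls) for cls in classes_used(secret))


def brute_force_bits(secret: str) -> float:
    """log2 of the guesses an exhaustive search over that union needs."""
    n = charset_size(secret)
    return len(secret) * math.log2(n) if n else 0.0


def dictionary_hit(secret: str) -> bool:
    """True if the secret, or its alphabetic core, is a common word (e.g. 'Password1')."""
    lowered = secret.lower()
    core = lowered.rstrip(string.digits + string.punctuation)
    return lowered in COMMON_WORDS or core in COMMON_WORDS


def is_predictable(secret: str) -> bool:
    """Flags one repeated character or a monotonic digit run such as 1234."""
    if len(set(secret)) == 1:
        return True
    if secret.isdigit() and len(secret) > 1:
        steps = {int(b) - int(a) for a, b in zip(secret, secret[1:])}
        return steps in ({1}, {-1})
    return False


def evaluate(secret: str, min_length: int = 8, min_classes: int = 2,
             min_bits: float = 40.0) -> dict:
    """Apply a length/complexity/strength policy plus dictionary and pattern checks."""
    bits = brute_force_bits(secret)
    result = {
        "bits": round(bits, 1),
        "length_ok": len(secret) >= min_length,
        "complexity_ok": len(classes_used(secret)) >= min_classes,
        "strength_ok": bits >= min_bits,
        "dictionary_hit": dictionary_hit(secret),
        "predictable": is_predictable(secret),
    }
    result["accepted"] = (result["length_ok"] and result["complexity_ok"]
                          and result["strength_ok"]
                          and not result["dictionary_hit"]
                          and not result["predictable"])
    return result
```

Running `evaluate("1234")` against `evaluate("aB3dE7gH")` shows the gap the text describes: the four-digit passcode spans about 13 bits of search space and fails every check, while the eight-character alphanumeric password spans about 48 bits and passes.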