1. Field of the Invention
The present invention generally relates to user authentication, and in particular, to use of passwords for authentication.
2. Related Art
With the ever-increasing use of the Internet and other electronic communication, more and more sensitive information is being communicated electronically. Such sensitive information may include social security numbers, passwords, dates of birth, mother's maiden name, PINs, account numbers, etc. Acquisition of such information by fraudsters may result in identity theft, unauthorized use of funds, etc. Thus, capturing this important information is one of the targets of hackers and malicious applications.
One of the easiest ways of mounting such an attack is for the malicious application to “listen” to keystrokes and record the sequence of keys that the user has entered. This is also known as a “key-logging” attack. Protecting against a key-logging attack is a nontrivial task that demands deep modifications to the operating environment to ensure that malicious listeners are detected and blocked. The problem becomes more difficult to solve when a sensitive piece of code that has security requirements (such as protecting the user's credentials) is running inside a non-secure environment. The “environment” in this context is either another application or the operating system as a whole. The problem applies equally to personal computers (PCs) that use a physical keyboard and to devices that deploy a touch-screen keyboard, such as the Apple iPhone, a pop-up virtual keyboard, or other data input means.
Sensitive information is often required to authenticate the user so that a service provider, such as a financial institution or merchant, can be reasonably sure the user is who he says he is. Without user authentication, the transaction may not be allowed to proceed.
Therefore, a need exists to provide the user a more secure way of entering and electronically transmitting sensitive information.