Technological advancements have led to an increased ability to access, control, utilize, etc., information from substantially any location. For example, users can receive and read email, perform banking tasks, purchase goods and services, retrieve and update personal records, and so forth from almost any geographic location by employing one or more of a variety of devices. Moreover, such devices can be users' personal devices (e.g., personal computers, laptops, personal digital assistants (PDAs), handhelds, gaming devices, cellular phones, . . . ) and/or public devices shared between users such as, for instance, devices available for use in internet cafes, airport lounges, business centers, and the like.
Public devices can be untrusted in the sense that they can be suspected to be infected with spyware that snoops on user activity. Accordingly, use of untrusted machines can present problems in connection with entering sensitive data such as passwords and the like. Employing untrusted machines may be undesirable, yet roaming users oftentimes have little choice but to utilize such machines. Further, these roaming users typically are unable to judge the security status of these machines. Either malice or negligence on the part of an administrator can mean that such machines can be running spyware such as a keylogger, for example. The roaming user has no reliable way of determining whether employing an untrusted device is safe, and has no alternative to typing in a password upon the untrusted device.
In the recent past there has been a surge in various ploys targeting information that can be directly exploited for financial gain, for instance. Keylogging is one of the most insidious threats to a user's personal information. Passwords, credit card numbers, and other sensitive or personally identifying information can be potentially exposed in connection with keylogging. Moreover, keyloggers are becoming more readily available (e.g., writing a keylogger is trivially easy in most major operating systems, there are numerous freeware offerings, . . . ) and many of them make efforts to conceal their presence. For example, keyloggers oftentimes do not appear in a process list.
Enterprise users can most likely trust their desktop systems provided their network administrators maintain good firewall and anti-virus regimes. Knowledgeable home users who keep their systems updated are oftentimes also well protected. However, home users who are less proficient or who leave their system unpatched can be at a greater risk. Further, roaming users who use unfamiliar machines can be subject to an even greater risk since the spyware infection status of public machines is typically regarded as unknown. Safety is based upon both competence and trustworthiness of the administrators managing such unfamiliar machines. As things stand, a roaming user has no reliable way to determine if a machine is running a keylogger or not. In this environment, every session on such a machine can be assumed to be logged. Accordingly, authentication of a user to a login server is oftentimes not secure since sensitive information (e.g., passwords) entered can be logged and thereafter employed by an attacker (e.g., logging in as the user by way of replay of the logged information).