In the Internet era, an online authentication process typically begins with a screen prompt asking the end user to input sign-in credentials such as a username and password. A website or application (generally referred to as a service hereafter) then verifies the user input against information obtained during the user's registration with the service. Despite its popularity, password-based authentication suffers from poor security and a clumsy user experience. It is not only inherently weak against many common cyber threats but also adds unpleasant friction to online transactions, as many users are averse to creating yet another password given their struggles in keeping track of the existing ones. Various methods created as additional measures to strengthen password-based authentication, often at the expense of further degrading the login experience, fail to address the fundamental security issue associated with using passwords. Given these challenges, many users have resorted to other means of managing their sensitive login information. For example, some users write down passwords and account information on paper or save them in unencrypted computer files or emails, which inevitably leads to weakened security and a bad user experience. At the same time, massive amounts of sensitive user-identifying information are redundantly stored on countless servers across the Internet, attracting all types of nefarious actors to attack, breach and eventually compromise this valuable consumer information. As online presence becomes increasingly important in people's lives, user privacy and account security should no longer be left at the mercy of the arbitrary password practices imposed by the many websites born on the Internet.
Numerous technological approaches have been attempted to address the challenges of protecting online user accounts, including multi-factor authentication using specialized hardware tokens, SMS text messages or one-time password (OTP) tokens. While multi-factor authentication significantly boosts the security of the login process, its wide acceptance has been impeded by user experience concerns and the additional cost of deploying such technologies at scale.
With the emergence of personal mobile devices such as smartphones, recent authentication solutions have been designed to take advantage of the rich sensors found on modern mobile devices, such as built-in cameras or fingerprint scanners, to replace or supplement passwords as a means of authenticating end users. Despite their improved usability, these mobile-assisted authentication solutions continue to suffer from various security issues. As an example, in one such solution users are presented with QR images or animated waves; upon scanning such an image with the user's mobile device, the user's login session on a remote desktop computer may be remotely authenticated. Because users are not able to distinguish a legitimate QR image from one planted by a potential hacker, such a solution without additional preventive measures could subject users to online phishing or image substitution attacks. Furthermore, most mobile-assisted authentication solutions existing today use certain device information or metadata as authentication credentials. As a result, such solutions are not only inherently weak in security but are limited to working with designated relying parties only. They also require device registration in order to bind a new device to a registered user account before it can be used to authenticate user logins.
Some recent solutions try to mitigate the security problem by showing multiple numbers on the user's mobile device and asking the user to tap the one number that is also displayed on the desktop computer where the login session was initiated. Even though the matching-number technique makes session spoofing more difficult, patient and determined hackers will still be able to target their victims with careful planning, since these solutions still rely on the user to key in an account identifier in order to start the login process. Lastly, most of these mobile-assisted authentication solutions rely on custom technology to integrate with specific websites, making them unsuitable for broader adoption by relying parties.
The present invention addresses the following needs:
- Offers a generic method that can remotely authenticate login sessions using the user's mobile device with a security level no weaker than current two-factor authentication methods.
- Offers a more pleasant user experience that is simpler than existing single-factor authentication methods.
- Allows easy integration with any existing website so that end users do not need to download many different authentication apps for different websites.
- Effectively addresses common security threats posed by key loggers, password brute forcing, URL phishing, etc.
- Securely stores user login credentials and identifying information on each user's own mobile device, as opposed to storing them in the databases of individual websites.
The present invention accomplishes the following goals:
- Unlike many other algorithm-based security tokens, the AICs used in the present invention may be randomly generated.
- Unlike most security tokens, the AICs themselves are not the secrets used to authenticate the end user. Knowing the AIC associated with a given device would only allow the initiation of an authentication request, not its approval. The user still needs to consent to the request before the actual identity verification data can be used to approve the login.
- A compromise of the communication server or its communication channel alone will not subject the user's account to unauthorized access, since the communication server is not involved in authenticating or transmitting the identity verification information.
- Instead of relying on end users to inspect for bogus website URLs, the system always verifies and ensures that the authentication response can only be submitted to the intended web address, effectively ending phishing attacks.
- Since end users are not required to key in passwords during the authentication process, spyware such as key loggers becomes inept at stealing the user's login credentials.
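The properties listed above (an AIC that can only initiate a request, a consent gate before any response is produced, a communication server that merely relays and holds no verification material, and a response bound to the registered web address) can be exercised in a small simulation. The following is an added illustrative model written for this page, not the patent's own method or code: the class names, the use of an HMAC over a per-site shared secret in place of whatever identity verification data the invention actually uses, the AIC being modelled as a random routing code, and the sample origins are all assumptions chosen so the checks run with the Python standard library alone.

```python
"""Illustrative model of a consent-gated, origin-bound mobile login response.

Added example, not the patent's own method: class names, the HMAC scheme,
the AIC-as-routing-code model and the sample origins are assumptions.
"""
import hashlib
import hmac
import secrets


def canonical(origin: str, session: str, challenge: str, user: str) -> bytes:
    """Fixed field order so device and relying party authenticate identical bytes."""
    return "\n".join([origin, session, challenge, user]).encode()


class RelyingParty:
    """A website that issues one-time challenges and verifies responses."""

    def __init__(self, origin: str):
        self.origin = origin
        self.user_keys = {}   # user id -> verification key (assumption: shared secret)
        self.pending = {}     # session id -> unused challenge

    def start_session(self) -> dict:
        """Payload shown to the user (e.g. as a QR image); it carries no secret."""
        session, challenge = secrets.token_hex(8), secrets.token_hex(16)
        self.pending[session] = challenge
        return {"origin": self.origin, "session": session, "challenge": challenge}

    def verify(self, response: dict) -> bool:
        challenge = self.pending.pop(response.get("session"), None)  # single use
        if challenge is None or response.get("origin") != self.origin:
            return False
        key = self.user_keys.get(response.get("user"))
        if key is None:
            return False
        msg = canonical(self.origin, response["session"], challenge, response["user"])
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response.get("mac", ""))


class MobileDevice:
    """Holds the user's per-site credentials; nothing leaves it without consent."""

    def __init__(self, user: str):
        self.user = user
        self.aic = secrets.token_hex(4)   # public code that lets a site address this device
        self.credentials = {}             # registered origin -> key

    def register(self, rp: RelyingParty) -> None:
        key = secrets.token_bytes(32)
        self.credentials[rp.origin] = key
        rp.user_keys[self.user] = key

    def respond(self, payload: dict, consent: bool):
        origin = payload.get("origin")
        # A payload naming an origin the user never registered with is refused,
        # so a planted image cannot steer the response to another address.
        if origin not in self.credentials or not consent:
            return None
        msg = canonical(origin, payload["session"], payload["challenge"], self.user)
        mac = hmac.new(self.credentials[origin], msg, hashlib.sha256).hexdigest()
        return {"origin": origin, "session": payload["session"], "user": self.user, "mac": mac}


class Relay:
    """Communication server: routes requests by AIC and forwards responses as-is.
    It holds no keys, so seeing or altering traffic does not let it approve logins."""

    def __init__(self):
        self.devices = {}   # aic -> device

    def attach(self, device: MobileDevice) -> None:
        self.devices[device.aic] = device

    def push(self, aic: str, payload: dict, consent: bool):
        device = self.devices.get(aic)
        return device.respond(payload, consent) if device else None

    def forward(self, rp: RelyingParty, response) -> bool:
        return rp.verify(response) if response else False


def run_demo() -> dict:
    bank = RelyingParty("https://bank.example")             # constructed sample origin
    lookalike = RelyingParty("https://bank-login.example")  # constructed; never registered
    relay, phone = Relay(), MobileDevice("alice")
    relay.attach(phone)
    phone.register(bank)
    r = {}
    resp = relay.push(phone.aic, bank.start_session(), consent=True)
    r["consented_login"] = relay.forward(bank, resp)                     # True
    r["replayed_response"] = relay.forward(bank, resp)                   # False: challenge spent
    r["aic_without_consent"] = relay.push(phone.aic, bank.start_session(), consent=False) is None
    r["unregistered_origin"] = relay.push(phone.aic, lookalike.start_session(), consent=True) is None
    altered = dict(relay.push(phone.aic, bank.start_session(), consent=True), user="mallory")
    r["altered_in_transit"] = relay.forward(bank, altered)               # False: MAC no longer matches
    return r


if __name__ == "__main__":
    print(run_demo())
```

Running `run_demo()` shows the five outcomes the goals above call for: a consented response verifies once, a replay of it is rejected because the challenge is consumed, knowing the AIC alone produces no response without consent, a payload from an origin the device never registered with is refused before any verification data is computed, and a response altered at the relay fails verification because the relay holds no key. A production design would replace the shared-secret HMAC with a per-site key pair so the website stores only a public key, consistent with keeping credentials on the user's device rather than in website databases.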