Authentication mechanisms use one or more authentication factors to control access to secured services. An authentication mechanism may require a knowledge factor (e.g., a username and a password), an ownership factor (e.g., a hardware security token), an inherence factor (e.g., a biometric identifier such as a fingerprint), or combinations thereof. The first of these is commonly referred to as proof of knowledge.
Authentication based on proof of knowledge includes a provisioning phase (e.g., enrollment) in which the user's knowledge is defined, and a use phase in which a user is authenticated by proving that knowledge. Authentication based on conventional identity management techniques provides access control to secured services by validating a username and password to demonstrate proof of knowledge. Improved identity management techniques authenticate a user with a picture password (rather than a textual password), which proves that the user knows a combination of input actions together with a known image (such as a still picture, a photograph, or a motion picture with or without sound). Although using a picture password increases security because the proof of knowledge is more complex, access control for authenticated users remains unchanged in existing systems.
Online portals such as websites use the aforementioned rigid identity management techniques as proof of knowledge to control access to private information such as a bank account, a brokerage account, electronic billing, or a payment system. A relying party such as a bank providing the bank account, a brokerage firm providing the brokerage account, or a proprietor of the electronic billing or payment system requires robust forms of proof of knowledge to maintain control over access to the private information.
The online portals may use additional mechanisms to distinguish between human and machine input. For example, mechanisms such as the Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) provide a type of challenge-response test to determine whether or not a user is a human rather than, for example, a “robot” or other type of computer agent seeking to thwart an authentication mechanism.
Thus, conventional identity management techniques are used to control access to services by merely validating human input of a user's identity to demonstrate proof of knowledge. Although existing mechanisms can grant access to services based on whether a user's identity is valid, a need exists to improve access control to services without being constrained by the aforementioned rigid identity management techniques.