The growth of the internet has spurred demand for secure, convenient and private access to networks and the web for consumers and companies. Users transmit confidential information when accessing email servers or financial accounts, making purchases online or even logging into personalized news sites. Unfortunately, the increased transmission of confidential information leads to an increased risk of identity theft. Millions of Americans have become victims of identity theft, leading to billions in losses.
Although there are various techniques designed to provide authentication to protect critical data and prevent identity theft, these techniques are subject to vulnerabilities or are difficult to use, thereby deterring widespread implementation.
For example, a common form of authentication is the static password method. In this method, a user enters a static user identification and password on a client site. A request is sent to an authentication server to validate the user's credentials. If the credentials are valid, the user is forwarded to the next page. If they are not valid, access to the next page is denied and the client site may again ask the user to enter proper credentials. However, this form of authentication is vulnerable to threats such as phishing, key logging, shoulder surfing, snooping, social engineering, brute force, replay, dictionary, browser cache and man-in-the-middle (MITM) attacks.
To overcome some of the vulnerabilities of static passwords, random password authentication mechanisms and systems have been developed that rely upon passwords or codes that are valid for only a certain period of time. For example, a one-time password (OTP) is only valid for one login session or transaction. An example of this is RSA SecurID, which uses an OTP authentication server and an OTP client that share a secret key and a common OTP generation algorithm to generate the one-time password for each use. The one-time password cannot be predicted from knowledge of prior one-time passwords. Some OTP algorithms are based on time synchronization between the OTP authentication server and the OTP client; others use event-based hash chains that derive each one-time password from the previous one, or derive it from a challenge and/or a counter.
OTP-based authentication often uses hard tokens (key fobs) or soft tokens (software-generated) as OTP clients. In both cases, the user enters a login identification together with a fixed PIN and a token-generated OTP. Token-based OTP is prevalent in enterprise and corporate environments. Although more resistant to tampering and spoofing, OTP tokens can be difficult to carry around, can get lost or broken, and are still subject to phishing, MITM and other types of attacks. OTP systems that are in-band, meaning that all information is requested on the same node or network, are exposed to an attacker who is present in the same environment as the authentication mechanism. Other mechanisms, such as Authentication as a Service, use cloud computing or other web methods to deliver OTP tokens.
Multifactor authentication systems are more secure than static user identifications and passwords. However, they can be difficult and expensive to adopt and use.
Accordingly, an authentication system that mitigates some of the vulnerabilities of prior art systems is desired. Furthermore, an authentication system that provides strong multi-factor authentication and a transaction mechanism for service providers, including banks and large enterprises, that protects user identities and accounts, provides seamless usability for end users and is easy to implement is generally desired.