1. Technical Field
Embodiments disclosed herein are related to systems and methods for authenticating a user and device with information in addition to a username and password. In particular, embodiments disclosed herein are related to a system and method for authenticating a user and a device with low-quality or low-entropy information supplied in addition to a username and password.
2. Related Art
As people use the internet for more and more purposes, scammers and so-called “black-hat” hackers increasingly look to the internet as a new frontier of illicit opportunity. People who use the internet to conduct financial transactions, such as making purchases and banking, can be attacked by these scammers and hackers, who may gain access to their online financial accounts. The attackers can use this access for their own financial gain, which can hurt the financial standing and credit rating of the affected people. Moreover, access to one account of a person may lead to access to additional accounts because of the exploitable personal information viewable in the compromised account.
In some cases, attackers may know a user's login or password, but not both. As a result, an attacker may attempt a brute force attack by entering common passwords with a known username, or common or user-identifiable usernames (e.g., jdoe1) with known or common passwords. Passwords with few characters, such as a common four-character personal identification number (PIN), may be particularly vulnerable to brute force attacks because there are few possible values, and many users choose common PINs for their convenience. One method to stop brute force attacks is to limit the rate at which an attacker can make password guesses, such that the account is disabled after a certain number of incorrect guesses. However, this method disables only the account associated with a particular username, and cannot prevent attacks that enter a common password against many different usernames, which is referred to as a “vertical attack”. For example, a PIN of 2580 is very common because it is simply the center row of numbers on a keypad. An attacker having a list of usernames can try that PIN (or other common PINs) against each of the usernames, and may have some moderate level of success.
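As an added illustration that is not part of this disclosure, the following Python contrasts the per-username lockout described above with a detector that counts how many distinct usernames each guessed PIN value is tried against, which surfaces the vertical attack the lockout misses. The failed-login events, thresholds and salt are all constructed for the example.

```python
"""
Added example (not from the patent text): per-username lockout versus a
detector for the "vertical attack" (one common PIN tried across many
usernames). All events below are constructed.
"""
from collections import defaultdict
import hashlib

LOCKOUT_THRESHOLD = 5   # wrong guesses before one account is disabled
SPRAY_THRESHOLD = 3     # distinct usernames one PIN is tried against before alerting

# Constructed failed-login events as (username, pin_tried).
# One common PIN is tried once against each of five accounts, so no single
# account ever reaches LOCKOUT_THRESHOLD.
FAILED_ATTEMPTS = [
    ("alice", "2580"),
    ("bob", "2580"),
    ("carol", "2580"),
    ("dave", "2580"),
    ("erin", "2580"),
    ("frank", "1111"),
    ("frank", "2222"),
]

def pin_fingerprint(pin, salt=b"constructed-salt"):
    """Opaque key for grouping attempts so the detector never stores raw PINs.
    The four-digit PIN space is tiny, so this hides values only from casual
    viewing; a deployment would use a secret key, not this constructed salt."""
    return hashlib.sha256(salt + pin.encode()).hexdigest()[:16]

def per_account_lockouts(attempts, threshold=LOCKOUT_THRESHOLD):
    """Classic defence: count wrong guesses per username and lock when exceeded."""
    counts = defaultdict(int)
    for user, _pin in attempts:
        counts[user] += 1
    return sorted(u for u, n in counts.items() if n >= threshold)

def vertical_attack_alerts(attempts, threshold=SPRAY_THRESHOLD):
    """Count distinct usernames each guessed PIN was tried against; a PIN seen
    against many accounts is the signature of a vertical attack."""
    users_per_pin = defaultdict(set)
    for user, pin in attempts:
        users_per_pin[pin_fingerprint(pin)].add(user)
    return {fp: len(users) for fp, users in users_per_pin.items()
            if len(users) >= threshold}

if __name__ == "__main__":
    print("locked accounts:", per_account_lockouts(FAILED_ATTEMPTS))      # []
    print("sprayed PIN fingerprints:", vertical_attack_alerts(FAILED_ATTEMPTS))
```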
The variety and portability of internet-capable devices have not only enabled users to perform internet communications and transactions more frequently, but also given attackers more opportunities to attack unsuspecting users. The lucrative potential of these attacks encourages attackers to try to stay one or more steps ahead of the security measures. When a countermeasure or other security provision is put in place to stop or otherwise limit the effect of an attack, attackers develop ways to overcome the countermeasure, or find additional ways to exploit the operating system, browser or other executable software to launch another, possibly more effective attack.
Accordingly, there is a need for a system and method for authenticating a user using low-quality or low-entropy information supplied in addition to a username and password.