Web-based applications are flooding into areas that can benefit from enhanced security. Examples of such Web-based applications include: commercial transactions over the Internet (e.g., the purchase and sale of goods), on-line banking (e.g., electronic funds transfer), and medical transactions (e.g., provision of medical records in emergency situations), etc.
The security of information and transactions has been identified as a significant problem. At the center of the problem are crackers: individuals who seek to access computers, such as Web servers, so as to conduct pranks, vandalism, espionage or other illegitimate activities. Web security responds to these activities and, among other things, strives to maintain the confidentiality and integrity of information, both as resident on servers and as communicated in Web transactions. Increasing the vulnerability to crackers is that the Web is an open system available to anyone in possession of readily available, affordable technology.
An important security issue is authentication. While authentication takes various forms, authentication of individuals is particularly desirable. This authentication is directed to verifying that the individual seeking access to and/or through a server is in fact who that individual claims to be, and not an impersonator. This authentication relies on verification being performed at or above a predetermined minimum level of confidence. At the same time, authentication is generally an early hurdle that the individual must clear to conduct transactions with the server.
An example of an authentication tool is a token. The token is, e.g., a small handheld device or copy-protected software loaded onto a PC. Authentication tokens operate by query/response, time-based code sequences, or other techniques, such as lists of one-time-only passwords, etc. For example, it displays a constantly changing ID code that can be used to get access to a network or server. A user first enters a password and then the card displays an ID that is valid for logging on to a network until the ID changes, which can be every 5 minutes. The ID's usually are determined through a pseudo-random generator. Pseudo-random generators and algorithms to generate pseudo-random numbers are well known. The generator in the token is mirrored by a generator in the server or the network to ensure that the both agree on what is a valid ID for the time window considered.
The fact that the server and token operate in lock-step and each time produce the same ID the same time implies that the server and token are using identical algorithms. Servers can be hacked. The algorithm used by tokens commercially available in large batches from a manufacturer can be stolen or otherwise discovered, e.g., by disassembling a token. Moreover, the validity of the token is tied to a finite time window. Eavesdropping on the ID communication may enable an unauthorized person to ride piggyback on the authorized person in this window of opportunity to enter the secure server or network.
Accordingly, one could say that a need exists for alternative security measures, and methods to implement such measures. Moreover, a need exists for alternative authentication systems and methods.