With the expansion of the Internet, many activities previously conducted face-to-face in real life are gradually being replaced by communications over the Internet.
With the spread of network applications, an increasing number of people are using network applications for online shopping and online payment. To ensure security, when accessing systems having high security requirements such as online banking to perform an operation, users are typically first required to authenticate their identity (also known as “identity verification” or “authorization”). Only when a user's identity conforms to a set of requirements is the user confirmed as a valid user.
One conventional identity authentication method is as follows: when a user is to access a system, a server where the system is located sends a text message, via a telecommunications service or short message system (SMS) using an SMS service interface, to the user's mobile phone, and the text message includes a verification code randomly generated by the server. Upon receipt of this text message, the user enters the verification code included in the text message into a login screen of the system. Subsequently, the entered verification code is sent to the server. The server compares the received verification code against the previously sent verification code. If the two codes match, then the user is determined to be authenticated.
Specifically, a random number can be generated on the server and sent to the designated mobile telephone via the text message. Upon receipt of the random number, the user enters this random number during the login process and submits the random number to the server. The server confirms that the user is the owner of the designated mobile phone by verifying the random number, and the user thereby passes identity authentication.
However, the above conventional identity authentication method has security risks. Hackers or cheats could intercept text messages by embedding a mobile phone Trojan, or use deception to fraudulently obtain the contents of the text message. Victims would remain unaware during this process (in the case of mobile phone Trojans), or would simply tell the cheats the contents of the text message (in the case of deception). As a result, the cheats and/or the hackers would obtain the contents of the text message and successfully steal the victims' identity or funds.
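The server side of the conventional flow described above, as an added example that is not code from the original text: the server generates a random code, sends it through an SMS interface, and compares the submitted value against the one it sent. The `send_sms` callback, the code length, the expiry time and the attempt limit are assumptions; the text specifies none of them.

```python
import hmac
import secrets
import time

CODE_DIGITS = 6          # assumption: the text does not fix a code length
CODE_TTL_SECONDS = 300   # assumption: expiry is not described in the text
MAX_ATTEMPTS = 3         # assumption: a retry limit is not described in the text


class SmsCodeVerifier:
    """Server side of the conventional SMS verification-code flow."""

    def __init__(self, send_sms, clock=time.monotonic):
        self._send_sms = send_sms   # hypothetical SMS service interface
        self._clock = clock
        self._pending = {}          # phone -> [code, expires_at, attempts_left]

    def issue(self, phone):
        # Random number generated on the server, drawn from a CSPRNG.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        expires_at = self._clock() + CODE_TTL_SECONDS
        self._pending[phone] = [code, expires_at, MAX_ATTEMPTS]
        self._send_sms(phone, f"Your verification code is {code}")

    def verify(self, phone, submitted):
        entry = self._pending.get(phone)
        if entry is None:
            return False
        code, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            del self._pending[phone]
            return False
        entry[2] -= 1
        # Compare the received code with the previously sent one in constant time.
        if hmac.compare_digest(code.encode(), str(submitted).encode()):
            del self._pending[phone]    # a code is accepted only once
            return True
        if entry[2] == 0:
            del self._pending[phone]    # attempts exhausted, code is void
        return False
```

`verify()` sees only the phone number and the submitted digits, so it accepts the code from whoever presents it; that is why an intercepted or disclosed text message is enough to pass this check.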