Access control is a mechanism required by every computer system, not only client/server and browser/server systems but also cloud systems. It ranges from the simplest mechanism, a user name and password, through the widely used challenge code such as CAPTCHA (which only checks that a human rather than a program is present and does not by itself identify the user), to the currently common short message (SMS) verification code and the hardware USB key (UKey). Both the SMS verification code and the UKey depend on an external device.
Multi-factor authentication (MFA) is a simple and effective best practice for account security: it adds one or more layers of protection on top of the user name and password. In authentication theory the factors fall into three types: something the user knows, such as a password or an identity card number; something the user possesses, such as a UKey, a smart card (integrated circuit card, abbreviated IC card below) or a magnetic card; and something the user is, a biometric such as a fingerprint, iris or voice. Each factor on its own can be defeated (a password guessed or phished, a card stolen or cloned, a biometric copied), whereas combining factors of different types, so that an attacker must defeat more than one of them, materially improves the security of a system's access control. This combination is what is meant by multi-factor authentication; two factors of the same type, such as two passwords, do not provide it.
Verification codes are currently one of the most widely applied forms of multi-factor authentication, and two verification schemes are in common use. In the first, the server and the client generate the verification information synchronously and independently of each other; in the second, the server generates a verification code and transmits it to the user's device.
An example of the first scheme is the random electronic token generated by a UKey: the server and the UKey hold synchronised generators (in practice a shared secret combined with a time or event counter, rather than true randomness) and periodically produce a token that changes unpredictably. The drawback is cost: a UKey must be issued to every user, and the back end must maintain a synchronisation system covering every user's token. An example of the second scheme is the mobile phone verification code: the server generates a code, transmits it to the user's phone, and the user enters it when prompted. However, as smartphones have spread, vulnerabilities in phone systems and the Trojan horses that exploit them have multiplied, and a code delivered to the phone can be read by malware on the device or intercepted in the delivery channel, which undermines the security of the phone verification code. In either scheme the verification code is obtained either synchronously by the server and the client, or generated by the server and then transmitted to the user; in neither case does the user first generate the verification information and the server then verify it under a specified condition. That is, the user has no active control over the verification information.
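The two schemes described above, as an added worked example that is not part of this patent text. It assumes HOTP (RFC 4226, HMAC-SHA1 over an event counter) as the concrete form of the synchronised generators in the first scheme, and a server-issued random code stored as a hash with an expiry and a small attempt budget for the second; the class names HardwareToken, SyncTokenServer and DeliveredCodeServer and the test secret are constructed for this illustration.

```python
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the 8-byte
    big-endian counter, dynamic truncation, reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24) | (mac[offset + 1] << 16) \
        | (mac[offset + 2] << 8) | mac[offset + 3]
    return f"{binary % (10 ** digits):0{digits}d}"


class HardwareToken:
    """Client side of the first scheme (hypothetical UKey): holds the shared
    secret and an event counter and produces the next code on demand."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.counter = 0

    def next_code(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class SyncTokenServer:
    """Server side of the first scheme: nothing secret travels over the wire;
    the server regenerates the code from its own copy of the secret and a
    counter kept in step with the device. A small look-ahead window absorbs
    codes the user generated but never submitted."""

    def __init__(self, secret: bytes, window: int = 3) -> None:
        self.secret = secret
        self.counter = 0
        self.window = window

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1  # resynchronise; an accepted counter can never be replayed
                return True
        return False


class DeliveredCodeServer:
    """Second scheme: the server draws a random code, hands it to the delivery
    channel (SMS in the text) and keeps only its hash, an expiry and an attempt
    budget, so a leaked table exposes no live codes. Codes are single-use."""

    def __init__(self, ttl_seconds: int = 300, max_attempts: int = 3, clock=time.time) -> None:
        self.ttl = ttl_seconds
        self.max_attempts = max_attempts
        self.clock = clock  # injectable for testing
        self.pending = {}   # user -> (sha256(code), expires_at, attempts_left)

    def issue(self, user: str) -> str:
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[user] = (hashlib.sha256(code.encode()).digest(),
                              self.clock() + self.ttl, self.max_attempts)
        return code  # the caller sends this out of band; it must not be logged

    def verify(self, user: str, code: str) -> bool:
        entry = self.pending.get(user)
        if entry is None:
            return False
        digest, expires_at, attempts_left = entry
        if self.clock() > expires_at:
            del self.pending[user]
            return False
        if hmac.compare_digest(digest, hashlib.sha256(code.encode()).digest()):
            del self.pending[user]  # consumed on success: no replay
            return True
        attempts_left -= 1
        if attempts_left <= 0:
            del self.pending[user]  # budget exhausted: a new code must be issued
        else:
            self.pending[user] = (digest, expires_at, attempts_left)
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 4226 test secret, constructed for the demo
    token, server = HardwareToken(secret), SyncTokenServer(secret)
    code = token.next_code()
    print("token accepted:", server.verify(code), "replay:", server.verify(code))
    sms = DeliveredCodeServer(ttl_seconds=60)
    delivered = sms.issue("alice")
    print("sms accepted:", sms.verify("alice", delivered), "reuse:", sms.verify("alice", delivered))
```

Both verifiers use a constant-time comparison, and the delivered-code server bounds guesses per code because a six-digit code with unlimited attempts is brute-forceable in under a million tries. Note that neither scheme lets the user originate the verification information: in both, the server side either holds the same generator or creates the code itself.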