The protection and security of customer information is vital from an organization's perspective, not only to comply with applicable laws, but to earn and maintain customer trust. Enhanced security often comes at the cost of convenience for the user, such as by requiring the user to answer additional security questions. Various methods are used in authenticating a user attempting to access an account. Security analysts have identified three authentication factors that can be used in making a positive identification: ownership, knowledge, and inherence. Elements used to verify the first factor, ownership, may include a phone, a security token, or a software token. Elements used to verify the knowledge factor may include a password, username, personal identification number (PIN), or answers to security questions. Elements used to verify the inherence factor may include biometric data.
Verifying two of the factors, “two-factor authentication”, is commonly used to authenticate a user. For example, many applications on mobile devices require the user to enter a PIN, satisfying the knowledge factor, on a particular mobile device, satisfying the ownership factor. In some mobile devices, the ownership factor is generally assumed to be satisfied because many mobile devices, such as smartphones, are particular to one person. Thus, an impersonator would be required not only to have the mobile device, but also to know the PIN in order to access the application. This enables users to simply input a PIN into an application on a mobile device to be authenticated.
Personal computers (computing devices) pose additional complexities in authenticating users. Computing devices are commonly used by more than one person. Thus, it is not safe to assume that the identity of the computing device satisfies the ownership factor. Additionally, computing devices in general have been more easily compromised than other devices. Current solutions increase security, but are often inconvenient for users. For example, one solution includes providing users with some type of token, requiring the user to prove that the user has the token, such as by typing in a one-time code generated by the token in combination with a username/password/PIN. Other solutions focus on the knowledge factor such as by requiring the user to answer additional security questions.