Service providers receive login attempts from users wishing to gain access to applications, sensitive information and other resources. To gain access, users are generally required to authenticate themselves by presenting credentials, such as passwords, token codes, and/or personal identification numbers (PINs). An authentication server typically receives such authentication requests from users and either grants or denies access, based on whether the presented credentials match expected values. For added security, multiple authentication factors must often be entered and verified before access can be granted.
Multi-factor authentication requires the presentation of two or more of three authentication factors: something a user knows (such as a password), something the user has (such as a security token or a mobile device) and/or something the user is (such as a biometric of the user). A common two-factor authentication scheme involves both a token code and a PIN. The token code, also known as a one-time password, or “OTP,” is generated automatically, such as by a portable device that a user has in his or her possession. The PIN is a number, or possibly an alpha-numeric string, that the user has memorized. Both the token and the PIN have been registered previously in connection with the user at the authentication server. The user enters both the token code and the PIN in one or more fields of a network login screen on the user's computer. Access to the remote network is only granted to the user's computer if both the token code (something the user has) and the PIN (something the user knows) can be verified. An example of a portable token is SecurID®, which is available from RSA Security LLC, Bedford, Mass.
Recently, software has been introduced to perform the functions of tokens on smart mobile devices, such as smart phones, PDAs, and tablets. See, e.g., RSA SecurID, “Software Authenticators” (EMC Corporation). In one example, a user of a computer wishing to access a remote network enters his or her PIN into a field displayed on the user's mobile device. The mobile device sends the PIN to an authentication server. If the PIN matches an expected value, the authentication server sends back a signal to unlock the mobile device to allow the mobile device to display a token code. The user can then transfer the token code manually to the computer to enable the computer to gain access to the remote network.
Since the user now communicates over two channels, the mobile phone becomes a two-factor, two-channel authentication mechanism. A need remains for improved mobile authentication techniques that authenticate a user accessing a protected resource using multiple channels, including the mobile device of the user.
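The two-channel flow described above, as an added example that is not code from the page or from any RSA product: the mobile device sends the PIN to the server over the first channel, the server unlocks the display of a token code, and the user types that code into the computer, which the server checks over the second channel. `AuthServer`, `MobileDevice`, the PIN and the token seed are constructed for illustration; the token code is computed with HOTP (RFC 4226), an assumption, since the text does not name the algorithm.

```python
import hashlib, hmac, secrets, struct

def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): the kind of token code the text describes."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def pin_hash(pin: str, salt: bytes) -> bytes:
    # The server keeps a salted, stretched hash of the memorized PIN, never the PIN itself.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

class AuthServer:
    """Registered PIN hash and token seed per user (constructed, in-memory store)."""
    def __init__(self):
        self.users = {}

    def register(self, user: str, pin: str, seed: bytes):
        salt = secrets.token_bytes(16)
        self.users[user] = {"salt": salt, "pin": pin_hash(pin, salt), "seed": seed, "ctr": 0}

    def unlock_device(self, user: str, pin: str) -> bool:
        """Channel 1: the PIN arrives from the mobile device; True means it may show a code."""
        rec = self.users.get(user)
        return rec is not None and hmac.compare_digest(rec["pin"], pin_hash(pin, rec["salt"]))

    def verify_token_code(self, user: str, code: str, window: int = 3) -> bool:
        """Channel 2: the code typed on the computer; accepted once, within a small look-ahead."""
        rec = self.users.get(user)
        if rec is None:
            return False
        for c in range(rec["ctr"], rec["ctr"] + window):
            if hmac.compare_digest(hotp(rec["seed"], c), code):
                rec["ctr"] = c + 1  # this and earlier counters are spent, so a replay fails
                return True
        return False

class MobileDevice:
    """Software token: it generates a code only after the server has unlocked it."""
    def __init__(self, seed: bytes):
        self.seed, self.counter = seed, 0

    def display_token_code(self, server: AuthServer, user: str, pin: str):
        if not server.unlock_device(user, pin):
            return None  # wrong PIN: nothing is displayed on the device
        self.counter += 1
        return hotp(self.seed, self.counter - 1)
```

With the RFC 4226 test seed the first three codes are 755224, 287082 and 359152, and a code that has already been accepted is rejected on the second channel.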