1. Field of the Invention
The present invention relates generally to user authentication, and more particularly to a password generation apparatus and method.
2. Description of the Related Art
Many secure access techniques are known for gaining access to secure computer systems, bank accounts, and other processes within a computer or Internet device. For example, communication units include web browsers that may be used to gain access to web-based information from a web server, and may be coupled to that server via a wireless or non-wireless communication link. Techniques are known to provide session-based authentication between, for example, a user device (such as a Personal Computer (PC), Internet device, laptop computer, smart card, radio telephone, or any other suitable device) and an external system, such as a web service on the Internet, or between processes within the same device. Cryptographic engines are often used to provide public key-based encryption, decryption, digital signing and signature verification as known in the art; in such systems public and private key pairs are periodically generated, and a user is allowed to digitally sign information, or decrypt information, using the private keys.
Session-based single-factor authentication techniques are known wherein, for example, a first unit, such as a user device, is queried by a server (which may contain, for example, credit card accounts, bank accounts or any other secure information) for the user to enter and send a user identification (ID) and a password, so that the server can trust the user device. However, such systems are vulnerable to attack. For example, an attacker that maliciously obtains a user's password can thereafter impersonate that user. Two-factor authentication adds another level of security. For example, after the user has entered the correct user ID and password, a server may return to the user device an authentication code, such as a random number generated by a random number generator in the server. The user device receives and digitally signs the received authentication code using a private signature key located on a smart card that has been inserted into a smart card reader at the user device, and returns the digitally signed authentication code over the same channel that was originally used to send the generated authentication code. However, deployment of such schemes is limited by at least the monetary expense of supporting card readers at user devices.
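The two-factor exchange described above, as an added example that is not part of the patent text: after the ID/password check the server issues a random authentication code, the user device signs it with its private signature key (an in-memory Ed25519 key stands in for the smart card here), and the server verifies the signature against the registered public key, discarding the outstanding code so a captured response cannot be replayed. The `Server` type, its methods and the user names are constructed for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Server keeps each registered user's public signature key and the
// outstanding authentication code issued to that user (constructed example).
type Server struct {
	pubKeys    map[string]ed25519.PublicKey
	challenges map[string][]byte
}
func NewServer() *Server {
	return &Server{pubKeys: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

// Register stores the public half of the user's signature key pair.
func (s *Server) Register(userID string, pub ed25519.PublicKey) { s.pubKeys[userID] = pub }

// IssueChallenge runs after the user ID/password check: the server generates a
// fresh random authentication code and remembers it for this user.
func (s *Server) IssueChallenge(userID string) ([]byte, error) {
	code := make([]byte, 32)
	if _, err := rand.Read(code); err != nil {
		return nil, err
	}
	s.challenges[userID] = code
	return code, nil
}

// SignChallenge is the user-device side: the private signature key (held on
// the smart card in the text, an in-memory key here) signs the received code.
func SignChallenge(priv ed25519.PrivateKey, code []byte) []byte {
	return ed25519.Sign(priv, code)
}

// VerifyResponse checks the signed code against the stored public key. The
// outstanding code is discarded first, so a captured response replayed later
// is rejected even though its signature is still mathematically valid.
func (s *Server) VerifyResponse(userID string, sig []byte) bool {
	code, ok := s.challenges[userID]
	if !ok {
		return false
	}
	delete(s.challenges, userID)
	pub, ok := s.pubKeys[userID]
	return ok && ed25519.Verify(pub, code, sig)
}
```

A response signed with a key other than the one registered for the user, or presented a second time, is rejected; the password step that precedes `IssueChallenge` is outside this block.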
Moreover, information security systems are being developed to allow a user to roam from one device to another. For example, a user profile that includes private keys, such as private decryption keys and private signing keys, along with user password information and other cryptographic keys, may be encrypted and stored in a server that is accessible to the user from a plurality of devices. The user profile is then sent to the user, but only after an authentication procedure is carried out. Such authentication procedures typically involve the user entering a user ID and password through a web browser. However, no other user-specific credentials are typically required. As a result, an unscrupulous party may gain access to a user's private keys if they are able to obtain the user ID and password by observing the user, key logging, screen capturing, and the like, while the user is entering the information on a keyboard.