Illegitimate access to online services or systems is the origin of fraud amounting to large sums of money each year. To mitigate such risks, online services rely on user authentication methods. Most often, a user of an online service is requested to create a user identification (ID) and a password for authentication purposes. Security and confidence in the authentication may be improved by enforcing security rules such as a minimum length or complexity of the password.
More robust methods have been developed, such as multi-factor authentication. Multi-factor authentication is an approach to authentication that requires the presentation, together with the user identification, of two or more of the three authentication factors:
a knowledge factor ("something only the user knows", in other words a password),
a possession factor ("something only the user has", in other words a device or token), and
an inherence factor ("something only the user is", in other words biometric parameters).
After presentation, each factor must be validated by the online service for authentication to occur.
Nevertheless, while such methods greatly improve the level of security, they quite often have the weakness of being cumbersome for users. Indeed, users may not be willing to carry a secure token with them or to go through a long authentication process every time they access a service.
Thus, online services may adapt the level of security according to some contextual information in order to facilitate the authentication process under given conditions. An authentication method implemented, for example, to control access to a social network or a web site may adapt according to contextual information. Contextual information is information related to the device used by the user to request access to the service, for example the MAC address or the IP address of the device, or any information such as parameters stored on the device. Using such contextual information, the authentication method may be as simple as asking for a login and the corresponding password associated with the user. Sometimes, for example in a web context, using a cookie stored on the device as contextual information may provide access to a service without the cumbersome step of providing a login or password.
On the other hand, when the contextual information does not match or correspond to the expected contextual information, the authentication method may be reinforced, for example by asking for the answer to a secret question or by asking the user to answer some questions based on user information comprised in a user profile. Thus, for example, some social networks, when a user tries to connect from a device not previously used by this same user to access the social network, may request the user to go through supplementary authentication steps. This is possible by using contextual information such as an ID of the device (media access control (MAC) address, internet protocol (IP) address, international mobile equipment identity (IMEI) . . . ) to identify previously used devices. Fraudulent access to the social network is therefore more complex, as an attacker using an unknown device will need to defeat more complex challenges than the normal challenge presented to the user using a known device.
Nevertheless, forging such a device ID is a known technique. These identifiers are either reported by the client device itself (MAC address, IMEI, parameters stored on the device, including cookies) or easily changed by the client (IP address), so the service cannot verify them independently. An attacker forging the ID of a known device of the legitimate user may therefore be presented with only the simple challenge, or may even gain direct access to the service.
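The adaptive scheme described above, and the weakness of relying on a client-asserted device ID, can be made concrete with the following example. It is an added illustration written for this text, not code from the original or from any particular service; the profile, cookie value, MAC addresses, IMEI and requests are constructed sample data, and the rule "a device is known when its reported MAC or IMEI matches a recorded one" is an assumption chosen to mirror the description, not a specification of any real social network.

```python
# Added example (not part of the original text): a minimal context-aware
# authentication decision of the kind described above, and a demonstration
# of why a client-asserted device ID is a weak signal.  All user records,
# cookies and requests below are constructed sample data.
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, List, Optional, Set


class Challenge(IntEnum):
    """Strength of the challenge the service presents, from weakest to strongest."""
    NONE = 0       # a valid "remember me" cookie: no login/password asked
    PASSWORD = 1   # normal challenge: login and password
    STEP_UP = 2    # reinforced challenge: password plus secret/profile questions


@dataclass(frozen=True)
class DeviceRecord:
    """Identifiers the service recorded for a device previously used by the user."""
    mac: str
    imei: Optional[str] = None


@dataclass
class UserProfile:
    user_id: str
    known_devices: List[DeviceRecord] = field(default_factory=list)
    # Opaque "remember me" cookie values issued to this user's known devices.
    remember_cookies: Set[str] = field(default_factory=set)


def is_known_device(profile: UserProfile, context: Dict[str, str]) -> bool:
    """A device is 'known' when a client-reported hardware identifier (MAC
    address or IMEI) matches one recorded in the profile.  The IP address is
    deliberately not used for matching: it changes whenever the user moves
    between networks, so it would cause spurious step-ups."""
    mac = context.get("mac")
    imei = context.get("imei")
    for dev in profile.known_devices:
        if mac is not None and mac.lower() == dev.mac.lower():
            return True
        if imei is not None and dev.imei is not None and imei == dev.imei:
            return True
    return False


def decide_challenge(profile: UserProfile, context: Dict[str, str]) -> Challenge:
    """Choose the challenge level from the contextual information of a request.

    `context` holds whatever the service can observe or the client reports:
    'cookie' (value of the remember-me cookie, if any), 'mac', 'imei', 'ip'.
    """
    cookie = context.get("cookie")
    if cookie is not None and cookie in profile.remember_cookies:
        return Challenge.NONE                  # cookie replaces login + password
    if is_known_device(profile, context):
        return Challenge.PASSWORD              # known device: normal challenge
    return Challenge.STEP_UP                   # unknown device: reinforced challenge


def sample_profile() -> UserProfile:
    """Constructed sample data: one user with two previously used devices."""
    return UserProfile(
        user_id="alice",
        known_devices=[
            DeviceRecord(mac="02:42:ac:11:00:02", imei="356938035643809"),
            DeviceRecord(mac="02:42:ac:11:00:03"),
        ],
        remember_cookies={"rm-7f3c9a"},
    )


def demo() -> Dict[str, Challenge]:
    """Run the decision on four constructed requests; returns the level per case."""
    profile = sample_profile()
    cases = {
        # Returning browser presenting its remember-me cookie.
        "cookie": {"cookie": "rm-7f3c9a", "ip": "198.51.100.10"},
        # Known phone connecting from a new network: only its MAC is recognised.
        "known_device": {"mac": "02:42:AC:11:00:02", "ip": "203.0.113.7"},
        # Brand-new device: the service steps up the challenge.
        "unknown_device": {"mac": "0a:1b:2c:3d:4e:5f", "ip": "203.0.113.7"},
        # Attacker's device reporting the MAC copied from Alice's known phone.
        # The service cannot tell it apart from the real device and presents
        # only the simple challenge: this is the weakness described above.
        "forged_device": {"mac": "02:42:ac:11:00:02", "ip": "192.0.2.99"},
    }
    return {name: decide_challenge(profile, ctx) for name, ctx in cases.items()}


if __name__ == "__main__":
    for name, level in demo().items():
        print(f"{name:15s} -> {level.name}")
```

The last case is the point: because the MAC address (like the IMEI or a stored cookie) is simply a value the client sends, the decision logic has no way to distinguish a copied identifier from the genuine device, and the attacker is downgraded to the ordinary password challenge. Nothing in the decision function can fix this; the identifier itself would have to be something the client cannot reproduce at will.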
There is a need to improve the security of such authentication methods.