This invention relates to computer networks and, more specifically, to authentication in computer networks.
Multi-factor authentication is popular and widely used by services across several industries. Validation of a secure token and/or answers to security questions can be required along with a username and password in determining the authenticity of a user requesting access to an account. However, these methods can still be insecure if a username and password are stolen and/or exposed to a hacker. For example, consider a case where a user's mobile device is lost and/or stolen, and a web browser installed on the mobile device stores a username and password for access to a user account of a service. Suppose an application associated with the service, stored on the mobile device, uses secure token validation along with the username and password for a successful login. As soon as the thief/hacker attempts to log in to the account via the stored username and password, the application server sends the secure token to the same mobile device, irrespective of the person who attempts to log in to the application. This makes for a simple security breach, as the thief/hacker can simply enter the received code and be granted access. Similarly, if the thief/hacker knows or has access to other basic information associated with the owner of the mobile device, it can be easy to construct answers to the security questions posed by the application, such as pet name, first car purchase date, favorite city, mother's maiden name, favorite teacher's name, etc. For example, a quick web search of the user's name or a quick look at publicly available information posted to a social media profile could offer clues and/or answers to some or all of these questions. The cognitive psychology authentication system presented herein can be utilized to offer secure multi-factor authentication that addresses these issues.