The Internet environment is characterized by many online resources and services that are purchased by a user or an employer of a user. To protect such resources and services from unauthorized use, i.e., use by an individual who has not purchased the resource or service, user authentication techniques are implemented that typically require an authorized user to provide a valid password prior to accessing the resource or service. Typically, one or more of the following processes are required to set up an authentication service for a user:
A Provisioning Process: In a corporate environment where employees are granted access to corporate resources and services, a new employee typically completes a provisioning process. This process involves setting up the new employee by recording various items of personal information, providing authorization to utilize various corporate resources and services, and assigning an employee identifier and initial passwords for authorized services. When the provisioning process is completed, the new employee is eligible to register or enroll in various services within the corporate environment.
An Enrollment Process: Once the new employee has completed the provisioning process, he or she enrolls in services offered by the corporation. The enrollment process typically requires the new employee to utilize the initially assigned passwords to access services, and once granted access, to fill out a questionnaire containing information of a personal nature.
A Password Creation Process: Once the new employee has enrolled in one or more services, he or she may be allowed to change the initially assigned passwords to user specified passwords.
Once the user has completed the provisioning, enrollment, and password creation processes, access to the service or resource is protected from unauthorized use. Accordingly, an individual who fails to present a valid password will be denied access to the service or resource.
While the above described authentication process is effective for its intended purpose, it is, without doubt, a time consuming and tedious process for the user who must enroll or register with each protected service or resource prior to use. Moreover, if the user forgets the password, the user will be required to contact a system administrator, typically “help desk” personnel, or some other service that has the ability to verify the user's identity and to issue a temporary password so that the user can reset his or her password. This presents significant added costs because “help desk” personnel must be hired or a service must be engaged. Another disadvantage of the typical password-oriented approach is that the passwords and personal information of users must be encrypted and stored in a protected database or in a directory in the protected service or resource. This presents additional costs and poses a security risk for having the confidential and private information misappropriated.
In order to alleviate some of the burdens associated with the authentication process, an authentication system has been developed that eliminates the enrollment requirement by assigning a PIN to the user and utilizing an authenticator, referred to as a “token,” that displays to the user a dynamic token value, i.e., the value changes frequently. When the user attempts to access a protected resource, the user enters the PIN and the current token value. The authentication system verifies the PIN and the token value, and if each matches, the user is granted access to the resource. While this approach minimizes the enrollment process for the user, it still requires the user to remember the PIN/password. If the user forgets the PIN/password, the user must contact the “help desk,” as before. Also, the PIN/password must still be stored and managed, which is costly and presents a potential security risk.
Accordingly, what is needed is an improved method and system for authenticating a user who wishes to utilize a protected resource or service. The method and system should authenticate a user without requiring the user to perform an enrollment process, and without requiring the user to submit a password. The present invention addresses such a need.