After a client terminal (also referred to as a terminal) logs onto a server using a user account number input by a user, the terminal often issues a service request, such as a payment service request or an identity authentication service request, to the server. In web applications of browser-server (or client-server) architectures, the client issues a request to the server when asking for a service to be performed, which is called a service request. For example, the browser could issue a payment service request to the server when a user clicks a “PAY NOW” button on a payment service provider's website to transfer funds. Typically, for anti-fraud purposes, the server authenticates the user upon receiving the service request from the client. To validate the service request, the server usually does not respond to it immediately upon receipt, but instead generates a confirmation number (typically, a 6-digit confirmation number). In some cases, the server looks up the mobile phone bound to the user account number that was used when the terminal logged onto the server, based on a binding relationship between locally stored user account numbers and mobile telephone numbers, and sends the generated confirmation number to that phone via a short message service (SMS) text message.
The mobile phone displays to the user the confirmation number sent by the server. The user then inputs a confirmation number into the terminal through an input port of the terminal. For example, the terminal displays to the user a page where the confirmation number can be input, and the user inputs a confirmation number into an input box on the page. The terminal sends the confirmation number input by the user to the server. The server compares the confirmation number sent by the terminal to a locally generated confirmation number. If the confirmation number sent by the terminal and the locally generated confirmation number are the same, the server authenticates the service request and responds to the service request.
However, during the actual service authentication process, the mobile phone that is bound to the user account can experience a Trojan horse infiltration or some similar infiltration, or the user of the mobile phone bound to the user account can be a victim of fraud, such that the confirmation number is intercepted by a malicious third party. As a result, the confirmation number sent by the server to the mobile phone bound to the user account is misappropriated. If the misappropriated confirmation number is used by an unauthorized user during the authentication process relating to the service request, the reliability of the service request authentication cannot be assured.
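The flow described above and the weakness it leaves, as an added example that is not part of the original text: a minimal server that generates the 6-digit confirmation number, sends it to the bound phone, and compares what comes back. The class and method names, the in-memory SMS outbox, the sample account data and the single-use deletion are assumptions made for illustration.

```python
import hmac
import secrets


class ConfirmationServer:
    # Server side of the SMS confirmation flow; all names are hypothetical.
    def __init__(self, bindings):
        self.bindings = dict(bindings)  # account number -> bound mobile number
        self.pending = {}               # account number -> (request, code)
        self.sms_outbox = []            # stand-in for an SMS gateway (assumption)

    def receive_service_request(self, account, request):
        """Hold the request, generate a 6-digit code, send it to the bound phone."""
        phone = self.bindings[account]
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG; keeps leading zeros
        self.pending[account] = (request, code)
        self.sms_outbox.append((phone, code))
        return "CONFIRMATION_REQUIRED"

    def receive_confirmation(self, account, submitted):
        """Compare the submitted code with the locally generated one."""
        entry = self.pending.get(account)
        if entry is None:
            return "NO_PENDING_REQUEST"
        request, code = entry
        if not hmac.compare_digest(submitted.encode(), code.encode()):
            return "REJECTED"
        del self.pending[account]  # single use: an assumption, not from the page
        return f"EXECUTED:{request}"


def run_demo():
    server = ConfirmationServer({"acct-1001": "+15550100"})  # constructed sample
    results = []
    # Normal flow: the account holder reads the SMS and types the code in.
    server.receive_service_request("acct-1001", "pay:42.00")
    _, code = server.sms_outbox[-1]
    results.append(server.receive_confirmation("acct-1001", "x" + code[1:]))
    results.append(server.receive_confirmation("acct-1001", code))
    # Misappropriated code: the value matches, so the comparison passes. The
    # server has no way to tell which person or device submitted it.
    server.receive_service_request("acct-1001", "pay:999.00")
    _, leaked = server.sms_outbox[-1]
    results.append(server.receive_confirmation("acct-1001", leaked))
    return results


if __name__ == "__main__":
    print(run_demo())
```

The third result is the limitation the passage describes: a matching confirmation number authenticates the request regardless of who entered it.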