Two-way authentication between a person and an authentication device involves (i) the authentication device authenticating to that person, and (ii) that person authenticating to the authentication device. The authentication device authenticates to that person to indicate that the authentication device is legitimate rather than malicious (e.g., that the authentication device is not a phishing device attempting to steal that person's password and other information). The person authenticates to the authentication device to show that the person is legitimate rather than an imposter.
One conventional two-way authentication approach involves the person initially submitting a username to the authentication device. If the authentication device does not find that username in its database, the authentication device informs the person that the username is incorrect (e.g., perhaps the username was mistyped) and allows that person to re-enter the username. If the authentication device finds the username in its database, the authentication device provides the person with evidence that the authentication device is legitimate such as a selected picture or a catch phrase that was provided earlier to the authentication device by that person (e.g., during a setup session).
Once that person is convinced that the authentication device is legitimate, that person then authenticates to the authentication device. In particular, the person provides password information to the authentication device to show the authentication device that the person is legitimate and not an imposter.
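The three-step exchange described above (username lookup, device evidence, then password), written out as an added Python example that is not part of the original text. The device, the per-user database, the secret phrase and the phishing device are all constructed here for illustration; the point it shows is that the person sends the password only after the device has produced the evidence chosen during setup, and that a device which never saw that setup session cannot produce it.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class UserRecord:
    salt: bytes
    password_hash: bytes
    secret_phrase: str  # catch phrase the person supplied during the setup session


class AuthenticationDevice:
    """Legitimate authentication device holding the per-user database (constructed for this example)."""

    def __init__(self):
        self._users = {}

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        # Salted PBKDF2 so the database never stores the password itself.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def enroll(self, username: str, password: str, secret_phrase: str) -> None:
        """Setup session: the person picks a password and a catch phrase."""
        salt = os.urandom(16)
        self._users[username] = UserRecord(salt, self._hash(password, salt), secret_phrase)

    def lookup(self, username: str):
        """Step 1: username only. Returns the stored evidence, or None if the username is unknown.
        Caveat: answering None reveals whether a username exists, as the conventional approach does."""
        rec = self._users.get(username)
        return rec.secret_phrase if rec else None

    def verify_password(self, username: str, password: str) -> bool:
        """Step 3: the person authenticates to the device."""
        rec = self._users.get(username)
        if rec is None:
            return False
        return hmac.compare_digest(rec.password_hash, self._hash(password, rec.salt))


class PhishingDevice:
    """Malicious device (constructed) that never saw the setup session, so it holds no per-user evidence."""

    def __init__(self):
        self.captured = []

    def lookup(self, username: str):
        return "Welcome back!"  # generic text, not the person's chosen phrase

    def verify_password(self, username: str, password: str) -> bool:
        self.captured.append((username, password))  # would steal the password if it ever arrived
        return True


def two_way_login(device, username: str, expected_phrase: str, password: str) -> str:
    """The person's side of the exchange. The password is released only after step 2 succeeds."""
    evidence = device.lookup(username)
    if evidence is None:
        return "unknown_username"  # person may re-enter a mistyped username
    if evidence != expected_phrase:
        return "device_rejected"   # device failed to authenticate to the person; no password sent
    if device.verify_password(username, password):
        return "authenticated"
    return "wrong_password"


def demo():
    """Run the exchange against the legitimate device and against the phishing device."""
    legit = AuthenticationDevice()
    legit.enroll("alice", "correct horse battery staple", "purple giraffe")
    phisher = PhishingDevice()
    return {
        "good": two_way_login(legit, "alice", "purple giraffe", "correct horse battery staple"),
        "bad_password": two_way_login(legit, "alice", "purple giraffe", "wrong"),
        "typo_username": two_way_login(legit, "alcie", "purple giraffe", "correct horse battery staple"),
        "phished": two_way_login(phisher, "alice", "purple giraffe", "correct horse battery staple"),
        "phisher_captured": list(phisher.captured),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The `device_rejected` branch is the whole value of step (i): the phishing device gets the username but never the password. Note the limit of the check, which is a caveat added here rather than something the text states: it only detects a device that does not know the phrase, so the evidence must be something only the legitimate device learned during setup.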