The transfer of information or goods often requires authentication to ensure that the information or goods are properly delivered to authorized parties, and not delivered to wrong parties, or even worse, adverse parties trying to obtain access to the information or goods through malfeasance.
Thus, conventional techniques for transferring information or goods rely on robust authentication techniques. Authentication is the process of identifying an individual or party, usually relying upon a username and password. Authentication is based on the idea that each individual user will have unique information that sets him or her apart from other individuals.
It follows that an individual who provides authentication then awaits authorization. Authorization is the process of granting or denying an individual access to the information or goods (or, e.g., network resources), once the individual has been authenticated, such as through the username and password. The amount of information and the amount of services the individual has access to depends on the individual's authorization level. In computer technology, an “identity” is the unique name of a person, device, or the combination of both that is recognized by a system. Many types of network management systems rely on unique identities to ensure the security of the network and its resources.
FIG. 1(a) illustrates a prior art implementation of an authentication scheme 100. As shown, a user may enter a username 101, a password 102, and assert a confirmation element 103 after doing so. If the username and password are determined to be allowed, the user is allowed access to the information or goods associated with the authentication scheme 100.
A system may also employ “two factor authentication”, also called T-FA or dual factor authentication, when it requires at least two of the authentication form factors mentioned above. This contrasts with traditional password authentication, which requires only one authentication factor (such as knowledge of a password) in order to gain access to a system. Common implementations of two-factor authentication use ‘something you know’ (a password) as one of the two factors, and use either ‘something you have’ (a physical device) or ‘something you are’ (a biometric such as a fingerprint) as the other factor. A common example of T-FA is an ATM card wherein the card itself is the physical “something you have” item, and the personal identification number (PIN) is the “something you know” password that goes with it.
Using more than one factor is also called strong authentication; using just one factor, for example just a static password, is considered by some to be weak authentication.
FIG. 1(b) illustrates a two-factor authorization scheme according to a prior art implementation. In addition to the elements of scheme 100, uploading a security key 104 is also required. This security key may be an encrypted file previously communicated from the source of the information or goods desired to be shared.
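The flow of FIG. 1(b) followed by the authorization step described earlier, as an added example that is not part of the original document. All names, the in-memory user table, and the use of an HMAC tag to stand in for the previously communicated security key file are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed for this example: secret the source uses to mint security-key files.
SERVER_SECRET = os.urandom(32)

def hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so a stolen user table does not directly reveal passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def issue_security_key(username: str) -> bytes:
    # "Something you have": a file bound to one user, sent to that user ahead of time.
    # Assumption: an HMAC tag stands in for the encrypted file of FIG. 1(b).
    return hmac.new(SERVER_SECRET, username.encode(), hashlib.sha256).digest()

def enroll(db: dict, username: str, password: str, level: int) -> bytes:
    salt = os.urandom(16)
    db[username] = {"salt": salt, "pw": hash_password(password, salt), "level": level}
    return issue_security_key(username)

def authenticate(db: dict, username: str, password: str, key_file: bytes) -> bool:
    rec = db.get(username)
    # Unknown users are checked against dummy values so the work done is the same.
    salt = rec["salt"] if rec else b"\0" * 16
    expected = rec["pw"] if rec else b"\0" * 32
    # Both factors are always evaluated, using constant-time comparisons.
    pw_ok = hmac.compare_digest(hash_password(password, salt), expected)
    key_ok = hmac.compare_digest(issue_security_key(username), key_file or b"")
    return rec is not None and pw_ok and key_ok

def authorize(db: dict, username: str, required_level: int) -> bool:
    # Authorization happens only after authentication and depends on the user's level.
    return db[username]["level"] >= required_level

def request_access(db, username, password, key_file, required_level):
    if not authenticate(db, username, password, key_file):
        return "denied: authentication failed"
    if not authorize(db, username, required_level):
        return "denied: insufficient authorization level"
    return "granted"

if __name__ == "__main__":
    users = {}
    key = enroll(users, "alice", "correct horse", level=1)  # constructed sample user
    print(request_access(users, "alice", "correct horse", key, 1))
    print(request_access(users, "alice", "correct horse", b"", 1))
    print(request_access(users, "alice", "correct horse", key, 2))
```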
The challenge for any implementer of an authentication regime is that parties attempting to violate security are routinely finding new and improved methods for detecting and defeating the various authentication techniques. For example, if a user types a password into a form for entering authentication, the violating party may track keystrokes through an intercepting device, or employ a video camera to automatically view the user entering said password into the system.
In another example, a violating party may employ “spoofing”. A spoofing attack is defined as a situation in which one person or program successfully masquerades as another by falsifying data, thereby gaining an illegitimate advantage.
As such, ensuring secure transfer of information or goods becomes more difficult as the violating parties improve their technology for defeating current authentication schemes.