Access to confidential and proprietary areas is often controlled by electronic access systems. Electronic access systems are typically required to access a network, network resources (e.g., servers, modems, etc.), software applications running on servers, Internet or World Wide Web pages, databases, files, or other electronic data. Electronic access systems are particularly important for individual or networked computers that store confidential information.
Other electronic authorization systems have been developed to authenticate human users, generally by means of personal passwords. However, these electronic access systems provide only a limited level of security, since they rely solely on authenticating a user account identifier and password and thereby provide only one level of such security. An unauthorized user who obtains an authorized user's password and account identifier can thereby inappropriately access the system.
An ideal electronic access system performs user authentication, rather than simply machine or system authentication. In other words, such an electronic access system authenticates individuals or users who may access the system, rather than a system that has been pre-programmed with access information (e.g., running a "script" to permit access). Such an electronic authorization system, to maintain security, must ensure that only authorized users are allowed access to the system.
Certain personal authentication systems are available, such as fingerprint identifiers, retinal scan devices, etc. Such personal authentication systems, however, are typically very expensive and inapplicable to many environments. For example, such fingerprint or retinal scan identification devices are difficult or expensive to employ in a large network of computers, including a network where users may access the network from various geographic locations (e.g., via standard phone lines using a modem and laptop computer).
A lower-cost system employs secure identification (ID) cards within a personal authentication system. Such a personal authentication system requires use of a physical card having an algorithm that generates a random code at predetermined intervals (e.g., every 10 seconds). A server computer (or "server") employs the same algorithm to generate the same code at the same predetermined interval. Aspects of the generated code are unique to the card; thus, a user must possess the card to obtain authentication by the server. However, if the card is lost or damaged, the user cannot be authenticated. Additionally, an unauthorized user could simply obtain the card and thereby gain access to the system. Furthermore, the card requires a battery to energize its internal circuitry; the card therefore has a limited life, after which a new battery must be inserted.
Another personal authentication system employs a software solution known as "Softkey." In the Softkey system, a server presents a challenge to the user, to which the user must respond, typically by means of a client computer (or "client") coupled to the server. When a user initially logs into the server, the server, for example, selects eight words from a table of words, where each word has four to eight characters. The user must then type in each of the eight words. As a result, the user must type 24 to 64 characters in response to the server's challenge. The server generates the same eight words and compares the eight words it receives from the client to those generated locally. If the two match, the user is authenticated.
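The card-based system and the Softkey system described in the two preceding paragraphs share one structure: a client-side artifact and the server each derive the same value from a shared secret and a moving input (the current time interval for the card, a per-login challenge for Softkey), and the server compares what it receives against what it computed locally. The following is an added example, not part of the patent text, that models both derivations in Python. It assumes a keyed hash (HMAC-SHA256) as the shared "algorithm", which the text does not specify; the shared secret, the word table, and the session number used to select the eight Softkey words are all constructed for illustration. The server-side checks also show two details a practitioner would want: a small clock-skew window for the interval code and a constant-time comparison of the response.

```python
# Added example (not from the patent text): a time-synchronized one-time
# code and a word-list challenge, both derived from a shared secret.
import hashlib
import hmac
import struct

# Constructed shared secret and word table for illustration only.
SHARED_SECRET = b"example-shared-secret-not-real"
WORD_TABLE = [
    "anchor", "bright", "cactus", "dolphin", "eagle", "forest",
    "garnet", "harbor", "island", "jungle", "kettle", "lantern",
    "meadow", "nectar", "orbit", "pillar", "quartz", "ripple",
    "saddle", "timber", "umbra", "velvet", "willow", "zephyr",
]
INTERVAL_SECONDS = 10  # the "every 10 seconds" interval named in the text


def _keyed_digest(secret: bytes, counter: int) -> bytes:
    """HMAC-SHA256 of a big-endian 64-bit counter under the shared secret.

    Assumption: the text names no algorithm; an HMAC keyed by a per-card
    (or per-user) secret is the standard way to build such a derivation.
    """
    return hmac.new(secret, struct.pack(">Q", counter), hashlib.sha256).digest()


def interval_code(secret: bytes, now: float,
                  interval: int = INTERVAL_SECONDS, digits: int = 6) -> str:
    """Code displayed by the card (and recomputed by the server) for the
    interval that contains the time `now` (seconds since the epoch)."""
    counter = int(now) // interval
    digest = _keyed_digest(secret, counter)
    # Dynamic truncation: 4 bytes taken at an offset chosen by the last nibble.
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def verify_interval_code(secret: bytes, submitted: str, now: float,
                         interval: int = INTERVAL_SECONDS, skew: int = 1) -> bool:
    """Server-side check of a card code. Accepts the current interval plus
    `skew` neighbouring intervals on either side to tolerate clock drift."""
    base = int(now) // interval
    for counter in range(base - skew, base + skew + 1):
        expected = interval_code(secret, counter * interval, interval)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def challenge_words(secret: bytes, session_id: int, count: int = 8) -> list:
    """Softkey-style challenge: select `count` words from WORD_TABLE.

    Assumption: the text does not say how both sides arrive at the same
    eight words; here each side derives them from the shared secret and a
    per-login session number, so the selection itself never crosses the wire.
    """
    words = []
    for i in range(count):
        digest = _keyed_digest(secret, (session_id << 8) | i)
        index = int.from_bytes(digest[:4], "big") % len(WORD_TABLE)
        words.append(WORD_TABLE[index])
    return words


def verify_word_response(secret: bytes, session_id: int,
                         typed_response: str, count: int = 8) -> bool:
    """Server side: regenerate the eight words locally and compare them with
    what the client typed (whitespace-normalized, constant-time compare)."""
    expected = " ".join(challenge_words(secret, session_id, count))
    normalized = " ".join(typed_response.split()).lower()
    return hmac.compare_digest(expected, normalized)


if __name__ == "__main__":
    # Card side and server side agree on the code for the same 10-second slot.
    now = 1_000_000.0
    code = interval_code(SHARED_SECRET, now)
    print("card code:", code, "accepted:",
          verify_interval_code(SHARED_SECRET, code, now))
    # Softkey side: the user types the eight words the server expects.
    words = challenge_words(SHARED_SECRET, session_id=42)
    print("challenge:", " ".join(words), "chars typed:", len("".join(words)))
    print("accepted:", verify_word_response(SHARED_SECRET, 42, " ".join(words)))
```

Note that `verify_interval_code` is where the card system's reliance on possession shows up: anyone holding the secret (the card) can produce an accepted code, which is exactly the lost-or-stolen-card weakness the text describes. The word challenge illustrates the Softkey cost the next paragraph raises: even with four- to eight-character words, eight of them is a substantial number of keystrokes per login.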
One problem with the Softkey system is that the user must correctly enter the eight words, requiring up to 64 keystrokes. Such a response can be time consuming and tedious for non-touch typists. Additionally, the Softkey system suffers from further limitations that make it insufficiently robust for protecting highly confidential information on a computer network or in other suitable environments.