1. Technical Field
Embodiments of the present invention generally relate to online commerce and social interactions conducted over a communication network such as the Internet and, more particularly, to authentication for secure communications, over the network, between service users and service providers, including secure account access and authorizations.
2. Related Art
Secure communication over the Internet between parties to a transaction (e.g., an online shopper and a merchant website, or a user of a social networking website and the social networking website) often relies on the user registering on the website and then logging in to the website using the familiar combination of a username and a password. The username-password login is one example of what is often referred to as single factor authentication. The factors of authentication typically include: “something you have” (e.g., mobile phone or hardware token), “something you know” (e.g., personal identification number (PIN) or password), and “something you are” (e.g., biometric information). In the online shopper example, an entity (the shopper, referred to as “end-user” or “user”) that wants to assert a particular identity may communicate some authentication information to another entity (the merchant website, referred to as “relying party” or “service provider”) that wants to verify the end-user's identity. Each service provider may provide its own system for login and authentication, so that any particular user may need to register an identifier (e.g., username and password) at every service provider with which the user wishes to maintain an account or identity.
OpenID is an open standard for authentication that allows users to consolidate their digital identities and eliminates the need for service providers to provide their own individual or ad hoc systems. OpenID may provide a user with one login for multiple sites. For example, a user may create accounts with one or more of the user's preferred OpenID identity providers, and then use those accounts as the basis for signing on to any website which accepts OpenID authentication. The OpenID standard provides a framework for the necessary communication between the identity provider and the OpenID relying party. An extension to OpenID—OpenID Attribute Exchange—facilitates the transfer from the OpenID identity provider to the relying party of certain user information, such as name and address, that may be requested by a relying party.
Similarly, OAuth is an open standard for authorization, complementary to, but distinct from, OpenID, that allows users to share private information stored on one site with another site without having to compromise identity credentials. Typically, OAuth supplies a token that grants a specific site access to certain user information for a specified period of time. This allows a user to grant a third party site access to their information stored with another service provider, without sharing their access credentials or the full extent of their data.
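As an added illustration (not part of the original text and not any particular OAuth library), the following Python sketches the delegation pattern described above: an authorization server mints a signed token bound to one client site, a set of user-data scopes and an expiry time, and the resource server refuses any request that falls outside those bounds, so the third party never receives the user's own credentials. The shared secret, claim names and scope strings are constructed for this example.

```python
import base64
import hashlib
import hmac
import json
from typing import Iterable, Optional

# Constructed secret shared by the authorization server and the resource
# server; a hypothetical value for this example only.
SERVER_SECRET = b"example-shared-secret-for-illustration"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(body: str) -> str:
    return hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).hexdigest()


def issue_token(user: str, client: str, scopes: Iterable[str], ttl: int, now: int) -> str:
    """Authorization server: bind the grant to one client, a scope set and a deadline."""
    claims = {"sub": user, "aud": client, "scope": sorted(scopes), "exp": now + ttl}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    return f"{body}.{_sign(body)}"


def verify_token(token: str, client: str, scope: str, now: int) -> Optional[str]:
    """Resource server: return the user the token speaks for, or None if the
    token is forged, expired, meant for another client, or lacks the scope."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    # Constant-time comparison so a forged signature cannot be probed byte by byte.
    if not hmac.compare_digest(sig, _sign(body)):
        return None
    claims = json.loads(_unb64(body))
    if claims["aud"] != client or now >= claims["exp"]:
        return None
    if scope not in claims["scope"]:
        return None
    return claims["sub"]
```

A request for a scope the user never granted (e.g. "email" when only name and address were shared) fails exactly like an expired or mis-addressed token, which is the property the text attributes to OAuth.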
The OpenID protocol does not rely on a central authority to authenticate a user's identity. Moreover, neither service providers nor the OpenID standard mandates a specific approach to authenticating users, which allows for various approaches including username-password, smart cards, or biometrics. OpenID typically, however, uses the familiar username and password authentication, which is prone to a number of disadvantages. For example, a quality password should have many characters, mixing upper-case letters, lower-case letters, punctuation, and special characters, so that it is difficult to compromise. However, a good quality password is often difficult and time-consuming to type and is often forgotten (as various password requirements exist on various sites), and users are advised to use different passwords for different accounts (to further reduce the chance their accounts will be compromised). This is especially true on a mobile device using touch keypads that have various ‘levels’ of keypads for characters beyond the basic alphanumeric set. These difficulties or “friction” perceived on the part of the user, however minor, may lead to certain compromises. For example, many users may be apt to use less than optimal passwords, and to reuse them across accounts, which leaves them vulnerable to many well-known types of attack, such as a dictionary attack (a script that systematically tries out commonly used passwords) or guessing passwords which relate to the user (e.g., name of child, spouse, pet, or important dates).