Many secure access techniques are known to gain access to secure computer systems, bank accounts, and other processes within a computer or Internet appliance. For example, communication units include Web browsers that may be used to gain access to Web-based information from a Web server and may be coupled via a wireless or non-wireless communication link. Techniques are known to provide per session based authentication between, for example, a user device (i.e., such as a personal computer (PC), Internet appliance, laptop computer, smart card, radio telephone, or any other suitable device) and external system, such as a Web service on the Internet, or to processes within the same device. Cryptographic engines are often used to provide public key-based encryption, decryption, digital signing and signature verification as known in the art, and in such systems public and private key pairs are periodically generated and allow a user to digitally sign information, or decrypt information using private keys.
Session-based single factor authentication techniques are known wherein, for example, a first unit, such as a user device, is asked by a server which may contain, for example, credit card accounts, bank accounts or any other secure information, for the user to enter a user ID and a password to send so that the server can trust the user device. However, some such systems can be vulnerable to attack. For example, an attacker that maliciously obtains a user password can thereafter impersonate that user. Two factor authentication adds another level of security. For example, a server may return an authentication code, such as a random number generated by a random number generator in the server to the user device after the user entered the correct user ID and password. The user device receives and digitally signs the received authentication code using a private signature key located on a smartcard that has been inserted into a smartcard reader at the user device, and returns the digitally signed authentication code over a same channel that was used to originally send the generated authentication code. However, deployment of such schemes is limited based at least on the monetary expense of supporting card readers at user devices.
Other two-factor authentication schemes are known, which do not require a hardware reader at the user device. For example, systems may use smart cards with display screens thereon in the following manner. The user is assigned a user ID and may select a personal identification number to be used as a password. A software routine running in a server such as a Web server or other suitable server, executes a similar routine executed by the smart card to generate a random number (authentication code) every few minutes. Although the smart card randomly generates a number every few minutes and the server randomly generates a random number every few minutes, these devices are typically not in communication with one another. These are two stand alone devices typically. When a user wishes to gain access to the server, the user uses the smart card by entering a PIN into the smart card. If the PIN is accepted, the smart card then displays the random number that it generates on the display device. At the same time the server generates a random number based on the same algorithm so that the numbers are identical. The user then manually enters the displayed number in a keypad or other input device that is coupled to the server. The randomly generated number serves as a second level or second factor authentication code. However, because the two devices are not in communication and suitably synchronized, the server typically allows for a user to use a displayed random number that has previously been displayed as an acceptable number. In other words, there is a window during which time a server will accept more than one random number generated by the smart card. Accordingly, a problem can arise since an unscrupulous party may obtain the displayed number and still gain access to the system since the smart card and server are typically not in communication during a session, and multiple authentication codes can be used to gain access to the system.
Other two factor authentication techniques are known. For example, in some systems, a user is given a user ID and password and is e-mailed authentication information in an out of band communication, such that it is not sent during a session, to allow a user to enroll in a given system. However, the out of band authentication code could be intercepted and is not directly tied into a particular session.
Moreover, information security systems are being developed to allow a user to roam from one device to another. For example, a user profile that includes, for example, private keys such as private decryption keys and private signing keys along with user password information and other cryptographic keys, may be encrypted and stored in a server that is accessible by a user using a plurality of devices. The user profile is then sent to a user but only after an authentication procedure is carried out. Such authentication procedures may typically involve a user using a Web browser through which a user ID and password is entered. However, no other user-specific credentials are typically necessary. As a result, an unscrupulous party may gain access a user's private keys if they are able to obtain a user ID and password such as overlooking a user while a user is entering the information on a keyboard.
Accordingly, there exists a need for an improved authentication method and apparatus that overcomes one or more of the above deficiencies.