Many services use multi-factor authentication to control who may access online user accounts. Under multi-factor authentication, a service requests that users present two (or more) different forms of authentication to establish an identity that is authorized to access their corresponding accounts. For example, the service may request that a user present both a knowledge factor (e.g., knowledge of a previously designated password) and a possession factor (e.g., access to a previously designated object that the user possesses).
Because users may forget the knowledge factor or lose access to the possession factor, online services have developed methods for allowing users to update these factors. In general, the traditional protocol for updating a lost possession factor is the same as the protocol for updating a forgotten knowledge factor. Specifically, the protocol allows users to update the factor if they successfully answer security questions. Unfortunately, this traditional protocol allows users to forgo presenting a possession factor (i.e., possession of the object) by, instead, presenting a knowledge factor (i.e., answers to security questions). Users may thereby circumvent the possession factor, which essentially negates the security added by using a possession factor mechanism. Accordingly, the instant disclosure identifies a need for improved systems and methods for updating possession factor authentication credentials.
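The circumvention described above can be checked mechanically when auditing an account-recovery policy. The following is an added example, not part of the original disclosure: it computes which factor categories are actually needed to reach an account once reset paths are followed. The credential names, the policy format, and the contrast policy with a hypothetical backup_device are assumptions made for illustration.

```python
from itertools import product

# Constructed credential names; each maps to the factor category it proves.
CATEGORY = {
    "password": "knowledge",
    "security_questions": "knowledge",
    "phone_otp": "possession",
    "backup_device": "possession",  # hypothetical, used only in CONTRAST
}

def _minimal(sets):
    """Drop any set that is a strict superset of another."""
    return {s for s in sets if not any(t < s for t in sets)}

def effective_categories(login, recovery):
    """Return the minimal sets of factor categories that reach the account.
    login:    credentials demanded at sign-in
    recovery: credential -> list of proof sets, each of which resets it
    """
    # ways[c] = sets of credentials that, held together, satisfy c
    ways = {c: {frozenset([c])} for c in CATEGORY}
    changed = True
    while changed:  # fixed point: follow reset paths, including chained ones
        changed = False
        for cred, proofs in recovery.items():
            for proof in proofs:
                for combo in product(*(ways[p] for p in proof)):
                    held = frozenset().union(*combo)
                    if held not in ways[cred]:
                        ways[cred].add(held)
                        changed = True
    reach = {frozenset().union(*combo)
             for combo in product(*(ways[c] for c in login))}
    return _minimal({frozenset(CATEGORY[c] for c in held) for held in reach})

def is_downgraded(login, recovery):
    """True if a single factor category is enough to get in."""
    return any(len(cats) < 2 for cats in effective_categories(login, recovery))

LOGIN = ["password", "phone_otp"]
# Traditional protocol from the text: security questions reset either factor.
TRADITIONAL = {"password": [["security_questions"]], "phone_otp": [["security_questions"]]}
# Constructed contrast: the possession reset demands another possession proof.
CONTRAST = {"password": [["security_questions"]], "phone_otp": [["backup_device"]]}

if __name__ == "__main__":
    for name, policy in (("traditional", TRADITIONAL), ("contrast", CONTRAST)):
        print(name, [sorted(c) for c in effective_categories(LOGIN, policy)])
```

For the traditional policy the only minimal set is the knowledge category alone, which is the single-factor collapse the text describes; the contrast policy keeps both categories on every path.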