1. Field of the Invention
The invention relates to computer security systems.
2. Related Art
Security systems which attempt to authenticate a user are based on one or more of three kinds of information: (1) secret information which is shared by the user and the system, such as a password, PIN, or pass phrase; (2) a physical object which is possessed by the user and recognized by the system, such as a physical key, token or active electronic device; and (3) biometric information which is unique to the user and which can be received and authenticated by the system, such as a fingerprint, handwritten signature, retinal scan, or voiceprint. Security systems which use more than one of these factors are considered more secure than those which do not.
Electronic security systems which require a physical token may operate by using a challenge and response system, in which the system issues an electronic challenge to the physical token and in which the user interacts with the physical token to obtain an electronic response. If the response is one which the system associates with the challenge as proper, the physical token is recognized and the security system is able to authenticate the user, at least using the physical factor.
A first problem which has arisen in the art is that such physical tokens are thus required to be "active," that is that they require electrical power to operate and therefore have a limited operational lifetime.
A second problem which has arisen in the art is that known security systems which require such physical tokens operate by first authenticating the user using secret information (such as requiring the user to log in using a password), then execute an application program for security authentication of the physical token. Similarly, known security systems which require biometric information operate by first authenticating the user using secret information, then execute an application program for security authentication of the biometric information. Security systems which allow users to execute application programs before they have been fully authenticated are considered less secure than those which do not.
A third problem which has arisen in the art is that known security systems which require such physical tokens require the user to enter the secret information (such as a password or PIN) to the physical token for the challenge and response. This provides an additional source for authentication error or for exposure of the user's secret information, neither of which would be desirable.
Accordingly, it would be desirable to provide a method and system for providing authentication using two or more factors without allowing the user to execute any application programs before authentication for all factors is complete. It would also be desirable to provide a method and system for providing electronic authentication using a physical token which does not require electrical power to operate. It would also be desirable to provide a method and system for providing electronic authentication using a physical token which does not require the user to enter data or otherwise interact with the physical token. These advantages are achieved in an embodiment of the invention in which the physical token includes a passive storage device and a login service obtains password information from the storage device, so as to simultaneously authenticate the user with both a password and the physical token itself.