Websites and other online resources typically require authentication before a user is granted access to sensitive information. Conventional forms of user authentication include user identifiers, passwords, personal identification numbers (PINs), and/or token codes.
Some online systems use PIN-based authentication. In these systems, a user registers a PIN with a server and then manually enters the PIN each time the user attempts to log on. The PIN is generally four to eight digits long. The server receives the PIN and admits the user if the PIN matches the registered value for that user.
Some systems use token-code-based authentication. As is known, token codes are multi-digit codes generated by portable devices, such as key fobs, which generate new codes periodically, such as every few seconds. A portable token code device is synchronized with a server so that both generate the same codes at the same times, thereby allowing the token codes to function as temporary passwords. A popular example of this type of device is the SecurID®, which is available from RSA Security Inc. of Bedford, Mass.
Some systems employ multiple authentication factors. A common two-factor scheme requires a user to enter both a PIN and a token code. This approach thus combines something the user knows (the PIN) with something the user holds (the token code). In a typical example, a user enters both a PIN and a token code in a single passcode field of a login screen. The user then submits the entered values to the server, which tests them against expected values to allow or deny access to the user.
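The server-side check described above can be sketched as follows. This is an added example, not part of the original text: an RFC 6238-style HMAC code stands in for the token's proprietary algorithm, and `STEP`, `DIGITS`, the record layout and all function names are assumptions.

```python
import hashlib
import hmac
import struct

STEP = 60    # seconds each token code stays valid (assumed value)
DIGITS = 6   # token code length (assumed value)

def token_code(seed: bytes, t: float) -> str:
    """RFC 6238-style code; a stand-in for the token's proprietary algorithm."""
    counter = struct.pack(">Q", int(t) // STEP)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    val = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(val % 10 ** DIGITS).zfill(DIGITS)

def pin_hash(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

def enroll(pin: str, seed: bytes, salt: bytes) -> dict:
    """Server-side record: the PIN is stored only as a salted hash."""
    return {"seed": seed, "salt": salt, "pin_hash": pin_hash(pin, salt)}

def verify_passcode(passcode: str, record: dict, now: float, drift: int = 1) -> bool:
    """Split the single passcode field into PIN + token code and test both."""
    if not (passcode.isascii() and passcode.isdigit()):
        return False
    pin, code = passcode[:-DIGITS], passcode[-DIGITS:]
    if not 4 <= len(pin) <= 8:          # PIN length range given in the text
        return False
    pin_ok = hmac.compare_digest(pin_hash(pin, record["salt"]), record["pin_hash"])
    code_ok = False
    for k in range(-drift, drift + 1):  # tolerate clock skew between token and server
        expected = token_code(record["seed"], now + k * STEP)
        code_ok |= hmac.compare_digest(code, expected)
    # Both factors are always evaluated, so a failure does not reveal which one was wrong.
    return pin_ok and code_ok

# Constructed sample data
SEED = bytes(range(20))
SALT = b"constructed-salt"
NOW = 1_700_000_000
RECORD = enroll("4821", SEED, SALT)
```
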