Authenticating users before allowing access to websites is crucial. Online services such as banking, bill payment, social networking and e-commerce utilize ever-increasing amounts of personal and financial user data. Identity thieves and other malicious parties use a wide variety of techniques to attempt to gain unauthorized access to the accounts of innocent parties to commit financial fraud, obtain personal information and otherwise harm the interests of legitimate account owners and service providers. Properly authenticating users attempting to access online services (e.g., websites) protects against such fraud, whereas insufficient authentication creates vulnerabilities.
Password authentication, in which the only authentication factor a user needs to provide is a password, is relatively weak. The types of passwords commonly utilized are fairly easy to crack, whereas strong passwords are difficult for users to remember and hence are rarely used at all, or else are written down in accessible locations. These problems are compounded by the number of separate password-authenticated accounts most users need to maintain. Despite this, because password authentication is easy for service providers to implement, it is the current de facto authentication standard on the web. Some service providers attempt to strengthen their user authentication by supplementing the password requirement with challenge questions (e.g., mother's maiden name, zip code, city of birth), but this adds limited protection, as the answers to such questions can be guessed or learned by fraudulent parties relatively easily.
Multifactor authentication is more secure than password-based authentication. In multifactor authentication, the user must present multiple authentication factors of different types to access a service. For example, in two-factor authentication (TFA), a user must provide two or more of three factors: something the user knows (e.g., a password or PIN), something the user has (e.g., a random number generated by a hardware token, a one-time pad, a magnetic stripe card) and something the user is (e.g., a fingerprint or retina scan). Multifactor authentication is much harder to crack than password-only authentication, and is thus critical in providing secure access to websites. Identity proofing, in which users are required to prove that they are who they claim to be before being granted initial access to a service (e.g., given an account or issued authentication credentials in the first place), is also important in this regard. However, these are difficult technologies to build and maintain, and many online service providers do not have the expertise to either build or integrate them into their websites.
It would be desirable to address these issues.