Maintaining secure logon practices is critical to many web sites and applications, including financial, business and governmental web sites. A common way that an end user is authenticated prior to accessing a web site (or application) is by the end user providing a password to the web site, where software that executes on the web site authenticates the password so provided before granting the end user access to the web site. However, because passwords may be lost or compromised, a second method (i.e., a second level) of authentication is sometimes used. This second method may involve providing personal information that is typically in the end user's sole possession, such as a mother's maiden name, or a one-time password generated by a token device. Typically, these backup authentication methods are employed when an existing customer uses a new device, such as a PC, tablet, or smartphone, to access the secure web site or application. In financial services, backup authentication methods are sometimes employed to further authenticate risky transactions, such as the transfer of large sums of money or wire transfers.
The “two-factor” authentication method described above, however, has become less secure, because hackers may be able to obtain user IDs and passwords using malware, and may also be able to obtain an end user's personal information, such as a mother's maiden name or birth date, using social media and other tools. One way to make two-factor authentication more secure is to employ a “one-time use” token (e.g., a password) as the second-level authentication method, but the devices that generate one-time use tokens are typically expensive, so consumers are reluctant to use them. The one-time use token may instead be delivered via SMS, but without validation of the delivery end point it could be delivered to an unintended address, or redirected to a hacker's address. The use of such tokens also requires the entry of additional data by the end user, which tends to further reduce the potential adoption rate of one-time use tokens.
Another authentication method that has been adopted to determine whether user credentials are being improperly used involves identifying the device that is being used for the logon. One approach currently in use is referred to as “device reputation.” With this approach, software on the device being used for logging on creates a “device fingerprint,” which is composed from the software and operating system configuration of the device. When an end user registers with an authentication service, the device fingerprint is generated upon registration and stored by the authentication service; during each attempted logon to the end user's account, the stored device fingerprint is compared with a device fingerprint generated by the user's device at the time of the logon attempt. However, while this approach has some value, it is not particularly reliable, because software configurations often change. Further, the device reputation approach is not entirely secure, because the device fingerprint can be copied.
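As an added illustration that is not part of the original text, the following Python models the device-reputation check just described: a fingerprint hashed from a device configuration, the exact comparison the approach relies on, and the two weaknesses noted above (a routine configuration change breaks the match, and a copied fingerprint value still passes). It also includes an attribute-level similarity score, a tolerance variant that goes beyond what the text describes; all field names and values are constructed.

```python
import hashlib
import json

# Constructed sample of the attributes a client might collect from its
# software and OS configuration (hypothetical field names and values).
REGISTERED_CONFIG = {
    "os": "Windows 10",
    "os_build": "19045",
    "browser": "Firefox",
    "browser_version": "115.0",
    "screen": "1920x1080",
    "timezone": "America/New_York",
    "plugins": ["pdf-viewer", "widevine"],
}


def device_fingerprint(config: dict) -> str:
    """Hash a canonical serialisation of the configuration into one opaque value."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def exact_match(stored_fp: str, presented_fp: str) -> bool:
    """The check described in the text: stored fingerprint must equal the one presented at logon."""
    return stored_fp == presented_fp


def attribute_similarity(stored: dict, presented: dict) -> float:
    """Fraction of attributes that agree (tolerance variant; an assumption, not the page's method)."""
    keys = set(stored) | set(presented)
    agreeing = sum(1 for k in keys if stored.get(k) == presented.get(k))
    return agreeing / len(keys)


def demo():
    stored_fp = device_fingerprint(REGISTERED_CONFIG)  # stored by the service at registration
    # Same device after a routine browser update: the exact comparison now fails.
    updated = dict(REGISTERED_CONFIG, browser_version="116.0")
    still_matches_after_update = exact_match(stored_fp, device_fingerprint(updated))
    # Per-attribute scoring still recognises the device (6 of 7 attributes unchanged).
    score = attribute_similarity(REGISTERED_CONFIG, updated)
    # A copied fingerprint value presented from any other machine passes the exact
    # check, because the hash carries no binding to the hardware it came from.
    copied_value_passes = exact_match(stored_fp, stored_fp)
    return still_matches_after_update, score, copied_value_passes


if __name__ == "__main__":
    print(demo())
```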