In the post-September 11 era, security is becoming more and more critical. An important component of information security is user authentication, the ability of an information system to certify that a user is who she claims to be. Authentication can involve one of two processes: identification or verification. For identification, identifying information from an unknown user must be compared against similar information for all possible users. The best match is returned within a confidence level. For verification, a user identity (entered as a user name, for example) must be compared only against an existing signature (usually a password) stored for that user. While identification is important for database searches, for example to locate a person based on fingerprints left at a crime scene, most information systems implement authentication as verification. A user types in a user name or scans an identification card, then enters a password to verify the identity. Authentication as verification is used both for physical access (for example, to secure areas) and for online access (for example, to log in to a computer terminal).
Secure user authentication requires that users be endowed with credentials which are i) unique for each user, ii) not easily stolen or lost, iii) reasonably affordable and iv) convenient to use. The order above does not indicate the relative importance of the requirements.
It might not be obvious that the four requirements listed above conflict with one another. No single technology has been shown to offer the perfect solution, meeting all four requirements simultaneously. The challenge is compounded by the proliferation of mobile networks, which expose users to an increased volume of external threats. More and more users need to access many more different information systems, often from public or unsecured computers, and sometimes over unsecured network connections. Additionally, users need to access multiple information systems, each with a different authentication mechanism, which increases the number of credentials the user must carry (and the likelihood that some of the credentials will get lost). Finally, as users need to carry an ever larger number of credentials, the cost increases and the convenience decreases.
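
The identification and verification processes described in the opening paragraph, as an added Python example that is not part of the original text. The enrolled templates, the distance-based confidence score and the 0.90 threshold are constructed assumptions, chosen only to show the 1:N search against the 1:1 check.

```python
import math

# Constructed enrollment database: user id -> stored template (feature vector).
ENROLLED = {
    "alice": (0.12, 0.80, 0.33, 0.95),
    "bob":   (0.90, 0.10, 0.45, 0.20),
    "carol": (0.15, 0.75, 0.60, 0.50),
}
THRESHOLD = 0.90  # assumed minimum confidence needed to accept a match


def confidence(sample, template):
    """Map Euclidean distance to a score in (0, 1]; 1.0 is an exact match."""
    return 1.0 / (1.0 + math.dist(sample, template))


def verify(claimed_id, sample, db=ENROLLED, threshold=THRESHOLD):
    """Verification (1:1): compare only against the claimed user's record.

    Returns (accepted, score, comparisons_made).
    """
    template = db.get(claimed_id)
    if template is None:          # unknown user name: reject without matching
        return False, 0.0, 0
    score = confidence(sample, template)
    return score >= threshold, score, 1


def identify(sample, db=ENROLLED, threshold=THRESHOLD):
    """Identification (1:N): compare against every record, keep the best.

    Returns (best_user_or_None, best_score, comparisons_made).
    """
    best_id, best_score, comparisons = None, 0.0, 0
    for user_id, template in db.items():
        comparisons += 1
        score = confidence(sample, template)
        if score > best_score:
            best_id, best_score = user_id, score
    if best_score < threshold:    # best match is still not confident enough
        best_id = None
    return best_id, best_score, comparisons


if __name__ == "__main__":
    probe = (0.13, 0.79, 0.35, 0.94)   # constructed sample close to alice
    print("verify as alice:", verify("alice", probe))
    print("verify as bob:  ", verify("bob", probe))
    print("identify:       ", identify(probe))
```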