Verifying the identity of a person or group of people, referred to as authentication, has many uses in the context of computing. People often have multiple user accounts—accounts in the operating systems of their computing devices, accounts with social networking sites, accounts with online retailers, and so on—that employ some type of authentication before access to the account is granted. In many cases, these accounts are configured to authenticate a user depending on whether the user provides a correct username and password combination. If the user provides a correct username and password, access to account resources is granted. If the user does not provide a correct username and password, access to account resources is denied.
Typically, authentication is performed by one or more of multiple factors. Example factors include: (1) something a user knows (e.g., a password), (2) something a user has (e.g., a physical key, card, bar code, mobile phone or certificate) and (3) something a user is (e.g., a person's physical characteristic such as DNA, iris, hand, skin texture, voice, face, fingerprint, blood vessel patterns, etc.). These three factors are often referred to as knowledge-based, token-based and biometric-based authentication factors, respectively. Demand for multifactor authentication systems that combine one or more of these factors is increasing because they present a higher obstacle to criminals. Such techniques are also becoming easier to implement thanks to the wide availability of mobile phones, PDAs and other such devices.
However, a delicate balance exists between security and disrupting a user's experience. For example, frequent attempts to request authentication can be frustrating to a user. As a result, multifactor authentication should be used judiciously.