Generally, security systems employ identity-based authentication schemes to verify the identity of an entity that is allowed access to a physical location or object, in the case of a physical security system, or electronic access to a computer system or data, in the case of a data security system. One goal of such security systems is to accurately determine identity so that an unauthorized party cannot gain access. Security systems can use one or more of several factors, alone or in combination, to authenticate entities. For example, identification systems can be based on something that the entity knows, something the entity is, or something that the entity has.
Examples of something an entity knows are a code word, password, personal identification number (“PIN”) and the like. One exemplary computer-based authentication method involves the communication of a secret that is specific to a particular entity or user. The entity seeking authentication transmits the secret or a value derived from the secret to a verifier, which authenticates the identity of the entity. In a typical implementation, an entity communicates both identifying information (e.g., a user name) and a secret (e.g., a password) to the verifier. The verifier typically possesses records that associate a secret with each entity. If the verifier receives the appropriate secret for the entity, the entity is successfully authenticated. If the verifier does receive the correct secret, the authentication fails.
Examples of something the entity is include characteristics that are unique to people, such as physical, biological, and psychological characteristics (referred to generally here as biological characteristics), such as fingerprints, handwriting, eye retina patterns, and face, body, and organ appearance, size and shape. Suitable biological characteristics typically are not under the control of the person, and are therefore difficult for anyone besides the intended person to present, because, in part, they are difficult to replicate. The verifier typically can observe the characteristic, and compare the characteristic to records that associate the characteristic with the entity. The observation of biological characteristics is referred to generally as biometric measurement.
An example of something an entity possesses is a physical or digital device, referred to generally as a token, that is unique, or relatively unique, to the user. A simple example is a conventional metal key for use in a door. Possession of the door key in effect authenticates the user to the lock and allows entry. Similarly, possession of a token such as a bank card having certain specific physical and electronic characteristics, for example containing a specific identification number that is revealed when the token is accessed in a particular manner, can be this type of factor. A token containing a computing device that performs encryption using an encryption key contained in the device would also be regarded as this type of factor. For example, a token could accept user input, which might include a PIN or a challenge value, and provide as output a result encrypted with a secret encryption key stored in the card. The verifier can then compare the output to an expected value in order to authenticate the entity.
A token might also, or alternatively, use additional input information, such as time, or a counter, for example, such that the result changes over time but is deterministic to an entity that possesses a secret (e.g., a value known only by the token and the verifier), but not predictable by an observer who does not possess the secret. These systems generally perform some computation using a stored secret as input to generate an authentication code that is used to authenticate the entity. Some systems are time-based, in that they use a time-based dynamic variable to calculate a non-predictable authentication code that ultimately authenticates the entity. Here, “non-predictable” means that the authentication code is not predictable by a party that does not know the associated secret, the algorithm for calculating the code, or both.
As will be appreciated, the token over time can encounter errors or faults requiring the token to be sent to an IT professional to be fixed. However, the identification of the error or fault can be a difficult assignment for even the most experienced IT professionals.