Strong user authentication is achieved through the simultaneous presentation of multiple authentication factors, classically defined as: (1) something you know, (2) something you have, and (3) something you are. Most e-commerce today relies on weak, single-factor authentication: a password (something you know). Because password-stealing attacks on the Internet are increasing, wider adoption of two-factor authentication is desirable.
However, two-factor authentication has been difficult to deploy, because it has traditionally required either (a) distributing new hardware to the user, such as a key fob or a smart card and reader, or (b) installing new software or credentials on the user's computer, such as a client certificate and its private key, or both. Its use has therefore been limited to a relatively small number of very high-value relationships and transactions.
Individuals must present credentials to demonstrate that they are who they claim to be. These credentials are varied, and fall into three types, often referred to as authentication factors:
1. Information (“Something You Know”)
Password, passphrase, PIN, zip code, phone number, Social Security number, account number, mother's maiden name, recent transactions, credit history, etc.
2. Object (“Something You Have”)
Credit card, driver's license, ID card, passport, ticket, paper certificate, smart card, contactless card or key fob, dynamic password generator, phone, PDA, computer, peripheral, etc.
3. Person (“Something You Are”)
There is only one instance of a person, but there are numerous ways to measure a person: photograph, signature, fingerprint, retinal scan, hand geometry, facial geometry, voiceprint, DNA analysis, etc.
Because individual credentials can be stolen or counterfeited, security can be increased by using multiple credentials. Multiple credentials of the same type add less security than credentials of different types, because they can often be misappropriated at the same time and in the same way. (For instance, if an attacker steals your wallet, he gets your driver's license and your credit cards together.) Credentials of different types, by contrast, must generally be stolen using different types of attack, so the simultaneous use of different types of credentials, "multi-factor" authentication, increases the strength of an authentication. (For instance, an attacker might steal your wallet and obtain your ATM card, but would not have your PIN. Or an attacker might surreptitiously observe you entering your PIN, but would not have physical possession of your ATM card.)
In face-to-face interactions, credentials of all three types can be directly inspected. In remote interactions such as those conducted over the Internet, however, credentials that are objects or persons cannot be directly inspected, so their presence and authenticity must be verified indirectly. Typically this is done by reading some unique data stored on the object (such as the data encoded on a magnetic-stripe card) or by taking a measurement of the object or person (such as a fingerprint). Any such data can be captured in transit and replayed by an attacker, so some systems instead use dynamic data (a value that changes on every use) or a cryptographic challenge-response, in which the verifier sends a fresh random challenge and the object proves possession of a secret by computing a response over that challenge.
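The contrast drawn above, between replaying captured static object data and a challenge-response that defeats replay, as an added illustration that is not part of the original text. The class and function names, the message format (HMAC-SHA256 over a 16-byte single-use nonce), the enrolled secret and the sample track data are all assumptions constructed for this example; it goes slightly beyond the text by also showing that a counterfeit token without the enrolled secret is rejected.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret, assumed to have been provisioned into the user's
# token at enrolment (illustrative value only, not from the original text).
ENROLLED_SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2)


class StaticCredentialServer:
    """Verifier for static object data (e.g. magnetic-stripe contents).
    Anyone who has captured the data once can present it again."""

    def __init__(self, stored_data: bytes):
        self._stored = stored_data

    def verify(self, presented: bytes) -> bool:
        return hmac.compare_digest(self._stored, presented)


class ChallengeResponseServer:
    """Verifier that issues a fresh single-use nonce per authentication and
    expects HMAC-SHA256(secret, nonce) back from the object."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._pending = set()   # nonces issued but not yet consumed

    def issue_challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        # Consume the nonce first so a second presentation of the same
        # (nonce, response) pair can never succeed: this is what defeats replay.
        if nonce not in self._pending:
            return False
        self._pending.discard(nonce)
        expected = hmac.new(self._secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class Token:
    """The 'something you have': holds the secret and answers challenges."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def respond(self, nonce: bytes) -> bytes:
        return hmac.new(self._secret, nonce, hashlib.sha256).digest()


def run_exchange(server: ChallengeResponseServer, token: Token):
    """One full exchange; returns (nonce, response, accepted)."""
    nonce = server.issue_challenge()
    response = token.respond(nonce)
    return nonce, response, server.verify(nonce, response)


def replay_static(stripe_data: bytes) -> bool:
    """Attacker who captured static data once replays it: accepted."""
    server = StaticCredentialServer(stripe_data)
    captured = bytes(stripe_data)     # what a skimmer would have recorded
    server.verify(captured)           # legitimate use
    return server.verify(captured)    # replay


def replay_challenge_response() -> tuple:
    """Attacker who captured one (nonce, response) pair replays it: rejected."""
    server = ChallengeResponseServer(ENROLLED_SECRET)
    token = Token(ENROLLED_SECRET)
    nonce, response, first = run_exchange(server, token)
    replayed = server.verify(nonce, response)
    return first, replayed


def counterfeit_token_accepted() -> bool:
    """A token lacking the enrolled secret cannot answer the challenge."""
    server = ChallengeResponseServer(ENROLLED_SECRET)
    counterfeit = Token(b"\x00" * 32)
    _, _, accepted = run_exchange(server, counterfeit)
    return accepted


if __name__ == "__main__":
    # Constructed track-2-style string using a well-known test card number.
    print("static data replay accepted:", replay_static(b";4111111111111111=2512101?"))
    print("challenge-response (first, replay):", replay_challenge_response())
    print("counterfeit token accepted:", counterfeit_token_accepted())
```

The essential design choice is that the verifier, not the object, chooses the nonce and discards it on first use; if the object chose it, or the verifier accepted any nonce it had ever issued, a captured exchange would remain valid.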
Systems which utilize objects or persons as authentication factors in remote electronic authentication generally require one or more of the following: (1) new software installed on the user's computer, (2) new hardware—such as a reader—attached to the computer, and/or (3) a hardware token, such as a smart card or a key fob, distributed to the user.
What is needed is a system and method that can perform two-or-more-factor authentication that can be deployed without requiring any software or hardware that the typical Internet user doesn't already possess.