1. Field of the Invention
The invention relates generally to user authentication systems used for access control in computer and network security systems, and more particularly to “strong” and “layered” authentication algorithms and security systems that are based on more than one authentication factor and that use more than one communication channel in combination for user authentication.
2. Description of Related Art
In systems allowing remote users, authentication is particularly important, because on-line systems operating under the normal societal presumption that the remote user is who she claims to be are vulnerable to fraud. The lack of appropriate authentication technology in recent years has led to significant financial losses in the financial industry and to a loss of consumer trust in on-line transactions. Thus, privacy and security concerns arising from the lack of appropriate authentication technologies have delayed implementation of e-commerce and of promising on-line information systems in healthcare, education, and other industries.
In recent years, user authentication development has been driven by a combination of social and technological factors. Notable social factors include legislation and regulatory guidance mandating compliance with various on-line security policies, for instance:
1. FFIEC Releases Guidance on Authentication in Internet Banking Environment (http://www.ffiec.gov/press/pr101205.htm) (http://0041b1a.netsolhost.com/FFIEC_FAQ.pdf)
2. U.S. Gramm-Leach-Bliley Act (GLBA) (http://www.ftc.gov/privacy/glbact/glbsub1.htm)
Also, there have been several important technological advances in user authentication technology (SSL, VPN, etc.) and in enterprise software applications (ERP, CRM, etc.):
1. Authentication technology has been recognized as a centerpiece of commercial Identity and Access Management (I&AM) product offerings. I&AM products cover the complete spectrum of Authentication, Authorization, and Administration (AAA) capabilities and, as a result, promote intensive integration of authentication technologies into enterprise security systems.
2. It has been recognized by vendors of authentication (or full-fledged AAA) systems and their customers that combining several authentication factors into a multi-factor “strong” authentication system is the best method for achieving enhanced security.
3. Commercial success and quick adoption of fraud prevention and monitoring, and of risk analysis engines, especially in the financial sector, have led to intensive integration of the complementary capabilities of authentication technology and fraud/risk analysis algorithms (for instance, RSA Security's acquisition of Cyota (http://rsasecurity.com/press_release.asp?doc_id=6410&id=1034), followed later by EMC's acquisition of RSA Security (http://www.rsasecurity.com/press_release.asp?doc_id=7317&id=1034)).
4. It has become quite clear that remote user authentication has to be viewed in the context of more generic Web Services, leading eventually to a federated identity system that allows an on-line user to access the network resources for which the user is authorized with one set of credentials and without re-authentication between connected sessions. This has led to efforts to develop common authentication standards (for instance, the “Liberty Alliance” led by Sun Microsystems, http://www.projectliberty.org, and efforts by Microsoft, IBM, Identrus, and others), to the September 2004 recommendations of the National Institute of Standards and Technology for authentication (Electronic Authentication Guideline; http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V6_3_3.pdf), and to the initiative for Open Authentication (OATH; http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf), which addresses the challenges of standard, open technology.
5. Verisign, RSA Security (the security division of EMC), and other companies have announced publicly available commercial user authentication services, which promote further integration of networking and authentication technologies for both the consumer and the enterprise market.
“Strong” and “layered” authentication systems are based on combinations of two or more factors drawn from three basic types of authentication factors: (1) “what the user knows” factors (PIN or password), (2) “what the user is” factors (various systems utilizing unique biometric traits, such as fingerprint, voice pattern, retina pattern, etc.), and (3) “what the user has” factors (hardware or software token, smart card, etc.). Generally speaking, a “strong” system is built by using two different types of authentication factors, whereas a “layered” system can use two different authentication factors of the same type. Hence, these security systems may use a PIN or password as one authentication factor and a hardware token as another, or any combination of two or more factors, such as two passwords, or one biometric factor and a hardware token. However, the choice of factors is based on optimizing three requirements: high usability, low Total Cost of Ownership (TCO), and high security. Certainly, having two passwords is not an attractive option for many customers, as users have trouble remembering just one, though TCO and security requirements may speak for this option. A combination of a biometric device and a hardware token is obviously rejected because of its high TCO and the high usability requirement. A similar optimization is applied to every other possible combination of factors, leaving the current leading techniques: PIN+card, PIN+token, or PIN+biometric device. One should be careful when comparing the influence of the human factor on the security of each authentication factor. As a matter of fact, users who forget their passwords, easily disclose them to intruders, or have difficulties using passwords may just as easily forget or lose tokens, break them, feel uncomfortable carrying or using tokens all the time, keep tokens in unsafe locations, etc.
In other words, the user, as the weakest link in user authentication technology, can mishandle any authentication factor with comparable ease. Hence, usability, TCO, security, and possible additional requirements (such as availability of electronic deployment, availability of user on-line self-service, ease of administration, etc.), considered together, constitute the only comprehensive optimization analysis that should be applied when comparing “strong” and “layered” authentication solutions.
Traditional hardware-based authentication devices like tokens, smart cards, or biometric devices typically provide quite high security. The issues with their practical use as components of “strong” and “layered” authentication systems lie in their relatively high manufacturing cost, the cost and time of deployment, and the cost and inconvenience of ongoing administration. Certainly, PIN- or password-based solutions look much more attractive in these respects.
Meanwhile, mobile devices like phones, PDAs, pagers, etc. have swept worldwide markets in the last decade. This phenomenal spread of mobile devices, which far exceeds that of tokens, smart cards, or biometric devices, has drawn the attention of security experts, who are devising approaches to use these devices as another hardware-based user authentication factor. Indeed, account holders in mobile device networks are already verified and identified so that their legal and financial responsibilities can be enforced. Security system manufacturers and vendors, security service providers, and eventually the enterprise customers of these security systems do not need to bear the manufacturing, distribution, and administrative costs of mobile devices; all of that is taken care of by the wireless carriers and service providers and by the mobile account owners. Moreover, a mobile phone can also be used as a hardware-based biometric authentication factor, delivering the user's voice pattern, and as a hardware-based geographic location identification and verification factor (see, for instance, Inoue, U.S. Pat. No. 6,973,068; Dacosta, U.S. Pat. No. 6,978,023; Inoue, U.S. Pat. No. 6,167,513; Multerer, U.S. Pat. No. 6,134,658; Sollee, U.S. Pat. No. 6,101,380; Bales, U.S. Pat. No. 5,781,863). These capabilities, which allow several user authentication factors to be integrated in one hardware device, make mobile phones attractive as the hardware-based component of a multi-factor, “strong” and “layered” user authentication system.
It is apparent that there are limitations in using mobile devices for user authentication purposes, as they do not yet have global reach: there are locations in which communication is unavailable or somewhat hampered. There is also the possibility that spam, viruses, worms, malware, and spyware can reach mobile devices, especially given the obvious trend of integrating wireless telephony, Internet, e-mail, and SMS (Short Message Service) protocols and developing new networking applications for mobile devices. However, for the reasons presented above, as well as the continuous improvement of mobile services and technologies and the significant investment coming into the wireless market, the temptation to use mobile devices either as a stand-alone user authentication factor or in combination with other authentication factors (multi-factor, “strong” and “layered” authentication systems) is quite high, and practical security system deployments embracing mobile devices have been announced in different countries.
Along with using a mobile device as a user authentication factor, a new authentication technology came into being under the name One Time PIN (or Password), OTP. There are numerous practical architectures utilizing this technology. Several key known schemes are as follows:
1. SMS payment security is a service that adds an additional layer of security by using the Short Message Service (SMS) as part of completing bill payments and funds transfers to other people. The SMS payment security service first identifies the customer by her internet banking login and password, and then by the OTP, a one-time SMS code. The service works by sending a randomly generated, one-time-only OTP code via SMS to the user's mobile phone while an on-line payment is being completed. The user then enters this unique code into the payment confirmation screen, within a short allowable period of time, to complete the payment.
2. The user enters a user name and password (or PIN) into a browser or another login screen and then receives an SMS message with an OTP, which is expected to be entered into the login screen to complete the two-factor user authentication login process. There is a modified approach in which the user enters only a user name into the browser or other login screen and then receives an SMS message with an OTP, which is expected to be entered into the login screen together with the user's PIN to complete the two-factor login process.
3. A server-generated OTP (in this case a One Time Phone number) is presented on the user's login screen. The user then calls this number from her mobile phone, whose number was previously registered. The server, by verifying that the call came from the registered number, can be confident that the user is the account holder.
The first scheme is basically a regular login into the user's account, followed by authorization of a particular transaction by the user (the account holder) through successful performance of a user authentication step with an OTP sent through SMS to the user's mobile phone and entered through the payment screen for delivery to the financial institution. It gives the financial institution assurance and irrefutable (non-repudiation) evidence that it was the account holder who authorized the transaction, and it gives the user assurance that nobody else can perform a transaction in this account without having the authentication credentials.
Security expert Bruce Schneier noted in 2005 (http://www.schneier.com/blog/archives/2005/03/the_failure_of.html; http://www.schneier.com/blog/archives/2005/04/more_on_twofact.html) that multi-factor login authentication, though useful as an additional security filter, does not address piggybacking by an intruder performing a Man-in-the-Middle (MITM) attack. In other words, the intruder is not after the authentication credentials, but rather waits on the line between the user and the financial institution, humbly and quietly allowing the authentication protocol messages to be exchanged until the user is authenticated. Then the intruder can take over the session by cutting off the user and, for example, making additional transactions such as disastrous money transfers. Hence, the first scheme counters a MITM attack through a user authentication step (which need not use a mobile device) that is bound to each particular transaction, provided the OTP message shows the user the transaction details so that an altered transaction is not blindly confirmed. The second scheme differs from the first only in that the authentication step involving the OTP is requested during the user login process that gives access to the user's account. The third scheme looks less practical for user authentication, since it requires a large pool of available phone numbers for a consumer-level implementation and is less convenient for the user, who is asked to make a call.
Usability and TCO make mobile devices look quite attractive as hardware-based user authentication factors in security systems for the consumer market. That is why more attention is required to assess security of using mobile devices in various multi-factor “strong” and “layered” user authentication systems. There is a scheme in which the on-line account holder enters her user name into the login screen and then gets an SMS carrying an OTP on her mobile device to be entered into the same login screen to complete the authentication process. It is similar to scheme 2 discussed above but without a static password or PIN that the user is supposed to remember and enter first. Clearly, it is a very risky proposition because, if the mobile device is lost, stolen, or left anywhere, it will immediately put the account holder in danger.
A variation of this scheme is that the user gets an SMS carrying an OTP on her mobile device and then, instead of entering the OTP into the login screen, initiates another SMS message to the financial institution's back office transmitting the very same OTP and presenting the back office with the user's mobile phone caller ID. This split of the authentication session into several SMS communication sessions somewhat improves security, as intercepting the OTP sent to the user on the communication lines is not sufficient to let an intruder log in to the user's account without having the actual mobile device. Nevertheless, user authentication based only on ownership of a mobile device provides insufficient security protection. Adding a PIN or password to this scheme is a natural enhancement, converting it into a two-factor “strong” user authentication system with one “what the user knows” authentication factor (PIN/password) and one “what the user has” authentication factor (mobile phone). Indeed, adding a PIN or password certainly improves security, and it is not at odds with the user experience, nor does it bring a prohibitive cost increase.
At the same time, such a two-factor “strong” authentication system based on a PIN/password and ownership of a mobile device is still quite vulnerable to conventional intrusion techniques. There are numerous known attacks against the PIN/password authentication factor: brute force, Trojan horses, key-logging software, phishing, “shoulder surfing”, social engineering attacks, etc. Stealing a user's mobile device, or attempting unauthorized use of it, is no less conventional and accessible a technique. Therefore, mechanically combining two independent user authentication technologies, though it does increase the amount of effort an intruder needs to obtain the authentication credentials, does not make obtaining them more challenging technologically.
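The following is an added example, not part of the patent text, that models on the server side two of the SMS OTP schemes described above: scheme 1, the transaction-bound OTP entered in the browser (the point made in the discussion of MITM attacks), and the reply-by-SMS variant in which the back office checks the OTP together with the caller ID of the registered phone. The 6-digit code length, the 120-second validity window, the 3-attempt limit, the account and phone values, and the in-memory list standing in for the SMS channel are all assumptions made for this example.

```python
"""Added example, not part of the patent text: a minimal in-memory model of
two of the SMS one-time-password (OTP) schemes discussed above.

Scheme 1 (transaction-bound OTP, entered in the browser): the server issues
the OTP for one specific payment and records that binding, so a session
hijacker who substitutes a different transaction cannot reuse the user's
confirmation.

Reply-by-SMS variant: the user sends the OTP back from the registered phone;
the server checks both the code and the originating number, so an OTP
intercepted in transit is useless without the device.

The code length, validity window, attempt limit and the SMS transport (a
plain list) are assumptions made for this example.
"""
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 6            # assumed
OTP_TTL_SECONDS = 120     # assumed "short allowable period"
MAX_ATTEMPTS = 3          # assumed; limits online guessing of a 6-digit code


def transaction_fingerprint(account, amount_cents, payee):
    """Canonical digest of the transaction that the OTP authorizes."""
    return hashlib.sha256(f"{account}|{amount_cents}|{payee}".encode()).hexdigest()


class OtpServer:
    def __init__(self, now=time.time):
        self.now = now
        self.phones = {}     # account -> registered mobile number
        self.pending = {}    # account -> {"otp", "fp", "expires", "attempts"}
        self.sent_sms = []   # simulated SMS channel: (to_number, text)

    def register_phone(self, account, number):
        self.phones[account] = number

    def start_transaction(self, account, amount_cents, payee):
        """Generate a fresh OTP bound to this transaction and 'send' it by SMS."""
        otp = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self.pending[account] = {
            "otp": otp,
            "fp": transaction_fingerprint(account, amount_cents, payee),
            "expires": self.now() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        # Showing the amount and payee in the SMS lets the user notice a
        # transaction that a man-in-the-middle has altered.
        text = f"Code {otp} to pay {amount_cents / 100:.2f} to {payee}"
        self.sent_sms.append((self.phones[account], text))
        return otp  # returned only so the caller can simulate the user reading the SMS

    def _check(self, account, otp, fp):
        p = self.pending.get(account)
        if p is None:
            return False
        if self.now() > p["expires"]:
            del self.pending[account]
            return False
        # Constant-time comparison of both values; evaluate both before
        # combining so timing does not reveal which one was wrong.
        otp_ok = hmac.compare_digest(p["otp"].encode(), str(otp).encode())
        fp_ok = hmac.compare_digest(p["fp"].encode(), fp.encode())
        ok = otp_ok and fp_ok
        p["attempts"] += 1
        if ok or p["attempts"] >= MAX_ATTEMPTS:
            del self.pending[account]   # single use, or too many failed guesses
        return ok

    def confirm_via_browser(self, account, otp, amount_cents, payee):
        """Scheme 1: OTP typed into the payment confirmation screen together
        with the transaction the browser session is now trying to execute."""
        return self._check(account, otp, transaction_fingerprint(account, amount_cents, payee))

    def confirm_via_sms(self, account, from_number, otp):
        """Reply-by-SMS variant: the OTP arrives from the user's phone, and the
        originating number must be the one registered for the account."""
        p = self.pending.get(account)
        if p is None or from_number != self.phones.get(account):
            return False
        return self._check(account, otp, p["fp"])


if __name__ == "__main__":
    server = OtpServer()
    server.register_phone("alice", "+15551230000")   # constructed sample data
    code = server.start_transaction("alice", 12500, "ACME Utilities")
    # A hijacked browser session submits a different payee with the genuine code.
    print("altered transaction accepted:", server.confirm_via_browser("alice", code, 12500, "Mallory"))
    print("original transaction accepted:", server.confirm_via_browser("alice", code, 12500, "ACME Utilities"))
```

Two design points carry the security argument. First, the OTP is not merely "a code the user typed"; it is checked against a digest of the transaction the session is actually trying to execute, so the hijacker's substituted transfer is rejected even though the code itself is genuine, and the SMS text shows the amount and payee so that the user can refuse to confirm an altered transaction. Second, the reply-by-SMS path rejects a correct code that does not arrive from the registered number, which is what makes mere interception insufficient; a practitioner should remember that an SMS originating number can be spoofed and that a SIM swap moves the number to the attacker, so this check proves possession of the number rather than of the physical device. The single-use rule, the expiry and the attempt limit are the usual guards against replay and online guessing of a short numeric code.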
Representative prior art authentication technologies are described in Engberg, U.S. Pat. No. 6,993,658; Katz, U.S. 2003/0061503; Ehlers, U.S. 2003/0172272; Bravo, U.S. 2002/0177433; Sormunen, U.S. Pat. No. 6,112,078.
Accordingly, what is needed is a multi-factor “strong” user authentication system and method that offers more than one communication channel for a user's authentication session (such as browser and mobile phone, or browser and e-mail, etc.) while enhancing the security of OTP technology by mitigating possible channel intrusion or preemption.
What is also needed is a multi-factor “strong” user authentication system and method that offers more than one communication channel for a user's authentication session (such as browser and mobile phone, or browser and e-mail, etc.) while enhancing the security of PIN/password technology by mitigating possible entropy leakage (or complete entropy loss) of this authentication credential to an intruder during one or several login sessions.
Also, what is yet needed is a multi-factor “strong” user authentication system and method that offers more than one communication channel for a user's authentication session (such as browser and mobile phone, or browser and e-mail, etc.) while enhancing the security of OTP and PIN/password technologies against intrusion attacks by integrating these technologies together and cutting off conventional techniques of attacking authentication credentials.