Web applications are computer applications which are accessed by users via a Web browser over a network such as the Internet or an intranet. Often, it is desired to limit or restrict access to a Web application to only valid or registered users. To prevent access to such user-restricted Web applications by unknown or invalid users, users are typically required to login via a Web interface using an associated user ID and user password which provide authentication of the user.
For many reasons, password-based user authentication is the most common means of authentication on the Web. For example, passwords are familiar to users, are easy to use, require no distribution of hardware (e.g., hardware tokens, SSL/TLS client certificates), and require no pre-existing IT infrastructure (e.g., a certification authority that issues and revokes client certificates or a server that validates time-dependent passcodes). A password can be securely transmitted from a Web browser to a Web server using SSL/TLS protocol (Secure Sockets Layer/Transport Layer Security), which provides an encrypted connection after authenticating the server.
However, passwords also have drawbacks. First, for example, passwords have a poor reputation among security professionals as being susceptible to being guessed by an online attacker because they generally have low entropy (i.e., low degree of randomness), and because they are often reused by users at multiple Web sites. Second, users can be locked out (i.e., the user is not allowed to login) from their accounts with Web applications by forgetting their password (or another component of the user's login credential, such as a user ID), or by a security mechanism that limits a number of incorrect password attempts that can be made against the password of a user account, which may occur if the user repeatedly mistypes or forgets his/her password or if an attacker attempts to gain access to the user's account.
To address the user lock-out problem, many Web sites and Web applications employ “security questions” as an alternative login mechanism. According to such techniques, when a user creates his/her user account, the user chooses one or more questions, the answers to which the user is unlikely to forget. Later, if the user cannot log in, the user is allowed to authenticate himself/herself by answering the security questions.
However, employing a single security question whose answer is publicly known information, such as the traditional “mother's maiden name” question, essentially amounts to a security hole. Even a single question whose answer is not public information is insecure since the answer is generally low entropy, often being a single word found in a dictionary and whose range is further restricted by the question itself. Even multiple security questions may provide less entropy than a password. Furthermore, it is still possible that a user will forget an answer to a security question or repeatedly mistype an answer and, thus, remain locked out of his/her account.
Another technique to address the lock-out problem, which was developed by IT organizations long before the existence of the Web, is to have the user contact an administrator or help desk when he/she is locked out. Upon being contacted, the IT organization resets the user's password to a temporary password that the user can later change to a password known only to the user. Such a solution relies on the availability of a confidential, “out-of-band” communications channel via which the IT organization can communicate the temporary password to the user. Such a channel may be, for example, an internal e-mail deemed to be confidential, a telephone conversation, or a face-to-face meeting, for instance. However, such a technique is rarely employed on the Web because there is generally no such confidential, out-of-band communication channel between an administrator and a user.