Various methods are used to control users' access to systems, information, and network resources. In general, a typical access-control system performs two primary functions: an authentication function and an authorization function. For example, prior to providing a user access to a resource (e.g., a computing device, an application, or a website), an access-control system may first request authentication-factor information (e.g., a username, a password, a one-time-use password, etc.) from the user that the access-control system can use to positively identify the user. If the identity of the user can be established using the provided authentication-factor information, the access-control system may then determine whether the user has permission to access the resource and, if so, may allow the user to access the resource.
The level of security provided by an access-control system may be affected by the type and quantity of authentication factors that a user must have to be authenticated. Examples of authentication factors that a user may need to be authenticated may include knowledge factors that the user knows (e.g., a username, a password, or a personal identification number), possession factors that the user possesses (e.g., a smartcard or a hardware token or smartphone that generates one-time-use passwords), and inherence factors that are part of the user (e.g., a biometric characteristic of the user such as a fingerprint). To increase the level of security provided by its access-control systems, many enterprises implement access-control systems that authenticate users using an authentication method, commonly referred to as multi-factor (or two-factor) authentication, that uses two or more types of authentication factors (e.g., both knowledge factors and possession factors).
While multi-factor authentication generally provides greater levels of security, various issues may arise when typical multi-factor authentication methods are implemented. One of the biggest issues that may arise when typical multi-factor authentication methods are implemented is that, if a user loses a possession factor, the user may be unable to be authenticated. Moreover, the user may have limited options for recovering access to his or her accounts that require authentication. In general, standard techniques for resetting knowledge factors, such as resetting via email or other knowledge-factor based authentication techniques, cannot be used to reset a possession factor since using these methods may defeat the purpose of requiring a possession factor in the first place. Some access-control systems may attempt to solve the problem of possession-factor loss by requiring that each user maintain multiple possession factors so that if one possession factor is lost, then one of the others can be used. Unfortunately, this solution may also fail when a user loses all possession factors. The instant disclosure, therefore, identifies and addresses a need for systems and methods for preventing loss of possession factors.
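The point above, that resetting a possession factor through knowledge-factor techniques defeats the purpose of requiring it, can be checked mechanically when reviewing an access-control configuration. The following is an added example, not part of the original disclosure. The authenticator names, the `Path` model, the sample configuration, and the choice to measure strength by the number of distinct factor types are all assumptions made for illustration; email reset is classed as knowledge-based, as the text does.

```python
from dataclasses import dataclass

KNOWLEDGE, POSSESSION, INHERENCE = "knowledge", "possession", "inherence"

# Constructed mapping of authenticators to the factor types named in the text.
FACTOR_TYPE = {
    "password": KNOWLEDGE,
    "security_question": KNOWLEDGE,
    "email_reset_link": KNOWLEDGE,   # treated as knowledge-based, per the text
    "hardware_token": POSSESSION,
    "smartcard": POSSESSION,
    "fingerprint": INHERENCE,
}

@dataclass(frozen=True)
class Path:
    name: str           # hypothetical path label, e.g. "login"
    requires: tuple     # authenticators the user must present on this path
    resets: tuple = ()  # authenticators this path lets the user re-enroll

def factor_types(authenticators):
    return {FACTOR_TYPE[a] for a in authenticators}

def audit(paths, login_name="login"):
    """Flag recovery paths that lower the number of factor types needed to log in."""
    login = next(p for p in paths if p.name == login_name)
    required = factor_types(login.requires)
    findings = []
    for p in paths:
        for target in p.resets:
            # Whoever completes path p obtains `target`, so the login then
            # effectively needs the other login factors plus whatever p demanded.
            effective = (required - {FACTOR_TYPE[target]}) | factor_types(p.requires)
            if len(effective) < len(required):
                findings.append((p.name, target, sorted(effective)))
    return findings

# Constructed sample configuration.
PATHS = [
    Path("login", ("password", "hardware_token")),
    Path("email-reset", ("email_reset_link", "security_question"),
         resets=("hardware_token",)),
    Path("backup-card", ("password", "smartcard"), resets=("hardware_token",)),
]

if __name__ == "__main__":
    for name, target, effective in audit(PATHS):
        print(f"{name}: resetting {target} reduces login to {effective}")
```

The email-based path is flagged because it turns a two-type login into a knowledge-only one, while the backup-smartcard path is not, matching the multiple-possession-factor approach the text describes.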