At a basic level, “something-you-know” authentication techniques ask a user to create some secret randomness to remember, and subsequently require the user to provide and/or input that randomness on demand to authenticate successfully. Common examples of “something-you-know” authentication schemes include passwords, personal identification numbers (PINs), life questions, and the like. Unfortunately, within such schemes humans are generally unable and/or unwilling to generate and recall randomness of sufficient complexity to avoid common security vulnerabilities.
Beyond the use of passwords or PINs that lack moderate or significant entropy, further attack vectors arise when authentication can be observed while in progress, or when evidence of the authentication remains for later analysis. For example, the practice commonly known as shoulder-surfing exploits how easily a user's authentication input can be replayed by an attacker who watches the user provide it: if keystrokes are easily visible, an attacker can potentially replay the same keystrokes in the same order to defeat the authentication scheme. Attacks based on evidence of authentication have become increasingly prevalent with touchscreen-based devices, where, for example, residue left behind by a user's finger may provide hints as to the interaction required with the device to authenticate.
Accordingly, a need exists for providing a secure authentication scheme while maintaining an ease-of-use aspect.