The introduction of electronic communications and e-commerce has highlighted the need for security for all forms of data and communications exchange. Hackers and con artists have been able to perpetrate fraud and ID theft by intercepting communications, costing individuals and businesses in the U.S. billions of dollars. In many cases fraud has been executed even when encryption systems are part of the solution architecture. Strong dynamic authentication is needed to ensure non-repudiation of the entity requesting access to sensitive information or executing privileged transactions.
The majority of e-commerce and financial transactions executed online allow simple username and password schemes for authenticating users over a secure protocol. In many e-commerce applications a user's name and password are static (unchanged) for a long period of time. In addition, if an authentication method is not intuitive and non-intrusive for users, businesses and individuals alike will not use it effectively. The most recent vulnerabilities in certain implementations of the Secure Sockets Layer (SSL) protocol demonstrated the high risk to sensitive information protected only by simple username and password schemes in the event the secure protocol is compromised.
Simply providing user credentials, without a method to dynamically change the credential values (such as by providing one-time-use keys), provides an opportunity for capture and unauthorized reuse. This, however, poses a problem: until now, dynamic authentication and session initialization methods have required large overhead and have relied on users protecting their credentials and secrets. Experience has proven that hackers and con artists can easily get users to disclose or share their authentication credentials with simple deception tactics.