The present invention relates to security authentication, and more specifically to an apparatus and method for two-step authentication.
Authentication between computers occurs on a daily basis. Authentication in many cases helps entities confirm their identity to gain access to information. For example, an entity, such as a user of a computer or software running on the computer, may communicate with another computer to confirm the identity of one or more of the communicating entities, including the user, the software, the computer, or the other computer, or a combination thereof. In this way, entities can operate with a degree of certainty that communications are from whom the communication claims to be. One type of authentication system prevalent in and outside the Internet utilizes password-only authentication with a username/password combination. Authentication transactions such as these are nearly ubiquitous in network communications.
However, there are also those who try to attack or impersonate other entities to gain access that would otherwise be denied. These type of attacks also occur on a daily basis, and often times include attempts on popular websites (e.g., gmail.com, yahoo.com) to gain privileged access by guessing username/password combinations. Attackers are in some cases successful, because many passwords are easy to guess. As a result, password-only authentication systems, or systems solely based on something you know, have been considered less secure than two-factor authentication systems—systems based on two of the following: (1) something you know, (2) something you have, and (3) something you are (e.g., a biometric fingerprint).
Many two-factor authentication systems utilize a password and a security token in possession of the entity. As an example, a user may authenticate themselves by entering their password and a onetime pad (OTP) conventionally generated by the security token. The OTP conventionally generated from the security token (something you have) is combined with the password (something you know) to form a two factor authentication system. Many of these hardware authentication tokens or security tokens are now about the size of a keychain, and offer a degree of assurance that the entity providing the password and OTP is whom they claim to be. However, these two-factor authentication systems are also not without weaknesses. The security of the two-factor system is based primarily on two premises: 1) it is hard for an adversary to gain access to an entity's password and 2) the OTP conventionally generated from the security token is random and cannot be reproduced computationally. This second premise has been reported as being subject to compromise in conventional two-factor systems. For instance, RSA, a well-known two-factor hardware security token vendor, has been reportedly compromised in recent times. Many believe the compromise is related to the underlying conventional algorithm used to generate the OTP.
The OTP in this and other conventional two-factor systems is based on a pseudorandom stream of randomness, or a computationally random seed. By using hash computation tables, the hashing algorithm or function used to generate the OTP may be reverse engineered and reduced to the original seed value, and subsequent random numbers or OTPs resulting from the hash function may be computed. In other words, an attacker may generate random numbers or OTPs that mimic those of the security token without actually possessing the security token. Thus, the reliance on a pseudorandom stream of randomness based on a function that is seeded by an unknown pseudorandom value may be misplaced.