The evolution of the Internet has in many ways changed behaviours that prevailed for a long time. Peer-to-peer communication and the ease with which information can now be exchanged have opened up almost limitless ways of using the Internet in everyday life.
Internet banking, electronic commerce and e-mail are but a few examples of the possibilities that the electronic world offers, removing the need for a user to actually visit a bank, a store to purchase goods, etc.
Unfortunately, however, the possibility of doing business over the Internet, instead of physically visiting various locations, has also given rise to its own set of challenges and security issues, primarily in the areas of user authentication and secure data transfer.
A typical Internet user is registered with (a member of) a plurality of different Internet sites, and when the user identifies himself or herself to such a site, this is usually done by entering a login name and a corresponding password. Every now and then, however, Internet sites are “hacked”, with the possible result that the login (user) names and associated passwords of the site's users (members) come into the hands of unauthorized and, at worst, criminal persons.
If login information, such as user names and passwords, comes into the hands of the wrong persons, users of a hacked site can suffer substantial damage, e.g. by finding their bank accounts emptied. Further, it is common for a member of one Internet site to “reuse” the same login name and password at other sites, with the further risk of unauthorized access not only to the hacked site but to those other sites as well. There is also an inherent risk that a potential intruder, given enough time and attempts, can obtain login information simply by “trial-and-error”.
Further, governments increasingly wish to communicate electronically with citizens in a safe and secure manner regarding various social services, and such services often involve large amounts of personal and confidential data, with correspondingly strict requirements on the ability to ascertain the identity of a particular user. Simpler authentication methods, such as user name and password, are simply not strong enough and must be strengthened.
Due to the above, it is becoming more and more common to strengthen the protection against unauthorized access by using one-time passwords in addition to conventional (static) passwords. One-time passwords are constantly and inherently changed, which substantially reduces the risk of the passwords falling into the wrong hands. One-time passwords thus make it more difficult to gain unauthorized access to user accounts.
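As an added illustration of the one-time password mechanism described above (this is not part of the original text, which names no particular scheme), the following Python assumes an HMAC-based counter scheme as in RFC 4226 together with a constructed shared secret and static password; it shows that a code captured during one login is rejected when presented again.

```python
import hmac
import hashlib
import struct

# Assumed scheme (the text names none): HMAC-based one-time passwords per
# RFC 4226, with a server-side counter so that each code is accepted only once.
SECRET = b"constructed-shared-secret-for-demo"   # constructed sample value
STATIC_PASSWORD = "constructed-static-password"  # constructed sample value


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Compute an HMAC-SHA1 one-time password for the given counter value."""
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                               # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OtpVerifier:
    """Server side: checks the static password plus a one-time code that moves forward."""

    def __init__(self, secret: bytes, static_password: str, window: int = 3):
        self.secret = secret
        self.static_password = static_password
        self.counter = 0        # next counter value the server expects
        self.window = window    # tolerance for a token that advanced a few steps ahead

    def verify(self, password: str, otp: str) -> bool:
        # Constant-time comparison of the static part.
        if not hmac.compare_digest(password, self.static_password):
            return False
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), otp):
                # Move past the used counter so the same code cannot be replayed.
                self.counter = c + 1
                return True
        return False


def demo() -> tuple:
    """Genuine login, replay of the captured code, then the next genuine code."""
    server = OtpVerifier(SECRET, STATIC_PASSWORD)
    first_code = hotp(SECRET, 0)
    genuine = server.verify(STATIC_PASSWORD, first_code)          # True
    replayed = server.verify(STATIC_PASSWORD, first_code)         # False: already used
    next_code = server.verify(STATIC_PASSWORD, hotp(SECRET, 1))   # True
    return genuine, replayed, next_code
```

A leaked static password alone is likewise insufficient, since verify() also requires a fresh code for the current counter.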
Consequently, ways exist to strengthen security when accessing restricted resources. A drawback, however, of such stronger authentication methods is that one-time passwords often require, from the user's point of view, some kind of hardware device, such as a digipass, code card or other means, for generating the one-time passwords, with the result that a user often ends up with several different methods of accessing the different restricted resources to which he or she belongs. Therefore, there is a need for a simplified method of accessing restricted resources.