Almost all network or internet information systems provide a login function that requires a user to log in before accessing the service. The user login information is confidential. When a user logs in from a public computer, or from a computer compromised by a Trojan horse, a computer virus or a computer worm, there is a serious risk of information disclosure. In addition, the user login information is vulnerable to phishing attacks, through which the login account may be stolen or hijacked.
The traditional network information systems or internet information systems implement the user login function by a login method including:
1. receiving a request for login from a user, and displaying a login interface of an information system on the client side;
2. receiving a user name and a password input by the user on the login interface, wherein some service providers provide a verification code on the login interface, in order to prevent dictionary and brute force attacks; and
3. creating, by the information system, a logon session for the user, when the login is successful, and returning, by the information system, an error message to the client side, when the login is unsuccessful.
The above login method, as a single-factor authentication, is too simple and leaves users exposed to phishing scams. With the above login method, the user name and password may be stolen when the client side is infected by a Trojan horse virus, so the above login method is low in security.
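The three-step method and its single-factor limitation can be modelled as follows. This is an added example, not code from the original document; the class and function names, the failure threshold and the `code_ok` flag (a stand-in for a real verification-code check) are assumptions, and the account data is constructed.

```python
import hashlib, hmac, os, secrets

def _hash(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash so the stored value is not the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class TraditionalLogin:
    CODE_AFTER_FAILURES = 3  # assumed threshold, not from the page

    def __init__(self):
        self.users, self.failures, self.sessions = {}, {}, {}

    def register(self, user, password):
        salt = os.urandom(16)
        self.users[user] = (salt, _hash(password, salt))

    def needs_code(self, user):
        # Step 2: a verification code is demanded only to slow down guessing.
        return self.failures.get(user, 0) >= self.CODE_AFTER_FAILURES

    def login(self, user, password, code_ok=False):
        if self.needs_code(user) and not code_ok:
            return None, "verification code required"
        # Unknown users get a dummy salt and an empty hash that never matches.
        salt, stored = self.users.get(user, (b"\0" * 16, b""))
        if not hmac.compare_digest(_hash(password, salt), stored):
            self.failures[user] = self.failures.get(user, 0) + 1
            return None, "invalid user name or password"  # step 3, failure
        self.failures.pop(user, None)
        token = secrets.token_urlsafe(32)  # step 3, success: logon session
        self.sessions[token] = user
        return token, None

def same_secret_from_two_clients():
    # The password is the only input the server checks, so a second client
    # presenting the same name and password is granted an equally valid session.
    svc = TraditionalLogin()
    svc.register("alice", "constructed-sample-password")
    owner, _ = svc.login("alice", "constructed-sample-password")
    other, _ = svc.login("alice", "constructed-sample-password")
    return svc.sessions[owner] == svc.sessions[other] == "alice"

if __name__ == "__main__":
    print(same_secret_from_two_clients())
```

The verification code limits guessing but does nothing once the name and password themselves are known to another party, which is the weakness the paragraph above describes.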