Present day information technology (IT) is characterized by an abundance of electronic sites that are accessible to users over public (e.g. the Internet) and private (e.g. local) networks. A “site”, in the context of the present application, refers to any site that may be accessed by a user, such as, for example, an Internet site, an organizational management intranet system (e.g. a Customer Relationship Management (CRM) system), a credit-card transaction approval system (e.g. a remote system such as PayPal, or a local system), an email box (e.g. Hotmail, Gmail etc.), a bank account, an Automated Teller Machine (ATM) and so on.
Some of these sites only provide access to information (e.g. general, public, private and confidential information), while other sites allow users to view information as well as perform an action.
Access to some sites is not limited, whereas other sites limit access and require that certain conditions be met before a user is allowed to access the site. Typically, sites with limited access require some form of identification and authentication. In many cases a user is required to register with that site by selecting a user name and a password (and, depending on the particular site's requirements, often other personal information as well), and later on to provide the user name and password (or other information) in order to access that site or perform an action at that site.
In most cases the access information a user is required to provide in order to gain access to a site is simple and may easily be obtained by others. For example, in order to successfully complete a credit-card transaction over a network (e.g. the Internet), a buyer is usually required to provide a full name, an address, a credit card number and an expiry date (sometimes also the Card Verification Value (CVV) printed on the back of the credit card). Such information may not be too hard to obtain (e.g. by looking over the shoulder of a person using a credit card, by overhearing a conversation in which this information is mentioned, or by having Trojan Horse type malware installed on the user's computer that sends all typed information, including such details, to a remote computer).
It is also known that many users (some even claim that this is true for the majority of users) tend to register with many sites using the same user name and password, or use very similar registration details, changing only one or a few letters or digits. Thus, if a user's name and password are unlawfully obtained, many sites with which that user is registered may be illegally accessed by others impersonating that user. Such unlawful access may result in private information being exposed, fraud and other illegal actions that may cause extensive damage.
Sometimes it is one of the sites with which a user is registered that is itself hacked, and valuable personal information (e.g. the user's name and password) may be unlawfully retrieved from it and used for accessing other sites with which the user is registered.
Current authentication methods typically do not address the situation in which more than one person is required to confirm an action. For example, many businesses and organizations require that two (or more) persons authorize an action, such as engaging in a legal contract, performing a financial transaction, performing an action in a bank account, etc. Strangely enough, to date, executives of such businesses and organizations are allowed to charge their company's credit card or draw money from an ATM without another person authorizing the transaction, simply because the credit card company has no technology to support that requirement.
The need for more secure authentication has brought about the use of additional authentication measures. Two-factor or multi-factor authentication methods were introduced that require the presentation of two or more independent kinds of identity evidence.
Multi-factor authentication involves the use of two or more independent kinds of evidence to assert an identity, rather than two or more iterations of the same kind. In essence, there are three independent means for establishing identity, which may be characterized as something the user knows (e.g. a password or personal identification number (PIN); a user name by itself is an identifier rather than a secret), something the user has (e.g. a physical token, ID card, passport), and something the user is (e.g. biometric information, such as a fingerprint, retinal scan, face geometry).
It is generally accepted that any combination of two or more of these independent authentication means (e.g. a password plus a value from a physical token) is multi-factor authentication, whereas two pieces of evidence of the same kind (e.g. two passwords) are not.
Multi-factor authentication may include, inter alia:
1. A designated security hardware component, which an authorized user is to use when connecting to a site. The hardware component is attached to the user's local machine or hand-held device (e.g. terminal, PC, PDA, smartphone, tablet), and holds authentication information pertaining to the user that the remote site requires, in addition to the regular login details the user is required to produce, in order to allow the user to gain access. Examples of such hardware components include smart cards, fingerprint readers, USB security keys, etc.
2. Some networks are designed to protect their users by offering a restricted space that only select users may enter, such as, for example, a Virtual Private Network (VPN). Such networks allow only specific stations, devices or users identified to the network to access sites and services in that network.
3. Certificate-based protocols are also known (e.g. SSL/TLS client certificates), in which a certificate and its private key are installed on a specific station and the remote site confirms authorized access by checking that the certificate presented by the station is the expected one (and that the station can prove possession of the corresponding private key).
4. Sending a confirmation message containing a unique, single-use code (e.g. by SMS or email) to the user, who confirms the execution of a transaction allegedly made by that user at the site by entering the sent code as part of the regular login process.
5. Installing software on a second hardware device (such as a phone, a smart USB key, or a network device such as a firewall or router) that generates one-time codes, so that each time a user attempts to access a site the currently generated code has to be supplied (input manually or automatically) during the access procedure, after providing the login details.
6. Performing risk evaluation (typically used for credit-card transaction confirmations and money transfers), to calculate a risk level for the transaction in order to determine whether to authorize and execute it.
7. Human intervention (typically used for credit-card and banking transaction confirmations), in which a human contacts the user to verify a specific transaction prior to its final confirmation, sometimes requiring additional authentication information (e.g. billing address, ID number, or even physical documents sent by fax or email, etc.).