As smart devices and network applications become popular, users are able to access various network applications through client applications (also referred to as apps or app clients) installed on devices. When a client application accesses services on an application server (also referred to as an app server), authentication, in particular dual-channel authentication of user identities, is commonly performed. For example, a user who forgets the login password for an app sends a password retrieval request to the app server. The app server sends verifying information back to the device in a text message over a separate channel, such as a separate wireless connection. The user enters this verifying information on the device. After the app server checks its database and determines that the verifying information is correct, it treats the user's identity as validated and sends a password back to the user.
However, in existing dual-channel authentication schemes, the device on which the app is installed is the same device that receives the verifying information during identity authentication. Thus, if the device is stolen by a malicious third party or is infected by malicious software, user identity authentication can very easily be completed through this device. As a result, the identity authentication is not very secure, and the user's private information can be easily compromised.