The present invention relates generally to security. Many types of devices exist for authenticating an individual prior to granting the user access. The access may be physical (e.g., access to a locked door) or virtual (e.g., access to information). Authenticating a user for the purposes of access normally includes verifying one or more of the following general types of information: who the user is (e.g., biometric information), what the user possesses (e.g., a key or card), and what the user knows (e.g., a password or PIN).
A common form of computer access control uses a combination of (1) a device which generates a pseudo-random number (e.g., the SecurID® token manufactured by RSA Security) and (2) a personal identification number (PIN) known to the user. In a typical use of these two pieces of information, a user attempting to gain access to a computer application enters the user's login name and a passcode consisting of the PIN plus the pseudo-random number displayed on the token, which cycles to a new number every minute to reduce vulnerability due to “electronic eavesdropping.” While this method provides reasonable security and works fairly well, it has limitations. The pseudo-random digit string must be relatively short to minimize user errors in data entry. Additionally, the method requires a keyboard or digit pad to allow the user to enter the PIN.
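The passcode scheme described above can be sketched as follows. This is an added example, not code from the original document and not the token vendor's algorithm: the HMAC-based truncation of RFC 4226 stands in for the token's pseudo-random generator, and the seed, PIN, six-digit length and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # the text says the token cycles to a new number every minute
CODE_DIGITS = 6     # assumption: a short code, to limit data-entry errors


def token_code(seed: bytes, unix_time: int) -> str:
    """Code shown on the token during the minute that contains unix_time."""
    counter = struct.pack(">Q", unix_time // STEP_SECONDS)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # RFC 4226 dynamic truncation (stand-in generator)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)


def verify_passcode(seed: bytes, pin: str, passcode: str, unix_time: int) -> bool:
    """Server side: accept only PIN + token code for the current minute."""
    expected = pin + token_code(seed, unix_time)
    # Constant-time comparison so timing does not leak how many digits matched.
    return hmac.compare_digest(expected.encode(), passcode.encode())


# Constructed sample values, not real credentials.
SEED = b"constructed-demo-seed"
PIN = "4821"
T0 = 1_700_000_000


def demo() -> dict:
    """Show acceptance within the minute and rejection of stale or wrong input."""
    code = token_code(SEED, T0)
    passcode = PIN + code
    return {
        "accepted_now": verify_passcode(SEED, PIN, passcode, T0),
        "accepted_same_minute": verify_passcode(SEED, PIN, passcode, T0 + 30),
        "replayed_next_minute": verify_passcode(SEED, PIN, passcode, T0 + STEP_SECONDS),
        "wrong_pin": verify_passcode(SEED, PIN, "0000" + code, T0),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

A passcode captured by an eavesdropper stops verifying once the minute rolls over, which is the property the cycling number provides; the short code length is the usability trade-off the text notes.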