Authentication of users requesting access to computing resources is possible using a variety of techniques, each technique having a relative degree of assurance (whether objectively or subjectively defined). To improve authentication assurance, more challenging approaches to authentication are devised, combining one or more of: things users know (such as secrets and passphrases); things users have (such as hardware tokens and smartcards); and things users are (such as biometric indicators). Such approaches are known as n-factor authentication schemes.
Context based authentication is known. US Patent Publication No. 2007/0079136A1 describes methods and systems for performing authentication based at least in part on the context of a transaction. Further, European Patent Publication No. EP1603003A1 describes a method of authorizing a user in communication with a workstation using different methods for authorization in dependence on combinations of user data and workstation data, such as a geographic location of the workstation.
Context based authentication schemes imply the availability of multiple authentication methods to check and/or validate a user identity such that different authentication methods can be employed alone or in combination in dependence on an authentication context. Such different authentication methods can have different levels of assurance of the authentication. One way to define levels of assurance for authentication methods or schemes can be to determine objective characteristics and features of such methods and schemes. For example, the Office of Management and Budget (OMB) of the United States Government published “E-Authentication Guidance of Federal Agencies” (Memorandum M04-04, Office of Management and Budget, Executive Office of the President, 2003). The guidance defines four levels of authentication assurance as:
Level 1: Little or no confidence in the asserted identity's validity.
Level 2: Some confidence in the asserted identity's validity.
Level 3: High confidence in the asserted identity's validity.
Level 4: Very high confidence in the asserted identity's validity.
The levels of authentication assurance are characterized by technical guidelines for each level for different authentication methods in the National Institute of Standards and Technology (NIST) document “Electronic Authentication Guideline” (NIST Special Publication 800-63-2, 2013). FIG. 1 depicts the NIST SP 800-63-1 E-Authentication Architectural Model in the prior art. A process of registration by a user 110, credential issuance and maintenance includes:
1. A user 110 applies to a registration authority 106 through a registration process.
2. The registration authority 106 identity proofs the user 110.
3. On successful identity proofing, the registration authority 106 sends a credential service provider 108 a registration confirmation message.
4. An authentication credential such as a secret token is established between the credential service provider 108 and the user 110.
5. The credential service provider 108 maintains the credential, its status, and the registration data collected for the lifetime of the credential (at a minimum). The user 110 maintains his or her token.
Subsequent to registration, a process of authentication of the user 110 includes:
1. The user 110 proves to the verifier 114 that he or she possesses and controls an authentication credential through an authentication protocol.
2. The verifier 114 interacts with the credential service provider 108 to validate the credential that binds the user's identity to his or her token.
3. The verifier 114 provides an assertion about the user 110 to the relying party 112 which uses the information in the assertion to make an access control or authorization decision.
4. An authenticated session is established between the user 110 and the relying party 112.
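
The registration and authentication steps above can be traced in a small simulation. This is an added example, not part of the original text or of the NIST model itself; the HMAC challenge-response protocol, the MAC-protected assertion, and the class and function names are assumptions chosen for illustration.

```python
import hashlib, hmac, json, secrets

def mac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

class CredentialServiceProvider:            # credential service provider 108
    def __init__(self):
        self._creds = {}                    # user -> token secret and credential status
    def issue(self, user):                  # registration step 4: establish the token
        secret = secrets.token_bytes(32)
        self._creds[user] = {"secret": secret, "status": "active"}
        return secret
    def revoke(self, user):                 # registration step 5: CSP maintains status
        self._creds[user]["status"] = "revoked"
    def validate(self, user, challenge, response):   # authentication step 2
        cred = self._creds.get(user)
        ok = cred is not None and cred["status"] == "active"
        return ok and hmac.compare_digest(mac(cred["secret"], challenge), response)

class Verifier:                             # verifier 114
    def __init__(self, csp, assertion_key):
        self._csp, self._key, self._pending = csp, assertion_key, set()
    def challenge(self):
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce
    def authenticate(self, user, nonce, response):
        fresh = nonce in self._pending      # unknown or already used nonce is a replay
        self._pending.discard(nonce)
        if not (fresh and self._csp.validate(user, nonce, response)):
            return None
        body = json.dumps({"sub": user, "nonce": nonce.hex()}).encode()
        return body, mac(self._key, body)   # step 3: assertion for the relying party

def relying_party_accepts(assertion, key):  # relying party 112 checks the assertion
    return assertion is not None and hmac.compare_digest(mac(key, assertion[0]), assertion[1])

def run_flow():
    key = secrets.token_bytes(32)           # constructed key shared by verifier and RP
    csp = CredentialServiceProvider()
    verifier = Verifier(csp, key)
    token = csp.issue("user110")            # identity proofing by RA 106 assumed done
    nonce = verifier.challenge()            # step 1: user proves possession of the token
    first = relying_party_accepts(verifier.authenticate("user110", nonce, mac(token, nonce)), key)
    replay = relying_party_accepts(verifier.authenticate("user110", nonce, mac(token, nonce)), key)
    csp.revoke("user110")
    n2 = verifier.challenge()
    revoked = relying_party_accepts(verifier.authenticate("user110", n2, mac(token, n2)), key)
    return first, replay, revoked
```
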
NIST defines characteristics of the above steps for each of the OMB levels of authentication assurance. Accordingly, a system or service having multiple points of access, or access modes, each access mode requiring a different level of assurance, can be supported by multiple and potentially many different authentication methods. Where multiple authentication methods are available, a decision as to an applicable authentication method for a user is made. US Patent Publication No. 2011/0047608 A1 describes an approach to dynamic user authentication in which one or more modes of authentication are dynamically selected based on various factors surrounding a request. Factors can include time of day, past action history of the user and the resource to which access is requested. The selection of authentication criteria is based on an authentication level that is determined based on a service accessed and factors associated with the access. However, despite the dynamic selection of modes of authentication, such as for different levels of authentication, authentication is still restricted to traditional authentication factors (i.e. something a user knows, has, or is). Further, where authentication schemes are attacked due to compromise of an authentication credential or mechanism, such as a stolen hardware token or misappropriated passphrase, authentication schemes are unable to detect the attack since the authentication itself can appear entirely acceptable. Thus it would be advantageous to provide for multi-level authentication of users requesting access to restricted resources of a service with improved assurance and improved protection against authentication attack.
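
The dynamic selection described above, where a required level is derived from the resource, the time of day and the user's past history and then mapped to an authentication method, can be sketched as follows. This is an added example, not code from the cited publications; the method-to-level and resource-to-level mappings, the usual-hours window and the failure threshold are assumptions for illustration. Whatever method it selects is still a know/have/are factor, which is the limitation the paragraph notes.

```python
from dataclasses import dataclass

# Assumed mappings for illustration; not taken from the OMB or NIST documents.
METHOD_LEVEL = {"password": 2, "password+otp": 3, "hardware_token+pin": 4}
RESOURCE_LEVEL = {"view_profile": 1, "view_balance": 2,
                  "transfer_funds": 3, "admin_console": 4}

@dataclass
class AccessRequest:
    resource: str
    hour: int                 # local hour of the request, 0-23
    recent_failures: int      # past action history: failed logins in the last day
    session_level: int = 0    # assurance level already reached in this session

def required_level(req):
    level = RESOURCE_LEVEL.get(req.resource, 4)   # unknown resource: fail closed
    if not 7 <= req.hour < 20:                    # outside assumed usual hours
        level += 1
    if req.recent_failures >= 3:                  # assumed threshold
        level += 1
    return min(level, 4)                          # OMB defines levels 1 to 4

def select_method(req, enrolled):
    """Return (required level, decision): 'allow', 'deny', or the method to prompt for."""
    need = required_level(req)
    if req.session_level >= need:                 # session already strong enough
        return need, "allow"
    usable = [m for m in enrolled if METHOD_LEVEL.get(m, 0) >= need]
    if not usable:                                # user cannot reach the level
        return need, "deny"
    return need, min(usable, key=METHOD_LEVEL.get)  # weakest method that suffices
```
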