Existing approaches for securing user-initiated online transactions include authenticating the user at the beginning of a session (for example, when the user opens the online banking application or starts the check-out process at an online retailer). This initial authentication is a necessary step for most online transactions, but it is very vulnerable to attacks (for example, attacks in which the user is tricked into entering secret credentials, such as a username and password, into a fake application that looks like the real one but is set up by a wrongdoer).
Existing approaches to counter such attacks include using two-factor authentication (for example, using a static and a one-time password, or using a password and a secure hardware token) or improving the authentication of the online application towards the user. However, none of these mechanisms eliminates the risk completely, and many are also complicated to use or expensive to introduce.