Typically, users log into accounts using a user name and password. For example, a user may use a web browser to log into their bank account. The bank's web page requests the user's name and password, and then grants access to the user's account if the correct information is provided.
Unfortunately, users' names and passwords are compromised every day. Thieves, e.g. hackers, may steal names and passwords directly from a user's computer or from user information stored by corporations, e.g. banks. Sometimes users use the same user name and password for many or all of their online accounts. In such cases, a thief need only trick an unsuspecting user into establishing a bogus account on the thief's counterfeit web site. When the user creates the account, the thief receives the user's name and password and now has access to all of the user's online accounts.
One solution to the problem is for users to authenticate their accounts using a physical dongle device, e.g. an authenticator. An authenticator is a second-factor credential device that periodically calculates a unique code. The user reads the code from the authenticator and enters it along with their user name and password.
For example, a user may navigate to their bank's login web page. The bank requests a user name, password, and authenticator code. The user enters their user name and password, and then copies the authenticator code from the authenticator dongle device onto the computer. The authenticator code is only good for one use and for a limited time. After the user uses the code or after some time has elapsed, the user must wait, e.g. 30 seconds, for the authenticator to generate a new code.
Use of a separate authenticator device can be problematic and inconvenient for the user. The authenticator is a separate device from the computer, e.g. a keychain attachment or a cell phone running a mobile authenticator application. If the keychain attachment or cell phone is lost, damaged, or stolen, the user cannot authenticate and log on to their account. This leads to IT support calls and user downtime while the lost authenticator is removed from the user's account and a new authenticator is added.