1. Field of the Invention
The present invention relates to a user authentication system for network security and management, and more particularly, to a token based two factor authentication and virtual private networking system for third party network management and security of online networks.
2. Background Information
Any network, including Wi-Fi networks, will need to control what computer resources specific users have access to and will generally need to keep track of the activity of users over the network. Authentication is the process of identifying an individual, usually relying upon a username and password. Authentication is based on the idea that each individual user will have unique information that sets him or her apart from other users. Authorization is the process of granting or denying a user access to network resources once the user has been authenticated, such as through the username and password. The amount of information and the amount of services the user has access to depend on the user's authorization level. Finally, accounting is the process of keeping track of a user's activity while accessing the network resources, including the amount of time spent in the network, the services accessed while there and the amount of data transferred during the session. Accounting data is used for trend analysis, capacity planning, billing, auditing and cost allocation. In computer technology, an “identity” is the unique name of a person, device, or the combination of both that is recognized by a system. Many types of network management systems rely on unique identities to ensure the security of the network and its resources.
There are three universally recognized factors for authenticating individuals: (1) “Something you know”, such as a password or personal identification number (PIN); (2) “Something you have”, such as a mobile phone, an Automatic Teller Machine (ATM) card, or a hardware security token; and (3) “Something you are”, such as a fingerprint, a retinal scan or other biometric.
A system uses “two factor authentication”, also called T-FA or dual factor authentication, when it requires at least two of the authentication factors mentioned above. This contrasts with traditional password authentication, which requires only one authentication factor (such as knowledge of a password) in order to gain access to a system. Common implementations of two-factor authentication use “something you know” (a password) as one of the two factors, and use either “something you have” (a physical device) or “something you are” (a biometric such as a fingerprint) as the other factor. A common example of T-FA is an ATM card, wherein the card itself is the physical “something you have” item, and the personal identification number (PIN) is the “something you know” password that goes with it.
Using more than one factor is also called strong authentication; using just one factor, for example just a static password, is considered by some to be weak authentication.
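The following is an added illustration of the token-based two-factor check described above; it is not code from the patent. It assumes the “something you have” is a hardware token producing HMAC-based one-time passwords (RFC 4226, with the time-based RFC 6238 variant), which the text does not specify, and the credential values are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

# Constructed demonstration credential store (values are not from the patent).
# Factor 1, "something you know": a salted password hash.
# Factor 2, "something you have": a secret shared with the user's hardware token.
SALT = b"constructed-salt"
TOKEN_SECRET = b"constructed-token-secret-0123"

def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash so a stolen store does not directly yield the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

USERS = {"alice": {"salt": SALT, "pw_hash": hash_password("correct horse", SALT),
                   "token_secret": TOKEN_SECRET}}

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226), assumed here as the token's algorithm."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation offset
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30) -> str:
    """Time-based variant (RFC 6238): the counter is the current 30-second step."""
    return hotp(secret, unix_time // step)

def authenticate(username: str, password: str, token_code: str,
                 now: int, window: int = 1) -> bool:
    """Grant access only if BOTH factors verify; either one alone is weak authentication."""
    user = USERS.get(username)
    if user is None:
        return False
    # Factor 1: constant-time comparison of the password hash.
    know_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    # Factor 2: accept the token code for the current step +/- `window` steps of clock drift.
    step = now // 30
    have_ok = any(hmac.compare_digest(hotp(user["token_secret"], step + d), token_code)
                  for d in range(-window, window + 1))
    # Both factors are always evaluated, so a failing password does not skip the token check.
    return know_ok and have_ok
```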
Establishing and protecting identity is an increasing challenge and burden to both consumers and suppliers of goods or services. While identity verification and protection is a widespread issue for all networks, the identity challenges on the Internet are most prominent, as “online identity” (meaning identity over the Internet) is inherently problematic. “Online” will be used herein to generally reference Internet applications. There is a growing demand for solutions to address these challenges.
Effective improvements in online identity require an increase in security. New security technology must address today's online identity threats. However, higher security alone is not a complete solution. The security technology must be easy to use or, preferably, essentially transparent to the end user in order to achieve adoption and success. Security solutions that users do not accept and use are ineffective. It is an object of the present invention to improve online identity exchange by simultaneously increasing security and simplicity for both end users and system administrators.
The burden of identity is more than just preventing user identity theft. It encompasses challenges to an entire online ecosystem that spans users and providers across all industries and user groups. The online space is very dynamic and growing at a fast pace. Identity standards have not kept pace with changing needs and threats, leaving online commerce and communication increasingly vulnerable. The need for better standards and techniques is reaching a critical level. This problem will only grow worse as the Internet is increasingly used as the delivery platform for media content and services.
The Internet is fast becoming the standard communication medium for voice, video, music, instant messaging, email and reference information including news, search, blogging, personal websites and picture sharing. Software delivery is shifting to software as a service (SaaS), where applications and data are stored on servers and accessed via the Internet instead of being installed on the computer. This trend is pushed by companies like Google, Sun and Microsoft.
Ecommerce is more than just shopping online. It includes bill payment, banking, stock trading, and money transfers. A majority of these growing services require some form of user authentication. Authentication—proving you are who you say you are, as discussed above—allows users and providers to protect or personalize online services and information. Online service providers must also prove their identity to their growing number of users to protect against phishing and spoofing attacks. Thus, authentication is a mutual concern. As the number and extent of online services continue to expand, the need for online authentication and the frequency of its use will also multiply.
The common form of user authentication today, usernames and passwords, is weak and cumbersome (weak authentication as noted above). The username and password was an early internal corporate standard that was never intended for an open online ecosystem. The security weakness of usernames and passwords is well documented; as Microsoft's Bill Gates describes the situation, “Today, we're using password systems, and password systems simply won't cut it; in fact, they're very quickly becoming the weak link”. Because username and password systems have varying rules and standards, users must also use and remember a variety of usernames and passwords. With online services proliferating, the burden of remembering which combination was used for each application becomes problematic.
Regulatory agencies, standards bodies and popular demand are driving changes in online authentication to eliminate security weakness and user difficulty. In October 2005, the Federal Financial Institutions Examination Council (FFIEC) declared two-factor authentication the standard for online banks by the end of 2006 in order to combat identity theft, which rose to $14.8 Billion in reported losses from April 1994 to May 2005. Infoweek reports that the number one weapon in the future malware war is “strong authentication” as defined above. Agencies and regulations in other industries are also driving businesses and individuals to adopt the use of strong authentication, including HIPAA in health care, Sarbanes-Oxley in public corporations, and FIPS 140 standards in the federal government.
From an end user standpoint, there is growing frustration with the increasing threat of exposure of their personal data and finances and the increasing variety of systems they must interact with to protect themselves. Online service providers also need solutions that keep their applications safe and will drive users to their services without increasing the burden of identity. All parties are calling for a simple and effective solution to secure authentication.
As further background information, a virtual private network, or VPN, is a network that is constructed by using public connections (e.g. wires or wireless couplings) to connect the devices of a network. A VPN provides a system for securing transmissions across TCP/IP networks. A VPN is a secure “tunnel” between two points on the network, through which all traffic is encrypted and secure. For example, VPN software running on a laptop computer can establish a secure connection from the laptop, across the Internet, to a VPN server behind a corporate firewall thousands of miles away. Such systems use encryption and other mechanisms (e.g. passwords) to try to ensure that only authorized users can access the network and that the data cannot be intercepted.
The right solution to the identity crisis, particularly online, must be comprehensive in its scope and simple in its operation in order to be effective. Some enterprise organizations have implemented strong authentication, including two-factor authentication utilizing Virtual Private Network (VPN) solutions, but these solutions are complex and produce end-user confusion and frustration. These enterprise solutions have been built for the enterprise environment, where the technical support desk is, in theory, waiting on hand. Employees have tolerated difficult authentication solutions because they have few options. Expensive enterprise in-house network authentication solutions requiring complicated installation and user inconvenience cannot simply be thrown over the wall to consumers with an expectation of acceptance. The winning solution must be able to meet higher security standards and break down the barriers of complexity, implementation costs and adoption risks.