A number of authentication schemes have been developed to authenticate users of data processing devices or communications terminals. A well-known authentication scheme involves a teaching phase in which setting up a new user account comprises teaching a username (login name) and password to an authentication element. A subsequent authentication phase comprises requesting the user to enter the username-password combination. If the entered username-password combination matches a pre-stored (taught) combination, the user is positively authenticated.
Such simple systems are vulnerable to intrusion and fraudulent behavior. Intruders can tap into the authentication system in several ways. They can cause malware to be installed on the users' computers; the malware records the user's keyboard entries during login and relays them to the intruders. Another technique is to eavesdrop on the communication channels between an authentication server and the users' terminals. A third technique is to hack into the authentication server itself.
Attempts have been made to alleviate the security problems of current authentication schemes. Many improved authentication schemes are based on a paradigm known as “what you know and what you have”. The username-password combination is an example of “what you know”, while a mobile network identity is an example of “what you have”. For instance, the teaching phase of authentication may involve teaching a mobile identity, such as an MSISDN number, to the authentication system. In the authentication phase the authentication server may generate a pseudo-random code, send it to the user's mobile terminal and request the user to return the pseudo-random code from another terminal, such as a computer, within a relatively short period of time. Because modern mobile communication systems use PIN-code-based authentication, possession of a mobile terminal coupled with the mobile identity taught to the authentication system is an additional measure of security relating to the user being authenticated. Reference documents #1 and #2, which are a commonly-owned PCT application and US patent application, respectively, disclose various techniques for authentication. In particular, Reference document #1 discloses a technique called Dynamic Dialog Matrix (DDM), in which a mediator (proxy server) varies the sender number assigned to Short Message Service (SMS) messages and assigns a different sender number to each SMS message of a sequence. When clients (mobile users) respond to the SMS messages of the sequence, each reply message has a unique combination of sender address (the mobile terminal's number) and recipient address (the address the mediator assigned as sender address to the query message). The unique combination of sender address and recipient address acts as the row and column addresses into a data structure (called the DDM), and the cell identified by the two addresses contains the reply.
With the DDM, the mediator knows not only which reply belongs to which query, but also, with reasonable certainty, that the mobile user sending a reply message is the person to whom the query message was sent. Nobody else knows which sender address has been assigned to a query of interest. Accordingly, nobody else knows to which recipient address a reply message should be sent.
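As an added illustration, not code from either reference document, the following Python sketch shows the mediator-side bookkeeping that the DDM described above implies: each query goes out from a distinct sender number, and an incoming reply is accepted only if its (mobile number, recipient number) pair indexes an open cell. The sender-number pool, the reply time limit and the dictionary shape of the SMS messages are assumptions made for the example.

```python
import secrets

class DynamicDialogMatrix:
    """Mediator-side bookkeeping for the Dynamic Dialog Matrix (DDM).

    Rows are addressed by the mobile terminal's number, columns by the
    sender number the mediator assigned to the outgoing query. A reply
    whose (from, to) pair does not hit an open cell is rejected.
    """

    def __init__(self, sender_pool, ttl_seconds=120):
        # Assumed: a small pool of sender numbers owned by the mediator.
        self._free = list(sender_pool)
        self._open = {}    # (mobile, assigned_sender) -> (query_id, expires_at)
        self._cells = {}   # (mobile, assigned_sender) -> reply text
        self.ttl = ttl_seconds

    def send_query(self, mobile, query_id, now):
        """Pick an unused sender number at random and return the SMS to send."""
        if not self._free:
            raise RuntimeError("sender pool exhausted")
        sender = secrets.choice(self._free)     # unpredictable column choice
        self._free.remove(sender)               # one sender number per open query
        self._open[(mobile, sender)] = (query_id, now + self.ttl)
        return {"from": sender, "to": mobile, "query_id": query_id}

    def receive_reply(self, sms, now):
        """Match a reply to its query; returns the query_id, or None if rejected."""
        key = (sms["from"], sms["to"])          # row = mobile, column = assigned sender
        entry = self._open.pop(key, None)
        if entry is None:
            return None                         # no open cell for this pair
        query_id, expires_at = entry
        self._free.append(key[1])               # sender number may be reused
        if now > expires_at:
            return None                         # reply arrived after the time limit
        self._cells[key] = sms["text"]          # store the reply in its cell
        return query_id

    def reply_for(self, mobile, assigned_sender):
        """Read back the reply stored in a DDM cell (None if empty)."""
        return self._cells.get((mobile, assigned_sender))
```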
In Reference document #2, FIGS. 9A, 9B and 9B and their associated descriptions disclose techniques in which a combination of a general-purpose computer and a mobile terminal is used for authentication (and for additional functions, some of which may not be relevant to the present invention). FIG. 10 of Reference document #2 and its associated description disclose a system architecture which can be used to implement the present invention. The contents of said reference documents are incorporated herein by reference.
In spite of improvements to known authentication schemes, some residual problems remain. For instance, most authentication schemes are unnecessarily rigid, which means that the same level of security is required regardless of the value of a transaction, the user's prior history or other related factors. Another problem is that the username, password and mobile identity can all be stolen from a legitimate user.
Accordingly, there is still a need for improvements to authentication techniques, with respect to flexibility, security or both.