There are currently several methods for authorizing users and, in particular, for securing on-line transactions, such as transactions when selling, buying, transferring funds, online banking, etc.
Some of these methods rely upon one-time codes having previously been provided to a registered user. According to other methods for securing on-line transactions, each user is provided with a personalized code-generating device, whereby the user can, when appropriate, generate codes which can be used as, for example, passwords or digital signatures.
The code-generating device (pin pad) may comprise a display and a numerical keypad. The user connects to the bank server using a browser, then uses the pin pad to prove her identity.
This scenario uses a bank as an example, but the procedure is applicable to any application where authentication is necessary, e.g., secure communication within a company or for VPN access.
This is a typical scenario; the user's actions may comprise the following steps:

1. The user opens a browser to the server's (the bank's) address on her computer.
2. The user enters her SSN or some other personal data to establish her identity.
3. The server generates a random 8-digit number, called a challenge below, and shows it to the user.
4. The user enters her secret four-digit PIN on her pin pad to unlock it.
5. The user enters the 8-digit challenge on the pin pad.
6. The pin pad encodes the challenge and displays the result as another 8-digit number, called the response.
7. The user enters the 8-digit response in the web browser.
8. The server now knows that the user is someone who both has possession of the pin pad and knows its PIN.
In the case of, for example, signing a transaction, a challenge code generated by a transaction server system is typically displayed to the user on the display of the user's communication device, such as an internet-connected computer or a mobile terminal. The user subsequently enters this challenge code in his code-generating device. Based on the entered code, the code-generating device generates a response code, a digital signature, which the user provides to the transaction server system through his communication device. If the digital signature can be verified by the transaction server system, the transaction is carried out.
Entering such, often very long, codes into the code-generating device may, however, be seen as cumbersome by the user, which may motivate the transaction service provider to make a trade-off between security and ease of use, for example by limiting the complexity and/or frequency of digital signature challenges. Hereby, the security level is decreased without achieving a truly user-friendly method for secure interaction.
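The login procedure described in the step list above and the transaction-signing variant described just before this paragraph both reduce to the same exchange: the server issues an 8-digit challenge, the PIN-unlocked device encodes it into an 8-digit response, and the server recomputes the response from the device secret it stored at enrolment. The following is an added simulation of both sides of that exchange; it is not code from the original text. The text does not say how the pin pad encodes the challenge, so the encoding here (HMAC-SHA256 truncated to 8 decimal digits), the three-attempt PIN lockout, the single-use and time-limited challenges, and the server-side binding of a challenge to its purpose are all assumptions added to show the checks a server and device need for the last step of the list (possession of the device plus knowledge of its PIN) to actually hold.

```python
import hashlib
import hmac
import secrets
import time


def encode_challenge(secret: bytes, challenge: str) -> str:
    """Assumed pin-pad encoding: HMAC-SHA256 over the challenge digits,
    truncated HOTP-style to an 8-digit decimal response."""
    mac = hmac.new(secret, challenge.encode(), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation offset
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10**8:08d}"


class PinPad:
    """Simulated code-generating device holding a per-device secret and a PIN."""
    MAX_PIN_ATTEMPTS = 3                         # assumed lockout policy

    def __init__(self, device_secret: bytes, pin: str):
        self._secret = device_secret
        self._pin_digest = hashlib.sha256(pin.encode()).digest()
        self._failed_attempts = 0
        self._unlocked = False

    def unlock(self, pin: str) -> bool:
        """Step 4 of the procedure: the PIN unlocks the device; too many
        wrong PINs lock it permanently so a stolen pad cannot be guessed open."""
        if self._failed_attempts >= self.MAX_PIN_ATTEMPTS:
            return False
        digest = hashlib.sha256(pin.encode()).digest()
        if hmac.compare_digest(digest, self._pin_digest):
            self._unlocked = True
            self._failed_attempts = 0
            return True
        self._failed_attempts += 1
        return False

    def respond(self, challenge: str) -> str:
        """Steps 5-6: encode the entered challenge into the displayed response."""
        if not self._unlocked:
            raise RuntimeError("pin pad is locked; enter the PIN first")
        return encode_challenge(self._secret, challenge)


class TransactionServer:
    """Simulated bank/transaction server that knows each user's device secret."""

    def __init__(self, challenge_ttl_seconds: float = 120.0):
        self._devices = {}       # user id -> device secret (shared at enrolment)
        self._pending = {}       # user id -> (challenge, issued_at, purpose)
        self._ttl = challenge_ttl_seconds

    def register_device(self, user_id: str, device_secret: bytes) -> None:
        self._devices[user_id] = device_secret

    def issue_challenge(self, user_id: str, purpose: str = "login") -> str:
        """Step 3: a fresh random 8-digit challenge, bound server-side to what
        it authorises (login, or a specific transaction) so that a response
        obtained for one purpose cannot be replayed for another."""
        challenge = f"{secrets.randbelow(10**8):08d}"
        self._pending[user_id] = (challenge, time.monotonic(), purpose)
        return challenge

    def verify_response(self, user_id: str, response: str, purpose: str = "login") -> bool:
        """Step 8: recompute the expected response and compare in constant time.
        The pending challenge is consumed whether or not verification succeeds."""
        pending = self._pending.pop(user_id, None)
        if pending is None or user_id not in self._devices:
            return False
        challenge, issued_at, expected_purpose = pending
        if expected_purpose != purpose:
            return False
        if time.monotonic() - issued_at > self._ttl:
            return False
        expected = encode_challenge(self._devices[user_id], challenge)
        return hmac.compare_digest(expected, response)


def demo() -> dict:
    """Run the login and signing exchanges plus the failure cases a verifier
    must reject. All identities, PINs and secrets are constructed sample values."""
    user, pin = "user-123", "4711"
    secret = secrets.token_bytes(32)             # provisioned to pad and server
    server = TransactionServer()
    server.register_device(user, secret)
    pad = PinPad(secret, pin)
    results = {}

    challenge = server.issue_challenge(user)     # legitimate login
    pad.unlock(pin)
    response = pad.respond(challenge)
    results["good_login"] = server.verify_response(user, response)
    results["replay"] = server.verify_response(user, response)      # consumed

    signing = server.issue_challenge(user, purpose="sign:tx-0001")  # signing
    results["signing"] = server.verify_response(user, pad.respond(signing), "sign:tx-0001")
    mismatch = server.issue_challenge(user, purpose="sign:tx-0002")
    results["purpose_mismatch"] = server.verify_response(user, pad.respond(mismatch), "login")

    stolen = PinPad(secret, pin)                 # right device, PIN unknown
    guesses = [stolen.unlock(g) for g in ("0000", "1234", "1111")]
    results["locked_out"] = any(guesses) or stolen.unlock(pin)

    clone = PinPad(secrets.token_bytes(32), pin) # right PIN, wrong device secret
    clone.unlock(pin)
    results["wrong_secret"] = server.verify_response(user, clone.respond(server.issue_challenge(user)))
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:16s} {'accepted' if ok else 'rejected'}")
```

Two details carry the security argument of the last step in the list: the server recomputes the response from the enrolled device secret, so a response from any other device fails regardless of the PIN, and the device refuses to encode anything until the PIN is accepted, so the device alone is not enough. The single-use challenge means an observed response is worthless afterwards, which is what makes the 8-digit code safe to type into a browser in the first place.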