Computer users interact with 10's and even 100's of Internet-based web service providers on a routine basis due to the explosion of the Internet and web-based interactions. Each service provider wishes to maintain a subscriber base in order to maintain close access to his or her customers. Consequently, users are expected to manage 10's and even 100's of accounts and corresponding usernames and passwords. Users often misuse password credentials (e.g., use weak passwords, and reuse passwords and usernames) to easily access web-based services. Several problems can occur including cross-site account hacks, service provider collusion and tracking of user transactions. These attacks result in a user losing control of their information, real world assets, damaged reputation and even job loss.
User studies show that password management is a major usability challenge and is a contributing factor to web account mismanagement. Current solutions rely on user account creation protocols that involve the user creating a password and providing a series of password reset challenge questions (e.g., favorite pet). These mechanisms are weak because many times the challenge information is public and/or can be easily inferred. Another approach integrates public key infrastructure (PKI) into the website and client. However, the user client must purchase a client X.509 certificate for use with each service provider, which is cost prohibitive for most users. Similarly, use of a one-time-password (OTP) device that authenticates the user to a particular service provider is cost prohibitive for discrete OTP devices. Software OTP devices may be used to reduce cost, but each service provider must support the particular OTP implementation, and in any event the OTP device can only be used for authentication and cannot be used to encrypt or sign data.