When computers were invented decades ago, most authentication consisted of users keying in a username and password to gain system access. Today little has changed: users type in a username (or an email address) and a password to log in. Some improvements to this traditional login have appeared, such as secure keyboards, smartcards, electronic tokens, biometric scanners, SSL encryption, Turing anti-robot challenges (CAPTCHAs), virus scanners, anti-spyware tools, and keylogger protection. Unfortunately, hackers and their technology have readily adapted, and they meet little resistance in their widespread theft of usernames and passwords, or in their hijacking of login sessions, credit cards, and bank accounts. Hackers use tricks and tools such as viruses, Trojan horses, worms, spyware, software keyloggers, hardware key-press recorders, phishing attacks, spoof web sites, confidence tricks, dictionary attacks, and numerous other security exploits.
Computers and the internet are increasingly relied upon to handle valuable information, and hence are increasingly targeted by criminals. It is now very important to secure the login process and to protect people's usernames and passwords.
It would be preferable to secure the login process using only standards-based technology (a mouse, a keyboard, and a web browser), without requiring additional software to be deployed on the user's computer.
Threat 1—Phishing—a confidence trick whereby the attacker attempts to lure a victim into revealing their username and password (usually, but not always, by getting them to log in to a spoof or look-alike web site)—is the most widespread and successful attack method plaguing the internet today.
This threat succeeds because victims are unaware that they are revealing their password to the wrong party, which is the consequence of a security oversight by their provider: the victim has been given no easy or foolproof way to verify that the request for their password comes from the legitimate place (e.g., their bank or their online auction provider).
It would be preferable to introduce easy and foolproof protection for verifying such requests (that is, two-way authentication, so called because the computer authenticates to the user as well as the user authenticating to the computer), together with keylogger/spyware protection and secure two-factor authentication (the first factor being something the user knows, their password; the second factor being something the user has, usually a physical hardware token).
Threat 2—Keyloggers (software and hardware) and security-targeted viruses, spyware, Trojans, and worms are all automated programs designed to steal usernames and passwords. These programs are installed without the user's consent via operating system vulnerabilities, via confidence trickery such as phishing, or via any other method the perpetrators can devise. They all rely on their ability to capture passwords, and on the fact that a stolen password can later be used successfully by the hacker.
It would be advantageous to overcome these threats by providing a non-traditional, and therefore difficult-to-steal, graphical element as part of a user's password, and by providing single-use passwords that, if stolen, cannot later be used again.
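As an added example (not the scheme of this specification), the following Python sketch shows one way the two-way authentication of Threat 1 and the single-use passwords of Threat 2 can be realised with a shared secret provisioned into a hardware token at enrolment. The server must first prove knowledge of that secret to the user's token (the computer authenticating to the user, which a look-alike phishing site cannot do), and only then does the token release a one-time code (HOTP, RFC 4226) whose replay the server rejects. The class names, the "server-proof" challenge label, the look-ahead window and the enrolment secret are assumptions made for illustration; in practice the token-side check would be the user comparing a short value shown on the token with one shown by the site.

```python
import hmac
import hashlib
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


class Server:
    """The genuine site. Holds each user's enrolled token secret and a per-user HOTP counter."""

    def __init__(self):
        self.users = {}  # username -> {"secret": bytes, "counter": int}

    def enrol(self, username: str, secret: bytes) -> None:
        self.users[username] = {"secret": secret, "counter": 0}

    def prove_identity(self, username: str, client_nonce: bytes) -> bytes:
        # Step 1: the computer authenticates to the user. Only a party holding the
        # enrolled secret can compute this value for a fresh nonce.
        rec = self.users[username]
        return hmac.new(rec["secret"], b"server-proof" + client_nonce, hashlib.sha256).digest()

    def verify_otp(self, username: str, code: str, look_ahead: int = 5) -> bool:
        # Step 2: accept a one-time code and move the counter past it, so the same
        # code (e.g. one captured by a keylogger) is refused if presented again.
        rec = self.users[username]
        for c in range(rec["counter"], rec["counter"] + look_ahead):
            if hmac.compare_digest(hotp(rec["secret"], c), code):
                rec["counter"] = c + 1
                return True
        return False


class PhishingSite:
    """A look-alike site: it never received the enrolment secret, so it can only guess."""

    def prove_identity(self, username: str, client_nonce: bytes) -> bytes:
        return secrets.token_bytes(32)


class Token:
    """The user's hardware token: holds the same secret and its own counter."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def expected_server_proof(self, nonce: bytes) -> bytes:
        return hmac.new(self.secret, b"server-proof" + nonce, hashlib.sha256).digest()

    def next_code(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


def login(server: Server, token: Token, username: str, phishing_site=None):
    """Client side of the exchange. The password/code is withheld until the site proves itself."""
    nonce = secrets.token_bytes(16)
    responder = phishing_site if phishing_site is not None else server
    proof = responder.prove_identity(username, nonce)
    if not hmac.compare_digest(proof, token.expected_server_proof(nonce)):
        return ("aborted", "site failed to prove itself; nothing revealed")
    code = token.next_code()
    return ("accepted" if server.verify_otp(username, code) else "rejected", code)


def demo():
    secret = b"12345678901234567890"  # constructed: the RFC 4226 test-vector secret
    server = Server()
    server.enrol("alice", secret)
    token = Token(secret)
    status, code = login(server, token, "alice")                 # genuine site: "accepted"
    replayed = server.verify_otp("alice", code)                   # same code again: False
    phished, _ = login(server, token, "alice", PhishingSite())    # spoof site: "aborted"
    return status, replayed, phished


if __name__ == "__main__":
    print(demo())
```

Two points a practitioner should note: the server's proof is bound to a fresh client nonce, so a phishing site cannot simply relay a proof it captured earlier; and the look-ahead window is what lets the server tolerate a token whose counter has drifted ahead (a code generated but never submitted) while still refusing any code at or below the last accepted counter.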
Threat 3—Careless users—it is often said (but is not true) that no amount of security can protect people from their own mistakes: writing their passwords down on paper, telling other people what their passwords are, or choosing easy-to-guess passwords.
It would be advantageous to provide a strong level of protection to everyday users in a way that is easy enough to use that the users themselves barely notice they are being protected from their own mistakes.
Threat 4—Denial of Service (DoS) attacks—are a type of indirect threat in which a particular user is denied access to an account on a server computer by the server's own conventional security software (its account-lockout logic). This type of attack works as follows: the attacker obtains or guesses the username of the person whose access is to be denied. The attacker then repeatedly accesses the authentication/login page of the server computer and repeatedly submits the victim's username along with a bogus password. After a certain number of such failed attempts, the server's security software notices that the victim's username is being attacked by multiple login attempts and cuts off access to that username, even though the attacker never had any realistic intention of accessing the service. The attacker then ceases the attack. When the victim next attempts to access the service, they are denied by the security software, which has no method of distinguishing the real user (the victim) from the attacker.
It would be advantageous to provide a method of preventing denial-of-service attackers from reaching the real authentication/login page of the victim.
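As an added illustration (not the method of this specification), the Python below contrasts the lockout logic described under Threat 4 with one common mitigation: scoping the hard lock to the (username, source) pair, and, once a username has absorbed many failures from anywhere, raising the bar by demanding the second factor rather than closing the account outright. The attempt log, the addresses, the threshold and the policy names are constructed for the example.

```python
from collections import defaultdict

LOCK_THRESHOLD = 5  # assumed policy value for the example


class NaiveLockout:
    """The lockout described under Threat 4: failures are counted per username only,
    so anyone who knows the username can lock the real user out with bogus passwords."""

    def __init__(self):
        self.failures = defaultdict(int)

    def check(self, user, source, password_ok, second_factor_ok=False):
        if self.failures[user] >= LOCK_THRESHOLD:
            return "locked_out"            # victim and attacker are indistinguishable here
        if password_ok:
            self.failures[user] = 0
            return "allowed"
        self.failures[user] += 1
        return "denied"


class ScopedLockout:
    """Mitigation: the hard lock applies to (username, source), so a flood from one
    source locks only that source. When the username as a whole is under attack, a
    correct password alone is no longer enough; the second factor is required instead
    of refusing the account."""

    def __init__(self):
        self.per_source = defaultdict(int)   # (user, source) -> consecutive failures
        self.per_user = defaultdict(int)     # user -> failures from any source

    def check(self, user, source, password_ok, second_factor_ok=False):
        if self.per_source[(user, source)] >= LOCK_THRESHOLD:
            return "locked_out"
        under_attack = self.per_user[user] >= LOCK_THRESHOLD
        if password_ok and (second_factor_ok or not under_attack):
            self.per_source[(user, source)] = 0
            return "allowed"
        if password_ok:
            return "step_up_required"      # right password, but the account is under attack
        self.per_source[(user, source)] += 1
        self.per_user[user] += 1
        return "denied"


# Constructed attempt log (not from the page): (username, source, password_ok, second_factor_ok)
ATTACKER, VICTIM_PC, VICTIM_LAPTOP = "203.0.113.9", "198.51.100.4", "198.51.100.77"
ATTEMPTS = [("victim", ATTACKER, False, False)] * 20 + [
    ("victim", ATTACKER, True, False),        # attacker who has learned the password but has no token
    ("victim", VICTIM_LAPTOP, True, False),   # the real user, right password, token left at home
    ("victim", VICTIM_PC, True, True),        # the real user, right password, token in hand
]


def simulate(policy_cls):
    """Replay the log through a policy; return the outcomes of the last three attempts."""
    policy = policy_cls()
    outcomes = [policy.check(*attempt) for attempt in ATTEMPTS]
    return tuple(outcomes[-3:])


if __name__ == "__main__":
    print("naive :", simulate(NaiveLockout))    # victim refused along with the attacker
    print("scoped:", simulate(ScopedLockout))   # attacker's source locked, victim admitted
```

The caveats are the usual ones: a source address is a weak identifier, so an attacker spreading the flood across many sources will still drive the per-user counter past the threshold, which is exactly why the scoped policy falls back to a step-up challenge rather than a lock; and in a deployed system both counters would be windowed by time so that old failures expire.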