Authentication is the process of validating a set of credentials provided by, or on behalf of, a user. It is accomplished by verifying one or more of something the user knows, something the user possesses, or some characteristic of the user, through a challenge/response exchange carried out under some authentication protocol. For example, something a user knows may be verified through a shared secret, such as the user's password, or through a secret known only to that user, such as a private cryptographic key (a key held on a device is more commonly treated as a possession factor, since the protocol proves possession of the key rather than knowledge of it). Something a user possesses may be verified with a smartcard or some other form of hardware token. A user characteristic is verified with a biometric input, such as a fingerprint or a retinal scan.
The Internet provides pervasive access to sensitive online information and transactions, including financial account transactions and product ordering. Access to this information must be protected, and unauthorized individuals must not be allowed to execute transactions (e.g., issue invalid orders or make bank account withdrawals). Many online e-commerce providers offer only simple password-level protection for such accounts. Some providers offer more sophisticated authentication, commonly referred to as multi-factor or two-factor authentication. For example, a provider may require a personal identification number (PIN) in combination with a digital certificate, or with a numeric code generated by a token, to authenticate a user. Nonetheless, "user ID and password" combinations remain the most prevalent strategy for authenticating a user who attempts to access a remote resource via the Internet. There is a well-known trade-off between convenience (i.e., a weak password that is easy to remember) and security (i.e., a strong password that mixes letters, digits and symbols, satisfies capitalization rules, etc.). Also, people often use the same user ID/password pair for multiple resources, because they simply cannot manage or remember a different combination for each of the many resources to which they subscribe. Reuse of these combinations, however, reduces the security attainable with this scheme: a breach of any one provider's credential database exposes every other account that shares the same pair.
The common use of loyalty cards raises a related problem: individuals have too many of them. It is difficult, if not impossible, for a person to keep all of them on his or her person at all times. As a result, users often fail to present their loyalty cards and lose loyalty status as a consequence, or they are forced to provide sensitive personal information to a clerk in order to be authenticated instead.
The relative safety of customer/user private data maintained by all of these service providers is also a major concern. As a rule, every service provider obtains private user data at the time of registration (e.g., user name, phone number, address, etc.) and stores this information under a user profile in its own database. Those databases, or parts of them, may be (and quite often are) stolen or breached and then used for criminal purposes. Moreover, combining data from different sources can provide a detailed picture of a user's life, creating the opportunity for fraud such as identity, account or credit fraud.
The problems associated with weak authentication and loss of private data present the largest threats to the future of e-commerce.