1. Field of the Invention
The present invention is directed to computer systems. More particularly, it is directed to authentication within computing environments.
2. Description of the Related Art
Password-based authentication protocols are among the most prevalent authentication protocols in use today. Typically, password-based authentication includes the use of a username that identifies a user and a password that verifies the user's identity. Many applications in use today utilize password-based authentication including online accounts, such as online bank accounts, online credit card accounts, and various online consumer accounts. For instance, before accessing an online bank account through the Internet, a user may be required to provide the bank website with a username and password in order to verify the user's identity. If the user provides the correct username and password combination, they may be given access to the online bank account in order to view account statements, transfer funds to other bank accounts, and other activities usually reserved for authorized individuals.
Since username and password combinations typically protect valuable items, such as access to bank or credit accounts, they have become frequent targets for social engineering attacks. One such attack is commonly referred to as “phishing.” Phishing is performed by “phishers” who attempt to fraudulently acquire sensitive information about a user including, but not limited to, username and password combinations, credit card numbers, addresses, names, personal identification numbers (PINs), and other information that may be used to defraud an individual. One common form of phishing is implemented through electronic mail messages (“emails”) that appear to be sent from a credible source. In many cases, a fraudulent email informs a user of an artificial circumstance that requires the user to provide sensitive information, such as a username and password. For example, some emails sent by phishers may indicate that a user's online account has recently undergone upgrades and that the user must provide their username and password to regain access to the account. Such emails may include a hyperlink to a fraudulent webpage that appears to be a legitimate login page of an online account. If an unsuspecting user provides their username and password to the fraudulent webpage, the username and password may be compromised, and the phisher may use the username and password to impersonate the user.
Various techniques have been utilized to prevent damage from phishing and other social engineering attacks. One such method includes requiring the user to carry a “token.” A token is typically “something that the user has” that verifies the user's identity. In other words, the user may verify his identity by proving he has possession of the token. The token may indicate a security code, such as through an electronic display. In many cases, the security code is time-dependent (e.g., the security code may change every minute). In most cases, the security code changes based on a time-dependent algorithm which is also known to the verifying entity (e.g., a bank), and thus the verifying entity may use the algorithm to determine if a given security code is legitimate. Authentication protocols including tokens may require the user to provide a username, a password, and the security code of the token. Accordingly, if a phisher obtains the username and password of a user, the phisher may not easily impersonate the user since the security code is also needed to gain access to the user's account. In spite of the use of a token, there are some circumstances when a phisher may access the user's account. For example, if a phisher obtains a username, password, and token security code, the phisher may impersonate the user at any time before the token security code expires. Additionally, the use of a token does not alone prevent “man-in-the-middle” attacks, such as situations where an attacker has complete (or nearly complete) access to the communication channel between a user and a verifier (e.g., an online bank).
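The verifier-side check the paragraph describes, with the noted weakness (a captured code stays usable until it expires) narrowed by accepting each code only once, as an added example that is not part of the patent. It assumes the time-dependent algorithm is an HMAC-SHA1 code over a 60-second counter and uses a constructed shared secret; the algorithm choice and all names are assumptions.

```python
import hashlib
import hmac
import struct

# Assumptions (not from the page): the token's time-dependent algorithm is an
# HMAC-SHA1 truncated to 6 digits over a 60-second counter, and the verifier
# shares SECRET with the token. SECRET is a constructed sample value.
SECRET = b"constructed-shared-secret"
STEP_SECONDS = 60
DIGITS = 6


def security_code(secret: bytes, unix_time: int) -> str:
    """Derive the code the token would display at unix_time."""
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** DIGITS)).zfill(DIGITS)


class Verifier:
    """Verifier that accepts a given code only once per time step, so a code
    captured by a phisher cannot be replayed while it is still valid."""

    def __init__(self, secret: bytes, skew_steps: int = 1):
        self.secret = secret
        self.skew_steps = skew_steps  # tolerate small clock drift
        self.used = {}  # username -> set of counters already accepted

    def verify(self, username: str, code: str, now: int) -> bool:
        counter = now // STEP_SECONDS
        lo, hi = counter - self.skew_steps, counter + self.skew_steps
        for candidate in range(lo, hi + 1):
            expected = security_code(self.secret, candidate * STEP_SECONDS)
            if hmac.compare_digest(expected, code):
                accepted = self.used.setdefault(username, set())
                if candidate in accepted:
                    return False  # replay of an already-accepted code
                accepted.add(candidate)
                return True
        return False
```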
Other techniques include requiring the user to make a security decision, such as verifying that a picture previously uploaded by the user is visible on a website to which the user seeks access. In other cases, web browsers and other applications may include security indicators such as security icons (e.g., a “lock” icon) or other indicators (e.g., the display of “https” instead of “http” in the web address field) that indicate the presence of a secure connection. Typically, when displaying an illegitimate webpage, web browsers do not display such indicators, and thus the user, by checking for such indicators, may determine whether a webpage is legitimate or illegitimate. In many cases, security techniques that require the user to make a security decision are unsuccessful due to human error. For example, the user may forget or may not be trained to check for previously uploaded pictures or security indicators.
Some password-based authentication protocols are also susceptible to “brute force attacks.” Brute force attacks include exhaustively checking possible passwords for a given username. For example, if an attacker knows the parameters of a given password, such as password length and possible characters, the attacker may exhaustively check all possible passwords for the given username. Even with modern computing power, some brute force attacks (e.g., for particularly long or well-structured passwords) may be computationally infeasible. To reduce computational cost, an attacker may implement a similar attack known as a “dictionary attack.” Instead of exhaustively checking all possible passwords, a dictionary attack may include checking passwords from a list, such as a list of words from a dictionary as well as variations of such words. In some cases, dictionary attacks may be successful due to many users' tendency to choose passwords that are easy to remember, such as words of their native language.