Authentication is a mechanism for verifying the identity of an individual or entity, e.g., one seeking access to a physical location or a visitor to a Web site or particular Web application. A simple form of authentication requires the visitor to supply a user name and password. Multi-factor authentication is an approach to authentication which requires that the user of a system provide more than one form of verification in order to prove his or her identity and be allowed access to the system or some portion thereof, e.g., to a Web site or a specific Web page/application. Multi-factor authentication takes advantage of a combination of several factors of authentication. Three major factors are: something the user knows (such as a user name or password); something the user has, e.g., a software and/or hardware authenticator (also “token”) such as a smart card, an Internet access device having, e.g., a unique uniform resource locator (URL) identifier, or another security token; and something the user is (personal identifiers, e.g., biometrics: fingerprints, voice recognition, retinal scans, facial recognition systems, etc.). Each authentication factor can cover a range of elements used to authenticate, i.e., verify, a person's identity prior to that person being granted access, having a transaction request approved, signing a document or other work product, granting authority to others, etc. Because of their increased complexity, authentication systems using a multi-factor configuration are in general harder to compromise than ones using a single factor, even ones using several different examples of a single factor, e.g., a user name together with a password, personal identification number (“PIN”) or the like.
An authenticator (“security token”), which as noted may be, e.g., a hardware/software token, authentication token, universal serial bus (USB) token, cryptographic token, electronic key fob (or the key itself), or another user device with a unique URL or the like, may be a physical device that an authorized user of computer services can be given, e.g., by the provider of the service, to facilitate authentication. The term may also refer to software tokens, e.g., contained within a hardware authenticator (“token”). Security tokens can be used to prove one's identity electronically (as in the case of a customer/user trying to access his or her own bank account). The token can be used in addition to or in place of a password to prove that the customer/user is who he/she claims to be. The token can act, e.g., like an electronic key to access something, e.g., a physical location or a virtual location, e.g., on-line. Some tokens may store cryptographic keys, digital signatures, biometric data, or other data, which itself may be encrypted. Some token designs feature, e.g., tamper resistant packaging, while others may include a small keypad to allow entry of a personal identification number (“PIN”), or a simple button to start a generating routine, with some display capability to show a generated key number or a value to be used along with the user's own key number, i.e., password or PIN. Some token designs can include, e.g., a USB connector, radio frequency ID (“RFID”) functions or a Bluetooth wireless interface to enable transfer of a generated key number or other authenticator number, code or the like, e.g., to a client system.
“True” multi-factor authentication requires the use of elements from two or more categories. Supplying a user name (“something the user knows”) and a password (more of “something the user knows”) is still single factor authentication, despite the use of multiple pieces of distinct information. An example of true multi-factor authentication is requiring that the user also utilize a hardware token or Virtual Token™, a smart card or USB dongle (“something the user has”), or a thumbprint or iris scan (“something the user is”). This is distinct from the biometric identifying data itself, which, when it is stored in a token in the user's possession, may instead be considered something the user “has.”
At the same time as validating the identity of a user, many relying parties, e.g., online sites, can also attempt to confirm the validity of the site to the user, i.e., attest to the user that the site is who it claims to be. Because this is authentication in the opposite direction, it is called “mutual authentication.” A relatively weak form of mutual authentication displays, e.g., an image and/or phrase previously selected by the user. More advanced forms of mutual authentication can engage in a challenge/response with the user's device: the relying party sends the user's device a challenge, which can be, e.g., a one-time key, that the user's device can identify as uniquely coming from that particular relying party, and the user's device answers with a response unique to the user's device. There are many other possible examples.
A credential is an attestation of qualification, competence, or authority issued to an individual, usually by a third party with a relevant or de facto authority or assumed competence to do so. Issuance or granting of a credential is an act of such attestation. Relevant examples of credentials include certifications, security clearances, identification documents, badges, passwords, user names and keys, including electronic keys such as encryption keys. Credentials in information technology (“IT”) systems are widely used to control access to information or other resources. The combination of a user account number or name and a secret password is a widely-used example of IT credentials. An increasing number of information systems use other forms of credentials, such as biometric identifying templates or public key certificates, e.g., X.509 certificates.
Authentication factors of the same type, used for granting credentials to an individual or entity, are generally subject to the same types of attack by fraudsters or spoofers. As an example, the “something you have” factor may be represented by, and analogized to, a key to a lock. The key embodies the authenticator: a secret which is shared between the lock and the key, i.e., between the relying party and the user, and which enables the possessor of the key to gain access to the place where the relying party wishes to control access. Such a system may be attacked in several ways. One is an attack on the authenticator itself, or on the management system used to issue the secret, in order to obtain knowledge of the secret, i.e., to obtain the key or a copy of the key.
As an example, in a computer system, obtaining such access to the stored secret might be possible through a structured query language (“SQL”) injection. Alternatively, the attacker could steal the key from the authorized user and, if possible, make a copy of the key before the authorized user realizes that the theft occurred, thus reducing the likelihood that the user will immediately change the key. In a so called “man-in-the-middle attack” the fraudster inserts himself/herself into the communication channel and masquerades as the party requesting authentication, i.e., the relying party, such as the employer of the valid user. In such a way the intruder/fraudster can, e.g., intercept the key that the user provides to the relying party and then later use the key himself/herself.
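The SQL injection route mentioned above, as an added illustration (not code from the original text): a credential store is queried with the user-supplied name spliced into the statement, so a tautology payload returns every stored token secret, whereas the bound-parameter form returns nothing for the same input. The table layout, the rows and the function names are constructed for this example only.

```python
"""Added example: a SQL injection against a token/credential store leaks the
shared secrets behind users' tokens. Schema, rows and names are hypothetical."""
import sqlite3

# Constructed sample credential table: username -> token seed (the shared secret).
SAMPLE_ROWS = [
    ("alice", "seed-alice-1111"),
    ("bob", "seed-bob-2222"),
]


def make_store() -> sqlite3.Connection:
    """Create an in-memory credential store populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tokens (username TEXT PRIMARY KEY, seed TEXT NOT NULL)")
    conn.executemany("INSERT INTO tokens VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_seed_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable: the username is concatenated into the statement, so any
    quote in it is interpreted as SQL. Returns every row the resulting query matches."""
    sql = "SELECT username, seed FROM tokens WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_seed_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened: the username travels as a bound parameter and is compared as
    data; it can never alter the structure of the statement."""
    sql = "SELECT username, seed FROM tokens WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Classic tautology payload: closes the string literal, then ORs in an always-true test.
INJECTION = "x' OR '1'='1"


def demo() -> tuple:
    """Run both lookups with the injection payload against a fresh store.
    Returns (rows leaked by the vulnerable query, rows from the safe query)."""
    conn = make_store()
    leaked = lookup_seed_vulnerable(conn, INJECTION)  # whole table comes back
    safe = lookup_seed_safe(conn, INJECTION)          # no user is literally named that
    conn.close()
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable query leaked:", leaked)
    print("parameterized query returned:", safe)
```

The vulnerable statement becomes `SELECT username, seed FROM tokens WHERE username = 'x' OR '1'='1'`, which is true for every row; this is exactly the “attack on the management system used to issue the secret” that yields a copy of every key at once, without touching any user's token.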
The security of the system therefore relies on the integrity of the authenticator and on physical or electronic protection of the “something you have.” Copy protection of the “something you have” can, therefore, be useful. This may comprise some form of physical tamper resistance or tamper-proofing. It may use a challenge/response to prove knowledge of the shared secret whilst avoiding the risk of disclosing it. It may involve the use of a PIN or password associated with the device itself, independent of any password that might have been demanded as a first factor. A challenge/response, however, will not defeat a man-in-the-middle attack on the current authentication session, but it can prevent the attacker from successfully reusing or replaying captured credentials in a later, separate session. Even biometrics are subject to spoofing by fraudsters. Fingerprints can be lifted from something touched by a user whose fingerprint is an authenticating factor. As seen in the movies and read in fiction, eyeballs can be gouged from the socket, hands can be lopped off, etc. In this context, systems that can detect whether or not the presented biometric is part of a living human can be useful in further maintaining the integrity of the user's presentation of the “something the user is.”
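The mutual challenge/response described in the two passages above (the relying party proving itself to the device, the device proving itself to the relying party, and the limits of that exchange), as an added example that is not part of the original text. It assumes a symmetric key shared between device and relying party at enrollment, HMAC-SHA256 as the proof function, and the message layouts shown; all of those are choices made for this illustration. It shows four things: an honest session succeeds; a forged challenge from someone who does not hold the key is refused by the device; a recorded response replayed into a later session is rejected; and a live relay of the exchange by a man in the middle is still accepted, which is the caveat the text raises.

```python
"""Added example: mutual challenge/response over a shared secret between a
user's device and a relying party (RP). Labels, formats and enrollment are assumptions."""
import hashlib
import hmac
import os


def mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts so adjacent fields cannot run together."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()


class Device:
    """The user's token: holds one shared key per relying party it is enrolled with."""

    def __init__(self, device_id: bytes):
        self.device_id = device_id
        self.keys = {}  # rp_id -> shared key

    def respond(self, challenge):
        """Answer only if the challenge carries a MAC that proves the sender holds
        the key shared with the named RP (site-to-user direction); else return None."""
        rp_id, nonce_rp, tag = challenge
        key = self.keys.get(rp_id)
        if key is None or not hmac.compare_digest(tag, mac(key, b"rp-challenge", rp_id, nonce_rp)):
            return None
        nonce_dev = os.urandom(16)
        proof = mac(key, b"device-response", rp_id, nonce_rp, self.device_id, nonce_dev)
        return (self.device_id, nonce_dev, proof)  # unique to this device and session


class RelyingParty:
    """Site/service side: one shared key per enrolled device, one nonce per session."""

    def __init__(self, rp_id: bytes):
        self.rp_id = rp_id
        self.keys = {}     # device_id -> shared key
        self.pending = {}  # nonce_rp -> device_id still awaiting a response

    def enroll(self, device: Device) -> None:
        key = os.urandom(32)  # assumption: delivered to the device out of band at enrollment
        self.keys[device.device_id] = key
        device.keys[self.rp_id] = key

    def challenge(self, device_id: bytes):
        """Issue a fresh nonce, MACed so only this RP could have produced it."""
        nonce_rp = os.urandom(16)
        self.pending[nonce_rp] = device_id
        return (self.rp_id, nonce_rp, mac(self.keys[device_id], b"rp-challenge", self.rp_id, nonce_rp))

    def verify(self, nonce_rp: bytes, response) -> bool:
        """Accept a response once, and only for the session that issued nonce_rp."""
        device_id = self.pending.pop(nonce_rp, None)
        if device_id is None or response is None:
            return False
        resp_id, nonce_dev, proof = response
        if resp_id != device_id:
            return False
        expected = mac(self.keys[device_id], b"device-response", self.rp_id, nonce_rp, device_id, nonce_dev)
        return hmac.compare_digest(proof, expected)


def honest_session(rp: RelyingParty, dev: Device) -> bool:
    ch = rp.challenge(dev.device_id)
    return rp.verify(ch[1], dev.respond(ch))


def forged_rp_challenge(rp: RelyingParty, dev: Device):
    """An impostor site without the shared key sends a made-up challenge."""
    fake = (rp.rp_id, os.urandom(16), os.urandom(32))
    return dev.respond(fake)  # device refuses: None


def replayed_response(rp: RelyingParty, dev: Device) -> bool:
    """Attacker records session 1's response and replays it into session 2."""
    ch1 = rp.challenge(dev.device_id)
    recorded = dev.respond(ch1)
    ch2 = rp.challenge(dev.device_id)  # new session, new nonce
    return rp.verify(ch2[1], recorded)  # bound to nonce 1, so rejected


def relayed_live_session(rp: RelyingParty, dev: Device) -> bool:
    """A man in the middle forwards the live challenge to the device and the device's
    response back, unchanged: the RP cannot tell, so challenge/response alone does not
    defeat an attack on the current session."""
    ch = rp.challenge(dev.device_id)  # attacker passes this on to the real device...
    return rp.verify(ch[1], dev.respond(ch))  # ...and passes the genuine response back
```

The replay is defeated because the device's proof is bound to the relying party's one-time nonce and the relying party consumes each nonce on first use; the live relay is not, because nothing in the exchange ties the response to the channel the attacker sits on, which is why the text pairs challenge/response with device-side PINs, tamper resistance and, for biometrics, liveness detection rather than relying on it alone.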
There remains, therefore, a need for a system and method allowing authenticators, e.g., banks, credit card companies, telecommunications companies, computer operating systems, employers and the like, to assess the likelihood that a person or entity seeking a credential, and therefore also credentialed access to a location, physical or in cyber-space, or authority to engage in a transaction, or both, is in reality the individual or entity that the authenticator (“relying party”) believes the person or entity to be. Thus, there is a need for a strong authentication process. Such authentication can also be used in reverse, e.g., for users authenticating the authenticator. This is especially true for access requests and transaction authentications that are not conducted in person but “through the cloud,” i.e., virtually over some electronic network, like the Internet.