As Internet usage becomes more popular, increasing numbers of users desire to conduct secure transactions, access sensitive information, and the like, using the Internet. At the same time, however, identity theft and fraudulent online transactions are increasing at alarming rates. Many solutions have been implemented to counter the growing incidence of online fraud, including the use of tokens in combination with passwords to provide two-factor authentication. One such solution, known as SecurID, is provided by RSA Security. To defeat such a solution, an attacker must obtain both the password and the token in order to masquerade as the owner. Such solutions, however, are cumbersome and expensive since tamper-resistant hardware tokens have to be built, personalized, distributed, and protected.
Other solutions employ “lockstep” mechanisms in which both tokens and an authentication server increment a lockstep code, which the token must provide for successful identity verification. Such solutions are less than ideal since the lockstep code is known to fall within a fairly narrow range, making guessing it rather easy for an intruder. More importantly, however, once an intruder knows the correct lockstep code, generating subsequent lockstep codes is trivial.
For at least the foregoing reasons, improved solutions are needed.