Generally, security systems employ an identity-based authentication scheme in order to verify the identity of a user seeking access to a protected resource (e.g., a computerized resource). One goal of such security systems is to accurately determine identity so that an unauthorized party cannot gain access. Security systems can use one or more of several factors, alone or in combination, to authenticate users. For example, security systems can be based on something the user knows, something the user is, or something that the user has.
Examples of something a user knows are a code word, password, personal identification number (“PIN”) and the like. One exemplary computer-based method involves the communication of a secret that is specific to a particular user. The user seeking authentication transmits the secret or a value derived from the secret to a verifier, which authenticates the identity of the user. In a typical implementation, a user communicates both identifying information (e.g., a user name) and a secret (e.g., a password) to the verifier. The verifier typically possesses records that associate a secret with each user. If the verifier receives the appropriate secret for the user, the user is successfully authenticated. If the verifier does not receive the correct secret, the authentication fails.
Examples of something the user is include a distinct characteristic or attribute known as a biometric. As is known to those skilled in the art, a biometric is a physical or behavioral characteristic or attribute that can be used to identify a person uniquely. Biometrics that facilitate accurate identification of a person include fingerprints, facial recognition, retinal blood vessel patterns, DNA sequences, voice and body movement recognition, and handwriting and signature recognition. In one exemplary method, a verifier observes these characteristics before deciding whether or not to authenticate; this observation is referred to generally as biometric measurement. The verifier then compares the observed characteristics to records of characteristics associated with the user. If the comparison is successful, the verifier grants authentication; otherwise, authentication is denied.
An example of something a user possesses is a physical or digital object, referred to generally as a token, that is unique, or relatively unique, to the user. It will be appreciated that possession of a token such as a bank card having certain specific physical and electronic characteristics, for example one containing a specific identification number that is revealed when the token is accessed in a particular manner, can serve as this type of factor. A token containing a computing device that performs encryption using an encryption key held in the device is also regarded as this type of factor. For example, a token could accept user input, which might include a PIN or a challenge value, and provide as output a result encrypted with a secret encryption key stored in the token. A verifier then compares the output to an expected value in order to authenticate the user.
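The challenge-response token described above, as an added example that is not part of the original text: the token answers the verifier's challenge with an HMAC-SHA256 over the challenge and the entered PIN using a key that stays on the device, and the verifier recomputes the expected value from its own record and compares it in constant time. The keyed-MAC construction, the single-use challenge and the user record layout are assumptions; the scenarios at the end show a genuine login succeeding while a replayed response, a wrong PIN and a device without the enrolled key all fail.

```python
import hashlib
import hmac
import secrets


class Token:
    """Something the user has: holds a secret key that never leaves the device."""
    def __init__(self, key: bytes) -> None:
        self._key = key

    def respond(self, challenge: bytes, pin: str) -> bytes:
        # Assumed construction: keyed MAC over the challenge and the PIN typed in.
        return hmac.new(self._key, challenge + pin.encode(), hashlib.sha256).digest()


class Verifier:
    """Holds each user's (key, PIN) record and checks token responses."""
    def __init__(self, records: dict[str, tuple[bytes, str]]) -> None:
        self._records = records
        self._pending: dict[str, bytes] = {}  # one outstanding challenge per user

    def challenge(self, user: str) -> bytes:
        # Fresh random challenge; consumed by the first verify, so replays fail.
        self._pending[user] = secrets.token_bytes(16)
        return self._pending[user]

    def verify(self, user: str, response: bytes) -> bool:
        nonce = self._pending.pop(user, None)
        record = self._records.get(user)
        if nonce is None or record is None:
            return False
        key, pin = record
        expected = hmac.new(key, nonce + pin.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time compare


def run_scenarios() -> dict[str, bool]:
    """Constructed scenarios: genuine login, replay, wrong PIN, other device."""
    key = secrets.token_bytes(32)
    token, verifier = Token(key), Verifier({"alice": (key, "4821")})
    results = {}
    c = verifier.challenge("alice")
    good = token.respond(c, "4821")
    results["genuine"] = verifier.verify("alice", good)
    results["replay"] = verifier.verify("alice", good)  # challenge already used
    c = verifier.challenge("alice")
    results["wrong_pin"] = verifier.verify("alice", token.respond(c, "0000"))
    c = verifier.challenge("alice")  # next: a device lacking the enrolled key
    results["other_token"] = verifier.verify("alice", Token(b"\x00" * 32).respond(c, "4821"))
    return results
```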
Unfortunately, the above authentication factors do not always provide sufficient means of authentication. It is known that these factors can from time to time be obtained by unauthorized parties or fraudsters. For example, a fraudster may illegally obtain a token from a user without the user's knowledge. The fraudster may then have a window of time in which to fraudulently authenticate under the user's identity before the user notices the missing token. It is, therefore, important to have additional authentication factors that, either alone or in combination with the above factors, strengthen the authentication process such that the exposure of one authentication factor to a fraudster does not immediately result in a fraudulent transaction.