In order to gain access to applications or other resources via a computer or another device, users are often required to authenticate themselves by entering authentication information. Such authentication information may comprise, for example, passcodes that are generated by a security token carried by, or otherwise available to, a user. A passcode may be a one-time passcode (OTP) that is generated using a time-synchronous or event-based algorithm. For example, in the time-synchronous algorithm, the OTP changes at the end of a predetermined time period, e.g., a new OTP is generated by the token every 60 seconds. One particular example of a well-known type of security token is the RSA SecurID® user authentication token commercially available from RSA Security Inc. of Bedford, Mass., U.S.A.
However, as security fraud techniques progress, the use of traditional OTPs generated by a security token may not be secure enough for certain security applications. To improve security with the OTP approach, user-known information (e.g., a fixed prefix or suffix of digits or characters representing a password) can be added to the OTP generated by the token. This improvement achieves so-called two-factor authentication (user-known information + OTP). Still, security concerns may exist with respect to the robustness of this particular two-factor authentication approach for certain security applications.
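The following sketch is an added example, not part of the original text and not the algorithm used by the token named above: it substitutes the public HMAC-based construction from RFC 6238 to show a 60-second time-synchronous OTP and server-side verification of a "fixed prefix + OTP" passcode. The 6-digit code length, the prefix layout, the one-window drift allowance and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # the text's example period: a new OTP every 60 seconds
OTP_DIGITS = 6      # assumed code length


def time_otp(seed: bytes, unix_time: int) -> str:
    """OTP for the time window containing unix_time (RFC 6238 construction)."""
    counter = struct.pack(">Q", unix_time // STEP_SECONDS)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** OTP_DIGITS).zfill(OTP_DIGITS)


def pin_record(pin: str, salt: bytes) -> bytes:
    """Stored form of the user-known prefix: salted, deliberately slow hash."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def verify_passcode(passcode, seed, salt, stored_pin, unix_time, last_window=-1):
    """Check a 'PIN prefix + OTP' passcode.

    Returns the accepted time window, or None on failure. last_window is the
    window of the previous successful login, so a used code cannot be replayed.
    """
    if len(passcode) <= OTP_DIGITS:
        return None                              # no room for a prefix
    pin, otp = passcode[:-OTP_DIGITS], passcode[-OTP_DIGITS:]
    pin_ok = hmac.compare_digest(pin_record(pin, salt), stored_pin)
    window = unix_time // STEP_SECONDS
    # Accept the current window and the previous one to tolerate clock drift.
    for w in (window, window - 1):
        expected = time_otp(seed, w * STEP_SECONDS).encode()
        otp_ok = hmac.compare_digest(expected, otp.encode())
        if otp_ok and pin_ok and w > last_window:
            return w
    return None
```

Both factors are compared in constant time and evaluated on every attempt, so a failure does not reveal which of the two was wrong.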