Computer networks, such as those provided at a workplace, university, or another organization, are often configured to allow users to gain network access remotely through virtual private networks (VPNs), customized network settings, and/or other technologies. To gain access, users are generally required to authenticate to the remote network. Authentication may involve users providing various authentication factors, such as passwords, token codes, and personal identification numbers (PINs). Remote networks generally include, or have access to, an authentication server. The authentication server receives authentication requests from users and either grants or denies access, based on whether authentication factors provided with the requests match expected values. For added security, networks often require that multiple authentication factors be entered and verified before access can be granted.
A common two-factor authentication scheme involves both a token code and a personal identification number (PIN). The token code, also known as a one-time password, or “OTP,” is generated automatically, such as by a portable device that a user has in his or her possession. The PIN is a number, or possibly an alpha-numeric string, that the user has memorized. Both the token and the PIN have been registered previously in connection with the user at the authentication server. The user enters both the token code and the PIN in one or more fields of a network login screen on the user's computer. Access to the remote network is only granted to the user's computer if both the token code (something the user has) and the PIN (something the user knows) can be verified. An example of a portable token is SecurID®, which is available from RSA Security LLC, Bedford, Mass.
Recently, software has been introduced to perform the functions of tokens on smart mobile devices, such as smart phones, personal digital assistants (PDAs), and tablets. See, e.g., RSA SecurID, “Software Authenticators,” downloadable from http://www.emc.com/security/rsa-securid/rsa-securid-software-authenticators/iphone-and-ipad.htm. In one example, a user of a computer wishing to access a remote network enters his or her PIN into a field displayed on the user's mobile device. The mobile device sends the PIN to an authentication server. If the PIN matches an expected value, the authentication server sends back a signal to unlock the mobile device to allow the mobile device to display a token code. The user can then transfer the token code manually to the computer to enable the computer to gain access to the remote network.
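The token-code-plus-PIN scheme of the two preceding paragraphs, written out as an added Python example (not code from the patent or from RSA's products): the portable token side is modelled with the event-based HOTP algorithm of RFC 4226 as an assumption, since the text does not specify the token's algorithm, and the server side verifies a salted PIN hash and the token code together, advancing a per-user counter so a used code cannot be replayed. User names, PIN and secret are constructed sample values.

```python
import hashlib
import hmac
import os
import struct


def generate_token_code(secret: bytes, counter: int, digits: int = 6) -> str:
    """What the portable token displays: an event-based OTP (RFC 4226 HOTP)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class AuthServer:
    """Per user: salted PIN hash, the registered token secret and its event counter."""

    def __init__(self, lookahead: int = 3):
        self.lookahead = lookahead   # how many skipped token events the server tolerates
        self.users = {}

    def register(self, user: str, pin: str, token_secret: bytes) -> None:
        salt = os.urandom(16)
        pin_hash = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)
        self.users[user] = {"salt": salt, "pin_hash": pin_hash,
                            "secret": token_secret, "counter": 0}

    def authenticate(self, user: str, pin: str, token_code: str) -> bool:
        record = self.users.get(user)
        if record is None:
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), record["salt"], 100_000)
        pin_ok = hmac.compare_digest(candidate, record["pin_hash"])   # something the user knows
        matched = None                                                # something the user has
        for c in range(record["counter"], record["counter"] + self.lookahead):
            if hmac.compare_digest(generate_token_code(record["secret"], c), token_code):
                matched = c
                break
        if not pin_ok or matched is None:
            return False            # same answer whichever factor failed; counter untouched
        record["counter"] = matched + 1   # code consumed: it and earlier ones are never accepted again
        return True
```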
PINs can be used alone or in combination with token codes or other factors to afford a high level of security. Unfortunately, however, PINs can be inconvenient. For example, users need to register their PINs. In addition, PINs can sometimes compromise security, as users may write down their PINs in presumably safe locations. Malicious parties, however, can sometimes discover and steal the PINs. Furthermore, a user may use only a single PIN for different applications, in an effort to avoid having to remember multiple PINs, thereby increasing the chance that the PIN will be stolen.
U.S. patent application Ser. No. 13/341,160, filed Dec. 30, 2011, entitled “Biometric Authentication with Smart Mobile Device,” (now U.S. Pat. No. 8,752,145), incorporated by reference herein, employs the mobile device of a user to obtain picture information of the user and then use the picture information as part of a biometric authentication operation of the user. In some examples, a server stores picture information for different users along with associated PINs. By matching picture information from a user's mobile device with picture information stored on the server, the user's PIN can be obtained, without the user having to register or remember the PIN.
While such biometric authentication techniques using the smart mobile device of the user have avoided some of the inconvenience and potential security risks associated with conventional PINs, a need still remains for event-based authentication techniques that provide improved security. A further need remains for mobile authentication techniques that do not require the token or token generating material to be stored on the mobile device of the user.