With the popularity of the Internet and the rise of e-business and e-government, more and more people begin to try online transactions. Meanwhile, more and more personal privacy and business secrets information is transmitted over the network. However, the malicious threats, such as virus, hacker, and phishing fraud, bring a great challenge to the security of online transactions. Endless network crimes lead to a trust crisis to the identity on network. We have to focus on the problems on how to prove “who am I?” and how to prevent identify thefts again. It is urgent to safeguard identify authentication/recognition which is the primary problem in network security. The major identify authentication/recognition methods used in computer and network systems are username/password, ID card, dynamic password and USB Key (Token).
Username/password is the commonest and simplest method for identity authentication, but the password is easy to be doped out by other people. In addition, the password is static data and is transmitted through computer memory and network during authentication, so it is easy to be captured by Trojan or listener on network. Therefore, it's not a good method for identity authentication.
ID card authentication prevents user identity from being counterfeited as ID card cannot be duplicated. But the data read from ID card is also static and it is easy to be captured by memory scan or network listening. The security problems persist.
Dynamic password is a technology that allows user password to change with time or the number of uses, and the password can be used only once. Since each password must be generated by dynamic token and the private hardware of dynamic token is held only by valid user, the user identity can be authenticated through password verification. But if the time or the number of uses between the client and the server is not synchronized properly, a valid user probably could not log in. And the user is required to enter a long string of ruleless password using keyboard each time the user logs in, once there is a typo, the user must enter the password again. Obviously, it is not easy to use.