Participants in a teleconference call are traditionally required to submit a personal identification number (PIN) in order to authenticate themselves and be allowed to join the teleconference call. However, personal identification numbers are insecure for several reasons.
First, in teleconference calls, the same personal identification number (PIN) is ordinarily shared among multiple participants. Therefore, a compromise of the personal identification number (PIN) by one participant in a teleconference call can lead to the security of the whole teleconference being compromised.
Second, the personal identification numbers (PINs) used for teleconference calls are cryptographically weak. The personal identification numbers (PINs) tend to be only several digits long, and, for this reason, they are usually easy to guess by third parties.
Third, personal identification numbers (PINs), in the teleconference context, are not reinforced by attack countermeasures. A common attack countermeasure is to lock an account after several unsuccessful access attempts by the same user. Since the true owner of the account is highly unlikely to mistype the correct password several times in a row, the series of unsuccessful access attempts serves as a warning that someone is trying to guess the correct password.
However, because personal identification numbers (PINs) in teleconference calls are shared, it is impossible to tell if the same person is entering the wrong personal identification number (PIN) multiple times or multiple persons are entering the wrong personal identification number (PIN) once. For this reason, attack countermeasures, such as password lockout, are not suitable in the teleconference context.
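The lockout problem described above can be shown with a short simulation. This is an added example, not part of the original text. The join log is constructed, and the three-failure threshold, the caller names, and the idea that a per-user system receives a caller identifier with each attempt are assumptions.

```python
from collections import Counter

LOCKOUT_THRESHOLD = 3  # assumed policy: lock after three failed attempts

# Constructed join-attempt log: (caller, conference, pin_ok).
# The caller column is visible to the reader only. A shared-PIN bridge
# receives digits, not an identity, so it cannot key a counter on it.
ATTEMPTS = [
    ("alice", "conf-1", False),    # honest typo
    ("bob", "conf-1", False),      # honest typo
    ("carol", "conf-1", False),    # honest typo
    ("alice", "conf-1", True),     # correct PIN on retry
    ("mallory", "conf-2", False),  # guessing
    ("mallory", "conf-2", False),
    ("mallory", "conf-2", False),
    ("dave", "conf-2", True),      # legitimate participant
]

def run_lockout(attempts, key_of, threshold=LOCKOUT_THRESHOLD):
    """Apply a lockout policy; key_of decides what a failure is charged to.

    Returns (locked_keys, callers_denied_despite_a_correct_PIN).
    """
    failures, locked, denied = Counter(), set(), []
    for caller, conf, pin_ok in attempts:
        key = key_of(caller, conf)
        if key in locked:
            if pin_ok:
                denied.append(caller)  # valid credential, still rejected
            continue
        if not pin_ok:
            failures[key] += 1
            if failures[key] >= threshold:
                locked.add(key)
    return locked, denied

def shared_pin_policy(attempts):
    # Shared PIN: the only available key is the conference itself.
    return run_lockout(attempts, lambda caller, conf: conf)

def per_user_policy(attempts):
    # Individual credentials (assumption): failures are charged per caller.
    return run_lockout(attempts, lambda caller, conf: (caller, conf))

if __name__ == "__main__":
    print("shared PIN :", shared_pin_policy(ATTEMPTS))
    print("per user   :", per_user_policy(ATTEMPTS))
```

Keyed on the conference, three unrelated typos and three guesses by one caller produce the same counter value, and both conferences end up locked against their legitimate participants; keyed per caller, only the guessing caller is locked.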
Fourth, there are no strong auditable methodologies to manage personal identification numbers (PINs) in teleconference systems. Ordinarily, security applications, such as bank account gateways, monitor the account access patterns of users by measuring how often an individual password is used. For example, if a user accesses his or her account five times in the same day, the unusual access pattern may signal that the user is not legitimate. However, because the same personal identification number (PIN) is shared among multiple users in the teleconference context, it is impossible to tell whether a single user is using the personal identification number (PIN) in a suspicious way or whether multiple users are using the same personal identification number (PIN) in a seemingly random fashion.
Fifth, personal identification numbers (PINs) in teleconferences are long-standing—they are not updated periodically. While it is theoretically possible for personal identification numbers (PINs) to be discarded after each use and new numbers to be generated, this approach is not usually taken. Distribution and maintenance of personal identification numbers (PINs) carry significant overhead, and, for this reason, they are not usually practiced in teleconference applications. Personal identification numbers (PINs) are managed by a database on a teleconference system and not by a capable identity management system. Therefore, advanced personal identification number (PIN) management techniques are usually not implemented in teleconference systems.
Modern identity management systems, however, periodically update the authentication information for users in order to deter potential attackers. Such updates may consist of asking the user to change their password, user name, security question, and other authentication information. Performing such updates narrows the time window in which an attacker can use a stolen password to break into an account.
Sixth, teleconference personal identification numbers (PINs) are vulnerable to being intercepted during transmission. When a user uses the dial pad of his telephony application to enter a personal identification number (PIN), the dialed number is transmitted as an unencrypted dual tone multi-frequency (DTMF) signal. When this is the case, the unencrypted signals can easily be captured by an eavesdropper on the line. Therefore, the channel for transmission of personal identification numbers (PINs) is insecure and not sufficiently protected.
Seventh, keeping track of multiple identification numbers can be a source of great inconvenience to people who participate in many teleconference calls. If a person has to participate in multiple teleconference sessions on the same day, and the person has a separate personal identification number (PIN) for each session, that person can very easily become confused as to which personal identification number (PIN) is for which teleconference. Therefore, personal identification numbers (PINs) are not suitable for high-volume teleconference participants.
For these reasons, the need exists for a better method for authenticating the participants in a teleconference session.