Prior to the advent of high-speed communications and the proliferation of mobile computing devices such as notebook computers, tablet computers, and smart phones, a user typically accessed data via a single device. With limited means of accessing data, a password and simple encryption often sufficed for security. Now, with a user having access to multiple workstations and mobile computing devices, data may be accessed almost anywhere. Enhanced security measures are not only desired but in many applications required.
In trusted and secure computing environments, validation beyond login credentials, which typically include a user name and password, may be desirable for account and network access. Through careless user actions, malware, phishing, hacking, password cracking and other means, a user's login credentials may be exposed and used for unauthorized access to a user's account.
There are two commonly used general approaches for providing an additional level of security to help prevent unauthorized access to a user's account. In one approach, a distinct physical item is linked to the user's account. For example, the physical item may be a smart card, badge, token or biometric information that only the authorized user would possess. The physical item is used in addition to login credentials to gain access to the user's account.
In another approach, a user is required to specifically authorize each device by providing multi-factor authentication, which may be a code or secret sent via email, text message or other out of band means. The multi-factor authentication may alternatively or additionally include other information that only the authorized user would know or have, such as answers to security questions. The multi-factor authentication information may be saved, generally in encrypted form, on the user's device. Subsequent logins can validate that the device was previously authorized by the user and not require the user to provide additional validation at each login. By limiting access to a specific user account to devices that have been authenticated, unauthorized access to a user's account may be prevented from other devices. The user's devices may be physical devices, such as a smartphone, tablet, laptop, desktop or other physical computing device, or a virtual device such as an application running on a virtual machine, in a browser or other software environment.
Though multi-factor authentication provides added protection against unauthorized account access, a user's account may be prone to attack through cloning of a user's device. An attacker with physical or remote access to one of the user's devices could clone the device, by copying the relevant data or the entire disk on which the authentication information is saved. Backup and restore utilities, which are normally used for non-malicious purposes, may be used to transfer applications and associated data from a user's device to an attacker's device. If an attacker were to obtain physical or remote access to a device, clone the device and acquire the user's name and password, the attacker could then create an additional authorized device and bypass the extra authentication that is normally required to add an additional device to an account.
For some multi-factor authentication information, an attacker may require physical access to the device. For example, physical access may be required to access the Unique Device Identifier (UDID), the International Mobile Equipment Identity (IMEI) number, WLAN MAC address, Bluetooth address or other device specific identification values. Given physical access to the device, such device identification information may be readily obtained, and techniques exist to spoof or clone the identification information and to pass off as coming from the original device. Mobile phone service providers have a variety of techniques for detecting a cloned phone on their cellular networks, such as the authentication provided by SIM cards and radio fingerprinting. However, these techniques are generally unavailable to anyone other than the cellular carrier and are thereby unable to provide protection to other accounts from a cloned device. A cloned device could authenticate using its legitimate credentials on the cellular network, whilst using the cloned information to access another user account. Using a WiFi connection instead of the cellular network further masks the cloned device from existing detection schemes.