Identity authentication has concerned online users and online companies since the advent of networking and the Internet. Passwords are often used to restrict access to certain content and to validate users, even though passwords present certain drawbacks. Users often find it difficult to remember and keep track of different credentials or logins (e.g., usernames and/or passwords) for their various online accounts and may either forget this information or provide incorrect login information. As a result, many users use the same password for many different websites and/or frequently have to reset login information. Password reuse poses a security problem, because if a malicious user obtains the password for one account, access to multiple accounts is effectively gained. Further, password reset functionality may be abused in order to hijack a user account.
One attempt to mitigate the disadvantages of traditional passwords involves the use of so-called “two-step verification” or “two-step authentication,” which leverages the use of some physical key carried by a user. For example, many known methods involve the use of a pocket-sized authentication token that is carried by the user and displays a changing passcode on an LCD or e-ink display, which must be typed in at an authentication screen. The number is typically derived from a shared secret by a cryptographic process that makes it infeasible to work out the secret from the sequence of numbers, e.g., using a hash or other cryptography combined with a challenge. The same process repeated on the authentication server will yield the same result if the correct secret was used. Another technique for two-step authentication involves receiving a username and password from a user, and then sending, e.g., by SMS, a unique code to the user through a linked device, such as a mobile phone. The user receives the unique code at the mobile phone, and types it into the website to prove that the user has possession of the device, and is therefore likely the user associated with the previously input credentials.
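The token-based scheme described above (a shared secret, a cryptographic process combined with a challenge, and the server repeating the same computation) is illustrated here as an added example, not code from the patent. It uses the HMAC-based one-time password construction of RFC 4226 with a counter as the challenge; the `Token` and `AuthServer` classes and the enrollment secret are assumptions made up for the illustration.

```python
import hmac
import hashlib
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: the counter is the challenge, HMAC-SHA1 keyed with the
    shared secret is the cryptographic process, and dynamic truncation turns
    the 20-byte MAC into a short decimal code. The secret cannot be recovered
    from the sequence of codes, only reproduced by someone who already holds it."""
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                               # low nibble picks a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Token:
    """Hypothetical pocket token: holds the secret and a counter it advances per code."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def next_code(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class AuthServer:
    """Hypothetical server side: stores a copy of each user's secret plus the
    last accepted counter, and recomputes the code to verify it."""

    def __init__(self, look_ahead: int = 5):
        self.users = {}
        self.look_ahead = look_ahead          # tolerate a few codes generated but never typed

    def enroll(self, user: str, secret: bytes) -> None:
        self.users[user] = {"secret": secret, "counter": 0}

    def verify(self, user: str, code: str) -> bool:
        rec = self.users.get(user)
        if rec is None:
            return False
        for c in range(rec["counter"], rec["counter"] + self.look_ahead):
            if hmac.compare_digest(hotp(rec["secret"], c), code):
                rec["counter"] = c + 1       # advance past the used counter so a replayed code fails
                return True
        return False
```

Because the server only advances its counter forward, a code that was already accepted is rejected if submitted again, and a token initialised with a different secret never produces a matching code.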
Unfortunately, many users have not yet enabled two-step verification or other password improvements on their online accounts. Often this is due to the added inconvenience of entering a code in addition to a regular password. This is especially true of people who opened online accounts years ago, before certain other password or user verification techniques were implemented. To thwart this vulnerability, many online websites have increased the requirements for resetting accounts or passwords, requiring all users attempting to reset login information either to submit substantial additional user data or to call the online company and speak to a representative in an attempt to prove their identity and regain access to their online account. However, these methods make it more difficult for even legitimate users to reset and access their accounts, and they do not differentiate between users of different levels of trustworthiness. For many people, an online company would have to resort to the undesirable options of either allowing each user to reset a password with minimal verification and trusting that they are who they say they are, or preventing the user from resetting a password and instead insisting on the undesirable workaround that the user abandon the account and start another.
Accordingly, a need exists for systems and methods for implementing a convenient multi-step verification process.