Because the Internet is easily accessible to anyone, its use involves different kinds of risks. Without any security measures, the parties one deals with are not known, and personal information might be spread and made use of.
Examples of Internet risks are identity thieves who use information they find online to drain bank accounts or ruin credit ratings. Generally, information on people in e.g. popular social networking sites might be misused or used in a way undesired by the user, even resulting in monetary losses for the people concerned.
Authentication and measures for data privacy are therefore used as methods to increase security. The ability to control the information one reveals about oneself over the Internet, and who can access that information, has become a growing concern. Another concern is web sites that collect, store, and possibly share personally identifiable information about users.
Information privacy, or data privacy (or data protection), is the relationship between the collection and dissemination of data, technology, the public expectation of privacy, and the legal and political issues surrounding them. Legislation on the protection of people's privacy is becoming stricter around the world, and along with the risks of e.g. the use of the Internet, people are becoming more and more interested in the protection of their own privacy.
Privacy concerns exist wherever personally identifiable information is collected and stored—in digital form or otherwise. Improper or non-existent disclosure control can be the root cause for data and other privacy issues.
Authorization (or authorisation), which is the function of specifying access rights to resources, is also related to information security and computer security in general and to access control in particular. More formally, “to authorize” is to define an access policy. During operation, the system uses the access control rules to decide whether access requests from (authenticated) consumers shall be approved (granted) or disapproved (rejected).
Authentication is used as a defense against unauthorized access to a service provided by a service provider or to a communication network. Information is exchanged to verify the identity of a user. The information can be encrypted at both ends. Authentication over a network is an especially important part of enabling security when remote clients are allowed to access network servers.
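As an added illustration of the authorization step described above (example code, not part of the original text), the following evaluates access requests from already-authenticated consumers against a small rule set. The policy, role hierarchy and evaluation order are constructed for this example: an explicit deny overrides any allow, and a request matching no rule is rejected (default deny).

```python
from fnmatch import fnmatchcase

# Constructed policy: each rule is (effect, role, action, resource pattern).
# Evaluation order (assumption of this example): any matching "deny" wins over
# any "allow", and a request matching no rule at all is rejected (default deny).
POLICY = [
    ("allow", "reader", "read",  "docs/*"),
    ("allow", "editor", "read",  "docs/*"),
    ("allow", "editor", "write", "docs/*"),
    ("deny",  "editor", "write", "docs/legal/*"),
    ("allow", "admin",  "*",     "*"),
]

# Role hierarchy (assumption): a role also holds every role listed under it.
ROLE_PARENTS = {"editor": ["reader"]}


def effective_roles(role):
    """Expand a role into the set of roles it holds, following ROLE_PARENTS."""
    roles, stack = set(), [role]
    while stack:
        r = stack.pop()
        if r not in roles:
            roles.add(r)
            stack.extend(ROLE_PARENTS.get(r, []))
    return roles


def _matches(rule, roles, action, resource):
    effect, rule_role, rule_action, pattern = rule
    return (rule_role in roles
            and rule_action in ("*", action)
            and fnmatchcase(resource, pattern))


def is_authorized(role, action, resource, policy=POLICY):
    """Decide an access request from an (already authenticated) consumer."""
    roles = effective_roles(role)
    hits = [r for r in policy if _matches(r, roles, action, resource)]
    if any(r[0] == "deny" for r in hits):
        return False                  # explicit deny takes precedence
    return any(r[0] == "allow" for r in hits)   # nothing matched -> False


if __name__ == "__main__":
    for req in [("reader", "read", "docs/a.txt"),
                ("editor", "write", "docs/legal/nda.txt"),
                ("guest", "read", "docs/a.txt")]:
        print(req, is_authorized(*req))
```

Note that `fnmatchcase` treats `*` as matching any characters including `/`, so `docs/*` covers nested paths; the deny rule on `docs/legal/*` is what keeps an editor out of that subtree.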
Authentication over a data network, especially a public data network like the Internet, is difficult because the communication between the client and server is susceptible to many different types of attacks.
A basic authentication scheme is for a server to request a password from the client. A password is a secret word or string of characters that is used for user authentication. The client types in the password and sends it to the server. This technique is vulnerable to eavesdroppers who may learn secret information by intercepting communication between the client and the server. Captured information can also be used by a hacker in what is called a “replay attack” to illegally log on to a system.
Another type of attack is a spoofing attack, in which an adversary impersonates the server, so that the client believes that it is communicating with the legitimate server, but instead it is actually communicating with the adversary. Further, in any password-based authentication protocol, there exists the possibility that passwords will be weak and even easily guessed such that they are susceptible to dictionary attacks. A dictionary attack is a brute force attack on a password that is performed by testing a large number of likely passwords.
One solution to avoid attacks that replay captured reusable passwords is to use one-time passwords (OTP). A one-time password can e.g. be one password in a set of passwords so constructed that it is extremely difficult to calculate the next password in the set, or a one-time password system may grant the visitor access for a limited time, e.g. one day.
Generally, authentication can be accomplished by verifying one or more of a password or PIN (something that a user knows, i.e. a knowledge factor), biometric information (something that a user is, such as a fingerprint, voiceprint or iris, i.e. an inherence factor), and some identification token, such as a smart-card or mobile phone (something that a user has, i.e. a possession factor). Multi-factor authentication, or two-factor authentication, is an approach to authentication which requires the presentation of two or more of the above-mentioned three authentication factors. After presentation, each factor must be validated by the other party for authentication to occur.
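The first kind of one-time password mentioned above, a set of passwords from which the next one is extremely difficult to calculate, can be built from a one-way hash chain. The following is an added example (not code from the original text) in which the client reveals the chain in reverse order and the server keeps only the last accepted value, so that a password captured by an eavesdropper is rejected when replayed. The seed, the chain length and the use of SHA-256 are constructed for the example; registering the chain anchor with the server over a trusted channel is assumed.

```python
import hashlib


def _h(data: bytes) -> bytes:
    """One-way step of the chain (SHA-256 here; any one-way function works)."""
    return hashlib.sha256(data).digest()


def generate_chain(seed: bytes, n: int) -> list[bytes]:
    """Return [p_0, p_1, ..., p_n] with p_0 = seed and p_{i+1} = H(p_i).

    Passwords are used in reverse order (p_{n-1}, p_{n-2}, ...). Because H is
    one-way, knowing p_i does not let an eavesdropper compute the next
    password p_{i-1}.
    """
    chain = [seed]
    for _ in range(n):
        chain.append(_h(chain[-1]))
    return chain


class OtpServer:
    """Stores only the last accepted password (initially the anchor p_n)."""

    def __init__(self, anchor: bytes) -> None:
        self.current = anchor

    def verify(self, candidate: bytes) -> bool:
        # A fresh password hashes to the stored value. A replayed one fails,
        # because the stored value has already moved one step down the chain.
        if _h(candidate) == self.current:
            self.current = candidate
            return True
        return False


class OtpClient:
    """Keeps the chain and hands out the next unused password per login."""

    def __init__(self, seed: bytes, n: int) -> None:
        self.chain = generate_chain(seed, n)
        self.next_index = n - 1

    def anchor(self) -> bytes:
        # p_n is registered with the server once, over a trusted channel (assumption).
        return self.chain[-1]

    def next_password(self) -> bytes:
        if self.next_index < 0:
            raise RuntimeError("chain exhausted; register a new chain")
        pw = self.chain[self.next_index]
        self.next_index -= 1
        return pw


def demo() -> tuple[bool, bool, bool]:
    """Constructed scenario: a legitimate login, a replay of it, another login."""
    seed = b"constructed demo seed - use a random secret in practice"
    client = OtpClient(seed, n=5)
    server = OtpServer(client.anchor())
    first = client.next_password()
    ok_first = server.verify(first)                     # H(p_4) == p_5
    replayed = server.verify(first)                     # rejected: server now expects p_3
    ok_second = server.verify(client.next_password())   # H(p_3) == p_4
    return ok_first, replayed, ok_second


if __name__ == "__main__":
    print(demo())   # (True, False, True)
```

The scheme defeats replay of captured passwords, which is the attack the paragraph addresses; it does nothing against the server spoofing described next, since the client never verifies whom it is talking to.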
As presented above, knowledge factors are the most common form of authentication as a basic authentication scheme.
Biometric authentication is usually unacceptably slow and comparatively expensive when a large number of users are involved. In addition, it is vulnerable to a replay attack. Voice biometrics, however, significantly reduce the risk of a successful replay attack, but there is great user resistance to biometric authentication. Users resist having their personal physical characteristics captured and recorded for authentication purposes.
For many biometric identifiers, the actual biometric information is rendered into string or mathematical information. Comparison is therefore made between two data strings, and if there is sufficient commonality a pass is achieved. As it is a matter of choice how much data to match, and to what degree of accuracy, no biometric device therefore provides unambiguous guarantees of identity, but rather probabilities, and all may produce false positive and false negative outputs. A bio-identifier can also be faked. For example, fingerprints can be captured on sticky tape and false gelatin copies made, or simple photos of eye retinas can be presented.
Two-factor authentication is commonly found in electronic computer authentication and seeks to decrease the probability that the requester is presenting false evidence of its identity. However, in reality, there are more variables to consider when establishing the relative assurance of truthfulness in an identity assertion than simply how many “factors” are used.
Other factors under debate are time and location. For example, two users (even perfect twins with cloned knowledge and tokens) cannot be in the same place at the same time.
Existing authentication methodologies involve the explained three types of basic “factors”. Authentication methods that depend on more than one factor are more difficult to compromise than single-factor methods.
A new category of Two-Factor Authentication (TFA) tools transforms the PC user's mobile phone into a token device using SMS messaging, an interactive telephone call, or a downloadable application on a smartphone. Since the user now communicates over two channels, the mobile phone becomes a two-factor, two-channel authentication mechanism.
According to proponents, Multi-Factor Authentication, MFA, could drastically reduce the incidence of online identity theft, and other online fraud, because the victim's password would no longer be enough to give a thief permanent access to their information. However, many MFA approaches remain vulnerable to man-in-the-browser and man-in-the-middle attacks.
Another drawback of two-factor authentication that is keeping many approaches from becoming widespread is that some consumers have difficulty keeping track of a hardware token or a USB plug. Furthermore, many consumers do not have the technical skills needed to install a client-side software certificate.
As a result, adding a second factor to the authentication process typically leads to a significant increase in costs for implementation and maintenance. Most hardware token-based systems are proprietary and charge an annual fee per user. Deployment of hardware tokens is logistically challenging since hardware tokens may get damaged or lost, and issuance of tokens in large industries such as banking or even within large enterprises needs to be managed.
In addition to capital expenses (CAPEX), two-factor authentication often carries significant additional operational expense (OPEX). Software certificates and software toolbar approaches have been reported to have the highest support costs.
As a result of challenges with cost integration and user acceptance, true two-factor authentication is not yet widespread, although it can be found in certain sectors requiring additional security (e.g. banking, military).
Furthermore, two-factor authentication is not standardized. There are various incompatible implementations of it. Therefore, interoperability is a further issue. There exist many processes and facets to consider in choosing, developing, testing, implementing and maintaining an end-to-end secure identity management system, inclusive of all relevant authentication mechanisms and their technologies.
Pre-authentication methods use call information to verify the calling number and the dialed number, respectively, before answering a call. Callback is used for added security: after authentication is complete, the call is hung up and a call back is made, ensuring that the connection is made only with a trusted number.
New hacker techniques are developed and new security vulnerabilities in networks are found every day. Computer-based attacks are likely to continue. For governments, businesses and ordinary individuals, the threat of hacking has created a need for secure information systems and networks which has never been greater.
The above-described problems indicate that there is a continuous need to develop new methods and aspects for ensuring secrecy in order to stay one step ahead of advanced hackers.
The aforementioned two- and multifactor authentication methods are effective in many situations but in certain situations additional layers of security are desired, especially such methods which allow extra costs and complicated signaling to be simultaneously avoided.
The following references are mentioned as prior art.
US patent application 2007/0056022 discloses a two-factor authentication method that employs a user's Internet Protocol (IP) address associated with a service and/or authentication request and the user details of the request with an Internet Service Provider (ISP) account. If there is an indication that the IP address was issued by an ISP to a user matching the user details, the user is authenticated.
US patent application 2013/0055368 discloses a multi-factor authentication method using a designated link in a notification to an intended recipient of the message. The designated link includes a unique identifier associated with the message. Upon receiving a request to access the message, the method authenticates the request. The authentication includes verifying whether the request corresponds to the designated link provided in the notification. If the request passes authentication, the method communicates the message.
U.S. Pat. No. 8,286,227 presents an enhanced multifactor authentication method by using a first and a second authentication factor for successful verification of the identity.
U.S. Pat. No. 7,908,645 presents a method for authenticating access requests from user devices, which are identified with fingerprint information; their associated risks of fraud are determined from past experience or with similar devices and from third-party information. The determination applies a set of predetermined evaluation rules for authenticating access requests at the server. The evaluation rules provide a score reflecting the likelihood that a current request is a security problem. Decision tables are used for a hierarchically arranged security evaluation. The tables return a score of “0” in case all evaluated data items are present and “10” if no data item is present, the score of “10” indicating a high likelihood of fraud for the request. In case some data items are present and match but some data items are absent or do not match, the tables invoke further checks. The rules can be based on the historical behavior of a particular user, giving a mismatch if the user suddenly changes habits, which might indicate malicious intent. The rules can also restrict logins based on input from a third-party database or black-listed IP addresses.
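To make the rule-based, hierarchically arranged evaluation described above concrete, the following added example (not code from the cited patent) applies a decision table to device fingerprint data items, a historical-behaviour rule, and a black-list rule, and turns the resulting score into a decision. The 0/10 endpoints of the table follow the description; the interim score for the mixed case, the weight of the behavioural rule, the step-up threshold and all sample data are assumptions constructed for this example.

```python
from dataclasses import dataclass


@dataclass
class AccessRequest:
    user: str
    ip: str
    hour: int            # local hour of the request, 0-23
    fingerprint: dict    # data items observed on the requesting device


@dataclass
class UserProfile:
    expected: dict       # data items recorded for the user's known device
    usual_hours: range   # hours at which this user normally logs in


# Constructed list standing in for a third-party or black-listed IP feed.
BLACKLISTED_IPS = {"203.0.113.7"}


def device_table(observed, expected):
    """Decision table over device data items.

    Returns (score, further_checks): 0 when every expected item is present and
    matches, 10 when no item is present at all (high likelihood of fraud), and
    for the mixed case an interim score plus a flag requesting further checks.
    The interim score (10 scaled by the fraction of non-matching items) is an
    assumption of this example.
    """
    items = list(expected)
    present = [k for k in items if k in observed]
    if not present:
        return 10, False
    matching = [k for k in present if observed[k] == expected[k]]
    if len(matching) == len(items):
        return 0, False
    return round(10 * (len(items) - len(matching)) / len(items)), True


def habit_rule(request_hour, usual_hours):
    """Historical-behaviour rule: a login outside the user's usual hours is a
    mismatch. The weight of 5 is an assumption of this example."""
    return 0 if request_hour in usual_hours else 5


def evaluate(request, profile):
    """Hierarchical evaluation: hard black-list rule first, then the device
    decision table, then the behavioural rule; the total is capped at 10."""
    if request.ip in BLACKLISTED_IPS:
        return {"score": 10, "decision": "reject", "further_checks": False}
    dev_score, further = device_table(request.fingerprint, profile.expected)
    score = min(10, dev_score + habit_rule(request.hour, profile.usual_hours))
    if score >= 10:
        decision = "reject"
    elif further or score > 0:
        decision = "step-up"     # e.g. demand a second authentication factor
    else:
        decision = "allow"
    return {"score": score, "decision": decision, "further_checks": further}


# Constructed sample profile.
PROFILE = UserProfile(
    expected={"ua": "Browser/1.0", "tz": "Europe/Helsinki", "screen": "1920x1080"},
    usual_hours=range(7, 19),
)


def demo():
    """Run five constructed requests through the evaluator."""
    base_ip = "198.51.100.4"
    cases = {
        "known":  AccessRequest("alice", base_ip, 10, dict(PROFILE.expected)),
        "blank":  AccessRequest("alice", base_ip, 10, {}),
        "mixed":  AccessRequest("alice", base_ip, 10,
                                {"ua": "Browser/1.0", "screen": "800x600"}),
        "night":  AccessRequest("alice", base_ip, 3, dict(PROFILE.expected)),
        "listed": AccessRequest("alice", "203.0.113.7", 10, dict(PROFILE.expected)),
    }
    return {name: evaluate(r, PROFILE)["decision"] for name, r in cases.items()}


if __name__ == "__main__":
    print(demo())
```

The "mixed" case is the one the description singles out: one item matches, one is absent and one mismatches, so the table returns an interim score and the evaluator escalates to a further check rather than deciding outright.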
Instead of rule-based behavioral analysis, machine-learning algorithms can be used for determining the behavior. The algorithms automatically learn the behavioral patterns of each individual user, and any anomalies in behavior can be scored. The algorithms can automatically adjust the expected behavior according to the changes in user behavior, and use further authentication steps, like two-factor authentication, to strengthen the learning performance. The algorithms can also predict unforeseen behavioral attribute combinations as part of normal behavior unlike standard rule-based calculations, and also detect minute changes in the patterns as abnormal behavior.
The above method, however, requires certain pre-defined information for the algorithm to work properly.
The object of the method is a flexible two-factor or multi-factor authentication method that works in all situations.