Various authentication mechanisms such as usernames and passwords are often used to control access to various kinds of computing resources and processes. A person who wishes to gain access to a resource or process may be asked to enter a username and password. If the person enters the correct username and password, then access may be granted. Otherwise, access may be withheld. Access to computing resource scenarios such as e-mail accounts, online shopping accounts, online bank accounts, accessing school records, corporate portals, virtual private networking, authenticated machine to machine communications (M2M), logging into social networking services, etc., are some examples of web or cloud-based resources and services to which access may be password-controlled. Usernames and passwords may also be required to unlock a user device such as a personal computer, mobile phone or to access functions and resources that are locally available on the user's computing device. Usernames and password are one example of a type of shared secret between two endpoints. Other examples of shared secrets are numerical PIN codes without requiring a username, and biometric information such as fingerprint or retina scanners. In each of these scenarios a credential must be presented and verified before access to the desired resource is granted.
An issue that arises in the use of passwords and the like is that they are subject to certain types of attacks. A malicious actor may gain access to protected resources if the username and password are compromised or stolen. The basis on which a password provides security is the assumption that only the legitimate user of the password knows the password. If this assumption is not true, then the password no longer provides the intended security. If a malicious actor learns the password and then presents it to the authentication manager that controls access to a resource, then the malicious actor can gain the same access as the legitimate user. Computing systems try to provide numerous layers of safeguards against malicious actors gaining access to a user's account, however if the malicious actor presents valid usernames and password credentials, it may be nearly impossible to detect the intrusion without the layers of safeguards placing an undue burden on valid users accesses to try and detect the malicious actors.