Many service providers use the internet to provide]offerings to potential or current customers. The offerings may be generally provided in the form of software applications that operate using dedicated resources of the service provider.
Many application services store sensitive client content such as account numbers, personal information, purchase history, passwords, social security numbers and the like. Authentication controls must be implemented by service providers to limit unauthorized access to sensitive customer content.
Many authentication controls validate clients based on some combination of factors including knowledge factors (something the client knows), ownership factors (something the client has), and inherence factors (something the client is). Knowledge factors may include a password, partial password, pass phrase, or personal identification number (PIN), challenge response (the user must answer a question, or pattern). Ownership factors may involve something the client has in their possession (e.g., wrist band, ID card, security token, implanted device, cell phone with built-in hardware token, software token, or cell phone holding a software token). Inherence factors may relate to something the user is or does (e.g., fingerprint, retinal pattern, DNA sequence, signature, face, voice, unique bio-electric signals, or another biometric identifier).
Access to the information and services of a service provider is generally controlled via a layered security protocol designed to protect sensitive and/or critical information using multi-factor authentication techniques. Despite such efforts, service provider systems remain vulnerable to phishing, man-in-the-middle and other malicious attacks, particularly during username/password exchanges, which are particular targets of hackers that understand a user's tendency to use a common password across multiple platforms. Cryptographic encoding of passwords may impair, but does not eliminate, a malicious party's ability to interfere with client accounts.