In the context of multi-user computers, authentication procedures are widely used to give a user access to the programs and system resources to which the user has been granted access. In the context of the present description, the term target component of a computer system is intended to refer to any entity of a computer system to which user-access may be granted based on an authentication scheme. Examples of such target components include a computer or group of computers, a computer network, a communications network, one or more computer programs executed on a data processing system, functionality of one or more computer programs, computer resources, such as drivers, memory, computer peripherals, data stored in a memory, services provided by a computer, etc. Traditional means of giving access make use of a user identification and a password. With the arrival of wide area networks and the internet, millions of computer programs and systems are now security-wise solely based on giving personalized access using a user identification and password. When communicating over a network, the method to keep track of the communication between the first and second computer device is done using a session identifier. In recent years, methods and programs to acquire a user's identity in the form of user identification and password have exploded in usage resulting in users being defrauded daily.
Sophisticated methods of stealing a user's identification and password involve so-called phishing, where a 3rd party gains access to a user's ID and password by criminal means. These methods may even involve more sophisticated attacks such as man-in-the-middle attacks, where a fraudulent 3rd party intercepts the communication between the user and a network, computer system or program when the user logs into said network, computer system or program. Once intercepted, the fraudulent 3rd party either establishes a parallel process and log into the same network, computer system or program as the user or simply acts as a middle-man and passes the user actions on to the said network, computer system or network for identity theft purposes.
One method for securing users against such attacks is to ensure that a second means of authentication is deployed. Such second means are also referred to as a second factor of authentication. The first generations of these solutions used a hardware device called a token that the user would carry with him/her everywhere. The method also seen as soft-tokens or sms-delivered token codes uses the method of a pre-issued passcode that is valid for a period of time or until used. These concepts have proven ineffective in preventing both phishing and in particular man-in-the-middle attacks as the user never knows, whether a fraudulent 3rd party has been present and intercepted the session.
A new generation of solutions is based on a message-based approach, most widely seen using the widely used Short Message System (SMS or Text Messaging) systems in cellular phone networks to send a passcode typically to a user's cell phone or, in an alternative implementation, the user will access a central server that then opens the system for the user's ID and password login process to be authorized. It is a problem of some current approaches that they use a separated login process where the SMS code is entered at the same time as the user ID and password, thus enabling phishing and similar methods for compromising credentials. The current implementations of these solutions also use pre-issued passcodes that are valid for a period of time or until used further, thus exposing them to man-in-the-middle attacks.
US 2007/0136573 discloses a system and method for authentication using at least one multiple multi-factor authentication. This prior art method relies on the presence and use of a trusted computer, and this prior art document does not disclose any method for establishing such a trusted computer such that the process for establishing the trusted computer is protected against man-in-the-middle attacks. It thus remains a problem to provide increased security against man-in-the middle attacks without the need for a trusted computer.