Authenticating a user of a computing device in order to provide access to restricted electronic data or access to restricted services such as banking services is critical for securing data and preventing fraud.
The most common system for authenticating a user is to require the user to enter a user ID and password combination. The password is then compared to a valid password that is stored in a secure location in association with the user ID.
If the user ID and password tendered by the user matches the valid password stored in association with the user ID, the user is granted access to the restricted electronic data or systems. On the other hand, if the user ID does not match a valid user ID's or the password does not match the valid password stored in association with the user ID, the user is denied access.
User ID and password systems are not considered the most secure because it is based solely on the person purporting to be the authorized user having knowledge of the user ID and password. Another individual who has knowledge of the user ID and password can gain access to the restricted systems.
Digital certificates also provide enhanced security. When using a digital certificate, a combination of a user entered User ID, user entered password, and a digital certificate are required to authenticate to the server. The digital certificate may be loaded onto the client computing device used to access the server or loaded to a hardware key that is coupled to the computing device at the time the user uses the computing device to access the server. Security is considered enhanced because access to the system requires not only knowledge of the user ID and password but also requires possession of the digital certificate.
Biometric measuring systems also provide enhanced security. Security is considered enhanced because access to the system further requires that the person attempting to gain access have the same biometric characteristics that are being measured as the authentic user (i.e. same finger print, same iris pattern, etc). Because certain biometric characteristics that are typically used for security are unique to each individual, it is extremely difficult for a different person replicate the biometric characteristic of the authentic user.
A challenge with use of biometrics for security and to restrict access to services is that biometric measuring devices are expensive and most biometric measuring devices are no readily portable.
In the field of computing devices, device locking mechanisms also provide security by restricting who may use the device to access electronic data to which the device has access. The most common method for unlocking a device is entry of a passcode. As with a password, it restricts based on knowledge and any individual with knowledge of the passcode can access the device. More recently, a system has been developed for mobile computing devices wherein a group of nine (9) position indicators are arranged in a tic-tac-toe pattern on a display with an overlaying touch sensitive panel. The device is unlocked by the user tracing a predetermined pattern across at least a portion of the nine (9) position indicators.
Phishing is a practice of using a fraudulent website that has the appearance of a genuine website to induce a person to provide his or her user ID and password to the operator of the fraudulent website. The operator of the fraudulent website has knowledge of the user ID and password combination and can gain access to the genuine website and the restricted electronic data or services provided by the genuine website. If the genuine website is a financial institution's banking application, the fraudster could gain access the user's account on the genuine website.
In an effort to thwart phishing, some websites utilize a site key as part of the login-authentication process. More specifically, when a user reaches the genuine web site, for example an internet banking web site, he/she is prompted to enter his/her user name only—not both user name and password. If the user ID is valid, the web site responds with a site key picture that the user has previously selected as the picture to display at log in. In conjunction with displaying the picture, the website displays the control for the user to enter his/her password. Also displayed is a prominent warning instructing the user to not enter his/her password if the site key picture is not correct.
This system reduces phishing fraud because it prevents replication of the genuine web site log-in process on a fraudulent website. More specifically, although the operator of a fraudulent web site can replicate the genuine website to induce the person to enter his or her user ID, the operator of the fraudulent website does not have access to the user's personally selected site key picture and therefore cannot replicate the genuine site's ability to display the personally selected site key in association with prompting the user to enter his or her password. Because the typical user becomes accustomed to using the two step log-in process and seeing his/her personally selected site key picture on the genuine web site, the lack of two step log in process and/or the lack of seeing the personally selected site key on a fraudulent web site make its obvious to the user that the website may not be genuine and that he or she should not provide their password.
It should be appreciated that a site key does not prevent access to the website so long as the user attempting to authenticate has the correct user ID and password. The site key system simply lowers the probability that a user will fall prey to a phishing scam and inadvertently provide his or her password to a fraudster.
What is needed is an improved system and method for authenticating the user of a device that does not rely on simply a user ID and password, digital certificates or biometric measuring systems.