Computer users typically log in to many different websites (banking sites, shopping sites, work related sites, social networking sites, etc.), each of which requires a username and password. This frequent password-based logging in is inconvenient for users and creates opportunities for malicious parties to steal passwords. Users have the choice between using a different password for every website they log in to, or repeating passwords across multiple sites. Using a different password for each site results in a large number of passwords for the user to manage. In such situations, users tend to forget their passwords, and therefore can find themselves unable to log in to desired sites. To address this problem, some users write down their passwords in accessible locations, but this creates a security risk. Another partial solution is the use of a password manager, but this only works on the computer on which the password manager is installed, or on a computer which is synchronized thereto. This leaves the user unable to log in to websites from other computers, such as those in hotel business centers, internet cafes, libraries, etc.
On the other hand, using the same password across multiple sites is not good security practice. If the single password becomes compromised, all of the user's accounts become vulnerable. Some users repeat passwords only across types of sites (for example, one password for social networks and a different password for financial sites). Even then, many users have a hard time remembering their passwords. Additionally, using a limited number of different passwords still creates more security risk than using a unique password for each site.
Malicious parties are able to steal passwords through various methods such as phishing, key loggers, network traffic monitoring, malicious browser plugins, and the replay of passwords captured for other sites. Password managers prevent password theft by key loggers (and mitigate phishing to some extent) but still leave the user vulnerable to other types of password misappropriation.
It would be desirable to address these issues concerning password-based logins.
Two factor authentication is becoming increasingly prevalent as laws are passed that require financial institutions to implement additional security measures. Two factor authentication is authentication of a user that requires two separate means of proof of the user's identity. In one factor authentication, the user can verify his or her identity with a single factor such as (most commonly) a password as described above, or (alternatively) a rolling value generated by a physical token or a biometric indicator such as a fingerprint or retina scan. In two factor authentication, two such factors (e.g., password and rolling value) must be provided. The most common form of two factor authentication currently uses a static user entered password as the first factor, with the addition of a rolling value that is generated and displayed to the user by a hardware key fob (such as RSA SecurID) or a specialized mobile device (such as Verisign VIP).
These hardware devices continue to generate new rolling values that are unique to the individual devices. A rolling value is a dynamic value which is regenerated every so often (e.g., every 30 seconds) or in response to given events (e.g., whenever the user presses a given input mechanism). A hardware device of the type mentioned above keeps generating a new rolling value, typically once per period of time. Such a rolling value can be used to authenticate a user, and can be thought of as a rolling password associated with the specific generating device. Such rolling values typically comprise pseudo-random numbers of a given number of digits (e.g., six), generated based on a seed value such as the current time or a chain of previous values. An authenticating device is able to generate the same current rolling value as a given generating device at any given time (i.e., the authenticating device also has the seed value or whatever key is used to generate the rolling value). Thus, the authenticating device can verify that a received rolling value was actually generated by a given device.
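As an added illustration (not part of the original text), the following Python models the two sides described above: a generating device that derives a six-digit value from its seed and the current 30-second period, and an authenticating device that holds the same seed, recomputes the value, and tolerates one period of clock drift. The specific construction, HMAC-SHA1 over a time-step counter with dynamic truncation as in RFC 6238, is an assumption; the text only says the value is derived from a seed and the time.

```python
import hashlib
import hmac
import struct
import time

PERIOD_SECONDS = 30  # rolling value regenerated every 30 seconds, as in the text
DIGITS = 6           # six-digit rolling value, as in the text


def rolling_value(seed: bytes, unix_time: int,
                  period: int = PERIOD_SECONDS, digits: int = DIGITS) -> str:
    """Generating-device side: derive the rolling value for the period that
    contains unix_time from the device's seed. Construction assumed here:
    HMAC-SHA1 over the time-step counter with dynamic truncation (RFC 6238)."""
    counter = unix_time // period
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_rolling_value(seed: bytes, presented: str, unix_time: int,
                         drift_steps: int = 1) -> bool:
    """Authenticating-device side: it holds the same seed, so it recomputes the
    value for the current period and for drift_steps neighbouring periods
    (clock skew between the two devices) and compares in constant time."""
    if len(presented) != DIGITS or not presented.isdigit():
        return False
    for step in range(-drift_steps, drift_steps + 1):
        expected = rolling_value(seed, unix_time + step * PERIOD_SECONDS)
        if hmac.compare_digest(expected, presented):
            return True
    return False


if __name__ == "__main__":
    # Constructed seeds for two distinct devices; the server holds a copy of each.
    seed_a = b"constructed-seed-device-A"
    seed_b = b"constructed-seed-device-B"
    now = int(time.time())
    code_a = rolling_value(seed_a, now)
    print("device A shows:", code_a)
    print("server accepts A's value for A:", verify_rolling_value(seed_a, code_a, now))
    print("server accepts A's value for B:", verify_rolling_value(seed_b, code_a, now))
    print("A's value two periods later:",
          verify_rolling_value(seed_a, code_a, now + 2 * PERIOD_SECONDS))
```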
Rolling value generating hardware devices are undesirable to users because they comprise yet another device for the user to carry. Additionally, the user must type in the current rolling value as well as the static password, which is even more burdensome than typing in the password alone. These devices are also undesirable to administrators and IT professionals, because they are frequently lost, have limited battery life and must be replaced on a recurring basis. There is rolling value generating software (for example, Verisign VIP), but this still requires the user to manually enter the current rolling value, and also presents a practical limitation to the length of possible rolling values.
It would be desirable to address these issues concerning two factor authentication as well.