The present invention relates to a computer implemented method, data processing system, and computer program product for establishing that a current user accessing a data processing system is correctly responding to challenges in a way indistinguishable from the authorized user. More particularly, the invention relates to gauging the certainty of a user being genuine, and posing a stronger challenge or puzzle to the apparent user depending on the level of inactivity from input devices.
Data processing systems store data that can be secret, confidential or otherwise privileged details of a particular user, or an organization to which the user belongs. Accordingly, the owner or operator of such a system establishes a password or other challenge that is known only to the authorized user, or at least is the subject of a policy whereby the user is asked to avoid sharing the password or accidentally making it available. These passwords and the attendant obfuscation that blocks their availability to spies have been in use for decades.
Nevertheless, black hat hackers can compromise passwords using many techniques, including social engineering. Normally, these techniques make simpler passwords more vulnerable to guessing by such hackers than more complex passwords.
However, when a computer re-iterates a challenge for a difficult password, especially within a short interval of previously authenticating a user, the user can be frustrated and less efficient. A policy of frequently getting a user to refresh his credentials does achieve high levels of security and integrity of the data processing system.