Currently, a variety of devices and methods have been developed in an attempt to improve authentication fidelity and to safeguard sensitive personal identity and private information in light of the increasing security threat due to the rapid advancements in networking and mobile communication technologies. However, certain authentication technologies in use today are still based on the traditional “knowledge-based factor” or “possession-based factor” identification and verification approaches. In a typical knowledge-based authentication approach, only one authentication factor (such as knowledge of a password) is required in order to gain access to a system. In a possession-based authentication approach, possession of one authentication factor (e.g. possession of a card or token) is required in order to gain access to a system. More recently, some of these technologies have been implemented in combination as two-factor authentication schemes wherein both knowledge-based and possession-based factors are required simultaneously for authentication. These types of authentication have recently gained increasing acceptance. An example of such an authentication scheme is the common bank card transaction wherein the card itself represents the authorizing possession factor (the bearer has the card) and the corresponding personal identification number (PIN) represents the authorizing factor that is known only to the account holder. However, despite these apparent additional layers of security, misplacement of the possession factor (such as lost or stolen cards) and a breach of the knowledge factor (such as a compromised password) remain problematic for these types of transactions. As a result, when the possession factor (e.g. the card) and the password are simultaneously compromised or duplicated, there is no apparent suitable countermeasure for the breach, as it is no longer possible to authenticate the true identity of the holder of said device.
In a typical access control transaction using the traditional two-factor verification system, a bearer of the access control processor device, such as, for example, an access card, presents the card to gain access or entry to a secured site. The card presented by the bearer is read or swiped using a magnetic reader or other similar device. The information contained on the magnetic stripe of the card is read and transmitted to the issuing institution. The institution then interrogates its database of active cards against the information received. If the institution verifies that the card is valid and active, and/or when additional verification parameters are met, an approval is provided to the card holder to gain entry. In some instances, an additional authentication scheme based on interrogation of information known only to the user, such as, for example, a password, may be used to supplement and/or enhance the security scheme.
However, despite these apparent additional layers of security, misplacement of the possession factor (such as lost or stolen cards) and a breach of the knowledge factor (such as compromised passwords) remain problematic for these types of transactions. Within these conventional authentication systems, when the possession factor (e.g. the card) and the password are simultaneously compromised or duplicated, there is no apparent suitable countermeasure for this type of security breach, as it is no longer possible to authenticate the true identity of the holder of said device.
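The access control transaction described above (swipe, transmit, database lookup, PIN check) and the limitation just stated can be shown in a small model. The following is an added illustration, not code from the patent or from any issuing institution; the card identifier, the stripe-like track format `ID=...;EXP=...`, the PIN and the in-memory "institution database" are all constructed for this example. It shows that the issuer's check can reject an unknown card, a revoked card, an unreadable track or a wrong PIN, but that a duplicated card presented with the compromised PIN yields exactly the same inputs as the true holder, so only revocation of the card record can stop it.

```python
"""Toy model of a two-factor (card + PIN) access-control check.
Added example; all identifiers and values are constructed."""
from __future__ import annotations

import dataclasses
import hashlib
import hmac
import secrets
from dataclasses import dataclass

PBKDF2_ROUNDS = 100_000  # assumed work factor for the toy PIN store


@dataclass(frozen=True)
class CardRecord:
    card_id: str
    salt: bytes
    pin_hash: bytes
    active: bool


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the institution never stores the PIN itself."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


class IssuerDatabase:
    """The issuing institution's register of active cards."""

    def __init__(self) -> None:
        self._cards: dict[str, CardRecord] = {}

    def enroll(self, card_id: str, pin: str) -> None:
        salt = secrets.token_bytes(16)
        self._cards[card_id] = CardRecord(card_id, salt, hash_pin(pin, salt), True)

    def revoke(self, card_id: str) -> None:
        """Countermeasure available to the institution: deactivate the record."""
        rec = self._cards[card_id]
        self._cards[card_id] = dataclasses.replace(rec, active=False)

    def verify(self, card_id: str, pin: str) -> str:
        rec = self._cards.get(card_id)
        if rec is None:
            return "denied: unknown card"
        if not rec.active:
            return "denied: card revoked"
        # Possession factor accepted; now check the knowledge factor in
        # constant time so PIN comparison leaks nothing through timing.
        if not hmac.compare_digest(hash_pin(pin, rec.salt), rec.pin_hash):
            return "denied: bad pin"
        return "approved"


def read_track(track: str) -> str:
    """Parse the constructed stripe-like string 'ID=<card id>;EXP=<mmyy>'.
    Only the card id is forwarded to the issuer lookup."""
    fields = dict(part.split("=", 1) for part in track.split(";") if "=" in part)
    try:
        return fields["ID"]
    except KeyError:
        raise ValueError("track carries no card id") from None


def access_transaction(db: IssuerDatabase, track: str, pin: str) -> str:
    """Reader side: swipe, transmit card id plus PIN, return the decision."""
    try:
        card_id = read_track(track)
    except ValueError:
        return "denied: unreadable card"
    return db.verify(card_id, pin)


def demo() -> dict[str, str]:
    db = IssuerDatabase()
    db.enroll("4000123412341234", "2468")  # constructed card and PIN
    holder_track = "ID=4000123412341234;EXP=1227"
    results = {
        "holder": access_transaction(db, holder_track, "2468"),
        "wrong_pin": access_transaction(db, holder_track, "0000"),
        "unknown": access_transaction(db, "ID=4000999999999999;EXP=1227", "2468"),
        "garbage": access_transaction(db, "??", "2468"),
    }
    # A duplicated stripe plus the compromised PIN is byte-for-byte what the
    # true holder presents, so the institution cannot tell them apart.
    duplicated_track = str(holder_track)
    results["duplicate_with_pin"] = access_transaction(db, duplicated_track, "2468")
    # The only lever left is to revoke the record once the loss is known.
    db.revoke("4000123412341234")
    results["after_revocation"] = access_transaction(db, holder_track, "2468")
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:20s} {outcome}")
```

The model keeps the institution's side honest (hashed PINs, constant-time comparison, revocation), yet the `duplicate_with_pin` case is approved for the same reason the text gives: once both factors are copied, the verification inputs are indistinguishable from the legitimate bearer's, and detection has to come from somewhere other than the two factors themselves.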
In light of these security threats, the use of access control processor devices (e.g. cards or badges) by non-authorized bearers continues to present a difficult and costly problem for institutions. Various security features have been designed and implemented with mixed success to minimize these types of fraud and security breaches. Thus, there remains a need for improved methods and devices for user authentication during access control transactions.