A keyfob is a type of security token: typically a small hardware device with a built-in authentication mechanism for accessing computer systems. Like physical keys held on a real-world key chain, the authentication mechanism in the keyfob controls access to computer systems, computer network services and the information stored therein. Because a keyfob is a physical object, its owner can readily tell when it has been stolen, whereas a password can be copied without the owner's knowledge; the keyfob therefore provides stronger assurance than a password alone.
Conventional keyfobs have a mechanism that generates a large number of tokens rotating in synchronization with the authentication entity that issued the keyfob. The keyfob maintains a synchronization mechanism within the device so that its tokens track those computed by the server of the authentication entity. The tokens rotate such that each token is valid only temporarily, for a limited duration. The temporary nature of the token thus provides an additional layer of security: even if a token becomes known to a third party, it will no longer be valid after that duration. At any given moment, the keyfob displays the token valid at that time. The user enters the displayed token into the application software on the user computer, and the keyfob is validated when the authentication entity validates the token.
FIG. 1A is a block diagram illustrating how a conventional keyfob is used with computer systems to access the server of a financial institution (authentication entity), and FIG. 1B is an interaction diagram illustrating how the conventional keyfob is used with computer systems to access the server of a financial institution (authentication entity). For purposes of illustration, the example in FIGS. 1A and 1B shows a situation where a user of financial application software running on a user computer 102 uses a conventional keyfob to access the server of a financial institution (FI) 103, such as a bank, and download the user's financial data from the FI 103 into the financial application software. The FI 103 is associated with an authentication entity (AE1) 104 for authenticating keyfobs issued by the FI 103. Although the server of the FI 103 and the computer of AE1 104 are shown as separate computers in FIG. 1A, this is merely for illustration; they can also be part of one computer performing the functions of both the FI 103 and AE1 104. The FI 103 typically issues the keyfob to the user so that the user can access the FI's computer to engage in financial transactions with the FI 103, such as depositing, transferring or withdrawing funds, or downloading the user's financial data into a third party's financial application software running on the user computer 102.
Referring to FIGS. 1A and 1B, in order for the application software on the user computer 102 to access the computer of the FI 103, the user enters 103 the keyfob token displayed on the keyfob into the user computer 102 running the application software, together with login information such as the login ID and password of the user's account with the FI 103. The displayed token is the one valid at that time, selected from the plurality of tokens rotating in synchronization with the authentication entity (AE1) 104.
The application software on the user computer 102 transmits 105 an authentication request to the FI 103 and AE1 104. The authentication request includes at least the keyfob token. The authentication entity (AE1) 104 validates 106 the keyfob token, and the user is granted access to the computer of the FI 103.
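The token rotation described for the conventional keyfob and the validation step of FIG. 1B, written out as an added example that is not part of this application: it assumes the keyfob behaves like a time-based HMAC one-time-password token in the manner of RFC 4226/6238, which the description above does not specify, uses the published RFC test seed as the constructed shared secret, and assumes a 30-second rotation, six-digit tokens and a one-step tolerance for clock drift on the server side. The server also refuses any counter value it has already accepted, so a token observed by a third party cannot be replayed within its validity window; that replay check is an addition of this example, not something stated above.

```python
import hashlib
import hmac
import struct

# Constructed shared secret: the published RFC 4226/6238 test seed
# ("12345678901234567890"), used here only so the values are checkable.
# A real keyfob carries a per-device secret known only to it and AE1.
SEED = b"12345678901234567890"
STEP_SECONDS = 30      # assumed rotation period of the tokens
DIGITS = 6             # assumed displayed token length


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for a single counter value."""
    msg = struct.pack(">Q", counter)                       # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def time_counter(now: float, step: int = STEP_SECONDS) -> int:
    """Map wall-clock time to the rotation counter shared by fob and server."""
    return int(now // step)


class KeyFob:
    """The device side: shows whichever token is valid at the present time."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def display(self, now: float) -> str:
        return hotp(self._secret, time_counter(now))


class AuthenticationEntity:
    """The server side (AE1 in FIG. 1A): validates a submitted token."""

    def __init__(self, secret: bytes, window: int = 1):
        self._secret = secret
        self._window = window        # tolerated clock drift, in steps, either side
        self._last_counter = -1      # highest counter already accepted

    def validate(self, token: str, now: float) -> bool:
        base = time_counter(now)
        for delta in range(-self._window, self._window + 1):
            counter = base + delta
            # A counter that was already used is never accepted again, so an
            # eavesdropped token cannot be replayed inside the drift window.
            if counter <= self._last_counter:
                continue
            expected = hotp(self._secret, counter)
            if hmac.compare_digest(expected, token):   # constant-time comparison
                self._last_counter = counter
                return True
        return False


def demo() -> dict:
    """Walk through the FIG. 1B interaction at a fixed time and report each outcome."""
    fob, ae = KeyFob(SEED), AuthenticationEntity(SEED)
    t = 59.0
    token = fob.display(t)
    return {
        "token": token,
        "first_use": ae.validate(token, t),          # fresh token: accepted
        "replay": ae.validate(token, t),             # same token again: rejected
        "expired": ae.validate(token, t + 300),      # ten steps later: rejected
        # fob clock one second behind a step boundary, server one second past it
        "drift": AuthenticationEntity(SEED).validate(fob.display(29.0), 31.0),
    }


if __name__ == "__main__":
    print(demo())
```

The drift case shows why the server checks a small window rather than a single counter: the fob and server clocks are never perfectly aligned, so a token generated just before a rotation boundary must still verify just after it. Widening the window beyond a step or two lengthens the time an intercepted token stays usable, which is why the replay check on the accepted counter matters.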
A problem arises when the user has accounts with multiple different financial institutions. If conventional keyfobs are used, each financial institution (authentication entity) issues its own keyfob to the user, and the user ends up with multiple keyfobs. The user has to carry all of them physically, which is very inconvenient and also poses a security concern, since some of the many keyfobs may be lost.
Therefore, there is a need for a keyfob that can be used with multiple authentication entities. There is also a need for a method for an authentication entity to authenticate a keyfob that was issued by another authentication entity.