1. Field of the Invention
The present invention relates to information security devices, and more particularly to a system and method of providing a secure system for authentication and authorization utilizing a personal wireless digital communications device.
2. Discussion of the Related Art
As computers have become more tightly integrated with a broad spectrum of our daily personal and business lives, there is a growing need for secure authentication and authorization of our interactions with them. Today's methods are cumbersome, expensive and inadequate. In certain cases, users are forced to carry specialized devices, learn a host of mechanisms and possibly memorize scores of username and password combinations. In practice, providers are forced to either accept lower levels of security or to install expensive special-purpose security systems. Often the actual level of security is not nearly what is promised, because in order to simply be able to use the systems users resort to insecure storage of their usernames and passwords, whether on pieces of paper or in insecure digital documents.
Access to these systems and services is most often secured without the use of dedicated security devices through a simple challenge-response dialog presented over the same data path over which the primary interaction occurs. Typically the data path consists of a keyboard, mouse and monitor; and the challenge-response dialog initiated by a secured program is often in the form of a request for a “username/password” pair. The secured program then compares the password as entered by the user during the current session with one associated to the provided username in a previous session. The requested degree of access to the secured program or service is granted if the two passwords match, and denied if they do not.
To provide additional security, special-purpose credit card-sized devices with internal microprocessors, non-volatile memory and sometimes a keypad for data entry are utilized. These devices contain a unique identifier—stored in the non-volatile memory—along with personal cryptographic keys. They are issued to a user with a personal access code, commonly known as a Personal Identification Number (“PIN”). The user must present a correct PIN to the card—or to a device which reads the card—to unlock the card for operation. Once unlocked, the card may facilitate a variety of challenge-response dialogs can be used to authenticate and authorized transactions.
This approach presents several disadvantages. First, these special purpose security devices add complexity and cost. Second, they place the additional burden on the user to have the security device with them when they need access to the computer system. Third, the limited computing power and limited programmability of these devices makes it difficult to incorporate flexible challenge-response dialogs. Fourth, since the data paths between the user and the security device and between the security device and the computing system consist of keyboard entry, it is not possible to incorporate additional systems into the challenge-response dialog. Fifth, since there is little standardization, one user may be obliged to carry multiple devices for different purposes, and to remember the PIN for each.
Accordingly, a need exists for a secure, convenient, elegant and cost-effective method and apparatus for authentication and authorization. When being employed to facilitate authentication and authorization of one or more application programs executed on a host computer, such a technique will desirably be capable of implementation substantially independently from the host computer so as to maximize protection against unauthorized access.