A Partial Password authentication technique may be employed to protect a user password from key loggers and/or from direct observation, e.g., “shoulder surfing”. In the Partial Password authentication technique, a server may challenge a user of a client device networked with the server with a predetermined set of password character positions. The user responds by entering the corresponding individual characters of a unique user password appearing at the challenged positions. For example, when a user is challenged to identify the characters appearing at positions 1, 3, and 5 of a password “PaSsWorD”, the user enters “PSW”. The server then verifies the entry against an expected partial password to determine if the response is correct.
Online theft attempts have increased with the ever-expanding use of the internet for conducting business transactions. As a result, password-based authentication security measures alone may provide relatively weak protection. Hardware-based or software-based multi-factor authentication schemes such as a One Time Passcode or Password (OTP) and Public Key Infrastructure (PKI) are becoming increasingly popular. Due to the practical limitations of hardware-based solutions, software-based solutions may be preferred in mass deployment situations.
Such authentication schemes might use the full Password, i.e., a “Known Factor”, to lock an Additional Factor such as an OTP-Shared Secret or a Private Key maintained on a disk or other tangible storage media. A client unlocks the Additional Factor and ultimately derives the proof of identity, for example generates the OTP, signs the challenge, etc., thereby completing the required authentication. That is, multi-factor schemes usually require the full Password to be available on the client-side of a given transaction during the authentication process. However, the user still must enter the full Password via the client device, a process which remains vulnerable to the key logging and shoulder surfing techniques noted above.