A user ID and password is often required in order for a suspect user to gain access to a network resource from an access authority of a computer network. In such a system, the network resource may comprise an application, service, or device of the computer network, or even access to the computer network itself. The access authority may comprise a server of the computer network, which grants access once the user ID has been authenticated using the password received from the suspect user. Moreover, the access authority may include security privileges for granting specific types of access to authenticated users, and the access authority may additionally perform the authentication of suspect users itself.
The increasing number of systems each requiring a user ID and password in order for a suspect user to gain access to a network resource ultimately confuses users. To reduce confusion, users typically choose easy-to-remember passwords. Otherwise, users tend to forget complex passwords and record the passwords in easily accessible places for later reference. For example, many users maintain a list of user IDs and passwords in a spreadsheet or text file on their computer or personal digital assistant. Programs have even been written to help maintain user ID and password combinations.
Enterprises, such as corporations, Internet service providers, portals, application service providers (ASPs), e-commerce providers, online financial services, etc., must manage user IDs and passwords for their users. Allowing users to employ simple passwords reduces security at a time when security attacks are increasing and are increasingly expensive when they occur. On the other hand, enforcing the use of complex passwords and requiring passwords to be changed frequently increases security, but also increases cost in the form of help desk and customer service calls for the resetting of passwords. The systems that have been developed to allow users to use personal information to reset a password automatically without human intervention tend to be less secure because personal information can be guessed or obtained surreptitiously. Some systems, for example, use information from credit reports—despite the fact that credit bureaus are in the business of proactively selling that information.
For user convenience, single sign-on systems have also been developed in which a user is able to authenticate to a single trusted authentication server, which then propagates that authentication to multiple access authorities. While the use of a single authentication server eases the user burden of remembering multiple passwords for accessing various network resources, such a system typically is limited to accessing network resources of a single enterprise. Such a system is also susceptible to a security problem known as “keys to the kingdom.” If an attacker gains access to the user ID and password required to authenticate to the authentication server, then access to all network resources relying upon that authentication server is compromised.
Stronger forms of authenticating user IDs have also been developed beyond the single-factor authentication employed in using passwords. Notably, hardware tokens such as USB tokens and time-based tokens—RSA's SecurID is an example—are now being utilized in some multi-factor authentication systems, wherein these tokens are able to uniquely identify themselves. For example, a token utilizing physical access to a device and knowledge of a shared secret, such as a PIN, can construct a rotating key that matches a synchronized server key. Such a system is a “two-factor” authentication system because it requires something the user has, i.e., the token, in addition to something the user knows, i.e., the password. Unfortunately, each token in one of these two-factor authentication systems is expensive, subject to loss, and typically restricted to use with one or more network resources of a particular computer network.
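The rotating-key mechanism described above, as an added illustration that is not part of the patent and is not RSA's proprietary SecurID algorithm: the token and the server share a provisioned seed (a constructed value here), both derive a short code from the seed and the current 30-second interval using the HMAC-based construction of RFC 4226/6238, and the server accepts the code only together with the user's PIN and only within a small clock-drift window. The seed, PIN, interval length and window size are assumptions chosen for the demo.

```python
import hmac
import hashlib
import struct

# Constructed demo parameters (not from the patent): a seed provisioned to both
# the token and the server, a 30-second rotation interval and 6-digit codes.
SHARED_SEED = b"constructed-demo-seed-0123456789"
STEP_SECONDS = 30
DIGITS = 6


def time_step(now: float) -> int:
    """Map wall-clock seconds to the current rotation interval (the synchronization counter)."""
    return int(now // STEP_SECONDS)


def rotating_key(seed: bytes, step: int) -> str:
    """Something the user has: the token derives a short code from the seed and the
    current step with HMAC-SHA1 plus dynamic truncation (the HOTP/TOTP construction)."""
    mac = hmac.new(seed, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


def passcode(seed: bytes, pin: str, now: float) -> str:
    """What the user submits: something they know (the PIN) followed by the rotating key."""
    return pin + rotating_key(seed, time_step(now))


def server_verify(seed: bytes, expected_pin: str, submitted: str, now: float, window: int = 1) -> bool:
    """Server side: both factors must match. The server recomputes the key for the
    current step and its neighbours to tolerate clock drift between token and server,
    using constant-time comparisons so timing does not leak which digits were right."""
    pin, code = submitted[:len(expected_pin)], submitted[len(expected_pin):]
    if not hmac.compare_digest(pin, expected_pin):
        return False
    step = time_step(now)
    return any(hmac.compare_digest(code, rotating_key(seed, step + d))
               for d in range(-window, window + 1))
```

A lost token (wrong seed) or a guessed PIN alone is rejected, and a code captured at one interval stops working a few intervals later, which is the property the two-factor design relies on.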
In view of the foregoing, a need exists for an improved multi-factor authentication system that overcomes one or more of the aforementioned disadvantages of current authentication systems. One or more of these disadvantages are overcome by one or more embodiments of the present invention, as described in detail below.