Online Security, Safety, Tips, Compliance, Standard
Two Factors of Authentication – When Username and Password Are Not Enough
Authentication, which is the process by which a computer system positively identifies a user, is commonly considered to be one of the weakest links in modern computer security systems. Every day a new story emerges about an identity theft or a computer break-in due to stolen credentials. With the proliferation of network-based and online applications, the trend is only going to continue. Unfortunately, the dominant authentication system in production today is based on user names and passwords. This relatively weak system is subject to a number of flaws, including notoriously poor user password choices, password harvesting via keylogging software, phishing and man-in-the-middle attacks, and others.
The most common solution to these authentication problems is to use a two-factor authentication system. Two-factor authentication works by requiring both something the user has and something the user knows, as opposed to just something known (typically a password). The “something you have” is usually a piece of hardware that is impossible (or at least very difficult) to duplicate, and the “something you know” is typically a password or PIN. Two-factor authentication systems are secure because it is very difficult to obtain both factors. Even if an attacker manages to learn the user’s password, it is useless without also having physical possession of the device. Conversely, if the user happens to lose the physical device, the finder of that device won’t be able to use it unless he or she can also guess the user’s password.
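As an added illustration (not code from the original post), the login check below enforces the two factors the article describes: a password (something you know) verified against a stored hash, and a one-time code (something you have) produced by a token. It assumes an RFC 6238 TOTP token as the "something you have", which is one kind of token-based system; the salt, password and token secret are constructed sample values.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo values: a salted PBKDF2 hash of the user's password and a
# shared secret that would be provisioned into the user's token at enrolment.
_SALT = b"example-salt"
_PASSWORD_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000)
_TOKEN_SECRET = b"12345678901234567890"  # 20-byte seed from the RFC 6238 test vectors


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """Compute an RFC 6238 TOTP code (HMAC-SHA1) for the given Unix time."""
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def password_ok(password: str) -> bool:
    """Factor 1: something you know. Compare hashes in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    return hmac.compare_digest(candidate, _PASSWORD_HASH)


def token_ok(code: str, now: int, window: int = 1) -> bool:
    """Factor 2: something you have. Accept one step either side for clock drift."""
    for skew in range(-window, window + 1):
        expected = totp(_TOKEN_SECRET, now + skew * 30)
        if hmac.compare_digest(code, expected):
            return True
    return False


def login(password: str, code: str, now: Optional[int] = None) -> bool:
    """Both factors must verify; evaluate both so a failure does not reveal which one."""
    now = int(time.time()) if now is None else now
    have_password = password_ok(password)
    have_token = token_ok(code, now)
    return have_password and have_token
```

Losing the token alone or learning the password alone leaves `login` returning False; only a caller holding both passes.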
Security professionals have deployed various two-factor solutions, but no solution has widely displaced traditional user name and password authentication. The industry has seen enterprise deployments of token-based systems from vendors such as RSA® and VeriSign®, smartcard-based solutions, and various forms of biometric authentication. Each solution has significant drawbacks, historically leading to limited adoption by users.
For online consumer logins, such as banking and financial websites, these drawbacks have sharply limited two-factor deployments. These websites have instead opted to deploy security questions and image identification as an additional layer of security.
This entry was posted by Tokwear on October 28, 2009 at 12:01 AM, and is filed under IT Security, IT Security Definition.