The Internet is having an identity crisis. Long regarded as a powerful tool for cost reduction and service enhancement, the Internet is falling short of its promise because of the real and perceived threat of identity theft. Financial losses and insurance costs are mounting, as organizations struggle to protect their information perimeters and improve the strength of their authentication systems to ensure that the authorized user is present during the sign-in process. The widespread use and misuse of passwords as authentication tokens is generally cited as a cause of the accelerating erosion of user confidence and the increasing incidence of identity theft. It is generally agreed that passwords are not enough. Much has been lost, however, in the race toward person-present authentication systems. While the application of passwords is fraught with risk, the introduction of complex authentication infrastructures and cumbersome end user technology has eroded usability and increased the cost of security dramatically. This paper describes a new authentication approach that retains the simplicity and low cost of passwords, while gracefully introducing as much person-present assurance as is required by the application.
are prone. Strong, dynamic biometric authentication systems, however, remain expensive and are further diminished by the requirement for a hardware device to take the required measurements at every access point. For example, if the user has a dynamic signature tablet for authentication on their office desktop, they will need another similar device at home to achieve the same level of security when working from home, effectively doubling the cost of the solution. Furthermore, until such devices are more