The Internet is having an identity crisis. Long regarded as a powerful tool for cost reduction and service enhancement, the Internet is falling short of its promise because of the real and perceived threat of identity theft. Financial losses and insurance costs are mounting, as organizations struggle to protect their information perimeters and improve the strength of their authentication systems to ensure that the authorized user is present during the sign-in process. The widespread use and misuse of passwords as authentication tokens is generally cited as a cause of the accelerating erosion of user confidence and the increasing incidence of identity theft. It is generally agreed that passwords are not enough. Much has been lost, however, in the race toward person-present authentication systems. While the application of passwords is fraught with risk, the introduction of complex authentication infrastructures and cumbersome end user technology has eroded usability and increased the cost of security dramatically. This paper describes a new authentication approach that retains the simplicity and low cost of passwords, while gracefully introducing as much person-present assurance as is required by the application.
combines elements of both biometrics and cryptography to yield a solution with the simplicity and economy of password authentication, yet without its traditional limits. The Problems with Passwords Problem 1: Short Passwords Though computers are excellent at remembering long strings of random information, people are notoriously poor at it. When presented with the chance to choose a possible password 5-10 characters long, composed of letters and numbers, the majority of people choose short, simple