The Internet is having an identity crisis. Long regarded as a powerful tool for cost reduction and service enhancement, the Internet is falling short of its promise because of the real and perceived threat of identity theft. Financial losses and insurance costs are mounting, as organizations struggle to protect their information perimeters and improve the strength of their authentication systems to ensure that the authorized user is present during the sign-in process. The widespread use and misuse of passwords as authentication tokens is generally cited as a cause of the accelerating erosion of user confidence and the increasing incidence of identity theft. It is generally agreed that passwords are not enough. Much has been lost, however, in the race toward person-present authentication systems. While the application of passwords is fraught with risk, the introduction of complex authentication infrastructures and cumbersome end-user technology has eroded usability and increased the cost of security dramatically. This paper describes a new authentication approach that retains the simplicity and low cost of passwords, while gracefully introducing as much person-present assurance as is required by the application.
a site, and knows how the system works, and knows what questions to ask (recall that questions are user-specific, and sometimes based on events shared only by the user and the system), and even if the user is fooled into attempting a login at a fraudulent site, attackers can gain knowledge of only a single set of challenge questions (and their responses). If the attacker were to attempt illegitimate access to the enterprise using information gleaned in this fashion, he or she would be foiled when