Using one-time passwords to prevent password phishing attacks

Phishing is now a serious threat to the security of Internet users’ confidential information. Basically, an attacker (phisher) tricks people into divulging sensitive information by sending fake messages to a large number of users at random. Unsuspecting users who follow the instruction in the messages are directed to well-built spoofed web pages and asked to provide sensitive information, which the phisher then steals. Based on our observations, more than 70% of phishing activities are designed to steal users’ account names and passwords. With such information, an attacker can retrieve more valuable information from the compromised accounts. Statistics published by the anti-phishing working group (APWG) show that, at the end of Q2 in 2008, the number of malicious web pages designed to steal users’ passwords had increased by 258% over the same period in 2007. Therefore, protecting users from phishing attacks is extremely important. A naı̈ve way to prevent the theft of passwords is to avoid using passwords. This raises the following question: Is it possible to authenticate a user without a preset