
Graduate student: 陳佳惠 (Jia-Huei Chen)
Thesis title: 具防止身分竊取之基於機器資訊的使用者認證機制 (A Machine-Based Authentication Mechanism to Prevent from Identity Theft)
Advisor: 孫宏民 (Hung-Min Sun)
Committee members:
Degree: Master
Department: 電機資訊學院 - 資訊系統與應用研究所 (College of Electrical Engineering and Computer Science, Institute of Information Systems and Applications)
Year of publication: 2005
Graduating academic year: 93 (ROC calendar, i.e. the 2004-2005 academic year)
Language: English
Pages: 52
Chinese keywords: 身份竊取, 機器認證, 使用者認證 (identity theft, machine authentication, user authentication)
Foreign-language keywords: identity theft, machine-based authentication, user authentication
  • The most basic and traditional authentication mechanism is password-based authentication. Current web applications usually pair the Secure Sockets Layer (SSL) protocol with password authentication; however, password authentication cannot prevent identity theft. An attacker can obtain the password by a dictionary attack and then impersonate a legitimate user to access resources that only members are entitled to read. Strict user authentication is one way to prevent identity theft. In the SSL protocol, client-side authentication uses digital certificates, but whether it is used is decided by the server and it is usually not used; moreover, digital certificates can be stolen, so this mechanism has not been widely adopted. Subsequently, a series of user authentication mechanisms were proposed, such as one-time passwords, smart cards, mobile phones, and biometrics. So-called two-factor authentication combines one of the above methods with password authentication. However, our analysis found weaknesses in these mechanisms.
    Therefore, based on the "Product Activation" mechanism proposed by Microsoft, we develop a two-factor authentication mechanism for web applications. We use hardware and software data from the computer as the client's identity. The three main characteristics of the system are: (1) the main client authentication data, called the HS-Code, is composed of data from 10 hardware and software components; (2) a "weight" field is used to provide fault tolerance, whose purpose is to reduce the number of times a user must re-authenticate; (3) for mobility, we design a set of mechanisms, including duplication machine, restricted function, and flexible threshold and weight, that let users use the system anytime and anywhere. In addition, to show that this mechanism is superior to other existing mechanisms, we compare them using five evaluation criteria.
    We implement the mechanism using WMI, the application programming interface provided by Microsoft. Because the mechanism does not require a large implementation cost, even small organizations can afford to deploy it; furthermore, its operation resembles that of an ordinary web application, so users can adopt it quickly.


    Password authentication is regarded as one of the simplest and most convenient authentication mechanisms. It is usually employed together with the SSL protocol in current web-based application systems. However, password-based authentication mechanisms are unable to resist identity theft: an intruder can mount a dictionary attack on the password and then impersonate a legitimate user to access resources that only members are entitled to. To prevent identity theft, client authentication is one solution. The digital certificate is the typical client authentication mechanism in the SSL protocol. Although SSL does offer it, this security service is optional and usually omitted, because users typically do not have the necessary asymmetric key pair. Later, several client authentication mechanisms, such as one-time password tokens, smart cards and smart USB tokens, mobile phones, and biometrics, were proposed to solve the problem of identity theft. A two-factor authentication mechanism combines one of the above mechanisms with password authentication. Unfortunately, our analysis finds flaws in these client authentication mechanisms.
    Therefore, we improve on the idea of "Product Activation" introduced by Microsoft to build an authentication mechanism. This mechanism derives the user's identity from the hardware and software components of a machine. Our mechanism has three features: (1) the main authentication data, called the HS-Code, is constructed from 10 components; (2) a weight field provides fault tolerance, reducing the number of times users must re-authenticate; (3) a suite of techniques, including duplication machine, restricted functions, and flexible threshold and weight, lets users interact with the system from anywhere and from any computer. Furthermore, we evaluate the proposed mechanism against the others by five criteria and show that it is superior.
    To build this mechanism, we use WMI, the API on the Microsoft Windows platform, to implement the core technology. Our system resembles current web-based application systems, so any organization can deploy it quickly and can afford the implementation cost.

    List of Tables IV
    List of Figures V
    Chapter 1 Introduction 1
      1.1 Background 1
      1.2 Motivation 2
      1.3 Contribution 3
      1.4 Overview of the Thesis 4
    Chapter 2 Related Work 5
      2.1 A Conceptual Framework for Online Authentication 5
      2.2 The Development of Authentication Mechanisms 8
        2.2.1 One-Factor Authentication 9
        2.2.2 Two-Factor Authentication 10
        2.2.3 Machine-Based Authentication 16
      2.3 Overview of Secure Socket Layers 20
    Chapter 3 Preliminary Knowledge 26
      3.1 The Major Authentication Message: Hardware & Software-Code 26
      3.2 Windows Management Instrumentation (WMI) 30
    Chapter 4 Our Proposed Mechanism 34
      4.1 The Placement 34
      4.2 The Typical Scenario in Our Mechanism 35
      4.3 The Architecture 37
        4.3.1 The Core Architecture of Our Proposed Mechanism 37
        4.3.2 The Portable System 41
      4.4 The Characteristics 44
      4.5 The Implementation 47
    Chapter 5 Conclusion 49
    Bibliography 50


    Full-text release date: full text not authorized for public access (on-campus network)
    Full-text release date: full text not authorized for public access (off-campus network)
