**Abstract**

This chapter analyzes existing user authentication methods for remote access to information systems and the disadvantages of these methods. It defines a method of multifactor authentication for users accessing remote information systems that combines validation of knowledge of a secret password with verification that the user's Internet habits and preferences conform to the interests defined at registration in the system. Using the history of Web pages, the Internet browser creates a list of Web pages the user has visited in the past period of time. It is proposed to use Bayesian classification to assess the user's knowledge, based on the analysis of information about Web pages visited by the user. For authorization from someone else's computer, the user is asked additional questions to test knowledge of the subject areas they selected during registration in the information system. This chapter defines the languages and tools for implementing the proposed authentication algorithm: the PHP programming language and the MySQL database management system (to create a database of registered users), the open source Web application phpMyAdmin (to create and administer the MySQL database), and the JavaScript programming language and HTML (to create browser extensions that obtain the list of addresses of the Web pages visited by the user).

**Keywords:** user authentication, remote access, the document object model, classification of text documents, Bayesian method, PHP programming language, MySQL database management system

### **1. Introduction**

Many Internet sites and portals (including those of educational institutions) should restrict unauthorized users' access to their content (commercial secrets, personal data, intellectual property, and other sensitive information). For example, distance-education universities must reliably authenticate students when they carry out evaluation tasks. Financial institutions (banks) should provide access to customer accounts only after credible evidence of the customer's authenticity.

The security of the user login procedure largely determines the security of an information system as a whole (and, in the case of distance learning systems, also the reliability of the results of students' educational tasks). Authenticating the name of the user logging in is one of the steps in the logon process.

There are well-known techniques for authenticating users of information systems. The first group of such methods is based on checking the user's knowledge of some memorized secret (e.g., a secret password). In the authentication process, knowledge of this secret is validated. The second group of authentication methods is based on checking that the user owns a certain hardware item (device), such as a smart card or USB token. The device contains the base secret of the user (e.g., the private key of their digital signature), which the user does not need to remember. The third group of authentication methods is based on checking whether a user has characteristics that cannot be separated from them. These characteristics can be, for example, a fingerprint, the face, or the voice. Such methods are referred to as biometric authentication.

*User Authentication Based on Knowledge of Their Work on the Internet*

*DOI: http://dx.doi.org/10.5772/intechopen.88620*

**2.2 User authentication using devices**

User name authentication using authentication devices is based on the uniqueness and the confidentiality of the information contained in the memory of the device. Such information could be, for example, the private (secret) key of the user's electronic signature. In the process of authentication, the correctness of such a key is validated using the user's public key certificate, which is issued by a trusted certificate authority and stored in the information system in which the user is registered.

Most often the following devices are used for authentication:

• tokens that require connecting to your computer using a USB port and are in fact microcomputers;

• smart cards, which are also microcomputers but additionally require the use of card readers;

• passive devices (e.g., iButton or Touch Memory), which can only store information to authenticate the device owner.

The authentication procedure using active devices may include the generation and verification of one-time passwords or the calculation of a response to a random request (the "handshake" model).

For active USB devices, reusable passwords (so-called PIN codes) add protection against theft: knowledge of the PIN confirms that the authentication device is being used by its rightful owner. Other advantages of authentication devices are the absence of limits on the length and complexity of the information stored in the device memory and the ability to detect that the device is lost or stolen and to lock it in that case.

But the use of authentication devices also has a number of disadvantages:

• the additional cost of the devices issued to registered users and of their readers;

• the need for a free USB port or additional equipment to connect your device to your computer;

• the possibility of device failure or accidental damage;

• the possibility of a wrongdoer manufacturing copies or analogs of the device or creating its software emulator; and

• the need to deploy a public key infrastructure (PKI) when the private key of the user's electronic signature is used as the secret stored on the device [1].

**2.3 Biometric user authentication**

Biometric authentication checks characteristics of the user that are unique and inseparable from their person. These characteristics are divided into physical, or static (patterns of papillary lines or fingerprints, hand shape, iris and retina of the eyes, face shape, etc.), and behavioral, or dynamic (timbre, handwritten signature, tempo of text input from the keyboard or keyboard "handwriting," etc.).

The advantages of biometric authentication include the validity of authentication, user friendliness (the user does not need to remember long and complex passwords or

But all these methods are most effective in local authentication, when there is no doubt about the source of the information used for user authentication. In remote authentication there is no such confidence, because the data for verification can be provided by an outsider, so new authentication methods suitable for remote access to information systems need to be created. These methods can be used in addition to the existing methods of authentication. One such additional method, for example, is to verify a user with a knowledge test about his preferences and competencies.

Data on user knowledge can be collected by analyzing the content of the Internet resources the user has visited. Such an analysis could be based on the methods of classification of text documents.
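One way to apply such a classification to the knowledge check, given here as an added example that is not code from the chapter: a multinomial naive Bayes classifier with Laplace smoothing assigns visited page titles to subject areas and measures what share falls in the areas chosen at registration. The use of page titles, the training data, the two histories, the function names and the 0.6 threshold are all constructed assumptions.

```javascript
const tokenize = (text) => text.toLowerCase().match(/[a-z]+/g) || [];

function train(samples) {
  // samples: [{ area, text }] -> per-area document and word counts
  const model = { areas: Object.create(null), vocab: new Set(), docs: samples.length };
  for (const { area, text } of samples) {
    const a = model.areas[area] || (model.areas[area] = { docs: 0, words: new Map(), total: 0 });
    a.docs += 1;
    for (const w of tokenize(text)) {
      a.words.set(w, (a.words.get(w) || 0) + 1);
      a.total += 1;
      model.vocab.add(w);
    }
  }
  return model;
}

function classify(model, text) {
  // argmax over areas of log P(area) + sum of log P(word | area), Laplace-smoothed
  let best = null, bestScore = -Infinity;
  for (const [area, a] of Object.entries(model.areas)) {
    let score = Math.log(a.docs / model.docs);
    for (const w of tokenize(text)) {
      if (!model.vocab.has(w)) continue; // words never seen in training carry no evidence
      score += Math.log(((a.words.get(w) || 0) + 1) / (a.total + model.vocab.size));
    }
    if (score > bestScore) { best = area; bestScore = score; }
  }
  return best;
}

function interestMatch(model, visitedTitles, registeredAreas) {
  // share of visited pages whose predicted area is one the user chose at registration
  const hits = visitedTitles.filter((t) => registeredAreas.includes(classify(model, t)));
  return visitedTitles.length ? hits.length / visitedTitles.length : 0;
}

// Constructed training set and browsing histories (not real user data).
const MODEL = train([
  { area: "cryptography", text: "elliptic curve signature key exchange" },
  { area: "cryptography", text: "block cipher modes and hash functions" },
  { area: "football", text: "league match goals and transfer news" },
  { area: "football", text: "cup final penalty shootout highlights" },
  { area: "cooking", text: "oven baked bread recipe with yeast" },
  { area: "cooking", text: "slow cooker soup recipe and spices" },
]);
const OWNER_HISTORY = ["Hash functions explained", "Key exchange tutorial", "Bread recipe", "Signature schemes"];
const OTHER_HISTORY = ["Transfer news today", "Penalty shootout video", "Soup recipe", "Match highlights"];
const THRESHOLD = 0.6; // assumed acceptance threshold, not taken from the chapter
const accepts = (history, areas) => interestMatch(MODEL, history, areas) >= THRESHOLD;
```

A history that matches the registered areas only supports the password check as an additional factor; a low share is a reason to ask the additional subject-area questions rather than proof of an impostor.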
