A number of techniques presently exist for identifying and authenticating computer system users. Most of them rely on knowledge-based factors, such as passwords. However, passwords have limitations, especially with respect to the user's experience. Human users are simply not good at creating new passwords that are strong and unique combinations of characters and also memorable. Furthermore, passwords are commonly phished or stolen. Moreover, the password-creation rules that websites and services enforce are ever-changing and growing increasingly complex. To keep up with this complexity, users often reuse passwords across multiple services, or make only small, predictable changes among passwords for different services. Also, because passwords are hard to remember, users often write them down or store them in a file for easy access, which also makes them easier to steal. Some users employ password managers to handle all of their passwords. However, password managers reduce security by creating a single point of failure.
Some systems rely on a two-factor authentication technique, which requires a user to carry an extra device to authenticate. However, this can be burdensome to the user because the device can be forgotten, run out of power, or break.
Other systems authenticate a user based on biometric factors, such as fingerprints. However, it is often inconvenient to use such systems, and they can require specialized hardware. Moreover, it is very difficult (or impossible) to alter a biometric signature in case it is compromised.
Hence, what is needed is a technique for identifying and authenticating users of computing systems without the drawbacks of the above-described existing techniques.