In short, it allows you to recognise us, and us to recognise you. It also lets us keep the information that travels between you and the server secure.
The three keys, in combination, ensure your information is kept secure in the database and in the communication over Wi-Fi and the internet.
You give us a 3rd key that we store, encrypted, in our database. Each time you log in you input 3 characters from that key, and they are stored in the web browser's memory. We then use those 3 characters as part of an encryption algorithm that prevents bad guys from understanding the communication, even if they are able to listen in.
That's how we prevent listeners from understanding the conversation between you and us.
Before every form we ask you to fill in, we show you a personal phrase that has been through the encryption algorithms.
That's how you know it is us.
We have several verification algorithms that we use to verify that the information we sent you is the information that is displayed, and that what you send us hasn't been tampered with.
That's how we know it's you.
We believe there is a flaw in the way that most web sites do this recognition process.
On the internet, we use Certificates of Authenticity (CofA) to verify that the server we're talking to is, in fact, the one it claims to be. Each of these certificates is signed by a Certificate Authority (CA). If we get a certificate that we don't already trust, we check with the Certificate Authority that signed it to verify the signature. If we don't trust that Certificate Authority either, we check with the Certificate Authority that signed its certificate, and so on, until we find one that we do trust.[1]
This is fine as long as we take the Certificate Authority's response as the final word. But often, when a certificate is not confirmed, the browser shows a warning message and lets the user continue anyway, trusting all the certificates and authorities involved from then on. And yes, that means that if the site used a fake certificate with a fake authority, our browser will now accept any fake certificate that uses that fake authority, because we have said that we trust that authority.
When warned about a bad security certificate, '90% of people will ignore it', BYU study
A real danger exists here with public computers. Anyone who has used that computer before could have accepted a fake authority, and that browser will now accept any and all certificates signed by that fake authority.
The only way to ensure that you are who you say you are, and not someone intercepting our conversation, is for us to ask you for a few characters from your authentication key, the 3rdKey. And the only way for you to know that we are who we say we are is that a verification phrase you gave us will be shown to you when you put in the correct characters. Basically, we encrypt one of your phrases using the characters from the 3rd key, then decipher it within your browser to show it to you.
[1] 'Server Authentication During SSL Handshake', Oracle.