1. Field of the Invention
The present invention relates to security in a distributed computing environment. More specifically, the present invention relates to a method and an apparatus for facilitating a single sign on to multiple applications by using applets (or other code fragments, modules or plug-ins) to access a password store.
2. Related Art
With the recent proliferation of web-based applications, the number of remote applications a typical user accesses has grown dramatically. For security purposes, it is often necessary to authenticate a user before allowing the user to access certain applications. This type of authentication is most commonly accomplished by requiring the user to provide a password for each application. This solution has been generally satisfactory until recently because users have typically accessed only a small number of applications.
However, this solution becomes less satisfactory when a large number of applications are involved. This is because it is extremely burdensome for a user to have to enter dozens of passwords each day. Furthermore, the proliferation in applications requiring passwords tends to compromise security because a user is typically unable to remember dozens of different passwords for dozens of different applications.
In order to keep track of different passwords, a user can write down all of the different passwords on yellow sticky notes attached to a computer monitor. However, writing passwords down in this way can greatly compromise security.
More typically, a user uses a single password for all of the different applications the user accesses. This creates even more of a security problem because this single password is known by numerous applications running on numerous computing systems. If any one of these applications or computer systems is insecure, the secrecy of the single password can be compromised.
Furthermore, as the number of passwords proliferates, help desks become burdened with requests to deal with forgotten or misplaced passwords, which can increase the cost of administering applications.
Additionally, users tend to use the simplest and shortest password possible in order to reduce the time required to enter the password and to make the password easy to remember. However, these shorter and simpler passwords tend to be less random and can be more easily cracked.
One solution to the authentication problem is to employ the public key infrastructure (PKI) to authenticate a user to various applications. PKI makes use of public/private key pairs and chains of digital certificates to authenticate a user to an application. However, PKI has yet to be widely adopted because solutions to technical problems relating to certificate management and key life-cycle management are still being developed. Furthermore, it is difficult to retrofit legacy applications to make use of PKI.
Another solution to the authentication problem is to provide a single sign on facility. In a conventional single sign on facility, a user's passwords are stored in a single password store protected by login authentication or by operating system authentication. When an application is run, it retrieves a password associated with the application from the password store.
However, the problem with using a conventional password store is that it is possible for a rogue application to read the entire password store. Hence, users must completely trust all of the applications that have access to the password store.
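The conventional store described above, beside a store that lets each application retrieve only its own entry, as an added illustration that is not part of the patent text; the application names, passwords and per-application tokens are constructed, and the token scheme is an assumption, not the patent's mechanism.

```python
import hmac

# Constructed sample data: application name -> password, and the token
# each application is assumed to have been issued when it was installed.
SAMPLE_STORE = {"mail": "m-secret", "payroll": "p-secret", "crm": "c-secret"}
SAMPLE_TOKENS = {"mail": "tok-mail", "payroll": "tok-payroll", "crm": "tok-crm"}


class FlatPasswordStore:
    """Conventional store: the only protection is the user's login, so any
    application that can reach the store can read every entry in it."""

    def __init__(self, entries):
        self._entries = dict(entries)

    def dump(self):
        # A rogue application can call this just as easily as a legitimate one.
        return dict(self._entries)


class ScopedPasswordStore:
    """Store that ties each read to the calling application's identity, so an
    application can obtain only the password registered for itself."""

    def __init__(self, entries, tokens):
        self._entries = dict(entries)
        self._tokens = dict(tokens)
        self.denied = []  # audit trail of refused requests: (caller, target)

    def get(self, caller, token, application):
        expected = self._tokens.get(caller, "")
        # Constant-time token check, then enforce that the caller asks only
        # for its own entry; everything else is refused and recorded.
        if not hmac.compare_digest(expected, token) or caller != application:
            self.denied.append((caller, application))
            raise PermissionError(f"{caller!r} may not read {application!r}")
        return self._entries[application]


def what_a_rogue_app_learns(flat, scoped, rogue="crm"):
    """Compare what a compromised application can read from each store."""
    from_flat = flat.dump()
    from_scoped = {}
    for app in SAMPLE_STORE:
        try:
            from_scoped[app] = scoped.get(rogue, SAMPLE_TOKENS[rogue], app)
        except PermissionError:
            pass  # refused: the scoped store never exposes other entries
    return from_flat, from_scoped
```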
What is needed is a method and an apparatus for providing a single sign on facility that does not require the applications that make use of the single sign on facility to be completely trusted.