The number of computer applications used by large corporations has increased significantly over the past twenty years. For example, companies may employ separate applications for electronic mail, document control, financial applications, inventory management, manufacturing control and engineering functions, in addition to overall network access. Each application often requires a separate logon procedure, including some form of personal identification such as a user ID, a password, a key sequence or biometric authentication. The increase in the number of applications requiring user authentication demands significant effort on the part of users to create, secure, and remember their authentication data. Furthermore, from a management perspective, the proliferation of computer applications with varying security and sign-on procedures adds significant cost to the ongoing maintenance of a secure information-technology infrastructure.
The user faces similar logon requirements when accessing server-based applications over the Web. For example, the user may face different logon procedures (typically involving different passwords) to access bank accounts, brokerage accounts, subscription content sites, etc.
Indeed, the mere need for computer users to keep track of multiple logon names, passwords and PINs in order to access different information itself increases the chances of unauthorized use and loss of private information. Users may resort to using the same logon name and password combinations for all accounts, rendering them equally vulnerable if unauthorized access to a single account is obtained. On the other hand, security-conscious users who maintain different logon names and passwords for individual accounts may, to avoid confusion, write them down where they may be found or store them on easily stolen devices such as personal digital assistants—thereby undermining their own efforts. Often those who routinely change their passwords but record them on paper or in a computer file are at greater risk of being compromised than those who use a single but difficult-to-crack password. At the very least, such security-conscious individuals risk forgetting their access information, necessitating time-consuming calls to customer-support lines. In some known systems, different applications may attempt to synchronize their logon procedures and user credentials, but this is often limited to applications from particular suppliers and cannot be extended across varying technology platforms.
Enterprises often maintain identity information in multiple directory stores in addition to the numerous application stores used to track application-specific account information. These stored identities may or may not link to the true identities of individual users. Users and administrators create aliases, shared accounts, and orphan accounts due to inadequate or poor tracking information (to identify the true user), absence of a robust de-provisioning process and/or poor enforcement of password-sharing and account-management policies.
System administrators are often charged with determining the actual unique identities of the individuals behind numerous application account credentials by manually comparing attributes (e.g., a phone number, an email address, or an employee number) associated with those credentials. One way to discover identities is to scan the credentials for each application (in, for example, an application-specific database, a central employee database, or another shared authentication data store) for similarities among attributes. By locating multiple accounts associated with a particular user, it may be possible to learn the user's true identity. This process is time consuming and labor intensive, and it requires transitive lookups from one application database or directory to another: following links and, where necessary, applying rules or fuzzy logic to verify the accuracy of each piece of information. If an account in one application is tied to an email address, for example, the user's entry in the email directory must be retrieved to obtain the employee ID, and so on, until some link leads to the user's true identity. In many instances multiple user accounts are associated with one individual, multiple users share accounts in other applications, and in some legacy environments inaccuracies lead to dead ends in which there is no way to obtain the identity of the user from the information in the application database itself.
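The transitive lookup procedure just described can be carried out mechanically. The following is an added example written for this page, not code from the original text or from any particular product: it runs the attribute-matching procedure over constructed sample stores. Normalized attributes are grouped with a union-find structure whenever a directory entry links them or they co-occur on one account; an account whose attributes lead to two different employee numbers is flagged as shared rather than being used as a bridge, and an account with no usable attribute ends in a dead end. All store names, field names, records and employee numbers are invented for illustration.

```python
"""Correlating application accounts with true identities (added example)."""
import re


def normalize(kind, value):
    """Matching rules so that spelling variants of one attribute compare
    equal; returns None when the value carries no usable information."""
    text = "" if value is None else str(value).strip()
    if not text:
        return None
    if kind == "email":
        return text.lower()
    if kind == "phone":                      # keep the last ten digits
        digits = re.sub(r"\D", "", text)     # (drops a country code)
        return digits[-10:] if len(digits) >= 10 else None
    if kind == "emp":
        return text.upper()
    return text


class UnionFind:
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]   # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def correlate(stores, directory_links):
    """stores: {app: [{'user': name, <kind>: value, ...}, ...]}
    directory_links: [(kind_a, value_a, kind_b, value_b), ...], e.g. the
    e-mail directory's address -> employee-number entries.
    Returns {'app:user': (status, employee)} with status one of
    'resolved', 'shared' or 'dead_end'."""
    uf = UnionFind()
    for ka, va, kb, vb in directory_links:
        na, nb = normalize(ka, va), normalize(kb, vb)
        if na is not None and nb is not None:
            uf.union(f"{ka}:{na}", f"{kb}:{nb}")

    acct_attrs = {}
    for app, records in stores.items():
        for rec in records:
            attrs = []
            for kind, raw in rec.items():
                norm = normalize(kind, raw) if kind != "user" else None
                if norm is not None:
                    attrs.append(f"{kind}:{norm}")
            acct_attrs[f"{app}:{rec['user']}"] = attrs

    def employees_of(attrs):
        roots = {uf.find(a) for a in attrs}
        return {n[4:] for n in list(uf.parent)
                if n.startswith("emp:") and uf.find(n) in roots}

    # Propagate links through accounts until nothing changes. An account may
    # join attribute clusters only while they agree on at most one employee;
    # otherwise it is a shared (or mis-keyed) account and is left alone.
    shared, changed = set(), True
    while changed:
        changed = False
        for acct, attrs in acct_attrs.items():
            if acct in shared or len(attrs) < 2:
                continue
            if len(employees_of(attrs)) > 1:
                shared.add(acct)
                changed = True
            elif len({uf.find(a) for a in attrs}) > 1:
                for a in attrs[1:]:
                    uf.union(attrs[0], a)
                changed = True

    result = {}
    for acct, attrs in acct_attrs.items():
        found = employees_of(attrs)
        if acct in shared:
            result[acct] = ("shared", tuple(sorted(found)))
        elif found:
            result[acct] = ("resolved", found.pop())
        else:
            result[acct] = ("dead_end", None)
    return result


# Constructed sample data (assumed, not from the text): four application
# stores plus e-mail-directory and phone-list entries giving employee numbers.
SAMPLE_STORES = {
    "mail": [{"user": "jdoe", "email": "JDoe@Example.com"},
             {"user": "asmith", "email": "asmith@example.com"}],
    "finance": [{"user": "doej", "phone": "+1 (555) 010-2000"},
                {"user": "ops", "email": "jdoe@example.com",
                 "phone": "555-010-3000"}],           # used by two people
    "inventory": [{"user": "x7", "emp": "e1001"},
                  {"user": "legacy42", "phone": ""}],  # nothing to follow
    "engineering": [{"user": "jd", "email": "jdoe@example.com",
                     "phone": "(555) 010 2000"}],
}
SAMPLE_LINKS = [
    ("email", "jdoe@example.com", "emp", "E1001"),
    ("email", "asmith@example.com", "emp", "E2002"),
    ("phone", "555-010-3000", "emp", "E2002"),
]

if __name__ == "__main__":
    for acct, (status, emp) in correlate(SAMPLE_STORES, SAMPLE_LINKS).items():
        print(f"{acct:22} {status:9} {emp}")
```

In the sample, the finance account "doej" carries only a phone number that no directory knows, and resolves to E1001 only because the engineering account "jd" ties that phone number to an email address that the email directory maps to an employee number: the transitive hop the text describes. The "ops" account is reported as shared because its email belongs to E1001 while its phone belongs to E2002, and the "legacy42" account is a dead end. Flagging rather than merging in the conflicting case matters: a single shared account would otherwise fuse two people's clusters and silently misattribute every account in both.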
What is needed, therefore, is the ability to consolidate user authentication data within application and directory stores in a way that facilitates automatic attribution of such authentication data to specific individuals. Having a distinct map of how resources are linked to the true identity of the individual is critical from both a management and security perspective.