1. Technical Field
The invention relates generally to Internet based authentication technology. More particularly, the invention relates to a system and method for distributed authentication service.
2. Description of the Prior Art
The explosive growth of the Internet is changing the ways in which we communicate, conduct business, and pursue entertainment. A few years ago, electronic commerce (E-commerce) was just an interesting concept. By 1999, however, it had become the hottest thing around. Today, not only are consumers buying an enormous volume of goods or services over the Internet, but the business-to-business E-commerce has taken off as well.
The basic cell of E-commerce is an electronic transaction, which requires a buyer or user fills out one or more electronic forms on screen and click a button named “send”, “buy” or “submit”, etc. To complete such an electronic transaction, a user has to go through an authentication process. In other words, the user must provide the seller or service provider with some information such as his or her personal identification, contact information, or even financial information. The authentication process may take from several minutes to hours. Because each seller or service provider maintains its own authentication server and database, millions of seller and service providers might share thousands of millions of consumers or users. Some of the consumers or users might be required to go through the same or similar authentication process again and again if they have transactions with many sellers or service providers. This repetitive authentication not only wastes consumers' precious time, but also burdens the sellers or service providers because they have to expand their databases to keep detailed authentication information for a growling number of users. This situation brings forth a technical need to create a universal, unified single-logon infrastructure wherein a specific user may be authenticated once for all and the authentication result is widely recognized by a large number of sellers or service providers.
In responding to that need, several approaches have been developed. For example, Microsoft Corporation has introduced a “.NET Passport” single sign-in system. With “.NET Passport”, a user doesn't need to register a member name and password at each new site he visits. The user may simply use his e-mail address and password that registered as his “.NET Passport” to sign in to any participating site or service. The information the user registers with “.NET Passport” is stored online, securely, in the “.NET Passport” database as the user's “.NET Passport profile.” When the user signs in to a “.NET Passport” participating site by typing his e-mail address and password in the “.NET Passport” sign-in box, “.NET Passport” confirms that (1) the e-mail address he typed is registered with “.NET Passport”, and (2) the password he typed is correct. “.NET Passport” then notifies the site that the user has provided valid “sign-in credentials”, and he is given access to the participating site. Once the user signs in to one “.NET Passport” participating site during an Internet session, he can sign in to others simply by clicking the “.NET Passport” sign-in button on each site.
Another example is America Online Inc.'s “Screen Name Service” system, which provides free service allowing anyone with a “Screen Name” to register easily and securely at a variety of Web sites. The “Screen Name Service” eliminates a user's need to remember multiple names and passwords for all the places he visits on the Web. With the “Screen Name Service” system, each user has a “My Profile”, which stores the user's personal information used to make registering at sites across the Web simple and secure. When the user registers at a participating Web site using the service, he has the opportunity to choose which fields of information stored by AOL, if any, he would like to share with that site. No information is shared with any Web site without the user's explicit permission. When the user agrees to share certain information with a participating site, that information is conveyed to the Web site at which he is registering. Another feature is that the user is provided with a “My Site List”, which is an effective way to manage personal information because it shows the user with which sites he has registered with using the service. The user can view the privacy policy of a site to see how it uses information it knows about the user. The user can also decide if he would like to be signed into the site without being prompted and if the site should be updated with information if “My Profile” changes.
The common characteristic of these approaches is that they implement a centralized solution for authentication and authentication information management. Undoubtedly, the centralized solution may overcome the repetitive authentication and repetitive storage problems that exist in the scattered, disorganized situation.
However, the centralized solution has three major disadvantages. First, in a centralized authentication system, because all the login requests go to a central authentication server, the traffic to the server could be very heavy, the requirements for the process capability and database size could be predictably high, and the authentication process would be very slow when the number of requests is overwhelmed for the server. Second, in case that the central authentication system fails, all the authentication requests would be suspended. Third, the central authentication service provider could monitor the participating sites' logon rates and a site which hosts a user's login page could monitor the user's logon information.
What is desired is a solution to have each authentication carried out at one of participating servers and have the authentication result distributed and cached all over the network of the participating servers so that the authentication results cannot be centrally monitored.