When a user attempts to access a protected remote resource over a network, such as the Internet, the user typically conforms to policy statements issued by a server that controls that resource. The policy statements provide a set of authentication and authorization rules required to initiate communication with a resource. For example, the policy statement may require a user to provide a password before accessing a resource. If the user provides a correct password, the user's identity is authenticated and access to the resource is allowed.
While the policy statement method of authentication works well in situations in which a single form of authentication is sufficient to initiate communication with a protected resource, policy statements do not work well in dynamic environments. In a dynamic environment, a single instance of authentication at the outset of communications between a client and a protected resource may not be enough. For example, when a user attempts to access a website with protected resources, it may initially be sufficient for the user to provide authentication by entering a password. However, once the user has access to the website, the user may attempt to change his or her password, update a directory, access a highly protected resource, or request the privileges of an elevated access group, such as the system administrator group. In such a case, the user is requesting to do more than simply view information. These actions can do far more damage to the protected resource than viewing it, so the password that was sufficient at the outset is not necessarily sufficient for them.
Existing authentication methods require authentication before communication with a resource is enabled. In a dynamic environment, however, it is difficult to determine which authentication and authorization rules to apply until an actual request to access a protected resource is received.
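The contrast drawn above, between a rule applied once when communication begins and a rule chosen only when a specific request arrives, as an added example that is not part of the original document and is not the method it describes. The action names, the resource names, the three authentication levels and the "admin-eligible" group are assumptions made for the example; the scenario it walks through (password login, a view, then a password change that needs stronger authentication) follows the text.

```python
"""Static (session-start) versus dynamic (per-request) authorization policy.

Added example, not the document's own method. Action names, resource names,
the ANON/PASSWORD/MFA levels and the "admin-eligible" group are assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional

# Authentication strength, ordered from weakest to strongest (assumed levels).
ANON, PASSWORD, MFA = 0, 1, 2


@dataclass
class Session:
    user: str
    auth_level: int = ANON
    groups: set = field(default_factory=set)


@dataclass
class Request:
    action: str                      # "view", "change_password", "update_directory", "elevate"
    resource: str                    # e.g. "profile", "directory", "admin"
    target_group: Optional[str] = None


def static_policy(session: Session) -> bool:
    """The rule applied once, when communication starts.

    All it can express is "a password is required to talk to this server";
    every later request is allowed on the strength of that single check.
    """
    return session.auth_level >= PASSWORD


def required_level(req: Request) -> int:
    """Pick the authentication level only once the actual request is known."""
    if req.action == "view":
        return PASSWORD
    if req.action in ("change_password", "update_directory", "elevate"):
        return MFA
    return MFA  # unknown actions get the strongest requirement, not the weakest


def dynamic_policy(session: Session, req: Request) -> tuple:
    """Evaluate authentication and authorization rules per request.

    Returns (allowed, reason). A session that was good enough for viewing
    is told to step up when it tries something more damaging.
    """
    need = required_level(req)
    if session.auth_level < need:
        return False, f"step-up required: level {need}"
    if req.action == "elevate" and req.target_group == "admin" \
            and "admin-eligible" not in session.groups:
        return False, "not eligible for admin group"
    return True, "allowed"


def run_scenario() -> list:
    """Walk through the scenario from the text and return the decision trace."""
    session = Session(user="alice", auth_level=PASSWORD)  # constructed session
    trace = []
    for req in (Request("view", "profile"), Request("change_password", "profile")):
        trace.append((req.action, *dynamic_policy(session, req)))
    session.auth_level = MFA  # the user completes the second factor
    trace.append(("change_password",
                  *dynamic_policy(session, Request("change_password", "profile"))))
    return trace


if __name__ == "__main__":
    for step in run_scenario():
        print(step)
```

Note that `static_policy` returns the same answer for every request in the session once the password check has passed, which is exactly why it cannot distinguish a view from a password change; `dynamic_policy` defers the choice of rule to the moment the request is seen.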