Web sites on the Internet often provide information, products, services, and the like to their users. Many web sites require users to register before their web servers will grant access to the users. During registration, a user typically supplies personal information such as a username, account number, address, telephone number, e-mail address, computer platform, age, gender, and/or hobbies to the registering web site. The registration information may be necessary to complete transactions (e.g., commercial or financial transactions). Typically, the information also permits the web site to contact the user directly (e.g., via electronic mail) to announce, for example, special promotions, new products, or new web site features. Additionally, web sites often collect user information so web site operators can better target future marketing activities or adjust the content provided by the sites.
When registering a user for the first time, a web site typically requests that the user select a login identifier, or login ID, and an associated password. The login ID allows the web site to identify the user and retrieve information about the user during subsequent user visits to the web site. Generally, the login ID must be unique to the web site such that no two users have the same login ID. The combination of the login ID and password associated with the login ID allows the web site to authenticate the user during subsequent visits to the web site. The password also prevents others (who do not know the password) from accessing the web site using the user's login ID. This password protection is particularly important if the web site stores private or confidential information about the user, such as financial information or medical records.
If the user visits several different web sites, each web site may require entry of similar registration information about the user, such as the user's name, mailing address, and e-mail address. This repeated entry of identical data is tedious when visiting multiple web sites in a short period of time. Many web sites require the user to register before accessing any information provided on the site. Thus, the user must first enter the requested registration information before he or she can determine whether the site contains any information of interest.
After registering with multiple web sites, the user must remember the specific login ID and password used with each web site or other network service. Without the correct login ID and password, the user must re-enter the registration information. A particular user is likely to have different login IDs and associated passwords on different web sites. For example, a user named Bob Smith may select “smith” as his login ID for a particular site. If the site already has a user with a login ID of “smith” or requires a login ID of at least six characters, then the user must select a different login ID. After registering at numerous web sites, Bob Smith may have a collection of different login IDs such as: smith, smith1, bsmith, smithb, bobsmith, bob_smith, and smithbob. Further, different passwords may be associated with different login IDs due to differing password requirements of the different web sites (e.g., password length requirements or a requirement that each password include at least one numeric character and/or at least one uppercase character). Thus, Bob Smith must maintain a list of web sites, login IDs, and associated passwords for all sites that he visits regularly.
Although presently available multi-site user authentication systems or login services permit a web user to maintain a single login ID (and associated password) for accessing multiple, affiliated or relying web servers or services, further improvements are desired. For example, transactional communications between a client computer and a server computer are at risk of tampering by a third party. When a user on a client computer communicates with a server such as a web site via, for example, the hypertext transfer protocol (HTTP), there is often a need to share authentication information between the client and the server. One common way to share authentication information (e.g., a token) is by storing it as a block of data on the client computer. Such a block of data, commonly known as a cookie, is generated by a server and sent to the client. Cookies were standardized as Internet Engineering Task Force (IETF) Request for Comments (RFC) 2965. Presently, cookies are widely supported by web browsers and allow a server to store arbitrary state information on the client.
The client computer presents the cookie carrying the authentication information to the server during subsequent visits to web pages served by the server. However, cookies are not a reliable carrier for authentication tokens, because a cookie carrying the token may be captured and used in a replay attack. That is, a captured cookie (e.g., a cookie with a captured uniform resource locator) may be resubmitted to the server by an attacker masquerading as the user to gain improper access to that user's information for the life of the authentication token. In general, carrying the authentication token in a cookie has historically proven vulnerable to multiple exploits leading to compromise of the information stored in the cookie (e.g., critical authentication credentials). Bugs in cookie-handling code, as well as the availability of cookies to active content such as JAVASCRIPT, have created serious vulnerabilities.
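The two weaknesses named above, a captured token that stays valid for its whole lifetime and a cookie that active content can read, are what a server-side token design has to limit. The following is an added illustration, not code from this document or from any product it describes: a minimal HMAC-signed token with an expiry and a binding to an opaque per-client value, together with a `Set-Cookie` line that marks the cookie `HttpOnly` (hidden from script), `Secure` and `SameSite`. The server key, the token layout and the `client_binding` parameter (assumed to be some value the transport layer ties to the connecting client) are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed server-side secret for the example; a real deployment would load
# it from a key store and rotate it.
SERVER_KEY = secrets.token_bytes(32)


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _bind(client_binding: str) -> str:
    # The token stores only a digest of the client-binding value, so the value
    # itself is not exposed in the cookie.
    return hashlib.sha256(client_binding.encode()).hexdigest()


def issue_token(user: str, now: int, ttl: int, client_binding: str,
                key: bytes = SERVER_KEY) -> str:
    """Build 'payload.signature' with an absolute expiry and a client binding."""
    payload = {"sub": user, "iat": now, "exp": now + ttl, "cb": _bind(client_binding)}
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(token: str, now: int, client_binding: str,
                 key: bytes = SERVER_KEY):
    """Return (user, 'ok') or (None, reason). Signature is checked before any
    field is trusted; a replayed token fails once it expires or when it is
    presented with a different client binding."""
    try:
        body, sig = token.split(".")
        presented = _unb64(sig)
    except (ValueError, base64.binascii.Error):
        return None, "malformed"
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(presented, expected):
        return None, "bad signature"
    payload = json.loads(_unb64(body))
    if now >= payload["exp"]:
        return None, "expired"
    if payload["cb"] != _bind(client_binding):
        return None, "client mismatch"
    return payload["sub"], "ok"


def set_cookie_header(token: str, max_age: int) -> str:
    """Cookie attributes that keep the token off script and off plain HTTP."""
    return (f"Set-Cookie: auth={token}; Max-Age={max_age}; Path=/; "
            "Secure; HttpOnly; SameSite=Strict")


if __name__ == "__main__":
    tok = issue_token("alice", now=1000, ttl=300, client_binding="client-A")
    print(set_cookie_header(tok, 300))
    print(verify_token(tok, now=1100, client_binding="client-A"))   # ('alice', 'ok')
    print(verify_token(tok, now=1100, client_binding="client-B"))   # (None, 'client mismatch')
    print(verify_token(tok, now=1400, client_binding="client-A"))   # (None, 'expired')
```

Short `Max-Age` and `exp` values cap the replay window; the binding check closes it for a presenter that cannot reproduce the original client's binding value; `HttpOnly` removes the cookie from the reach of page script. None of these changes the cookie mechanism itself, which is why the text above frames the problem as one of the protocol built around the token rather than of the cookie format.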
For these reasons, a system for improving the security of protocols constructed around authentication tokens is desired to address one or more of these and other disadvantages.