Public and private usage of distributed processing systems, such as the Internet and other information networks, continues to increase at a prodigious rate. Conducting commerce over such distributed systems (i.e., e-business) continues to gain in popularity. Users of e-business and other sensitive applications are typically required to provide a user identifier and a password (e.g., PIN number) before the user is permitted access to such applications. When these and other applications operate within a multiple process environment, it is generally necessary that each process involved in a given transaction authenticate the user prior to performing a requested operation. A process authenticates a user typically by verifying that the user password is properly associated with the user identifier.
It can be appreciated that the resources of several processes may be required in order to complete a particular user transaction. By way of example, and with reference to FIG. 1, two processes, Process-1 24 and Process-2 25, are required to complete a transaction requested by a user 20. Both Process-1 24 and Process-2 25 are needed to authenticate the user 20 in this illustrative example. It is noted that Process-1 24 may have direct access to the user 20, while Process-2 25 may or may not have access to the user 20.
In a typical client/server environment, for example, the client, such as Process-1 24, may readily perform a user authentication process through use of an available interface provided between Process-1 24 and the user 20. However, the server, such as Process-2 25, typically has no access to the user 20, which complicates the user authentication procedure. Even if Process-2 25 included an interface that provided access to the user 20, Process-2 25 would have to request and verify the user's identification and password, which is duplicative of the authentication steps performed by Process-1 24. Such redundancies in the user authentication process negatively impact transaction speeds.
Another conventional approach to authenticating a user for purposes of performing a number of tasks on behalf of the user by a number of processes involves caching the user identifier and password. Caching the user's identifier and password obviates the need to repeatedly request this information from the user by each of the processes involved in a particular transaction. It will be appreciated, however, that such an approach is problematic from a security perspective. Although encrypting the user identifier and password may provide for some degree of increased security, increasing the encryption strength typically limits the ability to export the program encompassing the encryption algorithm(s) overseas.
Further, such a caching approach is typically incapable of satisfying user authentication requirements in certain multiple process applications, such as in applications that use digital certificates as user identifiers. In this scenario, each process requires that the user be authenticated prior to performing tasks on behalf of the user. It can be appreciated that only those processes that have direct access to the user can perform the required authentication procedure.
In many applications operating within a multiple process environment, such as a typical client/server environment, direct access to the user by all processes is either impractical or impossible. There exists a need for an improved approach to authenticating a user in a multiple process environment. There exists a further need for such an approach that provides for a high degree of security. The present invention fulfills these and other needs.