As the use of the Internet has become widespread, the number of online services such as online shopping and content services has been increasing. In a usual online service, a service providing apparatus for providing a service for the user and a client apparatus for performing user authentication for the service providing apparatus are connected to a network. The user must undergo user authentication with the service providing apparatus through the client apparatus, and the service providing apparatus provides a service for the user in accordance with the result of the user authentication.
Some user authentication methods are based on a password or cryptography. For the password-based authentication, the user must memorize his or her password. If the user uses many services, it would be difficult for the user to memorize all the passwords. To help the user, browsers and other application programs on the client apparatus have functions to store the passwords and to send a required one on behalf of the user at authentication.
Because of its high level of security against impersonation, cryptography-based authentication is suitable for authentication for high-value services. The cryptography-based authentication requires safe retention of secret information, such as the keys used in a cryptography operation.
In both password-based authentication and cryptography-based authentication, some secret information for authentication is generally held in the client apparatus. Means for retaining the secret information are classified roughly into software means and hardware means.
Software means for retaining the secret information includes a key store (refer to non-patent literature 1, for example) provided by the OS. Hardware means for retaining the secret information includes external devices attached to the client apparatus, such as a cryptographic token or a smart card.

Non-patent literature 1: “Certificate Store” [online], Microsoft Corp., [retrieved on Feb. 18, 2008].