1. Technical Field
The present invention relates generally to the field of distributed computer networks and, in particular, to providing an authentication framework for use in authenticating clients having a plurality of permitted authentication device types.
2. Description of the Related Art
It is commonplace today for computer users to connect their machines to other computers, known as "servers," throughout a network. The network may be a private network, such as a corporate intranet of networked computers that is accessible only to computer users within that corporation, or it may be a public network, such as the Internet. The Internet is a vast collection of computing resources, interconnected as a network, from sites around the world.
A user may connect his computer to a server using a "wireline" connection or a "wireless" connection. Wireline connections are those that use physical media such as cables or telephone lines, whereas wireless connections use media such as satellite links, radio frequency waves, and infrared waves. Many connection techniques can be used with these various media, including: using the computer's modem to establish a connection over a telephone line; using a local area network (LAN) card such as Token Ring or Ethernet; using a cellular modem to establish a wireless connection, and the like. The user's computer may be any type of computer processor having processing and communication capabilities. Traditionally, such devices include desktop, laptop and handheld computers.
Conventional user id and password schemes for controlling user access to network resources are well-known. Recently, it has been proposed to provide client workstations in a network with so-called "alternative" authentication devices for access control purposes. Such devices include, for example, "token cards" and "biometric" (e.g., finger, eye or voice print) scanners. Representative token card systems are available commercially from Security Dynamics (SecureID(trademark)) and Axent (Defender(trademark)). Numerous third parties provide biometric scanning systems. A representative patent illustrating a biometric personal identification system based on iris analysis is U.S. Pat. No. 5,291,560. While these devices provide significant advantages, each authentication device vendor has a different way of encoding input information and validating the user's identity. Thus, it has not been possible to enable existing client/server and Internet-based applications to incorporate such alternate authentication devices into their current authentication schemes without compromising server trust policies.
The present invention solves this problem.
An object of the present invention is to provide an authentication framework for use in authenticating clients having a plurality of permitted authentication device types.
Another object of this invention is to provide an authentication architecture that enables client-server and Internet-based applications to use alternate authentication devices, e.g., token cards and biometric devices.
It is a more specific object to provide an application server with the capability of managing authentication request traffic from a variety of clients having disparate authentication devices or schemes.
A still further object of this invention is to enable the application server to manage such authentication request traffic without having to verify specific authentication device data, which typically varies depending on the device type and vendor.
Yet another object of this invention is to provide an architecture by which current and future applications may support varied authentication devices without necessarily having to be rewritten.
Still another more general object of this invention is to provide a pluggable framework for authentication services.
In the preferred embodiment, the authentication framework of the present invention has three (3) basic elements. First, a given application client has an authentication device attached to it, and the device is one of a plurality of permitted authentication device types. Thus, for example, the device is a token card or a biometric reader. Second, an application server of the framework knows what types of devices and servers it trusts. Third, given device authentication servers merely verify that authentication device data is acceptable for authentication. The device authentication servers may comprise part of the framework or operate in association with the framework.
In operation, each given application client passes to the application server a request for authentication. The request includes a user id and a device id identifying, respectively, the client and the authentication device coupled to it. The application server (if it trusts the device and has support for it) determines which device authentication server the request is intended for, and then routes the given authentication data to that server. If the device authentication server verifies that the authentication data is acceptable for authentication, an authorization token is returned to the client.
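The following is an added illustration of the three-element framework just described, written for this page and not taken from the patent or any vendor product. The two device authentication servers, the per-user sample credentials, and the HMAC-signed authorization token format are all constructed assumptions; the point shown is that the application server only consults its own trust table and routes opaque device data, never interpreting it itself.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Hypothetical device authentication servers. Each answers only one question,
# "is this device data acceptable for this user?", and knows nothing about the
# application server's trust policy. Credentials below are constructed samples.
def token_card_server(user_id: str, device_data: bytes) -> bool:
    expected_codes = {"alice": b"483920"}          # constructed one-time code
    return hmac.compare_digest(expected_codes.get(user_id, b""), device_data)

def biometric_server(user_id: str, device_data: bytes) -> bool:
    enrolled = {"bob": hashlib.sha256(b"bob-iris-template").digest()}  # constructed template
    return hmac.compare_digest(enrolled.get(user_id, b""), hashlib.sha256(device_data).digest())

@dataclass
class AuthRequest:
    user_id: str
    device_id: str       # identifies the device type, e.g. "token_card"
    device_data: bytes   # vendor-specific payload, opaque to the application server

class ApplicationServer:
    """Knows which device types it trusts and which verifier serves each."""
    def __init__(self, signing_key: bytes):
        self._key = signing_key
        self._trusted: Dict[str, Callable[[str, bytes], bool]] = {}

    def trust_device(self, device_id: str, verifier: Callable[[str, bytes], bool]) -> None:
        self._trusted[device_id] = verifier      # pluggable: register a new device type here

    def authenticate(self, req: AuthRequest) -> Optional[str]:
        verifier = self._trusted.get(req.device_id)
        if verifier is None:
            return None                          # untrusted or unsupported device: refuse before routing
        if not verifier(req.user_id, req.device_data):
            return None                          # device server rejected the data
        payload = f"{req.user_id}:{req.device_id}:{secrets.token_hex(8)}"
        mac = hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()
        return f"{payload}:{mac}"                # authorization token returned to the client

    def verify_token(self, token: str) -> bool:
        payload, _, mac = token.rpartition(":")
        expected = hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, mac)
```

Adding a third device type means registering one more verifier with trust_device; the application itself is not rewritten.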
The foregoing has outlined some of the more pertinent objects and features of the present invention. These objects should be construed to be merely illustrative of some of the more prominent features and applications of the invention. Many other beneficial results can be attained by applying the disclosed invention in a different manner or modifying the invention as will be described. Accordingly, other objects and a fuller understanding of the invention may be had by referring to the following Detailed Description of the Preferred Embodiment.