The advent of the Internet (i.e., World Wide Web) has opened up an entirely new paradigm for companies and individuals to conduct business and share information. A key concern that arises during these transactions is security. Whenever a computer system (i.e., client or server) establishes network access to the Internet, the computer system itself becomes vulnerable to unauthorized or malicious Internet users gaining access to sensitive information or permission to perform malicious actions on the computer system.
Authentication is the process by which a computer system ensures that users who access information or perform a function on the computer system are in fact who they say they are and are authorized to do so. Currently, user authentication services for client/server systems can follow either a completely centralized model or a completely decentralized model.
A centralized user authentication system typically includes an application server hosting a web agent/application installed in a demilitarized zone (DMZ) established between a first and a second firewall layer, and an authentication server hosting an authentication service installed behind both the first and second firewall layers. In this model, a client (i.e., Internet web browser) seeking to access a resource protected by the authentication server would initially contact the web agent/application on the application server and then send authentication information (e.g., personal identification number, password, biometrics data, etc.) directly to the authentication server across two layers of firewalls. This practice is disapproved of by many network security administrators because it compromises the security of the authentication service itself by exposing it to manipulation by malicious clients.
In a decentralized user authentication system, an application server hosting a web agent/application would typically be installed behind a firewall. The web agent/application itself would perform all the authentication functions of the authentication service without the need for a separate authentication server. Using this model, a client trying to access a resource protected by the web agent/application would communicate directly with the web agent/application. The limitation with this model is that it is difficult to standardize the display presentations across all web agent/application platforms and therefore can be cumbersome and expensive to maintain and support.
In view of the foregoing, a user authentication module is needed which can arbitrate authentication transactions between a client and an authentication service across multiple firewall layers, enabling the authentication service to be maintained on a centralized server.
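As an added illustration of the arbitration pattern called for above (example code written for this edit, not from the patent or any product it describes), a DMZ-side arbiter accepts the client's credentials and relays them to the internal authentication service, which only answers calls arriving from the DMZ; the zone names, the firewall rule table and the user store are constructed assumptions.

```python
"""Simulated two-firewall deployment: client (internet) -> arbiter (dmz) -> auth service (internal)."""
from dataclasses import dataclass, field
import hashlib
import hmac
import secrets

# Constructed firewall policy (assumption): the outer firewall admits internet -> dmz,
# the inner firewall admits dmz -> internal; there is no internet -> internal flow.
ALLOWED_FLOWS = {("internet", "dmz"), ("dmz", "internal")}


def firewall_permits(src_zone: str, dst_zone: str) -> bool:
    """Return True only for flows the two firewall layers allow."""
    return (src_zone, dst_zone) in ALLOWED_FLOWS


@dataclass
class AuthService:
    """Centralized authentication service installed behind both firewall layers."""
    zone: str = "internal"
    _users: dict = field(default_factory=dict)  # user -> (salt, pbkdf2 digest); no plaintext

    def register(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._users[user] = (salt, digest)

    def verify(self, src_zone: str, user: str, password: str) -> bool:
        # The service refuses any caller the inner firewall would not admit,
        # so a client addressing it directly from the internet is rejected.
        if not firewall_permits(src_zone, self.zone):
            raise PermissionError("blocked by inner firewall")
        rec = self._users.get(user)
        if rec is None:
            return False
        salt, digest = rec
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(candidate, digest)  # constant-time comparison


@dataclass
class AuthArbiter:
    """Web agent / arbitration module in the DMZ: the only endpoint clients talk to."""
    service: AuthService
    zone: str = "dmz"
    _sessions: set = field(default_factory=set)

    def login(self, src_zone: str, user: str, password: str):
        if not firewall_permits(src_zone, self.zone):
            raise PermissionError("blocked by outer firewall")
        # Credentials are relayed from the DMZ, never forwarded as a client-originated call.
        if self.service.verify(self.zone, user, password):
            token = secrets.token_urlsafe(32)  # client receives a session token, not the service
            self._sessions.add(token)
            return token
        return None
```

The client never learns the authentication service's address or zone; it only ever receives a session token from the arbiter.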