User authentication technique is used for protecting applications. In the case where a user authentication teqnique (e.g., password authentication) that has been introduced for an application is changed to a more robust authentication technique (e.g., biometric authentication), the application itself protected by the user authentication technique needs to be changed.
In order to cope with the above problem, there has been proposed an authentication technique using a plurality of authentication methods. For example, there is known a technique that manages user authentication information that a user uses for authentication, terminal authentication information that a user terminal uses for authentication, and a login script to an ASP (Application Service Provider) (refer to, e.g., Japanese Laid-open Patent Publication No. 2002-328904). In this authentication technique, only when user authentication has been successfully completed, the login script to the ASP is sent to the user terminal, and the user terminal acts as the user to execute authentication to the ASP using the terminal authentication information. In this authentication technique, the two pieces of information (user authentication information and terminal authentication information) are managed in association with each other by a management server.
However, in the technique disclosed in Japanese Laid-open Patent Publication No. 2002-328904, if the terminal authentication information is leaked, a system is in a vulnerable state until a system administrator or a user changes the terminal authentication information.