By: Kurt Seifried, [email protected], Copyright Kurt Seifried, 2001
Users need to authenticate to a server in some manner (username/password, smart card, or biometrics) that is cost effective and reasonably simple. They need to be able to traverse servers (i.e. go to www.company.com and then to accounting.company.com) without having to re-authenticate. So the user either has to re-authenticate for each transaction (page viewed) or possess some sort of semi-permanent token that they can show to the server as needed.

Secondary considerations include the ability to generate an audit trail, to track usage in real time (i.e. if an account that is only used from location A suddenly gets used from location B you can deny it), and to log the user out when they are not using the system.

This paper primarily covers existing methods that can be integrated into the existing framework of browsers (primarily Netscape and MSIE) and servers (SSL based). There are newer (and in some ways much better) authentication protocols, however implementing them would require a massive change in the existing infrastructure, so they are by and large not terribly practical.
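The following is an added example, not code from the original paper, showing the semi-permanent token model described above together with the secondary requirements: a server-side session store that issues an opaque token after the primary authentication has succeeded, verifies it on each request without re-prompting the user, enforces an idle timeout and a maximum session lifetime, denies a session whose location changes, and keeps an audit trail. The signing key, timeouts, and the addresses used are constructed values; the clock is injectable so the timeouts can be exercised deterministically.

```python
import hashlib
import hmac
import secrets
import time

# Assumption: a server-side secret used to sign session identifiers (constructed value).
SERVER_KEY = b"constructed-demo-key-replace-in-real-deployments"


def _sign(session_id: str) -> str:
    """HMAC over the random session id so forged tokens are rejected before any lookup."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


class SessionStore:
    """Server-side session records; the browser only ever holds the opaque token."""

    def __init__(self, idle_timeout=15 * 60, max_lifetime=8 * 3600, clock=time.time):
        self.idle_timeout = idle_timeout    # seconds of inactivity before forced logout
        self.max_lifetime = max_lifetime    # absolute lifetime, regardless of activity
        self.clock = clock                  # injectable for testing
        self.sessions = {}                  # session_id -> {user, issued, last_seen, location}
        self.audit = []                     # (timestamp, event, user, detail)

    def _log(self, event, user, detail=""):
        self.audit.append((self.clock(), event, user, detail))

    def login(self, user: str, location: str) -> str:
        """Issue a token. Called only after username/password, smart card, etc. succeeded."""
        session_id = secrets.token_urlsafe(24)
        now = self.clock()
        self.sessions[session_id] = {
            "user": user, "issued": now, "last_seen": now, "location": location,
        }
        self._log("login", user, location)
        return f"{session_id}.{_sign(session_id)}"

    def check(self, token: str, location: str):
        """Validate a token presented with a request.

        Returns (user, None) when the request may proceed, otherwise (None, reason).
        """
        session_id, _, sig = token.rpartition(".")
        if not session_id or not hmac.compare_digest(sig, _sign(session_id)):
            self._log("reject", "?", "bad token signature")
            return None, "invalid token"
        rec = self.sessions.get(session_id)
        if rec is None:
            return None, "unknown session"
        now = self.clock()
        if now - rec["issued"] > self.max_lifetime:
            return self._end(session_id, "expired")
        if now - rec["last_seen"] > self.idle_timeout:
            return self._end(session_id, "idle timeout")
        if location != rec["location"]:
            # Real-time usage tracking: an account seen from a new location is denied
            # and the session ended rather than silently accepted.
            return self._end(session_id, f"location changed {rec['location']}->{location}")
        rec["last_seen"] = now
        return rec["user"], None

    def logout(self, token: str) -> bool:
        """Explicit logout by the user; returns True if a live session was ended."""
        session_id, _, _ = token.rpartition(".")
        if session_id in self.sessions:
            self._end(session_id, "user logout")
            return True
        return False

    def _end(self, session_id, reason):
        rec = self.sessions.pop(session_id)
        self._log("logout", rec["user"], reason)
        return None, reason


class FakeClock:
    """Manually advanced clock so idle and lifetime limits can be demonstrated offline."""

    def __init__(self, start=1_000.0):
        self.t = start

    def __call__(self):
        return self.t


if __name__ == "__main__":
    clk = FakeClock()
    store = SessionStore(idle_timeout=60, max_lifetime=3600, clock=clk)
    tok = store.login("alice", "10.0.0.5")           # constructed user and address
    print(store.check(tok, "10.0.0.5"))              # ('alice', None)
    print(store.check(tok, "203.0.113.9"))           # denied: location changed
    clk.t += 61
    tok2 = store.login("bob", "10.0.0.6")
    clk.t += 61
    print(store.check(tok2, "10.0.0.6"))             # (None, 'idle timeout')
    for entry in store.audit:
        print(entry)
```

Because the record lives on the server, the token the browser carries (typically in a cookie) need only be unforgeable and unguessable; all policy decisions, including revocation, are made from the server-side record, which is what makes the audit trail and the forced logout possible.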