U.S. patent application number 14/482486 was filed with the patent office on 2014-12-25 for authentication information management of associated first and second authentication information for user authentication.
The applicant listed for this patent is FUJITSU LIMITED. Invention is credited to Itaru Nakagawa, Kazuo Sasaki.
Application Number: 20140380440 14/482486
Family ID: 42827251
Filed Date: 2014-12-25

United States Patent Application 20140380440
Kind Code: A1
Nakagawa; Itaru; et al.
December 25, 2014
AUTHENTICATION INFORMATION MANAGEMENT OF ASSOCIATED FIRST AND
SECOND AUTHENTICATION INFORMATION FOR USER AUTHENTICATION
Abstract
An authentication information management program of an
authentication information management apparatus allowing the
authentication information management apparatus to execute:
changing the first authentication information in correspondence
information which is information including the first authentication
information and second authentication information in association
with each other and stored in a storage section of the
authentication information management apparatus; transmitting the
authentication apparatus of the changed first authentication
information; determining, in response to a request from the
apparatus to be authenticated, whether the second authentication
information in the authentication request coincides with the second
authentication information in the correspondence information; and
returning, in the case where it is determined that the second
authentication information in the authentication request coincides
with the second authentication information in the correspondence
information, the first authentication information associated with
the second authentication information read from the storage
section.
Inventors: Nakagawa; Itaru (Kawasaki, JP); Sasaki; Kazuo (Kawasaki, JP)

Applicant:
Name | City | State | Country | Type
FUJITSU LIMITED | Kawasaki-shi | | JP |

Family ID: 42827251
Appl. No.: 14/482486
Filed: September 10, 2014

Related U.S. Patent Documents
Application Number | Filing Date | Patent Number
12728420 | Mar 22, 2010 | 8863254
14482486 | |

Current U.S. Class: 726/6
Current CPC Class: H04L 9/321 20130101; H04L 63/0861 20130101; H04L 63/08 20130101; H04L 9/3271 20130101; G06F 21/556 20130101; G06F 21/33 20130101; H04L 63/083 20130101
Class at Publication: 726/6
International Class: H04L 29/06 20060101 H04L029/06

Foreign Application Data
Date | Code | Application Number
Apr 1, 2009 | JP | 2009-088745
Claims
1. A method for controlling an authentication server which manages
a first password for a login process from a client terminal to an
application comprising: managing the first password and
authentication information for the login process from the client
terminal to the authentication server; and generating a second
password which is different from the first password based on policy
information to change the first password.
2. The method for controlling the authentication server according
to claim 1, further comprising: requesting the application to
change the first password to the second password; and changing the
first password which is managed in association with the
authentication information to the second password.
3. The method for controlling the authentication server according
to claim 2, wherein the policy information includes an
authentication key generation condition.
4. The method for controlling the authentication server according
to claim 3, wherein the authentication key generation condition
includes a character type, an occurrence frequency of characters, a
password length or dissimilarity among passwords.
5. The method for controlling the authentication server according
to claim 2, wherein the policy information includes a change
timing.
6. The method for controlling the authentication server according
to claim 5, wherein the change timing includes change at every
login, change at periodic intervals, change at every
authentication, or whether to allow a change to be made in-use.
7. An authentication method for a login process from a client
terminal to an application comprising: receiving authentication
information inputted to the client terminal; managing a first
password for the login process to the application in association
with the authentication information; and generating a second
password which is different from the first password based on policy
information to change the first password.
8. The authentication method according to claim 7, wherein an
authentication method of the authentication information inputted to
the client terminal is different from an authentication method for
a login process to the application.
9. The authentication method according to claim 8, wherein the
authentication method of the authentication information inputted to
the client terminal is a biometric authentication method.
10. The authentication method according to claim 8, wherein the
authentication method of the authentication information inputted to
the client terminal is selectable among a plurality of
authentication methods which an authentication strength differ from
each other.
11. The authentication method according to claim 7, wherein the
generated second password is transmitted to a screen for a change
of a password of the application.
12. The authentication method according to claim 11, wherein the
second password is stored in association with the authentication
information after the password of the application is changed to the
second password.
13. The authentication method according to claim 7, wherein the
policy information includes an authentication key generation
condition.
14. The authentication method according to 13, wherein the
authentication key generation condition includes a character type,
an occurrence frequency of characters, a password length or
dissimilarity among passwords.
15. The authentication method according to 13, wherein the
authentication key generation condition includes a character
type.
16. The authentication method according to 13, wherein the
authentication key generation condition includes an occurrence
frequency of characters.
17. The authentication method according to 13, wherein the
authentication key generation condition includes a password
length.
18. The authentication method according to 13, wherein the
authentication key generation condition includes dissimilarity
among passwords.
19. The authentication method according to 13, wherein the policy
information includes a change timing.
20. The authentication method according to 19, wherein the change
timing includes change at every login, change at periodic
intervals, change at every authentication, or whether to allow a
change to be made in-use.
21. An authentication server which manages a first password for a
login process from a client terminal to an application comprising:
a storage configured to store the first password and authentication
information for the login process from the client terminal to the
authentication server, the authentication information being
associated with the first password; and a CPU configured to
generate a second password which is different from the first
password based on policy information to change the first
password.
22. The authentication server according to claim 17, wherein the
CPU further requests the application to change the first password
to the second password and changes the first password which is
managed in association with the authentication information to the
second password.
Description
CROSS-REFERENCE TO RELATED APPLICATIONS
[0001] This application is a divisional application of and claims
priority to U.S. Ser. No. 12/728,420, which was filed Mar. 22,
2010, is pending, and is hereby incorporated by reference in its
entirety for all purposes. U.S. Ser. No. 12/728,420 is based upon
and claims the benefit of priority of the prior Japanese Patent
Application No. 2009-088745, filed on Apr. 1, 2009, the entire
contents of which are incorporated herein by reference.
FIELD
[0002] The embodiments discussed herein relate to a user
authentication technique.
BACKGROUND
[0003] User authentication techniques are used for protecting
applications. In the case where a user authentication technique
(e.g., password authentication) that has been introduced for an
application is changed to a more robust authentication technique
(e.g., biometric authentication), the application itself protected
by the user authentication technique needs to be changed.
[0004] In order to cope with the above problem, there has been
proposed an authentication technique using a plurality of
authentication methods. For example, there is known a technique
that manages user authentication information that a user uses for
authentication, terminal authentication information that a user
terminal uses for authentication, and a login script to an ASP
(Application Service Provider) (refer to, e.g., Japanese Laid-open
Patent Publication No. 2002-328904). In this authentication
technique, only when user authentication has been successfully
completed, the login script to the ASP is sent to the user
terminal, and the user terminal acts as the user to execute
authentication to the ASP using the terminal authentication
information. In this authentication technique, the two pieces of
information (user authentication information and terminal
authentication information) are managed in association with each
other by a management server.
[0005] However, in the technique disclosed in Japanese Laid-open
Patent Publication No. 2002-328904, if the terminal authentication
information is leaked, a system is in a vulnerable state until a
system administrator or a user changes the terminal authentication
information.
SUMMARY
[0006] A computer-readable recording medium that records, in a
computer readable manner, an authentication information management
program for an authentication information management apparatus that
can be connected to an authentication apparatus that executes an
authentication based on first authentication information and an
apparatus to be authenticated based on the first authentication
information, allowing the authentication information management
apparatus to execute: changing the first authentication information
in correspondence information which is information including the
first authentication information and second authentication
information different from the first authentication information in
association with each other and stored in a storage section of the
authentication information management apparatus; transmitting the
authentication apparatus of the changed first authentication
information; determining, in response to a request for execution of
an authentication based on the second authentication information
which is issued from the apparatus to be authenticated, whether the
second authentication information in the authentication request
coincides with the second authentication information in the
correspondence information; and returning, in the case where it is
determined that the second authentication information in the
authentication request coincides with the second authentication
information in the correspondence information, the first
authentication information associated with the second
authentication information read from the storage section as a reply
to the request for the execution of the first authentication which
is issued from the apparatus to be authenticated.
[0007] The object and advantages of the invention will be realized
and attained by means of the elements and combinations particularly
pointed out in the claims.
[0008] It is to be understood that both the foregoing general
description and the following detailed description are exemplary
and explanatory and are not restrictive of the invention, as
claimed.
BRIEF DESCRIPTION OF DRAWINGS
[0009] FIG. 1 is a view illustrating the entire configuration of an
authentication system according to an embodiment of the present
invention;
[0010] FIG. 2 is a view illustrating a hardware configuration of
the authentication system of the present embodiment;
[0011] FIG. 3 is a view illustrating functional configurations of a
client terminal and an authentication information management
server;
[0012] FIG. 4 is a view illustrating authentication management
information;
[0013] FIG. 5 is a view illustrating policy information;
[0014] FIG. 6 is a view illustrating state information;
[0015] FIG. 7 is a sequence diagram illustrating operations of the
authentication system concerning login and logout;
[0016] FIG. 8 is a flowchart illustrating operations of change
processing performed in the case where the change timing is "change
at every login";
[0017] FIG. 9 is a flowchart illustrating operations of the change
processing performed in the case where the change timing is
"periodic intervals";
[0018] FIG. 10 is a flowchart illustrating operations of the change
processing performed in the case where the change timing is "change
at second authentication";
[0019] FIG. 11 is a flowchart illustrating operations of
transmitting processing;
[0020] FIG. 12 is a flowchart illustrating operations of the AP
server; and
[0021] FIG. 13 is a view illustrating an example of a computer
system to which the present invention is applied.
DESCRIPTION OF EMBODIMENTS
[0022] An embodiment of the present invention will be described
below with reference to the accompanying drawings.
[0023] First, the entire configuration of an authentication system
according to the present embodiment will be described. FIG. 1 is a
view illustrating the entire configuration of an authentication
system according to the present embodiment.
[0024] As illustrated in FIG. 1, an authentication system according
to the present embodiment includes a client terminal 1 (apparatus
to be authenticated), an authentication information management
server 2, and an AP (Application) server 3 (authentication server),
which are connected to one another through a network. The AP server
3 provides an application having an authentication function to the
client terminal 1. The client terminal 1 uses the application
provided by the AP server 3 through a login process. The
authentication information management server 2 manages
authentication information relating to the login process of the
client terminal 1.
[0025] In the authentication system of the present embodiment, the
login process of the client terminal 1 to the application is
accomplished through a first authentication for the application and
a second authentication for the authentication information
management server 2. The first authentication is an
application-specific authentication, so that its authentication
method depends on the application. In the case of the second
authentication, its authentication method does not depend on the
application; therefore an authentication method according to
desired authentication strength can be selected. Hereinafter,
authentication information relating to the first authentication is
referred to as "first authentication information", and
authentication information relating to the second authentication is
referred to as "second authentication information". Further, in the
present embodiment, the authentication information includes a set
of an ID and an authentication key.
[0026] Next, a hardware configuration and a functional
configuration of the authentication system of the present
embodiment will be described. FIG. 2 is a view illustrating a
hardware configuration of the authentication system of the present
embodiment. FIG. 3 is a view illustrating functional configurations
of the client terminal and authentication information management
server.
[0027] As illustrated in FIG. 2, the client terminal 1,
authentication information management server 2, and AP server 3 in
the authentication system of the present embodiment each have a CPU
(Central Processing Unit) 90 and a memory 91. Further, software for
the authentication of the present embodiment is installed in the
client terminal 1. As illustrated in FIG. 3, the installed software
allows the client terminal 1 to function as a second authentication
request section 11, a reception section 12, a first authentication
request section 13, and an end notification section 14. The
authentication information management server 2 has as its functions
an authentication information management section 21 (management
section), a second authentication section 22 (authentication
section), a reply section 23, a state management section 24, a
change section 25, and a transmitting section 26. The functional
sections described above are achieved by the CPUs 90 provided in
the client terminal 1 and the authentication information management
server 2.
[0028] The second authentication request section 11 of the client
terminal 1 requests the authentication information management
server 2 to execute the second authentication based on the second
authentication information and, after completion of the
authentication, requests the authentication information management
server 2 to transmit thereto the first authentication information.
The reception section 12 receives, from the authentication
information management server 2, a reply to the request made from
the second authentication request section 11 and first
authentication information. The first authentication request
section 13 requests the AP server 3 to execute the first
authentication based on the first authentication information. The
end notification section 14 notifies the authentication information
management server 2 of application logout in client terminal 1 as
an end notification.
[0029] The authentication information management section 21 of the
authentication information management server 2 associates
applications (application 1 and application 2) provided by the AP
server 3, first authentication information, and second
authentication information with one another to manage them as
authentication management information (correspondence information).
The second authentication section 22 executes the second
authentication based on the second authentication information and
receives the request for transmission of the first authentication
information from the client terminal 1. The reply section 23
transmits, to the client terminal 1, a reply to the request for
execution of the second authentication received by the second
authentication section 22 and the first authentication information
as a reply to the request for transmission of the first
authentication information. The state management section 24 manages
an application usage state of the client terminal 1 as state
information. The change section 25 changes the first authentication
information at the timing based on policy information indicating a
predetermined condition. The transmitting section 26 transmits the
first authentication information changed by the change section 25
to the AP server 3 for updating first authentication information of
terminal 1.
[0030] Next, the authentication management information will be
described. FIG. 4 is a view illustrating the authentication
management information.
[0031] As illustrated in FIG. 4, the authentication management
information includes an application, first authentication
information, and second authentication information in association
with one another. The first authentication information and second
authentication information each include an ID which is an
identifier uniquely identifying a specific user and an
authentication key in association with each other. In the
authentication management information illustrated in FIG. 4.
[0032] Next, the policy information will be described. FIG. 5 is a
view illustrating the policy information.
[0033] As illustrated in FIG. 5, the policy information includes an
application and a policy in association with each other. The policy
includes a change timing and an authentication key generation
condition in association with each other. The authentication key
generation condition includes an authentication method and a
generation condition in association with each other. The change
timing is a condition for changing the first authentication
information. The change timing conditions include "change at every
login", "change at periodic intervals", and "change at second
authentication", whether to allow a change to be made in-use, and
the like. These conditions are examples and other conditions may be
set. In the case where the change timing is "change at periodic
intervals", the associated authentication key is changed
periodically. The authentication method is an authentication system of
the associated application. The generation condition is a condition
for generating the authentication key corresponding to the
associated application.
[0034] Next, the state information will be described. FIG. 6 is a
view illustrating the state information.
[0035] As illustrated in FIG. 6, the state information includes an
ID of the second authentication information, an application, a use
state of the application, and a terminal using the application in
association with one another. The use state is represented by
"in-use" indicating a state where the client terminal is logging in
the application or "unused" indicating a state where the client
terminal is not logging in the application. In the case where the
use state is "in-use", the client terminal that is logging in the
application as a usage source terminal is associated with the
second authentication ID and application. Although the use state
includes both "in-use" and "unused" in FIG. 6, it may include only
an application in-use as a management target. In this case, only a
client terminal that utilizes the application to be managed is
entered into the state information and, when this client terminal
stops utilizing the application, the entry thereof is deleted from
the state information.
[0036] Next, operation of the authentication system concerning
login and logout of the client terminal to/from the application
will be described using a flowchart. FIG. 7 is a sequence diagram
illustrating the operations of the authentication system concerning
login and logout. It is assumed in FIG. 7 that the first and second
authentication information are stored for management, as
authentication information management information, in a storage
(e.g., memory 91) by the authentication information management
section.
[0037] The second authentication request section 11 of the client
terminal 1 requests the authentication information management
server 2 to execute the second authentication based on the second
authentication information (S101).
[0038] The second authentication section 22 of the authentication
information management server 2 executes the second authentication
based on the second authentication information in the
authentication information management information according to the
request from the client terminal 1 and returns a reply to the
client terminal 1 (S102). The second authentication is executed
based on determination of whether the second authentication
information in the second authentication execution request from the
client terminal 1 coincides with the second authentication
information in the authentication information management
information.
[0039] After completion of the second authentication by the
authentication information management server 2, the second
authentication request section 11 of the client terminal 1 requests
the authentication information management server 2 to transmit
thereto the first authentication information (S103).
[0040] The second authentication section 22 of the authentication
information management server 2 changes the application use state
of the client terminal 1 to "in-use" through the state management
section 24 (S104). After the change, the second authentication
section 22 refers to the authentication management information
illustrated in FIG. 4 and returns as a reply the first
authentication information associated with the second
authentication information based on which second authentication of
the client terminal 1 has been executed (S105).
[0041] The reception section 12 of the client terminal 1 receives
the first authentication information from the authentication
information management server 2 (S106). The first authentication
request section 13 detects an authentication screen of the
application to be logged in and requests the application to execute
the first authentication based on the first authentication
information received by the reception section 12 (S107). The
authentication screen is a screen for inputting the ID and a
password serving as the authentication key. The first
authentication request section 13 automatically inputs the ID and
password for the first authentication.
[0042] The application performs the first authentication based on
the first authentication information according to the request from
the client terminal 1 and returns a reply to the client terminal 1
(S108). The first authentication is executed based on determination
of whether the first authentication information used in the first
authentication execution request from the client terminal 1
coincides with the first authentication information transmitted by
the authentication information management server 2.
[0043] After returning the reply about completion of the first
authentication by the application, the client terminal 1 logs in
the application (S109) and uses the application (S110). When the
client terminal 1 logs out from the application after usage (S111),
the end notification section 14 transmits an end notification to the
authentication information management server 2 (S112).
[0044] After the transmission of the end notification from the
client terminal 1, the state management section 24 of the
authentication information management server 2 changes the
application use state of the client terminal 1 to "unused"
(S113).
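The S101 to S113 exchange above, as an added Python sketch that is not part of the patent text. The class names, the session token that links S102 to S103, the token invalidation at logout, and all sample IDs and keys are assumptions constructed for illustration; the last steps show that after the first authentication key is changed, the old key is rejected by the AP server while a terminal that passes the second authentication receives the new one.

```python
import hmac
import secrets
from dataclasses import dataclass, field


def _same(a: str, b: str) -> bool:
    """Constant-time comparison for the "coincides" checks in S102 and S108."""
    return hmac.compare_digest(a.encode(), b.encode())


@dataclass
class APServer:
    """AP server 3: knows only the application-specific first authentication information."""
    accounts: dict = field(default_factory=dict)          # first ID -> password

    def first_authentication(self, first_id: str, password: str) -> bool:   # S108
        stored = self.accounts.get(first_id)
        return stored is not None and _same(stored, password)


@dataclass
class ManagementServer:
    """Authentication information management server 2."""
    ap: APServer
    second_keys: dict = field(default_factory=dict)       # second ID -> second key
    first_info: dict = field(default_factory=dict)        # (second ID, app) -> [first ID, key]
    state: dict = field(default_factory=dict)             # (second ID, app) -> terminal in use
    sessions: dict = field(default_factory=dict)          # token -> second ID (assumption)

    def second_authentication(self, second_id, second_key):   # S101-S102
        stored = self.second_keys.get(second_id)
        if stored is None or not _same(stored, second_key):
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = second_id
        return token

    def request_first_info(self, token, app, terminal):       # S103-S105
        second_id = self.sessions.get(token)
        if second_id is None or (second_id, app) not in self.first_info:
            return None
        self.state[(second_id, app)] = terminal               # S104: "in-use"
        return tuple(self.first_info[(second_id, app)])       # S105

    def end_notification(self, token, app):                   # S112-S113
        # Dropping the token at logout is an assumption, not stated in the text.
        second_id = self.sessions.pop(token, None)
        self.state.pop((second_id, app), None)                # entry removed = "unused"

    def change_first_key(self, second_id, app):
        """Change section 25 plus transmitting section 26, reduced to the essentials."""
        record = self.first_info[(second_id, app)]
        record[1] = secrets.token_urlsafe(18)
        self.ap.accounts[record[0]] = record[1]               # update the AP server
        return record[1]


def run_login_sequence():
    """Runs the sequence on constructed sample data; returns each step's result."""
    ap = APServer(accounts={"app-user01": "initial-app-pw"})
    ms = ManagementServer(ap=ap)
    ms.second_keys["alice"] = "constructed-second-key"
    ms.first_info[("alice", "application1")] = ["app-user01", "initial-app-pw"]
    key = ("alice", "application1")
    out = {}

    out["wrong_second_key"] = ms.second_authentication("alice", "guess")
    token = ms.second_authentication("alice", "constructed-second-key")
    first_id, first_key = ms.request_first_info(token, "application1", "terminal-1")
    out["in_use_terminal"] = ms.state.get(key)
    out["first_auth"] = ap.first_authentication(first_id, first_key)      # S107-S109
    ms.end_notification(token, "application1")                            # S111-S113
    out["in_use_after_logout"] = key in ms.state
    out["stale_token"] = ms.request_first_info(token, "application1", "terminal-1")

    ms.change_first_key("alice", "application1")
    out["old_key_after_change"] = ap.first_authentication(first_id, first_key)
    token = ms.second_authentication("alice", "constructed-second-key")
    first_id, new_key = ms.request_first_info(token, "application1", "terminal-1")
    out["new_key_after_change"] = ap.first_authentication(first_id, new_key)
    return out


if __name__ == "__main__":
    for step, result in run_login_sequence().items():
        print(f"{step}: {result}")
```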
[0045] Next, operation of change processing performed by the change
section will be described for each change timing. First, the change
processing performed in the case where the change timing is "change
at every login" will be described. FIG. 8 is a flowchart
illustrating operations of the change processing.
[0046] The change section 25 refers to the policy information
(S201) and determines whether the change timing is "change at every
login" (S202).
[0047] In the case where the change timing is "change at every
login" (YES in S202), the change section 25 determines whether the
client terminal 1 tries to log in the application or has logged out
from the application (S203). The determination of whether the
client terminal 1 tries to log in or has logged out from the
application is made based on whether the first authentication
information has been requested by the client terminal 1.
[0048] In the case where the client terminal 1 has logged in the
application (YES in S203), the change section 25 refers to the
state information (S204) through the state management section 24
and determines whether the client terminal 1 is using an
application which has been associated with the first authentication
information to be changed in the authentication management
information (S205).
[0049] In the case where the client terminal 1 is using the
application (YES in S205), the change section 25 determines whether
a change of the first authentication information that is being used
is allowed (S206).
[0050] In the case where the change of the first authentication
information that is being used is allowed (YES in S206), the change
section 25 changes the first authentication information in the
authentication management information through the authentication
information management section 21 (S207) and refers to the policy
information once again for next request (S201).
[0051] On the other hand, in the case where the change of the first
authentication information that is being used is not allowed (NO in
S206), the change section 25 refers to the policy information once
again for next request (S201).
[0052] In the case where the client terminal 1 is not using the
application (NO in S205), the change section 25 changes the first
authentication information in the authentication management
information through the authentication information management
section 21 (S207).
[0053] In the case where the client terminal 1 has not logged in
the application (NO in S203), the change section 25 refers to the
policy information once again for next request (S201).
[0054] In the case where the change timing is not "change at every
login" (NO in S202), the change section 25 refers to the policy
information once again for next request (S201).
[0055] Next, operation of the change processing performed in the
case where the change timing is "periodic intervals" will be
described. FIG. 9 is a flowchart illustrating operations of the
change processing performed in the case where the change timing is
"periodic intervals".
[0056] The change section 25 refers to the policy information
(S301) and determines whether the change timing is "periodic
intervals" (S302).
[0057] In the case where the change timing is "periodic intervals"
(YES in S302), the change section 25 determines whether a
predetermined period has elapsed based on, e.g., the date of a
previous change (S303).
[0058] In the case where the predetermined period has elapsed (YES
in S303), the change section 25 refers to the state information
through the state management section 24 (S304) and determines
whether the client terminal 1 is using an application which has
been associated with the first authentication information to be
changed in the authentication management information (S305).
[0059] In the case where the client terminal 1 is using the
application (YES in S305), the change section 25 determines whether
a change of the first authentication information that is being used
is allowed (S306).
[0060] In the case where the change of the first authentication
information that is being used is allowed (YES in S306), the change
section 25 changes the first authentication information in the
authentication management information through the authentication
information management section 21 (S307) and refers to the policy
information once again for next request (S301).
[0061] On the other hand, in the case where the change of the first
authentication information that is being used is not allowed (NO in
S306), the change section 25 refers to the policy information once
again for next request (S301).
[0062] In the case where the client terminal 1 is not using the
application (NO in S305), the change section 25 changes the first
authentication information in the authentication management
information through the authentication information management
section 21 (S307).
[0063] In the case where the predetermined period has not elapsed
(NO in S303), the change section 25 refers to the policy
information once again for next request (S301).
[0064] In the case where the change timing is not "periodic
intervals" (NO in S302), the change section 25 refers to the policy
information once again for next request (S301).
[0065] Next, operation of the change processing performed in the
case where the change timing is "change at second authentication"
will be described. FIG. 10 is a flowchart illustrating operations
of the change processing performed in the case where the change
timing is "change at second authentication".
[0066] The change section 25 refers to the policy information
(S401) and determines whether the change timing is "change at
second authentication" (S402).
[0067] In the case where the change timing is "change at second
authentication" (YES in S402), the change section 25 determines
whether a second authentication of the client terminal 1 has
succeeded (S403).
[0068] In the case where the second authentication of the client
terminal 1 has succeeded (YES in S403), the change section 25
refers to the state information through the state management
section 24 (S404) and determines whether the client terminal 1 is
using an application which has been associated with the first
authentication information to be changed in the authentication
management information (S405).
[0069] In the case where the client terminal 1 is using the
application (YES in S405), the change section 25 determines whether
a change of the first authentication information that is being used
is allowed (S406).
[0070] In the case where the change of the first authentication
information that is being used is allowed (YES in S406), the change
section 25 changes the first authentication information in the
authentication management information through the authentication
information management section 21 (S407) and refers to the policy
information once again (S401).
[0071] On the other hand, in the case where the change of the first
authentication information that is being used is not allowed (NO in
S406), the change section 25 refers to the policy information once
again (S401).
[0072] In the case where the client terminal 1 is not using the
application (NO in S405), the change section 25 changes the first
authentication information in the authentication management
information through the authentication information management
section 21 (S407).
[0073] In the case where the second authentication of the client
terminal 1 has not succeeded (NO in S403), the change section
25 refers to the policy information once again (S401).
[0074] In the case where the change timing is not "change at second
authentication" (NO in S402), the change section 25 refers to the
policy information once again (S401).
[0075] Next, operation of transmitting processing performed by the
transmitting section will be described. FIG. 11 is a flowchart
illustrating operations of the transmitting processing.
[0076] The transmitting section 26 determines whether the first
authentication information in the authentication management
information has been changed (S501).
[0077] In the case where the first authentication information has
been changed (YES in S501), the transmitting section 26 transmits
the first authentication information after the change to the
application with which the first authentication information before
the change has been associated (S502). After the transmission has
been made, the transmitting section 26 determines once again whether the
first authentication information in the authentication management
information has been changed (S501).
[0078] Next, operation of the AP server concerning the change of
the first authentication information will be described. FIG. 12 is
a flowchart illustrating the operations of the AP server.
[0079] The AP server 3 determines whether the first authentication
information has been transmitted from the authentication
information management server 2 (S601).
[0080] In the case where the first authentication information has
been transmitted from the authentication information management
server 2 (YES in S601), the AP server 3 updates the first
authentication information (S602) and determines once again whether
the first authentication information has been transmitted from the
authentication information management server 2 (S601).
[0081] On the other hand, in the case where the first
authentication information has not been transmitted from the
authentication information management server 2 (NO in S601), the AP
server 3 determines once again whether the first authentication
information has been transmitted from the authentication
information management server 2 (S601).
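As an added illustration that is not part of the application as filed, the following Python example carries one user through the change processing (S301 to S307 and S401 to S407), the transmitting processing (S501 to S502) and the AP server update (S601 to S602). The class names, field names and the use of a random token as the new first authentication information are assumptions made for the example; the direct method call stands in for the transmission between servers.

```python
import secrets
import time
from dataclasses import dataclass, field

@dataclass
class Policy:                      # policy information (field names are assumptions)
    change_timing: str             # "periodic intervals" or "change at second authentication"
    period_seconds: float = 0.0    # predetermined period for "periodic intervals"
    allow_change_in_use: bool = False

@dataclass
class ApServer:                    # AP server 3: holds the credential it currently accepts
    first_auth: dict = field(default_factory=dict)

    def receive(self, user, new_secret):       # S601 -> S602
        self.first_auth[user] = new_secret

@dataclass
class ManagementServer:            # authentication information management server 2
    policy: Policy
    ap: ApServer
    first_auth: dict = field(default_factory=dict)   # authentication management information
    in_use: set = field(default_factory=set)         # state information: users using the application
    last_change: dict = field(default_factory=dict)  # time of the last change per user

    def _due(self, user, second_auth_ok, now):
        timing = self.policy.change_timing
        if timing == "change at second authentication":        # S402, S403
            return second_auth_ok
        if timing == "periodic intervals":                      # S302, S303
            return now - self.last_change.get(user, 0.0) >= self.policy.period_seconds
        return False

    def maybe_change(self, user, second_auth_ok=False, now=None):
        now = time.time() if now is None else now
        if not self._due(user, second_auth_ok, now):
            return False
        # S305/S405 and S306/S406: skip the change while the application is in
        # use unless the policy allows changing a credential that is being used.
        if user in self.in_use and not self.policy.allow_change_in_use:
            return False
        new_secret = secrets.token_urlsafe(24)                  # S307 / S407
        self.first_auth[user] = new_secret
        self.last_change[user] = now
        self.ap.receive(user, new_secret)                       # S501 -> S502
        return True
```
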
[0082] As described above, actively changing the first
authentication information allows quick action against a leakage of
the first authentication information. Further, the authentication
method of the second authentication is not dependent on the
application, so that the strength of authentication can be
increased by employing, e.g., biometrics as the method employed in
the second authentication.
[0083] Further, freely setting a condition for changing the first
authentication information allows a flexible response to the
application function or situation in which a user utilizes the
application. Further, by changing the first authentication
information under a condition according to a situation in which the
client terminal 1 utilizes the application, it is possible to
prevent an abnormality of the application due to the change of the
first authentication information. Such an abnormality can occur in,
e.g., an application that uses the first authentication information
once again during a login state. In this case, making a setting so as
not to change the first authentication information during use of
the application prevents the abnormality of the application.
[0084] The present invention may be applied to a computer system as
described below. FIG. 13 is a view illustrating an example of a
computer system to which the present invention is applied. A
computer system 900 illustrated in FIG. 13 includes a main body 901
incorporating a CPU, a disk drive, and the like, a display 902 that
displays an image according to an instruction from the main body
901, a keyboard 903 for a user to input various pieces of
information in the computer system 900, a mouse 904 for a user to
specify a given position on a display screen 902a of the display
902, and a communication unit 905 that accesses an external
database or the like to download, e.g., a program stored in another
computer system. As the communication unit 905, a network
communication card, a modem, and the like may be employed.
[0085] It is possible to provide as an authentication information
management program a program that allows a computer to execute the
above steps in a computer system constituting the authentication
information management apparatus. By storing the above program in a
storage medium that can be read by the computer system, it is
possible to allow the computer system constituting the
authentication information management apparatus to execute the
program. The program executing the above steps is stored in a
portable recording medium such as a disk 910 or downloaded from a
recording medium 906 of another computer system by the
communication unit 905. An authentication information management
program (authentication information management software) allowing
the computer system 900 to exert at least an authentication
information management function is input to the computer system 900
and is compiled therein. The compiled program allows the computer
system 900 to operate as an authentication information management
apparatus having the authentication information management
function. The program may be stored in a computer-readable storage
medium such as a disk 910. The recording medium that can be read by
the computer system 900 mentioned here includes: an internal
storage device mounted in a computer, such as an HDD, ROM or RAM; a
portable storage medium such as the disk 910, a flexible disk, a
DVD disk, a magneto-optical disk, or an IC card; a database that
holds a computer program; another computer system and database
thereof; and various recording media that can be accessed from a
computer system connected thereto through a communication means
such as the communication unit 905.
[0086] All examples and conditional language recited herein are
intended for pedagogical purposes to aid the reader in
understanding the invention and the concepts contributed by the
inventor to furthering the art, and are to be construed as being
without limitation to such specifically recited examples and
conditions, nor does the organization of such examples in the
specification relate to a showing of the superiority and
inferiority of the invention. Although the embodiments of the
present inventions have been described in detail, it should be
understood that the various changes, substitutions, and alterations
could be made hereto without departing from the spirit and scope of
the invention.
* * * * *