Extensible system for building and evaluating credentials

Abstract

A method and apparatus for authenticating and authorizing a user of a device connected to a network. In one embodiment, a set of credential descriptors is generated that describes credentials that must be built for authenticating the user. The set of credential descriptors is provided to a first device, which includes a first master credential builder for building credentials corresponding to at least one of the credential descriptors. In the event that the first master credential builder does not build all of the credentials corresponding to the set of credential descriptors, another set of credential descriptors is provided to a second device, which includes a second master credential builder for building at least one credential remaining to be built. This process continues until all credentials have been built or a determination is made that they cannot be built. After all credentials have been built, the credentials are provided to a master credential evaluator, which may be included in the first device, the second device, or another device. If the master credential evaluator successfully evaluates the built credentials, then user authentication is completed. Advantageously, credential builders and credential evaluators can be added to or removed from the master credential builders and the master credential evaluator, respectively, to allow dynamic modification of the master credential builders and the master credential evaluator to suit specific and changing requirements for user authentication/authorization.