Patent Application
20080289032
The present invention relates to a computer control method and a computer control system for controlling an operation of a computer based on an authentication result due to biological or biometric information, such as a fingerprint or the like, using an externally connected device, such as a USB memory.
When a computer is used for management of important information in a company or the like, it is widely known to provide an operating authority to the computer in order to prevent information leakage or the like due to an unauthorized operation of the computer by a third party. The most common procedure is one in which a password is assigned to a computer user, and the operating authority is granted only to a user whose personal identification has been authenticated resulting from a match of passwords. But it is difficult to sufficiently eliminate a risk of permitting the unauthorized operation due to the password being compromised. As a result, biological or biometric information (the terms biological information and biometric information are used interchangeably herein), such as a fingerprint, has been increasingly employed in recent years as an authentication mechanism with higher safety.
In order to perform the authentication using the biological information, biological information of a user who has been given use authority is registered into a computer side in advance, and biological information read from a part of a user's body by a sensor is compared, when using the computer, with the biological information that has been registered in advance to thereby determine whether or not both sets of biological data match in order to verify whether or not the user is an authorized operator. In this case, when the user having the use authority is fixed for every computer, what is necessary is simply to register the biological information into a computer mainframe in advance, whereas it is a closed network, such as an intra-company LAN, what is necessary is simply to register the biological information of the user having the use authority in the network into a server for management in advance.
In a stand-alone computer, and a computer used outside the closed network, however, when the user having the authority of using the computer cannot be specified in advance, the operating authority cannot be managed by registering the biological information into the computer in advance as mentioned above. As a technology to deal with such a case, Japanese Unexamined Patent Publication No. 2005-128741 (Kokai), e.g., discloses an invention for allowing the biological information to be carried freely by storing the biological information in a USB memory, and allowing the use authority also for the external computer to be managed using a biological authentication
According to the disclosure of Kokai, the system is configured in such a way that by storing fingerprint information of the user having the operating authority in the USB memory, and providing the USB memory with a verification mechanism for the fingerprint, when the computer is operated, the USB memory is connected to the computer, and if the personal identification is authenticated, software possible for the computer operation is sent, so that only a user having the authority can operate the computer.
As described above, according to Kokai, the USB memory is delivered for every user who is given the operating authority of the computer so that it is possible to manage in such a way that only the user having the authority can use the computer. According to this invention, while the operating authority is granted per every user, operations that can control the computer are limited to a computer start-up and a network connection, which can be controlled by the software or the like sent from the USB memory.
As an example in which the use authority is desired to be set in the computer outside the closed network which is usually used, following cases may be considered, for example: when a plurality of employees are dispatched from a certain company to another company, it is assumed that all of the employees can use the computer in the dispatched company, and if a predetermined responsible person is included in the dispatched employees, it is desired to make the responsible person use software for sales management (for example, a case where only word-processing software can be used when only a registered employee is dispatched, but accounting software can also be used when a manager is included).
According to the disclosure of Kokai, however, since the authority is set to every user, it cannot deal with a case where the authority is set in combination with a plurality of users, as in this case. Additionally, although it can deal with the computer start-up or the control of the network connection, it can not deal with a setup per application such that the word processor software can be used, but the accounting software cannot be used, as in this case, a setup per file such that another certain file can be accessed, but a certain file cannot be accessed, and even a setup per operation such that data can be read from a certain file but cannot be written therein.
The present invention is made to solve such a problem, and, according to various embodiments of the invention, provides a computer control method and a computer control system for controlling an operation of a computer based on an authentication result due to biological information, such as a fingerprint or the like, using an externally connected device, such as a USB memory or the like, and particularly a computer control method and a computer control system for allowing for a setup of an authentication authority in combination with a plurality of users, and a setup of authority per application and operation.
According to various embodiments of the present invention, an authentication condition per application and operation is stored in an externally connected device, such as a USB memory connected to a computer, along with biological information, such as fingerprints for a plurality of users, which is used for a biological (also called biometric) authentication. The externally connected device is connected for operating the computer while executing a biological authentication of a targeted user based on the biological information stored in the externally connected device: a) when starting the computer to logon, b) when a predetermined application program product is started, and c) when an agent program product detects a predetermined operation. This authentication verifies whether or not a result of the biological authentication satisfies the authentication condition stored in the externally connected device, so that an execution of logon upon starting the computer, an operation of the application program product, and other predetermined operations are controlled.
While it is required that the above-mentioned biological information and authentication condition are stored in the externally connected device according to embodiments of the present invention, a sensor for reading a users biological information, a program product for an arithmetic processing to compare the biological information, and a processing unit are provided in either of the computer and the externally connected device, but it is not limited thereto.
In other words, for the sensor for reading the biological information, either of: a) sensors provided in the computer (or the other external device connected to the computer), and b) provided in the externally connected device may be used. Meanwhile, a comparison program product of the biological information may be stored in either of: a) the computer (or an external storage device connected to the computer), and b) the externally connected device, and the arithmetic processing for comparison may be performed in a main memory of the computer, or may be performed in a dedicated memory provided in the externally connected device.
A first aspect of the present invention is a computer-implemented method for controlling an operation of the computer by connecting an externally connected device capable of storing biological information to a computer, wherein the externally connected device stores at least biological information of a plurality of users used for authentication on the computer, and an authentication condition for the user to cause the computer to execute a predetermined operation, the method including the steps of the computer receiving a logon request to the computer, the computer specifying a comparison result between the biological information of the plurality of users stored in the externally connected device, and biological information read from the plurality of users, the computer reading the authentication condition stored in the externally connected device to specify an authentication condition for logging on to the computer among the authentication conditions, and the computer determining whether or not the comparison result matches with the authentication condition for logging on to the computer, wherein when the comparison result does not match with the authentication condition for logging on to the computer, the computer does not execute a logon processing to the computer.
The externally connected device may store a password set to each of the plurality of users, and the comparison result specified at the step of specifying the comparison result includes a comparison result between the password of each of the plurality of users stored in the externally connected device, and a password entered by each of the plurality of users, along with the comparison result of the biological information.
The method may include the steps of, when the comparison result matches with the authentication condition for logging on to the computer, the computer requesting an input of a password to the user who has made the logon request, the computer receiving the password entered by the user, the computer determining whether or not the password matches with the password specified to the user, which is stored in the computer or the externally connected device, wherein when the password received at the step of receiving the password matches with the password specified to the user, the computer executes the logon processing to the computer.
According to the first aspect of the present invention, the biological information, such as fingerprints, of the plurality of users and the authentication condition for logging on to the computer are stored in the externally connected devices, such as a USB memory. This makes it possible to control, upon starting the computer to logon, the use authority of the computer according not only to use authority per user but also according to a combination of the authentication results of the plurality of users.
In the first aspect of the present invention, a logon may be permitted at the time of having verified the biological authentication defined in the authentication condition. A logon may also be permitted after the biological authentication is performed after the password authentication for verifying that the password entered by the user entered has matched with the password stored in the externally connected device to verify that these authentication results satisfy the authentication condition. Alternatively, the password authentication is executed after verifying that the result of the biological authentication satisfies the authentication condition, so that logon may be permitted.
Moreover, the first aspect of the present invention may include that when the logon processing to the computer is executed, the computer stores the comparison result, and the authentication condition is read from the externally connected device in a predetermined storage area of the computer. When the application program product stored in the computer is started, the application program product obtains the authentication condition set to the application program product from the predetermined storage area. Then, if the comparison result matches with the authentication condition set for the application program product, the application program product causes the computer to execute a normal processing, whereas if the comparison result does not match with the authentication condition set to the application program product, the application program product causes the computer to execute a processing for imposing a predetermined limitation on the application program product.
Furthermore, the first aspect of the present invention may include that when the logon processing to the computer is executed, the computer stores the comparison result, and the authentication condition is read from the externally connected device in a predetermined storage area of the computer. When an agent program product stored in the computer is started, the agent program product obtains the authentication condition associated with the operation from the predetermined storage area, for an operation including at least one of: a) writing or reading a specific file, and b) writing or reading a specific application, the request of which is received by the computer, and then, if the comparison result matches with the authentication condition set for the operation, the agent program product causes the computer to execute a normal processing regarding the operation, whereas if the comparison result does not match with the authentication condition set to the operation, the agent program product causes the computer to execute a processing for imposing a predetermined limitation to the operation.
As described above, the comparison result of the biological information specified upon logon and the authentication condition are stored in the predetermined area of the computer, for example, a main memory, a predetermined file, or the like, thus making it possible to respectively control an operation of the predetermined application after operating the computer, and other predetermined operations, such as reading or writing the file, by defining a condition for permitting the operation as the authentication condition.
A second aspect of the present invention is a computer-implemented method for controlling an operation of the computer by connecting an externally connected device capable of storing biological information to a computer, wherein the externally connected device stores at least biological information of a plurality of users used for authentication on the computer, and an authentication condition for the user to cause the computer to execute a predetermined application program product, the method including the steps of the computer receiving a start of an application program product stored in the computer, the computer specifying a comparison result between the biological information of the plurality of users stored in the externally connected device, and biological information read from the plurality of users, the computer reading the authentication condition stored in the externally connected device to specify an authentication condition set to the application program product among the authentication conditions, and the computer determining whether or not the comparison result matches with the authentication condition set to the application program product, wherein if the comparison result matches with the authentication condition set to the application program product, the computer executes a normal processing regarding the application program product, wherein if the comparison result does not match with the authentication condition set to the application program product, the computer executes a processing for imposing a predetermined limitation to the application program product.
According to the second aspect of the present invention, the biological information, such as fingerprints of the plurality of users and the authentication condition for limiting the operation of the application program product are stored in the externally connected devices, such as the USB memory, thus making it possible to control, when a predetermined application program product is started on the computer, a range of operating the application program product according to not only use authority per user but also a combination of the authentication results of the plurality of users.
A third aspect of the present invention is a computer-implemented method for controlling an operation of the computer by connecting an externally connected device capable of storing biological information to a computer, wherein the externally connected device stores at least biological information of a plurality of users used for authentication on the computer, and an authentication condition for the user to cause the computer to execute a predetermined operation, the method including the steps of the computer receiving a request of an operation including at least one of writing or reading a specific file, and writing or reading a specific application, the computer specifying a comparison result between the biological information of the plurality of users stored in the externally connected device, and biological information read from the plurality of users, the computer reading the authentication condition stored in the externally connected device to specify an authentication condition set to the operation among the authentication conditions, the computer determining whether or not the comparison result matches with the authentication condition set to the operation, wherein if the comparison result matches with the authentication condition set to the operation, the computer executes a normal processing regarding the operation, wherein if the comparison result does not match with the authentication condition set to the operation, the computer executes a processing for imposing a predetermined limitation to the operation.
According to the third aspect of the present invention, the biological information, such as fingerprints, of the plurality of users and the authentication condition for limiting the predetermined operation in the computer are stored in the externally connected devices, such as a USB memory, thus making it possible to control, when the predetermined operation, such as reading, writing the file, or the like is requested to the computer by operating the agent program product corresponding thereto on the computer, whether or not to execute the predetermined operation according to not only use authority per user but also a combination of the authentication results of the plurality of users.
An embodiment of the present invention, corresponding to the computer control methods in accordance with the first through the third aspects, can also be specified as a control system for executing each of the control methods, each including the externally connected device and the computer.
Namely, the computer control system corresponding to the first aspect of the present invention is a computer control system including an externally connected device capable of storing biological information, and a computer connecting the externally connected device, the externally connected device including authentication information storage mechanisms for a storing at least biological information of a plurality of users used for authentication on the computer, and an authentication condition for the user to cause the computer to execute a predetermined operation, the computer including a logon request receiving mechanism for receiving a logon request to the computer, a biological information specifying mechanism for specifying a comparison result between biological information of a plurality of users stored in the externally connected device, and biological information read from the plurality of users, an authentication condition specifying mechanism for reading the authentication condition stored in the externally connected device to specify an authentication condition for logging on to the computer among the authentication conditions, and a determination mechanism for determining whether or not the comparison result matches with the authentication condition for logging on to the computer, wherein when the comparison result does not match with the authentication condition for logging on to the computer, the computer does not execute a logon processing to the computer.
The authentication information storage mechanism of the externally connected device can store a password set to each of the plurality of users, and the comparison result specified by the biological information specifying mechanism includes a comparison result between the password of each of the plurality of users stored in the authentication information storage mechanism, and a password entered by each of the plurality of users, along with the comparison result of the biological information.
The computer may also include a password request mechanism for requesting, when the comparison result matches with the authentication condition for logging on to the computer, an input of a password to the user who has made the logon request, a password receiving mechanism for receiving the password entered by the user, and a password determination mechanism for determining whether or not the password matches with the password specified to the user, which is stored in the computer or the externally connected device, wherein if the password received by the password receiving mechanism matches with the password specified to the user, the computer executes the logon processing to the computer.
The computer may also include an authentication information holding mechanism for storing and holding, when the logon processing to the computer is executed, the comparison result, and the authentication condition read from the externally connected device in a predetermined storage area of the computer, and the application program product stored in the computer obtains, upon starting the application program product, the authentication condition set to the application program product from the predetermined storage area, and then if the comparison result matches with the authentication condition set to the application program product, the application program product causes the computer to execute a normal processing, whereas if the comparison result does not match with the authentication condition set to the application program product, the application program product causes the computer to execute a processing for imposing a predetermined limitation to the application program product.
The computer may also include an authentication information storage mechanism for storing, when the logon processing to the computer is executed, the comparison result, and the authentication condition read from the externally connected device in a predetermined storage area of the computer, and when the agent program product is started, an agent program product stored in the computer obtains the authentication condition set to the operation from the predetermined storage area, for an operation including at least one of writing or reading a specific file, and writing or reading a specific application, the request of which is received by the computer, and if the comparison result matches with the authentication condition set to the operation, the agent program product causes the computer to execute a normal processing regarding the operation, whereas if the comparison result does not match with the authentication condition set to the operation, the agent program product causes the computer to execute a processing for imposing a predetermined limitation to the operation.
The computer control system corresponding to the second aspect of the present invention is a computer control system including an externally connected device capable of storing biological information, and a computer connecting the externally connected device, the externally connected device including authentication information storage mechanism for a storing at least biological information of a plurality of users used for authentication on the computer, and an authentication condition for the user to cause the computer to execute a predetermined application program product, the computer including an application start receiving mechanism for receiving a start of an application program product stored in the computer, a biological information specifying mechanism for specifying a comparison result between biological information of a plurality of users stored in the externally connected device, and biological information read from the plurality of users, an authentication condition specifying mechanism for reading the authentication condition stored in the externally connected device to specify an authentication condition set to the application program product among the authentication conditions, and an authentication condition determination mechanism for the computer to determine whether or not the comparison result matches with the authentication condition set to the application program product, wherein if the comparison result matches with the authentication condition set to the application program product, the computer executes a normal processing regarding the application program product, wherein if the comparison result does not match with the authentication condition set to the application program product, the computer executes a processing for imposing a predetermined limitation to the application program product.
The computer control system corresponding to the third aspect of the present invention is a computer control system comprising an externally connected device capable of storing biological information, and a computer connecting the externally connected device, the externally connected device including an authentication information storage mechanism for a storing at least biological information of a plurality of users used for authentication on the computer, and an authentication condition for the user to cause the computer to execute a predetermined operation, the computer including an operation request receiving mechanism for receiving a request of an operation including at least one of writing or reading a specific file, and writing or reading a specific application, a biological information specifying mechanism for specifying a comparison result between biological information of a plurality of users stored in the externally connected device, and biological information read from the plurality of users, an authentication condition specifying mechanism for reading the authentication condition stored in the externally connected device to specify an authentication condition set to the operation among the authentication conditions, and an authentication condition determination mechanism for determining whether or not the comparison result matches with the authentication condition set for the operation, wherein if the comparison result matches with the authentication condition set to the operation, the computer executes a normal processing regarding the operation, wherein if the comparison result does not match with the authentication condition set to the operation, the computer executes a processing for imposing a predetermined limitation to the operation.
According to various embodiments of the present invention, biological information, such as fingerprints of a plurality of users, and an authentication condition per application or operation are registered into an externally connected device, such as a USB memory or the like, and when executing a predetermined operation on a computer, matching between these authentication conditions is verified, so that a setup of an authentication authority in combination with the plurality of users, and a setup of an authority per application and operation can be achieved.
For example, when a plurality of employees are dispatched and operate a computer in a dispatched company, the authority can be set according to a combination of the dispatched employees, and operation contents, such that fingerprint information of the plurality of employees, or the like, are registered into one USB memory to authenticate personal identification, and while only a presence of the authentication of the operator itself is verified in reading and writing a normal file using word-processing software or the like, authentications of not only the operator itself but also a manager among the dispatched employees are also required upon starting accounting software or the like to access critical information.
Hereinafter, the best mode for carrying out the present invention will be described in detail using the drawings. Note herein that embodiments described below are merely examples for carrying out the present invention, and the embodiments, such as a sensor for reading biological information, a configuration of a processing unit for performing an arithmetic processing of a biological authentication, and a timing for verifying whether or not a result of the biological authentication satisfies an authentication condition is not limited to the following examples.
Fingerprint information of the manager and the registered employees of the dispatch source is registered into the terminal X, and when dispatching the three individuals, A, B, and C, the fingerprint information of the three individuals is written in the externally connected device, and this is brought to the business establishment, which is the dispatch destination. In the business establishment of the dispatch destination, the externally connected device is connected to the terminal Y, the biological authentication of each of the manager and employees is verified, and then the terminal Y is operated by them.
When writing the fingerprint information in the externally connected device at the terminal X, the authentication condition for logon and starting the application at the terminal Y is also registered into the externally connected device by operating the terminal X. As an example of the authentication condition, a condition is set such that “Logon to the terminal Y is permitted for any of employees A, B, and C if the self biological authentication for them is granted. Starting the predetermined application program product requires, when the registered employees B and C operate it, a condition that not only the self authentication thereof but also the biological authentication of the manager A have been granted”. As for such condition, a condition registered into the terminal X in advance may be read, or it may be set at every registration by operating the terminal X according to a combination of the members to be dispatched.
When the three individuals A, B, and C are dispatched to the business establishment of the dispatch destination, the externally connected device in which the biological information has been written is connected to the terminal Y, and each of the employees is subjected to the biological authentication. In order to perform the authentication, the following are required: a) a sensor for reading the fingerprint information of the operator is provided, and b) a program product for comparing the fingerprint information that has been read with the fingerprint information that has been registered to thereby perform the biological authentication; these sensor and program product may be provided in any of the externally connected device and the terminal Y (or a peripheral device connected to the terminal Y).
Upon executing a logon operation from a dedicated screen at the terminal Y, if a connection of the externally connected device is detected, the three individuals A, B, and C whose fingerprint information is stored in the externally connected device is subjected to the biological authentication. According to the previous example, since self biological authentication should just be performed for the authentication condition upon logon, for example, when the employee B is going to log on, the determination of logon will be made with reference to a result of the biological authentication of the employee B. Meanwhile, when starting the application program product which also requests the biological authentication of the manager A as the authentication condition, an authentication result of the manager A is referred to along with the authentication result of the employee B, and then when personal identifications of both of them have been verified, starting the application will be permitted.
For example, if it is configured to use a dedicated USB memory for the externally connected device, a sensor for identifying fingerprints is provided in the USB memory, and a program product for authentication is stored in a part of the memory, management using the biological authentication can be performed even when the terminal Y is not provided with a mechanism of reading or verifying the fingerprint. It may also be configured in such a way that as providing a dedicated chip provided with an arithmetic unit in the USB memory, the biological authentication is performed only by the USB memory without using a main memory and a CPU of the terminal Y. The fingerprint information written in the memory is preferably erasable or rewritable, and the USB memory is preferably provided with sufficient storage capacity so that the processing may be dealt with by one USB memory even when the number of employees to be dispatched is increased or the number of patterns of the authentication condition is increased.
As for the registration of the fingerprint information at the terminal X, when the fingerprint information has not been set in the externally connected device, new fingerprint information may be registered without any limitation in particular, or a certain condition may be set as one of the authentication conditions. Meanwhile, when the fingerprint information of some employees is set in the externally connected device, it is preferable to prevent the fingerprint information from being illegally changed to be used. A certain authentication condition may be set to a change or a deletion of the registered fingerprint information, and an addition of new fingerprint information, whereas when any unique conditions are not set at all, on condition that the biological authentication of at least one user among the users whose fingerprint information have been registered is verified and the terminal can be operated, these operations can be executed.
While
While
As described using
In order to execute a predetermined processing by the biological information registration program product 141 stored in the HDD 14, and other application program product, various basic program products for hardware control, such as an input control, an output control, or the like, which are stored in the ROM 13, are started, and the CPU 11 performs the arithmetic processing while operating the RAM 12 as a work area of the application program product, so that the processing required for each application is executed.
A USB memory or the like is used for the externally connected device 20, which includes a memory 21, a biological information comparison section 22, and a biological information reading sensor 23. At least a biological information storage section 211 and an authentication condition storage section 212 are included in the memory 21, in which the biological information and the authentication condition obtained from the terminal 10 are written. For the biological information, biological information read from the biological information reading sensor 23 may be directly written in the biological information storage section 211. A dedicated chip provided with a function to execute the arithmetic processing for the biological authentication or the like is used for the biological information comparison section 22. The biological information reading sensor 23 is provided with a function to read the biological information, such as the fingerprint information, and is configured so that the read biological information may be compared with the biological information stored in the biological information storage section 211 in the biological information comparison section 22 to thereby perform the biological authentication.
The biological information or the like is written in the externally connected device 20 by connecting the externally connected device 20 to the USB port 15 of the terminal 10. The biological information storage section 142 stores the biological information of a user having the use authority of the computer, in attaching the identification information of registrants, such as an employee code, thereto, and when the identification information of a plurality of members dispatched to the external business establishment is specified among these, the biological information corresponding to the specified identification information is read respectively, and is sent to the externally connected device 20 via the USB port 15. The externally connected device 20 stores each received biological information in the biological information storage section 211 along with the identification information. Note that when the authentication with a password is requested together upon logon to the computer or the like, a password corresponding to each identification information may be stored in the biological information storage section 142 to then be stored in the biological information storage section 211 or the like along with the biological information.
The authentication condition corresponding to the operation contents of the computer operated in the dispatch destination is written in the externally connected device 20 while writing the biological information. While such authentication condition is selected by the operator of the terminal 10, the condition registered into the authentication condition storage section 143 in advance may be selected, or the condition may be set by the individual operation upon writing. The selected authentication condition is sent to the externally connected device 20 via the USB port 15. The externally connected device 20 stores the received authentication condition in the authentication condition storage section 212.
The biological information read by the biological information reading sensor 23 (not the biological information stored in the terminal 10) may be directly stored in the biological information storage section 211. Also in this case, however, upon writing the biological information, the externally connected device 20 is connected to the USB port 15 of the terminal 10, and the identification information attached when the read biological information is stored in the biological information storage section 211 is sent from the terminal 10 by the operation of an administrator. The authentication condition and the password sent from the terminal 10 are similarly stored in the authentication condition storage section 212 and the biological information storage section 211, respectively.
In other words, in a case where the authentication condition is set like the example shown in
For starting the application program product Y, if the biological authentication and the password authentication have verified the personal identification only for individual A, it can be started, but in order for individuals B and C to start it, it is required that the biological authentication has verified the personal identification for individual A who is the manager, in addition to the biological authentication and the password authentication of personal identifications for individuals B and C. (When individuals B and C who are the employees operate the application, it is used as a proof mark, in a case where it is necessary for individual A, who is the manager, to be subjected to the biological authentication.). For operations of reading and writing the document file using the word-processing software or the like, these operations are monitored by the agent program product, and when matching with a condition specified to each of them, an execution of the operation will be permitted.
As described above, after the biological information or the like is written in the externally connected device 20 at the terminal 10, the employees move to the business establishment or the like of the dispatch destination having the externally connected device 20 in which writing is completed, with them. A method of the biological authentication in the business establishment or the like of the dispatch destination will be described using
In order to execute a predetermined processing by the application program product 341 and the agent program product 342 stored in the HDD 34, various basic program products for hardware control, such as an input control, an output control, or the like, which are stored in the ROM 33, are started similar to the case of the terminal 10, and while operating the RAM 32 as a work area of the application program product, the required processing is executed by the CPU 31 performing the arithmetic processing.
When the externally connected device 20 is connected to the terminal 30, the biological authentication of the employee who uses the terminal 30 will be requested at the timing of logon to the terminal 30 and connecting the externally connected device 20. For example, in a case where the four employees, A, B, C, and D, are dispatched, the biological authentications of the four employees are requested, and when they make the biological information reading sensor 23 read the biological information, such as the fingerprint information or the like, by respectively specifying the identification information, such as employee codes, it is verified whether or not to match with the corresponding biological information stored in the biological information storage section 211, and then the dispatched employees are verified whether or not to be registered personal identifications.
For a comparison of the biological information, the arithmetic processing is performed in the biological information comparison section 22, but it is not limited to such a configuration, and it may be configured so that, for example, the program product for comparison processing may be stored in the HDD 34 of the terminal 30 to thereby perform the arithmetic processing in the terminal 30. Moreover, other peripheral devices provided with a sensor for reading provided in the terminal 30, and a sensor for reading connected to the terminal 30 may be used instead of the biological information reading sensor 23.
The result of the authentication performed in this way is stored in a virtualized memory area of the RAM 32 or the HDD 34 of the terminal 30. Alternatively, the result may be stored in the authentication information storage section 343 in a file form or the like. In any case, the information which can promptly specify whether or not the personal identification is verified for each of the employees by the biological authentication may be stored in the terminal 30 in a form shown in the example of
Additionally, together with the specification of the result of the biological authentication, the authentication condition in executing a predetermined operation is read from the authentication condition storage section 212 of the externally connected device 20 at the terminal 30, and the authentication condition will also be stored similarly in the virtualized memory area in the RAM 32 or the HDD 34, or the authentication information storage section 343, of the terminal 30 in a file form or the like. When performing the predetermined operation at the terminal 30, such authentication condition is referred to, and if the authentication is required, the authentication result is referred to, whether or not to satisfy the specified condition. Then, if the authentication result satisfies the authentication condition, the execution of the operation will be permitted.
For example, when a condition that the application program product 341 requires the biological authentication is set, an employee for whom the biological authentication is required is specified with reference to the authentication condition stored in the RAM 32, and a result of the biological authentication for the specified employee is verified with reference to the authentication result stored in the RAM 32.
In the examples shown in
Meanwhile, in a case of individual C starting the application Y, since it is a condition that the biological authentication of individual A, and the biological authentication and the password authentication of individual C have been performed based on the authentication condition, the authentication results of individuals A and C are referred to. In this case, since it is not recorded in the authentication result of individual C that the biological authentication has been performed, the application Y will be stopped, or some operations thereof will be limited. Alternatively, a message of requesting individual C to perform the biological authentication may be displayed. In a case of individual D starting the application Y, since individual D is limited to use the application Y based on the authentication condition, the application Y will be stopped, or some operations thereof will be limited.
Other than the above-mentioned example, in order to control an individual operation, such as reading and writing the file, the agent program product may reside in the terminal 30 to determine, while monitoring the operation, whether or not each operation satisfies the authentication condition. In this case, when the terminal 30 is started, the agent program product 342 is read in the RAM 32 to monitor that a predetermined arithmetic processing is executed in the RAM 32. When the predetermined arithmetic processing, such as an update of the document file, is detected, a manager or an employee for whom the biological authentication is required is specified with reference to the authentication condition stored in the RAM 32, and a result of the biological authentication for the specified manager or employee is verified with reference to the authentication result stored in the RAM 32.
In the examples shown in
Alternatively, if it is defined in the authentication condition that to re-execute an authentication other than the operator's personal identification is required, the biological authentication of individual A is requested again in addition to the password authentication of individual B, and if the password authentication of individual B and the biological information of individual A are verified, the update of the document file becomes valid. Also when individual D executes the update of the document file, it is performed in a manner similar to that described above. Meanwhile, in a case of individual C executing the update of the same document file, since it is a condition that the biological authentication of individual A, and the biological authentication and the password authentication of individual C have been performed based on the authentication condition, the authentication results of individuals A and C are referred to. In this case, since it is not recorded that the biological authentication has been performed for the authentication result of individual C, the update process of the document file will be stopped, or some operations thereof will be limited. Alternatively, a message of requesting individual C to perform the biological authentication may be displayed.
Incidentally, for the method of specifying the authentication condition and the authentication result, while the biological authentication of each of the employees is performed in advance upon logon or the like to thereby store the result in the RAM 32 or the authentication information storage section 343 or the like as described so far, the authentication condition is obtained from the authentication condition storage section 212 upon starting the application program product and the agent program product which require the biological authentication, respectively, so that the comparison processing may be performed by requesting for the biological authentication of the manager and the employee required based on the authentication condition.
The flow chart shown in
When the externally connected device in which the biological information of the plurality of managers and employees and the authentication condition at the time of the predetermined operation are stored is connected to the computer, and the power of the computer is turned ON (S01), a dedicated logon screen is displayed on a operation screen of the computer (S02). The computer verifies whether or not the externally connected device used for the present invention is connected to the USB port or the like, by the operation of an OS or the like (S03), and then, if the externally connected device is connected thereto appropriately, it verifies whether or not the biological information and the authentication condition have been registered (S04). If it is determined that they have been registered, the biological authentication processing will be executed as follows.
In order to verify whether or not a computer operator is the dispatched employee itself, the operator is requested for the biological information to be read, the biological information read from a biological information reading device, such as the biological information reading sensor provided with the externally connected device, is obtained (S05). The obtained biological information is compared with the biological information registered into the externally connected device (S06), and then if they match with each other, it is verified that the operator is the individual herself (the personal identification is verified).
After the personal identification is verified in this way, it is subsequently verified whether or not to match with the authentication condition for logon registered into the externally connected device (S07). For example, if it is a condition that logon is permitted by only one operator, it matches with the authentication condition, but if the authentication of the manager is also required in addition to the that of the operator, the biological authentication of the manager will be performed in order to verify that the authentication condition is satisfied (or if the biological authentication of the manager has already been completed, the authentication result will be obtained).
When it is verified that the authentication condition is satisfied, a password input screen for logon is displayed (S08) to verify whether or not a password entered to the computer by the operator and the password specified to this operator, which is stored in the externally connected device along with the biological information, match with each other (S09). If they match with each other, the logon processing is continued, and while the authentication result of the biological authentication and the authentication condition read from the externally connected device (for the authentication condition, all the conditions may be read out when the first staff or the like logs on) are recorded on a temporary storage area, such as a memory of the computer, or the like, the processing will be completed.
The logon processing continues in any case, and the process returns to the display of the initial dedicated logon screen even when the externally connected device is not connected to the computer, when neither the biological information nor the authentication condition is registered into the externally connected device, when the results of the biological authentications do not match with each other, when the authentication condition is not satisfied even although the biological authentication has been performed, and when the comparison results of the passwords do not match with each other. In these cases, however, the other processing, such as performing an error processing, or requesting for the comparison results when the comparison results do not match with each other, may be performed, and it is not particularly limited.
Moreover, in the above-mentioned flow, after performing the biological authentication to verify that the authentication condition is satisfied, the logon screen on which the password input is requested is displayed, but before verifying the matching of the authentication conditions, the password authentication may be performed together with the biological authentication. In this case, which of the biological authentication and the password authentication is performed previously is not particularly limited, and when both match with each other, it will be treated such that the personal identification is authenticated for this employee or the like.
When the computer receives a start of the application program product (S11), it is verified whether or not the authentication result of the biological authentication and the authentication condition are stored in a predetermined storage area, such as the memory of the computer (S12). If these pieces of information are not stored, the application waits, without being executed, until the authentication result and the authentication condition are verified (S15).
If these pieces of information are stored, it is determined whether or not the authentication result satisfies the authentication condition for normally operating the application program product (S13). If the authentication condition is satisfied, the application program product is executed in the normal operation (S14). If the authentication condition is not satisfied, an execution of the biological authentication for satisfying the authentication condition is requested (S16), and the process waits until a new authentication result is verified (S15).
Note that, as for the operation when satisfying the authentication condition is not verified, there may be performed another processing, such as performing an error processing while stopping the application program product, operating the application program product in a state where a predetermined limitation is imposed, or the like, other than the processing for normally operating the application without any limitations.
The flow shown in
The agent program product is a program product for monitoring the operation executed by the application program product or the like (such as writing and reading a specific file, writing and reading of a specific application program product, starting a screen saver, or the like), is started after computer start-up or logon (S21), and resides in the computer to monitor data or the like on the memory.
When the agent program product monitors the above-mentioned predetermined operation and detects an execution request of the operation which requires the authentication, it determines whether or not the authentication result of the biological authentication stored in the predetermined storage area, such as the memory of the computer or the like, and the authentication condition are applicable to the operation detected by the agent program product (S22). If it is determined to be applicable, the execution of this normal operation is permitted (S23), whereas if it is determined not to be applicable, a certain limitation will be imposed to the execution of this operation by the agent program product (S24). The limitation content is not limited in particular, and it may be to stop the execution of the requested operation, or may be to permit the execution under a condition of imposing limitations to a certain function.
The monitor of the predetermined operation by the agent program product like this continues until an end flag is set for indicating that the monitor by the agent program product is not needed any more, and after it is verified that the end flag is set to ON (S25), monitoring by the agent program product will be completed. It is not particularly limited which program product manages the end flag for such agent program product.
Also for a flow shown in
For the purposes of promoting an understanding of the principles of the invention, reference has been made to the preferred embodiments illustrated in the drawings, and specific language has been used to describe these embodiments. However, no limitation of the scope of the invention is intended by this specific language, and the invention should be construed to encompass all embodiments that would normally occur to one of ordinary skill in the art.
The present invention may be described in terms of functional block components and various processing steps. Such functional blocks may be realized by any number of hardware and/or software components configured to perform the specified functions. For example, the present invention may employ various integrated circuit components, e.g., memory elements, processing elements, logic elements, look-up tables, and the like, which may carry out a variety of functions under the control of one or more microprocessors or other control devices. Similarly, where the elements of the present invention are implemented using software programming or software elements the invention may be implemented with any programming or scripting language such as C, C++, Java, assembler, or the like, with the various algorithms being implemented with any combination of data structures, objects, processes, routines or other programming elements. Furthermore, the present invention could employ any number of conventional techniques for electronics configuration, signal processing and/or control, data processing and the like.
The particular implementations shown and described herein are illustrative examples of the invention and are not intended to otherwise limit the scope of the invention in any way. For the sake of brevity, conventional electronics, control systems, software development and other functional aspects of the systems (and components of the individual operating components of the systems) may not be described in detail. Furthermore, the connecting lines, or connectors shown in the various figures presented are intended to represent exemplary functional relationships and/or physical or logical couplings between the various elements. It should be noted that many alternative or additional functional relationships, physical connections or logical connections may be present in a practical device. Moreover, no item or component is essential to the practice of the invention unless the element is specifically described as “essential” or “critical”. Numerous modifications and adaptations will be readily apparent to those skilled in this art without departing from the spirit and scope of the present invention.
| Filing Document | Filing Date | Country | Kind | 371c Date |
|---|---|---|---|---|
| PCT/JP05/14286 | 8/4/2005 | WO | 00 | 12/6/2006 |
