JP2007249466A - Authentication system, controller and control method - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide an authentication system capable of retaining secret information with excellent operability. <P>SOLUTION: An authenticated person authenticated to be a valid user and an operator of an operated device are specified from images inputted by an imaging means, and whether the authenticated person is the same as the operator of the operated device or not is determined. When the operator is determined not to be the same as the authenticated person, operation by the operator is permitted as the use permission state of the operated device to the authenticated person is continued, with a use restriction stricter than the case in which the operator is determined to be the same as the authenticated person. According to this, even if the authenticated person is not matched to the operator, the operator can continuously use the operated device without reuse permission. <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

  The present invention relates to a personal authentication technique.

  In recent years, there is a need to effectively protect personal information and the like of users (hereinafter also referred to as “users” or “users”) stored in information devices due to the networking of information devices and the multifunction of information devices. Is growing. For this reason, there are devices that perform user authentication using personal authentication technology when using information equipment.

  The user authentication performed at the start of use determines whether or not the user who wants to use the information device can use the information device.

  After the end of use, the user notifies the information device of the end of use by logout operation, but this logout operation is often omitted. For this reason, in general, logout processing is performed after a predetermined time has elapsed since the end of the final operation.

  In such information devices, security is ensured at the start of use, but for a certain period after the user finishes using it, anyone becomes a security hole that can use the information device. .

  As a technique for solving such problems, a technique is proposed in which a user is monitored at a predetermined interval and a lock state of an information device is controlled according to whether or not the user is a legitimate user by using face authentication technology. (Patent Document 1).

Japanese Patent Laid-Open No. 2003-141088

  However, the above-described technique has a problem that flexible system operation cannot be performed due to the following circumstances.

  Specifically, in a device that is frequently used by a plurality of people being switched, it is necessary to execute a logout operation and a login operation of the information device every time the user changes, and this may impair user convenience. Exists.

  In particular, when a plurality of persons including users who have logged in through authentication are used at the same time, logout and login are performed each time a person who actually operates the information device (hereinafter referred to as “operator”) is changed. Since this is necessary, the operability is significantly impaired.

  Therefore, the present invention has been made in view of the above problems, and it is an object of the present invention to provide a technology capable of improving the convenience of the user while ensuring the security of personal information stored in an information device. To do.

  In order to solve the above-mentioned problem, the invention of claim 1 is an authentication system related to an operated device, and is authenticated as an authorized user of the imaging means and the operated device, and is given permission to use the operated device. An certifier specifying means for specifying an identified person as an certifier among persons existing in the image input by the imaging means, and an operator of the operated device from among persons existing in the image. An operator specifying means for specifying, a determining means for determining whether or not the authenticator and the operator are the same person, and a control means for controlling a use restriction level of the operated device for the operator. And the control means, when it is determined that the operator present in the image is not the same person as the certifier, the use permission state for the certifier of the operated device is continued, Control As well as permit operation by user, the operator, characterized in that impose severe use restriction than if it is judged to be the same person as the authenticator.

  Further, the invention of claim 2 is a controller capable of restricting the use of the operated device by the operator based on an image input by the imaging means, as a regular user of the operated device. Authenticator specifying means for specifying a person who has been authenticated and authorized to use the operated device as an certifier among persons existing in the image, and the operated person from among persons existing in the image An operator specifying means for specifying an operator of the apparatus; a determining means for determining whether or not the authenticator and the operator are the same person; and controlling a use restriction level of the operated apparatus for the operator And when the operator present in the image is determined not to be the same person as the certifier, the control means sets a use permission state for the certifier of the operated device. Continued And anyway with to permit operation by the operator, the operator, characterized in that it imposes severe use restriction than if it is judged to be the same person as the authenticator.

  Further, the invention of claim 3 is the controller according to the invention of claim 2, wherein the authenticator specifying means detects whether or not the authenticator is present in the image, and the control means When it is determined that the person is not the same person as the certifier, the use restriction imposed on the operated device is more imposed when the certifier is present in the image than when the certifier is not present in the image. It is characterized by relaxation.

  According to a fourth aspect of the present invention, in the controller according to the second or third aspect of the present invention, when the control means determines that the operator is the same person as the certifier, When the presence of a third party who is neither the operator nor the certifier is detected, a stricter usage restriction is imposed than when the presence of the third party is not detected.

  Further, the invention according to claim 5 is the controller according to claim 4, wherein the control means determines that the third person is included in the image when it is determined that the operator is the same person as the certifier. When the presence of a person is detected, a warning that is not issued when the presence of the third party is not detected is issued.

  Further, the invention of claim 6 is a control method in a controller for controlling the use restriction level of the operated device, and is authenticated as an authorized user of the operated device and given permission to use the operated device. An authenticator specifying step of specifying a person as an authenticator from among persons existing in the captured image, and an operator specifying step of specifying an operator of the operated device from the persons existing in the image A determination step for determining whether or not the certifier and the operator are the same person, and a control step for controlling a use restriction level of the operated device for the operator, the control step comprising: When it is determined that the operator present in the image is not the same person as the certifier, the operation by the operator is continued while the use permission state for the certifier of the operated device is continued. As well as soluble, characterized in that impose severe use restriction than when the operator is determined to be the same person as the authenticator.

  According to the first to sixth aspects of the present invention, it is determined whether the authenticator who has received permission to use the operated device and the operator of the operated device are the same person, and the operator authenticates. When it is determined that the person is not the same person as the user, the operation by the operator is permitted while the use permission state of the operated device for the authenticator is continued, and the operator is determined to be the same person as the user. Because it imposes stricter usage restrictions than if the operator does not agree with the certifier, the operator can continue to use the operated device without obtaining re-use permission, while ensuring security. It becomes.

  In particular, according to the invention described in claim 3, when it is determined that the operator of the operated device is not the same person as the authenticator who has received permission to use the operated device, the authenticator exists in the image. When this is done, the usage restrictions imposed on the operated device are relaxed compared to when there is no certifier, so that the operator can perform a relatively wide range of operations while protecting confidential information effectively. .

  In particular, according to the fourth aspect of the present invention, when it is determined that the operator of the operated device is the same person as the authenticator who has received permission to use the operated device, When the presence of a third party who is neither a certifier nor a certifier is detected, usage restrictions are imposed more severely than when a third party is not detected, thus preventing confidential information from being known to others. Is possible.

  In particular, according to the invention described in claim 5, when it is determined that the operator of the operated device is the same person as the certifier who has received permission to use the operated device, a third party is included in the image. When the presence of a third party is detected, a warning that is not issued when the presence of a third party is not detected is issued, so that it is possible to notify the certifier that the usage state may impair confidentiality.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings.

<Configuration>
FIG. 1 is a schematic diagram showing the overall configuration of an authentication system 1A according to an embodiment of the present invention. As shown in FIG. 1, the authentication system 1A includes an imaging device 10, a controller 30, a personal authentication device 20, and an information device main body 40a in an information device (operated device) 40.

  The authentication system 1A includes a controller 30 that imposes a predetermined usage restriction on the information device main body 40a according to information (use (operation) status) obtained from the imaging device 10 and the personal authentication device 20, and according to the usage status. The operation and function of the information device main body 40a are provided to the operator SH (see FIG. 11 and the like).

  Hereinafter, each device provided in the authentication system 1A will be described. In the present embodiment, a case where, for example, a multi-function peripheral (hereinafter abbreviated as “MFP”) is used as the information device 40 will be exemplified.

  FIG. 2 is an external view of the authentication system 1A.

  As shown in FIG. 2, the imaging apparatus 10 is installed so that a person existing around the MFP 40 can be photographed by stereo viewing with two cameras CA1 and CA2. Further, the imaging apparatus 10 starts shooting when it detects a login state (described later) of the MFP 40, and repeatedly performs shooting at predetermined intervals (for example, every 1/15 second) while the login state continues.

  The personal authentication device 20 collates an identification function for identifying a predetermined person who is about to start using the MFP 40 and whether or not the person specified by the identification and the predetermined person are the same person. And authenticating (determining) whether or not a predetermined person who is to start using the MFP 40 is an authorized user. When the personal authentication device 20 authenticates the predetermined person as a legitimate user, the personal authentication apparatus 20 grants permission to use the MFP 40 to the predetermined person. In other words, when authenticated as a legitimate user, the MFP 40 enters a login state (also referred to as “use permission state”), and the authenticated person uses the MFP 40 within a range permitted by the person. It becomes possible.

  The identification method includes a method for inputting a user ID or a method using an ID card, and the verification method includes a method for inputting a user password. Further, identification and verification may be performed simultaneously using biometric authentication. In the personal authentication device 20 according to the present embodiment, it is determined whether or not the person who is about to start using the MFP 40 is a legitimate user by biometric authentication using a person's fingerprint.

  The controller 30 gives a predetermined usage restriction to the MFP 40 based on an image photographed by the imaging device 10 and information obtained from the personal authentication device 20.

  Specifically, this will be described in detail with reference to FIG. FIG. 3 is a block diagram showing functions of the authentication system 1A (40).

  As shown in FIG. 3, the controller 30 includes a face detection unit 31, an authenticator face specification unit 32, an operator face specification unit 33, and an operation authority setting unit 34.

  The face detection unit 31 has a function of detecting an area representing a human face (also referred to as “face area” or simply “face”) in each of two images taken by the imaging apparatus 10.

  The authenticator face identification unit 32 selects the face of the user who has been authenticated by the personal authentication device 20 from the faces detected by the face detection unit 31, and uses the face as the face of the authenticator NH (see FIG. 11 and the like). And a function of tracking and specifying the face of the authenticator NH in images continuously acquired at predetermined intervals after the face of the authenticator NH is specified. It also has a function of detecting whether or not the face of the authenticator NH exists in the photographed image.

  The operator face specifying unit 33 has a function of specifying the face of the person who is actually operating the MFP 40 as the face of the operator SH. It also has a function of detecting whether the face of the operator SH is present in the photographed image.

  The operation authority setting unit 34 determines whether or not the face of the operator SH existing in the image matches the face of the authenticator NH, and whether the face of the authenticator NH is not the operator SH or the authenticator NH in the captured image. It has a function of detecting whether or not there are three parties. Then, it has a function of controlling the use restriction level imposed on the MFP 40 based on the usage status of the MFP 40 specified by the detection result.

  The MFP 40 is a multifunction machine having a copier (copy) function, a scan function, a printer function, a facsimile communication (FAX) function, an information storage (box) function, and the like. The MFP 40 is also expressed as an image forming apparatus having a function of forming an image.

  Here, the copy function is a function for copying a document on the document table and outputting it to a paper medium. The scan function is a function of reading a document on a document table as image data and transferring the generated image data to a predetermined storage unit or another information device. For example, the generated image data is transferred to a desired computer and stored. The facsimile communication function is a function for generating image data by reading a document on a document table and transmitting the image data to a transmission destination by facsimile communication. The printer function is a function for performing print output based on data in the storage unit of another computer or data in the hard disk of the MFP 40. The box function is a function for storing the generated image data and the like in the hard disk of the MFP 40.

  In the MFP 40, use of some or all of the plurality of functions may be restricted for each user. For example, for a certain user, all functions of the MFP 40 can be used in the login state of the user, and for one user, the copy function, the printer function, and the FAX function can be used in the login state.

  As shown in FIG. 2, the MFP 40 includes a display (hereinafter also referred to as “operation panel”) 12 that displays an instruction menu for the user, displays information about the acquired image, accepts an instruction operation from the user, and the like. The display 12 is configured as a liquid crystal panel incorporating a contact sensor or the like, and can detect a position touched by the finger of the operator SH in the display 12. Accordingly, the operator SH can input various instructions by pressing various virtual buttons or the like displayed on the display 12 with a finger or the like.

  The MFP 40 is connected to a network NW, and can transmit and receive various types of data to and from other information devices (for example, computers) via the network NW. The “network” is a communication line network for performing data communication. Specifically, various communication line networks such as LAN, WAN, Internet, etc., which are constituted by electric communication lines (including optical communication lines). It is. The connection form for the network may be a permanent connection using a dedicated line or a temporary connection such as a dial-up connection using a public telephone line such as an analog line or a digital line (ISDN). Also good. Further, the transmission method may be either a wireless method or a wired method.

<Operation>
Hereinafter, the operation of the authentication system 1A will be described.

  FIG. 4 is a flowchart showing the overall operation of the authentication system 1A. FIG. 5 is a diagram illustrating an image captured by the imaging apparatus 10, and FIG. 6 is a diagram illustrating a face detected from the captured image. FIG. 7 is a diagram for explaining the calculation of the distance between each detected face and the personal authentication device 20. FIG. 8 is a diagram for explaining the calculation of the distance between each detected face and the operation panel 12. FIG. 9 is a diagram illustrating a situation in which only the authenticator NH exists in the captured image, and FIG. 10 illustrates the authenticator NH (which is also the operator SH in this case) and the other person TH in the captured image. It is a figure which shows the condition where there exists. FIG. 11 is a diagram illustrating a situation where the operator SH and the authenticator NH exist in the captured image, and FIG. 12 illustrates a situation where only the operator SH that is not the authenticator NH exists in the captured image. FIG.

  As shown in FIG. 4, the authentication system 1A authenticates that the person who intends to start using the MFP 40 in the personal authentication device 20 is a legitimate user, and the MFP 40 enters a login state (step SP1). In FIG.

  First, in step SP2, a person existing around the MFP 40 is photographed by the imaging device 10. Shooting is performed by stereo viewing using the two cameras CA1 and CA2, and two images are acquired.

  In step SP3, a human face (face area) is detected from each of the two images taken in step SP2. Various methods can be employed as the face area detection method. In this embodiment, the face area is detected by pattern matching using a plurality of face images prepared in advance.

  For example, it is assumed that an image in which two persons H1 and H2 exist as subjects as shown in FIG. 5 is photographed by the camera CA1 in step SP2. In this case, the faces (face areas) HK1 and HK2 of the two persons H1 and H2 are detected by the face detection process in step SP3 (see FIG. 6).

  In step SP3, the three-dimensional coordinates (three-dimensional position) of each detected face are calculated based on the two images taken by stereovision. Note that the origin O of the three-dimensional space may be set to an appropriate position, and may be set to the midpoint of a straight line connecting the installation position of the camera CA1 and the installation position of the camera CA2 (see FIG. 2), for example. Further, as the three-dimensional coordinates of the face, the coordinates at the center of gravity of the detected face area may be used.

  In the next step SP4, it is determined whether or not a human face has been detected in step SP3. If it is determined that a face has been detected, the process proceeds to step SP5.

  In step SP5, the face of the authenticator NH is determined from the detected faces. Specifically, the face of the user who is authenticated as a legitimate user by the personal authentication device 20 and is permitted to use the MFP 40 is selected (determined) from the detected faces as the face of the certifier NH. Is done.

  As a method for determining the face of the certifier NH, for example, a technique can be adopted in which the face existing closest to the personal authentication device 20 at the time of login (or immediately after login) is the NH face. Specifically, the distance from the personal authentication device 20 to each face is obtained based on the three-dimensional coordinates (three-dimensional position) of each face calculated in step SP3. Then, by comparing the distances, the face closest to the personal authentication device 20 can be specified.

  For example, the coordinates in the three-dimensional space of the centroid PK1 of the face HK1 and the centroid PK2 of the face HK2 detected in step SP3 are PK1 (10.0, 60.0, 80.0) and PK2 (50.0, 50. 0, 130.0) (see FIG. 7A), and the position of the personal authentication device 20 is (10.0, -1.0, 10.0) in the three-dimensional space (FIG. 7). (See (b)). In this case, the distances from the personal authentication device 20 to the centroids PK1 and PK2 are 92.8 and 136.3, respectively (see FIG. 7C). Therefore, in this case, the face HK1 is selected as the face closest to the personal authentication device 20, and the face HK1 is determined to be the face NK of the certifier NH.

  In step SP6, the face of the operator SH is determined from the faces detected in step SP3. Specifically, the face of the person actually operating the MFP 40 is selected as the face of the operator SH from the detected faces.

  As a method for determining the face of the operator SH, for example, a technique in which the face existing closest to the operation panel is the face of the operator SH can be employed.

  For example, the coordinates in the three-dimensional space of the centroid PK1 of the face HK1 and the centroid PK2 of the face HK2 detected in step SP3 are PK1 (10.0, 60.0, 80.0) and PK2 (50.0, 50. 0, 130.0) (see FIG. 8A), and the position of the operation panel 12 is (0.0, −1.0, 0.0) in the three-dimensional space (FIG. 8 ( b)). In this case, the distances from the operation panel 12 to the centroids PK1 and PK2 are 93.3 and 139.6, respectively (see FIG. 8C). Therefore, in this case, the face HK1 is selected as the face closest to the operation panel 12, and the face HK1 is determined to be the face SK of the operator SH.

  Next, in step SP7, it is determined whether or not the face of the authenticator NH determined in step SP5 matches the face of the operator SH determined in step SP6.

  If it is determined in step SP7 that the face of the authenticator NH matches the face of the operator SH, the process proceeds to step SP8.

  In step SP8, it is determined whether or not the face detected in step SP3 includes a face of a person other than the authenticator (in this step, the same person as the operator). Specifically, if there is no face of another person other than the certifier NH in the photographed image as shown in FIG. 9, the process proceeds to step SP9, and another person TH other than the certifier as shown in FIG. If the face TK exists, the process proceeds to step SP10.

  In step SP9 and step SP10, a signal related to the operation authority permitted to the operator SH when using the MFP 40 is output to the MFP 40.

  Specifically, when the process proceeds to step SP10, a signal to the MFP 40 that a predetermined usage restriction RA is performed is output to the operator SH. The usage restriction RA will be described later.

  When the process proceeds to step SP9, a signal indicating that the use is not restricted for the operator SH (that the authority given to the certifier NH is not further restricted) is output to the MFP 40. To do. Alternatively, in this case, no signal indicating that usage is restricted may be output.

  On the other hand, if it is determined in step SP7 that the face of the authenticator NH does not match the face of the operator SH, the process proceeds to step SP11.

  In step SP11, it is determined whether or not the face NK of the certifier NH exists among the faces detected in step SP3. If the face NK of the certifier NH exists as shown in FIG. 11, the process proceeds to step SP12. If the face NK of the certifier NH does not exist as shown in FIG. 12, the process proceeds to step SP13.

  In step SP12 and step SP13, a signal related to the operation authority of the operator SH of the MFP 40 is output to the MFP 40. Specifically, when the process proceeds to step SP12, a signal is output to the MFP 40 to perform a predetermined use restriction RB for the operator SH, and when the process proceeds to step SP13, the operator SH. A signal indicating that predetermined use restriction RC is to be performed is output. The usage restrictions RB and RC will be described later.

  When the output of the signal regarding the operation authority (steps SP9, SP10, SP12, SP13) is completed, the operations from step SP2 to step SP13 are executed again for a new image taken again after a predetermined time has elapsed.

  For a new image taken again, in principle, the same operations as in the above-described steps are executed, but a different operation is executed in step SP5 after once determining the face NK of the authenticator NH.

  Specifically, the face of the certifier NH is selected (determined) from the faces existing in the newly photographed image by tracking the face determined as the certifier NH in the previously photographed image. .

  As a face tracking method, for example, it is considered that temporal correlation is very high between images continuously captured at predetermined intervals by the imaging device 10. A method is used in which a difference between the position of the face of the authenticator NH and the position of each face in the newly photographed image is calculated, and the face with the smallest position difference in the new image is determined as the face of the authenticator NH. be able to. Alternatively, a method described in JP 2000-36052 A or the like may be used.

  When no face is detected from the continuously shot images (step SP4), a signal to execute a logout (logoff) process is output to the MFP 40 (step SP14). That is, when the operator SH no longer exists in the image, logout processing is executed.

<About usage restrictions>
Next, usage restrictions imposed on the MFP 40 based on the usage status will be described in detail. In the following description, it is assumed that the authenticator NH can use the box function, copy function, and scan function of the MFP 40 in the login state. In addition, the usage restrictions RA, RB, and RC described below are merely examples and are not limited thereto.

  FIG. 13 is a diagram showing the operation authority of the operator SH in each use situation, and FIG. 14 is a diagram showing an example of function restriction in each use restriction. FIG. 15 is a diagram showing an initial menu screen IG displayed on the display 12. FIG. 16 is a diagram illustrating a display example of the display 12 when the box function is selected, and FIG. 17 is a diagram illustrating a display example of the warning display JB. FIG. 18 is a display example of the display 12 when the box function is selected, and FIG. 19 is a display example of the display 12 when the box function is selected when there is a predetermined use restriction. FIG. 20 is a display example of the display 12 when the history function is selected, and FIG. 21 is a diagram illustrating a display example of the face image JD. FIG. 22 is a display example of the address list JE when the scan function is selected, and FIG. 23 is a display example of the address list JE when there is a predetermined usage restriction.

  As shown in FIG. 13, a predetermined usage restriction is imposed on the MFP 40 in accordance with the usage status of the MFP 40.

  Specifically, in the situation CS5 where no face is detected from the captured image, the logout process of the MFP 40 is executed.

  On the other hand, when a face is detected from the captured image, an appropriate usage restriction is imposed on the MFP 40 in accordance with the further subdivided four usage situations CS1 to CS4.

  Specifically, in the usage situations CS1 (FIG. 9) and CS2 (FIG. 10) in which the face of the authenticator NH and the face of the operator SH match when a face is detected from the captured image, the authenticator Since it is considered that the NH itself is operating the MFP 40, in principle, the MFP 40 can be used within a range permitted by the certifier NH. On the contrary, in the usage situations CS3 (FIG. 11) and CS4 (FIG. 12) where the face of the certifier NH and the face of the operator SH do not match, a person other than the certifier NH is operating the MFP 40. Therefore, use restrictions RB and RC that do not disclose particularly confidential information of the certifier NH are imposed on the MFP 40.

  For example, as shown in FIG. 14, the confidential file display function of the MFP 40 can be used in the usage statuses CS1 and CS2, and the function of the MFP 40 is limited so that it cannot be used in the usage statuses CS3 and CS4. As described above, in the usage situations CS3 and CS4, the use restriction on the MFP 40 is imposed by refusing the use of some functions of the MFP 40.

  Furthermore, in the usage situation CS2 (FIG. 10) in which a face other than the authenticator NH is present in the face detected from the captured image when the face of the authenticator NH and the face of the operator SH match. A usage restriction RA is imposed on the MFP 40, such as a warning when disclosing confidential information of the certifier NH. The use restriction RA is for notifying the authenticator that the use situation may impair the confidentiality by restricting a series of operations up to the disclosure of the confidential information. Performing the confirmation operation, which is a new operation in addition to the normal operation (the operation when full access is permitted), impedes good operability only by the normal operation. It can also be expressed as a usage restriction.

  In addition, in the usage situation CS3 (FIG. 11) in which the face of the authenticator NH exists in the face detected from the captured image when the face of the authenticator NH does not match the face of the operator SH. Compared to the usage situation CS4 (FIG. 12) in which the certifier NH does not exist, the usage restrictions imposed on the MFP 40 are relaxed.

  For example, as shown in FIG. 14, in the usage situation CS4, a part of the copy function and a part of the scan function can be used and all other functions are restricted, but in the usage situation CS3, the authenticator Since it is considered that the operation is performed under monitoring, it is possible to use functions other than the confidential file display function.

  As described above, the necessity of ensuring security is determined for each use situation, and in the use situation where the need for ensuring security is high, the MFP 40 is controlled so as to impose stricter usage restrictions. In this embodiment, as security needs increase according to the usage status in the order of usage status CS1-> CS2-> CS3-> CS4, usage restrictions imposed on the MFP 40 are no usage restrictions (full access) → usage restrictions RA → usage restrictions. The order is stricter from RB to use restriction RC.

  Below, each usage restriction is explained in full detail.

Full access (step SP9):
If it is determined that the face of the certifier NH and the face of the operator SH match, and there is no face other than the certifier NH in the face detected from the captured image, CS1 (see FIG. 9), A signal to the effect that the use is not restricted is output to the MFP 40 to the operator SH (in this case, the authenticator NH) (step SP9). As a result, the MFP 40 does not restrict usage, and the operator SH of the MFP 40 can use the MFP 40 without any limitation within the range permitted by the MFP 40.

  That is, when full access is possible, the operator SH can use various functions of the MFP 40 by pressing each function button KB on the left end of the screen from the initial menu screen IG as shown in FIG. .

◎ Usage restriction RA (step SP10):
When it is determined that the face of the authenticator NH and the face of the operator SH match, and the face TK of a person TH other than the authenticator is present in the face detected from the photographed image, CS2 (see FIG. 10). The controller 30 outputs, to the MFP 40, a signal for performing a predetermined usage restriction RA for the operator SH (in this case, the authenticator NH) (step SP10). Then, the MFP 40 executes an operation according to the usage restriction RA.

  As the usage restriction RA, for example, a warning display (confirmation display) is displayed when displaying a self-file (confidential file) including confidential information stored in the MFP 40. Such warning display (confirmation display) requires an operation other than normal operation, and thus corresponds to a kind of usage restriction.

  More specifically, when the box selection button B3 is pressed on the initial menu screen IG and the box list JA1 as shown in FIG. 16 is displayed, the item WY1 of the confidential file E is selected and the content display button BN1 is selected. When the button is pressed, a warning display JB of “whether or not the confidential file may be displayed” is performed (see FIG. 17).

  As described above, by executing the warning operation (confirmation operation) when displaying the information of the confidential file, it is confirmed that a person other than the operator SH (here, the certifier NH) exists near the operator SH. It is possible to notify the operator SH, and for example, confidential information can be effectively protected from snooping.

◎ Usage restriction RB (step SP11):
When it is determined that the face of the authenticator NH and the face of the operator SH do not match, and the face NK of the authenticator NH exists in the face detected from the captured image, CS3 (see FIG. 11), The controller 30 outputs to the MFP 40 a signal to the operator SH that the predetermined use restriction RB is to be performed (step SP12). Then, the MFP 40 executes an operation according to the usage restriction RB.

  As the usage restriction RB, for example, the confidential file is not displayed in the box list displayed when the operator SH presses the box selection button B3 on the initial menu screen IG.

  More specifically, when the box selection button B3 is pressed and the face of the authenticator NH and the face of the operator SH match (no use restriction or use restriction RA), as shown in FIG. While the file of the certifier NH is displayed in the box list JA1 in a state where the confidential file is also included, in the usage restriction RB, the file of the certifier NH is excluded in a state where the confidential file is excluded as shown in FIG. Is displayed in the box list JA2.

◎ Usage restriction RC (step SP13):
When it is determined that the face of the authenticator NH and the face of the operator SH do not match and the face detected from the photographed image does not include the face NK of the authenticator NH (see FIG. 12), The controller 30 outputs, to the MFP 40, a signal for performing a predetermined use restriction RC for the operator SH (step SP12). Then, the MFP 40 executes an operation according to the usage restriction RC.

  As the use restriction RC, for example, the functions that can be used by the operator SH are limited to only the copy function and the scan function, and the following security functions are added when the copy function and the scan function are used. Can be mentioned.

  In the copy function, for the operator SH who used the copy function when there is no certifier NH, the face image of the operator SH is saved together with the usage history, and the certifier NH later re-logged in. To be able to check when.

  More specifically, when the authenticator NH presses the history display button B5 on the initial menu screen IG when logging in again, a history display JC as shown in FIG. 20 is displayed. In this history display JC, it is recorded that the copy function is used by an operator (proxy operator) when no certifier NH exists. For example, as shown in FIG. 20, the use of the proxy operator can be expressed by attaching a predetermined symbol (here, “◯”) to the proxy display field WT1.

  Furthermore, when the use history item WY2 by the proxy operator is selected and the image display button BN2 is pressed, the face image JD of the proxy operator is displayed as shown in FIG.

  In the scan function, when used by a proxy operator, a mail address list used when transmitting read image data or the like to another information device is not displayed.

  Specifically, in the mail address list JE displayed when the destination of the outgoing mail is determined, when there is no use restriction (at the time of full access), the address registered in advance by the certifier NH is displayed as shown in FIG. However, in the usage restriction RC, nothing is displayed as shown in FIG.

  As described above, it is determined whether or not the authenticator NH who is permitted to use the MFP 40 and the operator SH of the MFP 40 are the same person, and it is determined that the operator SH is not the same person as the authenticator NH. The operator SH permits the operation by the operator while the use permitted state of the MFP 40 by the certifier NH who has received the permission is continued, and imposes a predetermined usage restriction on the MFP 40, so that the operator SH matches the certifier NH. Even if not, the operator SH can continue to use the MFP 40 without obtaining re-use permission in a state where the confidential information of the authenticator NH is effectively protected and security is ensured.

  Furthermore, even if it is determined that the operator SH is not the same person as the certifier NH, if the certifier NH exists in the photographed image (the certifier NH exists nearby), the certifier Compared to the case where NH does not exist, the use restriction of the MFP 40 is relaxed, so that the operator SH can operate the MFP 40 in a relatively wide range with the confidential information effectively protected. This is particularly effective when the operator SH is taught the operation method of the MFP 40 under the monitoring of the authenticator NH.

  In addition, even if the certifier NH no longer exists, by allowing limited operations that are frequently used such as a copy function or a scan function, the convenience of the user is improved while ensuring the necessary security. It becomes possible.

  Furthermore, when it is determined that the operator SH is the same person as the certifier NH, and the presence of a third party who is neither the operator SH nor the certifier NH is detected from the captured image, Since the use restriction is more severe than when the presence of the three parties is not detected, it is possible to prevent the confidential information from being known to others.

  Furthermore, when it is determined that the operator SH is the same person as the certifier NH, when the presence of a third party is detected from the photographed image, it is not emitted when the presence of the third party is not detected. Since the warning is issued, it is possible to notify the certifier NH that the use state may impair confidentiality.

<Modification>
Although the embodiments of the present invention have been described above, the present invention is not limited to the contents described above.

  For example, in step SP4 of the above embodiment, it is determined whether or not a face is present in the captured image by determining whether or not a face is detected in step SP3. However, the present invention is not limited to this. . Specifically, the distance from the MFP 40 to each detected face is calculated, and only a face that is within a predetermined distance (for example, 2 meters) is determined as an effective face that is present in the image. Good. According to this, since only the face that may affect the operation can be specified, it is possible to appropriately grasp the usage status of the MFP 40.

  In addition, when a predetermined operation requiring confidentiality is being performed, when it is necessary to limit the predetermined operation due to a change in usage status (for example, a change in the operator SH due to an interruption or the like), the MFP 40 May be returned to the initial state immediately after login, or the operation state of the MFP 40 may be switched within a range permitted by the operator SH in the changed usage state.

  Specifically, when the certifier NH is executing a confidential file display operation, if the operator SH changes to a person other than the certifier, it is necessary to immediately stop the display of the confidential file to ensure security. Occurs. In such a case, the operation of the MFP 40 performed by the certifier NH may be reset to return to the initial state immediately after login.

  Further, for example, when the operator SH changes to a person other than the certifier NH in the operation state as shown in FIG. 17, when the certifier is nearby, the operation state of FIG. 17 is changed to the operation state of FIG. You may switch. That is, when the usage status C2 is shifted to the usage status C3, the usage restriction RA may be switched to the usage restriction RB instantaneously (see FIG. 13).

It is the schematic which shows the whole structure of the authentication system 1A which concerns on embodiment of this invention. It is an external view of authentication system 1A. It is a block diagram which shows the function of authentication system 1A (40). It is a flowchart which shows the whole operation | movement of authentication system 1A. 3 is a diagram illustrating an image captured by the imaging apparatus 10. FIG. It is a figure which shows the face detected from the image | photographed image. It is a figure for calculating the distance between each detected face and the personal authentication device 20. It is a figure for calculating the distance of each detected face and the operation panel. It is a figure which shows the condition where only the authenticator NH exists in the image | photographed image. It is a figure which shows the condition where authenticator NH and the other person TH exist in the image | photographed image. It is a figure which shows the condition where operator SH and authenticator NH exist in the image | photographed image. It is a figure which shows the condition where only operator SH who is not authenticator NH exists in the image | photographed image. It is a figure which shows the operation authority of operator SH in each use condition. It is a figure which shows the example of a function restriction in each use restriction. It is a figure which shows the initial menu screen IG displayed on the display. It is a figure which shows the example of a display of the display 12 at the time of box function selection. It is a figure which shows the example of a display of warning display JB. It is a figure which shows the example of a display of the display 12 at the time of selecting a box function. It is a figure which shows the example of a display of the display 12 at the time of selecting a box function when there exists a predetermined | prescribed use restriction. It is a figure which shows the example of a display of the display 12 at the time of log | history function selection. It is a figure which shows the example of a display of the face image JD. It is a figure which shows the example of a display of the address list JE at the time of scanning function selection. It is a figure which shows the example of a display of the address list JE when there exists a predetermined | prescribed use restriction.

Explanation of symbols

10 Imaging device 12 Display (operation panel)
20 Personal authentication device 40a MFP
CA1, CA2 Camera NH certifier SH operator

Claims (6)

An authentication system for an operated device,
Imaging means;
Authenticator identification that identifies a person who is authenticated as an authorized user of the operated device and is permitted to use the operated device as a certifier from among persons existing in the image input by the imaging means Means,
An operator specifying means for specifying an operator of the operated device from among persons existing in the image;
Determination means for determining whether or not the authenticator and the operator are the same person;
Control means for controlling a use restriction level of the operated device for the operator;
With
When it is determined that the operator present in the image is not the same person as the certifier, the control means continues the use permission state of the operated device with respect to the certifier. An authentication system characterized by permitting an operation according to, and imposing a stricter usage restriction than when the operator is determined to be the same person as the certifier. A controller capable of restricting the use of the operated device by an operator based on an image input by an imaging means,
An authenticator specifying means for specifying, as an authenticator, a person who is authenticated as an authorized user of the operated apparatus and is permitted to use the operated apparatus;
An operator specifying means for specifying an operator of the operated device from among persons existing in the image;
Determination means for determining whether or not the authenticator and the operator are the same person;
Control means for controlling a use restriction level of the operated device for the operator;
With
When it is determined that the operator present in the image is not the same person as the certifier, the control means continues the use permission state of the operated device with respect to the certifier. And a controller that imposes stricter usage restrictions than when the operator is determined to be the same person as the certifier. The controller of claim 2,
The authenticator specifying means detects whether or not the authenticator is present in the image;
In the case where it is determined that the operator is not the same person as the certifier, the control means is configured such that when the certifier is present in the image, compared to when the certifier is not present in the image. A controller characterized by relaxing usage restrictions imposed on operating devices. The controller according to claim 2 or claim 3,
In the case where it is determined that the operator is the same person as the certifier and the control means detects the presence of a third party who is neither the operator nor the certifier in the image, A controller that imposes stricter usage restrictions than when the presence of the third party is not detected. The controller of claim 4, wherein
In the case where it is determined that the operator is the same person as the certifier, and the presence of the third party is not detected when the presence of the third party is detected in the image, the control means A controller characterized by issuing a warning that cannot be issued. A control method in a controller for controlling a use restriction level of an operated device,
A certifier identification step of identifying a person who is authenticated as a regular user of the operated apparatus and is permitted to use the operated apparatus as an certifier from persons existing in the captured image;
An operator specifying step of specifying an operator of the operated device from among persons existing in the image;
A determination step of determining whether the authenticator and the operator are the same person;
A control step of controlling a use restriction level of the operated device for the operator;
With
In the control step, when it is determined that the operator present in the image is not the same person as the certifier, the operator continues to use the operated device with respect to the certifier. A control method characterized by permitting an operation according to, and imposing a stricter usage restriction than when the operator is determined to be the same person as the certifier.

Images