JP2013012043A - Image processing device, image processing system, and authentication device - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide an image processing device, an image processing system, and an authentication device which can secure high security without degrading usability for a legitimate user.SOLUTION: An operation history storage unit 402 stores a history of operations performed on an operation unit 200. A collation unit 403 determines whether information input via the operation unit 200 satisfies preregistered authentication conditions. When the collation unit 403 determines that the input information satisfies the authentication conditions, a user attribute determination unit 404 determines whether a user having input the information is an illegitimate user who had executed an abnormal operation on the basis of the operation history stored in the operation history storage unit 402. When the collation unit 403 determines that the input information satisfies the authentication conditions and also the user attribute determination unit 404 determines that the user is not an illegitimate user, an authentication unit 405 executes authentication processing on the basis of the information satisfying the authentication conditions.

Description

  The present invention relates to an image processing apparatus, an image processing system, and an authentication apparatus having a user authentication function.

  In recent years, MFPs (Multi Function Peripherals) having functions such as scanners, facsimiles, printers, and copiers have been used in offices and the like. A multifunction machine is often used in a situation where it is connected to an information processing terminal such as a personal computer through a network such as a LAN (Local Area Network). Then, it functions as an image forming device that prints image data input from the information processing terminal on paper, functions as an image reading device that acquires image data used in the information processing terminal, and searches document image data. It functions as a document management device that accumulates as possible.

  Some of these multifunction peripherals have a normal mode in which a general user performs image processing, and a maintenance mode that is open only to a limited number of persons such as service personnel. The maintenance mode cannot be executed even by an administrator who has a wider authority than a general user, such as a user registration authority, a change of a unit price table as a charging standard, counter information, and user information retrieval, etc. In this mode, all information can be accessed. Therefore, it is necessary to reliably prevent execution by a person who is not permitted to execute the maintenance mode such as a general user. Even when used in normal mode, some image data that is input from the information processing terminal as a print job or document image data that is stored in the multifunction peripheral has high sensitivity and is not desired to be obtained by others. To do.

  For this reason, in this type of MFP, user authentication is performed to confirm the user's usage qualification, so that maintenance mode can be executed, or image data input (printed) as a print job can be output or stored documents. User authentication that allows only authorized persons to access image data is widely used. Various techniques for improving the security of such user authentication have been proposed (see, for example, Patent Documents 1 and 2).

  For example, Patent Literature 1 discloses a configuration in which an access start notification message is transmitted to a destination registered in advance when a network device starts access to a network. In addition, when a valid user such as an owner activates the network device, the network device is configured to be able to cancel the transmission of the access start notification message by performing a specific input to the network device. According to this configuration, when an unauthorized user who is not the owner uses a network device, an access start notification message is transmitted to a pre-registered destination. The owner or administrator can know the start of use of the network device by an unauthorized user.

  Patent Document 2 discloses a configuration in which a plurality of passwords are input at the time of mode transition in an electronic device having a plurality of operation modes of a normal operation mode, a device management mode, and a device maintenance mode.

JP 2002-014928 A JP-A-2005-215101

  In the technology disclosed in Patent Document 1 described above, the start of use of a network device by an unauthorized user is notified to the owner or administrator via the network. However, it is necessary for the owner or the administrator to determine whether or not the use is an unauthorized user. For this reason, if the owner or the administrator cannot immediately respond to the notification, the use by the unauthorized user cannot be dealt with at all. That is, when data or the like is taken out by the unauthorized user or maintenance mode is executed, leakage of data or the like is prevented even if it can be recognized that the unauthorized user has used it by notification. I can't do it, it's too late. In addition, this technique cannot be applied to a device or the like that is used in a stand-alone manner in order to avoid intrusion or attack via a network.

  Further, since the technique disclosed in Patent Document 2 requires a plurality of password inputs, it is possible to improve security compared to user authentication that requires one password input. However, even with such a configuration, when a password with low password strength is used, the effect of increasing security is reduced. Therefore, in order to obtain a high security effect, it is necessary to increase the password strength of each password. It is possible to increase the password strength by increasing the number of characters and the types of characters constituting the password. However, when such a password with a high password strength is used, the convenience of use for legitimate users is impaired.

  On the other hand, in an image processing apparatus that is used in an environment such as an office that is not open to the public, a person who attempts to intrude or attack the apparatus becomes a person who is completely unrelated to the image processing apparatus. Is hard to imagine. That is, it should be assumed that a person who uses the image processing apparatus as a user and is aware of how to use the image processing apparatus becomes an unauthorized user. In this case, the unauthorized user has information such as a user authentication method.

  For example, in an image processing apparatus that requests input of user identification information and a password as information for user authentication, when an employee number or the like is used as user identification information, an unauthorized user is identified by another user. Can be easily known. For this reason, if the authentication condition is accidentally satisfied, for example, by inputting a password in a brute force manner, an unauthorized user can use the device in place of the authorized user.

  Such unauthorized use may be prevented, for example, by applying a known technique (so-called lockout) that disables the user ID when an incorrect password is continuously input a predetermined number of times. . However, if such a countermeasure is adopted, there is a disadvantage that a user who has not performed any operation is locked out without knowing. Therefore, it is not easy to achieve both convenience of use and security.

  The present invention has been made in view of the above-described problems of the prior art, and provides an image processing apparatus, an image processing system, and an authentication apparatus that can ensure high security without impairing the convenience of use for a legitimate user. For the purpose.

  In order to achieve the above object, the present invention employs the following technical means. That is, the image processing apparatus according to the present invention has a user authentication function, and includes an operation unit, an operation history storage unit, a verification unit, a user attribute determination unit, and an authentication unit. The operation unit has a plurality of operation buttons used for inputting information for user authentication. The operation history storage unit stores a history of operations on the operation unit. The collation unit determines whether information input through the operation unit satisfies a pre-registered authentication condition. When the user attribute determination unit determines that the verification unit satisfies the authentication condition, an operation stored in the operation history storage unit indicates whether the user who input the information is an unauthorized user who has performed an abnormal operation. Judgment based on history. Then, when the verification unit determines that the verification unit satisfies the authentication condition and the user attribute determination unit determines that the user is not an unauthorized user, the authentication unit performs an authentication process based on information that satisfies the authentication condition.

  In this image processing apparatus, an unauthorized user is specified based on an operation history stored in the operation history storage unit, and an authentication process is selectively executed for an authorized user who does not correspond to the unauthorized user. For example, when an operation that cannot be assumed to be a simple input mistake of the user is stored as the operation history, the user attribute determination unit certifies the user as an unauthorized user. And since an authentication process is implemented with respect to the legitimate user who does not correspond to such a legitimate user, security can be ensured without impairing the use convenience of the legitimate user.

  In the above-described image processing device, the user attribute determination unit determines that a user who has performed an obviously abnormal operation is an abnormal user belonging to an unauthorized user, and the user attribute determination unit determines that the user is an abnormal user. The unit may employ a configuration that prohibits the operation without executing the authentication process. In this configuration, even if the authentication condition is unfortunately satisfied by the brute force operation by the abnormal user, the operation of the image processing apparatus by the user is not permitted. As a result, security can be ensured without impairing the convenience of use by authorized users.

  In addition, when the user attribute determination unit determines that a user who has performed an operation suspected of being an abnormal operation is a suspect user belonging to an unauthorized user, and the user attribute determination unit determines that the user is a suspect user, the authentication unit normally It is also possible to adopt a configuration in which special authentication processing is executed instead of the above authentication processing. Here, an operation suspected of being an abnormal operation is an operation that does not correspond to the above-described abnormal operation, but cannot be assumed to be a simple input error of the user. In this configuration, for the suspected user, the authentication unit executes special authentication processing such as authentication processing that causes the verification unit to check the strong authentication conditions instead of the authentication conditions, and authentication processing that restricts operation authority. Therefore, the boundary between the legitimate user and the abnormal user can be set flexibly, and the use by the abnormal user can be surely excluded while reducing the possibility that the legitimate user is erroneously determined as the abnormal user.

  Note that the above-described authentication process can be applied to an authentication process for shifting from a normal mode in which image processing is performed to a maintenance mode for apparatus maintenance. The information for authentication can include identification information for identifying a user and a password associated with the identification information.

  In another aspect, the present invention relates to an image processing device, an operation device having a plurality of operation buttons for inputting information for user authentication, an operation history storage device for storing an operation history for the operation device, and an authentication device. It is also possible to provide an image processing system comprising: In this configuration, the authentication device includes a verification unit, a user attribute determination unit, and an authentication unit. The collation unit determines whether the information input through the controller device satisfies a pre-registered authentication condition. If the user attribute determination unit determines that the verification unit satisfies the authentication condition, the operation stored in the operation history storage device indicates whether the user who input the information is an unauthorized user who has performed an abnormal operation. Judgment based on history. If the verification unit determines that the verification unit satisfies the authentication condition, and the user attribute determination unit determines that the user is not an unauthorized user, the authentication unit performs an authentication process based on information that satisfies the authentication condition.

  Furthermore, from another viewpoint, the present invention can also provide an authentication device.

  According to the present invention, it is possible to ensure high security without impairing the convenience of use for authorized users.

1 is a schematic configuration diagram showing the overall configuration of a multifunction machine according to an embodiment of the present invention. 1 is a schematic diagram showing an operation panel of a multifunction machine according to an embodiment of the present invention. The figure which shows the hardware constitutions of the multifunctional device in one Embodiment of this invention. 1 is a functional block diagram showing a multifunction machine according to an embodiment of the present invention. The flowchart which shows an example of the user authentication procedure which the multifunctional machine in one Embodiment of this invention implements The flowchart which shows an example of the user attribute determination procedure which the multifunctional device in one Embodiment of this invention implements Functional block diagram showing another multifunction machine according to an embodiment of the present invention.

  Hereinafter, an embodiment of the present invention will be described in more detail with reference to the drawings. In the following, the present invention is embodied as a digital multifunction machine.

  FIG. 1 is a schematic configuration diagram illustrating an example of the overall configuration of a digital multifunction peripheral according to the present embodiment. As shown in FIG. 1, the multifunction peripheral 100 includes a main body 101 including an image reading unit 120 and an image forming unit 140, and a platen cover 102 attached above the main body 101. A document table 103 is provided on the upper surface of the main body 101, and the document table 103 is opened and closed by a platen cover 102. Further, the platen cover 102 includes a document conveying device 110.

  An image reading unit 120 is provided below the document table 103. The image reading unit 120 reads an image of a document with the scanning optical system 121 and generates digital data (image data) of the image. The document can be placed on the document table 103 or the document transport device 110. The scanning optical system 121 includes a first carriage 122, a second carriage 123, and a condenser lens 124. The first carriage 122 is provided with a linear light source 131 and a mirror 132, and the second carriage 123 is provided with mirrors 133 and 134. The light source 131 illuminates the document. The mirrors 132, 133, and 134 guide reflected light from the document to the condenser lens 124, and the condenser lens 124 forms an optical image on the light receiving surface of the line image sensor 125. In the scanning optical system 121, the first carriage 122 and the second carriage 123 are provided so as to be able to reciprocate in the sub-scanning direction 135. By moving the first carriage 122 and the second carriage 123 in the sub-scanning direction 135, the image of the document placed on the document table 103 can be read by the image sensor 125. When reading an image of a document set on the document conveying device 110, the image reading unit 120 temporarily fixes the first carriage 122 and the second carriage 123 according to the image reading position, and passes the image reading position. Are read by the image sensor 125. The image sensor 125 generates image data of a document corresponding to, for example, each color of R (red), G (green), and B (blue) from the light image incident on the light receiving surface. The generated image data can be printed on paper in the image forming unit 140. Further, the data can be transmitted to another device (not shown) through the network 162 by the network adapter 161.

  The image forming unit 140 prints image data obtained by the image reading unit 120 or image data received from another device connected to the network 162 on a sheet. The image forming unit 140 includes a photosensitive drum 141. The photosensitive drum 141 rotates in one direction at a constant speed. Around the photosensitive drum 141, a charger 142, an exposure unit 143, a developing unit 144, and an intermediate transfer belt 145 are arranged in this order from the upstream side in the rotation direction. The charger 142 uniformly charges the surface of the photosensitive drum 141. The exposure device 143 irradiates the surface of the uniformly charged photoconductor drum 141 with light according to the image data, and forms an electrostatic latent image on the photoconductor drum 141. The developing device 144 attaches toner to the electrostatic latent image and forms a toner image on the photosensitive drum 141. The intermediate transfer belt 145 transfers the toner image on the photosensitive drum 141 onto a sheet. When the image data is a color image, the intermediate transfer belt 145 transfers each color toner image onto the same sheet. The RGB color image is converted into C (cyan), M (magenta), Y (yellow), and K (black) format image data, and the image data of each color is input to the exposure unit 143.

  The image forming unit 140 feeds paper from the manual feed tray 151, the paper feed cassettes 152, 153, and 154 to the transfer unit between the intermediate transfer belt 145 and the transfer roller 146. Various sizes of paper can be placed or stored in the manual feed tray 151 and the paper feed cassettes 152, 153, and 154. The image forming unit 140 selects a sheet specified by the user or a sheet corresponding to the automatically detected document size, and feeds the selected sheet from the manual feed tray 151 or the cassettes 152, 153, and 154 by the feeding roller 155. . The fed paper is transported to the transfer section by transport rollers 156 and registration rollers 157. The sheet on which the toner image is transferred is conveyed to the fixing device 148 by the conveyance belt 147. The fixing device 148 has a fixing roller 158 and a pressure roller 159 with a built-in heater, and fixes the toner image on the sheet by heat and pressing force. The image forming unit 140 discharges the sheet that has passed through the fixing device 148 to the discharge tray 149.

  FIG. 2 is a diagram illustrating an example of an appearance of an operation panel included in the multifunction peripheral. The user can use the operation panel 200 to give the MFP 100 a start of copying and other instructions, and to confirm the status and settings of the MFP 100. On the operation panel 200, a display 201 with a touch panel and operation keys 203 are arranged. The display 201 includes a display surface including a liquid crystal display that displays operation buttons, messages, and the like, and a sensor that detects a pressed position on the display surface. The detection method of a press position is not specifically limited. Any method such as a resistance film method, a capacitance method, a surface acoustic wave method, and an electromagnetic wave method can be employed. The user can input through the display 201 using his / her finger or the touch pen 202.

  The display 201 displays an operation screen having a button display unit 204, a message display unit 205, and a status display unit 206. A plurality of tabs 208 are prepared in the button display unit 204, and operation buttons corresponding to the tab category are arranged on each tab. The “easy setting” tab has operation buttons used for basic setting. In the example of FIG. 2, operation buttons for setting paper size, copy magnification, density, printing surface, page aggregation, and post-processing are arranged. For example, when the user performs an operation of pressing the “density” button 207, a pop-up screen having selection buttons such as “light”, “normal”, and “dark” for selecting the density is displayed over the operation button. The density is set by the user's selection (pressing). In the example of FIG. 2, in addition to the “easy setting” tab, a “document / paper / finish” tab, a “color / image quality” tab, a “layout / edit” tab, and an “application / others” tab are also provided. The user can switch to the display of these tabs by performing an operation of selecting the tab button 208. While one tab is selected, other tabs and their elements are hidden on the operation screen.

  The message display unit 205 displays a message notifying the user of settings such as whether copying is possible and the number of copies. FIG. 2 shows a state before user authentication processing (login processing) described later is performed. Although not particularly limited, the present embodiment is configured to input user identification information (user ID) and a password as user authentication information, and the message display unit 205 requests “authentication” to input user authentication information. Please enter information "message is displayed.

  The status display unit 206 displays device status information as necessary. In this display, detection results of various sensors included in the multifunction peripheral 100 are reflected. The device status information means a message that notifies the user of a warning that prompts the user to respond to an abnormality although the device is in an operable state. For example, the fact that the remaining amount of paper is low, the document platen 103 is dirty, and the facsimile document is stored in the memory when the facsimile memory reception is set is included. Further, the device status information may include out-of-paper, conveyance jam, and the like.

  The operation keys 203 include a main power key 209, a numeric keypad 210, a start key 211, a clear key 212, a LogOut key 213, and the like. For example, the main power key 209 is used to switch the main power supply of the multifunction peripheral 100 on and off. The numeric keypad 210 can be used for specifying the number of copies and setting the copy magnification. When the user makes these settings, the multi-function device 100 displays a message such as “Can be copied (with settings)” on the message display unit 205 to notify the user that the settings have been made. The start key 211 is used for a start instruction for copying or image printing. The user operates the clear key 212 when canceling the setting made by the user. Since whether or not the machine accepts the setting by the user can be determined by the above-described message, the clear key 212 may be operated if the setting becomes unnecessary. Although not particularly limited, the present embodiment is configured such that operations through the operation panel 200 are prohibited except for information input related to user authentication until an authentication unit described later performs an authentication process. When the authenticated user presses the LogOut key 213 after using the multifunction peripheral, or when the operation of the operation panel 200 and the operation of the image reading unit 120 and the image forming unit 140 are not performed for a predetermined time after the authentication, the multifunction peripheral 100 It is configured to return to the state before the user authentication process is performed.

  FIG. 3 is a hardware configuration diagram of a control system in the multifunction machine. The multifunction peripheral 100 according to the present embodiment includes a CPU (Central Processing Unit) 301, a RAM (Random Access Memory) 302, a ROM (Read Only Memory) 303, an HDD (Hard Disk Drive) 304, an original transport device 110, and an image reading unit 120. A driver 305 corresponding to each drive unit in the image forming unit 140 is connected via an internal bus 306. The ROM 303, the HDD 304, and the like store programs, and the CPU 301 controls the multifunction peripheral 100 in accordance with the instructions of the control program. For example, the CPU 301 uses the RAM 302 as a work area, and controls the operation of each driving unit by exchanging data and commands with the driver 305. The HDD 304 is also used to store image data obtained by the image reading unit 120 and image data received from other devices through the network adapter 161.

  An operation panel 200 and various sensors 307 are also connected to the internal bus 306. The operation panel 200 receives a user operation and supplies a signal based on the operation to the CPU 301. The display 201 displays the above-described operation screen according to a control signal from the CPU 301. The sensor 307 includes various sensors such as an open / close detection sensor for the platen cover 102, a document detection sensor on the document table 103, a temperature sensor for the fixing device 148, and a detection sensor for the conveyed paper or document. The CPU 301 executes, for example, a program stored in the ROM 303 to realize each of the following means (functional blocks) and controls the operation of each means according to signals from these sensors.

  FIG. 4 is a functional block diagram of the MFP according to the present embodiment. As illustrated in FIG. 4, the multifunction peripheral 100 according to the present embodiment includes an operation recognition unit 401, an operation history storage unit 402, a collation unit 403, a user attribute determination unit 404, and an authentication unit 405.

  The operation recognition unit 401 recognizes pressing of the operation key 203 and pressing of the display 201 on the operation panel 200 and recognizes the operation content of the user. Although not particularly limited, in the present embodiment, the coordinates of the pressed position detected by the sensor that detects the pressed position of the display 201 are input to the operation recognition unit 401, and the operation recognition unit 401 is configured such as an operation button held by itself. Based on the coordinates of the screen elements and the coordinates of the input pressing position, the user's operation content on the display 201 is recognized. User operations recognized by the operation recognition unit 401 are stored in the operation history storage unit 402. Although not particularly limited, in the present embodiment, information for specifying the operated operation button is recorded in association with information indicating the relationship between the previous operation and the operation interval. Here, the time information is used as information indicating the relationship between the operation priorities and the operation interval.

  In the present embodiment, the operation panel 200 functions as an operation unit, and the operation buttons and operation keys 203 displayed on the display 201 all correspond to a plurality of operation buttons provided in the operation unit. Further, as described above, in this embodiment, user identification information (user ID) and a password are input to the multi-function device 100 as user authentication information. That is, the operation panel 200 functions as an identification information input unit 421 for inputting user identification information, and also functions as a password input unit 422 for inputting a password. Here, the user inputs user authentication information by using the numeric keypad 210 or a software keyboard displayed on the touch panel 201 as necessary as the identification information input unit 421 and the password input unit 422. The user identification information may be input to the multi-function device 100 via a portable storage medium such as an IC card, a magnetic card, or a USB (Universal Serial Bus) memory. In this case, the user inputs the user identification information stored in the portable storage medium by arranging the portable storage medium in an information reading device corresponding to the portable storage medium such as an IC card reader, and the user identification A password requested based on the information is input through the operation panel 200. Here, the user ID uniquely assigned to each user is used as the user identification information, but any information can be used as the user identification information as long as the information can identify the user.

  The collation unit 403 determines whether the user authentication information input through the operation panel 200 satisfies a pre-registered authentication condition. In the present embodiment, the collation unit 403 is registered in advance with an authorized user list in which a user ID of a user who is permitted to use the MFP 100 and a password associated with the user ID are recorded, and an identification information input unit When the user ID input from 421 and the password input from the password input unit 422 are included in the authorized user list, the verification unit 403 determines that the authentication condition is satisfied.

  When the collation unit 403 determines that the authentication condition is satisfied, the user attribute determination unit 404 determines whether the user who has input the user authentication information is an unauthorized user who has performed an abnormal operation. This determination is performed based on the operation history stored in the operation history storage unit 402.

  In this embodiment, the user attribute determination unit 404 classifies the user into any attribute of a legitimate user, a suspect user, and an abnormal user. Note that the suspect user and the abnormal user are unauthorized users.

  A user who has input user authentication information without making a mistake and a user who has performed an operation that can be assumed to be a simple input error are determined to be legitimate users. An operation that can be assumed to be a simple input error is, for example, an operation that satisfies the authentication condition by inputting a password less than the number of times registered in advance (for example, 4 times) for the same user identification information, or a specific user After a partial mismatch of the user identification information or password with respect to the authentication information, an operation that satisfies the authentication condition for the specific user authentication information, after the old password is input for the specific user identification information, For example, an operation that satisfies the authentication condition for specific user identification information.

  In addition, a user who has clearly performed an abnormal operation is determined to be an abnormal user. Clearly abnormal operations include, for example, simultaneous pressing of a plurality of operation buttons, long-time operation button presses (long presses), operation button presses when the main power of the device is turned on, etc. over a predetermined number of times by replacing the operation buttons. This is an operation that satisfies the authentication condition by performing an intentional intrusion such as a repetitive operation or by inputting a password more than the number of times (for example, four times) registered in advance for specific user identification information.

  Further, a user who has performed an operation suspected of being an abnormal operation is determined as a suspect user. An operation suspected of being an abnormal operation is an operation that does not correspond to the above-described abnormal operation, but cannot be assumed to be a simple input error of the user. For example, there are cases where operations such as simultaneous pressing of a plurality of operation buttons, long pressing of the operation buttons, operation button pressing when the apparatus main power is turned on are executed a plurality of times less than a predetermined number of times. The suspected user can also be determined based on the operation, but in this embodiment, from the viewpoint of ensuring security, as described later, the user does not correspond to a legitimate user and does not correspond to an abnormal user. Is determined to be a suspicious user.

  If the user attribute determination unit 404 determines that the user is an unauthorized user (abnormal user, suspect user), the user attribute determination unit 404 registers the determination result in the user attribute storage unit 406 in association with user authentication information that satisfies the authentication condition. As described above, since the determination by the user attribute determination unit 404 is made when the collation unit 403 determines that the authentication condition is satisfied, at this time, the unauthorized user obtains user authentication information that satisfies the authentication condition. Yes. That is, after that, by inputting the user authentication information, the multifunction peripheral 100 can be used in place of a legitimate user who should originally use the user authentication information. In order to disable such use, user authentication information used by an unauthorized user is registered in the user attribute storage unit 406. Although not particularly limited, in the present embodiment, the user attribute storage unit 406 holds information indicating the determination result as a table associated with user identification information used by an unauthorized user.

  When the verification unit 403 determines that the authentication condition is satisfied and the user attribute determination unit 404 determines that the user is not an unauthorized user, the authentication unit 405 performs user authentication processing (login processing) based on information that satisfies the authentication condition. ) To allow the user to use the multifunction peripheral 100 (generation of image data in the image reading unit 120, printing of image data in the image forming unit 140, access to stored document image data, etc.). Although not particularly limited, in this embodiment, the operation control unit 407 generates image data in the image reading unit 120 based on a user instruction through the operation panel 200 recognized by the operation recognition unit 401, and in the image forming unit 140. The authentication unit 405 is configured to execute printing of image data, access to stored document image data via the document management unit 411, and the authentication unit 405 cancels the operation restriction of the operation control unit 407, so that the composite by the user is performed. The use of the machine 100 is permitted.

  FIG. 5 is a flowchart illustrating an example of a user authentication procedure executed by the multifunction peripheral 100. The procedure starts with, for example, the main power source of the multifunction peripheral 100 being turned on.

  As described above, in the present embodiment, only the user authentication information is allowed to be input through the operation panel 200 in a situation where the login process is not performed. Under the circumstances, when the operation recognizing unit 401 recognizes an operation through the operation panel 200, the operation recognizing unit 401 stores the operation in the operation history storage unit 402 (step S501 Yes). For example, when any key belonging to the numeric keypad 210 is pressed to input a user ID, information indicating the pressed button and time information are stored in the operation history storage unit 402 as an operation history (No in steps S502 and S503). ). When a plurality of buttons are pressed in order, the operation recognition unit 401 sequentially stores information indicating the pressing of each button and time information in the operation history storage unit 402 (No in steps S501, S502, and S503).

  In this embodiment, the operation recognition unit 401 recognizes a series of user IDs input from the identification information input unit 421 and a series of passwords input from the password input unit 422, and compares the recognized user ID and password with a verification unit. Also input to 403.

  As described above, in the present embodiment, the operation panel 200 functions as the identification information input unit 421 and the password input unit 422. Therefore, the operation recognition unit 401 recognizes information input in a state where the operation panel 200 functions as the identification information input unit 421 (a state where the user is requested to input a user ID) as a user ID, Information input in a state where the operation panel 200 functions as the password input unit 422 (a state where the user is requested to input a password) is recognized as a password. Here, until the collation unit 403 determines that the authentication condition is satisfied, the user includes the “Enter” key included in the numeric keypad 210 or the software keyboard displayed on the display 201 as necessary. Each time the “Enter” key is pressed, the identification information input unit 421 and the password input unit 422 are switched.

  For example, when a user ID is input with the numeric keypad 210 and an “Enter” button included in the numeric keypad 210 is pressed to indicate completion of input, an operation for each button is stored in the operation history storage unit 402 as an operation history. . When the user ID input completion is recognized by pressing the “Enter” button, the operation recognition unit 401 displays a series of information input in a state where the operation panel 200 functions as the identification information input unit 421. The ID is input to the verification unit 403. Further, when the “Enter” button is pressed, the operation panel 200 functions as the password input unit 422.

  In this state, for example, when a password is input with the numeric keypad 210 and an “Enter” button included in the numeric keypad 210 is pressed to indicate the completion of input, an operation for each button is stored in the operation history storage unit 402 as an operation history. Stored. When the password input completion is recognized by pressing the “Enter” button, the operation recognition unit 401 verifies a series of information input in a state where the operation panel 200 functions as the password input unit 422 as a password. Input to the unit 403.

  When the user ID and password are input, the collation unit 403 determines whether or not the input user ID and password satisfy the authentication conditions (Yes in steps S503 and S504). When the input user ID and password are included in the authorized user list, the collation unit 403 determines that the authentication condition is satisfied, and inputs the fact to the user attribute determination unit 404 (Yes in step S504). The collation unit 403 determines that the authentication condition is not satisfied when the input user ID and password are not included in the authorized user list, and requests input of user authentication information again (No in steps S504 and S501). . Here, the collation unit 403 sets the operation panel 200 to function as the identification information input unit 421.

  The user attribute determination unit 404 that has received a notification that the authentication condition is satisfied from the verification unit 403 is based on the operation history stored in the operation history storage unit 402. It is determined whether or not the user is a valid user (step S505). FIG. 6 is a flowchart illustrating an example of a user attribute determination procedure executed by the user attribute determination unit 404.

  First, the user attribute determination unit 404 extracts an operation history used for determination from the operation history storage unit 402 (step S601). The operation history extracted at this time is an operation presumed to have been performed by a user who performed an operation (user ID input, password input) that satisfied the authentication condition. Here, a history of operations for inputting user authentication information performed within a predetermined time interval is extracted before the operation including operations that satisfy the authentication conditions. The operation for inputting user authentication information is an operation performed in a state where the operation panel 200 functions as the identification information input unit 421 and the password input unit 422.

  The user attribute determination unit 404 determines whether the extracted operation history is a normal operation based on the extracted operation history (step S602). As described above, normal operation means, for example, an operation in which user authentication information is input without error or an operation with a simple input error. When these operations are recorded in the extracted operation history, the user attribute determination unit 404 determines that the extracted operation history is a normal operation, and determines that a user who has performed an operation that satisfies the authentication condition is a valid user ( Step S602 Yes, S607).

  On the other hand, when the extracted operation history is not a normal operation, the user attribute determination unit 404 determines whether or not the operation history includes an abnormal operation (No in steps S602 and S603). As described above, the abnormal operation means an operation that intentionally attempts to enter or a brute force input operation. When these operations are recorded in the extracted operation history, the user attribute determination unit 404 determines that the extracted operation history includes an abnormal operation, and includes a user who performed an operation that satisfies the authentication condition as an unauthorized user. It is determined that the user is an abnormal user (steps S603 Yes, S606).

  If the extracted operation history is not a normal operation and no abnormal operation is included, the user attribute determination unit 404 determines that the user who performed the operation that satisfies the authentication condition is a suspect user included in the unauthorized user. (Steps S603 No, S604). An operation that is not a normal operation and does not include an abnormal operation is an operation that does not correspond to the above-described abnormal operation but cannot be assumed to be a simple input error of the user.

  When it is determined that the user who has performed an operation that satisfies the authentication condition is an unauthorized user (abnormal user, suspect user), the user attribute determination unit 404 displays the determination result as described above in the user attribute storage unit 406. (Step S605).

  The user attribute determination unit 404 that has performed the user attribute determination as described above notifies the authentication unit 405 of the determination result. When the authentication by the user attribute determination unit 404 is a valid user, the authentication unit 405 that has received the notification determines whether the user authentication information determined to be a valid user has been previously determined as an unauthorized user by the user attribute determination unit 404 Confirm whether or not. The confirmation can be executed based on whether or not the user authentication information determined to be a valid user is stored in the user attribute storage unit 406. If the user authentication information determined to be a legitimate user is not stored in the user attribute storage unit 406, the authentication unit 405 performs a user authentication process and allows the user who has performed an operation that satisfies the authentication condition to use the MFP 100. (Step S506 Yes, S510).

  In addition, when the determination by the user attribute determination unit 404 is an abnormal user, or the determination by the user attribute determination unit 404 is a valid user, the user authentication information determined to be a valid user is stored in the user attribute storage unit 406 as an abnormal user. If stored, the authentication unit 405 does not execute the user authentication process, and prohibits an operation by a user who has performed an operation that satisfies the authentication condition (step S506 No, S507 Yes, S509).

  Further, when the determination by the user attribute determination unit 404 is not a legitimate user and an abnormal user (that is, when the user attribute determination unit 404 is a suspect user), or the determination by the user attribute determination unit 404 is a valid user, it is determined as a suspect user in the past, When the user authentication information determined to be a legitimate user is stored in the user attribute storage unit 406 as a suspect user, the authentication unit 405 executes a special authentication process instead of the normal authentication process (steps S506 No, S507 No, S508). .

  In the present embodiment, the special authentication process performed by the authentication unit 405 is an authentication process in which operation authority is limited. That is, security management (confirmation that the user has access qualification in this case) is required, such as access to a print job designated by a printer already input to the multifunction peripheral 100 and access to stored document image data. The authentication process is performed in a state where the function of the MFP 100 cannot be used. For this reason, a user who has been subjected to special authentication processing as a suspect user can use only functions that do not require security management, such as copying or outputting a print job for which no printer is specified.

  As described above, in the MFP 100, an unauthorized user is identified based on the operation history stored in the operation history storage unit 402, and selectively authenticated for an authorized user who does not correspond to the unauthorized user. Processing is executed. And since an authentication process is implemented with respect to the legitimate user who does not correspond to such a legitimate user, security can be ensured without impairing the use convenience of the legitimate user.

  Further, in this multifunction device 100, the user attribute determination unit 404 determines that a user who has clearly performed an abnormal operation is an abnormal user belonging to an unauthorized user. If the user is an abnormal user, the authentication unit 405 prohibits the operation without executing the authentication process. Therefore, even if the authentication condition is unfortunately satisfied by a brute force operation by an abnormal user, it is possible to reliably prevent the user from operating the multifunction device 100.

  Furthermore, in this multifunction device 100, the user attribute determination unit 404 determines that a user who has performed an operation suspected of being an abnormal operation is a suspect user belonging to an unauthorized user. If the user is a suspect user, the authentication unit 405 executes a special authentication process, which is an authentication process in which the operation authority is limited, instead of the normal authentication process. As a result, for the suspect user, access to a print job or stored document image data is restricted, so that security can be ensured. In addition, by providing a user attribute of a suspected user, flexible security settings can be realized, and the possibility that a legitimate user is erroneously determined as an abnormal user is reduced, and use by an abnormal user is reliably excluded. be able to.

  These effects can be obtained even when the multi-function device 100 is not connected to the network and is used stand-alone.

  Note that in the above-described multifunction peripheral 100, the original user identified by the user authentication information determined as an abnormal user once cannot use the multifunction peripheral 100. In addition, the original user specified by the user authentication information determined as the suspect user once can use only a part of the functions of the multifunction device 100. Therefore, in order to use the multifunction device 100, the original user makes an application to the administrator of the multifunction device 100, for example, and deletes the registration as an unauthorized user stored in the user attribute storage unit 406. There is a need. At this time, at least the password needs to be changed. More preferably, by registering new user authentication information (user identification information and password) in the multifunction peripheral 100 without deleting registration as an unauthorized user stored in the user attribute storage unit 406, It is preferable that the MFP 100 can be used by the original user.

  By the way, in the said embodiment, the authentication process which restrict | limits use authority was demonstrated as an example of a special authentication process. In this form, as described above, the user ID determined as the suspect user can use only a part of the functions. Such a form is difficult to apply to a user authentication process for permitting use only to a very limited person such as a shift to a maintenance mode. For example, when the use authority is restricted in the authentication process for transition to the maintenance mode, the transition to the maintenance mode cannot be performed substantially. In addition, since there is no higher authority to cancel the suspected user determination for the user ID, as a result, maintenance of the multifunction peripheral 100 cannot be performed.

  In order to eliminate such a situation, in the modified example of the present embodiment, the authentication unit is configured to cause the collation unit 403 to collate the strong authentication condition different from the above-described authentication condition as the special authentication process.

  FIG. 7 is a functional block diagram showing a configuration of a multi-function peripheral 700 that is a modification of the present embodiment. In FIG. 7, elements having the same functions and functions as those of the multifunction machine 100 shown in FIG. 4 are denoted by the same reference numerals, and detailed description thereof will be omitted.

  The multi-function device 700 includes an authentication unit 705. When the operator is a suspect user, the authentication unit 705 causes the verification unit 403 to verify the strong authentication condition instead of the normal authentication condition as the special authentication process. That is, in step S508 in FIG. 5, the special authentication process performed by the authentication unit 705 is an authentication process based on the strong authentication condition. For example, as described above, in a case where a user ID and one password input corresponding to the user ID are requested as user authentication conditions, a configuration in which another password is requested as a strengthened authentication condition in addition to the one password. Can be adopted. That is, the password strength is increased by requesting the other password.

  This operation is performed as follows. That is, when the determination by the user attribute determination unit 404 is not a legitimate user and an abnormal user (that is, when the user is a suspect user), or the determination by the user attribute determination unit 404 is a legitimate user, the user authentication determined to be a legitimate user When the information is stored in the user attribute storage unit 406 as the suspect user, the authentication unit 705 requests the collation unit 403 to collate the strong authentication condition. At this time, the collation unit 403 requests the password input unit 422 (operation panel 200) to input an additional password. Here, in the collation unit 403, an additional password is registered in advance in association with each user ID registered in the above-described permitted user list, and the additional password input from the password input unit 422 is used in the permitted user list. If it is included, the collation unit 403 determines that the strong authentication condition is satisfied. Note that it is preferable that the user attribute determination unit 404 also determines whether or not the user is an unauthorized user even when an additional password constituting the strong authentication condition is input.

  As described above, in this modified example, the suspect user is additionally confirmed as a valid user. Therefore, even when the original user is recognized as the suspect user for some reason, an opportunity to log in as a legitimate user can be given. If the suspect user is not the original user, use by the suspect user is not permitted unless the strong authentication condition is satisfied. Therefore, security can be ensured without impairing the convenience of use for authorized users.

  Further, in this configuration, for example, when the additional password is input by the above-described normal operation, a configuration in which the record of the suspect user recorded in the user attribute storage unit 406 may be adopted. As a result, when the possibility of being a legitimate user is high, the authorization of the suspect user is automatically canceled.

  Furthermore, although the configuration in which the strong authentication condition is collated only for the suspect user is used here, a configuration in which the strong authentication condition is collated also for the abnormal user can be adopted. As a result, it is possible to reliably prevent the legitimate user from being locked out due to the action of the abnormal user and becoming unusable by the original user. Also in this case, when the additional password is input by the normal operation described above, a configuration may be adopted in which the abnormal user record recorded in the user attribute storage unit 406 is deleted. In addition, when collating the strong authentication conditions with respect to an abnormal user, it may be configured such that the strong authentication conditions are collated for the first time when a specific operation button operation (input of a hidden command) designated in advance is performed.

  In addition, although the structure which requests | requires one additional password was demonstrated here as a strong authentication condition, the structure which requests | requires several additional passwords may be sufficient. Further, in a configuration in which a user ID and a plurality of passwords corresponding to the user ID are requested as user authentication conditions, for example, when it is determined that the user is an unauthorized user when the first password is input. A configuration may be employed in which the password strength of a password to be input after the second of the plurality of passwords is increased. For example, the password strength can be increased by increasing the number of characters constituting the password. Such a configuration can be easily realized by, for example, registering a low-strength password and a high-strength password in the collation unit 403 in advance.

  As described above, according to the present invention, high security can be ensured without impairing the convenience of use for authorized users.

  In the above-described embodiment, an operation that satisfies the authentication condition is included, and a history of operations for inputting user authentication information performed within a predetermined time interval before the operation satisfies the authentication condition. Extracted as a history of operations performed by the user who performed the operation. However, an operation that is presumed to have been performed by a user who performed an operation that satisfies the authentication condition can be extracted by another method. For example, a history of operations performed while the operation panel 200 functions as the identification information input unit 421 and the password input unit 422 may be extracted within a predetermined time before the operation that satisfies the authentication condition. Further, in a multi-function peripheral having a sensor for detecting the presence or absence of an operator in front of the apparatus, an operation history while the sensor recognizes the same person may be extracted. Further, in a multifunction device having a function of shifting to a power saving mode for reducing power consumption during standby, the operation panel 200 is used as the identification information input unit 421 and the password input unit 422 after returning from the power saving mode to the normal mode. A history of operations performed in a functioning state may be extracted.

  The above-described embodiments do not limit the technical scope of the present invention, and various modifications and applications other than those already described are possible within the scope of the present invention. For example, in the above-described embodiment, the description has been made based on the operation through the operation panel of the multifunction peripheral that is the image processing apparatus. However, the multifunction peripheral is connected via an information processing terminal such as a personal computer that is communicably connected to the multifunction peripheral. An operation may be performed. In this case, the function of the display 201 of the operation panel 200 in the above-described embodiment is provided by display means such as a display and input means such as a keyboard provided in the information processing terminal.

  Further, in the flowcharts shown in FIGS. 5 and 6, the order of the steps can be appropriately changed within a range in which equivalent actions are achieved. For example, the same effect can be obtained even when the determination order of the legitimate user and abnormal user in FIG. 5 and the determination order of normal operation and abnormal operation in FIG. 6 are switched.

  Moreover, in the said embodiment, although three classifications, a legitimate user, a suspicious user, and an abnormal user, were used as a user attribute, two classifications, a legitimate user and a suspicious user (invalid user), and a legitimate user and an abnormal user (invalid user) 2 classifications) may be used. Alternatively, more user attributes than three categories can be used.

  Further, in the above description, the identification information and the password are input based on the user authentication information. However, the present invention can be applied to a configuration in which only the password is input as the user authentication information.

  In the above description, the present invention is embodied as a digital multi-function peripheral. However, the present invention is not limited to a digital multi-function peripheral and can be applied to any image processing apparatus such as a printer or a copier.

  In addition, in the above description, the MFP as the image processing apparatus has a configuration including all of the operation unit, the operation history storage unit, the collation unit, the user attribute determination unit, and the authentication unit. However, each unit is appropriately separated. The image processing system may be configured and connected through a network or the like. For example, an authentication device including the above-described collation unit, user attribute determination unit, and authentication unit is an image processing device, an operation device that inputs information for user authentication, and an operation history storage device that stores a history of operations on the operation device Even when configured separately from the above, it is possible to obtain the same effects as those of the multifunction machine of the above embodiment. In such an image processing system, for example, an authentication apparatus can be shared by a plurality of image processing apparatuses. In addition, it is possible to provide only an authentication device including an operation unit.

  According to the present invention, high security can be ensured without impairing the usability of a legitimate user, and it is useful as an image processing device, an image processing system, and an authentication device.

100, 700 MFP 200 Operation panel (operation unit)
401 operation recognition unit 402 operation history storage unit 403 collation unit 404 user attribute determination unit 405, 705 authentication unit 406 user attribute storage unit 407 operation control unit 411 document management unit 421 identification information input unit 422 password input unit

Claims (9)

An image processing apparatus having a user authentication function,
An operation unit having a plurality of operation buttons for inputting information for user authentication;
An operation history storage unit for storing an operation history for the operation unit;
A verification unit that determines whether information input through the operation unit satisfies a pre-registered authentication condition;
If it is determined that the verification unit satisfies the authentication condition, whether or not the user who has input the information is an unauthorized user who has performed an abnormal operation is determined based on the operation history stored in the operation history storage unit. A user attribute determination unit for determining;
If the collation unit determines that the authentication condition is satisfied and the user attribute determination unit determines that the user is not an unauthorized user, an authentication unit that executes an authentication process based on information that satisfies the authentication condition;
An image processing apparatus comprising: The user attribute determination unit determines that a user who has clearly performed an abnormal operation is an abnormal user belonging to the unauthorized user,
The image processing apparatus according to claim 1, wherein when the user attribute determination unit determines that the user is an abnormal user, the authentication unit prohibits an operation without executing an authentication process. The user attribute determination unit determines a user who has performed an operation suspected of being an abnormal operation as a suspect user belonging to the unauthorized user,
The image processing apparatus according to claim 1, wherein when the user attribute determination unit determines that the user is a suspect user, the authentication unit executes a special authentication process instead of a normal authentication process.   The image processing apparatus according to claim 3, wherein the special authentication process is an authentication process that causes the collation unit to collate a strong authentication condition instead of the authentication condition.   The image processing apparatus according to claim 3, wherein the special authentication process is an authentication process in which operation authority is limited.   The image processing apparatus includes a normal mode for performing image processing and a maintenance mode for apparatus maintenance, and the authentication process is an authentication process for shifting from the normal mode to the maintenance mode. 6. The image processing apparatus according to any one of items 1 to 5.   The image processing apparatus according to claim 1, wherein the information for authentication includes identification information for identifying a user and a password associated with the identification information. An image processing device;
An operation device having a plurality of operation buttons for inputting information for user authentication;
An operation history storage device for storing an operation history for the operation device;
A verification unit that determines whether information input through the controller device satisfies a pre-registered authentication condition;
If it is determined that the verification unit satisfies the authentication condition, whether or not the user who has input the information is an unauthorized user who has performed an abnormal operation is determined based on the operation history stored in the operation history storage device. A user attribute determination unit for determining,
An authentication unit that executes an authentication process based on information that satisfies the authentication condition, when the verification unit determines that the authentication condition is satisfied and the user attribute determination unit determines that the user attribute determination unit is not an unauthorized user;
An authentication device comprising:
An image processing system comprising: An operation unit having a plurality of operation buttons for inputting information for user authentication;
An operation history storage unit for storing an operation history for the operation unit;
A verification unit that determines whether information input through the operation unit satisfies a pre-registered authentication condition;
If it is determined that the verification unit satisfies the authentication condition, whether or not the user who has input the information is an unauthorized user who has performed an abnormal operation is determined based on the operation history stored in the operation history storage unit. A user attribute determination unit for determining;
If the collation unit determines that the authentication condition is satisfied and the user attribute determination unit determines that the user is not an unauthorized user, an authentication unit that executes an authentication process based on information that satisfies the authentication condition;
An authentication device comprising:

Images