JP4508786B2 - Authentication system and image processing apparatus with authentication function - Google Patents

Description

The present invention relates to a user authentication system for an apparatus with an authentication function such as an image processing apparatus, and more particularly to an authentication system capable of limiting use opportunities by a person other than an authenticated user.

  In general, when using a device that is subject to user restrictions, the device is used after the use restriction is removed by a method such as inputting an ID for personal authentication or setting a key card. After using the device, it will be in a restricted state by using used inputs or removing the key card, etc. Even if you forget this operation, it will automatically be in a restricted state when the device has not been used for a certain period of time. In general, the time-out function works (see, for example, Patent Document 1).

The digital copying machine described in Patent Document 1 judges that a set key card has been left for a long time when a predetermined reference time is exceeded, invalidates the key card, and temporarily prohibits its use. can do.
Japanese Patent Laid-Open No. 11-174920

  However, in the conventional technology including Patent Document 1, there is a condition that the reference time is exceeded, and the effect of preventing unauthorized use or prevention of misuse is not achieved within the reference time. There is a problem. In other words, until someone times out, the device can be operated by another person, which may cause unauthorized use.

  The present invention has been made in view of the above circumstances, and has a function with an authentication function that can reduce the time during which unauthorized use or misuse can be performed when a user is authenticated to restrict use. It is another object of the present invention to provide an external device that can be externally connected thereto.

The present invention is constituted by the following technical means in order to solve the above-described problems.
The first technical means authorizes the user by using ID input or setting a key card directly on the device and permits the use, and restricts subsequent use when the device is not used for a predetermined time-out period in the permitted state. user management table external device, such as a plurality of PC is connected to the authentication function image processing apparatus having an authentication function, said image processing apparatus, including a pre-user information and the address information of the external device of the external device to the provided, with reference to the management table to authenticate the user, when permitting the use, in an external device which the user uses, and notifies the license information on the basis of the address information of the management table, When the authentication is canceled due to the elapse of the time-out period, when the authentication is canceled by the user's authentication cancellation operation, the external device is notified of the authentication cancellation, and the external device Equipment, the transmits the authentication release instruction to the image processing device when the external device is operated before receiving the deauthentication notification, the image processing apparatus releases the authentication by receiving the cancellation instruction It features an authentication system.

The second technical means authorizes the user by using ID input or setting a key card directly on the device, etc., and permits the use, and restricts the subsequent use when the device is not used for a predetermined timeout period in the permitted state. user management table external device, such as a plurality of PC is connected to the authentication function image processing apparatus having an authentication function, said image processing apparatus, including a pre-user information and the address information of the external device of the external device to the provided, with reference to the management table to authenticate the user, when permitting the use, in an external device which the user uses, and notifies the license information on the basis of the address information of the management table, When the authentication is canceled due to the elapse of the timeout time, or when the authentication is canceled by the user's authentication cancellation operation, the external device is notified of the authentication cancellation. Thus, when the authentication of another user is permitted before the time-out period elapses, the authentication system releases the authentication of the user and notifies the external device of the user of the authentication cancellation. To do.

The third technical means is characterized by an image processing apparatus with an authentication function that constitutes the authentication system of the first and second technical means.

  ADVANTAGE OF THE INVENTION According to this invention, when authenticating a user and restricting use, the time which can be used illegally or misused can be reduced.

Authentication system according to the present invention, apart from the user authentication function device that has been authenticated, such as to set the ID input or key cards, by detecting a state that does not use a device with the authentication function, come timeout and the authentication function-equipped device to use restriction state before, in which reducing unauthorized opportunities (time).
Hereinafter, as the authentication function devices will be described by taking a digital MFP that combines a plurality of functions as an example, the printer is not limited to the digital MFP, copier, scanner, facsimile machine (FAX) single-function machine, etc., etc. The present invention can be applied to various image processing apparatuses and information processing apparatuses such as computers.

FIG. 1 is a diagram illustrating a configuration example of an image processing apparatus such as a digital multifunction peripheral and an external connection device for explaining an authentication system of the present invention. In FIG. 1, 1 is a digital multifunction peripheral, 2 is a telephone line network, 3 is a manager's facsimile machine (fax for manager), 4 is a network, 5 is an Internet network, 6 is an Internet FAX, 7 is an external personal computer ( External PC), 8 and 9 are terminal PCs, 8a is a PC8 keyboard, 8b is a PC8 mouse, 9a is a PC9 keyboard, 9b is a PC9 mouse, 11 is an image reading unit, 12 is an operation unit, and 13 is image formation , 14 is a device control unit, 15 is a FAX modem, 16 is a communication unit, 17 is a hard disk (HD), 18 is an erasure processing unit, 19 is a management unit, and 20 is a timer.

  A digital MFP 1 illustrated in FIG. 1 is connected to a FAX 3 used by, for example, an administrator via a telephone line network 2, and via a network 4 such as a LAN (Local Area Network) or a WAN (Wide Area Network). A plurality of terminal PCs 8, 9,. . . Further, it is connected to the Internet FAX 6 or the external PC 7 outside the network 4 via the Internet network 5.

  The digital multifunction peripheral 1 includes an image reading unit 11, an operation unit 12, an image forming unit 13, a device control unit 14, a FAX modem 15, a communication unit 16, an HD 17, an erasing processing unit 18, a management unit 19, a timer 20, and the like. The However, the configuration of the digital multifunction peripheral 1 according to the present invention and the connection form with the external device are not limited to this example, and any external device may be connected and each unit of the present invention described later may be provided. . It is not necessary for all means to be described later to be configured by hardware. A program for causing a device with an authentication function such as the digital multifunction peripheral 1 to function as those means is incorporated in a control unit such as the device control unit 14 and the like. It can also be easily implemented by running it.

  The operation unit 12 includes a touch panel that includes a display unit 12b that displays an operation screen and an input unit 12a that allows a user to input various settings based on the display. The image reading unit 11 detects the presence or absence of a document by a document detection sensor 11b based on an operation on the operation unit 12, and reads the document by a CCD (charge coupled device) 11a and outputs it as image data. The FAX modem 15 is a modem for performing facsimile communication with the administrator FAX 3. The communication unit 16 controls communication with an external device of the digital multi-function peripheral 1 connected via the network 4.

  The image forming unit 13 temporarily stores the image data read by the image reading unit 11 and the received data received by the FAX modem 15 or the communication unit 16 in the memory 13b, and from the printing unit 13a equipped with a laser scanner unit (LSU). An image is formed on a medium such as paper. In the image forming unit 13, it is possible to encrypt data such as image data stored in the memory 13b in the encryption processing unit 13c and store it in the HD 17, and conversely, the encrypted data stored in the HD 17 Can be decoded and output to an external device via the memory 13b via the network 4 or the like, or can be printed out as a medium by the printing unit 13a. The erasure processing unit 18 performs a process of erasing the data stored in the HD 17 in order to maintain security or secure storage capacity.

Device control unit 14 is a main control unit which is connected to the units described above, overall control of the operation of the digital multifunction peripheral 1. The management unit 19 manages a later-described user management table shown in FIGS. 2 and 3 , the IP address of the own device 1, and the like. The timer 20 measures the time of the digital multifunction device 1 in the standby state, and notifies the device control unit 14 of this time .

  As described above, the digital multifunction device 1 is provided with the input unit 12 a and the display unit 12 b in the operation unit 12, and ID input can be performed in addition to the function instruction operation of the digital multifunction device 1. In addition to the ID input, the digital multifunction peripheral 1 may include an ID card reader that inputs an ID card and reads the information. The digital multi-function peripheral 1 according to the present invention includes some kind of authentication means. Any authentication means may be used as long as it authenticates the user based on the user information and enables the user's own machine 1 to be used. The digital multifunction peripheral 1 first limits the user by this authentication means.

Further, the digital multifunction peripheral 1, the communication unit 16, two-way data communication with an external device (for example, a PC terminal) will rows. The digital multi-function peripheral 1 is assumed to include such communication means, and the device control unit 14 is a user of an external device connected to the own device 1 (a user who has been authenticated by the authentication means). by addition to confirm the usage, it is assumed that a function for restricting the use of the user external device own machine and usage is confirmed in 1 by. Here, the restriction may be determined as appropriate according to the usage mode of the present invention, such as de-authentication or restriction on the use of a specific function.

Further, the authentication information indicating that the user authenticated by the authentication means has been authenticated, notifying to that user available externally connected external device (all external devices such as this) . In the notification, the notification destination of the externally connected external device that can be used by the user is set in advance in the digital multifunction device 1 in correspondence with the user information. After the authentication notification is, the external device information indicating that it has been used by the user, received as information indicating the use of the external device.

  The reception method may be acquired by accessing an external device, or simply receiving information transmitted from the external device. In addition, the information indicating that it has been used may be determined based on the driving state of the external device. For example, when the external device is a PC, the CPU operation rate or the screen saver has been started but has not started. Alternatively, the determination may be made based on signals operated by various input devices such as a keyboard and a mouse.

Furthermore, the implementation form of the invention, Ru comprises together a time limit means for enabling timeout cleared. This time restriction means is a means for restricting the use of the own device 1 at that time when it is confirmed that the use of the own device 1 is permitted and left for a predetermined time. By combining the time restriction means, the use restriction means restricts the use of the own device 1 when the user information from the external device is confirmed before confirmation of being left for a predetermined time or longer.

The embodiment described above will be described below with reference to FIGS. In the following description, it is assumed that the authentication means is performed in response to input of an ID (authentication code), and a PC is connected to the digital multi-function peripheral 1 as an external device, and the usage status of the PC is determined by operation with a mouse or a keyboard. It is illustrated as what to do.

  FIG. 2 is a diagram showing an example of a user management table in which a user authentication code (ID) and an IP (Internet Protocol) address of a PC are registered. FIG. 3 shows an IP address of the digital multifunction peripheral (own device). It is a figure which shows the example of a table showing a mode currently hold | maintained at the own machine. 2, 30 is a user management table of the digital multi-function peripheral 1, 31 is an authentication code column, 32 is a notification destination column, 33 is a user name column, and in FIG. 3, 40 is an IP address table of the own device 1, Reference numeral 41 denotes an IP address column.

  The user management table 30 illustrated in FIG. 2 registers information in the management unit 19 by the device control unit 14 by inputting the authentication code and the notification destination IP address from the input unit 12a and confirming the input content on the display unit 12b. be able to. The IP address of own device 1 can be registered in the same manner. When executing user restriction according to the present invention, information such as the user management table 30 and information identifying the own device such as the IP address such as the IP address table 40 are registered in the digital multifunction peripheral 1 in advance. There is a need.

  FIG. 4 is a diagram for explaining an example of the flow of data exchanged between the digital multifunction peripheral and the PC in FIG. 1 together with the movement (operation / movement) of the user at that time. Hereinafter, the movement of the user (person) and the flow of data will be described using numbers (a) to (e) in the figure.

  The movement of the user (person) and the data flow described in FIG. 4 is a flow related to the digital multi-function peripheral 1 having the time-out clear process, and exemplifies a case where there is a PC operation before the time-out.

(A) digital multifunction device 1 in the disabled state, it is assumed that the user is waiting to perform a go with ID input to the installation site. Moreover, the the user is available PC, the digital MFP 1 and using notifications and limiting notification (hereinafter, exemplified by release notification) in advance by operating software that can recognize between each other and the like. This software may be included in security software or the like, and is preferably set to automatically start after the PC is started. This software is a program that can be transmitted to the digital multi-function peripheral 1 when a user performs some operation on the external device, and the external device is not limited to the PC and has the same function. It is preferable.

  (B) A user inputs an ID to the digital multifunction device 1. The digital multi-function peripheral 1 checks whether or not the input ID is in the user management table 30, and if it does not exist, it remains unusable. On the other hand, if the input ID is in the user management table 30, the digital multifunction device 1 is put into a usable state. For example, if the ID “3929” is input, the digital MFP 1 “IP 192.168.168.yy.” is used for the notification destination “IP 192.168..xxx.xxx” in the user management table 30. To be notified. When two or more PCs are used like ID “3722”, the PC “IP 192.168..xx.xox” is sent to all notification destinations registered in the user management table 30 for the ID. And the PC “IP 192.168..xx.oo” are notified that the digital MFP 1 “IP 192.168..yy.yyy” has been used.

  (C) After using the digital multifunction device 1, the user leaves the digital multifunction device 1 without releasing the ID. The digital multi-function peripheral 1 is left in a state where it can be used by the user of the input ID.

(D) Any operation of the PC, such as moving the mouse or pressing the any key on the keyboard, or if there is one action, the digital multifunction device 1 from the PC indicates that the user has left the own device 1 ID cancellation is automatically notified. When two or more PCs are connected, if there is one action on any one of the PCs, the digital MFP 1 is automatically notified of the ID release and the digital MFP 1 cannot be used. To. At the same time, the notification of releasing the ID is automatically made to the remaining one via the digital multi-function peripheral 1. For example, when ID release is automatically notified from the PC “IP 192.168..xx.xox” as in ID 3722, the digital multifunction peripheral 1 becomes unusable and at the same time, the remaining PC “IP 192.168..xx.ooo”. On the other hand, it automatically notifies that the ID is released.

(E) If an ID release notification is received from the PC before the time-out notification is received from the timer 20, the digital multi-function peripheral 1 cancels the input ID and makes it unusable. At this time, in the user management table 30 of FIG. 2, the authentication code and the notification destination IP address are registered as a pair, and the digital multifunction device 1 uses it before the ID cancellation due to timeout from the own device 1 side. An ID cancellation notification may be received from the user's PC that was in the middle, but an ID cancellation notification from an IP address that does not correspond to the ID being used may be ignored .

  In addition, even if the user is using the digital multi-function device 1 and the ID is canceled due to somebody touching the user's PC due to some mistake, the user cannot use the device once. For example, it is possible to return to the state shown in FIG.

  As described above, according to this embodiment, since it is not left in a usable state until the timeout time, it is possible to prevent unauthorized use and misuse of others, and when used in a billing management system, Reliability is improved.

Hereinafter, an improved example of the present embodiment will be described with reference to FIGS. In the following description, the same premise as the embodiment described with reference to FIGS.

  FIG. 5 is a diagram for explaining another example of the flow of data exchanged between the digital multifunction peripheral and the PC in FIG. 1 together with the movement (operation / movement) of the user at that time. Hereinafter, the movement of the person and the flow of data will be described using numbers (A) to (F) in the figure.

In the present embodiment, the digital multifunction peripheral shall ignore the received information indicating the use of the external device after the release message is supplied. Also in this case, the notification destination of the externally connected external device that can be used by the user is registered in advance in the digital multifunction peripheral 1 in correspondence with the user information .

  The user's (person) movement and data flow described in FIG. 5 are flows related to the digital multi-function peripheral 1 having a timeout clear process, and illustrate a case where a PC operation is performed after the timeout. Therefore, (A) to (C) in FIG. 5 are the same as (a) to (c) described in FIG.

The user leaves the digital multi-function peripheral, the time-out time elapses without the PC being operated, and a time- out notification is received from the timer 20 in (D).

  (E) The digital multi-function peripheral 1 releases the input ID to make it unusable, and at the same time notifies the PC that the digital multi-function peripheral 1 has been de-IDed and is unusable. Further, after user A does not cancel the ID “3929” after the operation is completed and the user B inputs the ID “1974” of B while the digital multifunction peripheral 1 is left unattended, the ID is automatically set. “3929” is released, and an automatic ID release notification is sent to the user A's PC “IP 192.168..xxx.xxx”. Further, the PC “IP 192.168..xx.oox” of B is notified that the digital multifunction peripheral 1 “IP 192.168..yy.yy” has been used.

  (F) Although the user performs a PC operation and an action on the mouse and keyboard, since the ID cancellation notification has already been received from the digital multi-function peripheral 1, no ID cancellation notification is issued from the PC.

Digital MFP 1, when the timeout of the timer 20 has elapsed releases the the ID input to the digital multifunction peripheral 1, the state of disablement digital multifunction peripheral 1 for that ID, and notifies the disablement simultaneously PC . On the other hand, if an ID release notification is received from the PC before the time-out time of the timer 20 elapses, the digital multi-function peripheral 1 is disabled. If another person's ID is input to the digital multifunction peripheral 1 before the timer 20 time-out period elapses and before the ID cancellation notification is received from the PC, the ID cancellation notification is sent to the previous user's PC and the current By notifying the ID input person's PC of the use, it is possible to correctly recognize the change of the operating user.

  As described above, according to the present embodiment, it is possible to prevent unauthorized use and misuse of others, because it is not left in a usable state until the timeout time without receiving an unnecessary ID release notification. When used in a management system, its reliability is improved.

1 is a diagram illustrating an example of a system configuration including an externally connected device for explaining a digital multifunction peripheral according to an embodiment of the present invention. It is a figure which shows the example of the user management table which registered the user's authentication code and the IP address of PC. It is a figure which shows the example of a table showing a mode that the IP address of a digital multifunctional device (own device) was hold | maintained at the own device. FIG. 1 is a diagram for explaining an example of a flow of data exchanged between the digital multi-function peripheral and a PC in FIG. 1 (an example in the case where a PC operation is performed before a time-out) together with the movement of the user at that time. It is. 1 is a diagram for explaining another example of the data flow exchanged between the digital multi-function peripheral and the PC in FIG. 1 (example in the case where there is a PC operation after a timeout) together with the movement of the user at that time. It is.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 ... Digital compound machine, 2 ... Telephone line network, 3 ... Facsimile machine for managers (FAX for managers), 4 ... Network, 5 ... Internet network, 6 ... Internet FAX, 7 ... External personal computer (external PC), 8, 9 ... Terminal PC, 8a, 9a ... Keyboard, 8b, 9b ... Mouse, 11 ... Image reading unit, 11a ... CCD, 11b ... Document detection sensor, 12 ... Operation unit, 12a ... Input unit, 12b ... Display unit, 13a ... Printing unit (LSU), 13b ... Memory, 13c ... Cryptographic processing unit, 13 ... Image forming unit, 14 ... Device control unit, 15 ... FAX modem, 16 ... Communication unit, 17 ... Hard disk (HD), 18 ... Erasing Processing unit, 19: management unit, 20 ... timer, 30 ... user management table, 31 ... authentication code column, 32 ... notification destination column, 33 ... user name column, 40 ... IP of own device Dress table, 41 ... IP address field.

Claims (3)

Authentication with an authentication function that permits user authentication by directly entering an ID or setting a key card on the device, permitting use, and restricting subsequent use when the device is not used for a specified timeout period External devices such as multiple PCs are connected to the image processing device with functions,
The image processing apparatus in advance includes a user management table that includes the user information and the address information of the external device of the external device, by referring to the management table to authenticate the user, when permitting the use, the Notifying the external device used by the user of permission information based on the address information of the management table,
When the authentication is canceled due to the elapse of the timeout time, the external device is notified of the cancellation of the authentication when the authentication is canceled by the user's authentication cancellation operation,
The external device transmits the deauthentication instruction to the image processing apparatus when the external device is operated before receiving the deauthentication notification,
An authentication system, wherein the image processing apparatus cancels the authentication by receiving the cancellation instruction. Authentication with an authentication function that permits user authentication by directly entering an ID or setting a key card on the device, permitting use, and restricting subsequent use when the device is not used for a specified timeout period External devices such as multiple PCs are connected to the image processing device with functions,
The image processing apparatus in advance includes a user management table that includes the user information and the address information of the external device of the external device, by referring to the management table to authenticate the user, when permitting the use, the Notifying the external device used by the user of permission information based on the address information of the management table,
When the authentication is canceled due to the elapse of the time-out period, the external device is notified of the cancellation of the authentication when the authentication is canceled by the authentication cancellation operation by the user,
An authentication system characterized by canceling authentication of the user and notifying the external device of the user when the authentication of another user is permitted before the timeout time elapses. An image processing apparatus with an authentication function that constitutes the authentication system according to claim 1.

Images