JP6256057B2 - Authentication system, server, authentication method and authentication program - Google Patents

Description

  The present invention relates to an authentication system, a server, an authentication method, and an authentication program, and more particularly to an authentication system, a server, an authentication method, and an authentication program for authenticating a user using a server.

  In recent years, a technique for remotely controlling an image forming apparatus typified by a multifunction peripheral from a portable information device such as a PDA (Personal Digital Assistants) has been known. For example, Japanese Unexamined Patent Application Publication No. 2004-029938 discloses print transmission data receiving means for receiving print transmission data, and printer position information detection for detecting printer position information for specifying the location where the printer is installed. Means for acquiring printer position information from the printer position information detecting means, and based on the printer position information to compensate for variations in the printer position information acquired by the printer position information acquiring means. When the compensation printer position information generating means for generating the compensation printer position information and a secret key are generated using a passphrase including at least the compensation printer position information, the print transmission data can be decrypted with the secret key. If the printing based on the print transmission data is executed and cannot be decoded, the mark is printed. Printer, characterized in that it comprises a selection print execution means not to execute printing based on the transmission data, a is described.

  On the other hand, a technique for restricting users in order to ensure security is known for an image forming apparatus. For example, the image forming apparatus is remotely controlled on the condition that user authentication is successful.

However, when there are a plurality of image forming apparatuses, it is necessary to register users who are permitted to use for each of the plurality of image forming apparatuses, and the work of registering usable users for each image forming apparatus is complicated. . In addition, by using a server for authentication, user authentication can be executed by the server, but when authenticated by the server, all use of a plurality of image forming apparatuses is permitted. The use of some of the plurality of image forming apparatuses cannot be restricted. In addition, although it is possible to limit the image forming apparatuses that are allowed to be used by the server, it is complicated to register an image forming apparatus that can be used for each user in the server.
JP 2004-029938 A

  The present invention has been made to solve the above-described problems, and one of the objects of the present invention is to provide an authentication system capable of restricting devices that can be used depending on the position of the user at the time of authentication. That is.

  Another object of the present invention is to provide a server capable of restricting devices that can be used depending on the position of the user at the time of authentication.

  Still another object of the present invention is to provide an authentication method capable of restricting devices that can be used depending on the position of a user at the time of authentication.

  Still another object of the present invention is to provide an authentication program capable of restricting devices that can be used depending on the position of the user at the time of authentication.

In order to achieve the above-described object, according to an aspect of the present invention, an authentication system is an authentication system including a server, a plurality of processing execution devices, and a portable information device, and the server is a portable information device. Authentication means for authenticating using the authentication information in response to acquiring authentication information for authenticating the user, and position information acquisition means for acquiring position information indicating the current position of the portable information device from the portable information device And when the authentication by the authentication means is successful, temporary authentication information generating means for generating temporary authentication information including mobile identification information for identifying the mobile information device, and a predetermined area including the acquired position information Provisional authentication information transmitting means for transmitting the generated temporary authentication information to an existing process execution device, and each of the plurality of process execution devices has a predetermined distance from the portable information device. The short-range wireless communication means capable of wireless communication within the range of, and the temporary authentication information acquired from the server in response to the short-range wireless communication means being able to communicate with the portable information apparatus And a permitting means for permitting use on condition that the same mobile identification information as the information is included, and the mobile information device is device identification information of an unregistered device that is a process execution device different from the plurality of process execution devices Unregistered information acquisition means for acquiring the request from the unregistered apparatus, and issuance request means for transmitting an issuance request including the apparatus identification information of the unregistered apparatus to the server, the server responding to the acquisition of the issuance request. And a position confirmation means for acquiring position information indicating the position of the unregistered apparatus from the unregistered apparatus specified by the apparatus identification information included in the issue request, and the temporary authentication information transmitting means is obtained from the portable information apparatus. An unregistered device that transmits temporary authentication information to an unregistered device on the condition that the location specified by the location information and the location specified by the location information acquired from the unregistered device belong to the same area Including transmission means .

According to this aspect, when the authentication using the authentication information acquired from the portable information device is successful by the server, the temporary authentication information is generated and the process exists in the area including the position information acquired from the portable information device. The temporary authentication information is transmitted to the execution device. In addition, each of the plurality of processing execution devices is permitted to use the provisional authentication information on the condition that the temporary authentication information includes the mobile identification information of the mobile information device in response to being able to communicate with the mobile information device. For this reason, since temporary authentication information is transmitted to the processing execution device existing in the area including the location information acquired from the portable information device, the processing execution device that can be used depending on the position of the user of the portable information device at the time of authentication Can be limited. As a result, it is possible to provide an authentication system capable of restricting devices that can be used depending on the position of the user at the time of authentication.
In addition, an issuance request including device identification information acquired from an unregistered device is transmitted to the server by the portable information device, and in response to acquiring the issuance request by the server, location information is acquired from the unregistered device, Temporary authentication information is transmitted to the unregistered device on condition that the position of the portable information device and the position of the unregistered device belong to the same area. For this reason, use of a device existing within a predetermined range from the portable information device can be permitted.

  Preferably, the temporary authentication information generation unit generates temporary authentication information further including an expiration date, and the permission unit permits the use on the condition that it is within the expiration date included in the temporary authentication information.

  According to this aspect, use is permitted on the condition that it is within the expiration date included in the temporary authentication information. The user's position may be changed after a predetermined time has elapsed since the user was authenticated. For this reason, it is possible not to permit use when the user moves the position.

  Preferably, the temporary authentication information generating unit generates temporary authentication information further including user identification information for identifying the authenticated user, and the permission unit is a user specified by the user identification information included in the temporary authentication information. Allow the use of.

  According to this aspect, since the use of the user specified by the user identification information included in the temporary authentication information is permitted, the user does not need to input the user identification information again to the device to be used.

  Preferably, the temporary authentication information transmitting means includes a predetermined position information acquired from among the plurality of processing execution devices, using device arrangement information indicating an area where each of the plurality of processing execution devices is installed. Device specifying means for specifying a processing execution device existing in the area is included.

  Preferably, the server obtains device arrangement information indicating a region including a position specified by the position information acquired as the region where the unregistered device is arranged in response to the acquisition of the position information by the position confirmation unit. Device registration means for generating.

  According to this aspect, a device that is not registered in the server can be automatically registered.

According to another aspect of the present invention, the server obtains authentication information for authenticating the user from the portable information device, and authenticates using the authentication information. Temporary authentication information generation for generating position information acquisition means for acquiring position information indicating the current position of the information apparatus and temporary authentication information including portable identification information for identifying the portable information apparatus when authentication by the authentication means is successful And the same portable information as the portable identification information included in the generated temporary authentication information in the processing execution device existing in a predetermined area including the position specified by the acquired position information among the plurality of processing execution devices. to permit the use when it becomes possible to portable information devices and short-range radio communication of the identification information, the temporary authentication information transmitting means for transmitting the temporary authentication information generated, a plurality of process execution In response to acquiring an issuance request including device identification information of an unregistered device, which is a processing execution device different from the device, from the unregistered device specified by the device identification information included in the issuance request. Position verification means for acquiring position information indicating the position of the unregistered device, and the temporary authentication information transmitting means is acquired from the position specified by the position information acquired from the portable information device and from the unregistered device. On the condition that the position specified by the position information belongs to the same region, an unregistered apparatus transmitting means for transmitting temporary authentication information to the unregistered apparatus is included .

  According to this aspect, when the authentication using the authentication information acquired from the portable information device is successful, temporary authentication information is generated and the processing execution device existing in the area including the position information acquired from the portable information device is provided. Temporary authentication information is transmitted. For this reason, since temporary authentication information is transmitted to the processing execution device existing in the area including the location information acquired from the portable information device, the processing execution device that can be used depending on the position of the user of the portable information device at the time of authentication Can be limited. As a result, it is possible to provide a server that can limit the devices that can be used depending on the location of the user at the time of authentication.

Preferably, the temporary authentication information generation unit generates temporary authentication information further including an expiration date.
Preferably, the temporary authentication information generating unit generates temporary authentication information further including user identification information for identifying the authenticated user.
Preferably, the temporary authentication information transmitting means includes a predetermined position information acquired from among the plurality of processing execution devices, using device arrangement information indicating an area where each of the plurality of processing execution devices is installed. Device specifying means for specifying a processing execution device existing in the area is included.
Preferably, an apparatus for generating apparatus arrangement information indicating an area including a position specified by position information acquired as an area where an unregistered apparatus is arranged in response to the acquisition of position information by a position confirmation unit Registration means.

According to still another aspect of the present invention, an authentication method includes: an authentication step for authenticating using authentication information in response to acquiring authentication information for authenticating a user from a portable information device; Temporary authentication for generating temporary authentication information including mobile identification information for identifying the mobile information device when authentication is successful in the location information acquisition step for acquiring location information indicating the current location of the mobile information device and the authentication step Information generation step, and mobile identification information included in the generated temporary authentication information in the processing execution device existing in a predetermined area including the position specified by the acquired position information among the plurality of processing execution devices; Temporary authentication information transmission that transmits the generated temporary authentication information to allow use when short-range wireless communication with a portable information device of the same portable identification information becomes possible. A step, by the plurality of processing execution apparatus according to obtain the issuance request including the device identification information of the unregistered device is another process executing apparatus from the portable information device, identified by device identification information included in the issuance request A position confirmation step for acquiring position information indicating the position of the unregistered device from the unregistered device is executed by the server, and the temporary authentication information transmission step is specified by the position information acquired from the portable information device An unregistered device transmission step of transmitting temporary authentication information to the unregistered device is included on the condition that the position and the position specified by the position information acquired from the unregistered device belong to the same area .

  If this aspect is followed, the authentication method which can restrict | limit the apparatus which can be used with the position of the user at the time of authenticating can be provided.

Preferably, the temporary authentication information generation step includes a step of generating temporary authentication information further including an expiration date.
Preferably, the temporary authentication information generating step includes a step of generating temporary authentication information further including user identification information for identifying the authenticated user.
Preferably, the provisional authentication information transmitting step includes predetermined position information acquired from among the plurality of processing execution devices using device arrangement information indicating an area where each of the plurality of processing execution devices is installed. A device specifying step for specifying a processing execution device existing in the area is included.
Preferably, an apparatus for generating apparatus arrangement information indicating an area including a position specified by position information acquired as an area in which an unregistered apparatus is arranged in response to acquisition of position information in the position confirmation step The registration step is further executed by the server.

According to still another aspect of the present invention, an authentication program causes a computer to execute the above authentication method .

  If this aspect is followed, the authentication program which can restrict | limit the apparatus which can be used with the position of the user at the time of authenticating can be provided.

It is a figure which shows an example of the whole outline | summary of the authentication system in embodiment of this invention. It is a block diagram which shows an example of the hardware constitutions of the server in this Embodiment. It is a block diagram which shows the outline | summary of the hardware constitutions of the portable information device in this Embodiment. 2 is a block diagram illustrating an example of a hardware configuration of an MFP according to the present embodiment. FIG. is there. It is a block diagram which shows an example of the outline | summary of the function of CPU with which the server in 1st Embodiment is provided. It is a figure which shows an example of a registration apparatus table. It is a block diagram which shows an example of the function of CPU with which the portable information device in 1st Embodiment is provided. 3 is a block diagram illustrating an example of functions of a CPU provided in the MFP according to the first embodiment. FIG. It is a flowchart which shows an example of the flow of the server side authentication process in 1st Embodiment. It is a flowchart which shows an example of the flow of the portable side authentication process in 1st Embodiment. It is a flowchart which shows an example of the flow of the apparatus side authentication process in 1st Embodiment. It is a block diagram which shows an example of the outline | summary of the function of CPU with which the server in 2nd Embodiment is provided. It is a block diagram which shows an example of the function of CPU with which the portable information device in 2nd Embodiment is provided. FIG. 10 is a block diagram illustrating an example of functions of a CPU provided in an MFP according to a second embodiment. It is a flowchart which shows an example of the flow of the server side authentication process in 2nd Embodiment. It is a flowchart which shows an example of the flow of the portable side authentication process in 2nd Embodiment. It is a flowchart which shows an example of the flow of the apparatus side authentication process in 2nd Embodiment.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings. In the following description, the same parts are denoted by the same reference numerals. Their names and functions are also the same. Therefore, detailed description thereof will not be repeated.

<First Embodiment>
FIG. 1 is a diagram showing an example of an overall outline of an authentication system according to an embodiment of the present invention. Referring to FIG. 1, authentication system 1 includes a server 300, a plurality of MFPs (Multi Function Peripherals) 100, 100A, 100B, 100C, 100D, and 100E that function as processing execution devices, and portable information device 200. Including.

  The server 300 is a general computer and is connected to the Internet 5. MFPs 100, 100 </ b> A, and 100 </ b> B are arranged at A site 7 and are connected to a local area network (hereinafter referred to as LAN) 2. The LAN 2 is connected to the Internet 5 via a gateway (hereinafter referred to as G / W) 3. The LAN 2 is connected to a wireless LAN base station 4. MFPs 100C, 100D, and 100E are disposed at B site 9, and each is connected to LAN 2A. The LAN 2A is connected to the Internet 5 via the G / W 3A. The LAN 2A is connected to a wireless LAN base station 4A.

  MFP 100 includes a document reading function for reading a document, an image forming function for forming an image on a recording medium such as paper based on image data, and a facsimile transmission / reception function for transmitting / receiving facsimile data. In the present embodiment, MFPs 100 and 100A to 100E will be described as an example of the processing execution device. However, instead of MFPs 100 and 100A to 100E, any device having a function of executing processing may be used. It may be a printer, a scanner, a personal computer, or the like.

  The portable information device 200 is used by being carried by a user, such as a PDA or a smartphone, and has a wireless LAN function and a short-range wireless communication function.

  The connection form of the networks 2 and 2A may be wired or wireless. The LANs 2 and 2A are not limited to local connections, but may be a network using a public switched telephone network or a wide area network (WAN) such as the Internet.

  MFPs 100, 100 A, and 100 B can send and receive data to and from server 300 via network 2 and GW 3. MFPs 100C, 100D, and 100E can transmit and receive data to and from server 300 via networks 2A and GW 3A.

  Note that MFPs 100, 100A to 100Eno have the same hardware configuration and functions, and therefore MFP 100 will be described as an example unless otherwise specified.

  FIG. 2 is a block diagram illustrating an example of a hardware configuration of the server according to the present embodiment. Referring to FIG. 2, the server 300 includes a central processing unit (CPU) 301 for controlling the entire server 300, a ROM (Read Only Memory) 302 that stores a program to be executed by the CPU 301, A RAM (Random Access Memory) 303 used as a work area, an HDD (Hard Disk Drive) 304 that stores data in a nonvolatile manner, a communication unit 305 that connects the CPU 301 to the Internet 5, and a display unit 306 that displays information And an operation unit 307 that receives an input of a user's operation, and an external storage device 309.

  The ROM 302 stores a program executed by the CPU 301 or data necessary for executing the program. The RAM 303 is used as a work area when the CPU 301 executes a program.

  The display unit 306 is a display device such as a liquid crystal display device (LCD) or an organic ELD (Electro-Luminescence Display), and displays an image. The operation unit 307 includes a hard key composed of a plurality of keys, and accepts input of various instructions, data such as characters and numbers by user operations corresponding to the keys.

  The communication unit 305 is an interface for connecting the server 300 to the Internet 5. CPU 301 communicates with portable information device 200 and MFPs 100, 100 </ b> A to 100 </ b> D via communication unit 305 to transmit / receive data.

  The external storage device 309 is loaded with a CD-ROM (Compact Disk ROM) 309A. The CPU 301 can access the CD-ROM 309A via the external storage device 309. The CPU 301 loads the program recorded on the CD-ROM 309A mounted on the external storage device 309 into the RAM 303 and executes it. The medium for storing the program executed by the CPU 301 is not limited to the CD-ROM 309A, but an optical disc (MO (Magnetic Optical Disc) / MD (Mini Disc) / DVD (Digital Versatile Disc)), IC card, optical card, It may be a semiconductor memory such as a mask ROM, EPROM (Erasable Programmable ROM), or EEPROM (Electrically EPROM).

  The program executed by the CPU 301 is not limited to the program recorded on the CD-ROM 309A, and the program stored in the HDD 304 may be loaded into the RAM 303 and executed. In this case, another computer connected to the Internet 5 may rewrite the program stored in the HDD 304 of the server 300, or may add a new program and write it. Further, the server 300 may download a program from another computer connected to the Internet 5 and store the program in the HDD 304. The program here includes not only a program directly executable by the CPU 301 but also a source program, a compressed program, an encrypted program, and the like.

  FIG. 3 is a block diagram showing an outline of the hardware configuration of the portable information device according to the present embodiment. Referring to FIG. 3, portable information device 200 includes a CPU 201 for controlling the entire portable information device 200, a camera 202, a flash memory 203 for storing data in a nonvolatile manner, a calling unit 205, and a calling unit. 205, a wireless communication unit 204 connected to 205, a display unit 206 that displays information, an operation unit 207 that accepts input of user operations, a wireless LAN interface (I / F) 208, an external storage device 209, and a short A distance wireless communication unit 210 and a GPS sensor 211 are included.

  The wireless communication unit 204 performs wireless communication with a mobile phone base station connected to a telephone communication network. The wireless communication unit 204 connects the portable information device 200 to a telephone communication network and enables a call using the call unit 205. The radio communication unit 204 decodes a voice signal obtained by demodulating the radio signal received from the mobile phone base station and outputs the decoded signal to the call unit 205. Further, the wireless communication unit 204 encodes the voice input from the call unit 205 and transmits it to the mobile phone base station. The call unit 205 includes a microphone and a speaker, outputs the voice input from the wireless communication unit 204 from the speaker, and outputs the voice input from the microphone to the wireless communication unit 204. Further, the wireless communication unit 204 is controlled by the CPU 201 and transmits / receives data via the mobile phone base station, and for example, connects the mobile information device 200 to the Internet 5. Therefore, the portable information device 200 can communicate with the server 300 via the wireless communication unit 204.

  The camera 202 includes a lens and a photoelectric conversion element such as a CMOS (Complementary Metal Oxide Semiconductor) sensor, and focuses light collected by the lens on a CMOS sensor. The CMOS sensor photoelectrically converts the received light to convert image data. It outputs to CPU201. In place of the CMOS sensor, a CCD (Charge Coupled Devices) may be used.

  The display unit 206 is a display device such as a liquid crystal display (LCD) or an organic ELD, and displays an instruction menu for the user, data received from the outside, and the like. The operation unit 207 includes a plurality of keys, and accepts input of various instructions, data such as characters and numbers by user operations corresponding to the keys.

  The operation unit 207 includes a touch panel 207A. Touch panel 207 </ b> A detects a position designated by the user on the display surface of display unit 206. The touch panel 207A is provided on the upper surface or the lower surface of the display unit 206, and outputs the coordinates of the position designated by the user to the CPU 201. Touch panel 207A is a multi-touch screen panel, and outputs a plurality of coordinates respectively corresponding to a plurality of positions designated by the user to CPU 201 when a plurality of positions are designated by the user at the same time. The touch panel 207 </ b> A is preferably the same size or larger than the display surface of the display unit 206. Since the touch panel 207A is provided so as to overlap with the display unit 206, the touch panel 207A can be placed at one or more positions designated by the user on the display surface of the display unit 206 when the user indicates the display surface of the display unit 206. One or more corresponding coordinates are output to the CPU 201. For the touch panel 207A, for example, a resistive film method, a surface acoustic wave method, an infrared method, an electromagnetic induction method, or a capacitance method can be used, and the method is not limited.

  The wireless LAN I / F 208 is an interface for communicating with the base station 4 or the base station 4A of the wireless LAN and connecting the portable information device 200 to the LANs 2 and 2A. When the wireless LAN I / F 208 communicates with the base station 4, the portable information device 200 can communicate with the MFPs 100, 100 </ b> A, and 100 </ b> B, and can communicate with the server 300 via the G / W 3. In addition, when the wireless LAN I / F 208 communicates with the base station 4A, the portable information device 200 can communicate with the MFPs 100C, 100D, and 100E, and can communicate with the server 300 via the G / W 3A.

  The external storage device 209 is detachable from the portable information device 200, and a CD-ROM 209A storing a remote operation program can be attached thereto. The CPU 201 can access the CD-ROM 209A via the external storage device 209. The CPU 201 can load a remote operation program recorded on the CD-ROM 209A attached to the external storage device 209 into a RAM included in the CPU 201 and execute it.

  The program recorded in the flash memory 203 or the CD-ROM 209A has been described as a program executed by the CPU 201. However, a program in which another computer connected to the Internet 5 rewrites the program stored in the flash memory 203. Alternatively, it may be a new program written additionally. Further, the portable information device 200 may be a program downloaded from another computer connected to the Internet 5. The program here includes not only a program directly executable by the CPU 201 but also a source program, a compressed program, an encrypted program, and the like.

  The medium for storing the program executed by the CPU 201 is not limited to the CD-ROM 209A, and may be a semiconductor memory such as an optical disk (MO / MD / DVD), IC card, optical card, mask ROM, EPROM, or EEPROM. Good.

  Short-range wireless communication unit 210 wirelessly communicates with an apparatus within the communicable range among MFPs 100 and 100A to 100E. The communicable distance of the short-range wireless communication unit 210 is limited to a predetermined distance and is not particularly limited, but is preferably within a few meters. The short-range wireless communication unit 210 is not limited to a communication medium. For example, the short-range wireless communication unit 210 performs wireless communication using a communication standard such as IrDA (Infrared Data Association) or a communication standard such as Bluetooth (registered trademark). The short-range wireless communication unit 210 detects the MFP 100 and becomes communicable with the MFP 100 when, for example, the MFP 100 exists as a communication partner device within the communicable distance range.

  The GPS sensor 211 detects the current position of the MFP 100 based on radio waves received from a GPS (Global Positioning System) satellite. The GPS sensor 211 outputs position information indicating the detected current position to the CPU 201.

  FIG. 4 is a block diagram showing an example of the hardware configuration of the MFP according to the present embodiment. Referring to FIG. 4, MFP 100 includes a main circuit 110, a document reading unit 130 for reading a document, an automatic document feeder 120 for transporting a document to document reading unit 130, and a document reading unit 130. An image forming unit 140 for forming an image on a sheet or the like based on image data output by reading the image, a sheet feeding unit 150 for supplying the sheet to the image forming unit 140, an operation panel 160 as a user interface, Short-range wireless communication unit 170.

  The main circuit 110 includes a CPU 111, a communication interface (I / F) unit 112, a ROM 113, a RAM 114, an EEPROM (Electrically Erasable and Programmable ROM) 115, a hard disk drive (HDD) 116 as a mass storage device, A facsimile unit 117 and an external storage device 119 on which a CD-ROM (Compact Disc-Read Only Memory) 119A is mounted are included. CPU 111 is connected to automatic document feeder 120, document reading unit 130, image forming unit 140, sheet feeding unit 150 and operation panel 160, and short-range wireless communication unit 170, and controls the entire MFP 100.

  The ROM 113 stores a program executed by the CPU 111 or data necessary for executing the program. The RAM 114 is used as a work area when the CPU 111 executes a program. The RAM 114 temporarily stores read data (image data) continuously sent from the document reading unit 130.

  Operation panel 160 is provided on the upper surface of MFP 100. Operation panel 160 includes a display unit 161 and an operation unit 163. The display unit 161 is a display device such as a liquid crystal display (LCD) or an organic ELD (Electro-Luminescence Display), and displays an instruction menu for the user, information about acquired image data, and the like. The operation unit 163 includes a plurality of keys and accepts input of various instructions, data such as characters and numbers, by user operations corresponding to the keys. The operation unit 163 further includes a touch panel 165 that detects the position of the display surface of the display unit 161. The touch panel 165 is provided on the upper surface or the lower surface of the display unit 161, and outputs the coordinates of the position instructed by the user to the CPU 111.

  Communication I / F unit 112 is an interface for connecting MFP 100 to LAN 2. CPU 111 communicates with other MFPs 100A and 100B or base station 4 connected to LAN 2 via communication I / F unit 112 to transmit and receive data. The communication I / F unit 112 can communicate with the server 300 connected to the Internet 5 via the G / W 3.

  The facsimile unit 117 is connected to a public switched telephone network (PSTN) and transmits / receives facsimile data. The facsimile unit 117 converts image data read by the document reading unit 130 or data stored in the HDD 116 into facsimile data, and transmits the facsimile data to a facsimile machine connected to the PSTN. In addition, the facsimile unit 117 stores the received facsimile data in the HDD 116 or causes the image forming unit 140 to form an image of the facsimile data on a sheet.

  The external storage device 119 is loaded with a CD-ROM 119A. The CPU 111 can access the CD-ROM 119A via the external storage device 119. The CPU 111 loads the program recorded on the CD-ROM 119A attached to the external storage device 119 into the RAM 114 and executes it. Note that the program executed by the CPU 111 is not limited to the program recorded on the CD-ROM 119A, and the program stored in the HDD 116 may be loaded into the RAM 114 and executed. In this case, another computer connected to the network may rewrite the program stored in HDD 116 of MFP 100 or may write a new program. Further, MFP 100 may download a program from another computer connected to LAN 2 or Internet 5 and store the program in HDD 116. The program here includes not only a program directly executable by the CPU 111 but also a source program, a compressed program, an encrypted program, and the like.

  The medium for storing the program executed by the CPU 111 is not limited to the CD-ROM 119A, and may be a semiconductor memory such as an optical disk (MO / MD / DVD), IC card, optical card, mask ROM, EPROM, or EEPROM. Good.

  The short-range wireless communication unit 170 performs wireless communication with the short-range wireless communication unit 210 of the portable information device 200 when the portable information device 200 exists within a communicable range. The short-range wireless communication unit 170 can detect the portable information device 200 and communicate with the portable information device 200 when the portable information device 200 exists as a communication partner device within the communicable distance range, for example. It becomes a state.

  FIG. 5 is a block diagram illustrating an example of an overview of the functions of the CPU provided in the server according to the first embodiment. The functions illustrated in FIG. 5 are functions formed in the CPU 301 when the CPU 301 included in the server 300 according to the first embodiment executes an authentication program stored in the ROM 302, the HDD 304, or the CD-ROM 309. Referring to FIG. 5, the CPU 301 acquires an authentication information acquisition unit 351 that acquires authentication information, an authentication unit 353 that authenticates a user based on the authentication information, and a position information acquisition unit 355 that acquires position information indicating the current position. A temporary authentication information generating unit 357 for generating temporary authentication information, a temporary authentication information transmitting unit 359 for transmitting temporary authentication information, an issue request acquiring unit 363 for acquiring a request for issuing temporary authentication information, and an apparatus location confirmation unit 365 and a device registration unit 361.

  The authentication information acquisition unit 351 acquires authentication information from the portable information device 200. When the communication unit 305 receives the authentication information from the portable information device 200, the authentication information is acquired from the communication unit 305. The authentication information acquisition unit 351 outputs the authentication information acquired from the portable information device 200 to the authentication unit 353. The authentication information is information for authenticating the user, and includes information for identifying the user and information for authenticating the user. Here, a case where user identification information is used as information for identifying the user and a password is used as information for authenticating the user will be described as an example. The authentication information may be biometric information instead of a password. The biological information may be, for example, an image obtained by capturing a fingerprint, an iris, a vein, or the like.

  The authentication unit 353 authenticates the user based on the authentication information. The authentication unit 353 performs authentication on the condition that the same authentication information as the authentication information input from the authentication information acquisition unit 351 is registered. A person having authority to operate the server 300 may register predetermined user authentication information in the server 300. The authentication unit 353 authenticates if the same authentication information as the authentication information input from the authentication information acquisition unit 351 is registered, and does not authenticate if it is not registered. If the authentication is successful, the authentication unit 353 outputs a generation instruction including the user identification information of the authenticated user to the temporary authentication information generation unit 357. If the authentication is not successful, the authentication unit 353 outputs nothing to the temporary authentication information generation unit 357. Do not output. Further, the authentication unit 353 transmits the authentication result to the device that has transmitted the authentication information, here, the portable information device 200 via the communication unit 305. The authentication result includes an authentication result indicating that the authentication has succeeded and an authentication result indicating that the authentication has failed.

  The position information acquisition unit 355 acquires position information from the portable information device 200. When the communication unit 305 receives position information from the portable information device 200, the position information is acquired from the communication unit 305. Although details of the position information transmitted by the portable information device 200 will be described later, this is information indicating the geographical position of the portable information device 200 when the user inputs authentication information to the portable information device 200. The position information is determined by, for example, latitude and longitude. Also, the altitude may be included. The position information acquisition unit 355 determines a set of the position information acquired from the portable information device 200 and portable identification information for identifying the portable information device 200 that has transmitted the position information as the temporary authentication information generation unit 357 and the device position. The data is output to the confirmation unit 365.

  The temporary authentication information generation unit 357 receives position information and mobile identification information from the position information acquisition unit 355, and receives a generation instruction from the authentication unit 353. The temporary authentication information generation unit 357 generates temporary authentication information in response to a generation instruction input from the authentication unit 353, and sets the generated temporary authentication information and position information as a temporary authentication information transmission unit 359 and The data is output to the device position confirmation unit 365. The temporary authentication information includes user identification information included in the generation instruction, portable identification information of the portable information device 200, and an expiration date. The expiration date is determined based on the date and time when the authentication of the user is successful by the authentication unit 353, and is a predetermined period from the date and time. The user identification information included in the generation instruction is information for identifying the user authenticated by the authentication unit 353. The portable identification information input together with the position information from the position information acquisition unit 355 is information for identifying the portable information device 200 carried by the user authenticated by the authentication unit 353.

  Temporary authentication information transmission unit 359 transmits temporary authentication information to one or more of MFPs 100, 100 </ b> A to 100 </ b> E in response to input of a pair of temporary authentication information and position information from temporary authentication information generation unit 357. The temporary authentication information transmission unit 359 includes a device specifying unit 371. The device specifying unit 371 specifies a device to which temporary authentication information is to be transmitted from among previously registered devices. The temporary authentication information transmission unit 359 transmits temporary authentication information to the device specified by the device specifying unit 371 via the communication unit 305.

  The device specifying unit 371 specifies a device using a registered device table stored in advance in the HDD 304.

  FIG. 6 is a diagram illustrating an example of a registration device table. Referring to FIG. 6, the registered device table includes a registered device record including a registered device item and an area item for each device registered in server 300. In the item of registered device, device identification information of a device registered in the server 300 is set. In the area item, area information indicating an area to which a geographical position where the apparatus identified by the apparatus identification information set in the registered apparatus item belongs is set. Here, a case will be described as an example in which the device identification information of MFPs 100 and 100A to 100C is MFP-0 to MFP-5, and MFPs 100 and 100A to 100C are registered in server 300. Further, the area information indicating the A base 7 is referred to as area information A, and the area information indicating the B base 9 is referred to as area information B. In this case, the registered device table includes a registered device record including device identification information “MFP-0” of MFP 100 and region information “region information A” indicating A site 7, and device identification information “MFP-1” of MFP 100A. A registration apparatus record including area information “area information A” indicating the A base 7; a registration apparatus record including apparatus identification information “MFP-2” of the MFP 100B; and area information “area information A” indicating the A base 7. , Registration device record including device identification information “MFP-3” of MFP 100C and region information “region information B” indicating B site 9, and region information indicating device identification information “MFP-4” of MFP 100D and B site 9. And a registration device record including “area information B”.

  Returning to FIG. 5, the device specifying unit 371 sets the region information of the region including the position information input from the temporary authentication information generating unit 357 among the plurality of registered device records included in the registered device table as the item of the region. The set registration device record is extracted, and the device identified by the device identification information set in the registration device item of the one or more extracted registration device records is specified. For example, if the position specified by the position information received from the portable information device 200 is within the A base 7, the MFP 100, 100A, 100B is specified and the position specified by the position information received from the portable information device 200 If B is in B site 9, MFPs 100C and 100D are specified.

  More specifically, when the user who operates the portable information device 200 inputs the authentication information to the portable information device 200, the user who operates the portable information device 200 is located in the A base 7. Temporary authentication information including the user identification information and the portable identification information of portable information device 200 is transmitted to MFPs 100, 100 A, and 100 C arranged at A base 7. In addition, when the user who operates the portable information device 200 inputs the authentication information to the portable information device 200, when the portable information device 200 is located in the B base 9, the user identification information of the user who operates the portable information device 200 And temporary authentication information including portable identification information of portable information device 200 are transmitted to MFPs 100 </ b> C and 100 </ b> D disposed at B site 9.

  The issue request acquisition unit 363 acquires an issue request from the portable information device 200. When the communication unit 305 receives the issuance request from the portable information device 200, the issuance request is acquired from the communication unit 305. Details of the issue request transmitted by the portable information device 200 will be described later, but include device identification information of a device not registered in the server 300. Here, a case will be described as an example where MFP 100E located at B site 9 is not registered in server 300. In this case, when portable information device 200 can communicate with MFP 100E, portable information device 200 acquires device identification information from MFP 100E and transmits an issuance request including the device identification information to server 300. When the communication unit 305 receives an issue request from the portable information device 200, the issue request acquisition unit 363 includes a set of device identification information included in the issue request acquired from the communication unit 305 and the portable identification information of the portable information device 200. Is output to the apparatus position confirmation unit 365. Note that the mobile identification information and the device identification information may be IP (Internet Protocol) addresses.

  The device location confirmation unit 365 receives a set of temporary authentication information and location information from the temporary authentication information generation unit 357, and receives a set of device identification information and mobile identification information from the issue request acquisition unit 363. When a set of device identification information and mobile identification information is input from the issue request acquisition unit 363, the mobile identification input from the issue request acquisition unit 363 in the temporary authentication information input from the temporary authentication information generation unit 357. On the condition that temporary authentication information including the same mobile identification information as the information exists, the geographical position where the device specified by the device identification information input from the issue request acquisition unit 363 is arranged is confirmed. This is for confirming that the issue request is transmitted from the portable information device 200 operated by the user authenticated by the authentication unit 353. Device position confirmation unit 365 transmits a request for transmitting position information to MFP 100E specified by the device identification information included in the issue request via communication unit 305, and acquires position information returned by MFP 100E. In other words, the device position confirmation unit 365 receives the issue request from the portable information device 200 operated by the user authenticated by the authentication unit 353, and is specified by the device identification information included in the issue request. The position information indicating the geographical position where is placed is acquired. Further, device position confirmation unit 365 has a position in which the position specified by the position information acquired from MFP 100E and the position specified by the position information of portable information device 200 input from position information acquisition unit 355 are within the same region. It is determined whether or not. If the position where MFP 100E is disposed and the position of portable information device 200 are within the same region, device position confirmation unit 365 outputs a transmission instruction including device identification information of MFP 100E to temporary authentication information transmission unit 359. Then, a registration instruction including the apparatus identification information of MFP 100E and the position information acquired from MFP 100E is output to apparatus registration unit 361.

  The device registration unit 361 generates a new device registration record in response to a registration instruction input from the device position confirmation unit 365, and adds the generated device registration record to the device registration table stored in the HDD 304. . The device identification information included in the registration instruction is set in the item of the registration device, and the region information indicating the region including the position specified by the position information included in the registration instruction is set in the region item. Generate. Here, a new registration device record is generated in which the device identification information of MFP 100E is set in the item of registration device, and the region information indicating B site 9 is set in the region item. Thereby, MFP 100E is registered in server 300.

  The temporary authentication information transmission unit 359 further includes an unregistered device transmission unit 373. In response to the input of the transmission instruction from the apparatus position confirmation unit 365, the unregistered apparatus transmission unit 373 sends temporary authentication information to the MFP 100E identified by the apparatus identification information included in the transmission instruction via the communication unit 305. The temporary authentication information input from the generation unit 357 is transmitted.

  FIG. 7 is a block diagram illustrating an example of functions of the CPU provided in the portable information device according to the first embodiment. The functions shown in FIG. 7 are functions formed in the CPU 201 when the CPU 201 included in the portable information device 200 executes a program stored in the flash memory 203 or the CD-ROM 209A. Referring to FIG. 7, CPU 201 included in portable information device 200 includes a position detection unit 251, a position information transmission unit 253, an authentication information reception unit 255 that receives input of authentication information by a user, and authentication information to server 300. An authentication information transmission unit 257 for transmission, a short distance control unit 259 for controlling the short-range wireless communication unit 210, and an issue request unit 265 are included.

  The position detection unit 251 controls the GPS sensor 211 and acquires the current position of the portable information device 200 detected by the GPS sensor 211. The position detection unit 251 outputs position information indicating the acquired current position to the position information transmission unit 253. The position information transmission unit 253 transmits the position information input from the position detection unit 251 to the server 300 via the wireless LAN I / F 208.

  The authentication information receiving unit 255 receives authentication information input to the operation unit 207 by the user. For example, an authentication screen for inputting user identification information and a password is displayed on the display unit 206, and the user identification information and password that the user inputs to the operation unit 207 according to the authentication screen are received. The authentication information reception unit 255 outputs the received user identification information and password as authentication information to the authentication information transmission unit 257.

  The authentication information transmission unit 257 transmits the authentication information to the server 300 via the wireless LAN I / F 208. A network address assigned to the server 300 in the Internet 5 may be stored in advance. Since the server 300 that receives the authentication information returns an authentication result, the authentication information transmission unit 257 acquires the authentication result received by the wireless LAN I / F 208 from the server 300 and outputs the authentication result to the short distance control unit 259. .

  The short distance control unit 259 controls the short distance wireless communication unit 210. The short distance control unit 259 includes a device information transmission unit 261 and an unregistered information acquisition unit 263. When the authentication information indicating that the authentication is successful is input from the authentication information transmitting unit 257, the device information transmitting unit 261 is a device that can communicate with the short-range wireless communication unit 210 among the MFPs 100 and 100A to 100E. The device information is transmitted. The device information includes mobile identification information for identifying the mobile information device 200. For example, the short-range wireless communication unit 210 can communicate with the MFP 100 when the MFP 100 exists within the range of the distance that the short-range wireless communication unit 210 can communicate. In other words, when the distance between the user who operates portable information device 200 and MFP 100 is within a predetermined distance, portable information device 200 transmits portable identification information to MFP 100.

  Of the MFPs 100, 100A to 100E, the device that receives the device information returns a login result. Unregistered information acquisition unit 263 acquires a login result received by short-range wireless communication unit 210 from a device that receives device information among MFPs 100 and 100A to 100E. The login result includes a result indicating that login is permitted and a result indicating that login is not permitted. For example, when MFPs 100, 100 </ b> A to 100 </ b> C are registered in server 300 and MFP 100 </ b> E is not registered, the user of portable information device 200 is authenticated by server 300 in a state of being located at B site 9. In the case of the MFP 100C, 100D, 100E arranged at the base B 9, the MFP 100C, 100D receives a login result indicating that login is permitted, but the MFP 100E receives a login result indicating that login is not permitted. Receive.

  When the short-range wireless communication unit 210 receives a result indicating that login is not permitted from the MFP 100E, the unregistered information acquisition unit 263 acquires device identification information of the MFP 100E. Unregistered information acquisition unit 263 requests MFP 100E to transmit device identification information via short-range wireless communication unit 210, and acquires device identification information received by short-range wireless communication unit 210 from MFP 100E. When the short-range wireless communication unit 210 can communicate with the MFP 100E, if the device identification information is acquired from the MFP 100E, the device identification information may be used. Unregistered information acquisition unit 263 outputs the acquired device identification information of MFP 100 </ b> E to issue request unit 265.

  The issuance request unit 265 transmits an issuance request including the device identification information of the MFP 100E to the server 300 via the wireless LAN I / F 208 in response to the device identification information of the MFP 100E being input from the unregistered information acquisition unit 263. To do.

  FIG. 8 is a block diagram illustrating an example of the functions of the CPU provided in the MFP according to the first embodiment. The functions shown in FIG. 8 are functions formed in CPU 111 when CPU 111 provided in MFP 100 executes programs stored in ROM 113, EEPROM 115, HDD 116, and CD-ROM 119A. Referring to FIG. 8, CPU 111 includes a communication control unit 51 that controls communication I / F unit 112, a device-side short-range control unit 53 that controls short-range wireless communication unit 170, and permission unit 55. .

  The communication control unit 51 controls the communication I / F unit 112. Communication control unit 51 includes a position confirmation reception unit 56, a position information transmission unit 57, and a temporary authentication information acquisition unit 59. When the communication I / F unit 112 receives the temporary authentication information from the server 300, the temporary authentication information acquisition unit 59 outputs the temporary authentication information to the apparatus-side short distance control unit 53.

  The position confirmation receiving unit 56 outputs a transmission instruction to the position information transmitting unit 57 when the communication I / F unit 112 receives a position information transmission request from the server 300. Position information transmission unit 57 transmits position information indicating the geographical position where MFP 100 is located to server 300 via communication I / F unit 112 in response to a transmission instruction being input. Position information indicating the geographical position where the MFP 100 is located may be stored in the HDD 116 in advance.

  The device-side short-range control unit 53 controls the short-range wireless communication unit 170. The device-side short distance control unit 53 includes a device information acquisition unit 61 and a device information transmission unit 63. The device information acquisition unit 61 controls the short-range wireless communication unit 170. When the short-range wireless communication unit 170 can communicate with the portable information device 200, the short-range wireless communication unit 170 receives the portable identification information from the portable information device 200. Receive the mobile identification information. For example, when the short-range wireless communication unit 170 can communicate with the portable information device 200, the portable information device 200 exists within the range of the distance that the short-range wireless communication unit 170 can communicate. In other words, when the distance between the user who operates portable information device 200 and MFP 100 is within a predetermined distance, device information acquisition unit 61 acquires portable identification information from portable information device 200. The device information acquisition unit 61 outputs the mobile identification information of the mobile information device 200 to the permission unit 55.

  The permission unit 55 receives temporary authentication information from the temporary authentication information acquisition unit 59 and mobile identification information from the device information acquisition unit 61. The permission unit 55 determines whether or not to permit login of the user who operates the portable information device 200 based on the temporary authentication information in response to the input of the portable identification information. The permission unit 55 outputs a permission signal to the device information acquisition unit 61 when permitting login, and outputs a non-permission signal to the device information acquisition unit 61 when login is not permitted. When permitting the log-in, the permission unit 55 accepts an operation input to the operation unit 163, and sets the process to a state in which processing can be executed according to the accepted operation.

  The permission unit 55 extracts temporary authentication information including the same mobile identification information as the mobile identification information input from the device information acquisition unit 61 from the temporary authentication information input from the temporary authentication information acquisition unit 59. The permission unit 55 includes a time limit determination unit 71 and a user identification unit 73.

  The time limit judgment unit 71 permits login on condition that the temporary authentication information extracted from the temporary authentication information input from the temporary authentication information acquisition unit 59 is valid. The expiration date determining unit 71 determines that the temporary authentication information is valid if the current date and time is within the expiration date set in the item of the expiration date of the temporary authentication information. Judge as invalid.

  The user specifying unit 73 permits the login of the user specified by the user identification information included in the temporary authentication information extracted from the temporary authentication information input from the temporary authentication information acquiring unit 59. For example, when user data for specifying a user who is permitted to use MFP 100 is stored in HDD 116 of MFP 100, login may be permitted using the user data. For example, when user data restricts usable functions among a plurality of functions of MFP 100, only unrestricted functions can be used. In addition, if the user specified by the user identification information included in the temporary authentication information is not registered in the user data, login is permitted as a guest user, and only the functions permitted for the guest user can be used. You may make it. When the permission unit 55 permits login, the CPU 111 accepts an operation input to the operation unit 163 as an operation input by the user by the user specifying unit 73.

  When the permission signal is input from the permission unit 55, the device information acquisition unit 61 logs in to the portable information device 200 that has transmitted the mobile identification information via the short-range wireless communication unit 170. Send the result. When a non-permission signal is input from the permission unit 55, the device information acquisition unit 61 transmits a login result indicating that login is not permitted to the portable information device 200 via the short-range wireless communication unit 170.

  When device information acquisition unit 61 transmits a login result indicating that login is not permitted, portable information device 200 may transmit a transmission request for device identification information to MFP 100. Device information transmission unit 63 controls short-range wireless communication unit 170. When short-range wireless communication unit 170 receives a transmission request for device identification information from portable information device 200, short-range wireless communication is performed on the device identification information of MFP 100. The information is transmitted to the portable information device 200 via the unit 170.

  In the present embodiment, the temporary authentication information includes the user identification information of the user authenticated by the server 300, the portable identification information of the portable information device 200 operated by the user, and the expiration date. However, only the mobile identification information of the mobile information device 200 operated by the authenticated user may be included. In this case, the time limit determining unit 71 and the user specifying unit 73 are unnecessary, and the permission unit 55 uses the temporary authentication information including the mobile identification information of the mobile information device 200 that the short-range wireless communication unit 170 can communicate with. In the case of receiving from the server 300, login is permitted. In other words, when the portable information device 200 is authenticated by the server 300 in a state where the portable information device 200 is located at the A site 7 where the MFP 100 is disposed, the short-range wireless communication unit 170 of the MFP 100 communicates with the portable information device 200. Allow login when possible.

  The temporary authentication information may include only the user identification information of the user authenticated by the server 300 and the portable identification information of the portable information device 200 operated by the user. In this case, the time limit determination unit 71 is unnecessary, and the permission unit 55 receives temporary authentication information including the mobile identification information of the mobile information device 200 with which the short-range wireless communication unit 170 can communicate from the server 300. In this case, the user who operates the portable information device 200 is permitted to log in. In other words, when the portable information device 200 is authenticated by the server 300 in a state where the portable information device 200 is located at the A site 7 where the MFP 100 is disposed, the short-range wireless communication unit 170 of the MFP 100 communicates with the portable information device 200. If possible, the user who carries the portable information device 200 is permitted to log in as the user authenticated by the server 300.

  Further, the temporary authentication information may include only the mobile identification information of the mobile information device 200 operated by the user authenticated by the server 300 and the expiration date. In this case, the user specifying unit 73 is unnecessary, and the permission unit 55 receives temporary authentication information including the mobile identification information of the mobile information device 200 that the short-range wireless communication unit 170 can communicate from the server 300. If the current date and time are within the expiration date, login is permitted. In other words, when the portable information device 200 is authenticated by the server 300 in a state where the portable information device 200 is located at the A site 7 where the MFP 100 is disposed, the short-range wireless communication unit 170 of the MFP 100 communicates with the portable information device 200. If the permitted time is within a predetermined period from the time of authentication by the server 300, login is permitted.

  FIG. 9 is a flowchart illustrating an example of the flow of server-side authentication processing according to the first embodiment. The server-side authentication process is a process executed by the CPU 301 when the CPU 301 included in the server 300 executes an authentication program stored in the ROM 302, the HDD 304, or the CD-ROM 309. Referring to FIG. 9, CPU 301 determines whether or not authentication information has been received from portable information device 200 (step S01). If communication unit 305 has received the authentication information, the process proceeds to step S02; otherwise, the process proceeds to step S09. The authentication information includes user identification information for identifying a user who operates portable information device 200.

  In step S02, authentication is performed based on the authentication information. If the same authentication information as the received authentication information is stored in HDD 304, the user who operates portable information device 200 is authenticated as a genuine user. Otherwise, authentication is not performed. If the user who operates portable information device 200 is authenticated, the process proceeds to step S03. If not authenticated, the process proceeds to step S15. In step S15, an error signal indicating that the authentication has failed is transmitted to portable information device 200, and the process returns to step S01.

  In step S03, position information is acquired from portable information device 200 operated by a user who has been successfully authenticated. The communication unit 305 acquires position information received from the portable information device 200. The position information indicates the geographical position of the portable information device 200. And temporary authentication information is produced | generated (step S04). The temporary authentication information includes user identification information for identifying the user who has been successfully authenticated in step S02, portable identification information for identifying the portable information device 200 that has transmitted the position information, and an expiration date. The expiration date is a predetermined period from the date and time when the authentication is successful. In the next step S05, the generated temporary authentication information is associated with the position information acquired in step S03, and the process proceeds to step S06. For example, a set of temporary authentication information and position information is stored in the HDD 304. In step S06, a signal indicating that the authentication is successful is transmitted to portable information device 200, and the process proceeds to step S07.

  In step S07, a device to which temporary authentication information is transmitted is specified. Using the registered device table stored in the HDD 304, a device to which temporary authentication information is to be transmitted is specified. Here, a case where MFPs 100 and 100A to 100C are registered in server 300 will be described as an example. In this case, the registration device table shown in FIG. From the five registration device records included in the registration device table shown in FIG. 6, the registration device record in which the region information of the region including the position information acquired in step S03 is set in the region item is extracted, The device identified by the device identification information set in the registered device item of the one or more extracted registered device records is specified as the device to which the temporary authentication information is transmitted. For example, if the position specified by the position information received from the portable information device 200 is within the A base 7, the MFP 100, 100A, 100B is specified and the position specified by the position information received from the portable information device 200 If B is in B site 9, MFPs 100C and 100D are specified.

  In step S08, the temporary authentication information generated in step S04 is transmitted via the communication unit 305 to the device specified in step S07. Specifically, when authenticating a user who operates portable information device 200 in a state where portable information device 200 is located in A site 7, server 300 includes MFPs 100 and 100A to D registered in server 300. Temporary authentication information is transmitted to MFPs 100, 100 A, 100 B arranged in A base 7. Thereby, the user who operates portable information device 200 can use MFPs 100, 100 </ b> A, and 100 </ b> B when located in A site 7. In addition, when the server 300 authenticates a user who operates the portable information device 200 in a state where the portable information device 200 is located in the B base 9, the server 300 uses the MFPs 100 and 100A to 100D registered in the server 300. Temporary authentication information is transmitted to MFPs 100 </ b> C and 100 </ b> D disposed in B site 9. As a result, the user operating portable information device 200 can use MFPs 100 </ b> C and 100 </ b> D when located within B base 9. Since MFP 100E is not registered in server 300 and the registered device record of MFP 100E is not registered in the registered device table, server 300 does not transmit temporary authentication information to MFP 100E.

  In step S09, it is determined whether an issue request is received from portable information device 200. If an issue request is received, the process proceeds to step S10. If not, the process returns to step S01. When communication unit 305 receives an issue request from portable information device 200, it is determined that the issue request has been received. The issue request transmitted by the portable information device 200 includes device identification information of a device that is not registered in the server 300. In the state where the registration device table shown in FIG. 6 is stored in the HDD 304, the MFP 100 </ b> E arranged at the B site 9 is not registered in the server 300. In this case, when portable information device 200 can communicate with MFP 100E, portable information device 200 acquires device identification information from MFP 100E and transmits an issuance request including the device identification information.

  In step S10, temporary authentication information including the same portable identification information as the portable identification information of portable information device 200 that has transmitted the issue request received in step S09 exists among the temporary authentication information generated in step S04. Judge whether to do. If such temporary authentication information exists, the process proceeds to step S11. If not, the process returns to step S01. Even if temporary authentication information including the same mobile identification information as the mobile identification information of mobile information device 200 exists, if the temporary authentication information has expired, the temporary authentication information does not exist. Judgment is made and the process returns to step S01.

  In step S11, the target device is specified. The device specified by the device identification information included in the issue request received in step S09 is specified as the target device. Here, MFP 100E is specified as the target device. Then, the position information is acquired from the MFP 100E specified as the target device (step S12). Specifically, a position information transmission request is transmitted to MFP 100E via communication unit 305, and position information returned by MFP 100E is acquired.

  In the next step S13, it is determined whether portable information device 200 and MFP 100E specified as the target device exist in the same area. The position of portable information device 200 is a position where the temporary information device including the portable identification information is specified by the position information associated in step S05, and the position of MFP 100E specified as the target device is determined from MFP 100E in step S12. The position is specified by the acquired position information. If the position of portable information device 200 and the position of MFP 100E specified as the target device are both included in the same area, the process proceeds to step S14. If not, the process returns to step S01.

  In step S14, MFP 100E specified as the target device is registered, and the process ends. Specifically, the device identification information of MFP 100E is set in the item of registration device, a registration device record in which region information B indicating B base 9 is set in the region information item is generated, and the generated registration device record is Add to the registered device table stored in the HDD 304.

  When portable information device 200 exists at B site 9 and can communicate with MFP 100E, portable information device 200 transmits an issuance request to server 300. In this case, a user operating portable information device 200 If the mobile information device 200 is operated in the state of being located at the B base 9 and is authenticated by the server 300, the MFP 100E is registered in the server 300.

  In the next step S15, the temporary authentication information generated in step S04, which includes the same mobile identification information as the mobile identification information of the mobile information device 200 that has transmitted the issue request received in step S09. Is transmitted via the communication unit 305 to the MFP 100E specified as the target apparatus in step S11, and the process returns to step S01. As a result, the user who operates portable information device 200 can use MFP 100 </ b> E when located in B site 9.

  FIG. 10 is a flowchart illustrating an example of the flow of the portable-side authentication process in the first embodiment. The portable side authentication process is a process executed by the CPU 201 when the CPU 201 included in the portable information device 200 executes a program stored in the flash memory 203 or the CD-ROM 209A. Referring to FIG. 10, CPU 201 provided in portable information device 200 determines whether or not authentication information has been received (step S41). An authentication screen for inputting user identification information and a password is displayed on display unit 206, and user identification information and a password that the user inputs to operation unit 207 according to the authentication screen are received. The process waits until authentication information is accepted (NO in step S41). If authentication information is accepted, the process proceeds to step S42.

  In step S42, the authentication information accepted in step S01 is transmitted to server 300 via wireless LAN I / F 208. Then, it is determined whether or not the authentication by the server 300 is successful (step S43). The wireless LAN I / F 208 makes a determination based on the authentication result received from the server 300 that transmitted the authentication information. If the authentication result indicates that the authentication has succeeded, the process proceeds to step S44. If the authentication result indicates that the authentication has failed, the process proceeds to step S56. In step S56, the user is notified that the user authentication has failed, and the process returns to step S41. For example, an error message indicating that the authentication has failed is displayed on the display unit 206.

  In step S44, the current position is detected. The GPS sensor 119 is controlled, and the current position of the MFP 100 detected by the GPS sensor 119 is acquired. In the next step S45, the acquired position information is transmitted to the server 300 via the wireless LAN I / F 208.

  In step S46, it is determined whether or not there is a device with which short-range wireless communication unit 210 can communicate. Here, it is determined whether or not communication with any of MFPs 100, 100A to 100E is possible. The apparatus stands by until communication with any of MFPs 100, 100A to 100E is possible (NO in step S46). If communication with any of MFPs 100, 100A to 100E is possible, the process proceeds to step S47. In step S47, portable identification information for identifying portable information device 200 is transmitted to the device that can communicate in step S46 via short-range wireless communication unit 210, and the process proceeds to step S48. For example, if communication with MFP 100 is possible, mobile identification information is transmitted to MFP 100.

  In step S48, it is determined whether or not login is permitted in the device that transmitted the mobile identification information. The short-range wireless communication unit 210 makes a determination based on the login result received from the device that transmitted the mobile identification information. If the login result indicates that login is permitted, it is determined that login is permitted. If the login result indicates that login is not permitted, it is determined that login is not permitted. If login is permitted, the process returns to step S46. If login is not permitted, the process proceeds to step S49. For example, when MFPs 100, 100 </ b> A to 100 </ b> C are registered in server 300 and MFP 100 </ b> E is not registered, the user of portable information device 200 is authenticated by server 300 in a state of being located at B site 9. In the case of the MFP 100C, 100D, 100E arranged at the base B 9, the MFP 100C, 100D receives a login result indicating that login is permitted, but the MFP 100E receives a login result indicating that login is not permitted. Receive.

  The case where the process proceeds to step S49 is a case where login is not permitted in the device that transmitted the mobile identification information. Here, an example will be described in which a login result indicating that login is not permitted is received from MFP 100E.

  In step S49, the user is notified that the login has failed, and the process proceeds to step S50. For example, an error message indicating that the login has failed is displayed on the display unit 206. In step S50, device identification information of MFP 100E is acquired from MFP 100E that is not permitted to log in. Specifically, the MFP 100E is requested to transmit device identification information via the short-range wireless communication unit 210, and the short-range wireless communication unit 210 acquires the device identification information received from the MFP 100E. If the short-range wireless communication unit 210 is able to communicate with the MFP 100E in step S46, if the device identification information is acquired from the MFP 100E, the device identification information may be used.

  In the next step S51, an issue request is transmitted to the server 300, and the process proceeds to step S52. The issuance request including the device identification information of MFP 100E acquired in step S50 is transmitted to server 300 via wireless LAN I / F 208. Then, a reconnection confirmation message is displayed on the display unit 206, and the process proceeds to step S53. For example, a message “Do you want to reconnect?” Is displayed. In the next step S53, it is determined whether a reconnection instruction has been accepted. It is determined whether or not a reconnection instruction input to the operation unit 207 by the user has been detected. If a reconnection instruction is detected, the process proceeds to step S54; otherwise, the process returns to step S46.

  In step S54, portable identification information for identifying portable information device 200 is transmitted to MFP 100E capable of communicating in step S46 via short-range wireless communication unit 210, and the process proceeds to step S55. Since the issue request is transmitted to the server 300 in step S51, login may be permitted based on the mobile identification information received from the mobile information device 200 in the MFP 100E.

  In step S55, it is determined whether or not login is permitted in MFP 100E that transmitted the mobile identification information. The short-range wireless communication unit 210 determines that the login is permitted if the login result received from the M100E that transmitted the mobile identification information indicates that the login is permitted, and permits the login if the login result indicates that the login is not permitted. Judge that it was not. If login is permitted, the process returns to step S46. If login is not permitted, the process returns to step S41.

  FIG. 11 is a flowchart illustrating an example of a flow of apparatus side authentication processing according to the first embodiment. The apparatus-side authentication process is a process executed by CPU 111 when CPU 111 provided in each of MFPs 100, 100A to 100E executes programs stored in ROM 113, EEPROM 115, HDD 116, and CD-ROM 119A. Here, a case where CPU 111 of MFP 100 executes the program will be described as an example.

  Referring to FIG. 11, CPU 111 determines whether or not provisional authentication information has been received (step S21). If communication I / F unit 112 receives temporary authentication information from server 300, the process proceeds to step S22. If not, the process proceeds to step S23. In step S22, the received temporary authentication information is temporarily stored in HDD 116, and the process proceeds to step S23.

  In step S23, it is determined whether short-range wireless communication unit 170 can communicate with portable information device 200 and has received portable identification information. If mobile identification information has been received, the process proceeds to step S24; otherwise, the process returns to step S21. In step S24, it is determined whether temporary authentication information including the same mobile identification information as the mobile identification information received in step S23 is stored in HDD 116 or not. If such temporary authentication information is stored, temporary authentication information including the same mobile identification information as the mobile identification information received in step S23 is read from HDD 116, and the process proceeds to step S25. To step S30.

  In step S25, it is determined whether it is within the expiration date. If it is within the expiration date included in the temporary authentication information read in step S24, the process proceeds to step S26, but if not within the expiration date, the process proceeds to step S29. In step S29, temporary authentication information including the same mobile identification information as the mobile identification information received in step S23 is erased from HDD 116, and the process proceeds to step S30.

  In step S26, it is determined whether the same user identification information as the user identification information included in the temporary authentication information read in step S24 is registered. For example, when user data including user identification information of a user who is permitted to use MFP 100 is stored in HDD 116 of MFP 100, the same user identification as the user identification information included in the temporary authentication information read in step S24. It is determined whether or not user data including information exists. If such user data exists, the process proceeds to step S27; otherwise, the process proceeds to step S28. In step S27, the login of the user specified by the user identification information included in the temporary authentication information read in step S24 is permitted, and the process ends. For example, when user data restricts usable functions among a plurality of functions of MFP 100, only unrestricted functions can be used. On the other hand, in step S28, login as a guest user is permitted, and the process ends. Enable only the functions allowed for guest users.

  If the process proceeds to step S30, if temporary authentication information including portable identification information of portable information device 200 has not been received from server 300, such temporary authentication information has been received, but the expiration date has passed. It is a case. In step S <b> 30, a login result indicating that login is not permitted is transmitted to portable information device 200 via short-range wireless communication unit 170. Then, it is determined whether short-range wireless communication unit 170 has received a transmission request for device information from portable information device 200 (step S31). If a transmission request is received, the process proceeds to step S32. If not, the process ends. In step S32, the device identification information of MFP 100 is transmitted to portable information device 200 via short-range wireless communication unit 170, and the process proceeds to step S33.

  In the next step S <b> 33, the communication I / F unit 112 determines whether or not it has received a position information transmission request from the server 300. If a transmission request is received, the process proceeds to step S34; otherwise, the process returns to step S21. In step S34, position information indicating the geographical position where MFP 100 is located is transmitted to server 300 via communication I / F unit 112, and the process returns to step S21.

  As described above, the server 300 according to the first embodiment generates temporary authentication information when the authentication using the authentication information acquired from the portable information device 200 succeeds, and the MFPs 100 and 100A to 100E Temporary authentication information is transmitted to a device existing in an area including the position information acquired from the portable information device 200. Each of the plurality of MFPs 100, 100 </ b> A to 100 </ b> E is used on the condition that the temporary authentication information includes the mobile identification information of the mobile information device 200, for example, when the MFP 100 becomes communicable with the mobile information device 200. Allow. For this reason, since temporary authentication information is transmitted to the process execution device existing in the area including the position information acquired from the portable information device 200, the process execution that can be used depending on the position of the user of the portable information device at the time of authentication. The device can be limited.

  Further, MFP 100 permits the use on the condition that it is within the expiration date included in the temporary authentication information received from server 300. Since the position of the user may be changed after a predetermined time has elapsed from the time when the user is authenticated, it is possible not to permit the use when moving the position from the time when the user is authenticated.

  When MFP 100 can communicate with portable information device 200, MFP 100 permits the use of the user specified by the user identification information included in the temporary authentication information, so that the user inputs the user identification information to the device to be used again. There is no need.

  When portable information device 200 can communicate with unregistered MFP 100E other than MFPs 100, 100A to 100C registered in server 300, portable information device 200 obtains device identification information of MFP 100E and issues the device identification information of MFP 100E. The request is transmitted to the server 300, and the server 300 acquires the position information from the MFP 100E in response to acquiring the issuance request from the MFP 100E, and confirms that the position of the portable information device 200 and the position of the MFP 100E belong to the same area. As a condition, temporary authentication information is transmitted to the MFP 100E. Therefore, use of MFP 100E can be permitted even when unregistered MFP 100E that is not registered in server 300 exists within a predetermined range from portable information device 200.

  Further, since server 300 generates and stores device arrangement information corresponding to MFP 100E, the device arrangement information corresponding to MFP 100E can be automatically registered in the server.

<Second Embodiment>
In the authentication system 1 according to the first embodiment, the user is installed in an apparatus arranged in the same area as the area where the portable information device 200 carried by the authenticated user among the MFPs 100 and 100A to 100E from the server 300 is located. Temporary authentication information is transmitted when is authenticated. In authentication system 1A according to the second embodiment, server 300 determines whether or not to permit use of a device that can communicate with portable information device 200 among MFPs 100 and 100A to 100E without transmitting temporary authentication information. Is determined according to an inquiry from the device.

  Hereinafter, the authentication system 1A according to the second embodiment will be described mainly with respect to differences from the authentication system 1 according to the first embodiment, and overlapping description will not be repeated.

  FIG. 12 is a block diagram illustrating an example of an overview of functions of the CPU 301A included in the server 300 according to the second embodiment. The function shown in FIG. 12 is different from the function shown in FIG. 5 in that the temporary authentication information generation unit 357 is changed to the temporary authentication information generation unit 357A, the issue request acquisition unit 363, the device location confirmation unit 365, and the device The registration unit 361 and the temporary authentication information transmission unit 359 are deleted, and the confirmation request acquisition unit 381, the server side permission unit 383, and the permission signal transmission unit 385 are added. The other functions are the same as those shown in FIG. 5, and therefore description thereof will not be repeated here.

  The temporary authentication information generation unit 357A receives position information and mobile identification information from the position information acquisition unit 355, and receives a generation instruction from the authentication unit 353. The temporary authentication information generation unit 357A generates temporary authentication information in response to a generation instruction input from the authentication unit 353, and outputs the generated temporary authentication information to the server side permission unit 383. The temporary authentication information includes user identification information included in the generation instruction, portable identification information of the portable information device 200, an expiration date, and position information input from the position information acquisition unit 355. The expiration date is determined based on the date and time when the authentication of the user is successful by the authentication unit 353, and is a predetermined period from the date and time. The user identification information included in the generation instruction is information for identifying the user authenticated by the authentication unit 353. The portable identification information input together with the position information from the position information acquisition unit 355 is information for identifying the portable information device 200 carried by the user authenticated by the authentication unit 353.

  Confirmation request acquisition unit 381 acquires a confirmation request from one of MFPs 100 and 100A to 100E. When the communication unit 305 receives a confirmation request from any of the MFPs 100 and 100A to 100E, the communication unit 305 acquires the confirmation request from the communication unit 305 and the device identification information of the device that has transmitted the confirmation request. Details of the case where each of MFPs 100, 100A to 100E transmits a confirmation request will be described later. For example, MFP 100 transmits a confirmation request when communication with portable information device 200 via short-range wireless communication unit 117 becomes possible. To do. The confirmation request includes portable identification information for identifying portable information device 200 that can communicate with MFP 100 that has transmitted the confirmation request. The confirmation request acquisition unit 381 outputs to the server-side permission unit 383 a set of the mobile identification information included in the acquired confirmation request and the device identification information of the device that has transmitted the confirmation request.

  The server-side permission unit 383 receives the temporary authentication information from the temporary authentication information generation unit 357 and the pair of the mobile identification information and the device identification information from the confirmation request acquisition unit 381. The server-side permission unit 383 allows the user who carries the portable information device 200 specified by the portable identification information in response to the input of the pair of the portable identification information and the device identification information from the confirmation request acquisition unit 381. It is determined whether or not the use of the device specified by the identification information is permitted.

  The server-side permission unit 383 determines whether temporary authentication information including the same mobile identification information as the mobile identification information input from the confirmation request acquisition unit 381 is input from the temporary authentication information generation unit 357. The server-side permission unit 383 includes temporary authentication information including the same mobile identification information as the mobile identification information input from the confirmation request acquiring unit 381 in the temporary authentication information input from the temporary authentication information generation unit 357. Based on the temporary authentication information, it is determined whether or not to permit use of the device that has transmitted the confirmation request to the user carrying the portable information device 200 specified by the portable identification information.

  The server-side permission unit 383 includes an area determination unit 391, a time limit determination unit 393, and a user specification unit 395. The area determination unit 391 includes the position specified by the position information included in the temporary authentication information including the same mobile identification information as the mobile identification information input from the confirmation request acquisition unit 381, and the device input from the confirmation request acquisition unit 381. It is determined whether or not the position where the device specified by the identification information is arranged is included in the same area. When determining that the two positions are in the same region, the region determination unit 391 permits the user carrying the portable information device 200 to use the device specified by the device identification information. The device specified by the device identification information input from confirmation request acquisition unit 381 is the device that has transmitted the confirmation request among MFPs 100 and 100A to 100E. Here, a case where a confirmation request is received from MFP 100 will be described as an example. The area determination unit 391 specifies a position where a device that has been stored in advance in the HDD 304 and has transmitted a confirmation request is registered using a registered device table.

  For example, when the registration apparatus table shown in FIG. 6 is stored in the HDD 304, when a confirmation request is received from the MFP 100, the area indicated by the area information A is specified as the position where the MFP 100 is disposed. When the position specified by the position information received from the portable information device 200 is within the A base 7 identified by the area information A, in other words, the area determination unit 391 places the portable information device 200 in the A base 7. If it exists, if the user carrying portable information device 200 is authenticated by server 300, use of MFP 100 is permitted. However, when the position specified by the position information received from the portable information device 200 is in the B base 9, in other words, the region determination unit 391 is a server in the case where the portable information device 200 exists in the B base 9. If the user carrying portable information device 200 is authenticated in 300, use of MFP 100 is not permitted.

  The time limit determination unit 393 permits login on condition that temporary authentication information including the same mobile identification information as the mobile identification information input from the confirmation request acquisition unit 381 is valid. The expiration date determination unit 393 determines that the temporary authentication information is valid if the current date and time is within the expiration date set in the expiration date field of the temporary authentication information. Judge as invalid.

  The user specifying unit 395 permits the login of the user specified by the user identification information included in the temporary authentication information including the same mobile identification information as the mobile identification information input from the confirmation request acquisition unit 381.

  The server-side permission unit 383 outputs a permission transmission instruction to the permission signal transmission unit 385 when the user carrying the portable information device 200 identified by the portable identification information is permitted to use the device identified by the device identification information. To do. The permission transmission instruction includes user identification information included in temporary authentication information including the same mobile identification information as the mobile identification information input from the confirmation request acquisition unit 381.

  The permission signal transmission unit 385 transmits a permission signal via the communication unit 305 to the device that has transmitted the confirmation request among the MFPs 100 and 100A to 100E, for example, the MFP 100. The permission signal includes user identification information included in the permission transmission instruction.

  It should be noted that the position specified by the position information received from the portable information device 200 at the time when the authentication information is received from the portable information device 200 by registering information that defines the area that can be used by the user in the server 300. However, the authentication may be performed on the condition that it is within the area defined as the usable area.

  Further, in the registered device table stored in the HDD 304, a user that can be used for each device is determined in advance, and the device that has transmitted the confirmation request is a device that is set to be usable by an authenticated user. Only the permission signal may be transmitted.

  In the present embodiment, the temporary authentication information indicates the user identification information of the user authenticated by the server 300, the portable identification information of the portable information device 200 operated by the user, and the position of the portable information device 200. The location information and the expiration date are included, but only the mobile identification information and location information of the mobile information device 200 operated by the authenticated user may be included. In this case, the time limit determining unit 393 and the user specifying unit 395 are not necessary, and the server-side permission unit 383 permits the permission transmission instruction that does not include the user identification information when the use is permitted by the area determination unit 391. The signal is output to the signal transmission unit 385.

  The temporary authentication information includes only the user identification information of the user authenticated by the server 300, the portable identification information of the portable information device 200 operated by the user, and the position information indicating the position of the portable information device 200. You may make it. In this case, the time limit determination unit 71 is not necessary, and the server-side permission unit 383 outputs a permission transmission instruction including user identification information to the permission signal transmission unit 385 when the use is permitted by the area determination unit 391. To do.

  The temporary authentication information may include only the mobile identification information of the mobile information device 200 operated by the user authenticated by the server 300, the location information indicating the location of the mobile information device 200, and the expiration date. In this case, the user specifying unit 73 is unnecessary, and when the temporary determination information is determined to be valid by the time limit determination unit 393 and the use is permitted by the region determination unit 391, permission transmission that does not include the user identification information The instruction is output to the permission signal transmission unit 385.

  FIG. 13 is a block diagram illustrating an example of functions of the CPU 201A included in the portable information device 200 according to the second embodiment. Referring to FIG. 13, the difference from the function shown in FIG. 7 is that short distance control unit 259 is changed to short distance control unit 259A and issue request unit 265 is deleted. The short distance control unit 259A is different from the short distance control unit 259 shown in FIG. 7 in that the unregistered information acquisition unit 263 is not included. The other functions are the same as those shown in FIG. 7, and thus description thereof will not be repeated here.

  FIG. 14 is a block diagram illustrating an example of functions of the CPU 111A provided in the MFP 100 according to the second embodiment. The functions shown in FIG. 14 are functions formed in CPU 111A when CPU 111A provided in MFP 100 in the second embodiment executes programs stored in ROM 113, EEPROM 115, HDD 116, and CD-ROM 119A. Referring to FIG. 14, CPU 111 includes a communication control unit 51 </ b> A, a device-side short-range control unit 53 </ b> A that controls short-range wireless communication unit 170, confirmation unit 81, and device-side permission unit 83.

  The communication control unit 51A controls the communication I / F unit 112. The apparatus-side short-range control unit 53A controls the short-range wireless communication unit 170. The device-side short distance control unit 53A includes a device information acquisition unit 61. The device information acquisition unit 61 controls the short-range wireless communication unit 170. When the short-range wireless communication unit 170 can communicate with the portable information device 200, the short-range wireless communication unit 170 receives the portable identification information from the portable information device 200. Receive the mobile identification information. For example, when the short-range wireless communication unit 170 can communicate with the portable information device 200, the portable information device 200 exists within the range of the distance that the short-range wireless communication unit 170 can communicate. In other words, when the distance between the user who operates portable information device 200 and MFP 100 is within a predetermined distance, device information acquisition unit 61 acquires portable identification information from portable information device 200. The device information acquisition unit 61 outputs the mobile identification information of the mobile information device 200 to the confirmation unit 81.

  The confirmation unit 81 transmits a confirmation request to the server 300 via the communication control unit 51 </ b> A in response to input of the mobile identification information from the device information acquisition unit 61. In other words, the confirmation unit 81 transmits a confirmation request to the server 300 via the communication I / F unit 112. The confirmation request includes mobile identification information input from the device information acquisition unit 61. As described above, the server 300 that receives the confirmation request returns a permission signal when the use is permitted. The confirmation unit 81 acquires the permission signal received from the server 300 by the communication I / F unit 112 via the communication control unit 51A. The confirmation unit 81 outputs the acquired permission signal to the device-side permission unit 83.

  Device-side permission unit 83 permits use of MFP 100 in response to the permission signal input from confirmation unit 81. Specifically, an operation input to the operation unit 163 is received, and processing is executed according to the received operation.

  The device side permission unit 83 includes a user specifying unit 85. The permission signal may include user identification information. The user specifying unit 85 allows the user specified by the user identification information included in the permission signal to log in and enables use. For example, when user data for specifying a user who is permitted to use MFP 100 is stored in HDD 116 of MFP 100, login may be permitted using the user data. For example, when user data restricts usable functions among a plurality of functions of MFP 100, only unrestricted functions can be used. In addition, if the user specified by the user identification information included in the temporary authentication information is not registered in the user data, login is permitted as a guest user, and only the functions permitted for the guest user can be used. You may make it.

  FIG. 15 is a flowchart illustrating an example of the flow of server-side authentication processing according to the second embodiment. The server side authentication process is a process executed by the CPU 301A when the CPU 301A included in the server 300 in the second embodiment executes an authentication program stored in the ROM 302, the HDD 304 or the CD-ROM 309. Referring to FIG. 9, CPU 301A determines whether or not authentication information has been received from portable information device 200 (step S61). If communication unit 305 has received the authentication information, the process proceeds to step S62; otherwise, the process proceeds to step S67. The authentication information includes user identification information for identifying a user who operates portable information device 200.

  In step S62, authentication is performed based on the authentication information. If the same authentication information as the received authentication information is stored in HDD 304, the user who operates portable information device 200 is authenticated as a genuine user. Otherwise, authentication is not performed. If the user who operates portable information device 200 is authenticated, the process proceeds to step S63. If not authenticated, the process proceeds to step S75. In step S75, an error signal indicating that the authentication has failed is transmitted to portable information device 200, and the process returns to step S61.

  In step S63, position information is acquired from portable information device 200 operated by a user who has been successfully authenticated. The communication unit 305 acquires position information received from the portable information device 200. The position information indicates the geographical position of the portable information device 200. And temporary authentication information is produced | generated (step S64). The temporary authentication information includes user identification information for identifying the user who has been successfully authenticated in step S62, portable identification information for identifying the portable information device 200 that has transmitted the position information, and the position acquired in step S63. Information and expiration date. The expiration date is a predetermined period from the date and time when the authentication is successful. In the next step S65, the generated temporary authentication information is stored in the HDD 304, and the process proceeds to step S66. In step S66, a signal indicating that the authentication is successful is transmitted to portable information device 200, and the process proceeds to step S67.

  In step S67, it is determined whether a confirmation request has been received. If communication unit 305 receives a confirmation request from any of MFPs 100, 100A to 100E, the process proceeds to step S68; otherwise, the process returns to step S61. Here, a case where a confirmation request is received from MFP 100 will be described as an example. The confirmation request includes portable identification information for identifying portable information device 200 that can communicate with MFP 100 that has transmitted the confirmation request.

  In step S68, it is determined whether or not temporary authentication information including the same mobile identification information as the mobile identification information included in the confirmation request exists in the temporary authentication information stored in HDD 304 in step S65. If temporary authentication information including the same mobile identification information as the mobile identification information included in the confirmation request exists, the temporary authentication information is read and the process proceeds to step S69. If not, the process proceeds to step S74.

  In step S69, the position specified by the position information included in the temporary authentication information read in step S68 and the position where the device that has transmitted the confirmation request, in this case, MFP 100 is located are included in the same area. To determine whether or not If it is determined that the two positions are within the same region, the process proceeds to step S70; otherwise, the process proceeds to step S74.

  In step S70, it is determined whether or not the same user identification information as the user identification information included in the temporary authentication information read in step S68 is registered. For example, in the registered device table stored in the HDD 304, a user that can be used for each device is determined in advance, and the device that has transmitted the confirmation request is a device that is set to be usable by an authenticated user. Judge whether or not. If the device is set to be usable, the process proceeds to step S71; otherwise, the process proceeds to step S74. Further, user data including user identification information of a user permitted to use each MFP 100, 100A to 100E is stored in the HDD 304 of the server 300, and the user identification included in the temporary authentication information read in step S68 is stored. It may be determined whether there is user data including the same user identification information as the information.

  In step S71, it is determined whether or not the current date and time is within the expiration date included in the temporary authentication information read in step S68. If the current date is within the validity period, the process proceeds to step S72; otherwise, the process proceeds to step S73.

  In step S72, a permission signal indicating that login is permitted is transmitted to the apparatus that has transmitted the confirmation request, in this case, MFP 100, via communication unit 305, and the process returns to step S61. The permission signal includes user identification information included in the temporary authentication information read in step S68. In step S73, the temporary authentication information read in step S68 is deleted from HDD 304, and the process proceeds to step S74.

  On the other hand, in step S74, a non-permission signal indicating that login is not permitted is transmitted to the apparatus that has transmitted the confirmation request, here MFP 100, via communication unit 305, and the process returns to step S61.

  FIG. 16 is a flowchart illustrating an example of the flow of the mobile-side authentication process in the second embodiment. The difference from the mobile-side authentication process in the second embodiment shown in FIG. 10 is that steps S50 to S55 are deleted. Since the process of step S41-step S49 is the same as the process shown in FIG. 10, description is not repeated here.

  FIG. 17 is a flowchart illustrating an example of a flow of apparatus side authentication processing according to the second embodiment. The apparatus-side authentication process is a process executed by CPU 111A when CPU 111A included in each of MFPs 100, 100A to 100E in the second embodiment executes programs stored in ROM 113, EEPROM 115, HDD 116, and CD-ROM 119A. It is. Here, a case where CPU 111A of MFP 100 executes the program will be described as an example.

  Referring to FIG. 17, CPU 111A determines whether short-range wireless communication unit 170 can communicate with portable information device 200 and has received portable identification information (step S81). The process waits until mobile identification information is received (NO in step S81). If mobile identification information is received (YES in step S81), the process proceeds to step S82.

  In step S <b> 82, the confirmation request is transmitted to server 300 via communication I / F unit 112. Then, it is determined whether or not communication I / F unit 112 has received a permission signal from server 300 (step S83). If the permission signal is received, the process proceeds to step S84; otherwise, the process proceeds to step S87.

  In step S84, it is determined whether or not the user specified by the user identification information included in the permission signal is registered in MFP 100. For example, when user data including user identification information of a user permitted to use MFP 100 is stored in HDD 116 of MFP 100, user data including the same user identification information as the user identification information included in the permission signal exists. Judge whether or not. If such user data exists, the process proceeds to step S85; otherwise, the process proceeds to step S86. In step S85, the login of the user specified by the user identification information included in the permission signal is permitted, and the process ends. For example, when user data restricts usable functions among a plurality of functions of MFP 100, only unrestricted functions can be used. On the other hand, in step S86, login as a guest user is permitted, and the process ends. Enable only the functions allowed for guest users.

  In step S87, a login result indicating that login is not permitted is transmitted to portable information device 200 via short-range wireless communication unit 170, and the process ends.

As described above, the server 300 according to the second embodiment is acquired from the mobile identification information of the mobile information device 200 and the mobile information device when the authentication using the authentication information acquired from the mobile information device 200 is successful. Temporary authentication information including the generated position information is generated, and a confirmation request is acquired from an apparatus that can communicate with the portable information apparatus 200 within a predetermined distance of the MFPs 100, 100A to 100C, for example, the MFP 100. Accordingly, temporary authentication information including the same mobile identification information as the mobile identification information included in the confirmation request is generated, and the position specified by the position information included in the temporary authentication information and the confirmation request are transmitted. On the condition that the location where the MFP 100 is placed is included in the same area, use of the MFP 100 that has transmitted the confirmation request is permitted. For this reason, since the use of the MFP 100 existing in the area including the position information acquired at the time of authentication from the portable information device 200 is permitted, the processing execution device that can be used depending on the position of the user of the portable information device 200 at the time of authentication. Can be limited.
Further, the server 300 permits the use on the condition that it is within the expiration date included in the temporary authentication information. The user's position may be changed after a predetermined time has elapsed since the user was authenticated. For this reason, it is possible not to permit use when the user moves the position.

  In addition, since the server 300 permits the use of the user specified by the user identification information included in the temporary authentication information, the user does not need to input the user identification information again to the device to be used.

  In the above-described embodiment, the authentication systems 1 and 1A have been described as an example. However, the server 300 performs an authentication method for causing the server 300 to execute the processing illustrated in FIG. 9 or FIG. It goes without saying that the invention can be specified as an authentication program to be executed by the CPU 301 provided.

  The embodiment disclosed this time should be considered as illustrative in all points and not restrictive. The scope of the present invention is defined by the terms of the claims, rather than the description above, and is intended to include any modifications within the scope and meaning equivalent to the terms of the claims.

<Appendix>
(1) The temporary authentication information generation unit generates temporary authentication information further including an expiration date,
The temporary authentication information transmitting means transmits the generated temporary authentication information to allow the process execution device to use the data, on the condition that the temporary authentication information is within an expiration date included in the temporary authentication information. Item 13. The server according to any one of Items 10 to 12.
(2) The temporary authentication information generation unit generates temporary authentication information further including user identification information for identifying the authenticated user,
The temporary authentication information transmitting unit transmits the generated temporary authentication information to the processing execution device in order to permit use of a user specified by user identification information included in the temporary authentication information. -12 and the authentication system in any one of (1).
(3) The temporary authentication information transmitting unit includes the position information acquired from the plurality of processing execution devices using device arrangement information indicating an area where each of the plurality of processing execution devices is installed. The server according to any one of claims 10 to 12, (1), and (2), comprising device specifying means for specifying a processing execution device existing in a predetermined area.
(4) Device identification included in the issuance request in response to acquiring from the portable information device an issuance request including device identification information of an unregistered device that is a processing execution device different from the plurality of processing execution devices. Position confirmation means for acquiring position information indicating the position of the unregistered device from the unregistered device specified by the information,
The temporary authentication information transmitting means includes a position specified by the acquired position information in a predetermined area including the acquired position information, and includes portable identification information of the portable information device The server according to claim 10, further comprising: an unregistered device transmission unit configured to transmit the temporary authentication information to the unregistered device on condition that temporary authentication information is generated.
(5) Device location information indicating a region including a location specified by the acquired location information as a region where the unregistered device is arranged in response to the location information being acquired by the location confirmation unit. The server according to (4), further comprising device registration means for generating.
(6) The temporary authentication information generation unit generates temporary authentication information further including an expiration date,
The server according to claim 11, wherein the server-side permission unit permits the use of the processing execution apparatus that has transmitted the confirmation request, on the condition that the expiration date included in the temporary authentication information is within the expiration date.
(7) The temporary authentication information generation unit generates temporary authentication information further including user identification information for identifying the authenticated user,
When permitting use of the process execution device that has transmitted the confirmation request, the server-side permission means allows the process execution device to permit use by a user identified by the user identification information. The server according to claim 11, further comprising permission signal transmission means for transmitting user identification information included in the temporary authentication information.

1, 1A authentication system, 2, 2A network, 3.3A G / W, 4, 4A base station, 5 Internet, 100, 100A to 100E MFP, 200 portable information device, 300 server, 110 main circuit, 111 CPU, 112 Communication I / F unit, 113 ROM, 114 RAM, 115 EEPROM, 116 HDD, 117 facsimile unit, 119 external storage device, 119A CD-ROM, 120 automatic document feeder, 130 document reading unit, 140 image forming unit, 150 Paper section, 160 Operation panel, 161 Display section, 163 Operation section, 165 Touch panel, 170 Short-range wireless communication section, 200 Portable information device, 201 CPU, 202 Camera, 203 Flash memory, 204 Wireless communication section, 205 Call section, 206 Display unit, 207 operation unit, 07A touch panel, 208 wireless LAN I / F, 209 external storage device, 210 short-range wireless communication unit, 211 GPS sensor, 301 CPU, 302 ROM, 303 RAM, 304 HDD, 305 communication unit, 306 display unit, 307 operation unit, 309 External storage device, 309A CD-ROM, 51, 51A communication control unit, 53, 53A device side short distance control unit, 55 permission unit, 56 position confirmation receiving unit, 57 position information transmitting unit, 58 position confirmation receiving unit, 59 Authentication information acquisition unit, 61 Device information acquisition unit, 63 Device information transmission unit, 71 Expiration date determination unit, 73 User identification unit, 81 Confirmation unit, 83 Device side permission unit, 85 User identification unit, 251 Position detection unit, 253 Position information Transmission unit, 255 Authentication information reception unit, 257 Authentication information transmission unit, 259, 259A Short distance control unit, 26 DESCRIPTION OF SYMBOLS 1 Device information transmission part, 263 Unregistered information acquisition part, 265 Issuance request part, 300 Server, 351 Authentication information acquisition part, 353 Authentication part, 355 Location information acquisition part, 357, 357A Temporary authentication information generation part, 359 Temporary authentication information Transmission unit, 361 device registration unit, 363 issue request acquisition unit, 365 device position confirmation unit, 371 device identification unit, 373 unregistered device transmission unit, 381 confirmation request acquisition unit, 383 server side permission unit, 385 permission signal transmission unit, 391 area determination unit, 393 time limit determination unit, 395 user identification unit.

Claims (16)

An authentication system including a server, a plurality of processing execution devices, and a portable information device,
The server is configured to authenticate using the authentication information in response to obtaining authentication information for authenticating a user from the portable information device;
Position information acquisition means for acquiring position information indicating the current position of the portable information device from the portable information device;
If authentication by the authentication means is successful, temporary authentication information generating means for generating temporary authentication information including mobile identification information for identifying the mobile information device;
Provisional authentication information transmitting means for transmitting the generated temporary authentication information to a processing execution apparatus existing in a predetermined area including the acquired position information,
Each of the plurality of processing execution devices includes a short-range wireless communication unit capable of wireless communication with a portable information device within a predetermined distance range,
The temporary authentication information acquired from the server in response to the short-range wireless communication means being able to communicate with the portable information device includes the same portable identification information as the portable identification information of the portable information device. The condition includes a permission means for permitting use ,
The portable information device is a non-registered information acquisition unit that acquires device identification information of an unregistered device that is a process execution device different from the plurality of process execution devices;
An issue request means for sending an issue request including device identification information of the unregistered device to the server,
The server further includes a position confirmation unit that obtains position information indicating a position of the unregistered apparatus from an unregistered apparatus specified by the apparatus identification information included in the issuance request in response to obtaining the issuance request. Prepared,
The temporary authentication information transmitting means is provided on the condition that the position specified by the position information acquired from the portable information device and the position specified by the position information acquired from the unregistered device belong to the same area. An authentication system including unregistered device transmission means for transmitting the temporary authentication information to the unregistered device . The temporary authentication information generating means generates temporary authentication information further including an expiration date,
The authentication system according to claim 1, wherein the permission unit permits the use on the condition that it is within an expiration date included in the temporary authentication information. The temporary authentication information generating means generates temporary authentication information further including user identification information for identifying the authenticated user,
The authentication system according to claim 1, wherein the permission unit permits use of a user specified by user identification information included in the temporary authentication information.   The temporary authentication information transmitting means is predetermined including the position information acquired from among the plurality of processing execution devices using device arrangement information indicating an area where each of the plurality of processing execution devices is installed. The authentication system according to any one of claims 1 to 3, further comprising device specifying means for specifying a processing execution device existing in the area.   In response to the location information being acquired by the location confirmation unit, the server is a device placement information indicating a region including a location specified by the obtained location information as a region where the unregistered device is placed. The authentication system according to claim 1, further comprising: device registration means for generating An authentication means for authenticating using the authentication information in response to acquiring authentication information for authenticating the user from the portable information device;
Position information acquisition means for acquiring position information indicating the current position of the portable information device from the portable information device;
If authentication by the authentication means is successful, temporary authentication information generating means for generating temporary authentication information including mobile identification information for identifying the mobile information device;
The same mobile identification as the mobile identification information included in the generated temporary authentication information, in a processing execution apparatus existing in a predetermined area including a position specified by the acquired position information among a plurality of processing execution apparatuses Temporary authentication information transmitting means for transmitting the generated temporary authentication information in order to allow use when short-range wireless communication with a portable information device of information becomes possible;
In response to acquiring an issuance request including device identification information of an unregistered device, which is a processing execution device different from the plurality of process execution devices, from the portable information device, the device identification information included in the issue request is specified. Position confirmation means for acquiring position information indicating the position of the unregistered device from the unregistered device ,
The temporary authentication information transmitting means is provided on the condition that the position specified by the position information acquired from the portable information device and the position specified by the position information acquired from the unregistered device belong to the same area. A server comprising unregistered device transmitting means for transmitting the temporary authentication information to the unregistered device . The server according to claim 6, wherein the temporary authentication information generation unit generates temporary authentication information further including an expiration date. The server according to claim 6 or 7, wherein the temporary authentication information generation unit generates temporary authentication information further including user identification information for identifying the authenticated user. The temporary authentication information transmitting means is predetermined including the position information acquired from among the plurality of processing execution devices using device arrangement information indicating an area where each of the plurality of processing execution devices is installed. The server according to any one of claims 6 to 8, further comprising device specifying means for specifying a processing execution device existing in the area. An apparatus for generating apparatus arrangement information indicating an area including a position specified by the acquired position information as an area in which the unregistered apparatus is arranged in response to acquisition of position information by the position confirmation unit The server according to claim 6, further comprising registration means. An authentication step of authenticating using the authentication information in response to obtaining authentication information for authenticating the user from the portable information device;
A position information acquisition step of acquiring position information indicating a current position of the portable information device from the portable information device;
If authentication is successful in the authentication step, a temporary authentication information generating step for generating temporary authentication information including mobile identification information for identifying the mobile information device;
The same mobile identification as the mobile identification information included in the generated temporary authentication information, in a processing execution apparatus existing in a predetermined area including a position specified by the acquired position information among a plurality of processing execution apparatuses A temporary authentication information transmission step of transmitting the generated temporary authentication information in order to allow use when short-range wireless communication with a portable information device of information becomes possible;
In response to acquiring an issuance request including device identification information of an unregistered device, which is a processing execution device different from the plurality of process execution devices, from the portable information device, the device identification information included in the issue request is specified. A position confirmation step for acquiring position information indicating the position of the unregistered device from the unregistered device ,
The temporary authentication information transmitting step is performed on the condition that the position specified by the position information acquired from the portable information device and the position specified by the position information acquired from the unregistered device belong to the same area. An authentication method including an unregistered device transmission step of transmitting the temporary authentication information to the unregistered device . The authentication method according to claim 11, wherein the temporary authentication information generation step includes a step of generating temporary authentication information further including an expiration date. The authentication method according to claim 11 or 12, wherein the temporary authentication information generation step includes a step of generating temporary authentication information further including user identification information for identifying the authenticated user. The temporary authentication information transmission step is performed in advance using the device arrangement information indicating the area where each of the plurality of process execution devices is installed, and includes the position information acquired from the plurality of process execution devices. The authentication method according to claim 11, further comprising a device specifying step of specifying a processing execution device existing in the area. An apparatus for generating apparatus arrangement information indicating an area including a position specified by the acquired position information as an area in which the unregistered apparatus is arranged in response to acquisition of position information in the position confirmation step The authentication method according to claim 11, further causing the server to execute a registration step. The authentication program which makes a computer perform the authentication method in any one of Claims 11-15 .

Images