EP0935221A2 - Remote authentication system - Google Patents
- Publication number: EP0935221A2
- Authority: EP (European Patent Office)
- Prior art keywords: authentication, user, information, biometrics, acquisition
- Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07C—TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
- G07C9/00—Individual registration on entry or exit
- G07C9/20—Individual registration on entry or exit involving the use of a pass
- G07C9/22—Individual registration on entry or exit involving the use of a pass in combination with an identity check of the pass holder
- G07C9/25—Individual registration on entry or exit involving the use of a pass in combination with an identity check of the pass holder using biometric data, e.g. fingerprints, iris scans or voice recognition
- G07C9/257—Individual registration on entry or exit involving the use of a pass in combination with an identity check of the pass holder using biometric data, e.g. fingerprints, iris scans or voice recognition electronically
Definitions
- The present invention relates to a remote authentication system in which identification of an individual by biometrics, and the decision whether that individual has an access right to the information and application, are made centrally by a single authentication terminal.
- An operation of identifying an individual in order to decide whether to permit or inhibit that individual's access, i.e. authentication, is required.
- An automatic teller machine of a bank or the like generally carries out authentication to identify an individual and to access the individual's transaction information, such as the deposit balance. Authentication of an individual is also carried out on arrival at or departure from a high-security research site or a members' club.
- The authentication, i.e. identification of an individual and recognition of qualification, is carried out using a magnetic card or IC card having the same function as an ID card, something the individual remembers such as a password, or a combination thereof.
- The password may be forgotten, and the magnetic card or IC card may become unusable for authentication because it has been lost or broken.
- An individual other than the person in question may be authenticated as that person because the card was stolen or the password leaked.
- The person in question must be reliably authenticated as himself or herself.
- If the password or one-time password (OTP) is made more complex, it becomes correspondingly harder to memorize, or the authentication operation itself becomes complicated.
- Authentication information must be managed centrally.
- Biometrics information, which represents the living-body characteristics of an individual such as a fingerprint, handprint, handwriting or retina, removes this complication and also makes impersonation ("posing") difficult. If authentication by biometrics information is required over a wide region, central management and authentication are required for the same reason, and for protection of privacy. When authentication by biometrics information is executed centrally, it is important to select a suitable authentication method according to the security level of the matter, place or system requiring authentication, as well as of each user, and to acquire the authentication information accordingly.
- The RADIUS server described in RFC 2138 (Remote Authentication Dial In User Service, hereinafter RADIUS; a revision of the earlier RFC 2058), registered as an RFC (Request For Comments) of the IETF (Internet Engineering Task Force), performs authentication processing centrally in response to a request from a RADIUS client and sends back the result of authentication.
- One example of such prior art is the "authentication method on a network" disclosed in JP-A-9-81518.
- In that method, when a user host accesses an application server, the application server requests an authentication server to authenticate the user using fixed authentication means and authentication information, and receives the result of authentication.
- Biometrics information is effective for discriminating an individual from other persons. However, it raises problems of privacy protection and of sanitary acquisition when the biometrics acquisition device itself is dirty or unpleasant to use.
- The present invention has been made to solve the problem described above, and intends to provide a remote authentication system and remote authentication method which can reliably identify an individual and decide whether that individual has an access right when the individual is authenticated using biometrics information, and which also improve ease of use.
- One aspect of the present invention provides a remote authentication system having a network to which an authentication server, an authentication client and a user terminal are connected, in which authentication of a user accessing the authentication client is made through the user terminal, comprising one or more kinds of biometrics acquisition device connected to the user terminal, and one or more authentication information acquisition software programs stored in the authentication server according to the user terminal and/or user, wherein, under the operation of a prescribed authentication information acquisition software program corresponding to the user terminal and/or user, which is downloaded from the authentication server at authentication time, biometrics information acquired by the one or more kinds of biometrics acquisition device and/or keyed-in user identification information is used.
- The present invention also provides a remote authentication system having a network to which an authentication server and a user terminal are connected, in which authentication of a user accessing the user terminal is made, comprising one or more kinds of biometrics acquisition device connected to the user terminal, and one or more authentication information acquisition software programs stored in the authentication server according to the user terminal and/or user, wherein, under the operation of a prescribed authentication information acquisition software program corresponding to the user terminal and/or user, which is downloaded from the authentication server at authentication time, biometrics information acquired by the one or more kinds of biometrics acquisition device and/or keyed-in user identification information is used.
- The present invention also provides a remote authentication system whose authentication information acquisition software includes a procedure by which the user selects which of the plural biometrics acquisition devices connected to the user terminal is to be used to input the biometrics information.
- Fig. 1 shows the configuration of the first embodiment, in which the present invention is applied to a Web system.
- A network 2 connects an authentication server terminal 3, an authentication client terminal 4 (a Web server terminal in this embodiment), a user terminal 5, etc.
- When the Web server 4 is accessed by a user through the user terminal 5, it obtains individual authentication of the user from the authentication server terminal 3 and, on the basis of the result, provides service to the user.
- The authentication server terminal 3 is a computer device such as a personal computer or workstation (which may include a CPU, memory, disk, communication control unit, etc., as described hereinafter) storing an authentication control unit 3A, an authentication information database 3B and an authentication information acquisition software pool 3C (hereinafter, software is abbreviated S/W).
- The Web server terminal 4 is a computer device such as a personal computer or workstation on which a Web server database 4A, an authentication request unit 4B and a Web server S/W 4C requiring authentication of a user operate.
- The user terminal device 5 comprises a browser 5A for displaying information from the Web server terminal 4, and a computer device such as a personal computer or workstation on which the authentication information acquisition S/W 5B operates.
- The user terminal device 5 is connected to a biometrics acquisition device 6.
- The biometrics acquisition device 6 includes a fingerprint acquisition device 7 and a handprint acquisition device 8, which acquire a fingerprint and a handprint of a living body, respectively, as biometrics information through image processing; a letter recognition tablet 9 for acquiring handwriting written by the user as biometrics information; and a retina information acquisition device 10 for acquiring retina information of a living body as biometrics information by scanning the fundus.
- The processing flow of authentication in such a Web system is shown in Fig. 2.
- A user accesses information with a high secrecy level in the Web server database 4A of the Web server terminal 4, which is the authentication client, using the browser 5A, an application operating on the user terminal device 5 (SP1).
- The Web server S/W 4C, the application controlling access to the highly secret information, must authenticate the user in order to decide whether the user has an access right (SP10).
- The Web server S/W 4C in the Web server terminal 4 informs the authentication request unit 4B that user authentication is needed, together with a client ID (identifier of the authentication request unit), an application ID (identifier of the Web server S/W 4C, the application requiring authentication) and an access data class (secrecy level of the data accessed by the user) (SP11).
- The authentication request unit 4B transmits the user's authentication request, including the above information, to the authentication server terminal 3.
- The authentication control unit 3A in the authentication server terminal 3, having received the authentication request, selects an authentication information acquisition S/W 11 on the basis of the authentication client ID, application ID and access data class (SP20).
- The authentication information acquisition S/W 11 acquires a predetermined item of authentication information; it may acquire several items.
- The authentication control unit 3A transfers the selected authentication information acquisition S/W 11 to the Web server terminal 4, the authentication client (SP21).
- The authentication request unit 4B in the Web server terminal 4 delivers the transferred authentication information acquisition S/W 11 to the Web server S/W 4C and instructs it to acquire the authentication information from the user. On this instruction, the authentication information acquisition S/W 11 is transferred from the Web server S/W 4C to the user terminal 5 (SP12).
- The browser 5A in the user terminal 5 receives the transferred authentication information acquisition S/W 11 and runs it as the authentication information acquisition S/W 5B (SP2).
- The authentication information acquisition S/W 5B acquires, on its own initiative, a user ID (name, firm, member number, address, affiliation, telephone number, or an ID allotted to the individual by the system), biometrics information such as fingerprint, handprint, handwriting or retina information, and authentication information normally used in a conventional computer system, such as a password or one-time password. In doing so it may cooperate with other S/W, such as a driver for acquiring the authentication information.
- The authentication information acquisition S/W 5B transfers the acquired user ID and authentication information to the Web server terminal 4 through the browser 5A (SP3).
- The authentication request unit 4B in the Web server terminal 4 transfers the user ID and authentication information acquired from the user, received through the Web server S/W 4C, to the authentication server terminal 3 (SP13).
- The authentication control unit 3A in the authentication server terminal 3 executes user authentication using the transferred user ID and authentication information (SP22).
- The transferred authentication information, such as biometrics information, is checked against the individual's information initially stored in the authentication information database 3B of the authentication server terminal 3. If every item of transferred authentication information checks out, the user is judged to be the person in question and the result is reported to the Web server terminal, the authentication client. If even one item fails the check, the user is judged not to be the person in question, and this is reported to the Web server terminal (SP23).
- The Web server S/W 4C decides whether to permit or inhibit the user's access to the highly secret information in the Web server database 4A (SP14); for example, the operation requested by the user, such as displaying the secret information, is performed.
- Encryption between the user terminal 5 (authentication information acquisition S/W 5B) and the Web server terminal 4, and between the Web server terminal 4 and the authentication server terminal 3 (authentication control unit 3A), keeps the authentication information confidential and reduces the threat of impersonation.
- Encryption directly between the user terminal 5 (authentication information acquisition S/W 5B) and the authentication server terminal 3 (authentication control unit 3A), rather than between each pair of adjacent terminals, also reduces the threat of impersonation.
- The authentication information database 3B in Fig. 3 holds a user ID, a user level and authentication information for each individual user.
- The user ID is a name, firm, member number, address, affiliation, telephone number, or any identifier allotted to an individual by the system.
- The user level represents the access level to secret information.
- The authentication information is biometrics information such as fingerprint, handprint, handwriting or retina information, and conventional authentication information such as a password or one-time password.
- The authentication information acquisition S/W pool stores authentication information acquisition S/Ws 11 such as one acquiring both fingerprint and retina information, one acquiring fingerprint information from two fingers, etc.
- The authentication information acquisition S/W pool 3C lists the selectable authentication information acquisition S/Ws 11 corresponding to each secrecy level and data class.
- The authentication client ID corresponding to the identifier of the authentication request unit 4B is set to 15, and the application ID corresponding to the identifier of the Web server S/W 4C is set to 25.
- The Web server S/W 4C informs the authentication request unit 4B that user authentication is needed.
- The authentication request unit 4B transmits the user's authentication request, including the data class 17, authentication client ID 15 and application ID 25, to the authentication server terminal 3.
- The authentication server terminal 3 receives the authentication request including these items of information.
- The authentication control unit 3A in the authentication server terminal 3 notes, from the database in the authentication information acquisition S/W pool 3C in Fig. 4, that the data class in the authentication request corresponds to level 2, and that the selectable candidates are therefore the authentication information acquisition S/Ws 11 of level 2 or higher.
- With reference to Figs. 5 and 6, another embodiment of the part of the authentication information database corresponding to Fig. 3 will now be explained.
- The authentication control unit 3A in the authentication server terminal 3 also determines the candidate authentication information acquisition S/Ws 11 selectable from the authentication client ID and from the application ID. Thus, on the basis of the data class, A, B, C, D, E and F are candidates; on the basis of the authentication client ID, C, D and E; and on the basis of the application ID, A, D and E. Only D and E satisfy all three conditions, so one of them is finally selected.
- From the selectable candidates, the authentication server terminal 3 picks one S/W either at random or by a fixed rule, i.e. by normal or sequential selection.
- The authentication means and authentication information can thus be selected flexibly according to the environment: the data class of the accessed information, the authentication request unit 4B operating in the device that is the authentication client, and the Web server S/W 4C that is the using application.
- The Web server terminal 4 acquires a user ID (name, firm, member number, address, affiliation, telephone number, or an ID allotted to the individual by the system) and requests the authentication request unit 4B to authenticate the user with the acquired user ID, client ID (identifier of the authentication request unit 4B), application ID (identifier of the Web server S/W 4C, the application requiring authentication) and access data class (secrecy level of the data accessed by the user).
- The authentication information database shown in Fig. 7, in addition to the items of Fig. 3, holds per-individual information such as the user type (data manager or general user), usable authentication client IDs, usable application IDs, application control information delivered to the application when the user is authenticated as the person in question, checking logs (the authentication information acquisition S/W selected and the checking rate for a prescribed number of past authentications), the total number of authentications, the selection condition, etc.
- The authentication server terminal 3 receives the authentication request including the above information.
- Other Examples
- If the authentication client IDs and application IDs usable by each user are designated in the authentication information database 3B, access control can be realized such that the authentication information acquisition S/W 11 is sent to the user only when the requesting authentication client ID and application ID are among those designated. Here, since the usable client IDs include 15 and the usable application IDs include 25, sending of the authentication information acquisition S/W 11 is permitted.
- Permission or inhibition of the authentication information acquisition S/W 11 can also be decided on the basis of the user type shown in Fig. 7. As for the user, if a secrecy level is allotted to the authentication client and to the application, the authentication server terminal 3 can select the authentication information acquisition S/W 11 on the basis of the levels of the authentication client, the application and the access data class; for example, it can select an authentication information acquisition S/W whose level is the highest of the three or higher.
- In the above, the total number of authentications, as an example of the checking rate in Fig. 7, was used as the selection condition.
- When the checking evaluation is used as the selection condition, the authentication information acquisition S/W 11 of level 2 or higher with the highest past checking evaluation is looked up in the user's checking logs and selected. Here E, which had the highest checking evaluation at the last authentication, is selected.
- If the Web server terminal 4 has previously acquired the authentication information acquisition S/W 11, the authentication server terminal 3 may designate that S/W to the Web server terminal 4 without transferring the authentication information acquisition S/W again.
- The authentication information acquisition S/W, which dynamically acquires the information required for authentication, is selected in accordance with the environment (the user making access, the data class of the accessed information, the authentication request unit 4B operating in the Web server terminal 4 that is the authentication client, the Web server S/W 4C that is the using application, etc.) and the authentication history (i.e. the status at the time of authentication).
- The second embodiment of the present invention is a simplification of the first embodiment.
- The user terminal that acquires the biometrics information is the same as the authentication client terminal.
- An example of an application requiring authentication is a database retrieval application 5E that executes database retrieval.
- The user terminal 5 includes a local database 5C used by the database retrieval application 5E, an authentication request unit 5D, and a computer (personal computer or workstation) on which the database retrieval application 5E and the authentication information acquisition S/W 11 operate.
- The biometrics acquisition device 6 is connected to the user terminal 5 and has entirely the same configuration as in the first embodiment.
- The authentication server terminal 3 has entirely the same configuration as in the first embodiment.
- When the database retrieval application 5E accesses secret information in the local database 5C (SP5), it first acquires a user ID (name, firm, member number, address, affiliation, telephone number, or an ID allotted to the individual by the system) (SP6), and then requests the authentication request unit 5D to authenticate the user with the acquired user ID, client ID (identifier of the authentication request unit 5D), application ID (identifier of the database retrieval application 5E, the application requiring authentication) and access data class (secrecy level of the data accessed by the user) (SP7).
- The authentication server terminal 3 executes the same authentication operation as in the first embodiment.
- The authentication request unit 5D of the user terminal 5, having received the result of authentication, informs the database retrieval application 5E of it.
- The database retrieval application 5E decides whether to permit or inhibit the user's access to the highly secret information in the local database 5C (SP8); for example, the operation requested by the user, such as displaying the secret information, is performed. In this configuration, where the user terminal 5 itself issues the authentication request, the same effect as in the first embodiment is obtained.
- In the third embodiment, a procedure (SP2B, SP12A) is proposed in which the user rejects the authentication information acquisition S/W when the individual authentication information specified by the authentication information acquisition S/W 11 transferred from the authentication server 3 does not match the user's intention (SP2B, SP12).
- The authentication server terminal 3, on receiving the rejection, selects another authentication information acquisition S/W (SP20A). This is limited, however, to the case where another selectable authentication information acquisition S/W remains, as described in connection with Fig. 4.
- When biometrics is used as an individual's authentication information, the user must be able to reject a specified biometrics acquisition device 6 that is dirty or unpleasant to use. Although biometrics is effective for discriminating an individual from other persons, it raises problems of privacy protection and sanitation, as described above. For this reason, the user must be able to reject or change the biometrics acquisition.
- The user may also intend to specify information other than biometrics, i.e. an alternative means such as a one-time password (OTP), even if it is more complicated.
- Thus the authentication information acquisition S/W, which dynamically acquires the information for authentication, can be selected according to the environment so as to reliably identify an individual and decide whether that individual has the access right.
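The server-side selection described above (candidate intersection over data class, client ID and application ID as in Figs. 4 to 6, the per-user usable IDs and checking logs of Fig. 7, re-selection after a rejection, and the all-items-must-match rule of SP23), as an added Python model that is not part of the patent. The S/W levels, the allow-lists for client ID 15 and application ID 25, the data-class-to-level mapping and the checking-log scores are constructed values chosen to agree with the worked example in the text.

```python
import hmac
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set

# Constructed pool of authentication information acquisition S/W (Fig. 4 style).
# "level" is the secrecy level each S/W satisfies (assumed values); "items" are the
# pieces of authentication information the S/W acquires (D and E follow the text).
SW_POOL: Dict[str, dict] = {
    "A": {"level": 2, "items": ("fingerprint",)},
    "B": {"level": 2, "items": ("handprint",)},
    "C": {"level": 2, "items": ("handwriting",)},
    "D": {"level": 3, "items": ("fingerprint", "handwriting")},  # fingerprint + handwriting
    "E": {"level": 2, "items": ("fingerprint",)},                # fingerprint only
    "F": {"level": 2, "items": ("retina",)},
}

# Assumed mapping of access data class to the minimum S/W level (text: class 17 -> level 2).
DATA_CLASS_LEVEL: Dict[int, int] = {17: 2}
# Assumed allow-lists: which S/W each authentication client / application may use.
CLIENT_SW: Dict[int, Set[str]] = {15: {"C", "D", "E"}}
APP_SW: Dict[int, Set[str]] = {25: {"A", "D", "E"}}


@dataclass
class UserRecord:
    """One row of the authentication information database (Fig. 7 style)."""
    user_id: str
    level: int
    templates: Dict[str, str]        # enrolled authentication information per item
    usable_client_ids: Set[int]
    usable_app_ids: Set[int]
    checking_logs: Dict[str, float] = field(default_factory=dict)  # last checking evaluation per S/W


# Constructed user; the template strings stand in for enrolled biometric templates.
USER = UserRecord(
    user_id="user-001",
    level=2,
    templates={"fingerprint": "fp-template-001", "handwriting": "hw-template-001"},
    usable_client_ids={15},
    usable_app_ids={25},
    checking_logs={"D": 0.82, "E": 0.95},
)


def candidates(data_class: int, client_id: int, app_id: int) -> List[str]:
    """Intersect the three candidate sets: data-class level, client ID and application ID."""
    need = DATA_CLASS_LEVEL[data_class]
    by_class = {name for name, sw in SW_POOL.items() if sw["level"] >= need}
    by_client = CLIENT_SW.get(client_id, set())
    by_app = APP_SW.get(app_id, set())
    return sorted(by_class & by_client & by_app)


def sw_permitted(user: UserRecord, client_id: int, app_id: int) -> bool:
    """Fig. 7 access control: send the S/W only for a client/application this user may use."""
    return client_id in user.usable_client_ids and app_id in user.usable_app_ids


def select_sw(user: UserRecord, data_class: int, client_id: int, app_id: int,
              rejected: FrozenSet[str] = frozenset()) -> Optional[str]:
    """Pick the candidate with the highest past checking evaluation, skipping rejected S/W.

    Returns None when the client/application is not usable for the user or when no
    candidate remains after the user's rejections (the SP20A re-selection limit).
    """
    if not sw_permitted(user, client_id, app_id):
        return None
    remaining = [c for c in candidates(data_class, client_id, app_id) if c not in rejected]
    if not remaining:
        return None
    # Highest checking evaluation wins; an S/W without a log scores 0.
    return max(remaining, key=lambda c: user.checking_logs.get(c, 0.0))


def verify(user: UserRecord, sw_name: str, submitted: Dict[str, str]) -> bool:
    """SP23 rule: every item the selected S/W acquires must check out; one failure rejects."""
    ok = True
    for item in SW_POOL[sw_name]["items"]:
        enrolled = user.templates.get(item)
        value = submitted.get(item)
        if enrolled is None or value is None:
            ok = False
            continue  # keep checking the rest so the result is decided only at the end
        if not hmac.compare_digest(enrolled.encode(), value.encode()):
            ok = False
    return ok


if __name__ == "__main__":
    first = select_sw(USER, 17, 15, 25)                      # E: best checking evaluation
    second = select_sw(USER, 17, 15, 25, rejected={first})   # user rejects E -> D
    print("candidates:", candidates(17, 15, 25), "first:", first, "after rejection:", second)
    print("verify D with one item missing:", verify(USER, "D", {"fingerprint": "fp-template-001"}))
```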
- The fourth embodiment, as a means of obtaining the same effect as the third embodiment, builds the mechanism for selecting the acquired authentication information into the authentication information acquisition S/W itself of the first and second embodiments.
- The authentication information acquisition S/W itself can offer a choice between authentication D, by both fingerprint and handwriting, and authentication E, by fingerprint only.
- The authentication server transfers an authentication information acquisition S/W capable of acquiring both D and E.
- The configuration and operation procedure of the Web system 1 itself are the same as in the first and second embodiments.
- The screen of the authentication information acquisition S/W displayed to the user is shown in Fig. 12.
- The user selects either D or E, choosing the authentication means and authentication information for himself.
- When select button 12A or 12B is pressed, the authentication information acquisition S/W is operated to acquire the authentication information actually selected.
- The authentication server terminal 3 can determine the type of the received authentication information and whether authentication can be made using the received set of information. Thus the same effect as in the third embodiment is obtained.
- In the above embodiments, the authentication information to be acquired was determined by the authentication S/W.
- The authentication information to be acquired may instead only be displayed on a screen. For example, depending on the number of times of authentication in the detailed database of the first embodiment, a request to transfer fingerprint information and handwriting information is displayed on the screen.
- The user then operates the software for acquiring the authentication information in accordance with the displayed contents, and transfers the acquired authentication information to the authentication server terminal 3.
- The items to be transferred need not be displayed concretely; only the fact that authentication information was previously transferred may be displayed.
- The user then operates the software for acquiring the authentication information on his own initiative, acquiring from memory all the items previously notified by a manager, and transfers the acquired authentication information to the authentication server.
- The same effect as in the first embodiment can be realized.
- The means for acquiring the authentication information is thus used in the manner of a password, so security in acquisition of the authentication information can be improved remarkably.
- In the above embodiments, authentication of an individual user was made by the Web server terminal 4.
- The present invention is not limited to this, but may be widely applied to any general controller that requires identification of a user, such as an arrival/departure terminal device connected to a network.
- When authentication is to be made using biometrics information, the authentication server freely selects the biometrics acquisition device and the authentication information to be acquired in accordance with the user's environment for acquiring the biometrics information.
- A remote authentication system capable of reliably identifying a user and deciding whether the user has the access right can thus be realized.
- If the designated authentication information is not satisfactory for the user, he can change the authentication information to be acquired or reject its acquisition. Even when the biometrics acquisition device itself is dirty or unpleasant, or the device for acquiring the biometrics information is unreliable, identification of the user and the decision on the user's access right can be made by alternative means.
Abstract
Description
- The present invention relates to a remote authentication system in which identification of an individual by biometrics, and the decision whether that individual has an access right to the information and application, are made centrally by a single authentication terminal.
- Conventionally, in an information processing system connected to a network, an operation of identifying an individual in order to decide whether to permit or inhibit that individual's access, i.e. authentication, is required for security. Further, an automatic teller machine of a bank or the like generally carries out authentication to identify an individual and to access the individual's transaction information, such as the deposit balance. Authentication of an individual is also carried out on arrival at or departure from a high-security research site or a members' club.
- The authentication, i.e. identification of an individual and recognition of qualification, is carried out using a magnetic card or IC card having the same function as an ID card, something the individual remembers such as a password, or a combination thereof. However, the password may be forgotten, and the magnetic card or IC card may become unusable for authentication because it has been lost or broken. An individual other than the person in question may be authenticated as that person because the card was stolen or the password leaked. In order to keep security high, the person in question must be reliably authenticated as himself or herself. If, to this end, the password or one-time password (OTP) is made more complex, it becomes correspondingly harder to memorize, or the authentication operation itself becomes complicated. Further, if authentication by memorized secrets is executed over a wide area (plural branches of a bank), the authentication information must be managed centrally.
- On the other hand, authentication by biometrics information, which represents the living-body characteristics of an individual such as a fingerprint, handprint, handwriting or retina, removes this complication and also makes impersonation ("posing") difficult. If authentication by biometrics information is required over a wide region, central management and authentication are required for the same reason, and for protection of privacy. When authentication by biometrics information is executed centrally, it is important to select a suitable authentication method according to the security level of the matter, place or system requiring authentication, as well as of each user, and to acquire the authentication information accordingly.
- Now, the RADIUS server described in RFC 2138 (Remote Authentication Dial In User Service, hereinafter RADIUS; a revision of the earlier RFC 2058), registered as an RFC (Request For Comments) of the IETF (Internet Engineering Task Force), performs authentication processing centrally in response to a request from a RADIUS client and sends back the result of authentication. In this case, the authentication means and authentication information are fixed for each user. For this reason, when biometrics information is to be acquired, the authentication means and authentication information cannot be changed dynamically according to the acquisition environment.
- One example of such prior art is the "authentication method on a network" disclosed in JP-A-9-81518. In this method, when a user host accesses an application server, the application server requests an authentication server to authenticate the user using fixed authentication means and authentication information, and receives the result of authentication.
- Biometrics information is effective for discriminating an individual from other persons. However, it raises problems of privacy protection and of sanitary acquisition when the biometrics acquisition device itself is dirty or unpleasant to use.
- The present invention has been made to solve the problem described above, and intends to provide a remote authentication system and remote authentication method which can reliably identify an individual and decide whether that individual has an access right when the individual is authenticated using biometrics information, and which also improve ease of use.
- One aspect of the present invention provides a remote authentication system having a network to which an authentication server, an authentication client and a user terminal are connected, in which authentication of a user accessing the authentication client is made through the user terminal, comprising one or more kinds of biometrics acquisition device connected to the user terminal, and one or more authentication information acquisition software programs stored in the authentication server according to the user terminal and/or user, wherein, under the operation of a prescribed authentication information acquisition software program corresponding to the user terminal and/or user, which is downloaded from the authentication server at authentication time, biometrics information acquired by the one or more kinds of biometrics acquisition device and/or keyed-in user identification information is used.
- The present invention also a remote authentication system having a network which is connected to an authentication server, and a user terminal are connected, in which authentication of the user accessing said user terminal is made, comprising one or plural kinds of biometrics acquisition device connected to said user terminal, and one or plural authentication information acquisition softwares stored in said authentication server according to the user terminal and/or a user, wherein in accordance with the operation of a prescribed authentication acquisition software corresponding to the user terminal and/or user, which is downloaded from the authentication server in authentication, biometrics information acquired by one or plural kinds of biometrics acquisition devices and/or keyed-in user discrimination information are used.
- Further, the present invention also provides a remote authentication system comprising an authentication information acquisition software including a procedure for the user selecting which of said plural biometrics acquisition devices connected to said user terminal should be used to input the biometrics information.
- Fig. 1 is a block diagram of the first embodiment of a Web system to which the remote authentication system according to the present invention is applied.
- Fig. 2 is a timing chart for explaining the processing of authentication in the Web system in Fig. 1.
- Fig. 3 is a graph for explaining a first example of an authentication information database in the authentication server terminal in Fig. 1.
- Fig. 4 is a graph for explaining a first example of an authentication information database in the authentication server terminal in Fig. 1.
- Fig. 5 is a graph for explaining a second example of an authentication information database in the authentication server terminal in Fig. 1.
- Fig. 6 is a graph for explaining a third example of an authentication information database in the authentication server terminal in Fig. 1.
- Fig. 7 is a graph for explaining a third example of an authentication information database in the authentication server terminal in Fig. 1.
- Fig. 8 is a timing chart for explaining the authentication processing of the third example in the Web system shown in Fig. 1.
- Fig. 9 is a block diagram of the second embodiment of the Web system to which a remote authentication system according to the present invention is applied.
- Fig. 10 is a timing chart for explaining the authentication processing in the Web system shown in Fig. 9.
- Fig. 11 is a timing chart for explaining the case where rejection occurs as the third embodiment of the Web system in Fig. 1.
- Fig. 12 is a schematic view of the fourth embodiment of the Web system in Fig. 1.
- Embodiments of the present invention will now be explained with reference to the drawings.
- Fig. 1 shows the configuration of the first embodiment, in which the present invention is applied to a Web system. A network 2 is connected to an authentication server terminal 3, an authentication client terminal 4 (a Web server terminal in this embodiment), a user terminal 5, etc. In such a Web system 1, the Web server terminal 4, when accessed by a user through the user terminal 5, obtains individual authentication of the user from the authentication server terminal 3 and, on the basis of the result, provides service to the user.
- The authentication server terminal 3 is a computer device such as a personal computer or workstation (which may include a CPU, memory, disk, communication control unit, etc.) in which an authentication control unit 3A, an authentication information database 3B and an authentication information acquisition software pool 3C operate (hereinafter software is referred to as S/W). The Web server terminal 4 is a computer device such as a personal computer or workstation in which a Web server database 4A, an authentication request unit 4B and Web server S/W 4C requiring authentication of a user operate.
- The user terminal 5 is a computer device such as a personal computer or workstation in which a browser 5A for displaying information from the Web server terminal 4 and authentication information acquisition S/W 5B operate. The user terminal 5 is connected to a biometric acquisition device 6. The biometric acquisition device 6 includes a fingerprint acquisition device 7 and a handprint acquisition device 8, which acquire a fingerprint and a handprint of a living body, respectively, as biometric information through image processing; a letter recognition tablet 9 for acquiring handwriting written by the user as biometric information; and a retina information acquisition device 10 for acquiring retina information of a living body as biometric information by scanning the eyeground.
- The processing flow of authentication in such a Web system is shown in Fig. 2. First, consider the case where a user, using the browser 5A, which is an application operating in the user terminal 5, accesses highly secret information in the Web server database 4A of the Web server terminal 4, which is the client of authentication (SP1). The Web server S/W 4C, which is the application controlling access to that information, must authenticate the user in order to decide whether the user has an access right (SP10).
- Namely, the Web server S/W 4C in the Web server terminal 4 informs the authentication request unit 4B that user authentication is necessary, together with a client ID (identifier of the authentication request unit), an application ID (identifier of the Web server S/W 4C, the application requiring authentication) and an access data class (secret level of the data accessed by the user) (SP11). The authentication request unit 4B transmits an authentication request for the user, including the above information, to the authentication server terminal 3.
- The authentication control unit 3A in the authentication server terminal 3, having received the authentication request, selects an authentication information acquisition S/W 11 on the basis of the authentication client ID, application ID and access data class (SP20). The authentication information acquisition S/W 11 acquires a predetermined item of authentication information; it may acquire a plurality of items. The authentication control unit 3A transfers the selected authentication information acquisition S/W 11 to the Web server terminal 4, the client of authentication (SP21).
- The authentication request unit 4B in the Web server terminal 4 delivers the transferred authentication information acquisition S/W 11 to the Web server S/W 4C and instructs it to acquire the authentication information from the user. On this instruction, the authentication information acquisition S/W 11 is transferred from the Web server S/W 4C to the user terminal 5 (SP12).
- The browser 5A in the user terminal 5 receives the transferred authentication information acquisition S/W 11 and runs it as the authentication information acquisition S/W 5B (SP2). The authentication information acquisition S/W acquires, of its own accord, a user ID (name, firm, member number, address, affiliation, telephone number, or an ID allotted to the individual by the system), biometric information such as fingerprint, handprint, handwriting or retina information, and authentication information of the kind normally used in a conventional computer system, such as a password or one-time password. It may operate in cooperation with other S/W such as a driver that acquires the authentication information. The authentication information acquisition S/W 5B transfers the acquired user ID and authentication information to the Web server terminal 4 through the browser 5A (SP3).
- The authentication request unit 4B in the Web server terminal 4 transfers the user ID and authentication information acquired from the user, received through the Web server S/W 4C, to the authentication server terminal 3 (SP13). The authentication control unit 3A in the authentication server terminal 3 executes user authentication using the transferred user ID and authentication information (SP22). The transferred authentication information, such as the biometric information, is checked against the individual's information initially stored in the authentication information database 3B in the authentication server terminal 3. Only if checking of every transferred item of authentication information succeeds is the user decided to be the person in question, and this result is reported to the Web server terminal, the client of authentication. If at least one check fails, the user is decided not to be the person in question, and this is reported to the Web server terminal (SP23).
- The authentication request unit 4B in the Web server terminal 4, the client of authentication, having received the result of authentication, informs the Web server S/W 4C of it. On the basis of the result, the Web server S/W 4C decides whether to permit or inhibit the user's access to the highly secret information in the Web server database 4A (SP14). If access is permitted, the operation requested by the user, such as displaying the secret information, is carried out.
- Additionally, encryption between the user terminal 5 (authentication information acquisition S/W 5B) and the Web server terminal 4, and between the Web server terminal 4 and the authentication server terminal 3 (authentication control unit 3A), conceals the authentication information in transit and reduces the threat of impersonation. Likewise, end-to-end encryption between the user terminal 5 (authentication information acquisition S/W 5B) and the authentication server terminal 3 (authentication control unit 3A), rather than between each pair of adjacent terminals, also reduces the threat of impersonation.
- Referring to Figs. 3 and 4, a simple example of the database structure and of the selection processing for the authentication information acquisition S/W will now be explained. The authentication information database 3B in Fig. 3 holds, as information allotted to each individual user, a user ID, a user level and authentication information. The user ID is a name, firm, member number, address, affiliation, telephone number, or any identifier allotted to the individual by the system. The user level represents the access level to secret information. The authentication information consists of biometric information such as fingerprint, handprint, handwriting or retina information, and authentication information such as a password or one-time password.
- As seen from Fig. 4, the authentication information acquisition S/W pool 3C stores authentication information acquisition S/Ws 11 such as one acquiring both fingerprint and retina information, one acquiring fingerprint information from two fingers, and so on. The pool 3C also records which authentication information acquisition S/W 11 may be selected for each secret level and data class.
- Taking as an example the case where a user accesses information of data class 17 in the Web server database 4A, the mechanism by which the authentication server terminal 3 selects the authentication information acquisition S/W 11 will be explained. In this case the authentication client ID, the identifier of the authentication request unit 4B, is 15, and the application ID, the identifier of the Web server S/W 4C, is 25. When access to data class 17 occurs, the Web server S/W 4C informs the authentication request unit 4B that user authentication is necessary. The authentication request unit 4B transmits the user's authentication request, including data class 17, authentication client ID 15 and application ID 25, to the authentication server terminal 3, which receives the request together with these items of information.
- The authentication control unit 3A in the authentication server terminal 3 determines from the database in the authentication information acquisition S/W pool 3C in Fig. 4 that data class 17 in the authentication request corresponds to level 2, and therefore that the selectable candidates are the authentication information acquisition S/Ws 11 of level 2 or higher.
- Referring to Figs. 5 and 6, another embodiment of the part of the authentication information database corresponding to Fig. 3 will be explained. These figures list the selectable authentication information acquisition S/Ws 11 for each authentication client ID and for each application ID, respectively. The authentication control unit 3A in the authentication server terminal 3 determines the candidate authentication information acquisition S/Ws 11 selectable from the authentication client ID and from the application ID, and takes the intersection of the candidate sets. In the example, on the basis of the data class, A, B, C, D, E and F are candidates; on the basis of the authentication client ID, C, D and E are candidates; and on the basis of the application ID, A, D and E are candidates. Finally, either D or E will be selected.
- From the candidate authentication information acquisition S/Ws, the authentication server terminal 3 chooses one either at random, by a fixed definition, or by sequential selection. In this embodiment, the authentication means and authentication information can thus be selected flexibly according to the environment: the data class of the accessed information, the authentication request unit 4B operating in the device that is the client of authentication, and the Web server S/W 4C, which is the application in use. In this way identification of an individual and the decision on the presence or absence of that individual's access right can be made reliably according to the environment.
- Next, the case where a user ID is included in the authentication request and the authentication information database of Fig. 3 is set out in detail as shown in Fig. 7 will be explained. The processing flow of this embodiment is shown in Fig. 8, in which like reference numerals refer to like parts in Fig. 2. First, the Web server terminal 4 acquires a user ID (name, firm, member number, address, affiliation, telephone number, or an ID allotted to the individual by the system) and requests the authentication request unit 4B to authenticate the user with the acquired user ID, the client ID (identifier of the authentication request unit 4B), the application ID (identifier of the Web server S/W 4C, the application requiring authentication) and the access data class (secret level of the data accessed by the user).
- The authentication information database shown in Fig. 7, in addition to the contents of Fig. 3, includes information allotted to each individual such as the user's type (data manager or general user), the usable authentication client IDs, the usable application IDs, application control information which is delivered to the application when the user is authenticated as the person in question, checking logs (the authentication information acquisition S/Ws selected in the past, up to a prescribed number of authentications, and their checking rates), the total number of authentications, a selection condition, etc.
- Where the authentication request includes a user ID, the authentication information acquisition S/W is selected in accordance with the selection condition of the user in question. For example, if the user ID is 1 and the other conditions are the same as in the previous example (data class = 17, authentication client ID = 15 and application ID = 25), the authentication request unit 4B transmits the user's authentication request, including user ID = 1, data class = 17, authentication client ID = 15 and application ID = 25, to the authentication server terminal 3.
- The authentication server terminal 3 receives the authentication request with this information. As in the previous embodiment, on the basis of the data class, A, B, C, D, E and F are candidates; on the basis of the authentication client ID, C, D and E are candidates; and on the basis of the application ID, A, D and E are candidates; so either D or E will be selected. Further, because user ID = 1 is given, the authentication control unit 3A makes the selection according to the total number of authentications of that user. The selection follows a repeating sequence: the first selection is D, the second E, the third E, the fourth E, and so on. Here the total number of authentications of user ID = 1 so far is 20, so this one is the 21st, and accordingly D is selected as the authentication information acquisition S/W 11.
Other Examples
- Further, as shown in Fig. 7, if the authentication client IDs and application IDs usable by each user are designated in the authentication information database 3B, access control can be realised whereby the authentication information acquisition S/W 11 is sent to the user only if the authentication client ID and application ID in the request are among those designated. Here, since the usable client IDs include 15 and the usable application IDs include 25, sending the authentication information acquisition S/W 11 is permitted.
- Permission or inhibition of the authentication information acquisition S/W 11 can also be decided on the basis of the user type shown in Fig. 7. Further, if a secret level is allotted to the authentication client and to the application as it is to the user, the authentication server terminal 3 can select the authentication information acquisition S/W 11 on the basis of the levels of the authentication client, the application and the access data class; for example, it can select an authentication information acquisition S/W of the highest of the three levels or higher.
- The processing after the authentication information acquisition S/W 11 is sent differs from the example described above in that only the authentication information is returned, since the user ID has already been acquired. Further, using Key = 1, the application control information in Fig. 7 that is delivered to the application when the user is authenticated as the person in question, the Web server terminal 4 can realise a variety of access controls.
- In the above example the total number of authentications was used as the selection condition. If the checking evaluation in the checking logs of Fig. 7 is used instead as the selection condition, then among the authentication information acquisition S/Ws 11 of level 2 or higher, the one with the highest checking evaluation in the user's past checking logs is looked up and selected. Here E, which had the highest checking evaluation the last time, is selected.
- There is also an example in which transfer of the authentication information acquisition S/W from the authentication server terminal 3 to the authentication client is omitted. Namely, where the authentication information acquisition S/W is fixedly determined by the Web server terminal 4, the authentication client in the Web system 1 described above, the Web server terminal 4 may use the copy of the authentication information acquisition S/W 11 it previously acquired, and the authentication server terminal 3 need only notify the Web server terminal 4 of the selection without transferring the authentication information acquisition S/W itself.
- As described above, where authentication using biometric information is executed in the Web system 1, the authentication information acquisition S/W which dynamically acquires the information required for authentication is selected in accordance with the environment (the user making the access, the data class of the accessed information, the authentication request unit 4B operating in the Web server terminal 4 that is the client of authentication, the Web server S/W 4C that is the application in use, etc.) and the authentication history (the status at the time of authentication). In this way identification of an individual and the decision on the presence or absence of that individual's access right can be made reliably according to the environment.
- The second embodiment of the present invention is a simplification of the first. In Fig. 9, in which like reference numerals refer to like parts in Fig. 1, the user terminal which acquires the biometric information is the same terminal as the authentication client. An example of an application requiring authentication is a database retrieval application 5E which executes database retrieval. The user terminal 5 comprises a local database 5C used by the database retrieval application 5E, an authentication request unit 5D, and a computer (personal computer or workstation) in which the database retrieval application 5E and the authentication information acquisition S/W 11 operate. The biometric acquisition device 6 is connected to the user terminal 5 and has exactly the same configuration as in the first embodiment. The authentication server terminal 3 also has exactly the same configuration as in the first embodiment.
- The operation of the remote authentication system according to the second embodiment will now be explained. In Fig. 10, in which like reference numerals refer to like parts in Figs. 2 and 8, the database retrieval application 5E, when it accesses secret information in the local database 5C (SP5), first acquires a user ID (name, firm, member number, address, affiliation, telephone number, or an ID allotted to the individual by the system) (SP6), and requests the authentication request unit 5D to authenticate the user with the acquired user ID, the client ID (identifier of the authentication request unit 5D), the application ID (identifier of the database retrieval application 5E, the application requiring authentication) and the access data class (secret level of the data accessed by the user) (SP7).
- The authentication server terminal 3 executes the same authentication operation as in the first embodiment. The authentication request unit 5D of the user terminal 5, having received the result of authentication, informs the database retrieval application 5E of it. On the basis of the result, the database retrieval application 5E decides whether to permit or inhibit the user's access to the highly secret information in the local database 5C (SP8). If access is permitted, the operation requested by the user, such as displaying the secret information, is carried out. In this configuration, in which the user terminal 5 itself issues the authentication request, the same effect as in the first embodiment is obtained.
- In Fig. 11, in which like reference numerals refer to like parts in Figs. 2 and 8, a procedure (SP2B, SP12A) is proposed whereby the user rejects the authentication information acquisition S/W 11 transferred from the authentication server terminal 3 when the individual authentication information it specifies does not match the user's intention. The authentication server terminal 3, on receiving the rejection of acquisition, selects another authentication information acquisition S/W (SP20A). This is, however, limited to the case where another authentication information acquisition S/W remains that can be selected, as described in connection with Fig. 4.
- Where biometric information is used as the authentication information of an individual, the user needs to be able to reject a particular biometric acquisition device 6 that is dirty or unpleasant to use. Specifically, although biometric information is effective for discriminating an individual from other persons, it raises problems of privacy protection and hygiene as described above. For this reason, the user needs to be able to reject or change the biometric acquisition.
- Where the biometric acquisition device 6 is not trusted with regard to security, the user may also wish to specify information other than biometric information, i.e. an alternative means such as a one-time password (OTP), even though it is more complicated. In such a case, in accordance with the user's rejection or change, the authentication information acquisition S/W which dynamically acquires the information for authentication can be reselected, so that the individual is identified and the presence or absence of the individual's access right decided reliably according to the environment.
- The fourth embodiment obtains the same effect as the third embodiment by a different means: the mechanism for selecting the authentication information to be acquired is placed in the authentication information acquisition S/W itself of the first and second embodiments. In the first embodiment, for example, the authentication information acquisition S/W itself can offer a choice between authentication D, by both fingerprint and handwriting, and authentication E, by fingerprint only. In this case the authentication server transfers an authentication information acquisition S/W capable of acquiring the information for both D and E.
- The configuration and operation procedure of the Web system 1 itself are the same as in the first and second embodiments. The screen displayed by the authentication information acquisition S/W on the user's side is shown in Fig. 12. The user selects either D or E as the authentication means and authentication information to be acquired for himself. When he presses either select button, the corresponding information is acquired and sent; the authentication server terminal 3 can then determine the type of the received authentication information and whether authentication can be made using the received set of information. Thus the same effect as in the third embodiment is obtained.
- In the first to fourth embodiments the authentication information to be acquired was determined by the authentication information acquisition S/W. Instead, the authentication information to be acquired may merely be displayed on the screen. For example, according to the number of authentications in the detailed database of the first embodiment, a message requesting transfer of fingerprint information and handwriting information is displayed on the screen. The user then operates the software for acquiring the authentication information of his own accord in accordance with the displayed contents, and transfers the authentication information thus acquired to the authentication server terminal 3.
- The required transfer need not be displayed concretely; instead, the authentication information to be transferred may have been notified in advance. In this case the user operates the software for acquiring the authentication information of his own accord, acquiring from memory all the items of information previously notified by a manager, and transfers the acquired authentication information to the authentication server. In this way the same effect as in the first embodiment is realised. Where the authentication information to be transferred has been notified in advance and is not displayed concretely, the knowledge of which authentication information to acquire itself serves as a kind of password, so the security of acquisition of the authentication information is remarkably improved.
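The selection logic described for Figs. 3 to 8 (candidate sets by data class level, authentication client ID and application ID, then the per-user selection condition), the re-selection after a user's rejection (Fig. 11) and the server-side check of a user-chosen item set (Fig. 12) can be written out as one small model. The following Python is an added example, not code from the patent or from its applicant; every table in it is constructed to reproduce the numbers given in the text (data class 17 = level 2, client 15 → C/D/E, application 25 → A/D/E, user 1 with 20 past authentications and the cycle D, E, E, E), and the S/W letters, checking rates, item kinds and stored templates are assumptions for illustration only.

```python
"""Added example (not the patent's code): selection of the authentication
information acquisition S/W 11 by the authentication control unit 3A,
re-selection after a rejection, and the SP22 check of the returned items.
All table contents are constructed to match the numbers in the text."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Set, Tuple

# Fig. 4 (constructed): each S/W in pool 3C and the security level it satisfies.
SW_POOL: Dict[str, int] = {"A": 2, "B": 2, "C": 2, "D": 3, "E": 3, "F": 2}
# Data class -> required level (constructed; the text says class 17 is level 2).
DATA_CLASS_LEVEL: Dict[int, int] = {17: 2, 30: 3}
# Figs. 5 and 6 (constructed): S/Ws usable per authentication client ID / application ID.
CLIENT_SW: Dict[int, Set[str]] = {15: {"C", "D", "E"}}
APP_SW: Dict[int, Set[str]] = {25: {"A", "D", "E"}}
# Items each S/W acquires (constructed; D and E follow the fourth embodiment).
SW_ITEMS: Dict[str, FrozenSet[str]] = {
    "D": frozenset({"fingerprint", "handwriting"}),
    "E": frozenset({"fingerprint"}),
}


@dataclass
class UserRecord:
    """One row of the detailed authentication information database 3B (Fig. 7)."""
    user_id: int
    usable_clients: Set[int]
    usable_apps: Set[int]
    total_auth_count: int
    selection_condition: str                        # "count" or "rate"
    selection_cycle: Tuple[str, ...] = ("D", "E", "E", "E")
    checking_logs: Dict[str, float] = field(default_factory=dict)  # S/W -> last checking rate
    enrolled: Dict[str, str] = field(default_factory=dict)         # item kind -> stored template


USERS: Dict[int, UserRecord] = {
    1: UserRecord(1, {15}, {25}, 20, "count",
                  checking_logs={"D": 0.91, "E": 0.97},
                  enrolled={"fingerprint": "fp-template-u1", "handwriting": "hw-template-u1"}),
    2: UserRecord(2, {15}, {25}, 7, "rate", checking_logs={"D": 0.88, "E": 0.95}),
    3: UserRecord(3, {16}, {25}, 0, "count"),       # client 15 is not usable for this user
}


def candidates(data_class: int, client_id: int, app_id: int) -> Set[str]:
    """Intersection of the three candidate sets: data class level, client ID, application ID."""
    level = DATA_CLASS_LEVEL[data_class]
    by_class = {sw for sw, lvl in SW_POOL.items() if lvl >= level}
    return by_class & CLIENT_SW.get(client_id, set()) & APP_SW.get(app_id, set())


def select_sw(data_class: int, client_id: int, app_id: int,
              user_id: Optional[int] = None,
              rejected: FrozenSet[str] = frozenset()) -> Optional[str]:
    """Pick the S/W to send, or None if none may be sent.

    `rejected` holds S/Ws the user has already refused (SP2B/SP12A); the same
    selection condition is applied to what remains (SP20A)."""
    cands = candidates(data_class, client_id, app_id) - set(rejected)
    if not cands:
        return None
    if user_id is None:                        # no user ID in the request: fixed choice
        return min(cands)
    user = USERS[user_id]
    # Access control on the usable client/application IDs (Fig. 7).
    if client_id not in user.usable_clients or app_id not in user.usable_apps:
        return None
    if user.selection_condition == "count":
        n = user.total_auth_count + 1          # this request is the n-th authentication
        start = (n - 1) % len(user.selection_cycle)
        order = user.selection_cycle[start:] + user.selection_cycle[:start]
        return next((sw for sw in order if sw in cands), min(cands))
    # "rate": the highest past checking evaluation wins; ties are broken by name.
    return max(cands, key=lambda sw: (user.checking_logs.get(sw, 0.0), sw))


def verify(user_id: int, items: Dict[str, str], allowed: Set[str]) -> bool:
    """Server-side check (SP22): the received item set must correspond to an
    allowed S/W and every item must match the stored template."""
    kinds = frozenset(items)
    if not any(SW_ITEMS.get(sw) == kinds for sw in allowed):
        return False
    user = USERS[user_id]
    return all(user.enrolled.get(kind) == value for kind, value in items.items())


if __name__ == "__main__":
    print("user 1, 21st authentication:", select_sw(17, 15, 25, user_id=1))        # D
    print("after rejecting D:", select_sw(17, 15, 25, 1, frozenset({"D"})))        # E
    print("user 2 (rate condition):", select_sw(17, 15, 25, user_id=2))            # E
    print("verify:", verify(1, {"fingerprint": "fp-template-u1",
                               "handwriting": "hw-template-u1"}, candidates(17, 15, 25)))
```

The access-control check on usable client and application IDs runs before any S/W is chosen, so a request from an unregistered client never learns which acquisition S/W exists for the user; and `verify` rejects an item set that does not correspond to one of the S/Ws the server was prepared to accept, which is what lets the server tell D from E when the user picks the button in Fig. 12.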
- In the first to fourth embodiments, authentication of the individual user was requested by the Web server terminal 4. The present invention is not limited to this, however, and may be widely applied to any controller that requires authentication of an individual user, such as an entry/exit terminal device connected to a network.
- As described above, in accordance with the present invention, when authentication is to be made using biometric information, the authentication server freely selects the biometric acquisition device and the authentication information to be acquired in accordance with the environment in which the user's biometric information is acquired. Thus a remote authentication system capable of reliably identifying a user and deciding the presence or absence of the user's access right is realised.
- If the designated authentication information is unsatisfactory to the user, he can change the authentication information to be acquired or reject its acquisition. Even when the biometric acquisition device itself is dirty or unpleasant to use, or the device for acquiring the biometric information is not trusted, identification of the user and the decision on the presence or absence of the user's access right can be made by an alternative means.
Claims (4)
- A remote authentication system having a network which is connected to an authentication server, an authentication client and a user terminal, in which authentication of the user accessing the authentication client is made through the user terminal, said system comprising: one or plural kinds of biometrics acquisition devices connected to said user terminal; and one or plural authentication information acquisition software programs stored in said authentication server according to the user terminal and/or a user; wherein, in accordance with the operation of a prescribed authentication acquisition software program corresponding to the user terminal and/or user, which is downloaded from the authentication server at authentication time, biometrics information acquired by one or plural kinds of biometrics acquisition devices and/or keyed-in user discrimination information are used.
- A remote authentication system having a network which is connected to an authentication server and a user terminal, in which authentication of the user accessing said user terminal is made, said system comprising: one or plural kinds of biometrics acquisition devices connected to said user terminal; and one or plural authentication information acquisition software programs stored in said authentication server according to the user terminal and/or a user; wherein, in accordance with the operation of a prescribed authentication acquisition software program corresponding to the user terminal and/or user, which is downloaded from the authentication server at authentication time, biometrics information acquired by one or plural kinds of biometrics acquisition devices and/or keyed-in user discrimination information are used.
- A remote authentication system according to claim 1, further comprising an authentication information acquisition software including a procedure for the user selecting which of said plural biometrics acquisition devices connected to said user terminal should be used to input the biometrics information.
- A remote authentication system according to claim 2, further comprising an authentication information acquisition software including a procedure for the user selecting which of said plural biometrics acquisition devices connected to said user terminal should be used to input the biometrics information.
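The description and claims above amount to a small protocol: the server holds, per terminal and per user, the set of acquisition methods it will accept, hands the terminal an ordered plan at authentication time, lets the user reject a designated method (a dirty or unreliable device) in favour of the next alternative, and still verifies the result itself. The following Python is an added illustration of that selection and fallback logic; it is not code from the patent, and the terminal names, user names, device sets, templates and password salt are all constructed sample data. Two points a practitioner would want are made explicit: keyed-in discrimination information is the alternative that needs no device, and the server accepts a sample only for a method that was in the plan it issued, so a client cannot substitute a method the server never designated.

```python
"""Constructed illustration of server-selected authentication acquisition
with user-rejectable alternatives. Not code from the patent."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# --- Constructed sample data (assumptions, not from the patent) -----------

# Biometric acquisition devices attached to each user terminal.
TERMINAL_DEVICES: Dict[str, Set[str]] = {
    "terminal-A": {"fingerprint", "iris"},
    "terminal-B": {"fingerprint"},
    "terminal-C": set(),  # no biometric device at all
}

# Methods each user has enrolled; "password" stands for keyed-in
# user discrimination information.
USER_ENROLLED: Dict[str, Set[str]] = {
    "alice": {"fingerprint", "iris", "password"},
    "bob": {"fingerprint", "password"},
}

# Server preference order when several alternatives are available.
PREFERENCE: List[str] = ["iris", "fingerprint", "password"]

# Reference data held only by the authentication server. Biometric
# templates are modelled as opaque bytes compared for equality; a real
# matcher scores similarity, but the selection logic is the same.
_PW_SALT = b"constructed-salt"
TEMPLATES: Dict[Tuple[str, str], bytes] = {
    ("alice", "iris"): b"alice-iris-template",
    ("alice", "fingerprint"): b"alice-finger-template",
    ("alice", "password"): hashlib.sha256(_PW_SALT + b"correct horse").digest(),
    ("bob", "fingerprint"): b"bob-finger-template",
    ("bob", "password"): hashlib.sha256(_PW_SALT + b"hunter2").digest(),
}


@dataclass(frozen=True)
class AcquisitionPlan:
    """What the server hands to the terminal: the ordered list of
    acquisition methods it is willing to accept for this user/terminal."""
    user: str
    terminal: str
    methods: Tuple[str, ...]


def build_plan(user: str, terminal: str) -> AcquisitionPlan:
    """Server side: intersect enrolled methods with what the terminal can
    acquire. Keyed-in information needs no device, so it is always possible."""
    enrolled = USER_ENROLLED.get(user, set())
    devices = TERMINAL_DEVICES.get(terminal, set())
    methods = tuple(
        m for m in PREFERENCE
        if m in enrolled and (m == "password" or m in devices)
    )
    return AcquisitionPlan(user, terminal, methods)


def choose_method(plan: AcquisitionPlan, rejected: Set[str]) -> Optional[str]:
    """Client side: the user may reject a designated method (dirty or
    unreliable device); the next server-approved alternative is offered.
    Returns None when nothing acceptable remains, never a method the
    server did not list."""
    for m in plan.methods:
        if m not in rejected:
            return m
    return None


def verify(plan: AcquisitionPlan, method: str, sample: bytes) -> bool:
    """Server side: accept a sample only for a method that was in the plan,
    and compare it against the stored reference in constant time."""
    if method not in plan.methods:
        return False
    if method == "password":
        presented = hashlib.sha256(_PW_SALT + sample).digest()
    else:
        presented = sample
    reference = TEMPLATES.get((plan.user, method))
    return reference is not None and hmac.compare_digest(presented, reference)


def authenticate(user: str, terminal: str, rejected: Set[str],
                 samples: Dict[str, bytes]) -> Tuple[Optional[str], bool]:
    """Full exchange: plan, user choice, verification.
    Returns (method used, result)."""
    plan = build_plan(user, terminal)
    method = choose_method(plan, rejected)
    if method is None:
        return None, False
    return method, verify(plan, method, samples.get(method, b""))


if __name__ == "__main__":
    # Alice at terminal-A rejects the iris scanner and uses the fingerprint reader.
    print(authenticate("alice", "terminal-A", {"iris"},
                       {"fingerprint": b"alice-finger-template"}))
    # Bob at a terminal without devices falls back to keyed-in information.
    print(authenticate("bob", "terminal-C", set(), {"password": b"hunter2"}))
```

The plan is computed on the server from its own records of the terminal and the user, and `verify` rejects any method outside that plan, so rejecting a device only ever moves the user to another alternative the server already approved; when the list is exhausted the exchange fails rather than degrading to an unlisted method.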
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2422598 | 1998-02-05 | ||
JP10024225A JPH11224236A (en) | 1998-02-05 | 1998-02-05 | Remote authentication system |
Publications (3)
Publication Number | Publication Date |
---|---|
EP0935221A2 (en) | 1999-08-11 |
EP0935221A3 (en) | 2000-02-02 |
EP0935221B1 (en) | 2005-11-02 |
Family
ID=12132338
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP98123757A Expired - Lifetime EP0935221B1 (en) | 1998-02-05 | 1998-12-14 | Remote authentication system |
Country Status (3)
Country | Link |
---|---|
EP (1) | EP0935221B1 (en) |
JP (1) | JPH11224236A (en) |
DE (1) | DE69832145T2 (en) |
Cited By (25)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2001009807A1 (en) * | 1999-08-02 | 2001-02-08 | E-Mark Systems Inc. | Electronic settlement system, and settlement device and terminal |
WO2001059580A1 (en) * | 2000-02-09 | 2001-08-16 | Nobuyoshi Ochiai | Personal authentication system |
WO2001071462A2 (en) * | 2000-03-21 | 2001-09-27 | Widcomm, Inc. | System and method for secure biometric identification |
WO2001082190A1 (en) * | 2000-04-26 | 2001-11-01 | Global Transaction Company | Multi-tiered identity verification authority for e-commerce |
WO2001088782A1 (en) * | 2000-05-19 | 2001-11-22 | E-Mark Systems Inc. | Electronic settlement system, settlement device and terminal |
WO2001040982A3 (en) * | 1999-12-01 | 2002-03-21 | Iridian Technologies | System and method of fast biometric database searching using digital certificates |
EP1199623A2 (en) * | 2000-10-17 | 2002-04-24 | Siemens Aktiengesellschaft | Method and system for user identification |
EP1239629A2 (en) * | 2001-03-05 | 2002-09-11 | Telefonaktiebolaget L M Ericsson (Publ) | Method for the safe use and transmission of biometric data for authentication purposes |
GB2391992A (en) * | 2002-08-12 | 2004-02-18 | Domain Dynamics Ltd | Method of authentication |
WO2004015552A2 (en) * | 2002-08-12 | 2004-02-19 | Domain Dynamics Limited | Method of authentication |
EP1426845A1 (en) * | 2001-09-14 | 2004-06-09 | Sony Computer Entertainment Inc. | Method for authentication of computer program stored in medium |
EP1085454A3 (en) * | 1999-09-14 | 2004-06-09 | Fujitsu Limited | Personal authentication system using biometrics information |
DE102005003208A1 (en) * | 2005-01-24 | 2006-07-27 | Giesecke & Devrient Gmbh | End device user authenticating method for e.g. mobile network, involves transmitting authentication data to authentication server by communication network for purpose of authentication of user, where authentication is executed by server |
US7523067B1 (en) | 2000-08-02 | 2009-04-21 | Softbankbb Corporation | Electronic settlement system, settlement apparatus, and terminal |
US7559084B2 (en) | 2003-02-14 | 2009-07-07 | Fujitsu Limited | Authentication information processing method |
US7665122B2 (en) | 2003-01-29 | 2010-02-16 | Canon Kabushiki Kaisha | Authentication apparatus, method and program |
CN102111271A (en) * | 2009-12-25 | 2011-06-29 | 林茂聪 | Network security authentication method and device as well as authentication method of hand-held electronic device |
CN102385766A (en) * | 2011-06-23 | 2012-03-21 | 哈尔滨工业大学深圳研究生院 | Palmprint-based authentication unlocking method, terminal and system |
CN102800138A (en) * | 2011-05-26 | 2012-11-28 | 中兴通讯股份有限公司 | Method and device for realizing entrance guard control |
US8340293B2 (en) | 2002-02-07 | 2012-12-25 | Minolta Company, Ltd. | Verification system, server, and electronic instrument |
US8387155B2 (en) | 1997-06-11 | 2013-02-26 | Prism Technologies Llc | System for managing access to protected computer resources |
US8863259B2 (en) | 2009-09-18 | 2014-10-14 | Fujitsu Limited | Method of controlling biometric authentication system, non-transitory, computer readable storage medium and biometric authentication system |
WO2018011559A1 (en) * | 2016-07-11 | 2018-01-18 | Lookiimedia (UK) Limited | Providing access to structured stored data |
US10389710B2 (en) | 2014-02-28 | 2019-08-20 | Alibaba Group Holding Limited | Method and system for extracting characteristic information |
US10572875B2 (en) | 2000-04-24 | 2020-02-25 | Visa International Service Association | Online account authentication service |
Families Citing this family (50)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP3490350B2 (en) * | 1999-08-30 | 2004-01-26 | 沖電気工業株式会社 | Electronic payment system |
US7249093B1 (en) | 1999-09-07 | 2007-07-24 | Rysix Holdings, Llc | Method of and system for making purchases over a computer network |
JP2001216270A (en) * | 2000-01-31 | 2001-08-10 | Netmarks Inc | Authentication station, authentication system and authentication method |
JP2001245342A (en) | 2000-02-28 | 2001-09-07 | Nec Corp | Mobile communication system and method for operating the mobile communication system |
JP4950384B2 (en) * | 2000-03-28 | 2012-06-13 | 株式会社東芝 | Medical diagnostic imaging apparatus and security management method thereof |
US7409543B1 (en) | 2000-03-30 | 2008-08-05 | Digitalpersona, Inc. | Method and apparatus for using a third party authentication server |
US7698565B1 (en) | 2000-03-30 | 2010-04-13 | Digitalpersona, Inc. | Crypto-proxy server and method of using the same |
JP2002112340A (en) * | 2000-09-28 | 2002-04-12 | Toshiba Corp | Personal authentication system for mobile device and its method |
US6819219B1 (en) * | 2000-10-13 | 2004-11-16 | International Business Machines Corporation | Method for biometric-based authentication in wireless communication for access control |
PL357564A1 (en) | 2000-11-10 | 2004-07-26 | Ntt Docomo, Inc. | Authentication system, authentication agent apparatus, and terminal |
JP2002163234A (en) * | 2000-11-28 | 2002-06-07 | Asahi Bank Ltd | User authentication system and processing method therefor, and recording medium recorded with the program therefor |
JP2002236667A (en) * | 2001-02-09 | 2002-08-23 | Sony Corp | Authentication method, authentication system, authentication device, and module for authentication |
JP4390122B2 (en) * | 2001-03-14 | 2009-12-24 | 富士通株式会社 | User authentication system using biometric information |
KR100442118B1 (en) * | 2001-07-31 | 2004-07-27 | 김유진 | Method of user authentication based on the web using biometrics technology |
KR100408835B1 (en) * | 2001-08-07 | 2003-12-06 | 구홍식 | Method For Division Saving A Living Body Information |
KR20030014946A (en) * | 2001-08-13 | 2003-02-20 | 구홍식 | Method For Integrated Authentication To Many Living Body Information Authentication Programs |
US20060053296A1 (en) * | 2002-05-24 | 2006-03-09 | Axel Busboom | Method for authenticating a user to a service of a service provider |
EP1563628A4 (en) * | 2002-11-06 | 2010-03-10 | Ibm | Confidential data sharing and anonymous entity resolution |
KR100445333B1 (en) * | 2002-11-11 | 2004-08-18 | 현대정보기술주식회사 | Method for providing mobile contents services by using biometric mobile system |
KR20040048115A (en) * | 2002-12-02 | 2004-06-07 | 주식회사 시큐아이티 | Apparatus and method for transmitting/receiving multi-biological information for authentication in mobile communication network |
KR20040048048A (en) * | 2002-12-02 | 2004-06-07 | 한국전자통신연구원 | An Authentication Method Using Multi-Biometric Data and USB Key Apparatus |
KR20040048114A (en) * | 2002-12-02 | 2004-06-07 | 주식회사 시큐아이티 | Authentication method and device using multi biological identification in portable radiotelephone |
JP2004213128A (en) * | 2002-12-27 | 2004-07-29 | Panasonic Communications Co Ltd | Documentation management device and documentation management method |
JP4531374B2 (en) * | 2003-01-10 | 2010-08-25 | 富士フイルム株式会社 | Information holding device |
JP2004240645A (en) * | 2003-02-05 | 2004-08-26 | Ufj Bank Ltd | Personal identification system and method |
KR20040082848A (en) * | 2003-03-20 | 2004-09-30 | (주)이바이오이미지 | Biometric information recognition mobile phone and biometric information recognition authentication method |
EP1631908A4 (en) | 2003-03-24 | 2012-01-25 | Ibm | Secure coordinate identification method, system and program |
JP2005165808A (en) * | 2003-12-04 | 2005-06-23 | Fuji Xerox Co Ltd | Authentication device, authentication method, and program thereof |
US7810143B2 (en) * | 2005-04-22 | 2010-10-05 | Microsoft Corporation | Credential interface |
JP4802670B2 (en) * | 2005-11-10 | 2011-10-26 | 日本電気株式会社 | Cardless authentication system, cardless authentication method used in the system, and cardless authentication program |
KR100759813B1 (en) | 2005-12-12 | 2007-09-20 | 한국전자통신연구원 | Method for authenticating user using biometrics information |
KR100787114B1 (en) * | 2006-06-20 | 2007-12-21 | 연세대학교 산학협력단 | Method of transforming biometric data and verification system thereof |
JP2007305140A (en) * | 2007-06-01 | 2007-11-22 | Fujitsu Ltd | User terminal authentication program |
KR100915589B1 (en) | 2007-07-12 | 2009-09-07 | 엔에이치엔비즈니스플랫폼 주식회사 | Security authentication system and method |
JP4777951B2 (en) * | 2007-09-10 | 2011-09-21 | 株式会社富士通エフサス | Data authentication method |
JP2008047140A (en) * | 2007-09-10 | 2008-02-28 | Fujitsu Fsas Inc | Data authentication method |
JP4583428B2 (en) * | 2007-09-25 | 2010-11-17 | 株式会社東芝 | Management server device and program |
JP5145003B2 (en) * | 2007-10-03 | 2013-02-13 | 京セラドキュメントソリューションズ株式会社 | Electronic device, authentication processing method thereof, and authentication processing program |
JP5387414B2 (en) * | 2007-12-11 | 2014-01-15 | 日本電気株式会社 | Authentication device, authentication system, authentication method and program |
JP5317596B2 (en) * | 2008-09-10 | 2013-10-16 | 情報技術開発株式会社 | User authentication server and user authentication method |
JP5302665B2 (en) * | 2008-12-25 | 2013-10-02 | 日本電信電話株式会社 | Authentication server presentation method, service providing system, service providing apparatus, and service providing program |
JP2011181063A (en) * | 2010-02-02 | 2011-09-15 | Ricoh Co Ltd | Image forming apparatus, input control method, input control program, and storage medium |
JP5345585B2 (en) * | 2010-04-23 | 2013-11-20 | 日本電信電話株式会社 | Authentication system, authentication method and program |
JP6160401B2 (en) * | 2013-09-25 | 2017-07-12 | 大日本印刷株式会社 | Entrance / exit management device, entrance / exit management method, and program |
CN104951940B (en) * | 2015-06-05 | 2018-07-03 | 西安理工大学 | A kind of mobile payment verification method based on personal recognition |
JP6122924B2 (en) * | 2015-09-11 | 2017-04-26 | ヤフー株式会社 | Providing device, terminal device, providing method, providing program, and authentication processing system |
JP6159840B1 (en) * | 2016-03-16 | 2017-07-05 | 株式会社三井住友銀行 | Payment authentication system, method, and program |
JP6240349B2 (en) * | 2017-01-26 | 2017-11-29 | ヤフー株式会社 | Providing device, providing method, providing program, and authentication processing system |
JP2020201857A (en) * | 2019-06-13 | 2020-12-17 | 株式会社東海理化電機製作所 | Authentication system and authentication method |
JP7045646B2 (en) * | 2019-08-14 | 2022-04-01 | 日本電気株式会社 | Information processing equipment, information processing methods and programs |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JPH0981518A (en) | 1995-09-08 | 1997-03-28 | Kiyadeitsukusu:Kk | Authentication method on network |
Family Cites Families (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
GB2204971A (en) * | 1987-05-19 | 1988-11-23 | Gen Electric Co Plc | Transportable security system |
JPH08329010A (en) * | 1995-03-27 | 1996-12-13 | Toshiba Corp | Computer network system, its access administrating method, and individual authorization device used for same |
EP0762261A3 (en) * | 1995-09-08 | 1999-12-22 | Cadix Inc. | A verification server and authentication method for use in authentication on networks |
AU722257B2 (en) * | 1995-10-16 | 2000-07-27 | British Telecommunications Public Limited Company | Remote access data visualisation system |
US6292782B1 (en) * | 1996-09-09 | 2001-09-18 | Philips Electronics North America Corp. | Speech recognition and verification system enabling authorized data transmission over networked computer systems |
US5930804A (en) * | 1997-06-09 | 1999-07-27 | Philips Electronics North America Corporation | Web-based biometric authentication system and method |
1998
- 1998-02-05 JP JP10024225A patent/JPH11224236A/en active Pending
- 1998-12-14 DE DE69832145T patent/DE69832145T2/en not_active Expired - Fee Related
- 1998-12-14 EP EP98123757A patent/EP0935221B1/en not_active Expired - Lifetime
Patent Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JPH0981518A (en) | 1995-09-08 | 1997-03-28 | Kiyadeitsukusu:Kk | Authentication method on network |
Cited By (48)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8387155B2 (en) | 1997-06-11 | 2013-02-26 | Prism Technologies Llc | System for managing access to protected computer resources |
US9413768B1 (en) | 1997-06-11 | 2016-08-09 | Prism Technologies Llc | Method for managing access to protected computer resources |
US9544314B2 (en) | 1997-06-11 | 2017-01-10 | Prism Technologies Llc | Method for managing access to protected computer resources |
US9369469B2 (en) | 1997-06-11 | 2016-06-14 | Prism Technologies, L.L.C. | Method for managing access to protected computer resources |
US8898746B2 (en) | 1997-06-11 | 2014-11-25 | Prism Technologies Llc | Method for managing access to protected computer resources |
US7865401B2 (en) | 1999-08-02 | 2011-01-04 | Softbank Bb Corporation | Electronic settlement system, settlement apparatus, and terminal |
US7448540B2 (en) | 1999-08-02 | 2008-11-11 | Softbankbb Corporation | Electronic settlement system, settlement apparatus and terminal |
US7571117B1 (en) | 1999-08-02 | 2009-08-04 | Softbankbb Corporation | Electronic authentication system, authentication apparatus, and terminal |
US7657490B1 (en) | 1999-08-02 | 2010-02-02 | Softbankbb Corporation | Electronic settlement system, settlement device, and terminal |
WO2001009807A1 (en) * | 1999-08-02 | 2001-02-08 | E-Mark Systems Inc. | Electronic settlement system, and settlement device and terminal |
US7457782B2 (en) | 1999-08-02 | 2008-11-25 | Softbankbb Corporation | Electronic settlement system, settlement apparatus and terminal |
EP1085454A3 (en) * | 1999-09-14 | 2004-06-09 | Fujitsu Limited | Personal authentication system using biometrics information |
US7974448B2 (en) | 1999-09-14 | 2011-07-05 | Fujitsu Limited | Personal authentication system using biometrics information |
US7020308B1 (en) | 1999-09-14 | 2006-03-28 | Fujitsu Limited | Personal authentication system using biometrics information |
WO2001040982A3 (en) * | 1999-12-01 | 2002-03-21 | Iridian Technologies | System and method of fast biometric database searching using digital certificates |
WO2001059580A1 (en) * | 2000-02-09 | 2001-08-16 | Nobuyoshi Ochiai | Personal authentication system |
WO2001071462A2 (en) * | 2000-03-21 | 2001-09-27 | Widcomm, Inc. | System and method for secure biometric identification |
WO2001071462A3 (en) * | 2000-03-21 | 2003-05-15 | Widcomm Inc | System and method for secure biometric identification |
US10572875B2 (en) | 2000-04-24 | 2020-02-25 | Visa International Service Association | Online account authentication service |
WO2001082190A1 (en) * | 2000-04-26 | 2001-11-01 | Global Transaction Company | Multi-tiered identity verification authority for e-commerce |
WO2001088782A1 (en) * | 2000-05-19 | 2001-11-22 | E-Mark Systems Inc. | Electronic settlement system, settlement device and terminal |
US7523067B1 (en) | 2000-08-02 | 2009-04-21 | Softbankbb Corporation | Electronic settlement system, settlement apparatus, and terminal |
EP1199623A2 (en) * | 2000-10-17 | 2002-04-24 | Siemens Aktiengesellschaft | Method and system for user identification |
EP1199623A3 (en) * | 2000-10-17 | 2006-05-31 | Siemens Aktiengesellschaft | Method and system for user identification |
EP1239629A2 (en) * | 2001-03-05 | 2002-09-11 | Telefonaktiebolaget L M Ericsson (Publ) | Method for the safe use and transmission of biometric data for authentication purposes |
WO2002073542A3 (en) * | 2001-03-05 | 2003-10-09 | Ericsson Telefon Ab L M | Method for the safe use and transmission of biometric data for authentication purposes |
EP1239629A3 (en) * | 2001-03-05 | 2003-08-20 | Telefonaktiebolaget L M Ericsson (Publ) | Method for the safe use and transmission of biometric data for authentication purposes |
WO2002073542A2 (en) * | 2001-03-05 | 2002-09-19 | Telefonaktiebolaget Lm Ericsson (Publ) | Method for the safe use and transmission of biometric data for authentication purposes |
EP1426845A4 (en) * | 2001-09-14 | 2008-12-24 | Sony Computer Entertainment Inc | Method for authentication of computer program stored in medium |
EP1426845A1 (en) * | 2001-09-14 | 2004-06-09 | Sony Computer Entertainment Inc. | Method for authentication of computer program stored in medium |
US8340293B2 (en) | 2002-02-07 | 2012-12-25 | Minolta Company, Ltd. | Verification system, server, and electronic instrument |
GB2391992A (en) * | 2002-08-12 | 2004-02-18 | Domain Dynamics Ltd | Method of authentication |
WO2004015552A2 (en) * | 2002-08-12 | 2004-02-19 | Domain Dynamics Limited | Method of authentication |
WO2004015552A3 (en) * | 2002-08-12 | 2004-07-08 | Domain Dynamics Ltd | Method of authentication |
US7665122B2 (en) | 2003-01-29 | 2010-02-16 | Canon Kabushiki Kaisha | Authentication apparatus, method and program |
US7559084B2 (en) | 2003-02-14 | 2009-07-07 | Fujitsu Limited | Authentication information processing method |
DE102005003208B4 (en) * | 2005-01-24 | 2015-11-12 | Giesecke & Devrient Gmbh | Authentication of a user |
DE102005003208A1 (en) * | 2005-01-24 | 2006-07-27 | Giesecke & Devrient Gmbh | End device user authenticating method for e.g. mobile network, involves transmitting authentication data to authentication server by communication network for purpose of authentication of user, where authentication is executed by server |
US8863259B2 (en) | 2009-09-18 | 2014-10-14 | Fujitsu Limited | Method of controlling biometric authentication system, non-transitory, computer readable storage medium and biometric authentication system |
CN102111271B (en) * | 2009-12-25 | 2015-07-29 | 卡巴斯克 | Network security certification method and device thereof |
CN102111271A (en) * | 2009-12-25 | 2011-06-29 | 林茂聪 | Network security authentication method and device as well as authentication method of hand-held electronic device |
CN102800138B (en) * | 2011-05-26 | 2016-01-13 | 中兴通讯股份有限公司 | A kind of method and device realizing access control |
CN102800138A (en) * | 2011-05-26 | 2012-11-28 | 中兴通讯股份有限公司 | Method and device for realizing entrance guard control |
CN102385766A (en) * | 2011-06-23 | 2012-03-21 | 哈尔滨工业大学深圳研究生院 | Palmprint-based authentication unlocking method, terminal and system |
US10389710B2 (en) | 2014-02-28 | 2019-08-20 | Alibaba Group Holding Limited | Method and system for extracting characteristic information |
WO2018011559A1 (en) * | 2016-07-11 | 2018-01-18 | Lookiimedia (UK) Limited | Providing access to structured stored data |
RU2751095C2 (en) * | 2016-07-11 | 2021-07-08 | Лукиимидиа (Юк) Лимитед | Providing access to structured stored data |
US11075920B2 (en) | 2016-07-11 | 2021-07-27 | Lookiimedia (UK) Limited | Providing access to structured stored data |
Also Published As
Publication number | Publication date |
---|---|
DE69832145T2 (en) | 2006-07-20 |
EP0935221A3 (en) | 2000-02-02 |
DE69832145D1 (en) | 2005-12-08 |
JPH11224236A (en) | 1999-08-17 |
EP0935221B1 (en) | 2005-11-02 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP0935221B1 (en) | Remote authentication system | |
US11546325B2 (en) | Proximity-based system for object tracking | |
US6219439B1 (en) | Biometric authentication system | |
US7475812B1 (en) | Security system for access control using smart cards | |
US20180019998A1 (en) | Proximity-Based System for Automatic Application or Data Access and Item Tracking | |
KR960012656B1 (en) | Keyring metaphor for user's security keys on a distributed multiprocess data system | |
US7793109B2 (en) | Random biometric authentication apparatus | |
US7174458B2 (en) | Method of and apparatus for authenticating client terminal by making use of port access | |
US7757943B2 (en) | Combined payment/access-control instrument | |
US8069157B2 (en) | System and method for providing context-aware computer management using smart identification badges | |
US20090172812A1 (en) | Two factor token identification | |
EP1603003A1 (en) | Flexible method of user authentication | |
US20020059521A1 (en) | Method and system for identifying a user | |
US20020147588A1 (en) | Method and system for interacting with a biometric verification system | |
WO1998041947A1 (en) | Use sensitive tokenless identification system | |
US20050273444A1 (en) | Access administration system and method for a currency compartment | |
US20050154920A1 (en) | Method and apparatus for biometric template data management | |
JP3587045B2 (en) | Authentication management device and authentication management system | |
JP2001014276A (en) | Personal authentication system and method therefor | |
Spender | Identifying computer users with authentication devices (tokens) | |
US20020146154A1 (en) | Method and system for mitigating distortive effects in biometric samples in a biometric verification system | |
JP2006163453A (en) | Authentication system using biometrics | |
US7430667B2 (en) | Media router | |
KR100394370B1 (en) | Preservation Unit Using IC Card and Method | |
US20020147921A1 (en) | Method and system for migrating dynamic master templates in a biometric verification system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase | Free format text: ORIGINAL CODE: 0009012 |
 | AK | Designated contracting states | Kind code of ref document: A2 Designated state(s): DE FR GB |
 | AX | Request for extension of the european patent | Free format text: AL;LT;LV;MK;RO;SI |
 | PUAL | Search report despatched | Free format text: ORIGINAL CODE: 0009013 |
 | AK | Designated contracting states | Kind code of ref document: A3 Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LI LU MC NL PT SE |
 | AX | Request for extension of the european patent | Free format text: AL;LT;LV;MK;RO;SI |
 | 17P | Request for examination filed | Effective date: 20000322 |
 | AKX | Designation fees paid | Free format text: DE FR GB |
 | 17Q | First examination report despatched | Effective date: 20020416 |
 | GRAP | Despatch of communication of intention to grant a patent | Free format text: ORIGINAL CODE: EPIDOSNIGR1 |
 | GRAS | Grant fee paid | Free format text: ORIGINAL CODE: EPIDOSNIGR3 |
 | GRAA | (expected) grant | Free format text: ORIGINAL CODE: 0009210 |
 | AK | Designated contracting states | Kind code of ref document: B1 Designated state(s): DE FR GB |
 | REG | Reference to a national code | Ref country code: GB Ref legal event code: FG4D |
 | PGFP | Annual fee paid to national office [announced via postgrant information from national office to epo] | Ref country code: FR Payment date: 20051129 Year of fee payment: 8 |
 | REF | Corresponds to: | Ref document number: 69832145 Country of ref document: DE Date of ref document: 20051208 Kind code of ref document: P |
 | PGFP | Annual fee paid to national office [announced via postgrant information from national office to epo] | Ref country code: GB Payment date: 20051214 Year of fee payment: 8 |
 | PGFP | Annual fee paid to national office [announced via postgrant information from national office to epo] | Ref country code: DE Payment date: 20051230 Year of fee payment: 8 |
 | RAP2 | Party data changed (patent owner data changed or rights of a patent transferred) | Owner name: MITSUBISHI DENKI KABUSHIKI KAISHA |
 | ET | Fr: translation filed | |
 | PLBE | No opposition filed within time limit | Free format text: ORIGINAL CODE: 0009261 |
 | STAA | Information on the status of an ep patent application or granted ep patent | Free format text: STATUS: NO OPPOSITION FILED WITHIN TIME LIMIT |
 | 26N | No opposition filed | Effective date: 20060803 |
 | PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] | Ref country code: DE Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20070703 |
 | GBPC | Gb: european patent ceased through non-payment of renewal fee | Effective date: 20061214 |
 | REG | Reference to a national code | Ref country code: FR Ref legal event code: ST Effective date: 20070831 |
 | PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] | Ref country code: GB Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20061214 |
 | PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] | Ref country code: FR Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20070102 |