JP2005190394A - Terminal and its program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide an authentication system that, for a plurality of terminals connected to one another via a network, enables each of the terminals to log in to the other terminals in which authentication information is yet to be set, provided that authentication information including the same user ID as a user's authentication information is set in either of the terminals. <P>SOLUTION: When a log-in request from a user A is received, the terminal 1 searches its own storage device to determine whether or not authentication information about the user A is stored therein. When the information is determined to be stored, the terminal 1 performs log-in authentication based on the authentication information stored in the storage device. When the authentication information is determined not to be stored in the storage device, the terminal 1 accesses the other terminals 2 (2<SB>1</SB>-2<SB>n</SB>) connected thereto via the network A and searches for the terminal storing the authentication information. The authentication information is obtained from the terminal where it is found as the search result, and log-in authentication is performed based on it. <P>COPYRIGHT: (C)2005,JPO&NCIPI

Description

  The present invention relates to a terminal for authenticating a user and a program thereof, and particularly to a terminal connected to another terminal via a local network and a program thereof.

  In recent years, a plurality of computers are installed in an organization such as a company, and more and more users use each computer. The user can use the computer only when the user ID and password are input to the desired computer and the use permission is given by the authentication work. Therefore, in order to use an arbitrary computer, the user needs to register a user ID and a password for each computer in advance.

Usually, such a registration operation is performed on behalf of a specific administrator. However, it is difficult to perform registration for all computers, and it takes a lot of time and effort, which puts a heavy burden on the administrator. Therefore, in order to reduce such a burden, a technique has been considered in which a user ID and a password are acquired from a registered computer via a network based on an instruction from an administrator, and are automatically set to an unregistered computer. (For example, patent document 1).
Japanese Patent Laid-Open No. 11-137717

  However, for example, a new computer may be introduced irregularly in a predetermined department within the company. In such a case, it is originally necessary to wait for the setting for the newly introduced computer by the administrator. However, when the setting timing is delayed due to the absence of an administrator, the user cannot use the computer immediately even if he / she wants to use the computer in an emergency work.

  The present invention has been made in view of the above situation, and in a plurality of terminals connected to the network, if the user authentication information is set in any terminal, the authentication information is not set to another terminal. The purpose is to realize an authentication system that can log in.

The terminal according to the first aspect of the present invention is:
A terminal connected to another terminal via a network,
Storage means for storing authentication information of a user permitted to use the terminal;
Accepting means for accepting a login request and authentication information for requesting login to the terminal;
It is determined whether or not the authentication information received by the receiving unit substantially matches the authentication information stored in the storage unit, and authentication is performed as to whether or not use of the terminal is permitted. Communication with other terminals connected via the network, the use of the terminal is permitted based on the authentication information stored in the storage means of the other terminal. Authentication means for authenticating whether or not to perform,
It is characterized by providing.

The authentication information includes identification information about the user and collation information corresponding to the identification information,
The authentication unit determines whether or not the identification information included in the authentication information received by the reception unit is stored in the storage unit, and when determining that the identification information is stored, the authentication unit receives the authentication Authentication is performed based on the collation information included in the information and the collation information corresponding to the identification information regarding the user stored in the storage means, and when it is determined that the identification information is not stored, the network is The terminal transmits the signal asking whether or not the identification information related to the user is stored to another terminal connected via the terminal, receives the answer, and indicates to the terminal that sent the answer that the information is stored. A signal requesting transmission of identification information relating to the identification information and matching information corresponding to the identification information, receiving the identification information relating to the user and the matching information corresponding to the identification information, and receiving It is preferable to perform authentication based on the collation information collation information and the reception unit has been received.

  When the authentication unit receives a signal indicating that the identification information about the user is stored from a plurality of terminals, the authentication unit stores authentication information corresponding to the identification information about the user received from the plurality of terminals that transmitted the signal. It is determined whether or not there are a plurality of different authentication information, and if it is determined that one exists, one is selected from the plurality of different authentication information based on a predetermined condition, and the selected authentication information and the receiving unit It is preferable to perform authentication based on the authentication information received by.

The accepting means accepts a change request for requesting a change of collation information corresponding to identification information relating to a user and new collation information corresponding to the identification information,
The storage means updates the stored content based on the change request and new collation information,
The authentication unit preferably transmits the change request received by the receiving unit and the new collation information to another terminal in which identification information about the user is stored.

  The authentication means receives a login request for requesting login from another terminal to the terminal via the network and the authentication information accepted by the other terminal, and the identification information included in the received authentication information includes It is determined whether or not the information is stored in the storage means, and when it is determined that the information is stored, the verification information included in the authentication information received by the reception means and the identification relating to the user stored in the storage means Authentication is performed based on the matching information corresponding to the information, and when it is determined that the identification information is not stored, the identification information about the user is stored in another terminal connected via the network. Identification information about the user and the identification information are transmitted to the terminal of the transmission source of the response that has received the response indicating that the response has been transmitted Transmitting a signal requesting transmission of authentication information corresponding to the information, receiving identification information relating to the user and authentication information corresponding to the identification information, and receiving a plurality of authentication information corresponding to the identification information relating to the user Then, it is preferable to perform authentication only when the plurality of authentication information matches.

  When it is determined that the authentication information does not match, the authentication unit asks whether other authentication information substantially matching the authentication information is stored in another terminal connected via the network. It is preferable to send a signal and receive an answer, and to authenticate whether or not to permit use of the terminal based on the received answer.

The authentication means substantially transmits the authentication information to the terminal of the response transmission source indicating that the authentication information substantially matching the authentication information is stored among the terminals of the response transmission source received. Send a signal requesting transmission of authentication information that matches, and receive the authentication information,
It is preferable that the storage unit further stores authentication information received by the communication unit.

  The authentication means preferably transmits the authentication information received from another terminal and a signal requesting to store the authentication information to a predetermined terminal not storing the authentication information via the network.

  The authentication means receives a signal asking whether or not authentication information substantially matching predetermined authentication information is stored from another terminal connected via the network, and is substantially the same as the predetermined authentication information. It is preferable to determine whether or not the authentication information that coincides with each other is stored in the storage means and transmit the response to the terminal that is the transmission source of the signal.

  When the authentication unit determines that authentication information substantially matching the predetermined authentication information is stored in the storage unit, the authentication unit stores the authentication information stored in the storage unit. It is preferable to transmit to the terminal.

  The authentication means receives a login request for requesting login from another terminal to the terminal via the network and authentication information accepted by the other terminal, and based on the received authentication information, the terminal It is preferable to perform authentication.

The program according to the third aspect of the present invention is:
A device that is connected to other devices via the network
Storage means for storing authentication information of a user permitted to use the terminal;
Accepting means for accepting a login request and authentication information for requesting login to the terminal;
It is determined whether or not the authentication information received by the receiving unit substantially matches the authentication information stored in the storage unit, and authentication is performed as to whether or not use of the terminal is permitted. Communication with other terminals connected via the network, the use of the terminal is permitted based on the authentication information stored in the storage means of the other terminal. Authentication means for authenticating whether or not to perform,
Operating as a device comprising
It is characterized by that.

  According to the present invention, in a plurality of terminals connected to a network, an authentication system capable of logging in to another terminal for which authentication information has not been set is realized if user authentication information is set in any terminal. Is done.

(Embodiment 1)
As shown in FIG. 1, a login authentication system according to an embodiment of the present invention includes a terminal 1 and a plurality of terminals 2 (terminals 2 ₁ to 2 _n ) in a domain D1 connected via a network N, and a domain D1. And a router device 4 for controlling the terminals in the network.

As shown in FIG. 1, the terminal 1 and the terminal 2 (2 ₁ to 2 _n ) in the domain D1 are identification information necessary for login authentication for a predetermined user (hereinafter, user A) to use the terminal. User ID and a password as collation information (hereinafter collectively referred to as authentication information) and a terminal that is not set. The terminal 1 is a terminal that the user A intends to use from now on.

  The terminal 1 is composed of a personal computer or the like, and as shown in FIG. 2, a control device 11, a RAM 12, a storage device 13, a display device 14, a printing device 15, an input device 16, and a communication device 17 are provided. Prepare.

  The control device 11 includes a CPU (Central Processing Unit), a microprocessor, and the like, and controls the entire operation of the terminal 1. The control device 11 performs various processes according to the program read from the storage device 13. In addition, the control device 11 includes a timer (not shown) composed of an RTC (Real Time Clock) or the like, and measures the current date, day of the week, time, and the like.

  A RAM (Random Access Memory) 12 is composed of a semiconductor storage device such as a DRAM (Dynamic Random Access Memory) or an SRAM (Static Random Access Memory), and serves as a work area when the control device 11 performs various processes. The RAM 12 includes a program execution area 12a when the control device 11 operates in accordance with a program read from the storage device 13, and a work area 12b that is a work area for other work.

  The storage device 13 is composed of a hard disk device or the like, and stores various data and programs. The storage device 13 includes a program storage area 13a for storing operation programs and the like, and a data storage area 13b.

  The program storage area 13a stores, for example, an automatic search program used for login authentication processing to be described later. This automatic search program accesses another terminal connected via the network N, and stores authentication information (substantially the same authentication information) including the same user ID as the user ID input to the terminal 1 Is a program for processing operation to retrieve the authentication information from the retrieved terminal.

  For example, a data table such as the user management table 131 shown in FIG. 3 is stored in the data storage area 13b. As shown in the figure, in the user management table 131, in addition to the user ID and password, information such as the user's belonging group and login history is written and stored.

  The display device 14 is composed of a CRT (Cathode Ray Tube), an LCD (Liquid Crystal Display), or the like, and displays an image according to the control of the control device 11.

  The printing device 15 is composed of a printing device such as a printer, and prints and outputs the content according to the control of the control device 11 on a predetermined sheet.

  The input device 16 includes a keypad, a soft key, a selection button, and the like, and receives an input of an instruction signal that instructs the operation of the control device 11 by a key operation from a user.

The communication device 17 includes a communication device such as a predetermined network interface card (NIC), an input / output buffer, and the like, and other terminals 2 (2 ₁ to 2 _n ) connected via the network N. Data transmission / reception performed between the two is controlled.

The terminal 2 (2 _{1 to} 2 _n ) is a terminal connected to the terminal 1 via the network N and having the same configuration as the terminal 1. Therefore, detailed description of the configuration is omitted here.

The router device 4 is a device that relays the connection between the terminal 1 and the terminal 2 (2 ₁ to 2 _n ) in the domain D1 and the outside through the network N. The router device 4 has a predetermined firewall function, and controls transmission and reception of signals and data between the domain D1 and the outside.

(Login authentication processing)
Next, the operation of the authentication system according to the present embodiment will be described with reference to the flowchart of FIG. 4 taking the case where the user A attempts to log in to the terminal 1 as an example.

  When the terminal 1 is turned on or a logout is performed by a user who has used the terminal 1 last time, the control device 11 of the terminal 1 controls the display device 14 to display a predetermined login request screen ( In step S101, an input of a user ID from the user is accepted (step S102). The user A operates the input device 16 according to the screen display and inputs his / her user ID.

  Upon receiving the input user ID, the control device 11 accesses the data storage area 13b of the storage device 13 and determines whether or not the input user ID is stored in the user management table 131 of FIG. 3 ( Step S103).

  When it is determined that the user ID of the user A is stored (step S103: Yes), the process jumps to step S108, and the control device 11 controls the display device 14 to display a predetermined screen for accepting the input of the password, A password input is requested (step S108). The user inputs a password from the input device 16 according to the screen display.

On the other hand, if it is determined that the user ID of the user A is not stored (step S103: No), the control device 11 controls the display device 14 to be another terminal in the same domain connected via the network N. A predetermined screen asking whether or not to perform “automatic search” for searching and acquiring a desired user ID from the terminal 2 (2 _{1 to} 2 _n ) is displayed. Then, the control device 11 waits for input from the user and determines whether or not automatic search is designated (step S104).

  If it is determined that automatic search is not specified (step S104: No), the process jumps to step S113, the control device 11 determines that login by the user A is not permitted (step S113), and a predetermined message indicating that fact. Is displayed on the display device 14.

On the other hand, if it is determined that the automatic search program is designated (step S104: Yes), the other user terminals (2 ₁ to 2 _n ) in the same domain are accessed based on the program, and the input user ID and A terminal in which authentication information including the same user ID is stored is searched (step S105). Details of this authentication information search processing will be described later.

  As a result of performing the authentication information search process in step S105, the control device 11 determines whether authentication information including the same user ID as the user ID received in step S102 has been searched for in any other terminal. Is determined (step S106). If it is determined that the search has not been made (step S106: No), the process jumps to step S113, and the control device 11 determines that login by the user A is not permitted (step S113), and displays a screen including a predetermined message indicating that effect. And displayed on the display device 14.

  On the other hand, if it is determined in step S102 that authentication information including the same user ID as the user ID that received the input has been searched (step S106: Yes), the control device 11 stores the authentication information based on the search result. The authentication information is acquired and stored in the data storage area 13b of the storage device 13 (step S107).

  Next, the control device 11 controls the display device 14 to display a predetermined screen that prompts input of a password, and waits for input of a password from the user (step S108). User A inputs a password from input device 16 in accordance with the screen display.

  The control device 11 determines whether or not the input password matches that of the authentication information stored in the data storage area 13b in step S107 (step S109). If it is determined that they do not match (step S109: No), the process jumps to step S113, and the control device 11 determines that login by the user A is not permitted (step S113), and a screen including a predetermined message indicating that is displayed. It is displayed on the display device 14.

  On the other hand, if it is determined that the passwords match (step S109: Yes), the control device 11 permits the user A to log in to the terminal 1 (step S110) and controls the display device 14 to display a screen after a predetermined login. Let

Next, the control device 11 displays a screen asking whether or not to distribute the authentication information of the user A to a terminal in which the authentication information of the user A is not set among the terminals 2 ₁ to 2 _n in the same domain. The device 14 is controlled and displayed. Then, the control device 11 waits for an input from the user, and determines whether or not the distribution of the authentication information is designated (step S111). If it is determined that the distribution is not specified (step S111: No), the control device 11 ends the process as it is.

  On the other hand, if it is determined that the distribution of the authentication information is designated (step S111: Yes), the control device 11 controls the communication device 17 so that the authentication information of the user A is requested together with a signal for requesting the setting of the authentication information. Then, it is transmitted to the designated delivery destination terminal (step S112).

(Authentication information search process)
Next, an authentication information search process corresponding to step S105 of the login authentication process described above will be described with reference to the flowchart of FIG.

The control device 11 includes the same user ID as the user ID received in step S102 of the login authentication process in the terminal 2 (2 ₁ to 2 _n ) that is another terminal in the same domain connected to the network. A signal asking whether or not the authentication information is stored is transmitted. The control device 11 receives the answer result signal and searches the terminal 2 (2 ₁ to 2 _n ) for a terminal in which authentication information including the same user ID as the input user ID is stored. (Step S201), it is determined whether or not the authentication information is registered in any of the terminals (Step S202). If it is determined that it is not registered in any of the terminals 2 (2 ₁ to 2 _n ) (step S202: No), the control device 11 ends the process as it is.

On the other hand, if it is determined that there is a terminal in which authentication information including the same user ID as the input user ID is registered (step S202: Yes), the control device 11 determines the terminal 2 (2 ₁ in which the authentication information is registered). ˜2 _n ) exist, and it is determined whether or not different authentication information (having the same user ID and different passwords) exists among the plurality of authentication information (step S203). If it is determined that there is no different authentication information (having different passwords) among a plurality of authentication information including the same user ID (step S203: No), the control device 11 ends the authentication information search process, and the flowchart of FIG. The process returns to step S106 of the authentication process.

  On the other hand, when it is determined that there are a plurality of different authentication information (authentication information with different passwords) among a plurality of authentication information including the same user ID (step S203: Yes), the control device 11 accesses the storage device 13 to access the user. The management table 131 is read, and the most recently logged-in authentication information among the plurality of authentication information is preferentially selected (step S204). And it progresses to step S106 of the flowchart (login authentication process) of FIG.

  The authentication system according to the present embodiment is realized by the configuration and processing as described above. As a result, even if the user's authentication information is not set on the terminal to which the user is logging in, the terminal can connect the network from another terminal having authentication information including the same user ID as that user's authentication information. It is possible to perform authentication by acquiring the authentication information through the network.

  Therefore, if user registration is performed for only one terminal, all terminals connected to the terminal through the network can be used. Thereby, for example, when a new terminal is introduced, the terminal can be used immediately.

(Registration change process)
Next, processing when the user A who has logged into the terminal 1 changes part of the set authentication information (for example, a password) will be described with reference to the flowchart of FIG.

  When the user A selects the authentication information change process from the input device 16 in accordance with the screen display of the terminal 1, the control device 11 reads the operation program for changing the authentication information from the program storage area 13a and controls the display device 14. An authentication information change screen (password change screen) as shown in FIG. 7 is displayed. And it waits for the authentication information after a change being input from the user A (step S301).

  The control device 11 determines whether or not the input authentication information has been changed from the previous one (step S302). If it is determined that it has not been changed (step S302: No), the control device 11 ends the process as it is.

On the other hand, if it is determined that the input authentication information has been changed from the previous one (step S302: Yes), the control device 11 transmits another terminal (terminal 2 ₁ to terminal 2) in the same domain connected via the network N. 2 _n ) and searches for a terminal in which authentication information (substantially the same authentication information) including the same user ID as the authentication information of user A to be changed is stored (step S303).

  The control device 11 determines whether a terminal in which authentication information including the same user ID as the authentication information of the user A is set is searched (Step S304). If it is determined that the search has not been performed (step S304: No), the control device 11 ends the process as it is.

  On the other hand, if it is determined that the search has been made (step S304: Yes), the control device 11 reflects the input change contents in the authentication information including the same user ID as the authentication information of the user A found as a result of the search, and originally the user A The new authentication information is transmitted together with a signal for requesting update (re-registration) of the authentication information to the terminal in which the authentication information is stored (step S305).

  The authentication information is changed by the processing as described above. Here, FIG. 7 shows an example of a password change process as an example of the screen, but it is not particularly limited to a password. For example, the user ID itself is changed or the user's personal information (name, address, etc.) is displayed. May be changed.

(Embodiment 2)
The above-described authentication system makes it possible to log in to a terminal for which authentication information is not set, and the authentication information is set to the terminal after login. However, it is convenient to be able to easily set login and authentication information in this way, but there is an uneasy part from the viewpoint of security. Therefore, it is desirable to maintain high security by adding processes such as approval of authentication information by the administrator and formal registration work. The authentication system including the formal registration process by the administrator will be described below.

As shown in FIG. 8, the authentication system according to the present embodiment includes an administrator terminal 5, a terminal 1 in a domain D1, and a plurality of terminals 2 (2 ₁ to 2 _n ) connected via a network L. When constituted with a plurality of terminals ₃ in the domain D2 ₍₃ 1 to 3 _m), the router device _{4 1,} and a router device _{4 2,.} Those different from the authentication system according to the first embodiment of the present embodiment, the terminal 3 and (3 1 _{to 3 m),} the router device 4 ₂ is that it includes a manager terminal 5, a.

The terminal 3 (3 _{1 to} 3 _m ) is a terminal in the domain D2 different from the terminal 1, and has a configuration similar to that of the terminal 1. The router device 4 ₂ is an apparatus having the same configuration as the router device 4 in the first embodiment described above (the router device 41 in the present embodiment), and relays the connection between domains D2 and its outside.

The administrator terminal 5 is an administrator terminal device that manages the entire authentication system, and includes a personal computer or the like. As shown in FIG. 9, the manager terminal 5 includes a control device 51, a RAM 52, a storage device 53, a display device 54, a printing device 55, an input device 56, and a communication device 57. . Further, the manager terminal 5 is configured to be inaccessible from other terminals (terminals 1, 2 ₁ to 2 _n , 3 _{1 to} 3 _m, etc.) connected via the network N and from the outside of the network N. It is protected so that it can be operated only by a predetermined administrator (hereinafter referred to as administrator B) who manages the network N.

  The storage device 53 includes a program storage area 53a and a data storage area 53b. The data storage area 53b stores data such as a host management table 531 indicating information of each terminal as shown in FIG. The configuration of each part (control device 51, RAM 52, display device 54, printing device 55, input device 56, communication device 57) of the administrator terminal 5 other than the storage device 53 is the same as that of the terminal 1 in the first embodiment. Since it is almost the same as the configuration of each part, detailed description thereof is omitted here.

(Login authentication processing)
Next, the operation of the authentication system according to the present embodiment will be described with reference to the flowchart of FIG. 11, taking as an example the case where the user A attempts to log in to the terminal 1.

  When the terminal 1 is turned on or a logout is performed by a user who has used the terminal 1 last time, the control device 11 of the terminal 1 controls the display device 14 to display a predetermined login request screen ( In step S401, an input of a user ID from the user is accepted (step S402). The user A operates the input device 16 according to the screen display and inputs his / her user ID.

  Upon receiving the input user ID, the control device 11 accesses the storage device 13 and determines whether or not the user ID of the user A is stored in the user management table 131 of FIG. 3 (step S403).

  If it is determined that the user ID of the user A is stored (step S403: Yes), the process jumps to step S414, and the control device 11 controls the display device 14 to display a predetermined screen for accepting the input of a password, A password input is requested (step S414). User B inputs a password from input device 56 in accordance with the screen display. The control device 51 determines whether or not the input password is correct (whether or not it matches the one stored in the storage device 13) (step S415). If it is determined that it is not correct (step S415: No), the control device 11 jumps to step S417, and the control device 11 determines that login by the user A is not permitted (step S417), and displays a screen including a predetermined message indicating that. It is displayed on the display device 14. On the other hand, if it is determined that the password is correct (step S415: Yes), the control device 11 permits login by the user A (step S416), and ends this process.

On the other hand, if it is determined that the user ID of the user A is not stored (step S403: No), the control device 11 determines another terminal 2 (2 ₁ in the same domain (domain D1) connected via the network N. ˜2 _n ), it is determined whether or not a predetermined program (automatic search program) for searching for a desired user ID is set (step S404).

  If it is determined that the automatic search program is not set (step S404: No), the process jumps to step S417, and the control device 11 determines that login by the user A is not permitted (step S417). A screen including a message is displayed on the display device 14.

On the other hand, if it is determined that the automatic search program is set (step S404: Yes), the other user equipment 2 (2 ₁ to 2 _n ) is accessed based on the program and the same user ID as the input user ID. The terminal in which the authentication information including is stored is searched (step S405). The details of the authentication information search process are the same as those in the first embodiment, and a description thereof is omitted here.

  As a result of performing the authentication information search process in step S405, the control device 11 determines whether authentication information including the same user ID as the input user ID has been searched for in any other terminal (step S406). ). If it is determined that the search has not been made (step S406: No), the process jumps to step S417, the control device 11 determines that login by the user A is not permitted (step S417), and a screen including a predetermined message indicating that is displayed. And displayed on the display device 14.

  On the other hand, if it is determined that authentication information including the same user ID as the input user ID has been searched (step S406: Yes), the control device 11 authenticates substantially the same as the authentication information of user A based on the search result. The terminal in which the information is stored is accessed, the authentication information is acquired and stored in the storage device 13 as “temporary registration” (step S407).

  Next, the control device 11 controls the display device 14 to display a predetermined screen that prompts input of a password, and waits for input of a password from the user (step S408). User A inputs a password from the input device 16 according to the screen display.

  The control device 11 determines whether or not the input password matches that of the authentication information “provisionally registered” in step S407 (step S409). If it is determined that they do not match (step S409: No), the process jumps to step S417, and the control device 11 determines that login by the user A is not permitted (step S417), and a screen including a predetermined message indicating that is displayed. It is displayed on the display device 14.

  On the other hand, if it is determined that the passwords match (step S409: Yes), the control device 11 allows the user A to log in with “use restriction” to the terminal 1 (step S410), and controls the display device 14 to obtain a predetermined value. Display a screen with usage restrictions. Further, the control device 11 transmits the authentication information of the user A temporarily registered in step S407 to the manager terminal 5 (step S411).

  Next, the control device 11 determines whether or not it is designated to distribute the authentication information of the user A to another terminal for which the authentication information is not set (step S412). If it is determined that the distribution is not designated (step S412: No), the control device 11 ends the process as it is.

  On the other hand, if it is determined that the delivery destination of the authentication information has been designated (step S412: Yes), the control device 11 controls the communication device 17 to send the designated delivery destination information to the administrator terminal 5. Transmit (step S413).

(Official registration process)
Next, a process of officially registering the authentication information temporarily registered by the manager terminal 5 will be described with reference to the flowchart of FIG.

First, whether or not the control device 51 of the manager terminal 5 has received temporary authentication information from a terminal (terminals 1, 2 ₁ to 2 _n , 3 _{1 to} 3 _m, etc.) connected via the network N. Is discriminated (step S501). If it is determined that it has not been received (step S501: No), the control device 51 ends the process as it is.

  On the other hand, if it is determined that the temporary authentication information has been received (step S501: Yes), the control device 51 controls the display device 54 to display a screen requesting the administrator to officially register the temporary authentication information. Wait for formal registration (step S502).

  The control device 51 determines whether or not the administrator has given permission (whether or not an instruction to approve formal registration is input from the administrator via the input device 56) (step S503). If it is determined that the permission from the administrator is not granted (step S503: No), the control device 51 ends the process as it is.

  On the other hand, if it is determined that the permission from the administrator has been granted (step S503: Yes), the control device 51 transmits a signal requesting to change the temporary authentication information to the formal authentication information to the terminal 1, and the terminal 1 According to the signal, the user management table 131 of its own storage device 13 is updated (step S504).

  Next, the control device 51 determines whether or not a request for specifying delivery of authentication information to another terminal has been issued from the terminal that sent the authentication information (step S505). If it is determined that it has not been issued (step S505: No), the process jumps to step S507 described later.

  On the other hand, if it is determined that a distribution designation request has been issued (step S505: Yes), the control device 51 controls the communication device 57 to send the authentication information officially registered in step S504 to the designated distribution destination. Is transmitted (step S506). Then, the use restriction by the user A is released for all terminals that have been officially registered (step S507).

(Authentication information search process for remote access)
Next, the operation of the authentication information search process when the user A attempts to log in to the terminal 1 in the domain D1 from the terminal 3 (3 _{1 to} 3 _m ) in the domain D2 will be described with reference to the flowchart of FIG. To do. Since processing operations other than the authentication information search processing are the same as those in the above-described login authentication processing, description thereof will be omitted here.

  The control device 11 of the terminal 1 that has received the access searches through the communication device 17 for a plurality of other terminals in the domain D1 that is the same domain as itself, and includes an authentication including the same user ID as the input user ID The authentication information is acquired from the terminal in which the information is stored (step S601).

The control device 11 of the terminal 1 searches for a plurality of terminals (3 _{1 to} 3 _m ) in the domain D2 different from its own domain via the communication device 17, and authentication including the same user ID as the input user ID The authentication information is acquired from the terminal in which the information is stored (step S602). Note that the search method is the same as that of the first embodiment described above, and a description thereof is omitted here.

  Next, the control device 11 of the terminal 1 checks the consistency between the authentication information regarding the user A acquired from the terminal within the domain D1 and the authentication information regarding the user A acquired from the terminal within the domain D2 (step S603). It is determined whether or not they match (the same) (step S604).

  When it is determined that they match (step S604: Yes), the control device 11 determines that the retrieved authentication information is valid (step S605). On the other hand, if it is determined that they do not match (step S605: No), the control device 11 determines that the retrieved authentication information is invalid (step S606) and ends the process.

  With the configuration and processing as described above, the authentication system according to the present embodiment is realized. By performing the steps of temporary registration automatically performed and formal registration by an administrator, an authentication system with higher security can be realized as compared with the first embodiment.

(Embodiment 3)
In the first embodiment and the second embodiment described above, an example in which the authentication information includes a user ID (identification information) and a password (collation information) has been described. However, there are authentication methods that use authentication information such as fingerprints and retinas that are not distinguished from identification information and verification information. Hereinafter, an authentication system using fingerprint authentication will be described as an example in which authentication information is not distinguished from identification information and verification information.

The configuration of the authentication system according to the present embodiment is the same as that of the authentication system according to the first embodiment described above. As shown in FIG. 1, a terminal 1 and a plurality of terminals 1 in a domain D1 connected via a network N are provided. Terminal 2 (terminals 2 ₁ to 2 _n ) and a router device 4 that controls the terminals in the domain D1. The authentication system according to the present embodiment is different from that of the first embodiment described above in that the terminal 1 (and other terminals 2 ₁ to 2 _n ) is predetermined for reading the user's fingerprint as shown in FIG. The image reading device 18 is provided.

  The image reading device 18 is configured by a predetermined image input device such as an image scanner, acquires a user's fingerprint image by a user operation, and supplies it to the control device 11.

  Further, a user management table 132 for storing user fingerprint image data (fingerprint data) as shown in FIG. 15 is stored in the data storage area 13b of the storage device 13 of the terminal 1 according to the present embodiment. .

  The terminal 1 performs authentication by comparing the fingerprint image of the user read using the image reading device 18 with the fingerprint data stored in the user management table 132. Therefore, in the first embodiment and the second embodiment, the authentication is performed using the identification information (user ID) and the verification information (password). However, in the present embodiment, the authentication is performed using only the authentication information (fingerprint data). Will do.

  Further, the automatic search program stored in the program storage area 13a accesses another terminal connected via the network N and prints fingerprint data (substantially the same fingerprint) that matches the fingerprint data input to the terminal 1. This is a program for a processing operation of searching for a terminal that stores (data) and acquiring the fingerprint data from the searched terminal.

(Login authentication processing)
Next, processing operations performed by the login authentication system according to the present embodiment will be described with reference to the flowchart of FIG. 16, taking as an example the case where the user A attempts to log in to the terminal 1.

  When the terminal 1 is turned on or a logout is performed by a user who has used the terminal 1 last time, the control device 11 of the terminal 1 controls the display device 14 to display a predetermined login request screen ( In step S701, an input of a fingerprint from the user is accepted (step S702). User A operates the image reading apparatus according to the screen display to read his / her fingerprint.

  Upon receiving the input fingerprint data (fingerprint image), the control unit 11 accesses the data storage area 13b of the storage device 13, and determines whether or not the input fingerprint data is stored in the user management table 131 in FIG. Is discriminated (step S703).

  If it is determined that the user ID of the user A is stored (step S703: Yes), the process jumps to step S708, the control device 11 permits the user A to log in to the terminal 1 (step S708), and the display device 14 To display a screen after a predetermined login.

On the other hand, if it is determined that the user ID of the user A is not stored (step S703: No), the control device 11 controls the display device 14 to be another terminal in the same domain connected via the network N. A predetermined screen asking whether or not to perform “automatic search” for searching and acquiring desired fingerprint data from the terminal 2 (2 _{1 to} 2 _n ) is displayed. Then, the control device 11 waits for an input from the user, and determines whether or not automatic search is designated (step S704).

  If it is determined that automatic search is not specified (step S704: No), the process jumps to step S711, the control device 11 determines that login by the user A is not permitted (step S711), and a predetermined message indicating that fact. Is displayed on the display device 14.

On the other hand, if it is determined that the automatic search program is designated (step S704: Yes), the other fingerprints (2 ₁ to 2 _n ) in the same domain are accessed based on the program, and the inputted fingerprint data and A terminal in which matching (substantially identical) fingerprint data is stored is searched (step S705).

  As a result of searching for fingerprint data in step S705, the control device 11 determines whether fingerprint data that matches the fingerprint data received in step S702 has been searched for in any other terminal (step S706). ). If it is determined that the search has not been made (step S706: No), the process jumps to step S711, where the control device 11 determines that login by the user A is not permitted (step S711), and displays a screen including a predetermined message indicating that effect. And displayed on the display device 14.

  On the other hand, if it is determined in step S702 that fingerprint data that matches the fingerprint data received in the input is found (step S706: Yes), the control device 11 stores the fingerprint data based on the search result. The terminal is accessed, the fingerprint data is acquired and stored in the data storage area 13b of the storage device 13 (step S707).

  Next, the control device 11 allows the user A to log in to the terminal 1 (step S708), and controls the display device 14 to display a predetermined screen after login.

Next, the control device 11 displays a screen asking whether or not to distribute the fingerprint data of the user A to the terminals for which the fingerprint data of the user A is not set among the terminals 2 ₁ to 2 _n in the same domain. The device 14 is controlled and displayed. Then, the control device 11 waits for an input from the user, and determines whether or not the distribution of fingerprint data is designated (step S709). If it is determined that the distribution is not designated (step S709: No), the control device 11 ends the process as it is.

  On the other hand, if it is determined that the distribution of the fingerprint data is designated (step S709: Yes), the control device 11 controls the communication device 17 to send the fingerprint data of the user A together with a signal for requesting setting of the fingerprint data. Then, the data is transmitted to the designated delivery destination terminal (step S710).

  With the configuration and processing as described above, the authentication system according to the present embodiment is realized. In the first embodiment and the second embodiment, the authentication information is composed of identification information (user ID) and verification information (password), and authentication information with the same identification information is substantially the same authentication information. Authentication information was acquired from other terminals. On the other hand, in Embodiment 3 (this embodiment), fingerprint data is used as authentication information that is not distinguished between identification information and verification information, and authentication information is acquired from another terminal when the authentication information completely matches. That is, in the third embodiment, authentication information that is “completely matched” is authentication information that is “substantially the same”.

  The present invention is not limited to the above embodiment, and various modifications and applications are possible. For example, in the second embodiment, the authentication system is composed of the domain D1 and the domain D2. However, the authentication system is not limited to this, and the authentication system may be composed of domains D3, D4,. Good.

  In the first and second embodiments, the authentication information including the user ID (identification information) that matches the input user ID (identification information) is defined as “substantially the same” authentication information. The fingerprint data (authentication information) that completely matches the input fingerprint data (authentication information) is assumed to be “substantially the same” authentication information. However, the meaning of “substantially the same” is not limited to these. In order to be “substantially the same”, it is only necessary that both satisfy a certain relationship. For example, the input authentication information (X) and the information (Y) stored in the terminal are predetermined. A case where the relational expression Y = F (X) is satisfied may be substantially the same.

  In the first embodiment, the user inputs the user ID that is the identification information and the password that is the verification information separately, and the terminal 1 authenticates them separately. However, the present invention is not limited to this, and a configuration in which authentication is performed by simultaneously inputting a user ID and a password is also possible.

  In the second embodiment, the example in which the fingerprint is used as the authentication information as the authentication information that is not distinguished between the identification information and the collation information is shown. However, other authentication information that can identify the person such as the retina and the voiceprint is used. It may be used for authentication.

  Moreover, in the said embodiment, although demonstrated as what acquires authentication information from the terminal in the same domain, it is not limited to this, For example, authentication information is acquired from the terminal which has the same encryption key and decryption key. A configuration is also possible.

  In the above embodiment, it has been described that when a user logs in to a terminal, a predetermined screen after login is displayed. However, this predetermined screen is not limited to a specific one, and for example, a different screen is displayed depending on the user ID. It is good also as such a structure.

  In the authentication information search process of the first embodiment described above, when selecting authentication information from a plurality of substantially the same authentication information (authentication information including the same user ID), the most recently logged-in one is given priority. However, the selection condition is not limited to this. For example, it is possible to adopt a configuration in which authentication information that is logged in most during a certain period is valid. Alternatively, a configuration may be adopted in which authentication information for which a new login setting has been made most recently is selected.

  In the second embodiment described above, an example in which the user A attempts remote access from the terminal 3 in the domain D2 to the terminal 1 in the domain D1 has been described. A configuration that logs in is also possible.

It is a figure which shows the structure of the authentication system which concerns on Embodiment 1 of this invention. It is a figure which shows the structure of the terminal device in the domain D1 of FIG. It is a figure which shows the example of the user management table stored in the memory | storage device of the terminal device of FIG. It is a flowchart for demonstrating operation | movement of the login authentication process which the authentication system of FIG. 1 performs. 5 is a flowchart for explaining an operation of an authentication information search process that is an operation in the login authentication process of FIG. 4. It is a flowchart for demonstrating the processing operation | movement at the time of changing authentication information. It is a figure which shows the example of the screen displayed on a terminal device in the case of the registration change process of FIG. It is a figure which shows the structure of the authentication system which concerns on Embodiment 2 of this invention. It is a figure which shows the structure of the terminal for managers in the authentication system of FIG. It is a figure which shows the example of the host management table stored in the memory | storage device of the terminal for managers of FIG. It is a flowchart for demonstrating operation | movement of the login authentication process which the authentication system of FIG. 8 performs. FIG. 10 is a flowchart for explaining an operation of formal registration processing performed by the manager terminal of FIG. 9. FIG. It is a flowchart for demonstrating operation | movement of the authentication information search process which the authentication system of FIG. 8 performs in the case of remote access. It is a figure which shows the internal structure of the terminal device in the authentication system which concerns on Embodiment 3 of this invention. It is a figure which shows the example of the user management table stored in the memory | storage device of the terminal device of FIG. It is a flowchart for demonstrating operation | movement of the login authentication process which the authentication system of FIG. 14 performs.

Explanation of symbols

  DESCRIPTION OF SYMBOLS 1 ... Terminal, 2 ... Terminal, 3 ... Terminal, 4 ... Router apparatus, 5 ... Administrator terminal, N ... Local network, 11 ... Control apparatus, 12. ..RAM, 12a ... program execution area, 12b ... work area, 13 ... storage device, 13a ... program storage area, 13b ... data storage area, 14 ... display device, 15 ... Printing device, 16 ... Input device, 17 ... Communication device, 18 ... Image reading device, 51 ... Control device, 52 ... RAM, 52a ... Program execution area, 52b ... Work area, 53 ... Storage device, 53a ... Program storage area, 53b ... Data storage area, 54 ... Display device, 55 ... Print device, 56 ... Input device, 57... Communication device, 131. Bull, 132 ... user management table, 531 ... host management table

Claims (12)

A terminal connected to another terminal via a network,
Storage means for storing authentication information of a user permitted to use the terminal;
Accepting means for accepting a login request and authentication information for requesting login to the terminal;
It is determined whether or not the authentication information received by the receiving unit substantially matches the authentication information stored in the storage unit, and authentication is performed as to whether or not use of the terminal is permitted. Communication with other terminals connected via the network, the use of the terminal is permitted based on the authentication information stored in the storage means of the other terminal. Authentication means for authenticating whether or not to perform,
A terminal comprising: The authentication information includes identification information about the user and collation information corresponding to the identification information,
The authentication unit determines whether or not the identification information included in the authentication information received by the reception unit is stored in the storage unit, and when determining that the identification information is stored, the authentication unit receives the authentication Authentication is performed based on the collation information included in the information and the collation information corresponding to the identification information regarding the user stored in the storage means, and when it is determined that the identification information is not stored, the network is The terminal transmits the signal asking whether or not the identification information related to the user is stored to another terminal connected via the terminal, receives the answer, and indicates to the terminal that sent the answer that the information is stored. A signal requesting transmission of identification information relating to the identification information and matching information corresponding to the identification information, receiving the identification information relating to the user and the matching information corresponding to the identification information, and receiving Collating information and the receiving unit performs authentication based on the collation information received,
The terminal according to claim 1. When the authentication unit receives a signal indicating that the identification information about the user is stored from a plurality of terminals, the authentication unit stores authentication information corresponding to the identification information about the user received from the plurality of terminals that transmitted the signal. It is determined whether or not there are a plurality of different authentication information, and if it is determined that one exists, one is selected from the plurality of different authentication information based on a predetermined condition, and the selected authentication information and the receiving unit Authenticate based on the authentication information received by
The terminal according to claim 2. The accepting means accepts a change request for requesting a change of collation information corresponding to identification information relating to a user and new collation information corresponding to the identification information,
The storage means updates the stored content based on the change request and new collation information,
The authentication unit transmits the change request received by the receiving unit and new collation information to another terminal in which identification information about the user is stored.
The terminal according to claim 2 or 3, wherein The authentication means receives a login request for requesting login from another terminal to the terminal via the network and the authentication information accepted by the other terminal, and the identification information included in the received authentication information includes It is determined whether or not the information is stored in the storage means, and when it is determined that the information is stored, the verification information included in the authentication information received by the reception means and the identification relating to the user stored in the storage means Authentication is performed based on the matching information corresponding to the information, and when it is determined that the identification information is not stored, the identification information about the user is stored in another terminal connected via the network. Identification information about the user and the identification information are transmitted to the terminal of the transmission source of the response that has received the response indicating that the response has been transmitted Transmitting a signal requesting transmission of authentication information corresponding to the information, receiving identification information relating to the user and authentication information corresponding to the identification information, and receiving a plurality of authentication information corresponding to the identification information relating to the user Then, authentication is performed only when the plurality of authentication information matches.
The terminal according to claim 2, 3 or 4. When it is determined that the authentication information does not match, the authentication unit asks whether other authentication information substantially matching the authentication information is stored in another terminal connected via the network. Send a signal and receive an answer, and based on the received answer, authenticate whether to allow the use of the terminal,
The terminal according to claim 1. The authentication means substantially transmits the authentication information to the terminal of the response transmission source indicating that the authentication information substantially matching the authentication information is stored among the terminals of the response transmission source received. Send a signal requesting transmission of authentication information that matches, and receive the authentication information,
The storage means further stores authentication information received by the communication means.
The terminal according to claim 6. The authentication means transmits authentication information received from another terminal and a signal requesting to store the authentication information to a predetermined terminal that does not store the authentication information via the network.
The terminal according to claim 6 or 7, characterized by the above. The authentication means receives a signal asking whether or not authentication information substantially matching predetermined authentication information is stored from another terminal connected via the network, and is substantially the same as the predetermined authentication information. Determining whether or not the authentication information that matches is stored in the storage means, and sending a reply to the terminal of the signal transmission source,
The terminal according to claim 6, 7 or 8. When the authentication unit determines that authentication information substantially matching the predetermined authentication information is stored in the storage unit, the authentication unit stores the authentication information stored in the storage unit. Send to your device,
The terminal according to claim 9. The authentication means receives a login request for requesting login from another terminal to the terminal via the network and authentication information accepted by the other terminal, and based on the received authentication information, the terminal Authenticate to
The terminal according to any one of claims 6 to 10, wherein: A device that is connected to other devices via the network
Storage means for storing authentication information of a user permitted to use the terminal;
Accepting means for accepting a login request and authentication information for requesting login to the terminal;
It is determined whether or not the authentication information received by the receiving unit substantially matches the authentication information stored in the storage unit, and authentication is performed as to whether or not use of the terminal is permitted. Communication with other terminals connected via the network, the use of the terminal is permitted based on the authentication information stored in the storage means of the other terminal. Authentication means for authenticating whether or not to perform,
Operating as a device comprising
A program characterized by that.

Images