JP2010198384A - Communication terminal apparatus - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To enable setting of minute security levels while reducing management data volume as much as possible. <P>SOLUTION: A communication terminal apparatus includes: a storage part for storing a first piece of biological information of a user which is registered beforehand; a biological information input part for inputting a second piece of biological information of the user; and a control part which, when determining that a coincidence degree calculated by collating the first piece of biological information stored in the storage part with the second piece of biological information input to the biological information input part does not satisfy a security level set in association with a function to be used during the execution of an application program, restricts the execution of the application program. <P>COPYRIGHT: (C)2010,JPO&INPIT

Description

  The present invention relates to a communication terminal device that performs biometric authentication.

  In recent years, mobile terminals have become multifunctional, and it is necessary to strengthen their security. Heretofore, a biometric authentication system that performs user authentication using biometric information (information such as a face, fingerprint, and iris) has been developed.

  For example, the personal authentication system described in Patent Document 1 is configured by a client-server system, and the client device reads the fingerprint of the person to be authenticated and transfers it to the server device. The server device has a registered fingerprint registered in advance. The verification level set in the data corresponding to the application used and the fingerprint quality for each individual is read from the table, and it is determined whether or not the comparison result between the transferred fingerprint data and the registered fingerprint data satisfies the verification level. This makes it possible to set a security level for each application.

JP 20045531 A

  However, in the personal authentication system described in Patent Document 1, although the security level can be dynamically changed and set for each application, the amount of data in the table is used when the function is limited in detail according to the application. There is a problem that becomes very large and complicated.

  The present invention has been made in view of the above problems, and an object of the present invention is to provide a communication terminal device that enables a fine security level setting while minimizing the amount of management data.

  In order to solve the above-described problems and achieve the object, a communication terminal device according to the present invention includes a storage unit that stores first biological information of a user registered in advance, and a second biological body of the user. The degree of coincidence calculated by collating the biometric information input unit for inputting information, the first biometric information stored in the storage unit, and the second biometric information input to the biometric information input unit However, when it is determined that the security level set in association with the function that the application program uses at the time of execution is not satisfied, a control unit that restricts the execution of the application program is provided.

  In the communication terminal device according to the present invention, the storage unit associates the function authority flag defining the function used by the application program in association with the application program, and the security level. The stored function authority security table is further stored, and the control unit refers to the function authority security table to obtain the security level corresponding to the function authority flag of the application program, and the degree of coincidence is the security When it is determined that the level is not satisfied, the execution of the application program may be restricted.

  In the communication terminal device of the present invention, the function may be specified by an access type.

  In the communication terminal device of the present invention, the access type may be at least one of data write and read processing.

  In the communication terminal apparatus of the present invention, the access type may be a data acquisition process using a wireless communication unit or a data transmission process using the wireless communication unit.

  In the communication terminal device of the present invention, the access type may be an address book reference process.

  In the communication terminal device of the present invention, the access type may be at least one of data input processing and data output processing by external connection.

  Further, in the communication terminal device of the present invention, when the application program has a plurality of the functions, the control unit sets the security level that requires the highest degree of coincidence among the corresponding plurality of security levels. Based on this, the degree of coincidence may be determined.

  In the communication terminal device of the present invention, the control unit may determine the degree of coincidence when a request for starting the application program is made.

  In the communication terminal device of the present invention, the control unit stores the degree of coincidence calculated based on the first biological information and the second biological information in the storage unit, and requests to start the application program May be determined based on the degree of coincidence stored in the storage unit.

  In the communication terminal device of the present invention, the control unit may control the biometric information input unit so that the second biometric information is input when the power is turned on or the sleep mode is canceled.

  In the communication terminal device of the present invention, the biological information may be at least one of a fingerprint, a face, a vein, an iris, a retina, a vein, a voice print, a handwriting, or a palm shape.

  In the communication terminal device of the present invention, when the control unit determines that the degree of coincidence does not satisfy the security level, the control unit executes the application program by restricting use of the function corresponding to the security level. May be.

  The communication terminal apparatus of the present invention may further include a wireless communication unit that performs wireless communication using the CDMA2000_1x method.

  The present invention makes it possible to set a fine security level while minimizing the amount of management data.

FIG. 1 is a front view of the portable electronic device according to the present embodiment. FIG. 2 is a side view of the portable electronic device according to the present embodiment. FIG. 3 is a diagram illustrating a state in which the portable electronic device according to the present embodiment is closed. FIG. 4 is a block diagram illustrating an example of the configuration of the portable electronic device 1 according to the present embodiment. FIG. 5 is a block diagram showing an example of a logical configuration of software according to the present embodiment. FIG. 6 is a diagram illustrating an example of a conventional security table. FIG. 7 is a diagram showing an example of a function authority security table according to the present embodiment. FIG. 8 is a table showing an example of the function authority defined for each application program. FIG. 9 is a flowchart illustrating an example of processing of the portable electronic device 1 when the user instructs activation of the application program.

  Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings. The present invention is not limited to the following description. In addition, constituent elements in the following description include those that can be easily assumed by those skilled in the art, those that are substantially the same, and those in a so-called equivalent range. For example, in the following, a portable electronic device will be described as an example of a communication terminal device, but the application target of the present invention is not limited to a portable electronic device such as a cellular phone. For example, the present invention includes a PHS (Personal Handyphone System), a notebook personal computer, a PDA (Personal Digital Assistant), a portable navigation device, a car navigation vehicle-mounted device, a data communication device, a portable game machine, a portable TV, a vending machine, and an information communication device. The present invention can also be applied to such terminal devices.

  FIG. 1 is a front view of the portable electronic device according to the present embodiment. FIG. 2 is a side view of the portable electronic device according to the present embodiment. FIG. 3 is a diagram illustrating a state in which the portable electronic device according to the present embodiment is closed. First, the configuration of the portable electronic device will be described. The mobile electronic device 1 is a mobile phone having a wireless communication function. The mobile electronic device 1 is a foldable mobile phone in which a housing 1C is configured to be openable and closable by a first housing 1CA and a second housing 1CB. 1 and 2 show a state in which the portable electronic device 1 is opened, and FIG. 3 shows a state in which the portable electronic device 1 is closed.

  First, the configuration of the mobile electronic device 1 will be described. The first housing 1CA is provided with a main display 2M shown in FIG. Further, the first housing 1CA is provided with a sub-display 2S shown in FIG. The main display 2M and the sub display 2S are respectively arranged on opposing surfaces of the first housing 1CA, and are configured so that the user can visually observe the sub display 2S when the portable electronic device 1 is closed.

  The main display 2M displays a standby image as a predetermined image when the portable electronic device 1 is waiting for reception, or a menu image used to assist the operation of the portable electronic device 1. Or As shown in FIG. 3, the sub display 2 </ b> S displays the remaining battery level of the portable electronic device 1, the reception state of radio waves, and the like in the state where the portable electronic device 1 is closed. In addition, the first housing 1CA is provided with a speaker 6 that emits sound during a call of the mobile electronic device 1 and a camera 10a that captures a still image or a moving image. The camera 10a is, for example, a video camera or a web camera configured by a charge coupled device such as a CCD (Charge Coupled Device) or a COMMOS (Complementary Metal Oxide Semiconductor), a solid-state imaging device, or the like.

The second casing 1CB is provided with a plurality of operation keys 3 for inputting characters at the time of making a telephone call, mail, etc., and selecting and determining menus and screens displayed on the main display 2M. A direction and a determination key 4 are provided for easily executing scrolling and the like. The second housing 1CB is provided with an antenna 7, which is used for transmission and reception between the portable electronic device 1 and the base station. The operation key 3 and the direction / decision key 4 constitute a key operation unit 18 of the portable electronic device 1. The second casing 1CB is provided with a fingerprint sensor 10b. As an example, when the user slides his / her finger on the fingerprint sensor 10b (finger sweep type), the user's fingerprint is read as biometric information. It is configured to be able to. In addition, the second housing 1CB is provided with a microphone 5 that receives audio when the mobile electronic device 1 is in a call.

  As shown in FIG. 2, in this embodiment, one side of the second housing 1CB (one of the surfaces substantially orthogonal to the surface on which the operation key 3, the direction, and the determination key 4 are provided) A communication terminal 8 is provided. The communication terminal 8 stores information from the outside of the second housing 1CB in a storage unit provided in the second housing 1CB, and takes out information stored in the storage unit to the outside of the second housing 1CB. It is used when The information stored in the storage unit is, for example, software, image data, address book data, e-mail data, voice data, or the like used for controlling the mobile electronic device 1.

  The first housing 1CA and the second housing 1CB are connected by a hinge 9. As a result, the first casing 1CA and the second casing 1CB rotate together around the hinge 9 so that they can rotate in a direction away from each other and a direction approaching each other (a direction indicated by an arrow R in FIG. 2). Configured. When the first casing 1CA and the second casing 1CB rotate in a direction away from each other, the portable electronic device 1 opens, and when the first casing 1CA and the second casing 1CB rotate in a direction approaching each other, the portable electronic device 1 opens. Device 1 closes.

  FIG. 4 is a block diagram illustrating an example of the configuration of the portable electronic device 1 according to the present embodiment. As shown in FIG. 4, the portable electronic device 1 is connected to a wireless communication unit 11, a control unit 12, a storage unit 13, a microphone 5 (MIC), and a speaker 6 (SP) connected to an antenna 7. The voice processing unit 14, the biological information input unit 10 connected to the camera 10 a and the fingerprint sensor 10 b, the display unit 2, and the key operation unit 18 are included.

  The wireless communication unit 11 includes an antenna 7 and performs wireless communication with the base station via a channel assigned by any of the base stations. Here, the wireless communication unit 11 may transmit and receive signals using a communication method such as a CDMA (Code Division Multiple Access) 2000_1x method.

  The control unit 12 comprehensively controls the overall operation of the mobile electronic device 1. That is, the control unit 12 performs various processes of the mobile electronic device 1 in an appropriate procedure according to the operation of the key operation unit 18 and the program stored in the storage unit 13 of the mobile electronic device 1. Various functions are realized by controlling operations of the wireless communication unit 11, the display unit 2, and the like. Various processes of the portable electronic device 1 include, for example, voice calls performed via a circuit switching network, creation and transmission / reception of e-mails, browsing of the Internet Web (World Wide Web) site, read / write control of the storage unit 10, etc. Through these various processes, various functions such as voice call function, external device communication function, data communication function, browser communication function, data download function, file sharing function, address book read / write function, database read / write function, etc. The function is realized. Here, examples of operations of the wireless communication unit 11 and the display unit 2 include transmission / reception of signals in the wireless communication unit 11, display of images on the display unit 2, and the operation of the audio processing unit 14 as audio. There are input and output.

Here, FIG. 5 is a block diagram showing an example of a logical configuration of software according to the present embodiment. The control unit 12 is based on programs stored in the storage unit 13 (for example, an operating system (OS) program including a kernel, base software (BREW (registered trademark) manufactured by Qualcomm, etc.), application programs A to C, etc.). To execute the process. That is, as shown in FIG. 5 as an example, the control unit 12 includes a CPU (Central Processing Unit), reads a program, interprets it, and executes various processes according to instructed procedures. For example, when the power is turned on (when the power is turned on), the control unit 12 stores an OS program stored in the storage unit 13, base software that is an upper layer of the OS program, and application program A that is an upper layer of the base software. The instruction codes from .about.C are read sequentially or as necessary, and various processes are executed. The control unit 12 has a function of switching and executing a plurality of application programs A to C and the like. As an application program to be executed, for example, a plurality of application programs such as a voice call application, a game application, and a FeliCa (registered trademark) application are provided. There is an application program.

  Here, returning to FIG. 4, the control unit 12 includes a biometric information registration unit 12a, a biometric information matching unit 12b, a security level determination unit 12c, an application execution restriction unit 12d, and an application execution unit 12e. The

  Of these, the biometric information registration unit 12a controls the user to input biometric information (first biometric information) via the fingerprint sensor 10b of the biometric information input unit 10 during biometric information registration (user registration). The read biometric information is stored in the biometric information registration file 13a.

  In addition, the biometric information collating unit 12b and the biometric information (second biometric information) input by the user via the fingerprint sensor 10b of the biometric information input unit 10 during biometric information collation (user authentication) The degree of coincidence is calculated by collating the biometric information (second biometric information) registered in the registration file 13a. As an example, the degree of coincidence is represented by an authentication level such as an authentication rate in which the degree of coincidence between the first biological information and the second biological information is expressed as a percentage. Here, the biometric information matching unit 12b may store the authentication rate calculated based on the biometric information input via the biometric information input unit 10 in the authentication rate storage file 13d. In addition, the biometric information matching unit 12b may control the biometric information input unit 10 to allow the user to input biometric information when the power is turned on (when the power is turned on), when the sleep mode is canceled, or the like.

  Here, the “sleep mode” means power saving by the control of the control unit 12 in a state where the operation with respect to the operation unit 18 does not occur for a certain period of time, or when the case 1C is in a non-operation state such as a closed state. It is a mode that makes a transition for the purpose. In the sleep mode, the control unit 12 generally leaves only the minimum functional blocks such as monitoring of interrupt signals and stops other functional blocks. For example, during the sleep mode, the control unit 12 performs interrupt monitoring of key operations by the key operation unit 18, interrupt monitoring from a timer, and the like. Specifically, when a key operation via the key operation unit 18 occurs, a change in the key signal occurs, but the control unit 12 determines this as being interrupted and cancels the sleep mode. As an example, even in the sleep mode, the counter unit that counts the clock signal counts a predetermined number of clocks, that is, a timer interrupt signal is generated when a predetermined time has elapsed, and the control of the control unit 12 detects this as an interrupt. Then, the sleep mode is canceled. Such a timer interrupt is used, for example, for an alarm function such as an intermittent reception of a signal from the base station by the wireless communication unit 11 during standby or an alarm clock. In the present embodiment, for example, the biometric information matching unit 12b of the control unit 12 causes the user to input biometric information when interrupted by a key operation or the like via the key operation unit 18. The input unit 10 may be controlled, and the sleep mode may be canceled when the input biometric information is determined to satisfy the security level by the security level determination unit 12c.

In addition, the security level determination unit 12c determines the authentication rate calculated by the biometric information matching unit 12b based on the security level (for example, the threshold of the authentication rate) set in association with the function used by the application program at the time of execution. Make a decision. For example, the function used by the application program at the time of execution is determined by the presence or absence of an access right. The presence or absence of this access right is defined by the access type for a certain resource by a function authority flag or the like. As an example, the access type includes data writing / reading processing, data acquisition / transmission processing via the wireless communication unit 11, address book reference / update processing, data input / output processing by external connection, and the like.

  More specifically, the security level determination unit 12c reads a function authority flag defined for each application program from the application program 13c. Then, the security level determination unit 12c reads the corresponding security level from the function authority security table 13b for the function whose function authority flag is on (authorized), and the authentication rate calculated by the biometric information matching unit 12b is It is determined whether or not the security level is satisfied. Here, when a plurality of function authority flags defined in the application program are turned on, the security level determination unit 12c sets the security level that requires the highest authentication rate among the corresponding security levels. Based on this, the authentication rate may be determined. Here, the security level determination unit 12c may determine the degree of coincidence when the user requests activation of the application program via the key operation unit 18 or the like. In this case, the security level determination unit 12c may read the authentication rate stored in the authentication rate storage file 13d and determine whether the security level corresponding to the function authority of the application program requested to start is satisfied. In addition, when the authentication rate does not satisfy the security level, the security level determination unit 12c may instruct the biometric information matching unit 12b to cause the user to input biometric information again.

  The application execution restriction unit 12d restricts execution of the application program according to the determination result by the security level determination unit 12c. More specifically, the application execution restriction unit 12d prohibits activation of the application when the security level determination unit 12c determines that the authentication rate does not satisfy the security level for the application program. Execution of the application program is restricted by restricting some functions used by the program at the time of execution (for example, a function corresponding to a security level whose degree of coincidence is not satisfied). The function restriction may be realized by temporarily rewriting a function authority flag corresponding to the function to OFF, for example.

  Further, the application execution unit 12e reads the application program 13c and executes the process according to the interpreted procedure when the execution of the application program is instructed by the user via the key operation unit 18. Here, the application execution unit 12e can use a function realized by lower layer base software or the like when the function authority defined in the application program is ON. In addition, when the application execution restriction unit 12d restricts execution of the application program, the application execution unit 12e executes the application program within the restricted range. For example, when application activation itself is prohibited, application program loading is not started, and when some function authority flags are off (no authority), function authority flags are on ( Execute application programs using only authorized functions.

The storage unit 13 includes, for example, a non-volatile storage device (non-volatile semiconductor memory such as ROM: Read Only Memory, a hard disk device, etc.), and a readable / writable storage device (for example, SRAM: Static Random Access Memory, DRAM: Dynamic Random). Access Memory). The storage unit 13 stores various files, tables, programs, databases, and the like (for example, the biometric information registration file 13a to the authentication rate saving file 13d).

  Among these components of the storage unit 13, the biometric information registration file 13a stores the biometric information (first biometric information) of the user registered in advance by the biometric information registration unit 12a.

  The function authority security table 13b is a table in which function authority flags and security levels are associated with each other. The function authority security table may be defined in the base application program. Here, FIG. 6 is a diagram showing an example of a conventional security table. FIG. 7 is a diagram showing an example of a function authority security table according to the present embodiment.

  As shown in FIG. 6, conventionally, in order to make the security level variable according to the application, a table storing the application and the security level in association with each other is used. On the other hand, as shown in FIG. 7, the function authority security table according to the present embodiment stores the function used by the application at the time of execution and the security level in association with each other. This eliminates the need to set the security level each time even if the number of applications increases due to new downloading of applications. In addition, the functions used by the application at the time of execution are limited depending on the hardware and base software of the mobile electronic device, so there is no need to edit the table, and it is possible to increase and complicate the table as before. There is no invitation. Preferably, the security level at the time of activation or when the sleep mode is canceled may be set lower than that at the time of activation of the application. This is inconvenient if the security level is set to “High” at startup or when the sleep mode is canceled, and it is difficult to obtain authentication if you simply want to cancel the startup or sleep mode. This is because the above function can be used without subsequent authentication processing.

  In the application program 13d, a general processing procedure is defined, and a function authority flag defining a function used by the application program at the time of execution is stored. In the function authority flag, for example, the presence / absence of authority to use each function (for example, BREW (registered trademark) access right) is set as a binary item of ON / OFF. Here, FIG. 8 is a table showing an example of the function authority defined in each application program. As shown in FIG. 8, for example, the voice call application has database read / write authority, voice call authority, no data communication authority, no browser communication authority, no data download authority, Insufficient file sharing authority, address book read / write authority, lack of external device communication authority, and the like are defined in binary items of the function authority flag.

  Further, the authentication rate storage file 13d stores the authentication rate calculated based on the biometric information (first biometric information) input at the time of activation, sleep mode release, or the like.

  The audio processing unit 14 performs processing of an audio signal output from the speaker 6 and an audio signal input to the microphone 5. That is, the audio processing unit 14 amplifies the audio input from the microphone 5, performs AD conversion (Analog Digital Conversion), and then performs signal processing such as encoding to convert it into digital audio data and control it. To the unit 12. Further, the audio data sent from the control unit 12 is subjected to processing such as decoding, DA conversion (Digital Analog conversion), and amplification to convert it into an analog audio signal, which is then output to the speaker 6.

The biometric information input unit 10 includes a camera 10a and a fingerprint sensor 10b. For example, when the user slides his / her finger on the fingerprint sensor 10b, a read signal of the fingerprint sensor 10b is supplied to the biometric information input unit 10, and the biometric information input unit 10 recognizes the fingerprint. Similarly, when a person is imaged at the subject position of the camera 10a, the image signal of the camera 10a is supplied to the biometric information input unit 10, and face recognition is performed by the biometric information input unit 10. These recognition results are supplied to the control unit 12 as biometric information, and biometric information registration by the biometric information registration unit 12a and collation for user authentication by the biometric information collation unit 12b are performed. The fingerprint sensor 10b may start reading a fingerprint (scanning in the line direction) in response to a reading start command from the control unit 12.

  The display unit 2 is hidden when the casing 1C of the portable electronic device 1 is closed, and is exposed when the casing 1C is opened. The sub-display 2S is exposed outside the casing 1C even when the casing 1C is closed. It consists of. The main display 2M and the sub display 2S are configured by display devices such as a liquid crystal display panel and an organic EL (Electro Luminescence) panel, for example, and video signals (videos such as standby images and menu images) sent from the control unit 12. Signal, including still images and moving images).

  The key operation unit 18 includes the operation key 3 and the direction / decision key 4 shown in FIG. The operation key 3 is composed of a plurality of keys, and the direction and determination key 4 is composed of a plurality of switches. Various functions necessary for the operation of the portable electronic device 1 such as a power source, a call, a number, a character, a direction, a determination, and a call are assigned to the plurality of keys and the plurality of switches. Then, when the operation key 3, the direction, and the determination key 4 are operated by the user, the operation key 3, the direction, and the determination key 4 generate a signal assigned to the operation content. The generated signal is input to the control unit 12 as a user instruction.

  Next, an example of processing of the portable electronic device according to the present embodiment will be described in detail with reference to FIG. Here, FIG. 9 is a flowchart illustrating an example of processing of the portable electronic device 1 when the user instructs activation of the application program.

  First, as shown in FIG. 9, when the user gives an instruction to start an application via the key operation unit 18 or the like (S101), the security level determination unit 12c determines the function authority defined in the application program 13c. By referring to the flag, information about the presence / absence of the function authority is acquired (S102). For example, when the activation of the FeliCa application is instructed, as shown in FIG. 8, the security level determination unit 12c refers to the function authority flag of the FeliCa application, database read / write authority: yes, voice call authority: no, data Communication authority: Yes, Browser communication authority: No, Data download authority: No, File sharing authority: No, Address book read / write authority: No, External device communication authority: Yes.

  Then, the security level determination unit 12c determines whether the application has a plurality of privilege levels (functional authority) (S103).

  When the security level determination unit 12c determines that there are a plurality of privilege levels (functional authority) (S103: Yes), the security level determination unit 12c searches the functional authority security table 13b for the highest security level (S104). For example, as described above, the FeliCa application has three authorities: a database read / write authority, a data communication authority, and an external device communication authority. The security level determination unit 12c refers to the function authority security table 13b illustrated in FIG. 7, and has the highest security level among the database read / write authority: low, data communication authority: high, and external device communication authority: high (in this case) Get "high").

On the other hand, when there is only one privilege level (function authority) (S103: No), the security level determination unit 12c acquires a security level corresponding to the function authority from the function authority security table 13b (S105). .

  Then, the security level determination unit 12c sets a threshold for authentication based on the acquired security level (S106). For example, the security level is defined as 90% when the security level is “high”, 80% when the security level is “medium”, and 70% when the security level is “low”, and the security level determination unit 12c is based on the specified value. A threshold may be set. Further, the authentication rate history may be stored in the authentication rate storage file 13d, and the security level determination unit 12c may set a threshold based on the distribution of authentication rates stored in the authentication rate storage file 13d. For example, when the security level is “high”, the upper 25% value of the authentication rate distribution is set as a threshold, when “medium” is set, the upper 50% value is set as a threshold, and when the security level is “low”, the lower 25% value is set as a threshold. May be set as

  Then, the biometric information matching unit 12b controls the display unit 2 to display an authentication screen instructing the user to hold the finger over the fingerprint sensor 10b, and the biometric information via the fingerprint sensor 10b of the biometric information input unit 10 Is inputted and compared with the biometric information registered in the biometric information registration file 13a to calculate an authentication rate (a value representing the degree of coincidence as a percentage) (S107). Here, the biometric information matching unit 12b is not limited to comparing digital images, but performs matching by analyzing the fingerprint image and extracting patterns of feature points (such as fingerprint center points, branch points, and deltas), and authenticating. The rate may be calculated. If the authentication rate calculated from the biometric information input by the biometric information matching unit 12b at startup or when the sleep mode is canceled is stored in the authentication rate storage file 13d, this processing is not performed and the subsequent security is performed. You may transfer to the determination process by the level determination part 12c.

  And the security level determination part 12c performs an authentication process by determining whether the said authentication rate is more than a threshold value (S108).

  When the authentication is successful, that is, when the security level determination unit 12c determines that the authentication rate is equal to or higher than the threshold value (S108: Yes), the application execution unit 12e has the application program instructed to start by the user And display the application screen by controlling the display unit 2 (S109).

  On the other hand, when the authentication is not successful, that is, when the security level determination unit 12c determines that the authentication rate is less than the threshold value (S108: No), the application execution restriction unit 12d prohibits the activation of the application program. Alternatively, a part of functions at the time of execution is restricted and the process is terminated. Here, when the authentication is not successful, the biometric information matching unit 12b may display an authentication screen that instructs the user to input biometric information again.

  As described above, according to the present embodiment, an access right (function authority) of a function realized by the base software is associated with an authentication rate such as fingerprint authentication, and thus an authentication process is required for an important application. Instead, it provides high security, and easy-to-use application programs that are not so can be accessed with a light authentication process. That is, it is possible to maintain security that meets the needs of the user.

  In the conventional authentication system, lowering the acceptance rate with emphasis on safety will increase the rejection rate of the person, so the usability will worsen. Conversely, reducing the rejection rate with emphasis on usability will increase the acceptance rate of others and be safe. It had the contradictory property that the property was impaired. On the other hand, according to the present embodiment, high security and accessibility with a light authentication process can be realized according to the use authority of the application, so authentication is performed while considering both usability and safety. be able to.

  Further, according to this embodiment, even if the number of applications increases, it is not necessary to reset the security level, and it is possible to prevent the storage table from increasing or becoming complicated.

  Also, when starting up or canceling sleep mode, the security level is set lower than when starting the application, so even if the biometric state at the time of authentication is somewhat bad (for example, if your hand is dirty and your fingerprint is difficult to read) However, since it is possible to use only a specific function (for example, display of a standby screen) or specific data, it is excellent in convenience.

  Although the embodiments of the present invention have been described so far, the present invention is not limited to the above-described embodiments, but can be applied to various different embodiments within the scope of the technical idea described in the claims. It may be implemented.

  For example, in the mobile electronic device 1, when authentication is performed when the sleep mode is canceled, the security level determination unit 12c may set a higher security level or threshold value than normal. For example, the security level determination unit 12c may request a higher authentication rate than usual by setting a threshold value based on the authentication rate of biometric information input before shifting to the sleep mode.

  Further, for example, in the above-described embodiment, fingerprint authentication or face authentication that reads a user's fingerprint or face as biometric information has been described as an example. However, the biometric authentication method is not limited to this, for example, an iris or a retina. Alternatively, biometric authentication may be performed by reading information such as veins, voiceprints, handwriting, and palm shapes as user biometric information.

  In addition, among the processes described in the embodiment, all or part of the processes described as being automatically performed can be performed manually, or the processes described as being performed manually can be performed. All or a part can be automatically performed by a known method.

  In addition, unless otherwise specified, the processing procedures, control procedures, specific names, information including registration data for each processing, parameters such as search conditions, screen examples, and database configurations shown in the above documents and drawings Can be changed arbitrarily.

  Further, regarding the communication terminal device (mobile electronic device 1), each illustrated component is functionally conceptual and does not necessarily need to be physically configured as illustrated. For example, the processing functions of each device of the communication terminal device (mobile electronic device 1), in particular, the processing functions performed by the control unit 12, all or any part thereof are interpreted and executed by the CPU and the CPU It may be realized by a program to be executed, or may be realized as hardware by wired logic. The program is recorded on a recording medium and is mechanically read by the communication terminal device (portable electronic device 1) as necessary. That is, the storage unit 13 such as ROM or HD stores a computer program for giving various instructions to the CPU in cooperation with the OS and performing various processes. This computer program is executed by being loaded into the RAM, and constitutes a control unit in cooperation with the CPU.

  The computer program (particularly the application program) is stored in an application program server connected to the communication terminal device (mobile electronic device 1) via an arbitrary network (for example, a mobile phone network). It is also possible to download all or part of it if necessary. Moreover, this program can also be stored in a computer-readable recording medium. Here, the “recording medium” includes any portable physical medium such as a flexible disk, a magneto-optical disk, a ROM, an EPROM, an EEPROM, a CD-ROM, an MO, and a DVD.

  The “program” is a data processing method described in an arbitrary language or description method, and may be in any format such as source code or binary code. Note that the “program” is not necessarily limited to a single configuration, and functions are achieved in cooperation with a separate configuration such as a plurality of modules and libraries or a separate program represented by the OS. Including things. In particular, the logical configuration of the OS program and the base software described above can be arbitrarily changed. For example, the OS program and the base software may be integrated into a broad OS program. Note that a well-known configuration and procedure can be used for a specific configuration for reading a recording medium, a reading procedure, an installation procedure after reading, and the like in each device described in the embodiment.

  Furthermore, the specific form of distribution / integration of the devices is not limited to that shown in the figure, and all or a part of them may be functional or physical in arbitrary units according to various additions or according to functional loads. Can be distributed and integrated.

  As described above, the communication terminal apparatus according to the present invention is useful for a communication terminal apparatus that performs biometric authentication such as fingerprint authentication, face authentication, voice authentication, iris authentication, and vein authentication.

DESCRIPTION OF SYMBOLS 1 Portable electronic device 1C housing | casing 1CA 1st housing | casing 1CB 2nd housing | casing 2 Display part 2M Main display 2S Sub display 3 Operation key 4 Direction and decision key 5 Microphone 6 Speaker 7 Antenna 8 Communication terminal 9 Hinge 10 Biometric information input Unit 10a camera 10b fingerprint sensor 11 wireless communication unit 12 control unit 12a biometric information registration unit 12b biometric information matching unit 12c security level determination unit 12d application execution restriction unit 12e application execution unit 13 storage unit 13a biometric information registration file 13b function authority security table 13c application program 13d authentication rate saving file 14 voice processing unit 18 key operation unit

Claims (14)

A storage unit for storing first biometric information of a user registered in advance;
A biometric information input unit for inputting the second biometric information of the user;
A function used by the application program when the degree of coincidence calculated by collating the first biological information stored in the storage unit with the second biological information input to the biological information input unit When it is determined that the security level set in association with is not satisfied, a control unit that restricts execution of the application program;
A communication terminal device comprising: The storage unit
A function authority security table in which the function authority flag defining the function used by the application program in association with the application program and the security level are stored in association with the application program;
The controller is
Referring to the functional authority security table, the security level corresponding to the functional authority flag of the application program is acquired, and when it is determined that the degree of matching does not satisfy the security level, the application program is executed. Limiting,
The communication terminal device according to claim 1. The function is specified by an access type;
The communication terminal device according to claim 1, wherein: The access type is at least one of data write and read processing,
The communication terminal device according to claim 3. The access type is data acquisition processing using a wireless communication unit, data transmission processing using the wireless communication unit,
The communication terminal device according to claim 3. The access type is an address book reference process;
The communication terminal device according to claim 3. The access type is at least one of data input processing and data output processing by external connection;
The communication terminal device according to claim 3. The controller is
If the application program has a plurality of the functions, determining the degree of coincidence based on the security level that requires the highest degree of coincidence among the corresponding plurality of security levels;
The communication terminal device according to any one of claims 1 to 7, wherein: The controller is
Determining the degree of coincidence when a startup request for the application program is made;
The communication terminal apparatus according to any one of claims 1 to 8, wherein The controller is
The degree of coincidence calculated based on the first biological information and the second biological information is stored in the storage unit, and the coincidence stored in the storage unit when an activation request for the application program is made Make a decision based on the degree,
The communication terminal device according to any one of claims 1 to 9, wherein: The controller is
Controlling the biological information input unit so that the second biological information is input when the power is turned on or when the sleep mode is canceled;
The communication terminal device according to any one of claims 1 to 10, wherein: The biological information is at least one of a fingerprint, a face, a vein, an iris, a retina, a vein, a voice print, a handwriting, or a palm shape;
The communication terminal device according to any one of claims 1 to 11, wherein The controller is
Executing the application program by restricting the use of the function corresponding to the security level when it is determined that the degree of coincidence does not satisfy the security level;
The communication terminal device according to any one of claims 1 to 12, wherein A wireless communication unit that performs wireless communication using the CDMA2000_1x method;
The communication terminal device according to claim 1, wherein:

Images