JP2016129066A - Application authentication policy for plural computing devices - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide security and a common user experience across disparate devices.SOLUTION: The present invention includes a method for launching an application authentication policy (AAP) application on a computing device. If a user is authenticated by the AAP application, the device is enabled for use as a personal device of a user. If not authenticated, the device is enabled for use as a non-personal device that provides only basic functionality, but other users' personal data and applications are protected.SELECTED DRAWING: Figure 2

Description

  As the types of devices that users use for computing, communication, media delivery, and the like increase, computing systems are evolving. Rather than being tied to a desktop personal computer (PC), an ever-increasing number of users have been able to deliver live media broadcasts and on-demand content delivered to tablet computers, smartphones, and connected consumer devices. There is a need for new device types and form factors, such as the terminology used, multi-screen television (TV). These devices have been adopted by many major computing / consuming devices, which are limited to telephone and live / on-demand content viewing limited to voice calls and short message services (SMS) It is not limited to conventional use such as TV.

  Instead, these computing devices are connected to the Internet today, and various family members can use the Internet for social networking, web browsing, calling, video on demand (VOD) services, and Such a device can be used for other uses that were limited only to PC clients until just a few years ago. However, providing security and a common user experience across these disparate devices is problematic.

FIG. 4 shows a block diagram of various modules of an application authentication policy configuration according to one embodiment of the present invention. Figure 2 shows a flow diagram of a method according to one embodiment of the invention. FIG. 4 shows a flow diagram of operations associated with user profile management according to one embodiment of the present invention. FIG. 4 shows a flow diagram of a method for performing further authentication operations according to one embodiment of the present invention. FIG. 2 shows a block diagram of a software architecture for a smartphone platform according to one embodiment of the present invention. FIG. 3 shows a stack diagram of a security engine stack and an application stack according to one embodiment of the present invention. 1 shows a block diagram of an exemplary system according to one embodiment of the present invention. 1 shows a block diagram of a network according to one embodiment of the present invention.

  In various forms, an application authentication policy (AAP) can be provided to users of various computing devices such as smartphones, tablet computers, netbooks, mobile internet devices, and multi-screen TVs. This allows these devices to identify users and retain access privilege levels such as selected profiles, user settings, and parental controls. In addition to providing an application authentication profile similar to multi-user mode, based on a secure authentication mechanism, providing seamless user profile management and configuration to other connected devices that the user will use it can. By providing this policy, application profile customization can be provided for each user, and application profile customization can be protected by an authentication mechanism. As a result, other users using any device under the influence of the policy cannot access the past user's profile / personal data.

  It should also be noted that any device can operate without user authentication, new users of the device may use basic functions and may install applications, depending on device settings. . In a form using a cloud-based mechanism, user profiles of multiple devices can be accessed via a single device. The profile can also be managed through this device. Management includes, for example, the act of remotely deleting one or more such profiles.

  In one form, the application authentication policy includes user authentication for one or more selected user applications as a single sign-on. Once authenticated, the user is free to use all applications associated with the user in personal device mode. Some forms may also be provided for cloud storage of application authentication policies. As a result, the user profile can be reproduced on another device on the go. In addition, a portable device or dongle such as a universal serial bus (USB) thumb drive or other mechanism can be used to provide this policy.

  Some forms may be used to set a predetermined amount of functionality on the device regardless of whether the user is authenticated according to an authentication policy. For example, the basic level functionality of the device may be available to all users in the family. In connection with tablet computers, smartphones, TVs or other internet-connected devices, these functions are for selected Internet site browsing, selected TV channel viewing, calls in selected areas, and selected games. May include playing etc.

  Alternatively, policy-based personal applications may be available only to users who are authenticated on the device. Although the scope of the present invention is not limited to these, such applications may be used for social networking, electronic commerce (e-commerce) usage used to purchase applications, or marketplace store credit cards and e-mail. / Use of chat application etc. may be included. Such policy-based applications may also include management / policies that set privileges for TV channels, VOD, personal applications, games, and the like. It is also desirable to allow basic device functions and advanced features such as multi-screen TV, or allow a premium media experience only when any user is securely authenticated on the device. Can be extended to such smartphones and other connected devices.

  According to one form, an authentication policy is available, followed by an AAP setup and configuration module (ASCM), a user profile and personality manager (UPPM), an AAP user authentication interface (AUAI) and an application management module (AMM). The authentication policy may be accessed by a combination of. Here, FIG. 1 shows a block diagram of various modules of an application authentication policy configuration according to one embodiment of the present invention. As shown in FIG. 1, configuration 100 may be implemented as a persistent computer-readable storage medium that includes instructions for performing an authentication operation in accordance with one embodiment of the present invention. Although implemented as such media in one embodiment, the scope of the present invention is not so limited, and in other implementations, configuration 100 can be implemented as various modules of hard-coded logic or hardware processors. It should be understood that it may be implemented. Also, a master version of this configuration, which may be accessible to various end users via the Internet or the like, may be stored in a primary location, but at least a partial copy of this configuration may be sent to users from public devices. It can be stored on a variety of devices such as public devices that allow access to their personal user profile and devices that are personal to the user.

  As shown, the configuration 100 includes an AAP setup and configuration module (ASCM) 110. As further shown below, the module 110 is for generating a user profile, and for updating the profile further, and for setting various policies for the entire device when active in an administrative account. May be used.

  In one form, the ASCM 110 may be available as an application. Once installed on the device, any user may be authenticated if first authorized to create a user profile for the administrative account. This management account may be a primary account having a role of starting a device and a role of setting a user policy. ASCM initial setup allows the use of tablets for computer browsing of the Internet, the use of Voice over Internet Protocol (VoIP), and the use of TV for basic television channels rated to G / PG-13 etc. The user can be allowed to use basic device functions such as allowing.

  A user may use the ASCM 110 to initiate / generate a user profile. If the user does not do so, the device may continue to operate normally with the default ASCM basic device function. However, the user's profile / application may be protected based on the corresponding policy and may not be accessible to this unauthenticated user. Thus, some forms may provide a single sign-on that, when authenticated, allows the user to access all applications associated with the user in personal mode. Also, using the ASCM, the user may set one or more applications that are personal to the user. This allows these applications to be stored on the computing device but remain hidden to different users. Alternatively, the user can make such an application available to other users (although the user's personal data for that application remains hidden).

  Also, using the ASCM 110, the user can download the application, and the application can be set personal to the user so that other users cannot access the application. Alternatively, for an application already stored on the device, the user can update the application's profile, thereby making the application's profile personal to the user.

  In some cases, the application may be virtualized. That is, authorization may be set to allow a plurality of users to access a single application once stored on the computing platform. However, if the user is authenticated, only personal data for the user may be displayed for each authenticated user of the application. In other settings where the user does not want other users to access their version of the application, the second user is stored on the computing platform and is associated with the second user's personal application. Different instances of can be downloaded.

  Still referring to FIG. 1, a user profile and personality manager (UPPM) 120 may be used for user profile control management. This can be stored in cloud-based storage, for example for information about user profiles in conjunction with ASCM 110, and for storing and accessing user profiles on a variety of other devices on the local device or via remote access to user profiles. Includes providing information for related control management operations. Thus, in one form, UPPM 120 enables backup of user profile settings to a remote location, such as via a cloud-based service. In various forms, the user profile includes many different types of information. For purposes of illustration and not limitation, user profile information may include user personal email, social networking site information, user credit card information, user phone book / address details, HuluPlus®, User VOD service such as Netflix (registered trademark), and other user-set personal details may be included. In some forms, UPPM data may be encrypted with a user personal identification number (PIN) / password or other secure token, and may be stored remotely.

  This remote backup / storage via UPPM 120 allows users to access their user profile settings from a different device than the original device from which the user profile settings were generated. Thus, the user can remotely access the user profile via secure authentication, and the user profile can be stored on the local device as requested by the user. For example, if a user logs in to a TV and is authenticated as an authenticated user, the user will be able to access his user profile and store the user profile on the local device as needed. May be. In some forms, via UPPM 120, for example, using a cloud-based service, multiple devices with their own user profile stored locally can be viewed, and the locally stored profile can be deleted. Remote commands can be sent and the profile can be wiped out permanently. Alternatively, the user profile may be automatically deleted from at least a specific device after use, such as when the device is not the user's personal device.

  Still referring to FIG. 1, an AAP user authentication interface (AUAI) 130 may further be provided in this configuration. The interface may provide a graphical user interface (GUI) so that the user can interact with the AAP to provide an authentication operation including a username and password. In one form, the AUAI 130 may be part of an AAP application and may be part of an application profile security engine that runs on the device. The AAP application cannot be uninstalled by the user. However, if no user is using this application on the device, the AAP application may be set to an invalid mode. According to one form, the AUAI 130 may be initialized and authenticated when the user is about to use any of the personalized applications specified in the AAP application profile.

  Still referring to FIG. 1, the configuration 100 may further include an application management module (AMM) 140. In general, module 140 may allow an authenticated user to configure an application as desired for that user. The setting includes setting the user's access to the application in addition to setting the appearance of the application on the display and the type of information included in the application. In one form, the AMM 140 allows the user to set up applications that are under the influence of AAP shared by other users. The application can be installed by any user, and once the application is installed, that user can be configured to be accessed by the selected user. Instead, it should be noted that the user may set the application to personal, in which case the application is not available to other users on the same device. In general, if an application is set to be shared, the application is made public, but the data associated with launching the application is private and personal and not shared.

  Some forms thus allow multi-user support on client devices that are not personal computers, such as Internet-connected TVs in hotel rooms, temporary smartphones rented / rented in various geographic locations, etc. A user profile management system is provided that allows a user profile to be used remotely from a device. Such a use case can be realized by making the user profile accessible via cloud-based secure authentication. As such, there is no need for local configuration of the user profile. While the various modules of FIG. 1 are coupled together as shown, it should be understood that each of the modules may interact directly with other modules.

  FIG. 2 shows a flow diagram of a method according to one embodiment of the present invention. As shown in FIG. 2, method 200 may be performed when a user initiates an operation on any device. As noted herein, the device may be any type of internet connection device connected to a TV or the like, from a smartphone to a tablet computer.

  As shown, the method 200 may begin by activating the device, such as by turning on power (block 210). Next, at diamond 215, it may be determined whether the user wants to use the device as a personalized device. As used herein, the terms “personal device” and “personalized device” are used interchangeably and may refer to a computing device that is under the private and permanent control of any user. For example, a smartphone, tablet computer, laptop computer, desktop computer, television, or the like that is owned and under the control of the user can be considered such a personal device. On the other hand, publicly available computing devices such as platforms, devices shared in the workplace, etc. that users can access in public places such as hotels, restaurants or other venues are considered personal devices. I can't.

  Still referring to FIG. 2, the scope of the present invention is not limited to this, but in one form, the determination in diamond 215 is that the user has activated AAP and that the user (or its device) It may be based on using the application to customize one or more applications running on the device. If it is determined that the user is not seeking use as a personalized device, control proceeds to block 220. There, the device can be used for its basic functions. Although the scope of the present invention is not limited to this aspect, such basic functionality is determined by the prescribed device, and if the device is a tablet or other Internet-connected device, web browsing (at least public Website) or for basic media usage such as basic broadcast, cable TV channel or basic VoIP functionality.

  Alternatively, if the diamond 215 determines that the user wants to use the device as a personalized device, control proceeds to block 230. There, an AAP application may be launched. This activation may be in response to the user selecting an icon for the AAP application on the device's graphical user interface (GUI). Control then proceeds to diamond 235. There, it may be determined whether an AAP application has been set for the user. This determination may be based on access control information. If it is determined that AAP is not set for any user, control proceeds to block 240. There, the AAP can be set for the user. Thus, the user may set an authentication policy and a corresponding user profile. If such setting is successful, control proceeds to block 260. Note that the diamond 250 also proceeds to block 260 if the user is authenticated against the configured AAP. In diamond 250, if the user is not authenticated, control proceeds to block 220 for use of basic device functions, as noted above.

  In block 260, the device may be enabled for use as a user's personal device. Although the scope of the present invention is not so limited, this personal use may include arranging a user interface such as a GUI to conform to the configuration information set in the user profile. Various applications personal to the user may be displayed on the GUI. In this way, the user can use an application loaded on the device with personal specifications. For example, social networking applications, electronic commerce applications, media on demand applications, etc. can all be accessed by the user in a personal specification. Thereby, the user's personal information can be used to execute various actions such as electronic commerce transactions and to allow the user to access a contract content service or the like.

  Control proceeds to diamond 270 after a user session in which the device is configured for use with a personal device. There, it may be determined whether it is desired to delete the user profile from the device. This determination may be made, for example, whether the device is a user's private device, i.e., under the user's control, such as a smartphone, tablet computer or TV owned by the user, or a restaurant, hotel or Internet It may be based on whether the user is using a publicly accessible device such as a personal computer or other device in a public facility such as a cafe. If the device is public, control proceeds to block 275. There, the profile may be deleted from the device so that other users cannot access the user profile or other users' private information. Control then proceeds to block 280. There, the device may be closed.

  Here, FIG. 3 shows a flowchart of operations related to user profile management according to one embodiment of the present invention. As shown in FIG. 3, method 300 may begin by generating a user profile on a first device (block 310). For example, the user can generate a user profile including various information including authentication information such as a user name or a password via the ASCM and UPPM of the application authentication policy configuration. Also, various certification information such as a hash, an authentication key, or a hash-based message authentication code (HMAC) may be generated from such information and stored in the user profile. In addition, various personal information including credit card information, account information, personal data, etc. may also be stored as part of this user profile.

  Next, at block 320, the user profile may be stored in secure storage of the device. That is, the secure storage can be accessed only within the secure execution mode of the device and may be in various locations in various forms. For example, in some forms secure hardware may be provided that includes secure storage that is accessible only in secure execution mode. In other forms, for example, if there is a shortage of such secure hardware devices, the user profile can be any solid state storage such as flash storage or mass storage devices such as hard drives or other devices It may be stored in the non-volatile storage. Since such devices can be accessed in an insecure environment, user profile information may be stored in an encrypted form.

  Still referring to FIG. 3, after generating such a user profile, normal operations may be performed. Accordingly, at block 330, the application may be accessed using the user authentication information. At diamond 340, it may be determined whether the user authentication information is valid. While the scope of the present invention is not so limited, in some forms the authentication process may request user authentication information, such as a username and password combination, and generate a hash therefrom. This generated hash is then stored with the hash associated with the user (eg, stored in application data stored in a secure location) for the particular application that is being accessed. May be compared. If the hash values match, the user is authenticated and, as a result, control proceeds to block 360. There, advanced functions of the first device may be activated. More specifically, an application that is an object of the authentication protocol may be activated. As indicated at block 370, the application may be configured according to user profile information for the user, whereby the user may perform application operations using the user profile information. For example, in connection with a bank or other financial transaction, secure financial information from the user profile may be accessed and used to execute the transaction. Alternatively, for a social networking application such as Facebook, the user's personal data may be loaded to provide the user's desired perspective.

  Still referring to FIG. 3, instead, if it is not determined that the user authentication information can access the application, control proceeds to block 350. There, the basic functions of the device are activated.

  Still referring to FIG. 3, control proceeds from block 370 to block 380. There, the application may be closed when the user completes the desired process, so that the user profile information can be protected. For example, user profile information that is accessed and used may be deleted from the volatile storage of the device. Changes to the user profile or application personal data may also be backed up to an appropriate secure storage. Thus, the method 300 continues to block 390. At block 390, the generated user profile may be stored in a cloud-based location. Note that this operation may be arbitrary. Thus, in situations where the user wants to access user profile information on a different device, the generated user profile may be uploaded to a cloud-based location or other location such as a storage device in the data center. Good. In various forms, communication of user profile information may be performed securely. In some forms, the cloud-based location may also act as a central point to maintain user profile consistency across various devices. Thus, when a user profile is first generated, the user profile may be stored in a cloud-based location. Then, if there is an update at any device, such update may be communicated to the cloud-based location for storage at the central location. In certain implementations, when the central user profile is updated, notification of the update may be provided to various devices where the user profile is stored. However, the actual provision of user profile updates for such devices is not made unless an update request is received from the device. Although a specific embodiment in the form of FIG. 3 is shown, it should be understood that the scope of the invention is not limited thereto.

  Turning now to FIG. 4, a flow diagram of a method for performing further authentication operations according to one embodiment of the present invention is shown. As shown in FIG. 4, method 400 may be performed using various modules of an application authentication policy application. Such operations may be used to access applications that are subject to authentication policies, and also to control the management of remote user profiles. As shown, the method 400 may begin by launching an application authentication policy application on the first device (block 410). This activation may be performed by selecting an icon for the authentication policy application on the display of the device. In diamond 420, this activation may cause the application to request user authentication. There, it may be determined whether the user is authenticated. As noted above, the user may enter a username and password and / or other authentication information that can be used by AUAI to generate a hash to be compared to the stored hash. If the user has not been authenticated, control proceeds to block 425. There, the basic functions of the device may be activated. However, the user is not allowed to access a specific application or perform advanced functions.

  Still referring to FIG. 4, instead, if the user is authenticated, control proceeds to diamond 430. There, it may be determined whether a user profile for this user is stored locally. This determination may be made by comparing at least some of the user authentication information with a list of locally stored user profiles. If the user profile is not stored locally, control proceeds to block 450. There, the user profile may be accessed from a cloud-based location. As noted above, in some forms, cloud-based user profile communication may be performed by secure communication. This user profile may be stored locally in a temporary storage or the like within a secure execution environment when downloaded to the device.

  Alternatively, if the user profile is stored locally, the user profile may be accessed from its local storage (block 440). As further shown in FIG. 4, control proceeds from blocks 440 and 450 to block 460. There, the application authentication policy application may be executed using this user profile information. For example, access to a particular application may occur under the influence of this policy, or the user may perform configuration activities or user profile updates, etc. in this secure execution environment.

  Yet another example of an activity that may be performed may be remote user profile management, such as using APM application UPPM. Thus, as shown in FIG. 4, it may be determined in diamond 470 whether the user has requested to delete the user profile on the remote device. If the user has requested, control proceeds to block 480. There, a command may be sent to the remote device via cloud-based communication to delete this user profile. For example, it may be assumed that a user accesses a user profile on a public device that is available at a hotel, airport or other public location and actually downloads the user profile to that device. In addition, it can be assumed that the user forgets to delete the profile before ending use of the device. Thus, this cloud-based communication allows the user to send a command to delete the remote user profile. In other cases, a similar operation may be performed for remote deletion of a user profile.

  Furthermore, cloud-based communication allows the user to visualize the user profile on the remote device. For example, it can be assumed that the user has a plurality of devices such as smartphones, tablet computers, and connected televisions. By visualizing according to one form of the present invention, the user can visualize the user profiles present on these different devices at one location.

  Still referring to FIG. 4, consider further usage scenarios. For example, user profile updates may be adapted, as further shown in FIG. Specifically, it may be determined by diamond 475 whether a request to update user profile information has been received. If so, the user profile may be updated on the first device. The updated user profile may also be sent to update the user profile stored in the cloud-based location to maintain user profile consistency across the various computer platforms (block 490). ). In this way, cloud-based storage of user profiles may continue to be a central point for consistency. This can provide an indicator of update availability so that the user can access the updated user profile information from the cloud-based storage when the user is trying to access the user profile at the remote device. Although a specific embodiment in the form of FIG. 4 is shown, it should be understood that the scope of the invention is not limited thereto.

  Some forms may be implemented in many different systems. For illustration purposes, the architecture of an AAP application associated with a smartphone, ie an Android-based smartphone, is shown in FIG. As shown, FIG. 5 shows a block diagram of a software architecture 500 for an Android-based platform. As shown, the architecture 500 includes an application layer 510 on which various user applications execute. One such application may be an AAP application 515 according to one embodiment of the present invention. Various other user applications may also belong to the application layer 510, such as communication applications, computing applications and email applications.

  Application framework 520 runs under application layer 510. The application framework 520 may include various managers to manage smartphone functions. Similarly, various services, agents, native libraries, and runtimes may be executed under the application framework 520. In the form shown in FIG. 5, such components may include an application profile security engine 530 that may execute at least a portion of the AAP. Various native libraries 540 may also be provided to handle different services. The runtime 550 may also include a core virtual library 552 and a process virtual machine 554 such as Dalvik VM. As further shown in FIG. 5, all of the above components can be executed on a kernel 560, the Linux kernel. Such a kernel may include various drivers for hardware interactions, networking interactions, and the like.

  See FIG. 6 for a further description of the configuration of the AAP application and security engine. As shown, FIG. 6 shows a stack diagram of a security engine stack 620 and an AAP application stack 660. As shown, the security engine stack 620 may include a UPPM 635, a user authentication module 640, and an AMM 650. The AAP application stack 660 may also include an ASCM 670, an AUAI 675, and an AMM 680. As shown, in some forms, a mix of various modules of the application authentication profile application may be implemented between the security engine and the AAP application itself.

  Thus, some forms may be used in many different environments. Now referring to FIG. 7, a block diagram of an exemplary system 700 that can be used in embodiments is shown. As shown, system 700 may be a smartphone or other wireless communication device. As shown in the block diagram of FIG. 7, system 700 may include a baseband processor 710 in which AAP applications may be executed. In general, the baseband processor 710 may perform various signal processing related communications and may perform computing operations on the device. The baseband processor 710 may also be coupled to a user interface / display 720 that may be implemented in some form by a touch screen display. The baseband processor 710 may also be coupled to a memory system including a non-volatile memory or flash memory 730 and a system memory or dynamic random access memory (DRAM) 735 in the form of FIG. As further illustrated, the baseband processor 710 may also be coupled to a capture device 740, such as an imaging device capable of recording moving images and / or still images.

  Various circuits may be coupled between the baseband processor 710 and the antenna 780 to enable communication to be transmitted and received. Specifically, a radio frequency (RF) transceiver 770 and a wireless local area network (WLAN) transceiver 775 may be provided. In general, the RF transceiver 770 may be used to transmit and receive wireless data, such as Code Division Multiple Access (CDMA), Global System for Mobile Communications (GSM), Long Term Evolution (LTE). Alternatively, communication is performed according to an arbitrary wireless communication protocol such as a third-generation (3G) or fourth-generation (4G) wireless communication protocol, such as one that complies with other protocols. Other wireless communications such as transmission / reception of wireless signals such as AM / FM or Global Positioning Searchlight (GPS) signals may also be provided. In addition, local wireless signals such as those conforming to the Bluetooth (registered trademark) standard or the Institute of Electrical and Electronics Engineers (IEEE) 802.11 standard such as IEEE 802.11a / b / g / n are transmitted via the WLAN transceiver 775. It may also be realized. Although the configuration of FIG. 7 shows a high level, it should be understood that the scope of the present invention is not limited thereto.

  FIG. 8 shows a block diagram of a network according to one embodiment of the present invention. As shown in FIG. 8, the network 800 is used to allow a user to access a user profile on a variety of different types of devices, and further to allow downloading of AAP applications. Can be. As shown, the network 800 may correspond to any type of communication network and may include many different types of computing devices interconnected via any network, such as the Internet 820.

  Cloud storage 810 may be provided to provide cloud-based storage of AAP applications and to enable cloud-based storage of user profiles. This cloud storage may be part of a data center that includes various computing devices, storage devices, and the like. As one example, the cloud storage 810 may be a storage device that includes a disk and a plurality of storage members such as optical or semiconductor-based storage. Cloud storage 810 may function as a storage location for master copies of various applications, including AAP applications. Specifically, in the form of FIG. 8, AAP application storage 814 may be used to store one or more AAP applications. The cloud storage 810 may also include a user profile storage 812 that may be used to store a master copy of the user profile for various users of the service. These user profiles may be protected using a username and password so that only authorized users can access any profile.

  Thus, as further shown in FIG. 8, the cloud AAP server 815 may be coupled to the cloud storage 810 at the same location, such as as part of the same data center. In various forms, a user can remotely access any user profile and remotely access other devices to provide user control of that user's user profile on the mote device. As can be done, the cloud AAP server 815 may be used to execute various modules of the AAP application.

Specifically, various user devices such as user devices 830 ₁ and 830 ₂ may be provided as shown in FIG. Such a user device may be any user's personal device such as a smartphone, tablet computer or desktop computer. Other devices such as public computing devices 840 ₁ and 840 ₂ may also be provided. As noted above, one user profile can exist on all of these devices. Further, remote management of these user profiles can be allowed so that the user can control the user profiles on other devices, such as at any one of these devices. Such controls may include user profile visualization and profile deletion. Updates to user profiles that exist in the cloud storage can also be performed from any of these devices and notify other computing devices that have a copy of the user profile to indicate the usefulness of the update. Can send. Although the configuration of FIG. 8 shows a high level, it should be understood that the scope of the present invention is not limited thereto.

  Some forms may be implemented in code and may be stored on at least one storage medium that stores instructions that may be used to program the system to execute the instructions. The storage medium may be any type of persistent storage medium. This includes, but is not limited to, floppy disk, optical disk, solid state drive (SSD), compact disk read only memory (CD-ROM), rewritable compact disk (CD-RW), and magneto-optical. Any type of disk, including disks, random access memory (RAM) such as read only memory (ROM), dynamic random access memory (DRAM) and static random access memory (SRAM), erasable programmable read only memory (EPROM), flash Memory, semiconductor device such as electrically erasable programmable read only memory (EEPROM), magnetic or optical card, or any other type suitable for storing electronic instructions Including the media.

While the present invention has been described in a limited number of forms, many modifications and variations will occur to those skilled in the art. The appended claims are intended to cover all such modifications and variations as fall within the true spirit and scope of this invention.
[Claim 1]
Launching an application authentication policy application on a computing device;
A non-personal device that provides basic functionality when a user is authenticated by the application authentication policy application and enables use of the user as a personal device to the computing device and is not authenticated Enabling use for the computing device;
With
The computing device is a non-personal computer-based computing device.
[Claim 2]
Determining whether the application authentication policy application is configured for the user;
Setting the application authentication policy application for the user if the user is not set for the application authentication policy application;
The method of claim 1, further comprising:
[Claim 3]
Using as the personal device includes using a social networking application including personal information of the user obtained from the user profile of the user;
The method of claim 1 or 2, wherein the personal information is accessible after the user is authenticated to the social networking application.
[Claim 4]
Using as the personal device includes performing an electronic commerce transaction using the user's private information obtained from the user profile of the user;
The method of claim 1 or 2, wherein the private information is accessible after the user is authenticated for the electronic commerce transaction.
[Claim 5]
3. A method according to claim 1 or 2, wherein the basic function of the device comprises performing web browsing of a publicly accessible website.
[Claim 6]
Further comprising accessing a remote location using the computing device to obtain a user profile of the user stored in cloud-based storage;
The user profile is accessible by a plurality of computing devices;
3. The method of claim 1 or 2, wherein each of the plurality of computing devices is a non-personal computer based computing device.
[Claim 7]
Accessing the remote location using the computing device to identify a plurality of devices on which the user profile is stored;
Using the computing device to delete the user profile on at least one of the plurality of devices;
The method of claim 6, further comprising:
[Claim 8]
Customizing a first application for execution on the computing device according to the user profile of the user;
Customizing the first application for execution on the computing device according to a second user profile of the second user when a second user is authenticated by the application authentication policy application The method according to claim 1, further comprising:
[Claim 9]
Enabling the user to use personal data in the user profile during execution of the first application;
The method of claim 8, further comprising: prohibiting the second user from accessing the personal data in the user profile of the first user.
[Claim 10]
On the computer,
An application authentication policy application having a stack including a setting module, a user authentication module, and an application management module via a user authentication module of the application authentication policy application and a computing device having a stack including the application management module Authenticating a user on the computing device by utilizing a security engine;
In response to the authentication, launching a first application under the influence of the application authentication policy application and customizing the first application for the user based on a user profile of the user Enabling for
If the second user is not authenticated by the application authentication policy application, the second user is allowed to access basic functions of the computing device, and the second user Access to the user's application and the user profile of the user;
A program for running
[Claim 11]
Claims for further executing for the computing device to obtain the user profile from storage at a cloud-based location and to store the user profile locally on the computing device. Item 13. The program according to item 10.
[Claim 12]
Claim further for enabling the computing device to access the cloud-based location to determine whether the user profile is stored on another computing device. Item 12. The program according to Item 11.
[Claim 13]
Further enabling the computing device to send a request to delete the user profile stored on at least one of the other computing devices to the cloud-based location;
The program of claim 12, wherein the at least one of the other computing devices is a publicly accessible device located remotely from the computing device.
[Claim 14]
If the second user is authenticated by the application authentication policy application;
Launching the first application under the influence of the application authentication policy application and customizing the first application for the second user based on a second user profile of the second user Enabling the second user to
Prohibiting the second user from accessing the user's personal data for the first application;
The program according to claim 10, further causing the program to be executed.
[Claim 15]
Further performing updating the user profile of the user and enabling the computing device to send updated information about the user profile to a cloud-based location where the user profile is stored. The program according to claim 10, for causing the program to occur.
[Claim 16]
Processor means for executing instructions;
Wireless transceiver means for wirelessly transmitting and receiving information; and
A system comprising storage with instructions,
The instructions are for the system:
Allowing the user to execute at least one application using personal data of the user profile of the user held in secure storage in response to user authentication by an application authentication policy application;
If the user is not authenticated by the application authentication policy application, enabling the basic functionality for the system prohibits the user from executing the at least one application, Is prohibited from accessing your user profile,
And execute
The system is a non-personal computer based computing device.
[Claim 17]
The system of claim 16, further comprising instructions for enabling the user to delete the user profile from the secure storage after authentication of the user.
[Claim 18]
18. The instruction of claim 16 or 17, further comprising instructions for enabling the user to generate the user profile via the application authentication policy application and to store the user profile in the secure storage. system.
[Claim 19]
The system of claim 18, further comprising instructions for enabling the system to communicate the user profile to the cloud-based location for secure storage of the user profile at a cloud-based location. .
[Claim 20]
Updating the user profile via the application authentication policy application and maintaining the user profile stored in the cloud-based location consistent with the user profile stored in the secure storage of the system The system of claim 19, further comprising instructions for enabling the system to communicate the update to the user profile to the cloud-based location.
[Claim 21]
10. An instruction set residing on at least one storage medium, wherein the instruction set is executed by a computing device to perform the method of any one of claims 1, 2, 7, and 9. Instruction set.
[Claim 22]
A computing device comprising a processor for executing the program according to any one of claims 10 to 15.

Claims (23)

Launching an application authentication policy application on a computing device;
A non-personal device that provides basic functionality when a user is authenticated by the application authentication policy application and enables use of the user as a personal device to the computing device and is not authenticated Enabling use for the computing device;
Accessing a remote location using the computing device to obtain a user profile of the user stored in cloud-based storage;
Accessing the remote location using the computing device to identify a plurality of devices on which the user profile is stored;
Using the computing device to delete the user profile on at least one of the plurality of devices;
The user profile is accessible by a plurality of computing devices.   The method of claim 1, wherein the computing device is a non-personal computer-based computing device. Determining whether the application authentication policy application is configured for the user;
The method according to claim 1, further comprising: setting the application authentication policy application for the user when the user is not set for the application authentication policy application. Using as the personal device includes using a social networking application including personal information of the user obtained from the user profile of the user;
4. A method according to any one of the preceding claims, wherein the personal information is accessible after the user is authenticated against the social networking application. Using as the personal device includes performing an electronic commerce transaction using the user's private information obtained from the user profile of the user;
The method according to any one of claims 1 to 4, wherein the private information is accessible after the user is authenticated for the electronic commerce transaction.   6. A method according to any one of the preceding claims, wherein the basic function of the device comprises performing web browsing of publicly accessible websites.   The method of any one of claims 1 to 6, wherein each of the plurality of computing devices is a non-personal computer-based computing device.   The program for making a computer perform the method of any one of Claim 1 to 7. On the computer,
Launching an application authentication policy application on a computing device;
A non-personal device that provides basic functionality when a user is authenticated by the application authentication policy application and enables use of the user as a personal device to the computing device and is not authenticated Enabling use for the computing device;
Customizing a first application for execution on the computing device according to the user profile of the user;
Customizing the first application for execution on the computing device according to a second user profile of the second user when a second user is authenticated by the application authentication policy application To do
Enabling the user to use personal data in the user profile during execution of the first application;
A program for causing the second user to be prohibited from accessing the personal data in the user profile of the user.   A computer readable medium storing the program according to claim 8 or 9. On the computer,
An application authentication policy application having a stack including a setting module, a user authentication module, and an application management module via a user authentication module of the application authentication policy application and a computing device having a stack including the application management module Authenticating a user on the computing device by utilizing a security engine;
In response to the authentication, launching a first application under the influence of the application authentication policy application and customizing the first application for the user based on a user profile of the user Enabling for
If the second user is not authenticated by the application authentication policy application, the second user is allowed to access basic functions of the computing device, and the second user And a program for executing access to the user profile of the user is prohibited.   Claims for further executing for the computing device to obtain the user profile from storage at a cloud-based location and to store the user profile locally on the computing device. Item 12. The program according to Item 11.   Claim further for enabling the computing device to access the cloud-based location to determine whether the user profile is stored on another computing device. Item 13. The program according to item 12. Further enabling the computing device to send a request to delete the user profile stored on at least one of the other computing devices to the cloud-based location;
The program of claim 13, wherein the at least one of the other computing devices is a publicly accessible device that is remote from the computing device. If the second user is authenticated by the application authentication policy application;
Launching the first application under the influence of the application authentication policy application and customizing the first application for the second user based on a second user profile of the second user Enabling the second user to
The program according to claim 11, further causing the second user to be prohibited from accessing the personal data of the user for the first application.   Further performing updating the user profile of the user and enabling the computing device to send updated information about the user profile to a cloud-based location where the user profile is stored. The program according to any one of claims 11 to 15, for causing the program to occur.   A computer readable medium for storing the program according to claim 11. Processor means for executing instructions;
Wireless transceiver means for wirelessly transmitting and receiving information; and
A system comprising storage with instructions,
The instructions are for the system:
Allowing the user to execute at least one application using personal data of the user profile of the user held in secure storage in response to user authentication by an application authentication policy application;
If the user is not authenticated by the application authentication policy application, enabling the basic functionality for the system prohibits the user from executing the at least one application, Is prohibited from accessing your user profile,
Generating the user profile via the application authentication policy application and enabling the user to store the user profile in the secure storage.   The system of claim 18, wherein the system is a non-personal computer based computing device.   20. A system according to claim 18 or 19, further comprising instructions for enabling the user to delete the user profile from the secure storage after authentication of the user.   21. Any of claims 18-20, further comprising instructions for enabling the system to communicate the user profile to the cloud-based location for secure storage of the user profile at a cloud-based location. The system according to claim 1.   Updating the user profile via the application authentication policy application and maintaining the user profile stored in the cloud-based location consistent with the user profile stored in the secure storage of the system 23. The system of claim 21, further comprising instructions for enabling the system to communicate the update to the user profile to the cloud-based location for: A computing device comprising the computer for executing the program according to any one of claims 11 to 16.

Images