JP2019053445A - Authentication system - Google Patents

Abstract

To provide an authentication system and program capable of preventing other person from performing user authentication using an authentication device when the user moves with the authentication device left behind.SOLUTION: The authentication system includes a PC 10 and a mobile terminal 50. The mobile terminal puts its own terminal into an authenticated state capable of transmitting authentication information to the PC within a predetermined distance when user authentication to its own terminal is successful, cancels the authenticated state when receiving a cancellation instruction and prohibits transmitting the authentication information. When the PC receives the authentication information from the mobile terminal within the predetermined distance, the PC transits from an unusable state to a usable state. When no user of the mobile terminal is detected within a first distance range 100 of the mobile terminal or an information processing apparatus, and a predetermined cancellation condition including detection that the mobile terminal and the PC are within the predetermined distance is satisfied, the mobile terminal cancels the authenticated state.SELECTED DRAWING: Figure 2

Description

  The present invention relates to an authentication system that performs user authentication through an authentication device for a user who uses an information processing apparatus.

  In an office or the like, a single PC (Personal Computer) may be shared and used by a plurality of people. Such PCs often perform user authentication for the purpose of information management and the like in order to identify a user who uses the device. Further, depending on the importance of the information to be accessed and the function to be used, the PC may perform user authentication a plurality of times other than at the start of the use of the PC.

  As a user authentication method, in addition to a method of inputting a user ID (Identification) and password on a PC, when an authentication device owned by the user, such as a smartphone or an authentication card, is brought close to the PC, the PC There is a method of performing authentication by reading out personal information of each person by short-range wireless communication. In the latter authentication method, if the authentication device is placed in the vicinity of the PC, it is possible to save the user from having to input a password or the like each time the PC requests user authentication a plurality of times other than at the start of use. .

  However, in the above-described authentication method, even if a person other than the authorized owner of the authentication device brings the authentication device close to the PC, the user authentication is successful, so that the authentication device may be illegally used by others.

  As a method for solving this problem, there is a two-step user authentication method in which a user performs user authentication on an authentication device such as a smartphone, and the authenticated smartphone is brought close to the PC to perform user authentication on the PC. In this method, it is possible to prevent unauthorized authentication of the PC by another person, and even when the PC terminal requests user authentication other than at the start of use, the authentication work by the user can be omitted. .

In this method, the PC terminal can determine that the user has finished using the terminal under the following two conditions.
(1) The authenticated state of the authentication device is released.
(2) The authentication device is out of the range where short-range wireless communication with the PC is possible.
For example, if the PC is returned to the locked state when at least one of (1) and (2) is established, the PC does not transition to the locked state only after a certain period of time without operation, Even when the PC work is resumed after carefully reading the manual or materials during the PC work, it is possible to save the trouble of re-authentication and releasing the PC lock state. Note that the authenticated state of the authentication device is canceled by, for example, an operation of pressing the release button of the authentication device.

  However, the user may leave the authentication device and leave the PC, and in such a case, the unauthorized use of the PC by another user is permitted. In view of this, a method has been proposed for preventing unauthorized use when the user is absent by setting the PC in a locked state when a user's absence is detected using a camera (see Patent Document 1 below).

JP 2008-59575 A

  However, in the method disclosed in Patent Document 1, when the misplaced authentication device is taken away by another person, the authentication device remains in an authenticated state, so that it is possible to perform unauthorized login to another PC using this device. There is a problem.

  The present invention is intended to solve the above problem, and in an authentication system that performs user authentication to an information processing apparatus via an authenticated authentication device, the user moves the authentication device while leaving the authentication device unattended Another object of the present invention is to provide an authentication system and program capable of preventing others from performing user authentication using the authentication device.

  The gist of the present invention for achieving the object lies in the inventions of the following items.

[1] A user authentication unit and a state management unit that transitions the terminal to an authenticated state when user authentication by the user authentication unit is successful and releases the authenticated state when a predetermined authentication cancellation instruction is received And an authentication information transmitting unit that can transmit authentication information to an information processing device within a predetermined distance when the terminal is in the authenticated state, and does not transmit the authentication information when not in the authenticated state. A mobile device,
An information processing apparatus that transitions from an unusable state to a usable state by a user of the portable terminal on condition that the authentication information is received from the portable terminal within the predetermined distance;
A first detection unit that detects whether or not there is a user of the portable terminal within a first distance of the portable terminal or the information processing apparatus;
A second detection unit for detecting whether or not the portable terminal and the information processing apparatus are within a predetermined distance;
A predetermined release condition including detecting that the user of the mobile terminal is not detected by the first detection unit and the mobile terminal and the information processing apparatus are within the predetermined distance by the second detection unit If the authentication is established, an authentication cancellation instruction unit that outputs the authentication cancellation instruction to the mobile terminal;
Having an authentication system.

  In the above invention, if there is no user of the mobile terminal within the first distance of the mobile terminal or the information processing apparatus and a predetermined release condition including that the mobile terminal and the information processing apparatus are within the predetermined distance is satisfied, Cancel the authenticated state of the device. Thereby, when the user moves the mobile terminal while leaving it in the vicinity of the information processing apparatus, it is possible to prevent the other person from using the mobile terminal and using the information processing apparatus illegally.

[2] A third detection unit that detects whether or not there is a user different from the user of the mobile terminal within a second distance of the mobile terminal or the information processing apparatus,
The cancellation condition includes that the third detection unit detects the different user. The authentication system according to [1].

  In the above invention, when the user approaches the portable terminal while leaving the portable terminal in the vicinity of the information processing apparatus, the authenticated state of the portable terminal is canceled. For example, the approach of another person is detected by image analysis by a camera or by detecting the approach of a portable terminal held by another person. You may employ | adopt other detection methods, such as acquisition of entrance / exit information.

[3] The authentication system according to [1] or [2], wherein the release condition includes a state in which a user of the mobile terminal is not detected by the first detection unit for a predetermined time or longer.

  In the above invention, the authenticated state of the mobile terminal is canceled when a certain time has elapsed since the user moved the mobile terminal while leaving it in the vicinity of the information processing apparatus. For example, if the user returns immediately, such as going to pick up a printed matter, the authenticated state of the mobile terminal is maintained. In such a case, the user has to take time to move the mobile terminal to the authenticated state again. It can be omitted.

[4] The authentication cancellation instruction unit outputs a predetermined cancellation instruction to the information processing apparatus when the cancellation condition is satisfied,
When the information processing apparatus receives the predetermined release instruction, the information processing apparatus transitions the usable state to the unusable state by the user of the mobile terminal.
The authentication system according to any one of [1] to [3], wherein:

  In the above invention, when the authenticated state of the mobile terminal is released, the information processing apparatus also transitions the usable state of the user of the mobile terminal to the unusable state, thereby preventing unauthorized use by others.

[5] The information processing apparatus receives the release instruction and transitions to the unusable state, and then receives the authentication information from another mobile terminal within the predetermined distance on the condition that the other mobile terminal The authentication system as set forth in [4], wherein the user transits to a usable state.

  In the above invention, when the information processing apparatus receives the authentication information from another portable terminal after transitioning to the unusable state, the information processing apparatus transitions to a state where the user of the portable terminal can use.

[6] The authentication system according to any one of [1] to [5], wherein the authentication cancellation instruction unit outputs the authentication cancellation instruction when receiving an output instruction from outside.

  In the above invention, the authentication cancellation instruction unit outputs an authentication cancellation instruction when receiving an output instruction from the outside. Thereby, even if it is a case where a user leaves | separates from an information processing apparatus, leaving a portable terminal, the authenticated state of a portable terminal can be cancelled | released from the distant position.

  According to the authentication system of the present invention, when a user moves while leaving the authentication device in the vicinity of the information processing apparatus, another user is prevented from using the authentication device to authenticate the information processing apparatus. be able to.

It is a figure which shows the structural example of the authentication system which concerns on embodiment of this invention. It is a figure which shows the example when a user moves, leaving the mobile ID terminal in the vicinity of the PC. 1 is a block diagram showing a schematic configuration of a PC according to an embodiment of the present invention. It is a block diagram which shows schematic structure of the mobile ID terminal which concerns on embodiment of this invention. It is a flowchart which shows the outline | summary of the process which the authentication system which concerns on embodiment of this invention performs. It is a figure which shows a mode when another user approaches in the state which the user moved, leaving the mobile ID terminal in the vicinity of the PC. It is a figure which shows a mode when fixed time passes since a user moved, leaving a mobile ID terminal in the vicinity of PC. It is a figure which shows a mode when a mobile ID terminal receives the cancellation | release request | requirement mail of an authenticated state in the state which the user moved, leaving the mobile ID terminal in the vicinity of PC. It is a figure which shows a mode when a PC receives the request mail which instruct | indicates the instruction | indication which cancels | releases an authenticated state in the state which the user moved, leaving the mobile ID terminal in the vicinity of the PC. It is a figure which shows a mode that the locked state of PC is cancelled | released by another mobile ID terminal.

  Hereinafter, various embodiments of the present invention will be described with reference to the drawings.

  FIG. 1 is a diagram showing a configuration example of an authentication system 7 according to an embodiment of the present invention. The authentication system 7 includes a PC 10 and a mobile ID terminal 50.

  The mobile ID terminal 50 is a portable terminal that can be carried, such as a smartphone, and plays a role as a portable terminal of the present invention. The mobile ID terminal 50 performs a function of authenticating whether the user is a predetermined user based on the user's biometric information, and outputting a predetermined mobile ID by short-range wireless communication or the like when the authentication is successful. . The mobile ID is identification information unique to the mobile ID terminal 50. The biological information may be arbitrary, such as veins, fingerprints, and pulses. For example, the mobile ID terminal 50 authenticates whether the user is a predetermined user in a state held by the user. The authentication method is not limited to biometric authentication, but may be authentication using a password and a user ID.

  The PC 10 is a computer apparatus such as a PC apparatus and plays a role as an information processing apparatus of the present invention. The PC 10 performs a function of authenticating a user using the mobile ID terminal 50. The PC 10 may be a desktop PC, a notebook PC, or a portable terminal such as a tablet or a smartphone as long as it can perform the above function. In the embodiment of the present invention, the PC 10 is connected to a predetermined network, and can transmit and receive information via the network.

  In the embodiment of the present invention, the PC 10 is in a locked state that cannot be used normally, and only when the user authentication using the mobile ID output from the mobile ID terminal 50 is successful, the locked state is released. The user who has succeeded in the user authentication is permitted to use the device.

  Next, a procedure until the PC 10 releases the lock state in the authentication system 7 will be described. First, the user performs biometric authentication with the mobile ID terminal 50 (T1). If the biometric authentication is successful, the mobile ID terminal 50 transitions to an authenticated state in which authentication information such as a predetermined mobile ID can be output by short-range wireless communication or the like. Next, the user brings the mobile ID terminal 50 in the authenticated state closer to the PC 10 and performs user authentication via the mobile ID terminal 50 on the PC 10 (T2). At the time of the user authentication, the mobile ID terminal 50 transmits authentication information including a predetermined mobile ID to the PC 10 by short-range wireless communication, and the PC 10 performs user authentication using the transmitted authentication information. If the user authentication is successful, the PC 10 releases the lock state of the own device and permits the use of the user who has succeeded in the user authentication (T3).

  Although illustration is omitted, in the authentication system 7 of the present invention, at least one of the mobile ID terminal 50 and the PC 10 is the user of the mobile ID terminal 50 within the first distance of the mobile ID terminal 50 or the PC 10. A first detector for detecting whether or not, a second detector for detecting whether or not the mobile ID terminal 50 and the PC 10 are within a predetermined distance, and a user of the mobile ID terminal 50 is detected by the first detector. And when a predetermined release condition including that the second detection unit detects that the mobile ID terminal 50 and the PC 10 are within a predetermined distance (for example, within a distance where short-range radio is possible) is satisfied. In addition, it serves as an authentication cancellation instructing unit that outputs an authentication cancellation instruction to the mobile ID terminal 50.

  Details of which of the mobile ID terminal 50 and the PC 10 serve as the first detection unit, the second detection unit, and the authentication cancellation instruction unit will be described later.

  That is, in the authentication system 7, when the PC 10 permits the user to use and the user leaves the authenticated mobile ID terminal 50 in the vicinity of the PC 10 and leaves the PC 10, The ID terminal 50 cancels the authenticated state. When the authenticated state is canceled, the mobile ID terminal 50 requests biometric authentication again when it is used next time.

  FIG. 2 shows a state where the user leaves the PC 10 while leaving the authenticated mobile ID terminal 50 in the vicinity of the PC 10 when the PC 10 permits the use of the user. In FIG. 2, since the user is away from the first distance range 100 of the mobile ID terminal 50 or the PC 10, and the mobile ID terminal 50 is left in the vicinity of the PC 10, the first detector detects the mobile ID terminal 50. There is a predetermined release condition including that the user is not detected and the second detection unit detects that the mobile ID terminal 50 and the PC 10 are within a predetermined distance (here, within a distance where short-range radio is possible). To establish. Since the predetermined cancellation condition is satisfied, the authentication cancellation instruction unit transmits a cancellation instruction, and the mobile ID terminal 50 receiving this cancels the authenticated state. Thus, even when the user has left the authenticated mobile ID terminal 50 when moving from the PC 10, unauthorized use of the mobile ID terminal 50 by a third party can be prevented.

  FIG. 3 is a block diagram showing a schematic configuration of the PC 10 user terminal 50. The PC 10 has a CPU (Central Processing Unit) 11 as a control unit that comprehensively controls the operation of the PC 10. The CPU 11 has a ROM (Read Only Memory) 12, a RAM (Random Access Memory) 13, a nonvolatile memory 14, a hard disk device 15, an operation unit 16, a display unit 17, a network communication unit 18, a terminal authentication unit 19, and a status detection unit via a bus. 20 etc. are connected.

  The CPU 11 is based on an OS (Operating System) program, and executes middleware, application programs, and the like. Various programs are stored in the ROM 12, and each function of the server 10 is realized by the CPU 11 executing various processes according to these programs.

  The RAM 13 is used as a work memory for temporarily storing various data when the CPU 11 executes processing based on a program.

  The nonvolatile memory 14 is a memory (flash memory) whose stored contents are not destroyed even when the power is turned off, and is used for storing various setting information.

  The hard disk device 15 is a large-capacity nonvolatile storage device, and stores various programs and data. In the embodiment of the present invention, the hard disk device 15 stores user ID and terminal information such as a mobile ID terminal.

  The display unit 17 functions to display various operation screens, setting screens, and the like. The display unit 17 includes a liquid crystal display. The operation unit 16 functions to receive various operations from the user. The operation unit 16 includes a keyboard that receives input of characters, numbers, symbols, and the like, and a mouse that operates the position of a pointer displayed on the display unit 17.

  The network communication unit 18 functions to communicate with an external device or the mobile ID terminal 50 through a network.

  The terminal authentication unit 19 communicates with the mobile ID terminal 50 by short-range wireless communication. When the authenticated mobile ID terminal 50 obtains the user ID output by short-range wireless communication, user authentication is performed based on the user ID.

  In the embodiment of the present invention, the PC 10 is normally in a locked state that prohibits the use of its own device, and only when the terminal authentication unit 19 has succeeded in user authentication, the PC 10 releases the locked state and uses its own device. Allow. The PC 10 repeatedly requests the mobile ID terminal 50 for user authentication even after successful user authentication. If the user authentication fails, the lock state is restored and the use of the own device is prohibited. For example, when the user takes away the mobile ID terminal 50 and short-range wireless communication with the mobile ID terminal 50 becomes impossible, or when the authenticated state of the mobile ID terminal 50 is canceled, the terminal authentication unit Since the user authentication by 19 fails, the PC 10 immediately shifts to the locked state and prohibits the use of its own device.

  The situation detection unit 20 serves as the first detection unit and the second detection unit described above. The situation detection unit 20 includes a chair 21 with a pressure gauge installed in a seat in front of the PC 10, a camera 22 that captures the situation around the PC 10, an entrance / exit management device 23 in a room in which the PC 10 is installed, and the like. It is possible to communicate with. Then, based on the information transmitted from them, whether there is a user of the mobile ID terminal 50 within the first distance of the mobile ID terminal 50 or the PC 10, and whether the mobile ID terminal 50 and the PC 10 are within the predetermined distance. Detect whether or not there is. A detailed detection method will be described later.

  The CPU 11 has a predetermined release condition including that the status detection unit 20 detects that the user of the mobile ID terminal 50 is not detected within the first distance and that the mobile ID terminal 50 and the PC 10 are within the predetermined distance. When the above is established, the mobile ID terminal 50 plays a role as an authentication cancellation instruction unit that outputs a cancellation instruction of the authenticated state via any one of the network communication unit 18 and the terminal authentication unit 19.

  FIG. 4 is a block diagram showing a schematic configuration of the mobile ID terminal 50. The mobile ID terminal 50 has a CPU 51 as a control unit that controls the operation of the mobile ID terminal 50 in an integrated manner. Connected to the CPU 51 are a ROM 52, a RAM 53, a nonvolatile memory 54, a hard disk device 55, an operation unit 56, a display unit 57, a network communication unit 58, a user authentication unit 59, an inter-device authentication unit 60, a situation detection unit 61, and the like. Yes.

  The CPU 51 is based on the OS program and executes middleware, application programs, and the like. Various programs are stored in the ROM 52, and each function of the mobile ID terminal 50 is realized by the CPU 51 executing various processes in accordance with these programs.

  The RAM 53 is used as a work memory that temporarily stores various data when the CPU 51 executes processing based on a program.

  The nonvolatile memory 54 is a memory (flash memory) whose stored contents are not destroyed even when the power is turned off, and is used for storing various setting information.

  The hard disk device 55 is a large-capacity nonvolatile storage device, and stores various programs and data. In the embodiment of the present invention, the hard disk device 55 stores the terminal information of the own terminal, the user ID, and the like.

  The display unit 17 functions to display various operation screens, setting screens, and the like. The display unit 17 includes a liquid crystal display. The operation unit 16 functions to receive various operations from the user. The operation unit 16 includes a physical screen and a touch screen or the like provided on the display of the display unit 17.

  The network communication unit 58 has a function of communicating with an external device or the PC 10 through the network.

  The user authentication unit 59 performs biometric authentication for a user who uses the terminal. In the embodiment of the present invention, a fingerprint sensor is provided on the physical button of the operation unit 56, and fingerprint authentication using the fingerprint acquired by the fingerprint sensor is performed. Other methods such as retina authentication and face recognition authentication may be used. In addition to biometric authentication, user authentication may be performed by other methods such as input of a user ID and password.

  The inter-device authentication unit 60 communicates with the terminal authentication unit 19 of the PC 10 by short-range wireless communication. When the own terminal is in an authenticated state, the user ID of the user who is using the own device is output. Near field communication uses infrared communication, NFC (Near Field Communication) communication, and the like.

  The situation detection unit 61 serves as the first detection unit and the second detection unit described above. For example, the situation detection unit 61 communicates with the short-range wireless communication device 62 that is always carried by the user, and when communication becomes impossible, the situation detection unit 61 determines that the terminal is away from the user by the first distance or more. Further, whether or not the distance between the terminal and the PC 10 is within a predetermined distance is determined based on whether or not communication with the PC 10 is possible via the inter-apparatus authentication unit 60. The situation detection unit 61 combines these pieces of information to determine whether or not the user of the mobile ID terminal 50 is within the first distance of the mobile ID terminal 50 or the PC 10, and whether the mobile ID terminal 50 and the PC 10 are within the predetermined distance. It is detected whether it is.

  In the embodiment of the present invention, the CPU 51 shifts its own terminal to the authenticated state when the user authentication (biometric authentication) by the user authenticating unit 59 is successful, and the authenticated state when the predetermined authentication cancellation instruction is received. It plays a role as a state management unit for canceling. The user can cancel the authenticated state by operating the operation unit 56.

  FIG. 5 shows a flow of operations performed by the PC 10 and the mobile ID terminal 50 in the authentication system 7. First, biometric authentication is performed with the mobile ID terminal 50 (step S101). When the biometric authentication with the mobile ID terminal 50 has failed (step S102; No), this process ends.

  When the biometric authentication is successful at the mobile ID terminal 50 (step S102; Yes), the mobile ID terminal 50 shifts to an authenticated state (step S103). Thereafter, the mobile ID terminal 50 in which the user has been authenticated is placed near the PC 10 (step S104), and user authentication on the PC 10 is started (step S105).

  At the time of authentication, the authenticated mobile ID terminal 50 transmits authentication information including a predetermined mobile ID to the PC 10. The PC 10 performs user authentication using this authentication information. If the user authentication on the PC 10 has failed (step S106; No), this process ends.

  When the user authentication is successful in the PC 10 (step S106; Yes), the PC 10 permits the use of the own device (step S107). Thereafter, the positional relationship between the PC 10, the mobile ID terminal 50, and the user is monitored, and it is determined whether or not the predetermined release condition described above is satisfied (step S108).

  Until a predetermined release condition is satisfied (step S108; No), the process returns to step S107 and continues. When the predetermined release condition is satisfied (step S108; Yes), the PC 10 shifts to a locked state where the use of the own device is not permitted (step S109) and releases the authenticated state of the mobile ID terminal 50 (step S110). ), This process is terminated.

  In the embodiment of the present invention, as shown in step S109 of FIG. 5, when a predetermined release condition is satisfied, the PC 10 is shifted to the locked state to prevent unauthorized use of the PC 10 by other users. To do.

  Next, the case where the PC 10 serves as the first detection unit, the second detection unit, and the authentication cancellation instruction unit described above and the case where the mobile ID terminal 50 plays a role will be described in detail.

(When PC10 fulfills)
When the PC 10 plays a role as the first detection unit, the status detection unit 20 of the PC 10 is based on information obtained from the chair 21 with the pressure gauge described in FIG. 3, the camera 22, the entrance / exit management device 23, and the like. It is determined whether or not there is a user within a first distance from the own apparatus (and the mobile ID terminal 50 placed in the vicinity of the own apparatus). For example, when receiving a report that the user has left the chair 21 with a pressure gauge in front of the PC 10 or when a report on leaving the user using the PC 10 is received from the entry / exit management device 23, the first distance from the PC 10 It is determined that there is no user within.

  Note that the mobile ID terminal 50 is capable of short-range wireless communication (the mobile ID terminal is in the vicinity of the PC 10), and the mobile ID terminal 50 provides a status detection unit 61 and a short-range wireless communication device 62. Also when receiving a report that communication is impossible, the PC 10 determines that there is no user within the first distance from the own device (or the mobile ID terminal 50).

  When the PC 10 plays a role as the second detection unit, the PC 10 determines whether the mobile ID terminal 50 and the PC 10 are within a predetermined distance depending on whether short-distance wireless communication is possible between the own apparatus and the mobile ID terminal 50. Judging. When short-range wireless communication is possible, it is determined that the mobile ID terminal 50 and the PC 10 are within a predetermined distance.

  The PC 10 determines whether or not a predetermined authentication cancellation condition is satisfied based on the determination results of the first detection unit and the second detection unit. When it is determined that a predetermined authentication cancellation condition is satisfied, an authentication cancellation instruction is transmitted to the mobile ID terminal 50.

(When mobile ID terminal 50 fulfills)
When the mobile ID terminal 50 plays a role as the first detection unit, when the situation detection unit 61 and the short-range wireless communication device 62 cannot communicate with each other by the short-range wireless communication, the mobile ID terminal 50 It is determined that there is no user within one distance.

  When the mobile ID terminal 50 plays a role as the second detection unit, the mobile ID terminal 50 is within a predetermined distance depending on whether short-range wireless communication is possible between the mobile ID terminal 50 and the PC 10. It is judged whether it is in. When short-range wireless communication is possible, it is determined that the mobile ID terminal 50 and the PC 10 are within a predetermined distance.

  The mobile ID terminal 50 determines whether or not a predetermined authentication cancellation condition is satisfied based on the determination results of the first detection unit and the second detection unit. When it is determined that a predetermined authentication cancellation condition is satisfied, the authenticated state of the terminal is canceled.

  In the embodiment of the present invention, either the PC 10 or the mobile ID terminal 50 may serve as the first detection unit, the second detection unit, and the authentication cancellation instruction unit. 2 It is desirable that either one of the roles of the detection unit and the authentication cancellation instruction unit fulfills all of them. Further, an external device other than the PC 10 and the mobile ID terminal 50 may be installed to serve as a first detection unit, a second detection unit, and an authentication cancellation instruction unit.

  Next, predetermined release instruction conditions will be described. The predetermined release instruction condition is that “the user of the mobile ID terminal 50 is not detected by the first detection unit, and that the mobile ID terminal 50 and the PC 10 are within a predetermined distance by the second detection unit”. In addition, various requirements may be included. Hereinafter, the requirements that can be included in the predetermined release instruction condition will be described with three examples.

(Requirement 1, approaching other users)
Requirement 1 is that another user approaches the PC 10. FIG. 6 shows a state where a predetermined authentication cancellation condition is satisfied when the requirement 1 is satisfied. In FIG. 6, in addition to “the first detection unit does not detect the user of the mobile ID terminal 50 and the second detection unit detects that the mobile ID terminal 50 and the PC 10 are within a predetermined distance”, When another terminal 120 other than the mobile ID terminal 50 is detected in the other terminal detection range 101 that is wider than the first distance range 100 from the PC 10, it is determined that another user has approached, and a predetermined release condition is satisfied. Judge that

  For example, when an image obtained by the camera 22 is analyzed to detect the approach of a user who has another terminal 120, or a new terminal that allows the PC 10 or the mobile ID terminal 50 to communicate with a communication means such as Bluetooth (registered trademark). When (other terminal 120) is detected, it is determined that there is another user (other terminal 120) in the other terminal detection range 101. In the embodiment of the present invention, either the PC 10 or the mobile ID terminal 50 serves as a third detection unit that detects the approach of another user. The detection means of other users is not limited to this, and may receive another user's entry report from the entrance / exit management device 23 (see FIG. 3) to detect the approach of the other user.

(Requirement 2, a certain time has passed)
Requirement 2 satisfies the requirement that “the first detection unit does not detect the user of the mobile ID terminal 50 and the second detection unit detects that the mobile ID terminal 50 and the PC 10 are within a predetermined distance”. It is that a certain period of time has passed since this condition was satisfied. FIG. 7 shows a state in which a predetermined authentication cancellation condition is satisfied when the requirement 2 is satisfied.

  For example, every time the user goes back to pick up a printed matter that has been printed out and the mobile ID terminal 50 is released from the authenticated state (and the PC is locked), the user uses the mobile ID terminal 50 each time. Biometric authentication must be performed. Therefore, as described above, the mobile ID terminal 50 can be returned immediately as described above by canceling the authenticated state of the mobile ID terminal 50 only when a certain period of time has passed since the user left the PC 10 with the mobile ID terminal 50 left. This saves you the trouble of re-authentication.

(Requirement 3, received a request for cancellation from the outside)
Requirement 3 satisfies the requirement that “the user of mobile ID terminal 50 is not detected by the first detection unit and that mobile ID terminal 50 and PC 10 are within a predetermined distance by the second detection unit”. Since then, it has received a cancellation request from the outside. FIG. 8 and FIG. 9 show how a predetermined authentication cancellation condition is satisfied when the requirement 3 is satisfied.

  FIG. 8 shows that the requirement that “the first detection unit does not detect the user of the mobile ID terminal 50 and the second detection unit detects that the mobile ID terminal 50 and the PC 10 are within a predetermined distance” is satisfied. In this state, when the mobile ID terminal 50 receives an SMS (Short Message Service) requesting cancellation from the outside, the mobile ID terminal 50 is released from the authenticated state. When the authentication state of the mobile ID terminal 50 is released, the subsequent user authentication by the PC 10 fails, and the PC 10 shifts to the locked state.

  FIG. 9 shows that the requirement that “the user of the mobile ID terminal 50 is not detected by the first detection unit and that the mobile ID terminal 50 and the PC 10 are within a predetermined distance is detected by the second detection unit” is satisfied. In this state, when the PC 10 receives a cancellation request mail from the outside, the PC 10 transmits an authentication cancellation instruction to the mobile ID terminal 50. After transmitting the authentication disclosure instruction, the PC 10 shifts its own device to the locked state.

  As described above, the transmission destination of the cancellation request may be transmitted directly to the mobile ID terminal 50 or may be transmitted to the PC 10. Thereby, even if the user leaves the mobile ID terminal 50 and leaves the PC 10, the authenticated state of the mobile ID terminal 50 can be released from the remote position.

  Next, when the authenticated state of the misplaced mobile ID terminal 50 is canceled and the PC 10 shifts to the locked state, another user releases the locked state of the PC 10 to make it usable. Will be described. FIG. 10 shows a state in which the PC 10 has shifted to the locked state and the use of its own device is prohibited due to the release of the authenticated state of the mobile ID terminal 50 that has been misplaced.

  In the authentication system 7, when another user wants to use the PC 10, the other terminal 120 is brought into the authenticated state, is brought near the PC 10 in the locked state, and the mobile ID is output from the other terminal 120. The PC 10 that has received this mobile ID performs user authentication with the mobile ID, and if successful, releases the lock state and allows the user of the other terminal 120 to use it.

  The embodiment of the present invention has been described with reference to the drawings. However, the specific configuration is not limited to that shown in the embodiment, and there are changes and additions within the scope of the present invention. Are also included in the present invention.

  In the embodiment, the PC 10 serves as the information processing apparatus of the present invention, but the information processing apparatus of the present invention may be another apparatus. For example, it may be a printing machine, a copier, or a multifunction machine. Any device that requires user authentication may be used.

  In the embodiment of the present invention, any one of the PC 10 and the mobile ID terminal 50 serves as a first detection unit, a second detection unit, a third detection unit, and an authentication cancellation instruction unit. Other external devices may be provided to play their roles.

  In the embodiment of the present invention, whether the PC 10 or the mobile ID terminal 50 is capable of short-range wireless communication, the camera 22, the chair 21 with a pressure gauge, the entrance / exit management device 23, etc. Although serving as a detection unit, the position information of the PC 10, the mobile ID terminal 50, and the user of the mobile ID terminal 50 is acquired from a GPS (Global Positioning System) or the like, and it is determined whether a predetermined release condition is satisfied. May be.

  In FIGS. 8 and 9 of the embodiment of the present invention, “the user of the mobile ID terminal 50 is not detected by the first detection unit, and the mobile ID terminal 50 and the PC 10 are within a predetermined distance by the second detection unit. In the state where the requirement “to be detected” is satisfied, when the cancellation request is received from the outside, the authenticated state is canceled, but “the user of the mobile ID terminal 50 is not detected by the first detection unit. Even if the requirement that the mobile ID terminal 50 and the PC 10 are within a predetermined distance by the second detection unit is not satisfied, the authenticated state is always canceled when a cancellation request is received from the outside. You may make it do.

7 ... Authentication system 10 ... PC
11 ... CPU
12 ... ROM
13 ... RAM
DESCRIPTION OF SYMBOLS 14 ... Nonvolatile memory 15 ... Hard disk device 16 ... Operation part 17 ... Display part 18 ... Network communication part 19 ... Terminal authentication part 20 ... Situation detection part 21 ... Chair with a pressure gauge 22 ... Camera 23 ... Entrance / exit management apparatus 50 ... Mobile ID Terminal 51 ... CPU
52 ... ROM
53 ... RAM
54 ... Non-volatile memory 55 ... Hard disk device 56 ... Operation unit 57 ... Display unit 58 ... Network communication unit 59 ... User authentication unit 60 ... Inter-device authentication unit 61 ... Situation detection unit 62 ... Short-range wireless communication device 100 ... First distance range 101 ... Other terminal detection range 120 ... Other terminal

Claims (6)

A user authentication unit, a state management unit that shifts the terminal to an authenticated state when user authentication by the user authentication unit is successful, and releases the authenticated state when a predetermined authentication cancellation instruction is received; A mobile terminal comprising: an authentication information transmitting unit capable of transmitting authentication information to an information processing device within a predetermined distance when the terminal is in the authenticated state, and not transmitting the authentication information when not in the authenticated state; ,
An information processing apparatus that transitions from an unusable state to a usable state by a user of the portable terminal on condition that the authentication information is received from the portable terminal within the predetermined distance;
A first detection unit that detects whether or not there is a user of the portable terminal within a first distance of the portable terminal or the information processing apparatus;
A second detection unit for detecting whether or not the portable terminal and the information processing apparatus are within a predetermined distance;
A predetermined release condition including detecting that the user of the mobile terminal is not detected by the first detection unit and the mobile terminal and the information processing apparatus are within the predetermined distance by the second detection unit If the authentication is established, an authentication cancellation instruction unit that outputs the authentication cancellation instruction to the mobile terminal;
Having an authentication system. A third detector for detecting whether there is a user different from the user of the mobile terminal within the second distance of the mobile terminal or the information processing apparatus;
The authentication system according to claim 1, wherein the release condition includes that the third detection unit detects the different user. The authentication system according to claim 1, wherein the release condition includes a state in which a user of the mobile terminal is not detected by the first detection unit for a predetermined time or longer. The authentication cancellation instruction unit outputs a predetermined cancellation instruction to the information processing apparatus when the cancellation condition is satisfied,
When the information processing apparatus receives the predetermined release instruction, the information processing apparatus transitions the usable state to the unusable state by the user of the mobile terminal.
The authentication system according to any one of claims 1 to 3, wherein: The information processing apparatus is used by a user of the other portable terminal on the condition that the authentication information is received from another portable terminal within the predetermined distance after transitioning to the unusable state in response to the release instruction. The authentication system according to claim 4, wherein the authentication system transitions to a possible state. The authentication system according to any one of claims 1 to 5, wherein the authentication cancellation instruction unit outputs the authentication cancellation instruction when receiving an output instruction from the outside.

Images