JP5659731B2 - Authentication system, management apparatus, information processing apparatus, processing method thereof, and program - Google Patents

Description

The present invention is an authentication system, the management apparatus, an information processing apparatus and processing method and a program related to authentication when using the information processing apparatus.

  In recent years, as security awareness in offices has increased, security related to multifunction devices, which are information output parts, has been required.

  Therefore, products and various technologies related to authentication for specifying user information for use in multifunction devices as well as PCs have been devised.

  In particular, recently, due to the high usability, an authentication mechanism using an IC card has been used in multi-function peripherals. As disclosed in Patent Document 1, this authentication mechanism includes keyboard authentication based on a user name and a password so that a user who has forgotten the IC card can log in in addition to the authentication based on the IC card.

JP 2006-99714 A

  By using the above authentication mechanism, it becomes possible to specify the user of the multifunction machine as with the PC. However, although authentication with an IC card has high usability, there is a concern that information may be leaked when the card is lost because the user logs in only by holding the IC card.

  Generally, when an IC card is lost, it is necessary to contact the administrator of the authentication server that manages the IC card and stop the IC card. However, there are users who do not contact immediately after the IC card is lost, which is a security problem. There are users who do not contact immediately after IC card loss, “may have forgotten at home” “may be found soon” “is troublesome to contact the administrator” “no need to take responsibility It comes from various factors such as.

  In addition to the above, when the IC card is lost, the administrator of the authentication server must deal with the loss of the IC card (maintenance of the authentication table of the authentication server), which takes time for the administrator. I got it.

  For this reason, when the IC card is lost, the IC card is less likely to be stopped at an appropriate timing, and there are many cases where there is a risk of information leakage when the IC card is lost.

The present invention, first identification information used when the log of the first authentication method by performing an information processing apparatus for authenticating according to the identification information input in accordance with an operation of the user, in the first authentication method Providing a mechanism for improving the security by using the information processing apparatus by restricting the use of the read target medium having the second identification information used for authentication of the second authentication method associated with the With the goal.

The present invention includes a management device for managing in association with the second identification information of the first identification information and reading target medium to identify the user, the first authentication by the input of the first identification information by the user method, and an authentication system comprising a one authentication but available information processing apparatus of the second authentication method by reading the reading target medium, wherein the information processing apparatus, acquired by the first authentication method , first identification information inputted in accordance with an operation of the user, or the identification information output means for outputting a second identity of the second authentication method by the acquired reading target medium to the management device, the first Or the authentication result receiving means for receiving the authentication result of the second identification information and the authentication result received by the authentication result receiving means indicate that the authentication is not successful. Limiting the login to broadcast processing apparatus, the authentication result received authentication result received by means, to indicate that the authentication is successful, a login control means for executing login to the information processing apparatus, wherein The management device is configured to receive the first identification information or the second identification information from the information processing device, the first identification information acquired by the identification information reception unit , or the first identification information Authentication executing means for performing authentication using the identification information of 2 and when authentication by the first identification information is successful by the authentication executing means, according to the first authentication method using the first identification information to execute the login, and a second identification information managed in association with the first identification information to which the authentication is successful, to limit the login by the second identification information, limits set Includes a restriction setting unit that, the authentication result transmitting means for transmitting the authentication result authenticated by the authentication execution unit, the authentication-result transmitting means, the second identification information accepted by said identification information reception unit, the restriction When the restriction is set by the setting means, an authentication result indicating that the authentication is not successful is transmitted, while the first identification information received by the identification information receiving means is successfully authenticated by the authentication executing means. Or when the second identification information received by the identification information receiving means is not restricted by the restriction setting means and authentication is successful by the authentication execution means. Therefore, an authentication result indicating that the authentication is successful is transmitted.

Further, the information processing apparatus, by the restriction setting unit, when the second identification information is restricted set, further the identification information acquiring means for acquiring first identification information entered in accordance with the operation of the user wherein the management apparatus, by the authentication execution unit, acquired by the identification information acquisition unit, if the authentication by the first identification information obtained we were from the information processing apparatus is successful, the first identification information It further comprises a restriction setting canceling means for canceling the restriction setting of the second identification information corresponding to.

The management device further includes release information output means for transmitting release information indicating release when the restriction setting is released, and the information processing device receives the release information from the management device. comprising a release information accepting means, said log control means in accordance with releasing information accepted by the release information receiving means and that you run the log by the reading target medium that accepts

The information processing apparatus further includes a reading unit that reads the reading target medium, and a reading target medium acquisition unit that acquires second identification information obtained by reading the reading target medium by the reading unit, The identification information output means outputs the second identification information to authenticate in the second authentication method using the second identification information of the read target medium read by the reading means, In the management apparatus, when the second identification information received by the identification information receiving unit is set to be limited by the limit setting unit, the authentication result transmitting unit is set to limit the second identification information. An authentication result including information indicating that is transmitted .

Further, when the authentication result receiving unit receives an authentication result including information indicating that the second identification information is set to be restricted, the authentication result receiving unit notifies that the authentication by the second authentication method is restricted. And a notification means for performing the operation.

In addition, the management apparatus determines whether the predetermined time has passed by the deletion determination unit that determines whether or not the second identification information that is set to be restricted has passed a predetermined time. , and further comprising a deleting means for deleting the second identification information the restriction setting.

The management apparatus and the information processing apparatus are the same housing .

Further, the information processing apparatus is an image forming apparatus .

According to the present invention, more use authentication method for authenticating according to the identification information input in accordance with a user operation, by limiting the use of the reading target medium used for authentication, the security when using the information processing apparatus Can be improved.

The figure which shows the structure of the system of embodiment of this invention. The figure which shows the hardware constitutions of client PC100 of embodiment of this invention, and the authentication server 200 The figure which shows the hardware constitutions of the multi-function apparatus 300 of embodiment of this invention. Functional block diagram showing the configuration of the system according to the present invention The flowchart which shows an example of an authentication process in embodiment of this invention. Flowchart 1 showing an example of creation and output of encrypted printing in an embodiment of the present invention Flowchart 2 showing an example of creation and output of encrypted printing in the embodiment of the present invention Flowchart 3 showing an example of creation and output of encrypted printing in the embodiment of the present invention The figure which shows the authentication table managed in the authentication server 200 An image diagram showing an example of a keyboard authentication screen displayed on the touch panel of the multifunction machine 300 An image diagram showing an example of an IC card authentication screen displayed on the touch panel of the multifunction machine 300 An image diagram showing an example of a lockout notification screen displayed on the touch panel of the multifunction machine 300 An image diagram showing an example of a lockout release screen displayed on the touch panel of the multifunction machine 300 An image diagram showing an example of a lockout release error screen displayed on the touch panel of the MFP 300 An image diagram showing an example of a successful lockout release displayed on the touch panel of the multifunction machine 300 The flowchart which shows an example of the authentication process in Embodiment 2 of this invention. The flowchart which shows an example of the lockout card deletion process in Embodiment 2 of this invention. The figure which shows the authentication table managed in the authentication server 200 in Embodiment 2 of this invention. The figure which shows the lockout setting file managed in the authentication server 200 in Embodiment 2 of this invention. An image diagram showing an example of a lockout release screen (when login is successful) displayed on the touch panel of the MFP 300

  Hereinafter, preferred embodiments of an authentication system according to the present invention will be described in detail with reference to the accompanying drawings.

  FIG. 1 is a system configuration diagram showing an example of the configuration of the present authentication system using a multifunction machine 300 (image forming apparatus), a card reader 500, an authentication server 200 (management apparatus), and a client PC 100 according to the present invention. The MFP 300, the authentication server 200, and the client PC 100 are connected via a LAN 400 so that each device can communicate.

  The authentication server 200 is an authentication server that holds an IC card number (manufacturing number) used by a user, a user name and a password, and has a function of searching (authenticating) the user from the card number or user name and password of the IC card. is there.

  The multifunction device 300 transmits the card number of the IC card (storage medium used for authentication) read by the card reader 500 (reading unit) to the authentication server 200, and when the authentication is obtained, the IC card with which the authentication is obtained. The user corresponding to (storage medium) logs in to the multifunction device 300 and executes various functions of the multifunction device 300.

  Hereinafter, the hardware configuration of the information processing apparatus applicable to the client PC 100 and the authentication server 200 illustrated in FIG. 1 will be described with reference to FIG.

  In FIG. 2, reference numeral 2001 denotes a CPU that comprehensively controls each device and controller connected to the system bus 2004. Further, the ROM 2003 or the external memory 2011 is necessary to realize a BIOS (Basic Input / Output System) or an operating system program (hereinafter referred to as an OS) which is a control program of the CPU 2001, and a function executed by each server or each PC. Various programs are stored.

  Reference numeral 2002 denotes a RAM that functions as a main memory, work area, and the like of the CPU 2001. The CPU 2001 implements various operations by loading a program or the like necessary for execution of processing from the ROM 2003 or the external memory 2011 to the RAM 2002 and executing the loaded program.

  An input controller 2005 controls input from a keyboard (KB) 2009 or a pointing device such as a mouse (not shown). A video controller 2006 controls display on a display device such as a CRT display (CRT) 2010. In FIG. 2, although described as CRT2010, the display may be not only a CRT but also other display such as a liquid crystal display. These are used by clients as needed.

  A memory controller 2007 is connected to the hard disk (HD), flexible disk (FD), or PCMCIA card slot for storing a boot program, various applications, font data, user files, editing files, various data, etc. via an adapter. The access to the external memory 2011 such as a compact flash (registered trademark) memory is controlled.

  A communication I / F controller 2008 is connected to and communicates with an external device via a network (for example, the LAN 400 shown in FIG. 1), and executes communication control processing in the network. For example, communication using TCP / IP is possible.

  Note that the CPU 2001 enables display on the CRT 2010 by executing outline font rasterization processing on a display information area in the RAM 2002, for example. Further, the CPU 2001 enables a user instruction with a mouse cursor (not shown) on the CRT 2010.

  Various programs that operate on the hardware are recorded in the external memory 2011, and are executed by the CPU 2001 by being loaded into the RAM 2002 as necessary. Furthermore, definition files and various information tables used when executing the program are also stored in the external memory 2011.

  Next, the hardware configuration of the controller unit that controls the multifunction peripheral 300 as the information processing apparatus of the present invention will be described with reference to FIG.

  FIG. 3 is a block diagram illustrating a hardware configuration example of the controller unit 5000 of the multifunction machine 300.

  In FIG. 3, a controller unit 5000 is connected to a scanner 5015 functioning as an image input device and a printer 5014 functioning as an image output device, and a local area network such as the LAN 400 shown in FIG. By connecting to a public line (WAN) such as ISDN, image data and device information are input and output.

  As shown in FIG. 3, the controller unit 5000 includes a CPU 5001, a RAM 5006, a ROM 5002, an external storage device (hard disk drive (HDD)) 5007, a network interface (Network I / F) 5003, a modem (Modem) 5004, an operation unit interface ( Operation unit I / F) 5005, external interface (external I / F) 5009, image bus interface (IMAGE BUS I / F) 5008, raster image processor (RIP) 5010, printer interface (printer I / F) 5011, scanner interface (Scanner I / F) 5012, an image processing unit 5013, and the like.

  A CPU 5001 is a processor that controls the entire system.

  A RAM 5006 is a system work memory for the CPU 5001 to operate, and is a program memory for recording a program and an image memory for temporarily storing image data.

The ROM 5002 stores a system boot program and various control programs.

An external storage device (hard disk drive HDD) 5007 stores various programs for controlling the system, image data, and the like.

  An operation unit interface (operation unit I / F) 5005 is an interface unit with the operation unit (UI) 5018, and outputs image data to be displayed on the operation unit 5018 to the operation unit 5018.

  The operation unit I / F 5005 serves to transmit information (for example, user information) input by the system user from the operation unit 5018 to the CPU 5001. Note that the operation unit 5018 includes a display unit having a touch panel, and various instructions can be given by a user pressing (touching with a finger or the like) a button displayed on the display unit.

  A network interface (Network I / F) 5003 is connected to a network (LAN) and inputs / outputs data.

A modem (MODEM) 5004 is connected to a public line and inputs / outputs data such as FAX transmission / reception.

  An external interface (external I / F) 5009 is an interface unit that accepts external inputs such as USB, IEEE 1394, printer port, and RS-232C. In the present embodiment, a card reader for reading an IC card required for authentication is used. 500 is connected.

Then, the CPU 5001 can control reading of information from the IC card by the card reader 500 via the external I / F 5009, and can acquire information read from the IC card. Note that the storage medium is not limited to an IC card, and any storage medium that can identify a user may be used. In this case, identification information for identifying the user is stored in the storage medium. This identification information may be a production number of the storage medium or a user code given by the user within the company.
The above devices are arranged on the system bus.

  On the other hand, an image bus interface (IMAGE BUS I / F) 5008 is a bus bridge that connects a system bus 5016 and an image bus 5017 that transfers image data at high speed and converts a data structure.

  The image bus 5017 is configured by a PCI bus or IEEE1394. The following devices are arranged on the image bus 5017.

  A raster image processor (RIP) 5010 develops, for example, vector data such as a PDL code into a bitmap image.

  A printer interface (printer I / F) 5011 connects the printer 5014 and the controller unit 5000, and performs synchronous / asynchronous conversion of image data.

  A scanner interface (scanner I / F) 5012 connects the scanner 5015 and the controller unit 5000, and performs synchronous / asynchronous conversion of image data.

  An image processing unit 5013 corrects, processes, and edits input image data, and performs printer correction, resolution conversion, and the like on print output image data. In addition to this, the image processing unit 5013 performs rotation of image data and compression / decompression processing such as JPEG for binary image data and JBIG, MMR, MH for binary image data.

  A scanner 5015 connected to the scanner I / F 5012 illuminates an image on paper as a document and scans it with a CCD line sensor, thereby converting it into an electrical signal as raster image data. The original paper is set on the tray of the original feeder, and when the apparatus user gives a reading start instruction from the operation unit 5018, the CPU 5001 gives an instruction to the scanner, and the feeder feeds the original paper one by one to read the original image. I do.

  A printer 5014 connected to the printer I / F 5011 is a part that converts raster image data into an image on paper. The method is an electrophotographic method using a photosensitive drum or a photosensitive belt, and ink is supplied from a micro nozzle array. There is an ink jet method for ejecting and printing an image directly on a sheet, but any method may be used. The printing operation is started in response to an instruction from the CPU 5001. Note that the printer unit 5014 has a plurality of paper feed stages so that different paper sizes or different paper orientations can be selected, and has a paper cassette corresponding thereto.

  An operation unit 5018 connected to the operation unit I / F 5005 includes a liquid crystal display (LCD) display unit. A touch panel sheet is affixed on the LCD and displays a system operation screen. When a displayed key is pressed, the position information is transmitted to the CPU 5001 via the operation unit I / F 5005. The operation unit 5018 includes, for example, a start key, a stop key, an ID key, a reset key, and the like as various operation keys.

  Here, the start key of the operation unit 5018 is used when starting a document image reading operation. There are green and red LEDs in the center of the start key, and indicates whether or not the start key can be used depending on the color. The stop key of the operation unit 5018 serves to stop the operation being performed. The ID key of the operation unit 5018 is used when inputting the user ID of the user. The reset key is used when initializing settings from the operation unit 5018.

  A card reader 500 connected to the external I / F 5009 reads information stored in an IC card (for example, Sony FeliCa (registered trademark)) under the control of the CPU 5001, and reads the read information to the external I / F 5009. The CPU 5001 is notified via F5009.

  Next, functions of the client PC 100, the authentication server 200, and the MFP 300 according to the present invention will be described with reference to FIG.

  FIG. 4 is a block diagram showing a schematic configuration of a system according to the embodiment of the present invention. The system according to the embodiment of the present invention has a configuration in which a client PC 100, an authentication server 200, and a multifunction peripheral 300 are connected via a predetermined communication medium capable of bidirectional communication, for example, a LAN 400. A card reader 500 is connected to the multifunction device 300.

Since the operation flow between the respective functions will be described later, an explanation of functional block diagrams described in various terminals will be given here.
First, functional units of the client PC 100 will be described.

The print data generation unit 150 on the client PC can generate print data (job) based on the data received from the application program, and can transmit the print data to the MFP 300 or the like.
Next, functional units of the authentication server 200 will be described.

  The MFP communication unit 250 on the authentication server has a function of receiving an authentication request from the MFP 300 and returning the authentication result of the authentication unit 251 to the MFP 300 again.

  The authentication unit 251 receives an authentication request from the MFP communication unit 250, accesses the authentication table of FIG. 9 managed on the authentication server, and searches for user information associated with the card number or user name and password requested for authentication. The authentication result is returned to the multi-function peripheral communication unit 250.

Further, at the time of keyboard authentication, the card lockout management unit 252 appropriately performs lock / release processing on the card information of the user.
Next, functional units of the multifunction machine 300 will be described.

The card reader control unit 351 on the multifunction peripheral acquires card information (manufacturing number) held over the card reader 500. The authentication server communication unit 352 has a function of transmitting an authentication request to the authentication server 200 using the card number and receiving an authentication result returned from the authentication server 200.

  It is assumed that the authentication unit 350 permits the use of the multifunction device using the user name in accordance with the authentication result returned from the authentication server 200.

  Detailed description of the processing in the present embodiment will be described with reference to the flowcharts of FIGS.

  First, each step will be described with reference to FIG. FIG. 5 is a flowchart illustrating an example of a method (card lockout) for performing keyboard authentication and logging in to the MFP 300 according to the embodiment of this invention.

  Note that in steps S100 to S103 and steps S113 to S120, the CPU 5001 of the multi-function device 300 executes processing of each step, and in steps S104 to S111, the CPU 2001 of the authentication server 200 executes processing of each step.

  In step S100, the authentication unit 350 of the MFP 300 displays a keyboard authentication screen (FIG. 10) and accepts a user name and password.

  In step S101, the authentication unit 350 of the MFP 300 detects that the login button 6000 on the keyboard authentication screen has been pressed.

  In step S102, the authentication unit 350 of the MFP 300 acquires the user name and password input on the keyboard authentication screen of FIG. 10 (acquires user information).

  In step S103, the authentication server communication unit 352 of the MFP 300 transmits an authentication request command to the authentication server 200 (user information output). The authentication request command includes the user name and password acquired in step 102.

  In step S104, the MFP communication unit 250 of the authentication server 200 receives the authentication request command sent from the MFP 300 (accepts user information).

  In step S105, the authentication unit 251 of the authentication server 200 searches (authenticates) whether the user name and password included in the authentication request command acquired in step S104 are included in the authentication table of FIG. If the user exists, the process proceeds to step S106, and if the user does not exist, the process proceeds to step S112.

  In step S106, the authentication unit 251 of the authentication server 200 performs the user information searched in step S105. The user information to be acquired includes the user name, e-mail address, card number of which the lock flag is FALSE (not locked out), etc. in FIG.

  In step S107, the authentication unit 251 of the authentication server 200 includes the card information in the user information acquired in step S106, that is, whether there is a card number that can be used by the user (not locked out). Judging. If the card number is included, the process proceeds to step S108. If the card number is not included, the process proceeds to step S110.

  In step S108, the card lockout management unit 252 of the authentication server 200 sets the lock flag corresponding to the card number searched in step S107 to TRUE (locks out the card) (limit setting). The lockout is to restrict the IC card corresponding to the card number that is locked out. For example, even if it is held over the card reader 500, the authentication is not OK and the MFP 300 cannot be logged in. .

  In this embodiment, lockout will be described. However, not only lockout but also login to the MFP 300 can be performed, but functions available in the MFP 300 can be limited. In this case, authority information (for example, copying is permitted) when the lock flag is TRUE is acquired from the external memory 2011, and the authority information is transmitted to the multi-function apparatus 300. The multifunction device 300 restricts the use of the functions of the multifunction device 300 after login in accordance with the authority information.

  In step S109, the authentication unit 251 of the authentication server 200 acquires the card number locked out in step S108.

  In step S110, the authentication unit 251 of the authentication server 200 generates an authentication OK result command. This command includes the user name and e-mail address acquired in step S106 and the locked-out card number (first restriction information) acquired in step S109. That is, a card number that is restricted so that it cannot be used for login of the MFP 300 is acquired and transmitted in step S111.

  In step S111, the MFP communication unit 250 of the authentication server 200 transmits an authentication result command (authentication OK / authentication NG) to the MFP 300 (output of restriction information).

  In step S112, since authentication could not be performed, the authentication unit 251 of the authentication server 200 generates an authentication NG result command. In the case of authentication NG, the card number is not included or a NULL value is included.

  In step S113, the authentication server communication unit 352 of the MFP 300 receives the authentication result command sent from the authentication server 200 (restriction information reception).

  In step S114, the authentication unit 350 of the MFP 300 analyzes the authentication result command acquired in step S113. In the case of authentication OK, the process proceeds to step S115, and in the case of authentication NG, the process proceeds to step 119.

  In step S115, the authentication unit 350 of the MFP 300 acquires the user information from the authentication result command acquired in step S114. The user information includes a user name and an email address. In addition, when the user's card is locked out, the card number is also included.

  In step S116, the authentication unit 350 of the multifunction peripheral 300 determines whether the user information acquired in step S115 includes card information (card number). If card information is included, the process proceeds to step S117. If card information is not included, the process proceeds to step S120.

  In step S117, the authentication unit 350 of the MFP 300 displays the lockout notification screen of FIG. 12 indicating that the authentication has been performed and that the card has been locked out (indicating that the use of the card has been restricted). Yes (notification). The card number acquired in step S115 is displayed on the screen.

  In step S118, the authentication unit 350 of the MFP 300 detects that the OK button on the lockout notification screen in FIG. 12 has been pressed.

  In step S119, the authentication unit 350 of the MFP 300 displays an authentication error screen (not shown).

  In step S120, the authentication unit 350 of the multifunction device 300 performs a login process for making the multifunction device 300 available to the user, using the user information acquired in step S115. After logging in, the MFP transitions to a function screen such as a copy screen. The login process is realized, for example, by storing in a predetermined area of the RAM 5006 or the HDD 5007 managed by the multifunction machine 300.

  Next, each step will be described with reference to FIGS. 6 to 8 are flowcharts illustrating an example of a method of performing IC card authentication and logging in (and releasing lockout) to the multifunction device 300 according to the embodiment of the present invention.

  In step S200, step S201, step S204 to step S206, and step S215 to step S221 in FIG. 6, the CPU 5001 of the multi-function device 300 executes the process of each step, and step S207 to step S214 are performed by the CPU 2001 of the authentication server 200. The process of each step is executed.

  Further, in steps S222 to S225 and steps S236 to S238 in FIG. 7, the CPU 5001 of the multi-function device 300 executes processing of each step, and in steps S226 to S235, the CPU 2001 of the authentication server 200 executes processing of each step. .

  Further, in steps S239 to S245 and steps S255 to S258 in FIG. 8, the CPU 5001 of the multi-function device 300 executes processing of each step, and in steps S246 to S254, the CPU 2001 of the authentication server 200 executes processing of each step. .

  In step S200, the authentication unit 350 of the MFP 300 displays the IC card authentication screen in FIG. 11 and waits for reading of the IC card.

  In step S <b> 201, the card reader control unit 351 of the multifunction machine 300 transmits a card reading start command to the card reader 500. That is, a polling start instruction command for reading the IC card is sent to the card reader 500.

  In step S202, the card reader 500 enters the IC card reading state upon receiving the polling start instruction command in step S201.

  In step S <b> 203, the card reader 500 detects that the IC card is held over and transmits a card event to the multi-function device 300. This card event stores the card number held up. The card number may be a card manufacturing number stored in the IC card, or any number that can be arbitrarily stored in the IC card, a serial card name, etc., for identifying the user. May be.

  In step S <b> 204, the card reader control unit 351 of the multifunction machine 300 receives a card event from the card reader 500.

  In step S205, the authentication unit 350 of the MFP 300 acquires a card number from the card event received in step S204.

  In step S206, the authentication server communication unit 352 of the MFP 300 transmits an authentication request command to the authentication server 200 (storage medium information output). The authentication request command includes the card number acquired in step S205.

  In step S207, the MFP communication unit 250 of the authentication server 200 receives the authentication request command transmitted from the MFP 300 (storage medium information reception).

  In step S208, the authentication unit 251 of the authentication server 200 searches (authenticates) whether the card number included in the authentication request command acquired in step 207 exists in the authentication table of FIG. If the card number is registered, the process proceeds to step S209. If the card number is not registered, the process proceeds to step S211.

  In step S209, the card lockout management unit 252 of the authentication server 200 determines the lock flag of the card number used in step S208 (limit setting determination). If the lock flag is TRUE (lockout), the process proceeds to step S210. If the lock flag is FALSE (not locked out), the process proceeds to step S212.

  In step S210, the card lockout management unit 252 of the authentication server 200 selects a list of card numbers whose lock flag is TRUE among the card numbers associated with the user information hit in step S208, or in step S209. Get card number determined to be locked out. This is called lockout information (second restriction information).

  In step S211, the authentication unit 251 of the authentication server 200 generates an authentication NG result command. If the card is locked out (step S209 is TRUE), the lockout information (second restriction information) generated in step S210 is included in this command. .

  In step S212, the authentication unit 251 of the authentication server 200 acquires the user information searched in step S208. The acquired user information includes a user name and an email address.

  In step S213, the authentication unit 251 of the authentication server 200 generates an authentication OK result command. This command includes the user name and mail address acquired in step S212.

  In step S214, the MFP communication unit 250 of the authentication server 200 transmits an authentication result command (authentication OK / authentication NG) to the MFP 300. That is, lockout information (second restriction information) is output in step S214.

  In step S215, the authentication server communication unit 352 of the MFP 300 receives the authentication result command sent from the authentication server 200 (restriction information reception). That is, lockout information (second restriction information) is accepted in step S215.

  In step S216, the authentication unit 350 of the MFP 300 analyzes the authentication result command acquired in step S215. If the authentication is OK, the process proceeds to step 217. If the authentication is NG, the process proceeds to step 219.

  In step S217, the authentication unit 350 of the MFP 300 analyzes the authentication result command acquired in step S215, and acquires the user information. The user information includes a user name and an email address.

  In step S218, the authentication unit 350 of the multi-function device 300 performs a login process using the user information acquired in step 217. After logging in, the MFP transitions to a function screen such as a copy screen. The login process is the same process as step S120.

  In step S219, the authentication unit 350 of the MFP 300 analyzes the authentication result command acquired in step S215, and determines whether lockout information is included. If lockout information is included (authentication error due to lockout), the process proceeds to step S221. If lockout information is not included, the process proceeds to step S220.

  In step S220, the authentication unit 350 of the MFP 300 displays an authentication error screen (not shown).

  In step S221, the authentication unit 350 of the MFP 300 displays the lockout release screen in FIG. The card number constituting the lockout information is displayed on the screen (notification). If only the card number currently held over the card reader 500 is canceled, the card number acquired in step S205 is displayed (notification). Note that FIG. 13 has an area for prompting the user name, password, and domain to be input to release the lockout (requesting input of user information).

  In step S222, the authentication unit 350 of the MFP 300 detects that the cancel button 6001 on the screen has been pressed. If it has been pressed, the process proceeds to step S200. If not, the process proceeds to step S223.

  In step S223, the authentication unit 350 of the MFP 300 detects that the lockout release button 6002 on the screen has been pressed. If it has been pressed, the process proceeds to step S224. If not pressed, the user waits for instructions.

  In step S224, the authentication unit 350 of the MFP 300 acquires the user name and password input on the lockout release screen in FIG.

  In step S225, the authentication server communication unit 352 of the MFP 300 transmits a lockout release request command to the authentication server 200 (release request output). The lockout release request command includes the user name and password acquired in step S224 and the card number (storage medium information) acquired in step S205.

  In step S226, the MFP communication unit 250 of the authentication server 200 receives the lockout release request command sent from the MFP 300 (release request reception).

  In step S227, the authentication unit 251 of the authentication server 200 searches (authenticates) whether the user name and password included in the lockout release request command acquired in step S226 are included in the authentication table of FIG. If the user exists, the process proceeds to step S228. If the user does not exist, the process proceeds to step S230.

  In step S228, the card lockout management unit 252 of the authentication server 200 determines whether the card number acquired in step S226 is associated with the user searched in step S227. If not tied, the process proceeds to step S230, and if tied, the process proceeds to step S229.

  In step S229, the card lockout management unit 252 of the authentication server 200 determines the lock flag of the card number searched in step S228. When the lock flag is TRUE (during lockout), the process proceeds to step S231, and when the lock flag is FALSE, the process proceeds to step S230.

  In step S230, the authentication unit 251 of the authentication server 200 generates a lockout release failure command.

  In step S231, the card lockout management unit 252 of the authentication server 200 sets the lock flag of the card number searched in step S228 to FALSE (lockout release) (limit setting release). Thereby, the lockout of the card is released.

  In step S232, the authentication unit 251 of the authentication server 200 acquires the user information of the user searched in step 227.

  In step S233, the card lockout management unit 252 of the authentication server 200 acquires the card number of which the lock flag is TRUE (locked out) from the card information associated with the user searched in step S227.

  In step S234, the authentication unit 251 of the authentication server 200 generates a lockout release success command (release information indicating release) indicating lockout. This command includes the user name, e-mail address acquired in step S232, and the locked-out card number acquired in step S233.

  In step S235, the MFP communication unit 250 of the authentication server 200 transmits a lockout release result command to the MFP 300 (release information output).

  In step S236, the authentication server communication unit 352 of the MFP 300 receives the lockout release result command sent from the authentication server 200 (reception information reception).

  In step S236-2, the authentication unit 350 of the MFP 300 analyzes the lockout release result command acquired in step S236. If the release is successful, the process proceeds to step S238. If the release is unsuccessful, the process proceeds to step S237.

  In step S237, the authentication unit 350 of the MFP 300 displays the lockout release error screen in FIG. This screen configuration is the same as the lockout release screen of FIG. 13, and the lockout process can be canceled or retried.

  In step S238, the authentication unit 350 of the MFP 300 displays the lockout release success screen in FIG. The locked card number acquired in step S236 is displayed on the screen.

  Here, it is also possible to continue the card lockout release. In this case, the lockout release request command is transmitted by holding the card of the card number displayed on the lockout release success screen in FIG. 15 over the card reader 500. Thus, even for a user who uses a plurality of cards, the lockout can be released by inputting the user information once instead of inputting the user name for each card. This process is described as a process after step S242.

  In step S239, the authentication unit 350 of the MFP 300 detects that the return button 6003 on the lockout release success screen in FIG. 15 is pressed. If it has been pressed, the process proceeds to step S200.

  In step S240, the authentication unit 350 of the MFP 300 detects that the login button 6004 on the lockout cancellation success screen in FIG. 15 has been pressed. If it has been pressed, the process proceeds to step S241.

  In step S241, the authentication unit 350 of the MFP 300 performs a login process using the user information acquired in step S236. After logging in, the MFP transitions to a function screen such as a copy screen. The process of step S241 is the same process as steps S120 and S218.

  In step S <b> 242, the card reader control unit 351 of the multi-function peripheral 300 waits until a card event is received from the card reader 500. If an event has been received, the process proceeds to step S243.

  In step S 243, the card reader control unit 351 of the multifunction device 300 receives a card event from the card reader 500.

  In step S244, the authentication unit 350 of the MFP 300 acquires a card number from the card event received in step S243.

  In step S245, the authentication server communication unit 352 of the multifunction machine 300 transmits a lockout release request command to the authentication server 200. The lockout release request command includes the user name and password acquired in step S224 and the card number acquired in step 244.

  In step S246, the multifunction device communication unit 250 of the authentication server 200 receives the lockout release request command sent from the multifunction device 300.

  In step S247, the authentication unit 251 of the authentication server 200 searches (authenticates) whether the user name and password included in the lockout release request command acquired in step S246 are included in the authentication table of FIG. If the user exists, the process proceeds to step S248, and if the user does not exist, the process proceeds to step S249-2.

  In step S248, the card lockout management unit 252 of the authentication server 200 determines whether the card number acquired in step S246 is associated with the user searched in step S247. When it is not tied, it progresses to step S259, and when it is tied, it progresses to step S249.

  In step S249, the card lockout management unit 252 of the authentication server 200 determines the lock flag of the card number searched in step S248. When the lock flag is TRUE (during lockout), the process proceeds to step S249, and when the lock flag is FALSE, the process proceeds to step S249-2.

  In step S249-2, the authentication unit 251 of the authentication server 200 generates a lockout release failure command.

  In step S250, the card lockout management unit 252 of the authentication server 200 sets the lock flag of the card number searched in step S248 to FALSE (lockout release).

  In step S251, the authentication unit 251 of the authentication server 200 acquires the user information of the user searched in step S247.

  In step S252, the card lockout management unit 252 of the authentication server 200 acquires the card number whose lock flag is TRUE (locked out) from the card information associated with the user information searched in step S247. .

  In step S253, the authentication unit 251 of the authentication server 200 generates a lockout release success command. This command includes the user name, e-mail address acquired in step S247, and the locked-out card number acquired in step S252.

  In step S254, the multifunction device communication unit 250 of the authentication server 200 transmits a lockout release result command to the multifunction device 300.

  In step S <b> 255, the authentication server communication unit 352 of the MFP 300 receives the lockout release result command sent from the authentication server 200.

  In step S256, the authentication unit 350 of the MFP 300 analyzes the lockout release result command acquired in step S236. If the release is successful, the process proceeds to step S257, and if the release is unsuccessful, the process proceeds to step S258.

  In step S257, the authentication unit 350 of the MFP 300 displays the lockout release success screen in FIG. The locked-out card number acquired in step S255 is displayed on the lockout release success screen.

  In step S258, the authentication unit 350 of the MFP 300 displays the lockout release error screen in FIG. This screen configuration is the same as the lockout release in FIG. 13, and the lockout process can be canceled or retried.

  5 to 8, a list of print data matching the user name of the logged-in user stored in the HDD 5007 of the multi-function device 300 is displayed.

  In the present embodiment, the authentication server 200 is configured as a separate unit from the multifunction device 300, but the function of the authentication server 200 may be provided in the multifunction device 300. In this case, an authentication table is stored in the HDD 5007 of the multi-function device 300, and authentication processing, lockout, and lockout release processing are performed. That is, the present embodiment can also be realized by making the authentication server 200 and the multifunction machine 300 the same housing. Further, when the authentication server 200 and the multifunction device 300 are the same, the multifunction device 300 executes the processing of the authentication server 200 in FIGS.

  Next, the authentication table of FIG. 9 stored in the external memory 2011 of the authentication server 200 will be described.

  The authentication table has a user name, password, card information, and mail address. Note that authority information for restricting functions that can be used by the MFP 300 may be included.

The card information stores one or more card numbers used by the user and has a lock flag for determining whether or not to use the IC card. The use of the card is restricted by setting this lock flag to TRUE or FALSE (limit setting). Further, a card name or the like may be registered corresponding to each card number.
Next, FIGS. 10 to 15 will be described.

  10 to 15 are screen examples displayed on the panel of the operation unit 5018 of the multifunction machine 300.

  FIG. 10 is a keyboard authentication screen that allows a user name, password, and domain to be input in accordance with a user instruction. A button for switching between IC card authentication and keyboard authentication is provided. A screen for executing IC card authentication is shown in FIG.

  FIG. 11 shows an IC card authentication screen, which is displayed by default on the operation unit 5018 of the multifunction machine 300.

  FIG. 12 shows a lockout notification screen, which is displayed when keyboard authentication is successful. On the lockout notification screen, a locked out card number, a card name, and the like are displayed.

  FIG. 13 is a lockout release screen, which is displayed when IC card authentication is performed. On the lockout release screen, the card number and card name of the IC card held over the card reader 500 are displayed. In addition, a user name, a password, and a domain that are input to release the lockout can be input.

  FIG. 14 is a lockout cancellation error screen indicating that the lockout could not be performed. The user name, password, and domain can be input again.

  FIG. 15 is a lockout release success screen, showing that the lockout has been released. Further, the card number and card name of the IC card whose lockout is not released are displayed on the lockout release success screen.

  As described above, according to the present embodiment, the use of the storage medium used for authentication is restricted according to the use of the authentication method (for example, keyboard authentication) that does not use the storage medium (for example, IC card) used for authentication. By doing so, security when using the image forming apparatus (multifunction machine) can be improved.

  When there is a possibility of IC card loss, the burden on the administrator of authentication server 200 can be reduced by easily stopping (locking out) the user's IC card at an appropriate timing.

  Further, even when an IC card is found, the burden on the administrator of the authentication server 200 can be reduced by easily releasing the IC card from being stopped (lockout is released).

  That is, it is possible to provide an authentication system with high security by easily locking out and unlocking the IC card at an appropriate timing.

It should be noted that the configuration and contents of the various data described above are not limited to this, and it goes without saying that the various data and configurations are configured according to the application and purpose.
Next, Embodiment 2 according to the present invention will be described.

  In the first embodiment, the mechanism for locking out the user's card when performing keyboard authentication has been described.

  In the second embodiment, in addition to the first embodiment, when the IC card authentication is successful, there is a lock when there is a card locked out by another IC card of the user associated with the card information of the IC card that has been successfully authenticated. A mechanism for notifying card information of an out card and a mechanism for deleting the card information from the server when the card information has been locked out for a certain period of time will be described.

  Hereinafter, embodiments of the present invention will be described in detail with reference to FIGS.

  9 in the first embodiment is replaced with FIG. FIG. 16 is a process in place of FIG. 6 in the first embodiment. Processes that are not specified are the same as those in the first embodiment, and a description thereof is omitted.

  FIG. 20 is a lockout release screen (when authentication is successful) displayed in the second embodiment, but is a screen having the same processing as in FIG. 15 of the first embodiment. Accordingly, the processing after step S307 is step S239 of the first embodiment.

  First, authentication processing in the embodiment of the present invention will be described with reference to FIG.

  In step S300, the card lockout management unit 252 of the authentication server 200 acquires a list of card numbers whose lockout flag is TRUE among the card numbers associated with the user information hit in step S208.

  In step S301, the authentication unit 251 of the authentication server 200 generates an authentication OK result command. This command includes a list of the user name and mail address acquired in step S212 and the lockout card number acquired in step S300.

  In step S302, the MFP communication unit 250 of the authentication server 200 transmits an authentication result command (authentication OK / authentication NG) to the MFP 300 (authentication permission information transmission).

  In step S303, the authentication server communication unit 352 of the MFP 300 receives the authentication result command transmitted from the authentication server 200 (receives authentication permission information). That is, in the second embodiment, even when authentication is successful, a list of the lockout card numbers of the user is sent.

  In step S304, the authentication unit 350 of the MFP 300 analyzes the authentication result command acquired in step S303, and determines whether authentication is OK or authentication NG. In the case of authentication OK, the process proceeds to step 305, and in the case of authentication NG, the process proceeds to step 219.

  In step S305, the authentication unit 350 of the MFP 300 analyzes the authentication result command acquired in step S303, and acquires the user information. The user information includes a list of user names, e-mail addresses, and lockout card numbers.

  In step S306, the authentication unit 350 of the MFP 300 determines whether the lockout card number list information is included in the user information acquired in step S305. If the lockout card number is included, the process proceeds to step S307. If the lockout card number is not included, that is, if there is no locked card information associated with the user information, the process proceeds to step S218.

  In step S307, the authentication unit 350 of the MFP 300 displays the lockout release screen (when authentication is successful) in FIG. The locked card number acquired in step S305 is displayed on the screen (the storage medium information included in the authentication permission information is displayed).

  Next, the lockout card deletion process according to the embodiment of the present invention will be described with reference to FIG.

  Note that the processing in FIG. 17 is performed, for example, at a timing (predetermined time) when the day changes.

  In step S400, the card lockout management unit 252 of the authentication server 200 acquires the lockout setting file shown in FIG. The lockout setting file contains a lockout deletion flag that determines whether or not to delete the card if the lockout state continues for a certain period of time, and the lockout valid days that determine the number of days until deletion. .

  In step S401, the card lockout management unit 252 of the authentication server 200 acquires the lockout deletion flag described in the lockout setting file acquired in step S400. If the flag is TRUE, the process proceeds to step S402, and if it is FALSE, the process ends. If it is FALSE, that is, the lockout card deletion process is not performed.

  In step S402, the card lockout management unit 252 of the authentication server 200 acquires the current date and time registered in the system.

  In step S403, the card lockout management unit 252 of the authentication server 200 calculates the deletion target date and time by subtracting the lockout valid days acquired in step S400 from the current date and time acquired in step S402.

  In step S404, the card lockout management unit 252 acquires one record of card information from the authentication table of FIG.

  In step S405, the card lockout management unit 252 determines whether the lockout date / time of the card information acquired in step S404 is earlier than the deletion target date / time, and determines whether the card information is to be deleted. That is, it is determined whether or not a predetermined time has elapsed since the lockout. If it is determined that the card information is to be deleted, the process proceeds to step S406. If it is determined that the card information is not to be deleted, the process proceeds to step S407.

  In step S406, the card lockout management unit 252 deletes the card information record determined to be deleted from the authentication table of FIG.

  In step S407, the card lockout management unit 252 determines whether there is still card information in the authentication table of FIG. 18 that has not been determined whether the card information is to be deleted. If there is card information, the process proceeds to step S404. If all card information has been processed, it is determined that there is no card information, and this process ends.

  According to the present embodiment, image formation is performed by restricting the use of the storage medium used for authentication according to the use of the authentication method (for example, keyboard authentication) that does not use the storage medium (for example, IC card) used for authentication. Security when using the device (multifunction device) can be improved.

  In addition, since the card locked out for a predetermined time can be deleted, security when using the image forming apparatus (multifunction machine) can be improved.

  Furthermore, for example, in an environment where one person has multiple cards, authentication can be performed by IC card authentication. If there is an IC card that is locked out other than the authenticated IC card, log in immediately. Therefore, since the screen that enables the lockout to be released is displayed, the input of user information in the keyboard authentication is reduced, and the lockout process can be performed efficiently.

  Although one embodiment has been described above, the present invention can take an embodiment as, for example, a system, apparatus, method, program, or recording medium, and specifically includes a plurality of devices. The present invention may be applied to a system including a single device.

  The program according to the present invention is a program that allows a computer to execute the processing methods of the flowcharts shown in FIGS. 5 to 8. Is remembered. The program in the present invention may be a program for each processing method of each apparatus in FIGS.

  As described above, a recording medium that records a program that implements the functions of the above-described embodiments is supplied to a system or apparatus, and a computer (or CPU or MPU) of the system or apparatus stores the program stored in the recording medium. It goes without saying that the object of the present invention can also be achieved by executing the reading.

  In this case, the program itself read from the recording medium realizes the novel function of the present invention, and the recording medium storing the program constitutes the present invention.

  As a recording medium for supplying the program, for example, a flexible disk, hard disk, optical disk, magneto-optical disk, CD-ROM, CD-R, DVD-ROM, magnetic tape, nonvolatile memory card, ROM, EEPROM, silicon A disk, solid state drive, or the like can be used.

  Further, by executing the program read by the computer, not only the functions of the above-described embodiments are realized, but also an OS (operating system) operating on the computer based on an instruction of the program is actually It goes without saying that a case where the function of the above-described embodiment is realized by performing part or all of the processing and the processing is included.

  Furthermore, after the program read from the recording medium is written to the memory provided in the function expansion board inserted into the computer or the function expansion unit connected to the computer, the function expansion board is based on the instructions of the program code. It goes without saying that the case where the CPU or the like provided in the function expansion unit performs part or all of the actual processing and the functions of the above-described embodiments are realized by the processing.

  Further, the present invention may be applied to a system composed of a plurality of devices or an apparatus composed of a single device. Needless to say, the present invention can be applied to a case where the present invention is achieved by supplying a program to a system or apparatus. In this case, by reading a recording medium storing a program for achieving the present invention into the system or apparatus, the system or apparatus can enjoy the effects of the present invention.

  Furthermore, by downloading and reading a program for achieving the present invention from a server, database, etc. on a network using a communication program, the system or apparatus can enjoy the effects of the present invention.

  In addition, all the structures which combined each embodiment mentioned above and its modification are also included in this invention.

100 Client PC100
200 Authentication server 300 Multi-function machine 400 LAN
500 Card reader 2001 CPU
2002 RAM
2011 External memory 5001 CPU
5006 RAM
5007 HDD
5018 Operation unit

Claims (16)

A management device that associates and manages first identification information for identifying a user and second identification information of a medium to be read, a first authentication method based on input of the first identification information by the user, and An authentication system including an information processing apparatus that can be used for any authentication of the second authentication method by reading a read target medium,
The information processing apparatus includes:
The first identification information input according to the user's operation acquired by the first authentication method or the second identification information of the read target medium acquired by the second authentication method is output to the management apparatus. Identification information output means;
Authentication result receiving means for receiving an authentication result of the first identification information or the second identification information;
When the authentication result received by the authentication result receiving unit indicates that the authentication has not been successful, the login to the information processing apparatus is restricted, and the authentication result received by the authentication result receiving unit is successful. Login control means for executing login to the information processing device when indicating that
The management device
Identification information receiving means for receiving the first identification information or the second identification information from the information processing apparatus;
Authentication executing means for executing authentication using the first identification information acquired by the identification information receiving means or the second identification information ;
When authentication by the first identification information is successful by the authentication execution means, login by the first authentication method using the first identification information is executed, and the first identification in which the authentication is successful a second identification information managed in association to the information, to limit the login by the second identification information, and limit setting means for limiting setting,
Authentication result transmitting means for transmitting the authentication result authenticated by the authentication execution means ,
The authentication result transmitting means transmits an authentication result indicating that the authentication has not succeeded when the second identification information received by the identification information receiving means is restricted by the restriction setting means, On the other hand, when the first identification information received by the identification information receiving unit is successfully authenticated by the authentication execution unit, or the second identification information received by the identification information receiving unit is set by the limit setting unit. An authentication system that transmits an authentication result indicating that the authentication is successful so that the information processing apparatus can be used when authentication is successful by the authentication execution unit . The information processing apparatus includes:
Wherein the restriction setting unit, when the second identification information is restricted set further comprises identification information acquiring means for acquiring first identification information entered in accordance with a user operation,
The management device
By the authentication execution unit, it said acquired by the identification information acquisition unit, the information processing apparatus if the resulting et authentication by the first identification information is successful, the second corresponding to the first identification information The authentication system according to claim 1, further comprising restriction setting releasing means for releasing the restriction setting of the identification information . The management device
A release information output means for transmitting release information indicating release when the restriction setting is released;
The information processing apparatus includes:
A release information receiving means for receiving the release information from the management device;
The login control means executes login with the read target medium in accordance with the release information received by the release information receiving means.
Authentication system according to claim 2, wherein the this. Before Symbol information processing apparatus,
Reading means for reading the medium to be read;
Further comprising a <br/> the reading target medium acquisition means acquires the second identification information obtained by reading the reading target medium by the reading means,
Said identification information output means, in order to authenticate the said second authentication method by using the second identification information to be read medium read by the reading means, and outputting the second identification information,
The management device
The authentication result transmitting unit, information indicating that the second identification information accepted by said identification information reception unit when it is restricted set by the restriction setting unit, the second identification information is restricted set The authentication system according to any one of claims 1 to 3 , wherein an authentication result including: is transmitted . Before SL authentication result receiving means, when receiving an authentication result containing information indicating that the second identification information is restricted set, to notify that the authentication by the second authentication method is limited The authentication system according to claim 4, further comprising notification means. The management device
A deletion determination means for determining whether or not the predetermined second identification information has passed the limit;
If it is determined that the predetermined time has elapsed by the deletion determining unit, according to claim 1 to 5, further comprising a <br/> and deleting means for deleting the second identification information the restriction set The authentication system according to any one of the above.   The authentication system according to claim 1, wherein the management apparatus and the information processing apparatus are the same casing.   The authentication system according to claim 1, wherein the information processing apparatus is an image forming apparatus. Identification information output for outputting, to the management device, first identification information input according to a user's operation acquired by the first authentication method or second identification information of the read target medium acquired by the second authentication method The authentication result received by the authentication result receiving means, the authentication result receiving means for receiving the authentication result of the first identification information or the second identification information, and the authentication result received by the authentication result receiving means. The first identification information by the user including login control means for restricting login, and executing login when the authentication result received by the authentication result receiving means indicates that authentication is successful . first authentication method by the input, and, which can communicate with any authentication but available information processing apparatus of the second authentication method by reading the reading target medium, for identifying a user A management apparatus for managing in association with the second identification information of the first identification information and the reading target medium,
Identification information receiving means for receiving the first identification information or the second identification information from the information processing apparatus;
Authentication executing means for executing authentication using the first identification information acquired by the identification information receiving means or the second identification information ;
When authentication by the first identification information is successful by the authentication execution means, login by the first authentication method using the first identification information is executed, and the first identification in which the authentication is successful a second identification information managed in association to the information, to limit the login by the second identification information, and limit setting means for limiting setting,
Authentication result transmitting means for transmitting the authentication result authenticated by the authentication execution means ,
The authentication result transmitting means transmits an authentication result indicating that the authentication has not succeeded when the second identification information received by the identification information receiving means is restricted by the restriction setting means, On the other hand, when the first identification information received by the identification information receiving unit is successfully authenticated by the authentication execution unit, or the second identification information received by the identification information receiving unit is set by the limit setting unit. When the authentication is successful by the authentication execution unit , the management apparatus transmits an authentication result indicating that the authentication is successful so that the information processing apparatus can be used . First identification information from the information processing apparatus, or an identification information receiving means for receiving second identification information, the first identification information acquired by the identification information reception means, or by using the second identification information An authentication execution unit that executes authentication, and when the authentication execution unit succeeds in the authentication by the first identification information, the login by the first authentication method using the first identification information is executed, and a second identification information authentication is managed in association with the first identification information has succeeded, to limit the login by the second identification information, and limit setting means for limiting setting, the identification information reception unit If the second identification information received in step 2 is restricted by the restriction setting unit, an authentication result indicating that the authentication has not succeeded is transmitted, while the second identification information received by the identification information receiving unit If the identification information is successfully authenticated by the authentication execution unit, or the second identification information received by the identification information reception unit is not set by the restriction setting unit and authentication is performed by the authentication execution unit. If successful, in order to use the information processing apparatus, and a verification result transmitting means for transmitting an authentication result indicating that authentication is successful, the first identification information and the reading target medium to identify the user Either of the first authentication method by inputting the first identification information by the user and the second authentication method by reading the read target medium, which can communicate with the management apparatus that manages the second identification information in association with each other. An information processing device that can be used for authentication,
The first identification information input according to the user's operation acquired by the first authentication method or the second identification information of the read target medium acquired by the second authentication method is output to the management apparatus. Identification information output means;
Authentication result receiving means for receiving an authentication result of the first identification information or the second identification information;
When the authentication result received by the authentication result receiving unit indicates that the authentication has not been successful, the login to the information processing apparatus is restricted, and the authentication result received by the authentication result receiving unit is successful. An information processing apparatus comprising: a login control unit that executes login to the information processing apparatus when indicating that the information processing has been performed . A management device that associates and manages first identification information for identifying a user and second identification information of a medium to be read, a first authentication method based on input of the first identification information by the user, and A processing method of an authentication system including an information processing apparatus that can be used in any authentication of the second authentication method by reading a read target medium,
The information processing apparatus is
The first identification information input according to the user's operation acquired by the first authentication method or the second identification information of the read target medium acquired by the second authentication method is output to the management apparatus. An identification information output step;
An authentication result receiving step of receiving an authentication result of the first identification information or the second identification information;
When the authentication result received by the authentication result receiving step indicates that the authentication has not succeeded, the login to the information processing apparatus is restricted, and the authentication result received by the authentication result receiving step is successful. A login control step for executing login to the information processing apparatus, and
The management device is
An identification information receiving step for receiving the first identification information or the second identification information from the information processing apparatus;
An authentication execution step of executing authentication using the first identification information acquired in the identification information reception step or the second identification information ;
When authentication by the first identification information is successful by the authentication execution step, login by the first authentication method using the first identification information is executed, and the first identification by which the authentication is successful a second identification information managed in association to the information, to limit the login by the second identification information, and limit setting step of limiting setting (e.g., step S108)
Performing an authentication result transmission step of transmitting the authentication result authenticated by the authentication execution step ;
The authentication result transmitting step transmits an authentication result indicating that the authentication has not succeeded when the second identification information received in the identification information receiving step is restricted by the restriction setting step. On the other hand, when the first identification information received in the identification information reception step is successfully authenticated by the authentication execution step, or the second identification information received in the identification information reception step is set by the restriction setting step. When the authentication is successful in the authentication execution step without being performed, an authentication result indicating that the authentication is successful is transmitted so that the information processing apparatus can be used . Identification information output for outputting, to the management device, first identification information input according to a user's operation acquired by the first authentication method or second identification information of the read target medium acquired by the second authentication method The authentication result received by the authentication result receiving means, the authentication result receiving means for receiving the authentication result of the first identification information or the second identification information, and the authentication result received by the authentication result receiving means. The first identification information by the user including login control means for restricting login, and executing login when the authentication result received by the authentication result receiving means indicates that authentication is successful . first authentication method by the input, and, which can communicate with any authentication but available information processing apparatus of the second authentication method by reading the reading target medium, for identifying a user A processing method of a management apparatus for managing in association with the second identification information of the first identification information and the reading target medium,
The management device is
An identification information receiving step for receiving the first identification information or the second identification information from the information processing apparatus;
An authentication execution step of executing authentication using the first identification information acquired in the identification information reception step or the second identification information ;
When authentication by the first identification information is successful by the authentication execution step, login by the first authentication method using the first identification information is executed, and the first identification by which the authentication is successful a second identification information managed in association to the information, to limit the login by the second identification information, and limit setting step of limiting setting,
Performing an authentication result transmission step of transmitting the authentication result authenticated by the authentication execution step ;
The authentication result transmitting step transmits an authentication result indicating that the authentication has not succeeded when the second identification information received in the identification information receiving step is restricted by the restriction setting step. On the other hand, when the first identification information received in the identification information reception step is successfully authenticated by the authentication execution step, or the second identification information received in the identification information reception step is set by the restriction setting step. When the authentication is successful in the authentication execution step without being performed, an authentication result indicating that the authentication is successful is transmitted so that the information processing apparatus can be used . First identification information from the information processing apparatus, or an identification information receiving means for receiving second identification information, the first identification information acquired by the identification information reception means, or by using the second identification information An authentication execution unit that executes authentication, and when the authentication execution unit succeeds in the authentication by the first identification information, the login by the first authentication method using the first identification information is executed, and a second identification information authentication is managed in association with the first identification information has succeeded, to limit the login by the second identification information, and limit setting means for limiting setting, the identification information reception unit If the second identification information received in step 2 is restricted by the restriction setting unit, an authentication result indicating that the authentication has not succeeded is transmitted, while the second identification information received by the identification information receiving unit If the identification information is successfully authenticated by the authentication execution unit, or the second identification information received by the identification information reception unit is not set by the restriction setting unit and authentication is performed by the authentication execution unit. If successful, in order to use the information processing apparatus, and a verification result transmitting means for transmitting an authentication result indicating that authentication is successful, the first identification information and the reading target medium to identify the user Either of the first authentication method by inputting the first identification information by the user and the second authentication method by reading the read target medium, which can communicate with the management apparatus that manages the second identification information in association with each other. The processing method of the information processing apparatus that can be used even in the authentication of
The information processing apparatus is
The first identification information input according to the user's operation acquired by the first authentication method or the second identification information of the read target medium acquired by the second authentication method is output to the management apparatus. An identification information output step;
An authentication result receiving step of receiving an authentication result of the first identification information or the second identification information;
When the authentication result received by the authentication result receiving step indicates that the authentication has not succeeded, the login to the information processing apparatus is restricted, and the authentication result received by the authentication result receiving step is successful. A log-in control step for executing log-in to the information processing apparatus when it is indicated that the information processing has been performed. A management device that associates and manages first identification information for identifying a user and second identification information of a medium to be read, a first authentication method based on input of the first identification information by the user, and An authentication system program including an information processing apparatus that can be used for any authentication of the second authentication method by reading a read target medium,
The information processing apparatus;
The first identification information input according to the user's operation acquired by the first authentication method or the second identification information of the read target medium acquired by the second authentication method is output to the management apparatus. Identification information output means;
Authentication result receiving means for receiving an authentication result of the first identification information or the second identification information;
When the authentication result received by the authentication result receiving unit indicates that the authentication has not been successful, the login to the information processing apparatus is restricted, and the authentication result received by the authentication result receiving unit is successful. to indicate that the, to function as a login control means for executing login to the information processing apparatus,
The management device,
Identification information receiving means for receiving the first identification information or the second identification information from the information processing apparatus;
Authentication executing means for executing authentication using the first identification information acquired by the identification information receiving means or the second identification information ;
When authentication by the first identification information is successful by the authentication execution means, login by the first authentication method using the first identification information is executed, and the first identification in which the authentication is successful a second identification information managed in association to the information, to limit the login by the second identification information, and limit setting means for limiting setting (e.g., step S108)
Function as an authentication result transmission means for transmitting an authentication result authenticated by the authentication execution means ,
The authentication result transmitting means transmits an authentication result indicating that the authentication has not succeeded when the second identification information received by the identification information receiving means is restricted by the restriction setting means, On the other hand, when the first identification information received by the identification information receiving unit is successfully authenticated by the authentication execution unit, or the second identification information received by the identification information receiving unit is set by the limit setting unit. A program characterized by transmitting an authentication result indicating that authentication is successful in order to use the information processing apparatus when authentication is successful by the authentication execution means without being performed . Identification information output for outputting, to the management device, first identification information input according to a user's operation acquired by the first authentication method or second identification information of the read target medium acquired by the second authentication method The authentication result received by the authentication result receiving means, the authentication result receiving means for receiving the authentication result of the first identification information or the second identification information, and the authentication result received by the authentication result receiving means. The first identification information by the user including login control means for restricting login, and executing login when the authentication result received by the authentication result receiving means indicates that authentication is successful . first authentication method by the input, and, which can communicate with any authentication but available information processing apparatus of the second authentication method by reading the reading target medium, for identifying a user A program management apparatus for managing in association with the second identification information of the first identification information and the reading target medium,
The management device,
Identification information receiving means for receiving the first identification information or the second identification information from the information processing apparatus;
Authentication executing means for executing authentication using the first identification information acquired by the identification information receiving means or the second identification information ;
When authentication by the first identification information is successful by the authentication execution means, login by the first authentication method using the first identification information is executed, and the first identification in which the authentication is successful a second identification information managed in association to the information, to limit the login by the second identification information, and limit setting means for limiting setting,
Function as an authentication result transmission means for transmitting an authentication result authenticated by the authentication execution means ,
The authentication result transmitting means transmits an authentication result indicating that the authentication has not succeeded when the second identification information received by the identification information receiving means is restricted by the restriction setting means, On the other hand, when the first identification information received by the identification information receiving unit is successfully authenticated by the authentication execution unit, or the second identification information received by the identification information receiving unit is set by the limit setting unit. A program characterized by transmitting an authentication result indicating that authentication is successful in order to use the information processing apparatus when authentication is successful by the authentication execution means without being performed . First identification information from the information processing apparatus, or an identification information receiving means for receiving second identification information, the first identification information acquired by the identification information reception means, or by using the second identification information An authentication execution unit that executes authentication, and when the authentication execution unit succeeds in the authentication by the first identification information, the login by the first authentication method using the first identification information is executed, and a second identification information authentication is managed in association with the first identification information has succeeded, to limit the login by the second identification information, and limit setting means for limiting setting, the identification information reception unit If the second identification information received in step 2 is restricted by the restriction setting unit, an authentication result indicating that the authentication has not succeeded is transmitted, while the second identification information received by the identification information receiving unit If the identification information is successfully authenticated by the authentication execution unit, or the second identification information received by the identification information reception unit is not set by the restriction setting unit and authentication is performed by the authentication execution unit. If successful, in order to use the information processing apparatus, and a verification result transmitting means for transmitting an authentication result indicating that authentication is successful, the first identification information and the reading target medium to identify the user Either of the first authentication method by inputting the first identification information by the user and the second authentication method by reading the read target medium, which can communicate with the management apparatus that manages the second identification information in association with each other. An information processing apparatus program that can be used for authentication of
The information processing apparatus;
The first identification information input according to the user's operation acquired by the first authentication method or the second identification information of the read target medium acquired by the second authentication method is output to the management apparatus. Identification information output means;
Authentication result receiving means for receiving an authentication result of the first identification information or the second identification information;
When the authentication result received by the authentication result receiving unit indicates that the authentication has not been successful, the login to the information processing apparatus is restricted, and the authentication result received by the authentication result receiving unit is successful. A program characterized by causing a log-in control unit to execute log-in to the information processing apparatus when it indicates that it has been performed .

Images