Electrical computers and digital processing systems: support – System access control based on user identification by... – Using record or token
Reexamination Certificate
1999-07-06
2003-09-09
Hayes, Gail (Department: 2131)
Electrical computers and digital processing systems: support
System access control based on user identification by...
Using record or token
C709S225000, C709S229000, C713S152000, C713S152000, C713S152000
Reexamination Certificate
active
06618806
ABSTRACT:
FIELD OF THE INVENTION
The present invention relates to security systems and methods for controlling access to computers.
BACKGROUND INFORMATION
The WINDOWS NT operating system (or “WINDOWS NT”) from Microsoft Corporation of Redmond, Washington provides a set of windowed utilities that allows easy setup and administration of a security system. The WINDOWS NT operating system itself is secure and makes its security system available to all applications through a standard Win32 security API.
An important aspect of the WINDOWS NT security system is that it is user-centric. Each line of code that attempts to access a secure object (file, printer, pipe, service, etc.) must be associated with a particular user. A user must identify himself to WINDOWS NT using a user ID and a password, via a log-on function. Each security check is made against the user's identification.
As a result, it is not possible, for example, to write code that prevents an application (e.g., Microsoft EXCEL) that is running under WINDOWS NT from accessing an object. For instance, an object can be secured against access from user Joe running EXCEL, but if user Carla is allowed to access the object, she can do so using EXCEL or any other application. All Carla has to do is identify herself to WINDOWS NT using her password.
Thus the entire validity of the WINDOWS NT security system is based on accurate identification of the user. WINDOWS NT user authentication is based on user IDs and passwords. Once a password is compromised, a general collapse of the security system can occur. There is therefore a need for a capability that adds a second factor to password-based authentication mechanisms such as that of WINDOWS NT. Such a capability should also ensure robustness while improving end-user convenience.
Not only do passwords present a security risk, they are also costly to administer. To provide an acceptable level of security, it is not uncommon to require changing corporate users' passwords every 30 to 60 days. This is not only an annoyance to the user, it is a major resource drain on system administrators. Surveys have shown that over 50% of the calls received by internal corporate hotlines are password related. Adding to this the lost productivity of professional office workers' trying to figure out what their correct current password is, or requesting to be reinstated on the network, leads to an estimated annual cost of maintaining passwords of as high as $300 per user.
Saflink Corporation, with funding from the U.S. Department of Defense, has developed a Human Authentication application program interface (API), or HA-API, which allows applications to work with multiple biometric technologies presently available today and to integrate with new technologies in the future without requiring changes to the applications. The HA-API specification provides a set of standard program names and functions that enable various biometric technologies to be implemented easily into application programs for network user identification and authentication. It is foreseen that HA-API will be used both by application/product developers who wish to integrate biometric technology into their applications as well as by biometric vendors who wish to adapt their technologies for use within open system application environments.
FIG. 1 is a block diagram illustrating the architecture of HA-API. HA-API provides two interfaces. The first interface is an application API 101 consisting of functions 103 to determine which biometric technology (finger image, voice, facial image, etc.) is available to the application 10 and a set of functions 105 to authenticate a user's identity via any of the available technologies. The HA-API authentication functions 105 hide the unique characteristics of each biometric from the application 10. The second interface is a Biometric Service Provider (BSP) Interface 111 which provides a common interface for biometric technology providers to “plug in” their unique modules 150. BSP modules 150 contain the capture, extraction (converting biometric features into a digital representation called a Biometric Identifier Record), and matching capabilities of a biometric vendor.
The full text of the Human Authentication API has been published by the Biometric Consortium (available at www.biometrics.org).
SUMMARY OF THE INVENTION
The present invention provides a rule-based biometric user authentication method and system in a computer network environment. Multiple authentication rules can exist in the computer network. For example, there may be a default system-wide rule, and a rule associated with a particular user trying to log in. There may be other rules such as one associated with a remote computer from which the user is logging in, one associated with a group to which the user belongs, or one associated with a system resource to which the user requires access such as an application program or a database of confidential information. An order of precedence among the rules is then established and used to authenticate the user.
In operation, a user identification such as a password is received. If an authentication rule associated with the user exists, the system according to the present invention authenticates the user by comparing captured biometric information with previously stored biometric information according to the authentication rule associated with the user. If not, the system authenticates the user by comparing the captured biometric information with the previously stored biometric information according to a system default rule. In that embodiment, the user rule has a higher precedence than the system default rule.
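The rule selection and biometric check described in the summary, as an added example that is not the patent's own code or Saflink's implementation. It assumes a precedence order of user, then group, then remote host, then resource, then the system default (the patent only fixes user above default), and it stands in a toy byte-comparison matcher for a real BSP; rule fields, names and sample templates are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumed rule shape (not from the patent): which biometric technology to use and
# the minimum match score a captured sample must reach against the stored record.
@dataclass(frozen=True)
class AuthRule:
    technology: str   # e.g. "finger", "voice", "face"
    min_score: float  # acceptance threshold in [0.0, 1.0]
    scope: str        # where the rule came from, kept for the audit trail

# Precedence order assumed for this example; the patent only fixes user > default.
PRECEDENCE = ("user", "group", "remote_host", "resource")

RuleTable = Dict[Tuple[str, str], AuthRule]   # keyed by (scope, identifier)

def select_rule(rules: RuleTable, default: AuthRule,
                context: Dict[str, Optional[str]]) -> AuthRule:
    """Walk the scopes in precedence order; the first rule that exists wins,
    otherwise the system default rule applies."""
    for scope in PRECEDENCE:
        ident = context.get(scope)
        if ident is not None and (scope, ident) in rules:
            return rules[(scope, ident)]
    return default

def bsp_match(captured: bytes, stored: bytes) -> float:
    """Toy stand-in for a BSP matcher: fraction of equal bytes. A real BSP
    compares feature templates; this exists only so the example runs offline."""
    if not stored or len(captured) != len(stored):
        return 0.0
    return sum(a == b for a, b in zip(captured, stored)) / len(stored)

def authenticate(rules: RuleTable, default: AuthRule, context: Dict[str, Optional[str]],
                 captured: bytes, enrolled: Dict[str, bytes]) -> Tuple[bool, str]:
    """Return (accepted, scope of the rule applied). `enrolled` maps a
    technology name to the user's stored Biometric Identifier Record."""
    rule = select_rule(rules, default, context)
    stored = enrolled.get(rule.technology)
    if stored is None:   # no enrolment for the technology the rule demands: fail closed
        return False, rule.scope
    return bsp_match(captured, stored) >= rule.min_score, rule.scope

# Constructed sample data: a strict per-user rule, a resource rule, and a lax default.
DEFAULT_RULE = AuthRule("finger", 0.70, "system_default")
RULES: RuleTable = {
    ("user", "carla"): AuthRule("finger", 0.95, "user"),
    ("resource", "payroll_db"): AuthRule("face", 0.80, "resource"),
}
ENROLLED = {"finger": b"\x10\x20\x30\x40\x50\x60\x70\x80\x90\xa0", "face": b"face-template"}
```

Note that a user-specific rule can make authentication stricter than the default, so the same captured sample may pass for one user and fail for another.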
Brown Timothy J.
Nelson Dan
Rivers Rodney
Hayes Gail
Moorthy Aravind
Saflink Corporation