System, method and computer program product for allowing...

Electrical computers and digital processing systems: support – System access control based on user identification by... – Using record or token

Reexamination Certificate


Details

C713S152000

Reexamination Certificate

active

06256737

ABSTRACT:

BACKGROUND OF THE INVENTION
1. Field of the Invention
The present invention relates generally to a system, method and computer program product for allowing access to enterprise resources, and more particularly to the utilization of biometric measurements for the authentication of users, and thus access, to enterprise resources.
2. Related Art
Enterprise resources include computers, applications and data. Computers are often connected using one or more networks. There are many types of computer networks. Various types of networks include, but are not limited to, local-area networks (LAN), wide-area networks (WAN), the Internet and intranets. In general, a computer network may or may not be private. A typical private network is centrally controlled.
The resulting connectivity provided by a network enables several features such as sharing of data and other resources on the network. For example, networks enable applications such as electronic mail, network file systems (sharing of data using disks accessed over networks), distributed processing (different computers executing different parts of a program, generally in parallel) and sharing of printers and servers. These applications usually result in enhanced communication capabilities, efficient use of resources, and/or faster processing of data, thereby leading to productivity gains within an enterprise.
Provision of network connectivity and applications generally entails the operation of several network elements implemented according to predefined interfaces. Network elements include, but are not limited to, hardware circuits/devices and software entities (e.g., a software object, a process or a thread) which may operate according to interface specifications to provide the network connectivity or applications. The interfaces may be based on open protocols or proprietary protocols.
An open interface is public. Examples of open interfaces are Transmission Control Protocol/Internet Protocol (TCP/IP) and IEEE 802 family of protocols, both of which are commonly used in the networking community. Alternately, a proprietary interface is privately owned and controlled. An example of a proprietary interface is System Network Architecture (SNA) implemented mostly at IBM. Following is a brief description of the various types of networks.
A LAN connects computers that are geographically close together (e.g., in the same building). LANs are typically private networks owned and controlled by an enterprise.
A WAN connects computers that are farther apart geographically and are connected by telephone lines or radio waves (e.g., in multiple offices and distant geographies). WANs are also typically private networks owned and controlled by an enterprise. Multiple LANs can be connected by a WAN.
The Internet is a global network connecting millions of computers. As of 1998, the Internet has more than 100 million users worldwide, and that number is growing rapidly. More than 100 countries are linked into exchanges of data, news and opinions. Unlike private networks which are centrally controlled, the Internet is decentralized by design. Each Internet computer, called a host, is independent. Users can choose which Internet services to use and which local services to make available to the global Internet community. There are a variety of ways to access the Internet. Most online services, such as America Online, offer access to some Internet services. It is also possible to gain access through a commercial Internet Service Provider (ISP).
An ISP is a company that provides access to the Internet. For a monthly fee, the ISP gives you a software package, username, password and access phone number. Equipped with a modem, a user can then log on to the Internet and browse the World Wide Web and USENET, and send and receive e-mail. In addition to serving individuals, ISPs also serve large individual enterprises, providing a direct connection from the enterprise's networks to the Internet. ISPs themselves are connected to one another through Network Access Points (NAPs).
An intranet is a privately owned and controlled network. An intranet's host sites may look and act just like any other host site, but a firewall surrounding an intranet fends off unauthorized access. Like the Internet itself, intranets are used to share information (i.e. data). Secure intranets are now the fastest-growing segment of the Internet because they are much less expensive to build and manage than private networks based on proprietary protocols.
As enterprise resources grow so does the complexity and importance of protecting them. In general, the administration of resource protection involves determining the type of identification mechanism to protect enterprise resources, maintaining the integrity of the chosen identification mechanism, managing users, determining which enterprise resources to protect and determining alternative ways of allowing a user access to enterprise resources when the normal way of authentication is faulty. The administration of resource protection in a network is not only a complex and expensive task, but it may conflict with the desired productivity the networking of resources provides.
As discussed above, one of the results of networking together enterprise resources is the increase in productivity through enhanced communication and more efficient use of the resources. While this increase in productivity is important to any enterprise, so is the protection of its resources. While a network works to provide easier access to enterprise resources, an authentication mechanism for protecting the same resources works to restrict access to them. Therefore, so as to not offset the increase in productivity a network provides to an enterprise, an enterprise needs to balance adequate resource protection with an efficient means of administering such protection.
SUMMARY OF THE INVENTION
The present invention is directed to a system, method and computer program product that utilizes biometric measurements for the authentication of users to enterprise resources. The system includes a biometric server that stores the engine and collections of data required by the system to authenticate users. The collections of data include biometric templates, biometric policies, biometric groups, biometric device IDs, user IDs, computer IDs and application IDs. In the present invention, the biometric policies determine the way or method in which a user is to be authenticated by the system. The execution of the biometric policies involves the use of one or more biometric templates. One unique biometric template is created and stored in the biometric server each time a user enrolls in a different biometric device. Biometric devices utilize a scientific technique to identify a user based on compared measurements of unique personal characteristics. These measurements, called biometric measurements, may include, but are not limited to, measurements of finger and hand geometry, retina and facial images, weight, DNA data, breath, voice, typing stroke and signature.
The types of data stored in the biometric server are partially determined through the operations of an enrollment station and an administration station. The enrollment station is used to enroll users into the biometric system. The administration station is used to perform overall management duties and to initially set up the data in the biometric server. A satellite enrollment station can be used to enroll users into the biometric system at remote locations. Finally, an alternate biometric server is a backup or standby server to the biometric server. The alternate biometric server ensures that the system is always available to authenticate users.
The biometric policies of the present invention provide flexibility to the level of protection for individual enterprise resources. The pre-defined biometric policies include an OR policy, an AND policy, a CONTINGENT policy, a RANDOM policy and a THRESHOLD policy. This is done through the layering of both biometric devices and non-biometric devices. The layering of devices allows for the combin
