WO2004025495A1 - Credential promotion - Google Patents
- Publication number
- WO2004025495A1 (application PCT/US2002/029166)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- credential
- user
- application
- retrieved
- enrollment
- Prior art date
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0815—Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/41—User authentication where a single sign-on provides access to a plurality of computers
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/102—Entity profiles
Definitions
- the present invention relates generally to identity authentication
- An enrollment session typically requires users
- an enrollment device receives, or "captures," the submitted authentication credentials
- the enrollment credential may
- a Biometric Identification Record (BIR) is an example of a preferred embodiment
- a BIR generally comprises an electronically stored file
- BIR physical characteristics include fingerprints, voice recognition, hand geometry, and facial and retinal/iris characteristics.
- exemplary behavioral characteristics generally include electronic signatures, keystroke pattern and gait.
- BIR techniques can further relieve users from having to remember passwords or carrying tokens, while discouraging credential theft, borrowing and other suspect security deviations.
- establishment of a reliable enrollment credential is fundamental.
- Conventional BIR enrollment processes require users to repetitively resubmit capture BIR data after an initial submission in order to create an acceptable enrollment BIR. For instance, a typical fingerprint enrollment process may require a user to re-accomplish the same fingerprint submission over eight times.
- Enrollment software may subsequently process the multiple submissions into a combined, single enrollment BIR. That is, the software may combine the submissions, in some instances by programmatically "stitching" them into a larger-scale fingerprint that defines more mathematical and statistical matching points. While such repetitious submission may be accomplished relatively easily in the context of passwords and tokens, BIR capture techniques pose more of a hardship and inconvenience to users and administrators establishing enrollment in an application. This burden is compounded exponentially where the same user must enroll in several such applications. That is, every application requires its own, respective enrollment process. Each of those processes, moreover, mandates the requisite, repetitive re-submission of BIR data particular to the application. As such, enrollment practices may represent a significant drain on time, efficiency, energy and other user and system resources.
- Negative perceptions associated with enrollment practices may often translate into a reluctance for users and administrators to avail themselves of available BIR practices and other protective security measures.
- the same vexations and inefficiencies that plague users who are initially enrolling into an application may also apply to those users who are already enrolled in the application.
- currently enrolled users may be periodically required to re-accomplish enrollment processes to ensure accurate, up-to-date BIR's.
- changes to the physical features of users can render previously stored enrollment data less accurate or obsolete. Therefore, it is sound security practice to periodically re-enroll a user into every application for which there is current access to ensure that the stored enrollment BIR most accurately reflects any physical changes. Given the demanding requirements for enrollment, such updates may present an additional burden to users.
- users may be less prone to update their BIR data, which may become stale as a consequence.
- the present invention provides an improved apparatus, program product and method for automatically establishing and updating enrollment credentials across multiple computer applications in a manner that addresses the above described shortcomings of conventional enrollment practices.
- an authenticated user who is already enrolled into a first computer application may automatically transfer the enrollment credential of the first computer application to a second application.
- the user may enroll in the second application without having to accomplish conventional enrollment processes. Rather than having to repetitiously resubmit authentication credentials, if that user has enrolled into the first application using authenticated data, their enrollment credential from the first application transfers to the second application.
- automatic enrollment of the user is achieved.
- matching processes include retrieval of the capture credential.
- a suitable capture credential may be submitted by the user at the client computer or other enrollment device. For instance, a user may provide a fingerprint signature to an electronic pad configured to receive the BIR.
- Another credential promotion sequence in accordance with the principles of the present invention may alternatively include the capture credential being retrieved from memory. Such may be the case where a user has only recently submitted a capture BIR for the first application. Where so configured, the recently stored capture BIR may be downloaded directly for comparison against the enrollment BIR.
- features of the present invention may obviate the need for the user to submit a capture credential in order to be enrolled. In any case, where a match is determined, the enrollment credential of the first application is stored as the enrollment credential for the second application.
- a user may simultaneously be enrolled in multiple, different applications in similar fashion. That is, processes configured to successively or simultaneously store a retrieved enrollment credential as the new enrollment credential for a plurality of applications may be automatically initiated. In this manner, a single authentication credential may be simultaneously promoted to several applications, thus enrolling the user instantly in a multitude of applications. Such a feature of the present invention may thus mitigate lengthy time demands associated with conventional enrollment practices.
- One or more enrollment credentials correlated to a user may be automatically updated in response to the user updating an enrollment credential in another application.
- aspects of the present invention can enable further time savings and efficiencies.
- Processes used to locate and determine the appropriateness of the enrollment credential and/or the first application associated therewith may be automatic, as well as stipulated by an application, system mandate, or user input, among other directives. Selection of the application/enrollment credential may further implicate evaluation of local, user, global and other policies. Optionally, the fact that a promotion process was accomplished for the user may be recorded for accountability and security purposes.
- Fig. 1 is a block diagram of a client-server computer system consistent
- Fig. 2 is a network system suited to execute credential promotion
- Fig. 3 is a dialog box having application within the network
- Fig. 4 is a flowchart outlining method steps suited for execution within
- Fig. 5 is a flowchart having steps configured to initiate programmatic
- Fig. 4 is a flowchart having method steps configured to determine an enrollment BIR as applied in the flowchart of Fig. 3;
- Fig. 7 is a dialog box having application within the process steps of
- Fig. 8 is a flowchart having method steps suited for updating authentication credentials within the network environments of Figs. 1 and 2.
- Fig. 1 illustrates a client-server based computer system
- a client-server system 10 configured to establish enrollment credentials across different applications of a network.
- the system 10 may similarly effect updates throughout the network for all applications in which the user is already involved. To this end, the system 10 may automatically enroll into a second computer application a user who is already enrolled into a first application.
- the system 10 may initially locate the first application within a designated trust network or other set of predefined user devices and applications.
- An authentication credential used to enroll the user in the first application may then be downloaded into memory of the second application.
- the second application may store the downloaded authentication credential as its new enrollment credential correlated to the user.
- the user may subsequently access the second application using the same authentication credential used in the first application.
- updates to the stored enrollment credential of the second application may be effected to reflect those changes made in the first application.
- System 10 includes at least one apparatus, e.g., one or more client computers 12 and one or more server computers 14.
- each computer 12, 14 may represent practically any type of controller, computer system, cell phone, personal digital assistant (PDA) or other programmable electronic device capable of functioning as a client and/or server in a client-server environment.
- each computer 12, 14 may be implemented using one or more networked computers or other controllers, e.g., in a cluster or other distributed computing system.
- Computer 12 typically includes a central processing unit 16 including at least one microprocessor coupled to a memory 18, which may represent the random access memory (RAM), programmable or flash memories, read-only memories, etc.
- memory 18 may be considered to include memory storage physically located elsewhere in computer 12, e.g., any cache memory in a processor in CPU 16, as well
- Computer 12 also typically receives a number of inputs and outputs for
- computer 12 typically includes a user interface 22 incorporating one or more user input devices (e.g., a keyboard, a mouse, a trackball, a joystick, a touch pad, smart
- user interface 22 may also incorporate a microphone, among others, and a display, e.g., a CRT monitor or an LCD display panel
- user input may be received via another
- computer 12 may also include one or more mass storage devices 20, e.g., a floppy or other removable disk drive, a hard disk drive, a direct access storage device (DASD), or an optical drive (e.g., a CD drive, a DVD drive)
- computer 12 may include an
- interface 24 with one or more networks e.g., a LAN, a WAN, a wireless network,
- computer 12 typically includes suitable analog and/or digital interfaces between CPU 16 and each
- computer 14 includes a CPU 26, memory 28, mass storage 30, user interface 32 and network interface 34.
- computer 14 will be implemented using a multi-user computer such as a server
- Computers 12, 14 are generally interfaced with one another via a network 36, which may be public and/or private, wired and/or wireless, local and/or wide-area, etc. Moreover, network 36 may represent multiple, interconnected
- network 36 may include the
- Each computer 12, 14 operates under the control of an operating
- BioAPI 49 regards an exemplary programming interface supplied by
- biometric service providers that provides enrollment and verification services for installed biometric devices.
- various applications, components, programs, objects, modules, etc. may also execute on one or more processors in another
- server computing environment whereby the processing required to implement the functions of a computer program may be allocated to multiple computers over a
- Program code typically comprises one or more instructions that are
- signal bearing media include but are not limited to recordable type media such as volatile and non-volatile memory devices, floppy and hard disk drives, magnetic tape, and optical disks (e.g., CD-ROMs)
- embodiments consistent with the invention may be configured to promote credentials using applets and other such layers of software via an active hypertext document.
- applets may be used to generate active hypertext documents through which clients may supply input data for transmission to a server 14.
- credential promotion operations may be implemented by embedding one or more instructions within the active hypertext document to initiate the performance of the promotion by the client computer 12.
- One or more applets may be configured for execution by an engine 44 resident on the server computer 14.
- the engine 44 may process the applets to generate one or more active hypertext documents for transmission to a client by a web server 46 that is also resident on the server 14.
- Such active hypertext documents are downloaded to client devices/computers, e.g., as illustrated at block 48 in Fig. 1.
- such active hypertext documents may be processed by a client-side web browser 50, which renders the documents on a client display.
- the web browser further generates requests to the server 14 that supply input data to the server 14 in response to user input in a manner well known in the art.
- Fig. 1 is not intended to limit the present invention. Indeed, those skilled in the art will recognize that other alternative hardware and/or software environments may be used without departing from the scope of the invention.
- One such exemplary environment is illustrated in Fig. 2.
- the network system 80 of Fig. 2 may be configured to automatically enroll a user who is already enrolled into a first application into a second application.
- the system 80 may support any number and manner of users attempting to enroll into multiple computer applications 84-91.
- the applications 84-91 may be either dispersed or concentrated throughout the network 80, as may be the respective user enrollment devices 100-108.
- a suitable application may comprise an operating system, domain, network, component, program, object, module, program, library, memory, sequence of instructions or virtually any function having underlying programmatic code that may relate to enrollment practices.
- each user is already enrolled in one or more of the applications 84-91.
- each user may have accomplished requisite credential authentication processes associated with at least one application 84-91.
- Such authentication processes may include repeated submission of one or more credentials, including a password, a BIR, or an authentication token.
- Each user may have accomplished the prior enrollment at a myriad of enrollment devices to include computer terminals 100-102, 105 and 107. Other users may enroll using a cell phone 103, a palm pilot 108 or another handheld device.
- Suitable user enrollment devices 100-108 for purposes of an embodiment of this invention need merely comprise a controller configured to receive and process instructions relating to authentication data.
- controllers/user devices 100-108 need not even connect to a network, nor have an authenticating capture device located therewith.
- those embodiments of the present invention that permit a user to promote an authentication credential without first requiring submission of a capture authentication credential may enable the user or administrator to initiate the promotion processes
- such a scenario may involve the retrieval
- a user at a client terminal 100 may be enrolled in a first
- credential promotion processes of the present invention whether or not the first application 84 resides at the client computer 100, as credential promotion may occur as between networked devices.
- the same user may subsequently require or desire access to a second application 85.
- the user would be required by the second application 85 to repetitively re-enroll the BIR or other authentication credential. In an embodiment of the present invention, however, the program code 42 resident within the client computer 100 may alternatively initiate credential promotion processes.
- Typical credential promotion processes may involve retrieving an enrollment credential from the first application 84.
- the retrieved enrollment credential is usually correlated to the user's enrollment in the first application 84.
- the program code 42 may then retrieve a capture authentication credential correlated to the user. For instance, the program code 42 may prompt the user to submit a capture BIR.
- the program code 42 may then determine if the capture BIR received from the user matches the retrieved enrollment BIR within predetermined parameters.
- a suitable capture credential may additionally comprise a BIR or other credential retrieved from cached memory or sampled from an electronic transmission.
- the retrieved enrollment BIR may be correlated to the user's enrollment in the second application 85.
- the user may be automatically enrolled in the second application 85 without having to go through the typical biometric enrollment process.
- the user of another or the same embodiment of the present invention may simultaneously be enrolled in multiple different applications. That is, the program code 42 may successively or simultaneously initiate processes configured to store the retrieved enrollment BIR as the new enrollment BIR for a plurality of applications.
- the program code 42 may simultaneously update one or more enrollment credentials correlated to a user in response to the user updating an enrollment credential in another application.
- update features of the present invention can enable further time savings and efficiencies.
- a successful match between the capture and enrollment authentication credentials may further result in the user having immediate access to the second application(s) 85. That is, the user may be automatically logged into the second application 85 by the program code 42.
- the program code 42 may prompt the user to first verify that they wish for the Credential promotion processes to occur.
- the browser window 70 as shown in Fig. 3 may solicit direction from the client.
- Affirmative input from the user at field 71 of Fig. 3 may initiate subsequent storage of the first enrollment credential as discussed above.
- a negative response from the user at field 72 of Fig. 3 may have the same effect as if no match was established as between the capture and enrollment credentials.
- this effect may mean the program code 42 at the client computer 100 relegates the user to accomplishing conventional enrollment processes as per the normal operating procedures of the second application 85. For example, the user must repeat multiple BIR captures to establish an enrollment BIR. Similarly, should credential promotion be unavailable as per a system, application or local policy, among other criteria discussed below, then alternative enrollment processes may commence.
- Credential promotion processes may include a determination of one or more programmatically defined trust networks.
- a trust network may include one or more applications that run on a single, or multiple client devices.
- Embodiments of the present invention typically, but do not necessarily, include predetermined designations of trust networks. Where desirable, some designations of trust networks may be stored in a database or on local hardware/computer registers.
- the program code 42 may dynamically determine a trust according to network connectivity, as well overarching user and/or administrative input.
- a trust network may comprise hardware supporting a selected field of applications from which an enrollment credential may be located.
- System 80 policy may dictate and define trust membership. For instance, an administrator may include within a predefined trust network consistent with the principles of the invention only clusters of terminals known to be of a requisite security level. In this manner, the network system 80 of Fig. 2 may comprise one or more such trust networks. In another embodiment, the system 80 may account for only a part of a more comprehensive trust network.
- alternative enrollment processes may be initiated as the program code 42 aborts credential promotion processes.
- the program code 42 may initiate location of a suitable enrollment credential from within the applications of the determined trust network. That is, the program code 42 may search the trust network for an enrollment credential of a first application 84 into
- the program code 42 may determine where to
- Factors affecting from where an enrollment credential is retrieved may include a designation or programmatic preference for a particular application and/or enrollment credential. Such a designation may be made in certain instances by an administrator, the user, or the second application into which the user desires
- the administrator may store an address of an application 84 having a preferred enrollment BIR within a designated memory field that is accessible
- the enrollment BIR of the designated application 84 may be
- the second application 85 may instruct a web
- the program code 42 may then process
- the program code 42 of another or the same embodiment may use the BIR enrollment
- the program code 42 may retrieve the application 84 address
- the user may designate their own preferred address for an
- the user may enter an application name or other
- the program code 42 may then evaluate the appropriateness of the designated application and associated credentials. For instance, one embodiment may programmatically determine which, if any, designated enrollment authentication credentials is best suited for promotion to the second application(s) 85. The determination may include considerations relating to local, user and overarching system mandates, as well as assigned confidence ratings. Other considerations can include hardware availability at the local machine 100 of the user, as well as user preference and prior usage of the authenticating equipment. Thus, embodiments consistent with the principles of the present invention may rely on hierarchical layers of evaluation to determine a suitable enrollment BIR.
- the evaluation processes of one embodiment may prompt the program code 42 to access memory to see if a preference for one of the available applications/enrollment BIR's has been designated.
- a database field associated with an account of the user and/or network system 80 may indicate a mathematical preference for an application linked to the field. Preferences may permeate other layers of evaluation, as well. For example, where more than one enrollment BIR is available for a located application, another preference may weight selection towards a preferred enrollment credential, such as a BIR produced by a retinal scanner. In the absence of other input, the preference may act as a default choice of the program code 42. As discussed below, such a preference may be set prior to, during, or subsequent to an enrollment session.
- a suitable preference in one embodiment may include a confidence rating.
- An exemplary confidence rating may be assigned by an administrator in view of reliability and security considerations. Confidence ratings may be assigned to either or both an application and a specific type of authentication credential.
- an administrator may assign a higher confidence rating to an application
- the program code 42 may select the application having the higher
- the program code 42 may select a credential having the highest confidence rating. For example, the program code 42 may select a fingerprint BIR over a smart card enrollment credential.
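As an added illustration (example code, not the patent's own implementation) of the promotion sequence described above together with the confidence-rating selection: the trust network is checked first, the highest-rated application and credential type are chosen, the capture credential is matched within a threshold, the user confirms, and the promotion is recorded for accountability. Application names, ratings and the 0/1 feature-vector BIRs are constructed assumptions, and the position-wise similarity stands in for a real biometric matcher.

```python
"""Credential promotion walk-through (added example, not the patent's code).
BIRs are constructed 0/1 feature vectors; the matcher is a toy position-wise
similarity standing in for a real biometric matcher."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Template = Tuple[int, ...]

@dataclass(frozen=True)
class Credential:
    kind: str           # "fingerprint", "retina", "smartcard", ...
    template: Template  # constructed feature vector standing in for a BIR

@dataclass
class Application:
    name: str
    # user -> enrollment credentials this application holds for that user
    enrollments: Dict[str, List[Credential]] = field(default_factory=dict)

@dataclass
class Policy:
    trust_network: frozenset         # application names promotion may draw from
    app_confidence: Dict[str, int]   # administrator-assigned rating per application
    kind_confidence: Dict[str, int]  # administrator-assigned rating per credential type
    match_threshold: float = 0.9     # the "predetermined parameters" for a match

def similarity(a: Template, b: Template) -> float:
    """Toy matcher: fraction of positions that agree, 0.0 .. 1.0."""
    if len(a) != len(b) or not a:
        return 0.0
    return sum(x == y for x, y in zip(a, b)) / len(a)

def locate_enrollment(user: str, apps: List[Application],
                      policy: Policy) -> Optional[Tuple[Application, Credential]]:
    """Hierarchical evaluation: trust-network members only, then the highest
    application rating, then the highest credential-type rating."""
    ranked = []
    for app in apps:
        if app.name not in policy.trust_network:
            continue  # never promote from outside the trust network, whatever its rating
        for cred in app.enrollments.get(user, []):
            if cred.kind not in policy.kind_confidence:
                continue  # credential type not approved for promotion
            ranked.append((policy.app_confidence.get(app.name, 0),
                           policy.kind_confidence[cred.kind], app, cred))
    if not ranked:
        return None
    ranked.sort(key=lambda r: (r[0], r[1]), reverse=True)
    return ranked[0][2], ranked[0][3]

def promote(user: str, second_app: Application, apps: List[Application],
            policy: Policy, capture: Credential,
            confirm: Callable[[str, str], bool], audit: List[str]) -> str:
    """Returns "promoted", or "conventional-enrollment" for every fallback path."""
    found = locate_enrollment(user, apps, policy)
    if found is None:
        audit.append(f"no promotable enrollment for {user}; conventional enrollment")
        return "conventional-enrollment"
    first_app, enrollment = found
    score = similarity(capture.template, enrollment.template)
    if capture.kind != enrollment.kind or score < policy.match_threshold:
        audit.append(f"capture mismatch for {user} against {first_app.name} "
                     f"(score {score:.3f}); conventional enrollment")
        return "conventional-enrollment"
    if not confirm(first_app.name, second_app.name):
        # A negative answer has the same effect as a failed match.
        audit.append(f"{user} declined promotion {first_app.name} -> {second_app.name}")
        return "conventional-enrollment"
    # Store the first application's enrollment credential as the second's, and
    # record the promotion for accountability.
    second_app.enrollments.setdefault(user, []).append(enrollment)
    audit.append(f"promoted {enrollment.kind} enrollment for {user} "
                 f"from {first_app.name} to {second_app.name} (score {score:.3f})")
    return "promoted"

def build_demo():
    """Constructed sample data: two applications already holding enrollments
    for 'alice' and an empty target application."""
    fp = tuple(i % 2 for i in range(16))             # constructed fingerprint BIR
    sc = tuple([1] * 8 + [0] * 8)                    # constructed smart-card credential
    retina = tuple((i // 2) % 2 for i in range(16))  # constructed retinal BIR
    payroll = Application("payroll", {"alice": [Credential("fingerprint", fp),
                                                Credential("smartcard", sc)]})
    partner = Application("partner-portal", {"alice": [Credential("retina", retina)]})
    crm = Application("crm")
    # partner-portal carries the highest rating but sits outside the trust network
    policy = Policy(trust_network=frozenset({"payroll", "crm"}),
                    app_confidence={"payroll": 5, "partner-portal": 9},
                    kind_confidence={"retina": 5, "fingerprint": 3, "smartcard": 1})
    return [payroll, partner, crm], crm, policy, fp

if __name__ == "__main__":
    apps, crm, policy, fp = build_demo()
    log: List[str] = []
    capture = Credential("fingerprint", (1 - fp[0],) + fp[1:])  # one position differs
    print(promote("alice", crm, apps, policy, capture, lambda a, b: True, log))
    print("\n".join(log))
```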
- Selection of an appropriate application may be accomplished in part in view of a local policy. More particularly, the program code 42 may initially access a
- local policy may include a preprogrammed preference or mandate for an application, a
- the local policy may be
- policy may further be stored on the local hard drive, or be accessible via the network
- a user BIR policy may be preset in a database field associated with a relevant account of the user.
- the field or other indicator may mandate one or more applications and/or enrollment credential types that are suitable for enrollment with regard to the user. Such a setting can act as a default or statistical preference for a particular user, directing the computer to select a single or ordered group of applications and/or enrollment BIR's from the trust network.
- An exemplary system policy may
- an account manager or other administrator can designate groupings of
- Tags relating to these requirements or settings may be programmatically attached to a database field associated with the designated machines/users.
- program code 42 may then access these database fields to obtain applicable security settings and preferences.
- the database fields/tags may link to a listing
- the program code 42 may make an accounting of which biometric or other authentication devices are currently installed on the computer 100 from which the user seeks to enroll into the second application 85. For instance, the local computer 100 of the user may be equipped with both fingerprint and retinal
- biometric testing devices (including BioAPI code 49) place a marker within a registry of the computer 100 upon installation and de-installation. This registry provides a
- embodiment may rely on processes that enumerate available devices in real time, or at the time of transcription, thus providing the program code 42 with an accounting of appropriate devices.
- the program code 42 may alternatively check a server 112 to obtain status
- an embodiment of the software may look to another application.
- Another embodiment may, as above, relegate the user to enrollment using conventional enrollment processes, if the option is available.
- policies may be omitted, altered and supplanted with others in accordance with the principles of the present invention. While some such policies may be discriminating,
- the program code 42 of still another embodiment may afford the user a choice of applications and/or enrollment credentials based upon availability and
- the program code 42 may retrieve the enrollment credentials from a database or other memory accessible to the first
- the enrollment credentials may be compared
- the program code 42 may prompt the user to submit capture authentication credentials.
- the user may be
- An exemplary sequence may include a displayed user interface
- a fingerprint authentication application may prompt the user, "Please place your finger
- the capture credential may alternatively be retrieved from memory in
- the program code 42 may download the recently stored capture
- retrieved authentication credential may be stored as the current enrollment credential
- the same authentication credential comprises the
- code 42 may first verify with the user their intent to have the enrollment credential
- credential promotion processes may span entire networks and are not typically limited to those applications incident on a single machine 100.
- the same user accessing an application 85 that executes at client terminal 100 may additionally enroll in another application 91 present at another client terminal 105.
- embodiments consistent with the invention accommodate and complement known Internet 110 and server 112 processes. The mechanics of such browser and web server interaction is better illustrated in the client-server block diagram of Fig. 1.
- the browser 50, or other interface program of Fig. 1 may send a hypertext transfer protocol (HTTP) request to the server 14.
- the HTTP request may embody a "get" command and/or an instruction to access the second application 91.
- Processing of the HTTP request at the server 14 may result in the invocation of an applet on the server 14.
- the applet may generate an active hypertext document and transmit the resultant HTML page/document to the browser 50 via an HTTP response of its own.
- the document may then be displayed by the web browser 50 at the client computer 12.
- the HTTP response from the server 46 may include an applet program configured to prompt a BIR.
- the HTTP response may include enrollment processes particular to the application 91 into which enrollment is sought.
- the program code 42 executing on the browser 50 may initiate the BIR enrollment process applet conveyed in the HTTP response, and initiate its own Credential promotion processes, accordingly.
- Credential promotion code may determine and retrieve BIR enrollment data from a designated or otherwise determined application 84.
- the browser 50 may match the enrollment BIR of the first application 84 with a capture BIR submitted by, stored in relation to, or otherwise correlated to the user. In determining a match, the browser 50 may send another HTTP command to the server 14.
- the command response may include an indicator that communicates to the server 14 that the user should be authenticated. In another embodiment, the browser 50 may transmit to the server 14 bitstream or other data indicative of the actual enrollment BIR retrieved from the first application 84.
- the program code 42 incident at the remote computer 14 and/or additional application 91 may store the retrieved enrollment BIR as its own. Where enrollment data cannot be stored as such, the server 14 may generate an error message that is transmitted back to the browser 50.
- the invention is not limited to particular server or client-side program code implementations. As such, these and other exemplary embodiments in accordance with the principles of the present invention are described herein for exemplary purposes. Moreover, although networked computers are shown in Figs. 1 and 2 for the purpose of illustrating the functionality of an exemplary application of the invention, other embodiments consistent with the principles of the present invention may suitably include machines isolated from any network connection.
- the flowchart of Fig. 4 shows exemplary method steps suited for execution with the hardware environments of Figs. 1 and 2. That is, the illustrative steps of Fig. 4 may enable a user enrolled in a first application 84 to enroll in a second application 85 using enrollment authentication credentials of the first application 84.
- a user may initiate enrollment processes for the second application 85 at block 140. That is, the user may access a keypad, mouse, microphone, electronic notepad/palm pilot or some other input device to select an interface option of a display.
- the second application 85 may conventionally prompt the user to provide data and credentials necessary for enrollment at block 142.
- Credential promotion processes initialized at block 146 of one embodiment may generally include or precede a determination of a trust network at block 148.
- Trust networks may be defined according to physical connectivity, system policy, user preferences, and/or application requirements, among other requirements.
- Trust networks typically include a grouping of networked devices having at least limited two-way connectivity. Trust networks may alternatively and/or additionally include independent, non-networked devices, such as found in a distributed Public
- trust network listings may be statically stored or dynamically generated depending upon system 80 capability and policy.
- the program code 42 may search a database having a field correlated to the user desiring access to the second application 85.
- the program code 42 may correlate that field to stored listings of networks and/or devices retrieved from the database and maintained in a linked relationship.
- Some such trust listings may be stored in associative relationship with a confidence rating assigned by a network administrator.
- An exemplary confidence rating may reflect perceived security in the respective trust network. For instance, a network administrator may assign a low confidence rating to a trust network having components located outside of their internal organization, as opposed to a network consisting only of users in that organization.
- Other trust networks may be determined from an evaluation of hardware registers and stored addresses retrieved from a user hard drive 146.
- program code 42 fails to locate a trust network associated with the user, application and/or local machine 100 at block 150, the user may be relegated to alternative enrollment processes at block 151. These alternative enrollment processes may include the repetitive credential submissions associated with conventional enrollment processes.
- program code 42 consistent with the principles of the invention may determine from where to retrieve a suitable enrollment BIR.
- exemplary program code 42 may determine the location of an application 84 in which the user has already completed enrollment processes.
- such location processes may involve the program code 42 accessing a designated application address stored in a local or network level register.
- Another embodiment may retrieve enrollment information from the local application 84 from which the user originally launched their request to enroll in the second application 85.
- the program code 42 of still another embodiment may permit the user to enter an address or other
- the new application 85 itself, may indicate a
- designated applications may be configured to accommodate different network
- the program code 42 at block 154 may then determine if the
- the application designated at block 152 is available and/or desirable. Such processes may include verifying that requisite permissions are in place for the user with regard to both the first and possibly the second applications.
- the program code 42 may then retrieve a single or a set of enrollment credentials used and stored in
- program code 42 may be
- program code 42 may further access
- the program code 42 may select only the enrollment credential associated with a highest confidence rating.
- an administrator may assign a higher confidence rating to a biometric authenticating credential than to a less correlative, conventional password credential.
- embodiment may select only one or two of the available authenticating credentials matching those types compatible with the second application 85. Still another
- embodiment may retrieve all authenticating credentials in anticipation of distinguishing between or sequencing through all available credentials at a later time.
- the program code 42 may retrieve capture credentials
- program code 42 may retrieve software associated with the designated biometric in preparation of the biometric challenge at
- the software may then launch an appropriate biometric test according to the preset parameters of the biometric verification sequence. For example, the software may initiate and display a user interface screen configured to cause the user to provide the capture credential.
- the capture credential may be of the type
- a voice authentication application may prompt the user, "Please speak into the
- program code 42 may determine a most appropriate
- the program code 42 may receive the capture data at block 158.
- some devices suited to receive such data can include a fingerprint or retinal scanner, DNA sampler, camera, radiation detector, microphone,
- comparison processes may
- match may be elevated or diminished at block 160 according to confidence ratings
- type of enrollment credential may affect correlation standards.
- the program code 42 may initiate the display of the exemplary browser window of Fig. 3 at block 162. In some instances, the program code 42 may cause the user to confirm their intent using an authentication credential process.
- a user may be prompted to submit a capture fingerprint signature in response
- the enrollment credential retrieved from the first application 84 may now be stored as the enrollment
- the second application 85 may store
- an embodiment of the present invention may record at block 168 the fact that a promotion process was accomplished for the user for accountability and security purposes. Additionally, the user may be required to submit another capture authenticating credential at block 170 prior to gaining access to the application at block 176. Similarly, it should be recognized by one skilled in the art that any of the method steps of Fig. 4 may be interchanged, augmented,
- Initializing credential promotion processes at block 144 of Fig. 4.
- Initialization options/headings shown at blocks 200, 216 and 226 of Fig. 5 exemplify certain presets that may be available to a network administrator configuring the program code 42
- the options 200, 216 and 226 may represent
- Initial screening processes to determine the applicability of credential promotion.
- Initialization of the processes in one embodiment may be automatic and/or keyed to an application or user.
- an embodiment may enable automatic initialization of
- system administrator or local user may request such promotion processes.
- a user's selection of an icon corresponding to a new application may automatically initiate
- program code 42 may be configured to determine
- the program code 42 may check a
- credential promotion processes are, in principle, compatible with all known authentication applications, a network administrator or code designer may nonetheless designate
- such designations can be stored within program code 42 incident at either or both the local machine 100 and the device having the new
- an embodiment may relegate the user to alternative
- system policy at block 204 may nonetheless preclude initiation of the program code 42. Such a system policy may be established for an
- system policies may apply to groupings or clusters of machines and/or particular users. While the motivations behind system policies may vary as
- a determination at block 206 that system policy precludes credential promotion processes may initiate alternative enrollment processes at block 151.
- embodiments may precede a hardware appraisal at the local machine 100 at block
- the program code 42 may determine whether an appropriate
- promotion processes may require a device configured to capture data corresponding to the retinal scan enrollment credential of the second application 85.
- the program code 42 at block 210 may subsequently determine whether a retinal scanner or acceptable alternative is available at the local machine.
- the program code 42 may merely establish at block 210 if any (type-nonspecific) biometric enrollment device is present at the local machine 100, while the program code 42 of another
- embodiment may alternatively look for a specific type of authentication equipment
- a next phase of Credential promotion code may be initiated at block 146.
- the second application 85 of another embodiment may launch program
- the program code 42 may determine if a suitable enrollment
- program code 42 may further initiate an evaluation of an individual user policy.
- a user policy may reflect an individual user's directive not to activate credential promotion.
- any number of additional checks and policies may be implemented into the exemplary sequence of the steps shown in Fig. 5. To this end, processes included in the flowchart may be
- a next phase of credential promotion may commence at block 146.
- the credential promotion processes associated with determining a trust network may be
- the program code 42 may alternatively or additionally determine the
- the user may click on a button, or check a dialog box labeled "BIR
- the button or other command mechanism may link to programmed
- the user initiated sequence beginning at block 226 may include policy and hardware checks similar or identical to those discussed in conjunction with blocks 201-206.
- the program code 42 may recognize at block 146 of Fig. 4 that
- credential promotion has been enabled. Regarding blocks 144 and 146 of Fig. 4, some computers and systems may not require such initialization processes, and may rather allow the user to proceed directly to block 148. Should it be determined that credential promotion is disabled or otherwise unavailable for the computer at block 148.
- Fig. 6 shows sequenced steps useful in determining from where to
- FIG. 6 shows exemplary programming options 282 - 288 that may be available to a network administrator or user configuring their promotion
- the application determination options 282 - 288 shown in Fig. 6 are included for exemplary purposes only.
- a network administrator may
- an administrator or user may alternatively configure the
- program code 42 to look toward the application 84 from which the user is attempting to access the second application 85 in order to find a suitable enrollment credential.
- embodiment at block 288 may take direction from the application 85 into which the user wishes to enroll for locating a suitable enrollment credential.
- program code 42 may retrieve a stored address from a database or register accessible to the client computer 100 that is executing the program code 42.
- the retrieved address may correspond to a predetermined application 84 from which it is desirable to retrieve the enrollment credential.
- the designation of the application 84 may be made by the user or a network administrator, and may be substituted with another address as necessary.
- the program code 42 may then locate the application and/or enrollment credential at block 292.
- the program code 42 may verify that the enrollment credential is accessible at block 294. Should the program code 42 fail to locate or gain permission to the designated application at block 294, the program code 42 may look to a second address, if available at block 296.
- the program code 42 may evaluate the type of enrollment credential that is available in the second application to determine if it conforms with a system policy.
- a system policy may represent a rule set by a network administrator for an entire network regarding acceptable types of credentials. For instance, a network, and consequently, credential promotion processes executing within that network, may be configured to deny enrollment credentials that comprise voice recognition code.
- the local user at block 300 in addition to the application that they wish to enroll in at block 302, may place constraints on what types of enrollment credentials are permitted. Thus, program code 42 may conduct evaluations in view of these local and application policies at blocks 300 and 302, respectively.
- the program code 42 may select a most appropriate enrollment credential from those located at block 292 by accessing confidence ratings.
- Exemplary confidence ratings may be assigned by a user or network administrator to each type of credential and/or each application in a trust network.
- the confidence rating of one embodiment may be indicative of the level of perceived security associated with its respective application or credential type. For instance, a higher confidence rating may be assigned to a fingerprint BIR than is assigned to a password of a user, by virtue of the BIR being more highly correlated to the user.
- a network administrator may assign a higher confidence rating to an application that is under their own supervision and maintenance than to a second application having less familiar and uncertain security practices.
- the program code 42 may process the confidence ratings assigned to available credentials at block 307 to determine a mathematical preference. That is, the program code 42 may analyze the confidence ratings of each enrollment credential of a located application 84 to determine a preferred enrollment credential. Such analysis may include combining different confidence ratings assigned to different attributes of the same enrollment credential. For instance, an iris scan may have both a first confidence rating of "8.5" by virtue of its credential type and a second confidence rating of "7.0" derived from the first application in which the user originally enrolled.
- the program code 42 of one embodiment may take some product or other weighted function of the two confidence ratings to arrive at a single confidence rating. The code may alternatively focus on only the one assignment of the two deemed more significant from a security standpoint, for instance.
- Confidence ratings for purposes of this specification, should be understood to include mere user/network preferences, and thus should not be limited to applications involving security considerations. Such ratings may have equal applicability with regard to processing considerations, personal tastes and conveniences, among other factors.
- One skilled in the art should appreciate that numerous other tests and evaluations may be implemented to suit application requirements, and while any of these may be omitted, other suitable application selection processes may be added in accordance with the principles of the present invention.
- One such additional selection process is shown at block 306.
- the program code 42 at block 306 may determine from registers located on the user's current machine whether credential capture devices installed on the machine align with the type of credential data stored at the location designated at block 290.
- the user may be relegated to an alternative enrollment process at block 151, or a second address at block 296.
- Another embodiment may respond to a policy failure by transitioning to another enrollment credential determination option at blocks 284 - 288.
- the program code 42 may retrieve the designated enrollment credential at block 156. As discussed herein, such retrieval processes may involve downloading of bitstream or other data descriptive of the enrollment credential to the local machine 100 of the user.
- Another enrollment option represented at block 284 of Fig. 6 may access enrollment credential data corresponding to the application 84 from which the user is attempting to enroll into the second application 85.
- the program code 42 may look to registers of the local computer 100 to determine at block 308 what application 84 the user is utilizing. Having retrieved the applicable address from local memory at block 308, the program code 42 may locate the application 84 and, more particularly, where the enrollment BIR is stored at block 309. The program code 42 may evaluate the stored enrollment credential in consideration of system policies as discussed above at block 310, as well as local policies at block 312. Where the located enrollment BIR conforms with the exemplary policies of blocks 310 and 312, the program code 42 may initiate retrieval of the enrollment BIR corresponding to the local application at block 156.
- the system, local, application and other policies discussed in the context of Fig. 6 may be accomplished alternatively at other points along the flowchart of Fig. 4. Another embodiment may omit them altogether, while still according with the principles of the present invention.
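The selection logic of Fig. 6 (blocks 290-312) combines policy screening with a confidence-rating preference. The following is an added example, not code from the patent or its applicant: it folds the type rating and source-application rating into one score (the text leaves the weighting function open; the product rescaled to 0-10 is an assumption here), rejects candidates that a system, local or application policy or a missing capture device rules out, and returns the best survivor or `None` as the cue to fall back to conventional enrollment at block 151. The application names, ratings and policy sets are constructed sample data.

```python
# Added example (not from the patent): selecting which enrollment credential to
# promote, in the manner of Fig. 6 blocks 290-312. Application names, ratings
# and policy sets below are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class EnrollmentCredential:
    app: str            # application 84 holding the enrollment (assumed name)
    kind: str           # credential type: "iris", "fingerprint", "voice", "password", ...
    type_rating: float  # administrator confidence in the credential type, 0-10
    app_rating: float   # administrator confidence in the source application, 0-10


def combined_rating(cred: EnrollmentCredential) -> float:
    """Fold the two ratings into one score on the 0-10 scale.

    The patent text only says "some product or other weighted function";
    the product rescaled by /10 is this example's assumption.
    """
    return cred.type_rating * cred.app_rating / 10.0


@dataclass(frozen=True)
class PromotionPolicy:
    system_denied: frozenset    # types denied network-wide (block 298)
    local_denied: frozenset     # types the local user refuses (block 300)
    app_accepted: frozenset     # types the second application 85 can store (block 302)
    capture_devices: frozenset  # types the local machine can capture (block 306)
    min_rating: float = 0.0     # floor on the combined rating (assumed)


def rejection_reason(cred: EnrollmentCredential, policy: PromotionPolicy) -> Optional[str]:
    """Return why a candidate is unusable, or None if it passes every check."""
    if cred.kind in policy.system_denied:
        return "denied by system policy"
    if cred.kind in policy.local_denied:
        return "denied by local user policy"
    if cred.kind not in policy.app_accepted:
        return "type not accepted by second application"
    if cred.kind not in policy.capture_devices:
        return "no matching capture device on local machine"
    if combined_rating(cred) < policy.min_rating:
        return "combined confidence rating below floor"
    return None


def select_credential(candidates: Iterable[EnrollmentCredential],
                      policy: PromotionPolicy
                      ) -> Tuple[Optional[EnrollmentCredential], Dict[Tuple[str, str], str]]:
    """Pick the highest-rated candidate that passes policy.

    Returns (chosen, rejections). chosen is None when nothing qualifies,
    which is the cue to fall back to conventional enrollment (block 151).
    """
    rejections: Dict[Tuple[str, str], str] = {}
    usable: List[EnrollmentCredential] = []
    for cred in candidates:
        reason = rejection_reason(cred, policy)
        if reason is None:
            usable.append(cred)
        else:
            rejections[(cred.app, cred.kind)] = reason
    if not usable:
        return None, rejections
    # Highest combined rating wins; ties go to the higher type rating, since
    # that reflects how strongly the credential is bound to the person.
    best = max(usable, key=lambda c: (combined_rating(c), c.type_rating))
    return best, rejections


# Constructed sample data: four enrollments the user already holds.
CANDIDATES = (
    EnrollmentCredential("hr_portal", "iris", 8.5, 7.0),  # the text's 8.5 / 7.0 iris example
    EnrollmentCredential("badge_system", "fingerprint", 9.0, 9.0),
    EnrollmentCredential("phone_ivr", "voice", 6.0, 8.0),
    EnrollmentCredential("legacy_login", "password", 3.0, 9.5),
)

DEFAULT_POLICY = PromotionPolicy(
    system_denied=frozenset({"voice"}),  # the "deny voice recognition" rule from the text
    local_denied=frozenset(),
    app_accepted=frozenset({"iris", "fingerprint", "password"}),
    capture_devices=frozenset({"iris", "fingerprint"}),
    min_rating=5.0,
)

if __name__ == "__main__":
    chosen, rejected = select_credential(CANDIDATES, DEFAULT_POLICY)
    print("promote:", chosen)
    for key, why in rejected.items():
        print("skip", key, "->", why)
```

Keeping the rejection reasons alongside the choice matters in practice: the record of why a higher-rated source was skipped is what an administrator reviews when a promotion is later questioned, and it is cheap to emit at the point where the decision is made.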
- another or the same embodiment may allow the user to designate from which application the enrollment credential should be retrieved.
- the program code 42 may prompt the user to enter an address or other identifier correlated to an application 84 in which they are already biometrically enrolled. The prompt may originate from the program code 42 in connection with the application that the user desires to enroll in. In one embodiment, a drop-down list of applications into which the user is already enrolled may be displayed at the user terminal.
- the program code 42 at block 314 may order at the top of the list those applications into which the user has most recently enrolled. Such arrangement may encourage retrieval of the most up-to-date authentication credentials of the user.
- An administrator may set the number of applications displayed according to system policy and performance considerations.
- Fig. 7 shows a suitable dialog box 74 having such a text field 77 and drop-down box 75.
- the user may scroll down the drop-down box to select the name of a desired application at block 316. If the name of the desired application is not displayed by the computer 100 at block 314 of Fig. 6, the embodiment may present the user with the option of typing the name of the application into a text field 77.
- the user may submit the name of the application by depressing the button
- the user may alternatively end a credential promotion session by
- the program code 42 may then locate at block 317 of Fig. 6 the user-designated enrollment credential and/or application. Presuming the program code 42 succeeds in locating the user-designated address at block 317, system and local level
- the user may also set a preference for future enrollment sessions at block 323. For instance, a user may stipulate a preference for using an enrollment BIR from a particular application. Should such a preference be designated at block 323.
- program code 42 can recall the preference at block 316 of a subsequent promotion
- the user may not wish to set a preference at block 323, or an administrator may disable such an option, altogether.
- This second, desired application 85 may instruct the program code 42 to look to a predetermined field or register at block 290.
- a predetermined field may be generic to all applications/computers anticipated to interact with the second application 85.
- a suitable address or field designated by the second application 85 may include one that corresponds to the enrollment credential of the application that the user is currently accessing.
- the program code 42 may retrieve the address and locate the identified enrollment credential/application at block 290.
- An embodiment may scrutinize the application-designated enrollment credential using local and system policies at blocks 294 and 296 prior to retrieving the approved enrollment credential at block 156.
- the sequence beginning at block 288 may additionally include an evaluation of BIR enrollment device
- the present invention may accommodate such updates as may be made to existing enrollment authentication data. For instance, where a user updates an enrollment credential for a first application 84, that updated enrollment credential may be automatically transferred to the second application 85 for use as its own enrollment credential. In this manner, a single update may be used to simultaneously update two or more applications using promotion processes.
- Fig. 8 shows one such scenario consistent with the principles of the present invention.
- the enrollment credential of the first application 84 has been stored as the enrollment credential for the second application 85, as discussed in the text describing Figs. 1-3.
- the user may initiate an event 402-406 that may affect the enrollment credential of the first
- the user may re-register, or update, their enrollment BIR at block 402.
- the program code 42 may store the newly registered
- the user may enroll a new enrollment credential type in
- enrollment BIR may additionally store a BIR directed to a cranial measurement.
- the program code 42 may store the additional enrollment credential at block 408.
- the user may alternatively substitute a new type of enrollment credential for their existing enrollment BIR at block 406. After accomplishing the new type of
- the old type of enrollment BIR may be deleted at block 408 with the new enrollment credential being stored in its place.
- the same user at block 410 may subsequently seek and be granted access to the second application at blocks 410-414.
- the second application may verify the identity of the user at block 412 by utilizing the enrollment BIR originally stored at block 400.
- an embodiment may call for the
- program code 42 to determine if a change to the enrollment BIR of the first
- the program code 42 may monitor registers
- the program code 42 may
- a subsequent response received from the user may cause the program code 42 to download the newly-registered credential from the first application 84 at block 420.
- the original enrollment credential may be retained at block 417.
- the program code 42 may ask the user to confirm their desire with a submission of a capture credential. The capture credential may be matched against the existing enrollment credential.
- the program code 42 may allow a user or network administrator to disable the verification processes of blocks
- Still another scenario consistent with the principles of the present invention may automatically update the enrollment credential of a second application in response to the user updating their credential in the first application.
- the newly stored credential of the first application 84 may be downloaded to the local computer 100 of the user.
- the downloaded credential from the first application 84 may not yet be stored as the enrollment credential for the second application 85.
- the program code 42 of such an embodiment may first prompt the user to authenticate against the downloaded authentication credential. Such precaution may guard against security risks, while ensuring that the user will continue to have access to the second application 85.
- the program code 42 may prompt the user to submit a new capture credential at block 424.
- the new capture credential will be the same type of enrollment credential as that of the enrollment credential retrieved from the first application.
- the program code 42 of another or the same embodiment may include tests at block 423 designed to determine the appropriateness of the downloaded enrollment credential. Such tests may include system and local policy instructions, as
- block 422 may cause the program code 42 to store the new enrollment credential as the enrollment credential for the second application at block 400.
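Two steps in the description hinge on the same check: a promotion is stored only after a fresh capture matches the retrieved enrollment BIR and the event is recorded (Fig. 4, blocks 158-168), and an updated enrollment from the first application replaces the second application's copy only after the user authenticates against the downloaded credential, otherwise the original is retained (Fig. 8, blocks 417-424). The following is an added example, not code from the patent or its applicant, covering both. BIRs are modelled as fixed-length bit strings compared by fractional Hamming distance, the threshold is tightened as the source's confidence rating drops (the base threshold and per-point adjustment are assumptions, as is the choice of distance), and the sample codes and user/application names are constructed.

```python
# Added example (not from the patent): matching a capture BIR against a
# promoted enrollment BIR with an audit record (Fig. 4 blocks 158-168), and
# accepting an updated enrollment only after re-authentication against it
# (Fig. 8 blocks 417-424). BIRs, thresholds and names are constructed.
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional


def hamming_fraction(a: bytes, b: bytes) -> float:
    """Fraction of differing bits between two equal-length BIRs."""
    if len(a) != len(b):
        raise ValueError("BIR length mismatch")
    differing = sum(bin(x ^ y).count("1") for x, y in zip(a, b))
    return differing / (8 * len(a))


def match_threshold(confidence: float, base: float = 0.32, per_point: float = 0.01) -> float:
    """Allowed distance, tightened as confidence in the source drops (block 160).

    A source rated 10 gets the base threshold; each point below removes
    per_point. Both numbers are assumptions of this example.
    """
    return base - per_point * (10.0 - confidence)


def bir_matches(enrollment: bytes, capture: bytes, confidence: float) -> bool:
    return hamming_fraction(enrollment, capture) <= match_threshold(confidence)


@dataclass
class SecondApplication:
    """Application 85: the enrollment it holds plus an accountability log."""
    enrollment: Optional[bytes] = None
    audit: List[Dict[str, object]] = field(default_factory=list)

    def promote(self, user: str, source_app: str, source_enrollment: bytes,
                capture: bytes, confidence: float) -> bool:
        """Adopt the first application's enrollment only after a fresh
        capture matches it; log the outcome either way (block 168)."""
        ok = bir_matches(source_enrollment, capture, confidence)
        if ok:
            self.enrollment = source_enrollment
        self.audit.append({"event": "promotion", "user": user,
                           "source": source_app, "accepted": ok})
        return ok

    def accept_update(self, user: str, source_app: str, new_enrollment: bytes,
                      capture: bytes, confidence: float, policy_ok: bool) -> bool:
        """Replace the held enrollment with the updated one only if policy
        allows it and the user authenticates against the downloaded
        credential; otherwise retain the original (block 417)."""
        ok = policy_ok and bir_matches(new_enrollment, capture, confidence)
        if ok:
            self.enrollment = new_enrollment
        self.audit.append({"event": "update", "user": user,
                           "source": source_app, "accepted": ok})
        return ok


def flip_bits(bir: bytes, positions: Iterable[int]) -> bytes:
    """Constructed noise: flip the given bit positions of a BIR."""
    out = bytearray(bir)
    for pos in positions:
        out[pos // 8] ^= 1 << (pos % 8)
    return bytes(out)


# Constructed 256-bit sample codes.
ENROLLMENT_BIR = bytes(range(32))                                 # held by application 84
GENUINE_CAPTURE = flip_bits(ENROLLMENT_BIR, [3, 70, 150, 200])   # 4 of 256 bits differ
IMPOSTOR_CAPTURE = bytes(b ^ 0x55 for b in ENROLLMENT_BIR)        # exactly half the bits differ
UPDATED_BIR = flip_bits(ENROLLMENT_BIR, range(0, 256, 3))         # re-registered code (block 402)
UPDATED_CAPTURE = flip_bits(UPDATED_BIR, [9, 99, 199])            # fresh capture against it


def run_demo() -> Dict[str, object]:
    app85 = SecondApplication()
    results: Dict[str, object] = {}
    results["impostor_promotion"] = app85.promote("alice", "hr_portal", ENROLLMENT_BIR, IMPOSTOR_CAPTURE, 7.0)
    results["genuine_promotion"] = app85.promote("alice", "hr_portal", ENROLLMENT_BIR, GENUINE_CAPTURE, 7.0)
    # An update is refused when the capture does not match the downloaded code ...
    results["impostor_update"] = app85.accept_update("alice", "hr_portal", UPDATED_BIR, IMPOSTOR_CAPTURE, 7.0, True)
    results["kept_original"] = app85.enrollment == ENROLLMENT_BIR
    # ... or when policy forbids it (block 423), and accepted otherwise.
    results["policy_blocked"] = app85.accept_update("alice", "hr_portal", UPDATED_BIR, UPDATED_CAPTURE, 7.0, False)
    results["fresh_update"] = app85.accept_update("alice", "hr_portal", UPDATED_BIR, UPDATED_CAPTURE, 7.0, True)
    results["audit_entries"] = len(app85.audit)
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The ordering is the point: the second application never writes an enrollment it has not seen the user match against, so a compromised or stale record in the first application cannot silently become the second application's credential, and every accepted or refused promotion leaves an entry for later review.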
- features of the present invention allow a user who is authenticated in one application to enroll in a different application without having to accomplish conventional enrollment processes. That is, an authenticated user who is
- already enrolled into a first computer application 84 may automatically transfer the enrollment credential of the first computer application 84 to a second application 85.
- the user may enroll in the second application 85 without having to repetitively resubmit capture credentials to create an enrollment credential for a single application
- enrollment credentials may be automatically established
- the application 84 then becomes available for matching against a capture credential that is correlated to the user. While a capture credential submitted by a user will suffice, the capture credential used to establish an enrollment credential may alternatively be retrieved from memory. Where so configured, a recently stored capture BIR may be
- inventions may obviate the need for the user to submit a capture credential in order to be enrolled.
- the enrollment credential of the first application 84 is stored
- a single authentication credential may be simultaneously promoted to several applications, thus enrolling the user instantly in a multitude of applications.
- Such a feature of the present invention may mitigate lengthy time demands associated with conventional enrollment practices. As discussed above, similar features of the
- embodiments of the present invention can enable further time savings and efficiencies.
- identification information may be encrypted at any step delineated in the above
- a program that locally stores BIR data in response to a successful login/enrollment may be complemented by features of the present invention.
- program may cause an accessing user to provide capture BIR data to a local computer
- the present invention may
- Such enrollment data may have application for facilitating enrollment for remote
Priority Applications (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US10/398,355 US20040059590A1 (en) | 2002-09-13 | 2002-09-13 | Credential promotion |
PCT/US2002/029166 WO2004025495A1 (en) | 2002-09-13 | 2002-09-13 | Credential promotion |
AU2002326897A AU2002326897A1 (en) | 2002-09-13 | 2002-09-13 | Credential promotion |
EP02761650A EP1540509A1 (en) | 2002-09-13 | 2002-09-13 | Credential promotion |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/US2002/029166 WO2004025495A1 (en) | 2002-09-13 | 2002-09-13 | Credential promotion |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2004025495A1 true WO2004025495A1 (en) | 2004-03-25 |
Family
ID=31989880
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/US2002/029166 WO2004025495A1 (en) | 2002-09-13 | 2002-09-13 | Credential promotion |
Country Status (3)
Country | Link |
---|---|
EP (1) | EP1540509A1 (en) |
AU (1) | AU2002326897A1 (en) |
WO (1) | WO2004025495A1 (en) |
Legal status (2002)
- 2002-09-13 WO PCT/US2002/029166 patent/WO2004025495A1/en not_active Application Discontinuation
- 2002-09-13 AU AU2002326897A patent/AU2002326897A1/en not_active Abandoned
- 2002-09-13 EP EP02761650A patent/EP1540509A1/en not_active Withdrawn
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112883360A (en) * | 2021-01-29 | 2021-06-01 | 平安科技(深圳)有限公司 | Intelligent registration method and device of application program, computer equipment and storage medium |
CN112883360B (en) * | 2021-01-29 | 2023-10-17 | 平安科技(深圳)有限公司 | Intelligent registration method and device for application program, computer equipment and storage medium |
Also Published As
Publication number | Publication date |
---|---|
AU2002326897A1 (en) | 2004-04-30 |
EP1540509A1 (en) | 2005-06-15 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| WWE | Wipo information: entry into national phase | Ref document number: 10398355 Country of ref document: US |
| AK | Designated states | Kind code of ref document: A1 Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ OM PH PL PT RO RU SD SE SG SI SK SL TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW |
| AL | Designated countries for regional patents | Kind code of ref document: A1 Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR IE IT LU MC NL PT SE SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG |
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | |
| WWE | Wipo information: entry into national phase | Ref document number: 2002761650 Country of ref document: EP |
| WWP | Wipo information: published in national office | Ref document number: 2002761650 Country of ref document: EP |
| NENP | Non-entry into the national phase | Ref country code: JP |
| WWW | Wipo information: withdrawn in national office | Country of ref document: JP |