Computer security in a shared environment—e.g., healthcare or manufacturing—is essential for preventing unauthorized intruders from accessing sensitive or classified information within a computer system. One common authentication method is the use of a password selected by a particular user and stored in the system. Each new log-on session generates a prompt for the user to enter a log-in name and her password; the user is granted access to the computer system and/or network only when the provided information matches the pre-stored data. Although common, the log-in name/password scheme suffers from a variety of security vulnerabilities. For example, the stored information may be insufficiently protected (e.g., by encryption or hashing); and it may be retrieved, and thereafter used, by intruders seeking access to the system. Additionally, if a user is careless with his log-in name and/or password (e.g., by writing the log-in name and/or password in an accessible location, giving this information to an untrustworthy person, or choosing an easily-identifiable password), that carelessness may allow a third party to obtain unauthorized access to the system.
Another authentication method frequently used in computer security is the challenge authentication protocol, which provides a series of challenges and responses that must be correctly answered by a user in order to gain access to the computer system and/or network. However, the challenge and response pairs typically remain unchanged over a long period of time and are generated in the same sequence from session to session. An unauthorized user surreptitiously observing a user during a log-on event can often guess or deduce the proper responses.
Furthermore, authentication methods using either a log-in name and/or password approach or challenge protocols may be time-consuming and frustrating. For example, in healthcare, a doctor on rounds might access her institution's electronic medical records (EMR) system from a computer in the nursing station, from a bedside computer in a patient's room, or from a mobile smart phone/tablet that she carries, and then may proceed to perform a procedure. This sequence is repeated each time the clinician needs access to the EMR and thus demands a cumulatively large amount of time.
A traditional method for accelerating secure computer access requires a user to present a unique identifier (e.g., a radio-frequency identification (RFID) card or a fingerprint) to the computer. This approach, however, requires deployment of a suitable reader for every computer and an identifier card for every user; the cost of the system thereby escalates quickly for enterprises or institutions. Moreover, this and the other authentication methodologies discussed above depend on communications through a network, e.g., an institution's local area network (LAN) or the Internet. If a computer to which access is desired is temporarily or permanently disconnected from the network, authentication may be impossible for a particular user or require unique, local log-in procedures.
Accordingly, there is a need for an authentication approach that provides safe, easy and fast access to the computer, is inexpensive to implement, and can be designed to avoid the need for network communications via the computer to be accessed.