The present invention is directed to an authentication system that dynamically optimizes biometric authentication processing in an IT system by drawing upon the distribution of user usage of terminals, thereby improving the performance of the authentication processing.
Prior art authentication in IT systems based on biometric information typically involves replacing password-based authentication of a user's identity, such as a user ID, with authentication based on some characteristic inherent to the user, such as fingerprints or retina patterns or other characteristics as is known to the art. These inherent characteristics are commonly called “biometrics”. In this context, the authentication processing takes the form of so-called “1:1 authentication”, in which biometric data of the user is compared at the time of an authentication process with registered data of the same, single user.
With the recent trend toward requiring a high level of security in IT systems, high-accuracy biometric authentication is important.
However, this type of high-accuracy biometric authentication also consumes system CPU power and sometimes results in a long authentication time. Because biometric authentication requires comparing the input data against different stored data, the calculation load of the process is high and the authentication time is long.
In some environments, a single terminal might be used by many users in a shared manner. For example, cash registers at a supermarket or check-in terminals at an airport might be used by more than one cashier or airline clerk.
The identification of users in such a shared environment could be done by having each user sign out when they leave the terminal, and requiring each new user to sign in before they can use the terminal. If each user has to input their ID prior to the biometric authentication, this type of authentication is termed “1:1 type authentication”. In this case, authentication is done by matching against the specified data, and results in a constant-load transaction.
Requiring the users to log in and out frequently can be problematic in shared terminal environments, where cashiers or airline clerks or the like may swap in and out on a single terminal many times in an effort to keep customer lines moving. In this case, it is desirable not to have each user log on and log off, but rather to log in to the terminal with a single common account instead of an individual user account, and then to use biometric authentication of each user as they begin to use the already logged-on terminal. The number of potential registered users for any terminal in such an environment might be in the hundreds, all using the single common account. Performing authentication of the users on the common account is termed “1:N type authentication”, where one account has “N” potential users.
It will be appreciated that authentication relying on biometric data derived from the users needs, by its very nature, to be performed quickly if there is to be a performance improvement over simply requiring the traditional user-ID based log on and log off for each user. Moreover, this process has to be performed while the system is more heavily loaded than with standard 1:1 authentication, which understandably and inevitably causes delays in the required processes.
Since this type of usage requires high-speed authentication, there is a need for high-speed processing using biometric authentication.
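The load difference between 1:1 and 1:N authentication described above, as an added illustration that is not part of the patent text: a toy matcher counts template comparisons for a claimed-ID check, an unordered 1:N scan, and a 1:N scan ordered by how often each user has used the terminal. The bit-string templates, Hamming threshold, user IDs and all function names are constructed assumptions, and the usage ordering is only one way to picture the usage-distribution idea from the opening paragraph, not the claimed method.

```python
import random

TEMPLATE_BITS = 256
MATCH_THRESHOLD = 40  # constructed: max Hamming distance accepted as a match

def hamming(a: int, b: int) -> int:
    return bin(a ^ b).count("1")

def make_enrollment(n_users: int, seed: int = 7) -> dict:
    """Constructed enrollment database: user ID -> random bit-string template."""
    rng = random.Random(seed)
    return {f"user{i:03d}": rng.getrandbits(TEMPLATE_BITS) for i in range(n_users)}

def noisy_sample(template: int, flips: int, seed: int) -> int:
    """Simulate a fresh capture: the enrolled template with a few bits flipped."""
    rng = random.Random(seed)
    for bit in rng.sample(range(TEMPLATE_BITS), flips):
        template ^= 1 << bit
    return template

def verify_1_to_1(enrolled: dict, claimed_id: str, sample: int):
    """1:1: the user supplies an ID, so exactly one template is compared."""
    return hamming(enrolled[claimed_id], sample) <= MATCH_THRESHOLD, 1

def identify_1_to_n(enrolled: dict, sample: int, order=None):
    """1:N: no ID is supplied; scan candidates until one is within threshold.

    Returns (user_id or None, comparisons). Stopping at the first hit is only
    safe when the threshold keeps different users' templates well apart.
    """
    comparisons = 0
    for uid in (order if order is not None else enrolled):
        comparisons += 1
        if hamming(enrolled[uid], sample) <= MATCH_THRESHOLD:
            return uid, comparisons
    return None, comparisons

def order_by_terminal_usage(enrolled: dict, usage_counts: dict) -> list:
    """Most frequent users of this terminal first; unseen users keep DB order."""
    return sorted(enrolled, key=lambda uid: -usage_counts.get(uid, 0))

if __name__ == "__main__":
    db = make_enrollment(300)
    probe = noisy_sample(db["user250"], flips=10, seed=1)
    usage = {"user250": 90, "user003": 40}  # constructed per-terminal history
    print(verify_1_to_1(db, "user250", probe))
    print(identify_1_to_n(db, probe))
    print(identify_1_to_n(db, probe, order_by_terminal_usage(db, usage)))
```

A sample from someone who is not enrolled always costs the full N comparisons, whatever the ordering, so candidate ordering only reduces the load for users who are actually registered.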
Many existing schemes realize acceleration in 1:N authentication through various approaches. In the following explanations, existing inventions directed to 1:N authentication acceleration approaches are classified into those that have relevance to the present invention and those of little or no relevance to the present invention. These existing systems may fall into the following classes:
Acceleration based on authentication logic: Acceleration by parallel authentication processing to carry out multiple authentication processes, multi-stage authentication by creation of representative data, etc. The authentication acceleration in parallel processing is not intended for reducing the entire system load associated with authentication. Acceleration through representative data does not consider the uneven distribution of the user authentication processes and tasks. Whether or not the representative data can be created depends on variations found in the user biometric authentication.
Techniques related to biometric authentication data: Features associated with increasing accuracy of biometric authentication data and providing additional information for the primary purpose of improvement in the biometric authentication accuracy among multiple entities. The primary purpose is to improve the authentication accuracy at the time of performing 1:N authentication rather than authentication acceleration as such.
Reducing the range of data by means of unique information: Acceleration by reducing the range of authentication data according to the content of the operational processes and tasks of each user using the service and the terminal ID of the terminal used in the service. Acceleration and screening per service user and per terminal is not satisfactory as an acceleration scheme, because in the environment envisaged here, where common accounts are used on multiple shared terminals, users do not consciously observe any constraint tying them to a unique terminal.
Optimization by similarity: Scores are calculated on the basis of the similarity in the obtained biometric information to achieve discontinuation and acceleration of authentication. Use of the similarity is a scheme of acceleration that depends on the biometric information held by the users, which is versatile but does not produce any significant effect in the context of this case.
Exemplary existing schemes, and the problems of the respective existing inventions, include the following:
Authentication acceleration through switching between 1:1 authentication and 1:N authentication: This method is directed to a scheme of acceleration by discrimination and switching between processes of 1:1 authentication and 1:N authentication. The existing acceleration scheme that switches between 1:1 and 1:N authentication uses, as the condition for selecting 1:1 authentication, the presence or absence of an ID entered by the user to be authenticated. In the environment for which acceleration should be achieved, it is assumed that accesses are made by users using the common account.
Acceleration through grouping: The acceleration approach through grouping is a scheme that realizes acceleration by grouping the numerous pieces of data subjected to authentication and managing the priority in the order of authentication and the like. This approach can be characterized as follows:
A) Reducing the range of data to be searched in subsequent rounds of authentication by simply creating a list of the pieces of information whose authentication has been successful. This is a problem in the common-account, multiple-user environment, where it is assumed that all users subjected to 1:N authentication perform the authentication on a daily basis, so simple successful authentication results cannot, in principle, be used in screening for acceleration.
B) Carrying out predetermined grouping at the time of authentication registration. The target environment is an environment where further acceleration is required between or among grouped users. Accordingly, acceleration by sorting at the time of authentication registration is not satisfactory as acceleration in the target environment.
C) Scheme related to re-configuration of grouped data. This is a scheme associated with maintaining optimization of the configuration of the group data and does not make much contribution to an environment where the target groups are substantially fixed.
D) Scheme related to screening by characteristics data in grouping. Effective where there are significant variations in the features of the biometric authentication data, as in face authentication and the like, but has only limited effect in finger vein authentication and the like.
Promoting efficiency by grouping of authentication data of the same person in 1:N authentication. Contributes to an increase in the authentication data of the same person but has only limited effect in increasing the group data.
Approaches for acceleration by grouping, 1:N switching and other relevant approaches abound, depending upon the respective problems addressed by the prior-art inventions.
However, these existing patent publications are often dependent upon the specific problems to which they are applied, and do not necessarily provide a versatile solution that covers all conceivable cases.