Magnetic strip cards have been widely used for controlling access by individuals to information, rooms and financial transaction instruments. Typically, the individual must “swipe” the card through a magnetic strip reader and provide a personal identification number (PIN) in order to be identified as an authorized user of the card. This system suffers from several disadvantages, including the tendency of individuals to forget an assigned PIN, or to seriously compromise the security of an assigned PIN by writing it down in close proximity to the card. Similarly, individuals tend to select PINs that are easily remembered and that often have a personal significance, such as a birth date; such PINs are easily guessed by an unauthorized individual. Accordingly, magnetic strip cards are convenient, but do not provide a high level of security.
In order to provide increased control, security, and fault tolerance, many organizations implement their security access functionality on a server. Thus, each time an individual authenticates within a network environment, the individual provides authentication data that is then transmitted securely to the server, which performs the authentication. In this fashion, security data is not transmitted from the server, and the maintenance and fault tolerance of the system rely on a single computer, which can be maintained at intervals and can be backed up. When used with passwords of 8 characters each, a server must receive 8 characters, retrieve 8 characters and compare the two sets of 8 characters. The result is then transmitted to the workstation, which one of authenticates, identifies, or neither authenticates nor identifies the individual. Thus, for each authentication process approximately 25 operations are performed. For a 1 GHz processor, this allows up to 10 million users for a network specification allowing a delay of up to 0.25 second. This is more than enough for nearly all applications.
When the same server is used with a biometric identification process, the server receives considerably more data. For example, for a fingerprint an image having 250,000 pixels is provided. If the pixels have a depth of 1 bit, this results in about 30 KB of data. This data must be received in a secure fashion, decoded, analyzed to extract a core thereof, analyzed to extract features relative to the core, and then the features are analyzed to extract data relating thereto. The extracted data is then compared to stored template data to determine a likelihood of an accurate match. Such a process may take 0.1 seconds or more. Unfortunately, as organizations grow, the single security server approach to biometric identification becomes limiting. When 36,000 workstations are coupled to a single server, the maximum delay is approximately one hour. Even for 3,600 workstations, the maximum delay is 6 minutes, far above the 0.25 sec specification set out above. Thus, there is a need for more flexible verification techniques to support the centralized management and performance requirements of larger organizations.
One technique to enhance performance while maintaining the centralized server architecture is to add security processors to the network. Unfortunately, even if the biometric identification process were limited to 0.01 seconds, meeting the 0.25 second requirement would allow only 25 users per server. This is costly and presents the problem of managing a large number of servers. It is highly advantageous to have a single server solution to reduce back-up and redundancy costs and to facilitate management of the server.
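The capacity figures in the three preceding paragraphs all follow from one simple model: a single server verifies requests one after another, so if every workstation submits at once, the last one waits for all the others. The following Python script is an added example (not part of the patent text) that carries that model through for both the password and the biometric case and reproduces the document's numbers; the constants (25 operations per password check, a 1 GHz clock, 0.1 s or 0.01 s per biometric verification, a 0.25 s delay budget) come from the text, while the assumption that requests are fully serialized and arrive simultaneously is the worst case the document's arithmetic implies. Exact rational arithmetic is used so that boundary cases such as 0.25 / 0.01 come out as 25 rather than 24.999….

```python
"""Capacity model for a single authentication server (added example).

Assumes (as the document's figures imply) that verifications are processed
serially and that every workstation may request verification at the same
moment, so the worst-case delay is workstations * per-request time.
"""
import math
from fractions import Fraction

# Constants taken from the document.
PASSWORD_OPERATIONS = 25          # operations per 8-character password check
CLOCK_HZ = 10**9                  # 1 GHz processor
PASSWORD_SECONDS = Fraction(PASSWORD_OPERATIONS, CLOCK_HZ)   # 25 ns per check
BIOMETRIC_SECONDS = "0.1"         # fingerprint verification, 0.1 s or more
FAST_BIOMETRIC_SECONDS = "0.01"   # hypothetical 0.01 s verification
DELAY_BUDGET = "0.25"             # network specification: 0.25 s maximum delay


def _exact(x):
    """Convert a float, int, str or Fraction to an exact Fraction.

    Going through str() turns 0.01 into 1/100 rather than the nearest
    binary float, which matters when dividing at exact boundaries.
    """
    return x if isinstance(x, Fraction) else Fraction(str(x))


def max_users(per_request_seconds, max_delay_seconds):
    """Largest number of simultaneous users one server can serve in budget."""
    return math.floor(_exact(max_delay_seconds) / _exact(per_request_seconds))


def worst_case_delay(workstations, per_request_seconds, servers=1):
    """Seconds the last of `workstations` waits when all request at once."""
    return _exact(workstations) * _exact(per_request_seconds) / servers


def servers_needed(workstations, per_request_seconds, max_delay_seconds):
    """Servers required so that the worst-case delay stays within budget."""
    return math.ceil(worst_case_delay(workstations, per_request_seconds)
                     / _exact(max_delay_seconds))


if __name__ == "__main__":
    print("password users per server:", max_users(PASSWORD_SECONDS, DELAY_BUDGET))
    print("biometric users per server:", max_users(BIOMETRIC_SECONDS, DELAY_BUDGET))
    print("0.01 s biometric users per server:",
          max_users(FAST_BIOMETRIC_SECONDS, DELAY_BUDGET))
    for n in (36000, 3600):
        secs = worst_case_delay(n, BIOMETRIC_SECONDS)
        print(f"{n} workstations, one biometric server: "
              f"{float(secs) / 60:.0f} min worst case")
    print("servers for 36,000 biometric workstations:",
          servers_needed(36000, BIOMETRIC_SECONDS, DELAY_BUDGET))
```

Running the script shows why the document treats the password case as solved and the biometric case as a scaling problem: the same 0.25 s budget yields 10,000,000 password users per server but only 2 biometric users (25 at the hypothetical 0.01 s), and a fleet of 36,000 workstations would need thousands of serial biometric servers to stay within budget.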
It is therefore an object of the instant invention to provide a method of identifying an individual for execution on a server for serving many workstations that overcomes some of the limitations of the prior art.