Computer security is fast becoming an important issue. With the proliferation of computers and computer networks into all aspects of business and daily life—financial, medical, education, government, and communications—the concern over secured file access is growing. Using passwords is a common method of providing security. Password protection and/or combination type locks are employed for computer network security, automatic teller machines, telephone banking, calling cards, telephone answering services, houses, and safes. These systems generally require the knowledge of an entry code that has been selected by a user or has been pre-set.
Pre-set codes are often forgotten, as users have no reliable method of remembering them. Writing down the codes and storing them in close proximity to an access control device (i.e. the combination lock) results in a secured access control system with a very insecure code. Alternatively, the nuisance of trying several code variations renders the access control system more of a problem than a solution.
Password systems are known to suffer from other disadvantages. Usually, a user specifics passwords. Most users, being unsophisticated users of security systems, choose passwords that are relatively insecure. As such, many systems protected by passwords are easily accessed through a simple trial and error process.
A security access system that provides substantially secured access and does not require a password or access code is a biometric identification system. A biometric identification system accepts unique biometric information from a user and identifies the user by matching the information against information belonging to registered users of the system. One such biometric identification system is a fingerprint recognition system.
In a fingerprint input transducer or sensor, a finger tip is usually pressed against a flat surface, such as a side of a glass plate. The ridge and valley pattern of the finger tip is sensed by a sensing means such as an interrogating light beam. Fingerprint characterization is well known and involves many aspects of fingerprint analysis.
An example of the use of fingerprint for securing access to a protected system is provided by the U.S. Pat. No. 5,229,764 to Matchett et al. There is disclosed a method of continuously analyzing biometric data from a biometric input device at intermittent intervals and selectively granting or denying access to a particular protected system based on the biometric input. The system is a continuous biometric authentication, which reads from a variety of biometric personal identification devices. The system acts as a continuously functioning “gate” between a protected system and a prospective user. Biometric data pertaining to a prospective user is stored for reference within the system. Upon a prospective user wishing to gain access to the protected system the user must interface with the system, which compares the prospective user's biometric data to the stored reference data. This comparison must not only be acceptably close in similarity in order to gain access to the protected system, it must also continue to be close in subsequent comparisons in order for access to the protected system or device to continue.
Computer networks typically store information such as user profiles, user authorization for access and vast amounts of data. End user terminals are a critical component of the computer network, in that they provide external access to the network by offering a means of transmitting input data to the network and by offering a means of reading information from the network. Each of these terminals poses a security risk to data stored on the network and controlling unauthorized access to the data stored on the network is of critical importance. Though biometric authentication is a secured means of identifying a user, it has not penetrated the marketplace sufficiently to be implemented on most desktop computers. Furthermore, most end user terminals are not equipped with a biometric data input device. Since most forms of biometric authentication require specialized hardware, market penetration is slow and requires both acceptance of the new hardware and a pressing need.
Typical uses of user authentication include system access, user identification, and access to a secured key database. Often a secured key database is encrypted with a key that is accessible through user authentication or identification.
Key management systems are well known. One such system, by Entrust® Technologies Limited, is currently commercially available. Unfortunately, current key management systems are designed for installation on a single computer for use with a single fixed user authorization method and for portability between computers having a same configuration. As such, implementation of enhanced security through installation of biometric input devices is costly and greatly limits portability of key databases. Password based protection of key databases is undesirable because of the inherent insecure nature of most user selected passwords.
In the past, a system was provided with a single available security system. Typically, prior art systems require a password. Alternatively, a system could require a password and a biometric, or another predetermined combination of user authorization information. Unfortunately, passwords are inherently insecure. Further, because of the limited number of workstations equipped with biometric scanners and so forth, it is difficult to implement a system secured with biometrics.
One variation in the above systems is access from external locations. Typically, organisations have a further security process for remote access to their sites, the further process required passing through a gateway into their sites. Thus, a user wishing remote access to a system must pass a first level of security to gain access to the network and another level of security to gain access to data stored therein. Both of these security processes are fixed and are implemented automatically when users try to pass through secured access gateways.
It would be advantageous to provide a method of user authorization that is flexible enough to work on different workstations and to accommodate user needs of different users at those different workstations. It is therefore an object of the invention to determine an authorization procedure for execution on a workstation based upon stored policy data.