Recently, biometric authentication, which uses human biometric information, has come into wide use in computer security as a means of authentication that is more reliable than the conventionally used ID cards and passwords. Fingerprints, faces, irises, retinas, veins, palm shape, DNA, voice, signatures, ear auricles and the like are used as biometric information for biometric authentication. Among these methods, fingerprint-based biometric authentication technology mounted in mobile telephones and notebook PCs has advanced the most in practical application.
In biometric authentication, false acceptance errors, in which a false user is mistakenly authenticated, occur stochastically. It is therefore conceivable that a huge amount of biometric information could be used to raise the frequency of false acceptance, with the aim of stochastically causing a false acceptance error (a so-called “brute force attack”).
To reduce brute force attacks, password authentication and the like generally limit the number of authentication re-tries allowed over a fixed time period once multiple authentication errors have occurred.
Conversely, in biometric authentication, an authentication failure (true user refusal) may occur even though the user is the true user, due to variation in the obtained biometric information or environmental changes during authentication, so that the true user is authenticated only after several attempts. Thus, when an authentication error frequency limit for reducing brute force attacks is applied as-is to biometric authentication, some users may have difficulty being authenticated, which reduces convenience for the user.
In one approach, the biometric information of a failed authentication is stored. When the biometric information input at the time of an authentication failure demonstrates sameness with previously input biometric information, the failure is regarded as an authentication re-try from the same location of the user and is not counted in the number of authentication errors; when sameness is not demonstrated, the failure is counted. Authentication re-tries are limited when the limitation has been reached. This is discussed in, for example, Japanese Laid-open Patent Publication No. 2006-79537.
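The counting rule described above, sketched as an added example that is not taken from the cited publication. The feature-vector representation, the cosine-similarity test for "sameness", the threshold and the error limit are all assumptions chosen for illustration, and the sample vectors are constructed.

```python
import math

SAMENESS_THRESHOLD = 0.95  # assumed cosine-similarity cutoff for "sameness"
ERROR_LIMIT = 3            # assumed number of counted errors before lockout

# Constructed feature vectors: one source with small capture variation,
# and a series of mutually dissimilar inputs.
SAME_SOURCE = [(0.90, 0.10, 0.40), (0.88, 0.12, 0.41), (0.91, 0.09, 0.39),
               (0.89, 0.11, 0.42), (0.90, 0.10, 0.40)]
VARIED_SOURCES = [(1, 0, 0), (0, 1, 0), (0, 0, 1), (1, 1, 0)]

def cosine(a, b):
    """Cosine similarity of two equal-length feature vectors (0.0 if degenerate)."""
    norm = math.hypot(*a) * math.hypot(*b)
    return sum(x * y for x, y in zip(a, b)) / norm if norm else 0.0

class FailureCounter:
    """Counts failed attempts, skipping re-tries that match a stored failed input."""

    def __init__(self, limit=ERROR_LIMIT, threshold=SAMENESS_THRESHOLD):
        self.limit, self.threshold = limit, threshold
        self.failed_inputs = []  # biometric information of earlier failures
        self.error_count = 0

    @property
    def locked(self):
        return self.error_count >= self.limit

    def record_failure(self, features):
        """Register one failed authentication; return True if it was counted."""
        if self.locked:
            raise PermissionError("re-try limit reached")
        same = any(cosine(features, old) >= self.threshold
                   for old in self.failed_inputs)
        self.failed_inputs.append(features)
        # The first failure and any failure unlike the stored inputs are
        # counted; a failure showing sameness is an uncounted re-try.
        if not same:
            self.error_count += 1
        return not same

def replay(attempts, **kwargs):
    """Feed failed attempts until lockout; return (counted flags, locked)."""
    counter, flags = FailureCounter(**kwargs), []
    for features in attempts:
        if counter.locked:
            break
        flags.append(counter.record_failure(features))
    return flags, counter.locked
```

With these constructed inputs, five failures from one source add a single counted error, while three dissimilar inputs reach the limit and the fourth is never evaluated.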