The invention disclosed broadly relates to computer systems and more particularly relates to security features in computer systems.
There are many processes for initial authentication of a user to verify the identity of the user or the user's eligibility to access particular resources in a stand alone computer system or in a computer network. Different system administrators may have different security requirements according to the business needs of the systems they administer, and they may require different types of authentication mechanisms. For example, some systems may only require presenting a simple userid and password. Other systems may be more sophisticated and require the user to employ authentication mechanisms such as a smart card, a token card, or a fingerprint scanner.
Other examples of user authentication processes include presenting an ATM debit card number and PIN, presenting a smart card's account number and a symmetric Message Authentication Code (MAC), presenting a smart card's account number and an asymmetric digital signature, presenting a user's digital signature and digital certificate, presenting a user's digital certificate and matching asymmetric digital signature, presenting a user's account number and a symmetric MAC or asymmetric digital signature, and presenting a user's account number and an asymmetric digital signature.
Biometric authentication processes include fingerprint scanning, graphical signature scanning, dynamic hand-force sensing while executing a signature, iris and retinal scanning, voice print scanning, and many other techniques. Fingerprint scanning is currently the most proven form of biometric authentication. Other developing biometric authentication processes include retina and iris scanning, hand and face geometry scanning, body odor profiling, and vein scanning. Computerized facial recognition converts a face into a sequence of numbers by component analysis and three-dimensional imaging technology. The iris is rich in features such as fibers, striations, freckles, rifts, pits and other details, which contribute to an identity that is more complex than a fingerprint. Body odor profiling recognizes the chemicals that make up a person's individual smell and separates them to build up a template. Behavioral biometrics measure how a person does something. The two most advanced behavioral biometric authentication processes are signature and voice recognition. Signature recognition authentication is used in credit card and other banking applications. Voice recognition or voice print authentication processes work by isolating the characteristics that produce speech, rather than by recognizing the tone of the voice itself.
Such diverse authentication mechanisms require different kinds of authentication data from the user. Different authentication mechanisms have distinctive logic and interface requirements to handle the authentication data. What is needed is a flexible way to provide diverse user authentication mechanisms and processes for a stand alone computer system or for a computer network.
This need becomes particularly acute for a user attempting to log on to a large, distributed system. In typical distributed system environments, a user must access many database systems, network systems, operating systems and mainframe applications. In order to use these systems and applications, the user must typically issue a separate sign-on command for each specific system or application. Each of these sign-ons may, in turn, have a different pair of userid and password, or a different smart card authentication process, or a different biometric authentication process. The problem of coordinating multiple system sign-on requirements has been addressed by the single sign-on (SSO) invention disclosed in the above-referenced patent applications. The single sign-on (SSO) system described in the above-referenced patent applications enables authorized users to perform one initial sign-on to access a variety of networks, systems and applications. However, what is needed now is a flexible way to provide diverse initial authentication mechanisms and processes for such a single sign-on system.
The invention is a system, method, program, and method of doing business for flexibly providing diverse user authentication mechanisms and processes for a stand alone computer system or for a distributed computer network. An authentication framework subsystem is disclosed for enabling a computer system to authenticate a user with a selected one of a plurality of authentication processes. Each of the authentication processes has a distinct sequence of steps and a unique input/output (I/O) interface for exchanging authentication information with the computer system.
The invention includes an authentication framework in the computer system. An application program interface in the authentication framework provides an interface to an I/O component, such as a graphical user interface (GUI), of the computer system.
A first authentication module interfaces with the framework. It has a first conversation function driver defining a first programmed sequence of steps to authenticate a user with a first authentication process, which could be, for example, a simple userid and password process. A second authentication module also interfaces with the framework. It has a second conversation function driver defining a second programmed sequence of steps different from the first sequence, to authenticate a user with a second authentication process, which could be, for example, a smart card process.
The first conversation function driver in the first authentication module has access to first information, such as display panels for menus, help screens, and error messages. This information is used during the first authentication process to configure the I/O component for the first authentication process. The second conversation function driver in the second authentication module has access to second information, such as a different set of display panels for menus, help screens, and error messages. This second information is used during the second authentication process to configure the I/O component for the second authentication process.
A conversation function in the application program interface defines a programmed sequence of steps for controlling the I/O component in response to generic instructions that have the same format whether they are received from the first conversation driver or from the second conversation driver. The conversation function can selectively receive generic instructions and the first information from the first conversation driver, to perform suitable I/O functions for the first authentication process. Alternately, the conversation function can selectively receive a different sequence of generic instructions and the second information from the second conversation driver, to perform suitable I/O functions for the second authentication process.
The generic conversation function provides a generic instruction format for diverse authentication processes, which is adapted to control the unique operational characteristics of multiple types of I/O components. Each instance of the generic conversation function is implemented in a corresponding external API that controls a particular I/O component. The implementation of the generic conversation function for a GUI, for example, contains all of the details pertaining to the unique display characteristics of that component. Unique implementations of the generic conversation function can be applied to control a graphical user interface, a local object interface, a network object interface, a command line interface, and the like. The generic conversation function is invoked by a conversation function driver within each authentication module, the driver being customized for each respective authentication process. Instruction tokens are passed from the conversation function driver for a particular authentication process into the authentication framework as input parameters to the generic conversation function implemented in the particular external API controlling a particular I/O component. Before the generic conversation function is invoked, each authentication module determines what data will be displayed to the user and composes that data, which it passes to the generic conversation function by means of linked lists. The data is composed as a linked list of key-value attributes, where each key represents a specific data field presented to the user. The generic conversation function implementation in the external API uses these key attributes to access the data, which determines the style or format of the final presentation to the user. The generic conversation function can also obtain authentication data from the user, such as a PIN or a userid, which is passed back to the authentication module by returning the linked list.
In one embodiment of the invention, an authentication method enables the computer system to authenticate a user with an authentication process. The method includes defining a programmed sequence of steps in the authentication process to authenticate the user with a conversation function driver in the authentication module. The method further includes configuring a display component, for example, to be customized for the authentication process, using information provided by the conversation function driver. The method further includes defining a programmed sequence of steps in the conversation function in the application program interface for controlling the display component, for example, in response to generic instructions and the information received from the conversation driver. And the method further includes providing authentication data to host processes with the authentication module. The conversation function controlled by the conversation function driver can cause an authentication dialog to be presented on the display component, for example. The authentication module can provide credentials derived from the authentication process to a host process, such as a single sign-on system.
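The framework, drivers and generic conversation function described in the two preceding passages, as an added illustration that is not code from the patent: the instruction token names, the `Attr` list node, the scripted stand-in for a command-line I/O component and the two example drivers are all assumed for the demonstration. The same conversation function serves a userid/password module and a smart card module, and each module's driver issues its own sequence of generic instructions and reads the user's answers back from the returned list.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Generic instruction tokens, identical in format for every module (names assumed here).
PROMPT_ECHO, PROMPT_NOECHO, DISPLAY_INFO = "PROMPT_ECHO", "PROMPT_NOECHO", "DISPLAY_INFO"


@dataclass
class Attr:
    """One node of the linked list of key/value attributes handed to the conversation function."""
    key: str
    value: str = ""
    next: Optional["Attr"] = None


def attrs_to_dict(node: Optional[Attr]) -> dict:
    """Walk the returned list and collect what the I/O component filled in."""
    out = {}
    while node is not None:
        out[node.key] = node.value
        node = node.next
    return out


# The generic conversation function: one signature regardless of the I/O component behind it.
ConversationFn = Callable[[str, Attr], Attr]


def scripted_conversation(answers: dict, trace: list) -> ConversationFn:
    """Stand-in for a CLI/GUI implementation: logs each instruction, answers prompts from a script."""
    def conv(token: str, attrs: Attr) -> Attr:
        node = attrs
        while node is not None:
            trace.append((token, node.key))          # the key selects the data field shown
            if token in (PROMPT_ECHO, PROMPT_NOECHO):
                node.value = answers[node.key]       # user input returns through the same list
            node = node.next
        return attrs
    return conv


def password_driver(conv: ConversationFn) -> dict:
    """Conversation function driver for the userid/password process."""
    conv(DISPLAY_INFO, Attr("panel", "Sign on with userid and password"))
    uid = attrs_to_dict(conv(PROMPT_ECHO, Attr("userid")))["userid"]
    pwd = attrs_to_dict(conv(PROMPT_NOECHO, Attr("password")))["password"]
    return {"mechanism": "password", "userid": uid, "password": pwd}


def smartcard_driver(conv: ConversationFn) -> dict:
    """Conversation function driver for the smart card process: a different step sequence."""
    conv(DISPLAY_INFO, Attr("panel", "Insert smart card and enter PIN"))
    return {"mechanism": "smartcard", "pin": attrs_to_dict(conv(PROMPT_NOECHO, Attr("pin")))["pin"]}


class AuthenticationFramework:
    """Binds one conversation function (one I/O component) to any registered authentication module."""
    def __init__(self, conversation: ConversationFn):
        self.conversation, self.modules = conversation, {}

    def register(self, name: str, driver: Callable[[ConversationFn], dict]) -> None:
        self.modules[name] = driver

    def authenticate(self, mechanism: str) -> dict:
        return self.modules[mechanism](self.conversation)   # credentials for a host such as SSO
```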
In alternate embodiments of the invention, the conversation function driver in the authentication module can also implement various types of biometric authentication processes, such as fingerprint scanning, iris and retinal scanning, voice print scanning, hand and face geometry scanning, body odor profiling, vein scanning, signature recognition, and the like, in which case the authentication module coordinates the operation of the corresponding biometric input device.
In this manner, diverse user authentication mechanisms and processes can be selectively provided for a stand alone computer system or for a distributed computer network.