The present invention generally relates to the field of security and, more specifically, to a method and device for providing identity verification.
With the advent of computers and computer networks and the necessity to prevent unauthorized access to the computers or networks, numerous methods of verifying the identity of a user have been developed that ensure the user is authorized to access the computer, the network and/or the data stored therein. For example, in a hospital environment, hospital accounting staff may be authorized to access the computer system but not be authorized to access patient information. Similarly, doctors and nurses may be authorized to access the computer system to access patient data but not authorized to access financial data.
The computer logon process is typically the first step in preventing unauthorized access to computer systems. In the log-in or logon process, a user typically enters a keyword or password that is set by a computer system administrator or by the user. To provide maximum protection, security protocol often requires the keywords or passwords to have a minimum level of complexity (e.g., a minimum number of alpha-numeric characters with a mix of upper and lower case values). In addition, instructions may be provided to the user on a regular basis to change the keyword or password. This burdens the user, who must create, change and retain the new passwords. In addition, the passwords may not be applicable to the different systems to which the user has access, as the different systems may have different security protocols.
Another solution for allowing access to computer systems is for a user to insert a coded card into a slot accessible by the computer system. For example, a card or memory may be connected to a Universal Serial Bus (USB) port or serial port on the computer system. The card or memory may include a code or user identification. In another aspect of this method, the computer system receiving the code or user identification may respond to the receipt of the user information by requiring the user to enter a keyword or password to verify that the card or memory is being inserted by the user authorized to use it. In another aspect, the card or memory may include a wireless transmitter, wherein a code or user information contained on the card or memory is wirelessly transmitted to the computer system. Again, the computer system may respond to receipt of the user information stored on the card or memory by requesting the entry of a password or code.
Wireless identification cards or badges containing an embedded passive RFID (Radio Frequency Identification) tag that operates at close range (on the order of less than 4 or 5 cm) are well known in the art for providing a log-in or log-on capability. Longer range RFID tags may also be used to provide log-on capability. However, such longer range RFID tags exhibit an ambiguity in present location, as the RF signals may penetrate walls or scatter off metal objects. Hence, access may be allowed by the computer system when no access has been intentionally requested.
Numerous methods have been developed and researched to determine the position of a wirelessly transmitting identification badge so as to ensure that the badge is proximately located to the system to which access is required. For example, Roy Want, Andy Hopper, Veronica Falcao and Jonathan Gibbons at the Olivetti Cambridge Research Labs have developed a long range active badge with an IR transmitter that periodically broadcasts an optical signal indicating a badge identification number. The badge preferably utilizes a tilt switch and accelerometer for switching the device on, rather than a standard on-off power switch. The badge includes a light sensor to detect when the badge is in a drawer or pocket, causing the badge to stop transmitting and, thus, saving power. This device could also be used as a pointing device, but the technology it employs requires the badge to be removed from the user and swept about in a large volume.
Another device is a personal Alert badge, produced by the company Versus, which combines infrared and RFID technology for computer system access and is further equipped with a call/alert button. Versus claims that U.S. Pat. Nos. 4,906,853; 5,017,794; 5,027,314; 5,119,104; 5,276,496; 5,355,222; 5,387,993; 5,548,637; 5,572,195; 6,104,295; 6,154,139; and 6,838,992 teach one or more aspects of the technology incorporated into the Alert badge. For example, U.S. Pat. No. 6,838,992 teaches a method and system for locating subjects and providing event notification within a tracking environment, and a badge for use therein. The '992 patent further teaches that each badge transmits infrared and RF signals of different strengths to determine the location of each badge.
U.S. Pat. No. 7,180,420 teaches a triangulation method using RF/Low Frequency (LF) and infrared signals for tracking the badges.
Cricket, a system developed by MIT (Massachusetts Institute of Technology), is another indoor location system for sensor-based computing environments. Cricket provides fine-grained location information—e.g., space identifiers, position coordinates, and orientation—to applications operational on handheld devices, laptop computers and sensor nodes. Cricket uses a combination of RF and ultrasound technologies to provide location information at attached host devices.
However, the problem with these methods of accessing computer systems is that they require either that the badge be removed from the user's person or that significant processing be expended to determine the location of the device.
Although the methods described above relate to allowing authorized log-on to a computer system, another potential breach in security can occur when a user who has been granted authorized access leaves the computer system without first logging off. In this case, unauthorized access to the computer system may be achieved. Accordingly, security protocols have been developed wherein access is prohibited, i.e., locked out, after the computer has been determined to have been inactive for a known period of time. However, timeouts that are too short are annoying, as the user may be in close proximity to the computer system and investigating a data item on the computer screen. On the other hand, if the timeout is too long, a window of opportunity is created for a security breach (i.e., access by an unauthorized user). See, for example, “Proximity Activated Computer Console Lock,” IBM Technical Disclosure Bulletin, Vol. 35, No. 6, November 1992.
In another aspect of computer systems, situations arise wherein a user enters the appropriate authorization codes to access one computer system in a network of computer systems and must then again access that computer or a remote computer on the network. Under the current security protocols described above, the user is again required to enter the authorization codes. For example, in a hospital, a health professional may be granted access to a computer system in one area and then leave the area, for example to answer an emergency, without logging off; the security protocols lock out the user after a predetermined period of inactivity, and the health professional is required to re-enter the authorization codes to be granted access to the computer system again. This is an additional burden on an already stressed individual.
As can be seen, there is a need in the industry for a security protocol method, system and device that enables a user to easily log on to a computer system, while enabling the computer system to monitor and maintain the status of the user's need for continued access to the computer system.