Consider a situation, such as described in FIG. 1, where a computer network (100) is formed from one or more remote clients [e.g., computers (101-103)] interacting over communication links (500-506) [e.g., telephone lines, hard wire, satellite links, IR, etc.]. The Network wants authorized clients (e.g., 104) to gain access easily and unauthorized clients (e.g., 400) to be totally prevented from gaining access. [Note that this diagram is intended only to represent known elements of a computer network and its security system. In particular, it is intended to show the basic topology of these parts. Also, it is not intended to be an exhaustive example of current computer networks or their security systems. Consequently, items such as routers, firewalls, gateways and the like have not been explicitly displayed.]
The Authentication Process is the means by which the system stops unauthorized access to the Network. The Authentication Process constitutes the security measures protecting the Network. Typically, in the Prior Art, the Authentication Process is a multistep sequence based on User Credentials and the Network Authentication Server (200).
“User Credentials” are information, such as access codes and user ID's, that are assigned by the Network to all authorized users (i.e., people who have authorized access to the Network.) The Authentication Server is the part of the Network that reviews the credentials of a user when access is requested. Here the term “Authentication Server” is meant to represent whatever network hardware and software is used for this purpose.
The following is a typical Authentication Process sequence executed when a user wishes to gain access to the network (See FIG. 2):
1) The user uses his client computer, and its specialized network software, to request access to the network.
2) The software prompts the user to enter his credentials into a certain location on a “Network LogOn” screen. This could include, for example, his user ID and access code (123, XYZ).
3) The client's Network software translates the credentials into digital information, i.e., a digital version of the user's credentials.
4) The client then creates an electronic message that includes the digitized credentials and transmits it to the Authentication Server. [Diagram 1 is meant to represent this electronic message.]
Diagram 1: | 1 | 2 | 3 | X | Y | Z |
5) The Authentication Server converts the electronic message into digital information, i.e., a digital version of the user's credentials.
6) The Authentication Server has in its database a list of digitized credentials for all authorized users. When the electronic message from the client arrives, the Authentication Server takes the user's digitized credentials and compares these to the credentials it has stored in its database for this particular user. If they match, access to the network is granted to the user. If they don't match [e.g., (123, XZZ)] then access is denied.
Unauthorized users can gain access to the Network by defeating the security measures, i.e., the Authentication Process. The source of this problem is that current Authentication Processes are based on analyzing digital information sent from the client to the Authentication Server. It is only the electronic signal itself that is analyzed. Security is based on analysis of this signal. Neither the physical client, nor its human operator, is analyzed directly. This same problem exists for all credentials data as long as the Authentication Process remains the same.
Computer hackers break through this type of security just by mimicking valid digital credentials in the electronic message (See Diagram 1) sent to the Authentication Server by the client. This only requires a computer (client), a communication link, and a valid set of credentials. The first two are readily available and the last can be obtained by a variety of means such as: guess work, simple theft, etc. That is, the hurdles (technological, financial, etc.) to unauthorized entry are fairly low.
The electronic message containing the credentials does not come with any indelible indicators of the actual person or client who has sent it because it is just a series of computer generated electronic impulses and is therefore susceptible to hackers.
To illustrate this point, consider the following analogy:
Imagine a situation where physical access to a building is protected by an “Authentication Process” based on analysis of a person's handwriting. The actual process only requires that a person wishing to access the building give the guard a piece of paper with handwriting on it. The handwriting is compared to that on file for the name that was given. If they match, the person is admitted.
But a sample of the handwriting could be stolen or forged, thus allowing an unauthorized person admission to the building. Here, as in the computer network case, it was information supposedly about the person that was analyzed. It was not the person themselves, or even information known to have come from the person, that was analyzed.
The above network Authentication Process is based on traditional User Credentials. It could be argued that more modern credentials exist. These would include client CPU chips with ID's (such as the Pentium III with Processor Serial Number from Intel) and User Biometrics (such as thumb prints, facial scans, etc., which are used, for example, by the BioNetrix Systems Corporation of Vienna, Va., USA). But these modern credentials, although useful, are still employed in the same type of authentication process. Therefore, the network is susceptible to the same type of unauthorized user, i.e., the hacker.
To see this, consider the employment of the user's thumbprint as a means of authenticating a network user. In this case, the user's client has a special scanner connected to it. The Authentication Process would be a sequence similar to the following (See FIG. 3):
1) The user uses his client computer, and its Network software, to request access to the Network.
2a) The client software prompts the user to enter his credentials into a certain location on a “Network LogOn” screen. This could include, for example, his user ID and access code: (123, XYZ).
2b) Thumb Print Scan: The client's software also prompts the user to place his thumb on the scanner. The client then scans the thumb. Scanning “digitizes” an image of the thumbprint. That is, it turns the physical thumb print into a set of pixels containing digital information that characterize the thumbprint.
3) The client's software translates the credentials into digital information.
4) The client then creates an electronic message that includes the digitized credentials and the digital thumb print. The client then transmits these to the Authentication Server. [Diagram 2 is meant to represent this electronic message.]
Diagram 2: the electronic message carrying the digitized credentials and the digitized thumbprint.
5) The Authentication Server receives the electronic message and translates it back to digital information.
6) The Authentication Server has in its database a list of digitized credentials and digitized thumbprints for all authorized users. When the electronic message from the client arrives, the Authentication Server takes the user's digitized credentials and thumb print and compares these to the credentials and thumb prints it has stored in its database for this particular user. If they match, access to the network is granted to the user. If they don't match then access is denied.
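The following model of the FIG. 2 and FIG. 3 sequences is an added example, not part of the original specification. It assumes the user 123 / XYZ record from the text, a constructed pixel buffer standing in for the thumb scan, a SHA-256 digest standing in for whatever template the scanner software produces, and JSON as the wire format of Diagrams 1 and 2. Its point is that the server's decision is a function of the message bytes alone, which is what the text identifies as the weakness of the client-formed digital message.

```python
"""Model of the prior-art Authentication Process (FIG. 2 / FIG. 3)."""
import hashlib
import hmac
import json
from typing import Optional

# Step 6: the Authentication Server's database of digitized credentials
# and digitized thumbprints. Constructed sample data for user 123.
THUMB_PIXELS_123 = b"constructed-thumbprint-pixels-of-user-123"
AUTH_DB = {
    "123": {
        "access_code": "XYZ",
        "thumbprint": hashlib.sha256(THUMB_PIXELS_123).hexdigest(),
    },
}


def digitize_thumbprint(pixels: bytes) -> str:
    """Step 2b: the client reduces the scanned pixels to a digital value.
    A hash stands in (assumption) for the scanner software's template."""
    return hashlib.sha256(pixels).hexdigest()


def client_form_message(user_id: str, access_code: str,
                        thumb_pixels: Optional[bytes] = None) -> bytes:
    """Steps 3-4: the client forms the electronic message (Diagram 1/2).
    Everything the server will ever see is in the returned bytes."""
    fields = {"user_id": user_id, "access_code": access_code}
    if thumb_pixels is not None:
        fields["thumbprint"] = digitize_thumbprint(thumb_pixels)
    return json.dumps(fields).encode()


def server_authenticate(message: bytes, require_thumb: bool) -> bool:
    """Steps 5-6: decode the message and compare it with the stored record.
    The physical client and its operator are not inputs to this decision;
    only the message content is, which is the weakness the text describes."""
    try:
        fields = json.loads(message)
    except ValueError:
        return False
    record = AUTH_DB.get(str(fields.get("user_id", "")))
    if record is None:
        return False
    ok = hmac.compare_digest(str(fields.get("access_code", "")).encode(),
                             record["access_code"].encode())
    if require_thumb:
        ok = ok and hmac.compare_digest(str(fields.get("thumbprint", "")).encode(),
                                        record["thumbprint"].encode())
    return ok
```

Any two messages with identical bytes produce the identical decision, whether or not a scanner, or the named user, was ever involved in forming them.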
Note that not only is the actual thumb not being analyzed, but neither is a physical thumbprint (such as on a law enforcement finger print card) being analyzed. Rather it is only the digitized version of the thumbprint created by the client that is analyzed. And this gives a hacker a way of breaking into the system. For example, if he were to obtain a copy of a user's thumbprint, he could digitize it and then use that digital version to send to the Authentication Server when the request came for the thumbprint.
Therefore, the three types of authentication data:
User Credentials
User Biometrics
Client Branding
all suffer from the same problem. They are all turned into digital messages by the client. This “client formed digital message” is then analyzed in the Authentication Process. And it is the nature of a “client formed digital message” that it can be hacked with readily available, and inexpensive, technology. In addition, the skills needed to overcome this type of security system are within the expertise of the traditional hacker.
Finally, it should be pointed out that one of the additional weaknesses of this type of authentication process is that when a Network decides to make its authentication process more difficult for the hacker to break through, it also becomes more of an irritant for the legitimate user to access the Network. The Process is non-transparent to the legitimate user.
In summation, current authentication processes are based on having the user's client take user credentials, form them into a digital message and then transmit this message to the Network Authentication Server, where it is this digital message that is analyzed. This approach has several weaknesses and deficiencies that include the following:
1. it relies on data digitized and transmitted by the user's client.
2. it analyzes digital representations of information about the client/user and not the client/user themselves. [For example, it analyzes a digital representation of a thumbprint and not a thumb print itself, let alone a thumb.]
3. it presents a low hurdle, both in expense and technical skills necessary, to an unauthorized user.
4. it is an irritant to the legitimate user (i.e., it is non-transparent).
5. it can be overcome by traditional hacking, i.e., software and readily available computer and telecommunications technology.
Finally, the enormity of the computer network security problem cannot be overestimated. Computers are pervasive in our society. The national defense itself is tied inseparably to them. Unauthorized access to critical mission computers (e.g., those controlling the Ballistic Missile System) could jeopardize our national existence.
There is a need for an authentication process which will uniquely identify the originator of a network access request and which includes the following:
1. it doesn't just rely on messages created by the requesting client.
2. it analyzes information empirically obtained about the client, not just information sent from the client.
3. it raises the hurdles, in both expense and technical skills needed, to gain unauthorized access to the system.
4. it is transparent to the legitimate user.
5. it cannot be overcome by hacking.