Computers and other devices, as well as secure facilities, often contain proprietary and/or sensitive information, which could be compromised if accessed by unauthorized individuals. Thus, computer devices and secure facilities often incorporate security techniques, such as database access control mechanisms, to prevent unauthorized users from accessing, obtaining or altering the proprietary and/or sensitive information. Authentication techniques allow users to prove their identity and obtain authorized access to a given device or secure facility.
A number of authentication protocols have been developed to prevent the unauthorized access of such devices or locations. For example, access control mechanisms typically utilize some variation of an alphanumeric personal identification number (PIN) or password, that is presumably known only to the authorized user. Upon attempting to access a given device or physical location, the user enters the appropriate password, to establish his or her authority. Many users select a PIN or password that is easy to remember. Thus, there is a significant risk that such passwords may be guessed or otherwise compromised, in which case an attacker can access the given device or location.
To minimize the risk that a password will be compromised, the number of login attempts that may be attempted are often limited, so that an attacker cannot keep trying different passwords until successful. In addition, users are often encouraged or required to change their password periodically. One-time passwords have also been proposed to further increase security, where users are assigned a secret key that may be stored, for example, on a pocket token or a computer-readable card. Upon attempting to access a desired device or location, a random value, referred to as a “challenge,” is issued to the user. The pocket token or computer-readable card then generates a “response” to the challenge by encrypting the received challenge with the user's secret key. The user obtains access to the device or location provided the response is accurate. In order to ensure that the pocket token or computer-readable card is utilized by the associated authorized user, the user typically must also manually enter a secret alphanumeric PIN or password.
In further variations, access control mechanisms have secured access to devices or secure locations by evaluating biometric information, such as fingerprints, retinal scans or voice characteristics. For a more detailed discussion of one such biometric-based access control system, see, for example, U.S. Pat. No. 5,897,616, entitled “Apparatus and Methods for Speaker Verification/Identification/Classification Employing Non-Acoustic and/or Acoustic Models and Databases,” U.S. patent application Ser. No. 09/008,122, filed Jan. 16, 1998, entitled “A Portable Information and Transaction Processing System and Method Utilizing Biometric Authorization and Digital Certificate Security,” and U.S. patent application Ser. No. 09/417,645, filed Oct. 14, 1999, entitled “Point of Sale and Vending Service Payment via Portable Communication Device”, each assigned to the assignee of the present invention and incorporated by reference herein.
While such authentication tools reduce the unauthorized access of equipment or a secure facility, they suffer from a number of limitations, which if overcome, could dramatically increase the utility and effectiveness of such tools. For example, there is currently no mechanism to ensure that a person associated with a given password is physically present at the location where the password is utilized. A need therefore exists for an access control mechanism that uses the global positioning system to verify the location of a person who is requesting access to a secured device or location.