Field
This invention relates to the field of user authentication and authorization, and more particularly to a cognitive-based logon process for accessing a computing device and its systems, applications, directories, or files.
Prior Art
Authentication is the process of verifying a user's identity. In the context of a computer system logon, authentication is typically a two-step process. First, the user enters a username, user ID, or other unique sequence of characters that identifies the user. In many cases, this information is known not only to the user but also to others, through a directory listing or other source. To complete the process, the user must then enter a pre-selected or pre-assigned password, passphrase, passkey, PIN, or other unique sequence of characters that is secret and known only to the user and the computer system. If the two pieces of logon information correspond, the user is authenticated, since ostensibly the user is the only individual who could know both pieces of information.
Authorization, meanwhile, is a mechanism by which a computer system determines what level of access an authenticated user should be granted to secure resources within the system. For example, a system might be designed to provide certain users with unrestricted access to all directories and files within the system, while other users are permitted to access only certain directories and files. Similarly, a database management system might provide certain users with the ability to read, write, edit, delete, or upload files, while other users are limited to read-only access.
Because passwords may be stolen or divulged, thereby rendering the computer system susceptible to unauthorized access, some systems use additional or alternate methods of authentication and/or authorization. For example, a system may require the presence of a physical token, such as a card with a magnetic stripe that can be swiped by the user and read by the system. Other systems may rely on the use of biometrics, or characteristics (either physiological or behavioral) that can be used to distinguish one individual from another through the use of digital equipment. Examples of biometrics that may be used to authenticate a user's identity include 2D face, 3D face, hand geometry, single fingerprint, palm, full hand, signature, finger vein, iris, retina, ear, DNA, typing rhythm, gait, and voice. The use of biometrics signals an important shift in the authentication field: rather than simply verifying something the user possesses, such as a secret password or a physical token, the system is able to analyze and verify the inherent traits and characteristics of the user himself.
Both authentication and authorization are useful for controlling access to computer systems and to areas within those systems where sensitive information is stored. However, in an environment where many computer-based job functions require a high degree of skill, dexterity, alertness, focus, and/or concentration, the mere verification of a user's identity may not be enough. In many cases, it is important for an employer to verify not only that a user is who he says he is, and that he has a certain job title or security clearance level, but also that he is able to perform up to his usual abilities at that particular time. Similarly, many users of personal computers suffer from some degree of impairment to their memory, language, or other mental functions due to age, illness, trauma, and/or degenerative conditions such as Alzheimer's. These persons (and their caretakers) would want to ensure that they are mentally alert and aware enough to perform basic tasks before logging onto a computer where, absent supervision, they might enter into financial transactions, share personal information, or engage in other potentially harmful activities.
These concerns are addressed by an efficient and economical method of authentication and/or authorization that measures the user's cognitive function prior to allowing the user full access to a computing device. Cognition, a term which refers to both the mind and the brain, is defined as the “application of the process of thought to knowing” to create new knowledge. A user's cognitive function, or the brain mechanisms involved with thinking, reasoning, learning, and remembering, can be determined through his responses to certain prompts that measure, among other things, his attention, awareness, comprehension, concentration, decision making, executive function, judgment, logical thinking, long-term memory, math skills, perception, planning, problem-solving, short-term memory, symbolic thinking, and visuo-spatial recognition. Questions that measure an individual's cognitive function have been used for years in the fields of psychology, psychiatry, education, and human resource management for a variety of purposes, but have yet to be used as a basis for authenticating or authorizing the user of a computer system as described herein.
In the short term, a user's responses to cognitive-based prompts will enable the computer to determine whether the user demonstrates the required level of cognitive function to proceed with the current logon session. If the user responds in a satisfactory manner, he will be granted access to all or part of the system. If not, he will be denied access to all or part of the system. Over the longer term, meanwhile, the user's responses across multiple logon sessions will allow the computer to determine whether the user's level of cognitive function has generally improved, diminished, or remained static. This capability is particularly useful in the case of persons with degenerative mental conditions. Additionally, the user's pattern of responses to certain types of questions will, over time, provide a basis for authenticating the user through cognitive biometrics (also known as “cognimetrics”), or the specific response of that user's brain to certain stimuli.
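The following added example (not code from the patent or any product it describes) shows how the short-term and long-term behaviour just described can be implemented: each logon session is scored against a small bank of cognitive prompts, the score is mapped to full, partial, or denied access, and the per-session scores are kept so that a trend across sessions (improved, diminished, or static) can be reported. The prompt bank, the 0.8/0.5 access thresholds, the three-session comparison window and the 0.1 tolerance are all constructed assumptions chosen for illustration; a deployed system would persist the history and tune the thresholds per user.

```python
"""Cognitive-prompt logon gate: per-session scoring, tiered access decision,
and cross-session trend assessment. Constructed illustration; the prompts,
thresholds and window sizes are assumptions, not values from the source."""
from __future__ import annotations

from dataclasses import dataclass, field
from statistics import mean
from typing import Callable


@dataclass(frozen=True)
class Prompt:
    prompt_id: str
    category: str                  # e.g. "math", "short_term_memory", "attention"
    question: str
    check: Callable[[str], bool]   # True when the typed response is acceptable


def _norm(text: str) -> str:
    """Lower-case and collapse whitespace so minor typing differences do not fail a prompt."""
    return " ".join(text.strip().lower().split())


# Constructed prompt bank. Unlike password answers these are not secrets,
# so a plain comparison (rather than a hashed one) is appropriate.
PROMPT_BANK = [
    Prompt("math-1", "math", "What is 100 minus 7?", lambda r: _norm(r) == "93"),
    Prompt("math-2", "math", "What is 93 minus 7?", lambda r: _norm(r) == "86"),
    # Assumes the UI showed the words "apple, table, penny" at the start of the session.
    Prompt("mem-1", "short_term_memory",
           "Repeat the three words you were shown at the start of the session",
           lambda r: {"apple", "table", "penny"} <= set(_norm(r).replace(",", " ").split())),
    Prompt("att-1", "attention", "Spell the word WORLD backwards",
           lambda r: _norm(r) == "dlrow"),
    Prompt("logic-1", "logical_thinking", "Which number continues: 2, 4, 8, 16, ?",
           lambda r: _norm(r) == "32"),
]

FULL_ACCESS_THRESHOLD = 0.8      # assumed: fraction correct needed for full access
PARTIAL_ACCESS_THRESHOLD = 0.5   # assumed: fraction correct needed for partial access


def score_session(responses: dict[str, str], prompts: list[Prompt] = PROMPT_BANK) -> float:
    """Return the fraction of prompts answered acceptably; a missing response counts as wrong."""
    if not prompts:
        raise ValueError("no prompts configured")
    correct = sum(1 for p in prompts if p.check(responses.get(p.prompt_id, "")))
    return correct / len(prompts)


def decide_access(score: float) -> str:
    """Map a session score to an access level: "full", "partial" or "denied"."""
    if score >= FULL_ACCESS_THRESHOLD:
        return "full"
    if score >= PARTIAL_ACCESS_THRESHOLD:
        return "partial"
    return "denied"


def assess_trend(history: list[float], window: int = 3, tolerance: float = 0.1) -> str:
    """Compare the mean of the last `window` sessions with the mean of the `window` before them."""
    if len(history) < 2 * window:
        return "insufficient data"
    recent = mean(history[-window:])
    earlier = mean(history[-2 * window:-window])
    if recent - earlier > tolerance:
        return "improved"
    if earlier - recent > tolerance:
        return "diminished"
    return "static"


@dataclass
class CognitiveLogon:
    """Holds one user's per-session scores in memory; a real system would persist them."""
    history: list[float] = field(default_factory=list)

    def logon(self, responses: dict[str, str]) -> tuple[str, str]:
        """Score this session, record it, and return (access level, long-term trend)."""
        score = score_session(responses)
        self.history.append(score)
        return decide_access(score), assess_trend(self.history)


if __name__ == "__main__":
    gate = CognitiveLogon()
    # Constructed sequence of sessions for one user, from fully correct to mostly wrong.
    sessions = [
        {"math-1": "93", "math-2": "86", "mem-1": "apple, table, penny", "att-1": "dlrow", "logic-1": "32"},
        {"math-1": "93", "math-2": "86", "mem-1": "apple table penny", "att-1": "DLROW", "logic-1": "32"},
        {"math-1": "93", "math-2": "86", "mem-1": "apple table", "att-1": "dlrow", "logic-1": "32"},
        {"math-1": "93", "math-2": "85", "mem-1": "apple", "att-1": "dlrow", "logic-1": "32"},
        {"math-1": "93", "math-2": "", "mem-1": "", "att-1": "dlrow", "logic-1": ""},
        {"math-1": "92", "math-2": "", "mem-1": "", "att-1": "dlrow", "logic-1": ""},
    ]
    for n, responses in enumerate(sessions, 1):
        level, trend = gate.logon(responses)
        print(f"session {n}: access={level} trend={trend}")
```

Because the prompts are the same for every session here, a user could simply memorise the answers; a deployed gate would draw each session's prompts from a larger bank per category and rotate them, which the data-driven `Prompt` structure allows without changing the scoring or trend logic.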
It is important to note that true cognitive-based prompts should not be confused with cognitive passwords, which have been used for many years and routinely serve as secondary layers of security or secondary forms of access. Cognitive password systems are merely a form of knowledge-based authentication in which a user is required to answer questions about something he already intrinsically knows in order to verify his identity. For example, a cognitive password system might require the user to answer a factual question such as “What was the name of your first dog?” or a preference question such as “What is your favorite color?” In each case, the user has already provided the answer to the computer system and is simply required to recall that answer at the time of logon. While cognitive password systems are useful, they fail to provide the same benefits as systems that introduce true cognitive-based prompts.