JP2007095022A - Computer control method and computer control system using externally connected device - Google Patents

Abstract

PROBLEM TO BE SOLVED: To set an authentication authority by a combination of a plurality of users, authority of an application or an operation unit when an operation of a computer is controlled by an authentication result by biometric information such as a fingerprint using an external connection device such as a USB memory Provided is a computer control method that enables setting.
In an externally connected device such as a USB memory, authentication conditions for biometric authentication required for each application or operation unit are stored together with biometric information of a plurality of users requiring biometric authentication. When using an external computer such as a dispatch destination, an external connection device is connected to the computer to perform biometric authentication, and when a predetermined operation requiring biometric authentication is performed on the computer, The presence or absence of biometric authentication is confirmed according to the authentication conditions set for the operation stored in the external device, and when the authentication condition is satisfied, the operation is normally executed.
[Selection] Figure 1

Description

  The present invention relates to a computer control method and a computer control system for controlling the operation of a computer based on an authentication result based on biometric information such as a fingerprint using an external connection device such as a USB memory.

  When a computer is used for management of important information in a company or the like, in order to prevent information leakage or the like due to an unauthorized operation of the computer by a third party, setting operation authority to the computer is widely performed. The most common method is to set a password for the computer user and give the operation authority only to the user who has been authenticated with the same password. It is difficult to eliminate the risk of forgiveness. Therefore, in recent years, biometric information such as fingerprints has been increasingly adopted as a safer personal authentication means.

  In order to perform authentication using biometric information, biometric information of a user who has been given authority to use in advance is registered on the computer side, and biometric information read by a sensor from a part of the user's body is registered when the computer is used It is checked whether the operator is authorized by checking the biometric information and whether or not they match. In this case, if a user who has authority to use is fixed for each computer, biometric information may be registered in the computer main body. If the network is a closed network such as an in-house LAN, the management server It is only necessary to register biometric information of users who have authority to use in the network.

  However, in a computer used in a stand-alone manner or a computer used outside a closed network, if it is not possible to specify in advance a user who is authorized to use the computer, the biometric information is previously stored in the computer as described above. I cannot register and manage the operation authority. As a technology that can cope with such a case, it is possible to carry biometric information freely by recording biometric information in a USB memory, and it is possible to manage the use authority of external computers by biometric authentication. A possible invention is disclosed (for example, see Patent Document 1).

JP 2005-128741 A

  According to the invention described in Patent Document 1, fingerprint information of a user who has operating authority is stored in a USB memory, and the USB memory is provided with a fingerprint collation mechanism. By connecting and configuring such that software that can be operated by the computer is sent out when personal authentication is performed, only authorized users can operate the computer.

  As described above, according to the invention described in Patent Document 1, it is possible to manage the computer so that only authorized users can use the computer by issuing the USB memory for each user who is authorized to operate the computer. . According to the present invention, the operation authority is given for each user, and the operation that can be controlled by the computer is controlled by software or the like sent from the USB memory. It will be limited to connection.

  On the other hand, for example, the following case can be considered as an example where it is desired to set the use authority in a computer outside the normally used closed network. When dispatching multiple staff members from one company to another company, all staff members can use the dispatched computer, and sales are provided if the dispatcher includes a designated responsible person. Assumes a case where you want to use the software to manage (for example, if only registered staff is dispatched, you can use only word processing software, but if you include a manager, you can also use accounting software) To do.

  However, in the invention described in Patent Document 1, since authority is set for each user, it is not possible to cope with a case where authority is set by a combination of a plurality of users as in this case. Although it can handle computer startup and network connection control, as in this case, it is possible to use application settings such as a word processor that can be used but accounting software cannot be used, and other files that can be accessed. Cannot be set in units of files such as cannot be accessed, or in units of operations such that a certain file can be read but cannot be written.

  The present invention has been made to cope with such problems, and a computer control method for controlling the operation of a computer based on an authentication result based on biometric information such as a fingerprint using an externally connected device such as a USB memory, and An object of the present invention is to provide a computer control system that can set an authentication authority by a combination of a plurality of users and an authority for each application or operation unit.

  In the present invention, an external connection device such as a USB memory connected to a computer stores authentication conditions in units of applications and operations together with biometric information such as fingerprints related to a plurality of users used for biometric authentication. When operating the computer, connect the external connection device, perform biometric authentication of the target user from the biometric information stored in the external connection device, start the computer and log on, or start a predetermined application program When the agent program detects a predetermined operation, it confirms whether the result of biometric authentication satisfies the authentication condition stored in the externally connected device, and logs on when the computer starts up, the operation of the application program, In addition, execution of predetermined operations is controlled.

  In the present invention, the above-described biometric information and authentication conditions are required to be stored in an externally connected device. There is no limitation on whether a computer or an externally connected device is provided. In other words, the biometric information reading sensor may be provided in either a computer (or another external device connected to the computer) or an externally connected device. The biometric information collation program may be stored in either a computer (or an external storage device connected to the computer) or an externally connected device, and the computation processing for collation is performed in the main memory of the computer. Alternatively, it may be performed by a dedicated memory or the like provided in the external connection device.

  1st invention which solves the subject concerning this application is a computer control method which connects the external connection apparatus which can memorize | store biometric information to a computer, and controls operation | movement of the said computer, Comprising: The said external connection The device stores at least biometric information of a plurality of users used for authentication by the computer, and authentication conditions for the user to cause the computer to execute a predetermined operation. A step of accepting a log-on request, a step in which the computer specifies biometric information of a plurality of users stored in the externally connected device, and a verification result of biometric information read from the plurality of users, and the computer The authentication condition stored in the externally connected device is read and the authentication condition is read from the authentication condition. Identifying the authentication conditions for logging on to the computer, and determining whether the computer matches the authentication conditions for logging on to the computer, wherein the verification result includes: The computer control method is characterized in that the computer does not execute the logon process to the computer when the authentication condition for logging on to the computer does not match.

  In the externally connected device, passwords set for each of the plurality of users are stored, and the collation result identified in the step of identifying the collation result is combined with the collation result of the biometric information, A password verification result of each of a plurality of users stored in the external device and a password verification result input by each of the plurality of users may be included.

  When the verification result matches an authentication condition for logging on to the computer, the computer requests the user who made the logon request to input a password; and Receiving the entered password, and the computer determining whether the password matches a password specified for the user stored in the computer or the externally connected device. When the password received in the step of accepting the password matches the password specified for the user, the computer may execute a process of logging on to the computer.

  In the first invention, by storing the biometric information such as fingerprints for a plurality of users and the authentication conditions for logging on to the computer in an external connection device such as a USB memory, when the computer is started and logged on, The use authority of the computer can be controlled according to the combination of the authentication results of a plurality of users as well as the use authority for each user. In the first invention, the logon may be permitted at the timing when the biometric authentication defined in the authentication condition can be confirmed, or the password for confirming the match between the password entered by the user and the password stored in the external device. Biometric authentication may be performed after authentication, and logon may be permitted after confirming whether these authentication results satisfy the authentication condition. Alternatively, after confirming that the result of biometric authentication satisfies the authentication condition, password authentication may be executed to allow logon.

  In the first invention, when logon processing to the computer is executed, the computer stores the verification result and the authentication condition read from the external device in a predetermined storage area of the computer. When the application program stored in the computer is started, the application program acquires the authentication condition set for the application program from the predetermined storage area, and the verification result is set for the application program. If the authentication condition is satisfied, the computer is caused to execute normal processing by the application program. If the verification result does not match the authentication condition set for the application program, the computer is configured to execute the application process. It may be characterized by executing a process for performing a predetermined limit for application programs.

  Furthermore, in the first invention, when the logon process to the computer is executed, the computer stores the verification result and the authentication condition read from the external device in a predetermined storage area of the computer. When the agent program stored in the computer is activated, the agent program includes an operation including at least one of writing or reading a specific file or writing or reading a specific application for which the computer has received a request. The authentication condition set for the operation is acquired from the predetermined storage area, and when the verification result matches the authentication condition set for the operation, the computer is caused to execute normal processing related to the operation. The verification result matches the authentication condition set for the operation. When it has may be characterized in that to execute a process for performing a predetermined limit for the operation to the computer.

  In this way, the biometric information collation result and the authentication condition specified at the time of logon are stored in a predetermined area of the computer, for example, a main memory, a predetermined file, etc. Other predetermined operations such as application operations and file reading and writing can be controlled by setting conditions for permitting operations as authentication conditions.

  A second invention for solving the problem according to the present application is a computer control method for controlling an operation of the computer by connecting an external connection device capable of storing biological information to the computer, the external connection being The device stores at least biometric information of a plurality of users used for authentication in the computer, and authentication conditions for the user to cause the computer to execute a predetermined application program. A step of accepting activation of an application program stored in the computer, and a step in which the computer specifies biometric information of a plurality of users stored in the externally connected device and biometric information read from the plurality of users. The computer is stored in the external connection device. A step of reading the authentication condition and identifying the authentication condition set for the application program from the authentication condition; and the step of determining whether the computer matches the authentication condition set for the application program When the verification result matches the authentication condition set for the application program, the computer executes normal processing by the application program, and the verification result is for the application program. The computer control method is characterized in that when the set authentication condition is not met, the computer executes a process for performing a predetermined restriction on the application program.

  In the second invention, a predetermined application program is started on the computer by storing biometric information such as fingerprints related to a plurality of users and authentication conditions for restricting the operation of the application program in an externally connected device such as a USB memory. In this case, it is possible to control the range in which the application program is operated according to the combination of the authentication results of a plurality of users as well as the use authority for each user.

  A third invention for solving the problem according to the present application is a computer control method for controlling an operation of the computer by connecting an external connection device capable of storing biological information to the computer, the external connection being The device stores at least biometric information of a plurality of users used for authentication by the computer, and authentication conditions for the user to cause the computer to execute a predetermined operation. A step of receiving an operation request including at least one of writing or reading and writing or reading of a specific application; and a plurality of users' biometric information stored in the externally connected device, and the plurality of users. The step of specifying the verification result of the biometric information read from the computer, and the computer Reading the authentication condition stored in the step, and specifying the authentication condition set for the operation from the authentication condition, and the computer determines whether the verification result matches the authentication condition set for the operation And when the verification result matches the authentication condition set for the operation, the computer executes a normal process for the operation, and the verification result is for the operation. The computer control method is characterized in that if the set authentication condition is not met, the computer executes a process for performing a predetermined restriction on the operation.

  In the third invention, an external device such as a USB memory stores biometric information such as fingerprints related to a plurality of users and an authentication condition for restricting a predetermined operation in the computer, so that the agent corresponding to this in the computer When a predetermined request, such as reading or writing a file, is made to the computer by operating the program, the predetermined operation is performed not only according to the usage authority for each user but also according to the combination of the authentication results of multiple users Whether or not to execute can be controlled.

  The present invention can also be specified as a control system including an externally connected device and a computer for executing each control method corresponding to the computer control method according to the first to third inventions.

  That is, the computer control system corresponding to the first invention is a computer control system comprising an external connection device capable of storing biological information and a computer connected to the external connection device, wherein the external connection The apparatus includes at least authentication information storage means for storing biometric information of a plurality of users used for authentication in the computer and authentication conditions for allowing the user to execute a predetermined operation by the computer. Includes a logon request accepting unit that accepts a request to log on to the computer, biometric information of a plurality of users stored in the externally connected device, and a biometric that specifies a collation result of biometric information read from the plurality of users. Read the authentication conditions stored in the information specifying means and the external connection device, and Authentication condition specifying means for specifying an authentication condition for logging on to the computer from a matter, and a determination means for determining whether the verification result matches an authentication condition for logging on to the computer, The computer control system is characterized in that when the collation result does not match an authentication condition for logging on to the computer, the computer does not execute logon processing to the computer.

  The authentication information storage unit of the externally connected device stores a password set for each of the plurality of users, and the verification result specified by the biometric information specifying unit matches the verification result of the biometric information. In addition, a password verification result of each of a plurality of users stored in the authentication method storage means and a password verification result input by each of the plurality of users may be included.

  The computer includes password request means for requesting a user who has requested the logon when the collation result matches an authentication condition for logging on to the computer, and a password of the user. Password receiving means for receiving the input password, and password determining means for determining whether the password matches a password specified for the user stored in the computer or the external connection device, When the password received by the password receiving unit matches the password specified for the user, the computer may execute a process of logging on to the computer.

  The computer stores authentication information holding means for storing and holding the verification result and the authentication condition read from the externally connected device in a predetermined storage area of the computer when logon processing to the computer is executed. The application program stored in the computer acquires an authentication condition set for the application program from the predetermined storage area when the application program is started, and the verification result is the application program. When the authentication condition set for the program is met, the computer is caused to execute normal processing by the application program, and when the verification result does not match the authentication condition set for the application program, It may be characterized by executing a process for performing a predetermined limit for the application program on the computer.

  The computer is provided with authentication information storage means for storing the verification result and the authentication condition read from the externally connected device in a predetermined storage area of the computer when logon processing to the computer is executed. The agent program stored in the computer includes at least one of writing or reading a specific file or writing or reading a specific application for which the computer has received a request when the agent program is activated. For the operation, the authentication condition set for the operation is acquired from the predetermined storage area, and when the collation result matches the authentication condition set for the operation, the normal processing related to the operation is performed on the computer. The verification result is set for the operation. If you do not meet the condition may be characterized in that to execute a process for performing a predetermined limit for the operation to the computer.

  A computer control system corresponding to the second invention is a computer control system comprising an external connection device capable of storing biological information and a computer connected to the external connection device. Comprises at least authentication information storage means for storing biometric information of a plurality of users used for authentication in the computer and authentication conditions for allowing the user to execute a predetermined application program on the computer. Specifies an application activation accepting unit that accepts activation of an application program stored in the computer, biometric information of a plurality of users stored in the external connection device, and a collation result of biometric information read from the plurality of users Biometric information specifying means for performing the external connection An authentication condition specifying means for reading an authentication condition stored in the device and specifying an authentication condition set for the application program from the authentication condition; and an authentication condition for which the computer sets the verification result for the application program Authentication condition determining means for determining whether the application program matches, and if the collation result matches the authentication condition set for the application program, the computer performs normal processing by the application program. If the verification result does not match the authentication condition set for the application program, the computer executes a process for performing a predetermined restriction on the application program. A motor control system.

  A computer control system corresponding to a third invention is a computer control system comprising an external connection device capable of storing biological information and a computer connected to the external connection device. Comprises at least authentication information storage means for storing biometric information of a plurality of users used for authentication by the computer and authentication conditions for allowing the user to execute a predetermined operation by the user. An operation request receiving means for receiving an operation request including at least one of writing or reading a specific file, writing or reading a specific application, biometric information of a plurality of users stored in the externally connected device, Biometric information specifying means for specifying the verification results of biometric information read from a plurality of users, and the external connection An authentication condition stored in the device is read, and an authentication condition specifying means for specifying the authentication condition set for the operation from the authentication condition, and whether the verification result matches the authentication condition set for the operation Authentication condition determination means, and when the verification result matches the authentication condition set for the operation, the computer executes normal processing for the operation, and the verification result is If the authentication condition set for the operation is not met, the computer executes a process for performing a predetermined restriction on the operation.

  According to the present invention, biometric information such as fingerprints of multiple users and authentication conditions for each application or operation unit are registered in an externally connected device such as a USB memory, and these authentication conditions are met when a predetermined operation is executed on a computer. By confirming the above, it becomes possible to set an authentication authority by a combination of a plurality of users and an authority for each application or operation unit.

  For example, when dispatching a plurality of staff members to operate a computer at the dispatch destination, the fingerprint information of the staff members is registered in one USB memory to authenticate the person, and a normal file using word processing software or the like In reading and writing, only the operator's identity is confirmed. On the other hand, when starting up accounting software and accessing important information, not only the operator but also the manager of the dispatcher is authenticated. It is possible to set authority according to the combination of dispatchers and operation contents, such as on the condition.

  The best mode for carrying out the present invention will be described below in detail with reference to the drawings. The embodiment described below is an example in the case of carrying out the present invention, and the configuration of a sensor that reads biometric information, the processing device that performs the biometric authentication calculation process, and whether the biometric authentication result satisfies the authentication condition. Embodiments such as the timing of confirming are not limited to the following examples.

  1 to 3 are diagrams showing first to third embodiments to which a computer control system according to the present invention is applied, respectively. FIG. 4 is a block diagram showing the configuration of a terminal for registering externally connected devices and biometric information for operating the computer control system according to the present invention. FIG. 5 is a block diagram showing a configuration of a computer control system according to the present invention. FIG. 6 is a diagram showing an example of authentication conditions stored in the external device in the computer control system according to the present invention. FIG. 7 is a diagram showing an example of the authentication result held in the memory in the computer control system according to the present invention. FIG. 8 is a flowchart showing a processing flow for confirming authority at the time of logon of the computer in the computer control system according to the present invention. FIG. 9 is a flowchart showing a processing flow for performing authority confirmation when an application is started on the computer in the computer control system according to the present invention. FIG. 10 is a flowchart showing a processing flow in which the agent resident in the computer confirms the authority of each operation in the computer control system according to the present invention.

  1 to 3, a computer control system using an external connection device according to the present invention is applied to perform biometric authentication in an external computer (in these examples, biometric authentication is performed using fingerprint information). )), An embodiment for controlling the use authority of the computer will be described. FIG. 1 shows an embodiment in which fingerprint information of a user registered in a terminal is stored in an external device. FIG. 2 shows that fingerprint information of a user not registered in the terminal is registered in a computer and authentication is required. FIG. 3 shows an embodiment in which user fingerprint information is written in the external connection device, and FIG. 3 shows an embodiment in which user fingerprint information requiring authentication is directly written in the external connection device.

  In FIG. 1, it is assumed that manager A, B, and C 2 registered staff are dispatched to an external office. A terminal X is installed at the office where the staff is dispatched. It is assumed that a terminal Y used for business is installed at an external office that is a dispatch destination, and biometric authentication is required to log on the terminal Y and operate a predetermined application program. . The fingerprint information of the manager of the dispatch source and the registered staff is registered in the terminal X. When dispatching three persons A, B, and C, the fingerprint information of the three persons is written in the external connection device, and the dispatch destination Bring it to your office. It is assumed that an external connection device is connected to the terminal Y at the dispatch destination office, and each manager and staff perform biometric authentication to operate the terminal Y.

  When the fingerprint information is written in the externally connected device at the terminal X, the authentication conditions for logon and application activation at the terminal Y are also registered in the externally connected device by operating the terminal X. As an example of the authentication condition, “Logon to the terminal Y is permitted if any one of the operators A, B, and C has been subjected to biometric authentication of its own. In the case where B and C are operated, the condition is that not only the self-authentication but also the biometric authentication of the manager A is performed. Such conditions may be such that conditions registered in the terminal X in advance are read out, or may be set by operating the terminal X at each registration, according to the combination of members to be dispatched.

  When three persons A, B, and C are dispatched to a dispatch destination office, an external connection device in which biometric information is written is connected to the terminal Y, and each staff performs biometric authentication. In order to perform authentication, a sensor that reads the fingerprint information of the operator and a program that performs biometric authentication by comparing the read fingerprint information with the registered fingerprint information are required. It may be provided in any of the connected device and the terminal Y (or a peripheral device connected to the terminal Y).

  When the logon operation is executed from the dedicated screen at the terminal Y, when the connection of the externally connected device is detected, biometric authentication is performed for the three persons A, B, and C whose fingerprint information is stored in the externally connected device. In the case of the previous example, it is said that the self-biometric authentication should be performed as the authentication condition at the time of logon. For example, if B is trying to log on, refer to the result of B biometric authentication. To determine whether or not to log on. On the other hand, when an application program that requires A's biometric authentication as an authentication condition is started, the authentication result of A is referred to together with the authentication result of B, and both are confirmed to be the person. Will be allowed to start the application.

  For example, if a dedicated USB memory is used for the external connection device, a fingerprint reading sensor is provided in the USB memory, and an authentication program is stored in a part of the memory, the terminal Y can read fingerprints. Even when a verification mechanism is not provided, management by biometric authentication can be performed. Further, by providing a dedicated chip equipped with an arithmetic device in the USB memory, the biometric authentication may be performed only with the USB memory without using the main memory or CPU of the terminal Y. It is preferable that the fingerprint information written in the memory can be erased or overwritten, so that even if the number of staff dispatched or the pattern of authentication conditions increases, one USB memory can be used. The USB memory preferably has a sufficient storage capacity.

  Regarding the registration of fingerprint information at the terminal X, when fingerprint information is not set in the external connection device, new fingerprint information may be registered without any particular limitation. It is also possible to set some condition as follows. In addition, when fingerprint information of some people is set in the external device, it is preferable to prevent the fingerprint information from being illegally changed and used. Some authentication conditions may be set for adding new fingerprint information. However, if no unique conditions are set, biometric authentication of at least one user who has registered fingerprint information is performed. These operations can be executed on condition that the terminal can be operated.

  FIG. 2 is similar to FIG. 1 in that the manager and staff dispatched at the terminal Y of the dispatch destination perform biometric authentication, but of the three persons A, D, and E dispatched, Assume that two persons are newly registered staff members and no fingerprint information is registered in the terminal X. In this case, a new fingerprint information registration operation for D and E is performed at the terminal X, and the fingerprint information of A that has already been registered is written in the external connection device. The authentication condition is also set by an operation on the terminal X and written to the externally connected device.

  3 is similar to FIG. 1 in that the manager and staff dispatched at the terminal Y as the dispatch destination perform biometric authentication, but the manager who dispatches the terminal X without registering and managing the fingerprint information. And fingerprint information of staff are registered every time they are dispatched. In this case, for example, fingerprint information may be directly written in the USB memory using the fingerprint reading sensor provided in the USB memory described in the example of the externally connected device. Even in this case, the authentication condition is written in the external device by operating the terminal X.

  As described with reference to FIGS. 1 to 3, by applying the present invention and using an externally connected device for which not only biometric information but also authentication conditions are registered for authentication, a plurality of managers and staff members can be used. In the case where the computer is dispatched to the office of the company and the computer is operated at the dispatch destination, not only the authority to use the computer is given depending on the presence or absence of biometric authentication for each individual, but also according to the combination of multiple managers and staff dispatched In addition, it is possible to individually set the use authority according to the operation contents of the computer.

  FIG. 4 shows the configuration of an external connection device and a terminal for registering biometric information and the like for operating the computer control system according to the present invention. The terminal 10 for registering biometric information and authentication conditions is configured to be able to connect to the external connection device 20. The terminal 10 is a personal computer or the like, and includes a CPU 11, RAM 12, ROM 13, HDD 14, and USB port 15. The HDD 14 stores a biometric information registration program 141 that controls reading and writing of biometric information. The biometric information storage unit 142 includes biometric information such as fingerprint information of a person who has the authority to use a computer with identification information. Stored. The authentication condition storage unit 143 stores authentication conditions by biometric authentication required for the operation of each computer.

  In order to execute predetermined processing by the biometric information registration program 141 or other application programs stored in the HDD 14, various basic programs for hardware control such as input control and output control stored in the ROM 13 are started. Then, while the RAM 11 functions as a work area for the application program, the CPU 11 performs arithmetic processing, whereby processing necessary for each application is executed.

  A USB memory or the like is used as the external connection device 20 and includes a memory 21, a biometric information matching unit 22, and a biometric information reading sensor 23. The memory 21 includes at least a biometric information storage unit 211 and an authentication condition storage unit 212, and the biometric information and authentication conditions acquired from the terminal 10 are written therein. As for the biological information, the information read from the biological information reading sensor 23 may be directly written in the biological information storage unit 211. For the biometric information matching unit 22, a dedicated chip or the like having a function of executing a calculation process for biometric authentication is used. The biometric information reading sensor 23 has a function of reading biometric information such as fingerprint information. The biometric information read is compared with the biometric information stored in the biometric information storage unit 211 in the biometric information collating unit 22, and biometric authentication is performed. Is configured to be performed.

  Writing of biometric information and the like to the external connection device 20 is performed by connecting the external connection device 20 to the USB port 15 of the terminal 10. The biometric information storage unit 142 stores biometric information of a person who has the authority to use a computer with identification information of a registrant such as an employee code, among which a plurality of members dispatched to an external office When the identification information is designated, biometric information corresponding to the designated identification information is read out and sent to the external connection device 20 via the USB port 15. In the external device 20, each received biometric information is stored in the biometric information storage unit 211 together with the identification information. In addition, when requesting password authentication at the time of logging on to a computer or the like, a password corresponding to each identification information is stored in the biometric information storage unit 142, and the biometric information storage unit is combined with the biometric information. It is good also as storing in 211 grade | etc.,.

  Along with the writing of the biometric information, an authentication condition corresponding to the operation content of the computer operated at the dispatch destination is written in the external connection device 20. Such an authentication condition is selected by the operator of the terminal 10, but a condition registered in advance in the authentication condition storage unit 143 may be selected, or a condition may be set by operating individually at the time of writing. Also good. The selected authentication condition is sent to the external device 20 via the USB port 15. In the external device 20, the received authentication condition is stored in the authentication condition storage unit 212.

  Regarding the writing of the biometric information, not the biometric information stored in the terminal 10 but the one read from the biometric information reading sensor 23 may be directly stored in the biometric information storage unit 211. However, also in this case, the identification information attached when the external connection device 20 is connected to the USB port 15 of the terminal 10 and the read biometric information is stored in the biometric information storage unit 211 when the biometric information is written is the administrator. Is sent from the terminal 10 by the operation of. Similarly, authentication conditions and passwords sent from the terminal 10 are stored in the authentication condition storage unit 212 and the biometric information storage unit 211, respectively.

  FIG. 6 shows an example of authentication conditions stored in the external device 20. In addition to logging on to the computer, conditions for starting a specific application program and conditions such as reading a document file controlled by the agent program are specified. As the contents of the authentication conditions, the conditions for the members that need to be authenticated are specified by using the identification information that identifies each of A, B, C, and D.

  That is, when authentication conditions are set as in the example of FIG. 6, when any one of A, B, C, and D logs on to the computer, biometric authentication and password authentication for the person are performed. This is a condition for allowing logon. Regarding the activation of the application program X, A, B, and C can be activated if biometric authentication and password authentication are performed for the person, but D cannot be activated even if authentication is performed. become. Regarding the activation of the application program Y, A can be activated if only the user's biometric authentication and password authentication are performed, but B and C can be activated by the manager in addition to the biometric authentication and password authentication of the individual. It is a condition for activation that biometric authentication of a certain A is also performed (if staff B and C operate, the manager A may perform biometric authentication as if it were a checkmark. Used when necessary.) Regarding operations such as reading and writing of a document file using word processing software or the like, these operations are monitored by the agent program, and the execution of the operations is permitted when the conditions specified for each are met.

  As described above, when the biometric information or the like is written in the external connection device 20 in the terminal 10, the staff moves to the dispatch destination office with the external connection device 20 after writing. A method of biometric authentication at a business site of a dispatch destination will be described with reference to FIG.

  FIG. 5 shows a configuration of a computer control system according to the present invention in which an external connection device is connected and control is performed by biometric authentication. A terminal 30 such as a personal computer is installed at the business office of the dispatch destination, and the dispatched staff connects the external connection device 20 brought to the terminal 30. The terminal 30 includes a CPU 31, a RAM 32, a ROM 33, an HDD 34, and a USB port 35. The HDD 34 stores an application program 341 and an agent program 342, and an authentication information storage unit 343 is provided.

  In order to execute a predetermined process by the application program 341 and the agent program 342 stored in the HDD 34, as in the case of the terminal 10, the basics for hardware control such as input control and output control stored in the ROM 33 are performed. Necessary processing is executed by the CPU 31 performing arithmetic processing while starting various programs and causing the RAM 32 to function as a work area for the application program.

  When the external connection device 20 is connected to the terminal 30, biometric authentication of the staff using the terminal 30 is requested at the timing of logging on to the terminal 30 or connecting the external connection device 20. For example, if four persons A, B, C, and D are dispatched, biometric authentication for four persons is requested, and identification information such as an employee code is designated, and fingerprint information is provided to the biometric information reading sensor 23. When the biometric information is read, it is confirmed whether the biometric information matches the corresponding biometric information stored in the biometric information storage unit 211, and it is confirmed whether the dispatched person is the registrant. The biometric information collation is performed in the biometric information collation unit 22, but is not limited to such a configuration. For example, a collation program is stored in the HDD 34 of the terminal 30 and the terminal 30 performs the collation processing. You may comprise so that a calculation process may be performed. Further, instead of the biometric information reading sensor 23, a reading sensor provided in the terminal 30 or another peripheral device including a reading sensor connected to the terminal 30 may be used.

  The result of the authentication performed in this way is held in the virtual memory area of the RAM 32 or the HDD 34 of the terminal 30. Alternatively, it may be stored in the authentication information storage unit 343 in the form of a file or the like. In any case, in the format shown in the example of FIG. 7, information that can quickly specify whether each person has been authenticated by biometric authentication is held in the terminal 30. Such information on the authentication result may include a result of password authentication.

  In addition to the identification of the result of biometric authentication, the authentication condition for executing a predetermined operation on the terminal 30 is read from the authentication condition storage unit 212 of the external connection device 20, and the RAM 32 or the HDD 34 of the terminal 30 is also read. Authentication conditions are also stored in the virtualized memory area or in the authentication information storage unit 343 in the form of a file or the like. When a predetermined operation is performed on the terminal 30, the authentication condition is referred to, and if authentication is required, the authentication result is referred to whether the specified condition is satisfied, and the authentication result satisfies the authentication condition. If it is, the execution of the operation is permitted.

  For example, when the condition that biometric authentication is required is set in the application program 341, a staff member who needs biometric authentication is identified with reference to the authentication condition stored in the RAM 32, and the result of biometric authentication of the identified staff member Is confirmed with reference to the authentication result held in the RAM 32.

  In the example of FIGS. 6 and 7, if B starts the application Y, it is a condition that A biometric authentication, B biometric authentication and password authentication are performed based on the authentication conditions. , A and B authentication results are referred to. Since it is recorded that biometric authentication has been completed for any authentication result, password authentication is requested for B, and if the passwords match, the application Y operates without restriction. Or, if it is defined in the authentication conditions that it is necessary to execute the authentication other than the operator again, the biometric authentication of A is required in addition to the password authentication of B. It is possible to confirm and check that the person is B person on the spot.

  On the other hand, if C activates the application Y, it is a condition that the biometric authentication of A and the biometric authentication and password authentication of C are performed based on the authentication condition. Refer to In this case, since the biometric authentication record for the C authentication result has not been made, the application Y is stopped or some operation is restricted. Alternatively, a message requesting C to perform biometric authentication may be displayed. If D activates the application Y, the use of the application Y is restricted for the D based on the authentication condition, so the application Y is stopped or some operation is restricted.

  In addition to the above example, in order to control individual operations such as reading / writing to a file, an agent program is made resident in the terminal 30 to determine whether each operation satisfies the authentication condition while monitoring the operation. It is good. In this case, when the terminal 30 is activated, the agent program 342 is read into the RAM 12 and it is monitored that a predetermined calculation process is executed in the RAM 12. When a predetermined calculation process such as update of a document file is detected, a manager or a staff who needs biometric authentication is identified with reference to an authentication condition held in the RAM 32, and a result of biometric authentication of the identified manager or staff Is confirmed with reference to the authentication result held in the RAM 32.

  In the example of FIGS. 6 and 7, if B executes update of a document file, it is a condition that A's biometric authentication and B's biometric authentication and password authentication are performed based on the authentication condition. Therefore, reference is made to the authentication results of A and B. Since it is recorded that biometric authentication has been completed for any authentication result, password authentication is requested for B, and if the passwords match, the update of the document file becomes valid. Alternatively, if it is defined in the authentication condition that it is necessary to execute authentication other than the operator again, in addition to B password authentication, A biometric authentication is requested again, and B password authentication and A When biometric information is performed, the update of the document file becomes valid. The same applies when D executes update of the document file. On the other hand, if C performs the update of the same document file, A and C are required because the biometric authentication of A and the biometric authentication and password authentication of C are performed based on the authentication condition. Refer to the authentication result of. In this case, since the biometric authentication record for the C authentication result has not been made, the update process of the document file is stopped or some operation is restricted. Alternatively, a message requesting C to perform biometric authentication may be displayed.

  As for the identification method of the authentication condition and the authentication result, as described above, biometric authentication of each staff may be performed in advance at the time of logon or the like, and may be held in the RAM 12, the authentication information storage unit 343, or the like. When the application program or agent program that requires biometric authentication is started, authentication conditions are acquired from the authentication condition storage unit 212, and biometric authentication of managers and staff required from the authentication conditions is requested to perform verification processing. It may be carried out.

  With reference to the flowchart of FIG. 8, a processing flow for confirming authority at the time of computer logon in the computer control system according to the present invention will be described. As a premise, multiple managers and temporary staff bring an external connection device that stores the authentication conditions defined for each biometric information and computer operation to the dispatched office, etc. It is assumed that the external connection device is set in the provided computer.

  When an external connection device that stores biometric information of a plurality of managers and staff members and authentication conditions for a predetermined operation is connected to the computer and the computer is turned on (S01), a dedicated logon screen is displayed on the computer operation screen. It is displayed (S02). The computer checks whether the external connection device used in the present invention is connected to the USB port or the like by the operation of the OS (S03). If the external connection device is attached, the biometric information and the authentication condition are It is confirmed whether it has been registered (S04). When it is determined that the registration has been completed, the biometric authentication process is executed as follows.

  In order to confirm whether the computer operator is a staff member dispatched, the operator is requested to read biometric information, and from a biometric information reading device such as a biometric information reading sensor provided in an external connection device. The read biological information is acquired (S05). The acquired biometric information is checked against the biometric information registered in the externally connected device (S06), and if it matches, the identity is confirmed.

  When the identity verification is performed in this way, it is subsequently confirmed whether or not the authentication conditions for logon registered in the externally connected device are met (S07). For example, if it is a condition that only one operator is permitted to log on, the authentication condition is met. However, if authentication of the manager in addition to the operator is required, the authentication condition is changed. The biometric authentication of the manager is performed to confirm that it is satisfied (or the authentication result is acquired when the biometric authentication of the manager has already been completed).

  When it is confirmed that the authentication condition is satisfied, a password input screen for logging on is displayed (S08), and the password input by the operator to the computer and the biometric information are stored in the external connection device. It is confirmed whether the password specified for the operator matches (S09). If they match, the logon process is continued, and the authentication result of the biometric authentication and the authentication condition read from the external device (for the authentication condition, all conditions are read when the first staff member logs on) May be recorded in a temporary storage area such as a computer memory, and the process is terminated.

  If the external connection device is not connected to the computer, biometric information or authentication conditions are not registered in the external connection device, the biometric authentication results do not match, the authentication conditions for the biometric authentication performed If the password is not satisfied or the password verification result does not match, the logon process is not continued in either case, and the display returns to the initial dedicated logon screen. However, in these cases, other processing may be performed such as performing error processing or requesting collation when the collation results are inconsistent, and there is no particular limitation.

  In the above flow, after performing biometric authentication and confirming that the authentication condition is satisfied, a logon screen requiring password input is displayed. However, before confirming that the authentication condition matches, biometric authentication is performed. In addition, password authentication may be performed. In this case, which of biometric authentication and password authentication is performed first is not particularly limited, and if both match, it is treated that personal authentication has been performed for the staff or the like.

  With reference to the flowchart of FIG. 9, a processing flow for confirming authority at the time of application activation in the computer in the computer control system according to the present invention will be described. As a premise here, the authentication result of biometric authentication performed at the time of logon to the computer and the authentication condition (including the authentication condition for the application program) read from the external device are temporarily stored in the memory of the computer or the like. It is assumed that it is held in the area.

  When the computer accepts the activation of the application program (S11), it is confirmed whether a biometric authentication result and an authentication condition are stored in a predetermined storage area such as a memory of the computer (S12). If these pieces of information are not stored, the application is not executed and waits until the authentication result and the authentication condition are confirmed (S15).

  If these pieces of information are stored, it is determined whether the authentication result satisfies the authentication condition for operating the application program as usual (S13). If the authentication condition is satisfied, the application program is executed in a normal operation (S14). If the authentication condition is not satisfied, execution of biometric authentication for satisfying the authentication condition is requested (S16), and the process waits until a new authentication result is confirmed (S15).

  In the case where it is not confirmed that the authentication condition is satisfied, error processing is performed and the application program is stopped, or the application program is operated in a state where a predetermined restriction is added, and there is no restriction. Other processing than the normal operation may be performed.

  The flow in FIG. 9 is based on the premise that biometric authentication is performed at the time of logon to the computer and the authentication result stored in the memory is referred to, but logon to the computer is permitted by normal password input or the like. Then, when a predetermined application program that requests biometric authentication is activated, biometric authentication for each staff may be performed. In this case, at the time of starting the application program, the same processing as the biometric authentication and authentication condition verification (S03 to S07) described in FIG. 8 is executed.

  A processing flow in which an agent resident in a computer confirms authority of each operation in the computer control system according to the present invention will be described with reference to the flowchart of FIG. Here, as in the case of FIG. 9, the authentication result of the biometric authentication performed at the time of logon to the computer and the authentication condition read from the external device (including the authentication condition related to the predetermined operation controlled by the agent program) are included in the computer. It is assumed that it is held in a temporary storage area such as a memory.

  An agent program is a program for monitoring operations executed by an application program or the like (writing or reading of a specific file, writing or reading of a specific application program, activation of a screen saver, etc.). (S21) and resides in a computer to monitor data on the memory.

  When the agent program monitors the predetermined operation and detects an execution request for the operation that requires authentication, the authentication result and the authentication condition of the biometric authentication stored in the predetermined storage area such as the memory of the computer are It is determined whether it is applicable to the operation detected by the program (S22). If it is determined that the operation is applicable, normal execution of the operation is permitted (S23). If it is determined that the operation is not applicable, some restriction is imposed on the execution of the operation by the agent program (S24). . The content of the restriction is not particularly limited, and the execution of the requested operation may be stopped, or the execution may be permitted with certain functions being restricted.

  The monitoring of the predetermined operation by the agent program is continued until the end flag indicating that the monitoring by the agent program is no longer necessary is set, and it is confirmed that the end flag is turned on (S25). Ends monitoring by the agent program. Note that there is no particular limitation as to which program manages the end flag for such an agent program.

  The flow in FIG. 10 is also based on the premise that biometric authentication is performed when logging on to a computer and the like, and the authentication result stored in a memory or the like is referred to. It is also possible to perform biometric authentication for each manager or staff at the timing when the agent program is activated by permitting by input or the like. In this case, at the time of starting the agent program, the same processing as the biometric authentication and authentication condition verification (S03 to S07) described in FIG. 8 is executed.

It is a figure which shows the 1st Example to which the control system of the computer concerning this invention is applied. It is a figure which shows the 2nd Example to which the control system of the computer concerning this invention is applied. It is a figure which shows the 2nd Example to which the control system of the computer concerning this invention is applied. It is a block diagram which shows the structure of the terminal which registers an external connection apparatus, biometric information, etc. for operating the control system of the computer concerning this invention. It is a block diagram which shows the structure of the control system of the computer concerning this invention. It is a figure which shows an example of the authentication conditions memorize | stored in the external connection apparatus in the control system of the computer concerning this invention. It is a figure which shows an example of the authentication result hold | maintained on memory in the control system of the computer concerning this invention. 6 is a flowchart showing a processing flow for performing authority confirmation when a computer logs on in the computer control system according to the present invention. 6 is a flowchart showing a processing flow for performing authority confirmation when an application is started on a computer in the computer control system according to the present invention. 5 is a flowchart showing a processing flow in which an agent resident in a computer confirms authority of each operation in the computer control system according to the present invention.

Explanation of symbols

10 Terminal 11 CPU
12 RAM
13 ROM
14 HDD
141 Biometric information registration program 142 Biometric information storage unit 143 Authentication condition storage unit 15 USB port 20 Externally connected device 21 Memory 211 Biometric information storage unit 212 Authentication condition storage unit 22 Biometric information matching unit 23 Biometric information reading sensor 30 Terminal 31 CPU
32 RAM
33 ROM
34 HDD
341 Application program 342 Agent program 343 Authentication information storage unit 35 USB port

Claims (8)

A computer control method for controlling an operation of the computer by connecting an external connection device capable of storing biological information to the computer,
The externally connected device includes at least biometric information of a plurality of users used for authentication in the computer, a password set for each of the plurality of users, and the user causing the computer to execute a predetermined application program Authentication conditions for
The computer accepting activation of an application program stored in the computer;
The computer includes biometric information of a plurality of users stored in the external connection device, a verification result of biometric information read from the plurality of users, and passwords of the plurality of users stored in the external connection device, Identifying a password verification result entered by each of the plurality of users;
The computer reads out the authentication condition stored in the externally connected device, and specifies the authentication condition set for the application program from the authentication condition;
Determining whether the verification result of the biometric information and the verification result of the password match the authentication condition set for the application program,
When the verification result of the biometric information and the verification result of the password match the authentication condition set for the application program, the computer executes normal processing by the application program,
When at least one of the verification result of the biometric information and the verification result of the password does not match the authentication condition set for the application program, the computer executes a process for performing a predetermined restriction on the application program And a computer control method. A computer control method for controlling an operation of the computer by connecting an external connection device capable of storing biological information to the computer,
The external connection device stores at least biometric information of a plurality of users used for authentication in the computer, and authentication conditions for causing the computer to execute a predetermined application program.
The computer accepting activation of an application program stored in the computer;
The computer specifying biometric information of a plurality of users stored in the external device and biometric information read from the plurality of users;
The computer reads the authentication conditions stored in the external connection device, and specifies the authentication conditions set for the application program from the authentication conditions;
The computer includes a step of determining whether the verification result matches an authentication condition set for the application program,
In the step of determining whether or not the authentication condition is met, if the verification result matches the authentication condition set for the application program,
The computer requesting the user who has started the application program to enter a password;
The computer accepting a password entered by the user;
The computer determining whether the password matches a password specified for the user stored in the computer or the external device;
When the computer accepts the password accepted in the step of accepting the password and a password specified for the user, and executes a normal process by the application program; and
In the step of determining whether or not the authentication condition is met, if the verification result does not match the authentication condition set for the application program, or the password received in the step of accepting the password is a password specified for the user If they do not match, the computer executes a process for performing a predetermined restriction on the application program. A computer control method for controlling an operation of the computer by connecting an external connection device capable of storing biological information to the computer,
The externally connected device includes at least biometric information of a plurality of users used for authentication in the computer, a password set for each of the plurality of users, and the user causing the computer to execute a predetermined operation. Authentication conditions are stored,
The computer accepting a request for an operation including at least one of writing or reading a specific file and writing or reading a specific application;
The computer includes biometric information of a plurality of users stored in the external connection device, a verification result of biometric information read from the plurality of users, and passwords of the plurality of users stored in the external connection device, Identifying a password verification result entered by each of the plurality of users;
The computer reads the authentication condition stored in the externally connected device, and specifies the authentication condition set for the operation from the authentication condition;
Determining whether the verification result of the biometric information and the verification result of the password match the authentication condition set for the operation;
If the verification result of the biometric information and the verification result of the password match the authentication conditions set for the operation, the computer executes normal processing for the operation,
If at least one of the verification result of the biometric information and the verification result of the password does not meet the authentication condition set for the operation, the computer executes a process for performing a predetermined restriction on the operation A computer control method characterized by the above. A computer control method for controlling an operation of the computer by connecting an external connection device capable of storing biological information to the computer,
The externally connected device stores at least biometric information of a plurality of users used for authentication in the computer and authentication conditions for causing the computer to execute a predetermined operation.
The computer accepting a request for an operation including at least one of writing or reading a specific file and writing or reading a specific application;
The computer specifying biometric information of a plurality of users stored in the external device and biometric information read from the plurality of users;
The computer reads the authentication condition stored in the externally connected device, and specifies the authentication condition set for the operation from the authentication condition;
The computer has a step of determining whether the verification result matches an authentication condition set for the operation, and
If the verification result matches the authentication condition set for the operation,
Requesting the user to input a password to the user who started the application program for requesting the operation;
The computer accepting a password entered by the user;
The computer determining whether the password matches a password specified for the user stored in the computer or the external device;
When the computer accepts the password accepted in the step of accepting the password and a password specified for the user, and executes a normal process by the application program; and
In the step of determining whether or not the authentication condition is met, if the verification result does not match the authentication condition set for the operation, or the password received in the password receiving step matches the password specified for the user If not, the computer executes a process for performing a predetermined restriction on the operation. A computer control system comprising an external connection device capable of storing biological information and a computer connected to the external connection device,
The externally connected device includes at least biometric information of a plurality of users used for authentication in the computer, a password set for each of the plurality of users, and the user causing the computer to execute a predetermined application program Authentication information storage means for storing authentication conditions for
The computer includes
Application activation accepting means for accepting activation of an application program stored in the computer;
The biometric information of a plurality of users stored in the external connection device, the collation result of the biometric information read from the plurality of users, the passwords of the plurality of users stored in the external connection device, and the plurality of Biometric information specifying means for specifying a password verification result entered by each of the users;
An authentication condition specifying means for reading the authentication condition stored in the external device and specifying the authentication condition set for the application program from the authentication condition;
Authentication condition determination means for determining whether the verification result of the biometric information and the verification result of the password match an authentication condition set for the application program, and
When the verification result of the biometric information and the verification result of the password match the authentication condition set for the application program, the computer executes normal processing by the application program,
When at least one of the verification result of the biometric information and the verification result of the password does not match the authentication condition set for the application program, the computer executes a process for performing a predetermined restriction on the application program A control system for a computer. A computer control system comprising an externally connected device capable of storing biological information and a computer connected to the externally connected device,
The external connection device includes at least authentication information storage means for storing biometric information of a plurality of users used for authentication in the computer and authentication conditions for allowing the user to execute a predetermined application program on the computer. And
The computer includes
Application activation accepting means for accepting activation of an application program stored in the computer;
Biometric information specifying means for specifying biometric information of a plurality of users stored in the externally connected device and biometric information read from the plurality of users;
An authentication condition specifying means for reading the authentication condition stored in the external device and specifying the authentication condition set for the application program from the authentication condition;
An authentication condition determining means for determining whether the computer matches the authentication condition set for the application program;
A password requesting unit that requests the user who has started the application program to input a password when the verification result matches the authentication condition set for the application program in the authentication condition determining unit;
Password accepting means for accepting a password entered by the user;
Password determination means for determining whether the password received by the password reception means matches a password specified for the user stored in the computer or the external connection device, and
If the passwords match in the password determination means, the computer executes normal processing by the application program,
If the verification result does not match the authentication condition set for the application program in the authentication condition determination unit, or if the password does not match in the password determination unit, the computer restricts the application program to a predetermined limit. A control system for a computer, characterized by executing processing for performing the processing. A computer control system comprising an external connection device capable of storing biological information and a computer connected to the external connection device,
The externally connected device includes at least biometric information of a plurality of users used for authentication in the computer, a password set for each of the plurality of users, and the user causing the computer to execute a predetermined operation. Authentication information storage means for storing the authentication conditions of
The computer includes
An operation request receiving means for receiving an operation request including at least one of writing or reading a specific file and writing or reading a specific application;
The biometric information of a plurality of users stored in the external connection device, the collation result of the biometric information read from the plurality of users, the passwords of the plurality of users stored in the external connection device, and the plurality of Biometric information specifying means for specifying a password verification result entered by each of the users;
An authentication condition specifying means for reading the authentication condition stored in the external device and specifying the authentication condition set for the operation from the authentication condition;
Authentication condition determination means for determining whether the verification result of the biometric information and the verification result of the password match an authentication condition set for the operation, and
If the verification result of the biometric information and the verification result of the password match the authentication conditions set for the operation, the computer executes normal processing for the operation,
If at least one of the verification result of the biometric information and the verification result of the password does not meet the authentication condition set for the operation, the computer executes a process for performing a predetermined restriction on the operation A computer control system. A computer control system comprising an external connection device capable of storing biological information and a computer connected to the external connection device,
The external connection device includes at least authentication information storage means for storing biometric information of a plurality of users used for authentication in the computer and authentication conditions for allowing the user to perform a predetermined operation on the computer. ,
The computer includes
An operation request receiving means for receiving an operation request including at least one of writing or reading a specific file and writing or reading a specific application;
Biometric information identifying means for identifying biometric information of a plurality of users stored in the externally connected device and biometric information read from the plurality of users;
An authentication condition specifying means for reading the authentication condition stored in the external device and specifying the authentication condition set for the operation from the authentication condition;
Authentication condition determination means for determining whether the verification result matches an authentication condition set for the operation;
A password requesting unit that requests the user who has requested the operation to input a password when the verification result matches the authentication condition set for the operation in the authentication condition determining unit;
Password accepting means for accepting a password entered by the user;
Password determination means for determining whether the password received by the password reception means matches a password specified for the user stored in the computer or the external connection device, and
If the passwords match in the password determination means, the computer executes normal processing for the operation,
When the authentication condition determination unit does not match the verification condition set for the operation, or when the password does not match the password determination unit, the computer performs a predetermined restriction on the operation. A computer control system characterized by executing the following process.