JP5922071B2 - Improving system biometric security - Google Patents

Description

  The present invention relates to biometric security of computer systems.

  When a user of a processor-based system attempts to improve the reliability of the user's system and the data stored in the system, security concerns increase. In order to provide security for such systems, passwords are often established and used often to protect access to the system. Additional passwords can be used to protect access to certain applications and files and interaction with remote sources such as websites accessible by the system. Furthermore, security can be provided by encryption of files and data.

  However, with various uses of the system, users can face increasing passwords and can be lost or confused. Thus, some users can choose a common password for many different types of applications, making security a major risk.

  Some systems provide additional security with certain types of biometric sensors. For example, many processor-based devices are equipped with a fingerprint sensor that functions as an identification device. However, the user simply puts / slides one finger on the sensor once / slides (in any movement direction), and the apparatus executes an identification process. However, for many purposes, this type of security mechanism is not powerful enough.

  An object of the present invention is to provide a technique for improving biometric security of a computer system.

  To solve the above problems, an aspect of the present invention includes receiving an ordered sequence of biometric inputs from a user via a biometric sensor associated with a processing system; and Each matches a corresponding entry stored in a table of non-volatile storage of the processing system, the table containing an ordered sequence of stored biometric inputs corresponding to the user's password pattern And a step of determining if there is a match, allowing the user to access the processing system, and if not, preventing the user from accessing the processing system.

  Another aspect of the invention is that, when executed, the system is an ordered sequence of biometric inputs to a user via a biometric sensor associated with the system, each of the ordered sequences of biometric inputs. Requests to input an ordered sequence of the biometric inputs that provides a direction of finger movement with respect to the biometric sensor, and the ordered sequence of biometric inputs from the user through the biometric sensor in the system And storing each scan of the ordered sequence of biometric inputs, metadata about the direction of movement, and alphanumeric characters of the table entries associated with the user stored in non-volatile memory. About those having machine-accessible storage medium containing instructions that allow.

  Another aspect of the invention receives an ordered sequence of biometric inputs from a user, each of the ordered sequences of biometric inputs stored corresponding to a password pattern of the user. To determine whether the corresponding entry stored in the table containing the ordered sequence matches, and if so, allows the user to access the system; otherwise, the user A processor for executing instructions to prevent access to a system; a biometric sensor connected to the processor and providing an ordered sequence of biometric inputs to the processor; and connected to the processor; Store table A volatile memory, a system with.

  According to the present invention, biometric security of a computer system can be improved.

FIG. 1 is a diagram representing exemplary finger mappings according to one embodiment of the present invention. FIG. 2 is a diagram illustrating mapping of both a finger and a moving direction to a password element according to an embodiment of the present invention. FIG. 3 is a flow diagram of a method for generating a password according to one embodiment of the present invention. FIG. 4 is a flowchart of a method for password authentication according to an embodiment of the present invention. FIG. 5 is a flowchart of a method for generating a password according to an embodiment of the present invention. FIG. 6 is a flow diagram of a method for password authentication according to another embodiment of the present invention. FIG. 7 is a block diagram of a system used in accordance with one embodiment of the present invention.

  Each embodiment provides an enhanced secure identification process, such as for a system having a biometric sensor such as a fingerprint sensor. In order to perform identification according to embodiments of the present invention, the user may place different fingers on the sensor in a predetermined sequence or order (such as a finger or toe). In some implementations, the user may slide the finger in different directions to make the scanning sequence different even when using the same finger. In this way, even if a malicious person confirms the finger placed by the user on the sensor, the order of the specific finger and the sliding direction cannot be recognized, and the password is not known. Identification is more robust than one input style.

  In different implementations, the ordered sequence of different fingers (with or without movement direction) can also constitute a password called a password pattern. In some implementations, the password pattern does not include alphanumeric characters and instead only supports a finger / movement sequence. In other implementations, different mapping methods of biometric information and / or user movement and password elements (such as alphanumeric values) can be implemented. While the scope of the present invention is not so limited, in some implementations, each finger of the user may be mapped to a numeric code such that 10 fingers are mapped to the numbers 0-9. .

  In one embodiment, an ordered sequence of different finger fingerprints may be utilized to represent a purely numeric password. In this way, an existing numeric (and / or alphanumeric) password can be converted into a fingerprint sequence that is specific to a particular user. In this way, previously generated passwords can be converted to biometric-based passwords to improve security robustness. However, as described above in other implementations, the finger and motion sequence may itself constitute a sequenced password without independent mapping to keyboard characters.

  FIG. 1 is a diagram representing an exemplary mapping according to one embodiment of the present invention. In the embodiment of FIG. 1, the fingerprints of the fingers of both the left and right hands represent numbers 0-9. This is an example of a mapping, but the user can use any representation of each fingerprint that is unique to the user. In this way, each embodiment has a stronger physical encryption for passwords because the same password (such as 01234) has a different ordered sequence of different users (corresponding to different user fingerprints, etc.). Provide For example, in one implementation, by mapping different finger passwords to each element, 0123 passwords identify a single sequence of left thumb, index, middle and ring finger fingerprints, as shown in FIG. It may be mapped to a profile.

  In other implementations, combinations of fingers and user movements may be mapped to corresponding elements. For example, thumbs and movement in a given direction (eg, left to right, top to bottom, etc.) may be mapped to a given number or other letter. In some embodiments, the user selects the desired mapping, and in other embodiments, the mapping may be preset by the system. If a combination of each finger and the moving direction (for example, two directions for each finger) is used, 20 characters can be acquired.

  In an implementation where a combination of finger and movement is mapped to a value, an example mapping may be as follows: That is, thumb slide up to down and down to up may be mapped to 0 and 1 (respectively), index finger slide up to down and down to up may be mapped to 2 and 3 (respectively), Middle finger up to down and down to up represent 4 and 5 (respectively). Of course, the user can also represent different elements using different fingers.

In the implementation of FIG. 2, mapping is performed that maps both the finger and the direction of movement to the password element. As shown in FIG. 2, the user presses the thumb on the sensor and slides from left to right for a zero value password element, and a right to left movement represents a one value password element. In this example, the password of “01010” can be expressed by moving the thumb (from the top) left, right, left, right, left, right on the sensor. Other fingers and / or other movements can be mapped to different numbers or more specific meanings specific to different users. For example, if a user speaks American sign language, the user can choose to use a set of fingers and directions that “spel” something meaningful to the user. In general, a user can select any finger gesture from any language and use it to generate a specific easily memorable pattern specific to the user. The software or firmware can provide the user with different guides for setting the password, taking into account the shape and size of the sensor surface. In one implementation, the system may present the user with an instrument layout that allows for the input of a combination of fingerprint and code or sequence. Alternatively, the mapping can be achieved by displaying the dial from the combination lock and tracking the number the dial is rotated and which fingers (and how many fingers) are used to rotate the dial. is there. In yet another implementation where the biometric sensor has a three-dimensional (3D) function, the movement of sliding the 3D surface can be mapped to a display such as a Rubik ^™ cube or other design.

  Referring to FIG. 3, a flow diagram of a method according to one embodiment of the present invention is shown. As shown in FIG. 3, the method 10 may be utilized to map a user's fingerprint and motion or stroke method to allow generation of a password pattern. As shown in FIG. 3, the method begins by starting fingerprint capture one by one (block 20). For example, the system initiates a fingerprint acquisition module to cause the biometric sensor to receive finger input. In one example, a screen display may be provided to guide the user through input of different fingers and movement directions. Specifically, as shown in FIG. 3, at block 30, the system prompts the user to enter an ordered sequence of fingerprints / motions corresponding to the password pattern. The system then scans the fingerprint of a given finger and determines its direction of movement (block 40). For example, the first element of the password pattern corresponds to the left index finger when it moves the biometric sensor from top to bottom. In response to this input, the system stores the fingerprint image and stroke direction in a database table entry (block 50). In one embodiment, this direction may be stored as metadata indicating the direction in which the scan was performed. For example, the combination of fingerprint image and stroke direction is entered into the first entry of a table that may be part of a user password database stored in the system to store the password pattern for that user.

  Still referring to FIG. 3, it is determined at decision block 60 whether the password pattern has been completed (decision block 60). If not, control returns to block 40 for further acquisition and storage of fingerprint / direction scanning. Note that the table may include multiple entries storing corresponding fingerprint images and stroke directions. If so, control passes to block 70 and the database table is completed. Accordingly, FIG. 3 illustrates a method for obtaining a user's fingerprint image and direction of movement corresponding to an ordered sequence of password patterns. In this embodiment, since the password pattern that combines the fingerprint of a specific user and the input moving direction is a completely physical code, it is necessary to map these images / movements to characters that can be used via the keyboard. Note that there is no.

  In order to allow a user to access a system having one or more stored password patterns, the method described with respect to FIG. 4 may be utilized. Referring to FIG. 4, a flow diagram of a method for password authentication according to one embodiment of the present invention is shown. As shown in FIG. 4, the method 100 begins by scanning fingerprints one by one (block 110). Such a scan may be performed by the user entering a specific order of fingers / directions, such as that performed to generate the password pattern described above with respect to FIG. For each input, it may be determined whether a valid fingerprint is obtained (decision block 120). If so, control passes to block 130. If not, control returns to block 110 and a re-entry of the corresponding fingerprint is requested. In some implementations, the system can provide the user with information regarding whether each input has been correctly detected and can request re-entry as needed. Note that in some embodiments, all fingerprints / directions may be scanned before moving to block 130. In some embodiments, the user input may indicate whether the user has completed the input and has been selected by any user.

  Upon receipt of the fingerprint / direction, the scan / movement is compared with a table in the database where each table corresponds to a password pattern stored by the user (block 130). More particularly, in one implementation, the first scan / movement direction input is compared to the first entry in each table to determine if there is a match. The comparison / determination of block 130 and decision block 104 is performed sequentially until a full password pattern is detected that completely matches the scan / movement stored in the table. Control then passes to decision block 140 where it is determined whether the fingerprint sequence and direction match the database table. If an exact match is identified, the identification process has been successfully completed and user access is enabled (decision block 150). Otherwise, control passes to block 160 and access can be denied. Note that the access may generally be for a system, a specific application, a file, etc. Although shown with the implementation in the embodiment of FIG. 4, the scope of the present invention is not limited to this.

  As described above, in other implementations, fingerprint scan user entries (with or without orientation) may be mapped to characters, such as alphanumeric characters on the keyboard. Accordingly, the embodiment for password generation and authentication described above with respect to FIGS. 3 and 4 may be modified to accommodate such mapping. Referring to FIG. 5, another embodiment of a method for generating a password according to an embodiment of the present invention is shown. As shown in FIG. 5, the method 200 may be used to generate a password. In general, the method proceeds as described above with respect to FIG. Specifically, fingerprint capture is initiated (block 210). A fingerprint scan is then performed with or without directional metadata capture (block 220). Thereafter, the fingerprint scan may be mapped to a password element (block 230). In one embodiment, the mapping between password elements (such as alphanumeric characters) and fingerprint scan / direction constitutes an entry stored in the database table, i.e. each entry in the table corresponds to a corresponding scan, character and (possibly ) Including scan direction. The user may select a password element or the computer may do this. Control then passes to decision block 240 to determine if all fingers have been scanned. If all fingers have not been scanned, control returns to block 220 described above.

  Referring to FIG. 5, once the entire finger digit has been scanned, the mapping is stored in non-volatile storage for the user (block 250). For example, a table containing multiple entries, each entry corresponding to a given scan (with or without direction), and a corresponding mapping to characters are stored.

  In one embodiment, the system then allows the user to select a password so that each finger (with or without direction) is mapped to a different character element of the password (block 260). In one embodiment, the mapping may be via an index to the location of the user database table entry for the corresponding character, ie, each entry in the password table is a character and a database table for that character. Stores the index to the position. Thus, this password may be associated with the user mapping and stored, for example, in a non-volatile storage password table (block 270). Although shown in the embodiment of FIG. 5 together with the implementation, the scope of the present invention is not limited to this.

  Similarly, the authentication method may consider such a mapping. Referring to FIG. 6, a flow diagram of an authentication method according to another embodiment of the present invention is shown. As shown in FIG. 6, the method 300 begins as described above with respect to FIG. Specifically, a plurality of fingerprints are scanned one by one (block 310), and it is determined whether each of the images is valid (decision block 320). Each ordered fingerprint image is then checked against a database of tables (each table is for the user and includes scan / direction and character mapping entries) and stored in non-volatile storage Is converted based on the mapping being made (block 330). The above steps are performed for each user input scan. A determination is then made whether the converted characters match the stored password for the user in the password database (decision block 340). If not, it is determined whether a predetermined threshold number of accesses have been attempted (decision block 380). If not attempted, the fingerprint is rescanned. If access has been attempted a predetermined threshold number of times, control passes to block 390 where user access is denied.

  If, at decision block 340, the converted character matches the password, then it is determined whether there is a match of a standard password or a duress password (decision block 350). That is, some embodiments allow users to use other passwords, i.e., allow minimal access to the system and / or force a signal to a third party to warn the compulsion. Allows detection of compulsory passwords entered when there is a password. In these embodiments, the user enters the password with a modified pattern under compulsion and the system responds differently. The system recognizes this input as a panic password, gives (or does not allow) limited access to the system, and / or sends a compulsory alert.

  In decision block 350, if the standard password matches in the decision, control passes to block 370 where identification is successful and user access, ie, normal user access, is allowed. If the match is for a compulsory password, control passes to block 360 where successful identification probably leads to limited user access (or no access) and the initiation of compulsory alarms.

  The method of FIG. 6 may also be used to receive biometric user input for passwords previously stored as purely alphanumeric passwords, allowing backward compatibility to improve robustness. . Although shown with the implementation in the embodiment of FIGS. 5 and 6, the scope of the present invention is not limited to this, and as described above, a fingerprint scan with or without a moving direction can be converted to a character or Passwords may be configured without mapping.

  Many variations are possible. For example, in some implementations, biometric authentication is used as a method for performing secure input of characters (such as alphanumeric characters) where information other than a password is entered directly into a computer without the need for a keyboard. Is available. Therefore, a user in a public place can input information such as credit information without typing on the keyboard, and a secure method for inputting information becomes possible.

  When further individual elements are included in the password, the authentication strength is improved. In some implementations, a different number of password elements can be used to provide variable access levels to the system or information / applications about the system. For example, to unlock a mobile phone to place a call, a single slide of one finger allows it to be unlocked to provide access to phone functions. However, for financial transactions where access to personal information (such as credit card information) is desired, it is possible to request multiple fingers / directions (such as three fingers) instead of using only one finger. It is. In this way, stepwise authentication can be realized.

  In one example, one password pattern may be a first number (20, etc.) of elements. Different parts of the password (starting with the first element etc.) may be used for different authentication levels. For example, only one element is used to gain access to the device, five elements are used to access one type of application, additional elements are used to access secure applications, etc. May be. Other embodiments may allow N of M passwords to be used. In such an implementation, authentication requires at least N elements of an M element password, such as 3 out of 10 or 3 out of 5. When utilized with an embodiment, N out of M are specified by specifying the pattern swipe and the number of fingers that need to be used, making the actual fingers used irrelevant It may be realized. For example, the authentication policy may be to receive at least three different fingers along with the movement pattern. Other implementations may require multiple fingers of both hands.

  There are a lot of passwords in daily life, and some people always forget their passwords and are inconvenienced. Using embodiments of the present invention, people can write their passwords in notebooks without worrying about dangers, allowing access only by entering a password without the physical combination of fingers and movements Not.

  Each embodiment may be mounted on a number of different processing systems. For example, embodiments may be used with mobile Internet devices, smartphones, etc., along with computers from notebooks and desktops to server computers. Any such processing system may have or be associated with a biometric sensor that can be configured or configured in the system as a peripheral device, such as via a USB (Universal Serial Bus) port. In some implementations, rather than a dedicated biometric sensor, the biometric detection function is a touch screen (such as a capacitive detection touch screen) and software, firmware and / or software that converts actions on the touch screen into biometric scans. Alternatively, it can be realized through a combination with logic.

  FIG. 7 is a block diagram of a system used in accordance with one embodiment of the present invention. Each embodiment can be installed in many different processing systems, but in one embodiment, the processing system 400 may be a mobile internet device such as a smartphone. As shown, the system 400 includes an application processor 410 that may be a general purpose or special purpose processor such as a microprocessor, microcontroller, PGA (Programmable Gate Array). The processor 410 may include a plurality of cores 412 and a cache memory 414. The processor 410 may further include an integrated memory controller 430 that may be connected to a system memory 420 (such as a DRAM (Dynamic Random Access Memory)) in one embodiment. The processor 410 may further include an integrated input / output (I / O) controller hub 440. The processor 410 is connected to a video controller 435, which is further connected to a display 437, which may have a capacitive touch screen for receiving user input.

  Flash memory 460 provides a non-volatile storage that includes a biometric base entry for one or more users of the system and has a password table that can be used for comparison with receipt of biometric input from a user seeking access. Further, the baseband processor 450 may control communication over a wireless interface 462 that can be used to communicate over a cellular or other wireless network.

  In addition, biometric sensor 470 may be in the system to allow fingerprints or other scanning to provide security for systems according to embodiments of the present invention. Although shown as an independent component in the example of FIG. 7, it should be understood that in other implementations, the biometric sensor 470 may be configured in a display. Although reference is made to particular components of system 400, it is envisioned that numerous modifications and variations of the disclosed and illustrated embodiments are possible.

  Each embodiment may be implemented in code and stored in a storage medium that stores instructions that can be used to program the system to execute the instructions. The storage medium is not limited to a floppy (registered trademark) disk, an optical disk, an SSD (Solid State Drive), a CD-ROM (Compact Disk Read-Only Memory), a CD-RW (Compact Disk ReWrite), a magneto-optical disk, ROM (Read-Only Memory), DRAM (Dynamic Random Access Memory), etc. RAM, SRAM (Static RAM), EPROM (Erasable Programmable ROM), flash memory, EEPROM (Electrically Deviced EPROM), etc. Or any other type of media suitable for storing electronic instructions It may include a Re of the types of disk.

  Although the present invention has been described with respect to a limited number of embodiments, those skilled in the art will appreciate numerous modifications and variations. The appended claims are intended to cover all such modifications and variations as fall within the true spirit and scope of this invention.

400 processing system 410 processor 460 flash memory 470 biometric sensor

Claims (8)

A computer-implemented method comprising:
A processor of the computer,
Receiving an ordered sequence of biometric inputs from a user via a biometric sensor associated with a processing system , wherein each biometric input of the ordered sequence of biometric inputs is applied to a corresponding finger of the user. Receiving, wherein at least one of the biometric inputs is associated with a direction of movement of the corresponding finger while the corresponding finger is being detected by the biometric sensor ;
Wherein a bio-metric input of the ordered sequence of biometric input and associated moving direction sequence of a non-volatile storage of the processing system tables, stored corresponding to the password of the user selected by the user Determining whether a corresponding entry stored in a table containing an ordered sequence of biometric inputs matches , the table having a plurality of entries, each entry being stored in the table Storing a sequence of biometric inputs and associated movement directions for one of the ordered sequences and a mapping of said biometric inputs and associated movement directions to alphanumeric characters ;
The ordered sequence of biometric inputs is a standard password if the biometric input of the ordered sequence of biometric inputs and the associated sequence of movement directions match a corresponding entry stored in the table. Or determining whether it matches the compulsory password;
Allows the user to access the processing system if the ordered sequence of biometric inputs matches a standard password, and the ordered sequence of biometric inputs matches a compulsory password Providing limited access to the user and issuing a compulsive alarm ;
How to perform.   Allows the user to access a limited portion of the processing system when the number of ordered sequences of the biometric inputs is less than the number of ordered sequences of stored biometric inputs The method of claim 1, further comprising:   The ordered sequence of biometric inputs has a first length N, the ordered sequence of stored biometric inputs has a second length M, and N is less than M The method of claim 1. The step of allowing the response to a single biometric input that matches the first biometric input sequence ordered biometric input that is the storage, the user accesses a first function The method of claim 1, further comprising: The method of claim 4 , wherein the first function is a telephone function of the processing system. The program for making a system perform the method as described in any one of Claims 1 thru | or 5. A processor;
  A biometric sensor connected to the processor;
  A non-volatile memory connected to the processor for storing a program;
A system comprising:
  The said program is a system which makes the said processor implement | achieve the method as described in any one of Claims 1 thru | or 5. A computer-readable storage medium for storing the program according to claim 6.

Images