SYSTEM FOR LOGGING INTO MULTIPLE NETWORK SYSTEMS
BACKGROUND OF THE INVENTION
This invention relates to computer network systems, and more particularly to a method and system for logging a computer user into multiple computer network operating systems upon inputting a single piece of biometrics information (e.g., a single fingerprint, retinal or voice image) or a single password.
It is not uncommon for a single computer workstation to be configured for multiple network operating systems. Typically, each network operating system requires its own authentication information such as a username and password. Thus, to gain access to the multiple network operating systems, the user will be required to enter multiple sets of username and password information. This means that the user must remember the multiple sets of username and password combinations. Moreover, the user is required to remember which network operating system is associated with a particular username and password.
The user could set each password for each network operating system to the same value. However, this presents a problem where a user is required to change one password due to system administration requirements. The user must then change all of the remaining passwords to keep them consistent. This is burdensome to the user. Moreover, if the user forgets to change a password, then the passwords will diverge and the user must remember multiple passwords once again. This can be an inconvenience to the computer user.
The use of multiple passwords may also result in security problems. When faced with multiple username and password combinations, the typical computer user may write down the username and password information for each network operating system on a sheet of paper. By obtaining access to the sheet of paper, an unauthorized user can obtain access to all of the network operating systems. The unauthorized user could damage and/or destroy the authorized user's account, workstation and possibly the computer network itself.
Accordingly, there is a need for an integrated system for logging a computer user into multiple network operating systems. It would be desirable to arrange the system such that a user can log into multiple systems upon inputting only a single piece of information. This will decrease the inconvenience to the user while improving overall system security.
In addition, it would be desirable to launch frequently used computer applications on a network operating system immediately after a user has successfully logged into the network. In the prior art, some of these frequently used applications require a password before the user can access them. This means that the user must remember additional passwords. Moreover, the user must enter the password every time the application is launched. The prior art system is inconvenient and could lead to the same security problems identified above. Accordingly, it would be desirable to launch frequently used computer applications automatically and to provide authentication information to such applications after the user is successfully logged into a network operating system and without further interaction of the user.
SUMMARY OF THE INVENTION
The present invention provides a user of a computer system with the ability to log into multiple network operating systems upon entering a single piece of biometrics information. The present invention also provides a user of a computer system with the ability to log into multiple network operating systems upon entering a single password.
According to another aspect of the invention, frequently used computer applications are launched and authentication information is provided to the applications without the interaction of the user. In a preferred embodiment of the invention, a desktop locking Screensaver is provided. The screensaver may be unlocked by an authorized computer user upon entering a single piece of biometrics and/or other information.
According to yet another aspect of the invention, requested computer applications are launched and authentication information is provided to the computer applications at the request of the user and upon inputting single biometrics or password information.
The present invention relates to a method for logging a computer user into multiple computer network operating systems. The method includes inputting information identifying the user. The information may be biometrics information (e.g., fingerprint, retinal or voice information), a single password, or other information. The method determines if the user is an authorized user of the computer system based on the input information. If it is determined that the user is an authorized user, the user is logged into a first operating system based on the input information, authentication information is retrieved for remaining operating systems based on the input information, and the user is logged into the remaining operating systems using the retrieved authentication information and without further user interaction or involvement.
According to another aspect of the invention, at least one computer application associated with the user is launched without further interaction with the user. Further, authentication information is provided to one of the at least one launched computer application if necessary to access the application. The authentication information may be provided without further user interaction. In a preferred embodiment of the invention, a desktop locking screensaver is launched automatically. If desired, the screensaver may be unlocked only when an authorized computer user enters registered biometrics information or password information. The present invention should not be limited, however, to the preferred embodiments shown and described herein. In another aspect of the invention, a computer program launches a computer application and provides authentication information to the application upon a request of the user. The user request may be correlated to biometrics or password information inputted by the user.
The present invention also relates to a computer system for logging a user into multiple operating systems. The system includes a programmed processor for inputting information identifying the user, and for determining if the user is an authorized user based on the input information. If it is determined that the user is an authorized user, the user may be logged into a first operating system based on the input information. In addition, authentication information for remaining operating systems may be retrieved based on the input information. The retrieved authentication information may be used to log the user into the remaining operating systems without further user interaction.
BRIEF DESCRIPTION OF THE DRAWINGS
The foregoing and other advantages and features of the invention will become more apparent from the detailed description of preferred embodiments given below with reference to the accompanying drawings, in which:
FIG. 1 illustrates a computer network system constructed in accordance with an embodiment of the present invention;
FIG. 2 illustrates a computer workstation used in the system illustrated in FIG. 1;
FIG. 3 illustrates in flowchart form a one touch login process performed by the system illustrated in FIG. 1;
FIG. 4 illustrates in flowchart form a user tool process performed by the system illustrated in FIG. 1; and
FIG. 5 illustrates in flowchart form a one password login process performed by the system illustrated in FIG. 1.
DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS
Referring to FIG. 1, an exemplary computer network system constructed in accordance with an embodiment of the present invention is shown. As will become apparent, the system will allow a user to log into multiple network operating systems (NOS) by entering a single piece of biometrics information (e.g., a fingerprint) or a single password. In the illustrated system, a fingerprint scanning device 40 is used to obtain the biometrics information. However, it should be readily apparent that other biometrics information and/or biometrics devices may be used to practice the invention. That is, the present invention could utilize voice or retina image information to identify a user. Similarly, the invention could utilize a voice processing system or retinal scanner to obtain the user's biometrics information.
The system shown in FIG. 1 includes a computer workstation 10 connected to the fingerprint scanning device 40. The computer workstation 10 is preferably configured with a network operating system such as a WINDOWS 9x, NT or 2000 operating system (OS) by MICROSOFT®. As used herein, the term "computer workstation" encompasses any computer, personal computer, laptop computer or computer system that may be connected to a network and configured for multiple network operating systems.
The workstation 10 may be a computer system, a process control system, a system employing a processor and associated memory, or another suitable system. The workstation 10 shown in FIG. 2 includes a central processing unit (CPU) 302, e.g., a microprocessor, that communicates with a random access memory (RAM) circuit 308 and an input/output (I/O) device 304 over a bus 320. The bus 320 may be a series of buses and bridges commonly used in a processor-based system, but for convenience purposes only, the bus 320 has been illustrated as a single bus. A second I/O device 306 may also be used, if desired. The I/O devices 304, 306 may include a keyboard, mouse or a display terminal. The workstation 10 also includes a read-only memory (ROM) circuit 310, and there may be peripheral devices such as a floppy disk drive 312 and a compact disk (CD) ROM drive 314. If desired, the peripheral devices may communicate with the CPU 302 over the bus 320. If desired, the CPU 302 can be combined on a single chip with one or more RAM memory circuits 308 and ROM circuits 310.
The illustrated workstation 10 is configured to communicate with multiple network operating systems. Some network operating systems, such as WINDOWS NT, require a user to enter a username and password to obtain login access. Since there are multiple NOSs, the user would need to enter multiple username and password combinations to log into each NOS. The present invention, however, allows a user to log into the multiple network operating systems by entering a single piece of biometrics information (e.g., a fingerprint) or a single password.
A suitable scanning device 40 may include the SacCat Reader by SAC. In a preferred embodiment, the system will include a plurality of workstations 10 with each workstation 10 being connected to an associated scanning device 40. It should be appreciated that any number of workstations 10 and scanning devices 40 may be used to practice the invention.
In the illustrated system, the workstation 10 has a suitable biometrics interface 12. The scanning device 40 is connected to the interface 12. The biometrics interface 12 serves as an interface between the fingerprint scanning device 40 and other components of the system. The biometrics interface 12 initiates an open application program interface (API) 14 that interfaces with an administrative tool 16 and a user tool 18. The functions performed by the biometrics interface 12 and API 14 may be implemented using dynamic link libraries (DLL) (not illustrated) and OLE custom controls (OCX). The libraries and/or controls are supported by the OS running on the workstation computer 10. The biometrics interface 12 and API 14 operate as a client interface when communicating with other components of the system.
The biometrics interface 12 is connected to a plurality of network login components 20a, 20b (collectively referred to herein as "login components 20") located on the computer workstation 10. These login components 20 allow a registered user to log into the multiple network operating systems by using a fingerprint (i.e., "one touch login") or a common dialog display (i.e., "one password login"). The login components 20 will access fingerprint or user profile information respectively stored on fingerprint and user profile databases 52, 54 to authenticate the user and automatically log the user into all of the desired network operating systems.
The login components 20 may be network providers (NPs) if the workstation is running a WINDOWS 9x operating system. A network provider is installed on a computer workstation running a WINDOWS 9x OS to provide an interface between the workstation OS and another network OS. A network provider, among other things, allows a user to log on to the associated NOS with a username and password. Each network provider communicates with a multiple provider router (MPR) DLL. The MPR routes network requests to the appropriate network provider so that the appropriate NOS handles the request. If the workstation operating system is a WINDOWS NT or 2000 OS, a WINDOWS logon function or handler (currently entitled "Winlogon") communicates with a graphical identification and authentication (GINA) DLL to perform identification and authentication for user interactions in a manner similar to the WINDOWS 9x OS. The present invention can make use of the MPR, NP and GINA DLLs (depending upon the operating system) so that the login components 20 are biometrics and/or one password login enabled. That is, as will be explained below with reference to FIGS. 3-5, with modification of the MPR, NP and GINA DLL software or registry files, the login components 20 will have the capability to log a user into multiple network operating systems by entering a single piece of biometrics information (e.g., a fingerprint) or a single password. Hereinafter, for simplicity purposes, the MPR and WINDOWS logon function will be referred to as an "OS login handler" and the NP and GINA are referred to as login components 20. In FIG. 1, the first login component 20a is illustrated as a GINA and the second login component 20b is illustrated as an NP. It should be noted that only one login component 20 may be required and that the two components 20a, 20b are illustrated merely to show the available alternatives. The operation of the login components 20 will be described below in more detail with reference to FIGS. 3-5.
The biometrics interface 12 may be connected to a database server 50 via a communication network 30. The server 50 is connected to the fingerprint database 52 and the user profile database 54. The network 30 may be a TCP/IP network, or other suitable network. The server 50 may reside at a local or remote location from the computer workstation 10. The biometrics interface 12 provides secure communications with the database server 50. If the network 30 is a TCP/IP network, then the server 50 communicates with the biometrics interface 12 via a TCP/IP socket connection. The connection is requested by the client processes on the workstation (i.e., the biometrics interface 12 and API 14) when one of the system components needs to access the fingerprint or user profile databases 52, 54. The databases 52, 54 reside on a computer readable storage medium and may be part of, or connected to, the server 50. If desired, the databases 52, 54 may reside on the same computer readable storage medium. The fingerprint database 52 contains the fingerprint information associated with registered users of the system. The entries in the fingerprint database 52 are indexed by username and/or other suitable index.
The user profile database 54 contains a user profile for each registered user of the system. The entries in the database 54 are cross-indexed with the entries of the fingerprint database 52. That is, the fingerprints stored in the fingerprint database 52 are linked (via username or like index) to the user profiles stored in the user profile database 54. This way, once a fingerprint is identified and associated with a registered user, the appropriate user profile may be retrieved even though it is not stored in the same database.
The administration tool 16 ensures that the two databases 52, 54 are properly cross-indexed. The administration tool 16, which in a preferred embodiment may only be accessed by a system administrator or other qualified individual, will create, maintain and delete user profiles. Moreover, the administration tool 16 may be used to register users and their fingerprints. The administration tool 16 may be used to associate a user's fingerprint information with his or her user profile. This way, when the system identifies a registered fingerprint, it will be able to retrieve the appropriate user profile.
It is desirable that the administration tool 16 comprise a graphical user interface (GUI) so that the system administrator may efficiently register and maintain users and their entries into the fingerprint and user profile databases 52, 54.
The administration tool 16 is capable of entering into the databases 52, 54 additional information required by the system. The tool 16 may also be used to generate reports concerning the user profiles (if desired). If a network operating system requires that the user change his or her password, then the administration tool 16 will change and enter the new password into the user profile. According to a preferred embodiment of the invention, this can be done with or without the user's knowledge and is application specific. Thus, new passwords can be implemented without requiring the user to remember them, in contrast to prior art systems. Thus, each user profile may contain a username and password associated with every network operating system that the user may log into and for which the workstation is configured.
After the user is automatically logged into the network operating systems, the user tool 18 will automatically start all applications that have been requested to be launched during the startup process. These applications will hereinafter be referred to as "startup applications." The period in which the startup applications are launched will be referred to as "workstation initialization." Each user profile will contain a list of startup applications for each network operating system. The list of startup applications is entered into the user profile via the administration tool 16. In addition, the user profile will contain an indicator (e.g., a software flag) associated with each startup application in the list that indicates whether the application requires a password. As will be discussed below, during the workstation initialization process, the user tool 18 retrieves the information from the user profile, starts the appropriate startup applications and, if a password is required, gives the password to the application. The user gains access to the startup application automatically and without entering a username and password.
If desired, the user tool 18 can provide a user interface to the scanning device 40 (via the biometrics interface 12 and API 14) for entering username and password information for applications launched after the workstation initialization process. That is, any application launched by the user that requires a username and password will be supplied with the username and password by the user tool 18 based on the user's fingerprint. To do so, each user profile may also contain username and password combination for predefined applications that the user may launch after initialization. Moreover, the user profile can contain a generic username and password. The generic username and password can be used for new applications that are not listed in the user profile. This way, the user can always supply a username and password using the fingerprint scanning device 40 to any application launched after the workstation initialization process.
In a preferred embodiment of the invention, the user tool 18 has a desktop locking screensaver function. After a predetermined period of user inactivity, the user tool 18 will initiate a screensaver program. The screensaver program will deny access to the workstation 10 unless the correct username and password are entered. Moreover, the user tool 18 provides an interface in which the username and password required to unlock the desktop are provided based on the user's fingerprint. Each user profile may contain a screensaver username and password that the user tool 18 can retrieve based on the user's fingerprint information. A desktop locking screensaver will prevent an unauthorized user from accessing the network operating systems that the user is logged into when the user has walked away from the workstation. Thus, the present invention provides increased security for the user workstation and network. Moreover, the security is further bolstered if the desktop can only be unlocked by the user's biometrics information.
FIG. 3 illustrates in flowchart form an exemplary one touch login method 100 performed in accordance with the present invention. Preferably, the method 100 is implemented in software and executed on the workstation 10. The method 100 will run whenever the workstation 10 is powered-on, restarted or any time after a user has logged out of the workstation 10 without turning off its power or rebooting it. The method 100 begins when the OS login handler launches the appropriate biometrics enabled login component stored on the workstation (step 102). As noted earlier, the OS login handler and the login component are dependent upon the operating system installed on the workstation. At step 104, the login component inputs the user's biometrics information. In the illustrated example, the biometrics information is the user's fingerprint information.
At step 106, the login component is connected to the database server (via the biometrics interface). Once connected, the login component compares the input fingerprint information to the fingerprint information stored on the fingerprint database. At step 108, the login component authenticates the user. That is, the login component determines if the input fingerprint information matches stored fingerprint information. If there is a match, then the user is authenticated and logged into the OS running on the workstation. Otherwise, the user is not authenticated.
If the user is not authenticated at step 108, then the method continues at step 110, where unauthorized user processing is performed. Unauthorized user processing can include allowing the user to re-enter his or her fingerprint information, alerting security personnel that an unauthorized user is attempting to access the system, or any other process deemed suitable.
If the user is authenticated at step 108, then the method continues at step 112. At this point, the user is logged into the first network operating system and must be logged into the remaining network operating systems. At step 112, the username and password combinations for the remaining NOSs are retrieved from the user profile database based upon the input fingerprint information. At step 114, the retrieved username and password combinations are passed to the OS login handler, which then automatically logs the user into the remaining NOSs (step 116) without further user interaction. The method in which the OS login handler automatically logs the user into the remaining NOSs is dependent upon the OS installed on the workstation. For a WINDOWS 9x system, the MPR will pass the username and password information to the respective NP residing on the workstation. For a WINDOWS NT or 2000 system, the WINDOWS logon function handles the remaining logins. After the login process, the user tool workstation initialization process is initiated (step 120).
FIG. 4 illustrates an exemplary user tool method 120 performed in accordance with the present invention. At step 122, the user tool retrieves the user profile associated with the user (via the fingerprint). It should be noted that if the user were logged into the system using the one password feature of the present invention (described below with reference to FIG. 5), the user tool would retrieve the user's user profile based on the username. At step 124, the user tool launches each startup application listed in the user profile. If the user profile indicates that a username and password is required for the application, the user tool passes the appropriate username and password. After the workstation initialization, the user tool will be capable of performing other functions such as launching the screensaver or providing an interface between the fingerprint scanning device and database server (discussed above with reference to FIG. 1).
FIG. 5 illustrates in flowchart form an exemplary one password login method 200 performed in accordance with the present invention. Preferably, the method 200 is implemented in software and executed on the workstation. The method 200 will run whenever the workstation is powered-on, restarted or any time after a user has logged out of the workstation without turning off its power or rebooting it. The method 200 begins when the OS login handler launches the appropriate login component stored on the workstation (step 202). As noted earlier, the OS login handler and the login component are dependent upon the operating system installed on the workstation. At step 204, the login component inputs the user's username and password information.
At step 206, the login component is connected to the database server (via the biometrics interface). Once connected, the login component compares the input username and password information to the username and password information stored on the user profile database. At step 208, the login component authenticates the user. That is, the login component determines if the input username and password information match stored username and password information. If there is a match, then the user is authenticated and logged into the OS running on the workstation. Otherwise, the user is not authenticated.
If the user is not authenticated at step 208, then the method continues at step 210, where unauthorized user processing is performed. As in the system of FIG. 3, unauthorized user processing can include allowing the user to re-enter his or her fingerprint information, which may alert security personnel that an unauthorized user is attempting to access the system.
If the user is authenticated at step 208, then the method continues at step 212. At this point, the user must be logged into the remaining network operating systems. At step 212, the username and password combinations for the remaining NOSs are retrieved from the user profile database based upon the input username and password information. At step 214, the retrieved username and password combinations are passed to the OS login handler, which then automatically logs the user into the remaining NOSs (step 216) without further user interaction. The method in which the OS login handler automatically logs the user into the remaining NOSs is dependent upon the OS installed on the workstation. For a WINDOWS 9x system, the MPR will pass the username and password information to the respective NP residing on the workstation. For a WINDOWS NT or 2000 system, the WINDOWS logon function can be used to handle the remaining logins. After the login process, the user tool workstation initialization process is initiated (step 120). The user tool initialization process is described above with reference to FIG. 4.
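The following Python sketch is an added example, not part of the patent, that walks the three flowcharts above in one place: fingerprint matching (FIG. 3, steps 104-116), username/password matching (FIG. 5, steps 204-216), unauthorized user processing (steps 110/210) and user tool initialization (FIG. 4). The database contents, NOS names and credential values are constructed, and the OS login handler is simulated by an in-memory account table rather than the MPR/NP or Winlogon/GINA path.

```python
"""Added example, not from the patent text: a simulation of the one touch login
(FIG. 3), one password login (FIG. 5) and user tool initialization (FIG. 4).
Database contents, NOS names and credential values are all constructed."""
import hmac
from dataclasses import dataclass, field

# Fingerprint database 52, indexed by username; a fixed string stands in for a
# stored biometric template (constructed).
FINGERPRINT_DB = {"alice": "fp-template-alice"}

# User profile database 54, cross-indexed with 52 via username. "WS_OS" is the
# workstation OS (first login); NOS_B and NOS_C are the remaining NOSs.
USER_PROFILE_DB = {
    "alice": {
        "nos_credentials": {"WS_OS": ("alice", "pw-ws"),
                            "NOS_B": ("alice", "pw-b"),
                            "NOS_C": ("alice_c", "pw-c")},
        # (startup application, requires-password flag) per the administration tool
        "startup_apps": [("mail", True), ("editor", False)],
        "app_credentials": {"mail": ("alice", "pw-mail")},
    }
}
# Accounts each NOS itself accepts (constructed stand-in for the real NOSs).
NOS_ACCOUNTS = {"WS_OS": {"alice": "pw-ws"}, "NOS_B": {"alice": "pw-b"},
                "NOS_C": {"alice_c": "pw-c"}}
MAX_ATTEMPTS = 3  # re-entries allowed before security personnel are alerted

@dataclass
class LoginResult:
    authenticated: bool
    username: str = ""
    logged_in: list = field(default_factory=list)   # NOSs logged into
    launched: list = field(default_factory=list)    # (app, password supplied)
    action: str = ""                                # unauthorized user processing

def _eq(a, b):
    # Constant-time comparison for credentials and templates.
    return hmac.compare_digest(a.encode(), b.encode())

def match_fingerprint(fp):
    """Steps 106/108: compare the input fingerprint to the stored templates."""
    return next((u for u, t in FINGERPRINT_DB.items() if _eq(fp, t)), "")

def check_password(username, password):
    """Steps 206/208: compare the input username/password to the user profile."""
    stored = USER_PROFILE_DB.get(username, {}).get("nos_credentials", {}).get("WS_OS")
    return stored is not None and _eq(username, stored[0]) and _eq(password, stored[1])

def unauthorized_user_processing(attempt):
    """Steps 110/210: allow re-entry, or alert security personnel."""
    return "retry" if attempt < MAX_ATTEMPTS else "alert_security"

def os_login_handler(nos, username, password):
    """Stands in for the MPR/NP or Winlogon/GINA path for a single NOS."""
    stored = NOS_ACCOUNTS.get(nos, {}).get(username)
    return stored is not None and _eq(password, stored)

def login_remaining(result):
    """Steps 112-116 / 212-216: retrieve credentials, log into remaining NOSs."""
    result.logged_in.append("WS_OS")  # first login already done by authentication
    creds = USER_PROFILE_DB[result.username]["nos_credentials"]
    for nos, (user, pw) in creds.items():
        if nos != "WS_OS" and os_login_handler(nos, user, pw):
            result.logged_in.append(nos)
    return result

def workstation_initialization(result):
    """FIG. 4: launch startup applications, supplying credentials when flagged."""
    profile = USER_PROFILE_DB[result.username]
    for app, needs_pw in profile["startup_apps"]:
        cred = profile["app_credentials"].get(app) if needs_pw else None
        result.launched.append((app, cred is not None))
    return result

def _complete_login(username):
    return workstation_initialization(login_remaining(LoginResult(True, username)))

def one_touch_login(fp, attempt=1):
    """FIG. 3: fingerprint in; all configured NOSs and startup apps out."""
    username = match_fingerprint(fp)
    if not username:
        return LoginResult(False, action=unauthorized_user_processing(attempt))
    return _complete_login(username)

def one_password_login(username, password, attempt=1):
    if not check_password(username, password):
        return LoginResult(False, action=unauthorized_user_processing(attempt))
    return _complete_login(username)
```

Both entry points converge on the same profile lookup, which is the point of the cross-indexed databases: once the user is identified by either route, the remaining NOS and application credentials come from the single profile record.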
Thus, the present invention allows a user to log into multiple network operating systems with the single touch of a fingerprint scanning device or by entering a single password. As such, the present invention speeds up the login process, reduces the inconvenience to the user, yet provides improved system security.
While the invention has been described in detail in connection with the preferred embodiments known at the time, it should be readily understood that the invention is not limited to such disclosed embodiments. Rather, the invention can be modified to incorporate any number of variations, alterations, substitutions or equivalent arrangements not heretofore described, but which are commensurate with the spirit and scope of the invention. Accordingly, the invention is not to be seen as limited by the foregoing description, but is only limited by the scope of the appended claims.
What is claimed is: