Oct. 3, 2002

any combination of two or more functionalities to provide authentication in conjunction with an authenticator 1153, designated by a lock symbol, typically at least partially using a Bluetooth communication protocol.

[0265] As seen in FIG. 11F, wireless smart card 1152 provides cryptographic authentication functionality and communicates with authenticator 1153, typically at least partially using a Bluetooth communication protocol.

[0266] Additionally or alternatively wireless smart card 1152, which may be of conventional design and construction, provides authentication employing authentication functionality, which forms part of a Bluetooth communication protocol.

[0267] Additionally or alternatively cellular phone having an associated camera or scanner 1152 provides biometric authentication functionality employing typically facial and/or fingerprint recognition and communicates with authenticator 1153, typically at least partially using a Bluetooth communication protocol.

[0268] Additionally or alternatively cellular phone 1152, which may be of conventional design and manufacturing, provides password based authentication functionality and communicates with authenticator 1153, typically at least partially using a Bluetooth communication protocol.

[0269] Additionally or alternatively cellular phone 1152, which may be of conventional design and construction, provides authentication employing authentication functionality, which forms part of a Bluetooth communication protocol.

[0270] It is appreciated that authentication may be provided in the embodiment of FIG. 11F by any one or more of the authentication devices and/or functionalities described hereinabove.

[0271] Reference is now made to FIG. 14F, which illustrates the authentication functionalities shown in FIG. 11F. As seen in FIG. 14F, a user employs the functionalities of FIGS. 13C and 13D typically in series in order to provide authentication. The user preferably negotiates with an authenticator to determine whether the functionality of FIG. 13C is employed prior to that of FIG. 13D or vice versa.

[0272] Reference is now made to FIGS. 12A, 12B and 12C, which are simplified pictorial illustrations of combinations of authentication functionalities appropriate for three different types of multi-tier authentication systems.

[0273] FIG. 12A illustrates four different authentication functionalities for a PC with associated camera or scanner, here designated by reference numeral 1200, four different authentication functionalities for a personal digital assistant with suitable touch screen functionality and/or an associated camera or scanner, here designated by reference numeral 1202 and two different authentication functionalities for a wireless smart card, here designated by reference numeral 1204. The ten different functionalities may be combined in any combination of two or more functionalities to provide multi-tier authentication in conjunction with an authenticator 1205, designated by a lock symbol, typically at least partially using a Bluetooth communication protocol.

[0274] As seen in FIG. 12A a PC having an associated camera or scanner 1200, provides biometric authentication functionality using typically fingerprint recognition and communicates with authenticator 1205, typically at least partially using a Bluetooth communication protocol.

[0275] Additionally or alternatively, the PC 1200, which may be of conventional design and manufacturing, provides password based authentication functionality and communicates with authenticator 1205, typically at least partially using a Bluetooth communication protocol.

[0276] Additionally or alternatively, the PC 1200 with associated USB token provides cryptographic authentication functionality utilizing USB token based key and communicates with authenticator 1205, typically at least partially using a Bluetooth communication protocol.

[0277] Additionally or alternatively, the PC 1200, which may be of conventional design and manufacturing, provides cryptographic authentication functionality utilizing memory based key authentication and communicates with authenticator 1205, typically at least partially using a Bluetooth communication protocol.

[0278] Additionally or alternatively, personal digital assistant having suitable touch screen functionality and/or an associated camera or scanner 1202 provides biometric authentication functionality utilizing fingerprint recognition and communicates with authenticator 1205, typically at least partially using a Bluetooth communication protocol.

[0279] Additionally or alternatively personal digital assistant 1202, which may be of conventional design and construction, provides password based authentication functionality and communicates with authenticator 1205, typically at least partially using a Bluetooth communication protocol.

[0280] Additionally or alternatively personal digital assistant 1202, which may be of conventional design and construction, provides cryptographic authentication functionality and communicates with authenticator 1205, typically at least partially using a Bluetooth communication protocol.

[0281] Additionally or alternatively personal digital assistant 1202, which may be of conventional design and construction, provides authentication employing authentication functionality, which forms part of a Bluetooth communication protocol.

[0282] Additionally or alternatively wireless smart card 1204 provides cryptographic authentication functionality and communicates with authenticator 1205, typically at least partially using a Bluetooth communication protocol.

[0283] Additionally or alternatively, wireless smart card 1204 provides authentication employing authentication functionality, which forms part of a Bluetooth communication protocol.

[0284] It is appreciated that multi-tier authentication may be provided in the embodiment of FIG. 12A by any one or more combinations of the authentication devices and/or functionalities described hereinabove.

[0285] FIG. 12B illustrates four different authentication functionalities for a personal digital assistant with suitable touch screen functionality and/or associated camera or scanner, here designated by reference numeral 1210, four different authentication functionalities for a cellular phone with an associated camera or scanner, here designated by reference numeral 1212 and two different authentication functionalities for an electronic wallet, here designated by reference numeral 1214. The ten different functionalities may be combined in any combination of two or more functionalities to provide multi-tier authentication in conjunction with an authenticator 1215, designated by a lock symbol, typically at least partially using a Bluetooth communication protocol.

Canon Exhibit 1019, Page 59

US 2002/0141586 A1

[0286] As seen in FIG. 12B personal digital assistant having suitable touch screen functionality and/or an associated camera or scanner 1210 provides biometric authentication functionality utilizing fingerprint recognition and communicates with authenticator 1215, typically at least partially using a Bluetooth communication protocol.

[0287] Additionally or alternatively personal digital assistant 1210, which may be of conventional design and construction, provides password based authentication functionality and communicates with authenticator 1215, typically at least partially using a Bluetooth communication protocol.

[0288] Additionally or alternatively personal digital assistant 1210, which may be of conventional design and construction, provides cryptographic authentication functionality and communicates with authenticator 1215, typically at least partially using a Bluetooth communication protocol.

[0289] Additionally or alternatively personal digital assistant 1210, which may be of conventional design and construction, provides authentication employing authentication functionality, which forms part of a Bluetooth communication protocol.

[0290] Additionally or alternatively cellular phone with associated camera, here designated by reference numeral 1212, provides authentication using facial recognition and communicates with an authenticator 1215, designated by a lock symbol, typically at least partially using a Bluetooth communication protocol.

[0291] Additionally or alternatively, a cellular phone, which may be of conventional design and construction, here designated by reference numeral 1212, provides password based authentication and communicates with authenticator 1215, typically at least partially using a Bluetooth communication protocol.

[0292] Additionally or alternatively, cellular phone, which may be of conventional design and construction, here designated by reference numeral 1212, provides cryptographic authentication and communicates with authenticator 1215, typically at least partially using a Bluetooth communication protocol.

[0293] Additionally or alternatively, cellular phone, which may be of conventional design and construction, here designated by reference numeral 1212, provides authentication employing authentication functionality, which forms part of a Bluetooth communication protocol.

[0294] Additionally or alternatively, electronic wallet, here designated by reference numeral 1214, provides cryptographic authentication and communicates with an authenticator 1215, typically at least partially using a Bluetooth communication protocol.

[0295] Additionally or alternatively, electronic wallet, which may be of conventional design and construction, here designated by reference numeral 1214, provides authentication employing authentication functionality, which forms part of a Bluetooth communication protocol.

[0296] It is appreciated that multi-tier authentication may be provided in the embodiment of FIG. 12B by any one or more combinations of the authentication devices and/or functionalities described hereinabove.

[0297] FIG. 12C illustrates four different authentication functionalities for a cellular phone with suitable touch screen functionality and/or associated camera or scanner, here designated by reference numeral 1220, four different authentication functionalities for a personal digital assistant with a suitable touch screen and/or an associated camera or scanner, here designated by reference numeral 1222, four different authentication functionalities for a PC with a suitable touch screen and an associated camera or scanner, here designated by reference numeral 1224, and two different authentication functionalities for a wireless smart card, here designated by reference numeral 1226. The fourteen different functionalities may be combined in any combination of two or more functionalities to provide multi-tier authentication in conjunction with an authenticator 1227, designated by a lock symbol, typically at least partially using a Bluetooth communication protocol.

[0298] As seen in FIG. 12C cellular phone with associated camera, here designated by reference numeral 1220, provides authentication using facial recognition and communicates with an authenticator 1227, designated by a lock symbol, typically at least partially using a Bluetooth communication protocol.

[0299] Additionally or alternatively, a cellular phone, which may be of conventional design and construction, here designated by reference numeral 1220, provides password based authentication and communicates with authenticator 1227, typically at least partially using a Bluetooth communication protocol.

[0300] Additionally or alternatively, cellular phone, which may be of conventional design and construction, here designated by reference numeral 1220, provides cryptographic authentication and communicates with authenticator 1227, typically at least partially using a Bluetooth communication protocol.

[0301] Additionally or alternatively, cellular phone, which may be of conventional design and construction, here designated by reference numeral 1220, provides authentication employing authentication functionality, which forms part of a Bluetooth communication protocol.

[0302] Additionally or alternatively, personal digital assistant having suitable touch screen functionality and/or an associated camera or scanner 1222 provides biometric authentication functionality utilizing fingerprint recognition and communicates with authenticator 1227, typically at least partially using a Bluetooth communication protocol.

[0303] Additionally or alternatively personal digital assistant 1222, which may be of conventional design and construction, provides password based authentication functionality and communicates with authenticator 1227, typically at least partially using a Bluetooth communication protocol.

[0304] Additionally or alternatively personal digital assistant 1222, which may be of conventional design and construction, provides cryptographic authentication functionality and communicates with authenticator 1227, typically at least partially using a Bluetooth communication protocol.

[0305] Additionally or alternatively personal digital assistant 1222, which may be of conventional design and construction, provides authentication employing authentication functionality, which forms part of a Bluetooth communication protocol.

[0306] Additionally or alternatively the PC having an associated camera or scanner 1224, provides biometric authentication functionality using typically fingerprint recognition and communicates with authenticator 1227, typically at least partially using a Bluetooth communication protocol.

[0307] Additionally or alternatively, PC 1224, which may be of conventional design and manufacturing, provides password based authentication functionality and communicates with authenticator 1227, typically at least partially using a Bluetooth communication protocol.

[0308] Additionally or alternatively, PC 1224, which may be of conventional design and manufacturing, provides cryptographic authentication functionality utilizing suitable key diskette authentication and communicates with authenticator 1227, typically at least partially using a Bluetooth communication protocol.

[0309] Additionally or alternatively, PC 1224, which may be of conventional design and manufacturing, provides authentication employing authentication functionality, which forms part of a Bluetooth communication protocol.

[0310] Additionally or alternatively wireless smart card 1226 provides cryptographic authentication functionality and communicates with authenticator 1227, typically at least partially using a Bluetooth communication protocol.

[0311] Additionally or alternatively, wireless smart card 1226 provides authentication employing authentication functionality, which forms part of a Bluetooth communication protocol.

[0312] It is appreciated that multi-tier authentication may be provided in the embodiment of FIG. 12C by any one or more combinations of the authentication devices and/or functionalities described hereinabove.

[0313] Reference is now made to FIGS. 15A, 15B, 15C, 15D and 15E, which are simplified flow charts of methods for obtaining authentication information for five different types of authentication devices.

[0314] FIG. 15A illustrates methods for obtaining authentication information suitable for a personal digital assistant. As seen in FIG. 15A depending on the facilities available in or in association with the personal digital assistant, one of the following authentication functionalities which require obtaining authentication information may be selected:

[0315] biometric utilizing fingerprint recognition;

[0316] biometric utilizing facial recognition;

[0317] password based; and

[0318] cryptographic key based.

[0319] If the biometric authentication functionality utilizing fingerprint recognition is selected, the personal digital assistant captures the user's fingerprint data.

[0320] If the biometric authentication functionality utilizing facial recognition is selected, the personal digital assistant captures the user's facial features.

[0321] If the password based authentication functionality is selected, the personal digital assistant captures the user password input.

[0322] If the cryptographic key based authentication functionality is selected, the personal digital assistant employs a cryptographic key typically stored in its memory.

[0323] FIG. 15B illustrates methods for obtaining authentication information suitable for a wireless smart card. As seen in FIG. 15B depending on the facilities available in or in association with the wireless smart card, one of the following authentication functionalities which require obtaining authentication information may be selected:

[0324] cryptographic key based.

[0325] If the cryptographic key based authentication functionality is selected, the wireless smart card employs a cryptographic key typically stored in its memory.

[0326] FIG. 15C illustrates methods for obtaining authentication information suitable for a cellular phone. As seen in FIG. 15C depending on the facilities available in or in association with the cellular phone, one of the following authentication functionalities which require obtaining authentication information may be selected:

[0327] biometric utilizing fingerprint recognition;

[0328] biometric utilizing facial recognition;

[0329] password based; and

[0330] cryptographic key based.

[0331] If the biometric authentication functionality utilizing fingerprint recognition is selected, the cellular phone captures the user's fingerprint data.

[0332] If the biometric authentication functionality utilizing facial recognition is selected, the cellular phone captures the user's facial features.

[0333] If the password based authentication functionality is selected, the cellular phone captures the user password input.

[0334] If the cryptographic key based authentication functionality is selected, the cellular phone employs a cryptographic key typically stored in its memory.

[0335] FIG. 15D illustrates methods for obtaining authentication information suitable for an electronic wallet. As seen in FIG. 15D depending on the facilities available in or in association with the electronic wallet, one of the following authentication functionalities which require obtaining authentication information may be selected:

[0336] cryptographic key based.

[0337] If the cryptographic key based authentication functionality is selected, the electronic wallet employs a cryptographic key typically stored in its memory.

[0338] FIG. 15E illustrates methods for obtaining authentication information suitable for a PC. As seen in FIG. 15E depending on the facilities available in or in association with the PC, one of the following authentication functionalities which require obtaining authentication information may be selected:

[0339] biometric utilizing fingerprint recognition;

[0340] biometric utilizing facial recognition;

[0341] password based;

[0342] cryptographic utilizing a memory based key;

[0343] cryptographic utilizing a USB token based key;

[0344] cryptographic utilizing a smart card based key; and

[0345] cryptographic utilizing a diskette based key.

[0346] If the biometric authentication functionality utilizing fingerprint recognition is selected, the PC captures the user's fingerprint data.

[0347] If the biometric authentication functionality utilizing facial recognition is selected, the PC captures the user's facial features.

[0348] If the password based authentication functionality is selected, the PC captures the user password input.

[0349] If the cryptographic memory based key authentication functionality is selected, the PC employs a cryptographic key typically stored in its memory.

[0350] If the cryptographic USB token based key authentication functionality is selected, the PC employs a cryptographic key typically stored in the associated USB key.

[0351] If the cryptographic smart card based key authentication functionality is selected, the PC employs a cryptographic key typically stored in the associated smart card.

[0352] If the cryptographic diskette based key authentication functionality is selected, the PC employs a cryptographic key typically stored in the associated key diskette.

[0353] Reference is now made to FIGS. 16A, 16B and 16C, which are simplified flow charts of different multi-tier and non multi-tier authentication using different communication modes between an authenticating device and an authenticator.

[0354] FIG. 16A illustrates a non multi-tier authentication using a direct communication mode between an authenticating device and an authenticator. As seen in FIG. 16A, an authentication device such as a personal digital assistant, a wireless smart card, a cellular phone, an electronic wallet or a PC negotiates with an authenticator an authentication functionality. Depending on the facilities available in or in association with the authentication device, either a Bluetooth based authentication functionality or non-Bluetooth based authentication functionality may be used.

[0355] If a non-Bluetooth authentication is selected, the authentication device obtains authentication information employing at least one of the functionalities of FIGS. 15A-15E. The authentication device then communicates authentication information to the authenticator using at least partially the Bluetooth communication protocol. In response to receipt of such information, the authenticator may authenticate the user.

[0356] If the Bluetooth authentication functionality is selected, the authentication device carries out Bluetooth authentication in conjunction with a Bluetooth hub. If the authentication is successful, the authentication device requests that the Bluetooth hub send an authentication confirmation to the authenticator. In response to receipt of the confirmation, the authenticator determines whether the hub, which sent the confirmation, is certified to do so.

[0357] If authentication of the user and/or device is successful, indicating that the user and/or device is authorized, a determination is made as to whether additional authentication functions are required. If so, the authentication device and the authenticator negotiate the next authentication functionality and proceed as described hereinabove. If no additional authentication functions are required, the authenticator transmits an authentication confirmation to the authentication device.

[0358] If authentication of the user and/or device is not successful at any stage, indicating that the user and/or device is not authorized, the authenticator transmits a non-authentication message to the authentication device.

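The FIG. 16A loop described above, sketched as an added example that is not part of the patent text: the authenticator negotiates a functionality, verifies it, and repeats until no further functions are required, ending the run on the first failure. The functionality names, the per-tier challenge, the enrolment data and the use of a per-hub MAC key to decide whether a hub is "certified" are all assumptions made for illustration; the specification does not say how these are implemented.

```python
import hashlib
import hmac
import secrets

# Constructed enrolment data; none of these names or values come from the patent.
SALT = b"constructed-salt"
PBKDF2_ROUNDS = 100_000
USER = {
    "password_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, PBKDF2_ROUNDS),
    "device_key": b"constructed-device-key",
}
# Assumption: a hub counts as "certified" when the authenticator holds a key
# for it and the hub's confirmation carries a valid MAC under that key.
CERTIFIED_HUBS = {"hub-lobby": b"constructed-hub-key"}

CONFIRMATION = "authentication confirmation"
NON_AUTHENTICATION = "non-authentication message"


def mac(key, challenge):
    return hmac.new(key, challenge, hashlib.sha256).digest()


class Device:
    """Authentication device offering only the functionalities it has facilities for."""

    def __init__(self, password=None, key=None, hub=None):
        self.password, self.key, self.hub = password, key, hub  # hub = (hub_id, hub_key)

    def supports(self):
        have = {"password": self.password, "crypto_key": self.key, "bluetooth": self.hub}
        return {name for name, value in have.items() if value is not None}

    def respond(self, functionality, challenge):
        if functionality == "password":
            return self.password.encode()
        if functionality == "crypto_key":
            return mac(self.key, challenge)
        # Bluetooth: stands in for the hub sending its confirmation after
        # link-level authentication with the device has succeeded.
        hub_id, hub_key = self.hub
        return hub_id, mac(hub_key, challenge)


class Authenticator:
    def __init__(self, required):
        self.required = list(required)

    def negotiate(self, offered, done):
        """Next required functionality that the device can provide, or None."""
        return next((f for f in self.required if f not in done and f in offered), None)

    def verify(self, functionality, challenge, evidence):
        if functionality == "password":
            candidate = hashlib.pbkdf2_hmac("sha256", evidence, SALT, PBKDF2_ROUNDS)
            return hmac.compare_digest(candidate, USER["password_hash"])
        if functionality == "crypto_key":
            return hmac.compare_digest(mac(USER["device_key"], challenge), evidence)
        if functionality == "bluetooth":
            hub_id, tag = evidence
            hub_key = CERTIFIED_HUBS.get(hub_id)
            # A confirmation from a hub that is not on the certified list is refused.
            return hub_key is not None and hmac.compare_digest(mac(hub_key, challenge), tag)
        return False

    def authenticate(self, device):
        done = []
        while len(done) < len(self.required):  # "additional functions required?"
            functionality = self.negotiate(device.supports(), done)
            if functionality is None:
                return NON_AUTHENTICATION
            challenge = secrets.token_bytes(16)  # fresh per tier, so evidence cannot be replayed
            evidence = device.respond(functionality, challenge)
            if not self.verify(functionality, challenge, evidence):
                return NON_AUTHENTICATION  # failure at any stage ends the run
            done.append(functionality)
        return CONFIRMATION


def demo():
    two_tier = Authenticator(["password", "crypto_key"])
    hub_tier = Authenticator(["password", "bluetooth"])
    good_key = USER["device_key"]
    return {
        "both tiers pass": two_tier.authenticate(Device("correct horse", good_key)),
        "wrong password": two_tier.authenticate(Device("guess", good_key)),
        "second tier missing": two_tier.authenticate(Device("correct horse")),
        "certified hub": hub_tier.authenticate(
            Device("correct horse", hub=("hub-lobby", b"constructed-hub-key"))),
        "uncertified hub": hub_tier.authenticate(
            Device("correct horse", hub=("hub-unknown", b"unknown-hub-key"))),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```
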
[0359] FIG. 16B illustrates a multi-tier authentication in which an authentication device and an authenticator employ a second device for communication. As seen in FIG. 16B an authentication device such as a personal digital assistant, a wireless smart card, a cellular phone, an electronic wallet or a PC negotiates with an authenticator an authentication functionality communicating through said second device, which may be a personal digital assistant, a cellular phone or a PC. Depending on the facilities available in or in association with the authentication device, either a Bluetooth based authentication functionality or non-Bluetooth based authentication functionality may be used.

[0360] If a non-Bluetooth authentication is selected, the authentication device obtains authentication information employing at least one of the functionalities of FIGS. 15A-15E. The authentication device then communicates authentication information to the authenticator using at least partially the Bluetooth communication protocol and communicating through said second device. In response to receipt of such information, the authenticator may authenticate the user.

[0361] If the Bluetooth authentication functionality is selected, the authentication device carries out Bluetooth authentication in conjunction with a Bluetooth hub. If the authentication is successful, the authentication device requests that the Bluetooth hub send an authentication confirmation to the authenticator communicating through said second device. In response to receipt of the confirmation, the authenticator determines whether the hub, which sent the confirmation, is certified to do so.

[0362] If authentication of the user and/or device is successful, indicating that the user and/or device is authorized, a determination is made as to whether additional authentication functions are required. If so, the authentication device and the authenticator negotiate the next authentication functionality communicating through said second device and proceed as described hereinabove. If no additional authentication functions are required, the authenticator transmits an authentication confirmation to the authentication device communicating through said second device.

[0363] If authentication of the user and/or device is not successful at any stage, indicating that the user and/or device is not authorized, the authenticator transmits a non-authentication message to the authentication device communicating through said second device.

[0364] FIG. 16C illustrates a multi-tier authentication in which an authentication device employs a proxy to communicate with an authenticator. As seen in FIG. 16C an authentication device such as a personal digital assistant, a wireless smart card, a cellular phone, an electronic wallet or a PC negotiates with an authenticator an authentication functionality, said negotiation employing a proxy, which may be a personal digital assistant, a cellular phone or a PC, to communicate with the authenticator. Depending on the facilities available in or in association with the authentication device, either a Bluetooth based authentication functionality or non-Bluetooth based authentication functionality may be used.

[0365] If a non-Bluetooth authentication is selected, the authentication device obtains authentication information employing at least one of the functionalities of FIGS. 15A-15E. The authentication device transmits authentication information to the proxy. The proxy then transmits the data to the authenticator. One or more of the transmissions use at least partially the Bluetooth communication protocol. In response to receipt of such information, the authenticator may authenticate the user.

[0366] If the Bluetooth authentication functionality is selected, the authentication device carries out Bluetooth authentication in conjunction with a Bluetooth hub. If the authentication is successful, the authentication device requests that the Bluetooth hub send an authentication confirmation to the proxy. The proxy then sends the confirmation to the authenticator. In response to receipt of the confirmation, the authenticator determines whether the hub, which sent the confirmation, is certified to do so.

[0367] If authentication of the user and/or device is successful, indicating that the user and/or device is authorized, a determination is made as to whether additional authentication functions are required. If so, the authentication device and the authenticator negotiate the next authentication functionality, said negotiation employing a proxy, and proceed as described hereinabove. If no additional authentication functions are required, the authenticator transmits an authentication confirmation to the proxy. The proxy then transmits the confirmation to the authentication device.

[0368] If authentication of the user and/or device is not successful at any stage, indicating that the user and/or device is not authorized, the authenticator transmits a non-authentication message to the proxy. The proxy then transmits the non-authentication message to the authentication device.

[0369] Reference is now made to FIGS. 17A, 17B and 17C, which are simplified flow charts of different multi-tier and non multi-tier authentication employing different combinations of authentication devices.

[0370] FIG. 17A illustrates a non multi-tier authentication employing a single authentication device. As seen in FIG. 17A, a user who requests access to a resource protected by an authenticator may employ an authentication device. The authentication device may employ any one of the functionalities of FIGS. 16A-16C to perform authentication with the authenticator. When the authentication device receives a confirmation message or a non-authentication message, the authentication device displays a suitable message to the user.

[0371] FIG. 17B illustrates a non multi-tier authentication employing multiple authentication devices. As seen in FIG. 17B, a user who requests access to a resource protected by an authenticator negotiates with said authenticator an authentication device. The authentication device may employ any one of the functionalities of FIGS. 16A-16C to perform authentication with the authenticator.

[0372] If authentication of the user and/or device is successful, indicating that the user and/or device is authorized, a determination is made as to whether additional authentication devices are required. If so, the user and the authenticator negotiate the next authentication device and proceed as described hereinabove. If no additional authentication devices are required, an authentication is granted.

[0373] If authentication of the user and/or device is not successful at any stage, authentication is not granted.

[0374] FIG. 17C illustrates a multi-tier authentication employing an enabling device. As seen in FIG. 17C, a user who requests access to a resource protected by an authenticator may employ an authentication device. The authenticator may require the authentication device to be enabled for authentication by an enabling device. The enabling device may employ any one of the functionalities of FIGS. 16A-16C to perform authentication with the authenticator.

[0375] If the enabling device is successfully authenticated, the authentication device may employ any one of the functionalities of FIGS. 16A-16C to perform authentication with the authenticator. When the authentication device receives a confirmation message or a non-authentication message, the authentication device displays a suitable message to the user.

[0376] It will be appreciated by persons skilled in the art that the present invention is not limited by what has been particularly shown and described hereinabove. Rather the scope of the present invention includes both combinations and subcombinations of the various features described hereinabove as well as variations and modifications which would occur to persons skilled in the art upon reading the specification a