(12) INTERNATIONAL APPLICATION PUBLISHED UNDER THE PATENT COOPERATION TREATY (PCT)

(19) World Intellectual Property Organization
International Bureau

(43) International Publication Date: 26 April 2001 (26.04.2001)
(10) International Publication Number: WO 01/29731 A1

(51) International Patent Classification: G06F 17/60
(21) International Application Number: PCT/US00/28387
(22) International Filing Date: 13 October 2000 (13.10.2000)
(25) Filing Language: English
(26) Publication Language: English
(30) Priority Data: 09/422,621, 21 October 1999 (21.10.1999), US
(71) Applicant: 3COM CORPORATION [US/US]; 5400 Bayfront Plaza, Santa Clara, CA 95052-8145 (US).
(72) Inventors: THOMPSON, Curtis, Duane; 1481 West Bluemont Drive, Taylorsville, UT 84123-6666 (US). CROFT, Kenneth, A.; 2159 South Hannibal Street, Salt Lake City, UT 84106 (US).
(74) Agents: MASCHOFF, Eric, L. et al.; Workman, Nydegger & Seeley, 1000 Eagle Gate Tower, 60 East South Temple, Salt Lake City, UT 84111 (US).
(81) Designated States (national): CN, DE, FI, GB, JP, SE.
(84) Designated States (regional): European patent (AT, BE, CH, CY, DE, DK, ES, FI, FR, GB, GR, IE, IT, LU, MC, NL, PT, SE).

Published:
— With international search report.

For two-letter codes and other abbreviations, refer to the "Guidance Notes on Codes and Abbreviations" appearing at the beginning of each regular issue of the PCT Gazette.

(54) Title: ACCESS CONTROL USING A PERSONAL DIGITAL ASSISTANT-TYPE

[Front-page drawing: a PDA (100) with blocks for software access (110) and hardware access; the remaining labels are not legible.]

(57) Abstract: An access control system combining PDA functionality with user authentication so that only the authorized user or
users may obtain access control codes from a PDA device for an access control point. The access control point can be a computer
terminal (108), a computer file, a door, a checkstand, a visa authorization point, a gate, or other situation wherein high security is
desirable. In a preferred embodiment, the access control system attaches to a computer (108) via a PDA cradle (104) and transmits
access control codes that include a series of authentication codes or identification codes having encoded data stored within a PDA
database. In another form of the invention, user authentication is obtained by comparing biometric data such as a fingerprint with
digitally stored data of the authorized user. A decision to grant access affects the release, an electronic release or electronic strike,
or electronic software hold. If desired, a write feature can be included into the system whereby each access control point accessed
or attempted to be accessed by a PDA user will be recorded on the PDA to determine where access has been attempted. Additional
records could be maintained along with the authentication I.D. including checking account information, credit card information,
membership information, network information, user profile information (120), e-mail information (118), and personal information.

APPLE 1006

ACCESS CONTROL USING A PERSONAL DIGITAL ASSISTANT-TYPE

BACKGROUND OF THE INVENTION

1. The Field of the Invention
This invention relates to a method for authorizing access control using a PDA
device. More particularly, the invention relates to an access control system that uses a
PDA device to reference secured data, which thereby facilitates implementation of a
selective access policy by a service controller in communication with the PDA device.

2. Description of the Prior Art
One of the challenges of the modern consumer is to maintain a respectable size
of their wallet without discarding any required information. As such an individual may
be required to carry with their planner, a drivers license, a plurality of credit cards and gas
cards, social security numbers, photographs of the family, personal identification,
checkbooks, check ledgers, bank account numbers, a telephone list of frequent contacts,
various business cards, business notes and other necessities. The net result is a wallet
that no longer fits within the constraints of the user's purse or pocket.
Personal Digital Assistant (PDA) devices, like the 3Com PalmPilot®, provide a
user with an easy, compact device that can hold all of a user's daily essentials in one
place. A PDA device provides a user with quick and easy access to multiple applications
customized to meet the individual user's needs. A successful PDA device is lightweight
enough to carry everywhere and small enough to fit into a pocket, as a user won't use the
PDA device if they don't carry it. Other desirable features found on a PDA device
include instant information access, intuitive construction for easy use, conservative
energy cell consumption, extensive personal calendaring features, a customized address
book, a digital memo pad, an expense calculator, desktop e-mail connectivity, Internet
compatibility, and local or remote database synchronization. While the development of
PDA devices has dramatically reduced digital complexity for the user, holding thousands
of addresses and hundreds of notes or e-mail messages in one portable device, PDA
devices have not provided improved access control for the user. Security features in
modern PDA devices focus on the data security, data backup, or access security to the
specific PDA device. What is needed is a PDA device that provides access control codes
to multiple security outlets or service controllers, including access to: desktop computers
for boot up, selective computer data or programs, mechanical hardware such as electronic
doors, and service identification numbers such as credit card numbers and checking
accounts.
The development of new digital device features is driven by the need for the
digital device to perform a specific function. As a result, access control issues are
virtually a non-existent factor in the overall design of a digital device. Traditionally,
physical security may have been present, but the single user nature of early digital devices
did not require exhaustive security methods within the digital device itself. While PDA
devices continue to operate in predominately single user environments, other digital
devices require more emphasis on access control. With the development of multiple user
operating systems, segregated work groups containing multiple users, and personalized
desktops varying each computer display from one user to the next; access control is a
desirable quality for a computer system.
Examples of computer data felt to require access control include secure files,
personalized e-mail accounts, specific user profiles, specific network profiles, and access
to licensed programs. A secure file may be created by a user encrypting the file with a
password. E-mail accounts obtain limited security by archiving data into personalized
data structures or by password protecting e-mail access. Access to specific user profiles
and network profiles are often controlled by operating system passwords. Many licensed
programs require that only a specific quantity of users within a company be granted
access and that additional users are not allowed access to these programs. This regulation
is generally accomplished by either assigning an access control code to each authorized
user or the licensed program may regulate a hard quantity limitation on the total number
of copies of the program that can be running from a server at any one time. By focusing
on access control mechanisms surrounding the files, productivity and efficiency are
reduced. These problems are enhanced if an individual user regularly switches work
station locations to different access points within the company. Hence, a portable system
which provides all file, user, network, or licensing authentication for a particular user
would be useful for a corporation in managing its computer usage or license usages and
would increase the efficiency and productivity of the user. Not to mention the added
benefit of no longer needing to remember all the passwords used for each "secure"
application.
A variety of access control systems and devices presently exist; however, these
access control systems do not interface or coordinate with PDA devices. Specifically, a
user attempting to gain access to various resources within a company is often required to
carry an access card, an access key, or an I.D. access badge. The user may be required
to know an access number, a PIN number, a combination, a password, or to provide a
computer authorization number. In addition to these standard electronic and mechanical
access control devices, some high security areas require an individual to provide specific
biometric information such as fingerprint verification or a retinal scan. A system that
provides all of the necessary access control information using a PDA device as a
substitute for the aforementioned keys, cards, or passwords would considerably lessen
the security delays and inefficiencies created by the multiple verification devices
presently required to obtain site access authorization, not to mention the additional
benefit of drastically reducing the extent and magnitude of security access devices
necessary for any one individual to carry with them.
Another area presently mired by the excessive numbers associated with access
control are commercial transactions for goods or services. Unless a participant is using
cash, the service provider or supplier will likely be required to obtain a purchase order
number, a credit card, or a check. To complete the transaction, additional physical
identification may be required in the form of a drivers license, a passport, a purchase
order, a check verification card, or a credit card authorization number. Once again, a
system that could maintain these access controls within the parameters of a PDA device
would be a marked improvement over the present state of the art.

SUMMARY AND OBJECTS OF THE INVENTION

The foregoing problems in the prior state of the art have been successfully
overcome by the present invention which is directed to a system and method for
coordinating the production of access control codes by a PDA device to multiple security
outlets or service controllers. The system and method of the present invention is scalable
in that the PDA device can be adapted to accommodate an unlimited variety of access
control codes for a variety of electronic, mechanical, or electrical controllers.
Furthermore, the invention allows for the attachment of identification access cards either
to program the PDA device to produce the access control codes, to work in conjunction
with the PDA device, or to function independent of but attached to the PDA device.
The system and method of the present invention utilize a PDA device to provide
improved access control for a user. According to the present invention, a PDA device is
programmed to provide various access control codes to multiple security outlets or
service controllers, specifically including access codes for: desktop computers during the
boot up process, selective secured computer data files, protected or licensed programs,
mechanical hardware such as those used with electronic latch doors, and service
identification numbers such as credit card numbers and checking accounts.
The present invention supports an access control process that may be summarized
as follows. A user enters access control information into a database in order to allow a
PDA device to selectively retrieve the information for service controllers or security
outlets. The user may also enter the access control information directly to the PDA
device through an interface device. The access control information includes access
control codes used to enable the boot-up process for a connected digital device. These
codes may also be used to authorize the transfer of funds in a commercial transaction.
Access control codes can instruct the PDA device to produce the enabling or disabling
signal for an electronic lock on items as diverse as a door and a secured computer file.
Just as there are many different types of access control codes, there are multiple methods
of delivering the codes to a service controller or security outlet. One method is through
the I/O cradle attached to the PDA device and the digital device. I/O cradles are usually
attached to either the serial RS-232 port or the parallel port. Another interface method
is between a PDA Infra-Red (IR) port and an I/O module attached to the digital device
with an IR interface. A preferred embodiment of the present invention utilizes a wireless
transceiver built into the PDA device to communicate with a receiver. Finally, traditional
interface parts, coils, or transmissions may be effectively used. These interfaces include
RF, Wiegand, magnetic, USB, or laser communication. A final potential embodiment
includes integrating an IC chip into the digital device providing access control codes
faster.
In one embodiment, the system and method of the present invention provides all
the file, user, network, or licensing authentication necessary for a particular user. Once
the PDA device is plugged into an I/O cradle, all of the necessary password verification
or authentication is supplied by the PDA device. A less memory intensive approach calls
for the storage of a solitary password within the PDA access control database which
downloads a user profile from a network location. Additional security checks could be
implemented to verify that the PDA device holder is the actual user without negatively
affecting the efficiency and productivity of the user because of the overall reduction in
the number of access control codes. Another embodiment maintains communication
between the PDA device and the digital device through an I/O module, such as a wireless
transceiver or IR port. If a wireless transceiver is used, the PDA device can download
information from the user's workstation at any time or from any location. The wireless
PDA device embodiment could alert a user when someone is attempting unauthorized
access to the user's computer. Another embodiment utilizes the PDA device to provide
the access control codes for a user and then retrieves a customized user desktop setting
for the user specified by the PDA device. This feature allows an individual user to attach
to any computer within a company's network and obtain their customized desktop. This
feature allows for incredible flexibility and versatility, not to mention the added benefit
of no longer needing to remember all the passwords used for each “secure” application.
An alternative embodiment accepts access cards, security cards, or hard coded
interface devices so that the PDA device may be used as a programmable access control
device. The identification access card could be added as a clip-on, or built into the plastic
of the PDA device. Access control functionality could even be added using an encoded,
integrated circuit added to the PDA device's printed circuit board. The identification
access card could utilize a variety of interfaces with the PDA device, including: bar code,
USB, IR, laser, Wiegand, RF, or magnetic interfaces. The significance of the PDA
interface is that external reading is easily accomplished using the PDA device or security
card reader. With this versatility, the PDA device may act as either the security device
itself or the access control device. Access information is sent out from the I.D. card or
from the I.D. card to the PDA device and then from the PDA device itself.
Another embodiment comprising the system and method of the present invention
programs a PDA device to act as a substitute for the access keys, cards, combinations, or
passwords currently associated with building security. By allowing the PDA device to
either provide the authorization codes or the identification information, the security
delays and inefficiencies created by the multiple verification devices presently required
to obtain site access authorization are drastically lessened, not to mention the additional
benefit of drastically reducing the sheer quantity of security access devices necessary for
any one individual to carry with them.
Yet another embodiment of the system and method of the present invention
allows the PDA device to present the access control numbers associated with commercial
transactions for goods or services. A properly programmed PDA device can provide the
merchant with the desired purchase order number, credit card number, or check
information. In the preferred embodiment, the PDA device can either produce or verify
additional physical identification, such as a digitally stored photo identification or
biometric identification. For example, a PDA device could provide a merchant ID
station with the owner's fingerprint; if the user of the PDA device doesn't have the same
fingerprint the ID station could reject the transaction. A variation on this approach would
have the PDA device provide the ID station with a preprogrammed personal identification
number (PIN); if the user cannot match this PIN then the transaction may be voided. A
photographic embodiment of the present invention allows the PDA device to send a
digital image of the user to the ID station for the attendant to verify.
The present invention provides access control codes to multiple security outlets
or service controllers through a PDA device. If the codes are accepted the digital device
releases access to a requested resource. This release includes access to: desktop
computers for boot up, selective computer data or programs, mechanical hardware such
as electronic doors, and service identification numbers such as credit card numbers and
checking accounts. Additionally, one embodiment of the invention is a portable system
which provides all file, user, network, or licensing authentication for a particular user.
Accordingly, it is a primary object of this invention to provide a system and
method for coordinating the production of access control codes to access outlets or
controllers using a PDA device. Other objects of the present invention include:
providing a system and method for coordinating the production of access control codes
that allows a user to access a secured digital device or an electronic readable file;
providing a system and method for coordinating the production of access control codes
that uses a control repository of information to collect access controls; providing a system
and method for coordinating the production of access control codes that acts as a
substitute for keys, cards, passwords, photographic, and biometric identification; and
providing a system and method for coordinating the production of access control codes
that interfaces with an external identification access card.
Additional objects and advantages of the invention will be set forth in the
description which follows and in part will be obvious from the description, or may be
learned by the practice of the invention. The objects and advantages of the invention may
be realized and obtained by means of the instruments and combinations particularly
pointed out in the appended claims. These and other objects and features of the present
invention will become more fully apparent from the following description and appended
claims, or may be learned by the practice of the invention as set forth hereinafter.

BRIEF DESCRIPTION OF THE DRAWINGS

In order that the manner in which the above-recited and other advantages and
objects of the invention are obtained, a more particular description of the invention
briefly described above will be rendered by reference to a specific embodiment thereof
which is illustrated in the appended drawings. Understanding that these drawings depict
only a typical embodiment of the invention and are not therefore to be considered to be
limiting of its scope, the invention will be described and explained with additional
specificity and detail through the use of the accompanying drawings in which:
Figure 1 is a top level diagram of one embodiment of the present invention
depicting access control for a computer;
Figure 2 is a flow chart of one embodiment of the present invention, illustrating
access control at computer boot and login security;
Figure 3 is a flow chart of one embodiment of the present invention depicting
access control used to secure computer files or e-mail;
Figure 4 is a flow chart of one embodiment of the present invention depicting
access control requiring a PIN and/or photo identification; and
Figure 5 is a top level diagram of one embodiment of the present invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

Figure 1 provides an overview illustrating the use of a PDA device to control
software and hardware access electronically connected to a digital device. A PDA 100
interfaces with an I.D. access card 102. The I.D. access card 102 may be in permanent,
removable, or flexible communication with the PDA 100. A permanent connection is
demonstrated by the addition of a chip which is installed within the PDA 100. The chip
method has been established in other applications, but it has not been applied to PDA
devices specifically in regards to access control or security features. If an IC chip is
added to the PDA 100, the IC chip will have access to the PDA interfaces to the outside
world through the PDA's processor. One embodiment would use the PDA's processor
to read access numbers from the security chip and transmit the number to the device
making the query. The querying device could then compare the transmitted number to
its database to see if it was an acceptable number. Upon comparison of the devices the
querying device could either accept or refuse access to its function e.g., building entry,
computer access, transactional support, or purchasing.
Removable communication generally involves attaching the I.D. access card 102
to an interface on the PDA 100 for a limited time period to either download access
control database or to program an access control extension. Examples would include
serial cables, PDA cradles, hard coded memory cards, PCMCIA cards, disks, Wiegand
devices, or other encoding equipment. Once the I.D. access card 102 contacts the PDA
100, it provides either secured data structures or an encrypted I.D. database that can be
verified later by local controller access points. One embodiment uses the I.D. access card
102 by attaching the card or similar device to the PDA 100 through a clip-on method.
Appropriate hardware and software could be added so that when a query was made on
the interface to the outside world, the PDA's processor would read the number from the
security card and transmit to the device making the query. The querying device could
authorize the PDA request based on a successful comparison of the transmitted number
to the querying device’s database. Examples of some PDA access control requests
include: building entry, computer access, car entry, purchasing transactions, goods, etc.
Flexible connections can be created when no physical electronic contact is required
between the I.D. access card 102 and the PDA 100, such as IR pulses, RF transmissions,
Wiegand devices, and wireless transceivers. Alternatively, the I.D. badge or clip-on PDA
interface previously mentioned, could function merely to hold the badge or I.D. card and
not require the I.D. access card 102 to electronically interface with the PDA at all, just
physically interface as a means of condensing and consolidating the access cards. In one
variation of this non-interactive embodiment, the removal of the card or badge from the
badge PDA interface either completely disables the PDA from functioning or limits
operation of the PDA to a limited subset of the normal functions.
In addition to receiving information from an I.D. access card 102, the PDA
interface devices can be used to facilitate communication between the PDA 100 and a
digital device 108. Various PDA interface devices are employed to communicate with
devices in the outside world including, but not limited to, the standard serial RS-232
port, a parallel port, an IR port, a PDA cradle connection, a RF bandwidth transceiver,
Wiegand device, magnetic coding or sensor, bar code reader, USB, wireless transceiver,
and laser communication. Once an interface device is selected by the PDA 100, it can
either interface with an I/O module 106 or with a PDA cradle 104. These interface
input/output transceivers are in electronic communication with digital device 108. Once
the digital device 108 has access to the PDA 100, it can verify whether access should be
granted to a user for software access 110 or hardware access 112.
In one embodiment, special booting software is installed on a computer so that
if the PDA device is not in the cradle, the computer cannot be accessed. An access card
code interface could also be used for protecting e-mail and communications between
computers by requiring the PDA device to be in its cradle or near its receptor before
access control would be allowed. This system would add security by controlling access
to all things controlled or accessed by the PDA device, without requiring unnecessary
security to impede the process. Various software access 110 features include inquiring
whether the individual has approval to use licensed programs 114, whether approval
exists to secured files 116, whether access should be granted to personal e-mail accounts
118, whether a specific user profile 120 should replace the standard desktop profile, and
if a network profile 122 exists for a particular user. The network profile 122 could be
stored on a central computer and, upon verification of a PDA 100 within an I/O cradle
108 at a particular digital device 108 access and rights and privileges to network, drives,
data, and resources could be granted to the individual user, thereby allowing him to use
local printers, fax machines, and other local facilities but also providing him with access
to printers at his home location. In essence, the user would only need to plug his PDA
100 into I/O cradle 104 or interface with I/O module 106 to obtain personalized access
throughout a company's LAN or WAN network.
In addition to software access 110, one of the significant features of the present
invention is the ability to regulate hardware access 112. Hardware access 112 focuses
primarily on boot control 124 of the digital device 108 and restrictive resource access to
attached devices 126. By checking boot control 124, the digital device can determine
whether the individual is even allowed to operate the machine. This feature is similar to
utilizing a key, however, multiple digital codes could be utilized. Essentially, a traveler
from another city could work on a computer at an out of town site and receive the
authorization to boot the machine through his PDA. Whereas, a key required that a
specific key be used on a specific machine, boot control 124 is applied to the entire
computer network. Hardware access 112 also extends to attached devices 126 electrically
linked or controlled by digital device 108. Attached devices 126 may include local
printers, local modems, local network access, local e-mail access, local infra-red
transceivers and various other attached devices like scanners, digital cameras, wireless
links, main frame connections, etc.
Figure 2 is a flow chart that outlines how the PDA in a preferred embodiment can
secure a computer at boot up or log in. Execution block 200 represents the restart or start
of the computer. Execution block 202 requires that the computer look at the boot options
stored in the boot sector or in the bootable prompt section. Decision block 204
determines whether the boot security bit is on. If the security bit in decision block 204
is not turned on, then protocol will jump immediately to execution block 216 and allow
the computer to boot. If the bit is turned on, then decision block 206 queries whether the
PDA is connected to the machine. If the PDA is not connected execution block 208
prompts the user to connect the PDA before proceeding further. If the PDA is connected,
execution block 210 reads the identification code provided from the PDA. Decision
block 212 determines whether or not an authorized I.D. is provided by the PDA device.
If the correct device is not provided or the I.D. provided is not authorized access to this
computer, execution block 214 does not allow the machine to boot. If the correct I.D. has
been provided, execution block 216 allows the computer to boot as normal now that the
access has been verified.
Figure 3 is a block diagram of an access control protocol that can be applied to
software or hardware access. The access control protocol is initiated in execution block
300 whenever there is a request to access a protected software or hardware resource,
such as e-mail or a protected file. At this point, a subprotocol initiates the security
confirmation protocol which prevents the program from providing access or from loading
further until the PDA has been verified. In decision block 302, the protocol discovers whether the
PDA is connected. If the authorized PDA is not connected, execution block 304 prompts
the user to connect the appropriate PDA to the computer. Once the PDA is connected,
execution block 306 exchanges identification information. Decision block 308
determines whether the exchanged identification information is valid. If the information
is valid, then execution block 310 allows access to the file, e-mail, or other computer
software or hardware resource. If it is not valid, then the access control protocol ends
without giving access to the file. This access control protocol allows users to access their
files on a common computer shared with multiple users. E-mail files are optionally
loaded directly down to the PDA once the identification authorization has been made.
Additionally, a user could use a traveling work station in which he was only required to
carry his PDA containing the appropriate identification information to request from the
network server the user's standard desktop and access to the user's e-mail files. As a
result, a traveler could go to a foreign office or another work site location, plug his PDA
into the control port and be granted access to the computer with the same restrictions and
limitations that he may have had at his workstation at home.
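
The decision flows of Figure 2 (boot gate, blocks 200 to 216) and Figure 3 (resource gate, blocks 300 to 310), modelled as an added example that is not part of the application. The `probe` callable, the SHA-256 digests of authorized codes, the bounded prompting with a fail-closed result, and the sample identification codes are assumptions made for the illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """Block numbers of one flow chart, as named in the description."""
    start: Tuple[int, ...]   # blocks run before the connection check
    connected: int           # decision: is the PDA connected?
    prompt: int              # prompt the user to connect the PDA
    read_id: int             # read or exchange the identification
    check_id: int            # decision: is the identification authorized?
    grant: int               # allow boot / allow access to the resource
    deny: Optional[int]      # Figure 3 names no deny block; the protocol just ends


FIG2_BOOT = Flow((200, 202, 204), 206, 208, 210, 212, 216, 214)
FIG3_RESOURCE = Flow((300,), 302, 304, 306, 308, 310, None)

MAX_PROMPTS = 3  # assumption: prompting is bounded, then the gate fails closed


def id_digest(code: bytes) -> bytes:
    """Assumption: the host stores SHA-256 digests of authorized codes."""
    return hashlib.sha256(code).digest()


def is_authorized(code: bytes, authorized: List[bytes]) -> bool:
    """Compare against every stored digest in constant time, with no early exit."""
    presented = id_digest(code)
    ok = False
    for known in authorized:
        ok |= hmac.compare_digest(presented, known)
    return ok


def run_gate(flow: Flow,
             probe: Callable[[], Optional[bytes]],
             authorized: List[bytes],
             security_on: bool = True) -> Tuple[bool, List[int]]:
    """Walk one flow chart and return (access granted, blocks visited).

    probe() is a hypothetical cradle or I/O module read: it returns the PDA's
    identification code, or None when no PDA is connected.
    """
    trace = list(flow.start)

    def deny() -> Tuple[bool, List[int]]:
        if flow.deny is not None:
            trace.append(flow.deny)
        return False, trace

    if not security_on:                  # Figure 2, block 204: security bit off
        trace.append(flow.grant)
        return True, trace

    code = None
    for _ in range(MAX_PROMPTS):
        trace.append(flow.connected)
        code = probe()
        if code is not None:
            break
        trace.append(flow.prompt)
    if code is None:                     # PDA never connected: no access
        return deny()

    trace += [flow.read_id, flow.check_id]
    if is_authorized(code, authorized):
        trace.append(flow.grant)
        return True, trace
    return deny()


def probe_sequence(*reads: Optional[bytes]) -> Callable[[], Optional[bytes]]:
    """Constructed test double: successive probe() results; the last one repeats."""
    remaining = list(reads)

    def probe() -> Optional[bytes]:
        return remaining.pop(0) if len(remaining) > 1 else remaining[0]
    return probe


# Constructed sample data, not values from the application.
ENROLLED_ID = b"PDA-ID-0001"
UNKNOWN_ID = b"PDA-ID-9999"
AUTHORIZED = [id_digest(ENROLLED_ID)]

if __name__ == "__main__":
    cases = [
        ("boot, bit off", FIG2_BOOT, probe_sequence(None), False),
        ("boot, no PDA", FIG2_BOOT, probe_sequence(None), True),
        ("boot, PDA after prompt", FIG2_BOOT, probe_sequence(None, ENROLLED_ID), True),
        ("boot, unknown PDA", FIG2_BOOT, probe_sequence(UNKNOWN_ID), True),
        ("file, enrolled PDA", FIG3_RESOURCE, probe_sequence(ENROLLED_ID), True),
        ("file, unknown PDA", FIG3_RESOURCE, probe_sequence(UNKNOWN_ID), True),
    ]
    for name, flow, probe, bit in cases:
        print(name, run_gate(flow, probe, AUTHORIZED, security_on=bit))
```
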
Figure 4 provides a flow chart depicting the use of a personal identification
number (PIN) and photo identification to provide various commercial services or
computer services. While these functions can be performed separately, this figure
demonstrates how each layer can be chained together. For example, the PDA boot
restriction depicted in figure 2 and the PDA attachment function in figure 3 could also
be applied to figure 4 without deviating from the spirit of the invention. In fact such a
chain represents one of the preferred embodiments. Execution block 400 requires the
PDA to link to the identification station. Execution block 402 represents the
identification station making a request for information from the PDA. Once this
information has been provided, the decision block 404 determines if the PDA
identification is correct. If it is not, the program will abruptly end and the user may be
required to re-initialize. If the PDA identification is correct then the confirmation system
could require in decision block 406 queries whether a PIN is required for use of this PDA
I.D. number if no PIN is necessary with this PDA identification number. If a PIN is
necessary, then execution block 408 requests a PIN from either the PDA or from the user
through a user interface located on the I.D. station. Decision block 410 determines
whether the PIN entered or received is valid. If the PIN is not valid, then decision block
414 prompts for the PDA to reconnect to determine whether another PIN should be
attempted. If the PIN is valid, then a review of the requested service is made in execution
block 412. Decision block 416 queries whether or not the requested services are
available. If the services are not availab
