`
`(19) World Intellectual Property Organization
`International Bureau
`
`l||||||l|||||||||l|||||||||||l||||||||l|||illlllllllllllllllll
`
`Illllllllllllll
`
`26 April 2001 (26.04.2001)
`
`(43) International Publication Date
`
`(10) International Publication Number
`WO 01/29731 A1
`
`
`(51) International Patent Classification7:
`
`G06F 17/60
`
`CROFT, Kenneth, A.; 2159 South Hannibal Street, Salt
`Lake City, UT 84106 (US).
`
`(21) International Application Number:
`
`PCT/USOO/28387
`
`22
`
`(
`
`)
`
`t'
`I t
`n erna Iona
`
`lF'l' D t : 130 b
`1 mg
`a e
`cto er
`
`2000 13.10.2000
`(
`
`)
`
`(74) Agents: MASCHOFF, Eric, L. et al.; Workman, Nydeg—
`ger & Seeley, 1000 Eagle Gate Tower, 60 East South Tem-
`ple, Salt Lake City, UT 84111 (US).
`
`(25) “mg Language‘
`
`EnghSh
`
`(31) Designated States (national): CN, DE, FI, GB, JP, SE.
`
`(26) Publication Language:
`
`English
`
`(30) Priority Data:
`09/422,621
`
`21 October 1999 (21.10.1999)
`
`US
`
`(84) Designated States (regional): European patent (AT, BE,
`CH, CY, DE, DK, ES, FI, FR, GB, GR, IE, IT, LU, MC,
`NL, PT, SE).
`
`Published:
`
`(71) Applicant: 3C0M CORPORATION [US/US]; 5400 — With international search report.
`Bayfront Plaza, Santa Clara, CA 95052—8 145 (US).
`
`(72) Inventors: THOIWPSON, Curtis, Duane; 1481 West
`Bluemont Drive, Taylorsville, UT 84123-6666 (US).
`
`For two-letter codes and other abbreviations, refer to the "Guid-
`ance Notes on Codes andAbbreviations " appearing at the begin-
`ning ofeach regular issue ofthe PCT Gazette.
`
`
`
`(54) Title: ACCESS CONTROL USING A PERSONAL DIGITAL ASSISTANT-TYPE
`
`‘
`
`m\
`I,_.._._._ __._.___._
`lICEIISED
`E
`secure»
`g
`PRDGIAIIS
`FILES
`-
`a
`m
`in
`
`sormaucctss
`amt
`Accounts
`m
`
`I
`
`usn
`MOHLE
`m
`
`mum E
`name
`1
`1
`m
`i
`
`HARDWARE ACCESS
`I001
`AWACNED
`GOHIIOL
`DEVICES
`a
`a
`
`1
`
`i
`E
`g,
`
`
`
`01/29731A1
`
`(57) Abstract: An access control system combining PDA functionality with user authentication so that only the authorized user or
`users may obtain access control codes from a PDA device for an access control point. The access control point can be a computer
`terminal (108), a computer file, a door, a checkstand, a visa authorization point, a gate, or other situation wherein high security is
`desirable. In a preferred embodiment, the access control system attaches to a computer (108) via a PDA cradle (104) and transmits
`access control codes that include a series of authentication codes or identification codes having encoded data stored within a PDA
`database. In another form of the invention, user authentication is obtained by comparing biometric data such as a fingerprint with
`digitally stored data of the authorized user. A decision to grant access affects the release, an electronic release or electronic snike,
`or electronic software hold. If desired, a write feature can be included into the system whereby each access control point accessed
`0 or attempted to be accessed by a PDA user will be recorded on the PDA to determine where access has been attempted. Additional
`records could be maintained along with the authentication I.D. including checking account information, credit card information,
`membership information, network information, user profile information (120), e-mail information (118), and personal information.
`
`1
`
`APPLE 1006
`
`1
`
`APPLE 1006
`
`
`
`W0 01/2973]
`
`PCT/IJSOfl/28387
`
`ACCESS CONTROL USING A PERSONAL DIGITAL ASSISTANT-TYPE
`
`l
`
`BACKGROUND OF THE INVENTION
`
`1.
`
`The Field of the Invention
`
`This invention relates to a method for authorizing access control using a PDA
`
`device. More particularly, the invention relates to an access control system that uses a
`
`PDA device to reference secured data, which thereby facilitates implementation of a
`
`selective access policy by a service controller in communication with the PDA device.
`
`10
`
`2.
`
`Description of the Prior An
`
`One of the challenges of the modern consumer is to maintain a respectable size
`
`of their wallet without discarding any required information. As such an individual may
`
`be required to carry with their planner, a drivers license, a plurality of credit cards and gas
`
`cards, social security numbers, photographs of the family, personal identification,
`
`Checkbooks, check ledgers, bank account numbers, a telephone list of frequent contacts,
`
`various business cards, business notes and other necessities. The net result is a wallet
`
`that no longer fits within the constraints of the user's purse or pocket.
`
`Personal Digital Assistant (PDA) devices, like the 3Com PalmPilot®, provide a
`
`user with an easy, compact device that can hold all of a user‘s daily essentials in one
`
`place. A PDA device provides a user with quick and easy access to multiple applications
`
`customized to meet the individual user's needs. A successful PDA device is lightweight
`
`enough to carry everywhere and small enough to fit into a pocket, as a user won't use the
`
`PDA device if they don't carry it. Other desirable features found on a PDA device
`
`include instant information access, intuitive construction for easy use, conservative
`
`energy cell consumption, extensive personal calendaring features, a customized address
`
`book, a digital memo pad, an expense calculator, desktop e-mail connectivity, Internet
`
`compatibility, and local or remote database synchronization, While the development of
`
`PDA devices has dramatically reduced digital complexity for the user, holding thousands
`
`of addresses and hundreds of notes or e—mail messages in one portable device, PDA
`
`devices have not provided improved access control for the user. Security features in
`
`modern PDA devices focus on the data security, data backup, or access security to the
`
`specific PDA device. What is needed is a PDA device that provides access control codes
`
`to multiple security outlets or service controllers, including access to: desktop computers
`
`for boot up, selective computer data or programs, mechanical hardware such as electronic
`
`doors, and service identification numbers such as credit card numbers and checking
`accounts.
`
`15
`
`20
`
`25
`
`3O
`
`35
`
`2
`
`
`
`W0 01/2973]
`
`PCT/USOO/28387
`
`2
`
`The development of new digital device features are driven by the need for the
`
`digital device to perform a specific function. As a result, access control issues are
`
`virtually a non-existent factor in the overall design of a digital device. Traditionally,
`
`physical security may have been present, but the single user nature of early digital devices
`
`did not require exhaustive security methods Within the digital device itself. While PDA
`
`devices continue to operate in predominately single user environments, other digital
`
`devices require more emphasis on access control. With the development of multiple user
`
`operating systems, segregated work groups containing multiple users, and personalized
`
`desktops varying each computer display from one user to the next; access control is a
`
`10
`
`desirable quality for a computer system
`
`Examples of computer data felt to require access control include secure files,
`
`personalized email accounts, specific user profiles, specific network profiles, and access
`
`to licensed programs. A secure file may be created by a user encrypting the file with a
`
`password. E-mail accounts obtain limited security by archiving data into personalized
`
`data structures or by password protecting e-mail access. Access to specific user profiles
`
`and network profiles are often controlled by operating system passwords. Many licensed
`
`programs require that only a specific quantity of users within a company be granted
`
`access and that additional users are not allowed access to these program. This regulation
`
`is generally accomplished by either assigning an access control code to each authorized
`user or the licensed program may regulate a hard quantity limitation on the total number
`
`of copies ofthe program that can be running fiom a server at any one time. By focusing
`
`on access control mechanisms surrounding the files, productivity and efficiency are
`
`reduced. These problems are enhanced if an individual user regularly switches work
`
`station locations to different access points within the company. Hence, a portable system
`
`which provides all file, user, network, or licensing authentication for a particular user
`
`would be useful for a corporation in managing its computer usage or license usages and
`
`would increase the efficiency and productivity of the user. Not to mention the added
`
`benefit of no longer needing to remember all the passwords used for each "secure"
`
`application.
`
`A variety of access control systems and devices presently exist, however; these
`
`access control systems do not interface or coordinate with PDA devices. Specifically, a
`
`user attempting to gain access to various resources within a company is often required to
`
`carry an access card, an access key, or an ID. access badge. The user may be required
`
`to know an access number, a PIN number, a combination, a password, or to provide a
`
`computer authorization number. In addition to these standard electronic and mechanical
`
`access control devices, some high security areas require an individual to provide specific
`3
`
`15
`
`20
`
`25
`
`3O
`
`35
`
`3
`
`
`
`WO 01/29731
`
`PCT/USOO/28387
`
`3
`
`biometric information such as fingerprint verification or a retinal scan. A system that
`
`provides all of the necessary access control information using a PDA device as a
`
`substitute for the aforementioned keys, cards, or passwords would considerably lessen
`
`the security delays and inefficiencies created by the multiple verification devices
`
`presently required to obtain site access authorization, not to mention the additional
`
`benefit of drastically reducing the extent and magnitude of security access devices
`
`necessary for any one individual to carry with them
`
`Another area presently mired by the excessive numbers associated with access
`
`control are commercial transactions for goods or services. Unless a participant is using
`
`cash, the service provider or supplier will likely be required to obtain a purchase order
`
`number, a credit card, or a check. To complete the transaction, additional physical
`
`identification may be required in the form of a drivers license, a passport, a purchase
`
`order, a check verification card, or a credit card authorization number. Once again, a
`
`system that could maintain these access controls within the parameters of a PDA device
`
`would be a marked improvement over the present state of the art.
`
`SUMMARY AND OBJECTS OF THE INVENTION
`
`The foregoing problems in the prior state of the art have been successfully
`
`overcome by the present invention which is directed to a system and method for
`
`coordinating the production of access control codes by a PDA device to multiple security
`
`outlets or service controllers. The system and method of the present invention is scalable
`
`in that the PDA device can be adapted to accommodate an unlimited variety of access
`
`control codes for a variety of electronic, mechanical, or electrical controllers.
`
`Furthermore, the invention allows for the attachment of identification access cards either
`
`to program the PDA device to produce the access control codes, to work in conjunction
`
`with the PDA device, or to function independent of but attached to the PDA device.
`
`The system and method of the present invention utilize a PDA device to provide
`
`improved access control for a user. According to the present invention, a PDA device is
`
`programmed to provide various access control codes to multiple security outlets or
`
`service controllers, specifically including access codes for: desktop computers during the
`
`boot up process, selective secured computer data files, protected or licensed programs,
`
`mechanical hardware such as those used with electronic latch doors, and service
`
`identification numbers such as credit card numbers and checking accounts.
`
`The present invention supports an access control process that may be summarized
`
`as follows. A user enters access control information into a database in order to allow a
`
`PDA device to selectively retrieve the information for service controllers or security
`4
`
`10
`
`15
`
`20
`
`25
`
`30
`
`35
`
`4
`
`
`
`WO 01/29731
`
`PCT/USO0/28387
`
`4
`
`outlets. The user may also enter the access control information directly to the PDA
`
`device through an interface device. The access control information includes access
`
`control codes used to enable the boot-up process for a connected digital device. These
`
`codes may also be used to authorize the transfer of funds in a commercial transaction.
`
`Access control codes can instruct the PDA device to produce the enabling or disabling
`
`signal for an electronic lock on items as diverse as a door and a secured computer file.
`
`Just as there are many different types of access control codes, there are multiple methods
`
`of delivering the codes to a service controller or security outlet. One method is through
`
`the I/O cradle attached to the PDA device and the digital device.
`
`I/O cradles are usually
`
`attached to either the serial RS-232 port or the parallel port. Another interface method
`
`is between a PDA Infra—Red (IR) port and an I/O module attached to the digital device
`
`with a IR interface. A preferred embodiment of the present invention utilizes wireless
`
`transceiver, built into the PDA device to communicate with a receiver. Finally traditional
`
`interface parts, coils, or transmissions may be effectively used. These interfaces include
`
`RF, Wegand, magnetic, USB, or laser communication. A final potential embodiment
`
`includes integrating an IC chip into the digital device providing access control codes
`
`faster.
`
`In one embodiment, the system and method of the present invention provides all
`
`the file, user, network, or licensing authentication necessary for a particular user. Once
`
`the PDA device is plugged into an I/O cradle, all of the necessary password verification
`
`or authentication is supplied by the PDA device. A less memory intensive approach calls
`
`for the storage of a solitary password Within the PDA access control database which
`
`downloads a user profile fi'om a network location. Additional security checks could be
`
`implemented to verify that the PDA device holder is the actual user without negatively
`
`affecting the efficiency and productivity of the user because of the overall reduction in
`
`the number of access control codes. Another embodiment maintains communication
`
`between the PDA device and the digital device through an I/O module, such as a wireless
`
`transceiver or IR port. If a wireless transceiver is used, the PDA device can download
`
`information from the user's workstation at any time or from any location. The wireless
`
`PDA device embodiment could alert a user when someone is attempting unauthorized
`
`access to the user's computer. Another embodiment utilizes the PDA device to provide
`
`the access control codes for a user and then retrieves a customized user desktop setting
`
`for the user specified by the PDA device. This feature allows an individual user to attach
`
`to any computer within a company's network and obtain their customized desktop. This
`
`feature allows for incredible flexibility and versatility, not to mention the added benefit
`
`of no longer needing to remember all the passwords used for each "secure" application.
`5
`
`10
`
`15
`
`20
`
`25
`
`30
`
`35
`
`5
`
`
`
`WO 01/29731
`
`PCT/US00/28387
`
`5
`
`An alternative embodiment accepts access cards, security cards, or hard coded
`
`interface devices so that the PDA device may be used as a programmable access control
`
`device. The identification access card could be added as a clip-on, or built into the plastic
`
`of the PDA device. Access control functionality could even be added using an encoded,
`
`integrated circuit added to the PDA device's printed circuit board. The identification
`
`access card could utilize a variety of interfaces with the PDA device, including: bar code,
`
`USB, IR, laser, Wegand, RF, or magnetic interfaces. The significance of the PDA
`
`interface is that external reading is easily accomplished using the PDA device or security
`
`card reader. With this versatility, the PDA device may act as either the security device
`
`10
`
`itself or the access control device. Access information is sent out from the ID. card or
`
`from the ID. card to the PDA device and then fiom the PDA device itself.
`
`Another embodiment comprising the system and method of the present invention
`
`programs a PDA device to act as a substitute for the access keys, cards, combinations, or
`
`passwords currently associated with building security, By allowing the PDA device to
`
`either provide the authorization codes or the identification information, the security
`
`delays and inefficiencies created by the multiple verification devices presently required
`
`to obtain site access authorization is drastically lessened, not to mention the additional
`
`benefit of drastically reducing the sheer quantity of security access devices necessary for
`
`any one individual to carry with them.
`
`Yet another embodiment of the system and method of the present invention
`
`allows the PDA device to present the access control numbers associated with commercial
`
`transactions for goods or services. A properly programmed PDA device can provide the
`
`merchant with the desired purchase order number, credit card number, or check
`
`information. In the preferred embodiment, the PDA device can either produce or verify
`
`additional physical identification, such as a digitally stored photo identification or
`
`biometric identification.
`
`For example, a PDA device could provide a merchant ID
`
`station with the owner's fingerprint, if the user of the PDA device doesn't have the same
`
`fingerprint the 1]) station could reject the transaction. A variation on this approach would
`
`have the PDA device provide the ID station with a preprogramrned personal identification
`
`number (PIN), if the user cannot match this PIN then the transaction may be voided. A
`
`photographic embodiment of the present invention allows the PDA device to send a
`
`digital image of the user to the ID station for the attendant to verify.
`
`The present invention provides access control codes to multiple security outlets
`
`or service controllers through a PDA device. If the codes are accepted the digital device
`
`releases access to a requested resource. This release includes access to: desktop
`
`computers for boot up, selective computer data or programs, mechanical hardware such
`6
`
`15
`
`20
`
`25
`
`30
`
`35
`
`6
`
`
`
`W0 Ill/29731
`
`PCT/USOO/28387
`
`6
`
`as electronic doors, and service identification numbers such as credit card numbers and
`
`checking accounts. Additionally, one embodiment of the invention is a portable system
`
`which provides all file, user, network, or licensing authentication for a particular user.
`
`Accordingly, it is a primary object of this invention to provide a system and
`
`method for coordinating the production of access control codes to access outlets or
`
`controllers using a PDA device. Other objects of the present invention include:
`
`providing a system and method for coordinating the production of access control codes
`
`that allows a user to access a secured digital device or an electronic readable file;
`
`providing a system and method for coordinating the production of access control codes
`
`that uses a control repository of information to collect access controls; providing a system
`
`and method for coordinating the production of access control codes that acts as a
`
`substitute for keys, cards, passwords, photographic, and biometric identification; and
`
`providing a system and method for coordinating the production of access control codes
`
`that interfaces with an external identification access card.
`
`Additional objects and advantages of the invention will be set forth in the
`
`description which follows and in part will be obvious from the description, or may be
`
`learned by the practice ofthe invention. The objects and advantages of the invention may
`
`be realized and obtained by means of the instruments and combinations particularly
`
`printed out in the appended claims. These and other objects and features of the present
`
`invention will become more fully apparent from the following description and appended
`
`claims, or may be learned by the practice of the invention as set forth herinafter.
`
`W
`
`In order that the manner in which the above-recited and other advantages and
`
`objects of the invention are obtained, a more particular description of the invention
`
`briefly described above will be rendered by reference to a specific embodiment thereof
`
`which is illustrated in the appended drawings. Understanding that these drawings depict
`
`only a typical embodiment of the invention and are not therefore to be considered to be
`
`limiting of its scope, the invention will be described and explained with additional
`
`specificity and detail through the use of the accompanying drawings in which:
`
`Figure 1
`
`is a top level diagram of one embodiment of the present invention
`
`depicting access control for a computer;
`
`Figure 2 is a flow chart of one embodiment of the present invention, illustrating
`
`access control at computer boot and login security;
`
`Figure 3 is a flow chart of one embodiment of the present invention depicting
`
`access control used to secure computer files or e-mail;
`7
`
`10
`
`15
`
`20
`
`25
`
`30
`
`35
`
`7
`
`
`
`WO 01/29731
`
`PCT/USOll/28387
`
`7
`
`Figure 4 is a flow chart of one embodiment of the present invention depicting
`
`access control requiring a PIN and/or photo identification; and
`
`Figure 5 is a top level diagram of one embodiment of the present invention.
`
`DETAILED DESCRIPTION OF Tfl E PREFERRED EMBODIMENTS
`
`Figure 1 provides an overview illustrating the use of a PDA device to control
`
`software and hardware access electronically connected to a digital device. A PDA 100
`
`interfaces with an I.D. access card 102. The I.D. access card 102 may be in permanent,
`
`removable, or flexible communication with the PDA 100. A permanent connection is
`
`demonstrated by the addition of a chip which is installed within the PDA 100. The chip
`
`method has been established in other applications, but it has not been applied to PDA
`
`devices specifically in regards to access control or security features.
`
`If an IC chip is
`
`added to the PDA 100, the IC chip will have access to the PDA interfaces to the outside
`
`world through the PDA's processor. One embodiment would use the PDA’s processor
`
`to read access numbers from the security chip and transmit the number to the device
`
`making the query. The querying device could then compare the transmitted number to
`
`its database to see if it was an acceptable number. Upon comparison of the devices the
`
`querying device could either accept or refuse access to its function e.g., building entry,
`
`computer access, transactional support, or purchasing.
`
`Removable communication generally involves attaching the I.D. access card 102
`
`to an interface on the PDA 100 for a limited time period to either download access
`
`control database or to program an access control extension. Examples would include
`
`serial cables, PDA cradles, hard coded memory cards, PCMCIA cards, disks, Wegand
`
`devices, or other encoding equipment. Once the I.D. access card 102 contacts the PDA
`
`100, it provides either secured data structures or an encrypted I.D. database that can be
`
`verified later by local controller access points. One embodiment uses the I.D. access card
`
`102 by attaching the card or similar device to the PDA 100 through a clip-on method.
`
`Appropriate hardware and software could be added so that when a query was made on
`
`the interface to the outside world, the PDA's processor would read the number from the
`
`security card and transmit to the device making the query. The querying device could
`
`authorize the PDA request based on a successful comparison of the transmitted number
`
`to the querying device's database. Examples of some PDA access control requests
`
`include: building entry, computer access, car entry, purchasing transactions, goods, etc.
`
`Flexible connections can be created when no physical electronic contact is required
`
`between the I.D. access card 102 and the PDA 100, such as IR pulses, RF transmissions,
`
`Wegand devices, and wireless transceivers. Alternatively, the I.D. badge or clip-on PDA
`8
`
`10
`
`15
`
`20
`
`25
`
`30
`
`35
`
`8
`
`
`
`W0 01/2973]
`
`PCT/U800/28387
`
`8
`
`interface previously mentioned, could function merely to hold the badge or ID. card and
`
`not require the ID. access card 102 to electronically interface with the PDA at all, just
`
`physically interface as a means of condensing and consolidating the access cards. In one
`
`variation of this non-interactive embodiment, the removal of the card or badge fiom the
`
`badge PDA interface either completely disables the PDA from functioning or limits
`
`operation of the PDA to a limited subset of the normal functions.
`
`In addition to receiving information from an ID. access card 102, the PDA
`
`interface devices can be used to facilitate communication between the PDA 100 and a
`
`digital device 108. Various PDA interface devices are employed to communicate with
`
`devices in the outside world including, but not limited to, the standard serial RS-232
`
`port, a parallel port, an IR port, a PDA cradle connection, a RF bandwidth transceiver,
`
`Wegand device, magnetic coding or sensor, bar code reader, USB, wireless transceiver,
`
`and laser communication. Once an interface device is selected by the PDA 100, it can
`
`either interface with an I/O module 106 or with a PDA cradle 104. These interface
`
`input/output transceivers are in electronic communication with digital device 108. Once
`
`the digital device 108 has access to the PDA 100, it can verify whether access should be
`
`granted to a user for software access 110 or hardware access 112.
`
`In one embodiment, special booting software is installed on a computer so that
`
`ifthe PDA device is not in the cradle, the computer can not be accessed. An access card
`
`code interface could also be used for protecting e-mail and communications between
`
`computers by requiring the PDA device to be in its cradle or near its receptor before
`
`access control would be allowed. This system would add security by controlling access
`
`to all things controlled or accessed by the PDA device, without requiring unnecessary
`
`security to impede the process. Various software access 110 features include inquiring
`
`whether the individual has approval to use licensed programs 114, whether approval
`
`exists to secured files 116, whether access should be granted to personal e—mail accounts
`
`118, whether a specific user profile 120 should replace the standard desktop profile, and
`
`if a network profile 122 exists for a particular user. The network profile 122 could be
`
`stored on a central computer and, upon verification of a PDA 100 within an I/O cradle
`
`108 at a particular digital device 108 access and rights and privileges to network, drives,
`
`data, and resources could be granted to the individual user, thereby allowing him to use
`
`local printers, fax machines, and other local facilities but also providing him with access
`
`to printers at his home location.
`
`In essence, the user would only need to plug his PDA
`
`100 into I/O cradle 104 or interface with 1/0 module 106 to obtain personalized access
`
`throughout a company's LAN or WAN network.
`
`10
`
`15
`
`20
`
`25
`
`30
`
`35
`
`9
`
`
`
`WO 01/29731
`
`PCT/USOO/28387
`
`9
`
`In addition to software access 110, one of the significant features of the present
`
`invention is the ability to regulate hardware access 112. Hardware access 112 focuses
`
`primarily on boot control 124 of the digital device 108 and restrictive resource access to
`
`attached devices 126. By checking boot control 124, the digital device can determine
`
`whether the individual is even allowed to operate the machine. This feature is similar to
`
`utilizing a key, however, multiple digital codes could be utilized. Essentially, a traveler
`
`from another city could work on a computer at an out of town site and receive the
`
`authorization to boot the machine through his PDA. Whereas, a key required that a
`
`specific key be used on a specific machine, boot control 124 is applied to the entire
`
`computer network. Hardware access 112 also extends to attached devices 126 electrically
`
`linked or controlled by digital device 108. Attached devices 126 may include local
`
`printers,
`
`local modems,
`
`local network access,
`
`local e—mail access,
`
`local infra-red
`
`transceivers and various other attached devices like scanners, digital cameras, wireless
`
`links, main frame connections, etc.
`
`Figure 2 is a flow chart that outlines how the PDA in a preferred embodiment can
`
`secure a computer at boot up or log in. Execution block 200 represents the restart or start
`
`of the computer. Execution block 202 requires that the computer look at the boot options
`
`stored in the boot sector or in the bootable prompt section. Decision block 204
`
`determines whether the boot security bit is on. If the security bit in decision block 204
`
`is not turned on, then protocol will jump immediately to execution block 216 and allow
`
`the computer to boot. Ifthe bit is turned on, then decision block 206 queries whether the
`
`PDA is connected to the machine.
`
`If the PDA is not connected execution block 208
`
`prompts the user to connect the PDA before proceeding further. If the PDA is connected,
`
`execution block 210 reads the identification code provided from the PDA. Decision
`
`block 212 determines whether or not an authorized ID. is provided by the PDA device.
`
`Ifthe correct device is not provided or the ID. provided is not authorized access to this
`
`computer, execution block 214 does not allow the machine to boot. If the correct ID. has
`
`been provided, execution block 216 allows the computer to boot as normal now that the
`
`access has been verified.
`
`Figure 3 is a block diagram of an access control protocol that can be applied to
`
`software or hardware access. The access control protocol is initiated in execution block
`
`300 whenever there is a request to access of an access control protocol that can be applied
`
`to software or hardware access. A protected software or hardware resource, such as e-
`
`mail or a protected file. At this point, a subprotocol initiates the security confirmation
`
`protocol which prevents the program fiom providing access or from loading further until
`
`the PDA has been verified.
`
`In decision block 302, the protocol discovers whether the
`1 0
`
`10
`
`15
`
`20
`
`25
`
`30
`
`35
`
`10
`
`
`
`WO 01/29731
`
`PCT/USOO/28387
`
`10
`
`PDA is connected. If the authorized PDA is not connected, execution block 304 prompts
`
`the user to connected the appropriate PDA to the computer. Once the PDA is connected,
`
`execution block 306 exchanges of identification information. Decision block 308
`
`determines whether the exchanged identification information is valid. If the information
`
`is valid, then execution block 310 allows access to the file, e-mail, or other computer
`
`software or hardware resource. If it is not valid, then the access control protocol ends
`
`without giving access to the file. This access control protocol allows users to access their
`
`files on a common computer shared with multiple users. E-mail files are optionally
`
`loaded directly down to the PDA once the identification authorization has been made.
`
`Additionally, a user could use a traveling work station in which he was only required to
`
`carry his PDA containing the appropriate identification information to request from the
`
`network server the user's standard desktop and access to the user's e—mail files. As a
`
`result, a traveler could go to a foreign office or another work site location, plug his PDA
`
`into the control port and be granted access to the computer with the same restrictions and
`
`limitations that he may have had at his workstation at home.
`
`Figure 4 provides a flow chart depicting the use of a personal identification
`
`number (PIN) and photo identification to provide various commercial services or
`
`computer services. While these fimctions can be performed separately, this figure
`
`demonstrates how each layer can be chained together. For example, the PDA boot
`
`restriction depicted in figure 2 and the PDA attachment function in figure 3 could also
`
`e applied to figure 4 without deviating from the spirit of the invention.
`
`In fact such a
`
`chain represents one of the preferred embodiments. Execution block 400 requires the
`
`PDA to link to the identification station.
`
`Execution block 402 represents the
`
`identification station making a request for information from the PDA. Once this
`
`information has been provided,
`
`the decision block 404 determines if the PDA
`
`identification is correct. If it is not, the program will abruptly end and the user may be
`
`required to re—initialize. Ifthe PDA identification is correct then the confirmation system
`
`could require in decision block 406 queries whether a PIN is required for use of this