ACCESS CONTROL SYSTEMS AND METHODS
Related Application Data The present application is a continuation-in-part of application 09/343,104, filed June 29, 1999. This application is also a continuation-in-part of application 09/198,022, filed November 23, 1998, which is a continuation of application 08/763,847, filed December 4, 1996 (now patent 5,841,886), which is a continuation of application 08/512,993, filed August 9, 1995, now abandoned.
The present assignee's application 09/563,663 also relates to access control systems.
Background and Summary of the Invention Access badges are familiar, and are used in a variety of corporate and government facilities. One popular card is printed with a picture of the bearer, and includes communication means (e.g., mag stripe or RF ID) for communicating with a reader device adjacent locked doorways.
While satisfactory in some contexts, such badges are unsatisfactory in others. For example, visitors to a facility are commonly issued a generic, passive badge that offers little functionality, and rarely any security. In accordance with one aspect of the present invention, a badge for use by a visitor to a facility is produced by the visitor himself or herself, at a location remote from the facility. The badge can include a photograph of the visitor (e.g., obtained from an image database maintained by a state or federal agency, such as a state department of motor vehicles), and can also include a machine-readable access code. This code, provided to the visitor in advance of their visit, defines certain privileges that the visitor is authorized to enjoy at the facility, including unescorted access to certain areas, access to certain computer resources, etc.
The foregoing and additional features and advantages of the present invention will be more readily apparent from the following detailed description.
Detailed Description In copending application 09/571,422, the present assignee discloses a variety of systems that permit digital data to be conveyed by physical objects, including cards and badges, permitting such objects to trigger various responses from compliant digital devices. In systems employing optical encoding of the digital data (e.g., digital watermarks), the reading devices can employ optical sensors, such as web cams. The optical encoding can be manifested, e.g., by ink applied to a substrate by an ink jet printer.
(A variety of watermarking techniques are known and are suitable in such applications. Exemplary watermarking technologies are detailed in the present assignee's patent 5,862,260, and pending application 09/09/503,881.)
In many embodiments detailed in the '422 application, the digital data includes an index that identifies a (remote) database record from which additional information relating to the encoded object can be retrieved, e.g., for purposes of display, to control further device action, etc. The present assignee offers a service, termed Digimarc
MediaBridge, that employs such principles to permit users to link from physical objects (e.g., magazine pages or mailings) to corresponding web sites. (I.e., a user shows the object to a web cam-equipped device, which decodes the data embedded with the object, and consults a corresponding database record to determine the appropriate URL.) In the following discussion, the information payload that is encoded by an object is termed Digimarc MediaBridge data.
To illustrate an embodiment according to the present invention, consider an employment candidate who will be interviewing at a new employer. The candidate's visit is expected, but she is not recognized by the building's security personnel. In this, and many other applications, arrangements like the following can be used:
The employer e-mails or otherwise sends the candidate an access code. (The code can be encrypted for transmission.) The code is valid only for a certain time period on a given date (e.g., 9:00 a.m. - 11:00 a.m. on June 28, 1999).
Upon receipt of the access code, the candidate downloads from the web site of the state Department of Motor Nehicles the latest copy of her driver's license photo.
The DMN has already encoded this photo with watermark data. This data identifies the electronic address of a state-run DMN server, and a particular record on that server
corresponding to the photograph/candidate. This DMN computer record, in turn, includes a text string indicating the name of the person depicted by the photograph. (The data encoded in the DMN photo can be Digimarc MediaBridge data that identifies a Digimarc MediaBridge database record, which in turn provides the address of the DMN server, and identifies the particular record on that server corresponding to the photograph.)
The candidate incorporates this photo into an access badge. Using a software application (which may be provided especially for such purposes, e.g., as part of an office productivity suite), the photo is dragged into an access badge template. The access code emailed from the employer is also provided to this application. On selecting "Print," an ink-jet printer associated with the candidate's computer prints out an access badge that includes the candidate's DMN photo and her name, and is also provided with the employer-provided access code in some machine-readable form (e.g., by digital watermark, barcode, etc.). Desirably, the name printed on the badge is not typed by the candidate, but is obtained (by the candidate's computer) from the DMN's server, in response to the data encoded in the DMN photograph. (In this application, unlike some, the photograph is not scanned as part of a watermark reading process. Instead, the photograph is already available in digital form, so watermark decoding can proceed directly from the digital representation.)
For security purposes, in cases where the access code is encoded on the card using digital watermarking of the printed badge, the watermarking format employed can be non-standard to deter hackers. The embedding of this access code can span the entire face of the card, or can be limited to certain regions (e.g., excluding the region occupied by the photograph).
On the appointed day the candidate presents herself at the employer's building. At the exterior door lock, the candidate presents the badge to an optical sensor device, which reads the embedded building access code, checks it for authenticity and, if the candidate arrived within the permitted hours, unlocks the door. The optical sensor can also capture and store a picture of the person presenting the access card, if desired. Inside the building the candidate may encounter a security guard. Seeing an unfamiliar person, the guard may visually compare the photo on the badge with the
candidate's face. Additionally, the guard can present the badge to a portable Digimarc MediaBridge device, or to one of many MediaBridge systems scattered through the building (e.g., at every telephone). The Digimarc MediaBridge system extracts the MediaBridge data from the card (e.g., from the DMN photograph), interrogates the DMN's server record corresponding to this data (again, typically through an intervening Digimarc MediaBridge database record), and receives in reply the name of the person depicted in the photograph. (If the Digimarc MediaBridge device is a telephone device, the name may be displayed on a small LCD display commonly provided on telephones.) The guard checks the name returned by the Digimarc MediaBridge system with the name printed on the badge. On seeing that the printed and MediaBridge-decoded names match (and optionally checking the door log to see that a person of that name was authorized to enter and did so), the security guard can let the candidate pass. It will be recognized that the just-described arrangement offers very high security, yet this security is achieved with without the candidate ever previously visiting the employer, without the employer knowing what the candidate looks like, and by use of an access badge produced by the candidate herself.
A number of variants on the arrangement just described are, of course, possible. For example, the badge can additionally be encoded with the identity of the person to be visited. Or this person's name can be associated with the access code encoded on the candidate's badge (e.g., in a data record maintained by the access control computer system used by the employer). In either event, once the badge is sensed at the facility, email and/or voice mail can be dispatched to that person being visited (or that person's administrative assistant), notifying them that the visitor has arrived.
Likewise, the access code can permit multiple visits - not just one. The authorized visits can be specified, e.g., by dates and times. Or the access code can permit a predetermined number of visits (e.g., 5), without regard to specifics. Or combinations of such approaches can be employed (e.g., authorizing up to 5 visits, but none after 12/31/2000).
The access code can convey other privileges to the visitor. For example, certain visitors may be authorized to access certain parts of the facility unescorted. Other
visitors may be authorized to access certain resources on the company's computer network, using the badge as a network logon credential. Again, these privileges may be limited in time.
In many of the above-described arrangements, it is contemplated that the access control computer system used by the employer has a data record associated with each access code, in which associated information, such as the dates and times of permitted visits, the name of the person being visited, the phone extension of that person, escort requirements, computer privileges, etc., etc. is specified. In other arrangements, such information is not associated with the access code, but is otherwise indicated by the badge. For example, the information can be steganographically encoded on the badge. Or such data can be associated with data - other than the access code - that is encoded on the badge.
The badge described above can lose its authorization with the passage of time (e.g., not valid after 11 :00 a.m. on June 29, 1999), or with any other event or circumstance (e.g., upon display of the badge to an access control device when exiting the building). The termination of authorization does not physically change the badge, but rather is manifested in data maintained by the access control computer used by the employer.
While reference was made to a database of images maintained by the state department of motor vehicles, this is not essential. Any trusted repository of personal image data can be employed. Desirably, access to any such repository is controlled, by suitable security techniques, to assure that a person's image is not freely available to the public, but is accessible only to that person, and perhaps appropriate government users. In other applications, documents not employing photographs can be created and utilized according to the principles detailed above. Authentication of the user may be performed by means other than photographic identification, e.g., biometrics, shared secrets, etc., that are encoded on the document (or are stored elsewhere and can be linked-to using data stored on the card) While the focus of the foregoing discussion was on badges for use at government and corporate facilities, the principles are more broadly applicable. For example, identity documents may similarly be provided for residences, schools,
businesses, institutions, theme parks, etc. Similarly, the principles are not limited for use with badges or access cards, but with any high security document.
The foregoing description does not belabor specifics of access control systems, such as details of the access control computer, the solenoid-controlled door latches, etc., that are familiar to those skilled in the art.
It should be recognized that the particular combinations of elements and features in the above-detailed arrangements are exemplary only; the interchanging and substitution of these teachings with other teachings in this and the incorporated-by- reference patents and applications are also contemplated. Moreover, there are numerous opportunities to combine elements of the systems detailed above with other access control technologies for high security applications. For example, specific permissions may be granted to selected persons who would otherwise have only general access privileges. The technology can serve to centralize permissions management in a secure access systems, while simultaneously facilitation convenience and economy in distributing/communicating privileges to users.
In view of the wide variety of embodiments to which the principles and features discussed above can be applied, it should be apparent that the detailed embodiments are illustrative only and should not be taken as limiting the scope of the invention. Rather, we claim as our invention all such modifications as may come within the scope and spirit of the following claims and equivalents thereof.