WO1999009512A1 - Identification in computer systems using inherent characteristics - Google Patents


Publication number
WO1999009512A1
Authority
WO
WIPO (PCT)
Prior art keywords
user
test
identifying
inherent security
tests
Prior art date
Application number
PCT/US1998/016877
Other languages
French (fr)
Inventor
John W. L. Ogilvie
Original Assignee
Ogilvie John W L
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Ogilvie John W L
Priority to AU90198/98A (patent AU9019898A)
Priority to GB0002110A (patent GB2343039B)
Publication of WO1999009512A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/32 User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/36 User authentication by graphic or iconic representation
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/45 Structures or tools for the administration of authentication
    • G06F21/46 Structures or tools for the administration of authentication by designing passwords or checking the strength of passwords

Definitions

  • the present invention involves identifying the authorized users of a computer system. More particularly, the invention provides tools for selecting and using inherent personal behavior preferences to identify users of computer networks, standalone computers, embedded systems, and other computer systems.
  • Identification may be used to limit access to financial records, as in an automatic bank teller or credit card processing system. Identification may be used to limit access to confidential information, as in a corporate or governmental network or standalone computer. Identification may be used to limit access to locations such as a laboratory, bank vault, or military facility. At present, and perhaps increasingly in the future, identification requirements may be imposed to limit the use of devices such as cars, boats, planes, and other transports; guns, missiles, and other weapons; and other valuable and/or dangerous items.
  • Passwords. Examples include computer passwords and pass phrases, automatic teller or debit card or telephone card personal identification numbers ("PINs"), and combinations for opening combination locks. Email addresses, zip codes, government or corporate ID numbers, and telephone numbers are sometimes also used as passwords. Passwords are relatively easy to implement and can be entered quickly and easily, using standard computer hardware and software.
  • Cards. Magnetic, optical, punched, "smart" (embedded circuit), or other encoded identity cards or similar portable devices can also be used quickly by authorized (or by unauthorized) users. Such cards are relatively inexpensive. They can also hold more data than a password, and they are harder to duplicate than a password.
  • Biometrics rely on distinguishing physical patterns found on or in the human body.
  • Biometric systems may include hardware and software for scanning and identifying fingerprints, retinal or iris patterns, voice patterns, faces, blood type, DNA, and other physical characteristics.
  • Encryption keys. Examples include symmetric and public key systems such as those built on the cryptographic techniques described in Applied Cryptography by Bruce Schneier (ISBN 0-471-59756-2, John Wiley & Sons 1994), and in other works on cryptography.
  • Witnesses. Examples include a guard, escort, or other official who is present at the entry to a secure facility and who personally recognizes and vouches for the identity of persons that are granted access to the facility.
  • Identification technologies that rely on cards and/or passwords "identify" whoever possesses the card or the password as the rightful owner to whom the card or password was issued.
  • Card readers are also relatively expensive and are standard equipment only on limited classes of computer system, such as automatic teller and telephone systems.
  • Encryption keys are best used to transmit identification information between computer tasks, threads, or other processes. They do not serve well to transmit the identity of a user from the user to the system (unless embedded in a card such as a logon certificate), because in that role they are essentially long, difficult-to-remember passwords. Like passwords, encryption keys can also be stolen, and once stolen can be readily used by the thief.
  • the present invention provides tools for identifying computer system users by testing their responses to inherent security characteristic tests.
  • the responses are used to narrow the range of possible identities for a given user until the risk of error is sufficiently low for the system at hand.
  • Inherent characteristics can be seen in the preferences people show when asked to perform certain tasks. Many examples are given below, including the way people clasp their hands, the rhythms they use when typing, and the paths they tend to follow when tracing a path on the computer screen.
  • the present invention looks for distinguishing characteristics in the way humans recognize patterns. People are good at recognizing patterns in clouds or wood grain, for instance, and different people see different patterns.
  • the invention takes advantage of this human ability to find patterns embedded in a surrounding field of "noise" such as dots or lines or random or semi-random sounds or characters or images.
  • Figure 1 is a diagram illustrating one of many networks suitable for use as a computer system according to the present invention.
  • Figure 2 is a flowchart illustrating methods of the present invention.
  • Figure 3 is one of the many possible visual patterns that may be used for pattern recognition tests according to the present invention.
  • Figure 4 is another visual pattern suitable for pattern recognition tests according to the present invention.
  • Figure 5 is yet another visual pattern suitable for pattern recognition tests according to the present invention.
  • Figure 6 is a visual pattern suitable as a background for pattern recognition tests and also suitable for subjective judgment tests, including halving tests, according to the present invention.
  • Figure 7 is a visual pattern suitable for pattern completion tests according to the present invention.
  • Figure 8 is an array of faces suitable for subjective judgment tests according to the present invention.
  • Figure 9 is one of many possible graphs suitable for inherent mathematical ability tests according to the present invention.
  • Figure 10 is one of many possible images suitable for spatial reasoning ability tests according to the present invention.
  • Figure 11 illustrates the use of three tests to narrow the range of possible identifications by partitioning a population of users according to the present invention.
  • the present invention relates to methods and systems for selecting and using inherent security characteristics for user identification in computer systems.
  • a clean conceptual line is drawn between the Technical Background, which describes approaches conceded to be part of the prior art, and the Detailed Description, which presents the invention. This is true to some extent in the present document, but it also made sense to discuss some aspects of conventional devices and methods here in the Detailed Description next to particular aspects of the invention.
  • the invention is defined by the claims.
  • the claimed invention includes novel combinations of known elements (including some elements noted in the Technical Background), novel methods using known elements, combinations of known and novel elements, and other inventive approaches.
  • A "computer system" includes at least a processor, a memory, an input device, and an output device.
  • The processor may include a general purpose device such as a 80x86, Pentium (mark of Intel), 680x0, or other "off-the-shelf" microprocessor.
  • The processor may include a special purpose processing device such as an ASIC, PAL, PLA, PLD, or other customized or programmable device.
  • the memory may include static RAM, dynamic RAM, flash memory, ROM, CD-ROM, disk, tape, magnetic, optical, or other computer storage medium.
  • the input device may include a keyboard, mouse, touch screen, light pen, tablet, microphone, position sensor, pressure sensor, thermal sensor, or other input hardware with accompanying firmware and/or software.
  • the output device may include a monitor or other display, printer, speech or text synthesizer, solenoid, switch, signal line, or other process controller.
  • the most typical computer system configurations suitable for configuration and use according to the invention presently include personal computers, network computers, or other widely used and relatively inexpensive computing devices.
  • the present invention may also be used to improve automatic teller systems, point-of-purchase payment systems, embedded systems in cars or other property, secured facility access control systems, and other computer systems.
  • Embodiments of the invention preferably use standard computer hardware, such as a monitor and an input device such as a keyboard or a mouse. Expensive or special-purpose hardware such as identity card readers and retinal scanners are not required. Indeed, although a graphics monitor (such as a graphical user interface-supporting display) is preferred, a simple character device like a teletype or tty can also be used.
  • Suitable computer systems include various networks, such as local area networks, wide area networks, metropolitan area networks, and/or various "Internet" or IP networks such as the World Wide Web, a private Internet, a secure Internet, a value-added network, a virtual private network, an extranet, or an intranet.
  • the network 100 includes a server 102 and several clients 104; other suitable networks may contain other combinations of servers, clients, and/or peer-to-peer nodes, and a given computer may function both as a client and as a server.
  • The computers connected by a suitable network may be workstations, laptop computers, disconnectable mobile computers, servers, mainframes, network computers or lean clients, personal digital assistants, or a combination thereof.
  • the network may include communications or networking software such as the software available from Novell, Microsoft, Artisoft, and other vendors, and may operate using TCP/IP, SPX, IPX, and other protocols over twisted pair, coaxial, or optical fiber cables, telephone lines, satellites, microwave relays, modulated AC power lines, and/or other data transmission "wires" known to those of skill in the art.
  • the network may encompass smaller networks and/or be connectable to other networks through a gateway or similar mechanism.
  • Standalone computers (workstations, laptops, personal digital assistants, or others) may also be configured according to the invention; a network may be present in some embodiments but is not required in all embodiments.
  • At least one of the computers is capable of using a floppy drive, tape drive, optical drive, magneto-optical drive, or other means to read a storage medium 106.
  • a suitable storage medium 106 includes a magnetic, optical, or other computer-readable storage device having a specific physical configuration. Suitable storage devices include floppy disks, hard disks, tape, CD-ROMs, PROMs, random access memory, flash memory, and other computer system storage devices.
  • the physical configuration represents data and instructions which cause the computer system to operate in a specific and predefined manner as described herein.
  • the medium 106 tangibly embodies a program, functions, and/or instructions that are executable by computer(s) to assist user identification substantially as described herein.
  • Suitable software to assist in implementing the various devices, systems, and methods of the invention is readily provided by those of skill in the pertinent art(s) using the teachings presented here and programming languages and tools such as Java, Pascal, C++, C, database languages, APIs, SDKs, assembly, firmware, microcode, and/or other languages and tools.
  • FIG. 2 illustrates generally several methods of the present invention.
  • a method may include a step 200 for selecting inherent characteristics, a step 202 for using inherent characteristics, or both.
  • An inherent characteristic (also known as an "inherent security characteristic" or "ISC") has certain qualities.
  • an ISC should be an inherent part of a person's identity, subject to the constraint that computer systems will be used to receive and evaluate the ISC. For instance, how one thinks about patterns in the world is an inherent characteristic. Computer systems cannot read minds directly to determine how one thinks, but they can be used to present patterns and record responses and characterize those responses according to programmed methods and criteria.
  • Inherency has distinct advantages. Unlike a magnetic card or even a fingerprint, inherent aspects of one's way of thinking cannot easily be stolen. Unlike a password, an inherent ability to distinguish certain patterns from surrounding noise takes no particular effort to remember. Unlike witnesses, inherent characteristics are always present when a user needs to be identified (unless the user is sleeping, ill, physically restrained, or otherwise incapacitated). The ISC must also be capable of being used to reliably identify a user. Thus, it must be acceptably consistent for a given person over time and in varied circumstances, and it must be different for different people, at least to some acceptable level of risk.
  • the ISC identification procedure preferably allows pattern recognition by a user using various combinations of patterns; this is discussed below in connection with Figure 11.
  • Combining identification tests provides control over the degree of certainty with which a user is identified. More responses to patterns of a given type being matched (for instance, responses to several halving tests of the type discussed in connection with Figure 6), or more types of patterns being matched (for instance, responses to both the finger interlacing orientation test and a halving test), or more reliable patterns being matched (as determined by clinical tests or product beta tests, for example), each correspond to greater certainty and less risk in identifying the user.
  • the situation is roughly analogous to the sort of control provided by using more or fewer bits in an encryption key, since there is a tradeoff between time and certainty.
  • ISC tests be language-neutral, visual, and/or rapidly evaluated.
  • the illustrated step of selecting inherent characteristics includes a group selecting step 204, a candidate characteristic selecting step 206, a testing step 208, and an evaluating step 210.
  • Figure 2 shows a particular order and grouping for the main steps 200 and 202, and for various subsidiary steps. However, those of skill will appreciate that the steps illustrated and discussed in this document may be performed in various orders, except in those cases in which the results of one step are required as input to another step. Likewise, steps may be omitted unless called for in the claims, regardless of whether they are expressly described as optional in this Detailed Description. Steps may also be repeated, or combined, or named differently.
  • an ISC must be inherent, preferably testable with standard hardware, and acceptably distinguishing. Unlike a password or card, an inherent characteristic is not easily stolen. Unlike biometrics, an ISC does not routinely require special scanning hardware. (Another advantage of ISCs over biometrics is that ISCs test inherent behavior, which is harder to duplicate than inherent physical metrics; the closest biometrics come to testing behavior is apparently to determine whether blood is flowing through the body part being scanned).
  • a single ISC must divide the population of users into at least two groups, so that a combination of ISCs will distinguish between individual users (or user groups) with an accuracy that is deemed acceptable under the circumstances in view of factors such as the value of access to the system, the use of other identification measures, the need for rapid access, and the details of the computer hardware available.
  • ISCs belong to one or more of at least the following groups, which are discussed in detail below: Pattern Recognition, Pattern Completion, Subjective Judgment, Orientation, Math, and Music.
  • Pattern recognition ISCs reflect an individual's inherent abilities and/or tendencies to recognize certain patterns quickly while recognizing other patterns only later or not at all.
  • Figure 3 shows a pattern that may be interpreted in different ways by different people.
  • People may identify Y, A, T, or X first. Different characteristics of each letter may be more important in one person's pattern recognition thought processes than in another person's. For example, the Y is leftmost, and English readers read left-to-right. However, the A is largest, the T is closest to the center, and the X is most symmetric. For these or other reasons, during a brief test several different members of my family (who did not know the purpose of the test) identified the letters in different orders, such as YAXT versus YTAX or YATX.
  • Figure 5 illustrates in turn some of the many possibilities for embedding simple geometric shapes, numbers, letters, faces, line drawings of buildings or tools or plants or animals, and other patterns in a field of background noise.
  • Figure 5 contains a triangle and a square embedded differently so that different people will tend to see one or the other first.
  • Figure 6 shows background noise which is not as regular as the background in Figure 5. Shapes or other patterns could be embedded in such a background by holding proximity, shape, size, vertex presence, or other visual characteristics constant along the "lines" which define the shape and varying them elsewhere, in a manner similar to holding color constant in a driver's license color-blindness test. Like Rorschach blots, optical illusions, color-blindness eye tests, and color images that emerge from a picture only if one focuses on a point outside the plane of the picture, the images used to test ISCs partition the population of viewers according to what they see (or what they tend to see first).
  • The driver's license eye tests include tests that ask one to pick out colored shapes such as circles from a field of dots of various colors and diameters. But the purpose of the eye test is to check for color blindness that would make one an unsafe driver, not to identify one before granting access to digital data or other computer system resources.
  • the Rorschach ink-blot and other psychological tests are directed to medical or psychological evaluation, not to user identification for computer security.
  • familiar word-search puzzles, hidden image puzzles, alternate focus images, optical illusions, and other known pattern recognition or pattern completion devices and methods are all directed to entertainment or intelligence testing, not to the problem of reliably identifying people to a computer system by using inherent characteristics.
  • Pattern Completion ISCs may also be identified or used by having prospective computer system users complete an appropriate sequence or other partial pattern. Different people may use different inherent rules to complete the pattern in different ways. For instance, Figure 7 shows a sequence of images leading to four possible images, only one of which is selected as "the" next in the sequence. In reality, any of the four possible next images is correct, according to the rule instinctively preferred by the user.
  • Conventional word association tests, ink blot interpretation tests, and other conventional psychological tests may be adapted for use in identifying particular individuals according to the present invention. For instance, it may be the case that one person associates warmth with comfort while another associates heat with discomfort. Once this is determined and stored for reference by a computerized test generator according to the invention, providing each person with a series of association tests will help identify the preferences and thus the person.
  • intelligence test designers, mathematicians, computer scientists, cognitive scientists, and others have identified many visual, numeric, and musical sequences which (in combination with the teachings of the present invention) will in some cases help identify inherent security characteristics.
  • 1 2 2 3 may be completed in at least two different ways, according to one's inherent preferences:
      1, 2, 2, 3, 3, 3, 4, 4, 4, 4, ...
      1, 2, 2, 3, 3, 4, 4, 5, 5, 6, ...
  • Pattern completion is closely related to the choice of rules for completing a pattern or otherwise solving a problem.
  • In general, the availability of choices and evidence of divergent approaches by different people suggests ISCs may be involved (acceptable consistency of a given person's responses must also be present).
  • Artificial intelligence researchers have identified various types of "pattern sensitivity" which are present in different people to different degrees but have not applied this to the problem of distinguishing between system users or otherwise recognized that pattern sensitivities may reflect inherent security characteristics. See, for instance, Hofstadter, Fluid Concepts and Creative Analogies, ISBN 0-465-02475-0, at pages 42, 77, 313-318.
  • Some inherent characteristics are associated with deeply held feelings about abstract concepts such as beauty, equality, and order. For instance, if different people are given a "halving test" which asks them to draw a straight line that equally divides the image of Figure 6, then different lines will often be drawn. Moreover, preferences can be identified and associated with particular people. Some prefer horizontal lines, others prefer vertical lines, a third group tends toward diagonal lines, and a fourth group shows no consistent preferred angle. Some people favor lines that cut through one or more of the filled-in shapes, while others stick to the white space between shapes, and a third group show no consistent preference in this aspect of their responses.
  • Orientation inherent security characteristics reflect physical characteristics of a user. Unlike biometrics, however, orientation ISCs reflect the way a user acts. Biometrics are basically static rather than behavioral. At most, a biometric security system might be called "kinetic" or "dynamic" when it checks for blood flow, body temperature, or other indication that a live user with the specified fingerprint, iris pattern or other biometric is present.
  • orientation (and other) ISCs test a user's behavior.
  • pattern matching, pattern completion, and subjective judgment tests described above are interactive.
  • Orientation tests are likewise interactive, although they are preferably unobtrusive and combined with tests of other ISCs, because they may be easier to falsify if the user knows they are being tested.
  • Suitable orientations to test include, without limitation, the user's handedness (left, right, or ambidextrous); natural finger interlacing when the user's hands are clasped together (left thumb on top or right thumb on top); preferred reading direction (in literate users) such as left-to-right and top-to-bottom; preferred natural language (English, French, and so forth, optionally including dialects); and preferred sentence structure (subject-verb-object, subject-object-verb, and so on).
  • the user is probably left-handed; if the bjkp portion is faster, then the user is probably right-handed; if the speeds are nearly equal (where "nearly" is determined by empirical tests on a sample of users) then the user is probably ambidextrous.
  • the selected keys make it awkward for a user to exchange hand positions (typing zdfy with the right hand and bjkp with the left).
  • the request to use a different finger for each key is preferable to an explicit request to use the left hand for the first four keys and the right hand for the last four because it does not expressly raise handedness as an issue with the user being tested. Nevertheless, the test results can be falsified by a knowledgeable and determined user, so this ISC should generally be used in combination with other ISCs and/or other security means such as passwords, cards, biometrics, or witnesses.
  • Finger interlacing orientation can be tested by analysis of a video image of the user's clasped hands, using vision hardware and software similar to that employed in factories for sorting or in biometric security systems.
  • The finger interlacing orientation of users who have all the necessary fingers can also be tested by a method such as the following. First, ask the user to clasp hands, to then straighten the little finger of each hand so it extends outward, to rest the clasped hands against their chest or on the edge of a table so that the hands can move up and down but not sideways, to close their eyes, and to then rapidly type the same key fifty or so times with one of their little fingers.
  • One keystroke should appear much more than any other.
  • G is thus the "center" keystroke for the first sequence
  • k is the center keystroke for the second sequence.
  • h is a "right-side" keystroke because the h key is to the right of the center key g
  • t is a "left-side" keystroke because the t key is slightly to the left of the center key g.
  • j is a left-side keystroke because the j key is to the left of the center key k, and there are no right-side keystrokes.
  • Preferred reading direction and sentence structure may be determined by giving the user an initial choice of languages, with each described in its own form (English, Francais, Deutsch, and so forth, including oriental and other languages that use written forms other than a Roman alphabet). Giving users a choice of language is, of course, well-known to make text legible. But to my knowledge this choice has not previously been used to help identify the user for computer system security purposes.
  • Preferred sentence structure may also be determined by giving choices based on a sequence of words, a sequence of words and images, or a sequence of images.
  • the user could be shown a sequence which contains elements capable of serving either as nouns or verbs and capable of serving either as subject nouns or object nouns.
  • An image of flames can mean either the noun "fire" or the verb "burn"; and a face with an O for a mouth and eyes slanted like / and \ could mean either "person" or "cry".
  • Most nouns will serve equally well as subject or object.
  • the user may also be asked to create a sequence which reflects the sentence structure preferred.
  • The user may be presented with images of a stick figure man facing forward (bilaterally symmetric about a vertical axis), a similar forward-facing monster, and four spears (left-pointing, right-pointing, up-pointing, and down-pointing).
  • the user is then to drag each image into a designated area to make a "sentence".
  • The spear will serve as a verb, the man as subject, and the monster as object to create a sentence such as "man kills monster."
  • the relative order of the images placed by the user will then reveal sentence structure orientation, and possibly reflect reading orientation as well.
  • The system embodying the ISC tests may show a user a graph like the one indicated generally at 900 in Figure 9, which contains points 902 and sides 904, and then instruct the user "Separate this figure into two parts, each containing at least one side, by removing as few points as possible; when a point is removed all sides attached to it are also removed."
  • the system may also give the user a scissors, eraser, gun, or other icon to be used in removing the points.
  • the user may also be given other mathematical tests.
  • One suitable test includes adaptations of the game in which a user is asked to fit a set of triangles and other simple shapes into an outline as quickly as possible; an example is shown in Figure 10. The user is asked to mentally pick up one of the four pieces, flip it over, set it back down, and then place the four pieces together to form a complete oval. The difficulty lies first in determining which single piece to flip, and then in determining how to arrange the pieces to form the oval.
  • The graph separation test of Figure 9 and the spatial reasoning test of Figure 10 each have the advantage that they are specific instances of a virtually infinite group of similar tests. Given appropriate constraints on complexity, such as "graph connected by four or fewer points" and "at most two pieces to flip and six pieces total to fit together", those of skill can use computer software and hardware to generate many similar puzzles so that a given user rarely or never sees the same puzzle twice. Such variety reduces the risk that users will be bored or annoyed, and makes it harder to falsify responses to gain unauthorized access by posing as someone else.
  • rhythmic signatures can be measured, recorded in an administrative file, and used by the computer system to help identify users.
  • Prior methods and devices not directly related to computer security enforcement but nonetheless of possible interest in identifying ISCs include the Turing test; driver's license eye tests; psychological tests such as ink-blot and word-association tests; word search puzzles; color or shape or other visual pattern-fields such as clouds or marble or certain random or semi-random floor tile patterns; and optical illusions having multiple visual interpretations, such as whether one is looking at a stairway from below or above, or whether one is looking at a tuning fork with two or three prongs, or whether one is looking at the face of a young woman or an old woman.
  • the Turing test asks whether a human tester can tell the difference between human and machine test subjects when the only communication link between tester and test subject is through a computer terminal or similar electronic or mechanical path.
  • the present invention provides a way for a machine (computer hardware and software) to distinguish between different humans through such a communication path.
  • the present invention allows a computer system to distinguish between an authorized human user, on the one hand, and cracking or simulation or artificial intelligence software that tries to imitate that human, on the other hand.
  • the present invention takes advantage of the inability of software and hardware to adequately mimic human biology, neurology, and psychology in general, and of a machine's inability to adequately mimic human pattern recognition abilities and tendencies in particular.
  • the invention confirms and demonstrates fundamental differences between people and the tools (including software and computer hardware) they create.
  • one or more candidate characteristics are selected. Selection in this and other selection steps may be at least partially automated, but human judgment will be involved either directly (as when a human reviewer makes the selection based on information that may have been produced with the assistance of automation) or indirectly (as when software programmed by a human makes the selection according to criteria embedded in the software by the programmer).
  • Selection criteria may reflect practical considerations, such as the estimated time and cost needed to determine whether the selected characteristics will function as desired as inherent security characteristics in a computer system; the estimated time and cost for implementing a large number of tests; and policy considerations such as whether the use of a particular characteristic would be offensive or degrading even if it were feasible (this could rule out tests of characteristics such as particular phobias, ethnicity, sexual preferences, and the like). Selection criteria may also reflect more academic considerations, such as theories and experimental results from psychology, psychiatry, neurology, cognitive science, sociology, genetics, and other fields concerned with human behavior.
  • step 206 would therefore rule out ear lobe structure as a candidate and would select finger interlacing orientation as a candidate.
  • step 206 may select "facial preference" generally as a characteristic to test; in subsequent iterations of step 200, step 206 may refine the characteristic to select (as a hypothetical example) "pupil presence" or "open-mouthed smile" or "mouth wider than eyes" as characteristics to test for use as ISCs.
  • candidate characteristics may be selected based on the available testing equipment, which is preferably limited to standard computer components such as a keyboard, mouse, screen, processor, and memory (speakers and microphones are rapidly becoming standard; a hard disk is standard on many systems).
  • Candidates could be identified by asking "What inherent characteristics might be exhibited when a user types on a keyboard?" This leads to consideration of characteristics such as handedness, preference for certain fingers (like many people, for instance, I rarely use the little finger of either hand while typing), the likelihood of committing certain errors rather than others when typing a given text, rhythms when typing the same text several times in rapid succession, and even spelling preferences ("color" versus "colour") or vocabulary preferences ("gas" versus "petrol").
  • candidates could be identified by asking "what inherent characteristics might be exhibited when a user moves a mouse?" This leads to consideration of characteristics such as a tendency to stay inside a square versus a tendency to hit the corners of the square when asked to rapidly trace several squares, particular ratios between the time spent on certain curves versus the time spent on straight portions when asked to trace an apparently random path, and other behaviors that might serve as ISCs.
  • the characteristics selected during step 206 are tested to determine whether they will serve with sufficient accuracy as ISCs.
  • a test of the characteristic is devised. The test must help determine whether a given person exhibits the characteristic predictably over time in response to different stimuli, and whether different people exhibit the characteristic differently. Although it will often be necessary to physically test a candidate characteristic on a statistically significant population of human users under controlled conditions before the characteristic's suitability as an ISC is determined, in some cases the mere effort to devise tests, or the results of tests run mentally (so-called "gedanken experiments"), may reveal that a selected candidate will not serve as an ISC.
  • test administration and evaluation methodologies (statistical analysis, responses to questions from the test population, control groups, and so on) of the type normally used with psychological, personality, intelligence, pharmaceutical, or medical research tests are well known. These methodologies are readily adapted for use in testing candidate ISCs.
  • a control group is preferably used to ensure that the images presented (or the text to be typed or the other stimuli) reflect the characteristic being tested.
  • the test population should generally not be told what characteristic is being tested, since they will generally not be given that information during commercial use of the invention. Knowing the characteristic being tested often makes it easier to illicitly duplicate someone else's behavior and gain unauthorized computer system access.
  • test results are evaluated to determine which candidate characteristics will actually serve as ISCs. Results from tests that were administered, from observations during design of the tests, and from gedanken experiments may all be considered. Evaluation may be aided by automation, such as correlation studies or other statistical analyses.
  • the evaluation normally relies on the results of at least one physically administered test.
  • This test is preferably administered using a computer system configured with a prototype of software that implements the tests that will be used in the commercial embodiment of the invention.
  • physical administration of visual tests may also be done with display means other than a computer screen, such as drawings on a sheet of paper or a blackboard or a whiteboard, or drawings projected on a wall or a photographic slide screen.
  • a first characteristic may serve for use in low security environments if at least one third of the target user population exhibits the characteristic consistently.
  • a second characteristic might be suitable as an ISC in a high-security environment only if virtually every member of the population exhibits it consistently.
  • An example of such a first characteristic is preferred reading direction (not everyone is literate) while an example of such a second characteristic is finger interlacing orientation (virtually everyone has two little fingers and enough other fingers to show a preferred interlacing order that is apparently genetic and thus inherent).
  • test accuracy may vary.
  • a test that accurately reveals the characteristic only about sixty percent of the time may be acceptable in some environments, such as access to a business's postage meter when the meter always refuses a request for postage over a predetermined limit anyway.
  • a test that accurately reveals the characteristic at least ninety-eight percent of the time may be needed in other environments, such as with an automatic bank teller machine.
  • the steps 204 to 210 may be repeated, omitted, or performed in other orders. For instance, someone implementing a system using specific tests presented as examples in this patent may effectively proceed straight to implementing and running tests and evaluating their results.
  • the use step 202 includes a supplement selecting step 212, an acceptability selecting step 214, an implementing and initializing step 216, and an identifying or access controlling step 218. As with the other steps, these may be performed in various orders and combinations.
  • zero or more supplemental identification means are associated with the ISC(s) for use during the step 218.
  • an extremely high-security environment could combine the use of biometric, password, witness, card, and ISC tests, denying access unless tests of each type are passed.
  • a mid-level security environment might request that the password be typed five times in twenty seconds or less and then accept the user's alleged identity as correct only if the password is known and if the typing rhythm matches the previously stored rhythm of the user who has the password in question. (The user ID or user name is thus determined implicitly).
  • the supplement selecting step 212 may also combine tests for different ISCs. For instance, a typing rhythm test and a visual pattern recognition test might be used in combination.
  • the criteria for accepting the test or the test's results are selected for the system in question. Criteria for a test depend on the system configuration; as just noted, a major constraint is the availability of the necessary hardware (or equivalent hardware - a light pen might be used in place of a mouse). Bandwidth requirements may also be imposed. For instance, graphics needed to test some visual pattern recognition ISCs may be ruled out if it would take too long to download them over a network connection.
  • Criteria for accepting a test's results reflect the presence of supplements selected during step 212 and the security level of the system. For instance, an ISC test used alone to guard access to a military system would require much greater accuracy than one used in combination with magnetic cards or one used to limit access to a subscribers-only hobby web site.
  • the user's convenience should also be considered during step 214. Identifying oneself to a computer system using ISC tests will often take longer than it would take to simply enter a short password.
  • Passwords have disadvantages, but one generally positive feature is their ease of use once they are memorized.
  • the added security obtained by using ISC tests will offset the additional user time or effort (such as for typing rhythm tests) needed by those tests.
  • the novelty and entertainment value of the ISC tests will reduce or even eliminate user irritation.
  • Many people enjoy solving puzzles, as shown by the popularity of pastimes such as crossword puzzles, riddles, fictional ceremonies, logic puzzles, anagrams, mazes, and many others (including at least some aspects of computer programming).
  • ISC tests may be presented as non-threatening puzzles. For instance, the task of drawing a single line that divides the image of Figure 6 in half is simultaneously part of an ISC test and a puzzle for the user to solve. Conversely, ISCs may be reflected in preferences or tendencies exhibited in solving popular puzzles, so popular puzzles are another source of candidates for evaluation during step 200.
  • the step 216 includes implementing software and/or hardware to present the chosen test images, instructions, or other stimuli to users; to receive the resulting input from users; to access administrative files which associate certain characteristics (as evident in the tests and resulting user responses) with certain individual users or groups of users; to analyze the input in view of the administrative files; and to inform the computer system security software of the results ("user identified as user-39", "unknown user", and so forth).
  • Programming and hardware creation and/or configuration can be accomplished using conventional tools, guided by the architecture and detailed examples described here.
  • step 216 includes initializing and/or updating the administrative files so that they accurately reflect the ISCs of users.
  • the results of mockups (using paper images rather than a computer screen, for instance) or early prototype tests can be used.
  • Identifying and Access Controlling Step 218. During step 218 all the preparations described above are put to use. To illustrate this step, consider the following examples:
  • a standalone business workstation has only one authorized user (other than the system administrator). Some confidential information is stored on the workstation, but the workstation is located in a physically secure room and the value of the confidential information is minimal to anyone other than the single authorized user.
  • the workstation is configured with simple ISC identification software. After the workstation boots and a user tries to access it, it displays a prompt like this one: "To gain access, please type your password three times in less than twenty seconds." The authorized user has been told that the message is a trap for unauthorized users, and that the system will actually grant access if the user types between twenty and thirty keys in twenty seconds. The authorized user does not know, however, that the system will also consider factors other than the number of keys and the elapsed time.
  • the ISC identification software determines that the authorized user consistently tends to respond by starting with the "q" key and typing successive keys from left to right in that same row at least three times without reaching the "p" key.
  • the ISC identification software may also provide a second prompt to obtain data to initialize another ISC test, which replaces or supplements the first test at some point after initialization data characterizes the user. For instance, tests could be changed every two months or so with little inconvenience to the user. Thus, after "passing" the first test, the user might be told that the new prompt will be "To gain access, please type your password once forward and once backward in less than ten seconds" and that the system will actually admit any user who types any sequence of at least six characters twice.
  • the system will then note that the user (who is authorized by virtue of passing the first ISC test) consistently responds by typing "zxcvbnm,.zxcvbnm,." Once the user responds consistently, the first prompt and its test can be replaced by the second prompt and its test.
  • Access to a military network is guarded by physical means (a magnetic card and a biometric fingerprint test) and by three ISC tests.
  • the user seeking access is presented with one ISC test requiring identification of all letters in a drawing similar to Figure 3; one ISC test requiring an estimate of the number of elements in a drawing similar to Figure 6 after the drawing is displayed for three seconds and then removed; and one ISC test of typing rhythms or other typing preferences.
  • the user's finger interlacing orientation is tested.
  • the user is required to grip a joystick with two hands and fly a virtual ship through several hoops; a hidden video camera snaps an image of the user's hands during the flight and the image is analyzed to determine finger lacing orientation.
  • piloting behaviors which are learned but nonetheless deeply ingrained and thus inherent may also be used as ISCs because they divide the population of pilots according to experience. For instance, helicopter pilots will react differently to the sudden presence of an obstacle than jet fighter pilots because their aircraft have different capabilities.
  • Experience may also be tested by looking for so-called "strong-but-wrong" errors; training (or lack of it) also partitions the population of potential system users. In any case, access is granted to the military network only after all ISC and other identification tests are satisfied.
  • biometric tests such as a blood type test or DNA test are used in legal proceedings to narrow the range of possible identities without fully identifying the tested person. Additional information such as eyewitness testimony is combined with the biometric test results to establish identity with acceptable accuracy.
  • Computer systems typically identify users by using one or more tests, each of which partitions the population to some degree of certainty into an authorized user and everyone else. The present invention allows this approach, but it also allows identification of users by intersecting populations in a multi-step process of elimination.
  • FIG. 11 illustrates partitioning; for clarity of illustration a hypothetical set 1100 containing only a hundred users is shown.
  • a first test divides the users into two groups 1102 and 1104 of roughly equal size.
  • a second test divides the users differently, into six groups ranging in size from ten to twenty-seven members; the first two of these six groups are indicated at 1106 and 1108.
  • a third test divides the users in yet another way; these divisions are illustrated as light and dark circles, triangles, and squares. The combined test results uniquely identify forty-two of the one hundred users even though the smallest group contains ten members. The combined tests also narrow the identification of the other users, eliminating in each case all but two or three of the hundred users.
  • ISC tests can also be combined with other tests to provide identifying information. For instance, an ISC test that partitions the population into groups of several thousand or more persons each could be combined with a request for a "weak password." Weak passwords include information such as the user's email address, ZIP code, home telephone number, or other information that is available to an unauthorized user only with significant effort and that is unlikely to be forgotten by the authorized user.
  • ISC tests should not rely heavily on a user's aptitude for skills that are enhanced by taking the ISC tests. For instance, the speed and accuracy with which a user can add a column of numbers should not be used because addition skills improve notably with practice. In particular, the ISC test should not have a "right" answer, at least with respect to the characteristics being measured (as opposed to the task set for the user).
  • the identification system can be regularly re-calibrated to reflect the user's increasing skill. This re-calibration can be done in a manner similar to the initialization step 216 introduction of a new prompt, so that re-calibration is done unobtrusively as part of the on-going use of the system.
  • the present invention provides a novel system and method for identifying users of computer systems.
  • the invention may be used in place of, or in combination with, conventional identification means such as cards, witnesses, and biometric scanners.
  • Many implementations of the invention require as I/O devices only a keyboard and a screen capable of displaying characters. Other implementations take advantage of the presence of a mouse or other pointing device, or the presence of a color screen.
  • expensive and unusual biometric scanners or other devices are not required.
  • the invention uses inherent behavioral characteristics to tell users apart, users need not memorize passwords in order to pass the identity tests that implement the invention. Likewise, users need not worry about losing cards, or having them stolen, because their inherent security characteristics are not separate items and (if tests are implemented correctly) are not easily duplicated by others.
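
The mid-level security example above (password typed five times in twenty seconds or less, with the user ID determined implicitly) can be sketched as follows. This is an added illustration, not code from the patent: the record layout, the normalized inter-key-gap profile, the 0.03 tolerance, the PBKDF2 password hashing and the sample keystroke timings are all assumptions constructed for the example.

```python
import hashlib
import hmac
import os

REPS = 5             # from the text: password typed five times
MAX_SECONDS = 20.0   # from the text: in twenty seconds or less
TOLERANCE = 0.03     # assumption: allowed mean deviation between rhythm profiles


def _hash(password, salt):
    # Assumption: the administrative file stores a salted hash, not the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def split_session(events):
    """events: [(char, key_down_time_s), ...]. Return (password, repetitions),
    or None unless the same string of 2+ keys was typed exactly REPS times."""
    if not events or len(events) % REPS:
        return None
    n = len(events) // REPS
    if n < 2:
        return None
    reps = [events[k * n:(k + 1) * n] for k in range(REPS)]
    typed = {"".join(ch for ch, _ in rep) for rep in reps}
    return (typed.pop(), reps) if len(typed) == 1 else None


def rhythm_profile(reps):
    """Average, over the repetitions, of the inter-key gaps expressed as a
    fraction of each repetition's duration, so overall tempo cancels out."""
    vectors = []
    for rep in reps:
        times = [t for _, t in rep]
        gaps = [b - a for a, b in zip(times, times[1:])]
        total = sum(gaps)
        if total <= 0 or min(gaps) < 0:
            return None  # non-monotonic or zero-length timing data
        vectors.append([g / total for g in gaps])
    return [sum(col) / len(col) for col in zip(*vectors)]


def enroll(user, events):
    """Build one administrative-file record from an initialization session."""
    parsed = split_session(events)
    profile = rhythm_profile(parsed[1]) if parsed else None
    if profile is None:
        raise ValueError("enrollment session is not usable")
    salt = os.urandom(16)
    return {"user": user, "salt": salt,
            "pwd_hash": _hash(parsed[0], salt), "profile": profile}


def identify(events, records):
    """Return the enrolled user whose password AND rhythm both match."""
    parsed = split_session(events)
    if parsed is None or events[-1][1] - events[0][1] > MAX_SECONDS:
        return "unknown user"
    password, reps = parsed
    profile = rhythm_profile(reps)
    if profile is None:
        return "unknown user"
    for rec in records:  # user ID is implicit: try every enrolled record
        if not hmac.compare_digest(_hash(password, rec["salt"]), rec["pwd_hash"]):
            continue
        deviation = sum(abs(a - b) for a, b in
                        zip(profile, rec["profile"])) / len(profile)
        if deviation <= TOLERANCE:
            return rec["user"]
    return "unknown user"


def make_session(password, gaps, pause=0.5):
    """Constructed sample input: key events with the given gaps (seconds)
    between successive keys and a fixed pause between repetitions."""
    events, t = [], 0.0
    for rep in range(REPS):
        for k, ch in enumerate(password):
            if k:
                t += gaps[k - 1]
            events.append((ch, t))
        t += pause
    return events


# Constructed enrollment data for one hypothetical user.
RECORDS = [enroll("user-39", make_session("tiger7", [0.12, 0.08, 0.20, 0.08, 0.12]))]

if __name__ == "__main__":
    genuine = make_session("tiger7", [0.13, 0.08, 0.19, 0.09, 0.12])
    stolen = make_session("tiger7", [0.15] * 5)  # right password, even rhythm
    print(identify(genuine, RECORDS), "/", identify(stolen, RECORDS))
```

A session that presents the correct password with a different rhythm is rejected exactly like a wrong password, so the response does not reveal which factor failed.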

Abstract

Methods and systems are provided for identifying users by testing for predetermined inherent characteristics (202), and for identifying inherent characteristics suitable for use in identifying users (200). Examples include tests for visual pattern recognition tendencies, pattern completion preferences, typing rhythms, and other behavioral characteristics. The identification tests described may be used in place of conventional identification tools such as passwords and magnetic ID cards, or the conventional and novel tests may be used in combination.

Description

IDENTIFICATION IN COMPUTER SYSTEMS
USING INHERENT CHARACTERISTICS
FIELD OF THE INVENTION
The present invention involves identifying the authorized users of a computer system. More particularly, the invention provides tools for selecting and using inherent personal behavior preferences to identify users of computer networks, standalone computers, embedded systems, and other computer systems.
TECHNICAL BACKGROUND OF THE INVENTION
Businesses, governments, and inventors are continually developing new uses for computers. Many computer systems rely on proper identification of individual human users or particular groups of users. Identification may be used to limit access to financial records, as in an automatic bank teller or credit card processing system. Identification may be used to limit access to confidential information, as in a corporate or governmental network or standalone computer. Identification may be used to limit access to locations such as a laboratory, bank vault, or military facility. At present, and perhaps increasingly in the future, identification requirements may be imposed to limit the use of devices such as cars, boats, planes, and other transports; guns, missiles, and other weapons; and other valuable and/or dangerous items.
Computer systems presently use the following user identification technologies, either alone or in various combinations:
• Passwords. Examples include computer passwords and pass phrases, automatic teller or debit card or telephone card personal identification numbers ("PINs"), and combinations for opening combination locks. Email addresses, zip codes, government or corporate ID numbers, and telephone numbers are sometimes also used as passwords. Passwords are relatively easy to implement and can be entered quickly and easily, using standard computer hardware and software.
• Cards. Magnetic, optical, punched, "smart" (embedded circuit), or other encoded identity cards or similar portable devices can also be used quickly by authorized (or by unauthorized) users. Such cards are relatively inexpensive. They can also hold more data than a password, and they are harder to duplicate than a password. Data may be stored in magnetic strips or embedded chips in credit cards, card-key access system cards, or "smart cards"; in optically read patterns on "photo ID" cards such as driver licenses and employee badges; and in digital data structures such as logon certificates, digital certificates, digital tokens, and other data structures which serve to identify a user (a human or a computer task) to a network or other computer system, typically by providing the user ID and permissions in encrypted form to the system for decryption and authentication.
• Biometrics. Biometrics rely on distinguishing physical patterns found on or in the human body. For example, biometric systems may include hardware and software for scanning and identifying fingerprints, retinal or iris patterns, voice patterns, faces, blood type, DNA, and other physical characteristics.
• Encryption keys. Examples include symmetric and public key systems such as those built on the cryptographic techniques described in Applied Cryptography by Bruce Schneier (ISBN 0-471-59756-2, John Wiley & Sons 1994), and in other works on cryptography.
• Witnesses. Examples include a guard, escort, or other official who is present at the entry to a secure facility and who personally recognizes and vouches for the identity of persons that are granted access to the facility.
However, each of these approaches has serious shortcomings:
• Passwords are sometimes difficult to remember, so they tend to be either written down or easier to guess than one would like; in either case, they may be stolen. Even if a password is relatively obscure and not written down, brute force attacks with sufficient computing power may be able to reveal it. Some systems also send passwords over a communication link in unencrypted form, so the passwords can be discovered by tapping into the link. Moreover, nothing "ties" a password to the authorized user other than the fact that the authorized user has kept the password secret from others; once the password is stolen it can be provided to the system just as easily by an unauthorized user as it is by the authorized user.
• Cards, like passwords, can be stolen and readily used by the thief to gain unauthorized access. Identification technologies that rely on cards and/or passwords "identify" whoever possesses the card or the password as the rightful owner to whom the card or password was issued. Card readers are also relatively expensive and are standard equipment only on limited classes of computer system, such as automatic teller and telephone systems.
• Biometrics require even more expensive hardware and software. In particular, the hardware needed to scan fingerprints, retinal or iris patterns, voice patterns, faces, blood type, DNA, and other physical characteristics is not presently a standard component of most computer systems. Nor is it likely to be standard for some time, if ever, because many computer systems simply do not need such scanners to meet the security needs of most users. Although physical body characteristics are much harder to steal than a password or an identity card, they can be imitated or obtained illicitly. Unauthorized copies of fingerprints or voice recordings can be made by a combination of collection, editing, and synthesis techniques. Skin, hair, or other body parts may be available, through normal shedding or more violent means, to provide DNA samples. Such unauthorized copies can then be used by unauthorized users almost as easily as they are used by their original owner.
• Encryption keys are best used to transmit identification information between computer tasks, threads, or other processes. They do not serve well to transmit the identity of a user from the user to the system (unless embedded in a card such as a logon certificate), because in that role they are essentially long, difficult-to-remember passwords. Like passwords, encryption keys can also be stolen, and once stolen can be readily used by the thief.
• Witnesses are expensive. They also add the most value only when they are physically near the prospective user, when they are personally acquainted with the prospective user, and when the witnesses are themselves trustworthy.
In short, improved user identification tools are desirable. For instance, it would be an advancement in the art to provide an identification technology which does not require memorization by either a user or a data structure (unlike passwords and encryption), is not readily used by a thief (unlike passwords, cards, and to some extent, biometrics and encryption), does not require expensive special-purpose hardware (unlike cards and biometrics), and does not require the on-going use of trustworthy witnesses.
It would be an additional advancement to provide such a method and system which can be used either in isolation or in combination with existing approaches such as passwords, cards, biometrics, encryption, and witnesses.
Such a method and system are disclosed and claimed herein.
BRIEF SUMMARY OF THE INVENTION
The present invention provides tools for identifying computer system users by testing their responses to inherent security characteristic tests. The responses are used to narrow the range of possible identities for a given user until the risk of error is sufficiently low for the system at hand. Inherent characteristics can be seen in the preferences people show when asked to perform certain tasks. Many examples are given below, including the way people clasp their hands, the rhythms they use when typing, and the paths they tend to follow when tracing a path on the computer screen.
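The narrowing process summarized above, in which each test partitions the user population and the groups are intersected until few enough candidates remain, can be illustrated with a short sketch. It is an added example, not code from the patent: the hundred-user population, the group assignments, and the function names are constructed for illustration and do not reproduce the groups drawn in the patent's figures.

```python
from collections import Counter, defaultdict

NUM_TESTS = 3

# Constructed administrative file (not data from the patent): 100 enrolled
# users, each with one group label per ISC test. Test 0 splits the population
# into two groups; tests 1 and 2 split it into six groups each.
ADMIN_FILE = {
    f"user-{i}": (i % 2, (i // 2) % 6, (i // 12) % 6) for i in range(100)
}


def build_index(admin_file):
    """For each test, map every group label to the set of users in that group."""
    index = [defaultdict(set) for _ in range(NUM_TESTS)]
    for user, groups in admin_file.items():
        for test_no, group in enumerate(groups):
            index[test_no][group].add(user)
    return index


def narrow(index, observed, population):
    """Intersect the groups named by the observed responses.

    observed holds one group label per test, or None for a test that was not
    administered. Returns (remaining candidates, candidate count after each
    administered test)."""
    candidates = set(population)
    history = []
    for test_no, group in enumerate(observed):
        if group is None:
            continue
        candidates &= index[test_no].get(group, set())
        history.append(len(candidates))
    return candidates, history


def decide(candidates, max_candidates=1):
    """Turn a candidate set into the result reported to the security software.
    max_candidates is the acceptable residual ambiguity for the system."""
    if not candidates:
        return "unknown user"
    if len(candidates) == 1:
        return "user identified as " + next(iter(candidates))
    if len(candidates) <= max_candidates:
        return "identity narrowed to " + ", ".join(sorted(candidates))
    return "more tests required"


def smallest_group(index):
    """Size of the smallest group produced by any single test."""
    return min(len(users) for test in index for users in test.values())


def coverage(admin_file):
    """Count users by how many enrolled users share their combined responses:
    {1: uniquely identified users, 2: users left in a pair, ...}."""
    class_size = Counter(admin_file.values())
    return dict(Counter(class_size[groups] for groups in admin_file.values()))


INDEX = build_index(ADMIN_FILE)

if __name__ == "__main__":
    responses = ADMIN_FILE["user-39"]        # what user-39 would exhibit
    found, steps = narrow(INDEX, responses, ADMIN_FILE)
    print(steps, decide(found))              # candidate count after each test
    print(smallest_group(INDEX), coverage(ADMIN_FILE))
```

With this constructed data no single test leaves fewer than twelve candidates, yet the three tests together single out 44 of the 100 users and leave the remaining 56 in pairs, which a supplemental test or weak password could then separate.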
Because they are inherent, such behavioral characteristics need not be memorized (unlike passwords). Because the tests mask the characteristics being tested and the same test is rarely or never repeated, test results are not easily imitated to gain unauthorized access. Behavioral characteristics, unlike cards or passwords or biometrics, cannot be easily entered into a computer system by anyone except the person who unconsciously manifests them. Unlike cards and biometrics, many inherent characteristics can also be used for identification without expensive special-purpose hardware. Moreover, inherent characteristic tests can be used alone or in combination with existing identification tests. In some embodiments, for instance, the present invention builds on human pattern recognition characteristics. Unlike retinal scanning and other biometric systems which use the pattern recognition capabilities of a machine to recognize essentially static physical features of a prospective user, the present invention looks for distinguishing characteristics in the way humans recognize patterns. People are good at recognizing patterns in clouds or wood grain, for instance, and different people see different patterns. The invention takes advantage of this human ability to find patterns embedded in a surrounding field of "noise" such as dots or lines or random or semi-random sounds or characters or images. Other features and advantages of the present invention will become more fully apparent through the following description.
BRIEF DESCRIPTION OF THE DRAWINGS
To illustrate the manner in which the advantages and features of the invention are obtained, a more particular description of the invention will be given with reference to the attached drawings. These drawings only illustrate selected aspects of the invention and thus do not limit the invention's scope. In the drawings:
Figure 1 is a diagram illustrating one of many networks suitable for use as a computer system according to the present invention.
Figure 2 is a flowchart illustrating methods of the present invention.
Figure 3 is one of the many possible visual patterns that may be used for pattern recognition tests according to the present invention.
Figure 4 is another visual pattern suitable for pattern recognition tests according to the present invention.
Figure 5 is yet another visual pattern suitable for pattern recognition tests according to the present invention.
Figure 6 is a visual pattern suitable as a background for pattern recognition tests and also suitable for subjective judgment tests, including halving tests, according to the present invention.
Figure 7 is a visual pattern suitable for pattern completion tests according to the present invention.
Figure 8 is an array of faces suitable for subjective judgment tests according to the present invention.
Figure 9 is one of many possible graphs suitable for inherent mathematical ability tests according to the present invention.
Figure 10 is one of many possible images suitable for spatial reasoning ability tests according to the present invention.
Figure 11 illustrates the use of three tests to narrow the range of possible identifications by partitioning a population of users according to the present invention.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS
The present invention relates to methods and systems for selecting and using inherent security characteristics for user identification in computer systems. In some patents a clean conceptual line is drawn between the Technical Background, which describes approaches conceded to be part of the prior art, and the Detailed Description, which presents the invention. This is true to some extent in the present document, but it also made sense to discuss some aspects of conventional devices and methods here in the Detailed Description next to particular aspects of the invention. The invention is defined by the claims. The claimed invention includes novel combinations of known elements (including some elements noted in the Technical Background), novel methods using known elements, combinations of known and novel elements, and other inventive approaches.
In describing the architecture of methods, devices, and systems according to the invention, the meaning of several important terms is clarified; the claims must be read with careful attention to these clarifications. Specific examples are given to illustrate aspects of the invention, but those of skill in the relevant art(s) will understand that other examples may also fall within the meaning of the terms used. Terms are defined, either explicitly or implicitly, both here in the Detailed Description and elsewhere in the application file.
Computer System
As used here, a "computer system" includes at least a processor, a memory, an input device, and an output device. The processor may include a general purpose device such as an 80x86, Pentium (mark of Intel), 680x0, or other "off-the-shelf" microprocessor. The processor may include a special purpose processing device such as an ASIC, PAL, PLA, PLD, or other customized or programmable device. The memory may include static RAM, dynamic RAM, flash memory, ROM, CD-ROM, disk, tape, magnetic, optical, or other computer storage medium. The input device may include a keyboard, mouse, touch screen, light pen, tablet, microphone, position sensor, pressure sensor, thermal sensor, or other input hardware with accompanying firmware and/or software. The output device may include a monitor or other display, printer, speech or text synthesizer, solenoid, switch, signal line, or other process controller. The most typical computer system configurations suitable for configuration and use according to the invention presently include personal computers, network computers, or other widely used and relatively inexpensive computing devices. However, the present invention may also be used to improve automatic teller systems, point-of-purchase payment systems, embedded systems in cars or other property, secured facility access control systems, and other computer systems.
Embodiments of the invention preferably use standard computer hardware, such as a monitor and an input device such as a keyboard or a mouse. Expensive or special-purpose hardware such as identity card readers and retinal scanners are not required. Indeed, although a graphics monitor (such as a graphical user interface-supporting display) is preferred, a simple character device like a teletype or tty can also be used.
Suitable computer systems include various networks, such as local area networks, wide area networks, metropolitan area networks, and/or various "Internet" or IP networks such as the World Wide Web, a private Internet, a secure Internet, a value-added network, a virtual private network, an extranet, or an intranet. One of the many networks suitable for use with the invention is shown in Figure 1. The network 100 includes a server 102 and several clients 104; other suitable networks may contain other combinations of servers, clients, and/or peer-to-peer nodes, and a given computer may function both as a client and as a server. The computers connected by a suitable network may be workstations, laptop computers, disconnectable mobile computers, servers, mainframes, network computers or lean clients, personal digital assistants, or a combination thereof.
The network may include communications or networking software such as the software available from Novell, Microsoft, Artisoft, and other vendors, and may operate using TCP/IP, SPX, IPX, and other protocols over twisted pair, coaxial, or optical fiber cables, telephone lines, satellites, microwave relays, modulated AC power lines, and/or other data transmission "wires" known to those of skill in the art. The network may encompass smaller networks and/or be connectable to other networks through a gateway or similar mechanism. Standalone computers (workstations, laptops, personal digital assistants, or others) may also be configured according to the invention; a network may be present in some embodiments but is not required in all embodiments.
As suggested by Figure 1, at least one of the computers is capable of using a floppy drive, tape drive, optical drive, magneto-optical drive, or other means to read a storage medium 106. A suitable storage medium 106 includes a magnetic, optical, or other computer-readable storage device having a specific physical configuration. Suitable storage devices include floppy disks, hard disks, tape, CD-ROMs, PROMs, random access memory, flash memory, and other computer system storage devices. The physical configuration represents data and instructions which cause the computer system to operate in a specific and predefined manner as described herein. Thus, the medium 106 tangibly embodies a program, functions, and/or instructions that are executable by computer(s) to assist user identification substantially as described herein.
Suitable software to assist in implementing the various devices, systems, and methods of the invention is readily provided by those of skill in the pertinent art(s) using the teachings presented here and programming languages and tools such as Java, Pascal, C++, C, database languages, APIs, SDKs, assembly, firmware, microcode, and/or other languages and tools.
Methods Generally
Figure 2 illustrates generally several methods of the present invention. A method may include a step 200 for selecting inherent characteristics, a step 202 for using inherent characteristics, or both. An inherent characteristic (also known as an "inherent security characteristic" or "ISC") has certain qualities. First and foremost, an ISC should be an inherent part of a person's identity, subject to the constraint that computer systems will be used to receive and evaluate the ISC. For instance, how one thinks about patterns in the world is an inherent characteristic. Computer systems cannot read minds directly to determine how one thinks, but they can be used to present patterns and record responses and characterize those responses according to programmed methods and criteria.
Inherency has distinct advantages. Unlike a magnetic card or even a fingerprint, inherent aspects of one's way of thinking cannot easily be stolen. Unlike a password, an inherent ability to distinguish certain patterns from surrounding noise takes no particular effort to remember. Unlike witnesses, inherent characteristics are always present when a user needs to be identified (unless the user is sleeping, ill, physically restrained, or otherwise incapacitated). The ISC must also be capable of being used to reliably identify a user. Thus, it must be acceptably consistent for a given person over time and in varied circumstances, and it must be different for different people, at least to some acceptable level of risk.
Other aspects of using an ISC are less critical but nonetheless desirable. The ISC identification procedure preferably allows pattern recognition by a user using various combinations of patterns; this is discussed below in connection with Figure 11. Combining identification tests provides control over the degree of certainty with which a user is identified. More responses to patterns of a given type being matched (for instance, responses to several halving tests of the type discussed in connection with Figure 6), or more types of patterns being matched (for instance, responses to both the finger interlacing orientation test and a halving test), or more reliable patterns being matched (as determined by clinical tests or product beta tests, for example), each correspond to greater certainty and less risk in identifying the user. The situation is roughly analogous to the sort of control provided by using more or fewer bits in an encryption key, since there is a tradeoff between time and certainty. In many circumstances, it is also preferable that ISC tests be language-neutral, visual, and/or rapidly evaluated.
With continued reference to Figure 2, the illustrated step of selecting inherent characteristics includes a group selecting step 204, a candidate characteristic selecting step 206, a testing step 208, and an evaluating step 210. Figure 2 shows a particular order and grouping for the main steps 200 and 202, and for various subsidiary steps. However, those of skill will appreciate that the steps illustrated and discussed in this document may be performed in various orders, except in those cases in which the results of one step are required as input to another step. Likewise, steps may be omitted unless called for in the claims, regardless of whether they are expressly described as optional in this Detailed Description. Steps may also be repeated, or combined, or named differently.
In considering these steps, remember that an ISC must be inherent, preferably testable with standard hardware, and acceptably distinguishing. Unlike a password or card, an inherent characteristic is not easily stolen. Unlike biometrics, an ISC does not routinely require special scanning hardware. (Another advantage of ISCs over biometrics is that ISCs test inherent behavior, which is harder to duplicate than inherent physical metrics; the closest biometrics come to testing behavior is apparently to determine whether blood is flowing through the body part being scanned). A single ISC must divide the population of users into at least two groups, so that a combination of ISCs will distinguish between individual users (or user groups) with an accuracy that is deemed acceptable under the circumstances in view of factors such as the value of access to the system, the use of other identification measures, the need for rapid access, and the details of the computer hardware available.
Group Selecting Step 204
During the group selecting step 204, an ISC group is selected. ISCs belong to one or more of at least the following groups, which are discussed in detail below: Pattern Recognition, Pattern Completion, Subjective Judgment, Orientation, Math, and Music.
Pattern Recognition
Pattern recognition ISCs reflect an individual's inherent abilities and/or tendencies to recognize certain patterns quickly while recognizing other patterns only later or not at all. For instance, Figure 3 shows a pattern that may be interpreted in different ways by different people. When asked "What letter do you see?" people may identify Y, A, T, or X first. Different characteristics of each letter may be more important in one person's pattern recognition thought processes than in another person's. For example, the Y is leftmost, and English readers read left-to-right. However, the A is largest, the T is closest to the center, and the X is most symmetric. For these or other reasons, during a brief test several different members of my family (who did not know the purpose of the test) identified the letters in different orders, such as YAXT versus YTAX or YATX.
Likewise, some people who are asked to describe Figure 4 will see a face, while others will see a dancer. Figure 5 illustrates in turn some of the many possibilities for embedding simple geometric shapes, numbers, letters, faces, line drawings of buildings or tools or plants or animals, and other patterns in a field of background noise. Figure 5 contains a triangle and a square embedded differently so that different people will tend to see one or the other first.
Figure 6 shows background noise which is not as regular as the background in Figure 5. Shapes or other patterns could be embedded in such a background by holding proximity, shape, size, vertex presence, or other visual characteristics constant along the "lines" which define the shape and varying them elsewhere, in a manner similar to holding color constant in a driver's license color-blindness test. Like Rorschach blots, optical illusions, color-blindness eye tests, and color images that emerge from a picture only if one focuses on a point outside the plane of the picture, the images used to test ISCs partition the population of viewers according to what they see (or what they tend to see first).
Although many of these images are familiar, their use in identifying and using inherent security characteristics is new. For example, the driver's license eye tests include tests that ask one to pick out colored shapes such as circles from a field of dots of various colors and diameters. But the purpose of the eye test is to check for color blindness that would make one an unsafe driver, not to identify one before granting access to digital data or other computer system resources. Similarly, the Rorschach ink-blot and other psychological tests are directed to medical or psychological evaluation, not to user identification for computer security. And familiar word-search puzzles, hidden image puzzles, alternate focus images, optical illusions, and other known pattern recognition or pattern completion devices and methods are all directed to entertainment or intelligence testing, not to the problem of reliably identifying people to a computer system by using inherent characteristics.
Pattern Completion
ISCs may also be identified or used by having prospective computer system users complete an appropriate sequence or other partial pattern. Different people may use different inherent rules to complete the pattern in different ways. For instance, Figure 7 shows a sequence of images leading to four possible images, only one of which is selected as "the" next in the sequence. In reality, any of the four possible next images is correct, according to the rule instinctively preferred by the user.
Conventional word association tests, ink blot interpretation tests, and other conventional psychological tests may be adapted for use in identifying particular individuals according to the present invention. For instance, it may be the case that one person associates warmth with comfort while another associates heat with discomfort. Once this is determined and stored for reference by a computerized test generator according to the invention, providing each person with a series of association tests will help identify the preferences and thus the person. Moreover, intelligence test designers, mathematicians, computer scientists, cognitive scientists, and others have identified many visual, numeric, and musical sequences which (in combination with the teachings of the present invention) will in some cases help identify inherent security characteristics. For example, the following sequence:
1 2 2 3
may be completed in at least two different ways, according to one's inherent preferences:
1, 2, 2, 3, 3, 3, 4, 4, 4, 4, ...
1, 2, 2, 3, 3, 4, 4, 5, 5, 6, ...
Pattern completion is closely related to the choice of rules for completing a pattern or otherwise solving a problem. In general, the availability of choices and evidence of divergent approaches by different people suggests ISCs may be involved (acceptable consistency of a given person's responses must also be present). For instance, artificial intelligence researchers have identified various types of "pattern sensitivity" which are present in different people to different degrees but have not applied this to the problem of distinguishing between system users or otherwise recognized that pattern sensitivities may reflect inherent security characteristics. See, for instance, Hofstadter, Fluid Concepts and Creative Analogies, ISBN 0-465-02475-0, at pages 42, 77, 313-318.
Likewise, although it is well understood that certain problems may be solved in a variety of ways (see Polya's classic work How to Solve It), the implications of this fact for computer security systems according to the present invention have not previously been recognized. Where there are alternative approaches, an inherent security characteristic is present if at least some people consistently prefer one type of alternative to another type. Such consistent preferences can be identified and associated with a particular user to help a computer system identify that user with an acceptable degree of accuracy.
Subjective Judgment
Some inherent characteristics are associated with deeply held feelings about abstract concepts such as beauty, equality, and order. For instance, if different people are given a "halving test" which asks them to draw a straight line that equally divides the image of Figure 6, then different lines will often be drawn. Moreover, preferences can be identified and associated with particular people. Some prefer horizontal lines, others prefer vertical lines, a third group tends toward diagonal lines, and a fourth group shows no consistent preferred angle. Some people favor lines that cut through one or more of the filled-in shapes, while others stick to the white space between shapes, and a third group show no consistent preference in this aspect of their responses.
Likewise, when a particular person shown a selection like Figure 8 is asked to choose the face that is "friendliest", "best-looking", or to make some similar subjective judgment, that person may be influenced by predictable personal preferences. For instance, some may prefer open mouths while others prefer closed mouths; some may avoid faces in which the mouth is wider than the eyes, some may prefer eyes with pupils, and so forth. These preferences can be identified and associated in computer system administrative files with particular users, in a manner analogous to the way conventional administrative files associate passwords or other credentials with users.
An advantage of using such computer-generated faces is that a large number of different face collections can be presented to the user over time, making it difficult for an observer to determine which preferences are being tested. A somewhat similar approach has been suggested for passwords, such as "Your password is XYZ2__, where the blank is filled by the first two letters of the current day of the week in French, so the password is XYZ2LU on Monday, XYZ2MA on Tuesday, and so forth." However, facial recognition and facial feature preferences are much more deeply ingrained in humans than rules for varying passwords. As noted above, inherency reduces the need for memorization and makes it harder to steal information that provides unauthorized system access. Unlike passwords, faces and many (but not all; see Figure 3) other visual tests for inherent security characteristics are language-independent, alphabet-independent, and even literacy-independent. That is, they work regardless of a prospective user's language skills, alphabet(s), and literacy level.
Orientation
Like biometrics, orientation inherent security characteristics reflect physical characteristics of a user. Unlike biometrics, however, orientation ISCs reflect the way a user acts. Biometrics are basically static rather than behavioral. At most, a biometric security system might be called "kinetic" or "dynamic" when it checks for blood flow, body temperature, or other indication that a live user with the specified fingerprint, iris pattern or other biometric is present.
By contrast, orientation (and other) ISCs test a user's behavior. For instance, the pattern matching, pattern completion, and subjective judgment tests described above are interactive. Orientation tests are likewise interactive, although they are preferably unobtrusive and combined with tests of other ISCs, because they may be easier to falsify if the user knows they are being tested.
Suitable orientations to test include, without limitation, the user's handedness (left, right, or ambidextrous); natural finger interlacing when the user's hands are clasped together (left thumb on top or right thumb on top); preferred reading direction (in literate users) such as left-to-right and top-to-bottom; preferred natural language (English, French, and so forth, optionally including dialects); and preferred sentence structure (subject-verb-object, subject-object-verb, and so on).
Many familiar books and movies illustrate the importance of behavior as a test of identity. These include stories about escaped prisoners trying to reach friendly territory; about spies or police who use disguises to infiltrate organizations; about an adult and a child (or a man and a woman) who exchange bodies; and about tragically separated lovers who are reunited after one of them returns from the afterlife in another body. But in such stories the goal is entertainment, not computer system security.
Handedness may be determined using novel typing tests. For instance, the user could be asked to type "zdfybjkp" three times as quickly as possible using a different finger for each key. The speed of the zdfy portion can then be compared to the speed of the bjkp portion. If the zdfy portion is faster, then the user is probably left-handed; if the bjkp portion is faster, then the user is probably right-handed; if the speeds are nearly equal (where "nearly" is determined by empirical tests on a sample of users) then the user is probably ambidextrous. The selected keys make it awkward for a user to exchange hand positions (typing zdfy with the right hand and bjkp with the left). The request to use a different finger for each key is preferable to an explicit request to use the left hand for the first four keys and the right hand for the last four because it does not expressly raise handedness as an issue with the user being tested. Nevertheless, the test results can be falsified by a knowledgeable and determined user, so this ISC should generally be used in combination with other ISCs and/or other security means such as passwords, cards, biometrics, or witnesses.
Finger interlacing orientation can be tested by analysis of a video image of the user's clasped hands, using vision hardware and software similar to that employed in factories for sorting or in biometric security systems.
The finger interlacing orientation of users who have all the necessary fingers can also be tested by a method such as the following. First, ask the user to clasp hands, to then straighten the little finger of each hand so it extends outward, to rest the clasped hands against their chest or on the edge of a table so that the hands can move up and down but not sideways, to close their eyes, and to then rapidly type the same key fifty or so times with one of their little fingers.
For a user who interlaced with the right thumb on top, this yields a sequence of keystrokes such as: gggghggggghgggggggghghgghgggggggghgggggggggggtgtgggtgggtgtgtggghghghghghg while for a user who interlaced with the left thumb on top, it yields a sequence such as:
Next, use software to analyze the sequence. One keystroke should appear much more than any other. For instance, in the first (right-on-top) sequence above there are 56 g's, 11 h's and 6 t's, and in the second (left-on-top) sequence there are 60 k's and 21 j's. G is thus the "center" keystroke for the first sequence and k is the center keystroke for the second sequence. In the first sequence, h is a "right-side" keystroke because the h key is to the right of the center key g, and t is a "left-side" keystroke because the t key is slightly to the left of the center key g. In the second sequence, j is a left-side keystroke because the j key is to the left of the center key k, and there are no right-side keystrokes. Finally, determine whether there are more right-side or left-side keystrokes, preferably weighting keystrokes like the t stroke that are only partially to one side of the center. Giving each t stroke a weight of 1/3 and each h stroke a weight of 1, the first sequence is 11 right and 2 left, or significantly right-oriented. Similarly, the second sequence is 21 left and zero right, or clearly left-oriented. Left-oriented keystroke sequences correspond to a left-on-top finger interlacing orientation, while right-oriented sequences correspond to a right-on-top orientation. The little finger of the hand that is not on top tends to focus on the center key, and the other keystrokes reveal whether the little finger of the other hand (whose thumb is on top) is to the left or the right of that centered little finger.
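The keystroke analysis described above can be written as follows. This is an added example, not code from the patent: the keyboard row offsets, the half-key cutoff for a "partial" keystroke, the minimum share for the center key, and the 2:1 margin for a decisive result are all assumptions, and the left-on-top sample is constructed to match the counts stated in the text.

```python
from collections import Counter
from fractions import Fraction

# Horizontal key-centre positions on a US QWERTY layout, in key widths. The row
# offsets (0, 0.25, 0.75) are an assumed typical stagger, not taken from the text.
ROWS = [("qwertyuiop", 0.0), ("asdfghjkl;", 0.25), ("zxcvbnm,./", 0.75)]
KEY_X = {ch: col + offset for keys, offset in ROWS for col, ch in enumerate(keys)}

PARTIAL_WEIGHT = Fraction(1, 3)  # weight the text gives t relative to centre key g
PARTIAL_BELOW = 0.5              # assumed: under half a key off-centre is "partial"
MIN_CENTER_SHARE = 0.5           # assumed: centre key is at least half of all strokes
MIN_RATIO = 2                    # assumed: winning side must at least double the other

# The first sequence is the right-on-top example quoted in the text. The second
# is constructed here to match the counts the text reports (60 k's and 21 j's).
RIGHT_ON_TOP_SAMPLE = "gggghggggghgggggggghghgghgggggggghgggggggggggtgtgggtgggtgtgtggghghghghghg"
LEFT_ON_TOP_SAMPLE = "kkkj" * 20 + "j"


def analyze_interlacing(keystrokes):
    """Infer finger interlacing orientation from a burst of little-finger keystrokes."""
    counts = Counter(ch for ch in keystrokes.lower() if ch in KEY_X)
    total = sum(counts.values())
    if total == 0:
        raise ValueError("no recognised keystrokes")
    # The most frequent key is the "center" keystroke.
    center, center_n = counts.most_common(1)[0]
    left = right = Fraction(0)
    for ch, n in counts.items():
        dx = KEY_X[ch] - KEY_X[center]
        if ch == center or dx == 0:
            continue
        # Keys only slightly off-centre count for a third of a keystroke.
        weight = PARTIAL_WEIGHT if abs(dx) < PARTIAL_BELOW else Fraction(1)
        if dx > 0:
            right += n * weight
        else:
            left += n * weight
    if center_n < MIN_CENTER_SHARE * total:
        orientation = "inconclusive"  # no single key dominates the burst
    elif right > 0 and right >= MIN_RATIO * left:
        orientation = "right-on-top"
    elif left > 0 and left >= MIN_RATIO * right:
        orientation = "left-on-top"
    else:
        orientation = "inconclusive"
    return {"center": center, "counts": dict(counts), "left": left,
            "right": right, "orientation": orientation}


if __name__ == "__main__":
    for name, sample in (("first", RIGHT_ON_TOP_SAMPLE), ("second", LEFT_ON_TOP_SAMPLE)):
        result = analyze_interlacing(sample)
        print(name, result["center"], result["right"], result["left"],
              result["orientation"])
```

An inconclusive result is a reason to fall back on other ISCs or other security means, in line with the text's advice to combine tests.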
Preferred reading direction and sentence structure may be determined by giving the user an initial choice of languages, with each described in its own form (English, Francais, Deutsch, and so forth, including oriental and other languages that use written forms other than a Roman alphabet). Giving users a choice of language is, of course, well-known to make text legible. But to my knowledge this choice has not previously been used to help identify the user for computer system security purposes.
Preferred sentence structure may also be determined by giving choices based on a sequence of words, a sequence of words and images, or a sequence of images. For instance, the user could be shown a sequence which contains elements capable of serving either as nouns or verbs and capable of serving either as subject nouns or object nouns. For example, an image of flames can mean either the noun "fire" or the verb "burn"; and a face with an O for a mouth and eyes slanted like / and \ could mean either "person" or "cry". Most nouns will serve equally well as subject or object.
The user may also be asked to create a sequence which reflects the sentence structure preferred. For instance, the user may be presented with images of a stick figure man facing forward (bilaterally symmetric about a vertical axis), a similar forward-facing monster, and four spears (left-pointing, right-pointing, up-pointing, and down-pointing). The user is then to drag each image into a designated area to make a "sentence". In general the spear will serve as a verb, the man as subject, and the monster as object to create a sentence such as "man kills monster." The relative order of the images placed by the user will then reveal sentence structure orientation, and possibly reflect reading orientation as well.
Math
Ability in mathematics can also be used as an ISC, but inherent (as opposed to learned) mathematical behavior is difficult to test. The mathematical problems posed should be stated simply, require no formal mathematical training to solve (unless such training is shared by most users), and preferably be capable of being answered in a short time (such as a minute or less). Problems posed by the computer system may be similar to those already used in mathematical tests, and new tests may also be employed. For instance, the system embodying the ISC tests may show a user a graph like the one indicated generally at 900 in Figure 9, which contains points 902 and sides 904, and then instruct the user "Separate this figure into two parts, each containing at least one side, by removing as few points as possible; when a point is removed all sides attached to it are also removed." The system may also give the user a scissors, eraser, gun, or other icon to be used in removing the points.
The user may also be given other mathematical tests. One suitable test includes adaptations of the game in which a user is asked to fit a set of triangles and other simple shapes into an outline as quickly as possible; an example is shown in Figure 10. The user is asked to mentally pick up one of the four pieces, flip it over, set it back down, and then place the four pieces together to form a complete oval. The difficulty lies first in determining which single piece to flip, and then in determining how to arrange the pieces to form the oval. Some people have an inherently better understanding of spatial relationships than others, so this ability (like other principally inherent mathematical abilities but unlike learned abilities) can be used to identify different users of a computer system.
The graph separation test of Figure 9 and the spatial reasoning test of Figure 10 each have the advantage that they are specific instances of a virtually infinite group of similar tests. Given appropriate constraints on complexity, such as "graph connected by four or fewer points" and "at most two pieces to flip and six pieces total to fit together", those of skill can use computer software and hardware to generate many similar puzzles so that a given user rarely or never sees the same puzzle twice. Such variety reduces the risk that users will be bored or annoyed, and makes it harder to falsify responses to gain unauthorized access by posing as someone else.
Music
It might be expected that musical ability testing for the purpose of identifying oneself to a computer security system would require a microphone and a speaker. If these devices become standard at the user sites involved, they can be used to test inherent musical characteristics ranging from the ability to repeat a melody heard once to the ability to duplicate a certain pitch to the ability to sight-read and then sing a given musical selection. However, microphones (and perhaps even speakers) are not yet standard equipment on computer systems that can benefit from the present invention. Thus, it is advantageous to have tests of inherent musical ability that do not require a microphone or speaker. One approach is to use keystrokes to test for an inherent preferred interpretation of ambiguous representations of rhythm. When faced with a long sequence all at once (whether mathematical or musical), different people will separate the sequence into smaller groups in different ways or otherwise type differently.
For instance, when a user is asked to rapidly type "abk" twenty or so times, some users will put a larger delay between the a and the b than between the b and the k; others will do the opposite, and some users will have approximately equal delays. Likewise, users will tend to show characteristic "delay signatures" when typing other sequences. In longer sequences, users may also introduce characteristic errors, such as a tendency to hit the e key instead of the r key when rapidly typing "abkr". These rhythmic signatures can be measured, recorded in an administrative file, and used by the computer system to help identify users.
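The two timing tests in this description, the "zdfybjkp" handedness test and the "abk" delay signature, both reduce to comparing mean inter-key delays over clean repetitions. The sketch below is an added example, not code from the patent; the 10% "nearly equal" tolerance, the signature labels, and all sample timings are constructed assumptions.

```python
from statistics import mean

NEAR_EQUAL = 0.10  # assumed tolerance; the text says "nearly" is set empirically


def gap_profile(events, target):
    """Mean delay in ms between adjacent keys of target, over clean repetitions.

    events is a list of (key, timestamp_ms). A repetition containing a wrong
    key is skipped, so a typing slip does not distort the profile.
    """
    keys = "".join(k for k, _ in events)
    n, i, reps = len(target), 0, []
    while i + n <= len(events):
        if keys[i:i + n] == target:
            times = [t for _, t in events[i:i + n]]
            reps.append([b - a for a, b in zip(times, times[1:])])
            i += n
        else:
            i += 1  # resynchronise on the next key after a slip
    if not reps:
        raise ValueError("no clean repetition of %r found" % target)
    return [mean(col) for col in zip(*reps)], len(reps)


def relation(first, second, tolerance=NEAR_EQUAL):
    """Return 'first' or 'second' for the shorter value, 'equal' if nearly equal."""
    if abs(first - second) <= tolerance * max(first, second):
        return "equal"
    return "first" if first < second else "second"


def handedness(events):
    """Compare the speed of the zdfy portion with the speed of the bjkp portion."""
    gaps, _ = gap_profile(events, "zdfybjkp")
    left, right = sum(gaps[:3]), sum(gaps[4:])  # gaps[3] is the y-to-b hand change
    return {"first": "left-handed", "second": "right-handed",
            "equal": "ambidextrous"}[relation(left, right)]


def rhythm_signature(events, target="abk"):
    """Label which of the two delays in a three-key sequence is longer."""
    gaps, _ = gap_profile(events, target)
    return {"first": "short-long", "second": "long-short",
            "equal": "even"}[relation(gaps[0], gaps[1])]


def make_events(reps, pause=400):
    """Build constructed (key, timestamp_ms) events from (typed, gaps) pairs."""
    events, t = [], 0
    for typed, gaps in reps:
        for ch, gap in zip(typed, [0] + list(gaps)):
            t += gap
            events.append((ch, t))
        t += pause
    return events


# Constructed samples: a user whose bjkp portion is faster, and a user who
# pauses longer between a and b than between b and k, with one slip ("avk").
RIGHT_HANDED_SAMPLE = make_events([("zdfybjkp", [150, 150, 150, 120, 100, 100, 100])] * 3)
RHYTHM_SAMPLE = make_events([("abk", [180, 90])] * 10 + [("avk", [200, 95])]
                            + [("abk", [180, 90])] * 9)

if __name__ == "__main__":
    print(handedness(RIGHT_HANDED_SAMPLE))
    enrolled = "long-short"  # value stored in the administrative file (constructed)
    print(rhythm_signature(RHYTHM_SAMPLE) == enrolled)
```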
ISC Sources
Prior methods and devices not directly related to computer security enforcement but nonetheless of possible interest in identifying ISCs include the Turing test; driver's license eye tests; psychological tests such as ink-blot and word-association tests; word search puzzles; color or shape or other visual pattern-fields such as clouds or marble or certain random or semi-random floor tile patterns; and optical illusions having multiple visual interpretations, such as whether one is looking at a stairway from below or above, or whether one is looking at a tuning fork with two or three prongs, or whether one is looking at the face of a young woman or an old woman.
The Turing test asks whether a human tester can tell the difference between human and machine test subjects when the only communication link between tester and test subject is through a computer terminal or similar electronic or mechanical path. By contrast, the present invention provides a way for a machine (computer hardware and software) to distinguish between different humans through such a communication path. In particular, the present invention allows a computer system to distinguish between an authorized human user, on the one hand, and cracking or simulation or artificial intelligence software that tries to imitate that human, on the other hand. The present invention takes advantage of the inability of software and hardware to adequately mimic human biology, neurology, and psychology in general, and of a machine's inability to adequately mimic human pattern recognition abilities and tendencies in particular. In this respect, the invention confirms and demonstrates fundamental differences between people and the tools (including software and computer hardware) they create.
Candidate Selecting Step 206
During step 206, one or more candidate characteristics are selected. Selection in this and other selection steps may be at least partially automated, but human judgment will be involved either directly (as when a human reviewer makes the selection based on information that may have been produced with the assistance of automation) or indirectly (as when software programmed by a human makes the selection according to criteria embedded in the software by the programmer). Selection criteria may reflect practical considerations, such as the estimated time and cost needed to determine whether the selected characteristics will function as desired as inherent security characteristics in a computer system; the estimated time and cost for implementing a large number of tests; and policy considerations such as whether the use of a particular characteristic would be offensive or degrading even if it were feasible (this could rule out tests of characteristics such as particular phobias, ethnicity, sexual preferences, and the like). Selection criteria may also reflect more academic considerations, such as theories and experimental results from psychology, psychiatry, neurology, cognitive science, sociology, genetics, and other fields concerned with human behavior.
With respect to test implementation, it is best to severely limit repetition of any given test during use of the identification system, so that the characteristic being tested is the ISC and not the ability to memorize or copy someone else's responses to the tests. For instance, Figure 6 should not be used over and over during halving tests that are presented to a given user. After Figure 6 is used in the first halving test, additional figures having different shapes, spacing, density, and other features should be used in subsequent halving tests presented to that user. Of course, the figures must be suitable for determining preferred line orientation and other halving preferences. The ISC tested normally remains the same; only the specific tests change.
Consider an example of the way academic and more practical considerations may interact during step 206. Geneticists use finger interlacing orientation and ear lobe structure (attached or free) as examples of inherited traits. Inherited traits are generally good candidates for ISCs because they are inherent and they partition the population of potential users. As a practical matter, however, testing ear lobe structure in a way that assures reasonably accurate results requires a video camera and sophisticated visual pattern recognition software. By contrast, finger interlacing orientation may be tested using a standard keyboard and relatively simple software, using a method such as the one described above. In one embodiment step 206 would therefore rule out ear lobe structure as a candidate and would select finger interlacing orientation as a candidate.
As another example, consider the faces shown in Figure 8 and similar families of computer-generated faces. To my knowledge, research has not yet determined the extent to which our human preference for particular faces or facial types is inherited and the extent to which it stems from our individual experiences. But it is widely known that a child's face or a very asymmetrical face often evokes strong responses. It is also a common experience for two people to have very different opinions of a third person's attractiveness. These known facts can be combined with the novel teachings herein. To the extent that our facial preferences are inherited, unconscious, or strong emotional reactions based on early experience, they are inherent and thus candidates for use as ISCs if they divide the population of potential users into two or more groups. Other body proportion or feature preferences might also be candidates.
In addition to inherency, facial preferences have the advantage that large numbers of faces with particular proportions or other features can be generated automatically, as has been done with Chernoff faces in data graphs. Thus, step 206 may select "facial preference" generally as a characteristic to test; in subsequent iterations of step 200, step 206 may refine the characteristic to select (as a hypothetical example) "pupil presence" or "open-mouthed smile" or "mouth wider than eyes" as characteristics to test for use as ISCs.
As yet another example, candidate characteristics may be selected based on the available testing equipment, which is preferably limited to standard computer components such as a keyboard, mouse, screen, processor, and memory (speakers and microphones are rapidly becoming standard; a hard disk is standard on many systems). Candidates could be identified by asking "What inherent characteristics might be exhibited when a user types on a keyboard?" This leads to consideration of characteristics such as handedness, preference for certain fingers (like many people, for instance, I rarely use the little finger of either hand while typing), the likelihood of committing certain errors rather than others when typing a given text, rhythms when typing the same text several times in rapid succession, and even spelling preferences ("color" versus "colour") or vocabulary preferences ("gas" versus "petrol").
Likewise, candidates could be identified by asking "What inherent characteristics might be exhibited when a user moves a mouse?" This leads to consideration of characteristics such as a tendency to stay inside a square versus a tendency to hit the corners of the square when asked to rapidly trace several squares, particular ratios between the time spent on certain curves versus the time spent on straight portions when asked to trace an apparently random path, and other behaviors that might serve as ISCs.
Testing Step 208
During step 208, the characteristics selected during step 206 are tested to determine whether they will serve with sufficient accuracy as ISCs. First a test of the characteristic is devised. The test must help determine whether a given person exhibits the characteristic predictably over time in response to different stimuli, and whether different people exhibit the characteristic differently. Although it will often be necessary to physically test a candidate characteristic on a statistically significant population of human users under controlled conditions before the characteristic's suitability as an ISC is determined, in some cases the mere effort to devise tests, or the results of tests run mentally (so-called "gedankenexperiments"), may reveal that a selected candidate will not serve as an ISC.
For example, a preference for favoring pictures of food over pictures of recreational activities would probably not be exhibited consistently by a given person, because hunger would affect that preference and hunger comes and goes (it is not inherent). To give another example, when asked to complete the pattern "X, XX, XXX, " virtually every user will respond "XXXX" so the pattern completion characteristic being tested is not exhibited differently by different people and thus is not suitable as an ISC. The nature of each test will necessarily depend on the candidate characteristic being tested. For example, tests of visual pattern recognition and visual pattern completion characteristics will generally involve showing a statistically significant population of users images (like those in Figures 3-8 or otherwise), requesting some response, and recording the results. Several different images which test the characteristic are preferably shown to each person, possibly interwoven with other images that test other characteristics or no characteristic.
In general, however, tests will follow established standards. The testing techniques and test administration and evaluation methodologies (statistical analysis, responses to questions from the test population, control groups, and so on) of the type normally used with psychological, personality, intelligence, pharmaceutical, or medical research tests are well known. These methodologies are readily adapted for use in testing candidate ISCs.
In particular, in the case of most characteristics a control group is preferably used to ensure that the images presented (or the text to be typed or the other stimuli) reflect the characteristic being tested. The test population should generally not be told what characteristic is being tested, since they will generally not be given that information during commercial use of the invention. Knowing the characteristic being tested often makes it easier to illicitly duplicate someone else's behavior and gain unauthorized computer system access.
The legal requirement that this patent fully describe the invention thus presents a problem. The very act of explaining which characteristics to test and how to test them, as I do here in detail, reduces the effectiveness of those tests with users who have read this document or otherwise learned its contents. In spite of this, I have provided here all of the details that are known to me, as well as the broad architecture of the invention.
Additional specific tests not described here (because no one has yet thought of them) can be developed and used according to the invention based on the general teachings presented here. Such new tests will fall within the scope of the broader claims of this patent, while the narrower claims cover the existing specific tests and ISCs detailed here.
Evaluating Step 210
During step 210, the test results are evaluated to determine which candidate characteristics will actually serve as ISCs. Results from tests that were administered, from observations during design of the tests, and from gedankenexperiments may all be considered. Evaluation may be aided by automation, such as correlation studies or other statistical analyses.
The evaluation normally relies on the results of at least one physically administered test. This test is preferably administered using a computer system configured with a prototype of software that implements the tests that will be used in the commercial embodiment of the invention. However, physical administration of visual tests may also be done with display means other than a computer screen, such as drawings on a sheet of paper or a blackboard or a whiteboard, or drawings projected on a wall or a photographic slide screen.
Different evaluation thresholds may be used, since ISCs will be used in environments having a range of different security levels. For instance, a first characteristic may serve for use in low security environments if at least one third of the target user population exhibits the characteristic consistently. By contrast, a second characteristic might be suitable as an ISC in a high-security environment only if virtually every member of the population exhibits it consistently. An example of such a first characteristic is preferred reading direction (not everyone is literate) while an example of such a second characteristic is finger interlacing orientation (virtually everyone has two little fingers and enough other fingers to show a preferred interlacing order that is apparently genetic and thus inherent).
Likewise, acceptable levels of test accuracy may vary. A test that accurately reveals the characteristic only about sixty percent of the time may be acceptable in some environments, such as access to a business's postage meter when the meter always refuses a request for postage over a predetermined limit anyway. A test that accurately reveals the characteristic at least ninety-eight percent of the time may be needed in other environments, such as with an automatic bank teller machine. As noted, the steps 204 to 210 may be repeated, omitted, or performed in other orders. For instance, someone implementing a system using specific tests presented as examples in this patent may effectively proceed straight to implementing and running tests and evaluating their results.
Inherent Characteristic Use Step 202
Once inherent security characteristics are identified, some or all of them may be used to control access to computer system resources. The use step 202 includes a supplement selecting step 212, an acceptability selecting step 214, an implementing and initializing step 216, and an identifying or access controlling step 218. As with the other steps, these may be performed in various orders and combinations.
Supplement Selecting Step 212
During the step 212, zero or more supplemental identification means are associated with the ISC(s) for use during the step 218. For instance, an extremely high-security environment could combine the use of biometric, password, witness, card, and ISC tests, denying access unless tests of each type are passed. Likewise, a mid-level security environment might request that the password be typed five times in twenty seconds or less and then accept the user's alleged identity as correct only if the password is known and if the typing rhythm matches the previously stored rhythm of the user who has the password in question. (The user ID or user name is thus determined implicitly). The supplement selecting step 212 may also combine tests for different ISCs. For instance, a typing rhythm test and a visual pattern recognition test might be used in combination. As noted above, some ISC tests are more accurate than others, and some ISCs are harder to illicitly duplicate than others (even if one knows what is being tested). The weaknesses of a particular ISC test may be offset to some extent by using additional ISCs or conventional tests. The use of a particular combination may also depend on the hardware or other system configuration. For instance, image recognition tests based on color differences will not work on monochrome screens, and tests that track pointer movements cannot be used on systems that lack a mouse, touchpad, or similar tracking device.
Acceptability Selecting Step 214
During the step 214, the criteria for accepting the test or the test's results are selected for the system in question. Criteria for a test depend on the system configuration; as just noted, a major constraint is the availability of the necessary hardware (or equivalent hardware - a light pen might be used in place of a mouse). Bandwidth requirements may also be imposed. For instance, graphics needed to test some visual pattern recognition ISCs may be ruled out if it would take too long to download them over a network connection.
Criteria for accepting a test's results reflect the presence of supplements selected during step 212 and the security level of the system. For instance, an ISC test used alone to guard access to a military system would require much greater accuracy than one used in combination with magnetic cards or one used to limit access to a subscribers-only hobby web site.
The user's convenience should also be considered during step 214. Identifying oneself to a computer system using ISC tests will often take longer than it would take to simply enter a short password. Passwords have disadvantages, but one generally positive feature is their ease of use once they are memorized. In some system environments, the added security obtained by using ISC tests will offset the additional user time or effort (such as for typing rhythm tests) needed by those tests. In other environments, the novelty and entertainment value of the ISC tests will reduce or even eliminate user irritation. Many people enjoy solving puzzles, as shown by the popularity of pastimes such as crossword puzzles, riddles, fictional mysteries, logic puzzles, anagrams, mazes, and many others (including at least some aspects of computer programming). ISC tests may be presented as non-threatening puzzles. For instance, the task of drawing a single line that divides the image of Figure 6 in half is simultaneously part of an ISC test and a puzzle for the user to solve. Conversely, ISCs may be reflected in preferences or tendencies exhibited in solving popular puzzles, so popular puzzles are another source of candidates for evaluation during step 200.
Implementing and Initializing Step 216
The step 216 includes implementing software and/or hardware to present the chosen test images, instructions, or other stimuli to users; to receive the resulting input from users; to access administrative files which associate certain characteristics (as evident in the tests and resulting user responses) with certain individual users or groups of users; to analyze the input in view of the administrative files; and to inform the computer system security software of the results ("user identified as user-39", "unknown user", and so forth). Programming and hardware creation and/or configuration can be accomplished using conventional tools, guided by the architecture and detailed examples described here.
A closely related part of step 216 includes initializing and/or updating the administrative files so that they accurately reflect the ISCs of users. The results of mockups (using paper images rather than a computer screen, for instance) or early prototype tests can be used. However, it is better to use the same software and hardware to obtain the initial data identifying the user as will be used afterward to identify the user once the system is configured.
Identifying and Access Controlling Step 218
During step 218 all the preparations described above are put to use. To illustrate this step, consider the following examples:
Example One
A standalone business workstation has only one authorized user (other than the system administrator). Some confidential information is stored on the workstation, but the workstation is located in a physically secure room and the value of the confidential information is minimal to anyone other than the single authorized user.
The workstation is configured with simple ISC identification software. After the workstation boots and a user tries to access it, it displays a prompt like this one: "To gain access, please type your password three times in less than twenty seconds." The authorized user has been told that the message is a trap for unauthorized users, and that the system will actually grant access if the user types between twenty and thirty keys in twenty seconds. The authorized user does not know, however, that the system will also consider factors other than the number of keys and the elapsed time. During initialization step 216, the ISC identification software determines that the authorized user consistently tends to respond by starting with the "q" key and typing successive keys from left to right in that same row at least three times without reaching the "p" key. It has been previously determined that other people tend to respond differently, such as by doing three different rows ("qwerty then asdfgh then zxcvbn"), by starting at the right and going left ("poiuytr"), by rapidly typing text that contains recognizable words ("the quick red fox jumped over the lazy brown dog"), by apparently misreading the instructions ("yyyyyyyyyyyyyyyyyyyyy") or by refusing to comply (for instance, by moving the mouse instead of typing). Accordingly, the system grants access to anyone who responds to the prompt by starting with the "q" key and typing successive keys from left to right in that same row at least three times without reaching the "p" key and by typing twenty to thirty characters in twenty seconds. At intervals, the ISC identification software may also provide a second prompt to obtain data to initialize another ISC test, which replaces or supplements the first test at some point after initialization data characterizes the user. For instance, tests could be changed every two months or so with little inconvenience to the user.
Thus, after "passing" the first test, the user might be told that the new prompt will be "To gain access, please type your password once forward and once backward in less than ten seconds" and that the system will actually admit any user who types any sequence of at least six characters twice. The system will then note that the user (who is authorized by virtue of passing the first ISC test) consistently responds by typing "zxcvbnm,.zxcvbnm,." Once the user responds consistently, the first prompt and its test can be replaced by the second prompt and its test.
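The acceptance rule of Example One can be written as a short check. The Python below is an added illustration, not code from the patent; the function names, the reading of "at least three times" as three or more separate sweeps that each begin at "q", and the sample responses (extended to at least twenty keys where the text gives shorter ones) are assumptions.

```python
# Added illustration of the Example One acceptance rule. Names, thresholds as
# parameters and the sample inputs are assumptions of this example.

SWEEP = "qwertyuio"  # top-row keys from "q" up to, but not including, "p"


def split_sweeps(keys):
    """Split the typed keys into runs, opening a new run at every 'q'."""
    runs, current = [], ""
    for key in keys:
        if key == "q" and current:
            runs.append(current)
            current = ""
        current += key
    if current:
        runs.append(current)
    return runs


def is_sweep(run):
    """True when the run starts at 'q', walks adjacent top-row keys from
    left to right, and stops before reaching 'p'."""
    return len(run) >= 2 and SWEEP.startswith(run)


def evaluate(keys, elapsed_seconds, time_limit=20.0, min_keys=20, max_keys=30):
    """Return (granted, reason) for one response to the prompt.

    `keys` is the lowercase string of characters typed; `elapsed_seconds`
    is the time from the first key to the last.
    """
    if elapsed_seconds > time_limit:
        return False, "took longer than the time limit"
    runs = split_sweeps(keys)
    if not all(is_sweep(run) for run in runs):
        return False, "not a left-to-right sweep from q that stops before p"
    if len(runs) < 3:
        return False, "fewer than three sweeps"
    if not min_keys <= len(keys) <= max_keys:
        return False, "key count outside the accepted range"
    return True, "matches the enrolled behaviour"


# Constructed sample responses modelled on the behaviours the text lists.
SAMPLES = [
    ("enrolled user", "qwertyu" * 3, 12.0),
    ("sweeps of varying length", "qwert" + "qwertyui" + "qwertyu", 14.0),
    ("three different rows", "qwertyasdfghzxcvbnqwerty", 12.0),
    ("right to left", "poiuytr" * 3, 12.0),
    ("recognizable words", "the quick red fox jumped over", 15.0),
    ("misread instructions", "y" * 21, 5.0),
    ("sweep reaches p", "qwertyuiopqwertyuiopqwerty", 10.0),
    ("right pattern, too slow", "qwertyu" * 3, 25.0),
]

if __name__ == "__main__":
    for label, keys, seconds in SAMPLES:
        granted, reason = evaluate(keys, seconds)
        print(f"{label:26} {'GRANT' if granted else 'DENY':5} {reason}")
```

Every response in the accepted class passes, so the check places a user in a partition of the population rather than verifying a secret.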
Example Two
Access to a military network is guarded by physical means (a magnetic card and a biometric fingerprint test) and by three ISC tests. The user seeking access is presented with one ISC test requiring identification of all letters in a drawing similar to Figure 3; one ISC test requiring an estimate of the number of elements in a drawing similar to Figure 6 after the drawing is displayed for three seconds and then removed; and one ISC test of typing rhythms or other typing preferences.
In addition, the user's finger interlacing orientation is tested. The user is required to grip a joystick with two hands and fly a virtual ship through several hoops; a hidden video camera snaps an image of the user's hands during the flight and the image is analyzed to determine finger lacing orientation. Incidentally, piloting behaviors which are learned but nonetheless deeply ingrained and thus inherent may also be used as ISCs because they divide the population of pilots according to experience. For instance, helicopter pilots will react differently to the sudden presence of an obstacle than jet fighter pilots because their aircraft have different capabilities. Experience may also be tested by looking for so-called "strong-but-wrong" errors; training (or lack of it) also partitions the population of potential system users. In any case, access is granted to the military network only after all ISC and other identification tests are satisfied.
Partitioning
As discussed, inherent security characteristics can be used to identify users by partitioning the user population and locating a user in one or more partitions. Conventional identification technologies also partition the population, although they use tests other than ISC tests to do so and typically assume that one of the partitions contains a single user. For instance, passwords divide the population into a first group containing those potential users who know the password and a second group containing those who do not. Password systems often presume that the first group is small (typically containing just one member) and that the first group does not change over time (when the first group starts to grow by adding unauthorized members, it's time to change the password). Likewise, the use of magnetic ID cards divides the population into two groups: one that presumably contains only the authorized user(s) of the card, and another that contains everyone else.
Some biometric tests, such as a blood type test or DNA test, are used in legal proceedings to narrow the range of possible identities without fully identifying the tested person. Additional information such as eyewitness testimony is combined with the biometric test results to establish identity with acceptable accuracy. Computer systems, however, typically identify users by using one or more tests, each of which partitions the population to some degree of certainty into an authorized user and everyone else. The present invention allows this approach, but it also allows identification of users by intersecting populations in a multi-step process of elimination.
For example, suppose that a first ISC test divides the population into two groups of roughly three billion members each, a second ISC test divides the population into five groups of which the smallest contains several million people, and a third ISC test divides the population into several million groups ranging in size from one to several thousand members. Then the chance that someone will answer all three ISC tests in a particular way is roughly one in a million. Combining ISC tests that partition the population in different ways can therefore provide sufficiently certain identification even though any individual ISC test fails to distinguish between several thousand (or more) potential users. Figure 11 illustrates partitioning; for clarity of illustration a hypothetical set 1100 containing only a hundred users is shown. A first test divides the users into two groups 1102 and 1104 of roughly equal size. A second test divides the users differently, into six groups ranging in size from ten to twenty-seven members; the first two of these six groups are indicated at 1106 and 1108. A third test divides the users in yet another way; these divisions are illustrated as light and dark circles, triangles, and squares. The combined test results uniquely identify forty-two of the one hundred users even though the smallest group contains ten members. The combined tests also narrow the identification of the other users, eliminating in each case all but two or three of the hundred users.
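The narrowing described for Figure 11 can be reproduced by intersecting partitions. The Python below is an added illustration, not code from the patent; the assignment of the hundred users to groups is constructed (the figure's actual assignment is not given in the text), so the exact counts belong to this data set, and all function names are assumptions.

```python
from collections import defaultdict

# Constructed population of 100 user ids with the group shapes described for
# Figure 11: two halves, six groups of 10 to 27 members, and six marker classes.
TEST2_GROUP_SIZES = [10, 12, 15, 17, 19, 27]
TEST3_CLASSES = ["light circle", "dark circle", "light triangle",
                 "dark triangle", "light square", "dark square"]


def build_outcomes():
    """Return {user_id: (test1, test2, test3)} for the constructed population."""
    outcomes = {}
    user = 0
    for group, size in enumerate(TEST2_GROUP_SIZES):
        for _ in range(size):
            outcomes[user] = (user % 2, group, TEST3_CLASSES[(user // 2) % 6])
            user += 1
    return outcomes


def partition(outcomes, tests_used):
    """Group users by their results on the first `tests_used` tests."""
    cells = defaultdict(list)
    for user, results in outcomes.items():
        cells[results[:tests_used]].append(user)
    return dict(cells)


def summarize(outcomes, tests_used):
    """Count the cells, the largest cell, and the users who are alone in a cell."""
    sizes = [len(members) for members in partition(outcomes, tests_used).values()]
    return {"cells": len(sizes), "largest": max(sizes),
            "unique_users": sizes.count(1)}


def candidates(outcomes, observed):
    """Process of elimination: users whose stored results match `observed`."""
    observed = tuple(observed)
    return sorted(user for user, results in outcomes.items()
                  if results[:len(observed)] == observed)


if __name__ == "__main__":
    population = build_outcomes()
    for n in (1, 2, 3):
        print(f"after {n} test(s):", summarize(population, n))
    print("candidates for user 99's results:",
          candidates(population, population[99]))
```

With this data no user is singled out after one or two tests, while all three together isolate 43 users and leave every other user in a cell of two or three.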
ISC tests can also be combined with other tests to provide identifying information. For instance, an ISC test that partitions the population into groups of several thousand or more persons each could be combined with a request for a "weak password." Weak passwords include information such as the user's email address, ZIP code, home telephone number, or other information that is available to an unauthorized user only with significant effort and that is unlikely to be forgotten by the authorized user.
Stability
Some inherent characteristics, such as finger interlacing orientation, remain unchanged over years or even decades for most users. Other inherent characteristics may change, but tend to do so slowly if at all. For instance, preferred reading direction or sentence structure may change after a user becomes comfortable with a new language or if the user's literacy skills are otherwise transformed. ISC tests should not rely heavily on a user's aptitude for skills that are enhanced by taking the ISC tests. For instance, the speed and accuracy with which a user can add a column of numbers should not be used because addition skills improve notably with practice. In particular, the ISC test should not have a "right" answer, at least with respect to the characteristics being measured (as opposed to the task set for the user). For instance, some responses to the task of dividing the image of Figure 6 in half are better than other answers at equally dividing the image. But criteria such as whether the user favors horizontal lines and whether the user favors lines lying entirely in white space do not impose decisions about which response is best. Thus, there is little risk that a user will learn a "better" response on repeated use of the ISC test or discussion of the test with others.
ISC tests such as the graph separation test of Figure 9 and the spatial reasoning test of Figure 10, which pose tasks that have one or more right answers, should therefore be used sparingly. Alternatively, the identification system can be regularly re-calibrated to reflect the user's increasing skill. This re-calibration can be done in a manner similar to the initialization step 216 introduction of a new prompt, so that re-calibration is done unobtrusively as part of the on-going use of the system.
Summary
In summary, the present invention provides a novel system and method for identifying users of computer systems. The invention may be used in place of, or in combination with, conventional identification means such as cards, witnesses, and biometric scanners. Many implementations of the invention require as I/O devices only a keyboard and a screen capable of displaying characters. Other implementations take advantage of the presence of a mouse or other pointing device, or the presence of a color screen. However, expensive and unusual biometric scanners or other devices are not required. Because the invention uses inherent behavioral characteristics to tell users apart, users need not memorize passwords in order to pass the identity tests that implement the invention. Likewise, users need not worry about losing cards, or having them stolen, because their inherent security characteristics are not separate items and (if tests are implemented correctly) are not easily duplicated by others. Moreover, unlike many conventional identity tests, the tests that implement the present invention can be fun. Although particular methods embodying the present invention are expressly illustrated and described herein, it will be appreciated that apparatus and article embodiments may be formed according to methods of the present invention. Unless otherwise expressly indicated, the description herein of methods of the present invention therefore extends to corresponding apparatus and articles, and the description of apparatus and articles of the present invention extends likewise to corresponding methods. The invention may be embodied in other specific forms without departing from its essential characteristics. The described embodiments are to be considered in all respects only as illustrative and not restrictive. Any explanations provided herein of the scientific principles employed in the present invention are illustrative only. 
The scope of the invention is, therefore, indicated by the appended claims rather than by the foregoing description. All changes which come within the meaning and range of equivalency of the claims are to be embraced within their scope.
What is claimed and desired to be secured by patent is:

Claims

1. A method for selecting inherent security characteristics, comprising the steps of: selecting a prospective inherent security characteristic; providing computer-implemented means for obtaining a representation of the inherent security characteristic in people; determining that the representation is acceptably consistent for at least one given person over time; and determining that the representation is acceptably different for at least one different person over time, the determining steps providing sufficient certainty regarding the identity of the person who is manifesting the inherent security characteristic.
2. The method of claim 1, wherein the selecting step selects a pattern recognition inherent security characteristic.
3. The method of claim 2, wherein the pattern recognition inherent security characteristic is a visual pattern recognition inherent security characteristic.
4. The method of claim 3, wherein the method includes creating a visual pattern including a shape embedded in a pattern field, requesting that the user point to or name the shape, and comparing the user's response to predetermined information about the shape.
5. The method of claim 4, wherein two or more different shapes are embedded in the pattern field, and the comparing step involves noting which shape was named or located by the user.
6. The method of claim 4, wherein the shape is a geometric shape.
7. The method of claim 4, wherein the shape represents a face.
8. The method of claim 4, wherein the shape represents an organism.
9. The method of claim 4, wherein the shape is defined by the shared orientation of line segments along edges of the shape, and the field includes line segments at other orientations.
10. The method of claim 4, wherein the shape is defined by the repeated sequence of dot sizes along edges of the shape, and the field includes scattered dots of various sizes.
11. The method of claim 3, wherein the method includes creating a visual pattern including at least two faces, requesting that the user point to or name the face having a specified attribute, and comparing the user's response to predetermined information about the pattern.
12. The method of claim 11, wherein the attribute is one of: most familiar, most friendly, most beautiful, most like your own.
13. The method of claim 11, wherein the faces are built using a library of graphical components representing eyes, ears, noses, mouths, and similar facial features.
14. The method of claim 2, wherein the pattern recognition inherent security characteristic is an aural pattern recognition inherent security characteristic.
15. The method of claim 1, wherein the selecting step selects a handedness inherent security characteristic that distinguishes right-handed people from left-handed people.
16. The method of claim 15, wherein the inherent security characteristic also distinguishes ambidextrous people.
17. The method of claim 1, wherein the selecting step selects a reading direction inherent security characteristic that distinguishes people who normally read left-to-right from people who normally read in a different direction, such as right-to-left or top-to-bottom.
18. The method of claim 1, wherein the selecting step selects a math aptitude inherent security characteristic that distinguishes mathematically or arithmetic-computationally talented people from other people.
19. The method of claim 1, wherein the selecting step selects an inherent security characteristic that distinguishes people from one another on the basis of their skills, experience, gender, race, sexual preference, prejudices, fears, and/or hopes.
20. The method of claim 1, wherein the selecting step selects a subjective judgment inherent security characteristic that distinguishes people from one another by asking them to make a subjective judgment about a described situation.
21. In a computer system, the improvement comprising an identifying means for identifying users by testing at least one inherent security characteristic.
22. The system of claim 21, wherein the identifying means includes means for performing a halving test.
23. The system of claim 21, wherein the identifying means includes means for performing a finger interlacing orientation test.
24. The system of claim 21, wherein the identifying means includes means for performing a pattern recognition test by identifying a letter embedded in a pattern of letters.
25. The system of claim 21, wherein the identifying means includes means for performing a pattern recognition test by identifying a pattern embedded in a background.
26. The system of claim 21, wherein the identifying means includes means for performing a pattern completion test.
27. The system of claim 21, wherein the identifying means includes means for performing a subjective judgment test.
28. The system of claim 21, wherein the identifying means includes means for performing an orientation test.
29. The system of claim 28, wherein the means for performing an orientation test comprises means for testing user handedness.
30. The system of claim 28, wherein the means for performing an orientation test comprises means for testing a user's reading direction preference.
31. The system of claim 28, wherein the means for performing an orientation test comprises means for testing a user's natural language preference.
32. The system of claim 28, wherein the means for performing an orientation test comprises means for testing a user's sentence structure preference.
33. The system of claim 21, wherein the identifying means includes means for performing a spatial reasoning test.
34. The system of claim 21, wherein the identifying means includes means for performing a graph separation test.
35. The system of claim 21, wherein the identifying means includes means for performing a test to obtain a user's delay signature.
36. The system of claim 21, wherein the identifying means includes means for performing a test to distinguish a human user from a computer imitation of a user.
37. The system of claim 21, wherein the identifying means includes means for tracking pointer movements.
38. The system of claim 21, wherein the identifying means tests for behaviors which are not expressly identified to the user being tested.
39. The system of claim 21, wherein the identifying means includes means for initializing a second test for subsequent use in identifying users.
40. The system of claim 21, wherein the identifying means partitions a population of potential users into at least two groups and each group contains more than one person.
41. The system of claim 21, wherein the identifying means partitions a population of potential users into at least two groups and each group contains more than one thousand persons.
42. The system of claim 21, wherein the identifying means comprises at least two testing means, each of which performs an inherent security characteristic test that partitions a population of potential users into at least two groups such that each group contains more than one person.
43. The system of claim 21, wherein the identifying means performs a test which does not have correct possible responses and incorrect possible responses, but instead has possible responses that are merely different from one another.
44. The system of claim 21, wherein the identifying means comprises a re-calibration means for re-determining a set of identifying responses if a user's skill level changes.
45. A computer storage medium having a configuration that represents data and instructions which will cause at least a portion of a computer system to perform method steps for identifying users using inherent security characteristics, the method steps comprising the steps of presenting an inherent security characteristic test to a user as a stimulus and then obtaining the user's response.
46. The storage medium of claim 45, wherein the method steps further comprise the computer-implemented step of comparing the user's response to an administrative file to determine if the user is an authorized user of a particular computer system.
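
An added illustration, not part of the patent text, of the comparison step in claim 46 and of how little each population-partitioning test of claims 40-42 contributes on its own. The test names come from the claims; the user record, the population shares and the assumption that the tests are statistically independent are constructed for this example.

```python
import hmac
import math

# Constructed administrative file: the response each enrolled user gave
# to each inherent-characteristic test at enrollment.
ADMIN_FILE = {
    "alice": {"handedness": "left",
              "reading_direction": "ltr",
              "finger_interlacing": "right_thumb_on_top"},
}

# Constructed (assumed) share of the population giving each response.
# Every group contains many people, as in claims 40-42.
POPULATION = {
    "handedness": {"right": 0.88, "left": 0.10, "ambidextrous": 0.02},
    "reading_direction": {"ltr": 0.80, "rtl": 0.15, "ttb": 0.05},
    "finger_interlacing": {"left_thumb_on_top": 0.50,
                           "right_thumb_on_top": 0.50},
}

def verify(user, responses):
    """Compare the responses with the administrative file (claim 46)."""
    enrolled = ADMIN_FILE.get(user)
    if enrolled is None:
        return False
    ok = True
    for test, expected in enrolled.items():
        given = responses.get(test, "")
        # Evaluate every test with a constant-time comparison so the
        # outcome does not reveal which individual test failed.
        ok &= hmac.compare_digest(given.encode(), expected.encode())
    return ok

def impostor_match_probability(user):
    """Chance that a random member of the population gives the same
    responses as `user`, assuming the tests are independent."""
    p = 1.0
    for test, expected in ADMIN_FILE[user].items():
        p *= POPULATION[test][expected]
    return p

def identifying_bits(user):
    """Information carried by the user's combined responses, in bits."""
    return -math.log2(impostor_match_probability(user))
```

With these constructed shares, three tests together give under five bits, so a deployment would need many such tests, or would use them alongside another factor, to reach a useful false-acceptance rate.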
PCT/US1998/016877 1997-08-20 1998-08-13 Identification in computer systems using inherent characteristics WO1999009512A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
AU90198/98A AU9019898A (en) 1997-08-20 1998-08-13 Identification in computer systems using inherent characteristics
GB0002110A GB2343039B (en) 1997-08-20 1998-08-13 Identification in computer systems using inherent characteristics

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US5661597P 1997-08-20 1997-08-20
US60/056,615 1997-08-20
US3662198A 1998-03-07 1998-03-07
US09/036,621 1998-03-07

Publications (1)

Publication Number Publication Date
WO1999009512A1 true WO1999009512A1 (en) 1999-02-25

Family

ID=26713332

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US1998/016877 WO1999009512A1 (en) 1997-08-20 1998-08-13 Identification in computer systems using inherent characteristics

Country Status (3)

Country Link
AU (1) AU9019898A (en)
GB (1) GB2343039B (en)
WO (1) WO1999009512A1 (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2004111806A1 (en) * 2003-06-19 2004-12-23 Elisa Oyj A method, an arrangement, a terminal, a data processing device and a computer program for user identification
US7204425B2 (en) 2002-03-18 2007-04-17 Precision Dynamics Corporation Enhanced identification appliance
EP2290572A1 (en) * 2009-08-27 2011-03-02 Monika Holland Process and arrangement for remotely specifiying a user profile
US9554273B1 (en) 2015-09-04 2017-01-24 International Business Machines Corporation User identification on a touchscreen device
US9680644B2 (en) 2013-07-25 2017-06-13 Technion Research And Development Foundation Limited User authentication system and methods
US10082954B2 (en) 2015-09-04 2018-09-25 International Business Machines Corporation Challenge generation for verifying users of computing devices
USRE47908E1 (en) 1991-12-23 2020-03-17 Blanding Hovenweep, Llc Ergonomic man-machine interface incorporating adaptive pattern recognition based control system
USRE48056E1 (en) 1991-12-23 2020-06-16 Blanding Hovenweep, Llc Ergonomic man-machine interface incorporating adaptive pattern recognition based control system

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5229764A (en) * 1991-06-20 1993-07-20 Matchett Noel D Continuous biometric authentication matrix
US5557686A (en) * 1993-01-13 1996-09-17 University Of Alabama Method and apparatus for verification of a computer user's identification, based on keystroke characteristics

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
USRE47908E1 (en) 1991-12-23 2020-03-17 Blanding Hovenweep, Llc Ergonomic man-machine interface incorporating adaptive pattern recognition based control system
USRE48056E1 (en) 1991-12-23 2020-06-16 Blanding Hovenweep, Llc Ergonomic man-machine interface incorporating adaptive pattern recognition based control system
USRE49387E1 (en) 1991-12-23 2023-01-24 Blanding Hovenweep, Llc Ergonomic man-machine interface incorporating adaptive pattern recognition based control system
US7204425B2 (en) 2002-03-18 2007-04-17 Precision Dynamics Corporation Enhanced identification appliance
US7849619B2 (en) 2002-03-18 2010-12-14 Mosher Jr Walter W Enhanced identification appliance for verifying and authenticating the bearer through biometric data
WO2004111806A1 (en) * 2003-06-19 2004-12-23 Elisa Oyj A method, an arrangement, a terminal, a data processing device and a computer program for user identification
EP2290572A1 (en) * 2009-08-27 2011-03-02 Monika Holland Process and arrangement for remotely specifiying a user profile
US9680644B2 (en) 2013-07-25 2017-06-13 Technion Research And Development Foundation Limited User authentication system and methods
US9554273B1 (en) 2015-09-04 2017-01-24 International Business Machines Corporation User identification on a touchscreen device
US10082954B2 (en) 2015-09-04 2018-09-25 International Business Machines Corporation Challenge generation for verifying users of computing devices
US10599330B2 (en) 2015-09-04 2020-03-24 International Business Machines Corporation Challenge generation for verifying users of computing devices

Also Published As

Publication number Publication date
GB2343039A (en) 2000-04-26
GB2343039B (en) 2001-06-13
GB0002110D0 (en) 2000-03-22
AU9019898A (en) 1999-03-08


Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AL AM AT AU AZ BA BB BG BR BY CA CH CN CU CZ DE DK EE ES FI GB GE GH GM HR HU ID IL IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MD MG MK MN MW MX NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT UA UG UZ VN YU ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW SD SZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
121 Ep: the epo has been informed by wipo that ep was designated in this application
ENP Entry into the national phase

Ref country code: GB

Ref document number: 200002110

Kind code of ref document: A

Format of ref document f/p: F

NENP Non-entry into the national phase

Ref country code: KR

REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase

Ref country code: CA