WO2015114215A1 - Authentication system and method for authenticating a user - Google Patents

Publication number
WO2015114215A1
Authority
WO
WIPO (PCT)
Prior art keywords
mobile device
user identity
identity data
authentication system
tag
Application number
PCT/FI2015/050057
Other languages
French (fr)
Inventor
Markkku RAITANEN
Original Assignee
Idcontrol Oy
Application filed by Idcontrol Oy
Publication of WO2015114215A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/08 Access security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06K GRAPHICAL DATA READING; PRESENTATION OF DATA; RECORD CARRIERS; HANDLING RECORD CARRIERS
    • G06K7/00 Methods or arrangements for sensing record carriers, e.g. for reading patterns
    • G06K7/10 Methods or arrangements for sensing record carriers, e.g. for reading patterns by electromagnetic radiation, e.g. optical sensing; by corpuscular radiation
    • G06K7/10009 Methods or arrangements for sensing record carriers, e.g. for reading patterns by electromagnetic radiation, e.g. optical sensing; by corpuscular radiation sensing by radiation using wavelengths larger than 0.1 mm, e.g. radio-waves or microwaves
    • G06K7/10366 Methods or arrangements for sensing record carriers, e.g. for reading patterns by electromagnetic radiation, e.g. optical sensing; by corpuscular radiation sensing by radiation using wavelengths larger than 0.1 mm, e.g. radio-waves or microwaves the interrogation device being adapted for miscellaneous applications
    • G06K7/10415 Methods or arrangements for sensing record carriers, e.g. for reading patterns by electromagnetic radiation, e.g. optical sensing; by corpuscular radiation sensing by radiation using wavelengths larger than 0.1 mm, e.g. radio-waves or microwaves the interrogation device being adapted for miscellaneous applications the interrogation device being fixed in its position, such as an access control device for reading wireless access cards, or a wireless ATM
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/30 Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/32 Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices
    • G06Q20/327 Short range or proximity payments by means of M-devices
    • G06Q20/3276 Short range or proximity payments by means of M-devices using a pictured code, e.g. barcode or QR-code, being read by the M-device
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/38 Payment protocols; Details thereof
    • G06Q20/40 Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G PHYSICS
    • G07 CHECKING-DEVICES
    • G07C TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
    • G07C9/00 Individual registration on entry or exit
    • G07C9/20 Individual registration on entry or exit involving the use of a pass
    • G07C9/22 Individual registration on entry or exit involving the use of a pass in combination with an identity check of the pass holder
    • G PHYSICS
    • G07 CHECKING-DEVICES
    • G07C TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
    • G07C9/00 Individual registration on entry or exit
    • G07C9/30 Individual registration on entry or exit not involving the use of a pass
    • G07C9/38 Individual registration on entry or exit not involving the use of a pass with central registration
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0853 Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • G PHYSICS
    • G07 CHECKING-DEVICES
    • G07C TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
    • G07C9/00 Individual registration on entry or exit
    • G07C9/20 Individual registration on entry or exit involving the use of a pass
    • G07C9/22 Individual registration on entry or exit involving the use of a pass in combination with an identity check of the pass holder
    • G07C9/23 Individual registration on entry or exit involving the use of a pass in combination with an identity check of the pass holder by means of a password
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/60 Context-dependent security
    • H04W12/69 Identity-dependent
    • H04W12/77 Graphical identity

Definitions

  • the invention relates to a method and system for authenticating a user. Especially the invention relates to a method and system for authenticating a user by a mobile device by reading a tag.
  • Plurality of systems for authenticating users are known from prior art, such as reading different kinds of magnetic or RFID bonus or access card or providing ID information of the user by a mobile device, such as mobile or smart phone, for example via a radio communication link, like via Bluetooth or RFID link, or displaying a number or barcode or the like via a display of the device, where it is read by a reader of the end relating the authenticating system, such as cash-register systems or access point systems.
  • There are however some disadvantages relating to the known prior art. For example, different cash-register systems or access point systems must have suitable and dedicated reading systems: a different kind of reader is required for reading e.g. a displayed barcode than for reading information transferred via the radio link.
  • An object of the invention is to alleviate and eliminate the problems relating to the known prior art.
  • Especially the object of the invention is to provide a method and system for authenticating a user in different environments so that the user can be authenticated via one user related device and especially independently of the type of the reader used at the end related to the authenticating system, such as cash-register systems or access point systems.
  • the invention relates to an authentication system for authenticating a user according to claim 1.
  • the invention relates to an authentication method for authenticating a user according to claim 17, as well as to a computer program product according to claim 25.
  • the authentication system relates for authenticating a user at a first end, such as at a cash-register or bonus systems at the commercial end system; or an access point system, such as a closed environment system having e.g. locked door or other locked system, which can be opened after successful authorization of the user.
  • the user identity data may relate to a membership or loyal customer data, whereupon a permission to a certain act after authorization may be an access to a bonus, discount or account arrangement related to said membership or loyal customer data.
  • the permission to a certain act may be e.g. a manipulation of the locked port (e.g. opening the port) based on the authentication.
  • the first end comprises a reader for reading a user identity data.
  • the reader type may be chosen freely and can be e.g. 1D or 2D barcode reader, RFID or NFC reader, Bluetooth or any other type of reader known from prior art.
  • the authentication system comprises a tag arranged at a first end, such as cash-register terminal or access point system (hereinafter the first end).
  • the tag advantageously comprises information related to a format in which said user identity data is to be communicated to the authentication system, such as to the first end's reader.
  • the format may be for example 1D barcode or 2D barcode format communicated via a display means, or a radio code communicated via a radio communication connection, such as RFID or NFC or Bluetooth readable code for example, depending on the type of the reader at the first end so what kind of format the reader is able to read (these are only examples and the invention is however not limited only to those).
  • the tag as such is advantageously configured to be read by the mobile device, whereupon the tag may be implemented e.g. by a NFC or RFID, Bluetooth, or 1D or 2D barcode or a smart code techniques.
  • the mobile device advantageously selects and communicates, such as displays the user identity data in the format identified by the tag to the authentication system via said reader of the first end.
  • the mobile device is advantageously provided by a user identity data, such as data related to a membership or loyal customership of the store system or access code related to the access point system, at least in the format required by the first end.
  • the user identity data may be stored beforehand into the memory means of the mobile device.
  • the mobile device comprises the user identity data in many different formats and the format identified by the tag in question is selected by the mobile device and communicated to the first end.
  • the user identity data may be stored beforehand into an external memory means where the mobile device has an access, advantageously wireless access via internet or mobile communication network.
  • the mobile device comprises an application or a user identity data managing system for storing and managing said user identity data.
  • the user identity data may be provided to the mobile device by an external user identity data managing system, which advantageously sends the user identity data in the format identified by the tag to the mobile device as a response to a query sent by the mobile device after reading the tag and knowing the format required by the first end.
  • the external user identity data managing system may be implemented e.g. at an external server or cloud system. It is to be noted that according to an embodiment the user identity data may be provided only when the tag is read by the mobile device, for example by the application of the mobile device.
  • the use or communication of the user identity data may be secured by a PIN code or the like, for example the user may be asked to enter the PIN code before sending the user identity data to the reader of the first end.
  • the user identity data is communicated to the first end by the mobile device in the format identified by the tag and again to an authentication portion of the authentication system.
  • the authentication portion is configured to authenticate said user based on the user identity data provided by the mobile device and based on the authentication configured to determine permission to a certain act at said first end.
  • the mobile device may also communicate the user identification information to the authentication system being external of the first end, whereupon the external authentication system authenticates the user, determine the permission and then communicates the information related to the permission e.g. directly to the first end or alternatively to the mobile device, which again may communicate it to the first end, and again advantageously in the format identified by the tag.
  • the first end may be provided by identification information related to the first end, such as e.g. cash#3 or door#21, or IP address or the like, whereupon also the identification information of the first end may be sent to the authentication system.
  • the tag or data communication means of the first end may comprise said first end identification information, whereupon the first end may send its identification information to the authentication system, such as to the authentication portion after reading the user identity data in the suitable format from the mobile device.
  • the first end identification information can be read by the mobile device for example from the tag, especially if the mobile device communicates the user identification information to the external authentication system (so not directly to the first end reader), whereupon the mobile device advantageously communicates both the user identification information as well as first end identification information to the external authentication system.
  • the mobile device comprises own application for different types of the first ends, such as for different chain stores (for example S-store, K-store, etc.) or for different types of access points.
  • the application advantageously comprises the user identity data in different format or has access to or comprises portion of the user data managing system, as well as possibly also other types of data related to the user and to the chain store in question.
  • the suitable application corresponding to the first end type may be selected either manually by the user or alternatively automatically based on the identification information of the first end of the authentication system read from the tag by said mobile device hosting the application.
  • Advantageously individualized data related to the authentication system or other organisation related to the first end is provided to the mobile device after said tag reading.
  • daily offers may be provided to the mobile device after reading a suitable tag at the store and send the user identity data in a suitable format (identified by the tag) to the system.
  • the application related to the first end may be configured to receive Push Notifications from the system, such as from a server system of a service provider of the identification system (or organisation) in question, such as text, images, URL links, or queries to be answered.
  • the present invention offers advantages over the known prior art, such as the user does not need plurality of different types of user identity data devices, like magnetic or barcode cards, for different cash-register systems or access point systems.
  • the current systems can be used, when the mobile device may be provided by the user identity data in required format for each first end type in question, which is clear advantage.
  • management of the user identity data as well as the authorization and permissions to different first end systems can be managed easily and fast.
  • Figure 1 illustrates an exemplary embodiment of an authentication system for authenticating a user according to an advantageous embodiment of the invention
  • Figure 2 illustrates another exemplary embodiment of the authentication system for authenticating a user according to an advantageous embodiment of the invention
  • FIG. 1 illustrates a principle of an exemplary authentication 100 system for authenticating a user according to an advantageous embodiment of the invention, where the system comprises the first end 102, mobile device 101 and authentication portion 106.
  • the authentication system 100 comprises a tag 103 arranged at a first end 102, such as the cash-register terminal or the access point system, as described via examples elsewhere in this document.
  • the first end comprises also a reader 109 for reading the user identity data communicated by the mobile device, such as 1D or 2D barcode reader or NFC or RFID or Bluetooth reader, for example.
  • the mobile device 101 reads 105a the tag and the tag comprises the information related to a format in which said user identity data is to be communicated to the authentication system, advantageously to the reader 109 of the first end.
  • the mobile device 101 comprises a memory or a special application or user identity managing system (like a library) 104 of the user identity data in different formats.
  • the mobile device is configured to send query 105b to the external user identity data managing system 107, whereupon the user identity data managing system 107 may send 105c the user identity data in the format asked by the mobile device.
  • the mobile device 101 advantageously then communicates 105b the user identity data in the format identified by the tag to the authentication system, advantageously to the reader 109.
  • the format of the user identity data is advantageously the format suitable for the reader 109.
  • the tag may have information that the user identity data must be communicated as a 1D or 2D barcode, whereupon it is displayed in the display of the mobile device as said 1D or 2D barcode, whereupon the reader reads said code advantageously optically.
  • If the tag identifies that the user identity data must be communicated via RFID means, for example, then the mobile device is configured to select said user identity data in the format suitable to be communicated via said RFID means.
  • When the first end 102 has received the user identity data, it advantageously communicates 105e it to the authentication portion 106 of the authentication system, which is configured to authenticate said user based on the user identity data provided by the mobile device.
  • the first end may also communicate 105e its identification information, such as IP address. Based on the authentication the authentication portion 106 determines permissions of the user to a certain act at said first end 102, and communicates 105f said permissions to said first end
  • the user identity data managing system 107 may be an external system of the mobile device, such as an external server or cloud system, which is configured to communicate said user identity data in the format identified by the tag as a response to said request to the mobile device.
  • the mobile device 101 may comprise said user identity data managing system 107 (e.g. as a part of the application system), whereupon the user identity data is stored into the memory means of the mobile device beforehand at least in two different formats, and the desired format of the user identity data is selected by the user identity data managing system based on the format information identified by the tag.
  • the first end 102 may comprise said authentication portion 106 of the authentication system for authenticating the user based on the user identity data.
  • FIG. 2 illustrates another exemplary embodiment of the authentication system 200 for authenticating a user according to an advantageous embodiment of the invention, wherein the tag 103 of the first end 102 also comprises identification information related to the first end, such as e.g. cash#3 or door#21, which is advantageously 105a read by the mobile device 101.
  • the mobile device may communicate both the user identity data as well as also first end identification data to the authentication system, such as to the external authentication end 110.
  • the external authentication end 110 may then authenticate the user and determine the permission to a certain act at said first end 102 for that user and then communicate information related to the permission either directly 105f (optional) to said first end 102 or alternatively 105d to said mobile device 101, which again may communicate 105b said information to the first end 102.
  • the mobile device 101 advantageously communicates 105b the information to the reader 109 of the first end 102 in the format identified by the tag 103 and thereby in the format the reader 109 is able to read.
  • the tag 103 may identify the format in which said user identity data should be communicated 105c to the authentication system. Moreover the tag may also identify the format in which the permission or other information must be communicated 105b, 105f to the first end 102, such as to the first end reader 109.

Abstract

An authentication system (100) for authenticating a user by a mobile device (101) at a first end (102) comprises a tag (103) arranged at the first end (102). The tag comprises information related to a format in which the user identity data should be communicated to the authentication system. The tag is read (105a) by the mobile device, whereupon the mobile device is provided (104) by the user identity data in the format identified by the tag. The mobile device communicates (105b, 105c, 105e) said user identity data to the authentication system in the format identified by the tag, whereupon an authentication portion (106) of the authentication system authenticates said user based on the user identity data provided by the mobile device and based on the authentication determines permission to a certain act at said first end (102).

Description

AUTHENTICATION SYSTEM AND METHOD FOR AUTHENTICATING A USER
TECHNICAL FIELD OF THE INVENTION
The invention relates to a method and system for authenticating a user. Especially the invention relates to a method and system for authenticating a user by a mobile device by reading a tag.
BACKGROUND OF THE INVENTION
There is a need for authenticating a user in many situations, such as at a cash-register terminal in order to recognize possible membership, loyal customership or access to a bonus, discount or account arrangement related to said membership or loyal customer data. Similar needs for authenticating users also arise with different kinds of access systems, for example in relation to a locked door, other access systems or a closed environment, where the user identity and thus the access authorization should be authenticated before authorizing the access.
A plurality of systems for authenticating users is known from the prior art, such as reading different kinds of magnetic or RFID bonus or access cards, or providing ID information of the user by a mobile device, such as a mobile or smart phone, for example via a radio communication link, like a Bluetooth or RFID link, or displaying a number or barcode or the like on a display of the device, where it is read by a reader at the end related to the authenticating system, such as cash-register systems or access point systems. There are however some disadvantages relating to the known prior art. For example, different cash-register systems or access point systems must have suitable and dedicated reading systems: a different kind of reader is required for reading e.g. a displayed barcode than for reading information transferred via the radio link. In addition it is not very convenient for the user to carry a number of different cards or devices for authentication purposes.
SUMMARY OF THE INVENTION
An object of the invention is to alleviate and eliminate the problems relating to the known prior art. Especially the object of the invention is to provide a method and system for authenticating a user in different environments so that the user can be authenticated via one user related device and especially independently of the type of the reader used at the end related to the authenticating system, such as cash-register systems or access point systems.
The object of the invention can be achieved by the features of independent claims.
The invention relates to an authentication system for authenticating a user according to claim 1. In addition the invention relates to an authentication method for authenticating a user according to claim 17, as well as to a computer program product according to claim 25. According to an embodiment of the invention the authentication system relates for authenticating a user at a first end, such as at a cash-register or bonus systems at the commercial end system; or an access point system, such as a closed environment system having e.g. locked door or other locked system, which can be opened after successful authorization of the user. Thus the user identity data may relate to a membership or loyal customer data, whereupon a permission to a certain act after authorization may be an access to a bonus, discount or account arrangement related to said membership or loyal customer data. Alternatively in the access control system to a closed system (gate/port/door to a certain closed area, for example) the permission to a certain act may be e.g. a manipulation of the locked port (e.g. opening the port) based on the authentication.
According to an embodiment the first end comprises a reader for reading a user identity data. It is to be noted that the reader type may be chosen freely and can be e.g. 1D or 2D barcode reader, RFID or NFC reader, Bluetooth or any other type of reader known from prior art. In addition the authentication system comprises a tag arranged at a first end, such as cash-register terminal or access point system (hereinafter the first end). The tag advantageously comprises information related to a format in which said user identity data is to be communicated to the authentication system, such as to the first end's reader. The format may be for example 1D barcode or 2D barcode format communicated via a display means, or a radio code communicated via a radio communication connection, such as RFID or NFC or Bluetooth readable code for example, depending on the type of the reader at the first end so what kind of format the reader is able to read (these are only examples and the invention is however not limited only to those).
The tag as such is advantageously configured to be read by the mobile device, whereupon the tag may be implemented e.g. by a NFC or RFID, Bluetooth, or 1D or 2D barcode or a smart code techniques. When the tag is read by the mobile device, the mobile device advantageously selects and communicates, such as displays the user identity data in the format identified by the tag to the authentication system via said reader of the first end. The mobile device is advantageously provided by a user identity data, such as data related to a membership or loyal customership of the store system or access code related to the access point system, at least in the format required by the first end. As an example, the user identity data may be stored beforehand into the memory means of the mobile device. Advantageously the mobile device comprises the user identity data in many different formats and the format identified by the tag in question is selected by the mobile device and communicated to the first end.
According to an embodiment the user identity data may be stored beforehand into an external memory means where the mobile device has an access, advantageously wireless access via internet or mobile communication network. Advantageously the mobile device comprises an application or a user identity data managing system for storing and managing said user identity data. Alternatively the user identity data may be provided to the mobile device by an external user identity data managing system, which advantageously sends the user identity data in the format identified by the tag to the mobile device as a response to a query sent by the mobile device after reading the tag and knowing the format required by the first end. The external user identity data managing system may be implemented e.g. at an external server or cloud system. It is to be noted that according to an embodiment the user identity data may be provided only when the tag is read by the mobile device, for example by the application of the mobile device. This ensures that the user identity data is not used in any other event and minimizes the risk for unauthorized use. In addition the use or communication of the user identity data may be secured by a PIN code or the like, for example the user may be asked to enter the PIN code before sending the user identity data to the reader of the first end.
The user identity data is communicated to the first end by the mobile device in the format identified by the tag and again to an authentication portion of the authentication system. The authentication portion is configured to authenticate said user based on the user identity data provided by the mobile device and based on the authentication configured to determine permission to a certain act at said first end. According to an embodiment the mobile device may also communicate the user identification information to the authentication system being external of the first end, whereupon the external authentication system authenticates the user, determines the permission and then communicates the information related to the permission e.g. directly to the first end or alternatively to the mobile device, which again may communicate it to the first end, and again advantageously in the format identified by the tag.
According to an embodiment the first end may be provided by identification information related to the first end, such as e.g. cash#3 or door#21, or IP address or the like, whereupon also the identification information of the first end may be sent to the authentication system. For example the tag or data communication means of the first end may comprise said first end identification information, whereupon the first end may send its identification information to the authentication system, such as to the authentication portion after reading the user identity data in the suitable format from the mobile device. Alternatively the first end identification information can be read by the mobile device for example from the tag, especially if the mobile device communicates the user identification information to the external authentication system (so not directly to the first end reader), whereupon the mobile device advantageously communicates both the user identification information as well as first end identification information to the external authentication system. According to an embodiment the mobile device comprises own application for different types of the first ends, such as for different chain stores (for example S-store, K-store, etc.) or for different types of access points. The application advantageously comprises the user identity data in different format or has access to or comprises portion of the user data managing system, as well as possibly also other types of data related to the user and to the chain store in question. The suitable application corresponding to the first end type may be selected either manually by the user or alternatively automatically based on the identification information of the first end of the authentication system read from the tag by said mobile device hosting the application.
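The flow described above (tag read, format selection, PIN-gated release, permission decided per first end identification), sketched as an added Python example that is not code from the patent. The `fmt=...;id=...` tag payload, all class and function names, the PIN retry limit and the sample values are assumptions constructed for illustration; rendering the data as an actual barcode or radio frame is left out.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Formats named as examples in the description; anything else is rejected.
KNOWN_FORMATS = {"barcode1d", "barcode2d", "nfc", "rfid", "bluetooth"}
MAX_PIN_ATTEMPTS = 3  # assumption: the page only says "a PIN code or the like"


@dataclass(frozen=True)
class Tag:
    fmt: str            # format the first end's reader is able to read
    first_end_id: str   # e.g. "cash#3" or "door#21"


def parse_tag(payload: str) -> Tag:
    """Parse a constructed 'fmt=<format>;id=<first end>' payload (untrusted input)."""
    fields = dict(p.split("=", 1) for p in payload.split(";") if "=" in p)
    fmt, first_end_id = fields.get("fmt", ""), fields.get("id", "")
    if fmt not in KNOWN_FORMATS:
        raise ValueError("tag requests an unknown format: %r" % fmt)
    if not first_end_id:
        raise ValueError("tag carries no first end identification")
    return Tag(fmt, first_end_id)


class IdentityStore:
    """User identity data kept in several formats on the mobile device."""

    def __init__(self, pin: str, identity_by_format: Dict[str, str]):
        self._salt = os.urandom(16)
        self._pin_hash = self._derive(pin)
        self._identity_by_format = dict(identity_by_format)
        self._failed = 0

    def _derive(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 100_000)

    def release(self, tag: Tag, pin: str) -> Dict[str, str]:
        """Release identity data only for a parsed tag and a correct PIN."""
        if self._failed >= MAX_PIN_ATTEMPTS:
            raise PermissionError("identity store locked")
        if not hmac.compare_digest(self._derive(pin), self._pin_hash):
            self._failed += 1
            raise PermissionError("wrong PIN")
        self._failed = 0
        if tag.fmt not in self._identity_by_format:
            raise LookupError("no identity data stored in format %s" % tag.fmt)
        return {"format": tag.fmt,
                "user_identity": self._identity_by_format[tag.fmt],
                "first_end_id": tag.first_end_id}


class AuthenticationPortion:
    """Maps (user identity, first end) to the permitted act, if any."""

    def __init__(self, permissions: Dict[Tuple[str, str], str]):
        self._permissions = dict(permissions)

    def authenticate(self, message: Dict[str, str]) -> Optional[str]:
        key = (message["user_identity"], message["first_end_id"])
        return self._permissions.get(key)  # None means no permission


def demo() -> Tuple[Optional[str], Optional[str]]:
    # Constructed sample data: one member, the same number in every format.
    store = IdentityStore("4821", {"barcode2d": "MEMBER-0042", "nfc": "MEMBER-0042"})
    portion = AuthenticationPortion({("MEMBER-0042", "cash#3"): "bonus"})
    at_cash = portion.authenticate(
        store.release(parse_tag("fmt=barcode2d;id=cash#3"), "4821"))
    at_door = portion.authenticate(
        store.release(parse_tag("fmt=nfc;id=door#21"), "4821"))
    return at_cash, at_door


if __name__ == "__main__":
    print(demo())
```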
Advantageously individualized data related to the authentication system or other organisation related to the first end, such as logo, advertisement, offers, or membership information, or map or location information related to the organisation, such as associations or fellowship or chain of stores or offers thereof, is provided to the mobile device after said tag reading. For example daily offers may be provided to the mobile device after reading a suitable tag at the store and sending the user identity data in a suitable format (identified by the tag) to the system. According to an example the application related to the first end, as is disclosed elsewhere in this document, may be configured to receive Push Notifications from the system, such as from a server system of a service provider of the identification system (or organisation) in question, such as text, images, URL links, or queries to be answered.
The present invention offers advantages over the known prior art, such as that the user does not need a plurality of different types of user identity data devices, like magnetic or barcode cards, for different cash-register systems or access point systems. In addition there is no need for different types of first ends to update their reading systems for reading the user identity data, but the current systems can be used, when the mobile device may be provided with the user identity data in the required format for each first end type in question, which is a clear advantage. In addition the management of the user identity data as well as the authorization and permissions to different first end systems can be managed easily and fast.
BRIEF DESCRIPTION OF THE DRAWINGS
Next the invention will be described in greater detail with reference to exemplary embodiments in accordance with the accompanying drawings, in which:
Figure 1 illustrates an exemplary embodiment of an authentication system for authenticating a user according to an advantageous embodiment of the invention, and
Figure 2 illustrates another exemplary embodiment of the authentication system for authenticating a user according to an advantageous embodiment of the invention.
DETAILED DESCRIPTION
Figure 1 illustrates a principle of an exemplary authentication system 100 for authenticating a user according to an advantageous embodiment of the invention, where the system comprises the first end 102, mobile device 101 and authentication portion 106. The authentication system 100 comprises a tag 103 arranged at a first end 102, such as the cash-register terminal or the access point system, as described via examples elsewhere in this document. The first end comprises also a reader 109 for reading the user identity data communicated by the mobile device, such as a 1D or 2D barcode reader or NFC or RFID or Bluetooth reader, for example.
In the system the mobile device 101 reads 105a the tag and the tag comprises the information related to a format in which said user identity data is to be communicated to the authentication system, advantageously to the reader 109 of the first end. According to an embodiment the mobile device 101 comprises a memory or a special application or user identity managing system (like a library) 104 of the user identity data in different formats. Alternatively the mobile device is configured to send a query 105b to the external user identity data managing system 107, whereupon the user identity data managing system 107 may send 105c the user identity data in the format asked by the mobile device. Anyway, the mobile device 101 advantageously then communicates 105b the user identity data in the format identified by the tag to the authentication system, advantageously to the reader 109. The format of the user identity data is advantageously the format suitable for the reader 109. For example the tag may have information that the user identity data must be communicated as a 1D or 2D barcode, whereupon it is displayed in the display of the mobile device as said 1D or 2D barcode, whereupon the reader reads said code advantageously optically. If the tag identifies that the user identity data must be communicated via RFID means, for example, then the mobile device is configured to select said user identity data in the format suitable to be communicated via said RFID means. When the first end 102 has received the user identity data, it advantageously communicates 105e it to the authentication portion 106 of the authentication system, which is configured to authenticate said user based on the user identity data provided by the mobile device. The first end may also communicate 105e its identification information, such as IP address.
Based on the authentication the authentication portion 106 determines permissions of the user to a certain act at said first end 102, and communicates 105f said permissions to said first end 102.
The user identity data managing system 107 may be an external system of the mobile device, such as an external server or cloud system, which is configured to communicate said user identity data in the format identified by the tag as a response to said request to the mobile device. Alternatively the mobile device 101 may comprise said user identity data managing system 107 (e.g. as a part of the application system), whereupon the user identity data is stored into the memory means of the mobile device beforehand at least in two different formats, and the desired format of the user identity data is selected by the user identity data managing system based on the format information identified by the tag.
In addition, according to an embodiment the first end 102 may comprise said authentication portion 106 of the authentication system for authenticating the user based on the user identity data.
Figure 2 illustrates another exemplary embodiment of the authentication system 200 for authenticating a user according to an advantageous embodiment of the invention, wherein the tag 103 of the first end 102 also comprises identification information related to the first end, such as e.g. cash#3 or door#21, which is advantageously read 105a by the mobile device 101. Now the mobile device may communicate both the user identity data as well as also first end identification data to the authentication system, such as to the external authentication end 110. The external authentication end 110 may then authenticate the user and determine the permission to a certain act at said first end 102 for that user and then communicate information related to the permission either directly 105f (optional) to said first end 102 or alternatively 105d to said mobile device 101, which again may communicate 105b said information to the first end 102. The mobile device 101 advantageously communicates 105b the information to the reader 109 of the first end 102 in the format identified by the tag 103 and thereby in the format the reader 109 is able to read.
It is to be noted that again in the embodiment described in Figure 2 the tag 103 may identify the format in which said user identity data should be communicated 105c to the authentication system. Moreover the tag may also identify the format in which the permission or other information must be communicated 105b, 105f to the first end 102, such as to the first end reader 109.
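The flow of Figure 1, modelled as an added Python example that is not part of the patent text. The tag payload syntax (`fmt=...;id=...`), the format labels, the class and function names and the sample identity data are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Formats named in the description; the string labels are assumptions.
KNOWN_FORMATS = {"barcode1d", "barcode2d", "rfid", "nfc", "bluetooth"}


class TagError(ValueError):
    """Tag content that must not lead to identity data being released."""


@dataclass(frozen=True)
class Tag:
    fmt: str                     # format the reader 109 can read
    first_end_id: Optional[str]  # e.g. "door#21"; carried by the tag in Figure 2


def parse_tag(payload: str) -> Tag:
    """Parse the assumed 'fmt=<format>;id=<first end>' payload strictly."""
    fields: Dict[str, str] = {}
    for part in payload.split(";"):
        key, sep, value = part.partition("=")
        key = key.strip()
        if not sep or key in fields:
            raise TagError(f"malformed or repeated field: {part!r}")
        fields[key] = value.strip()
    if fields.get("fmt") not in KNOWN_FORMATS:
        raise TagError(f"unsupported format: {fields.get('fmt')!r}")
    return Tag(fields["fmt"], fields.get("id") or None)


class IdentityManager:
    """Managing system 104/107 on the device, holding several formats."""

    def __init__(self, by_format: Dict[str, str]):
        self._by_format = dict(by_format)

    def provide(self, tag: Tag) -> Tuple[str, str]:
        # Release identity data only against a parsed tag, and only in a
        # format stored beforehand; never fall back to another format.
        if tag.fmt not in self._by_format:
            raise TagError(f"no identity data stored as {tag.fmt!r}")
        return tag.fmt, self._by_format[tag.fmt]


class AuthenticationPortion:
    """Portion 106: authenticate the user, then determine the permission."""

    def __init__(self, users: Dict[str, str], grants: Set[Tuple[str, str]]):
        self._users = users    # identity data -> user
        self._grants = grants  # (user, first end id) pairs that are permitted

    def permit(self, identity_data: str, first_end_id: str) -> bool:
        user = self._users.get(identity_data)
        return user is not None and (user, first_end_id) in self._grants


class FirstEnd:
    """First end 102: tag 103 plus a reader 109 for exactly one format."""

    def __init__(self, first_end_id: str, fmt: str, auth: AuthenticationPortion):
        self.first_end_id, self.fmt, self.auth = first_end_id, fmt, auth

    def tag_payload(self) -> str:
        return f"fmt={self.fmt};id={self.first_end_id}"

    def read(self, fmt: str, identity_data: str) -> bool:
        # The first end reports its own identification (105e), so the
        # permission is decided for this first end.
        return fmt == self.fmt and self.auth.permit(identity_data, self.first_end_id)


def authenticate_at(first_end: FirstEnd, manager: IdentityManager) -> bool:
    tag = parse_tag(first_end.tag_payload())  # 105a: read the tag
    fmt, data = manager.provide(tag)          # 104: select the format
    return first_end.read(fmt, data)          # 105b, 105e, 105f


# Constructed sample data: one user, two stored formats, one permitted door.
AUTH = AuthenticationPortion(
    {"MEMBER:0042": "alice", "04A1B2C3": "alice"}, {("alice", "door#21")})
PHONE = IdentityManager({"barcode2d": "MEMBER:0042", "nfc": "04A1B2C3"})
```

A tag that names a format outside the known set, or one the device holds no identity data for, raises `TagError` before any identity data leaves the device.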
The invention has been explained above with reference to the aforementioned embodiments, and several advantages of the invention have been demonstrated. It is clear that the invention is not only restricted to these embodiments, but comprises all possible embodiments within the spirit and scope of the inventive thought and the following patent claims.

Claims

1. An authentication system (100) for authenticating a user by a mobile device (101) at a first end (102), where the mobile device is configured to provide a user identity data to the authentication system for authenticating the user,
characterized in that:
- the authentication system comprises a tag (103) arranged at the first end (102),
- said tag comprises information related to a format in which said user identity data is to be communicated to the authentication system,
- said tag is configured to be read (105a) by the mobile device, and
- said mobile device is configured to be provided (104) by the user identity data in the format identified by the tag, and the mobile device is configured to communicate (105b, 105c, 105e) said user identity data to the authentication system in the format identified by the tag, whereupon
- an authentication portion (106) of the authentication system is configured to authenticate said user based on the user identity data provided by the mobile device and based on the authentication configured to determine permission to a certain act at said first end (102).
2. An authentication system of claim 1, wherein said first end (102) comprises a reader (109), and wherein said mobile device is configured to communicate (105b, 105c) said user identity data to said reader (109) in the format identified by the tag.
3. An authentication system of any of previous claims, wherein the tag also comprises identification information related to the first end (102) of the authentication system, where
- said first end identification information is configured to be read (105a) by the mobile device, whereupon the mobile device (101) is configured to communicate (105b, 105c, 105e) said first end identification information and said user identity data to the authentication system, or
- wherein the first end (102) is configured to communicate said first end identification information and said user identity data to the authentication system.
4. An authentication system of any of previous claims, wherein the mobile device (101) is configured to send (105c) a request to a user identity data managing system (107) after reading said tag for receiving (105d) said user identity data in the format identified by the tag.
5. An authentication system of claim 4, wherein said user identity data managing system (107) is an external system, such as an external server or cloud system, which is configured to communicate said user identity data in the format identified by the tag as a response to said request to the mobile device.
6. An authentication system of claim 4, wherein said mobile device comprises said user identity data managing system (107) and the user identity data is stored into the memory means of the mobile device beforehand at least in two different formats, whereupon the desired format of the user identity data is selected by the user identity data managing system based on the format information identified by the tag or wherein the mobile device is configured to convert and communicate said user identity data in the format identified by the tag.
7. An authentication system of any of previous claims, wherein the mobile device comprises own application (108) for different types of the first ends, wherein the suitable application corresponding to the first end type is selected either manually or based on the identification information of the first end (102) of the authentication system read from the tag (103) by the mobile device.
8. An authentication system of any of previous claims, wherein the user identity data is provided only when said tag is read by the mobile device.
9. An authentication system of any of previous claims, wherein the authentication portion (106) of the authentication system is configured to provide (105f) information related to said permission to a certain act to the first end (102).
10. An authentication system of any of previous claims, wherein the first end of the authentication system comprises a receiving means, such as the reader (109) configured to receive said user identity data in the format identified by the tag and to transfer it to the authentication portion (106) of the authentication system.
11. An authentication system of any of previous claims, wherein the format of the user identity data to be communicated by the mobile device is 1D barcode, 2D barcode communicated via a display means of the mobile device, or code readable via radio communication connection, such as RFID or NFC or Bluetooth readable code.
12. An authentication system of any of previous claims, wherein the first end (102) of the authentication system comprises said authentication portion (106) of the authentication system for authenticating the user based on the user identity data.
13. An authentication system of any of previous claims, wherein the authentication system relates to payment and/or bonus system of a store and the user identity data relates to a membership or loyal customer data, whereupon said permission to a certain act is an access to a bonus, discount or account arrangement related to said membership or loyal customer data.
14. An authentication system of any of previous claims 1-12, wherein the authentication system relates to an access control system to a closed system, whereupon when the user is authenticated, the authentication systems provides access control data of the user to the access control system.
15. An authentication system of claim 14, wherein the first end comprises a locked and controllable opened door, port or gate to a closed environment, whereupon said permission to a certain act relates to operation of the locked port.
16. An authentication method for authenticating a user by a mobile device (101), where a user identity data is communicated (105b, 105c, 105e) to the authentication system by said mobile device for authenticating the user, characterized in that:
- arranging a tag (103) at a first end (102) of the authentication system, where said tag comprises information related to a format in which said user identity data is to be communicated to the authentication system,
- reading said tag by the mobile device (101), and
- providing said mobile device by the user identity data in the format identified by the tag, and communicating said user identity data to the authentication system by the mobile device in the format identified by the tag,
whereupon
- said user is authenticated by an authentication portion (106) of the authentication system based on the user identity data provided by the mobile device and a permission to a certain act at said first end (102) is determined based on said authentication.
17. A method of claim 16, wherein said first end (102) comprises a reader (109) and said user identity data is communicated (105b, 105c, 105e) to said reader (109) in the format identified by the tag.
18. A method of any of claims 16-17, wherein the tag also comprises identification information related to the first end (102) of the authentication system, where
- said first end identification information is read (105a) by the mobile device, whereupon the mobile device (101) communicates (105b, 105c, 105e) said first end identification information and said user identity data to the authentication system, or
- wherein the first end (102) communicates said first end identification information and said user identity data to the authentication system.
19. A method of any of claims 16-18, wherein a request for the user identity data in the format identified by the tag is sent to a user identity data managing system after reading said tag for receiving said; wherein
- said user identity data managing system is an external system of the mobile device, such as an external server or cloud system, which communicates said user identity data in the format identified by the tag as a response to said request to the mobile device, or
- the user identity data is stored into the memory means of the mobile device beforehand at least in two different formats, whereupon the desired format of the user identity data is selected by the user identity data managing system of the mobile device based on the format information identified by the tag.
20. A method of any of claims 16-19, wherein the mobile device comprises own application for different types of the first ends, wherein the suitable application corresponding to the first end type is selected either manually or based on the identification information of the first end of the authentication system read from the tag.
21. A method of any of claims 16-19, wherein the first end is a cash system and the user identity data relates to a membership or loyal customer data, whereupon said permission to a certain act is an access to a bonus, discount or account arrangement related to said membership or loyal customer data; or wherein the first end is an access control system to a closed system and wherein said permission to a certain act is a manipulation of the locked port based on the authentication.
22. A method of any of claims 16-21, wherein the first end of the authentication system receives said user identity data in the format identified by the tag directly from the mobile device in the format identified by said tag, such as in 1D barcode, 2D barcode format communicated via a display means of the mobile device, or a radio code communicated via a radio communication connection, such as RFID or NFC readable code.
23. A method of any of previous claims 16-22, wherein after the tag reading individualized data related to the authentication system or other organisation related to the first end, such as logo, advertisement, offers, or membership information, or map or location information related to the organisation, such as associations or fellowship or chain of stores, is provided to the mobile device.
24. A method of any of previous claims 16-23, wherein the application is configured to receive Push Notifications from the server system of a service provider of the identification system question, such as text, images, URL links, or queries to be answered.
25. A computer program product for authenticating a user via an application of a mobile device for different identification systems having reading means for reading user identity data, characterized in that it comprises program code means stored on a computer-readable medium, which code means are arranged to perform all the steps of the method defined in claims 17-24, when the program is run on a computer.
PCT/FI2015/050057 2014-01-31 2015-01-29 Authentication system and method for authenticating a user WO2015114215A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
FI20145111A FI125753B (en) 2014-01-31 2014-01-31 Authentication system and method for user authentication
FI20145111 2014-01-31

Publications (1)

Publication Number Publication Date
WO2015114215A1 true WO2015114215A1 (en) 2015-08-06

Family

ID=53756265

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/FI2015/050057 WO2015114215A1 (en) 2014-01-31 2015-01-29 Authentication system and method for authenticating a user

Country Status (2)

Country Link
FI (1) FI125753B (en)
WO (1) WO2015114215A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170013461A1 (en) * 2015-07-06 2017-01-12 Canon Kabushiki Kaisha Communication apparatus, communication method, and program
GB2551794A (en) * 2016-06-30 2018-01-03 Vst Enterprises Ltd Authentication method & apparatus
US11213773B2 (en) 2017-03-06 2022-01-04 Cummins Filtration Ip, Inc. Genuine filter recognition with filter monitoring system

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090066509A1 (en) * 2007-09-07 2009-03-12 Nokia Corporation Uniform architecture for processing data from optical and radio frequency sensors
US20110137804A1 (en) * 2009-12-03 2011-06-09 Recursion Software, Inc. System and method for approving transactions
US20110251910A1 (en) * 2010-04-13 2011-10-13 James Dimmick Mobile Phone as a Switch
EP2378451A1 (en) * 2010-04-19 2011-10-19 Vodafone Holding GmbH User authentication in a tag-based service
US20120259715A1 (en) * 2011-02-02 2012-10-11 Datalogic ADC, Inc. Information gathering and decoding using near field wireless communication
US20130304648A1 (en) * 2012-05-08 2013-11-14 Craig O'Connell System and method for authentication using payment protocol

Also Published As

Publication number Publication date
FI125753B (en) 2016-02-15
FI20145111A (en) 2015-08-01

Similar Documents

Publication Publication Date Title
EP2487629B1 (en) Secure smart poster
US8422949B1 (en) Public kiosk providing near field communication services
CN205407821U (en) A near field communication device
EP2940640A1 (en) Method for controlling payment device for selecting payment means
US10304011B2 (en) Electronic shelf label system and communications method thereof
US20140214620A1 (en) Method and arrangements for electronic shelf labels
Singh Near-field communication (NFC): an alternative to RFID in libraries
US20160012408A1 (en) Cloud-based mobile payment system
US20130254051A1 (en) Apparatus for issuing receipts and user terminal using the receipts
US20060255917A1 (en) System for protecting tag related information and method thereof
US20130332356A1 (en) Mobile card management method
EP2887272B1 (en) Hybrid NFC and RFID passive contactless card
Mohandes Mobile technology for socio-religious events: a case study of NFC technology
KR20070030231A (en) Method of choosing one of a multitude of data sets being registered with a device and corresponding device
WO2015114215A1 (en) Authentication system and method for authenticating a user
Kulkarni Near field communication (NFC) technology and its application
KR20140082949A (en) Access control system using NFC communication and data exchange methods
US10803445B2 (en) System and method of conducting an authentication transaction
US9021571B2 (en) Method and system for processing a data transfer related to a data-storing card
US20130290190A1 (en) Method and system for providing universal access to a service amongst a plurality of services
KR20110041045A (en) Passport management system and method
KR20150050838A (en) A method of operating a vehicle system using usim synchronization of mobile terminal and vehicle information terminal
KR102220507B1 (en) System, Service Apparatus and Method for Providing Electronic Coupon using Customer Card
KR102059168B1 (en) Method for issue cash receipt using mobile device
KR20140056631A (en) Apparatus and method for providing service based on customer information

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15743550

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 15743550

Country of ref document: EP

Kind code of ref document: A1