CA2993713A1 - System and method for mobile base station authentication - Google Patents
System and method for mobile base station authenticationInfo
- Publication number
- CA2993713A1 CA2993713A1 CA2993713A CA2993713A CA2993713A1 CA 2993713 A1 CA2993713 A1 CA 2993713A1 CA 2993713 A CA2993713 A CA 2993713A CA 2993713 A CA2993713 A CA 2993713A CA 2993713 A1 CA2993713 A1 CA 2993713A1
- Authority
- CA
- Canada
- Prior art keywords
- access
- resource
- mobile device
- backend
- user
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/60—Context-dependent security
- H04W12/63—Location-dependent; Proximity-dependent
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W48/00—Access restriction; Network selection; Access point selection
- H04W48/02—Access restriction performed under specific conditions
- H04W48/04—Access restriction performed under specific conditions based on user or terminal location or mobility data, e.g. moving direction, speed
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
A system and method for increasing the security of a secure resource by determining a current location of a mobile device associated with an end user based on determining the mobile base station to which the mobile device is connected and allowing access to the resource only if an end user has access credentials to access the resource and the physical location of secure resource matches the current location of the mobile device.
Description
SYSTEM AND METHOD FOR MOBILE BASE STATION AUTHENTICATION
TECHNICAL FIELD
[0001] The disclosed systems and methods relate to using location information to determine whether to grant a user physical and/or logical access to a location, an object or a system. In particular, the disclosed systems and methods relate to providing location-based authentication using connectivity information from mobile base stations.
BACKGROUND
TECHNICAL FIELD
[0001] The disclosed systems and methods relate to using location information to determine whether to grant a user physical and/or logical access to a location, an object or a system. In particular, the disclosed systems and methods relate to providing location-based authentication using connectivity information from mobile base stations.
BACKGROUND
[0002] Some previous attempts to use mobile device location information to make decisions regarding security access have drawbacks.
[0003] GPS systems are commonly used to provide location information, however, those systems require GPS to run, which uses battery power to operate and require additional processes, such as a GPS application, to operate. Moreover, GPS may not operate well in buildings or vehicles due to poor transmission of GPS signals. In many cases, a GPS signal is not available due to some sort of interference (naturally occurring or man-made).
[0004] Running GPS may also compromise an end user's privacy. Mobile device OEMs and many application developers often make use of GPS function for uses that invades an individual's privacy without the end user's explicit knowledge. Moreover, if a mobile device is impacted by malware, the GPS function could add more info details for attackers to locate the end user and thus compromise their security. Many mobile apps demand/require access to GPS
data which again weakens one's ability to limit who is tracking them.
data which again weakens one's ability to limit who is tracking them.
[0005] Other systems for providing location information rely on systems such as WiFi connection (or WLAN), a wireless beacon or a relay device in the immediate vicinity of the access location, such as at the ground floor entrance of a building. These types of systems generally require some form of digital ID on the mobile device, such as a smartphone, to be mapped or authenticated to the local wireless network which implies WiFi app or modem needs to be enabled by the end user. Users may often not have their mobile device set to have WiFi enabled or "ON", and the use of WiFi will often drain battery usage. This is the similar scenario when attempting to use another wireless technology such as Bluetooth and Bluetooth Low Energy as both these wirelesses technologies also require apps on the device, an enabled modem and a pairing to the local Bluetooth server. In all of these types of systems, the smartphone itself, loaded and configured apps, and a specific modem turned "ON" are necessary to enable access.
[0006] Applications that use wireless connections to determination location generally require the smartphone to have an installed application on the device to communicate with the wireless service provider to transmit its position. The service provider needs to provide an API of some kind that would define how to receive the coordinates from the smartphone and where/how to transmit them to the electronic access control unit. Additionally, in this type of system, the geo-location info is often the sole method provided to enable door access without requiring additional identification of the individual. This also may mean added complexity for providing access services and additional drain on the mobile device since an app and other mobile modules are required to establish connectivity.
[0007] Other systems require a mobile device to provide identification information to an external service which uses the information to locate the individual. This type of solution is invasive since the end user's devices are required to communicate with an external tracking system to enable location services. These types of system will similarly often require an invasion of the end user's privacy.
[0008] Some previous location verification systems require a user to call an authentication server which then verifies their voice print, and then the authentication server queries the wireless provider to acquire the location of the phone. Requesting a person's location from a wireless provider may not be permissible in various jurisdictions due to privacy laws which often forbids providers from tracking customers unless there is a request by law enforcement.
[0009] Other systems may attempt to use triangulation through cellular signal strength measurements, but will also often require the installation of an application on the mobile device.
SUMMARY
SUMMARY
[0010] There is provided in one embodiment a method of authenticating an end user's access to a resource at a physical location using a mobile device associated with the end user. The mobile device is connected to a mobile network including a plurality of base stations. A request is received from the end user asking to be permitted to access the resource. The method determines whether the end user has access credentials to access the resource.
Information is requested and received from a subscriber server for the mobile network including subscriber data associated with the mobile device, the subscriber data including information on which of the one of the plurality of base stations to which the mobile device is currently connected.
A current location of the mobile device is verified based on the one of the plurality of base stations to which the mobile device is connected. Access to the resource is allowed only if the end user has access credentials to access the resource and the physical location matches the current location of the mobile device.
Information is requested and received from a subscriber server for the mobile network including subscriber data associated with the mobile device, the subscriber data including information on which of the one of the plurality of base stations to which the mobile device is currently connected.
A current location of the mobile device is verified based on the one of the plurality of base stations to which the mobile device is connected. Access to the resource is allowed only if the end user has access credentials to access the resource and the physical location matches the current location of the mobile device.
[0011] In another embodiment there is also a system for providing user access to a secure resource using a mobile device. There is a backend access system and an access database connected to and accessible by the backend access system. A resource access system is in communication with the backend access system, the resource access system configured to receive a request from a user to access the secure resource. The backend access system is configured to communicate with a mobile network database to obtain subscriber data associated with the mobile device in response to the resource access system receiving a request from the user to access the secure resource. The subscriber data includes information on the specified base station to which the mobile device is currently connected.
[0012] In one embodiment, smart card technology, smartphone and Telecom Service Provider base station data/information is used and mapped together with a backend access system (physical or logical oriented) for the sole purpose of increasing authentication sources for physical and/or logical access, thus increasing the security level for access.
[0013] In some embodiments, this technology could be implemented by a business or corporation which mandates this process for access to its premises and/or computer systems. End user employees of the company would then register their device or devices for this added secure access service. User access, for physical or logical purposes, would be based on a primary function or rule of access always "disabled" until the mobile device connects to the specific base station which is identified as the primary and/or closest access point to the asset, such as a building door or specific computer terminal.
[0014] In some embodiments, the system and method use mapping information from two distinct disparate data sources to increase the authentication factor for access services.
[0015] These and other aspects of the system and method are set out in the claims, which are incorporated here by reference.
BRIEF DESCRIPTION OF THE FIGURES
BRIEF DESCRIPTION OF THE FIGURES
[0016] Embodiments will now be described with reference to the figures, in which like reference characters denote like elements, by way of example, and in which:
[0017] Fig. 1 is a schematic diagram of an authentication system using mobile base stations.
DETAILED DESCRIPTION
DETAILED DESCRIPTION
[0018] In an embodiment, the method operates as follows:
a. Smartphones connect to mobile towers and base stations;
b. When a Smartphone is connected to a particular base station, that information is known to the backend mobility systems via its IMSI and/or other device identifying data;
c. If that base station is the primary or closest base station to the targeted physical building or computer terminal for access purposes, that base station will be the prime mobility node where a connected device's ID would be retrieved from mobility backend systems and sent the backend access system to be mapped against a smart card ID and/or user logical access credentials;
d. When the mobile device's ID, retrieved from the specific mobile base station, is sent to the access system and mapped to the user ID, the smart card system identifies the door which this user has access to (as per his/her access profile) and "enables" it for card access, or in the case of logical access, the mobile device's ID is mapped to the corporate logical access system to enable access to a specific computer terminal.
a. Smartphones connect to mobile towers and base stations;
b. When a Smartphone is connected to a particular base station, that information is known to the backend mobility systems via its IMSI and/or other device identifying data;
c. If that base station is the primary or closest base station to the targeted physical building or computer terminal for access purposes, that base station will be the prime mobility node where a connected device's ID would be retrieved from mobility backend systems and sent the backend access system to be mapped against a smart card ID and/or user logical access credentials;
d. When the mobile device's ID, retrieved from the specific mobile base station, is sent to the access system and mapped to the user ID, the smart card system identifies the door which this user has access to (as per his/her access profile) and "enables" it for card access, or in the case of logical access, the mobile device's ID is mapped to the corporate logical access system to enable access to a specific computer terminal.
[0019] The proposed systems and methods may provide certain benefits. No client app is required on the mobile devices. This means, unlike many services/solutions for mobile devices, battery power is not affected since mobile base station connectivity is always working
[0020] The system and method may use either a smartphone or a smart card with a digital ID as a primary secure access device and the RAN base station is the secondary form factor that enables the primary secure device to enable access.
[0021] In an exemplary embodiment, Fig. 1 shows an authentication system 10. A
mobile device 12 is connected to a mobile network through connection 14 to a base station 16, which is shown as a mobile base station tower. The base station 16 connects to a serving gateway (SGW)18 and mobile management entity (MME) 20. A home location register/home subscriber server 22 is connected to the SGW and stores subscriber data associated with users of the mobile network.
The subscriber data can include information regarding the international mobile subscriber identity (IMR), the integrated circuit card ID (ICCID) and/or the international mobile equipment identity (IMEI) or other information that identifies the mobile device with an end user.
mobile device 12 is connected to a mobile network through connection 14 to a base station 16, which is shown as a mobile base station tower. The base station 16 connects to a serving gateway (SGW)18 and mobile management entity (MME) 20. A home location register/home subscriber server 22 is connected to the SGW and stores subscriber data associated with users of the mobile network.
The subscriber data can include information regarding the international mobile subscriber identity (IMR), the integrated circuit card ID (ICCID) and/or the international mobile equipment identity (IMEI) or other information that identifies the mobile device with an end user.
[0022] The mobile subscriber information is provided to a backend access system 26 through a connection 24. The backend access system 26 is connected to an access database 30 through a connection 28. Primary authentication may be provided using a smart card, in which case the backend access system 26 is a backend card access system and the access database is a smart card database. Subscriber data from the mobile network may be mapped to smart card IDs in the backend card access system 26. The backend access system 26 controls access to a resource 34.
The resource may be either an object or a place that the user may need physical access to or may be a system that the user requires logical access to. For example, the resource may be a door which can have access enabled by the backend access system 26.
The resource may be either an object or a place that the user may need physical access to or may be a system that the user requires logical access to. For example, the resource may be a door which can have access enabled by the backend access system 26.
[0023] The resource 34 communicates with the backend access system 26 through connection 32. A user 38 may request access to the resource and may use access credentials as a primary method of authentication, such as a smart card 36. The user 38 may be an employee of a corporation that uses the smart card 36 to access building after access has been granted based on the location information retrieved from the base station 16 and processed by the backend access system 26.
[0024] From the user's perspective, the user 38 attempts to access the resource 34, which may be a computer access terminal or a door or other resource having restricted access. To access the resource, the user may either enter identification information, such as a username and password, or use a security token such as a smart card. The backend access system will then confirm that the smart card or other identification information is correct and matches to a user having security clearance to access the resource. At the same time, the backend access system 26 will determine whether the mobile device associated with the user is at a location that is consistent with the physical location of the resources. Subscriber information from the mobile network that allows for the identification of the location of the mobile device is provided to the backend access system 26. This information may include information showing that the mobile device associated with the user 38 is connected to a particular base station. If the physical location is nearest to one particular base station, then the verification that the user is at the correct location may be provided by simply confirming that the mobile device associated with the user is connected to the particular base station near the access point.
[0025] If the backend access system 26 determines that the user has met the authentication requirements to access the resource and the location information determined from the mobile network are consistent with the user being at the physical location of the resource, then access will be granted. The system does not require the user to install an application to determine the location of the mobile device or phone. The mobile device location is determined directly using the subscriber information from the mobile network which is communicated to the backend access system.
[0026] An exemplary implementation of the system 10 in Fig. 1 is set out as follows. The user's mobile device, such as a phone, connects to the tower and base station 16. The IMSI data associated with the user's phone is sent from the HLR to the smart card access system 26. The IMSI data is mapped to a smart card ID in the card access system. If the information associated with the IMSI data and smart card ID correspond with the required inputs, then the card access system sets the access state for the secure resource, such as a door, to "enabled". The employee uses the smart card to access building and the access is granted based on the ID retrieved from base station. During the operation of the method in this example, the resource access is always disabled until input from HLR is received to enable door access for the specific employee. In this example, the employee's phone does not communicate directly to the backend access system and no private information is communicated directly from the employee's phone.
[0027] The diagram shown in Fig. 1 is a schematic drawing showing an exemplary implementation of the system. The system can be implemented in various ways, using various types of connections that communicate between the various systems and databases. Different configurations of the systems may be used to achieve the intended purposes.
The secure resource may be any access point for which access is restricted, including a door, a computer terminal, or any other system that has a specific location or that has an access terminal at a specific location.
Although the end user is at times described as an employee, the person may be any end user, such as a visitor to the building who has been granted appropriate access so long as the mobile device associated with that user has been included in the system. The mobile device may be a smartphone or any other device that connects to a mobile network. Verifying a current location of the mobile device based on the one of the plurality of base stations to which the mobile device is connected may not require the backend access system to positively determine a location of the mobile device. The backend access system need only verify that the information representing the location of the device matches the required credentials specified by the system. The verification could, for example, be a Boolean response to an inquiry of whether the base station to which the mobile device is connected is the closest base station to the physical location of the resource. The location of user may be compared with the location of the specified mobile base station to which the end user's mobile device is connected to, and that information is included in the multi-factor access configuration that allows the user to access the resource.
The secure resource may be any access point for which access is restricted, including a door, a computer terminal, or any other system that has a specific location or that has an access terminal at a specific location.
Although the end user is at times described as an employee, the person may be any end user, such as a visitor to the building who has been granted appropriate access so long as the mobile device associated with that user has been included in the system. The mobile device may be a smartphone or any other device that connects to a mobile network. Verifying a current location of the mobile device based on the one of the plurality of base stations to which the mobile device is connected may not require the backend access system to positively determine a location of the mobile device. The backend access system need only verify that the information representing the location of the device matches the required credentials specified by the system. The verification could, for example, be a Boolean response to an inquiry of whether the base station to which the mobile device is connected is the closest base station to the physical location of the resource. The location of user may be compared with the location of the specified mobile base station to which the end user's mobile device is connected to, and that information is included in the multi-factor access configuration that allows the user to access the resource.
[0028] By providing access to a resource using mobile base station information, the method and system can provide location information without the limitations of interference that may interrupt a GPS signal. A telecommunications provider can install a cellular antenna to connect to a base station for any location that is problematic for a GPS signal.
[0029] In an embodiment, making use of a cellular antenna and base station to capture location information could be arranged in advance with the telecom service provider and the access point owner (i.e. ยจ private/corporate company or government organization). Use of this info, albeit transparent to the end user, would need to be negotiated ahead of time in the form of a request or arrangement whereas only when a person's smartphone is in a certain vicinity of the cellular antenna/base station would the individual be granted access. Privacy would not be affected since info captured from the smartphone is done so only when in that specific vicinity of the cell antenna/base station for a specific time-dependent purpose of access and the info would never be shared with any other external app (on the smartphone or backend system) for any other purpose, and whereas consent would be clear and understood by all parties using/supporting this service and this service only. It is intended that there would be no ulterior motive for this service and no info acquired from this service would be resold or utilized for any other reason than providing another factor of security for access purposes. Only specific pre-determined mobile devices may participate and be authorized to access the system.
[0030] The use of information from a mobile base station will not affect battery life, because unlike Wifi, Bluetooth, Bluetooth Low Energy or GPS, mobile connectivity is almost always on by default. Accordingly, smartphone info flowing through cellular means, from the mobile antenna and base station, does not affect the battery life of the smartphone or end device.
[0031] In some embodiments, the technology could be offered as "AaaS" (Access as a Service) to other manufacturers would want to offer augmented security via multi-factor access for their equipment or device such as vehicle, a lock to a residence whereas all would be equipped with cellular connectivity, and paired with the same base-station info to which their mobile phones are connected to in order to grant access.
[0032] In some embodiments where split knowledge and dual control are required, a secondary individual would also make use of this access method whereas both individuals would be required to have their mobile device connected to the telco base station to enhance the secure access to a particularly sensitive area/system.
[0033] Immaterial modifications may be made to the embodiments described here without departing from what is covered by the claims.
[0034] In the claims, the word "comprising" is used in its inclusive sense and does not exclude other elements being present. The indefinite articles "a" and "an" before a claim feature do not exclude more than one of the feature being present. Each one of the individual features described here may be used in one or more embodiments and is not, by virtue only of being described here, to be construed as essential to all embodiments as defined by the claims.
Claims (4)
PRIVILEGE IS CLAIMED ARE DEFINED AS FOLLOWS:
1. A method of authenticating an end user's access to a resource at a physical location using a mobile device associated with the end user, the mobile device connecting to a mobile network including a plurality of base stations, the method comprising:
receiving a request from the end user to be permitted to access the resource;
determining whether the end user has access credentials to access the resource;
requesting and receiving information from a subscriber server for the mobile network including subscriber data associated with the mobile device, the subscriber data including information on which of the one of the plurality of base stations to which the mobile device is currently connected;
verifying a current location of the mobile device based on the one of the plurality of base stations to which the mobile device is connected; and allowing access to the resource only if the end user has access credentials to access the resource and the physical location matches the current location of the mobile device.
receiving a request from the end user to be permitted to access the resource;
determining whether the end user has access credentials to access the resource;
requesting and receiving information from a subscriber server for the mobile network including subscriber data associated with the mobile device, the subscriber data including information on which of the one of the plurality of base stations to which the mobile device is currently connected;
verifying a current location of the mobile device based on the one of the plurality of base stations to which the mobile device is connected; and allowing access to the resource only if the end user has access credentials to access the resource and the physical location matches the current location of the mobile device.
2. The method of claim 1 in which the access credentials further comprises a smart card and in which determining whether the end user has access credentials to access the resource further comprises the user presenting the smart card to a smart card reader at the physical location.
3. A system for providing user access to a secure resource using a mobile device, the system comprising:
a backend access system;
an access database connected to and accessible by the backend access system;
a resource access system in communication with the backend access system, the resource access system configured to receive a request from a user to access the secure resource;
in which the backend access system is configured to communicate with a mobile network database to obtain subscriber data associated with the mobile device in response to the resource access system receiving a request from the user to access the secure resource, and in which the subscriber data including information on the base station to which the mobile device is currently connected.
a backend access system;
an access database connected to and accessible by the backend access system;
a resource access system in communication with the backend access system, the resource access system configured to receive a request from a user to access the secure resource;
in which the backend access system is configured to communicate with a mobile network database to obtain subscriber data associated with the mobile device in response to the resource access system receiving a request from the user to access the secure resource, and in which the subscriber data including information on the base station to which the mobile device is currently connected.
4. The system of claim 3 in which the backend access system further comprises a backend card access system and the access database further comprises a smart card database, and in which the backend card access system maps subscriber information associated with the mobile device with a smart card that is used to access the resource access system.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CA2993713A CA2993713A1 (en) | 2018-02-01 | 2018-02-01 | System and method for mobile base station authentication |
CA3027799A CA3027799C (en) | 2018-02-01 | 2018-12-17 | System and method for mobile base station authentication |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CA2993713A CA2993713A1 (en) | 2018-02-01 | 2018-02-01 | System and method for mobile base station authentication |
Publications (1)
Publication Number | Publication Date |
---|---|
CA2993713A1 true CA2993713A1 (en) | 2019-08-01 |
Family
ID=67477296
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CA2993713A Abandoned CA2993713A1 (en) | 2018-02-01 | 2018-02-01 | System and method for mobile base station authentication |
Country Status (1)
Country | Link |
---|---|
CA (1) | CA2993713A1 (en) |
-
2018
- 2018-02-01 CA CA2993713A patent/CA2993713A1/en not_active Abandoned
Similar Documents
Publication | Publication Date | Title |
---|---|---|
JP4777314B2 (en) | How to provide location information | |
EP2476272B1 (en) | Method and system for user authentication by means of a cellular mobile radio network | |
US9197639B2 (en) | Method for sharing data of device in M2M communication and system therefor | |
US8554180B2 (en) | System to dynamically authenticate mobile devices | |
CN102802153B (en) | Use the single wireless subscriber identity module multiple equipment of simultaneous verification on wireless links | |
CN107005442B (en) | Method and apparatus for remote access | |
US20220278973A1 (en) | Network device proximity-based authentication | |
US20090265775A1 (en) | Proximity Based Authentication Using Tokens | |
US10498880B2 (en) | Mobile communication device with a plurality of applications activatable via a pin | |
US10403067B2 (en) | System and method for mobile base station authentication | |
CN103874065A (en) | Method and device for judging user position abnormity | |
WO2001031966A1 (en) | Method and arrangement relating to positioning | |
EP2617218B1 (en) | Authentication in a wireless access network | |
CA3027799C (en) | System and method for mobile base station authentication | |
US20230045525A1 (en) | Verifying subscriber information for device-based authentication | |
CA2993713A1 (en) | System and method for mobile base station authentication | |
KR20160027824A (en) | Method of user authentication uisng usim information and device for user authentication performing the same | |
WO2014009391A1 (en) | A method and a system for transferring access point passwords | |
US11116017B2 (en) | Systems and methods for service enablement and end device activation | |
US20220188443A1 (en) | A computing device, method and system for controlling the accessibility of data | |
JP6749882B2 (en) | User identification method of system linked with mobility management device, access control device, and program | |
KR20110057241A (en) | Minimizing the signaling traffic for home base stations | |
KR101698136B1 (en) | A Method and System for setting Private LTE APN synchronized with the external system of entering control | |
US11516648B2 (en) | Device IMEI/IMEISV/TAC screening and steering while roaming in wireless networks | |
KR20100024300A (en) | System and method for preventing use of illegal mobile terminal |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
FZDE | Discontinued |
Effective date: 20210831 |
|
FZDE | Discontinued |
Effective date: 20210831 |